The value of absolute transparency is why nothing will beat paper ballots written and marked in plain English counted by hand with anyone and everyone who cares about election integrity watching the process.
I was mostly thinking people in coercive relationships.
But in terms of communities it might be that voting is looked down upon for certain members of that community not the community as a whole.
In broader terms while marking people who have voted may not reveal who they voted for it does reveal that they did vote. This is less private than the election authorities maintaining the record of who has voted.
I mean, if you're willing to spend that much, and it'll be very expensive, then sure. It's just technophobia - machines are going to be more accurate than a human (who also can make a mistake!).
Almost every democratic country on Earth today does it like that, and all democratic countries have done it like that for the last 100-200 years. Counting paper ballots is just not that hard. Machines are infinitely more complex and exploitable.
Plus, you have the extra layer of public perception: it's much easier to convince a chunk of the public that all the machines in some area are miscounting, than it is to convince them that all human vote counters in those areas are miscounting, and all in the same direction.
Any programmer worth their salt knows that it's practically impossible to vet that what is executing is 1:1 the code that someone at some point in time audited somewhere, or that the code is worthy of trust from the commons in the first place.
Anyone and everyone can watch someone count paper ballots, no one can watch a computer count electronic ballots.
> Any programmer worth their salt knows that it's practically impossible to vet that what is executing is 1:1 the code that someone at some point in time audited somewhere, or that the code is worthy of trust from the commons in the first place.
What?
There are entire systems built around doing exactly that. Embedded, military, high-trust.
It's never state of the art performance or mass deployed, because most people would rather have performance and cost optimized over assurance, but it exists and is in production use.
You verify hardware, chain of custody from production to delivery, track every deployed piece of hardware, then lock the firmware and enforce restrictions on anything that executes after that.
It's not easy or cheap (or foolproof, as anything can be exploited), but it's also not impossible. And substantially hardens security.
And for simpler systems with lower performance requirements, completely achievable.
F.ex. voting machines don't need to be running 16-core, hyperthreaded CPUs running multi-process operating systems
> There are entire systems built around doing exactly that. Embedded, military, high-trust.
This is a completely different thing. In those systems, the organization doing the vetting is the one that protects itself through those systems; the good of the organization is presumed to be aligned with the good of the end-users by the threat model. That is, the threat model is purely external to the organization: we are protecting the army's computers from an enemy army or a rogue soldier. An end-user of such a system (say, a low rank soldier sitting in a tank that includes remote-controlled components) can't really trust that those things are used in their best interest. For all they know, the devices are listening to every conversation looking for signs of treason/incompetence - this is still perfectly allowed by an embedded, military, high-trust system. It's the generals that trust the system, as it were, not the individual soldiers.
In contrast, in an election, what we care about is not that the sitting president trusts the results; we care that every individual voter trusts them. And the individual voters are not the ones that have the power to control the way procurement, hiring, vetting, verification, and everything else is done. In fact, the relationship between the electorate and the voting organizers is normally modeled as partly adversarial. The true test of a democracy is whether the populace can easily vote down the people currently in power, the ones that are organizing the election, when they would like to maintain their power.
So yes, I agree that if I am building a system that I want to trust with voting, and I have enough money, I can build an electronic system that I can trust. And you can build one that you can trust. But I can't build one that you can trust, unless you already trust me.
There is no way to demonstrate that what is executing is the source code unless you're compiling at execution time from a local vetted copy of the source code. Is the guy who vetted the source code vetted? Who vets the vetter? Is the compiler actually compiling the source code? Is the compiler compiling as generally expected? What about bugs in the compiler? Is the source code even what it claims (binary blobs!)?
What about the hardware? Are there any black box enclaves? Bugs? Does it actually crunch as would be generally expected of a number cruncher? Does it even have the vetted software?
All this complexity and anyone would be fully within their right to say "I don't and won't trust this."
Meanwhile, someone counting paper ballots by hand can be immediately understood by anyone and everyone. It's simple and it's brutally effective. So what if the process takes time? Good stuff usually takes time, what's the rush? So what if the human counter(s) screw up? Human errors are inevitable, that's why you count multiple times to confirm the results can be repeated.
The most secure, most hardened, most certified ballot counting machine cannot compare to a simple human counting paper ballots in witness of anyone and everyone.
The questions you're asking make it seem like (a) you're not thinking about this very hard, (b) you're trying to reach the answer you've already decided on, or (c) you're not familiar with high trust systems.
Still, in the interest of a conversation, some brief answers. Please ask in detail about any you're interested in (but realize I'm going to balance the time I spend answering with the time you spend researching and asking).
"Is the guy who vetted the source code vetted?" Yes, because he or she was assigned a key and signed the code with it.
"Who vets the vetter?" Whatever level of diligence you want, up to and including TS+SCI level.
"Is the compiler actually compiling the source code? Is the compiler compiling as generally expected? What about bugs in the compiler?" This is why you test. And it's pathological to believe that well-tested compilers, that have built trillions of lines of code, are going to only fail to successfully compile election code.
"Is the source code even what it claims (binary blobs!)?" See test and also dependency review and qualification.
"What about the hardware? Are there any black box enclaves?" Yes, by design, because that's how secure systems are built. And no, the enclaves aren't black boxes.
"Bugs? Does it actually crunch as would be generally expected of a number cruncher?" Testing and validation.
"Does it even have the vetted software?" Signed executables, enforced by trusted hardware.
> Meanwhile, someone counting paper ballots by hand can be immediately understood by anyone and everyone. It's simple and it's brutally effective
No, it's not. Because people are messy, error-prone entities, especially when it comes to doing a boring process 100+ times in a row.
You're not comparing against perfection: you're comparing against at best bored/distracted and at worst possibly-partisan humans.
Human counts rarely match exactly, because humans make mistakes. And then they make mistakes in the recounts intended to validate counts.
If you can't envision all the ways humans can fail, then I'd reflect on why things never fail at your work because of people, and everything always runs smoothly.
The point is that humans counting paper ballots by hand in the witness of anyone and everyone is and always will be more credible than any voting machine ever. You can certify the digital chain of trust as much as you want, it will not beat human hands counting paper ballots as anyone and everyone watches.
> you're not thinking about this very hard
Yes, because the commons will not think very hard about a complicated "solution" when a much simpler solution already exists.
> If you can't envision all the ways humans can fail,
Yes, humans fail. It's also not important. Any election worth its salt should be counting multiple times using a variety of counters and witnesses to demonstrate repeatability of the vote.
Again: Humans failing is not important.
What is important is the ability to verify immediately and simply how the vote is being tallied. Machines can and will fail (or more likely be corrupted) like humans, but we can immediately see when the human screws up whereas it's impossible to see when the machine screws up.
It's baffling I'm having to argue this to FOSS people of all peoples, you guys should know better than anyone else that vetting source code and binaries and hardware is a fool's errand for something as important as counting votes.
Nothing beats the brutal simplicity of hand counting paper ballots while everyone watches.
Human counters can be biased, and they're definitely more inaccurate. Machines, unless actively exploited by a third party, will always do the same thing, time after time. I don't believe it's worth the extra expenditure to hire tens of thousands of counters (again, human counters add manual counting into the process, meaning another place for it to go wrong/be manipulated) when machines do the same thing with no fuss.
> Machines, unless actively exploited by a third party, will always do the same thing, time after time.
That "unless" is the whole problem. And it's not just if a third party gets involved, it can well be from the builders or the current operators of the machine who are the ones actively exploiting it as well.
The disconnect is that in most of the world we only vote for one or two candidates on a ballot. In America you vote for everything from the president to the dog catcher on one ballot.
While I think of it, the USA and UK should both stop holding votes on working days. That is nuts! Do what Australia does and vote on a Saturday and make it compulsory.
Are you sure? The last time I voted in Germany they gave me five ballots (EU, state, county, city, district), some with dozens of candidates - per party. I had dozens of votes to give.
I'm Australian, that screenshot is from the State election in South Australia, it is an example of how the Upper House ballot paper looks, it is similar in my state New South Wales.
The vertical columns (labelled as Group A to E in screenshot) divide up the political parties. The Greens will be one column, Labor Party another, Liberal Party another column and so on.
There are two horizontal rows separated by a thick line.
You can choose to either vote "above the line" or "below the line" but not both methods.
Above the line is used if you would like to vote based upon the wishes of a political party and below the line is used for "finer grained" voting for individual persons.
For example, the Labor party might have 3 candidates, "Fred", "Mary" and "Bob". If I vote above the line I can put a 1 next to the Labor party and then the Labor party's wishes will determine how my vote is distributed.
Or if I vote below the line I must number 12 different people in the order I want them to be chosen. So I could number Bob from Labor first, Peggy from the Greens second, then Fred from Labor third and so on, and I exert exact control over how I want my preferences to be distributed.
edit:
Our elections are staggered. The State parliament is elected on a different day to the Federal Parliament, which is different to Local City Council elections.
Believe me, we've been aware that this is a non-bug feature for a long time.
The Tuesday law was passed in 1845. Instead of changing it, many legislators are pushing in the opposite direction: trying to selectively suppress their opponents' votes further. If it hurts them more than us, it's a worthy goal!
We do it in the UK
Volunteers count the votes because they want to see a fair election (and there are ways of checking if someone partisan slipped some votes into the wrong pile).
I agree with GP. Transparency is more important than precision in democracy.
Good engineering is about choosing the right technology, not just the more recent one. Sometimes the right technology is paper.
Says who? Also, what does "accurate" here actually mean?
Speaking as someone who actually understands computers and machines: I agree with the commons (who are simpletons with regards to computers and machines) that machines cannot be trusted to be "accurate" (whatever that means) or even trusted in general.
Especially when a simpler, confirmable-by-anyone method exists: Having someone count paper ballots by hand in the presence of anyone and everyone. That includes mistakes and errors. The value here is anyone and everyone can and will immediately understand (and thus accept) what is going on.
Also, why are we even putting the integrity of the very foundation of our democracy on the table in exchange for convenience and cost of all things? Are we serious? It should be a good thing we are taking precious time and money to make sure our democracy is working properly. I thought democracy was actually fucking important.
Machines are amazing at counting things without losing their place. I'd trust an ATM's counted stack of bills over a human's (for sure if they only each got one try).
I've written some code at a previous job to simplify data entry. The previous method was adding numbers from a stack of papers, with a calculator.
I trust my code to add up the numbers on the computer over a human reading them from a printout and entering them in a calculator.
If the technical problem was solely about counting then obviously everywhere in the world we would be using machines by now. But we don't. Because the technical problem is trust, not counting.
Health insurance manual claims processors (who usually average ~5 years of experience) can do 95+% accuracy, at speed (a few minutes), at scale. That's counting and verifying multiple things against processing rules.
General data entry, from less trained folks, tends to average around 85% accurate (i.e. 15 mistakes + 85 entries correct, out of 100 entries).