> Kiniy said Galois will design two basic voting machine types. The first will be a ballot-marking device that uses a touch-screen for voters to make their selections. That system won’t tabulate votes. Instead it will print out a paper ballot marked with the voter’s choices, so voters can review them before depositing them into an optical-scan machine that tabulates the votes. Galois will bring this system to Def Con this year.
This sounds great: paper trail, no chance of "hanging chads" or bad handwriting, verifiable by the voter at the moment before scanning and hand-countable if necessary.
I hate being outright dismissive but it sounds like an expensive html/pdf form with a printer attached.
I do agree that the paper trail is a great thing. I'm not fundamentally against electronic voting, but I haven't heard of a system that can really compete with the simplicity and verifiability of the immutability you get from paper ballots inside ballot boxes being watched over by interested parties on all sides.
> I hate being outright dismissive but it sounds like an expensive html/pdf form with a printer attached.
And I like it. The simpler the design, the better. Sometimes it takes a billion dollars and a couple of smart researchers to invent the "obvious" solution to a problem.
We've got butterfly ballots, confusing electronics-only machines, and a variety of bad standards as the basis of our current voting infrastructure. Telling everybody to use a damn PDF + printer would be a gross improvement.
And suddenly I have another use case for my language for specifying scientific protocols. Counting votes in a way that is scientifically verifiable. Turns out keeping verifiable lab notebooks for legal reasons is a really similar problem to keeping verifiable vote tallies, also for legal reasons (hopefully). It is telling that we have better provenance systems for far more complex processes but we still haven't managed one for one person one vote ...
Give America an idea, and SOMEONE in America will royally screw it up. It's a big country filled with lots of smart people, but also filled with lots of dumb people.
DARPA is working to come up with the standard that the whole country should follow. That's good and useful research. Even if it comes out to be the obvious solution (a paper ballot off of a damn printer), there's benefit to one of the major research institutions of this country telling the rest of the country how things should be done.
They were particularly badly arranged punch card ballots; the solutions to both the bad arrangement (“don't do that, like most people didn't do previously”) and the punch card (“use optical scan”) related problems are not only well known but pretty widely adopted.
I agree. But why did butterfly ballots proliferate in Florida?
Ultimately: the administrators weren't thinking about ballot issues. Palm Beach, Florida, was understaffed and underpaid, under-invested. They had other things on their mind when they deployed their machines.
They needed to move off of the punch-card system ASAP, but they couldn't afford to. They had the same issue in 1996 before the famous year 2000 issue. It was known, but not much could be done about it.
I guess this printer methodology from DARPA might be too expensive. Or maybe the scanning machines can be owned by the state, so that poorer areas won't have to invest in the machines. Etc. etc.
There are a lot of issues aside from "use paper ballots". The entire voting system needs to be considered. I hope that DARPA's challenge will include these issues in their design process.
> They needed to move off of the punch-card system ASAP, but they couldn't afford to
Sure, but moving money around to deal with that problem is easy (and mostly doable intrastate, but, a federal role isn't unreasonable.)
But this isn't a problem calling for novel technology. (As has already been demonstrated by the move to e-voting that happened in many places after 2000, though some people got the wrong message and decided that we just chose the wrong technical solution—but a lot of that is due to lobbying by the people selling technical solutions.)
> Give America an idea, and SOMEONE in America will royally screw it up. It's a big country filled with lots of smart people, but also filled with lots of dumb people.
More specifically - it's a big country with a fantastic amount of decentralization. Elections are run and ballots are designed not by national governments, not by state governments, but by county governments. The chance that someone will mess up is a lot higher.
(Of course, this does have the advantage that centralized tampering with the ballot is harder.)
In this case perhaps paper where you don't see anything, but that will trip up the scanner. You only need to have votes declared invalid. Of course, preferably just a random subset of them. You can choose for districts you don't like and distribute that paper there.
> I've always wondered why nobody suggests doing that in the US
In this case, Occam's Razor beats Hanlon's Razor: The simplest explanation is malice, not stupidity. The groups who are the most hysterical about hypothetical voter fraud are dishonest. Their actual goal is not to prevent vanishingly rare crime, but to suppress legitimate voters in a partisan fashion.
Finger-inking at the poll-site does not offer them a useful tool for skewing the election results. It imposes no special discouragement or advantage to a particular group, and it also does not create a system for arbitrary "enforcement." (In contrast, consider poll-taxes or name-similarity databases with insanely high rates of false-positives.)
Some might retort: "I don't suggest finger-inking because it won't stop someone from impersonating another voter." True, it won't stop that from happening the first time, but it limits it to once. This means N improper votes require N humans, and as N gets large the odds of keeping it secret go to zero.
How many of those dogs registered to vote showed up and cast a ballot?
If anyone actually cares enough to have a mostly accurate, cost-effective voter registration database, they'd reuse any one of our existing national demographic databases. But they don't. Because the recurring drama caused by our existing fragmented, poorly funded, more error-prone system is too useful.
Voter fraud of that form basically doesn't exist. You are already marked as voted at your designated polling place. A purple finger is just for show, even in other countries. It's like an "I Voted" sticker.
> I have been informed by social scientists that requiring voter ID is racist
Do you have a personal opinion on that? I don't see it as racist in any way, because it applies equally to everybody.
We have a few basic rules for voters in this country, one is that they are citizens, two is that they are registered. Being able to demonstrate that you are the registered voter you claim to be seems to me to be essential to a fair election process.
> I don't see it as racist in any way, because it applies equally to everybody
Would you say the same thing about poll taxes?
The idea of ID laws is not inherently racist. It's the implementations that are problematic.
For example, one jurisdiction that got in trouble for its voter ID law (I forget which one) was found by the courts to have, when writing their law, done a study of what forms of ID voters had, found out which of those had the biggest differences between prevalence among whites and among blacks, and then picked as the allowed forms of ID those that would most favor whites and disfavor blacks.
Places that aren't as blatant about it (or at least aren't dumb enough to actually talk about it in legislative committees for which subpoenable records are kept...) often leave hints that their motive is racial. For example, they might limit the number of places that can issue IDs, and reduce their operating hours, so that a poor person without a car (more likely to be black than white) has to take a long bus ride there and back, and has to take time off work to do so. This can be a serious hardship. (Worse, it might take more than one trip if there is any problem with the supporting documentation for the ID application. Unsurprisingly, it has been found that minor errors that tend to be overlooked when a middle class white person applies are much more likely to derail things for a poor black person).
Another hint that their motives are suspect is that such efforts are usually accompanied by efforts to make it harder for minorities to vote that have nothing to do with ID, such as closing polling places in minority neighborhoods and limiting voting hours, or reducing the number of voting machines at minority neighborhood polling places so that lines will be long.
If voter ID laws were actually about preventing voter fraud rather than about suppressing legitimate votes from poor and minorities, they would be accompanied by changes to make it cheap and easy for people to get the appropriate ID.
Also, they would be about registration ID, not voting ID, since what little fraud there actually is usually takes place via absentee ballots.
>Do you have a personal opinion on that? I don't see it as racist in any way, because it applies equally to everybody.
“The law, in its majestic equality, forbids the rich as well as the poor to sleep under bridges, to beg in the streets, and to steal bread.”
In practical terms, there are a lot of people in the US that simply cannot afford to buy an ID - both because of the actual cost and because of the logistics and documentation required. Trying to get a certified birth certificate from another state when you are homeless is, I imagine, pretty damn hard and relatively expensive to do.
If the US had a system where ID was available to all completely without cost (and only taking a trivial amount of time) then I’d agree with you more.
> Usually you need that ID to exercise your constitutional right to bear arms.
12 states have constitutional carry laws. I can buy and carry with no ID needed.
As for voting and issues in obtaining valid ID, I can guarantee if you're on HN, you are not the group being talked about getting an ID.
I had to obtain a birth certificate from my state. I had to drive 3 hours away, and pay $25, and drive 3 hours back to get it. And for someone who doesn't have a car, lives in the city, and lives week to week, they won't be getting a valid ID anytime soon.
Oh yeah, and they're primarily black and poor. That's why the racist claims are made.
>I don't see it as racist in any way, because it applies equally to everybody.
To build a little on what the other commenters are saying, I recently watched a talk about equity and how it compares to equality. There's a famous image of people of different heights looking over a fence that shows well how equality does not always lead to justice. I have found it worthwhile, every time I see "equality" featured, to ask about how this is different than equity. In this case, it's inequitable (to a degree) because it is disadvantageous for the poor or other marginalized groups to jump through these hoops even if they're the same hoops that the advantaged groups have.
I'll also note this equality-equity distinction is making its way into mainstream American politics. On page 6 of the Green New Deal is a provision that the federal government has the duty of promoting equity and justice for people oppressed because of their race or circumstance. This is noteworthy because (as far as I'm aware) federal law has only been providing equality so far, but now there's a shift in policy to provide equity and not ask for equality.
No strong opinion! But I understand there exists a legal precedent of disparate impact, such that a policy "applies equally to everyone" can end up being illegal because it effectively targets a protected class even though it doesn't have any language to that extent.
> I hate being outright dismissive but it sounds like an expensive html/pdf form with a printer attached.
I don't think that's dismissive at all. That's what it is, and it sounds good to me. Basically the computer is a scribe with perfect handwriting that fills out the paper ballot for the voter while the voter watches. Absolutely any voter is qualified to assert whether the ballot contains the votes they intended to cast.
From there, you could have the voter carry the ballot and drop it in a box that's being observed by any number of interested parties, providing old-fashioned accountability. Counting by scanner is an optional time saver, with hand counts as the alternative / double-check.
Don't forget that electronic voting machines can have accessibility features that paper ballots lack - having a glorified form printer is actually a sound design that lets us gain these benefits without the negatives.
Speed. One of the reasons some politicians want electronic voting is to have the tentative results in as fast as possible, so they can sod off to their respective celebration/mourning shindigs and call it a night. That the actual, lawful count follows in the course of hours or even days is, to them, then acceptable.
Having these machines do a preliminary tally gives you a more accurate forecast of the votes cast than exit polls.
Optical scan machines solve that issue quite nicely and more robustly, especially when a ballot needs to be spoiled due to error (it can be physically destroyed before tally instead of needing to support deletion or modification of records in the voting machine).
This is missing two completely unnecessary failure modes that pen and paper don't have:
1. You cannot know whether the device leaks your vote, i.e., whether your vote is secret. Mind you that in addition to an attack inside the device, this can also happen via simple electromagnetic side channels inherent in the device, as was demonstrated quite a while ago for Nedap voting computers by the Dutch campaign against voting computers, where you could distinguish selected candidates by tuning an AM radio to the right frequency.
2. When the device malfunctions, whether due to a defect or sabotage, and only particular candidates cannot be selected, that creates a side channel where the voter is effectively forced to unveil who they want to vote for.
Neither of those failure modes exist with paper ballots.
> Neither of those failure modes exist with paper ballots.
Paper ballots stop secret cameras in the ballot room? I mean, they really don't. It depends on your threat-model. A lot of things will come down to trust.
> 2. When the device malfunctions, whether due to a defect or sabotage, and only particular candidates cannot be selected, that creates a side channel where the voter is effectively forced to unveil who they want to vote for.
See Butterfly ballots. Paper ballots in USA (Florida specifically) which basically had this flaw. It was confusing to know which circles and lines were going to the correct candidate you wished to vote for. Asking for help on the ballot would leak information on who you wanted to vote for.
A poorly done paper-ballot has its own set of issues.
> Paper ballots stop secret cameras in the ballot room?
And neither do touchscreens. Paper is better if it's not done comically wrong.
And even the worst paper ballots have a much smaller attack surface for plain old analog rumors than the best possible electronic system. The most powerful way to undermine a democracy is not flipping some votes to one candidate in perfect secrecy, it's making all candidates/camps believe that the other did. This could destroy a democracy even without a single vote having actually been tampered with.
Electronic voting, only understood by experts, is perfect soil for such rumors and no amount of open sourcing can change that. The many human counters involved in a hierarchical paper vote counting scheme are not just an unfortunate inefficiency left over from a time when machines could not count yet, they also serve as witnesses, not only for keeping their peers in check but also for dampening any unfounded rumors that might come up. They increase trust even when they are not actively speaking up against rumors, just by being there, in numbers, as passive dampening elements like the moderator rods in a fission plant.
> Paper ballots stop secret cameras in the ballot room?
Ballot rooms are just about as decentralised and non-standard as it's possible to get your head around. Voting machines are the exact opposite.
Are we actually discussing that someone could or would roll out a (nationwide?) network of hidden cameras across church halls, schools, and other places where people go to cast paper ballots. Undetected?
Distributing compromised software - or designing your attack into the hardware - for voting machines would be child's play by comparison.
These might be good arguments for letting people fill the ballot in manually, if they wish. Based on the design as I understand it, it seems like users aren't prohibited from printing a blank ballot and taking a pen to it themselves.
The part I don't like is the printer. They're woefully unreliable devices. Having been an election judge, handling a bunch of flaky tech in polling places is the last thing the poll workers need. They have a lot to do already.
In MN, we use paper ballots with Scantron readers for excellent results. I'm not sure what problem this new system is supposed to solve that the Scantron model doesn't.
My grandma has shaky hands. She can’t really fill out a scantron. I have no problem with people filling out their own ballots. The pristine ballot, filled out and verified by the voter, seems harder to spoil than a hand-filled-out ballot.
My preference is for plenty of machines available to fill out paper ballots, but give voters the option of filling out by hand.
That’s why anyone should be permitted to watch the process from start to finish. Heck, videotape the collection box from the moment it is shown to be empty and sealed till the ballots are retrieved. Videotape the counting process. Do all this in the public square, televised and streamed.
Poll based opscans are (should be) configured to reject spoiled (or unreadable) ballots.
So ballot marking technologies have marginal utility. Expensive fix for a non-problem.
For complying with HAVA mandated accessibility, the Automark is slightly less bad than the others. The only solution which actually fulfilled all the requirements and was preferred by the disabled community is a non-electronic protective ballot sleeve called the Vote-PAD. Alas, it hasn't been available for quite some time. Being cost effective, meaning less pork, it didn't have any champions.
Fortunately, a new ballot marker, twenty years too late, doesn't help with the increasingly fashionable postal balloting, so there's no danger this latest noble effort will have any benefit.
I'd say that the massive investment is necessary because of how uncomplicated this particular system is. Without a large, sprawling, and well-funded project backing it, a simple (and probably far more reliable) solution can lack credibility when compared to more complicated alternatives.
People consistently overestimate the reliability of that solution, especially for older voters with mobility challenges. Pushbuttons or levers that demand macroscopic elbow/shoulder motion are easier for that demographic to use than sensitive screens requiring fine motor control.
And that's all to say nothing of what happens when the screens become miscalibrated and accept taps a few pixels off. I'm fairly confident most of the "It switched my vote" reports we hear are actually this category of "user-error" (which should really be counted as "machine malfunction").
It is still impossible to submit a vote without personally verifying it or deciding that you don't really care enough to review your choices. A peripheral device is one more thing that can break or be tampered with. The user experience issue is up to them to implement.
In general, getting elderly people, low-income populations and other late adopters of technology to use touchscreens correctly has been much easier than getting people to use a mouse. The mouse is less physically intuitive than "poke the thing you want." For most of us, though, we hardly notice a difference.
I'm a poll worker so I have some experience with the problem. I agree with you that a peripheral is one more thing that can break or be tampered with, and I wouldn't recommend a mouse. Here's what I've observed (at least in the iVotronic systems we use in Pennsylvania):
- since there's only one screen, and it's all touchscreen, users get consistently confused between pictures of buttons describing what the buttons do and the buttons themselves
- the touchscreen is itself a peripheral and prone to wearing out. When it does, the fact it's wearing out is difficult to observe during the election day; there's no cursor indicator, so a poll worker can't check calibration.
- users with fine-motor-coordination issues have to brace against the box to steady themselves to touch the tiny targets they want. There's nowhere to brace against a touchscreen that isn't also touch-sensitive input, and the screens don't accept multi-touch.
A row of buttons along each side of the screen, not unlike the solution used at many ATMs, would ameliorate all these problems. These boxes are already custom hardware jobs, so switching out touchscreens for a couple of button banks would be cheaper, equally usable for most voters, and more usable for mobility-impaired voters. It would improve all three observed problems.
Wishes and horses though; the machines we have are the ones we use.
What we saw in 2016 was that even if a candidate were to contest a result, none of the election committees were willing to commit to a full hand recount; instead, the only options were to retabulate through the very same tabulation processes and machines that had produced the questionable results in the first place.
Without a low barrier to recount by hand, the electronic systems' production of paper trails is worthless. Arguably worse than worthless, because it leaves everyone thinking there is a usable backup, when there isn't.
This is absolute hogwash, there are other methods than a full hand recount if you have a paper trail, some of which only require counting a small number of the ballots by hand.
The best example of this is a Risk Limiting Audit (RLA). You only have to re-count a smaller number of ballots until the overwhelming probability is that the vote is confirmed, or that the vote is rejected. Depending on the disparity between the ballot options, this count can actually be very small.
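To make the "count a smaller number of ballots until the probability is overwhelming" idea concrete, here is an added example (written for this page; not code from the thread, from Galois, or from the ColoradoRLA project) of a ballot-polling risk-limiting audit using the BRAVO sequential test. It assumes a two-candidate contest, a reported winner share of 60%, and a 5% risk limit; the precinct ballots and their labels are constructed.

```python
"""Ballot-polling risk-limiting audit (BRAVO-style) on a constructed ballot set.

Added example for this page; not code from the thread, from Galois or from the
ColoradoRLA project. Assumptions: a two-candidate contest, a reported winner
share of 60% of valid votes, and a 5% risk limit. All ballot data is constructed.
"""
import math
import random

RISK_LIMIT = 0.05             # assumed: 5% risk limit
REPORTED_WINNER_SHARE = 0.60  # assumed: reported share of valid votes for the winner


def bravo_audit(sampled_ballots, reported_winner_share, risk_limit, winner="A", loser="B"):
    """Apply the BRAVO sequential test to ballots in the order they were sampled.

    Each ballot for the reported winner multiplies the test statistic by
    p_w / 0.5, each ballot for the loser by (1 - p_w) / 0.5, and a ballot for
    neither (blank, undervote) leaves it unchanged. When the statistic reaches
    1 / risk_limit the reported outcome is confirmed; if the sample runs out
    first, the audit escalates to a full hand count.
    Returns (decision, ballots_examined).
    """
    if not 0.5 < reported_winner_share < 1.0:
        raise ValueError("a ballot-polling audit needs a reported winner share above 50%")
    threshold = 1.0 / risk_limit
    winner_factor = reported_winner_share / 0.5
    loser_factor = (1.0 - reported_winner_share) / 0.5
    statistic = 1.0
    examined = 0
    for ballot in sampled_ballots:
        examined += 1
        if ballot == winner:
            statistic *= winner_factor
        elif ballot == loser:
            statistic *= loser_factor
        if statistic >= threshold:
            return "confirmed", examined
    return "full hand count", examined


def min_ballots_to_confirm(reported_winner_share, risk_limit):
    """Smallest sample that can confirm: every drawn ballot is for the winner."""
    return math.ceil(math.log(1.0 / risk_limit) / math.log(2.0 * reported_winner_share))


def build_precinct(n_winner, n_loser, n_blank=0):
    """Constructed 'physical' ballots for one precinct (labels only)."""
    return ["A"] * n_winner + ["B"] * n_loser + ["blank"] * n_blank


def run_audit(ballots, seed, reported_winner_share=REPORTED_WINNER_SHARE, risk_limit=RISK_LIMIT):
    """Draw ballots uniformly at random (seeded so the run is reproducible)."""
    rng = random.Random(seed)
    order = ballots[:]
    rng.shuffle(order)
    return bravo_audit(order, reported_winner_share, risk_limit)


if __name__ == "__main__":
    # Constructed precinct whose true count matches the reported 60/40 outcome.
    honest = build_precinct(6000, 4000, n_blank=100)
    print("honest precinct:", run_audit(honest, seed=1))
    # Constructed precinct where the reported winner actually lost; the statistic
    # drifts downward and the audit should escalate to a full hand count.
    wrong = build_precinct(4000, 6000, n_blank=100)
    print("misreported precinct:", run_audit(wrong, seed=1))
    print("fewest ballots that could confirm a 60/40 report at 5% risk:",
          min_ballots_to_confirm(REPORTED_WINNER_SHARE, RISK_LIMIT))
```

The risk limit is the largest chance that the audit confirms an outcome that is actually wrong, which is why a wide reported margin needs only a few dozen hand-examined ballots while a close race pushes the sample toward the full count the thread is arguing about.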
During the mid aughts, the consensus of the Election Verification Network (EVN) crowd (academics, election administrators, feds) was that audits were no better than manual recounts and just as expensive.
I'll read the paper you linked, but know that it's contrary to the received wisdom, and I'm very skeptical of any claims that auditing elections are feasible or worthwhile. By audit, I mean anything short of a full manual recount.
Okay. I lightly read that paper.
First, it specifically says to only audit the VVPR, meaning the actual ballots, not the VVPAT, which is just what the computer says it recorded. So there might be some miscommunication. I assumed #bdamm was referring to the VVPAT.
Second, the meat of the paper is refinements for calculating the confidence that the official result is correct based on recounting a sample. All of the caveats with audits, not within the scope of this paper, remain the same.
Colorado successfully performed an RLA, and didn't have to recount every ballot. If you really want to read more, Free and Fair (IIRC, the same group bidding on the DARPA grant) has open source software and instructions on how to perform RLAs: https://github.com/FreeAndFair/ColoradoRLA
Where's the problem? I've been leaning towards the idea that maybe every election should have a hand count. You can get your electronic count first for the early announcements, but it should be verified by the hand count. What's the downside, just the cost? Seems likely worthwhile to me.
The problem is that the vast majority of elections aren't counted incorrectly, and you're vastly increasing the cost on an under-funded system for no benefit in five-nines of the cases (and the remaining cases can have a recount triggered by one of the candidates, but not at no cost to them).
I fail to see what the downside is of counting every election twice.
Frankly the cost of elections doesn't seem to be a serious problem for any government. They're choosing to fix some roads instead of boosting the quality of elections. Frankly I'll take the election over potholes or whatever else the government is spending money on, because if I can't trust the election, I can't trust the government.
Not sure why hand counting is so difficult. In the UK we hand count elections. It is just a matter of sorting ballot papers into a pile for each candidate. This pile can then be easily checked to make sure that no vote has been mis-recorded.
Having too many races on the same ballot already compromises ballot secrecy, to an extent.
"We want you to vote for Jim Totes-Legitimate for President. But so that we can recognize your ballot paper and we can verify that you voted for him and we don't have to break your kneecaps, please also mark your other ballot races as follows: Fred Also-Ran for First Assistant Flangedoodle, Sheila Plausible for Second Assistant Flangedoodle, Hazel Placeholder for Junior Hog Counsellor."
Which is also why the cryptographic voting systems cannot protect voter privacy. Those systems require hash collisions to hide your ballot in the herd of ballots. But the combination of precinct size and complicated ballots means any particular ballot is utterly unique (no hash collision).
I'd be far more charitable towards crypto advocates if they also specified the conditions required for their system to work correctly.
> The first will be a ballot-marking device that uses a touch-screen for voters to make their selections. That system won’t tabulate votes. Instead it will print out a paper ballot marked with the voter’s choices, so voters can review them before depositing them into an optical-scan machine that tabulates the votes.
That seems backwards. Touch screens suck. Why not build a validation machine that voters can feed manually-completed optical scan ballots into, before they go to the tabulator? Clear feedback would help catch incorrectly filled out votes before they're cast, no touch screen required.
The validation machine could have a very clear and user-friendly display, which candidate pictures are large type. That would definitely be easier to verify than a computer-generated optical scan ballot.
"Why not build a validation machine that voters can feed manually-completed optical scan ballots into, before they go to the tabulator?"
That's precisely how poll-based opscans work.
Central count (for postal ballots processing) is necessarily different, because that sanity check cannot be done, so voter intent must be adjudicated when ballots (or individual votes) are unreadable. It's a sausage factory.
I know, we have them in my district, but they don't do all the validation I was talking about. I think all that the current machines do is validate that there were no overvotes, etc. I was proposing a separate machine that would let the voter validate that the ballot would be read as they intended.
I think they want to simplify the human interaction as much as possible to eliminate things like hanging chads, misreads due to erasures etc. This also places less importance on the other human step, which is reviewing, as there are hopefully fewer errors in the first place.
Although I would favor a screen with physical buttons next to it (not like the garbage you see on ATMs and gas pumps though)
> not like the garbage you see on ATMs and gas pumps though
What don't you like about these buttons? As mentioned elsewhere in the comments, this is a proved design that works well for a great number of people. Plus, the elderly / tech averse are likely to already know how it works.
The code should be anonymous, so that it can't be used to trace who made the vote, yet still can be used to verify that it is counted. This way, anyone can verify that their vote was actually counted, so the voting system will be verifiable later on.
>The systems Galois designs won’t be available for sale. But the prototypes it creates will be available for existing voting machine vendors or others to freely adopt and customize without costly licensing fees or the millions of dollars it would take to research and develop a secure system from scratch.
I guess the devil is always in the details. "freely adopt and customize" to me says that the code will not be verifiable or open source anymore? Or that the implementation could be flawed. Open sourcing the code, and then letting commercial entities change it, cut corners, make money, etc seems to be a good way to ensure that all the hard work that went into designing the system is rapidly compromised.
Isn't there a law in the US prohibiting public institutions from competing with private businesses? This may provide a cause for not rolling it out, but rather handing it over to private enterprises for implementation.
Edit: I recall the US having to withdraw from the Human Genome Project because of this as soon as a private enterprise claimed it as a field of business.
Actually, the HGP was on the verge of being scrapped, but then the U.K. came to the rescue with a major investment to make up for the US. If I recall this right, the US enterprise (Celera) wanted to take an algorithmic shortcut in mapping and verifications, by this overtaking the HGP regarding final results in order to provide the data as a paid service. This happened 7 years before the scheduled finalization of the HGP. Eventually, they finished in a tie. (However, this has been some years ago now and I'm not a US citizen.)
I've heard of that too, but I believe that only comes to tax software.
In some other countries they mail you a postcard with how much tax you owe, but if you have deductions they didn't know about you have to correct it... They wanted to do a similar system here but the major companies like Intuit and H&R Block lobbied against it...
Yes, kind of. US tax-exempt entities directly engaged in "unrelated business activities" can be subject to "unrelated business income tax" or UBIT at the federal level. But that's unlikely to deter an agency of the federal government, which would not be subject to UBIT.
The benefit of open source is that it is verifiable by peer review.
I would take an open source and peer reviewed voting system that was originated by the NSA and CIA and every other spook organization over one that was closed-source and hand-coded by Larry Lessig or whoever is your favorite person of integrity.
Galois has a reputation for being one of the most visible and well-known shops associated with Haskell. I'm curious to see what they can accomplish. A little bit of poking showed this coming up -- I definitely wonder if that's around the same direction they'll be taking.
Why does this keep coming up? What is the compelling argument against paper ballots? There is no need for results to be known immediately, so how does making voting an exercise done by computers make anything better, particularly when computers are much more vulnerable to remote interference?
> If we can have a secure and auditable banking system (and every other aspect of our lives), surely we can have the same for voting?
There's one major requirement in voting systems that throws a huge wrench in everything, anonymity. In order to prevent vote buying and coercion voters can't be tied to specific votes. So any system that allows a person to check that their vote got counted for their candidate isn't workable because that violates the anonymity requirement.
There's a million reasons that votes change as they're counted and recounted. For one in some states absentee ballots can be postmarked up to the day of the election so they can trickle in for a while after the day of. Another is machine breakdowns and just mistakes as the complete numbers are gathered.
The way this (anonymity) is handled in the Estonian system is that votes can be validated out-of-band for 30 minutes after they were cast, then they're locked. Additionally, a voter can overwrite their previous vote at any time during the vote period, so they could always prove their first vote, and then overwrite it privately later.
There are several other major problems with their system , but I think they should at least get credit for their approach.
That's the paradox with e-voting/internet voting. You need to verify the voter is who they say they are, but it also has to be completely anonymous. The banks know who you are and what you do with your bank account, you can't have that with voting.
That's a big part of the advantage of paper ballots. The cost of subversion is high because more people need to be in on any conspiracy to subvert the system. More conspirators means more and more incentive to defect against co-conspirators.
Electronic systems do not scale subversion cost with electorate size. But they do scale the payoff of subversion.
Not always true. Where I live, small parties have the problem of not being able to allocate sufficient resources to monitor all voting rooms. Then if it happens that only representatives of two of the biggest political parties are observing the counting, strange things can happen (e.g. the small parties not getting any votes).
What's wrong with paper as a technology? Nothing. What's wrong with paper as a proposed solution? Education and public perception.
People who work with computers understand their limitations. But the average person on the street doesn't seem to see them the same way. They think computers equal modernization equal reliability. True or not, if you want a voting system to be a political reality, you'd have to change public opinion, and we've spent more than a decade trying to, but haven't gotten that done.
> What is the compelling argument against paper ballots?
To play devil's advocate...
Paper is just a medium. With apologies to Claude Shannon, critical properties of information are best ensured through secure protocols, not by picking a particular medium.
E.g., if the property you want is security, encryption is more provably secure than invisible ink. The properly encrypted message can be stored on paper, radio, magnets, or neurons, it doesn't matter.
The properties we want from ballots are somewhat uncommon and therefore very unintuitive. They are still properties of information. Availability and deniability simultaneously? (So you can personally confirm, but never provably sell your vote).
We could design a cryptographic protocol to meet those unique design goals. But not using paper alone, because the math would be too hard.
Paper appears to guarantee availability and privacy, just as invisible ink appears to guarantee security. In practice, each often falls short. Ballot boxes disappear. Absentee ballots travel through the postal system, which is a bit like blasting one unencrypted UDP packet and hoping for the best. No individual can take their paper ballot and later confirm how it was counted.
You could do these things with electrons though. It would require some fast math, like almost all useful protocols in information theory.
If you could make voting much cheaper and faster, it could be used to decide more things. (If your immediate reaction is "But voting is a terrible way to make decisions!", well, there's considerable evidence in your favor. I think we should be researching collective decision-making a lot more broadly, but voting tech could be one building block.)
In Switzerland the Swiss Post is implementing something similar => my thoughts are very similar to yours (we can even vote by letter, and an electronic vote might in comparison save me at most 5 seconds out of the avg 3 hours of debate with friends and family & reading & watching debates on TV for each round of voting).
The Swiss Post recently organized a public review (with awards for identifying bugs - see another older thread on HN) for the software that they'll try to launch.
On one hand the swiss Post's solution would allow me to actively check if my vote was part of the total, which I think is absolutely fantastic.
On the other hand I did access the source repository of the new potential voting system <with sparkling eyes expecting something "special"> but I didn't even start digging into it as soon as I saw that it was written in Java.
I thought that such a software, which is the foundation to the future of a nation (voting system), would have as its foundation 1) a language that leaves very little room for technical and functional bugs (e.g. something used in the aerospace industry?), 2) would be structured using an extremely well-known-for-its-reliability workflow-engine and 3) was submitted to testing covering basically ALL possible combinations at ALL levels (not just e.g. "10000 cycles of randomness" but all possible input-values, for all layers).
When I saw that it was written in Java (nothing against Java - same thing for e.g. C/C++) I immediately gave up because, even if that SW is made to be absolutely unhackable >>now<<, this won't be true anymore starting from the next releases as the $ and "attention" will inevitably be reduced more and more and the whole tower will start to crumble.
Summarized: I'd like such a system, but I would need it to be implemented in an extremely strict way that is able to survive times of low budgets and/or bad employees and/or bad management and/or of course corruption, which is coincidentally when a stable solution would be needed the most.
I usually (have to) choose between dark- or light-grey when I vote, but in this case, to replace the current system, it's one of the rare occasions for which I would need a "pure white" solution :)
Paper ballot operational complexity scales linearly with the size of the electorate, which makes them adequately scalable for any practical use. (There's maybe an issue with using paper ballots for some esoteric election methods, because of how operational complexity scales with number of candidates for some type of tallying, but absent a decision that use of one of those methods is desirable that's immaterial.)
Because of the reasons explained in the article - you can verify that your vote was recorded, and you can calculate the total yourself. There's also no need for recounts, it uses less labour and you know the result immediately.
Title is misleading. This is a 3rd-party contractor that won an RFP bid to push out hard-copy verification of the ballot and the voter's choice with some "DARPA techniques". Not quite the secure confidential system with data integrity I was hoping for.
> We will show a methodology that could be used by others to build a voting system that is completely secure.
This really feels like a Proof-of-concept or reference architecture, at best.
I don't believe that putting a price tag on a piece of software legitimizes it for a given use case.
I get this same feeling from posts that say "Product X written in language Y". While I agree that there exists a right programming language for a given task, it is not in itself a reason to use product X.
I use this premise as one of my architectural interview questions- design a voting system.
Having asked it dozens of times, I’ve come to the conclusion that I don’t trust anyone to build a voting system. I like it as a question tho, since it’s open ended enough to really let the candidate focus on the domains interesting to them; scalability, security, data modeling, whatever they want really.
Agreed. I was about to write this off as a boring project that might go nowhere, but I have a huge confidence that Galois will treat this with the gravitas necessary from a computing and security theory point of view.
It might still go nowhere, but I expect there will be very interesting developments as a result of it.
Thought experiment: Have, like in aviation, units built of two separate, but parallel architectures designed and built by unrelated, independent manufacturers with software written by independent teams in different languages and deploy them redundantly. (E.g., Airbus does this.) Now you have cranked up the cost for any manipulations to the requirements of successfully attacking two separate architectures in the same realtime timeframe, maybe at several redundant units at once. Leaving the message path. So you're still screwed. (Simply, because the win to cost ratio may be near to infinity. If we have concerns regarding personal messages, how could we possibly guarantee for this one?) Enter the paper trail and printers. – However, does anyone remember the Xerox scanner debacle of misarranged and falsely duplicated data by the compression algorithm, or the debates about Obama's birth certificate (due to image portions duplicated by the compression algorithm)? Things like these went unnoticed for years.
What we may learn from this, a) there's no perfect system involving software, b) if we do not want to invest as much in democracy as we do in shuffling around a few people by aviation, how may we be worth it? Anyway, voting methods shouldn't be about cost reduction.
Sounds good. But in practice it's complicated. In Brazil we have been using electronic voting systems for 20 years. Since then, there's been absolutely NO EVIDENCE of fraud. Specialists are regularly invited to know the code and try to find vulnerabilities (the code wasn't open-sourced, and personally I don't think it should be).
And, even so, the losing parties ALWAYS claim there's been some fraud, and a significant part of their respective voters buy such discourse.
There's been turnover of power pretty regularly in most parts, and even this doesn't stop folks of accusing electoral fraud.
Last year, thanks to WhatsApp, the debate gained special contours. Lots of malicious people shared videos showing fake frauds, which were dismissed after some hours.
There's been also lots of stupid people mistyping into the ballot and screaming around with a camera accusing a fraud.
It was a bit of a mess and things tend to get serious in very tight scores, since there won't be a safe, auditable way of recounting the votes without having to fully believe in the government agency responsible for operating the system.
The system makes the process extremely efficient. We are 100 million voters, voting is mandatory, and we always know the winners within a couple of hours past the end of the voting process. But..
My ideal voting system would allow me to have a real time feed of votes as they come in, so that at the end of the night I can check my records vs the "official" records. Names can be detached, all I need is a Ballot id. BallotId can be something as simple as the hash of RegisteredVoterId + password + Salt + ElectionId.
As long as the voter remembers their password, they can look up their record, and the record can be a fully public record with anonymity.
How does the current system, or any voting system, prevent coercion? If there's a gun to your head, or some other ultimatum, it seems far too late to be worrying about your vote being shared. Even if votes aren't all logged, you can still be tortured for the answer. I would much rather the country have an individual coercion problem than a mass voting fraud problem.
"Voting systems should [...] not permit anyone, including the voters themselves, to learn how they voted" What could possibly be the benefit of that?
By having dozens of people watching everything except the actual marking of the ballot. Scrutineers are highly motivated: they want to catch the other candidate cheating.
I've been a scrutineer in a polling room. I could watch and challenge anything except the marking of a ballot. And I did. So did other scrutineers. The odds of the mobster keeping a rotating scheme without detection approach zero with great rapidity, especially since staying in the ballot after casting your vote is not permitted.
If you really want a secret voting system such that the voter can’t access their own history, then just do not offer the password option. Instead a unique private key is generated, but never distributed to the voter or any other party.
However, I’d personally prefer a system that was fully public. Problems: Social Pressure, Violent/Non-Violent Coercion, Retaliation.
Coercion could be a problem but with enough humans seems unlikely to be effective without the details of the conspiring entity leaking. If there are 10 jurors or a few judges coercion matters because it is easy to cover up. Coercion at scale has never occurred. Coercing any double digit percentage of 300 MM voters through violence or bribes or etc will leak based on the law of large numbers. Conspiracies stop being theories when they are validated by thousands/millions of people.
Social pressure is a bit trickier. It does force any minority voice to reconsider their vote. However, this isn’t different from most of history where a violent or non-violent revolution occurs. Most people lie about their opinion officially but build consensus privately. Until a point where the scale tips and both opinions are appropriate and debatable.
Retaliation is the biggest issue. But we already have some pretty good laws in place around discrimination based on politics. We can improve those, but also as a society we need to get better at debate without retaliation and hiding opinions doesn’t help that societal improvement.
Laws can prevent coercion, at least by major businesses, but another concern is people selling their votes on a black market. Still, to me, the benefits of an open and verifiable voting system would outweigh the downsides.
A simple secret ballot by paper is both open (anyone can observe the ballot casting and counting) and verifiable (the vote count can be repeated to confirm the totals).
Voters don't need to be able to verify their vote post-election because a) they cast their ballot, so they can just remember who they voted for, and b) they can't change their decision, so there is no need to have a record of it.
Fair enough, this idea came to me before 2016. Post 2016, in this world where people are ready to commit violence purely based off their judgement of your political beliefs, this is a legitimate concern.
Generally all mail in voting systems let you override your vote. If someone coerces you once and you send in another ballot postmarked after the first or go to your polling location in person on election day you can override that vote.
You basically need to hold someone hostage or under total surveillance from when the ballot is mailed to when the polls are closed to avoid them just sending in their actual ballot afterwards.
With an electronic voting system the window of time you have to hold someone hostage is much shorter - simply force their vote an hour before the polls close and then hold them prisoner for the hour.
At least here in Denmark mail voting does not just mean that you send your vote by mail.
It means that before the voting date you go to a public office, a consulate in a foreign country, etc., show your ID, go into a voting booth and vote, and they put your vote into an envelope that is sealed and mailed to the voting place.
Or that two appointed volunteers go to, e.g., an assisted living facility and witness residents voting and placing their vote in an envelope that is then sealed and mailed to a voting place.
When thinking about voting by mail I wouldn't consider North Carolina's system as exemplar, since it is still primarily a polling-place election. Instead, look towards Washington, Oregon, and Colorado which are states where elections are entirely by mail. Evidence of coercion or fraud is low, and engagement is high.
In many states it is possible to get an absentee ballot for any reason, which allows the same coercion potential but without the convenience of full vote by mail. Forcing voting in person also has a large effect on who actually votes (due to work or other issues getting in the way, which could also include coercion from a spouse who thought you might vote the wrong way or doesn't think you should be able to vote). Presumably people are checking if there are large swings in voting patterns when vote by mail is started that would indicate widespread coercion. Coercion can also be effective in practice even when the actual voting is done in secret.
I wouldn't recommend vote by mail for Mexico, where there is widespread vote buying even with secret ballots, but for the US it seems to me that vote by mail is likely to be more representative and increase the chance that voters will research the candidates as they are voting. No system is perfect so it is a question of what tradeoffs seem to make the most sense for particular situations.
The problem with any voting system that allows you to verify the vote after the fact is that it makes it too easy to coerce someone to vote a certain way.
I can promise you money (or threaten you with violence) to vote a certain way, but you can't follow me into the booth, and no matter how you make me "verify" I can always change the vote between verification and depositing it in the box.
If there is a way to verify after, then I can withhold payment until you verify your vote, or hurt you after I've seen your vote isn't what I wanted. By not allowing after the fact verification, it means that can't happen, and greatly reduces coerced votes.
So as cool as it would be to verify my vote after the fact, it has too many unintended consequences.
Using 'something you know' it's possible to both verify how your vote went and at the same time not allow someone else to know, even if forced.
A simple example would be assigning a random color to each option per person. So blue means Trump for you. Hillary for someone else.
You only need to get people into a booth once, to learn which color is which option.
From there on in, verification is as simple as looking at the color to make sure it's correct. No one else can be sure what the color means.
Same principle can be done on multiple votes, though information will leak. So if you're coerced more than once you'd need to regenerate your colors. So while this solution stops the 'violence' coercion it won't stop 'sale' coercion.
Also the other problem is people will write their colors down or forget them - which is why as you say verification after the fact causes way too many problems.
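A small simulation of the per-voter colour table described in the comments above, written as an added example rather than code from the article or from Galois. The option names, colour palette and the "leaked pair" scenario are constructed for illustration; the point is that a receipt colour alone is consistent with every option, but reusing one table across several votes lets an observer who has learned a single colour-to-option pair narrow later receipts down.

```python
import secrets

# Constructed sample data: the options on the ballot and a palette larger
# than the option list, so each voter's table uses a random subset of colours.
OPTIONS = ["Trump", "Clinton", "Other"]
COLOURS = ["red", "green", "blue", "yellow", "purple"]
_rng = secrets.SystemRandom()


def issue_mapping():
    """Done once, in the booth: the voter learns a private option->colour table."""
    return dict(zip(OPTIONS, _rng.sample(COLOURS, len(OPTIONS))))


def receipt_for(mapping, choice):
    """What gets printed or published: only the colour, never the option name."""
    return mapping[choice]


def voter_verifies(mapping, receipt_colour, intended):
    """The voter checks the public record against their own memorised table."""
    return mapping[intended] == receipt_colour


def options_consistent_with(receipt_colour, known_pairs=()):
    """What an outsider can conclude from one receipt colour.

    known_pairs: (colour, option) pairs the outsider has already learned for
    THIS voter's table, e.g. from an earlier coerced vote made with the same,
    never-regenerated table. With no leaked pairs every option remains
    possible; with a leaked pair the receipt is either fully exposed (same
    colour) or the leaked option can be ruled out (different colour).
    """
    for colour, option in known_pairs:
        if colour == receipt_colour:
            return {option}
    return set(OPTIONS) - {option for _, option in known_pairs}
```

The last function is the information leak the comment mentions: the first coerced vote costs the voter one entry of the table, and every later receipt using the same table is weaker by that entry, which is why the table has to be regenerated after any disclosure.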
Not necessarily. Systems that allow you to verify that your vote was included and counted toward the candidate you selected in the booth, but do not allow you to prove to a third party who you voted for, are known, such as Scantegrity.
It sounds like the new system has this feature, and also another key feature of Scantegrity which is that the tallying can be done publicly and independently verified. From the article:
> The optical-scan system will print a receipt with a cryptographic representation of the voter’s choices. After the election, the cryptographic values for all ballots will be published on a web site, where voters can verify that their ballot and votes are among them.
> “That receipt does not permit you to prove anything about how you voted, but does permit you to prove that the system accurately captured your intent and your vote is in the final tally,” Kiniry said.
> Members of the public will also be able to use the cryptographic values to independently tally the votes to verify the election results so that tabulating the votes isn't a closed process solely in the hands of election officials.
> “Any organization [interested in verifying the election results] that hires a moderately smart software engineer [can] write their own tabulator,” Kiniry said. “We fully expect that Common Cause, League of Women Voters and the [political parties] will all have their own tabulators and verifiers.”
I saw value in being able to confirm the public record matches what you did in the booth.
When you vote there would be a record of the registration Id voted for this particular election id. Information that you voted is already available... so this component is not a change to the system really.
How well does it work for people with motor disabilities? Vision disabilities? Does an X mean a choice or they crossed out their choice? What happens when the pens run out of ink? What if they can’t read English?
Helpers? What do you pay them? Can they understand that dialect of that obscure language? Do you trust them not to lie about what they’re marking on the ballot for someone?
The truth is electronic voting machines have upsides. Having the system fill out the ballot which the voter then hands in seems like an almost ideal use to me. It’s totally verifiable but can help many people who wouldn’t be able to vote without help.
I legitimately don't understand what's the invention here. If all you're trying to do is avoiding having an invalid or ambiguous ballot and you print out a paper copy anyway, why invest 10 million into a new system instead of just using some bog standard computer + printer?
If you're going to get the physical ballot anyway what's the point?
Systems comprising entirely of pen/paper and manual counters with oversight by the parties, where sufficient engagement in the community provides the volunteer manpower to oversee the election, are impervious to electronic interference.
Surely it doesn't cost $10m to build a secure ballot form. Existing solutions have had so many obvious flaws that it seemed like e-voting companies weren't actually interested in accurately counting votes. They really need 50+ people to make a checkbox form and print the result?
Secure hardware sounds like the wrong idea, I think. I think the correct idea will be something more similar to block chains. A system where the security of the system lies in the ability for anyone to make a copy of the voting data at any point in time. So there will be multiple copies of the voting data, owned both by the authorities and by ordinary people.
If the authorities try to tamper with the central copy of the voting data, it will be checked by the multiple copies owned by the general public.
I think that's the general idea one should pursue. Not "secure hardware".
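One concrete shape for "anyone can copy the voting data and check the central copy against their own" is a hash-chained, append-only ledger with public mirrors that keep the chain head at the time they copied it. This is an added example, not code from the article, from DARPA or from Galois; the record fields and sample ballots are constructed, and `Mirror` stands in for any member of the public who took a snapshot. Any later edit, deletion or reordering of a record that was already mirrored changes the head that mirror holds, so it is detected; appending new records is allowed.

```python
import hashlib
import json

GENESIS = "0" * 64


def chain_heads(records):
    """Return the running chain head after each record: h_i = SHA256(h_{i-1} | record_i)."""
    heads = []
    head = GENESIS
    for rec in records:
        payload = json.dumps(rec, sort_keys=True, separators=(",", ":"))
        head = hashlib.sha256((head + "|" + payload).encode()).hexdigest()
        heads.append(head)
    return heads


class Mirror:
    """A public copy: remembers (record count, chain head) at each snapshot."""

    def __init__(self):
        self.snapshots = {}

    def snapshot(self, records):
        if records:
            self.snapshots[len(records)] = chain_heads(records)[-1]

    def check(self, published):
        """Every earlier snapshot must still be a prefix of the published log.
        Returns the list of snapshot sizes that no longer match (empty == consistent)."""
        heads = chain_heads(published)
        return [
            count
            for count, head in self.snapshots.items()
            if count > len(heads) or heads[count - 1] != head
        ]


def demo():
    # Constructed sample ballot records (anonymous: serial, precinct, choice).
    log = [
        {"serial": 1, "precinct": "P1", "choice": "A"},
        {"serial": 2, "precinct": "P1", "choice": "B"},
        {"serial": 3, "precinct": "P2", "choice": "A"},
    ]
    mirror = Mirror()
    mirror.snapshot(log)                       # the public copies it at 3 records
    log.append({"serial": 4, "precinct": "P2", "choice": "B"})
    ok_after_append = mirror.check(log)        # [] : appending is fine
    tampered = [dict(r) for r in log]
    tampered[1]["choice"] = "A"                # central copy quietly edited
    bad_after_edit = mirror.check(tampered)    # [3] : detected by the 3-record snapshot
    return ok_after_append, bad_after_edit
```

Detection here depends on snapshots being taken by many independent parties and on the authority publishing in public, so that a "fork" (showing different logs to different mirrors) is itself visible when mirrors compare heads; the code checks one mirror against one published log and does not solve the comparison between mirrors.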
> Have there been any competitions to make an open source, highly scalable and verifiable anti-tampering voting system
Yes, for thousands of years. The result is called the paper ballot.
You cannot have a verifiable anti-tampering voting system using computers. You need verifiability by the general public. Auditing a microchip is not something members of the general public know how to do, and in any case, it destroys the chip, so it's kinda useless anyway.
Are those tamper proof? I recall some engineers testifying before Congress about specifically making paper ballot systems that were designed to allow altering results. Diebold I think? I don't have a link handy, but it seems that is just as fallible.
Or do you mean hand written ballots? Does anyone still use those?
And yeah, the digital ones have been hacked at DefCon by children. (their parents taught them how to hack the devices, so I guess that is cheating)
Maybe throw in some Blockchain or did I use a BS Bingo term?
In the UK, ballots are still done with pen and paper. You put a cross in one of the labelled squares and fold the paper, then drop it into the ballot box.
Also, while the guidelines say it has to be a cross, it could be any clear mark (though best not to risk it), as someone drew a rude symbol in a square and it was counted as a vote! (https://www.bbc.co.uk/news/magazine-32693485)
> Or do you mean hand written ballots? Does anyone still use those?
Yes. The constitutional court of Germany ruled that electronic voting is essentially illegal in Germany due to all the inherent flaws, so all elections are done with pen and paper, ballot boxes, and manual counting.
> Members of the public will also be able to use the cryptographic values to independently tally the votes to verify the election results so that tabulating the votes isn't a closed process solely in the hands of election officials.
This sounds like they are using homomorphic encryption?
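The article's description (a receipt that proves your ballot is in the published set but proves nothing about how you voted, plus a tally that any "moderately smart software engineer" can recompute from the published values) is what an additively homomorphic encryption scheme gives you, so here is an added, toy-sized model of that, serving both the quoted receipt/tabulator passage above and this question. It is not Galois' design and not Scantegrity; it uses Paillier with two small fixed primes purely for illustration (not secure), the candidate names and votes are constructed, and the key is held by a single "authority" function. Every ciphertext is published on the board; a voter checks their receipt is there; anyone multiplies the ciphertexts to get the encrypted total; only that one aggregate is ever decrypted. Because the machine keeps the blinding value `r`, the receipt by itself does not let the voter demonstrate their choice to anyone.

```python
import secrets
from math import gcd

# Toy Paillier keypair. Small fixed primes: ILLUSTRATION ONLY, not secure.
P, Q = 1000000007, 998244353
N = P * Q
N2 = N * N
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # lcm(p-1, q-1): the private key


def _L(u):
    return (u - 1) // N


MU = pow(_L(pow(N + 1, LAM, N2)), -1, N)        # modular inverse (Python 3.8+)


def encrypt(m):
    """Enc(m) = (1+N)^m * r^N mod N^2 with a fresh random blinding r."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if gcd(r, N) == 1:
            break
    return (pow(N + 1, m, N2) * pow(r, N, N2)) % N2


def decrypt(c):
    """Authority-only: Dec(c) = L(c^LAM mod N^2) * MU mod N."""
    return (_L(pow(c, LAM, N2)) * MU) % N


CANDIDATES = ["Alice", "Bob", "Carol"]          # constructed ballot
SLOT = 1000   # each candidate owns one base-1000 digit: up to 999 votes each


def cast_ballot(serial, choice):
    """The machine encrypts the vote and prints (serial, ciphertext) as the receipt.
    Without r the ciphertext reveals nothing, so the receipt cannot prove the choice."""
    return (serial, encrypt(SLOT ** CANDIDATES.index(choice)))


def receipt_on_board(board, receipt):
    """Voter-side check: my receipt appears among the published values."""
    return receipt in board


def public_tally(board):
    """Anyone's tabulator: the product of ciphertexts is Enc(sum of encoded votes)."""
    acc = 1
    for _, c in board:
        acc = acc * c % N2
    return acc


def authority_opens(encrypted_total):
    """The only decryption in the whole election: the aggregate, never a ballot."""
    total = decrypt(encrypted_total)
    return {name: (total // SLOT ** i) % SLOT for i, name in enumerate(CANDIDATES)}


def run_election(votes):
    board = [cast_ballot(serial, v) for serial, v in enumerate(votes)]
    return board, authority_opens(public_tally(board))
```

Two things a real deployment adds that this model leaves out: a zero-knowledge proof attached to each ciphertext that it encodes exactly one vote for one candidate (otherwise a malicious machine could encrypt `500 * SLOT**0` and stuff the box unnoticed), and threshold decryption so that no single party holds `LAM`. Two independent tabulators multiplying the same board in any order get the same aggregate, which is the "write their own tabulator" check the article describes.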
A corrupt human being can change one vote, or a few hundred if they're very industrious, in a paper ballot system. A corrupt human being can change every vote in an electronic ballot system. I would rather use the system where fraud is difficult and expensive and low-impact.
Corruptible humans will always be in charge, until Terminator. The question is, how much corruption are we willing to put up with, how would we know it is happening, and how robust are the apparatus for correcting those abuses?
Allowing everyone to verify that their vote was counted as they intend is a start, but....I'm not saying it has to use block chain, but for its veracity to actually be openly verifiable, the voting ledger has to be publicly visible.
That's all assuming the voting machine is actually running the software/hardware they tell you - how would a voter check?
The article briefly mentions "That receipt does not permit you to prove anything about how you voted, but does permit you to prove that the system accurately captured your intent and your vote is in the final tally,". But if that receipt doesn't let you prove anything about how you voted, how can you tell from it that your vote was captured 'correctly'? The machine can print anything on the receipt!
Then there is the question - what problem is e-voting trying to solve? Hand-counting scales perfectly and is extremely difficult to covertly tamper with. So the only 'problem' e-voting solves is that of being unable to covertly and fully subvert elections.
> That's all assuming the voting machine is actually running the software/hardware they tell you - how would a voter check?
Have dedicated hardware compute a hash from the content of program ROM on demand with a button press and present it on an auxiliary 7-segment display. Compare against the hash of the vetted image. No software need be involved.
At some point in the process, machines will be used for tabulation. You have to trust the hardware to some extent. Just keep it as simple as possible to minimize confounding complexity that an attacker can hide in.
If the compiler was compromised, how do you know the vetted image is correct? If the hardware was compromised, then the software will still hash to the correct value. And once the attacker knows where you're getting the dedicated hardware for the hash, he can compromise that as well.
And the entire system relies on the people implementing it to not have been compromised. Because if they were, if the government itself compromised the machines, the voters could never tell. How good is a voting system that only works if your government is honest?
I think it's unfair to say there is no point in e-voting besides malice.
e-Voting could make it easier / cheaper to deploy polling stations, collect ballots faster, and potentially to use more complex (but more fair and accurate) voting methods like Ranked Choice or others.
As for the "We won't tell you how you voted but you can validate it", my first guess would be some kind of PKI where you are given the equivalent of a private key, and your results are signed.
There are issues trusting hardware vs. trusting the sight of paper and two humans, I get that. But it's worth researching.
> e-Voting could make it easier / cheaper to deploy polling stations, collect ballots faster, and potentially to use more complex (but more fair and accurate) voting methods like Ranked Choice or others.
In Australia we use IRV (what you call ranked-choice) and we don't have any forms of electronic voting for federal elections, and the overwhelming majority of votes cast in state elections are paper ballots (which are hand-filled). You don't need e-Voting to solve that problem.
Your votes are still probably counted by a computer. In San Francisco, we use optical scan ballots. This system is very similar. It prints out a ballot that you validate and feed into an optical scan machine. Marking the ballot is electronic, which allows for more language choices, assistance for hearing impaired people, etc.
I'm sorry, do you know what the acronym D.A.R.P.A. stands for, or that they explicitly stated they aren't the production implementer of any such system? Do you know what the network you're throwing packets at is based on?
Anything that relies on secure hardware/software is broken, since those are impossible to assure. The only part that can actually guarantee secure voting is everything that's outside the hardware. Things like cryptographic signatures, hashes, paper trails, whatever. Things that don't rely on the black box you're presented with when you vote to work how you think it works.
Researching that doesn't require a prototype. So why are they building one? As a first step to using a voting system based on it. This isn't 'research', it's propaganda to sell the idea that hardware can be secure. They'll give it to Defcon or whoever, and once they fix all the weaknesses hackers can find, they'll triumphantly declare it's 'secure', and that we can switch to e-voting, and not to worry our pretty little heads about chip/compiler-level backdoors, or if the builders of the system themselves subvert it.
They can state they won't be the implementer of such systems all they like, that doesn't change the intent of this program - to push e-voting reliant on 'secure' hardware.
I know it is being beaten to death, but a major issue with voting is the counting part. The counting is where the fraud is being perpetrated (and no, I'm not so naive to think it doesn't happen). Seattle. Minneapolis. Milwaukee. Detroit. Philadelphia. Broward County. And those are just recent examples.
I think there is counting fraud from sea to shining sea. What are we going to do to make the vote counters less able to rig the vote and cease "finding" boxes of absentee ballots or whatever at the last minute with 99% precincts reporting?
Because you cannot verify your phone is not compromised at either a software or hardware level.
You would need independently verifiable hardware and all software running on a closed system (ie, no third party modifications to running software which would mean at most a trusted sandbox for other applications outside the proven path) to be able to trust it to reliably take your vote.
Thats on the order of correctness provability that NASA puts into launch vehicles but NASA doesn't have to contend with hostile actors seeking to undermine their software and hardware.
TL;DR: hardware security, software security, authentication of voters, and the tech literacy of the average person.
Because now instead of securing centralized voting locations and machines you somehow have to create perfectly secure software running on your Aunt Florence's machine with 51 toolbars and 3 different botnets installed and also make sure she can use it properly and securely. Oh also now you're accepting votes as bits over the internet giving nation states probably the juiciest target and the widest possible attack surface (see securing every voter's computer).
Even using something like the IME and secure enclaves to take the computation outside the range of your average exploit it's still vulnerable to attack.
Then even if you've perfectly secured the hardware and software you're just left with the largest login/key infrastructure problem of all time with the average voter having to understand how to not be tricked into not actually using your secured software and hardware environment...