Readit News
teddyh · 2 months ago
No. Public trust demands no software or programmable hardware in the election process.

• Why Electronic Voting is a BAD Idea <https://www.youtube.com/watch?v=w3_0x6oaDmI>

• Why Electronic Voting Is Still A Bad Idea <https://www.youtube.com/watch?v=LkH2r-sNjQs>

bogwog · 2 months ago
I agree that paper ballots are better, but also agree that electronic voting, when used, should be open source.
xorcist · 2 months ago
If you can independently verify the election result, then it does not matter if any of the counts were made using proprietary software.

If you can not independently verify election results, what good does published source code do?

Elections are a process, not a result.

lucideer · 2 months ago
I agree insofar as ensuring all e-voting implementation attempts are open source will enable us to more comprehensively prove that it is a fundamentally bad idea.
themafia · 2 months ago
Candidates drop out, die, or become ineligible in all kinds of ways. Paper is not strictly better and can create costs and complications on the day of the election itself.

Electronic voting is fine. Why can't we just have a printer in the polling booth? I run my ballot, then hit print, then I can manually verify it, and then drop the printed ballot in a box.

Literally the easiest thing to do.

rstuart4133 · 2 months ago
> I agree that paper ballots are better,

You didn't define how paper ballots are better. Given that many electronic systems print paper ballots, I'm not sure how they could be said to be universally better.

Electronic ballots can be much better than paper in two ways. Firstly, they are faster to count. I'm not sure why that matters, but it's true and some people seem to think knowing the outcome quickly is important.

Far more importantly to me: they are easier to use. In Australia we have compulsory voting. A lot of attention is paid to how many votes are invalid. It currently runs at 5%, but ranges up to 10% in areas with lower education levels or non-English speaking. Voting machines can tell you if the vote is valid, help you if it isn't, provide information from the candidates if you want to know more.

On the downside, a poorly designed voting machine can be far less secure than our current paper system. Sadly, I don't think I've seen a proprietary voting machine that didn't have significant design flaws. Making the situation worse is the voting machine companies like to keep their flaws well hidden (flaws aren't good for sales). In Australia, we've had examples of the Australian Electoral Commission pursuing academic researchers in the courts for revealing flaws. [0] Mandating open source is a solution to that.

[0] https://www.unimelb.edu.au/newsroom/news/2019/november/flaws...

EasyMark · 2 months ago
One of the few things I was happy with Texas legislation this year was moving all to paper ballots. They still use the "bubble counter" machinery though and not human eyeballs. But it's not like it still relies on honest people and a government that is neutral when it comes to counting votes. That's starting to look like it is less and less possible with the current regime's banana republic chaos.
jonathanstrange · 2 months ago
I wouldn't trust any democracy that uses electronic voting. It is not possible to secure voting machines and make them democratically accountable.
tmaly · 2 months ago
there are even ways that paper ballots can fail. there needs to be a better process that has proper controls and checks regardless of the format used.
ncr100 · 2 months ago
(META: Anyone want to summarize the 20 minutes of video, and make it more relevant to this conversation than simply, "No." ?)
pie_flavor · 2 months ago
Haven't watched it, but to summarize what I imagine someone aligned with me would say: A ballot's entire lifecycle can be watched as it goes from the stack to the booth to the dropbox to the counting pile. Poll watchers are vestigial as soon as voting machines are involved; it becomes the honor system, which is not trustworthy enough in a system where the parties do not trust each other. The best you have is 'we have found no evidence of widespread voter fraud', a carefully couched statement from media organs you don't necessarily trust either. You, a (Democrat/Republican), can trust a system with paper ballots, because people from your party will observe all relevant details of the process everywhere the process occurs.
nostrademons · 2 months ago
First video:

Arguments against electronic voting: 1) one person can change millions of votes 2) vulnerable even outside the country 3) even if you audit the software, it's hard to verify that the audited software is what is actually loaded on the machines 4) even if you check hashes of the software, how do you check the software that checks the software (this is a restatement of the Ken Thompson Hack) 5) proprietary software 6) USB sticks are insecure 7) final computer tallying everything is owned and located in a single place 8) XSS attacks on e-voting pages.

Arguments for physical voting: 1) centuries old, many attacks have already been tried and failed 2) no identifying marks on ballot = no opportunity to pressure voters to change their vote 3) multiple people involved in each stage of the process

I realized after typing that out that YouTube has a "Show Transcript" function, so try that for the second video.

mcmoor · 2 months ago
In addition, and I think the punch line, if you take measures to decentralize and audit every single part of the digital process, you have just made the most expensive pencil and it'll not perform that much better against manual voting to begin with.
indymike · 2 months ago
Too easy to cheat.
supportengineer · 2 months ago
This isn't a technology problem, really. It's a problem of corruptible humans. In US elections, there are billions and even trillions of dollars at stake. Observe the grifting being done by the current administration. Thus, humans are extremely incentivized to corrupt the process. Technology just makes the corruption easier. Technology enables the grifter.
throwaway48476 · 2 months ago
An optical Hollerith machine would be useful. It would sort paper ballots into buckets based on selection. It's relatively easy to flip through a stack of ballots and ensure that every one has the same selection. Saves the effort of hand sorting which is not error free.

oceansky · 2 months ago
Brazil and India are doing fine
fmbb · 2 months ago
How do you know? How can their citizens know?

They don’t have stellar democracy grades from The Economist’s index: https://en.wikipedia.org/wiki/The_Economist_Democracy_Index and both seem worse off in the last ten years than the ten years before.

gus_massa · 2 months ago
Are they using only the electronic version or the mixed version? We used the mixed version in some elections here in Argentina. The paper trail is harder to fake, and the electronic part closes a few problems of the only paper version.
teddyh · 2 months ago
Placed 56 and 41, respectively, on the Democracy Index.
tecoholic · 2 months ago
Umm.. I wouldn’t say fine.

https://www.bbc.com/news/articles/cj9w43p7741o.amp

Things have always been iffy. No one knows for sure.

Edit: That link is the most recent example. Googling for voting machines themselves would bring more examples. Every election cycle we go through reports of malfunctioning, no audit, audit not matching, extra machines appearing, machines being taken around by politically connected, even things like pressing any button on the machine voting for the same party…etc., but ECI has been pushing it aside and refusing to open up. This recent one became an issue because the manipulation (allegedly) went a layer deeper into the voter rolls themselves and they are public data.

We don’t know what’s up with the machines.

matheusmoreira · 2 months ago
Haha no. Voting machines caused absurd amounts of political instability here in Brazil. It's essentially become wrongthink to question the system.

Our elected representatives have tried to add a paper trail to the machines twice now and it was ruled unconstitutional for total bullshit reasons. Our former president was banned from future presidential races because he questioned the machines. We have a judge loudly proclaiming that the machines are UNQUESTIONABLE with such unwavering pride you'd think he'd have the balls to start a billion dollar bug bounty and post it here on HN. He only allows you to "audit" the system by appointment behind closed doors and the only tools you're allowed to bring with you is a pen and a piece of paper. People found issues even with these restrictions. There are people protesting to this day, laymen asking for source code, completely unaware of the existence of supply chain attacks and the fact the source code would prove nothing and serve only to humiliate them. We have former US president Biden's top CIA guy telling our former president to stop questioning the machines, wouldn't be surprised if they had access to this shit.

Germany did it right: voting machines are unconstitutional because citizens do not understand it. Elections must be fully auditable by the average person. This is the correct stance.

standardUser · 2 months ago
Belgium has been doing it for 25 years, though not without some issues. I'm happy to let other countries lead the way on this since we have a perfectly viable alternative.
vandyswa · 2 months ago
A solid starting point, but it's easy to lose sight of the other critical part of the puzzle--integrity of the voting rolls. High quality vote tabulation needs to start from voters, where _only_ legitimate voters vote, and each only votes (at most) once, after which yes, their vote is accurately tabulated.
tadfisher · 2 months ago
Voter rolls are public information in the US; there are several watchdog groups that perform verification services and have done so for decades; and to date, none have uncovered the kind of large-scale voter fraud that would necessitate doing anything differently from what we do now.

In fact, I'd argue that having 50 different voting systems with 50 different ways to prove eligibility makes our elections more resilient to large-scale voter fraud, even if it makes it more difficult to verify voter rolls wholesale.

didibus · 2 months ago
Crypto could be argued similarly no? But it seems to have sustained trust.
ItsHarper · 2 months ago
Cryptocurrencies don't need to do things like make sure that no human gets more than one vote, only humans (no bots) from a specific part of the world get a vote, and keep votes secret. Blockchain is not the solution.
jnxx · 2 months ago
https://xkcd.com/2030/

Here in Germany, the Pirate Party has discussed the topic at length, since they (1) love voting innovations, and (2) have generally good knowledge on CS stuff, and so far I think no real solution is known for anonymous, confidential, secure digital voting with verifiable results, which is easy to reach with paper ballots and public observers of the counting.

estimator7292 · 2 months ago
Aren't most paper ballots processed by machine anyway? Every ballot I've ever cast has gone through something akin to a Scantron machine.

The cost of human labor to count all ballots by hand will be enormous. Probably worth it I suppose, but this really is something that should be primarily automated. But again, trust in software. Sigh, why can't we just have nice things?

abdullahkhalids · 2 months ago
A single polling station usually only has a few thousand voters. During the day, polling officers at the station processed (signed/stamped/tore/etc) every single ballot that went into the boxes. They also verified every person's ID. When polling closes, why is it enormous human labor to count the votes, but all the processing during the day is not?
jerojero · 2 months ago
Chile has a very good election system and there's basically no machine input in the process.

What's important is being able to segment the population in enough voting places so that each voting place is manageable just by a small number of people. The Chilean system is scalable because you can always just add more voting places as the population grows.

Usually these voting places are civic centres, stadiums, schools.

It's a good system and generally for a presidential election we get the results in about 4 hours after voting ends.

raincole · 2 months ago
> The cost of human labor to count all ballots by hand will be enormous

In Taiwan, this is how it's done. Every ballot is counted by a human. It's completely public: you can just walk in any polling station during the counting process and watch them count.

andrewf · 2 months ago
Australia hand-counts. In a federal election, a voter will typically cast a preferential vote for the lower house, and a more complicated proportional vote for 3 senate seats. Rarely, they'll vote on 1 or 2 propositions ("referenda"). This seems comparable to a federal US ballot (first-past-the-post votes for house/senate/president).

The US casts 10 times as many votes - so it seems reasonable for the US to hire 10 times as many poll workers? Hand-counting is O(n) i.e. constant per-capita, and it scales horizontally.

Local and state ballots in the US can feature tens of elected positions and propositions, I could imagine hand-counting them to be quite expensive.

ItsHarper · 2 months ago
I'm much less concerned about automated vote counters, as long as they are not connected to the Internet, enough ballots are hand-reviewed to make sure that the values from the machine don't seem way off, and the specific type of counting machine isn't uniform across the whole election.
bell-cot · 2 months ago
If your paper ballot are counted by simple, airgapped machines - that's both a vastly reduced attack surface, and is easy (if laborious) to physically audit.
okanat · 2 months ago
The cost of human labor? Maybe US-exceptionalism is peeking through?

In actually democratic countries the elections are done on holidays (Sunday) and the polling stations are where you live.

It is your vote you silly. It is your democratic duty, right and responsibility to guard it if you don't trust the observers by becoming one. Everybody should be able to watch the process and the count!

Losing one day of revenue would not hurt. Especially on a holiday.

nostrademons · 2 months ago
I'm watching him talk about the two key ingredients of an election (anonymity and trust, for those not watching the video) and thinking "We don't have those in U.S. elections".

I live in California, where the voting method is vote-by-mail and you sign your ballot. That breaks anonymity right there, plus there's a barcode that matches address and ballot for traceability, so in theory anyone involved in the election process could look at my ballot, cross-reference against address, and figure out how I voted. In practice I've never heard of anyone being pressured or confronted based on how they voted, so my default assumption is this doesn't happen much or at all.

But even broader, in the U.S. your party registration is public information. That's why whenever there's a political shooting, the media always says "He was a registered Republican" or "registered Democrat" or "was not registered to vote". And this mechanism is actively and publicly being exploited to alter elections. Since the U.S. is a two-party system and party membership is public, you have a fairly good idea how each precinct is going to vote before they vote, and can gerrymander maps to get the outcomes you want.

Plenty of trust issues in physical ballot transfer as well. California is vote-by-mail, but that assumes the postal service is a reliable carrier, while there was just a recent news story [1] about ballots being stolen. Before I lived in California, I was in Massachusetts, where we voted on 1930s-era lever voting machines where you hit a lever down and it marks a paper ballot without you ever seeing the real ballot. Between elections, these were stored backstage at the local middle school, so a mechanically-inclined middle schooler with knowledge of how an upcoming election's ballots would be formatted (and we did mock elections in middle school) could have rigged the machines to deliver the local precinct to their preferred candidate.

The useful points in the video were basically that decentralization and redundancy are what make physical elections hard to rig: you have to hack multiple locations to influence the overall election, and at each point you have multiple eyes watching you. He sets up the contrast with software voting, where you have the same software running on each machine, and even if the software is open-source, you can't be sure that the rest of the stack it's running on is secure (an oblique reference to the Ken Thompson Hack [2]).

But decentralization and redundancy are properties that you can introduce into software systems just as easily as real-world systems. The KTH can be countered through Diverse Double-Compiling, for example [3]. zkStarks and digital signatures give you ability to prove that you authored something without revealing what that something is or who you are. The importance of client diversity for the security of the network as a whole has been well-known in the filesharing and crypto worlds. And anyone who has worked in Big Tech, aviation, or telecom could tell you that having multiple paths to success that are developed by independent teams is important for any computer system that is in a safety- or reliability-critical area.

[1] https://www.almanacnews.com/election/2025/10/14/ballots-stol...

[2] https://aeb.win.tue.nl/linux/hh/thompson/trust.html

[3] https://dwheeler.com/trusting-trust/

Aloisius · 2 months ago
> I live in California, where the voting method is vote-by-mail and you sign your ballot. That breaks anonymity right there, plus there's a barcode that matches address and ballot for traceability, so in theory anyone involved in the election process could look at my ballot, cross-reference against address, and figure out how I vote

They actually go through quite a bit of effort to prevent breaking anonymity.

The incoming ballots are scanned and sorted by machine to record that they arrived. Later, signatures on the envelope are checked. The signature verified sealed ballots are then moved and fed into a high speed extractor separating the ballot from the envelope so the envelope label isn't visible, breaking any linkage between the ballot and the voter's identity. Ballots are stacked with other ballots, still folded and moved elsewhere to be counted. The empty envelopes are kept and scanned again.

All of this happens with multiple people and on camera.

The ballot barcodes don't record any unique information that can identify voters - they're just things like precinct, ballot language and page number.

bigstrat2003 · 2 months ago
Because of the extreme diversity in voting methods in the US (it varies not only by state, but by county within the state) it's impossible to accurately make any generalization about voting in the US. For example, in my parents' county in Wisconsin, you show up at the polling place, they check you off the list of registered voters, and they hand you a ballot with no individual markings at all. Once you finish filling it out, you put it in a box with the other identical ballots, to be counted later. It's as anonymous as you could possibly ask for, except that they know that someone claiming to be you showed up and voted.

As far as party registration goes, is that required where you are? Because if so that's insane and the government there needs to change that. Everywhere I've lived you don't need to register any kind of party affiliation (and indeed some places you couldn't), you just register as a voter and you're good. Maybe it's different where you are, but if so just be aware that it is (thankfully) not universally done wrong in the way you describe.

shadowgovt · 2 months ago
Ironically, that results in worse count accuracy.

Humans are actually quite bad at hand-tallying hundreds of millions of datapoints. Our eyes go glassy but we press on anyway.

Machines are very good at doing that kind of tedious labor accurately.

Whether human beings will put more trust in a system that we know will be wrong, but it's wrong for comfortable meat reasons, over a system that might be compromised but will be more accurate is more of a psychology question than a technical question though.

gmueckl · 2 months ago
Human tallying is a source of errors, but it typically doesn't affect the outcome in major ways. This is more of an argument against large scale winner-takes-it-all election systems, as they have the least resilience against this kind of error.

The main benefit of manual tallying is that election tampering at scale becomes a rather labor-intensive and physical process that is more likely to leave detectable traces. Compare that to the last US presidential election that has statistical oddities in machine-tallied voting results of kinds that have historically been shown to correlate with election fraud. If this was indeed caused by fraudulent voting software, it happened without leaving any other obvious traces of tampering.

bkummel · 2 months ago
You can introduce procedures to minimize the error to a point that it’s not significant anymore.

Having a paper trail and an observable counting process is worth a small error margin.

floweronthehill · 2 months ago
I've counted paper ballots for multiple presidential elections in my country.

People who think it's not safe should really spend some time learning how it works. It's impossible to cheat at scale. Each ballot is verified to be correct by multiple eyes. A person is reading, one is writing down the name, one is verifying and some other things I don't remember.

To cheat you need to have everyone in on it. A whole town involved to cheat and to at best win one polling station. It's safe because anyone can attend the counting, so each party can send someone to check no shenanigans is going on.

So the more votes you want to be winning by cheating the more people must be brought in the conspiracy. That's impossible to be unnoticed at the scale of a city, much less at the scale of a country.

constantcrying · 2 months ago
>Humans are actually quite bad at hand-tallying hundreds of millions of datapoints.

Humans just need to be able to separate a few hundreds of ballots into a couple of piles. When introducing double checking this makes an incredibly rigorous process, which can be open to the public. This is the case here in Germany.

Everything after that can be done by computers as all the data after that is published.

Eddy_Viscosity2 · 2 months ago
The system used for voting means that humans don't hand tally hundreds of millions of votes. They tally those in a voting district only. Those then get aggregated with other districts and so on until the whole states and then the country is counted.

The problem with the accuracy assumption of electronic voting is that a) it's all coded without errors and b) someone hasn't deliberately put code in to manipulate the vote numbers.

teddyh · 2 months ago
User name checks out.
mariusor · 2 months ago
Posting those links without any insight from your side is just quoting dogma and, to me, it shows that you haven't really spent any time to consider the arguments. In my opinion it shows that you lack imagination.

Every problem Tom mentions can be worked on and overcome. Maybe not today, maybe not by the next big election, but we should still start now, rather than later. We need to do everything possible to increase participation in the democratic process, especially for the demographics that are currently not very involved, which are also the demographics that are more likely to adopt electronic methods of voting.

cheeseomlit · 2 months ago
>We need to do everything possible to increase participation in the democratic process

Do we? Participation should be made easy for those eligible and inclined to do so, but I don't see the benefit of encouraging participation from people who can't be bothered to put some effort into it, or are ignorant of the issues and candidates and are easily swayed by trashy campaign ads. I've seen the statistic thrown around that less than half of Americans can even name the 3 branches of government, and if that's true I think those people have a civic duty not to vote.

someothherguyy · 2 months ago
> Posting those links without any insight from your side is just quoting dogma

It would certainly be exhausting to share an opinion on every single resource you want to share with someone.

thadt · 2 months ago
* Opens Github repo

* Opens Cargo.lock [1] and pnpm-lock.yaml [2]

* Closes Cargo.lock and pnpm-lock.yaml

* Goes to find a Tylenol

At least with open source we can see the sausage getting made...

[1] https://github.com/votingworks/vxsuite/blob/main/Cargo.lock

[2] https://github.com/votingworks/vxsuite/blob/main/pnpm-lock.y...

aydyn · 2 months ago
Even after reading your comment I was not quite ready for that. I am gobsmacked, over 30K lines of lock file! Are we supposed to have trust in that?
bogwog · 2 months ago
To be fair... What I gather from the readme is that this is a monorepo containing 7 sub projects.
stego-tech · 2 months ago
EW. Here, I’ll share some of my Extra Strength Acetaminophen. Those are some cursed lock files.

NekkoDroid · 2 months ago
> * Goes to find a Tylenol

Watch out that you don't catch the autism :) /s

> [1] https://github.com/votingworks/vxsuite/blob/main/Cargo.lock

> [2] https://github.com/votingworks/vxsuite/blob/main/pnpm-lock.y...

These files are actually cursed and I want all drives that contain their data destroyed with acid. But I have a slight feeling other voting software isn't really any better, even though in theory it should be relatively simple software in the grand scheme of things.

arielcostas · 2 months ago
Maybe the solution is to have no software at all. Software can't be really audited at scale, human actions can
okanat · 2 months ago
Public trust cannot exist if the voting system requires *any* expertise. Voting systems should be idiot-proof. If you cannot explain how the voting system is manipulation-proof to a 7 year old, your voting system is untrustworthy.

This means anything more complex than a pen or a stamp on an approved paper is too complex.

lucideer · 2 months ago
I live in Ireland which I think has one of the best voting systems in the world (don't worry we've still got plenty of other serious problems with our electoral system).

It's 100% paper PRSTV & so the counts are slow. Not only is this generally OK (because getting a rapid result is absolutely not a requirement of any well-functioning voting system) but it also has actual benefits.

The main benefit is predicated on the count being engaging in and of itself. Other countries put a lot of effort into jazzing up statistical presentations on constituency predictions, choropleths aplenty, to engage viewers. In Ireland, count centres are not only manned by trained count staff, they're also flooded with volunteer tallymen who verify the counting in realtime. Count coverage is on the ground, showing a real physical process that's intricate enough to be watchable. The entire process also serves as an education-through-doing in how our voting system works, so you get a more engaged & informed electorate (when it comes to the mechanics of voting - still unfortunately not that informed on policy, that's a worldwide problem).

dmurray · 2 months ago
One of the weird things for computer people about the Irish voting system is that it's non-deterministic! You can count the same ballots in a different order and get a different result (because it depends which votes you choose as "surplus" to redistribute).

In practice it doesn't seem to matter that much. The counters even out the first-level effects of this, so it only matters for votes that have been transferred more than once; it can be determined statistically that it changes the result only in a very small number of cases; and there are plenty of other weird threshold effects to care about instead. But it's one property you might expect of a fair voting system that Ireland doesn't give you.

bkummel · 2 months ago
True! In The Netherlands, where I live, we still vote on paper ballots. The ballots are counted by hand. The counting is public, anyone can go and observe the counting.
hannofcart · 2 months ago
This is in no way intended to be disparaging: there are processes that work within the scale of small European nations that simply won't at larger scales.
matthewfcarlson · 2 months ago
Just the fact that there are millions of citizens means you have to trust the process. When I go vote and stamp my votes, you need to trust my county’s counters. I find it strange we focus so much on tampering with an individual vote (machine says you voted for X instead of Y) rather than tampering with aggregation
oivey · 2 months ago
If it’s just a signature or stamp, won’t the 7 year old ask why those can’t be faked or forged?
okanat · 2 months ago
That's an inquisitive 7 year old. Definitely reward them. Let's explain. A good voting system needs to guarantee

- Secrecy of who voted for whom

- Transparency of everything else. The names of everybody in the process, the process itself and all the statistics should be verifiably public.

Being an observer to your polling station must be a guaranteed voter right. Similarly all participating parties must have the right to send representatives to observe the entire process.

Before opening the polling station all ballots are counted by multiple observers from all sides. This is recorded into files / documentation of each observer. So the number of possible ballot papers that can be voted on is documented.

Then each ballot paper needs to be stamped with an official local seal. This is also observed by every observer. The number of stamped ballots is also counted and documented. The number has to match the original ones.

The number of people who can vote in that voting station is determined by a population survey. In bigger cities each region must have roughly the same number of constituents.

The number of ballots that are stamped must match the number of eligible voters in the polling station. A voter can request to change a damaged ballot paper. The replacement should be done in front of all observers and the voter. The replaced ballot is destroyed in front of everyone.

After putting their ballot into the box, the voter has to sign their name in multiple printouts of the list of eligible voters of that polling station. These printouts of the lists are held by observers from multiple sides. The number of signatures has to match the number of ballots in the box.

Everybody can observe the count. All the numbers are checked against each other.

If you think that this is infeasible, I come from a country of 80 million people and live in a similarly sized one. Both of them use the same system. It works. It scales since it is an almost trivially parallelizable problem. We get the election results in the same day of voting.

tialaramex · 2 months ago
What signature or stamp? In my country we make any mark, although conventionally a cross is used in illustrations.

Many countries have secret ballots, mine doesn't, for reasons which are extremely sketchy (and presumably why my country is blue, not dark blue like New Zealand on the democracy map)

elevation · 2 months ago
Who gets to pick the 7 year old?
supportengineer · 2 months ago
I cannot upvote this enough.
philips · 2 months ago
The comments on this have lots of folks focused purely on the software, talking about a lack of paper ballots, etc. So, let me provide some more context that is missing from the post.

For those who don't know, the VotingWorks software is both Open Source and their machines create and count paper ballots. You can read about it here: https://www.voting.works/machines

Essentially they have a computer, a ballot marking device, that people can use to mark their ballot. That ballot is printed on paper. Then the paper can be validated visually. Then fed into a machine to scan and count. The paper ballot is preserved and can be later audited.

The ballot marking device has a number of advantages over pre-printed and hand marked ballots:

- American Disabilities Act (ADA) compliant using standard web technologies

- Available in applicable languages without lots of translated papers on hand

- Errors or typos in ballots can be fixed days before election instead of weeks (due to print shop lead times)

- Better UX for complex races where things like ranked choice, choose three, etc with rules which can cause people to mismark and then have their ballots rejected

- Avoids sloppy/incomplete markings that must be interpreted and judged by counters/auditors

The entire system runs offline. It is open source.

They also have separate open source software for running risk limiting audits using the paper ballots: https://www.voting.works/audits

Disclosure: I am a donor to VotingWorks.

lucideer · 2 months ago
This is an excellent overview & much needed context. I read the (very short) OP but didn't dive into other sections of the website (which is not an initiative I'd previously been aware of).

Probably a difficult task to ensure all readers of all pages on the entire website are fully aware of this context in advance - I'd imagine this kind of averse reaction will continue to be common until these kinds of hybrid systems become more widespread (or the interests pushing paperless are comprehensively silenced, which seems less likely).

---

That said, now that I do have full context, I do have two criticisms:

1. Clicking through to the VotingWorks frontpage, the copy still doesn't really highlight in a very obvious manner the paper nature of the system. You really have to analyse the website to figure this detail out.

2. The homepage does contain a section entitled "Faster Election Results" - which I do think flies directly in the face of many criticisms in the HN comments here & I personally believe to be an approach that's incompatible with democratic integrity. Counts should simply not be trying to be fast as a high priority - verifying the automated count by hand is insufficient if it isn't done as a matter of course. Ideally, live, while the count is taking place. The latter is not feasible with an automated system, & the former is a lot more likely to be overlooked if speed is a priority.

We don't just need systems that can be fair, we need systems that incentivize fairness & don't contain perverse incentives - count speed is exactly such an incentive.

bkummel · 2 months ago
I live in The Netherlands. We are a reasonably modern country, where a lot of things are automated, even in governmental organizations. However, voting is still done on paper ballots. And those paper ballots are then counted manually. This has huge benefits. There always is a paper trail. It’s hard to manipulate votes without getting caught. If there’s any doubt about a certain district’s results, the votes can be recounted. This happens regularly.

Why do we need machines? Counting the votes for e.g. the parliament only takes 24 hours or so, generally. And we don’t have elections every week, right?

makeitdouble · 2 months ago
You should acknowledge the tradeoff: physical presence is the condition.

It might not happen much in the Netherlands, but for instance making it so fewer people reach voting stations is a classic move. That's one of the failure modes avoided by the other means.

Voting ballots straight getting lost/destroyed is another failure mode, and yes it happens more than we want it to.

The sheer time to get the vote counted is also an issue, and we've seen voter sentiment shifting while the vote is still ongoing, with the media reporting directly influencing the outcome.

It could still be the saner tradeoff in the end, but it's misleading to present it as some ideal or inherently reliable solution.

fabian2k · 2 months ago
The software doesn't matter that much. If you want to use voting machines, you need to create a paper trail with them that can be audited.

Auditing the software isn't enough if you can't reliably verify that this is actually what's running on the machines, or if the machines weren't otherwise tampered with in some way.

bluGill · 2 months ago
The audit needs to be a process that the non technical person can understand and run correctly.

Note that anonymity is also a required part of voting.

bkummel · 2 months ago
Why go through all of that? If you vote on paper ballots, the paper trail is baked in.
fabian2k · 2 months ago
I prefer paper ballots. I'm in a country that uses paper ballots exclusively. I didn't make that argument here because the topic was voting machines.
colmmacc · 2 months ago
So they open the source ... how do I know that's what's running on the voting machine? There's really no good practical solution to this problem. What matters more is that there is a voter-verified paper audit trail and that this record is actually counted. At least by spot check risk-limiting audits, but ideally just count every vote manually to verify.
lewiscollard · 2 months ago
> There's really no good practical solution to this problem.

Remote attestation via trusted execution environments is a thing. It is not a theoretical one either. See, for example, Graphene OS's Auditor app[0]. Solving this for voting machines in particular would be a matter of good design, not of solving fundamentally hard problems.

[0] https://attestation.app/

Areibman · 2 months ago
From a process perspective, how can a constituent know with absolute certainty that their vote was counted, every voter in the system was legal, and the final tally was authentic? Especially when there's no way to even audit what you voted for after the fact?

Every time I try to get to the bottom of this, it always boils down to "trust the system" which makes me uneasy.

ndiddy · 2 months ago
Not being able to audit what you voted for after the fact is by design. Otherwise, it would make buying votes a viable strategy since you'd be able to show them who you voted for. Yes, taking a picture of the ballot is an option, but you can always ask for another ballot paper after you take the photo. Where I live, you're not even allowed to have a camera out in the same room as a voting booth for this exact reason.

IMO the best solution here is to have electronic counting with an auditable and traceable paper trail as a backup. Every time I've voted for the past 10 years has been like this. First, I get a ballot paper from the front desk and stick it into an airgapped ballot marking machine. I then make my choices and the machine prints them onto the ballot paper. I'm able to read the paper and verify that it matches the choices I made. I then stick it into a separate airgapped ballot counting machine, which scans my ballot and deposits the paper copy into a sealed box. The entire process of setting up the machines, transporting the paper ballots, and reading the results from the machines is cross-checked and signed off on by volunteer poll workers from both parties.

abdullahkhalids · 2 months ago
Each polling station should have representatives from multiple parties as well as independent observers.

> how can a constituent know with absolute certainty that their vote was counted

The representative of your party plus independent observer said all votes at your polling station were counted. You know both those community members and know them to be generally honorable. Ergo your vote was counted.

> every voter in the system was legal

None of the observers at the polling station, or the station head claimed any illegal person voted.

> the final tally was authentic

The observers all signed as witnesses on the final tally.

This is not the "system". It is humans you know who are telling you what they saw. If you can't trust other humans at their word, democracy cannot fundamentally work.

lucideer · 2 months ago
> If you can't trust other humans at their word, democracy cannot fundamentally work.

This, but also, important to point out that this is a question of scale: "If you can't trust other human*s*" - plural.

Areibman · 2 months ago
To rephrase: "You should trust political volunteers."

Surely we could do better? Testimony doesn't assuage my concerns that the process may not be tamper proof.

lucideer · 2 months ago
I think the sentiment of the OP actually gets to the heart of this (the idea of open-source is transparency, visibility, auditability) but the problem here is it needs to be applied to the actual process, not to the process of building tools for the actual process.

It's not that developing voting software should be open-source, it's that actual voting should be "open-source" in the physical sense.

Trusting the system is possible if you can (you, yourself) readily observe every part of the system. I don't think giving members of the public access to the server your voting software is hosted on is a very viable idea, but giving members of the public access to paper count centres is (it's done very successfully in many countries).

oceansky · 2 months ago
It's ultimately an impossible problem. There are few things you can trust 100%.