The biggest advantage physical voting has it is follows human-scaling laws. Which often is a problem (inefficient) but for voting this is a massive benefit for one particular reason - due to lack of automation any fraud doesn't also benefit from the same automation so has to be large scale and widely distributed for it to be impactful (the fraud has to be distributed to the humans involved). Which isn't to say that it can't happen (and does!) but requires a lot more effort and in the physical world there always a lot more fingerprints left, cameras looking, informants, etc.
This probably only works properly in the developed countries. In developing countries like India we suffered through decades of "booth captures" [1] where armed gangs would take over a polling booth and cast votes for their political candidate at gun point. Villagers would be disallowed from casting their votes. In many instances, the polling booth itself would be set on fire, ensuring that those votes are never counted.
With EVMs the polling officer can just deactivate the machine (which stops the counting at that moment) making booth capturing pointless.
Not saying this is not possible in developed countries. It could very well happen sometime in the future where armed gangs take over polling booths (especially if the candidate in question is bound to lose due to corruption/scandal and needs to cling onto political power to prevent himself/herself from going to prison).
> This probably only works properly in the developed countries. In developing countries like India we suffered through decades of "booth captures" [1] where armed gangs would take over a polling booth and cast votes for their political candidate at gun point. Villagers would be disallowed from casting their votes. In many instances, the polling booth itself would be set on fire, ensuring that those votes are never counted.
Yeah, but these are visible! They provide evidence that the voting was not fair.
Compare to electronic voting, where a capture might be done and no one ever finds out.
We want rigging of elections to be visible. That's the whole point.
I don't think any system can do much if things have degraded to the point where armed gangs are running around with impunity. I think systems (paper or otherwise) presuppose a certain level of functional civil society
I mean looks like booth capture can only capture a booth at most and to capture more you practically need armed rebellion. But if we automate it, then you only need to capture a location to capture all booths in the region.
> Not saying this is not possible in developed countries. It could very well happen sometime in the future where armed gangs take over polling booths…
I fully expect this happening more as the systems degrade in the west and, arguably, it already has happened several times now in many different ways, even if executed in more “sophisticated” ways that make it less apparent.
What do you call the many “color revolutions” the US and EU have now perpetrated in many different ways and places? The ”gang” was just a state level actor with immense resources and methods that exceed the local capacity to prevent them… just like a local gang using arms to take over a local polling booth.
There are declassified versions of old and obsolete CIA guides on how to conduct the precursors of such “color revolutions” through long term “capacity building” that is then activated if/when necessary. That’s the voluntarily declassified manual of the CIA; someone might suggest there are more effective instructions that are classified.
There have also been medium sophistication level events like what has happened over the last several years in Europe, where Merkel ordered an election result cancelled through technicalities because she/the literal The Party, did not like the result (I guess you can take the woman out of the dictatorship…), the EU simply used the judiciary to force a “runoff” because the election results were not to its liking, de facto canceling elections, or even all the subtle measures like visually misrepresenting election results where the bar or pie chart does not match the numerical data to suppress public mandate and perceptions about results, i.e., higher result numbers being represented by smaller bars than lower numbers.
I would argue they are all examples of the very same things you describe, the equivalent of “…gangs take over polling booths…” only it’s done through process, authority, policy, or even law and those in power tell themselves they’re doing it for “our democracy” and justified through similar dystopian, narcissistic, megalomanic, authoritarian mindsets; “I need to be in power for your own good because you don’t know any better”.
It could go both ways, either things will increasingly start degrading even more as the power slips out of the “gang’s”hands, and the system starts crumbling around them; or if “digital voting” is fully implemented there will essentially be “backdoors” to make sure the powers can “preserve our democracy” just like they need OS backdoors and media control to “protect the children”, which coincidentally seems to always coincide with them remaining in power and control and the people not even being asked about major upheavals of their society and their votes being effectively meaningless because the agenda is continuous regardless of election results.
It’s like those people who used to play slot machines at the casino, (now doing so digitally on their phones) pounding at the buttons that do absolutely nothing since the algorithm is what determines where the spin ends, not them rapidly hitting an essentially dead button just because the “clicking”, the “voting”, makes them think they have control. . . . “our democracy” where you and I are not part of that “our”.
The other advantage in physical voting is that so many people are needed to participate in the process. The probability of aligned bad actors goes down significantly when the voting process is a civic responsibility shared by volunteers who monitor each other. It's not perfect but public participation adds to the legitimacy of the process itself.
It's not fraud is difficult to do, it's difficult to do so without people noticing. The problem of r-country is not that fraud is not discovered, they problem is they are not capable to course-correct (in general, but in regards to having elections specifically)
I don't care how much maths and encryption you use, you can't get out of the fact that things can be anonymous (no one can know how you voted) or verifiable (people can prove that you only voted once) but not both.
- Switzerland usually gets around this by knowing where everyone lives and mailing them a piece of paper 'something you have'
- South Africa gets around this by putting ink on your fingernail
I've read quite a bit about the e-voting systems in Switzerland and USA and I just don't see how they thread the needle. At some point, you have to give someone access to a database and they can change that database.
Until we all have government-issued public keys or something, there isn't a technical solution to this? (Genuinely curious if I'm wrong here)
The USA threads the needle by simply not having verifiable voting. And it turns out it works pretty well. Despite countless hours and lawsuits dedicated to finding people who voted more than once, only a handful of cases have actually turned up.
It's not that there are no checks. You have to give your name, and they know if you've voted more than once at that station that day. To vote more than once you'd have to pretend to be somebody else, in person, which means that if you're caught you will go to jail.
We could certainly do better, but thus far all efforts to defeat this non-problem are clearly targeted at making it harder for people to vote rather than any kind of election integrity.
- A front of queue, show ID of some sort (various accepted) to volunteer
- They scratch you from the list and hand you a paper scantron sheet
- Go to private booth, fill out scantron
- Go to exit, scan ballot (it scans and then drops into a locked box for manual tally later, if necessary)
The "easy" ways to vote fraudulently are also easily caught... fake ID documents, voting twice, etc.
For people who forget their ID or have address changes that haven't propagated through the voter roll, there is provisional voting - you do the same as above, but they keep the ballot in a separate pile and validate your eligibility to vote at a later time. IIRC, the voter gets a ticket # so they can check the voter portal later to see if the ballot was accepted.
As noted, the number of fraudulent votes are astonishingly small, given the amount of money spent on proving otherwise. The current GOP has spent 100s of millions or billions on proving wide-spread fraud and so far, all they've managed to prove a few voters, most of whom were actually GOP-leaning, have committed fraud (and most of them were caught day-of already).
> Despite countless hours and lawsuits dedicated to finding people who voted more than once, only a handful of cases have actually turned up.
Trust in the system should always be highly valued even if the skepticism is largely unwarranted. Saying a lawsuit hasn't caught it yet won't persuade many skeptics.
> The USA threads the needle by simply not having verifiable voting. And it turns out it works pretty well.
No, no, no. January 6 is a systemic failure.
The purpose of a voting system is to select the most popular candidate in a way that is so far beyond doubt that a populist loser can't claim the results are wrong without alienating his base.
Even leaving aside the whole "Trump doesn't care if his lies are credible" thing, the US system works very poorly there. Mail-in voting, drive-in voting, voting machines, they leave room for suspicion, no matter how confident the people running the system are.
Lots of cyber risks with the use of online voting though, especially in jurisdictions without standards/certification. I outline many in my thesis which explores the risks to online elections in Ontario, Canada (one of the largest and longest-running users of online voting in the world)
> You can have e-voting systems that protect ballot secrecy and are verifiable.
In these systems the voter cannot verify that their vote was secret as they cannot understand, and much less verify the voting machine.
> And you can do that without providing proof of who any particular voter voted for.
Which is good for preventing the sale of votes, but keeps things obscure in a magical and correct box.
How can I tell the machine didn't alter my vote if it cannot tell me, and just me, who I voted for? The global sanity checks are worthless if the machine changed my vote as I entered it.
If it's a completely binary choice of "election was valid" and "election was invalid" without any partial verifications of results, I think it's still a massive step back.
By which I mean: paper ballots have problems. But a fault in a handful of ballots doesn't mean the rest of the ballots need to get tossed out.
I do not believe that a system managed by humans can be faultless.
> The centralized server must be trusted not to violate ballot secrecy,[7] this limitation can be mitigated against by distributing trust amongst several stakeholders.
> The ballot auditing/reconstruction device must be trusted to ensure successful ballot auditing (also known as cast-as-intended verifiability),[7][16] this limitation can be mitigated against by distributing auditing checks amongst several devices, only one of which must be trusted.
Sure you can, you just need an anonymous voting mechanism that's sufficiently naive. You use the verifiable process to restrict access to that anonymous mechanism.
In Canada, at both federal and provincial levels, you walk up to a desk and identify yourself, are crossed off a list, and handed a paper ballot. You go behind a screen, mark an X on the ballot, fold it up, take it back out to another desk, and put it in the box. It's extraordinarily simple.
> At some point, you have to give someone access to a database and they can change that database.
Well, that kind of fraud is a different issue from someone reading the database and figuring out who someone voted for (you just... don't record identities in the database).
There will never be a technical or operational process that excludes cheating. The only deterrence that seems to work on humans and even then only most of the time is severe capitol punishment and that will only be as effective as people believe it happens thus requiring live streaming of the removal of cheaters heads without censorship. The current legal process of each country would have to be by-passed or people would just sit in a cage for 30 years. Even in such cases there will be people that sacrifice themselves if they think that bribe money can go to their family but that is at least a start.
I think the day I _must_ walk go a desk to vote is the day I'll give up. Voting by mail is one of the best things occuring here (in Switzerland). You get the voting stuff by mail, make your crosses, put it back into the postal box and it's delivered for free (as in beer) to the government.
The Italian way looks similar to the Swiss way. In detail:
When I go to cast a vote in Italy I bring with me my state issued photo ID (everybody has one, I mean: must have one) and a state issued sheet of paper with the address of the place I must go to vote and a grid of empty spaces. I don't have to register to vote, basically I'm registered at birth. The people at the polling station take my two cards and look for me in their registry. They mark that I came to vote, stamp an empty space on the second card and handle me the paper ballots. I think that in this way it's both anonymous and verifiable. When the card with the stamps is full, they mail me a new one.
The state definitely know where people live. Babies are registered when they are born and people have to register any change of their address of residence. It's been like that at least since Italy became a country in the 1860s.
By the way, how do I know that they counted my vote as I cast it? I can't know it. I must trust that they did not open the box and replaced the ballots, but people from the several competing parties visit the polling station and can attend the counting. I trust that process much more than something happening inside a computer program.
Australia has a system where you are anonymous and can prove that you only voted once:
You have to be registered and must vote within your electorate, so your name appears on a certified list for that electorate and each voting location has that list. When you vote, they strike your name from the list.
After the election, the lists from these locations are compared. Anyone who votes twice has their name struck twice, and are investigated for electoral fraud.
Whether people know if you voted or not is immaterial, as voting is mandatory in Australia.
How does that prove that you only voted once? If I know someone's name and address (and by extension their electorate) I can rock up and vote as as many as I want.
> you can't get out of the fact that things can be anonymous (no one can know how you voted) or verifiable (people can prove that you only voted once) but not both
Seems like the obvious solution here would be for the voting machine to generate two separate records:
- A record of the vote itself, without specifying the voter
- A record of the voter having voted, without specifying for whom/what
And of course, if the number of vote records doesn't match the number of voter records, then shenanigans have likely ensued, warranting an election fraud investigation.
What about this? Consider a toy system: everyone gets issued a UUID, everyone can see how every UUID voted, but only you know which one is your vote.
This is of course flawed because a person can be coerced to share their ID. In which case you could have a system in which the vote itself is encrypted and the encryption key is private. Any random encryption key works and will yield a valid vote (actual vote = public vote + private key), so under coercion you can always generate a key that will give the output that you want, but only you know the real one.
Besides the fact that 99% of the general population won't be able to understand this, a $5€ wrench says that you show me proof of the correct private key (either by you showing me the letter you received, me being present when you set it up, or however it is set up)
You have to trust that both 1) the UUID issuing party is not keeping the actual id to uuid mapping in the logs 2) the same party isn't allocating an excessive number of uuids to mass-vote for the "good" choice.
In-person voting does provide these guarantees, to extent that violating them will be discoverable and both parties have an incentive to discover such things.
On the US keep in mind elections are run at the state level and below, so we don't have a single voting system, we have 50+.
My state, Oregon, for example uses a very straightforward vote by mail system. They ask if you wanna register to vote when you get/update your drivers license or state id. Your ballot just comes in the mail, you fill it out, send it back. For folks that lack a permanent address or similar, you can get provisional ballots at libraries and similar city offices. The provisional ballots make you fill out enough information to check if you're allowed to vote.
It's simple, convenient, secure, and efficient.
So why don't more states do it this way?
Unfortunately there's a long ugly history of using all sorts of dirty tricks for voter suppression in the US, in particular to keep Jim Crow going. And unfortunately variations of that continue today. I don't have the energy to dig into it fully here, I just want any international readers to be aware there's a whole lot of utterly craven bad faith when it comes to discussions around voting fraud and security in the US.
Ironically most production e-voting systems do not use blockchains. That's because there isn't need for decentralization, just verifiability of a correct result and protecting voting secrecy.
> Until we all have government-issued public keys or something
That's actually pretty common in Europe. The Spanish DNI (national identity card) has a chip these days, which gives you an authenticated key pair for accessing digital services.
In the pilot project for digital voting, that identity is only used to authenticate the user, and then an anonymous key needs generated that can be used to cast the final vote.
South Africa is in a somewhat similar situation of having a gigantic (1-10%, government is too broken to figure out where in that range) illegal immigrant population and poor access to paperwork for many citizens that would make any heavily scrutinized citizenship for registration lean heavily towards disenfranchisement of the poorer segments.
each citizen gets an anonymized private key via a secure channel (eg. postal) and use that to vote.
votes are double enveloped:
outer envelop: anonymized id
+ inner envelop: vote.
mixnet separates the votes and cryptographically shuffles them to decouple relationships.
only at the end the shuffled votes are decrypted using the private key of the election itself that was split using shamir secret sharing (eg 5 out of 7 shares to reconstruct)
the thing that’s not clear from the article and it’s a shame is that it seems the failure was the hardware (the 3 USB keys) not the election software. This could be simply avoided by having redundancy on the hardware (2 USBs per share) or more shares themselves (5 out of 9 shares)
Maintain a list of identity hashes. When someone goes to vote, deny them if they're already in the list . Otherwise, add their hash to the list then allow a vote to be cast.
An extremely simple scheme is allowing voters to enter an identifier of their choosing and displaying that with the votes publicly. This is both verifiable and anonymous.
Any issues you can come up with this scheme are also iirc pretty easily solvable.
While this sounds like it allowed remote voting, it's interesting that some places (e.g. The Netherlands) went back to 100% paper instead of voting machines. That causes counting to take quite some time, with estimates/interim counts in between.
I don't understand why voting machines can't just print your vote on a piece of paper behind a plastic window for you to see while also recoding the vote in a database. That is 100% anonymous and can't be cheated. The database is the instant answer at election closing time, and then you can take some days to count the papers as confirmation that nothing weird happened.
No way to hack that. If you print something different on the paper the voter will see it. If you try to hack it by printing more papers than actual votes, the paper count won't match the amount of voting passes that you collected/verified when letting people into the polling station.
It may even be safer than the current paper approach, because if the paper vote counters try to cheat their counts won't match the database triggering an investigation as well.
> The database is the instant answer at election closing time, and then you can take some days to count the papers as confirmation that nothing weird happened.
You are misunderstanding "who to trust".
The source of trust in a paper vote election is your party's representative + independent election observers. You believe them that they were sitting at the polling station all day, watching both the voting and counting, and nothing fishy happened. You don't have to trust the state officials in any way, and you don't have to trust any one else either. Just your party - which is kind of the point. The only people you maximally trust is your party.
In your proposal, you are saying that to trust the outcome, I must trust the state officials - the ones who built the machines. Those are exactly the people I distrust to do a fair election.
The poster is also trusting the database provider, database admin, the voting machine provider, the voting machine maintenance person, etc in an electronic voting machine since they implied this by saying database. Manual paper counts with multiple counters and multiple counts that resolve differences are hard to top when each set of counters is adversarial. In spite of that one thing I thought might be useful and point of failure if electronic voting were allowed is from Venezuela of all places. Each precinct printed an initial tally, the opposition collected most of them and claimed they were cheated. They might have had a fair election up until the voting machines were summed up at a central location -it appears the ruling party cheated when adding up the precincts. https://apnews.com/article/venezuela-election-maduro-machado...
The national elections in NLD have a single ballot in the whole country, with 10+ parties who each get a column of their candidates on the ballot, and with one box for each of the candidates. In these elections for the 150 seats of parliament, often there are 200+ candidates listed total. As a result, the ballot sheets need to be quite large and so are quite far into the 'unwieldy' part of the handling spectrum.
This size issue also complicates verification and counting, because you have to verify that of all checkboxes, exactly one is filled in, and sorting/counting needs to do this for practically every ballot.
There has been some experimenting with changing the ballot to a 'party' and 'list number' ballot, where you fill in the party of your chosen candidate together with their number on the party list, but AFAIK that has not (yet?) been approved for wider use.
>I don't understand why voting machines can't just print your vote on a piece of paper behind a plastic window for you to see while also recoding the vote in a database
If it's counted electronically from the database, the piece of paper is completely worthless. Unless you can get the entire voting population to give you their paper and then count them, you will never know if the count is right. If a hacker switched 15% of the vote from one party to another, how could you tell from a piece of paper that tells you who you voted for?
you can count the paper votes only in your voting point/building. If there are abnormalities you can alert other people to trigger the global recounting
Yes, it's not foolproof, attacker can just modify the electronic voting data in places where he knows people don't usually do recounting. But it makes his job harder
Voting machines here (Indiana) will print a sheet with your choices, which you can review before feeding it to a counting machine. That way you have a paper trail for recounts, and a sanity check before the vote is cast.
I think this is probably sufficient, but also wonder if theres a circular logic to the "No way to hack that" claim. If the hypothetical hack could both corrupt the digital votes and the printing it could ensure the vote counts line up. I guess it maybe makes it harder, but if the printed paper votes are there to validate the digital votes and vice-versa I'm not sure its quite as air-tight as claimed.
Edit: I just realized you also mentioned "voter-passes" when entering the voting site. That definitely makes it much harder! If those were corrupted you could still pull it off, but that level of sophistication is really likely to get caught.
Ireland has both paper only voting, and a PR-STV voting system. Counting can take, literally, days (the most recent EU election took five days to fill all the seats). It is a spectator sport for a certain type of nerd.
> I don't understand why voting machines can't just print your vote on a piece of paper behind a plastic window for you to see while also recoding the vote in a database.
They absolutely can. Brazil uses electronic voting machines and that exact method was proposed to increase the trustworthiness of the system. We'd get the best of both worlds: fast vote counting and an auditable paper trail that serves as the ultimate truth.
Supreme court declared it unconstitutional using total bullshit arguments ranging from "it compromises voting secrecy" to "it's hard to implement", thereby fueling concerns that the voting machines are compromised.
I don't understand the need for e-voting. Germany's entirely paper-based system works fine! After voting closes, volunteers count the votes for a few hours and we get a result.
Canada also uses hand counted paper ballots and it works great. There's no need to make large-scale voting electronic, and I'd never trust it without major social institutions in place that can provide the kind of oversight we have with good old paper ballots.
The pilot is for people unable to get to a polling booth. Traditionally, we use postal votes for this. But postal votes enable voter fraud (primarily selling your vote), so we can only use it for a small portion of votes or results become too suspect.
So paper systems require ballot boxes and polling stations for the vast majority, which makes elections expensive, complicated, and generally problematic. And unpopular, with low turnout, particularly during flu season and pandemic.
Wider participation in voting? Easier to vote for people who can’t travel to the voting station, for myriad reasons? Just more efficient for everyone involved?
And bigger picture, once you prove a system that’s easier, more efficient, reliable… you could expand to more votes on more things. Like… the Swiss do.
—-
(A German advocating for paper-based bureaucracy… whatever next? ;) )
Drawing two crosses on a piece of paper every couple of years has really nothing to do with democracy. Democracy is when one can vote on all topics on any level (local village, town, district, county, state, ...) using the computer at home. This is possible to implement using the algorithms/data structures available today. We actually do basically everything online today - except voting.
For instance, such a system would be immune to corruption. That's one of the major reasons such a system will likely never appear.
> For instance, such a system would be immune to corruption
OTOH, it enables vote buying and intimidation at scale: you vote from home in exchange for 5€/not being beat up and have to film yourself doing it, so that the local bad guy gets authorized to bulldoze the local nature reserve.
Vote buying and intimidation already exist, but proving it is harder, all remote voting on everything would just make it more convenient.
The only potential benefit I can think of is getting results faster, but it's really not important enough to optimise for.
Maybe a dual system of paper ballots and e-voting could be good so that they cross check each other. Can't stuff paper ballots without manipulating the digital counter, can't manipulate the digital counter without stuffing ballots. A digital counter also enables meta analysis which could identify suspicious patterns, like a wave of votes for a particular candidate.
Another possible benefit I've heard of is it can stop some kinds of voter intimidation:
Someone gets hand of an empty ballot, they fill in the ballot and give it to you and tell you to come back with another empty ballot. Rinse and repeat. Of course, with today's smartphones there are simpler ways to do this. Also moot if you can vote by mail, which is why voting by mail is a really bad idea.
It is not even about understanding. It is about how easy it is to distrust it.
Contrary to what nerds think, the goal of elections isn't to get bulletproof results by mathematical standards. The goal is to create agreeable consent among those who voted. A good election system is one where even sworn enemies can begrudgingly agree on the result.
A paper ballot system has the advantage that it can be monitored by any group that has members which have mastered the skill of object permanence and don't lie. That is not everybody, but it is much better than any hypothetical digital system
> The goal is to create agreeable consent among those who voted.
If you still consistently miscount so that popular power isn't aligned with the electoral results, you will still face all the problems a democracy was designed to avoid. Starting with violent protests and revolutions.
But then, most countries fail this at other stages already.
More importantly, you want your system to be bulletproof before it's audited. By the time you're talking about audits, the populists have already started flooding the zone.
The system should be so obviously secure that any person walking into a poll station should intuitively understand, seeing the poll workers, why fraud would be very hard to perform, so that when their favourite populist candidate loses and claims fraud, they think "that doesn't make sense".
If the voter needs to read technical documentation to understand why the populist is wrong, it's already too late.
How about a machine voting system with paper fallback. You as a voter can review the paper protocol from your vote. If there is distrust, the justice system can review the paper trail as well.
> the goal of elections isn't to get bulletproof results by mathematical standards. The goal is to create agreeable consent among those who voted. A good election system is one where even sworn enemies can begrudgingly agree on the result.
First you must explain to them why the former is not an example of the latter.
Also e-voting can be hacked (I guess they vote from their computer/smartphone, which can be hacked from the other side of the world). The last place you want to care about phishing, IMO, is voting.
Good luck hacking in-person voting or even "physical" mail voting from the other side of the world.
Regular ballot voting can also be hacked and on a scale. Making ballots invalid while counting them, or modifying them in some form or other, intentionally writing wrong values in the counting protocols...
And of course controlled vote or paid vote...
E-voting can and has also led to exposing voting fraud -- see Venezuella.
As a Swiss citizen I strongly disagree. Most people capable of reading and basic maths (addition!) can understand the counting of our paper ballots. My kids understand how this works since they are like 5.
Any citizen can go and check how votes are counted in their Geminde. Any citizen can check what is reported in the federal tally. I did several times. It's not rocket science.
Readit News
With EVMs the polling officer can just deactivate the machine (which stops the counting at that moment) making booth capturing pointless.
Not saying this is not possible in developed countries. It could very well happen sometime in the future where armed gangs take over polling booths (especially if the candidate in question is bound to lose due to corruption/scandal and needs to cling onto political power to prevent himself/herself from going to prison).
[1]: https://en.wikipedia.org/wiki/Booth_capturing
Yeah, but these are visible! They provide evidence that the voting was not fair.
Compare to electronic voting, where a capture might be done and no one ever finds out.
We want rigging of elections to be visible. That's the whole point.
Deleted Comment
I fully expect this happening more as the systems degrade in the west and, arguably, it already has happened several times now in many different ways, even if executed in more “sophisticated” ways that make it less apparent.
What do you call the many “color revolutions” the US and EU have now perpetrated in many different ways and places? The ”gang” was just a state level actor with immense resources and methods that exceed the local capacity to prevent them… just like a local gang using arms to take over a local polling booth.
There are declassified versions of old and obsolete CIA guides on how to conduct the precursors of such “color revolutions” through long term “capacity building” that is then activated if/when necessary. That’s the voluntarily declassified manual of the CIA; someone might suggest there are more effective instructions that are classified.
There have also been medium sophistication level events like what has happened over the last several years in Europe, where Merkel ordered an election result cancelled through technicalities because she/the literal The Party, did not like the result (I guess you can take the woman out of the dictatorship…), the EU simply used the judiciary to force a “runoff” because the election results were not to its liking, de facto canceling elections, or even all the subtle measures like visually misrepresenting election results where the bar or pie chart does not match the numerical data to suppress public mandate and perceptions about results, i.e., higher result numbers being represented by smaller bars than lower numbers.
I would argue they are all examples of the very same things you describe, the equivalent of “…gangs take over polling booths…” only it’s done through process, authority, policy, or even law and those in power tell themselves they’re doing it for “our democracy” and justified through similar dystopian, narcissistic, megalomanic, authoritarian mindsets; “I need to be in power for your own good because you don’t know any better”.
It could go both ways, either things will increasingly start degrading even more as the power slips out of the “gang’s”hands, and the system starts crumbling around them; or if “digital voting” is fully implemented there will essentially be “backdoors” to make sure the powers can “preserve our democracy” just like they need OS backdoors and media control to “protect the children”, which coincidentally seems to always coincide with them remaining in power and control and the people not even being asked about major upheavals of their society and their votes being effectively meaningless because the agenda is continuous regardless of election results.
It’s like those people who used to play slot machines at the casino, (now doing so digitally on their phones) pounding at the buttons that do absolutely nothing since the algorithm is what determines where the spin ends, not them rapidly hitting an essentially dead button just because the “clicking”, the “voting”, makes them think they have control. . . . “our democracy” where you and I are not part of that “our”.
But the ballots are not even printed on security paper. They don't have a serial number on them, either.
Sheriff monitors the ballot box (ex. Jimmy Carter's opponent).
Only allow loyalists to count the result (and then report w/e you want; ex. Russia).
- Switzerland usually gets around this by knowing where everyone lives and mailing them a piece of paper 'something you have'
- South Africa gets around this by putting ink on your fingernail
I've read quite a bit about the e-voting systems in Switzerland and USA and I just don't see how they thread the needle. At some point, you have to give someone access to a database and they can change that database.
Until we all have government-issued public keys or something, there isn't a technical solution to this? (Genuinely curious if I'm wrong here)
It's not that there are no checks. You have to give your name, and they know if you've voted more than once at that station that day. To vote more than once you'd have to pretend to be somebody else, in person, which means that if you're caught you will go to jail.
We could certainly do better, but thus far all efforts to defeat this non-problem are clearly targeted at making it harder for people to vote rather than any kind of election integrity.
- Enter queue
- A front of queue, show ID of some sort (various accepted) to volunteer
- They scratch you from the list and hand you a paper scantron sheet
- Go to private booth, fill out scantron
- Go to exit, scan ballot (it scans and then drops into a locked box for manual tally later, if necessary)
The "easy" ways to vote fraudulently are also easily caught... fake ID documents, voting twice, etc.
For people who forget their ID or have address changes that haven't propagated through the voter roll, there is provisional voting - you do the same as above, but they keep the ballot in a separate pile and validate your eligibility to vote at a later time. IIRC, the voter gets a ticket # so they can check the voter portal later to see if the ballot was accepted.
As noted, the number of fraudulent votes are astonishingly small, given the amount of money spent on proving otherwise. The current GOP has spent 100s of millions or billions on proving wide-spread fraud and so far, all they've managed to prove a few voters, most of whom were actually GOP-leaning, have committed fraud (and most of them were caught day-of already).
Does it?
This is the third election in a row where the losing party claim the election was not legitimate and/or hacked.
So you go to other stations, duh. It's called "carousel voting" [0], if done on a large, organized scale.
[0] https://en.wikipedia.org/wiki/Carousel_voting
Trust in the system should always be highly valued even if the skepticism is largely unwarranted. Saying a lawsuit hasn't caught it yet won't persuade many skeptics.
No, no, no. January 6 is a systemic failure.
The purpose of a voting system is to select the most popular candidate in a way that is so far beyond doubt that a populist loser can't claim the results are wrong without alienating his base.
Even leaving aside the whole "Trump doesn't care if his lies are credible" thing, the US system works very poorly there. Mail-in voting, drive-in voting, voting machines, they leave room for suspicion, no matter how confident the people running the system are.
If cheating is difficult to prove then we would expect only minimal evidence even with material amounts of cheating.
You can use homomorphic encryption or mixnets to prove that:
1) all valid votes were counted
2) no invalid votes were added
3) the totals for each candidate is correct
And you can do that without providing proof of who any particular voter voted for. A few such systems:
https://en.wikipedia.org/wiki/Helios_Voting
https://www.belenios.org/
Authentication to these systems is another issue - there are problems with mailing people credentials (what if they discard them in the trash?).
https://www.cbc.ca/news/canada/ontario-municipal-elections-o...
Estonia (a major adopter of online voting) solves this with the national identity card, which essentially is government issued public/private keys.
https://en.wikipedia.org/wiki/Estonian_identity_card
Lots of cyber risks with the use of online voting though, especially in jurisdictions without standards/certification. I outline many in my thesis which explores the risks to online elections in Ontario, Canada (one of the largest and longest-running users of online voting in the world)
https://uwo.scholaris.ca/items/705a25de-f5df-4f2d-a2c1-a07e9...
In these systems the voter cannot verify that their vote was secret as they cannot understand, and much less verify the voting machine.
> And you can do that without providing proof of who any particular voter voted for.
Which is good for preventing the sale of votes, but keeps things obscure in a magical and correct box.
How can I tell the machine didn't alter my vote if it cannot tell me, and just me, who I voted for? The global sanity checks are worthless if the machine changed my vote as I entered it.
By which I mean: paper ballots have problems. But a fault in a handful of ballots doesn't mean the rest of the ballots need to get tossed out.
I do not believe that a system managed by humans can be faultless.
from https://en.wikipedia.org/wiki/Helios_Voting
> The centralized server must be trusted not to violate ballot secrecy,[7] this limitation can be mitigated against by distributing trust amongst several stakeholders.
> The ballot auditing/reconstruction device must be trusted to ensure successful ballot auditing (also known as cast-as-intended verifiability),[7][16] this limitation can be mitigated against by distributing auditing checks amongst several devices, only one of which must be trusted.
So neither secure nor anonymous...
In Canada, at both federal and provincial levels, you walk up to a desk and identify yourself, are crossed off a list, and handed a paper ballot. You go behind a screen, mark an X on the ballot, fold it up, take it back out to another desk, and put it in the box. It's extraordinarily simple.
> At some point, you have to give someone access to a database and they can change that database.
Well, that kind of fraud is a different issue from someone reading the database and figuring out who someone voted for (you just... don't record identities in the database).
I think the day I _must_ walk go a desk to vote is the day I'll give up. Voting by mail is one of the best things occuring here (in Switzerland). You get the voting stuff by mail, make your crosses, put it back into the postal box and it's delivered for free (as in beer) to the government.
Deleted Comment
isn't that racist? i've heard it repeated but i'm not so sure
[0] https://satoss.uni.lu/members/jun/papers/CSR13.pdf
[1] https://fc16.ifca.ai/voting/papers/ABBT16.pdf
When I go to cast a vote in Italy I bring with me my state issued photo ID (everybody has one, I mean: must have one) and a state issued sheet of paper with the address of the place I must go to vote and a grid of empty spaces. I don't have to register to vote, basically I'm registered at birth. The people at the polling station take my two cards and look for me in their registry. They mark that I came to vote, stamp an empty space on the second card and handle me the paper ballots. I think that in this way it's both anonymous and verifiable. When the card with the stamps is full, they mail me a new one.
The state definitely know where people live. Babies are registered when they are born and people have to register any change of their address of residence. It's been like that at least since Italy became a country in the 1860s.
By the way, how do I know that they counted my vote as I cast it? I can't know it. I must trust that they did not open the box and replaced the ballots, but people from the several competing parties visit the polling station and can attend the counting. I trust that process much more than something happening inside a computer program.
You have to be registered and must vote within your electorate, so your name appears on a certified list for that electorate and each voting location has that list. When you vote, they strike your name from the list.
After the election, the lists from these locations are compared. Anyone who votes twice has their name struck twice, and are investigated for electoral fraud.
Whether people know if you voted or not is immaterial, as voting is mandatory in Australia.
Works pretty well for a paper system.
This is true, but its used in other countries as well, as it's a simple, effective, low-tech, affordable process.
Most notably in India https://edition.cnn.com/2024/05/02/style/india-elections-pur...
but also in many other countries: https://en.wikipedia.org/wiki/Election_ink#International_use
Nah, that still boils down to "you have to trust government". And I preferred when "Why would they care how I vote?" was a rhetorical question.
Seems like the obvious solution here would be for the voting machine to generate two separate records:
- A record of the vote itself, without specifying the voter
- A record of the voter having voted, without specifying for whom/what
And of course, if the number of vote records doesn't match the number of voter records, then shenanigans have likely ensued, warranting an election fraud investigation.
This is of course flawed because a person can be coerced to share their ID. In which case you could have a system in which the vote itself is encrypted and the encryption key is private. Any random encryption key works and will yield a valid vote (actual vote = public vote + private key), so under coercion you can always generate a key that will give the output that you want, but only you know the real one.
In-person voting does provide these guarantees, to extent that violating them will be discoverable and both parties have an incentive to discover such things.
My state, Oregon, for example uses a very straightforward vote by mail system. They ask if you wanna register to vote when you get/update your drivers license or state id. Your ballot just comes in the mail, you fill it out, send it back. For folks that lack a permanent address or similar, you can get provisional ballots at libraries and similar city offices. The provisional ballots make you fill out enough information to check if you're allowed to vote.
It's simple, convenient, secure, and efficient.
So why don't more states do it this way?
Unfortunately there's a long ugly history of using all sorts of dirty tricks for voter suppression in the US, in particular to keep Jim Crow going. And unfortunately variations of that continue today. I don't have the energy to dig into it fully here, I just want any international readers to be aware there's a whole lot of utterly craven bad faith when it comes to discussions around voting fraud and security in the US.
It's the only problem in existence that can be solved by the blockchain...
That's actually pretty common in Europe. The Spanish DNI (national identity card) has a chip these days, which gives you an authenticated key pair for accessing digital services.
In the pilot project for digital voting, that identity is only used to authenticate the user, and then an anonymous key needs generated that can be used to cast the final vote.
Deleted Comment
Isn't that what secure hashes do? ID to hash is anonymous and checking for duplicate hashes verifies only voting once.
each citizen gets an anonymized private key via a secure channel (eg. postal) and use that to vote.
votes are double enveloped: outer envelop: anonymized id + inner envelop: vote.
mixnet separates the votes and cryptographically shuffles them to decouple relationships.
only at the end the shuffled votes are decrypted using the private key of the election itself that was split using shamir secret sharing (eg 5 out of 7 shares to reconstruct)
the thing that’s not clear from the article and it’s a shame is that it seems the failure was the hardware (the 3 USB keys) not the election software. This could be simply avoided by having redundancy on the hardware (2 USBs per share) or more shares themselves (5 out of 9 shares)
Deleted Comment
Maintain a list of identity hashes. When someone goes to vote, deny them if they're already in the list . Otherwise, add their hash to the list then allow a vote to be cast.
An extremely simple scheme is allowing voters to enter an identifier of their choosing and displaying that with the votes publicly. This is both verifiable and anonymous.
Any issues you can come up with this scheme are also iirc pretty easily solvable.
I don't understand why voting machines can't just print your vote on a piece of paper behind a plastic window for you to see while also recoding the vote in a database. That is 100% anonymous and can't be cheated. The database is the instant answer at election closing time, and then you can take some days to count the papers as confirmation that nothing weird happened.
No way to hack that. If you print something different on the paper the voter will see it. If you try to hack it by printing more papers than actual votes, the paper count won't match the amount of voting passes that you collected/verified when letting people into the polling station.
It may even be safer than the current paper approach, because if the paper vote counters try to cheat their counts won't match the database triggering an investigation as well.
You are misunderstanding "who to trust".
The source of trust in a paper vote election is your party's representative + independent election observers. You believe them that they were sitting at the polling station all day, watching both the voting and counting, and nothing fishy happened. You don't have to trust the state officials in any way, and you don't have to trust any one else either. Just your party - which is kind of the point. The only people you maximally trust is your party.
In your proposal, you are saying that to trust the outcome, I must trust the state officials - the ones who built the machines. Those are exactly the people I distrust to do a fair election.
We vote during the day... polls close in the evening... A few hours later we have the results. Hand counted, for the entire country.
What is the difference?
The national elections in NLD have a single ballot in the whole country, with 10+ parties who each get a column of their candidates on the ballot, and with one box for each of the candidates. In these elections for the 150 seats of parliament, often there are 200+ candidates listed total. As a result, the ballot sheets need to be quite large and so are quite far into the 'unwieldy' part of the handling spectrum.
This size issue also complicates verification and counting, because you have to verify that of all checkboxes, exactly one is filled in, and sorting/counting needs to do this for practically every ballot.
There has been some experimenting with changing the ballot to a 'party' and 'list number' ballot, where you fill in the party of your chosen candidate together with their number on the party list, but AFAIK that has not (yet?) been approved for wider use.
If it's counted electronically from the database, the piece of paper is completely worthless. Unless you can get the entire voting population to give you their paper and then count them, you will never know if the count is right. If a hacker switched 15% of the vote from one party to another, how could you tell from a piece of paper that tells you who you voted for?
Yes, it's not foolproof, attacker can just modify the electronic voting data in places where he knows people don't usually do recounting. But it makes his job harder
Edit: I just realized you also mentioned "voter-passes" when entering the voting site. That definitely makes it much harder! If those were corrupted you could still pull it off, but that level of sophistication is really likely to get caught.
They absolutely can. Brazil uses electronic voting machines and that exact method was proposed to increase the trustworthiness of the system. We'd get the best of both worlds: fast vote counting and an auditable paper trail that serves as the ultimate truth.
Supreme court declared it unconstitutional using total bullshit arguments ranging from "it compromises voting secrecy" to "it's hard to implement", thereby fueling concerns that the voting machines are compromised.
I have a hard time believing that it collected exactly 2,048 votes by coincidence
So paper systems require ballot boxes and polling stations for the vast majority, which makes elections expensive, complicated, and generally problematic. And unpopular, with low turnout, particularly during flu season and pandemic.
And bigger picture, once you prove a system that’s easier, more efficient, reliable… you could expand to more votes on more things. Like… the Swiss do.
—-
(A German advocating for paper-based bureaucracy… whatever next? ;) )
For instance, such a system would be immune to corruption. That's one of the major reasons such a system will likely never appear.
OTOH, it enables vote buying and intimidation at scale: you vote from home in exchange for 5€/not being beat up and have to film yourself doing it, so that the local bad guy gets authorized to bulldoze the local nature reserve.
Vote buying and intimidation already exist, but proving it is harder, all remote voting on everything would just make it more convenient.
Maybe a dual system of paper ballots and e-voting could be good so that they cross check each other. Can't stuff paper ballots without manipulating the digital counter, can't manipulate the digital counter without stuffing ballots. A digital counter also enables meta analysis which could identify suspicious patterns, like a wave of votes for a particular candidate.
Someone gets hand of an empty ballot, they fill in the ballot and give it to you and tell you to come back with another empty ballot. Rinse and repeat. Of course, with today's smartphones there are simpler ways to do this. Also moot if you can vote by mail, which is why voting by mail is a really bad idea.
https://scotopia.in/journal/journalbkend/paper_list/v-4-i-1(...
Why Electronic Voting Is Still A Bad Idea:
https://www.youtube.com/watch?v=LkH2r-sNjQs
My Līberum Cōnsilium (see references on page 55):
https://repo.autonoma.ca/repo/delibero/raw/HEAD/docs/manual/...
Contrary to what nerds think, the goal of elections isn't to get bulletproof results by mathematical standards. The goal is to create agreeable consent among those who voted. A good election system is one where even sworn enemies can begrudgingly agree on the result.
A paper ballot system has the advantage that it can be monitored by any group that has members which have mastered the skill of object permanence and don't lie. That is not everybody, but it is much better than any hypothetical digital system
If you still consistently miscount so that popular power isn't aligned with the electoral results, you will still face all the problems a democracy was designed to avoid. Starting with violent protests and revolutions.
But then, most countries fail this at other stages already.
The system should be so obviously secure that any person walking into a poll station should intuitively understand, seeing the poll workers, why fraud would be very hard to perform, so that when their favourite populist candidate loses and claims fraud, they think "that doesn't make sense".
If the voter needs to read technical documentation to understand why the populist is wrong, it's already too late.
First you must explain to them why the former is not an example of the latter.
The problem with e-voting is that it gives the losers an infinite number of things to complain about and challenge the election.
Good luck hacking in-person voting or even "physical" mail voting from the other side of the world.
Deleted Comment
And of course controlled vote or paid vote...
E-voting can and has also led to exposing voting fraud -- see Venezuella.
Any citizen can go and check how votes are counted in their Geminde. Any citizen can check what is reported in the federal tally. I did several times. It's not rocket science.