
To Protect Voting, Use Open-Source Software

281 points | evanb | 8 years ago | nytimes.com

242 comments

[+] pedrocr|8 years ago|reply
Don't, use pen and paper instead. Previous HN discussion on it:

https://news.ycombinator.com/item?id=14891266

[+] hathawsh|8 years ago|reply
I agree, however, those of us who understand the importance of paper ballots are having a hard time selling it to the public. We're coming across as Luddites. I'm impressed that the New York Times is promoting open source software; it's a small step in the right direction. Perhaps the message we should be spreading is that paper ballots are even more "open source" than any computer software. With paper, poll workers can prevent hacking by simply observing, using physical locks, and communicating with other poll workers. Software (open source or not) only seems to complicate all of that.
[+] peterwwillis|8 years ago|reply
There are actually elaborate rules and measures on the handling of paper ballots to work around complicated schemes that have been devised to defraud the vote. It's certainly not foolproof.

Problems with paper voting:

  - Fraud
  - Counting time
  - Margin of error
Problems with electronic voting:

  - Hacking
  - Cost
  - Programming bugs
  - Machine error
  - Scalability
Actual way voting is handled:

  - Some states use mailed paper ballots
  - Some states use paper-free voting
  - Some states use a mixture of electronic and paper voting
The biggest risk is not the mechanism, but the way it is implemented: 5,000 independent jurisdictions all have completely independent ways of choosing how to vote, and then completely independent methods of implementing it. [3]

This[1] testimony from 2001 includes a good history of the voting process and the reasons why it is handled the way it is. The parent[2] directory contains 16 years of commentary articles.

[1] http://homepage.divms.uiowa.edu/~jones/voting/congress.html
[2] http://homepage.divms.uiowa.edu/~jones/voting/index.html
[3] http://homepage.divms.uiowa.edu/~jones/voting/PutinTrump.sht...

[+] sapote|8 years ago|reply
Agreed. And to add to it, we should switch to a system in which we have:

* 100% mail-in paper ballots, like Oregon -- no long lines, no games about which districts get which machines, no polling place intimidation

* Mandatory random-sample hand recounts (this has been shown to only need to be on the order of thousands of ballots out of millions for most races, given the statistical confidence you get with it)
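
A worked illustration of the random-sample hand recount described above, added here as an example and not taken from any comment in the thread: a BRAVO-style ballot-polling risk-limiting audit (Lindeman, Stark and Yates) run over a constructed two-candidate tally. The candidate labels, the reported 55/45 split and the 5% risk limit are assumed values.

```python
import math
import random

# Constructed reported tally for a two-candidate contest (assumed values).
REPORTED_TALLY = {"W": 550_000, "L": 450_000}   # 55% / 45%, a 10-point margin


def bravo_asn(winner_share: float, alpha: float) -> int:
    """Approximate average number of ballots a BRAVO ballot-polling audit
    needs to confirm a reported winner share at risk limit alpha, assuming
    the reported tally is accurate (the usual ASN approximation)."""
    if not 0.5 < winner_share < 1.0:
        raise ValueError("winner_share must be strictly between 0.5 and 1")
    z_w = math.log(2 * winner_share)          # log step per sampled winner ballot
    z_l = math.log(2 * (1 - winner_share))    # log step per sampled loser ballot (negative)
    asn = (math.log(1 / alpha) + z_w / 2) / (winner_share * z_w + (1 - winner_share) * z_l)
    return math.ceil(asn)


def bravo_audit(sampled_ballots, winner_share: float, alpha: float):
    """Sequential BRAVO test over ballots drawn uniformly at random.
    Returns ("confirmed", n) once the evidence ratio reaches 1/alpha after n
    ballots, or ("full hand count", n) if the sample is exhausted first: a
    risk-limiting audit never clears a result it could not support."""
    threshold = 1.0 / alpha
    t = 1.0
    n = 0
    for ballot in sampled_ballots:
        n += 1
        if ballot == "W":
            t *= 2 * winner_share           # each winner ballot raises the ratio
        elif ballot == "L":
            t *= 2 * (1 - winner_share)     # each loser ballot lowers it
        # any other mark (blank, third candidate) leaves t unchanged
        if t >= threshold:
            return ("confirmed", n)
    return ("full hand count", n)


def draw_sample(tally, k: int, seed: int):
    """Constructed stand-in for pulling k ballots at random from the boxes."""
    rng = random.Random(seed)
    return rng.choices(list(tally), weights=list(tally.values()), k=k)


if __name__ == "__main__":
    total = sum(REPORTED_TALLY.values())
    share = REPORTED_TALLY["W"] / total
    alpha = 0.05                                  # 5% risk limit (assumed)
    print("expected sample size:", bravo_asn(share, alpha), "of", total)
    print("a 2-point margin would need about", bravo_asn(0.51, alpha))
    sample = draw_sample(REPORTED_TALLY, 5 * bravo_asn(share, alpha), seed=1)
    print("audit outcome:", bravo_audit(sample, share, alpha))
```

The sample size depends on the margin and the risk limit, not on the number of ballots cast, which is why a few hundred ballots suffice for a 10-point margin and roughly fifteen thousand for a 2-point one regardless of whether a million or ten million were cast.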

[+] avelis|8 years ago|reply
Came here to recommend that.

Instead, use open source hardware. Use pen and paper!

:-)

[+] dgudkov|8 years ago|reply
We can trust digital money, but we can't trust digital votes?
[+] SAI_Peregrinus|8 years ago|reply
And if you want the benefits of computers (fast counting, ability to prove your vote was counted correctly) without sacrificing the secret ballot or the paper audit trail you can use something like punchscan or scantegrity.
[+] stephengillie|8 years ago|reply
Then we can debate whether or not a bubble has been completely filled in. Or if a "hanging chad" counts as a vote.
[+] yosito|8 years ago|reply
The number of comments here that assume paper ballots are inherently unhackable is disturbing. Paper is a technology like any other and subject to being manipulated by clever folks. The only way to have secure, trustworthy voting systems is to have them constantly being designed, updated, understood and publicly auditable. The only downside inherent to digital vs paper systems is that they're more complex and harder for people to understand and therefore audit, but there are plenty of upsides and the downsides can be mitigated through education. Open source is absolutely important for the auditability of voting software, but the same openness and transparency is just as vital with paper. tl;dr, it's not hard to hack paper!
[+] ridgeguy|8 years ago|reply
I'd like to question your view.

First, you've omitted a major downside of digital vs. paper systems, scalability. Attacks on paper systems are much harder to scale, are more easily detected and more readily audited by staff who need no IT training/experience. There are other downsides, but scalability is a good example.

Second, the "plenty of upsides" are mere niceties. I don't know of any must-haves unique to digital voting systems. What do they offer that is worth their diminished security compared with paper ballots?

I put security of our electoral process at top priority. Given the difference in attack surfaces of digital systems vs. paper ballots, I can't see a case for the former.

The continuing parade of breaches of supposedly super secure systems indicates we don't yet know how to code systems for large-scale public applications where security is absolutely essential. Paper ballots are the best we have for now.

[+] BurningFrog|8 years ago|reply
The important difference is that paper "hacking" scales as O(n) while computer hacking scales as O(1).

If you hack election software, you can change thousands or millions of votes as easily as one. The physical nature of paper means you have to work for each ballot.

[+] eric_h|8 years ago|reply
> tl;dr, it's not hard to hack paper!

True, but it is significantly (as in several orders of magnitude) harder to hack paper at a national scale than it is to hack an electronic voting record at a national scale.

Hacking paper requires people physically interacting with that paper to subvert it. That amounts to 1+ person per box of paper votes.

Electronics just needs the one person who discovered and exploited the vulnerability.

[+] rtkwe|8 years ago|reply
You don't even have to modify the paper often. All that's really needed is for observers from any interested party to be allowed, which they are in the US. Then to affect anything above the city level an attacker has to bribe or coerce hundreds of people to turn a blind eye to things against their own political interests. They can watch polling places to spot ballot stuffing and counting places to spot count issues/fraud.
[+] marcosdumay|8 years ago|reply
The mainstream digital voting method, that is, a digital-only ballot totaling everything, is basically impossible to audit. It shouldn't be used anywhere.

Yet, there are ways to make digital voting auditable. There is an inherent conflict between a system being auditable and anonymous. You can't completely satisfy both, but paper satisfies neither, so there is plenty of margin for improvement.

[+] cmurf|8 years ago|reply
No one has indicated they're unhackable. The argument is that how to mitigate ballot stuffing is pretty well understood, enough that it's not a factor in altering outcomes.
[+] rectang|8 years ago|reply
Open source voting software will never replace proprietary voting software, because open discussion of voting software security will reveal that it's impossible to build hack-proof voting terminals.

Paper ballots are a superior technology.

[+] partiallypro|8 years ago|reply
You can stuff ballot boxes, that's where the term comes from. Nothing is "hack-proof."

I think it's funny that people are freaking out on HN about this. The hacks at Defcon all took a long time to do, and I believe all required keys to the machines, and all were done on older voting machines. There has been no evidence of people hacking machines during the elections. Stuffing ballot boxes and other forms of voting fraud have been around for a long time, and nothing we do is going to stop it 100%.

Also voting machines generally have paper copies that print off the back of the machine that are anonymized but can be matched if foul play is called into question, at least in my area. Couple that with monitors that stand near machines or walk around and I feel pretty comfortable with electronic voting.

The only plausible hack would be an inside job, but I too find this difficult to believe. It would take tons and tons of people to hack the machines if it required physical access. You'd have to hack every machine, and even when you were done there are so many districts it would be nearly impossible to swing the election in any meaningful way.

[+] DarkKomunalec|8 years ago|reply
> impossible to build hack-proof voting terminals.

Suppose they do build a hack-proof voting terminal - how can you tell that's what you're voting on, and not a compromised machine with identical appearance? De-cap all the chips and put them under an electron-microscope?

[+] roselan|8 years ago|reply
It's quite easy to make them disappear or bulk fill them. Like bank notes, paper ballots can be counterfeited.

The Canton of Geneva has open-sourced its voting app. https://github.com/republique-et-canton-de-geneve/chvote-1-0

Of course there will never be a perfect way. However, I have a feeling that by multiplying voting methods, fraud impact can be contained. Mail voting increases the number of people voting and has the same positive effect (drowning a fraud in valid results).

[+] cwyers|8 years ago|reply
Haven't we gotten past the "open source == secure" mindset yet? Yes, open source software can be audited. But secure software is also really really expensive. "With enough eyes, all bugs are shallow" has been pretty well repudiated. Finding security bugs and fixing them in open source products is exactly the sort of drudgery that people don't tend to do on their own; it's not fun like adding new features is. Open source is not a silver bullet to add security where other forces are pushing against it. Android is open source, iOS isn't. Which is more secure? I'm not saying that iOS is more secure because it's closed source, I'm just saying that "open source == secure" is overly simplistic.
[+] BoringCode|8 years ago|reply
Many open-source projects simply don't have the resources to adequately test their products or provide support. Contrast this with a large company which has the resources and the willpower to provide support for their software. Often the best of both worlds is a large company/organization that dedicates its resources to an open-source product, but that's not always the case.

But this issue is never as black and white as "open-source is more secure." There are many other factors that go into the security of a product beyond its source code being readable. Deciding which factors matter largely depends upon your unique threat model.

[+] Kpourdeilami|8 years ago|reply
Even if they use open source software, what guarantee is there that the version of the software deployed on the machines is the same as the one people can inspect?
[+] mikegerwitz|8 years ago|reply
You could have multiple independent inspectors do such certification provided state/federal laws are strong enough to discourage bad actors, but there's a bigger problem than that: how do you guarantee that the hardware is the same? You don't, especially if malicious State actors are involved.

Even in the case of inspecting software, you'd have to guarantee that the systems are secured after inspection and not tampered with. That's an even more difficult problem.

The systems are simply too complex.

[+] ivanbakel|8 years ago|reply
A natural extension of the industry requirement for crypto implementations to be open-sourced. How can you rely on the security of a system you cannot inspect? The trouble is that security through obscurity is the physical standard - you can't keep a lock everyone knows the cut for - so the non-technical approach is sticking with what you know.

It's disturbing that a major corporation has the lobbying power to back that kind of unsafe position for its own gain, though.

[+] wongarsu|8 years ago|reply
Security through obscurity is a factor in physical security, but locks are really not an example of that. The construction of most locks is well documented, or easy to reverse engineer by buying an identical lock. The thing keeping a lock secure is the key, which is a regular secret just like any crypto key. Nobody would claim ssh does security by obscurity because anyone who knows my key can get into my server.
[+] mipmap04|8 years ago|reply
Or use paper ballots.

Additionally, if you really wanted to protect voting and still use computers, use an open ballot and also allow voters to audit their own vote.

[+] jangerhofer|8 years ago|reply
I have two open-ended questions on the subject of technology in U.S. voting.

(1) Why doesn't our electoral system require public disclosure of each voter's record? What would the ramifications of publishing each voter's identity & ballot online be? My thinking, like other comments here, is that a transparent voting system would make results more easily verifiable, if not easy to verify.

(2) At what point could we transition toward more of a democracy (in contrast to the representative, republican system) through the use of digital voting, which has a lower "barrier to entry" than turning out to a polling center? Particularly on nationwide issues like healthcare, I presume there are relatively few technological barriers to letting every citizen vote individually on a bill and immense political and social consequences. I can't fathom the outcomes -- do you know of any discussion of such a system?

Non sequitur: I've always wanted to see a "name brand" professional sports team run, down to the minutiae, by online fan voting. I know it's out there in small leagues already.

[+] bearcobra|8 years ago|reply
This seems like a problem that requires multiple approaches to fix. Since the election, I've been thinking that a system with these features would be ideal

1. Electronic machines powered by OSS
   - Provides fast counting, and potentially better UX in scenarios with a large number of items to vote on
   - Ability for the public to review the code
2. Machines print a copy of the ballot that the voter can verify before it is placed in a secure ballot box
   - Provides an auditable backup record
3. Machines give the option to print a second copy of the ballot with a unique code. This code can be used to verify selections later via some kind of online interface.
   - Gives the user one more check on ballot integrity
   - Allows the voter to keep their voting record anonymous if they choose

I think this would balance pros/cons of pure paper vs. electronic voting systems

[+] SomeStupidPoint|8 years ago|reply
....Or just be reasonable and use paper ballots.

They're not actually that hard to count, they leave a hard to alter record, they require more effort to fake, etc.

The underinvestment in voting and the focus on mechanizing it has been a disaster in the US and is teetering on the edge of being incredibly dangerous to the well-being of the country.

Electronic voting has none of the features we want and all the failure modes we don't. Return to entirely paper.

(For what it's worth, my area seems to basically use those test scanning systems on paper mail-in ballots. That's still more electronics than I like involved in the process, but is much better than fully electronic and we might be stuck with that as long as we use mail-in ballots -- which is a separate debate.)

[+] wahern|8 years ago|reply
California is almost entirely paper ballots across the state. Moreover, 1% of ballots are hand-audited to verify the integrity of the electronic tally.

Years ago there was a push for online voting. The state commission came away from that study suggesting a return to paper ballots, recommending to ditch even the new electronic voting machines that were becoming popular, because of the lack of credible, verifiable security. I think paper ballots are effectively required by law, now, with exceptions for accommodating people with disabilities.

[+] 15155|8 years ago|reply
> That's still more electronics than I like involved in the process,

I think most places that use these will use an additional count-by-hand pass afterwards. If someone is tampering with these count-only machines it's likely that they will be discovered and prosecuted.

[+] tzs|8 years ago|reply
If you need open source voting software in order to trust that your voting system is working reliably, you have already lost, because that implies your voting system is depending on software working correctly.

Look at Scantegrity [1]. It provides end to end independent verifiability of elections and lets voters check to see if their vote was counted correctly, without depending on the voting software functioning correctly.

[1] https://en.wikipedia.org/wiki/Scantegrity

[+] khrm|8 years ago|reply
I find Rivest's video( https://www.youtube.com/watch?v=BYRTvoZ3Rho ) on homomorphic encryption as voting mechanism quite interesting. It looks more secure than pen and paper.

All users get a receipt which they can verify is the same during vote counting. They themselves can count the votes using all the others' receipts. At the same time, they can't sell their vote as it's encrypted.

[+] uncletaco|8 years ago|reply
Use paper voting, or if you want everyone to have easier access use mail-in paper voting.
[+] GlitchMr|8 years ago|reply
There was once a GNU project for electronic voting (https://www.gnu.org/software/free/), but it was stopped after realizing that what they were trying to do was almost impossible, and it changed direction to recommending not using electronic voting systems at all.
[+] dilap|8 years ago|reply
Give each vote a uuid. Give the voter a receipt with their uuid and results. Post the full results online by uuid; voters can verify the recorded online result is faithful.

Label the online results by voting site. Keep a count at each site of the number of people that voted. Verify this count more or less matches the results posted online.

[+] denom|8 years ago|reply
That would result in scenarios like this: "I'll pay you X amount for a 'Yes' UUID". It's far better to keep the result anonymous.

As for the counts, where I vote my name is recorded in a book and then I cast my ballot. So it should be possible to verify that the book tally and vote tally match.

[+] filoeleven|8 years ago|reply
As others have said, this can lead to vote buying or voter intimidation ("vote for x or I'll break your face")

Spitballing here: What if you get the receipt with UUID and your choices, then at a separate kiosk only in the polling station you can enter your UUID to view the full results as posted online. Along with your UUID and results, a hash of the two is displayed and can be printed onto your receipt. Before leaving the station, you must detach and dispose of the plaintext voting choices, but you can hang onto the UUID + hash.

At any time in the future, you can enter your UUID into the site, which will compute and display only the hash, giving you verification of no tampering but not disclosing any results to nefarious third parties.

[+] IncRnd|8 years ago|reply
This moves validation to people, requiring that everyone have internet access that is used to check their voter tally.

Unfortunately, this system is neither trustworthy nor correct, as adding new UUIDs to the rolls defeats the system.

A voting system is a security system that has to work in the presence of bad actors.

[+] agarden|8 years ago|reply
A UUID could let one verify that one's own vote was correctly recorded, but it does nothing to prevent stuffing the ballot box, which seems to be the more normal way of swinging an election.
[+] saint_fiasco|8 years ago|reply
Voting is supposed to be secret. If you have to give each voter a receipt with their uuid, it defeats the whole point.
[+] wildmusings|8 years ago|reply
The most computerization I'm comfortable with for voting is having machines count paper ballots.
[+] denom|8 years ago|reply
Paper and pen is the way to go. It provides a verifiable record of votes cast and means you need physical/personal access to tamper with the result. That also means people with no special skills can provide security for all segments of the voting process.
[+] jjawssd|8 years ago|reply
I think a lot of you guys mentioning paper ballots are also missing something very important: what is counting the paper ballots? Is a Scantron machine reading the ballots? If so, the firmware could be compromised to bias results in a particular direction in a stealthy manner.

Please observe a real world example of this: https://www.youtube.com/watch?v=8mBMHPxdljE

[+] jeltz|8 years ago|reply
I have never assumed anything other than that it would be humans, presumably mostly volunteers from the various political parties, doing the counting. That is how it is done in Sweden, and I think also in a bunch of other European countries. It worked fine for us before we had computers and it still works. We get a preliminary result within a few hours, and a final result in like 3 or 4 days. And the problem of manually counting votes scales linearly with the population, so the size of the country should not matter much.
[+] boobsbr|8 years ago|reply
You can solve this by using multiple scantron-like machines from any manufacturer.

You could put them in sequence and compare the results. If results diverge, you investigate why.

[+] maxerickson|8 years ago|reply
Yes, paper ballots still need monitoring and audits, whether they use electronic tally machines or not.

But those are both more straightforward with paper ballots than with other systems.

[+] digikata|8 years ago|reply
Open source voting software is not sufficient. Paper ballots are better, but I suspect that electronic + verified paper receipt + an audit process is a fuller solution. Paper alone can be more easily locally subverted, electronic alone can be more globally. But if you have to alter both an electronic record/reporting and the paper ballots in a way that correlates then you have a better resistance than either paper/electronic alone.