
To Protect Voting, Use Open-Source Software

228 points | bleakgadfly | 8 years ago | mobile.nytimes.com

229 comments


blackkettle|8 years ago

No. To protect voting, don't use software. Everyone needs to be able to _understand_ as well as be able to verify that they successfully voted.

Besides the issues with what software the machine is actually running, most people cannot comprehend or understand that software - even if it is open source. That is not acceptable for an open democratic society, or to sustaining it.

In this particular situation it should not be necessary to rely on an expert to explain whether the vote counting mechanism is reliable. This only adds to the problem of unreliable or scheming officials - it doesn't improve anything in terms of transparency.

3131s|8 years ago

Just have the electronic system return a clearly labeled ballot to the voter, which would be verified and turned in before leaving. A physical count can be used to confirm the electronic count or vice-versa (physical counting has vulnerabilities too).

slim|8 years ago

Voting with paper does not scale. You can't make people vote every day, for example, which is required if you'd like to implement direct democracy.

On the other hand, with direct democracy, the stakes are lower for each vote. So there is less incentive to manipulate the vote. So it makes sense to use e-voting for direct democracy.

In the end the voting mechanism in democracy is not really about precision, it's more about getting an acceptable outcome for all the parties.

amluto|8 years ago

I like the model where you vote electronically and you can see (through a clear material) that the machine prints out a copy of your votes and drops them into a bin.

You can throw cryptographic verification on top of that if you like.

EGreg|8 years ago

That's silly. Do you need to use paper and pencil to do banking? If we as a society and individually can trust our money to technology then why not voting?

Having a Merkle tree and voting from your device instead of a polling station is not just more convenient - it's more secure too. Everyone can verify their vote was counted!!

And right now? Right now we have a government database of who voted for what. That's crazy.

eksemplar|8 years ago

I think you could do some secure voting software if all your citizens had a secure two factor signature and you used block chain.

I'm not sure why you would do it in a non-corrupt country though.

danirod|8 years ago

Electronic voting is a bad idea and I'd be suspicious of anyone trying to promote it.

How can you know that even if the source code for the voting machine is open, the voting machine is running the exact same source code? How can you know nobody has tampered with the code the instance is running?

I'm glad my country is still running on paper ballots and glad we require voter ID.

Iv|8 years ago

Came here to say that.

Transparent voting boxes, ballots in envelopes, manual redundant counting done by people, usually voters who were nicely asked if they can come help back in the evening. That's what we use in France; you get the official result a few hours after the closing of the voting stations.

The whole process is watchable, from the sealing of the box in the morning to the count in the end, and parties send observers to random stations to check nothing fishy happens. An official log book is open for anyone to note if they feel something fishy happened (you were not allowed to vote, the counting was unfair, etc.).

Oh, and make voting day a holiday, or just put it on Sundays.

I used to wonder how the US could not even get that last part right, but then I understood that a whole party thinks it is in its interest to have fewer voters.

cmiles74|8 years ago

The vote processing chain is lengthy; it is inevitable that a computer system will be inserted somewhere in that chain. Right now the push is to have these systems right at the front, facing the voter, but that isn't the only time the votes are processed electronically.

In my district we vote by coloring in little circles with a #2 pencil, we then feed that directly into an electronic machine that tallies the results for my district. While the paper I handled is stored in the machine, I am sure that the results are transmitted to the next link in the chain through some computer system.

With so many links in the chain, it's my opinion that it's unreasonable to expect them all to be processed by people. It won't scale and I'm not convinced that it's that much safer anyway. It would be my preference that the pieces of the system that perform this processing are backed with open source software.

At the very least, if there is a case where tampering is suspected, officials of the court can compare the software on the machine with the software in the repository. This would prove in a clear and straightforward manner that tampering has occurred.

As painful as it is, I think we all need to trust the state, to some degree, to do the jobs that are the responsibility of the state. Once the votes have been tallied for a district, isn't it possible to tamper with them as they are transmitted up the chain to the next link in the processing? Or when regions of the state send their votes up to whatever the next link might be? I think that is possible, the best we can hope for is to push for as much transparency as possible and hope that, if it comes to it, we have enough data to detect such tampering.

TeMPOraL|8 years ago

Where is the good old Anonymous when we need them?

We need a high-profile hack of some local elections to drive that point home. Something done completely for teh lulz, leading to a result so absurd the elections would have to be redone.

xroche|8 years ago

> the voting machine is running the exact same source code?

Or that the processor is trustworthy? Many voting machines are using old processors, such as the 68000, and it would not be too hard to emulate a rogue processor that will have a different behavior, whatever the source code is.

You can also change the behavior of the voting machine at a certain time, or under certain conditions (such as detecting that a voting session has started).

The problem is not that voting machines are vulnerable to one or two attacks. There are thousands of ways of compromising them.

The only answer to this is that cryptography specialists do not have any answer to a secure electronic voting not involving a physical element (a bulletin, a receipt, etc.). This means that there is no THEORETICAL solution.

drdaeman|8 years ago

There are attempts to create end-to-end auditable voting systems, where you don't have to trust the organizers or machinery not to trick you, and you can validate that your vote was counted correctly.

https://en.wikipedia.org/wiki/End-to-end_auditable_voting_sy...

Sadly, as far as I know, none is without issues (older systems were found to have various problems, and newer stuff is still bleeding edge that wasn't yet reviewed thoroughly).

giancarlostoro|8 years ago

I agree with you entirely. There is no absolute way that we know of to truly know the code running is the exact code on GitHub. You can fake that it is in many ways, I don't see people running shell commands on the software before and after they vote to make sure it's the correct software. Even IF that software remains uncompromised, who owns the database? Who stops them from-

Way too many factors...

JorgeGT|8 years ago

> and I'd be suspicious of anyone trying to promote it.

It's just a former CIA Director signing the op-ed. It's not like they have a collection of zero-days and other exploits is it?

vmateixeira|8 years ago

Not just the software we should be concerned about, hardware too.

rotten|8 years ago

Why use a voting machine at all? Isn't the main point of having a polling location simply so you can verify your identity? If we could come up with a system that allowed one's identity to be verified online, or by postal service, then do we really need thousands of machines collecting the votes? Couldn't it be centralized to a handful of more easily audited systems?

Accacin|8 years ago

My country doesn't require voter ID at all, other than confirming a few details, and most studies here have shown that requiring ID didn't cut down on fraud.

For me it's important that the barrier to voting is as low as possible, and we don't have a government issued ID that is free.

grondilu|8 years ago

I'd rather say it's a good idea but it also is a technical problem that is not yet convincingly solved. It is clear though that open source by itself is not a solution, for the very reason you mention (how can one be sure about what code is running on a machine one doesn't own?).

That being said, from time to time articles show up about someone who claimed to have invented a viable solution. So we should not diss the idea and keep an open mind. Eventually someone will find a solution.

specialist|8 years ago

There's a lot more to elections than tabulation.

Mapping, voter files, candidate filings, canvassing reports, ballot artwork, translations, ballot tracking, etc.

All of it should be open source. The way it used to be. Before the vendors smelled blood. (Especially after HAVA.)

I traveled my state advocating "citizen owned software". Everyone gets that phrasing. Overwhelming support.

lawless123|8 years ago

I agree, you'd need a way to verify every machine is running the open source software. The risks are too great you'll fail and the rewards for anyone that can hack the machines too great.

To say a machine hasn't been hacked is trying to prove a negative.

nurettin|8 years ago

Every time we vote, there is more talk about the burned ballots, unopened chests, uncounted votes and fraud concerning votes being collected from neighboring countries posing as people from my nation.

So yeah. Doesn't really matter whether it's electronic or not.

danhardman|8 years ago

I'd like to reference Tom Scott's video[0] here. There is no need for an electronic voting system, paper ballots work perfectly.

[0] https://www.youtube.com/watch?v=w3_0x6oaDmI

fredley|8 years ago

Depends on what your need is. If you need to alter votes, it's an extremely good system!

TeMPOraL|8 years ago

This video is absolutely an amazing summary. Thanks for linking it!

warcode|8 years ago

Until you want to scale due to using rapid direct democracy. Paper ballots will still WORK perfectly, but the workload will be massive.

ai_ja_nai|8 years ago

This is plain bullshit. Open source gives no guarantee that the vote won't be altered by whoever runs the machine.

What we need is a zero-knowledge proof: we need the entire voting dataset to be publicly downloadable and some kind of checksumming so that, while maintaining anonymity, I can 1) check that my vote is the same, 2) run the whole counting in a blink on my PC.

This gives much better guarantees of no tampering.

Ajedi32|8 years ago

One other requirement too.

3) Users should not be able to prove to another person who they voted for

This is to prevent people from using threats of violence or promise of reward to coerce others into voting a certain way.

Unfortunately, this requirement is very hard to fulfil while also fulfilling requirement 1.

cmiles74|8 years ago

I think this makes a lot of sense. I'm not sure a checksumming method that can indicate tampering can be devised, but my hope would be that by making the data publicly available for every stage of the processing pipeline, auditors or interested parties might be able to detect fraud.

kennydude|8 years ago

This does not ensure the data itself isn't wrong.

beat|8 years ago

First and foremost, use paper ballots. Before anything else. The paper ballots are the System of Record. If ever in doubt about downstream results, paper ballots can be hand-counted. (Additionally, use paper voter rolls. Mark registered voters when they vote, and track any same-day registrations on paper. The exact number of ballots cast can be extracted from the voter rolls.)

Second, never allow paper ballots to be handled by just one person, or by only members of one party - whether blank or used. Require that members of at least two political parties be present any time the ballots are physically touched.

Third, if using machines to read the ballots (ScanTron, etc), conduct spot counts of random machines, to make sure the machine results match the paper ballots. Conduct spot counts of entire polling stations randomly to make sure result totals match voter roll totals. Although this isn't 100% certain, it doesn't take a lot of spot checks to detect any sort of large-scale fraud effort.

Do these things, and it's exceedingly difficult to do statistically meaningful vote fraud, because we have a high degree of trust in the paper ballots and their surrounding process. From there, you can use automatic ballot reading and tallying to get fast results - the vote counting/tallying automation is derived data, not the System of Record.
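The third point (random spot counts) as an added worked example, not from the thread: how many precincts have to be hand-counted against their paper ballots to catch a fraud that altered machine results in m of N precincts. The precinct counts and fraud sizes below are constructed figures.

```javascript
// Added example (not from the thread). Model for "spot counts of random
// machines": N precincts in total, m of them with machine results that do
// not match their paper ballots, k precincts drawn uniformly at random
// without replacement and hand-counted. One mismatch in the sample is
// enough to trigger a full recount, so "detection" means at least one
// tampered precinct lands in the sample.

// P(detect) = 1 - C(N-m, k) / C(N, k), computed as a running product so
// no large binomial coefficients are needed.
function detectionProbability(N, m, k) {
  for (const v of [N, m, k]) {
    if (!Number.isInteger(v) || v < 0) {
      throw new RangeError('arguments must be non-negative integers');
    }
  }
  if (m > N || k > N) throw new RangeError('need m <= N and k <= N');
  let miss = 1; // probability that every precinct sampled so far is clean
  for (let i = 0; i < k; i++) {
    const cleanLeft = N - m - i;  // clean precincts not yet drawn
    if (cleanLeft <= 0) return 1; // more draws than clean precincts: certain detection
    miss *= cleanLeft / (N - i);
  }
  return 1 - miss;
}

// Smallest number of spot counts whose detection probability reaches `target`.
// Returns null when m === 0 (sampling cannot find what is not there) or when
// target is above 1.
function spotChecksNeeded(N, m, target) {
  if (target <= 0) return 0;
  if (m === 0 || target > 1) return null;
  for (let k = 0; k <= N; k++) {
    if (detectionProbability(N, m, k) >= target) return k;
  }
  return null; // not reached for m > 0: k = N - m + 1 already gives probability 1
}

// Table for a constructed mid-sized state: 1,000 precincts, fraud touching
// 1%, 5% and 10% of them, at 95% and 99% detection confidence.
function sampleTable(N = 1000) {
  return [10, 50, 100].map((m) => ({
    tamperedPrecincts: m,
    checksFor95: spotChecksNeeded(N, m, 0.95),
    checksFor99: spotChecksNeeded(N, m, 0.99),
  }));
}

console.table(sampleTable());
```

The model only covers fraud that has to touch many precincts; a small, well-placed fraud (the first point in Zigurd's comment further down) needs a far larger sample or a full count.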

noja|8 years ago

A child can understand paper ballots and why they work.

There are probably less than a hundred people in the world who can understand an electronic voting system at every level down to and including the silicon.

specialist|8 years ago

Bingo. And those of us who've studied voting computers extensively have concluded they're to be avoided.

cletus|8 years ago

To protect voting don't use electronic voting.

Paper ballots (the kind with marks read optically, not the ridiculous punch cards at the center of the Florida 2000 debacle) are easy to use and understand with a very low error rate and keep a paper trail, being the actual ballots.

I don't understand why anyone other than the companies who sell e-voting machines actually wants electronic voting.

specialist|8 years ago

You have to hang out with election administrators to grok that. Their motivations are not the same as the voters'. Their election night prayer is "Please God, don't let this election be close."

They want certainty more than anything else. For decades, computers were regarded as more accurate, impartial, and certain than human tabulators.

The second factor is appropriations. Elections are big money. And like all industries, there's a revolving door between government and industry.

Admins also want control. Their impulse is to centralize, simplify. Think of the logistics of running 100s of voting sites, 1,000s of precincts. All the training, people, materials, gear that has to be stored, shuttled around, repaired, etc. Moving to voting computers, reducing head count, moving to central count seemed like a huge win. (But you and I, computer people, we know they just traded problems.)

fredley|8 years ago

To protect voting, use paper ballots.

Shivetya|8 years ago

Valid ID should also be required.

With paper ballots how do we guarantee those with a right to vote who cannot travel to a secure voting location have the ability to do so?

richardknop|8 years ago

Paper ballots without voter ID requirement are ridiculous.

boomboomsubban|8 years ago

As someone who is a firm supporter of free software as the best option in every area, this feels like a subversive attack.

Voting software is bound to fail, no bug bounty is big enough to offset the billions that could be made off of hacking an election. It is bound to fail spectacularly, and then for the rest of time people can point at the election and say "the ability to see the source code let this happen."

vowelless|8 years ago

Someone needs to start a campaign: "Say No To Electronic Voting"

CapsUnLock|8 years ago

Well, IMHO a good way to digitize voting would be to give out a USB-drive-like (NFC) device with an option to set a value and lock it in the read-only mode using voter ID.

How it will work: A person gets this device in the voting center, enters/gets his voter ID, does the voting (anonymously), presses the read-only lock and throws it into the bin. After all the voting, these devices are scanned and the voting data is retrieved. A voting database is populated in each center in a transparent way, to prevent tampering (several parties can be allowed to read this data separately and then all data variants can be compared against each other, just in case). After consensus on the voting data, each voting center sends the results for counting. And the voting is completed.

In the end, these devices are reset and the cycle continues.

Well, I'm sure that there must be some problems when voting the aforementioned way. But I guess it could work out, with some modifications.

EDIT: Grammar.

scaryclam|8 years ago

That sounds a whole lot like paper voting to me...except more expensive and more complicated. What's wrong with giving everyone a pencil and a ballot paper, at the polling station, in place of the NFC device?

castis|8 years ago

The only winner in that scenario is the company manufacturing the NFC devices. That system is too complex.

kome|8 years ago

My first job was an ethnography of electronic voting in a wealthy region in northern Italy.

By our observations electronic voting added several layers of complexity that are difficult to justify.

ApolloFortyNine|8 years ago

Why can't you have everything set up so that when you vote, you get what amounts to a JSON Web Token to be able to later verify that you did in fact vote? You could use the government's publicly available key to verify that your vote reached the central service, and part of the JWT could contain your vote as well as your identifying information (SSN in USA).

Obviously everything could have fancy UIs created for end users so they don't see that really all they have is a JWT (maybe a QR code printed out when they vote? And all the info easily human readable?). Verification could be handled by a .gov address and also through manual use of the public key (so other services could be set up to verify votes as well). And internet connectivity wouldn't be a problem as they could just require T1 lines at polling locations (I assume if phones went out across the country the election would be delayed regardless). You could likely tell if someone had stolen the private key (the only way I can think of breaking this system), if you have a service to verify someone's vote, and it doesn't show up there, even though you have a signed JWT containing your vote. That would prove someone had stolen the private key, allowing for a makeup election.

Am I missing something basic about how this would be hackable? I'm one of those who finds it odd that many elections around the world are susceptible to simple human mistakes/purposeful malicious actions when it comes to counting ballots.

wu-ikkyu|8 years ago

Why is it that electronic voting is so vehemently opposed here on HN and by many technologists in general when virtually every other existentially vital system they rely on is run electronically?

marcosdumay|8 years ago

It's worse than not working. It's because nobody can ever be sure if it's working or not.

Granted what is publicly known, it not working is a very likely outcome, but nobody will ever be able to contest it.

maxerickson|8 years ago

The cost of disruption is extremely high for voting, for pretty much everyone.

For other systems, a disruption is just inconvenient for most people. Like if I can't use my credit card for a day, I don't care (of course this may be of more consequence for some people). Same thing with a power outage (and people that need it can have a backup for grid power; how do you have a backup for legitimate governance?).

Arkanosis|8 years ago

“R. James Woolsey […] former director of [CIA]. Brian J. Fox, […] develop open-source voting systems” — even if I had no opinion on the matter, it'd seem to me that there's a clear conflict of interest there.

To protect voting, do NOT use software. At all. Open-Source software is no more trustable than paper, and is orders of magnitude more complex to set up and audit. If you can't explain to a 5-year-old how it works, your voting approach is not trustable.

Zigurd|8 years ago

First, you have to understand the problem:

1. You don't need to commit widespread election fraud to throw an election if you can predict where a small fraud will matter.

2. Not all election fraud is a miscount of ballots. Throwing out minorities' registrations is also election fraud, and you can't fight that with more-reliable ballots.

3. The best solution might not be a technology solution. Paper ballots make it hard to scale fraud. But that's not enough, since fraud doesn't always need to scale.

4. Early voting and absentee voting need to be taken into consideration and are a growing part of voting in the US.

5. If software systems are used in voting, tallying, or anything connected to election results, the systems should be open to inspection and to pen testing.

pjmorris|8 years ago

To protect voting, use paper ballots and count them in public (OK, and voter ids if you insist).

xealgo|8 years ago

Security may not ever be 100% with e-voting systems, but it can be secured enough to where the probability of any hack attempt would have minimal impact on the overall outcome. I can think of several ways a secure, verified registration could work just off the top of my head. I think the issue is more, where's the incentive for the government to make this happen?

clarkevans|8 years ago

This past election has shown that it's not just the voting software, but the software/systems that control who is permitted to vote.

tiku|8 years ago

Why not blockchain voting? Everyone receives 1 voteCoin, and transfers it to the correct wallet address of the person he or she votes for?

zAy0LfpBZLC8mAC|8 years ago

1. Because it lacks anonymity?

2. Because the average voter cannot possibly understand and verify the security properties of that setup.

tiku|8 years ago

And it could even help with vote counting per city, if they originate from a "city" wallet, that came out of a "region" wallet and so on..

ruffrey|8 years ago

There's got to be some way to put votes on a blockchain. More important than voting electronically is being able to verify your own vote was not tampered with, and that all the votes add up as reported.

jk563|8 years ago

A lot of talk about securing voting machines/verifying that they run the correct software. Why do we have to have physical machines? If it's electronic, surely a website would do if you have the correct means of ID?

NB: this is not an indication of which side I fall on the debate, it is an observation.

[EDIT] Also, I'm aware similar issues exist with a website, but it seems a lot of focus goes on the actual machine.

fredley|8 years ago

In case anyone can't see why this is a whole heap more terrible on top of the terribleness of electronic ballots...

Verifying actual real identity over the internet is impossible. Even if you did webcam-based biometric authentication of identity - these are fooled by a photograph. Going to a polling station and verifying your identity to a human being is much harder to fake, and almost impossible to scale.

The web is an untrustworthy delivery mechanism. What if a nation state wants to disrupt your election, and starts DDoSing the hell out of it all? Protecting against such attacks at that scale would be extremely difficult.

Also on the topic of state-level disruption, it is well known that orgs such as GCHQ, the NSA etc. hoard zero-days. How do you know your extensively tested system isn't vulnerable to a zero-day that another state has and you don't?

yoz-y|8 years ago

For me the biggest issue with voting that is not a "paper ballot cast in a sealed secure room" is that there is no way to guarantee that the person is voting for the party they like. This is because somebody could break into your home and coerce you to vote for some party, and they will also be able to verify that you have voted as they have instructed you. With a secure room they can maybe pressure you to vote one way or the other, but in the end they cannot verify it. Unless they can hack the electronic system and reverse the ID->vote link. This problem disappears with paper ballots (if it is reasonably secured; in my country at some point you received a ballot for every party and only cast the one you liked, and the third party could ask you to bring them all the other ballots as proof).

DarkKomunalec|8 years ago

Because then you need to secure the computer used to access the website. Good luck with that.

thescriptkiddie|8 years ago

The amount of anti-free-software FUD in this thread is staggering. Did Microsoft buy off all of you?

cortesoft|8 years ago

Wait, what? I haven't seen a single anti-free-software comment in this thread; most people are against electronic voting entirely, whether it is open or closed source. Why would Microsoft be anti-electronic voting?

davidgerard|8 years ago

To protect voting use paper.

Why did anyone ever think computerising voting was a good or useful idea?

return0|8 years ago

To what extent is voting fraud an issue in the developed world and why is Nytimes upset about it?

peterwwillis|8 years ago

This story has been posted four times now. Click the 'past' link at the top.

wnevets|8 years ago

Use open source software that prints a paper ballot then count the paper ballot.

a_imho|8 years ago

Retire voting in favor of sortition.

scierama|8 years ago

"The blockchain is an undeniably ingenious invention – the brainchild of a person or group of people known by the pseudonym, Satoshi Nakamoto."

It isn't even definitively known who invented blockchain, it is behind the pyramid scheme known as bitcoin and no, no way should that ever be used in voting system computers.

eksemplar|8 years ago

The block chain is best known for bitcoin, but it's actually a really awesome tool for keeping public records safe.

Things like land ownership are vulnerable to manipulation. We don't think about it much in the west because our governments don't change the name of the owner of your house for money, but it's a real problem in corrupt countries.

It's also a major problem in shipping, where ownership of containers is done with paper forms that, because of corruption, have a higher cost of shipping than the actual container itself, and containers still get claimed with faked forms.

Know what Mærsk did to secure the container contracts? They used the block chain.

Much like container forms or land contracts, paper votes are only safe if your system isn't corrupt. With the block chain you could remove the need of relying on the system to be honest because everyone would be able to read the record.

Right now you rely on independent observers, and I hate to tell you this, but we've been unable to influence elections in corrupt countries so far.

When Putin wins with 900% of the votes in regions that hate him you can say that it seems unlikely, if they'd used block chain you would be able to see that it was a lie.

huhlig|8 years ago

If you consider Bitcoin a pyramid scheme I would love to hear your treatise on fiat currency, fractional reserve banking, and capitalism in general.

cgmg|8 years ago

I don't think you know what a pyramid scheme is.

How about learning the definition of the words you use before throwing them around?

joseppe|8 years ago

One word: blockchain

alkoumpa|8 years ago

To protect voting, audit your software/system extensively. OpenSSH is open-source and we all know the story..

fredley|8 years ago

But how can I (a voter), audit it in the voting booth? How can I verify that the extensively audited software is actually running on the machine in front of me?

alkoumpa|8 years ago

Plus, I might add, you can create secure software that can't be penetrated from outside, but what about the hardware? Unless you write this (software) too, how can you trust the underlying hardware? e.g. Broadpwn. Yes, open source makes it easier to audit/collaborate/patch but it's not enough.

nkohari|8 years ago

I'm not a crypto fanboy or anything, but I feel like voting is a great application of blockchain technology. It seems like the system could be made to be both anonymous and publicly verifiable, and the vote count would return more or less immediately.

drdaeman|8 years ago

Uh. Blockchain is just a doubly-linked list with hashes, and a set of rules for how the peers validate blocks and come to a consensus. Not some magic crypto pixie dust that brings anonymity or prevents fraud.

It could come in useful, e.g., for keeping census data to avoid some forms of fraud, e.g. preventing rogue organizers from loading elections with "dead souls" voters (Gogol-style). But I don't see any immediate use for elections themselves.

Say, the blocks would store anonymized votes (nothing about blockchain itself implements the anonymization). One immediate issue I see is that blockchain only verifies integrity of the blocks after they're in there and out to the public, so it could be verified. Sending them too early would skew election results (observers would be able to see the intermediate results and bias their votes accordingly), and sending them too late would probably make blockchain mostly pointless.