I think paper ballots should be collected at each polling location.
I also think paper ballot totals from each polling location should be published publicly in a variety of forms, so that the totals can be added independently.
Paper ballots get counted publicly. Anyone that would like to witness it can attend for any amount of time and call out miscounts. Totals are read out on live TV.
The most successful attacks on democracy are gerrymandering (US especially) and misinformation (global problem, see Brexit though specifically). Don't get me wrong, this sort of security is necessary but there's nothing wrong with tossing out the machines and using real paper ballots with a pencil (thus sidestepping the problem). You can even machine-read those for a machine count (which can be verified since the paper ballots are still around to rescan with different hardware/software for validation).
How do you engineer around the misinformation vector though? That's the hard problem.
The premise of democracy, at least the American incarnation, is to allow people to believe whatever they want to believe. As a candidate, you have the freedom to say whatever you want. Even if everything they say is true, they can draw attention to the wrong issues, or stoke fear. To argue against misinformed voters is to argue against the foundation of the process. It's not just foreign countries dropping propaganda to disrupt sensible consensus, it's the people themselves running who are propagating misinformation.
"In a Democracy, the real rulers are the dexterous manipulators of votes, with their placemen, the mechanics who so skillfully operate the hidden springs which move the puppets in the arena of democratic elections. Men of this kind are ever ready with loud speeches lauding equality; in reality, they rule the people as any despot or military dictator might rule it." - Pobedonostsev
At the end of the day, whoever either spends the most money yelling out a megaphone, or gets the most attention yelling, gets elected. Except for times like Trump exploiting the modern news/press cycle for his own benefit, most election winners are the ones who spend more money. I think the last time the lesser spend won a presidential election was Carter running against Ford. Goldwater got spanked as well, compared to spending.
Not only are paper ballots simple and effective, they can be mailed out 2 weeks ahead of time and people can vote with a laptop, at their leisure. Also, you don't have to store them for three months at a time with proof of custody, you can just scan them, or dump them once the election has been certified.
Voting machines sound great but that it's solving a problem by doing things the same with tech.
> How do you engineer around the misinformation vector though? That's the hard problem.
You can solve both with good education but public education will never teach people to think critically about government en masse because the committees of bureaucrats that decide the curriculum and the teachers that teach it get a government paycheck at the end of the day. They're not gonna be inclined to go all out when it comes to teaching people about things like gerrymandering, propaganda, etc. This is not for any nefarious reason or the result of any conspiracy, people just tend to see the good but not the bad when it comes to their source of income. The incentive system is simply not set up in a way to produce voters who think critically.
Use the post office. Use paper ballots in the mail. Many security issues vanish if polling places are no longer rich targets. In my state of residence, my ballot is sent in the mail, and I get SMS notifications when it is sent to me and when it is counted.
I like the idea of snail mailing a PIN number for an online system. But I’m a layman on the security issues that complicate what seems easy, is it the MITM risk of anything over a wire?
Disenfranchisement (e.g. requiring voter ID) and gerrymandering are far more significant issues for the democratic process in the USA than ballot security, which is a relatively solved problem.
Step 1) Make sure the guy in charge of bringing election security bills to vote on the Senate floor can't accept campaign donations from voting machine companies [1].
Step 2) Bring election security bills to vote on Senate floor.
Both are important, but WRT elections, faith in security is as important as actual physical security. I don't see how a black box of tech can convince a layperson that voting is secure. We need more in the way of audit trails and accountability.
The toughest part is ensuring anonymity and privacy while ensuring someone can only vote once, ensure the vote is legitimate, and accounted for.
The only way I can see that is using a PKI-based ID to validate the ID of someone, but then how do you ensure that person can vote anonymously and only once?
Back when we were all agonising over "Hanging Chads" in Bush v. Gore, Bruce Schneier published a series of collaborative works featuring the back & forth design of secure paper ballots + digital voting. So that was what? 2000?
Surely the problem then isn't technical, it's cultural and political.
IMO it shouldn't be all or nothing, here's a system I think would be the best of both worlds:
- Allow people to express voting intent & go through the candidates on the ticket with a website/app (as strong as it can be), which spits out some random ID/QR code
- Widen voting time period to months
- Support mail-in-ballots in more states
- Add a mandatory # of holidays per year (with proof of vote, notification of which local/national election the person is voting in)
- Require people to confirm their vote in person, with the option to vote with the QR their phone generated (and a confirmation screen afterwards for them to review), with every vote required to take a certain amount of time in the booth (to prevent timing people to figure out if they used their cell phone or not).
This setup allows for a few things:
- Early consideration of candidates and their positions and the ability to save how you were going to vote once you're in the booth
- More signals of voting intent that could be used to detect fraud (in addition to random sampling)
This scheme probably needs more thought to prevent election tampering, but I think adding a digital element as additive would be a benefit. If the digital element detects voting intent that sharply diverges from voter rolls, then a recount in whatever county is triggered.
I had thought that this was a great opportunity for blockchain, if identity could be solved reliably. That being said, identity is already being solved through IDs, voting stations, home-delivered ballots, etc.
The auditability and reproducibility would be great features, while cost and latency wouldn't be huge problems for voting.
There were even a few startups in the space (e.g. Votem), but none seem to have made the jump to doing real elections. Votem did a few smaller voting experiments like a vote for the Rock & Roll Hall of Fame, but never made its way to state elections.
I hope that DARPA can not only inspire innovation, but also help startups break into the difficult game of government contracting.
You can't have an anonymous system that simultaneously allows meaningful verification: if there is no way to tie me to my vote in the system, then there is no way for me to prove that my vote was misrepresented to anyone but myself. Even if there were, there is no way for me to prove that my claim about my vote is correct. Even if many people come out claiming that their votes are misrepresented, there is no way to know whether that is a sign of errors/tampering with the system, or a concerted campaign to try to put the election in doubt.
Any system which forgoes physical proof of voting as a base for the count, relying instead on after-the-fact verification, is open to this problem. A complex system, whether software or even mechanical, can never match this level of confidence.
I wonder if biometry (e.g. a fingerprint) could be reliably used as the private key (and thus the identity on the blockchain). That is, without a 3rd party / external system.
For trust, the network (as any blockchain network) would have to be properly decentralized, and (good or at least benevolent) people would have to be incentivized to run the network. I.e. there would be a monetary value (a coin, or a token), which would have its own pros and cons as seen by various parties.
(Mentioning fingerprints, I cannot but reference the movie Southland Tales, which in my view was the most prophetic movie ever made.)
There used to be a problem with vote buying / coercion. If you can prove you voted one way or another, you can sell your vote, or your employer can fire you for voting the wrong way (for example).
Given postal votes are a thing, and have been for many years (at least for UK/AU/NZ), are there still such stringent requirements on making it difficult/impossible to buy/coerce votes? Since both can be done using postal votes already.
Does this then open up more digital options? E.g. app-based voting where your vote is published along with everyone else's but in anonymised form, so everyone can independently verify the totals. By anonymised I mean the app displays a random “vote reference ID” that you could check in the final published ledger to see your vote was included, and was recorded correctly.
1. go vote
2. check to see who hasn't left their house today via open source GPS indicators
3. vote as them too because it's illegal for those at a voting station to ask to verify your identification
4. ???
5. undetectable voter fraud
There's a high chance you'll go try to vote as someone who simply didn't register. In California you could then register as that person and vote provisionally, but polling officials will check your identification.
Alternatively you may attempt to impersonate someone using vote by mail. In that case, there won't be a ballot to vote at the polling station, and even if you are able to successfully register provisionally or convince polling workers to give you a blank to fill out, election officials are already looking for these kinds of duplicates.
I know Ron Rivest has a lot of interest and work invested into securing voting systems.
I can't point you to a direct paper, but if you Google it I'm sure you'll find more than enough.
Those who are involved in the American election industry, from government to vendors or consultants, have committed to a platform based on verified C. The industry continues to refuse to adopt a memory safe language such as Rust. Granted, the investment in a new toolset is costly. However, the benefits are very compelling. In the meanwhile, industry will crutch its toolset decisions with white hat hacking events, bug bounties, millions of dollars in contracts supporting audits and testing, etc.
Path dependence is costly. In the case of elections, more than money is at stake. Industry must move beyond verified C to Rust.
rectang | 6 years ago
> If election security is an engineering problem,
It's not an engineering problem, it's a political problem. To the extent that it's engineering, it's solved if we would only adopt the known good approaches.
But we won't because there is political utility in having elections remain murky and messy for parties who may benefit from manipulation of the vote through disenfranchisement or other shenanigans.
m463 | 6 years ago
tamrix | 6 years ago
Beltiras | 6 years ago
basch | 6 years ago
jethro_tell | 6 years ago
dsfyu404ed | 6 years ago
lidHanteyk | 6 years ago
ufo | 6 years ago
1) Now the post office is a rich target
2) The voter doesn't see with their own eyes that their ballot has been deposited. They have to trust the SMS message.
3) It is more vulnerable to vote coercion. Family members, employers or organized crime might force you to show them your ballot before it's submitted.
airstrike | 6 years ago
conductr | 6 years ago
phs318u | 6 years ago
And more on the same topic: https://www.schneier.com/essays/elections/
toomanybeersies | 6 years ago
lucifirius | 6 years ago
ModernMech | 6 years ago
[1] https://www.newsweek.com/mitch-mcconnell-robert-mueller-elec...
hedora | 6 years ago
[deleted]
daenz | 6 years ago
m-p-3 | 6 years ago
Quequau | 6 years ago
josh_fyi | 6 years ago
hardwaresofton | 6 years ago
ElijahLynn | 6 years ago
* Ranked Choice Voting (or better)
* Individual Vote Verification API
sambroner | 6 years ago
tsimionescu | 6 years ago
sly010 | 6 years ago
If identity could be solved reliably, you wouldn't need a blockchain.
ypcx | 6 years ago
hedora | 6 years ago
yardstick | 6 years ago
karterk | 6 years ago
In India's case, the paper ballots actually caused a lot of rigging as booth capturing was rampant. EVMs greatly helped tackle that.
A small sample of the votes are also verified using voter-verified paper audit trail (VVPAT).
iyw | 6 years ago
thepaperone | 6 years ago
bb611 | 6 years ago
dwobry | 6 years ago
shanxS | 6 years ago
rectang | 6 years ago
https://en.wikipedia.org/wiki/2018_North_Carolina%27s_9th_co...
> On February 21, the board unanimously voted to call a new election because of fraud by Republican operatives.
Dowwie | 6 years ago