An optical hollerith machine would be useful. It would sort paper ballots into buckets based on selection. It's relatively easy to flip through a stack of ballots and ensure that every one has the same selection. Saves the effort of hand sorting which is not error free.
Belgium has been doing it for 25 years, though not without some issues. I'm happy to let other countries lead the way on this since we have a perfectly viable alternative.
A solid starting point, but it's easy to lose sight of the other critical part of the puzzle--integrity of the voting rolls. High quality vote tabulation needs to start from voters, where _only_ legitimate voters vote, and each only votes (at most) once, after which yes, their vote is accurately tabulated.
Here in Germany, the Pirate Party has discussed the topic at length, since they (1) love voting innovations, and (2) have generally good knowledge on CS stuff, and so far I think no real solution is known for anonymous, confidential, secure digital voting with verifiable results, which is easy to reach with paper ballots and public observers of the counting.
Aren't most paper ballots processed by machine anyway? Every ballot I've ever cast has gone through something akin to a Scantron machine.
The cost of human labor to count all ballots by hand will be enormous. Probably worth it I suppose, but this really is something that should be primarily automated. But again, trust in software. Sigh, why can't we just have nice things?
I'm watching him talk about the two key ingredients of an election (anonymity and trust, for those not watching the video) and thinking "We don't have those in U.S. elections".
I live in California, where the voting method is vote-by-mail and you sign your ballot. That breaks anonymity right there, plus there's a barcode that matches address and ballot for traceability, so in theory anyone involved in the election process could look at my ballot, cross-reference against address, and figure out how I voted. In practice I've never heard of anyone being pressured or confronted based on how they voted, so my default assumption is this doesn't happen much or at all.
But even broader, in the U.S. your party registration is public information. That's why whenever there's a political shooting, the media always says "He was a registered Republican" or "registered Democrat" or "was not registered to vote". And this mechanism is actively and publicly being exploited to alter elections. Since the U.S. is a two-party system and party membership is public, you have a fairly good idea how each precinct is going to vote before they vote, and can gerrymander maps to get the outcomes you want.
Plenty of trust issues in physical ballot transfer as well. California is vote-by-mail, but that assumes the postal service is a reliable carrier, while there was just a recent news story [1] about ballots being stolen. Before I lived in California, I was in Massachusetts, where we voted on 1930s-era lever voting machines where you hit a lever down and it marks a paper ballot without you ever seeing the real ballot. Between elections, these were stored backstage at the local middle school, so a mechanically-inclined middle schooler with knowledge of how an upcoming election's ballots would be formatted (and we did mock elections in middle school) could have rigged the machines to deliver the local precinct to their preferred candidate.
The useful points in the video were basically that decentralization and redundancy are what make physical elections hard to rig: you have to hack multiple locations to influence the overall election, and at each point you have multiple eyes watching you. He sets up the contrast with software voting, where you have the same software running on each machine, and even if the software is open-source, you can't be sure that the rest of the stack it's running on is secure (an oblique reference to the Ken Thompson Hack [2]).
But decentralization and redundancy are properties that you can introduce into software systems just as easily as real-wold systems. The KTH can be countered through Diverse Double-Compiling, for example [3]. zkStarks and digital signatures give you ability to prove that you authored something without revealing what that something is or who you are. The importance of client diversity for the security of the network as a whole has been well-known in the filesharing and crypto worlds. And anyone who has worked in Big Tech, aviation, or telecom could tell you that having multiple paths to success that are developed by independent teams is important for any computer system that is in a safety- or reliability-critical area.
Humans are actually quite bad at hand-tallying hundreds of millions of datapoints. Our eyes go glassy but we press on anyway.
Machines are very good at doing that kind of tedious labor accurately.
Whether human beings will put more trust in a system that we know will be wrong, but it's wrong for comfortable meat reasons, over a system that might be compromised but will be more accurate its more of a psychology question than a technical question though.
Posting those links without any insight from your side is just quoting dogma and, to me, it shows that you haven't really spent any time to consider the arguments. In my opinion shows that you lack imagination.
Every problem Tom mentions can be worked on and overcome. Maybe not today, maybe not by the next big election, but we should still start now, rather than later. We need to do everything possible to increase participation in the democratic process, especially for the demographics that are currently not very involved, which are also the demographics that are more likely to adopt electronic methods of voting.
These files are actually cursed and I want all drives that contain their data destroyed with acid. But I have a slight feeling other voting software isn't really any better, even though in theory it should be relatively simple software in the grand scheme of things.
Public trust cannot exist if the voting system requires *any* expertise. Voting systems should be idiot-proof. If you cannot explain how voting system is manipulation-proof to a 7 year old, your voting system is untrustworthy.
This means anything more complex than a pen or a stamp on an approved paper is too complex.
I live in Ireland which I think has one of the best voting systems in the world (don't worry we've still got plenty of other serious problems with our electoral system).
It's 100% paper PRSTV & so the counts are slow. Not only is this generally OK (because getting a rapid result is absolutely not a requirement of any well-functioning voting system) but it also has actual benefits.
The main benefit is predicated on the count being engaging in and of itself. Other countries put a lot of effort into jazzing up statistical presentations on constituency predictions, cloropleths aplenty, to engage viewers. In Ireland, count centres are not only manned by trained count staff, they're also flooded with volunteer tallymen who verify the counting in realtime. Count coverage is on the ground, showing a real physical process that's intricate enough to be watchable. The entire process also serves as an education-through-doing in how our voting system works, so you get a more engaged & informed electorate (when it comes to the mechanics of voting - still unfortunately not that informed on policy, that's a worldwide problem).
True! In The Netherlands, where I live, we still vote on paper ballots. The ballots are counted by hand. The counting is public, anyone can go and observe the counting.
Just the fact that there are millions of citizens means you have to trust the process. When I go vote and stamp my votes, you need to trust my county’s counters. I find it strange we focus so much on tampering with an individual vote (machine says you voted for X instead of Y) rather than tampering with aggregation
The comments on this have lots of folks focused purely on the software, talking about a lack of paper ballots, etc. So, let me provide some more context that is missing from the post.
For those who don't know the VotingWorks software is both Open Source and their machines create and count paper ballots. You can read about it here: https://www.voting.works/machines
Essentially they have a computer, a ballot marking device, that people can use to mark their ballot. That ballot is printed on paper. Then the paper can be validated visually. Then fed into a machine to scan and count. The paper ballot is preserved and can be later audited.
The ballot marking device has a number of advantage over pre-printed and hand marked ballots:
- American Disabilities Act (ADA) compliant using standard web technologies
- Available in applicable languages without lots of translated papers on hand
- Errors or typos in ballots can be fixed days before election instead of weeks (due to print shop lead times)
- Better UX for complex races where things like ranked choice, choose three, etc with rules which can cause people to mismark and then have their ballots rejected
- Avoids sloppy/incomplete markings that must be interpreted and judged by counters/auditors
The entire system runs offline. It is open source.
They also have separate open source software for running risk limiting audits using the paper ballots: https://www.voting.works/audits
This is an excellent overview & much needed context. I read the (very short) OP but didn't dive into other sections of the website (which is not an initiative I'd previously been aware of).
Probably a difficult task to ensure all readers of all pages on the entire website are fully aware of this context in advance - I'd imagine this kind of averse reaction will continue to be common until these kind of hybrid systems become more widespread (or the interests pushing paperless are comprehensively silenced, which seems less likely).
---
That said, now that I do have full context, I do have two criticisms:
1. Clicking through to the VotingWorks frontpage, the copy still doesn't really highlight in a very obvious manner the paper nature of the system. You really have to analyse the website to figure this detail out.
2. The homepage does contain a section entitled "Faster Election Results" - which I do think flies directly in the face of many criticisms in the HN comments here & I personally believe to be an approach that's incompatible with democratic integrity. Counts should simply not be trying to be fast as a high priority - verifying the automated count by hand is insufficient if it isn't done as a matter of course. Ideally, live, while the count is taking place. The latter is not feasible with an automated system, & the former is a lot more likely to be overlooked if speed is a priority.
We don't just need systems that can be fair, we need systems that incentivize fairness & don't contain perverse incentives - count speed is exactly such an incentive.
I live in The Netherlands. We are a reasonable modern country, where a lot of things are automated, even in governmental organizations. However, voting is still done on paper ballots. And those paper ballots are then counted manually. This has huge benefits. There always is a paper trail. It’s hard to manipulate votes without getting caught. If there’s any doubt about a certain district’s results, the votes can be recounted. This happens regularly.
Why do we need machines? Counting the votes for e.g. the parliament only takes 24 hours or so, generally. And we don’t have elections every week, right?
You should acknowledge the tradeoff: physical presence is the condition.
It might not happen much in the Netherlands, but for instance making it so fewer people reach voting stations is a classic move. That's one of the failure mode avoided by the other means.
Voting ballots straight getting lost/destroyed is another failure mode, and yes it happens more than we want it to.
The sheer time to get the vote counted is also an issue, and we've seen voter sentiment shifting while the vote is still ongoing, with the media reporting directly influencing the outcome.
It could still be the saner tradeoff in the end, but it's misleading to present it as some ideal or inherently reliable solution.
The software doesn't matter that much. If you want to use voting machines, you need to create a paper trail with them that can be audited.
Auditing the software isn't enough if you can't reliably verify that this is actually what's running on the machines, or if the machines weren't otherwise tampered with in some way.
So they open the source ... how do I know that's what's running on the voting machine? There's really no good practical solution to this problem. What matters more is that there is a voter-verified paper audit trail and that this record is actually counted. At least by spot check risk-limiting audits, but ideally just count every vote manually to verify.
> There's really no good practical solution to this problem.
Remote attestation via trusted execution environments is a thing. It is not a theoretical one either. See, for example, Graphene OS's Auditor app[0]. Solving this for voting machines in particular would be a matter of good design, not of solving fundamentally hard problems.
From a process perspective, how can a constituent know with absolute certainty that their vote was counted, every voter in the system was legal, and the final tally was authentic? Especially when there's no way to even audit what you voted for after the fact?
Every time I try to get to the bottom of this, it always boils down to "trust the system" which makes me uneasy.
Not being able to audit what you voted for after the fact is by design. Otherwise, it would make buying votes a viable strategy since you'd be able to show them who you voted for. Yes, taking a picture of the ballot is an option, but you can always ask for another ballot paper after you take the photo. Where I live, you're not even allowed to have a camera out in the same room as a voting booth for this exact reason.
IMO the best solution here is to have electronic counting with an auditable and traceable paper trail as a backup. Every time I've voted for the past 10 years has been like this. First, I get a ballot paper from the front desk and stick it into an airgapped ballot marking machine. I then make my choices and the machine prints them onto the ballot paper. I'm able to read the paper and verify that it matches the choices I made. I then stick it into a separate airgapped ballot counting machine, which scans my ballot and deposits the paper copy into a sealed box. The entire process of setting up the machines, transporting the paper ballots, and reading the results from the machines is cross-checked and signed off on by volunteer poll workers from both parties.
Each polling station should have representatives from multiple parties as well as independent observers.
> how can a constituent know with absolute certainty that their vote was counted
The representative of your party plus independent observer said all votes at your polling station were counted. You know both those community members and know them to be generally honorable. Ergo your vote was counted.
> every voter in the system was legal
None of the observers at the polling station, or the station head claimed any illegal person voted.
> the final tally was authentic
The observers all signed as witnesses on the final tally.
This is not the "system. it is humans you know who are telling you what they saw. If you can't trust other humans at their word, democracy cannot fundamentally work.
I think the sentiment of the OP actually gets to the heart of this (the idea of open-source is transparency, visibility, auditability) but the problem here is it need to be applied to the actual process, not to the process of building tools for the actual process.
It's not that developing voting software should be open-source, its that actual voting should be "open-source" in the physical sense.
Trusting the system is possible if you can (you, yourself) readily observe every part of the system. I don't think giving members of the public access to the server your voting software is hosted on is a very viable idea, but giving members of the public access to paper count centres is (it's done very successfully in many countries).
I would be fine if they had at least the same level of scrutiny as slot machines --- can we turn Citizens United around and argue that since dollars can be used to buy speech which influences votes, voting machine should have the same level of scrutiny/verification/auditing which applies to finance?
There seems to be a news story every year about how someone won a jackpot or other large prize on a slot machine, only for it to be denied because the slot machine was "malfunctioning".
Under appreciated benefit of hand-counting paper ballots: it is an opportunity for participation in your democracy.
I had the privilege of helping count votes in my small town 2012. Volunteers stayed up after voting ended and all of the ballots were double checked - counted by two separate people, working together at a long table. Cheating or manipulation was inconceivable, and there were many layers of double checking.
The beauty of this system is it is infinitely scalable. The more voters there are, the more vote counting volunteers there are. For larger cities you can split up by blocks or per polling place. There should be many polling places to make voting easy and accessible.
It isn’t fast or fancy or glamorous. But communities ignore the power of communal activities at their peril.
I don’t really understand the blind trust in paper in person ballots. Historically and currently, elections are stolen all the time whether paper or not. Off the top of my head some recent ones: election irregularities in Venezuela and the Russian referendums in Crimea.
If people in power want to cheat, they will. Shuffling around the tech isn’t going to do all that much to change things.
That's a non-sequitur. Election manipulation is orders of magnitudes easier with voting machine manipulation and might not even be traceable. With paper ballots, you have to swap thousands of ballots that are handled by thousands of people, corrupt or prohibit independent observers, deal with election commissions and overseers, and so on. You can have recounts. With voting machines, you just have to push a software patch to these machines or manipulate the software that interfaces with them. No recount will help.
Hey there, I'm the founder of VotingWorks, happy to answer questions.
We should have made it clear in that post that our voting system is not just open-source, it's also always paper ballots, mostly filled out by hand, sometimes by ballot-marking devices for voters who need or choose it.
Many good points in the thread about open-source not being enough. Indeed! But open-source is, in my opinion, necessary for public trust. Not sufficient, but necessary.
Reproducible builds – we hope to get there in the not-too-distant future!
Attestation – yes we have that! there's a quick and hardware-TPM-rooted way to check that a VotingWorks paper-ballot tabulator has not been modified since it left the VotingWorks floor. Takes 30 seconds, with a QR code on screen that contains all the attestation data and digital signature, unlocked only on successful secure boot.
Also, the build of the system from source is not done by us, it's done by a third-party testing lab, accredited by the Election Assistance Commission. States that want to can request the installation medium straight from the lab and install it themselves.
And if you want more, I spoke recently at USENIX security about what it takes to build a voting machine everyone can trust. It's a lot more about resiliency engineering than security.
> Public Trust Demands Open-Source Voting Systems (voting.works)
Unless something has changed recently, election integrity demands a voter-verified paper ballot that is retained with security by the authority, and can be physically counted, as a check against compromised or defective digital systems.
Open source is not sufficient. Don't let marketing sound bites be a confusing diversion from the problem.
If the US understands anything this year, it's how important elections are. Hopefully we get another one.
Stop me if you heard it before, but paper ballot with automatic counting machine is the way to go. You still get real time update, and you have a physical ballot box that's constantly under watch of volunteers from multiple parties. And if there's any dispute (there will be disputes) you can simply bring out the boxes and count again.
It's a simple, cost-effective system which is impossible to hack. Electronic voting offers no advantage over this.
Did you look at the link at all? That's what this company sells. They make ballot marking devices that print your vote on a ballot paper, then a separate ballot box that counts the votes by scanning the ballot papers.
This is a solved problem, but for reasons I don't understand it has only been used in a few elections. Do this:
• Use paper ballots that are marked by the voter filling in ovals next to the name of the candidate or proposition they are voting for using a marker supplied by the election officials.
• These paper ballots can be hand counted or counted by simple optical scan machines that are already widely in use in many places.
• By using some clever chemistry in the ink when you print the ballots and in the marker used to mark it you can print a code in each of the ovals that is invisible until the oval is filled in using that special marker.
By using some clever cryptographic techniques to come up with those invisible codes you can make a system with the following properties.
1. After the election all of the cast ballots can be published, allowing anyone to do an independent recount.
2. Any individual voter after the election can, if they noted the code that was on their ballot for a particular candidate, verify that their particular ballot was included in the count and that their vote counted toward the correct candidate.
3. An individual cannot prove to a third party that they voted for a particular candidate.
Throughout most of the non-US parts of the western world voting works quite well using paper ballots and hand counts. Any organization treating voting like a tech problem is willfully oblivious of the existing very good low-tech solutions. I think the intention is often good. But tech is also a new vector for attacking elections, so sometimes it's malicious. And it's very hard to tell the difference, and with elections even the appearance of interference is risky. We should outright reject technical solutions to voting, all it does is add risk.
Something being open source does not mean anyone has even the slightest clue how it is running. People would have to see a read-only view of the active production run-time in trace/debug in real time to have a clue which of course would not be permitted. All code can be live-patched without leaving a trace by custom firmware or a thumb drive in production to conditionally change behavior on the fly to achieve any means or results. All electronic voting equipment can be tinkered with and any news stories about engineers testifying to congress will be erased for fear of reducing confidence in voting systems. Bribed developers take bigger risks for smaller gains all the time such as wireless front-line support selling or changing SIM information in SIM swaps.
Paper trails on the other hand can be verified and secured physically with chain of custody and proper attestation. Paper output can still be designed to be easy scan, verify and re-tabulate. I would like to see the paper trails scanned and uploaded to a centralized block chain so we can see if one of these things is not like the other. I would also like to see higher definition CCTV cameras monitoring the entire voting process and more of those cameras. That should also be uploaded somewhere they can not be tampered with and if a camera goes offline oopsie doopsie it's all hands on deck. Ballot drop-off boxes and mail in votes need to be outlawed and every state needs voter ID.
Why stop at software? Open-source software is a good idea in election systems. The principle could be better generalized as an "open" (copyleft licensed) process for the entire system, regardless of whether the election system is implemented as software or not.
Anyone who talks about election security should be required to spend at least a few moments walking around Defcon in the election machine hacking village. Even absent electronic voting machines we still need to apply that same level of rigor to security across all domains of the election system no matter what format is used.
More fundamentally, the epistemic meaning of a ballot, a vote, or an option on the ballot, how options are even decided for inclusion or their exclusion, which outcome deciding algorithms are used, and how "the result" is interpreted by society or implemented by a political agent is deeply confused. The vote itself has very little resemblance to what actually happens. Such things likely cannot be formally specified anyway. Massive amounts of ambiguity, noise, error rate, and insecurity are to be expected in these kinds of systems. So what then are we even doing with all this? I am not referring to what we say we are achieving, or what we say we are intending to achieve, but rather what kind of actual outcomes be can supported by careful engineering of all these components?
We’ve been using mail ballots for decades, as a voter this system is convenient and afaik hasn’t been seriously challenged.
Your suggestion for its abolition aligns with treasonous players like Vought.
It might be an aside but it would be, "really groovy" if the general public started to realize that, "democracy" is a way of life and a set of considerations that furthers an open public discourse and attempts to maximize human felicity and reduce cruelty. In an oxymoronic sense it's the public voting on things that actually kills real democracy.
No. Democracy is not about reducing cruelty, or any other vaguely activists points of views. It is about having people choose where they want to go. It might be that these choices unveil that humanity, statistically speaking, is actually a cruel bunch. And, what you think is cruel, might be just fair to someone else. Democracy is about surfacing the human nature.
To understand criticism with electronic voting system let's assume the best case: say you make the perfect, mathematically verified voting software. That is perfectly up to date each election. That runs on open yet tampersafe hardware that is as the stickers say never obsolete. That notices any human error and hacking attempt (not that such a thing exists).
Even with that utopian scenario the remaining problem is that the goal of elections is agreeable consent. Mewning the goal isn't just to get a decision. The goal is to get a decision, people can agree with because they trust the process must have been okay. If your vote is low stakes, like where you go for lunch with your collegues, then that trust doesn't matter, who cares if it was wrong? But if it is high stakes even a perfect digital system is problematic, because even intelligent, technological expert voters have no chance of understanding which of the moving parts might influence what in which way in practise.
Meaning a paper ballot with the right process can more or less be understood by everybody who can count and has mastered the cognitive skill of object permanence.
A Rust project with a 30k Cargo.lock file filled with dependencies on an even more complex operating system, running complex (in a different way) hardware, that might differ for each voting location isn't that. And that isn't about the programming language or the tech stack. It is about the intransparent nature of electronic systems themselves.
I spent a three quarters of my life learning programming and electronics including hardware design and I teach that stuff on a university level. Even I would have a hard time ensuring there is really no backdoor in the whole stack. And this fact means even if there is no backdoor in it, there might be and there is no realistic way for a normal person to check. I understand the nerd appeal. It is cool to toy around and figure that problem out. But the core of the problem is not technological it is sociological.
That is such a big flaw that IMO it is not worth it for high stakes elections.
Complaining about electronic voting (absolutely valid and reasonable take btw) while living in the country with first past the post election system, is like complaining about bad wall insulation in a house which is on fire. Yes, insulation is a actual valid problem. But maybe not a Priority 1 at that particular moment.
In first past the post system, between 1% to 49% of votes are stolen and tossed by design. This actually, not hypothetically happens, in real life. Electronic voting maybe can be abused, and maybe some significant number votes may be defrauded. But in FPTP it has actually happened already and at a much worse scale. Imo the real high priority issue is obvious.
My preference (I think) is we have a federal holiday "America Day", (call it Trump day for all I care) where we celebrate, hand out cookies, friends and family get together, etc. and we all vote in person.
One of the weaknesses in our democracy is the insistency of doing things virtually - it's the same weakness exposed by social media.
Electronic systems are always going to be subject to hacking and manipulation, and are more easy to hack and manipulate at a large scale (scaling is the point of software). In-person voting is still subject to manipulation, but you can just go back and look at the ballots on paper as they are. You get more targeted manipulation, but it's probably easier for a single person to uncover and reason about.
National mandatory holiday for voting would eliminate soo many issues and concerns. It really should be a must in every country, at least for the biggest elections. Inbefore "lazy urupeons are wrong, no holidays is the only true way!!!" there are 11 federal holidays in the USA, same as in many European countries, and the sky didn't fall down because of that. Adding 0.20-0.25 holiday per year won't return a country to dark ages or anything.
I agree with paper ballots, completely. But requiring voting to be in-person: how do you deal with citizens who are homebound, traveling, or working? Not literally everyone can get the day off--even if you suggest "shifts", there will be some people who won't be able to, whether because the hospital is understaffed and people will literally die, or because they don't have the resources to get to the voting hall on their lunch break.
As the CCC has stressed almost 20 years ago already, "public trust" demoands pure analog, no software at all, voting. Whenever someone comes back and tries to introduce some sort of voting machines, they are trying to fool you. Never EVER trust an electronic voting machine, no matter WHO is trying to sell it to you.
I've been saying it for years. We are more than capable of creating an official USA app that every American can download, test their knowledge on a topic, and vote. If X.com can implement polling, why can't the US Gov? In my opinion, they want to portray the illusion of democracy, not actually implement it.
There are many Americans that can't or won't download a "USA app". Owning a smartphone must not be a requirement for participating in democracy.
And if all you want is political polling, every elected representative does this already (well, they generally pay someone else to do it). So I'm not sure what it would mean for the US gov to do it separately. Do you imagine that a "non-partisan agency" like the CBO would do it with taxpayer dollars, as a publi service for the politicians who would still vote however they do?
Only the deployed hardware matters. Or only the person reading the result of the machine matters. Or only the USB key which is transferring the results matters. Or…
Once you start with non-transparent mechanisms, there is no end to it.
I think, that there is only one way to make voting machines to be trustworthy. If anyone can run ballots through their own machine to verify results, AND there will be multiple parties doing exactly this, then you can trust the outcome.
But still it is not a way to fight a political party that will use dummy machine that counts each ballot as a vote for them, and then accusing all others that they are trying to steal the elections. It is an unbelievable stupid tactic, but I think it may work in USA, judging by people eager to believe any BS if it supports their party.
we need a system that's based on paper. the machine can be digital, but, for instance, the vote needs to be written on a "roll of cash register paper".
The voter needs to be able to see their vote on the paper.
Reading the rolls needs to be done by machines, but by several different machines reading the same rolls. So we can verify.
Software is not the problem. The medium of persistence is.
The technology forum that despises technology, what a world. We should be expanding voting access, not taking it back to the 19th century. Vote with whatever means you have: wanna show up physically and hand-write your ballot, great!, wanna mail it in, go for it!, wanna vote via website or app, have fun!
Who gives a shit man, it's not going to be the end of the world or even substantially change things no matter what methods we choose. You might as well choose the ones that make things easier on people. Crazy that the world wide information network that we've built and defines our current age in history is treated like some horrible evil. It's not, it will be fine. But with vote by website now every home, school, and library in the country becomes a polling place.
There is no amount of transparency that will achieve the mythical "public trust" that's being envisioned. Our current voting system is all paper right now, actual voting fraud—meaning literal ballot stuffing is nonexistent and still people buy into conspiracy theories. Voting manipulation happens in broad daylight at the systems level and is done by carefully restricting access. Expand access and the problem vanishes.
It's frustrating, honestly. Everyday we trust some tech with our lives, but voting? It's unacceptable. Oh, you can have this cryptocurrency that you can use to buy things without the government or anyone else getting to spy on you! But voting should be only with paper and pen because you can not trust machines!!!
Yes, and it's incredible how many problems are solved by hand-counted paper ballots. I get that it's a big task, that it takes time (and some US administrations seem to despise not knowing election results the night of the election), and that it's very tempting to automate, but the basic formula of 1) everyone gets a paper ballot; 2) the ballots are collected at a polling station; 3) the ballots are counted by hand is much harder to corrupt. Maybe build the fancy stuff on top of the paper ballot, like serialized ballots to prevent duplication or timed locks on ballot boxes to prevent tampering, but for the love of Democracy, keep it simple!
These kinds of comments always annoy me a bit. It's 2025. 155,238,302 people voted in the most recent US presidential election. It is entirely silly that we expect people to manually count that many ballots in this day and age. And count them without errors! (And yes, we can make those paper ballots machine-readable, but you still need software to count them.)
Yes, I know: before computers and other mechanical systems, people had to count ballots by hand. There were many fewer people voting then, and regardless, that's not really the point: they counted by hand because they had no alternative.
Electronic voting certainly brings new problems into the mix. I don't think those problems are insurmountable. The problem isn't the technology itself. It's the legal and social landscape around voting technology. Open source, with reproducible builds and a method to verify that the code running on a machine was built from a particular version of source, is a start. Verification of that software's functionality, on par with the verification done of critical software (medical devices, things that go into space, slot machines, etc.) would be another good move.
Voters can also receive paper receipts, and I'm sure we can come up with some sort of scheme to take a representative sample of the electronically-recorded votes and validate them against the paper receipts, while maintaining voter privacy.
Here in Germany every single vote is on paper and is counted publicly, where any citizen has the right to observe the counting process. There is a list of all people eligible to vote at a certain voting location, where all voters are crossed out when they come to vote. While errors of course happen, I have absolutely no doubt that the results are free from intentional interference and that the only people voting are those who are eligible to vote.
The idea that my vote is digitally recorded seems absurd. And I do believe that the consistent distrust of Americans in the integrity of their elections is caused by the design of the voting system. There just seem to be so many completely unaddressed flaws. Open sourcing only addresses some part of the flaws and I do not think that electronic voting should ever be trusted.
Trust in a democracy starts with trust in elections, which I do not think can be reasonably provided by electronic voting mechanisms.
Some of the comments here seem to be associating electronic voting with these electronic voting systems. The systems described by this project all have paper ballots and audit trails, they're electronic assistants in running a paper ballot election.
I've only worked a couple elections in a single US county, so I don't claim to be an expert. But the projects described by the company align with each of the devices we use in elections today. Using their software would be the equivalent of moving from MS Office to LibreOffice for operating the government. It won't solve everything, could have bugs, but there are some significant long term advantages, like not depending on a company that could go out of business for security patches.
The first device voters encounter is people working the electronic poll books. We still have a paper backup available, but prefer the electronic versions. First, they can scan the barcode on the drivers license for a quick check-in (usually). When person shows up at the wrong location, we immediately know without spending a couple minutes looking through the paper list. We can even tell them where their voting location is rather than "you're not on the list, we don't know why". When someone needs to vote from their car, we can take a poll book with us and check them in curbside, no extra back and forth. And anyone can check-in at any poll book, rather than splitting the list up by last name. If there is ever a hack of the poll book, changing the list of voters, that could have also been done with the paper backup, and that's why there's a provisional voting process.
After that, over 99% of voters get a paper ballot. They mark their oval with a pen, and take it over to the scanner. This is where the security happens. There's a paper audit of the vote, and the vote is anonymous, your name is not on the ballot.
Less than 1% of the voters ask to use a ballot marking device. They are there for ADA requirements, allowing people that have difficulty marking a ballot by hand to vote. They have headphones to read the choices if needed for the blind. When finished, their choices are printed on their paper ballot, human readable and verifiable, and taken to the same scanner used by other voters. Most people don't even realize ballot marking devices exist, I didn't before I started working the election, and I've yet to see anyone request to use it.
The next step is where people get suspicious. The paper ballots are run through a scanner at the precinct, by the voter. These are monitored by an election worker to ensure the voter scans their ballot, but we stand so we can't see the ballot choices for voter privacy/secret ballots. These machines output a tally in multiple forms at the end of the election, including multiple paper copies and USB drives. The various copies get split up and separately delivered, each by a team of workers, for both redundancy and to ensure no one person is ever alone with the results.
A very important process happening throughout the day is counting the votes. The number of voters that register in the poll books is compared with the number of ballots given out (when ballots are unwrapped, they are counted, and what remains at the end of the day is counted again), and also the number that went through the scanner. Things get complicated (I assume reports are made after an extensive search is done) if we are ever off by one ballot in those counts.
The common fear that someone could stuff the ballot box, even by an insider, doesn't match my experience. In addition to the counts above, multiple workers, from multiple parties, are assigned to each precinct. We don't leave the ballots at any stage unattended at any time.
At the end of the day, the tallied ballots are sealed in a box. All equipment is locked back up. And lots of items (tallies, USB disks, sealed ballot boxes, provisional ballots, etc) are returned by a team of people that night to the county government building. From there, initial counts are released and then the election needs to get certified. That's where my personal experience ends.
The certification process includes deciding which provisional ballots to accept, and then counting them. But it also includes audits of the equipment. And those audits are supposed to take some boxes of ballots from select precincts and run them through a different a scanner to verify the tally is the same. The precinct scanners are also audited before we receive them, which is visible because a permanent count is tracked on the machine that's never zero for us, even when it's a new machine that's never been used in a previous year's election. In addition to all those electronic counts on different equipment, some percentage of ballots is likely hand counted. This certification process all happens over the course of days, if not weeks, but the initial count is usually out in a few hours when a first team of workers brings back one of the two USB disks (along with other items).
There are ways to hack an election, but these electronic machines are at the bottom of my list. Someone would have to alter the counts from the scanners without adding or removing votes, in a way that doesn't get caught in an electronic or hand audit in the future on independent equipment, and doesn't get detected in an audit of the machine before it is placed in service. And the whole process is constantly watched by workers from more than one party affiliation.
Instead, if you wanted to hack the election, you'd first become a billionaire, and buy all the media companies to ensure the population only sees one opinion. Then you'd gerrymander the election districts so most elections aren't really contested. And in locations where it might be close, you fill it with ads and social media misinformation so that voters don't know what to believe and they follow the loudest voices that repeated the most. Not only is that a lot more likely to work, but there's no chance of any consequences if you get caught since it's not illegal.
The US has the worst voting system intentionally, not accidentally. And mail-in voting shows we aren't even a little serious about election integrity. We're militantly against it: you can get people to rabidly support universal IDs for trivial, nonsensical reasons that have never resulted in significant problems; and to demand digital IDs, device attestation, and real names on social media; but to the same people showing IDs to vote is supposed to be the end of democracy.
People have made this proposal every year since the 90s, and depending on the year it was the Republicans rabidly opposing it or the Democrats rabidly opposing it. Good luck getting things accomplished with a good argument. That's not how things get done. The people who get the final say about this would love to get rid of voting altogether, but they'll settle for vendor kickbacks.
The US doesn’t have a national ID system, so your proposal doesn’t make sense. The closest thing is social security cards but those are not photo IDs.
A signed affidavit or local ID should be fine to establish identity. That can be done when signing up for mail in voting (although I personally prefer in person).
Voter fraud is extremely rare under the current system.
teddyh|4 months ago
• Why Electronic Voting is a BAD Idea <https://www.youtube.com/watch?v=w3_0x6oaDmI>
• Why Electronic Voting Is Still A Bad Idea <https://www.youtube.com/watch?v=LkH2r-sNjQs>
bogwog|4 months ago
ncr100|4 months ago
throwaway48476|4 months ago
unknown|4 months ago
[deleted]
oceansky|4 months ago
standardUser|4 months ago
vandyswa|4 months ago
didibus|4 months ago
jnxx|4 months ago
Here in Germany, the Pirate Party has discussed the topic at length, since they (1) love voting innovations, and (2) have generally good knowledge on CS stuff, and so far I think no real solution is known for anonymous, confidential, secure digital voting with verifiable results, which is easy to reach with paper ballots and public observers of the counting.
estimator7292|4 months ago
The cost of human labor to count all ballots by hand will be enormous. Probably worth it I suppose, but this really is something that should be primarily automated. But again, trust in software. Sigh, why can't we just have nice things?
nostrademons|4 months ago
I live in California, where the voting method is vote-by-mail and you sign your ballot. That breaks anonymity right there, plus there's a barcode that matches address and ballot for traceability, so in theory anyone involved in the election process could look at my ballot, cross-reference against address, and figure out how I voted. In practice I've never heard of anyone being pressured or confronted based on how they voted, so my default assumption is this doesn't happen much or at all.
But even broader, in the U.S. your party registration is public information. That's why whenever there's a political shooting, the media always says "He was a registered Republican" or "registered Democrat" or "was not registered to vote". And this mechanism is actively and publicly being exploited to alter elections. Since the U.S. is a two-party system and party membership is public, you have a fairly good idea how each precinct is going to vote before they vote, and can gerrymander maps to get the outcomes you want.
Plenty of trust issues in physical ballot transfer as well. California is vote-by-mail, but that assumes the postal service is a reliable carrier, while there was just a recent news story [1] about ballots being stolen. Before I lived in California, I was in Massachusetts, where we voted on 1930s-era lever voting machines where you hit a lever down and it marks a paper ballot without you ever seeing the real ballot. Between elections, these were stored backstage at the local middle school, so a mechanically-inclined middle schooler with knowledge of how an upcoming election's ballots would be formatted (and we did mock elections in middle school) could have rigged the machines to deliver the local precinct to their preferred candidate.
The useful points in the video were basically that decentralization and redundancy are what make physical elections hard to rig: you have to hack multiple locations to influence the overall election, and at each point you have multiple eyes watching you. He sets up the contrast with software voting, where you have the same software running on each machine, and even if the software is open-source, you can't be sure that the rest of the stack it's running on is secure (an oblique reference to the Ken Thompson Hack [2]).
But decentralization and redundancy are properties that you can introduce into software systems just as easily as real-wold systems. The KTH can be countered through Diverse Double-Compiling, for example [3]. zkStarks and digital signatures give you ability to prove that you authored something without revealing what that something is or who you are. The importance of client diversity for the security of the network as a whole has been well-known in the filesharing and crypto worlds. And anyone who has worked in Big Tech, aviation, or telecom could tell you that having multiple paths to success that are developed by independent teams is important for any computer system that is in a safety- or reliability-critical area.
[1] https://www.almanacnews.com/election/2025/10/14/ballots-stol...
[2] https://aeb.win.tue.nl/linux/hh/thompson/trust.html
[3] https://dwheeler.com/trusting-trust/
shadowgovt|4 months ago
Humans are actually quite bad at hand-tallying hundreds of millions of datapoints. Our eyes go glassy but we press on anyway.
Machines are very good at doing that kind of tedious labor accurately.
Whether human beings will put more trust in a system that we know will be wrong, but it's wrong for comfortable meat reasons, over a system that might be compromised but will be more accurate its more of a psychology question than a technical question though.
mariusor|4 months ago
Every problem Tom mentions can be worked on and overcome. Maybe not today, maybe not by the next big election, but we should still start now, rather than later. We need to do everything possible to increase participation in the democratic process, especially for the demographics that are currently not very involved, which are also the demographics that are more likely to adopt electronic methods of voting.
thadt|4 months ago
* Opens Cargo.lock [1] and pnpm-lock.yaml [2]
* Closes Cargo.lock and pnpm-lock.yaml
* Goes to find a Tylenol
At least with open source we can see the sausage getting made...
[1] https://github.com/votingworks/vxsuite/blob/main/Cargo.lock
[2] https://github.com/votingworks/vxsuite/blob/main/pnpm-lock.y...
aydyn|4 months ago
bogwog|4 months ago
stego-tech|4 months ago
unknown|4 months ago
[deleted]
NekkoDroid|4 months ago
Watch out that you don't catch the autism :) /s
> [1] https://github.com/votingworks/vxsuite/blob/main/Cargo.lock
> [2] https://github.com/votingworks/vxsuite/blob/main/pnpm-lock.y...
These files are actually cursed and I want all drives that contain their data destroyed with acid. But I have a slight feeling other voting software isn't really any better, even though in theory it should be relatively simple software in the grand scheme of things.
okanat|4 months ago
This means anything more complex than a pen or a stamp on an approved paper is too complex.
lucideer|4 months ago
It's 100% paper PRSTV & so the counts are slow. Not only is this generally OK (because getting a rapid result is absolutely not a requirement of any well-functioning voting system) but it also has actual benefits.
The main benefit is predicated on the count being engaging in and of itself. Other countries put a lot of effort into jazzing up statistical presentations on constituency predictions, cloropleths aplenty, to engage viewers. In Ireland, count centres are not only manned by trained count staff, they're also flooded with volunteer tallymen who verify the counting in realtime. Count coverage is on the ground, showing a real physical process that's intricate enough to be watchable. The entire process also serves as an education-through-doing in how our voting system works, so you get a more engaged & informed electorate (when it comes to the mechanics of voting - still unfortunately not that informed on policy, that's a worldwide problem).
bkummel|4 months ago
matthewfcarlson|4 months ago
oivey|4 months ago
elevation|4 months ago
supportengineer|4 months ago
philips|4 months ago
For those who don't know the VotingWorks software is both Open Source and their machines create and count paper ballots. You can read about it here: https://www.voting.works/machines
Essentially they have a computer, a ballot marking device, that people can use to mark their ballot. That ballot is printed on paper. Then the paper can be validated visually. Then fed into a machine to scan and count. The paper ballot is preserved and can be later audited.
The ballot marking device has a number of advantage over pre-printed and hand marked ballots:
- American Disabilities Act (ADA) compliant using standard web technologies
- Available in applicable languages without lots of translated papers on hand
- Errors or typos in ballots can be fixed days before election instead of weeks (due to print shop lead times)
- Better UX for complex races where things like ranked choice, choose three, etc with rules which can cause people to mismark and then have their ballots rejected
- Avoids sloppy/incomplete markings that must be interpreted and judged by counters/auditors
The entire system runs offline. It is open source.
They also have separate open source software for running risk limiting audits using the paper ballots: https://www.voting.works/audits
Disclosure: I am a donor to VotingWorks.
lucideer|4 months ago
Probably a difficult task to ensure all readers of all pages on the entire website are fully aware of this context in advance - I'd imagine this kind of averse reaction will continue to be common until these kind of hybrid systems become more widespread (or the interests pushing paperless are comprehensively silenced, which seems less likely).
---
That said, now that I do have full context, I do have two criticisms:
1. Clicking through to the VotingWorks frontpage, the copy still doesn't really highlight in a very obvious manner the paper nature of the system. You really have to analyse the website to figure this detail out.
2. The homepage does contain a section entitled "Faster Election Results" - which I do think flies directly in the face of many criticisms in the HN comments here & I personally believe to be an approach that's incompatible with democratic integrity. Counts should simply not be trying to be fast as a high priority - verifying the automated count by hand is insufficient if it isn't done as a matter of course. Ideally, live, while the count is taking place. The latter is not feasible with an automated system, & the former is a lot more likely to be overlooked if speed is a priority.
We don't just need systems that can be fair, we need systems that incentivize fairness & don't contain perverse incentives - count speed is exactly such an incentive.
bkummel|4 months ago
Why do we need machines? Counting the votes for e.g. the parliament only takes 24 hours or so, generally. And we don’t have elections every week, right?
makeitdouble|4 months ago
It might not happen much in the Netherlands, but for instance making it so fewer people reach voting stations is a classic move. That's one of the failure mode avoided by the other means.
Voting ballots straight getting lost/destroyed is another failure mode, and yes it happens more than we want it to.
The sheer time to get the vote counted is also an issue, and we've seen voter sentiment shifting while the vote is still ongoing, with the media reporting directly influencing the outcome.
It could still be the saner tradeoff in the end, but it's misleading to present it as some ideal or inherently reliable solution.
fabian2k|4 months ago
Auditing the software isn't enough if you can't reliably verify that this is actually what's running on the machines, or if the machines weren't otherwise tampered with in some way.
bluGill|4 months ago
Note that ananymous is also a required part of voting.
bkummel|4 months ago
colmmacc|4 months ago
lewiscollard|4 months ago
Remote attestation via trusted execution environments is a thing. It is not a theoretical one either. See, for example, Graphene OS's Auditor app[0]. Solving this for voting machines in particular would be a matter of good design, not of solving fundamentally hard problems.
[0] https://attestation.app/
Areibman|4 months ago
Every time I try to get to the bottom of this, it always boils down to "trust the system" which makes me uneasy.
ndiddy|4 months ago
IMO the best solution here is to have electronic counting with an auditable and traceable paper trail as a backup. Every time I've voted for the past 10 years has been like this. First, I get a ballot paper from the front desk and stick it into an airgapped ballot marking machine. I then make my choices and the machine prints them onto the ballot paper. I'm able to read the paper and verify that it matches the choices I made. I then stick it into a separate airgapped ballot counting machine, which scans my ballot and deposits the paper copy into a sealed box. The entire process of setting up the machines, transporting the paper ballots, and reading the results from the machines is cross-checked and signed off on by volunteer poll workers from both parties.
abdullahkhalids|4 months ago
> how can a constituent know with absolute certainty that their vote was counted
The representative of your party plus independent observer said all votes at your polling station were counted. You know both those community members and know them to be generally honorable. Ergo your vote was counted.
> every voter in the system was legal
None of the observers at the polling station, or the station head claimed any illegal person voted.
> the final tally was authentic
The observers all signed as witnesses on the final tally.
This is not the "system. it is humans you know who are telling you what they saw. If you can't trust other humans at their word, democracy cannot fundamentally work.
lucideer|4 months ago
It's not that developing voting software should be open-source, its that actual voting should be "open-source" in the physical sense.
Trusting the system is possible if you can (you, yourself) readily observe every part of the system. I don't think giving members of the public access to the server your voting software is hosted on is a very viable idea, but giving members of the public access to paper count centres is (it's done very successfully in many countries).
oceansky|4 months ago
WillAdams|4 months ago
RandomBacon|4 months ago
Eddy_Viscosity2|4 months ago
n8cpdx|4 months ago
I had the privilege of helping count votes in my small town 2012. Volunteers stayed up after voting ended and all of the ballots were double checked - counted by two separate people, working together at a long table. Cheating or manipulation was inconceivable, and there were many layers of double checking.
The beauty of this system is it is infinitely scalable. The more voters there are, the more vote counting volunteers there are. For larger cities you can split up by blocks or per polling place. There should be many polling places to make voting easy and accessible.
It isn’t fast or fancy or glamorous. But communities ignore the power of communal activities at their peril.
oivey|4 months ago
If people in power want to cheat, they will. Shuffling around the tech isn’t going to do all that much to change things.
jonathanstrange|4 months ago
benadida|4 months ago
We should have made it clear in that post that our voting system is not just open-source, it's also always paper ballots, mostly filled out by hand, sometimes by ballot-marking devices for voters who need or choose it.
Many good points in the thread about open-source not being enough. Indeed! But open-source is, in my opinion, necessary for public trust. Not sufficient, but necessary.
Reproducible builds – we hope to get there in the not-too-distant future!
Attestation – yes we have that! there's a quick and hardware-TPM-rooted way to check that a VotingWorks paper-ballot tabulator has not been modified since it left the VotingWorks floor. Takes 30 seconds, with a QR code on screen that contains all the attestation data and digital signature, unlocked only on successful secure boot.
Also, the build of the system from source is not done by us, it's done by a third-party testing lab, accredited by the Election Assistance Commission. States that want to can request the installation medium straight from the lab and install it themselves.
And if you want more, I spoke recently at USENIX security about what it takes to build a voting machine everyone can trust. It's a lot more about resiliency engineering than security.
https://www.usenix.org/conference/usenixsecurity25/presentat...
neilv|4 months ago
Unless something has changed recently, election integrity demands a voter-verified paper ballot that is retained with security by the authority, and can be physically counted, as a check against compromised or defective digital systems.
Open source is not sufficient. Don't let marketing sound bites be a confusing diversion from the problem.
If the US understands anything this year, it's how important elections are. Hopefully we get another one.
yongjik|4 months ago
It's a simple, cost-effective system which is impossible to hack. Electronic voting offers no advantage over this.
ndiddy|4 months ago
philips|4 months ago
tzs|4 months ago
• Use paper ballots that are marked by the voter filling in ovals next to the name of the candidate or proposition they are voting for using a marker supplied by the election officials.
• These paper ballots can be hand counted or counted by simple optical scan machines that are already widely in use in many places.
• By using some clever chemistry in the ink when you print the ballots and in the marker used to mark it you can print a code in each of the ovals that is invisible until the oval is filled in using that special marker.
By using some clever cryptographic techniques to come up with those invisible codes you can make a system with the following properties.
1. After the election all of the cast ballots can be published, allowing anyone to do an independent recount.
2. Any individual voter after the election can, if they noted the code that was on their ballot for a particular candidate, verify that their particular ballot was included in the count and that their vote counted toward the correct candidate.
3. An individual cannot prove to a third party that they voted for a particular candidate.
Here is a paper on such a system: https://eprint.iacr.org/2010/502.pdf
Wikipedia article on it: https://en.wikipedia.org/wiki/Scantegrity
Here is a paper showing how it satisfies item #3: https://eprint.iacr.org/2010/502
jdoliner|4 months ago
Bender|4 months ago
Paper trails on the other hand can be verified and secured physically with chain of custody and proper attestation. Paper output can still be designed to be easy scan, verify and re-tabulate. I would like to see the paper trails scanned and uploaded to a centralized block chain so we can see if one of these things is not like the other. I would also like to see higher definition CCTV cameras monitoring the entire voting process and more of those cameras. That should also be uploaded somewhere they can not be tampered with and if a camera goes offline oopsie doopsie it's all hands on deck. Ballot drop-off boxes and mail in votes need to be outlawed and every state needs voter ID.
kanzure|4 months ago
Anyone who talks about election security should be required to spend at least a few moments walking around Defcon in the election machine hacking village. Even absent electronic voting machines we still need to apply that same level of rigor to security across all domains of the election system no matter what format is used.
More fundamentally, the epistemic meaning of a ballot, a vote, or an option on the ballot, how options are even decided for inclusion or their exclusion, which outcome deciding algorithms are used, and how "the result" is interpreted by society or implemented by a political agent is deeply confused. The vote itself has very little resemblance to what actually happens. Such things likely cannot be formally specified anyway. Massive amounts of ambiguity, noise, error rate, and insecurity are to be expected in these kinds of systems. So what then are we even doing with all this? I am not referring to what we say we are achieving, or what we say we are intending to achieve, but rather what kind of actual outcomes be can supported by careful engineering of all these components?
Blockchain is no solution here. See:
"Going from bad to worse: from Internet voting to blockchain voting" https://www.dci.mit.edu/s/VotingPaper-RivestNarulaSunoo-3.pd...
jcarrano|4 months ago
horacemorace|4 months ago
fzeroracer|4 months ago
There is fundamentally no difference between a mail-in ballot and a ballot you drop at an arbitrary box somewhere.
Yizahi|4 months ago
kiitos|4 months ago
how then should voters who are not physically present in their voting district cast their votes?
AfterHIA|4 months ago
https://sites.pitt.edu/~rbrandom/Courses/Antirepresentationa...
https://en.wikipedia.org/wiki/A_Theory_of_Justice
lynx97|4 months ago
atoav|4 months ago
Even with that utopian scenario the remaining problem is that the goal of elections is agreeable consent. Mewning the goal isn't just to get a decision. The goal is to get a decision, people can agree with because they trust the process must have been okay. If your vote is low stakes, like where you go for lunch with your collegues, then that trust doesn't matter, who cares if it was wrong? But if it is high stakes even a perfect digital system is problematic, because even intelligent, technological expert voters have no chance of understanding which of the moving parts might influence what in which way in practise.
Meaning a paper ballot with the right process can more or less be understood by everybody who can count and has mastered the cognitive skill of object permanence.
A Rust project with a 30k Cargo.lock file filled with dependencies on an even more complex operating system, running complex (in a different way) hardware, that might differ for each voting location isn't that. And that isn't about the programming language or the tech stack. It is about the intransparent nature of electronic systems themselves.
I spent a three quarters of my life learning programming and electronics including hardware design and I teach that stuff on a university level. Even I would have a hard time ensuring there is really no backdoor in the whole stack. And this fact means even if there is no backdoor in it, there might be and there is no realistic way for a normal person to check. I understand the nerd appeal. It is cool to toy around and figure that problem out. But the core of the problem is not technological it is sociological.
That is such a big flaw that IMO it is not worth it for high stakes elections.
Yizahi|4 months ago
In first past the post system, between 1% to 49% of votes are stolen and tossed by design. This actually, not hypothetically happens, in real life. Electronic voting maybe can be abused, and maybe some significant number votes may be defrauded. But in FPTP it has actually happened already and at a much worse scale. Imo the real high priority issue is obvious.
unknown|4 months ago
[deleted]
ericmay|4 months ago
One of the weaknesses in our democracy is the insistency of doing things virtually - it's the same weakness exposed by social media.
Electronic systems are always going to be subject to hacking and manipulation, and are more easy to hack and manipulate at a large scale (scaling is the point of software). In-person voting is still subject to manipulation, but you can just go back and look at the ballots on paper as they are. You get more targeted manipulation, but it's probably easier for a single person to uncover and reason about.
Yizahi|4 months ago
saulpw|4 months ago
lynx97|4 months ago
ether3ric|4 months ago
saulpw|4 months ago
And if all you want is political polling, every elected representative does this already (well, they generally pay someone else to do it). So I'm not sure what it would mean for the US gov to do it separately. Do you imagine that a "non-partisan agency" like the CBO would do it with taxpayer dollars, as a publi service for the politicians who would still vote however they do?
nbngeorcjhe|4 months ago
adverbly|4 months ago
luxuryballs|4 months ago
teddyh|4 months ago
Once you start with non-transparent mechanisms, there is no end to it.
ordu|4 months ago
But still it is not a way to fight a political party that will use dummy machine that counts each ballot as a vote for them, and then accusing all others that they are trying to steal the elections. It is an unbelievable stupid tactic, but I think it may work in USA, judging by people eager to believe any BS if it supports their party.
cies|4 months ago
The voter needs to be able to see their vote on the paper.
Reading the rolls needs to be done by machines, but by several different machines reading the same rolls. So we can verify.
Software is not the problem. The medium of persistence is.
ori_b|4 months ago
If the goal is public trust, open source isn't helpful for the general public.
cyberge99|4 months ago
Spivak|4 months ago
Who gives a shit man, it's not going to be the end of the world or even substantially change things no matter what methods we choose. You might as well choose the ones that make things easier on people. Crazy that the world wide information network that we've built and defines our current age in history is treated like some horrible evil. It's not, it will be fine. But with vote by website now every home, school, and library in the country becomes a polling place.
There is no amount of transparency that will achieve the mythical "public trust" that's being envisioned. Our current voting system is all paper right now, actual voting fraud—meaning literal ballot stuffing is nonexistent and still people buy into conspiracy theories. Voting manipulation happens in broad daylight at the systems level and is done by carefully restricting access. Expand access and the problem vanishes.
tuesdaynight|4 months ago
yachad|4 months ago
AndyMcConachie|4 months ago
astroflection|4 months ago
brendoelfrendo|4 months ago
kelnos|4 months ago
Yes, I know: before computers and other mechanical systems, people had to count ballots by hand. There were many fewer people voting then, and regardless, that's not really the point: they counted by hand because they had no alternative.
Electronic voting certainly brings new problems into the mix. I don't think those problems are insurmountable. The problem isn't the technology itself. It's the legal and social landscape around voting technology. Open source, with reproducible builds and a method to verify that the code running on a machine was built from a particular version of source, is a start. Verification of that software's functionality, on par with the verification done of critical software (medical devices, things that go into space, slot machines, etc.) would be another good move.
Voters can also receive paper receipts, and I'm sure we can come up with some sort of scheme to take a representative sample of the electronically-recorded votes and validate them against the paper receipts, while maintaining voter privacy.
kawfey|4 months ago
RajT88|4 months ago
https://xkcd.com/2030/
constantcrying|4 months ago
Here in Germany every single vote is on paper and is counted publicly, where any citizen has the right to observe the counting process. There is a list of all people eligible to vote at a certain voting location, where all voters are crossed out when they come to vote. While errors of course happen, I have absolutely no doubt that the results are free from intentional interference and that the only people voting are those who are eligible to vote.
The idea that my vote is digitally recorded seems absurd. And I do believe that the consistent distrust of Americans in the integrity of their elections is caused by the design of the voting system. There just seem to be so many completely unaddressed flaws. Open sourcing only addresses some part of the flaws and I do not think that electronic voting should ever be trusted.
Trust in a democracy starts with trust in elections, which I do not think can be reasonably provided by electronic voting mechanisms.
bmitch3020|4 months ago
I've only worked a couple elections in a single US county, so I don't claim to be an expert. But the projects described by the company align with each of the devices we use in elections today. Using their software would be the equivalent of moving from MS Office to LibreOffice for operating the government. It won't solve everything, could have bugs, but there are some significant long term advantages, like not depending on a company that could go out of business for security patches.
The first device voters encounter is people working the electronic poll books. We still have a paper backup available, but prefer the electronic versions. First, they can scan the barcode on the drivers license for a quick check-in (usually). When person shows up at the wrong location, we immediately know without spending a couple minutes looking through the paper list. We can even tell them where their voting location is rather than "you're not on the list, we don't know why". When someone needs to vote from their car, we can take a poll book with us and check them in curbside, no extra back and forth. And anyone can check-in at any poll book, rather than splitting the list up by last name. If there is ever a hack of the poll book, changing the list of voters, that could have also been done with the paper backup, and that's why there's a provisional voting process.
After that, over 99% of voters get a paper ballot. They mark their oval with a pen, and take it over to the scanner. This is where the security happens. There's a paper audit of the vote, and the vote is anonymous, your name is not on the ballot.
Less than 1% of the voters ask to use a ballot marking device. They are there for ADA requirements, allowing people that have difficulty marking a ballot by hand to vote. They have headphones to read the choices if needed for the blind. When finished, their choices are printed on their paper ballot, human readable and verifiable, and taken to the same scanner used by other voters. Most people don't even realize ballot marking devices exist, I didn't before I started working the election, and I've yet to see anyone request to use it.
The next step is where people get suspicious. The paper ballots are run through a scanner at the precinct, by the voter. These are monitored by an election worker to ensure the voter scans their ballot, but we stand so we can't see the ballot choices for voter privacy/secret ballots. These machines output a tally in multiple forms at the end of the election, including multiple paper copies and USB drives. The various copies get split up and separately delivered, each by a team of workers, for both redundancy and to ensure no one person is ever alone with the results.
A very important process happening throughout the day is counting the votes. The number of voters that register in the poll books is compared with the number of ballots given out (when ballots are unwrapped, they are counted, and what remains at the end of the day is counted again), and also the number that went through the scanner. Things get complicated (I assume reports are made after an extensive search is done) if we are ever off by one ballot in those counts.
The common fear that someone could stuff the ballot box, even by an insider, doesn't match my experience. In addition to the counts above, multiple workers, from multiple parties, are assigned to each precinct. We don't leave the ballots at any stage unattended at any time.
At the end of the day, the tallied ballots are sealed in a box. All equipment is locked back up. And lots of items (tallies, USB disks, sealed ballot boxes, provisional ballots, etc) are returned by a team of people that night to the county government building. From there, initial counts are released and then the election needs to get certified. That's where my personal experience ends.
The certification process includes deciding which provisional ballots to accept, and then counting them. But it also includes audits of the equipment. And those audits are supposed to take some boxes of ballots from select precincts and run them through a different a scanner to verify the tally is the same. The precinct scanners are also audited before we receive them, which is visible because a permanent count is tracked on the machine that's never zero for us, even when it's a new machine that's never been used in a previous year's election. In addition to all those electronic counts on different equipment, some percentage of ballots is likely hand counted. This certification process all happens over the course of days, if not weeks, but the initial count is usually out in a few hours when a first team of workers brings back one of the two USB disks (along with other items).
There are ways to hack an election, but these electronic machines are at the bottom of my list. Someone would have to alter the counts from the scanners without adding or removing votes, in a way that doesn't get caught in an electronic or hand audit in the future on independent equipment, and doesn't get detected in an audit of the machine before it is placed in service. And the whole process is constantly watched by workers from more than one party affiliation.
Instead, if you wanted to hack the election, you'd first become a billionaire, and buy all the media companies to ensure the population only sees one opinion. Then you'd gerrymander the election districts so most elections aren't really contested. And in locations where it might be close, you fill it with ads and social media misinformation so that voters don't know what to believe and they follow the loudest voices that repeated the most. Not only is that a lot more likely to work, but there's no chance of any consequences if you get caught since it's not illegal.
EverydayBalloon|4 months ago
[deleted]
breakingrules3|4 months ago
[deleted]
billy99k|4 months ago
[deleted]
pessimizer|4 months ago
The US has the worst voting system intentionally, not accidentally. And mail-in voting shows we aren't even a little serious about election integrity. We're militantly against it: you can get people to rabidly support universal IDs for trivial, nonsensical reasons that have never resulted in significant problems; and to demand digital IDs, device attestation, and real names on social media; but to the same people showing IDs to vote is supposed to be the end of democracy.
People have made this proposal every year since the 90s, and depending on the year it was the Republicans rabidly opposing it or the Democrats rabidly opposing it. Good luck getting things accomplished with a good argument. That's not how things get done. The people who get the final say about this would love to get rid of voting altogether, but they'll settle for vendor kickbacks.
n8cpdx|4 months ago
A signed affidavit or local ID should be fine to establish identity. That can be done when signing up for mail in voting (although I personally prefer in person).
Voter fraud is extremely rare under the current system.