The biggest advantage physical voting has is that it follows human-scaling laws. Which often is a problem (inefficient) but for voting this is a massive benefit for one particular reason - due to lack of automation any fraud doesn't also benefit from the same automation so has to be large scale and widely distributed for it to be impactful (the fraud has to be distributed to the humans involved). Which isn't to say that it can't happen (and does!) but requires a lot more effort and in the physical world there are always a lot more fingerprints left, cameras looking, informants, etc.
This probably only works properly in the developed countries. In developing countries like India we suffered through decades of "booth captures" [1] where armed gangs would take over a polling booth and cast votes for their political candidate at gun point. Villagers would be disallowed from casting their votes. In many instances, the polling booth itself would be set on fire, ensuring that those votes are never counted.
With EVMs the polling officer can just deactivate the machine (which stops the counting at that moment) making booth capturing pointless.
Not saying this is not possible in developed countries. It could very well happen sometime in the future where armed gangs take over polling booths (especially if the candidate in question is bound to lose due to corruption/scandal and needs to cling onto political power to prevent himself/herself from going to prison).
The other advantage in physical voting is that so many people are needed to participate in the process. The probability of aligned bad actors goes down significantly when the voting process is a civic responsibility shared by volunteers who monitor each other. It's not perfect but public participation adds to the legitimacy of the process itself.
I don't care how much maths and encryption you use, you can't get out of the fact that things can be anonymous (no one can know how you voted) or verifiable (people can prove that you only voted once) but not both.
- Switzerland usually gets around this by knowing where everyone lives and mailing them a piece of paper 'something you have'
- South Africa gets around this by putting ink on your fingernail
I've read quite a bit about the e-voting systems in Switzerland and USA and I just don't see how they thread the needle. At some point, you have to give someone access to a database and they can change that database.
Until we all have government-issued public keys or something, there isn't a technical solution to this? (Genuinely curious if I'm wrong here)
The USA threads the needle by simply not having verifiable voting. And it turns out it works pretty well. Despite countless hours and lawsuits dedicated to finding people who voted more than once, only a handful of cases have actually turned up.
It's not that there are no checks. You have to give your name, and they know if you've voted more than once at that station that day. To vote more than once you'd have to pretend to be somebody else, in person, which means that if you're caught you will go to jail.
We could certainly do better, but thus far all efforts to defeat this non-problem are clearly targeted at making it harder for people to vote rather than any kind of election integrity.
Sure you can, you just need an anonymous voting mechanism that's sufficiently naive. You use the verifiable process to restrict access to that anonymous mechanism.
In Canada, at both federal and provincial levels, you walk up to a desk and identify yourself, are crossed off a list, and handed a paper ballot. You go behind a screen, mark an X on the ballot, fold it up, take it back out to another desk, and put it in the box. It's extraordinarily simple.
> At some point, you have to give someone access to a database and they can change that database.
Well, that kind of fraud is a different issue from someone reading the database and figuring out who someone voted for (you just... don't record identities in the database).
The Italian way looks similar to the Swiss way. In detail:
When I go to cast a vote in Italy I bring with me my state issued photo ID (everybody has one, I mean: must have one) and a state issued sheet of paper with the address of the place I must go to vote and a grid of empty spaces. I don't have to register to vote, basically I'm registered at birth. The people at the polling station take my two cards and look for me in their registry. They mark that I came to vote, stamp an empty space on the second card and hand me the paper ballots. I think that in this way it's both anonymous and verifiable. When the card with the stamps is full, they mail me a new one.
The state definitely knows where people live. Babies are registered when they are born and people have to register any change of their address of residence. It's been like that at least since Italy became a country in the 1860s.
By the way, how do I know that they counted my vote as I cast it? I can't know it. I must trust that they did not open the box and replace the ballots, but people from the several competing parties visit the polling station and can attend the counting. I trust that process much more than something happening inside a computer program.
Australia has a system where you are anonymous and can prove that you only voted once:
You have to be registered and must vote within your electorate, so your name appears on a certified list for that electorate and each voting location has that list. When you vote, they strike your name from the list.
After the election, the lists from these locations are compared. Anyone who votes twice has their name struck twice, and is investigated for electoral fraud.
Whether people know if you voted or not is immaterial, as voting is mandatory in Australia.
While this sounds like it allowed remote voting, it's interesting that some places (e.g. The Netherlands) went back to 100% paper instead of voting machines. That causes counting to take quite some time, with estimates/interim counts in between.
I don't understand why voting machines can't just print your vote on a piece of paper behind a plastic window for you to see while also recording the vote in a database. That is 100% anonymous and can't be cheated. The database is the instant answer at election closing time, and then you can take some days to count the papers as confirmation that nothing weird happened.
No way to hack that. If you print something different on the paper the voter will see it. If you try to hack it by printing more papers than actual votes, the paper count won't match the amount of voting passes that you collected/verified when letting people into the polling station.
It may even be safer than the current paper approach, because if the paper vote counters try to cheat their counts won't match the database triggering an investigation as well.
> The database is the instant answer at election closing time, and then you can take some days to count the papers as confirmation that nothing weird happened.
You are misunderstanding "who to trust".
The source of trust in a paper vote election is your party's representative + independent election observers. You believe them that they were sitting at the polling station all day, watching both the voting and counting, and nothing fishy happened. You don't have to trust the state officials in any way, and you don't have to trust any one else either. Just your party - which is kind of the point. The only people you maximally trust is your party.
In your proposal, you are saying that to trust the outcome, I must trust the state officials - the ones who built the machines. Those are exactly the people I distrust to do a fair election.
Voting machines here (Indiana) will print a sheet with your choices, which you can review before feeding it to a counting machine. That way you have a paper trail for recounts, and a sanity check before the vote is cast.
> I don't understand why voting machines can't just print your vote on a piece of paper behind a plastic window for you to see while also recording the vote in a database
If it's counted electronically from the database, the piece of paper is completely worthless. Unless you can get the entire voting population to give you their paper and then count them, you will never know if the count is right. If a hacker switched 15% of the vote from one party to another, how could you tell from a piece of paper that tells you who you voted for?
I think this is probably sufficient, but also wonder if there's a circular logic to the "No way to hack that" claim. If the hypothetical hack could both corrupt the digital votes and the printing it could ensure the vote counts line up. I guess it maybe makes it harder, but if the printed paper votes are there to validate the digital votes and vice-versa I'm not sure it's quite as air-tight as claimed.
Edit: I just realized you also mentioned "voter-passes" when entering the voting site. That definitely makes it much harder! If those were corrupted you could still pull it off, but that level of sophistication is really likely to get caught.
Ireland has both paper only voting, and a PR-STV voting system. Counting can take, literally, days (the most recent EU election took five days to fill all the seats). It is a spectator sport for a certain type of nerd.
> I don't understand why voting machines can't just print your vote on a piece of paper behind a plastic window for you to see while also recording the vote in a database.
They absolutely can. Brazil uses electronic voting machines and that exact method was proposed to increase the trustworthiness of the system. We'd get the best of both worlds: fast vote counting and an auditable paper trail that serves as the ultimate truth.
Supreme court declared it unconstitutional using total bullshit arguments ranging from "it compromises voting secrecy" to "it's hard to implement", thereby fueling concerns that the voting machines are compromised.
I don't understand the need for e-voting. Germany's entirely paper-based system works fine! After voting closes, volunteers count the votes for a few hours and we get a result.
Canada also uses hand counted paper ballots and it works great. There's no need to make large-scale voting electronic, and I'd never trust it without major social institutions in place that can provide the kind of oversight we have with good old paper ballots.
The pilot is for people unable to get to a polling booth. Traditionally, we use postal votes for this. But postal votes enable voter fraud (primarily selling your vote), so we can only use it for a small portion of votes or results become too suspect.
So paper systems require ballot boxes and polling stations for the vast majority, which makes elections expensive, complicated, and generally problematic. And unpopular, with low turnout, particularly during flu season and pandemic.
Wider participation in voting? Easier to vote for people who can’t travel to the voting station, for myriad reasons? Just more efficient for everyone involved?
And bigger picture, once you prove a system that’s easier, more efficient, reliable… you could expand to more votes on more things. Like… the Swiss do.
—-
(A German advocating for paper-based bureaucracy… whatever next? ;) )
Drawing two crosses on a piece of paper every couple of years has really nothing to do with democracy. Democracy is when one can vote on all topics on any level (local village, town, district, county, state, ...) using the computer at home. This is possible to implement using the algorithms/data structures available today. We actually do basically everything online today - except voting.
For instance, such a system would be immune to corruption. That's one of the major reasons such a system will likely never appear.
The only potential benefit I can think of is getting results faster, but it's really not important enough to optimise for.
Maybe a dual system of paper ballots and e-voting could be good so that they cross check each other. Can't stuff paper ballots without manipulating the digital counter, can't manipulate the digital counter without stuffing ballots. A digital counter also enables meta analysis which could identify suspicious patterns, like a wave of votes for a particular candidate.
Stories like this probably scare some people off from electronic voting but I don't think this is that big of a deal. When we finish voting operations in my area we load the ballots up on someone's personal vehicle and they take them down, securely, to where they need to go. That vehicle could get blown up and those ballots could be gone, though I think we could still get a record of the results.
That being said for the United States, I am in favor of in-person voting requiring proof of citizenship, and making "voting day" a paid national holiday. Not so much for technical or efficiency reasons but for social reasons. I'd argue it should be mandatory but I don't think we should force people to do anything we don't have to force them to do, and I'm not sure we want disinterested people voting anyway.
Exercising democracy, requiring people to put in a minimal amount of thought and effort goes a long way. It should be a celebratory day with cookies and apple pie and free beer for all. Not some cold, AI-riddled, stay in your house and never meet your neighbors, clicking a few buttons to accept the Terms of Democracy process.
I know there's a lot of discussion points around "efficiency" or "cost" or "accessibility" or how difficult it supposedly is to have an ID (which is weird when you look at how other countries run elections) and there are certainly things to discuss there, but by and large I think the continued digitalization and alienation of Americans is a much worse problem that can be addressed with more in-person activities and participation in society. We're losing too many touchpoints with reality.
> Tech Enthusiasts: Everything in my house is wired to the Internet of Things! I control it all from my smartphone! My smart-house is bluetooth enabled and I can give it voice commands via alexa! I love the future!
> Programmers / Engineers: The most recent piece of technology I own is a printer from 2004 and I keep a loaded gun ready to shoot it if it ever makes an unexpected noise.
Paper ballots work just fine. Why are we using tools for scale (computers) when voting is an incredibly small and finite domain? Just total waste of tax dollars and over-engineered solution to a simple problem.
Paper ballots are a must. Vote on a touchscreen, then have the terminal print out a voter-verifiable paper ballot that can also be machine counted.
Make the ballot printout layout a standard format. Then machines from multiple vendors can verify the counts on a subset of the ballots. And as a last resort, the ballots can be hand counted as well.
This is why you do parallel paper/electronic voting. Fill it out electronically, it prints a receipt (maybe including a QR code), you mail the receipt (along with the 'classic' absentee voting stuff, i.e. double envelope, proof of eligibility to vote in the outer envelope.)
Oh and as a side effect it can be audited very nicely.
The article is very light on the encryption scheme and software used.
For HN I would have expected a more detailed discussion of what could have gone wrong (it seems like a bug in some software package since we have this power of 2 ^ 11 being 2048
[+] [-] everfrustrated|9 days ago|reply
[+] [-] kshri24|9 days ago|reply
[1]: https://en.wikipedia.org/wiki/Booth_capturing
[+] [-] notarobot123|9 days ago|reply
[+] [-] throwaway85825|9 days ago|reply
[+] [-] lesuorac|9 days ago|reply
Sheriff monitors the ballot box (ex. Jimmy Carter's opponent).
Only allow loyalists to count the result (and then report w/e you want; ex. Russia).
[+] [-] ritzaco|10 days ago|reply
[+] [-] jfengel|9 days ago|reply
[+] [-] beautiful_apple|10 days ago|reply
You can use homomorphic encryption or mixnets to prove that:
1) all valid votes were counted
2) no invalid votes were added
3) the totals for each candidate are correct
And you can do that without providing proof of who any particular voter voted for. A few such systems:
https://en.wikipedia.org/wiki/Helios_Voting
https://www.belenios.org/
Authentication to these systems is another issue - there are problems with mailing people credentials (what if they discard them in the trash?).
https://www.cbc.ca/news/canada/ontario-municipal-elections-o...
Estonia (a major adopter of online voting) solves this with the national identity card, which essentially is government issued public/private keys.
https://en.wikipedia.org/wiki/Estonian_identity_card
Lots of cyber risks with the use of online voting though, especially in jurisdictions without standards/certification. I outline many in my thesis which explores the risks to online elections in Ontario, Canada (one of the largest and longest-running users of online voting in the world)
https://uwo.scholaris.ca/items/705a25de-f5df-4f2d-a2c1-a07e9...
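As an added illustration of the homomorphic-tally idea in the comment above (not code from the thread, Helios or Belenios): exponential ElGamal ballots carry a proof that they encrypt 0 or 1, anyone can check each posted ballot, and only the product of the accepted ciphertexts is ever decrypted. The small demo group, the single key holder (real systems split the key among trustees) and all function names are assumptions of this example.

```python
import hashlib
import secrets

def is_prime(n):
    """Deterministic Miller-Rabin; these bases are exact for n < 3.3e24."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for p in bases:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for base in bases:
        x = pow(base, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

# Demo group (assumption): first safe prime P = 2Q + 1 above 2**61, generator G = 4
# of the order-Q subgroup. Far too small for a real election.
Q = 2**60 + 1
while not (is_prime(Q) and is_prime(2 * Q + 1)):
    Q += 2
P, G = 2 * Q + 1, 4

def challenge(*transcript):
    """Fiat-Shamir: hash the proof transcript into Z_Q."""
    digest = hashlib.sha256(repr(transcript).encode()).digest()
    return int.from_bytes(digest, "big") % Q

def keygen():
    x = secrets.randbelow(Q - 1) + 1          # election secret key
    return x, pow(G, x, P)                    # (x, h = G^x)

def commitments(h, a, b, v, c, s):
    """Commitments implied by (c, s) for the claim 'ballot (a, b) encrypts v'."""
    b_v = b * pow(G, -v, P) % P
    return (pow(G, s, P) * pow(a, -c, P) % P, pow(h, s, P) * pow(b_v, -c, P) % P)

def cast(h, vote):
    """Encrypt vote as (G^r, G^vote * h^r) plus an OR-proof that vote is 0 or 1."""
    if vote not in (0, 1):
        raise ValueError("vote must be 0 or 1")
    r, w = secrets.randbelow(Q), secrets.randbelow(Q)
    a, b = pow(G, r, P), pow(G, vote, P) * pow(h, r, P) % P
    other = 1 - vote
    c, s, com = [0, 0], [0, 0], [None, None]
    c[other], s[other] = secrets.randbelow(Q), secrets.randbelow(Q)   # simulated branch
    com[other] = commitments(h, a, b, other, c[other], s[other])
    com[vote] = (pow(G, w, P), pow(h, w, P))                          # real branch
    c[vote] = (challenge(h, a, b, com) - c[other]) % Q
    s[vote] = (w + c[vote] * r) % Q
    return {"a": a, "b": b, "c": c, "s": s}

def verify(h, ballot):
    """Anyone can check a posted ballot without learning the vote."""
    a, b, c, s = (ballot[k] for k in "abcs")
    if pow(a, Q, P) != 1 or pow(b, Q, P) != 1:     # must be in the order-Q subgroup
        return False
    com = [commitments(h, a, b, v, c[v], s[v]) for v in (0, 1)]
    return (c[0] + c[1]) % Q == challenge(h, a, b, com)

def tally(x, h, board):
    """Multiply the accepted ciphertexts and decrypt only the product."""
    valid = [bl for bl in board if verify(h, bl)]
    a = b = 1
    for bl in valid:
        a, b = a * bl["a"] % P, b * bl["b"] % P
    g_sum = b * pow(a, -x, P) % P                  # G^(number of yes votes)
    yes = next(t for t in range(len(valid) + 1) if pow(G, t, P) == g_sum)
    return yes, len(valid)

def demo():
    x, h = keygen()
    board = [cast(h, v) for v in (1, 0, 1, 1, 0)]  # constructed sample votes
    # Constructed invalid entry: a posted ballot altered to carry a weight of 5.
    board.append(dict(board[0], b=board[0]["b"] * pow(G, 4, P) % P))
    return tally(x, h, board)                      # (3 yes votes, 5 ballots accepted)

if __name__ == "__main__":
    print(demo())
```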
[+] [-] zahlman|9 days ago|reply
[+] [-] dmos62|10 days ago|reply
[0] https://satoss.uni.lu/members/jun/papers/CSR13.pdf
[1] https://fc16.ifca.ai/voting/papers/ABBT16.pdf
[+] [-] pmontra|9 days ago|reply
[+] [-] nness|9 days ago|reply
Works pretty well for a paper system.
[+] [-] SideburnsOfDoom|10 days ago|reply
This is true, but it's used in other countries as well, as it's a simple, effective, low-tech, affordable process.
Most notably in India https://edition.cnn.com/2024/05/02/style/india-elections-pur...
but also in many other countries: https://en.wikipedia.org/wiki/Election_ink#International_use
[+] [-] kanapala|10 days ago|reply
[+] [-] t0mas88|9 days ago|reply
[+] [-] abdullahkhalids|9 days ago|reply
[+] [-] realo|9 days ago|reply
We vote during the day... polls close in the evening... A few hours later we have the results. Hand counted, for the entire country.
What is the difference?
[+] [-] macintux|9 days ago|reply
[+] [-] max51|9 days ago|reply
[+] [-] monkaiju|9 days ago|reply
[+] [-] kosinus|9 days ago|reply
[+] [-] rsynnott|9 days ago|reply
[+] [-] something765478|8 days ago|reply
[+] [-] matheusmoreira|9 days ago|reply
[+] [-] qq66|9 days ago|reply
I have a hard time believing that it collected exactly 2,048 votes by coincidence
[+] [-] angrydev|9 days ago|reply
[+] [-] userbinator|9 days ago|reply
[+] [-] luplex|9 days ago|reply
[+] [-] bdamm|9 days ago|reply
[+] [-] stubish|9 days ago|reply
[+] [-] mft_|9 days ago|reply
[+] [-] coffinbirth|9 days ago|reply
[+] [-] cedws|9 days ago|reply
[+] [-] hocuspocus|9 days ago|reply
[+] [-] zoobab|10 days ago|reply
[+] [-] thangalin|9 days ago|reply
https://scotopia.in/journal/journalbkend/paper_list/v-4-i-1(...
Why Electronic Voting Is Still A Bad Idea:
https://www.youtube.com/watch?v=LkH2r-sNjQs
My Līberum Cōnsilium (see references on page 55):
https://repo.autonoma.ca/repo/delibero/raw/HEAD/docs/manual/...
[+] [-] pilingual|9 days ago|reply
[+] [-] eunos|10 days ago|reply
[+] [-] marcosdumay|9 days ago|reply
Looks like some block-size thing.
[+] [-] ericmay|10 days ago|reply
[+] [-] ninalanyon|9 days ago|reply
[+] [-] MengerSponge|9 days ago|reply
[+] [-] nemo44x|9 days ago|reply
[+] [-] ChoGGi|9 days ago|reply
No thanks.
[+] [-] Vvector|9 days ago|reply
[+] [-] fabiofzero|10 days ago|reply
[+] [-] jonas21|9 days ago|reply
[+] [-] eqvinox|9 days ago|reply
[+] [-] DoctorOetker|9 days ago|reply