HN Gopher Feed (2017-12-06) - page 1 of 10
___________________________________________________________________
Hearing on Cybersecurity of Voting Machines: Testimony of Prof.
Matt Blaze [pdf]
107 points by warrenm
https://oversight.house.gov/wp-content/uploads/2017/11/Blaze-UPe...
___________________________________________________________________
klondike_ - 5 hours ago
It's insane that anybody thought electronic voting machines were a
good idea when paper ballots have worked for hundreds of
years. Where paper ballots are transparent and accountable,
electronic voting machines have closed source and unaudited
software. They go against the core tenets of transparency and
fairness that make democracy work.
tnorthcutt - 4 hours ago
FWIW, it's "tenets" (not "tenants"). I agree with your point,
just thought you might want to know :)
klondike_ - 3 hours ago
Thanks, fixed the typo
warrenm - 1 hours ago
Luddite much? It's insane anybody thought electronic banking was a
good idea when paper money has worked for hundreds of
years. Electronic voting machines aren't the problem. Bad
implementations are the potential problem.
gervase - 3 hours ago
I don't disagree, but I also don't think that how long something
has been done one way is indicative of that way's optimality. By
such an argument, microwaves as a form of cooking and airplanes
as a form of travel would both be bad ideas. I think it's more
persuasive to focus on the transparency/auditability/fairness
argument. Perhaps as an extension, an emphasis on the ability of
the average participant/voter to understand the mechanisms behind
how the system works?
nickbauman - 2 hours ago
Yes it's critical for democracy that the mechanism can be not
only understood by a layman but verified by a layman. I'm sure
we can make a system that experts believe is safe. But it's the
voter that has to believe and it's unreasonable to ask them to
be experts. If you lose the voter, democracy cannot function.
deadmetheny - 3 hours ago
Fuck optimization. I want vote tallying to be slow, labour-
intensive, and repeatable by independent parties with no
special knowledge or equipment. Making the system more
efficient opens attack vectors. We know how to count and paper
ballots have been around so long that the attack vectors are
known and can be planned around.
Godel_unicode - 2 hours ago
> Making the system more efficient opens attack vectors.
No.
Doing that badly might have that effect, but there is no
axiom which states that accurate counting must be slow or
manual. Have electronic voting with instant tallying, with a
parallel optical-scanning verification of the generated paper
ballot. Then have manual spot checking of the automated
counting process, with whatever sample rate you choose. This
is a solved problem (ask the USPS if you want
details). Instant results which are "the ballots got wet"
proof and have a totally auditable record.
TeMPOraL - 43 minutes ago
> Doing that badly might have that effect, but there is no
axiom which states that accurate counting must be slow or
manual.
No, but there is an axiom that says the more
expensive an attack is, the less likely it will be carried
out. Hacking manual counting requires such absurd amounts of
coordination between so many individuals, that you can
pretty much discount the possibility. High technology is a
vehicle of multiplying the power of individuals. The same
process that makes electronic counting more efficient,
makes it also much cheaper to attack.
> This is a solved
problem (ask the USPS if you want details).
TBH, postal
services screw up in that department regularly, but nobody
cares, as the impact is very small.
rhino369 - 1 hours ago
Hand counting is very likely less accurate than machine
counting.
TeMPOraL - 47 minutes ago
Doesn't have to be perfectly accurate - it only has to be
in the ballpark of the correct amount and with low
deviation. In voting, a method with consistent +/- 1% error
is better than a method that generally has +/- 0.0000001%
error but can be trivially hacked to produce +/- 50% error.
Elections aren't usually decided on a single vote, and in
those rare cases, you can recount stuff a few more times to
be sure.
banku_brougham - 1 hours ago
with the notable exceptions of: software failures,
adversarial exploits, malicious design, et al
TheGRS - 2 hours ago
OK, but voting is also a very short part of the democratic
process. Voting needs to be reasonably fast so that the
decisions are then enacted. If recounts cause the process to
take months (which I believe was the case back in 2000), then
it also makes the transition process take longer and seeds
ever more doubt into the process. Just look at what happened
in Kenya recently.
TeMPOraL - 39 minutes ago
If you vote on a decision directly, it makes sense for it
to be fast. But for large elections, when you select future
rulers that will hold their office for years, a few days of
delay between the vote and the results makes pretty much
zero difference - especially that you usually do the vote
while the old politicians still have months to go.
sverige - 1 hours ago
> Voting needs to be reasonably fast so that the decisions
are then enacted.
Leaving aside other countries and their
transition times, in the U.S. at least, there is always
more than enough time to have a recount before the winner
takes office. There is also enough time to do the same for
things like ballot initiatives and referenda, which don't
go into effect immediately, but some reasonable amount of
time after the vote. With reference to the 2000 election,
the legal fight over the process to perform manual recounts
in Florida took far longer than the actual recounts would
have taken, dragging it out to December 12. Interestingly
enough, while I have heard some still claim that "Bush
stole the election," when the press actually finished a
manual recount, the conclusion was that Bush had, in fact,
won the vote. But people will believe what they want to
believe about the fairness of elections when it doesn't go
their way, as has been amply demonstrated recently.
anigbrowl - 2 hours ago
No it isn't. Electronics actually work just great when the vast
majority of actors are behaving cooperatively, as when you use
your credit card to buy something on the internet. Most of the
time your order arrives as specified, you pay the amount
expected, and nothing bad happens. It's great. The problem with
voting is that trust doesn't really exist, you have large blocs
that are historically willing to undermine the integrity of the
process itself because the risks of getting caught and the penalties
associated with same are low and mild compared to the potential
payoffs of success. I would argue that too much power is
concentrated in elective offices, such that the incentives for
cheating so vastly outweigh the downside risks that shenanigans
become inevitable. The American approach to this has been to
distribute power across as many elective offices as possible.
This may have been a mistake, and furthermore it makes voting
enormously elaborate and complex. American ballots are huge.
That's better than the paternalism that obtains in
parliamentarian systems, where you get to vote for a small number of
representatives once every few years and on a referendum maybe
once a decade, which makes it easy to do all the ballot-counting
by hand. Paper ballots can't be counted by hand in the US. I mean,
yeah, it's theoretically possible, but when ballot papers in a
general election can have 40 to 50 candidates and referendum
items, counting has to be automated (eg by scanning) and recounts
are limited to specific races in specific precincts. To be frank,
it would be very easy for a determined attacker to throw an
entire election into doubt by subverting just a few key points.
All I need to do is force votes close enough to trigger the
recount threshold in multiple (>=3) disparate races in multiple
(>=3) busy precincts and then have a few Outraged Citizens show
up to protest the injustice simultaneously. To be honest you
could probably do that with ad buys and not even use knowing
operatives. The amplifying effect of the media will do the rest.
On top of the commercial impulses that drive the media to seek
spectacle first and substance later, the wide availability of
camera and communications technology is a double-edged sword; on
one level it provides an economic and cultural stimulus which is
great, but that also means that it's extremely subject to
manipulation as the capacity for media production outstrips that
of critical consumption - that is to say, our capacity to create
rumors often exceeds our capacity to filter them out, and
leveraging this at a critical time like an election makes it easy
to provoke political instability. So, while paper ballots seem to
have greater integrity than electronic voting, they're really not
that much harder to undermine and require the acceptance of all
kinds of practical problems that come with fetishizing
tradition. Could we not instead have voting machines with open
source and audited software, or better yet voting software that
we could all have on our phones that met the same standards?
That'd be the ideal, but it hasn't happened until now because
procurement and the political process itself are deeply
corrupted, and in addition to the basic corruption of two sides
spending vast sums of money to struggle over power, there's the
bigger issue that if you could gain popular acceptance for a
solid verifiable open-source voting mechanism we wouldn't need
much of our political infrastructure; that is to say,
instantaneous, reliable, and credible electronic voting is a
threat to the existence of the political class, and by extension
to the buyers of said political class's services.
emmelaich - 4 minutes ago
It's a premature optimisation gone malignant. It's techno-philia
from the techno-ignorant.
rdtsc - 3 hours ago
> They go against the core tenets of transparency and fairness
that make democracy work.
The reason for the existence of
electronic machines is often something as mundane as the cousin
of the governor owns a company which happens to make the
machines.
walshemj - 2 hours ago
um voting should not be transparent you don't want "Vinny" or
"Paddy" the block captain coming round and saying "Mr Falcone /
Mr Murphy Is very Upset about the way you voted"
LeifCarrotson - 4 hours ago
The core feature of a voting system is to determine who got more
votes. With paper, that's a laborious process, requiring
physically adding up millions of pieces of information. And many
other things - like horses, sailboats, and slavery existed for
hundreds of years but have been phased out for superior
technology. An electronic voting machine or computer would, in
theory, be able to take votes and output a result without this
effort. Electronic voting machines are, at first pass, a good
idea. The presence or lack of transparency, accountability, and
auditability are implementation details, not principles of
electronic voting machines. In the absence of bad decision
making and the presence of properly aligned incentives, the
issues current voting machines suffer from could be worked around
with a different implementation. Before computers were an option,
paper was not chosen because of these properties it's now lauded
to have.
TeMPOraL - 3 hours ago
Doesn't change the fact that those non-core features are
actually essential in practice. The core feature of a car is to
go places fast, but it's also crucial it doesn't kill its
occupants. Similarly, the essential aspects of a voting system
are things like perception of fairness (otherwise we're back to
killing each other for the seat at the table) and protecting
individuals from being bribed or coerced into voting in a
particular way. Electronic voting systems fail to provide those
features in a reliable way.
LeifCarrotson - 49 minutes ago
Transportation systems get people places. Cars get people
places fast, and are so much more effective than the old
methods (horses or walking) that their increased danger is
worth it. They just need to be safe enough. Equivalently,
it's so much easier to tabulate voting results with computers
that we just need to make it reliable enough.
TeMPOraL - 33 minutes ago
Yes. The point is, electronic voting systems are not good
enough with respect to the trust general population will
have in the system. Consider that there are, and will always
be, people on the losing side that argue the elections were
rigged. In the paper version, the scenario is so
implausible that it's not worth much attention. In an
electronic system, where maybe 1% of the electorate can
actually understand how it works, and only 0.1% of that 1%
have enough access to actually verify it works the way it
says it works, it will be much easier to argue that the
other side rigged the election. For democracy to work, it's
less important who is elected, and more important that
everyone accepts the result of the process.
losteric - 3 hours ago
The real risk is full digitization, which these voting machines
provide. Our elections cannot be a black box. There are middle
grounds. Paper doesn't have to be manually tabulated. Punch-hole
ballots can be mechanically tabulated, fill-in-the-bubble
ballots can be read with minimal software. Results can be
aggregated by software and communicated over networks because
the results can be audited with the paper trail (both cheap
sampling/statistical auditing and an expensive total manual
tabulation). If chads and improperly filled ballots cause
problems, create a machine to fill in the paper ballot for
people - but give the voter the ballot, let them verify, then
walk over and drop it in a ballot box. If the NSA can't lock
down their espionage weapons, we can't trust some second-rate
politically-connected software vendors to run our elections. We
need auditing, we need paper.
walshemj - 2 hours ago
Doesn't seem to be a problem in the UK the US population is
only 5x. Of course properly implementing the civil service reforms
(of the 19th century) and not electing Judges and other
positions that should be filled on merit by civil servants
might help
justadudeama - 1 hours ago
Do you think there is a world that we can safely and securely
depend on electronic systems? Aka, enough open source and open
hardware then anybody can ensure that the system is secure?
TeMPOraL - 24 minutes ago
(NOTE: did HN just break? It's cutting my comment in half
when I try to submit/edit it...) In general, we'd have to
close the loop over hardware the way we did with software. In
software, you can write open-source code that depends only on
other open-source code, and you write and distribute it with
open-source tools. Trusting-trust-style attacks aside[0],
everything on the software layer can be inspectable by
anyone, and in principle you could read through all of the
code and understand what it's doing[1]. With hardware though,
there pretty much isn't any usable open-source hardware stack
that's a) fully open-source at every level, and b)
verifiable. The latter is particularly damning, because chips
are made in commercial factories you can't inspect, and the
actual process is secret. (1/2)
deadmetheny - 3 hours ago
>With paper, that's a laborious process, requiring physically
adding up millions of pieces of information
That is a feature of
paper ballots, not a bug. We have plenty of volunteers to count
ballots and there's no necessary equipment or domain knowledge
to do so. The attack surface is thin and well-known with paper.
monocasa - 3 hours ago
> With paper, that's a laborious process, requiring physically
adding up millions of pieces of information.
I'd argue that this
isn't a huge deal since the amount of labor available scales
essentially linearly with the amount of votes cast.
excalibur - 2 hours ago
Unless you follow Saudi Arabia's lead and start granting
citizenship to robots. Then you can't use them as labor for
counting paper ballots, as that would turn them into
electronic voting machines.
rthille - 5 hours ago
It's not insane if you look at the motivations behind who was
pushing them.
nvr219 - 4 hours ago
Please explain I don't know anything about this
slavik81 - 4 hours ago
I hope you're not implying some sort of conspiracy theory. As
far as I can tell, the driving motivation seems to be saving
money. We just had our municipal elections. Plenty of regular
people saw the slowness and the expense of paper ballots. Some
asked about switching to electronic voting, because even to a
layman it's obvious how computers could potentially make
tallying votes faster and cheaper. The part that's not obvious
is security and making results auditable. That's much harder
for electronic voting, but it's not as obvious to a layman.
RobertoG - 3 hours ago
Paper ballots are more secure, precisely because they need a
lot of people in the process. If most of those people are
chosen randomly between the population, as it happens in my
country, the system is pretty robust. As this is HN: It's a
distributed system, every node making its own checks. So, the
answer to the complaints is that the slowness and the expense
are a feature, not a bug.
rhino369 - 1 hours ago
Well, one type of paper ballot probably tipped a presidential
election. There was a sudden push to get rid of any ambiguity.
It was an overreaction but that is why it happened.
boomboomsubban - 1 hours ago
The ambiguity wasn't necessary in that election, politics made
the ballots confusing and they can do the same thing with
electronic ballots. And even with that ambiguity, a recount
would have solved the issue. The Supreme Court decided that
election by stopping the recount.
cmurf - 24 minutes ago
But profit!
blfr - 4 hours ago
More importantly, what problems are electronic machines solving?
Having to wait until the next day for results?
pault - 4 hours ago
If you are a government, making something easier to measure is
a benefit, regardless of the second order effects it might
have.
wfo - 3 hours ago
The existence of a reliable objective audit trail is a
"problem" that is solved by electronic voting machines. Well, a
problem for people who wish to rig elections. Perhaps the
ability to untraceably modify millions of votes with the push
of a button at an unaccountable private company's headquarters
is a feature, not a bug? Given how obvious and easy to execute
this is, it seems impossible to imagine any justification for
the change that does not at least consider this an acceptable
plausible consequence of the choice.
space_fountain - 4 hours ago
Price. I guarantee that's the problem they were brought in
because of.
blfr - 4 hours ago
Because classic counting was too expensive or too cheap?
TheGRS - 4 hours ago
Classic counting being what? By hand? Does that sound like
the most accurate or efficient way to go about this?
throwawayjava - 4 hours ago
This is the key comment of this thread. Assuming perfect
security and absence of software bugs, we'd be insane to
prefer human counters to machine counters.
klondike_ - 3 hours ago
Nobody expects humans to be accurate, and that's why
there are checks and balances in place to make sure the
counts are accurate and unbiased. It would take a huge
conspiracy to swing an election. Computers represent a
single point of failure, one piece of malicious software
could affect an election and nobody would even know. This
problem is made even worse by the closed source machines
in use right now.
DenisM - 3 hours ago
The manual mistakes will average out with scale. Software
mistakes get multiplied.
TheGRS - 1 hours ago
I feel like software mistakes are easily identifiable and
fixable where human mistakes are not on both accounts.
Plus, even small mistakes could lead to elections being
decided on just a few votes the wrong way.
boomboomsubban - 1 hours ago
The rare truly close race generally faces a recount
anyway, so the same mistakes would need to happen
multiple times. Unlikely for humans, plausible for
machines.
potatolicious - 3 hours ago
Too expensive. Classic counting means counting by hand,
which means a small army of people (or, for a federal
election, a large army of people, literally the size of
some armies). That said I believe that, absent major changes
to regulations around voting machines, the labor cost is
worth the security, transparency, and accountability
benefits. Automating the counting process must be done in a
way that preserves the ability to manually verify the count
- voting machines that do not produce a paper audit trail
that can be verified by humans are fundamentally insecure.
Spellman - 3 hours ago
Thinking back to the Gore-Bush election and issues of ambiguous
paper ballots during the very tight recount. Everyone remember
hanging chads? Or double voted ballots? There's an argument to be
had that digital systems are more robust and will enforce the
proper rules in a non-ambiguous manner. That's not to dismiss the
claims of cost (projected to be cheaper than armies of manual
counters) and speed (instant results on election night!) that
also likely spurred this decision. In hindsight though we are
learning of the other issues we have created while trying to
solve the originals.
jimrandomh - 1 hours ago
During the Bush-Gore election, the paper voting machines had
ambiguities but the digital ones were actually hacked.
https://en.wikipedia.org/wiki/Volusia_error
FooHentai - 2 hours ago
Both sides of this particular debate seem to be stuck in this
silly false dichotomy where you either have insecure electronic
voting, or entirely revert to traditional paper ballots. We can
have sophisticated and safe electronic voting, but we have to
introduce it gradually, with transparency and major, sustained
investment. We must also do something that doesn't come naturally:
Critically review and audit progress to-date, and use this
information to conservatively set direction for future effort.
The aviation industry's approach to technology is the kind of
model that is needed here, not that of startups or big corporate.
jstewartmobile - 2 hours ago
Schneier once wrote[0], "The worst enemy of security is
complexity", and I'm inclined to agree with him.
"Sophisticated and safe" is an almost guaranteed
contradiction.
[0] https://www.schneier.com/essays/archives/1999/11/a_plea_for_...
FooHentai - 24 minutes ago
Ah, my intent with the use of sophistication was more in the
sense of being greatly worked on over time, and adapted based
on real-world experience and the complexity of the
environment in which it exists. It was not my intent to
suggest that the system itself would need to be greatly
complex. Perhaps my use of the term was incorrect.
TheGRS - 2 hours ago
The suggestions mentioned in this testimony basically recommend
doing just that. Paper ballots are used to keep a record of the
vote in the case of a system outage or if a manual audit is
triggered, but for the most part you would never do it that
way. Statistical analysis is used to trigger alerts that there
may be fraud happening at a particular polling station.
DannyB2 - 1 hours ago
Your words about paper ballots being transparent, accountable,
etc are exactly how paper ballots have NOT worked for hundreds of
years. At least not "worked" the way some people wish they would
"work". Hence electronic paperless voting with no tamper proof
audit trail.
jdietrich - 1 hours ago
In the video below, Tom Scott explains why paper ballots are
intrinsically more secure than electronic voting. If you're
reading this and don't think that electronic voting is a terrible
idea, I urge you to spend the next eight minutes of your life
watching it.
https://www.youtube.com/watch?v=w3_0x6oaDmI
wh1te_n0ise - 3 hours ago
I'm confused how you can say paper ballots have any of those
properties. Once you've handed off your paper ballot, it's no
longer "transparent". You have no signature (physical or
digital) that verifies that your vote was counted in the final
tally. You also have no proof that all other votes submitted in
that election were legitimate votes from real, identified
eligible voters. Ballot stuffing and mis-recording of votes are
both forms of fraud that have been performed under the so-called
"transparent" paper voting systems... "Accountable" implies that
you have adequate identification. Last time I checked (last
presidential election), I only needed to provide a name and a
birthday in order to vote, which are both things that are
publicly available information. Without adequate identification
of people (see: biometrics + smart cards, ideally), you don't
have accountability or even the ability to reliably detect voter
fraud. Why would you want to favor a paper system which relies
on people (who can be paid off, blackmailed) when better
solutions exist that get rid of some of the possibility of human
error? Personally, I'd rather have a public electronic voting
system where all voting transactions are stored on a public
blockchain. That way I can verify the vote tallies for myself
and I can also verify that the vote that I submitted was actually
recorded and included on the public blockchain. You add in the
assumption that all voting machines must be closed source and un-
audited - but that's not an inherent property of voting machines.
Governments could just as easily use open source and publicly-
audited voting machines.
tonyztan - 3 hours ago
>I can also verify that the vote that I submitted was actually
recorded and included on the public blockchain.
Would this allow
you to prove to someone else how you voted in the election? If
so, that's not a desired property. Currently there is no way for
you to prove, to yourself or someone else, who you voted for in
an election because nobody gets to see your ballot and you
cannot take a photo. This makes vote buying and coercion much
more difficult. I'd like our voting system to keep this
feature.
wh1te_n0ise - 2 hours ago
I can see how that would be a concern, and I'd say to that -
it really depends on the implementation. You could have a
blockchain-based system where everything is public (say, like
Bitcoin), which from your perspective would be bad. You could
have a blockchain-based system where you need a "view key" in
order to actually view the details of a particular
transaction (say, like Monero), which from your perspective
would also be bad. In the latter system I'm describing, you
could have a procedural control that you have a choice of
receiving your "view key" or something along those lines to
deter coercion and vote buying. Other possibilities would be
allowing voters to change their votes at a later date, or
creating a system that allows voters to vote remotely such
that they could do so in the comfort of their own home where
they'd be (presumably) free from coercion and other
influences.
Godel_unicode - 2 hours ago
If it's possible to get vote attestations (using view keys
for instance) then coercion and vote buying will happen.
Consider that if I can coerce/buy your vote I can
coerce/buy your view key (no, a duress key doesn't help, if
it exists I'll demand both). The system needs to retain the
current property of being able to lie about having voted a
certain way with 0 chance that you will be discovered
because getting proof is impossible. Consider that it won't
be "comfort of their own home" it'll be the comfort of
their union boss's office so he can be sure they voted as
directed.
wh1te_n0ise - 2 hours ago
First off, I hope you realize that in the current paper
systems that your "union boss" could literally walk down
to the voting station themselves and give them your name
& birthday and just submit votes on your behalf without
needing to "coerce" or "buy" any votes. Regardless, I said
that it was dependent on the implementation. If I am
able to change my votes at a later date, then who cares
if my union boss can pull me into his office and force me
to vote a certain way? I'll just go in that evening and
issue a corrective vote and be issued a new "view key"
associated with that transaction and my boss would be
none the wiser. Or you could have a system where the
blockchain isn't public, but rather it's only accessible
by a few designated government machines. Then for
auditing purposes if you want to verify your vote, you go
into a facility (no electronics [besides your
identification] allowed) with your "view key" and prove
your identity (biometrics, smart card) and then you're
able to then receive assurance that your vote was
recorded as expected by viewing the transaction from one
of the government machines. Then your union boss doesn't
have the ability to check your votes. You know what I love
though - people who make all discussions black and white
and don't consider the large spectrum of possibilities.
walshemj - 2 hours ago
In the UK with paper ballots when you vote you're checked against
the electoral register before you get the ballot.
DannyB2 - 1 hours ago
I don't have a problem with electronic voting if: The electronic
machine has a nice UI. Clear. Offered in multiple languages.
Maybe even show pictures of the candidates. Touch screen. It's
all great. It MUST produce a paper ballot that clearly shows what my
vote is. I put it in a cardboard sandwich for privacy. I drop the
ballot from the cardboard into ANOTHER machine that instantly
counts my vote. A readout on the top of the machine shows the
total number of ballots counted today. I can see that number
increment as my ballot is scanned and dropped into a basket within
the machine's guts. That gives me a feeling of assurance that my
vote was counted and scanned. What the machine scans is the same
exact thing on the ballot that my eyeball scans. That way the
"human readable" part of the ballot cannot differ from the "machine
readable" part of the ballot since they are one and the same. Now at
various points during the day, the election officials could obtain
the number of votes to each candidate in order to update the press
on how it is going. A statistical audit for anomalies can be done --
even on the paper ballots. If needed, a laborious manual recount
could be done using the paper ballots. You get the reliability of
paper ballots and recounts. And the convenience of modern UIs and
rapid counting.
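Added example, not part of the thread: one way the statistical audit of paper ballots mentioned in losteric's and DannyB2's comments can work, written as a simplified two-candidate BRAVO ballot-polling test that either confirms the machine-reported winner from a random sample or escalates to the full manual recount. The ballots, totals, seed and function names are constructed for illustration.

```python
"""Ballot-polling audit of a machine-reported result against the paper ballots.

Simplified two-candidate form of the BRAVO test (Lindeman, Stark, Yates).
Every ballot, total and seed in this file is constructed sample data.
"""
import math
import random

CONFIRMED = "confirmed"
FULL_HAND_COUNT = "full hand count"


def ballot_polling_audit(drawn, winner, loser, reported_share, risk_limit=0.05):
    """Sequentially test the reported outcome against hand-read paper ballots.

    drawn          -- choices read by people from randomly drawn paper ballots
    reported_share -- winner's machine-reported share of the winner+loser votes
    risk_limit     -- maximum chance of confirming an outcome that is wrong

    Returns (decision, ballots_examined).
    """
    if not 0.5 < reported_share < 1.0:
        raise ValueError("reported winner must hold more than half of the votes")
    if not 0.0 < risk_limit < 1.0:
        raise ValueError("risk_limit must be between 0 and 1")

    # Likelihood ratio of "the reported share is right" against "it was a tie",
    # accumulated in logs so long samples cannot underflow.
    step_for = math.log(reported_share / 0.5)
    step_against = math.log((1.0 - reported_share) / 0.5)
    stop_at = math.log(1.0 / risk_limit)

    log_ratio = 0.0
    examined = 0
    for choice in drawn:
        examined += 1
        if choice == winner:
            log_ratio += step_for
        elif choice == loser:
            log_ratio += step_against
        # Blank or spoiled ballots are evidence for neither side.
        if log_ratio >= stop_at:
            return CONFIRMED, examined
    # The sample never gave strong enough evidence: count every ballot by hand.
    return FULL_HAND_COUNT, examined


def draw_ballots(ballot_box, how_many, seed):
    """Draw ballots at random with replacement.

    Assumption: the seed is produced in public after the machine totals have
    been published, so nobody can predict which ballots will be inspected.
    """
    rng = random.Random(seed)
    return [ballot_box[rng.randrange(len(ballot_box))] for _ in range(how_many)]


def demo():
    """Audit the same reported result (A with 60%) against two paper trails."""
    reported_share = 0.60
    boxes = {
        "paper matches machine": ["A"] * 6000 + ["B"] * 4000,
        "paper contradicts machine": ["A"] * 4500 + ["B"] * 5500,
    }
    results = {}
    for name, box in boxes.items():
        sample = draw_ballots(box, 3000, seed=20171206)
        results[name] = ballot_polling_audit(sample, "A", "B", reported_share)
    return results


if __name__ == "__main__":
    for name, (decision, examined) in demo().items():
        print(f"{name}: {decision} after {examined} ballots")
```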
baddox - 1 hours ago
FYI, it's generally ill-advised to report official vote counts
from a polling location before those polls are closed, because
doing so is likely to discourage later voters.
enitihas - 2 hours ago
One very important point in favor of paper based voting systems
which often comes up on HN is that attacks against paper based
voting are inherently not scalable, while electronic voting is
prone to large scale attacks by a corrupt government or a
determined and resourceful adversary. I used to be in favor of
electronic voting, but after slowly learning more and more about
how difficult it is to create a secure system, I think voting is one
place where we are not yet ready to digitise (if we ever will be).
Godel_unicode - 2 hours ago
This is a false dichotomy. Read Matt's testimony. We can have
immediate results and reduced errors from electronic voting while
simultaneously having a perfect, affirmative paper record.
anigbrowl - 2 hours ago
> attacks against paper based voting are inherently not
scalable
Sure they are. Attacks against the counting are not, but
you can easily attack the voters in their heads by microtargeting
of advertising, both electronic and in more traditional forms
like paper mailers or street displays. You can't easily produce a
particular outcome across a large population, but you don't need
to; all you have to do is throw the integrity of the election
into sufficient doubt that the political consensus breaks down
and it's off to the races. And that is very very easy to do, as
we have seen over and over again.
enitihas - 2 hours ago
But all these attacks still remain possible with whatever
electronic voting system you choose. So I don't see how
electronic voting offers us any help here.
anigbrowl - 2 hours ago
I expanded on this in greater detail in one of my other
comments and omitted to mention it again here, sorry. In
addition to forcing a close vote by whatever means, you then
attack the integrity of the ballot-counting process at the
local level. This is easy to do in a paper-based system
because of the information asymmetry that exists from voting
precincts; you don't know much about the integrity of the
vote in any other precinct besides your own, and likely not
even in that unless you're really interested. On the other
hand, you know a lot about the general integrity of
electronic transactions because you probably use a credit or
debit card frequently and in many different places and
contexts and it works predictably. So even though that system
isn't that secure, enough people believe in it through
repetition and general utility that it remains in place.
Voting is infrequent and thus easier to get up conspiracy
theories about.
forapurpose - 2 hours ago
> after slowly learning more and more about how difficult it is
to create secure system
It's an IT problem that many at HN should understand. Secure this
system against potential nation state attackers who are highly
motivated:
* System is distributed across locations in every county in the
nation
* System is actually a variety of different systems, not built to
any standard or spec (AFAIK).
* Software and hardware are not audited or known to be secure.
Much of it is well past its designed lifetime. Level of
maintenance varies, but is probably low on average.
* System is operated by amateurs, often volunteers, a different
group of them in every location. Operators have a variety of
training, but often very little and often minimal security
training. Operators are not vetted.
* Physical security is minimal. Also, up to 180 million users are
given private, physical access to the system.
...
Obviously, it's an absurdly impossible task. To any degree that it
is possible, the expense would be so high that paper would be the
obvious choice.
wilkystyle - 4 hours ago
Tom Scott has a good video about this:
https://youtube.com/watch?v=w3_0x6oaDmI
umanwizard - 5 hours ago
Why the fuck do we need electronic voting. I post this on every
thread involving electronic voting and nobody has yet successfully
responded. Paper is secure by default.
gjjrfcbugxbhf - 4 hours ago
We don't. People want it because it is faster to count.
umanwizard - 4 hours ago
Results in places like France and the UK are known within a few
hours.
anigbrowl - 2 hours ago
Do they vote for as many electoral offices and ballot
propositions at the same time as is typical in American
elections? Comparing American and European election
mechanisms is like comparing a truck with a bicycle.
gjjrfcbugxbhf - 4 hours ago
Even there people occasionally suggest electronic voting as a
means to speed things up.
TheGRS - 4 hours ago
Are they the real results or the exit polls?
gjjrfcbugxbhf - 4 hours ago
Exit polls are instant. The national implications of
elections are usually declared around 3-5am (counting
starts around 10pm). The last constituencies usually declare
by midday the next day. In the last UK general one
constituency took two days - there were about 12 votes
between the top two parties so they did a few recounts.
walshemj - 2 hours ago
In the UK that's part of the fun, staying up to watch the
returns come in, even more so if you're actually working. I
got home after dawn one time.
TheGRS - 4 hours ago
Secure by what standard? It's fairly easy to forge paper ballots
or mis-report counts.
walshemj - 2 hours ago
How? You only get the ballots at the polling station and
tampering with the boxes is hard as all parties have observers
and the boxes are sealed before transport.
gjjrfcbugxbhf - 3 hours ago
Not at scale.
wh1te_n0ise - 3 hours ago
It doesn't need to be at scale if the elections are won by
very small margins. Successfully executing voter fraud on a
few key districts can sway an entire election.
gervase - 3 hours ago
Although I don't think the current implementation of electronic
voting is needed, some kind of electronic voting may be needed to
facilitate novel developments in representation. For example, why
do we select our representatives based on where we live, and then
have them represent us on every possible issue? This leads to
issue voting, where a voter may choose a representative based
solely on their stance on a single issue (for example, abortion),
even if that representative does not reflect their stances on
all other topics. An issue-based representative system where you
select several representatives, with each assigned a particular
topic or subtopic of voter-selected granularity, would allow you
to rank your interests and allow your overall political views to
be better reflected by your elected representative(s). For
example, you might rank privacy very highly as one of your
topics, and elect someone from the EFF to represent you on
privacy-related issues (but nothing else, as the EFF knows
nothing about these other topics). As a secondary priority, you
also care about low taxes, so you choose a fiscal conservative to
represent you on most economic and spending issues. However, you
also want to ensure that your local community is represented, so
you finally elect a local politician to represent you on all
other issues. For additional information on what such a system
might look like, you may want to read this article. [0] However,
as such a system has many scalability problems (logistically) if
based on paper-based voting, it is only possible to implement
practically using an electronic/digital system. However, the
transparency and fairness of such an electronic system are no
less important in this case than they are under our existing
political structure, and possibly more so. Hopefully this has
illustrated some potential long-term benefits of electronic
voting systems, even if it doesn't address the short-term
problems generated by the closed-source, unaudited systems being
deployed now.
[0]: https://bford.github.io/2014/11/16/deleg.html
thevardanian - 4 hours ago
Paper isn't secure by default. You have people miscount, steal,
forge, destroy, and do other unscrupulous things to change the
results.
ams6110 - 3 hours ago
But it's much harder to do any of those things undetected on a
scale that would actually affect the results.
ShabbosGoy - 3 hours ago
This is a very good point. Electronic voting machines are a
solution in search of a problem.
Arkanosis - 2 hours ago
No voting paradigm is secure, that's inevitable. But voting
machines are /efficiently/ insecure (ie. you can miscount,
steal, forge, destroy and change the results /at scale/).
maerF0x0 - 3 hours ago
Some electronic voting systems would allow the voter to confirm
their vote was counted and correct after the fact. Imagine if a
webpage posted all the votes (crypto secured of course) such that
any voter could verify their vote. IMO this would help end the
corruption. If a statistically significant enough people stand up
after a vote and say "I didn't vote that!" then we can be made
aware of corruption.
mattnewton - 2 hours ago
If I understand you correctly, wouldn't that open up an avenue
for vote buying? Confirm what you voted for at home?
Arkanosis - 2 hours ago
If you can verify your own vote after the fact, then you can be
compelled to prove what you've voted, thus making vote selling
and vote under threat possible. Deniable voting - aka not being
able to verify a single vote - is a feature of paper-based
voting, not a drawback.
anigbrowl - 2 hours ago
It's easy to subvert that. The Nazis established compliance
through a mix of rumor and intimidation; creating the belief
that ballots were secretly marked or numbered in some
contexts, or simply forcing open voting in
others.
http://www.newsweek.com/tainted-electoral-victory-hitler-554...
https://books.google.com/books?id=iG4ud0PxeDMC&pg=PA110&lpg=...
It doesn't matter whether you actually mark the
ballots or not if a sufficiently large number of people
believe you might have done so. And considering how we're
regularly reminded that laser printers leave tiny microdot
patterns that allow the identification of which individual
unit printed something, what makes you think voters could not
be persuaded to believe the same thing about ballots,
regardless of the fact that they're produced by offset
lithography? Most people already live in a world where the
technology is indistinguishable from magic. Rationalists
often mistakenly believe that everyone or at least a
substantial majority of the population are as rational and
well-informed as they are. They're not.
jmgrosen - 1 hours ago
> If you can verify your own vote after the fact, then you
can be compelled to prove what you've voted, thus making vote
selling and vote under threat possible.
That's not the case.
Imagine this system: upon receiving your ballot at the
polling place, you find n candidates, each with random
numbers from 1 to n associated with them. You pick candidate
#i, submit that vote, and take home a receipt saying you
voted for candidate #i. Then proof is later posted that your
vote was counted for candidate #i (using some fancy crypto).
Then you can verify that your vote was indeed counted for the
correct candidate, but no one (not even you, were you to
forget) can tell who that candidate is. For more information
on these sorts of voting systems, see
https://www.usvotefoundation.org/sites/default/files/E2EVIV_....
It's intended as a
review of remote voting systems, but a lot of it applies to
other types of systems as well.
TheGRS - 1 hours ago
That's pretty clever. I've been reading this discussion off
and on a lot today because I'm pretty fascinated that so
many people feel so strongly against electronic voting and
would rather have paper. On Hacker News of all places. Yes
there are ways to manipulate any system, but being software
developers we should all know that there are ways to fix
these things and make it better. That's what we're all here
for, not for regression to old systems that seem great on
paper (ha!), but for progression and new systems that work
better.
mikeokner - 2 hours ago
> Imagine if a webpage posted all the votes (crypto secured of
course) such that any voter could verify their vote.
That can't
ever happen. It will create a market for buying/selling votes
because it's possible to prove who you voted for. It will also
create a system that allows for individuals to be threatened &
coerced into voting a particular way.
anigbrowl - 2 hours ago
We already have that for all practical purposes.
dundercoder - 1 hours ago
I worked at Three Mile Island inspecting a steam generator during a
refueling outage. A robot arm operated by a person ran a sensor
down each pipe to inspect its integrity. After completion a random
set of pipes were chosen for verification. If even one pipe in the
verification set differed from its original scan, the entire steam
generator had to be reinspected. We had a huge incentive to get it
right. Counting ballots should be just as verifiable and accurate.
NatW - 4 hours ago
A bit oversimplified, but in France, voters are essentially given a
printed coupon book, with each candidate on a different coupon. They
just take their coupon/candidate of choice and deposit it into a
box. There are no pencils needed, no ambiguity. Ballots are hand-
counted and totals are reached rapidly. A far less-hackable
alternative to what exists in the US IMHO.
gist - 4 hours ago
> There are no pencils needed, no ambiguity.
I could argue that a
system such as that is easier to have fraud simply because all of
the tickets for a particular voter look exactly the same and
there is nothing unique on each ticket (the way it is marked) that
can differentiate in a way to make fraud less likely.
TheGRS - 4 hours ago
This was the system the US had for a long time. In fact the
newspapers would have coupons you could cut out and bring to the
polls. Problem back then was that people would literally beat you
up on the way to the poll if they disagreed with your choice. It
was an entirely different culture around voting, secret polls
were not a thing. I live in Oregon State and we are one of the few
states that does all of our voting entirely by mail. I think it
is the best way to do things. No need to go to the polls and you
can do research while you fill out your ballot. We have polling
offices available if you forget to fill it out on time.
justadudeama - 1 hours ago
Do you have some sources on that? I think it would be really
interesting to read up on.
vertex-four - 4 hours ago
Surely voting by mail has the same problem - your family
members, abusive partner, employer, etc etc, could force you to
vote a certain way?
TheGRS - 4 hours ago
Sure, polling places are still offered in that case. The
benefit of voting from home greatly outweighs the cons IMO. I
wasn't implying that voting coupons would still have the
issue of people bullying you, just why we don't use that
system anymore. And honestly coupons seem a little archaic to
me, not to mention easy to manipulate.
walshemj - 2 hours ago
Postal voting does have problems like granny farming and
stealing postal ballots.
amenghra - 18 minutes ago
CHVote is a fun read. The formal document is here:
https://eprint.iacr.org/2017/325.pdf
There's a higher level concept document here:
https://github.com/republique-et-canton-de-geneve/chvote-pro...
ouid - 4 hours ago
Is it possible to remotely brick the most insecure voting machines
before election day?
wyldfire - 4 hours ago
From [1] (also note that video of this testimony is there):
> BACKGROUND:
> In September 2016, prior to the 2016 elections, the IT
Subcommittee held a hearing entitled "Cybersecurity of Voting
Machines".
> In January 2017, Department of Homeland Security (DHS)
Secretary Jeh Johnson designated election infrastructure as
"critical infrastructure" with the intent of offering assistance to
state and local election officials. On September 22, 2017, DHS
notified 21 states of Russian government hackers' attempt to breach
state systems during the 2016 election. Two weeks later, DHS
announced the creation of an election security task force to
enhance coordination with state and local election officials.
> On September 8, 2017, the Commonwealth of Virginia's election
supervisors directed counties to end the use of touchscreen voting
machines before November's elections, citing the devices posed
unacceptable digital risks.
[1] https://oversight.house.gov/hearing/cybersecurity-voting-mac...
jrs95 - 4 hours ago
Why do these make it to the front page like once a month? Do we
really need to say "we don't need electronic voting" this often?
provost - 4 hours ago
They don't. This post is a rare congressional testimony by a
subject matter expert, on a security & technology topic. The rest
of the posts you're alluding to are weak, media articles by non-
experts.
taoistextremist - 2 hours ago
Despite all the comments here denouncing electronic voting, I think
it could work if done right and provide a better security than
paper ballots. This, however, would involve something like some
blockchain voting proposals I've seen floated around. Being able to
provide a paper trail that's extremely hard to tamper with (as
opposed to paper ballots which really aren't), along with,
depending on how it's implemented, allowing easier access to voting
by allowing remote options like internet or phone.
jstewartmobile - 2 hours ago
Votes may be secret, but there is an identity issue for one-man-
one-vote, as well as an authorization issue for minors and
convicted felons. How would you attack those with a blockchain?
wh1te_n0ise - 1 hours ago
There are entities in existence that issue identification
(SSNs, Passports, Drivers License) - why not just have them
issue a hardware token once you've proven your identity to
them? If someone steals the hardware token, you could get it
revoked and have a new one re-issued; just as you'd do if you
lost your Passport or Drivers License. The hardware token (as
well as some form of biometric identification) could be your
assurance of one-man-one-vote. The hardware token would do all
of the key management needed to submit votes to the blockchain.
The blockchain by itself would not be the full solution - only
part of it.
colemannugent - 1 hours ago
Ah, now you've run into one of the many political problems
surrounding voting: most states don't require a government
issued ID to vote and 40% of states don't require voter ID at
all. Good luck getting anything like you suggested passed in
states like California or New York.
jstewartmobile - 1 hours ago
Sounds more like an administrative solution with a blockchain
as a 3rd wheel. If we're going full administrative, could
just PGP it, and limit the franchise to nerds.
TheGRS - 1 hours ago
Each eligible voter gets a unique key they can vote with. Only
way to get around that would be impersonation of someone else's
key. 2-step verification could be used.
lordnacho - 2 hours ago
Someone must have mentioned this idea somewhere: Use something like
a cryptocoin. You go to a voting office, get approved as a legit
voter, and they send you a coin. You send it to some address for a
candidate. Everyone can see the result. Pros/cons?
tonyztan - 2 hours ago
I commented this somewhere below, but it also applies here: Would
this allow you to prove to someone else how you voted in the
election? If so, that's not a desired property. Currently there is
no way for you to prove, to yourself or someone else, who you
voted for in an election because nobody gets to see your ballot
and you cannot take a photo. This makes vote buying and coercion
much more difficult. I'd like our voting system to keep this
feature.
anigbrowl - 1 hours ago
> you cannot take a photo
Obviously you can and people do even
though they're not supposed to.
forapurpose - 1 hours ago
Con: Voting systems not only require confidentiality, integrity
and availability, citizens must have confidence in those
properties. Very few people understand blockchain; it would be a
mumbo-jumbo black box to almost everyone and invite suspicions
of tampering, manipulation by politicians, and actual tampering.
jonny_eh - 5 hours ago
The choice quote:
I offer three specific recommendations:
* Paperless DRE voting machines should be immediately phased
out from US elections in favor of systems, such as precinct-
counted optical scan ballots, that leave a direct artifact
of the voter's choice.
* Statistical "risk limiting audits" should be used after every
election to detect software failures and attacks.
* Additional resources, infrastructure, and training should be
made available to state and local voting officials to help them
more effectively defend their systems against increasingly
sophisticated adversaries.
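
One common form of the "risk limiting audit" named in the testimony quote above is a ballot-polling audit driven by Wald's sequential test (the approach known as BRAVO). The code below is an added example, not taken from the testimony or from any commenter; the function names, the seed and the two ballot piles are constructed for illustration, and the contest is simplified to two candidates.

```python
"""Ballot-polling risk-limiting audit (BRAVO-style) for one two-way contest."""
import random


def ballot_polling_audit(paper_ballots, winner, loser, reported_share,
                         risk_limit=0.05, seed=2017):
    """Pull paper ballots at random until the sample either confirms the
    reported winner at the given risk limit or the draw budget runs out.

    paper_ballots  -- what a human reads off each ballot (the ground truth)
    reported_share -- machine-reported winner share of winner+loser votes
    Returns (confirmed, ballots_pulled). confirmed=False means escalate to a
    full hand count; it is not by itself proof of tampering.
    """
    if not 0.5 < reported_share < 1.0:
        raise ValueError("reported winner must hold more than half the two-way vote")
    rng = random.Random(seed)          # real audits use a publicly generated seed
    threshold = 1.0 / risk_limit       # Wald SPRT stopping bound
    ratio = 1.0                        # likelihood ratio: reported result vs. a tie
    budget = len(paper_ballots)
    for pulled in range(1, budget + 1):
        mark = rng.choice(paper_ballots)           # sampling with replacement
        if mark == winner:
            ratio *= reported_share / 0.5
        elif mark == loser:
            ratio *= (1.0 - reported_share) / 0.5
        # undervotes and other marks carry no evidence either way
        if ratio >= threshold:
            return True, pulled
    return False, budget


def constructed_pile(votes_a, votes_b, blank=0):
    """Constructed sample data: a pile of hand-readable ballots."""
    return ["A"] * votes_a + ["B"] * votes_b + [None] * blank


if __name__ == "__main__":
    # Machines report A at 60% in both cases; only the paper differs.
    honest = constructed_pile(6000, 4000, blank=200)
    flipped = constructed_pile(4000, 6000, blank=200)
    for name, pile in (("honest", honest), ("flipped", flipped)):
        ok, n = ballot_polling_audit(pile, "A", "B", reported_share=0.60)
        print(f"{name}: confirmed={ok} after {n} of {len(pile)} ballots")
```

When the paper agrees with the reported count, the audit stops after a small fraction of the pile; when the paper contradicts it, the ratio never reaches the bound and the audit falls through to a full hand count.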