HN Theater @HNTheaterMonth

The best talks and videos of Hacker News.

Hacker News Comments on
Why Electronic Voting Is Still A Bad Idea

Tom Scott · Youtube · 15 HN points · 30 HN comments
HN Theater has aggregated all Hacker News stories and comments that mention Tom Scott's video "Why Electronic Voting Is Still A Bad Idea".
Youtube Summary
We still shouldn't be using electronic voting. Here's why. • Sponsored by Dashlane — for free on your first device @ https://www.dashlane.com/tomscott

MORE BASICS: https://www.youtube.com/playlist?list=PL96C35uN7xGLLeET0dOWaKHkAlPsrkcha

REFERENCES:

Computerphile video: https://www.youtube.com/watch?v=w3_0x6oaDmI

Stories about voter identification happening outside the law: https://www.theguardian.com/notesandqueries/query/0,,-1051,00.html

Voting machines left connected to the internet: https://www.vice.com/en_us/article/3kxzk9/exclusive-critical-us-election-systems-have-been-left-exposed-online-despite-official-denials

Hackers getting voting machines to play Doom: https://www.salon.com/2019/08/14/hackers-can-easily-break-into-voting-machines-used-across-the-u-s-play-doom-nirvana/

"Small, well-funded team backed by a national government": https://www.nytimes.com/2019/07/25/us/politics/russian-hacking-elections.html

Scottish election: https://www.theguardian.com/politics/2007/jun/20/scotland.devolution and http://news.bbc.co.uk/1/hi/scotland/6627657.stm - with the Excel detail on page 50 of https://www.openrightsgroup.org/wp-content/uploads/org_election_report.pdf?page=50

Report on e-voting in Estonia: https://estoniaevoting.org/


Written with Sean Elliott https://twitter.com/SeanMElliott/
Directed by Tomek
Graphics by Mooviemakers https://www.mooviemakers.co.uk/
Audio mix by Haerther Productions https://haerther.net/

I'm at https://tomscott.com
on Twitter at https://twitter.com/tomscott
on Facebook at https://facebook.com/tomscott
and on Instagram as tomscottgo
Hacker News Stories and Comments

All the comments and stories posted to Hacker News that reference this video.
Tom Scott once made the very good point in one of his videos[1] that it's not just enough for a system to be truly, cryptographically secure. The public must also be able to understand and trust the chain that keeps the system safe.

By this measure, perhaps the best RNG is still Bev from the local RSL hand-cranking her bingo cage.

[1]https://www.youtube.com/watch?v=LkH2r-sNjQs

user3939382
How about the Cloudflare lava lamps?

https://www.cloudflare.com/learning/ssl/lava-lamp-encryption...

nuccy
Or just a simple microphone recording cheering audience noise for 10s...
I am not familiar with Debian's practices, but electronic voting can't work for a nation because:

- centralization (there must be a central, corruptible place where the voters are authenticated or the votes are counted)

- software is untrustable: https://www.win.tue.nl/%7Eaeb/linux/hh/thompson/trust.html

The USA has had a Diebold voting scandal. Other countries are using a paper-based voting process which can be supervised by third parties.

https://en.wikipedia.org/wiki/Premier_Election_Solutions#Sec...

Relevant watching: Tom Scott: Why Electronic Voting Is Still A Bad Idea

https://www.youtube.com/watch?v=LkH2r-sNjQs

One possible solution could be ZCash ( https://eprint.iacr.org/2017/585.pdf ) but it has had its own problems ( https://www.coindesk.com/zcash-team-reveals-it-fixed-a-catas... ).

charcircuit
Electronic voting systems using zero knowledge proofs are superior to paper votes because it's possible to check for yourself that your vote was actually counted and not ignored.

Paper voting is extremely expensive to scale compared to a website that lets you vote. Everyone could get a notification on their phone when they are asked to vote on something as opposed to having to fill out paper and send it somewhere to be counted.

qsort
Paper voting ensures privacy and voter verification, something even the best electronic solutions can't properly handle. No thanks, I can actually show up and vote once every few years.
charcircuit
>Paper voting ensures privacy

So do ZKP based voting systems.

>voter verification

What do you mean by this? If you mean signatures you can have people sign their signature on their phone or desktop.

>I can actually show up and vote once every few years

This is a lot of friction which prevents many people from voting.

XorNot
Friction to prevent people from voting is a US phenomenon where voting participation (i.e. turning up and declaring something, even if it is an abstention) is not considered a legal obligation - and thus, the lack of participation is not viewed as a possible attempt to interfere with democracy.
gjulianm
> So do ZKP based voting systems.

Assuming no vulnerabilities on the ZKP system, a perfect implementation and no information leak from other sources.

> What do you mean by this?

I assume that means ensuring that the person voting is who they claim they are. If someone steals the certificates of that person, they could impersonate them.

> This is a lot of friction which prevents many people from voting.

In Spain (and I guess in a lot of other countries) voting in-person means walking to the closest polling center (99% of the time it's less than a 10 minute walk) on a Sunday, picking up the paper, doing the queue (maybe another 10 minutes) and walking out. The alternative is mail-in voting, which usually takes a few minutes of walking to the closest post-office, signing some documents and waiting for the ballot to come. Compare that with getting the certificates, storing them securely, downloading the program to do the voting, installing it, praying it works, then using the program to cast the vote. Think of all the people who aren't good with computers, and how easy it would be for them to do all those steps correctly.

In the ideal case I agree that electronic voting systems would be better. But the world is not ideal, quite a lot of things can go wrong with them because of their complexity and detecting those issues will be difficult. On the other hand, paper voting is fairly simple, the number of things that can go wrong is low and easy to detect by anyone.

codedokode
Government-issued certificates for electronic voting are a terrible solution because it is trivial to generate millions of certificates for fictitious voters and vote in their name.
touisteur
I agree.

I don't understand the argument of reducing cost of elections and scaling. The current paper system in place in most works (at least in European countries where I've witnessed the process) and doesn't need to scale more. If actors in a democracy can't afford such a system, and the occasional (once, twice a year) walk to the voting place, 15 minutes wait and fellow-citizen interaction, can't we accept they don't care for voting and participating and stop listening?

I'm all for accommodation of special cases (people with reduced mobility or inability to be in contact with other people) but we already have the necessary systems in place (mail-in or vote delegation).

Literally one of the last places I'd check for change or optimization. It works, leave it alone, I'll happily pay the 3 or 10eur a year.

throwaway48375
American here and I have had to wait >2 hours to vote multiple times. In the worst instance someone tried to illegally close the polling place even though people were still lined up outside. This is in clear violation of state law. So long as you are lined up to vote before the polling place closes they have to take your vote. To the sheriff's department's credit (they are generally terrible) the deputy who responded refused to make people leave and told the worker they had to stay open. When I lived in a more rural area of the same county I would just walk in and vote within a couple minutes. I'm sure it isn't broken by design though.
iso1210
> American here and I have had to wait >2 hours to vote multiple times.

That doesn't have to be the case though, that's a political decision to staff voting booths like that. It's also trivial to fix.

michaelt
> American here and I have had to wait >2 hours to vote multiple times.

That's not a fault of paper voting though - that's just a policy decision your political leaders have made.

They could easily open more polling stations. Making voters queue is a classic voter suppression tactic.

monetus
Live in a metropolis? Also American but in a midsized city and ~15 minutes is more than the average wait.
adgjlsfhk1
What that means is that you don't live in a city in a Republican state. For the past couple decades, the GOP has gotten increasingly brazen about reducing the number of polling places for the people they don't want to vote.
monetus
Tennessee. I think I might incredibly be in a low traffic part of town despite it being a huge commercial sector with surrounding suburbs.
PoignardAzur
The American voting system seems broken in many ways that have not much to do with using paper.

Elections taking place on Tuesdays instead of weekends for some reason, low polling-places-per-voters ratio (though numbers are hard to find), ballots with multiple non-trivial questions, etc.

Before turning to voting machines, there's a lot that could be changed at every level. Moving Election Day to weekends would be a good start.

touisteur
I don't even understand the concept of voting on workdays. WTF. This is a sacred thing! Especially if you want citizens of all horizons participating (and I want people from all sides to check on each other - without being too disruptive by default... I mean there's a process for reporting and all) - doing it on a weekend is a minimum.

See, no need for fancy tech. Paid officials and unpaid volunteers manning everything.

toyg
The American voting system is broken by design. There used to be reasons and conventions, and there is a somewhat excessive regard for states' rights, but you could build a system that keeps that regard while being sane and fair. The fact that the US political classes would rather focus on gerrymandering instead, tells you all that you need to know about motives.
mariusor
> I don't understand the argument of reducing cost of elections and scaling.

How about if we could scale ballots to such an extent that a citizen can vote from wherever/whenever on all issues they're interested in[1], not just a head of state election every X years? Wouldn't that be a more democratic process?

I believe it would, and that paper ballots won't get us there.

[1] A current instance of this is the Swiss voting system: https://en.wikipedia.org/wiki/Voting_in_Switzerland

touisteur
Well, I live in a representative democracy, and it mostly works. I don't think the vote is the only way to express political power, just the most 'sacred' and extreme of all. The one of removing your ruler (or ruling party) from power.

And making people vote on issues they're interested in just makes me think only extremes will be heard and counted, and I would have to give my opinion on a bunch of things I don't really care about, or am not quite competent enough. To me, the democratic vote should be a precious rare thing, to elect a representative or a bunch of them, and trust them to do a non-too-shitty job of it.

Referendums, IMO are among the worst democratic moments in my republic, and I feel my concitoyens (from talking to some, and reading what they say in polls or public forums) don't really vote on the specific subject but on a global policy rant. It's a place to vent, not to decide; when your elected ruler throws up his hands and gives you back the wheel at the last moment, with little context, FSD-style.

mariusor
> It's a place to vent, not to decide

When the ballot process can be done in the morning with your coffee and toast, maybe more people would be inclined to apply judgement and vote in good faith.

And I think I speak a truism when I say that more deciding power for each citizen is a better kind of democracy than representative democracy. What I'm hearing from you are just hypotheticals that nobody can be sure of without actually trying a system like this. Basically that's all I'm saying, the current democratic process leaves a lot of citizens without proper representation and probably we need to move in a direction where that's not true any more. We need to look at alternative ballot systems which would allow that. If the current political strata are wrecked in the process, all the better.

ilammy
> I don't think the vote is the only way to express political power, just the most 'sacred' and extreme of all. The one of removing your ruler (or ruling party) from power.

Indeed, the voting is less about getting people you want to have power, but more about preventing people you don't want from getting power (or retaining the power). Votes don't directly affect the actual policy decisions that representatives make afterwards, you're not legally bound to fulfill your campaign promises. What voting process does instead is telling the society, ‘See, the elected officials are not massively hated by the people, no need for a concern’.

The thing about representative democracy is that your representative is still your representative even if you didn't vote for them.

iso1210
> Paper voting is extremely expensive to scale

And thus is impossible to hack at scale.

It costs $x to run an election and count the votes for Y thousand people voting for a position, that scales pretty much linearly - have 1 ballot and 1,000 votes costing say $100, have 1 ballot and 1 million votes and it costs no more than $100,000

mariusor
> And thus is impossible to hack at scale.

I think numerous cases of electoral fraud over the course of global history prove this statement wrong.

ilammy
> zero knowledge proofs are [...] possible to check for yourself

Only if you're an expert cryptographer, else you're deferring to the authority.

> Paper voting is extremely expensive to scale

That's a feature.

rosndo
> Only if you're an expert cryptographer, else you're deferring to the authority.

At least it’s still provable, plenty of people can afford to hire their own cryptographers to do verification. Foreign observers can also do the same.

gjulianm
Paper voting is provable too. Vote and then observe the counting which is usually public. You can take a look at the box to ensure that it hasn't been tampered with.
rosndo
Paper voting is vulnerable to basic sleight of hand, and your ability to effectively monitor the count is somewhat limited.

Electronic voting can be much better, but it is of course not a terribly easy problem to solve.

For what it’s worth, I don’t believe that paper voting is particularly problematic. But I do think that electronic voting could make voting easier and more accessible.

gjulianm
I don't know how vote counting is done in other places, but I've seen it in my country and it's not vulnerable to basic sleight of hand, at least not for more than one or two votes. Poll workers are all citizens randomly selected, the president of each table takes envelopes from a transparent box, opens them, shows them to the other three or four workers of the table (plus any observers that want to be there) and declares the content of the vote.

> But I do think that electronic voting could make voting easier and more accessible.

I don't think so. Think of all the people who have difficulty with basic computer/phone tasks, either because of knowledge or accessibility issues. Do you think all the steps to securely cast votes with an electronic system are going to be easier and more accessible for them?

rosndo
> I don't think so. Think of all the people who have difficulty with basic computer/phone tasks, either because of knowledge or accessibility issues. Do you think all the steps to securely cast votes with an electronic system are going to be easier and more accessible for them?

I don’t think an in-person electronic voting system needs to be any more difficult than current paper ballots.

gjulianm
Certificate management is more difficult than simply holding an ID card, going to a website/downloading a program is more difficult (and has more potential problems) than going to a polling station, and doing all the steps the program requires will hardly be as simple as "put paper in envelope".
ilammy
> plenty of people can afford to hire their own cryptographers to do verification

That's still deferring to the authority. The cryptographer I paid says it’s all verified, these 1,000,000 people believe them, so naturally I must believe too because why would they lie – is that how it goes? Why not then just drop this whole voting thing, managing keys, checking proofs – why waste time on all this, just let cryptographers announce the results? You trust them, right? They're smart, they'll probably make good decisions.

Paper ballots which can be counted by hand reasonably efficiently enforce a low-tech process that is understood by literally everyone, is resistant to fraud at scale, and leaves a massive amount of literal paper trail for audit with no extra provisions. If a citizen wants to be an observer – they just go and see ballots counted. If ZKP were used then what, why only qualified cryptographers are allowed to be qualified observers? Is this really a necessary requirement for a voting process?

M2Ys4U
> Electronic voting systems using zero knowledge proofs are superior to paper votes because it's possible to check for yourself that your vote was actually counted and not ignored.

Which means somebody can hold a gun to your head and force you to prove that you voted and that your vote counted.

That is not, to put it mildly, desirable in an election.

charcircuit
You can already do that with mail in ballots easily. Someone could also threaten you to record yourself filling out a paper ballot.
danuker
Unless they also demand that you film yourself continuously up to putting the envelope in a mailbox, they can't be sure you actually mailed the ballot or that you didn't invalidate the result later.

This would risk exposing yourself, and in turn, the intimidator.

But if only one ballot is mailed per citizen, they can be reasonably sure you didn't vote for the competition.

M2Ys4U
Yes, which is why I also dislike postal voting and want to minimise its use.
teagoat
What does postal voting have to do with that? they could also force you to film yourself at a polling station...
M2Ys4U
Well at least where I live (the UK), it's illegal to film in a polling station and the staff in the polling stations should be looking out for that and reporting it.

More importantly (with both postal voting and in-person voting) it's impossible to perform these attacks after the fact, but if you have a receipt of your vote it can be done at any time after you vote.

codedokode
Electronic voting is very difficult to monitor and verify independently, especially when voter lists are not publicly available. It is difficult to verify whether the turnout number is correct, and on the contrary it is easy to add millions of fictitious voters and vote for them.

> it's possible to check for yourself that your vote was actually counted and not ignored.

Let's say you voted for candidate A and didn't find your vote. How can you prove that you really voted for A?

> Everyone could get a notification on their phone when they are asked to vote on something as opposed to having to fill out paper and send it somewhere to be counted.

Voting with such system is equivalent to publishing results without any actual voting.

JanisErdmanis
> Let's say you voted for candidate A and didn't find your vote. How can you prove that you really voted for A?

With ZKP it would look something as follows:

1. Encrypt a vote with a commonly known public key and publish it to the bulletin board.

2. Shuffle the votes and produce a ZKP proof of correctness assuring that only votes from the bulletin board were shuffled and no votes were added, removed or modified.

3. Tally the votes and produce a proof of correct decryption.

The argument is that since the authorities do not know the choice of the voter, they would accept the vote to the authenticated and public bulletin board, which would prevent vote omission.

codedokode
I didn't understand the algorithm completely (for example, whether you post your vote anonymously or under your name, and where is the private key for the public key you mentioned).

Let's say bulletin board software replaces the vote with 20% probability. You post your vote for candidate A and see that it didn't appear on the board (because the board replaced it with vote for candidate B, but you don't know about it). How can you prove that you tried to vote for A and not for B? The records show that you have voted, and as voting is anonymous it is impossible to know how you voted.

Of course, there are other ways to meddle with such election. For example, you see that the turnout is 99%. How can you verify this number? The government refuses to publish a list of voters because GDPR doesn't allow that. And even if the country publishes this list how you can verify that the list doesn't contain fictitious voters?

JanisErdmanis
> I didn't understand the algorithm completely (for example, whether you post your vote anonymously or under your name, and where is the private key for the public key you mentioned).

It's best to illustrate it with the ElGamal cryptosystem. Let's say that system officials have set up keypair `sk`, `pk = g^sk` and let everyone know `g, pk`. To submit a vote, the voter selects an option corresponding to a message `m` and encrypts it with a freely chosen randomization factor `r` and obtains a tuple `(g^r, m*pk^r)`. He signs this encryption under their name and sends it to the bulletin board.

The last bit is whether to allow everyone to see whether you have or have not voted, that is, the fact that you have participated in the elections. There seems to be a consensus in the literature that the signature should be concealed from the public and be verifiable only by independent auditors.

> Let's say bulletin board software replaces the vote with 20% probability. You post your vote for candidate A and see that it didn't appear on the board (because the board replaced it with vote for candidate B, but you don't know about it). How can you prove that you tried to vote for A and not for B? The records show that you have voted, and as voting is anonymous it is impossible to know how you voted.

One way to preserve the integrity of the bulletin board is that upon receiving a `vote <- ((g^r, m*pk^r), sig)`, the bulletin board issues a signature on the `vote` and returns it to the voter, so that the latter can assert that the vote has not been changed. Even when the signature is not present on the bulletin board, the voter can check the presence of `(g^r, m*pk^r)` as the randomization factor makes it unique for each voter.

> Of course, there are other ways to meddle with such election. For example, you see that the turnout is 99%. How can you verify this number? The government refuses to publish a list of voters because GDPR doesn't allow that. And even if the country publishes this list how you can verify that the list doesn't contain fictitious voters?

The fictitious voters are indeed a thing if we can't trust the independent auditors of the bulletin board. Personally, I would never support an internet voting system where the result of the elections would lay on the integrity of a few trusted auditors who have special access to do so. Thus I would greatly prefer for the voter lists (the signatures) to be public in spite of losing participation anonymity.
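
An added example, not part of the comment above and not code from any real voting system: a Python sketch of the ElGamal vote submission, the bulletin board's signed receipt, and the proof of correct decryption discussed in this exchange. The toy group parameters, the option encoding, the Schnorr receipt and the Chaum-Pedersen proof are assumptions chosen for illustration; the shuffle step and voter authentication are left out.

```python
import hashlib
import secrets

# Toy group, constructed for this example and far too small for real use:
# P = 2Q + 1 is a safe prime; G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4
# Each option is encoded as a subgroup element (an assumption of this sketch).
OPTIONS = {"A": pow(G, 1, P), "B": pow(G, 2, P)}


def challenge(*parts):
    """Fiat-Shamir challenge: SHA-256 over the transcript, as an integer."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return sk, pow(G, sk, P)


def encrypt(option, pk):
    """ElGamal ciphertext (g^r, m * pk^r) with a fresh randomizer r."""
    r = secrets.randbelow(Q - 1) + 1
    return (pow(G, r, P), OPTIONS[option] * pow(pk, r, P) % P)


def sign(sk, msg):
    """Schnorr signature, used here for the board's receipt."""
    k = secrets.randbelow(Q - 1) + 1
    e = challenge(pow(G, k, P), msg)
    return e, (k + e * sk) % Q


def verify_sig(pk, msg, sig):
    e, s = sig
    commit = pow(G, s, P) * pow(pk, (-e) % Q, P) % P  # g^s * pk^(-e) = g^k
    return e == challenge(commit, msg)


class BulletinBoard:
    def __init__(self):
        self.sk, self.pk = keygen()
        self.entries = []

    def accept(self, ct):
        """Publish the ciphertext and return a signed receipt for it."""
        self.entries.append(ct)
        return sign(self.sk, ct)


def voter_check(board, ct, receipt):
    """What a voter can conclude from the public board and their receipt."""
    if ct in board.entries:
        return "recorded"
    if verify_sig(board.pk, ct, receipt):
        # The receipt names only the ciphertext, so showing it to an
        # auditor proves the omission without revealing the choice.
        return "omitted, provable with receipt"
    return "omitted, no valid receipt"


def decrypt_with_proof(ct, sk):
    """Decrypt and prove (Chaum-Pedersen) that log_g(pk) == log_a(d)."""
    a, b = ct
    pk, d = pow(G, sk, P), pow(a, sk, P)
    w = secrets.randbelow(Q - 1) + 1
    c = challenge(pk, a, b, d, pow(G, w, P), pow(a, w, P))
    m = b * pow(d, P - 2, P) % P  # b / d, inverse via Fermat
    return m, (d, c, (w + c * sk) % Q)


def verify_decryption(ct, m, proof, pk):
    """Anyone can run this with public values only."""
    a, b = ct
    d, c, s = proof
    if pow(d, Q, P) != 1 or m * d % P != b:
        return False
    t1 = pow(G, s, P) * pow(pk, (-c) % Q, P) % P
    t2 = pow(a, s, P) * pow(d, (-c) % Q, P) % P
    return c == challenge(pk, a, b, d, t1, t2)


def demo():
    board = BulletinBoard()
    tally_sk, tally_pk = keygen()
    ct_a = encrypt("A", tally_pk)
    ct_b = encrypt("B", tally_pk)
    receipt_a, receipt_b = board.accept(ct_a), board.accept(ct_b)
    # Constructed fault: the board swaps the second entry for a vote for "A".
    board.entries[1] = encrypt("A", tally_pk)
    checks = [voter_check(board, ct_a, receipt_a),
              voter_check(board, ct_b, receipt_b)]
    m, proof = decrypt_with_proof(ct_a, tally_sk)
    return checks, m == OPTIONS["A"], verify_decryption(ct_a, m, proof, tally_pk)


if __name__ == "__main__":
    print(demo())
```
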

grumbel
> it's possible to check for yourself that your vote was actually counted and not ignored.

That's a bug, not a feature. The point of not doing that with paper voting is that it makes selling your vote difficult, as nobody else can verify what you voted for. You on the other side know that you put the ballot in the box and can stay around to see if the votes in the box get accurately counted.

With electronic voting you lose that. You either have to blindly trust the system or by allowing vote verification make it easy for others to sell the votes.

mariusor
> That's a bug, not a feature.

I think you're wrong. A bug would be if you could tell how a vote was cast, not if it was counted.

naniwaduni
You also want to be able to check if your vote was falsely counted, lest an unscrupulous election operator simply reassign all but a handful of votes to its preferred option.

Vote selling is a pretty nasty problem to work around.

mariusor
I would normally agree with you, but no voting system today can provide you an answer to this question.

The problem of unscrupulous operators can be circumvented if the votes are in a public ledger where the voter can backtrack their vote to the ledger "yes, it's my vote, nobody tampered with it", but the vote in the ledger can not be linked to the voter.

naniwaduni
To be clear, the property we want is, broadly speaking, "hard to tamper with (at scale) without getting caught". Ideally we would also catch tampering at small scale, but that's darn close to incompatible with denying vote buying. (A possible resolution is, of course, "well, what's wrong with vote buying between informed consenting adults?" But the unfortunate history shows that our electoral systems must compensate for underinformed coerced voters, and their regulations are written in blood.)

Existing voting systems do have a countermeasure, if not a fantastic one: creating a trail of physical artifacts that can be manually audited to verify vote totals, and a roll of accepted votes to compare the count of said physical artifacts against. It's not fantastic because the error rates on those physical artifacts are stupendous, but tampering with votes at scale can then require (a) physical access, which humans are well-equipped to reason about, and (b) generating and destroying big piles of said physical artifact, which is expensive and expensive to hide. The gold standard of tampering with physical elections that we know of is basically denying observers the chance to audit, which is rightly considered suspicious.

Tampering with electronic votes at scale does not have these cost properties. We can magnify costs without giving voters the ability to prove their votes to a third party (I am aware there are probabilistic constructions), but all such constructions (a) are much harder for the average voter to reason about than monitoring physical access (humans are quite optimized for monitoring physical access), yet (b) require voters to actually audit their own votes and report non-inclusion en masse. You can see why this is a non-starter.

mariusor
I don't know if you realize, but you moved the goal posts a little. Yes I agree that an electronic system would be more difficult to wrap your mind around as a layperson, but if you go now on the street and you ask someone how paper ballots work in their district, I bet that even though they know the big picture, they will fail at the details.

So the common person will probably not understand the cryptographic underlayers of this theoretical new system, they need to have confidence "in the science". I know that doesn't sound as good, but we're heading towards a world where computing literacy is increasing, so in some years that could be possible.

charcircuit
>That's a bug, not a feature

It's a trade off. I want to be able to prove that my vote was counted. How can I trust that my voice was actually heard by the system?

>as nobody else can verify what you voted for.

You can mitigate this problem by giving people a way to fake any vote outcome. The voter knows how to verify their actual vote, but someone else would not be sure if what they verified was real or fake. Also I doubt this type of buying votes with verification is that big of an actual thing. You can trivially do it with paper voting too by just asking them to stream themself voting or by taking a picture of their ballot.

>You either have to blindly trust the system

Having someone else count votes without the ability for you yourself to count votes and check to see if your vote was included is the opposite of blindly trusting the system.

gjulianm
> How can I trust that my voice was actually heard by the system?

Most vote countings are public. I can go to my polling place, cast my vote, check that nobody tampers with the box, watch how they count every vote correctly, ensure that the written tallies are correct, and then verify that the central system tallies match with those I counted.

mw888
Great, ZKProofs present the possibility for everyone to do better than that with much less work.
codedokode
With paper voting you can see that there are real people casting votes. With electronic voting it is trivial to add fictious voters and vote for them, especially in countries where voter lists are not published.
gjulianm
Tell that to the people who now, instead of just going to a polling place and placing a paper in an envelope, have to download and store digital certificates, possibly download and install new programs and deal with the troubles of all that, just so "verifying votes" is slightly easier for the minority of people with the knowledge of the system and ZK proofs.

Also, you're assuming the system is perfectly implemented. In reality, such a system will be complex, will have many more pieces than the ZK system itself (and those pieces will have vulnerabilities), and will require users to do more which will also be prone to errors and vulnerabilities.

I don't understand the insistence on electronic voting for elections. It's less transparent to laypeople, offers small benefits and adds significant complexity both in the implementation and use.

JaimeThompson
Many in the US think that "they" are lying to us about basic physics so do you think they will accept those proofs?
eulenteufel
Paper ballots requiring a lot of work is the whole point. This makes tampering at scale a lot more difficult and a lot easier to detect.
johannes1234321
Less work isn't the optimisation goal, though. Reliability, trust, verifiability, secret ballot, etc. is what it is about. If things can be made more efficient without sacrificing the primary goals ok, but if I as a citizen can't verify the results anymore (by watching the count etc.) the purpose isn't met.
mw888
It seems like you don’t and don’t care to, understand.
Spooky23
The problem is that it solves a problem that nobody actually has and provides tinder to make a problem that actually exists worse.

Political machines exploiting nursing homes, pushing absentee ballots on the elderly, etc are already problematic, and allowing field GOTV teams to collect this type of data in mass is would make expanding these operations in size and scope.

You’d also create the new problem of hyper-partisan people crying about voter fraud. You’ll have a bunch of lunatics running around with fake ballot receipts to push whatever narrative they are trying to push.

In my state, it’s illegal to take pictures of ballots at the poll, and there are bipartisan poll inspectors that will shut that down if it happens.

jlokier
> Also I doubt this type of buying votes with verification is that big of an actual thing. You can trivially do it with paper voting too by just asking them to stream themself voting or by taking a picture of their ballot.

It's not so much selling votes, as to discourage voter intimidation: The husband forces his wife, the boss forces his subordinates, the local mafia forces their victims to vote a particular way.

I don't know the rules in the USA, but in the UK it is generally forbidden to stream yourself voting or take a photo in the polling station. Maintaining the secrecy of ballots is high priority.

Someone might still privately take that picture of their ballot paper, after all there's a private voting booth; the officials wouldn't know. You're allowed to say you made a mistake and ask for a replacement ballot paper, so you could show your boss the version they want to see, and then vote differently.

iso1210
> I don't know the rules in the USA, but in the UK it is generally forbidden to stream yourself voting or take a photo in the polling station. Maintaining the secrecy of ballots is high priority.

Except we allow postal voting pretty much willy nilly, especially in areas where intimidation can happen.

jlokier
That's due to a trade-off of requirements, to maximise free and fair representation.

Lack of postal votes makes the ballot less fair and representative, because it affects people with systematic bias in relevant sub-populations (wealth, working conditions, age, health, etc) and areas.

In areas where intimidation can happen... for going to the polling station. (All the intimidator has to do is post menacing guards, soldiers, etc. outside the station or on the routes to it. There are plenty of news reports of this happening in some countries. I'm not aware of this in the UK though.)

So the question is whether you get a more fair and representative vote outcome by allowing postal voting, or by disallowing it.

The balance of trade-offs has led to UK policy allowing postal votes, encouraging each individual to fill out and seal their vote in private, and use statistical and other investigation methods to look for signs of fraud, while maintaining a high standard of secret ballots when voting in person.

That might not be the balance that works best in other countries. In the UK it is said by the Electoral Commission that there is no evidence that postal voting has changed electoral outcomes to date, but some attempts at large scale fraud were discovered and prevented.

iso1210
I canvass in a rural ward, about half of voters are postal voters, many have adult children living with parents, and where one is postal, usually all are postal.

It's quite easy to see how a secret ballot can be not secret if the (typically patriarch) says "let's fill the forms out together and I'll take them all in"

eulenteufel
I don't know how it's done in the USA, but in Germany voting by post has to be carried out before the day of the election. The actual postal votes are stored and only opened on the day of the election. After somebody sends in their postal vote they can go to the public voting office and declare to invalidate their postal vote. The people counting the postal votes will get a list with invalidated votes and remove these envelopes before the votes are opened. The person who invalidated can then either do another postal vote or vote at the ballot box.

So in Germany postal voting is secured against selling votes.

iso1210
If there is a way to invalidate a vote in the UK, I'm not aware of it, and as someone who's actively stood for election I've got a greater awareness of the average voter, and 50% of people have less awareness than the average voter.

It's not about selling, which would be easy to detect like all large conspiracies. It's about subtle coercion that postal voting can enable.

Spooky23
Electronic voting does not require centralization. Elections are administered at the county level.

This isn’t a rocket science problem. Best bet is to set mandatory requirements that machines must meet to get federal funding, let companies compete.

Security people tend to hand wave about election tally machines because it gets eyeballs. The reality is they work mostly fine, and the risks associated with them are usually more about process than nerd stuff.

charlieok
While not built for the purpose of voting, there have occasionally been some coin-weighted polls using the Zcash blockchain. The ability to post encrypted and immutable transactions, and selectively share viewing keys has interesting possibilities, certainly.

That said, we in the Zcash community have usually used another system when holding secret-ballot votes within our community: Helios.

https://vote.heliosvoting.org/

mariusor
I do not think that we have investigated electronic voting enough to be able to say it's not feasible with such certainty. I wouldn't start with national high stakes ballots, but I'm confident that if enough smart people put their mind to it, a solution is possible.
atq2119
The problem isn't one of technology but one of procurement processes. Electronic voting is largely a solution in search of a problem (purely manual processes work fine for tallying votes), and so the field is dominated by bad actors selling whatever to clueless politicians.
jffry
The US is not homogenous in the technology used to vote - running elections is left to the states, and different states use different polling technologies.

The systems we have for voting in Washington DC seem to be a best-of-both-worlds approach. There are touchscreen kiosks that you use to make your choices, then the kiosk prints out a properly marked paper ballot that it asks you to verify. Then you take your ballot over to the normal scanning machines. You can also request an unmarked ballot and fill it by hand if you prefer.

The kiosks can provide a wide range of assistive tech (larger fonts, instructions in a variety of languages, and headphone jack for audio prompts). They also help ensure you do not miss a question - you must explicitly choose "skip" - and they help ensure you select between 0 and N choices in choose-N questions. Also they print a clearly-marked ballot which helps avoid ambiguities like if somebody partially fills a circle by hand.

And best of all, the end product is still a physical, auditable piece of paper.

pmoriarty
This is all pretty meaningless if the vote counting is still done by machine.

The US should go back to hand-counted pen and paper voting.

meatmanek
If you suspect a problem with the vote-counting machines, you can audit the paper votes with pen and paper. But in the cases where there isn't much reason to doubt the outcome of the election, you can save the cost of all that labor by letting a machine do something machines do really well.
Teever
I highly doubt the assertion that spending money on buying and maintaining voting machines will ever exceed the cost savings from not paying people to count paper ballots.
Obligatory Tom Scott videos:

Why Electronic Voting is a BAD Idea - Computerphile | https://www.youtube.com/watch?v=w3_0x6oaDmI

Why Electronic Voting Is Still A Bad Idea | https://www.youtube.com/watch?v=LkH2r-sNjQs

It's not about tallying digits, it's about maintaining the secret ballot, and making it really hard to commit election fraud. (As opposed to voter fraud, which is an insignificant problem.)

It's such a bad idea that Tom Scott has not one, but two videos on it:

https://www.youtube.com/watch?v=w3_0x6oaDmI (Computerphile channel)

https://www.youtube.com/watch?v=LkH2r-sNjQs (his channel, more recent)

And also, if 20 people can handle ballots from 1000 people (no clue if that's realistic but it doesn't matter), then if you add another 1000 people.

Well... since you added people and the resource you need to count is people it's a self scaling solution. Sure you might need larger facilities, but we're not exactly running out of schools (another thing tied to the population).

The only reasons to make voting electronic are:

* To make money

* To commit election fraud

which is why I said there are no "good" reasons. :)

I think the Tom Scott video on electronic voting from years ago remains the most convincing argument to me that it's a bad idea (https://www.youtube.com/watch?v=LkH2r-sNjQs). To summarize, even assuming you can solve properties like correctness, censorship resistance, privacy and coercion resistance, the fundamental problem with digital is that any exploit of any of these properties you ever have scales really well. Messing with a paper election requires a lot of people working together across the entire country. A digital hack just requires one smart person.
mariusor
Personally I'm not convinced that an attack against an electronic ledger can scale in all cases.

If the model of an electronic vote relies on individual keys having cast votes (following something like a vote enrollment), the attacker will have to spoof all those keys for the result to look authentic and at the same time be malicious.

Depending on how those "keys" have been generated in the enrollment, this could be difficult to scale. The most basic premise would be that the "tallier" and the voter create this key together, and once committed to the ledger can't be tampered with by any of them. A vote must be signed with this key. The voter can override their vote at any time while the election runs. (This is something that I'm paraphrasing from the article actually)

This does not scale as it requires a malicious actor to hijack enrollment and voting for a large number of voters. If enrollment is being done based on a physical device (eg, electronic ID card) it's even less so.

villasv
Yet many rich democracies have been using electronic voting without issue. There’s an entire field of science and engineering for securing digital democracy, don’t take a single YouTuber as your source (ftr, I like Tom Scott’s videos too)
SXX
What countries except Estonia are actively using digital voting?
chayleaf
Russia is, albeit I wouldn't exactly call these elections democratic...
SXX
And on top of that there was massive fraud with votes due to the re-voting option existing. Certainly Russia isn't a country that you want to take as an example in anything related to democracy.
coolgeek
Electronic voting isn't a bad idea. Paperless electronic voting is a bad idea.

I will never trust voting machines that do not print and store a paper ballot. But it's practically impossible to change or remove votes with a machine that does store them.

Once the votes are recorded (on paper), you only need to do two things:

  - ensure the paper count matches the electronic counts
  - ensure the paper count matches the count of voters

You can also spot-audit or fully audit the results to ensure that the tallies for individual candidates match between paper and electronic tallies.
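
The checks listed in the comment above, written out as an added example (not part of the original comment and not any election system's code). Precinct names, field names and all numbers are constructed, and the audit seed is assumed to be chosen publicly after the electronic results are fixed.

```python
import random
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Precinct:
    name: str
    voters_checked_in: int            # signatures in the poll book
    electronic_ballots: int           # ballots the machine says it recorded
    electronic_tally: Dict[str, int]  # machine tally per candidate
    paper_ballots: int                # printed ballots counted out of the box
    paper_tally: Dict[str, int]       # hand count per candidate (read only if audited)


def count_discrepancies(p: Precinct) -> List[str]:
    """The two count checks: paper vs electronic, paper vs voters."""
    issues = []
    if p.paper_ballots != p.electronic_ballots:
        issues.append(f"{p.name}: paper={p.paper_ballots} electronic={p.electronic_ballots}")
    if p.paper_ballots != p.voters_checked_in:
        issues.append(f"{p.name}: paper={p.paper_ballots} voters={p.voters_checked_in}")
    return issues


def tally_discrepancies(p: Precinct) -> Dict[str, Tuple[int, int]]:
    """Per-candidate comparison: {candidate: (electronic, paper)} for mismatches."""
    candidates = sorted(set(p.electronic_tally) | set(p.paper_tally))
    return {
        c: (p.electronic_tally.get(c, 0), p.paper_tally.get(c, 0))
        for c in candidates
        if p.electronic_tally.get(c, 0) != p.paper_tally.get(c, 0)
    }


def pick_audit_sample(precincts: List[Precinct], k: int, seed: str) -> List[str]:
    """Reproducible spot-audit selection: anyone with the seed can re-derive it."""
    names = sorted(p.name for p in precincts)
    return sorted(random.Random(seed).sample(names, min(k, len(names))))


def run_audit(precincts: List[Precinct], sample_size: int, seed: str) -> dict:
    """Count checks on every precinct, hand-count comparison on the sample."""
    sample = set(pick_audit_sample(precincts, sample_size, seed))
    report = {"audited": sorted(sample), "count_issues": [], "tally_issues": {}}
    for p in precincts:
        report["count_issues"].extend(count_discrepancies(p))
        if p.name in sample:
            diff = tally_discrepancies(p)
            if diff:
                report["tally_issues"][p.name] = diff
    return report


# Constructed sample data. P2 has one extra electronic ballot. P3 passes both
# count checks but has its candidate totals swapped, which only the per-candidate
# hand count can reveal.
SAMPLE_PRECINCTS = [
    Precinct("P1", 100, 100, {"A": 60, "B": 38}, 100, {"A": 60, "B": 38}),
    Precinct("P2", 120, 121, {"A": 70, "B": 51}, 120, {"A": 70, "B": 50}),
    Precinct("P3", 90, 90, {"A": 50, "B": 40}, 90, {"A": 40, "B": 50}),
    Precinct("P4", 80, 80, {"A": 30, "B": 50}, 80, {"A": 30, "B": 50}),
]

if __name__ == "__main__":
    full = run_audit(SAMPLE_PRECINCTS, sample_size=4, seed="constructed-seed")
    for line in full["count_issues"]:
        print("count mismatch:", line)
    for name, diff in full["tally_issues"].items():
        print("tally mismatch:", name, diff)
```

P3 is the case to look at: both count checks pass, so a swapped tally shows up only if that precinct falls into the audited sample or the audit is a full one.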
Because Electronic Voting is generally considered too attack-prone to be trusted.

Relevant Tom Scott video: https://www.youtube.com/watch?v=LkH2r-sNjQs

Why Electronic Voting Is Still A Bad Idea (Dec 2019): https://www.youtube.com/watch?v=LkH2r-sNjQs
Yeah, electronic voting is essentially like having a person in the voting booth that you have to tell your vote and trust that they will tally it correctly. [1]

It doesn't matter whether voting machines are actually secure, they probably mostly are right now, but whether a layperson can have faith in the system.

Paper voting is very secure if you involve people from opposing parties in the process and attacks are not very scalable. Most people can think of and understand mitigations for certain kinds of attacks. And if paper voting is too expensive for your country, you have bigger issues. [2]

[1] https://www.youtube.com/watch?v=LkH2r-sNjQs

[2] That said, I don't see how secure electronic voting can possibly be cheaper than paper voting. For voting machines to be secure, you have to manufacture them in a very audited manner, with little to no foreign sourcing of parts, you can't leave the machines unattended for long periods of time (aka, reusing them between elections is probably a no-go) and you have to build them in a manner that is secure against voters tampering with them in their private booth.

I'm against doing electronic voting and tracking [0]. Others have commented on the tracking/anonymous issues, so I'll leave that.

Make the whole system as hard as possible to manipulate by involving a lot of people who distrust the person they're working with.

There is a tiny chance your personal vote will get lost in all the paper handling, but you can be assured that the system is a lot harder to manipulate simply because of the sheer number of people involved.

[0] https://www.youtube.com/watch?v=LkH2r-sNjQs

Relevant to HN's interests: a compelling, layperson-accessible argument against electronic voting: https://www.youtube.com/watch?v=LkH2r-sNjQs
Tom Scott made an excellent summary of why electronic voting is a bad idea, and explicitly covers both open source and blockchain as proposed solutions (hint: they don't solve the problems that make e-voting bad)

https://www.youtube.com/watch?v=LkH2r-sNjQs

tim333
It seems to me a fundamental problem of it all being electronic is any records if the system is hacked can be downloaded by the million fairly easily. On the other hand if the records of which voter number voted which way are printed on bits of paper and put in a big locked box it's pretty hard to reconstruct that on the fly unnoticed. But they are there if there is a court-ordered investigation.

The UK system I think is a bit like that. When I go in my name is checked against a voting slip number (on paper) and then I vote on a bit of paper so someone could theoretically figure which way I voted but the odds of someone going through both paper lists is minimal.

Electronic/Mail ballot voting cannot guarantee both anonymity and easy auditing which results in a lack of trust in election results.

It must be removed. https://youtu.be/LkH2r-sNjQs

Congratulations. Terrible idea. Mandatory video (yes, the one by Tom Scott): https://youtu.be/LkH2r-sNjQs
Tom Scott still has the best argument against e-voting IMO [1].

Briefly: an election only counts if everybody can believe the results. Making an expert level understanding of CS a requirement to verify your voting system means that Joe Q. Average who doesn't hold a PhD (or maybe even a college degree) has to rely on spooky experts telling him what to believe. If I were in his shoes then I would have no confidence that I participated in a fair and valid election.

We kind of live in a bubble here on HN where most people are sort of in the tech space and could take a weekend or two to understand blockchain. I think it's easy to forget that most people don't have the required background to learn it easily (or would want to use up their time to understand it). I almost have a PhD in the hard sciences and I don't fully understand the finer details of blockchain. I think I would have to write my own implementation to fully appreciate it.

Simplicity and the ability to explain the system to every American is a requirement of any voting system.

[1] https://www.youtube.com/watch?v=LkH2r-sNjQs&t=12s

bhhaskin
I used to think the same thing until last night. Watching the different results come in. The average person already has no clue what is going on. You need a degree in high level statistics to understand why races are called when they are.

After you cast your vote what happens after that? Who counts them? How are they counted? How are those counts counted toward the total? Who is certifying all of this? How are those people chosen?

bryanlarsen
Almost every other western country manages to do this efficiently and quickly and transparently, and most of them use paper ballots.
Simulacra
Does size matter?
dudul
Why would it? Each state is roughly the size of a country the parent is referring to, each state organizes their elections, so each state should be able to be equally efficient.
loopz
If countries had a slow count every 50 years, it'll be every year on average in US. Size has different distributions.
greenduck
That's not an argument against e-voting, but rather the election media circus and craziness of the electoral college. With e-voting you get the complexity of both.
majewsky
All this "calling races" bullshit is only because the ballot counting process is so utterly fucked up in the US. I live in Germany. When there is an election for federal or state parliament, polls close at 6 PM and results appear around 8-10 PM on the websites of the state election offices. Somewhere around midnight, the "preliminary official result" is released. (The official result follows about a week later, after the routine recounts are done, but they never differ by more than a few votes.)

We do also have predictions on TV as soon as the polls close at 6PM, and they are always off by a few percentage points, but they rapidly converge, especially because the official results come so fast. By 8 PM there is not much chance for surprises (maybe one or two parliament seats get reallocated as percentages shift), by 10 PM the predictions have pretty much reached their final destination.

(And by the way, we have a ton of mail-in ballots, too. The federal supreme court ruled in 2009 that everyone can have a mail-in ballot if they want, so it's getting more popular every election.)

If a citizen wants to check the election process, they can go to any polling place (including the ones where mail-in ballots are counted) and watch the polling workers count the paper ballots. The volunteers are obligated to announce the final tallies to all citizens that are present to observe. (There are not always people present, but I've seen it happen a few times when volunteering as a polling worker.)

Then afterwards they can go to the state election office's website and verify that the same numbers appear for that particular voting district. I've done it once just to see how the verification process works, and I think the whole process is very easy to understand and verify for every citizen.

lhorie
The flaw in the argument is the assumption that knowledge is a requirement for trust. But look for example at elections in Brazil: most people don't really understand how it works, but they like it nonetheless[1] because the good experience of instant gratification plants a positive initial seed in people's minds and association fallacy[2] is a thing.

There's plenty of other scenarios where we can see discrepancies between trust and understanding (for example, the general public's trust in recycling vs what actually happens w/ plastics). Heck, the US election system is quite complicated today and yet people trust it. For better or for worse, humans are often fallible and illogical.

[1] https://en.wikipedia.org/wiki/Electronic_voting_in_Brazil#Be...

[2] https://en.wikipedia.org/wiki/Association_fallacy

charliemil4
Why is my trust elevated we do some type of unified voting system (read: advanced that does require a CS to validate)?

Here's a potential 'common man's' reasoning why something more advanced could be needed: how easy would it be for a team of 10 to do the following:

1) Determine voters unlikely to vote (this data is available in any elementary voter management service for candidates)
2) Use the unlikely voter's Name, Address, Etc. to request a mail in ballot to a different location
3) Fill out the ballot and mail it in

The 'common man' knows of too many stories where a normal person figures out a slight advantage in a lottery, then pulls off impressive logistics to buy every possible combination and win it. Then by extension, what's to say when there's more money at stake than a few million, but an important election?

kbos87
I definitely see the point here, but it depends on what you mean by “understand”. I don’t think that understanding blockchain or the technical components of how such a system works would be important to the average voter.

If such a system could improve the visibility and auditability of results down to small regions, and intuitively show how that cascades up to state level results, it could be a win.

Making an e-voting system believable seems more like a UX/design challenge than a technical/engineering challenge.

trhway
>Joe Q. Average who doesn't hold a PhD (or maybe even a college degree) has to rely on spooky experts telling him what to believe.

The Joe is for example driving a car full of electronics and somehow he doesn't have an issue trusting his life to it. And, if anything, I'm pretty sure that deep understanding of that car's electronics and software would make the Joe only trust his car less (one can google the software expert's opinions during the Prius self-acceleration story).

randyrand
We aren't trusting the car. We're trusting the car has not been tampered with.

We know many people want to tamper with elections. The CIA has done that much. The same is not true for cars. Steal cars, yes. But cause a random car to crash on purpose? That's pretty rare. If it were common, I personally would not trust my car's electronics either. And neither should you.

dmalvarado
No issues with because he usually ends up at his destination intact. If, through no fault of his own, he didn't arrive intact, spooky experts probably didn't know what they were doing.

I can see how the argument still holds water if half the time the outcome of the election didn't go his way.

greenduck
Science and engineering don't care if people believe in them or not.

If people don't believe the results of an election, then it is de facto illegitimate.

superwayne
I can see that the car works by getting safely from A to B, thousands of times. If my vote counted or not is not observable.
trhway
Any e-voting system of course must make it observable. Otherwise it just wouldn't make any sense.
kelnos
How is that observable in the current system? I mailed my ballot in a couple weeks ago, and BallotTrax told me when it was picked up by the post office, and then when it was delivered to election officials and accepted. But that's just an email telling me this; anyone can type up an email and send it, while dropping my ballot into a shredder.

Now, I do believe that my vote was actually counted, but I have no rational basis for this, as I don't have any kind of record or visibility into the process.

I don't think any voting process can actually really tell you that your vote was counted. At the end of the day you're just trusting that the people running it aren't corrupt, or at least that there are enough people involved that keeping shenanigans a secret would be incredibly difficult.

setr
Because I could, reasonably, find the damn thing; the evidence physically exists. And the threat of doing so increases trust in the system (even if no one does it), because if worst comes to worst, I can just find the slip.

In a digital system, I'm not finding jack shit. It doesn't exist anywhere except as a counter, I can't check whether it's my vote or randomly created after the fact (after suspicion was announced), and I can't trust the system itself, because it's defined by, developed by, and operated by some random group of people who managed to slap the thing together and make a sale. I can't get in there and check out any of it myself (even as just a vague threat), and the conspiracy group is sufficiently small as to be viable (I only have to "convince", what, 40 people, to cheat the votes?).

What I don't understand is why not use something like the SAT exams -- trivially hardware-counted, but also physically transparent and available -- and solve like 90% of the problem that way?

jodrellblank
I'm watching the US election from the outside, and the President declared a win, said the Democrats were trying to steal the election and he is going to the supreme court to stop voting. Twitter is packed with people apparently saying that it's impossible for PA to swing from Trump to Biden just by counting the postal votes, or that counting postal votes after the polls close is cheating, or that the postal votes were made up, or that the polling station votes are untrustworthy because there's no need to prove ID, or that polling stations were closed, or that the whole system is illegitimate if voting is not a public holiday, or not mandatory, or not proportional representation and no electoral college.

Again, whichever outcome, USA is going to have half a country that doesn't like or trust the election results. Not the voting booth ones, not the mail-in ones, not the popular vote, not the official result or the "official" result.

Seems to me that if people trust the leadership, they would trust the voting system endorsed by the leadership, not the other way round.

totony
The main issue with us is the strong divide of the country. It's obscene to me that a leader can be chosen whom ~50% of the population disagree with. I understand democracy is about pleasing the majority, but how is a 51%-49% split a majority in any major way?
eindiran
Hard disagree. The world is complex enough that every person in the world relies on the words of "spooky experts telling [them] what to believe".

Even outside of that, elections require trust in the process. Already, with a "simple" system in place, we have to trust that no one is committing fraud, that votes aren't being surreptitiously added or thrown out, etc. E-voting doesn't fundamentally change the trust dynamics at all: people ultimately need to believe that the people in charge of the process aren't up to any funny business or bad at their jobs.

This argument gets used a lot to argue in favor of first past the post. Explaining a Borda count or single non-transferable vote is harder than explaining: most votes = win. But I think it ultimately comes down to trust: if the people voting trust the people involved with the process (even if they don't understand the nitty-gritty details) they will accept the results of an election.

greenduck
> relies on the words of "spooky experts telling [them] what to believe".

Widespread distrust of subject matter experts already exists in the US. You can't just tell people to shut up and listen to the experts.

The efficacy of vaccines is one of those things that is almost impossible for the average person to verify. I can get in a plane and confirm for myself that it doesn't fall out of the sky. I can't get a vaccine and directly compare it with my chances of catching the flu without one. That's the reason why people widely trust the safety of planes, but there exists an anti-vax movement in the US.

Even with alternatives to first past the post, the complexity is of a wildly different scale than blockchain. I can sit down with someone and go step by step how ranked-choice works right now without looking up material. I'd have to pull out reference material and then start with the basics of hash functions or something to explain blockchain.

chrononaut
> E-voting doesn't fundamentally change the trust dynamics at all: people ultimately need to believe that the people in charge of the process aren't up to any funny business or bad at their jobs.

A notable difference is that any John or Jane Doe can become a poll worker or poll watcher with little barrier to entry no matter their background, and verify the integrity of their elections should they choose to do so.

To me, the lack of the ability for an average person to do this would significantly change the trust dynamics.

cblconfederate
Don't they use some kind of computer system to tally the results? I doubt jane will do a full audit on every line.
I think you're missing a few things: Votes should never be identifiable and the count should be verifiable.

First of all: using somewhat public things like SSN, "numbers in your street address" and a credit card number is a terrible idea. All of those have been leaked and are present on things you present to identify yourself or pay. Also requiring a credit card or home to vote would almost certainly be unconstitutional.

Getting a "receipt" is also problematic: You should never be able to prove you voted A over B or vice versa since that opens up ways to intimidate people to vote one way and coerce them to prove it.

I'm not saying it's impossible but there are so many problems with electronic voting that I don't even know where to start. At least with physical ballots we can manually recount if we need.

And that's before we even start talking about how current systems are basically swiss cheese for hacks, just look at the voting village for the last couple of defcons.

Related (and amusing) links:

https://www.youtube.com/watch?v=w3_0x6oaDmI

https://www.youtube.com/watch?v=LkH2r-sNjQs

https://xkcd.com/2030/

jjeaff
I'm not talking about using SSN or other identifiers to validate voter identity, that would already be done at the polls or however we currently validate mail in ballots (should be something better than forensic signature comparison, though).

The identifiers would simply be used so that the individual could check and validate that their vote was counted and counted correctly. But perhaps those identifiers wouldn't be necessary since you could simply assign a random uuid after the person votes that they can then use to look up.

Twisell
Watching these links is really recommended if you don't yet see the issue with e-voting.

PS: Well at least the first two, third one being the mandatory xkcd meta-reference :D

wavefunction
The ballot itself could be a zk-SNARK written to a blockchain signed with a private key owned by the voter.
SahAssar
Sorry, I'm not well versed enough in zk-SNARK, can you explain how it solves the problems above?

If it does, do you think that you can make the general public trust/understand it enough to run an election?

wavefunction
Sorry can't reply to your reply but... Making the ballot a zk-SNARK[0] would allow it to be queried for validity of certain assertions like "Did this ballot contain a vote for Candidate A or Proposition B" without leaking the identity of the voter. The voter's private key could decrypt the entire ballot perhaps for the voter's verification or even as another verifiable assertion that the ballot was signed with the specific key. Perhaps there would be a key provided by the voting authority body as another verifiable assertion that would allow the voting authority body to verify the user for their purposes if required.

I agree that the more difficult part of this would be encouraging adoption and supporting use. There are hardware keys like yubikeys or hardware crypto wallets that can be populated with voter-generated keys to be used in the voting process, and these hardware keys could be populated in a process similar to getting a driver's license perhaps, except not waiting for it to arrive in the mail. Perhaps you go into your local clerk's office and they have a one-time key generator that populates your hardware key. I definitely haven't fleshed this idea out beyond some basic musings.

[0] https://z.cash/technology/zksnarks/

kelnos
Doesn't that still allow for vote-selling and vote extortion? Like if my employer threatens to fire me unless I vote a certain way, they'll accept me giving them my receipt saying I voted the way they wanted. Now, they can't prove that the receipt actually belonged to me, but it's certainly harder to procure someone else's receipt (from someone who voted the way the employer wanted).
totony
>Getting a "receipt" is also problematic: You should never be able to prove you voted A over B or vice versa since that opens up ways to intimidate people to vote one way and coerce them to prove it.

Your receipt does not have to mention who you voted for in a way that's verifiable by a third party. But this problem is also a problem for mail-in ballots.

>using somewhat public things like SSN, "numbers in your street address" and a credit card number is a terrible idea.

Agreed, this does not mean that it is not feasible. You could use some zero-knowledge based proof that ensures that the person is allowed to vote and has voted only once without knowing his identity. Mail-in ballots are also problematic in that regard.

I dislike that people say evoting is a bad idea when we already have things like mail in ballots which are analogous to a poor e voting system.

>Also requiring a credit card or home to vote would almost certainly be unconstitutional.

But don't you need a registered address to vote?

SahAssar
> But don't you need a registered address to vote?

I'm not 100% sure here but I thought homeless could vote?

> mail in ballots which are analogous to a poor e voting system.

I think it is mostly about scale. It is hard to impersonate 10000 people it requires physical objects, it is easier if it is digital. One of the videos deals with this, timecode here: https://youtu.be/LkH2r-sNjQs?t=140

totony
That timestamp is talking about physical voting. I'd posit it's easier to impersonate 10k mail in ballots of the same state than (let's say) crack 10k private keys or whatever is used for that system. I agree though that a new system will bring about exploit vectors that are unknown, but I'm not convinced they are as bad as what is implied in that video and this thread.
Tom Scott has a great video about the issues with electronic voting, chief among which is a lack of trust and understanding by the general public of how electronic voting would work.

https://www.youtube.com/watch?v=LkH2r-sNjQs

Sep 12, 2020 · 2 points, 0 comments · submitted by notRobot
Tom Scott: Why electronic voting is still a bad idea

https://www.youtube.com/watch?v=LkH2r-sNjQs

Electronic voting is a terrible idea.

Attacks on paper & pen ballot systems are much, much harder to scale.

Here's Tom Scott with a great explanation of the basics. https://www.youtube.com/watch?v=LkH2r-sNjQs

tdons
The same argument applies to the internet at large. Shall we move back to filing cabinets because that makes data leaks more difficult?

I'm sure that at some point we'll crack the electronic voting nut. But yeah: it's scary and the stakes are high. Then again, we've fixed electronic banking and that runs pretty nicely without many problems -- right?

mhh__
There are next to no stakes with electronic banking compared to voting. Money is a totally different prospect to rigging an election.

The Trump campaign did some extremely shady things with Wikileaks and the GRU, can you imagine if he was now leading the US through COVID after the Russians were able to compromise the voting system? The constitution does not have a mechanism to deal with it, as far as I can see.

What's the point when paper works already and is almost impossible to scale. Voting is easy

Swenrekcah
Electronic banking works precisely because it isn't a secret semi-anonymous blockchain thing. If credit card payments end up in the wrong account, someone notices. If an electronic voting system assigns votes to the wrong candidate, who notices?
ianleeclark
> Attacks on paper & pen ballot systems are much, much harder to scale.

As it turns out, you can just impose austerity.

My whole startup is built on blockchain, and I'm an Estonian e-Resident (Estonia allows their citizens to vote digitally), so I find blockchain voting fascinating. That said, there are some problems with it. This Tom Scott video explains why: https://www.youtube.com/watch?v=LkH2r-sNjQs.

But this is a very cool idea: combining the USPS vote-by-mail infrastructure with a blockchain layer that sits on top, used mainly to provide anonymous provenance. We'll see if this ever gets implemented, but I think it's a great example of the non-hype uses for blockchains being explored.

peignoir
Oh cool, not related to the article directly but I'm off to Estonia and working on a blockchain (tezos) voting system and community if interested : www.electis.io
sebmellen
Interesting. For lower stakes voting, this could be a great implementation. I have good friends building a Tezos startup right now (Tezsure) - certainly an interesting chain!

We're on Stellar mainly because of block times. You can see a beta of our timestamping service (mainly built for scientists... launch coming soon) here: https://assembl.app/chronos

amelius
Very nice video, though in the personally delivered sponsored message at the end he seems to be contradicting himself. Why would you still trust a password manager after seeing the video? And wouldn't it be incredibly stupid if an entire nation put their passwords in a vault controlled by some company in possibly another nation?
sebmellen
That's a good point.

I suppose it's poignant in a way — though we might wish to stop the tide, everything is digitizing. Voting will inevitably be swept up in this process, and it's not a matter of if we should do it or not, but how we do it best.

And for what it's worth, password managers are a very good idea (though probably not worth staking an election on). I would however recommend Bitwarden: https://bitwarden.com, which is open-source and well-audited.

In cryptography we trust (and we probably will for voting someday soon as well)!

cheph
> Why would you still trust a password manager after seeing the video? And wouldn't it be incredibly stupid if an entire nation put their passwords in a vault controlled by some company in possibly another nation?

I think you should use a password manager, I do, and the people I know that don't keep forgetting their passwords, keep reusing them, and generally just practice horrible security.

As to which one, I would recommend an open source one like BitWarden, but they won't fund YouTube videos on important issues because they don't have the money.

I doubt Tom Scott would recommend that everyone in the world use this one password manager, and it won't happen from him endorsing it. And I think that integrity of elections is more important than the security of passwords, even though I guess they are somewhat intertwined. For important things multi factor auth should be used which won't be defeated by passwords only.

It's not about it being compulsory, but the system being unverifiable end-to-end and any criticism of that being laughed at.

If you put it into business terms, would you trust an employee or vendor who told you that everything was alright, did not allow you to perform checks and audits and mocked both your and external partners' concerns [0] about it? I don't think so. If the government is indeed for the people and not vice versa, then this is not acceptable.

[0] https://www.youtube.com/watch?v=LkH2r-sNjQs Tom Scott's video about e-voting. Funniest rebuttal I saw on Estonian social media was that we are secure, since he is talking about e-voting, but we have i-voting. So I guess once we will call it c-voting, it will be even better...?

aj3
I watched the video. It's a load of crap. I mean, here are his arguments (feel free to tell me if I missed something):

  - voting systems inevitably have to be closed source, loaded on easily compromisable USB stick, connected to internet unguarded and sitting that way for years. In what reality is this nihilistic fatalism a reasonable expectation?
  - voter has no way of independently verifying that their vote has been processed correctly. First of all, this is simply ignorant as there are many cryptographical schemes that allow verification, but most importantly - how do you know that your vote has been processed correctly in our current system? You don't, there is no way for you to do that.
  - US hacking machines are routinely exploited at Defcon. That's right. You know what else is routinely exploited there? Physical safes, which are used for storing you know paper ballots. Also cars. And Air Force has promised to bring a fucking satellite next year. Something having vulnerabilities in the past does not mean it still has them, something having vulnerabilities currently does not mean they are easy to exploit in practice or can't be detected and mitigated, some products in a certain category having vulnerabilities does not mean all products in this category will inevitably have vulnerabilities in the future and we should just give up on ever fixing them.
  - trusting a person in a voting booth to vote for you would be ridiculous, but filling a ballot yourself and trusting that it will get counted correctly along the way is somehow self obvious - I guess because in the first case you clearly see that a human is involved in the process and in the second example it sort of feels like the process is finished once you physically put your vote into a box?
  - the average voter won't understand checksums. Well, maybe the average voter shouldn't worry about bad bytes in that case? And how come deterministic and auditable cryptography is a problem while demonstrably non-deterministic process of current paper voting (look at how results always differ ever so slightly when votes are recounted) is a non-issue?
  - transferring votes over internet is problematic because you can't trust software on either end. Right, because you know (never mind trust) everybody that will handle your vote on the path from voting booth to the whatever-governing-body-is-announcing-results-in-your-country? 
  - central computer could be manipulating your votes and only a few people will have an opportunity to inspect it. Well, how many voting boxes have you been allowed to inspect in your life? Are you allowed to go to the central location where your votes are aggregated and recount all of them personally? How do you know that officials in your voting location, precinct or at a national level haven't agreed to manipulate the results?
  - casting doubts on the election is easy to do with electronic voting and nearly impossible with paper voting. Have you heard this cute story about medical masks becoming a conspiracy and symbol of oppression among certain population in US? Has nothing to do with electrical circuits and everything to do with politics. If a current incumbent happens to lose an election there you can be sure that election results will be called fake, no matter paper or digital.
  - malware exists, so voting from personal devices is ridiculous. Just as ridiculous as doing e-commerce or banking? Or in case of Estonia getting pretty much any other official business done, or so I hear.
  - a single vulnerability in someone's computer can be scaled to millions of computers. Ok, let's say someone is still using Windows XP and got infected with something after downloading GTA from Pirate Bay. How does that affect people voting from their iPhones?
  - anecdotes, anecdotes, anecdotes
tl;dr: Stop spreading FUD.
nytgop77
1. Whole paper ballot process is monitored (and understood) by all parties. They keep each other in check. I can sign up for such monitoring and see for myself (at least in my country). Nobody will allow me to inspect actual machine used to count votes. 2. To hack paper ballot voting, conspiracy must include many more people than e-voting.
aj3
1. You feel that the process is well understood because that’s the only process you’re familiar with and likely it was taught to you since school. In reality other schemes such as electronic voting could be just as clear and transparent, while possibly even more natural as visiting websites and using apps is what people do every day as opposed to gathering physically in order to run an ancient form of poor cryptography manually. Also, no you never had an opportunity to see the whole process end-to-end, as you never were allowed to open and inspect voting ballots or boxes, or attending the central counting place in your state/at the federal level to make sure they are counting everything correctly as well. Think of the bits you saw this way: if your adversaries were evil versions of Penn and Teller, would they be able to fool you by presenting you completely boring looking yet larger than life process that feels completely fair yet of which - due to completely human reasons - you can only see one facet at a time - all while in fact running a completely different play in the background? Sure, this isn’t how we normally think about adversaries in real life but that’s what the adversaries in cryptography are. When the guy in the video said that there have been some concerns about Estonian voting system which basically means anyone could have stolen the election - that’s what he meant really: Penn and Teller could have arranged in their stage show such a contraption that would have fooled mock election participants into disclosing their vote or it being discounted, therefore basically anyone can steal our election. 2. This isn’t obvious at all nor substantiated by facts/reasoning.
Parties still could hire/attract auditors to oversee the process, independent organizations and foreign countries still could be provided with visibility into the process, in fact the process could be made more verifiable by preserving audit logs and forensic evidence for generations to come, so that a single researcher could viably check their hypotheses across the whole election days, months or years later, not just one small fragment at a time in places they themselves got an opportunity to physically be present, like what you described. And the process could be made much more transparent to the public at large as their vote could be counted in soft real time, meaning they could verify it reached central tally right after voting.
nemetroid
> you never were allowed to open and inspect voting ballots or boxes

You are allowed to see that the boxes are empty in the morning, and you are allowed to see each ballot as it is retrieved from the box when it is being counted. Between those two points the box never leaves public eye. Why would you need to open it yourself?

> or attending the central counting place in your state/at the federal level to make sure they are counting everything correctly as well

Why not? All of those are open to the public in my country.

I think you are seriously underestimating the amount of openness that is possible - and practiced - with paper ballots.

bragh
Please try to think here in terms of probabilities, not absolutes and about the threat model.

1. Closed source and loaded on a USB stick is the simplest case. But in the end, how will you still know what is the actual code that the eventual tallying system is running?

2. Verification of votes is not about encryption. If you allow it to be unlimited, then you can actually sell your vote. In Estonia, you can verify your vote 3 times for 30 minutes after your vote was cast: https://www.oiguskantsler.ee/sites/default/files/field_docum... (point 14 on page 5)

3. Mostly agreed with you about the rate of vulnerabilities. But the issue here is that voting is such an important part of how democratic society works that there should be no obvious vulnerabilities or any exploitations of vulnerabilities can be easily discovered. E-voting has neither of these because again, how can we know what code is actually being executed?

4., 5., 6., 7. Yes, one vote can get lost. Hell, thousands can get lost. But on average, I can still count on the process eventually working out due to the observability. Somebody will find ballots thrown in trash, pre-filled ballots, 117% of eligible people voting. Sure, in those cases the country is unsalvageable, but you will at least know that it is happening.

8. OK, but that is neither here nor there.

9., 10. If you open up Google Maps and look one country eastward, you will understand. As a reference, https://en.wikipedia.org/wiki/2007_cyberattacks_on_Estonia Not sure on what their planning divisions are cooking up, but I do not doubt that they will use any angle they can. What is the going price for a Windows 10 0-day anyway, on the order of a few hundred k to 1M, I assume? Peanuts.

aj3
You’re the one that seems to be thinking in absolutes (when it suits you).

  1. In cryptographical/philosophical sense that’s a tough problem. But our goal is to improve on existing solution not come up with an absolutely ideal scheme, right? So let’s look at what sort of trust our current system provides us. Do you get to see how the whole system works? No. Does any single person get to see the whole system for that matter? No. But you are provided with the description of the process and large part of it is happening in the open even though you can’t attend all the places / oversee everything in a single election due to real life and restrictions. Some people are also provided with the power to inspect arbitrary components of the whole scheme when they see fit and even though they don’t inspect even the whole components all the time and no one is inspecting absolutely everything, these people are attracted from all interested parties and can act at random, so we believe that if there were any symptomatic foul play someone would have found it simply by chance. And we generally don’t believe in conspiracies but we try to counteract them by providing more incentives for people to speak up, get involved, become a whistleblower if that’s necessary so that any largish conspiracy would inevitably become public knowledge quickly enough. Well, we can arrange all of these in electronic voting as well and we can even double down on all the in depth mitigations by providing more monitoring capabilities in real time & possibly even making data openly available in whole after election.
  2. You can sell your vote in our current system as well. But somehow that’s fine because we have different standards for what we grandfathered already, am I right? Yeah, you could pay people if they film themselves voting, but there is no evidence of this being widespread so no need to worry. Mail ballots aren’t anonymous and could be spied/spoofed easily but there is no evidence of that ever happening, so no need to worry. Lack of strong ID requirements in US could lead to massive voter fraud but there is no evidence of this ever happening in large enough numbers to skew the election, so no need to worry about. And yet when it comes to electronic voting, geek versions of Penn and Teller - cryptographers have shown us in their stage shows that they can conceive such situations where the victim gets unknowingly duped into disclosing their vote, or the vote being miscounted. So that means literally anyone could carry out the same attack in practice and at an arbitrary scale (or maybe not but we’d better err on side of caution).
  3. How do you know that that nice lady overseeing voting in your district isn’t a secret Trump/Clinton/Nazi/Communist sympathizer? You don’t, but you have a faith in the system as a whole that it won’t crumble because of a single person. Similarly we can use defense in depth tactics in designing election security. The hardware would only be able to run signed code in a minimal environment, you could even make the device stateless, meaning the code gets reset before each new vote gets accepted, maybe even provide an option for voters to reflash the device themselves (with a click of a button on their phone). Devices themselves don’t have to be generic PCs with USB ports and what not, these could be really dumb chips enclosed into sealed & transparent casing with each one being certified etc. You could make the system modular by having multiple devices each doing their small thing - like the Unix utilities but with each utility being separate hw and most of them disconnected from any networking / being air gapped with obvious input/output interfaces. There are so many things we could do if we approached this in a sane manner as a serious engineering challenge instead of trying to out-cynic each other.
  4,5,6,7 That’s exactly my point, electronic voting can be made even more transparent and with the records being forensically preserved they could be analyzed in full at any time after the votes have been cast (with the operational stuff being able to run all sort of threat hunting / anomaly detection during the Election Day). Granted this assumes the whole system uses the same protocols and is run/overseen by a joint committee which might or might not be viable in US, but the discussion started from Estonia - European country, where this would be totally expected.
  9, 10 Not all 0days are noclick RCEs present in a default configuration (of a desktop/mobile). In fact we haven’t seen such a beauty in a long time. So no, there isn’t a price for that as it’s not something you could buy off the shelf. And if you could get one you would burn it pretty fast by using it in such a campaign. Makes much more sense to keep it as a nuclear option as no matter how aggressive in your opinion nation state attackers are, their primary incentive is fear for the survival/integrity of their own country (yes the bears crap their pants thinking about possible armed intervention any year soon and so do the pandas). So no I don’t think there is any conceivable way to exploit large portion of private devices in a country in a uniform fashion. You totally could do that using top bottom approach - sort of like exploiting DC and pushing malware from it via group policy. But in case of Estonia voting apps would be the last tech to use for that. They are already mandated to use governmental services for various everyday tasks, they have centralized ID and there are just a couple of major banks - all of which require having an app for modern banking. So there are already plenty of avenues to wreak havoc for a skillful/motivated attacker. And yet we don’t have panic attacks over it, it’s just operational risk that we seek to understand & mitigate just like in every other enterprise.
likelyunaware
That video had outdated information regarding the Estonian e-voting system. The report from 2014 has been invalidated by the newer system, IVXV, which has been redesigned to address previous criticism. The newer system is open source, available at https://github.com/vvk-ehk/ivxv. A good source to quickly familiarize yourself with the architecture is "Improving the verifiability of the Estonian Internet Voting scheme"[0] by Jan Willemson et al

[0] https://research.cyber.ee/~janwil/publ/ivxv-evoteid.pdf

Has it just been decided by Twitter now that the truth is that mail in ballots are 100% secure and anyone questioning our election integrity is just spreading dangerous misinformation? Seriously?

It seems like a really open-ended thing to fact check.

I wish we had asked more questions about election integrity before 2016. I think it is better that we have a robust discussion about this NOW, before the election.

The most important thing about elections is that they be trustworthy by the majority of the population. Without sufficient transparency and oversight, actual security is meaningless. Computerphile did two great videos about the dangers of electronic voting:

https://www.youtube.com/watch?v=w3_0x6oaDmI

https://www.youtube.com/watch?v=LkH2r-sNjQs

It seems like mail in ballots re-create the same problems with electronic voting, except that we are just adding an extra layer to it.

But, I know that countries like Germany and Switzerland have instituted some fairly robust means of securing mail in voting -- none of which we are considering. Simple things, like having the affidavit be on the same piece of paper as the ballot, and ensuring chain of custody of the ballots by only having postal workers pick them up directly from voters.

Are we allowed to express our concerns about this? I for one do not want to make things worse this time around. Is the discussion about this really ending because Twitter decreed it so?

Many bank transactions can be reversed, and the ones that can't can be covered by insurance or self-insurance. You can't practically speaking reverse a tainted election.

Anyway, I'll let Tom Scott take it: https://www.youtube.com/watch?v=LkH2r-sNjQs

It's electronic voting. "Votes in transit" (Scott 2019):

Why Electronic Voting Is Still A Bad Idea: https://www.youtube.com/watch?v=LkH2r-sNjQs

It's also a standard incrementalism tactic.

dkarl
These are not votes. These are public tallies that can be verified by anyone who was present at the precincts.

> It’s also a standard incrementalism tactic

This assumes the public is smart enough to make an informed distinction now but will lose that ability in the future.

Summary of why e-voting is bad:

https://www.youtube.com/watch?v=w3_0x6oaDmI

A newer video basically reiterating the points:

https://www.youtube.com/watch?v=LkH2r-sNjQs

Feb 04, 2020 · Lycake on Iowa Caucus App Error
This was 2014. You might think with newer technologies this isn't a problem anymore. He also made "Why Electronic Voting Is Still A Bad Idea" last month: https://www.youtube.com/watch?v=LkH2r-sNjQs
Dec 11, 2019 · 3 points, 0 comments · submitted by pdkl95
Dec 09, 2019 · 6 points, 0 comments · submitted by AndrewDucker
Dec 09, 2019 · 4 points, 0 comments · submitted by protomyth
HN Theater is an independent project and is not operated by Y Combinator or any of the video hosting platforms linked to on this site.