One important thing about any voting system – digital or not – is that it has to be good at producing agreeable consent. That means bitter, betrayed and hurt (but reasonable/democratic!) losing parties need to be able to say: yeah we accept the result because we are confident in the outcome of the election.
This is something all digital systems are really bad at, even if everything is readable and verifiable, unless all your members know how to read that code.
Edit: and even if they know how to read that code, can they trust the machines are running that code at the big day?
lesuorac 163 days ago [-]
Non-digital systems have claims of fake ballots being inserted all the time. I don't think the answer to people being suspicious of digital systems is to abandon them. It's to either disprove their suspicion or add controls so they become disproven.
Yeah but a ballot cannot potentially change the number of papers within it depending on who is looking and when they are looking. If your stupid mate from the pub questions the results he could literally look inside the box with a paper ballots and see if the votes are significantly wrong. If you let him guard the ballot box for the duration he could even see that nobody swapped the ballots. Try that with a computer.
Paper ballots also having problems isn't an argument for even more complex systems, it is an argument against it.
codedokode 162 days ago [-]
With analog voting you can at least count people coming and see their ballots when tallying. With digital systems this is typically a black box where you have to trust the government.
lesuorac 162 days ago [-]
I don't think you understand how wrong your post is.
Literally no election updates the raw tally of candidates the second a ballot comes in. If you count 1000 people entering and 1000 total votes that doesn't mean 1000 individials voted. Literally some of the cases of fraud are the same person entering multiple times and voting multiple times. You will need a control beyond "count people". (And if your control is to just do mail-in voting process in-person then what's the point).
Additionally, if you have 1000 people entering and 1050 total votes; which 50 do you discard? This is where the mail-in votes have a better control than a simplistic ballot box as you only start co-mingling the votes once you know it's legit.
W.r.t. Digital systems, there's nothing that stops there from being a paper audit trail you can verify. [1]
Also, you don't need to "trust the government" (aka your neighbors) you can volunteer yourself to be a poll worker at your local elections to see how things are done or you can run to be on the board of elections in your local government. And if you're working the election you only need to trust yourself to have made it secure.
That's a piece of information: you know there are 50 questionable vote.
You know how many questionable vote in the gland scheme of things. As a matter of fact: most of them are too small to make a different.
codedokode 161 days ago [-]
We might be talking about different forms of electronic elections. What I am talking about is remote electronic voting, when people vote from home using a website or app.
> If you count 1000 people entering and 1000 total votes that doesn't mean 1000 individials voted.
This means that if someone wants to vote 10 times, they need to come 10 times and hope that no election monitor will be surprised by seeing the same person 10 times. If you want to add million fake votes, you need to recruit 100 000 people voting 10 times each, you need to bribe thousands of election staff to let them vote 10 times, basically you need to involve a whole army of people and hope nobody notices nothing. Of course it is possible to find 100 000 corrupt people, but it is difficult to hide such large-scale operation.
For comparison, in electronic voting all you need is to have one patriotic sysadmin willing to enter fake data to 'save the country' from an undesirable candidate. The barrier for large-scale fraud is much lower.
So, basically with electronic voting election fraud requires corrupting less people and it is easier to hide.
> Additionally, if you have 1000 people entering and 1050 total votes; which 50 do you discard?
You nullify results at that polling station as the winner cannot be reliably determined.
> Also, you don't need to "trust the government" (aka your neighbors) you can volunteer yourself to be a poll worker at your local elections to see how things are done or you can run to be on the board of elections in your local government.
How can you be a poll worker in electronic elections? In my country typically the code and procedures are developed by a contractor or governmental organization. The code is not always even published. The best you can do is be an election monitor, but they have very limited tools in case of electronic elections, like observing stats on count of people voted. In contrast, election monitor at paper voting can see the whole process with their own eyes.
cryptonector 162 days ago [-]
Precinct-only elections don't quite have this problem because all the people voting are neighbors, and the poll watchers and ballot counters are all neighbors. Hard to engage in shenanigans when the people watching are your neighbors!
a_c_s 162 days ago [-]
Right: most systems with paper ballots are simple enough that the vast majority of the electorate, including those with lower-than-average IQ's (50% of the population), can understand and could participate in if they were inclined.
I have yet to see a digital system that I would trust myself to validate, much less the non-technical majority of the public.
baobabKoodaa 163 days ago [-]
Disagree. It's enough for the average voter to trust that some other people - independent experts - are able to verify the vote. Not everyone needs to be an expert at anything. I wrote more about this trust aspect in the appendix of my thesis on voting: https://attejuvonen.fi/thesis
rcxdude 163 days ago [-]
Yes, but then all that's needed to attack the voting system is to trot out your own experts that voice disagreement. Without the means to assess the system for themselves, voters will lose trust in it. Especially in this day and age, when trust in institutions and expects in general is extremely low. (Heck, this attack already works to some extent with the current, extremely transparent system of ballots)
rstuart4133 162 days ago [-]
> Yes, but then all that's needed to attack the voting system is to trot out your own experts that voice disagreement.
Which is precisely what Trump did in 2020.
I doubt people made up their minds on whether the 2020 vote was sound based on the mechanics of how the votes were counted. The counting procedure with it's interlocking checks is rather complex, and differs between states. They made up their minds based on what they trusted more - the Trump version of the facts or the testimonies of the people counting the votes and those administering it.
It will be exactly the same with computerised voting. Ideally the software will be open source with reproducible builds. Just as with the present voting system most won't be able the check the actual mechanics themselves, but they likely know someone who knows someone who knows someone who can.
By the by, it wasn't done that way with computerised voting and probably still isn't in many places. I vaguely recall the story of a voting machine breaking down, a technician waving his magic wand over it after voting had closed, and a whole pile of votes fell out. It made the people in charge of the voting process distinctly uncomfortable.
airtonix 162 days ago [-]
[dead]
eru 163 days ago [-]
> (Heck, this attack already works to some extent with the current, extremely transparent system of ballots)
Exactly, so the rest of your criticism isn't nearly as strong, if it applies to all means of voting.
atoav 162 days ago [-]
Huh? That is not how this works.
For a high stakes election I would take the most trustworthy system. So give me an argument why I should invest money into building a less trustworthy one?
Because it I get results faster? I don't care about speed, high stakes elections are rare enough for that not to matter.
Because it is more efficient? I don't care about efficiency, I want the result to be accurate and the process to be understandable by the stupid bloke in the pub with whom I have to discuss the result.
There is literally no reason why this should be replaced by a digital system other than it makes us needs feel special.
baobabKoodaa 162 days ago [-]
Paper ballot voting systems are generally more secure than electronic voting systems, but things are not black and white. There are differences amongst different paper ballot voting systems. There are also voting systems which combine both electronic and paper features. For example, a purely paper voting system can be trivially made more secure by adding electronic machines to prevent voters from accidentally spoiling ballots.
eru 162 days ago [-]
The argument you make here might be right, but it's beside the point I was making.
For what it's worth, I prefer paper ballots, but I don't think that makes all arguments for them automatically valid.
maxdamantus 163 days ago [-]
As a software developer myself, if an "independent expert" comes out and says that some software system is fully verified, I might trust their allegiance, but I probably won't trust their competence.
I wouldn't expect the general population to trust them either.
eru 163 days ago [-]
What if lots of experts come out that way, including people you already trust otherwise? Eg assume both Bill Gates and Linus Torvalds etc say they have reviewed the code?
atoav 162 days ago [-]
If we assume that:
- how do you know the code running on these machines on day X is actually the code they tested?
- how do you know the code running does the same thing the code they tested does, even if it is the same code (e.g. hardware instructions could be doing different things on the machine, the OS could provide different functionality, other programs could interfere)?
- how do you (and for that matter: every single voter) know their vote was counted towards the correct candidates in the whole process towards the end results, which likely involves transmitting data through the internet and/or people carrying USB thumb drives and sticking them into computers
I am not saying it can't be done, but I say you can tell appart who knows computers really well (hackers) from those who know it kinda (geeks), by how doable they think this is.
baobabKoodaa 162 days ago [-]
The voting system you described is not a verifiable voting system. If you have a verifiable voting system, you don't need to know what code is running on the election machines. That's the whole point of having a verifiable voting system.
You asked "how do you know your vote was counted". You can google for examples of how this works in verifiable voting systems.
j16sdiz 162 days ago [-]
In a verifiable voting system, voter usually get a recipe that he can verify, in later time, their vote have been counted.
But what stop same recipe is handed out twice? Do you do transparent log? Second system to audit those? How general voters are supposed to understand this?
Just pick a voting station with lower computer literacy, and you can do whatever you want ..
baobabKoodaa 161 days ago [-]
> In a verifiable voting system, voter usually get a recipe that he can verify, in later time, their vote have been counted. But what stop same recipe is handed out twice?
Different solutions exist for this problem, which is known as a "clash attack". For example, in the Floating Receipts voting scheme, those things that you call "recipes" are pre-printed on ballots and hidden under scratch strips. The scratch strip is removed at the time when the ballot is dropped into the ballot box. If the manufacturer of the ballots were to pre-print the same "recipe" on multiple ballots, it would be discovered during the verification phase, because you would in some cases have 2 different votes cast on 2 different ballots which would contain the same "recipe". So both voters look up the "recipe" online and they are supposed to discover only one vote corresponding to the "recipe".
eru 161 days ago [-]
> But what stop same recipe is handed out twice?
Cryptography. Your receipt is presumably only valid for yourself. So if you got someone else's receipt, it wouldn't be valid for you.
I support paper voting for political elections for most of the reasons you mentioned, but I don't think that automatically makes all arguments for paper voting good and valid, and all arguments for alternative voting systems null and void.
And even if political elections are better done on paper, there's plenty of other elections (eg in companies and clubs etc) with different requirements and threats, and they might benefit from the research and experimentation.
maxdamantus 162 days ago [-]
Then I would ask why the system they're reviewing is different to any other which is meant to be guaranteed-secure (or check that others are asking those questions). We're told every year or so about some SecureBoot vulnerability, which presumably involves code that has been reviewed.
The system doesn't only include the code directly related to voting. It also includes OSes and everything involved in the infrastructure for hosting and communication (the Belenios system in particular involves sending private keys by email, and we're also relying on end user systems being uncompromised (who here likes browser extensions?)). It's not feasible to claim that such a system is secure from a remotely controlled attack (eg, by a lone external actor).
Most of the attack scenarios against an offline voting system are ones that the general population can at least reason about, and they probably involve multiple insiders that would face a serious risk of being ratted out by one another.
Sending private keys (by mail or any other way) does sound bad, so the specific system mentioned in the article might not be worth bothering with.
j16sdiz 162 days ago [-]
Reviewed the code -- but did they inspect the machine? Check the network for reliability? Review the crypto for replayability? RNG that's is actually random?
How many expert do we need? Do we need cross-domain experts to check if any domain experts missing anything between the gaps?
For paper voting, it is literally just check the box is empty before voting and nobody get near the box unexpectedly
eru 161 days ago [-]
> For paper voting, it is literally just check the box is empty before voting and nobody get near the box unexpectedly
That depends on how complicated your voting system is. Have a look at the complications they have in Australia..
nihzm 163 days ago [-]
> It's enough for the average voter to trust that some other people - independent experts - are able to verify the vote.
I don't agree. This is plausible within a coesive electorate, but it feels like moving the problem. What guarantees that the experts are trusted by the voters? And more importantly, assuming that at some point the system (experts) is trusted, how is the trust in the voting system retained over time? (e.g. in case of disagreement over the results)
I have argued in another thread like GP that because the ultimate purpose of voting systems is to collectively take decisions, and because disagreements are very common when deciding, the system needs to be able to justify itself to retain the electorate's trust. Otherwise it will eventually be replaced by a different voting system (or tyranny).
A proxy for this is of course simplicity. If the voting system is clearly understood by everyone, it is more easy to persuade a losing party that the outcome is correct. Conversely, if a voting system needs high expertise to be understood, it is more difficult to bring everyone to agree on the result. So the latter is less robust than the former, especially if the disagreement is over a result that is close to a tie. A self-correcting mechanism is important to keep the voting system in place.
In appendix B of your thesis you raise an interesting point I had not considered.
> As an extreme example, consider the case where a voting system
lacks verifiability, is trusted by the public, and is compromised by a
foreign superpower: the people have lost their democracy and do not
even realize it. Compare that to a hypothetical case where a voting
system has perfect verifiability, thus can not be compromised (without
triggering a new election etc.), and, for whatever reason, is not trusted
by the people.
> Clearly, the outcome where people are suspicious of a perfectly
functioning voting system is superior to the outcome where people
are blindly trusting a compromised voting system. We hope that this
outlandish example is enough to support our argument that verifiability
is more important than trust.
The external threat is a very valid point but I do not think that this is sufficient to absolutely conclude that verifiability is more important than trust. If the system is rigged, it may eventually displease the electorate to the point that it will eventually be replaced.
Unless, the rigged system doesn't displease the electorate and is essentially a hidden benevolent dictator, which would be an interesting situation. Only in that case verifiability could unambiguously be more important.
rraghur 163 days ago [-]
Experts to verify but overall the entire system available for inspection to the populace at will (so open source, reproducible builds, verifiability) etc
There will still be questions around compromised keys/secrets
I suppose in this case paper ballots win
baobabKoodaa 162 days ago [-]
Sure the people can overthrow a government with a revolution, but the situation deteriorating to that point is pretty much the worst case scenario I can imagine.
nihzm 162 days ago [-]
But do you agree that there needs to be something that keeps reinforcing the collective trust in the voting system such that this worst case scenario is not reached? If so, do you have an idea what that something could be when using a complex e-voting system? The best I can come up is to educate the public, but that is almost wishful thinking.
rraghur says in the siblilng comment that keeping the voting systme open via OSS / reproducible builds / etc could be a source of trust, but I don't think that is sufficient for most people. We need a stronger argument, and I don't have one.
baobabKoodaa 162 days ago [-]
Of course there needs to be some level of public trust in the elections. I think that trust could come from the E2E verifiability of the voting system, and related to that, trust in the ability of independent experts to verify that the election was conducted fairly. (When the result of an election is verifiable by third parties, there is no longer a need to audit what software is running on the official machines, so there is no need for reproducible builds etc.)
nihzm 162 days ago [-]
It is possible, at least in principle, to have people trust that techonolgies such as E2E are secure and reliable. Indeed in some countries that is the case, but my point was slightly different.
If you concede that we cannot have everyone understand (to take an example) E2E verifiability, then this technology cannot justify its own correctness to everyone. This means it is necessary to have a (possibly small) group of experts to educate / persuade the public that E2E verifiability actually works.
But my point is essentially: why should they do it? There is no structural incentive for them to do so, other than the virtue of being a good citizen. There needs to be something that keeps reinforcing public trust. Self-evident systems do not require for this incentive structure to exist / be built.
I fear that this could end up becoming akint to the erosion of trust in scientific evidence for political decisionmaking. Science was considered very trustworthy by most people at some point, but because there is little to no incentive for the scientists to inform the public about why what they do works (other than perhaps their personal desire to share the cool thing they are working on) and because scientific results are usually very complex there has been a pretty steady decline in trusting scientific evidence.
guyomes 162 days ago [-]
The experts from Belenios do not recommend to use remote e-voting for high-stake elections [1]. Some issues they mention are the risks that the users sells their credentials or that a malware on their computer leaks who they voted for.
I don't recommend remote e-voting for high-stake elections either. But this is orthogonal to the point here.
makmanalp 162 days ago [-]
As a person who's from a country with, let's say, VERY VERY contested, controversial and eventful elections, the fact that independent poll watchers from different parties and NGOs can independently observe ballot boxes, take photo evidence of countersigned and publicly posted box tallies to send them to their HQs, and then compare and contrast results amongst each other as well as with the official results is a huge boon for transparency and trust in the electoral system.
It's not perfect: more remote and less popular areas go unobserved, and what happens after an official complaint is made is anyone's guess.
But at least almost anyone can add up numbers for themselves and come to a conclusion about what to trust and not trust. And you might think no one would bother, but in my brief experience as a volunteer poll worker they surely do, and zealously so. I can't even begin to imagine what'd happen if the paper ballot was replaced with "trust us, the machine says 37 for party A" or "the magical fingerprint number you don't understand says this ballot was cast for someone else".
jimhefferon 163 days ago [-]
My reading of the news is that in the US (and that I can see, in many places) a lot of people have been convinced not to believe experts.
mmaul 162 days ago [-]
The trend is growing here to, sadly. It's not people disagree with experts experts but that truth told by the, disagrees with a distorted perception or reality.
synecdoche 162 days ago [-]
Or the other way around; the so called experts are actually tools in a propaganda machine, and people choose to rather believe their own experiences than second hand information.
matheusmoreira 163 days ago [-]
It's not enough. It's not enough at all. Experts are easily compromised.
The system by which power is transferred from the people to representatives needs to be literally self-evident. Any system that the "average voter" cannot understand should be literally unconstitutional. Deviating from this puts the results of all elections in doubt. People will question the results, and they will have a point because the system is not actually verifiable and trustworthy to the average person and therefore they have no reason to accept the results. If you're lucky you'll end up with numerous political prisoners at the end of the whole process.
baobabKoodaa 162 days ago [-]
Okay, so you will only accept some theoretical, idealistic, perfect voting system, which at this time does not exist. And until one is invented, you want all non-perfect voting systems to be "literally unconstitutional". How do you want government to function until a perfect voting system is invented? Should we just have dictatorship until that time?
matheusmoreira 162 days ago [-]
No one said anything about "perfect". I said black box systems that nobody but "experts" understand should be literally outlawed. Nowhere did I claim the system had to be "perfect". It needs to be a simple enough system that even laymen can understand, not some computer black box.
What you fail to understand is that an "election" whose results can't be trusted is equivalent to a dictatorship. Actually they are even worse than dictatorships. In a dictatorship, at least you know you are being oppressed. When unreliable elections are institutionalized, they give an air of legitimacy to the dictator's rule, you're constantly gaslit by the dictator and his political and ideological supporters into believing that the oppression is just the democratic process at work.
baobabKoodaa 162 days ago [-]
The average voter does not understand how a typical paper ballot system can be audited, or what coercion resistance properties the system has. It is not "simple enough system that even laymen can understand".
unethical_ban 162 days ago [-]
Decentralized paper ballot systems are counted locally, by people who live in your communities, and are plainly readable.
This makes widespread, centralized election tampering much more difficult, in ways even a moron can usually grasp. (Edit: I mean the general public, not any reader here)
Election skepticism is only going to get worse with China and Russia ramping up their neverending quest to discredit democracy. An unfortunate reality is that we need to operate our elections in ways that are unquestionably understandable and plainly resistant to tampering.
Another example is voting systems. There are several voting systems that are objectively better than Instant Runoff Voting, but they require algebra to determine the winner. If the system isn't demonstrable in a short video or infographic, it is too complex for general population elections.
tivert 162 days ago [-]
> Disagree. It's enough for the average voter to trust that some other people - independent experts - are able to verify the vote.
It's interesting how attitudes about digital voting seemed to flip overnight once Trump challenged the 2020 election. Beforehand there as a lot of serious concern about the trustworthiness and security of digital voting machines, now I get the impression that's all been muted and its taboo to do anything except trust the authorities.
atoav 162 days ago [-]
I think in your thesis you make some interesting points on how E-Voting systems differ. But I have critizism. Let me paraphrase your points:
1. Paper ballots are in some ways more ambigous, because there are many ways to scribble a sign into a circle, a fraction of which will not result in the intended outcome
2. Understanding these handwritten symbols is harder than understanding the electronic system, because of that ambiguity
3. People understand the paper ballot system, but there are some statistical checks and security measures that they don't understand or know of, so their knowledge of the paper system is superficial
4. Trust in voting systems does not primarily arise from understandability but from trust in other people. To quote: your grandmum doesn’t have to become an expert cryptographer in order to trust a system like X. She just has to believe that cryptography experts exist and at least one of them would speak out if this transparent voting system was not as secure as the election officials claim
I don't want to question your thesis here, but I teach electronics and programming at a University level and points 1 and 2 are ridiculous and maybe even disingenuous. Sure, I understand that for a certain type of mind a digital/electronic system feels less ambigous and more clear. But most people are not like that – not even among academics – not even among academics that involve themselves with technology.
Point 3 is a rethorical trick that – if applied equally to E-Voting would be a strong argument against it. Yeah sure people don't understand X completely so lets do Y which is one-thousand magnitudes more complex is not an argument in favour of Y even if phrased in such a way.
Point 4 is the actual thought we disagree about, but given the unscientific nature of the 3 arguments before I can't simply trust you that you did research here (there are no sources cited that strengthen your point either). So as it is you just stated the opinion, as I stated the opposite. Sure, paper ballot elections are not dead simple, but any living being with basic understanding of object permanence could veryify a ballot isn't manipulated by just standing next to it. Meanwhile with computers you have to delegate that trust. And as computers can be reprogrammed, potentially remotely, even your experts can't be sure – especially in elections where powerful nation state actors seek to destroy the public trust in your election. This is a problem – just claiming that it isn't doesn't cut it. And people who claim that it isn't should not be the ones designing such systems.
The important thing to understand about agreeable consent is that a person's willingness to subject themselves to the will of a democratically elected majority is directly linked to their trust into the process. Your voting system has to produce that trust even if voters don't want to trust the process. The surest way to do that is to get a part of them involved into the process – ideally not always the same people. If then a single poll watcher claims a thing and 400 others that have been present plus three trusted NGOs can claim otherwise the election is not in question. Someone will have to convince me this works for E-Voting with a bit more than rethorical tricks.
Note that I am not against E-Voting per se. I just don't think the highest stake elections which have the potential to shift political powers should be electronic/computerized.
baobabKoodaa 162 days ago [-]
You speak as if I'm advocating for e-voting systems over paper voting systems. I'm not. In general, most paper voting systems that are used in practice are more secure than most e-voting systems that are used in practice.
> 1. Paper ballots are in some ways more ambigous, because there are many ways to scribble a sign into a circle, a fraction of which will not result in the intended outcome
Look, I tried to cover all aspects of how the integrity of the voting results can be compromised. There are big issues, like a foreign superpower attempting to hack the results, and then there are small issues, like this one: people accidentally spoiling ballots.
I'm struggling to understand why you feel the need to attack this minor point in my thesis with words like "ridiculous", "disingenuous" and "unscientific". Accidental spoiling is a real issue that happens and I even have a photograph of an ambiguously marked ballot in my thesis.
> 2. Understanding these handwritten symbols is harder than understanding the electronic system, because of that ambiguity
I wrote in Appendix B about how accidental spoiling could be resolved by adding electronics, but _only_ adding them to fix this specific issue (_not_ replacing the whole voting scheme with black box computers that can be hacked). When you say "the electronic system", it sounds to me like you are imagining something more.
Let me try to illustrate this specific point from Appendix B.
A) Fully paper system. You walk into a voting booth. You scribble down the number "7" on paper. You walk out of the booth and put the paper in the ballot box. Later some election official is counting the votes and they look at your scribble and they wonder, hmm, is this a "7" or is this a "1". Your vote is disqualified.
B) Same system but augmented with simple electronics to prevent accidental spoiling. You walk into a voting booth. You scribble down the number "7" on paper. Inside the booth you insert your paper into a scanner which interprets your scribble and prints out a new paper that is supposed to contain your vote. You look at the new paper to verify how your vote is going to be interpreted and you see... what the heck, it's a "1"? Why is it a "1"? I wrote down "7"! So you take a new paper, and now you very clearly write down "7" on the new paper and scan it again. The computer now prints out a paper that has a "7" on it. Good. So now you walk out of the voting booth and then drop the paper with the computer-written "7" on it into the ballot box.
See how B) is exactly the same system as A) except it offers voters the ability to see how their vote is going to be interpreted, before they cast the vote into the ballot box? The machine inside the booth doesn't have to be connected to the internet and it doesn't have to do anything more complex than read a number on a paper and then print the same number. If somebody hacks the machine to "misinterpret" votes, it will be caught very fast.
> 4. Trust in voting systems does not primarily arise from understandability but from trust in other people.
> And as computers can be reprogrammed, potentially remotely, even your experts can't be sure – especially in elections where powerful nation state actors seek to destroy the public trust in your election. This is a problem – just claiming that it isn't doesn't cut it. And people who claim that it isn't should not be the ones designing such systems.
The whole point of a verifiable voting system is that you don't have to trust the election computers. Even if all the official computers are hacked by Russia, I can still run the data on my own machine to verify the results of the election. As long as there is one clean computer in the world and one nerd who cares, the truth will come out.
And I'm not "just claiming that it is [verifiable]" - I wrote a whole thesis on these voting schemes. I did my best to identify the strengths and weaknesses of each scheme and as you can see in the comparison table, each scheme does have their weaknesses. A "perfect" verifiable voting scheme does not exist. That said, it sounds to me like you are imagining all electronic voting schemes to be "black box" schemes relying on blindly trusting both authorities and computers, and that is not the case at all. I would suggest that you familiarize yourself with at least one of these "verifiable" voting schemes before criticizing them. If you are interested in further discussing the specific weaknesses of a specific scheme which incorporates some electronic aspects, I would suggest that you read the description of "Floating Receipts" scheme from my thesis and then we can discuss specifics of that if you like.
atoav 162 days ago [-]
> You speak as if I'm advocating for e-voting systems over paper voting systems. I'm not. In general, most paper voting systems that are used in practice are more secure than most e-voting systems that are used in practice.
Keep in mind that my point was specifically about high stakes elections and you reacted to it without making that limitation. Don't you think my conclusion about your comment follows kind of naturally from that context? I also would argue there is a niche for E-voting to exist, but it is the responsibility of us technically literate to make it very clear for which purposes it is not suitable and why.
> There are big issues, like a foreign superpower attempting to hack the results, and then there are small issues, like this one: people accidentally spoiling ballots.
The slowness and amount of people needed for the paper ballot is a feature not a bug as it makes wide scale attacks extremely complex, labour intensive and risky AND regular people (those that need to believe in the results!) can understand what is going on if they want to. This comes at the cost that the correctness of the result can be not always guarantueed. A huge number of spoiled ballots isn't necessarily a sign that people don't understand how to make a cross, it is a sign of protest and used as such.
> Fully paper system. You walk into a voting booth. You scribble down the number "7" on paper. You walk out of the booth and put the paper in the ballot box. Later some election official is counting the votes and they look at your scribble and they wonder, hmm, is this a "7" or is this a "1". Your vote is disqualified.
I have never seen an election where a vote isn't ticking or checking a ballot box, maybe this is different in Finland? Also: The elections I voted in, in 2 different countries always came with precise pictured instruction how a valid vote looks like and what would be invalid. I am not sure if I should be worried about the vote of people who fail to put an X into a box when given pictured instructions. This is a weakness with one specific implementation of a paper ballot, not a inherent weakness of the system. If we are to look for a good comparison we should compare the best way to do paper based elections to the best way to do it digitally and draw our comparisons from that.
> See how B) is exactly the same system as A) except it offers voters the ability to see how their vote is going to be interpreted, before they cast the vote into the ballot box?
This isn't without it's own risk either. Having worked with computer vision systems and programmed them I can tell you there is no 100% guarantuee that the result that air-gapped machine showed the voter in the voting both is the same as what is reached later – not even if we assume the exact same machine to be used for the count. Also: That isn't necessarily what I'd call a E-Voting system.
> That said, it sounds to me like you are imagining all electronic voting schemes to be "black box" schemes relying on blindly trusting both authorities and computers
No you get me wrong. What I said is that for the majority of the electorate it would be that way. I can readily imagine building an electronic voting system that I can trust – and maybe even one where independent experts would trust it. But that is the easy part. The hard part is building a system into which the bloke from the pub that struggled with undergraduate math and stopped thinking about it since he left school two decades ago can trust. And not just by trusting an authority, but by checking for himself.
As much as I like the idea and challenge of such projects, I can't help put think that the inclusion of those who are less capable to understand is worth more than the potential gains in efficiency or interface-correctness of E-voting systems – especially if the fate of nations hinge on the fact that people trust it.
baobabKoodaa 162 days ago [-]
> Keep in mind that my point was specifically about high stakes elections and you reacted to it without making that limitation.
I was also thinking of high stakes elections when I wrote my response to you, even if I did not explicitly say so.
> I have never seen an election where a vote isn't ticking or checking a ballot box, maybe this is different in Finland?
In Finland you typically scribble down a number. Yes, it's harder to accidentally spoil a ballot if you only need to tick or check a box.
> Having worked with computer vision systems and programmed them I can tell you there is no 100% guarantuee that the result that air-gapped machine showed the voter in the voting both is the same as what is reached later – not even if we assume the exact same machine to be used for the count.
But in this hypothetical example the computer is not used to count the votes, it is used to write on paper. Because a computer can unambiguously draw the number "7" on a piece of paper, and the voter can unambiguously verify that the number is correct.
> Also: That isn't necessarily what I'd call a E-Voting system.
I wouldn't call it such either.
> If we are to look for a good comparison we should compare the best way to do paper based elections to the best way to do it digitally and draw our comparisons from that.
And that is what I did in my thesis. The best way to do in-person paper based elections is (a variant of) Floating Receipts, which is a better system than (a variant of) Civitas, which is the best way to do remote e-voting.
At this point I am very confused what you feel disagree about. We went into the weeds over some minor issue regarding spoiled ballots, and I feel like you are drawing way more conclusions from that than you should.
imtringued 162 days ago [-]
Agreed. One of the most common objections against democracy is that popular vote does not select for competence and therefore our politicians are not acting in the best interests of the population.
That isn't actually what voting is meant to do. The purpose of democracy is to kick out the old guy and stop the concentration of power by rotating the people in power frequently. The problem is that when you get rid of the old guy, you also need people to agree and consent that the new guy is indeed the new guy.
illiac786 162 days ago [-]
It’s a simple trust problem. No one is counting all ballots in the entire country, they trust others to do so, and do so in a truthful manner.
Same for machines, they’ll have to trust that some people did their job and checked these machines.
Not saying this will happen any time soon though ;)
9dev 162 days ago [-]
No, that's wrong. Democracy is a process involving the entire population of a country. A vote must be a process carried out by individual citizens to be trustworthy; if we delegate that to machines maintained by the government—because nobody else would be able to do so both trustable and professional—we'd create an incentive for the government to manipulate the system to stay in power.
If, in turn, elections are organised as distributed, local, and highly public countings, that get aggregated up to the final tally, citizens stay in control of their votes. Poll workers in a county may not count the votes of another county themselves, but they know there will be other volunteers all over the country doing so. It is extremely hard to manipulate a large-scale movement of politically inclined volunteers, and they can rely on that.
We cannot hand control over the vote to the government we possibly want to vote out. By reducing the massively distributed trust to a handful of computer wizards, we remove transparency from voting, turning it into a sham event that can be orchestrated by those in power to their liking.
illiac786 162 days ago [-]
> an incentive for the government to manipulate the system to stay in power.
Plenty of incentives and options even with paper ballots, as many dictators have shown.
> distributed, local, and highly public countings
Why wouldn’t this be possible with machines?
> We cannot hand control over the vote to the government
If you trust the people checking the machines have not been manipulated, this is not at all what would be happening.
9dev 162 days ago [-]
> Plenty of incentives and options even with paper ballots, as many dictators have shown.
Is that so? If anything, they ignore the ballots or fake the numbers—see Venezuela. That is another problem entirely.
> Why wouldn’t this be possible with machines?
With paper ballot countings, even the most plain citizen, can witness the counting and ensure themselves nothing shady is going on: Watching as people create heaps from ballots with a checkmark in the same box, then call out the numbers is not beatable in terms of accessibility.
With machines, complexity is orders of magnitude higher: Watching the computer is pointless. You don't get to see how it adds up votes, you have to trust its software is working as advertised. There is just no way to verify no component of the stack has been manipulated.
> If you trust the people checking the machines have not been manipulated, this is not at all what would be happening.
But that is the point! Why would you ever do that? What power does that grant to these people? How dangerous would it be to be such a person? Who even would these non-government election experts be? Why limit the number of people able to verify an election is going on truthfully to a small amount of technically literate experts, when we have a perfectly working democratic system in place?
Tell me this; how can you check the machines have not been manipulated with a 100 percent certainty? How do you verify the screen displays what it is supposed to, the software has no backdoors, the hardware has no backdoors, there are no parts swapped out, there are no second-order effects of transistors flipping bits if the ambient temperature reaches a certain point, the cables have not been messed with, the data it sends is not intercepted or altered, the packages won't be dropped, or arrive in duplicates, or any of the other myriad of possible failure conditions? An election is an extremely rewarding target for both internal and foreign/rival state actors. Just think of Stuxnet if you think this is paranoid, and that was 2010! How would you ensure that even the most sophisticated attackers won’t come up with an exploit?
You cannot. You cannot do this reliably for every machine involved in the election; the combined knowledge and experience involved in each of these questions far exceeds even most IT professionals. So you immediately remove the ability to witness the election from almost every citizen, by making the process infinitely more complex and harder to understand, for no reason at all.
I know there are lots of interesting problems to solve here, but democracy is not the right place for complex solutions to interesting problems.
There is virtually no compelling reason to drop a working process in favour of machines here.
Edit: and one more thing with elections is that you cannot just try again if something seems suspicious. You’ve completely shattered trust at that point, and the victor would rightfully claim the election had been stolen from them. Again: Democracy is no place for technological solutions.
atoav 162 days ago [-]
One question: How would a machine have to look that you use in a high stakes process, that someone else (potentially your adversary) purchases and setups and that you and the majority of the electorate can be able to trust?
Elections with paper ballots are somewhat straightforward in that regard. Any party member that doesn't trust the process can literally apply to check part of it and be able to see for themselves that there is nothing fishy going on in the part they checked. And they can do that with nearly no prior expertise. If they don't get to check it for themselves they can trust that enough people like them are envolved in the process that someone would collect evidence of wrongdoing if it happened. And these people are normal people and many, so bribing them doesn't make sense. Adversaries that want to make that election untrustworthy would have to insert so many people at so many steps and at such number, an attack against it quickly becomes impractical.
Not with a computer system, I am not even sure if I would trust a system that I myself setup and software that I myself had written if used in a high stakes election. But the few experts that are able to verify the process and have the computer knowledge to do so without naive optimism now are high stakes targets and each party now needs to have one at each polling station at some point after which the machines (air gapped?) need to be completely isolated unless you want that verification to become meaningless. The voter now needs to trust the expert and for a hint about how well that works I want to point you to the Covid pandemic.
So digital voting is a non-trivial problem to solve, especially for high stakes, anonymous, but transparent elections. And we computer people can't just hand-wave the doubts away, you need to address each attack vector a major nation state attacker could/would exploit. And even if we did that the result would be a system that nobody without special education could understand.
Sure, paper ballots are slow and the process lengthy and labour intensive. But the results are surprisingly stable and trustworthy even in many places where one would expect corruption and manipulation.
JanisErdmanis 162 days ago [-]
> But the few experts that are able to verify the process and have the computer knowledge
It sounds like you are not familiar with the concept of verifiability or more precisely E2E-V for evoting systems that can be attained. The goal is to never trust the software that is running the machines or officials and thoose are kept accountable with a public cryptographic evidence produced along with final tally. They still are trusted with not sabotaging the process and assuming that one or few parties are not corrupt to ensure vote anonimity, but never with integrity.
illiac786 162 days ago [-]
Example: in France you get a certificate of vote and a hash that can be looked up to verify your vote is counted, as well as verify what your vote hasn’t been modified. No one else get this, only you.
JanisErdmanis 162 days ago [-]
This is somewhat unrelated to what I posted, but interesting. At what time does voters get this hash? Is it after the cast their vote in which cases why wouldn’t coerces/bribers ask it as receipt that voters had cast their vote in a certain way?
mmaul 162 days ago [-]
Yea I guess the problem is with a party that is intent on disregarding truth or facts or verifiability or reality is not going to prevail against attacks against the system (unless it is rigged in their favor). What does code matter to them.
atoav 162 days ago [-]
The point I am trying to make here is that the creation of that agreeable consent ("I didn't like the result, but I am going to accept it") is easier when the process is tangible and people know that they can understand manipulation, tampering, tracking without an academic degree in computer science and decades of experience in the field.
However no voting system is perfect and 100% consent is next to impossible to achieve. But for major, high stakes elections we have to take any tiny sliver of trust we can take, even if it is at the expense of getting results fast or cheap.
As a young nerd I would've said: "How hard can it be", as an older nerd I understand that the computer part is the easy part, getting people to be able to trust and follow the process is the hard part.
EGreg 162 days ago [-]
All? Really?
How would you make such a sweeping statement? Can you list the systems you had looked at?
atoav 162 days ago [-]
Huh? Yeah, all. I teach electronics at the University level and I know:
1. How hard it is for already highly educated people to understand electronics and programming
2. What kind of complexity is needed on how many technological layers to just even have it work reliably and how much more complexity is needed to have it formally variable and tamper-proof
3. How many attack vectors exist in such systems — many of which mean a single motivated and skilled attacker could exploit on grand scale
All of that necessarily leads to a process that is less transparent than a paper ballot, because there are more moving parts. Your bloke from the pub will be able to understand how to check the integrity of a paper ballot. But of an E-voting system?
In my eyes it is a feature if within a democracy if all participants in that democracy can understand the whole election process.
EGreg 162 days ago [-]
That didn’t answer my question. What systems have you looked at?
Saying “all systems” is such a sweeping statement, it is very unlikely to be true.
Technology always improves and if you looked at any modern system, people some day in the past would be incredulous that it could possibly replace a bunch of smart humans with pen and paper.
Experts said airplanes couldn’t ever fly and the wright brothers were fools. Then they said there are many safety problems with airplanes. If you told someone it would be the safest form of travel for long distances, people would laugh. Just as you are laughing now. They would claim their logic would hold for “all” forms of air transportation.
People laughed that a chess playing program could beat a human, citing seemingly (to them) insurmountable challenges much as you do now.
You could have said exactly 1,2,3 about the Internet and many other things in the past.
Biganon 162 days ago [-]
You're missing their point.
It's not that it cannot be done. It's that even if you do it perfectly (whatever that means), you cannot expect people to trust it.
People trust papers in envelopes in transparent boxes in classrooms all around the country because it's intrinsically trustable, decentralised, easy to understand, extremely hard to manipulate at a global scale, etc.
People do not trust an electronic system. You can explain to them that it's safe until you're red in the face, it's not the point.
Democracy works if people have sufficient trust in it.
EGreg 161 days ago [-]
No, I'm not missing their point. The same exact things could have been said about the Internet. Their points 1, 2, 3 applied to the Internet. And even if the Internet could be implemented perfectly (whatever that means), you cannot expect people to trust it. And yet they do. People trust the Internet far more than they trust regular mail, for instance. But that wasn't always the case. It just kept getting better and adding error correction until it became far more reliable than manual systems.
People come to trust technology when it starts performing well. The same can be said about self-driving cars etc. etc.
exabrial 163 days ago [-]
Personally I love the idea of a fully verifiable election. I do the the current election protocol my county uses is pretty good: you present id in one room, they check your eligibility, then you’re given an anonymous ticket, in another room you vote using said ticket, and get a receipt. You can see your but counted online using said receipt.
There are two problems with this: 1. You can’t verify extra or in eligible voters voted. 2. It relies on trust that to tell you your vote was counted.
I am very interested in reading about this protocol, and it might make a fun hobby to re implement it as a research project.
The one issue I have is: the act of physically showing up is an important one. Mass stuffing of ballot boxes is nearly impossible when physical presence is required. It also puts ‘your ass in the game’, meaning you really care so to speak; as you have to do a minor piece of physical labor in order to get your vote counted.
If this protocol could be adapted to the physical world, I think it would be perfect barring any other issues.
tzs 163 days ago [-]
For in-person voting use "fill in the oval" ballots that can be hand counted or counted by offline optical card scanners, and augment that with Scantegrity II [1].
Scantegrity II is a system that adds end-to-end voter verifiability [2] to such systems by combining some clever chemistry with some clever cryptography. It requires no hardware modifications at the voting site except that special markers have to be used to mark the ballots.
Briefly, a code is printed inside each oval using a special ink that is invisible, which turns visible when that oval is marked by a special marker.
After the election all the ballots can be published, allowing any third party to independently verify the counts.
Voters that wish to verify that their ballot was included in the count and counted correctly can note the code from the oval and afterwards use it to verify the count. The code cannot be used to prove to a third party, such as a vote buyer or vote coercer, that the person voted the "right" way. Here's a proof of that [3].
> The code cannot be used to prove to a third party, such as a vote buyer or vote coercer, that the person voted the "right" way.
What if the vote buyer is with the government and can actually inspect the ballots after voting? Knowing the code is a proof that you saw a specific ballot.
thepra 163 days ago [-]
Please forget about showing up physically, it's noble to think of "you really care" but in places with organized crime they have ways to count if those that depend on them come and vote for their "right" choice.
It has been estimated that around 20-30% of IRL votes in Italy follow the organized crimes choice.
tossandthrow 163 days ago [-]
You don't think this is even more pronounced if the criminals can keep af gun to your head in your own home when voting?
That said - I am yet to see any protocol that is resilient against not showing up IRL (due to the exact reason above).
oivey 163 days ago [-]
Criminals showing up to your house, putting a gun to your head, and demanding your vote is a fantasy. You don’t need to defend against it because it’s a totally unscalable way to steal an election.
Ajedi32 162 days ago [-]
In most cases coercion probably won't be as obvious as someone literally pointing a gun to your head (though there certainly could be a literal or metaphorical gun to the head in some cases). Typically it'll probably be something more subtle like: "Hi, I'm going door to door to turn out the vote. Have you voted yet? No? Here, let me help you fill out your ballot. I'll even turn it in for you."
Coercion doesn't need to be overt to be effective, just a small amount of social pressure applied over a large number of people is enough to make a significant difference. That's why typically there are laws banning campaigning right outside polling places. Now what if the "polling place" is the entire country, over a period of multiple weeks? How are you going to enforce that? And how can the electorate trust that it is being effectively enforced?
gus_massa 162 days ago [-]
Here in Argentina each party has a big ballot. We can cut it and mix part of different parties, like a president from party A, a governor from party B and a major from party C. But most people are lazy and just select everyone from the same party.
A few years ago, some of the local county majors know that people liked them more than the candidate to governor or president of the same party. So they send helpers to each house to ask people and give them cut ballots with the combination they liked. No judgement. People can choose whoever they want. The county majors know it was better for them in average.
So it's possible to scale it if you distribute the task.
We have in person secret voting. So people can lie and accept the ballots provided by the helpers of the local major and then just pick another when voting. If people can vote remotely, they can be forced to vote under supervision.
tossandthrow 163 days ago [-]
Apparently it is not fantasy that these people do it at the locations.
I think more creative thinking on how the schemes could look will show some scalable solutions to coerce votes.
nicopappl 162 days ago [-]
If you are interested in creative voter coercion, and generally very creative ways of changing law so that the election results always end up how you like them, I recommend reading up on the very innovative Hungarian system https://www.journalofdemocracy.org/articles/how-viktor-orban...
> “Chain voting” ensures that people vote the right way. Voter 1 goes into the polling station,
> appears to vote by depositing an empty envelope into the ballot box, but comes out with a
> blank ballot. Voter 2 is then sent in with that ballot—now marked by a [party] operative—and
> told to put it in the ballot box and exit with another blank ballot in hand. Carried on down
> the line, the [...] party boss in the town can ensure that all have voted the proper way
> while the election workers find that they are short only one unaccounted-for vote
oivey 163 days ago [-]
You’re talking about voter intimidation at polling places, right? Yes, that is in fact well documented and not a fantasy.
You can send a couple guys with bats to a polling location and coerce hundreds of voters. What you’re describing would require a highly organized set of crimes taking years of man hours that would definitely attract law enforcement due to the prolonged time and scale. Fantasy.
“Creative thinking” is leading you down the path of made up problems with ludicrous solutions.
codesnik 163 days ago [-]
happened in annexed parts of Ukraine during "referendum"
oivey 163 days ago [-]
Source on that? That was a crooked vote, but it doesn’t really make sense for the Russians to send people door-to-door threatening people to send in coerced absentee ballots.
I assume they instead did the more normal things of local voter intimidation, outright not counting, and lying. If your government doesn’t want to follow democracy you’re fucked either way. No need for armed gunman to make you vote at gunpoint.
codesnik 163 days ago [-]
just door to door "vote at home" canvassing with two guys armed with AK. I wonder how many people assumed nobody would check where the tick went on the ballot. There were videos.
codesnik 163 days ago [-]
and yeah, I've been an election observer a couple of times, witnessing democracy deterioration in Russia proper, I have to say that they cheat on _every_ level, with ridiculous redundancy, and in many cases without any noticeable coordination. All it takes is to make elections in municipal organizations like schools and hospitals and just by convenience assign bureaucrats and other government paid officials (like teachers!) to manage voting districts. Those guys are very well trained to understand unofficial demand for "results". Otherwise you know, next time funding would be lower or day to day work would become harder.
Modified3019 163 days ago [-]
I get what you’re saying, but that’s not really relevant.
That was political theatre being made in a conquered territory, not an actual attempt at democracy. It’s like pondering the specifics of a vehicle’s engine performance/efficiency after it’s been hit by a fucking train.
There was/is no solution to fix voting problems in Russian held territory other than to violently force Russian thugs to leave.
onlyrealcuzzo 163 days ago [-]
I suspect you have bigger fish to fry than better voting systems if your problems are this bad.
mewpmewp2 162 days ago [-]
The digital platform would allow you to recast the vote after. Only the final vote counts. So unless you are kidnapped and guarded after rhe fact, it wouldn't work.
mixmax 163 days ago [-]
since you have to be alone in the voting booth and your vote is anonymous it can't be bought.
You can say that you voted for X, but vote for Y and noone will ever be able to tell.
aziaziazi 163 days ago [-]
In France vote choice are made by placing a predefined paper in an envelope. You enter the place, present an ID, take and envelope plus zero/one/several/all papers, go in the alone room to fill the envelope with the paper of your choice. You can take zero papers because some organiser will send them prior by post but it’s not always the case.
How does it work in Italie? I can picture easely how someone in the paper room can put pressure on you to only take one paper.
arlort 162 days ago [-]
All choices for a given question (we have bicameral elections and usually when we have referenda we have multiple at the same time) are on the same piece of paper.
Also they always give you all ballots, I don't recall ever being asked which ones I wanted. Plus at all points you are always in front of multiple people, I believe each candidate / party in an election gets to appoint someone to keep an eye on the proceedings
(Also the original claim about 20/30% seems like abject fantasy to me, unless we take the entirely different meaning of "20-30% vote for a candidate that organized crime is happy with, which is entirely unrelated to electoral interference)
ziofill 163 days ago [-]
Do you have a source for this 20-30%?
romwell 163 days ago [-]
Please forget about showing up physically because conflatingl caring* with your ability to do things physically is ableist as fuck, and not all disabilities are visible and/or certifiable.
Please forget about showing up physically because setting up a polling station in a place where there's effectively no public transportation cuts off poor people from voting.
Please forget about showing up physically because mail voting works fine, paper ballots are already anonymous and verifiable, and we don't need to argue about why showing up in person is better for the umpteenth time (or that adding extra friction is not a good thing).
Please forget about showing up physically because that "you really care" nonsense is in the same vein as literally testing, and democracy isn't about excluding voters who don't care enough.
This line of thought is, frankly, disgusting, and I'm ashamed that this is tolerated here.
gus_massa 162 days ago [-]
Here in Argentina, in some places there were a few types of fraud, for example chain voting. (I can't find local case, but see [1] [2].) People can be paid or coerced to participate in such a scheme.
The solution was that you get a signed envelope when you enter, go to a isolated room alone and put the ballot inside and they verify the signatures of the closed envelope before you vote.
With remote voting, nobody can check that people is alone when voting.
>Here in Argentina, in some places there were a few types of fraud, for example chain voting
Thanks for pointing out another vulnerability of in-person voting that mail-in voting doesn't have, due to its distributed nature.
Chain voting is something that's only practical to organize when everyone in the group is voting at the same place and at the same time, so the chain doesn't need to be coordinated in advance.
As long as people know what kind of guy to look for outside, they know there's quick money to be made.
Good luck coordinating a vote buying scheme with enough people to skew the vote by mail without anyone finding out.
>With remote voting, nobody can check that people is alone when voting.
Neither can any other system of voting, including in-person voting.
And if the person is truly on their own in the room, and they truly only have one ballot... they can snap a picture of their ballot to show how they voted.
The problem isn't "being alone" when voting, the problem is buying votes - and it's solved by going after the money in any case.
With chain voting, the schemers also have no way to verify that their pre-filled ballot was actually used (and didn't go into the trash bin). It works because the voters themselves are corrupt and lying to the state, but honest to the people who pay them - in which case the voting system is neither the problem nor the solution.
gus_massa 161 days ago [-]
> Thanks for pointing out another vulnerability of in-person voting that mail-in voting doesn't have, due to its distributed nature.
If they implement something like that here, I expect in some places that people is ask to go to the local party office and left the ballot/envelop with the code. It is easier. Voting chain is a trick to avoid the in-person checks.
synecdoche 162 days ago [-]
The in person secret paper ballot voting system on voting day appears to be a system with some of the least drawbacks, which is likely why it has been so popular.
Mail-in systems work too, with their own set of benefits and drawbacks, and is used in combination with the above in some countries.
romwell 162 days ago [-]
>in person voting appears to have least drawbacks
Citation needed.
Specifically, what are the drawbacks of mail-in voting compared to in-person voting?
>Mail-in system is used in some countries
The US is one of those some countries.
And in the US, with a long history of voter disenfranchisement and an abysmally low voter turnouts, where the election day is always a workday, mail-in voting is absolutely the best system currently in use, by a long shot.
Its benefit of being actually available and removing many of the artificial barriers to voting that exist across the US far outweighs any disadvantages it may have over in-person voting.
These barriers include:
-people having difficulty to vote on a workday
-difficulty getting to the polls
-lack of polling places in "undesirable" neighborhoods (and super long lines as a result)
-varied ID laws
-etc
Not coincidentally, the party that openly aims to decrease voter turnout for their benefit also opposes mail-in voting.
Nobody says that in-person voting should not be available. But it absolutely should not (and rarely is) the only option.
Unfortunately, its availability across the US is limited through the efforts of the aforementioned political party.
gus_massa 162 days ago [-]
Hi from Argentina:
> -people having difficulty to vote on a workday
We vote on Sunday.
> -difficulty getting to the polls
My poll station is half a mile away (or less). I can go walking or by bus that is free that day.
> -lack of polling places in "undesirable" neighborhoods (and super long lines as a result)
I vote in a school that has like 20 voting rooms. The waiting time is usually like 10 minutes. Last year in some rooms the waiting time was like 1 hour and people was angry. In that cases vote for the other party.
> -varied ID laws
Everyone has an ID here. It has a nominal cost, but if you ask nicely you can get it for free.
If the idiots here can organize an in-person voting election, anyone can.
romwell 162 days ago [-]
Hi from the US.
You don't seem to understand that what you see as problems to be solved are seen as features by half of our politicians, who would rather have people not vote at all.
These are the vulnerabilities of in-person voting that mail-in voting does not have.
>If the idiots here can organize an in-person voting election, anyone can.
No, that's not the case. I can't organize elections in Texas because I'm not in charge of organizing elections in Texas.
And people in charge of elections in Texas make sure that urban neighborhoods (which are likely to vote for the other party) don't have enough polling places to go to.
Oh, and did you know it's common in the US to have churches as polling locations? It's especially great when you're voting on issues like separation of church and the state, abortion, gay marriage, etc.
gus_massa 161 days ago [-]
> You don't seem to understand that what you see as problems to be solved are seen as features by half of our politicians, who would rather have people not vote at all.
I understand because we had the same problem until 1912 https://en.wikipedia.org/wiki/S%C3%A1enz_Pe%C3%B1a_Law that the problem was solved with secret obligatory in person elections. It was not easy. The 1930 were weird. All the last century was weird. This century is weird too, but at least elections are quite transparent.
> And people in charge of elections in Texas make sure that urban neighborhoods (which are likely to vote for the other party) don't have enough polling places to go to.
That's weird. I'm not sure how we ensure everyone has a good site to vote, because I expect some provinces to use all the dirty tricks that are barely legal. It's a good question. My guess is that elections are obligatory here (nobody really checks that, but there is a threat of a fee or something if you don't vote). So people wait outside the voting locations until they can vote, and if the queue is too long they get angry, and may start a small riot, and get the TV, and the federal government may decide to do something like investigating the local corruption.
codedokode 162 days ago [-]
> paper ballots are already anonymous and verifiable
I don't understand this part. What stops people responsible for giving out those ballots, from taking some of them and mail under someone's else name (for example, homeless person, drug addict etc)? You often need just several hundreds or thousands votes to win in a swinging state.
romwell 162 days ago [-]
>What stops people responsible for giving out those ballots, from taking some of them and mail under someone's else name (for example, homeless person, drug addict etc)?
A requirement to keep a record of which paper ballot envelopes were mailed out to whom, and to which address.
Ballot blanks are all identical, but the outer envelopes go through the USPS and have identifying numbers on them.
When the ballots are counted, the envelopes can be examined by all interested parties separately from the ballots. The ballots are taken one by one out of the outer envelopes, and put into a bin (they're folded in blank inner envelopes, so nobody can see anyone's vote at that stage).
Presence of an envelope that was received, but not mailed out is evidence of fraud.
Conversely, once put into the mail, the USPS can track each such envelope, and anyone other than the intended recipient tampering with that mail is committing a federal crime (regardless of what they do with it).
sinuhe69 163 days ago [-]
Why could they not verify against extra or ineligible voters?
If each ticket is tied to a national ID, then you can verify all tickets, right?
To ensure the secrecy of the vote, the votes should not be linked to the tickets. Each voter must verify that his vote has been counted. But once a vote has been counted, using blockchain can ensure that it cannot be undone or changed.
Could this work?
codedokode 162 days ago [-]
The government can create as many fake IDs as it wants, and vote in their name. Imagine a president that doesn't want to leave his post.
staindk 163 days ago [-]
Why is the act of physically showing up so important? I think reducing friction can be a great way to get more people to vote.
tossandthrow 163 days ago [-]
Because you need to ensure that the vote is given without anyone interfering.
mariusor 163 days ago [-]
I think a better measure against this is not physical presence, but allowing one individual to exercise their vote any number of times until the ballot period ends.
This means that a malevolent entity that wants to influence votes needs to sequester the voter(s) for the whole ballot period, which is vastly more difficult than putting a gun to someone's head for a single vote.
Executing this at scale so the effect can be statistically significant is even more difficult, and if it's still possible the entity holding the ballot can be assumed to have more pressing issues to care about than fair ballots. :D
codedokode 162 days ago [-]
Several years ago they used such system on election in Moscow, and there were claims (pretty plausible) that the government used second vote to change voter's vote to another candidate. There was noticeable difference between number of votes and number of voters.
The system used two blockchains: a public one which recorded votes, but without linking to a voter, and a private one that linked voters to vote records in a public blockchain. So the voter couldn't see how many times he voted because this info was on a private blockchain.
So when allowing to change a vote there are several issues:
- how do you invalidate previous vote? You need some way to link those votes, that they belong to the same person which might lead to disclosing their identity
- how do you prevent government from changing your vote by pretending that you voted the second time?
mariusor 162 days ago [-]
Do you have some links to that? It sounds very interesting.
> how do you invalidate previous vote?
All the votes are public on the ledger, you can clearly see which ones belong to which voter entry.
> how do you prevent government...
The government does not have your private key, also if a hacked vote happens, you as a voter ask for an audit of the vote entries.
I'm not saying there are no problems with electronic ballots, but I'm thinking that with enough time and elbow grease, they can be solved.
synecdoche 162 days ago [-]
This relies on the voter to have enough autonomy to be able to independently access their online ID. It would be easy to circumvent by separating the voter from their ability to identify themselves online. Either by keeping their means of identication from them during the voting period or by being the gatekeeper to the computer where their online ID is stored, for example with a password.
It also relies on the voter caring enough about their vote in the first place to be willing to attempt to do it, with whatever possible personal risk that entails.
mariusor 162 days ago [-]
The id is a physical card, where the private key and the data attached to it can be accessed through NFC. Sensitive data can be accessed through specific applications, public data can be accessed through a simple NFC reader.
And yes, if the government is corrupt in its entirety, from creating IDs to the ballot process itself and to sequestering citizens, then yes, you're fucked. But I don't see how that would be different for paper ballots or any other means of voting.
tossandthrow 163 days ago [-]
This is a interesting idea. I reckon the individual voting period would have to be randomized to ensure that the malevolent entity doesn't just assemble everyone on the last day?
nilsherzig 163 days ago [-]
It might be easy to extract this period from a potential victim, since the information would have to get delivered to them in some way.
I think it would already help a lot, that there are some physical limitations on how many people you could gather at the same time.
rrrrrrrrrrrryan 163 days ago [-]
I actually love this. I always cast my vote on election day because I want to have the most information.
What if I vote early, then the person I voted for has a major scandal the day before the polls close?
Being able to change one's vote would remove all the disincentive to voting early or whenever it's most convenient for you.
dmurray 163 days ago [-]
If you're changing your vote based on which side was the latest to have a major "scandal", you're part of the problem.
actionfromafar 163 days ago [-]
Generally yes, but it depends on what the scandal is.
actionfromafar 163 days ago [-]
It works like this in Sweden.
thegabriele 163 days ago [-]
For all Kinds of public elections? I would love to read more.
Thanks
Typically in the US, you can “spoil” your vote and get a replacement ballot, even after you mailed it. So this is already in effect in some ways
layer8 163 days ago [-]
For example, so that people aren’t forced by their spouses at home to vote a specific way.
romwell 163 days ago [-]
Great, so their spouses can just lock them in to prevent them from voting.
Or simpler, leave them with the kids (nobody else to watch them).
Disabled people must love this idea, too. And sick people. And elderly.
I think we could take this a notch further, and put the voting bin on top of a rock you have to climb.
Everyone sees people climbing the rock (ensures no vote staffing!), and once there, nobody can see who you vote for.
One person at a time, obviously, and if anyone is overstaying their welcome, the next person can simply push them off the rock.
It's actually a feature, not a bug, because it ensures that only really motivated people vote.
codedokode 162 days ago [-]
> You can see your but counted online using said receipt.
If the receipt allows to view whom you voted for, then it can be used to buy votes or pressure to vote for a specific candidate.
Nathanba 162 days ago [-]
I agree, but we need far more than just some online encryption.
1. We need a sort of blockchain system to make sure nobody can change votes later.
2. Every citizen can deposit their vote with their own key tied to their id number that nobody else has. Everyone should be able to look up their own vote via their key.
3. We need more proof of work, require every booth to record a video of the voter and have a unique physical marker so that the video cant be reused and require voters to write something specific to that location during their video.
4. Proof of location? Require voters to transmit their GPS at all times during the entire election day. Then at least group voting (beyond faking your own family members' votes perhaps) should be impossible and multi voting should also be impossible.
4. Make sure that the counting of ballots is instantaneous so that the cheaters have less room to cheat.
5. Proof of time? Surely we should be able to simply use time to our advantage, given that somebody who wants to cheat on a mass scale inherently has less time than the individual voters?
Maybe all of it together, we have so much data about citizens in most countries. It should be absurdly easy to have a citizen be forced via GPS to vote from his area or even his building where he is registered to live before he starts going to his local voting booth. This would give us a lot of confidence that this is really a separate, real person and also the person in question.
We need to use what we have to our advantage. People may be able to fake a lot of things but all of them? I rather trust a complex system like this than literal pieces of paper where any person with a bad mind can just choose to read it differently or stuff a few extra pieces of paper somewhere.
gloosx 162 days ago [-]
Personally I think the biggest flaw in any online voting system is that a network-connected computing device cannot be trusted by any party. Email inbox can not be trusted or verified. Such a simplistic online voting would never stand a chance against malicious actors who are somewhat more sophisticated and creative.
The future of paper voting can be something like a quick fingertip-actuated DNA sequencer which will imprint your DNA hash right into the paper ballot, but it will never be an effective system on top of the current network architecture. You have to show up personally to vote. Like can you imagine voting with SMS or something? This is complete non-sense.
However I think this tool would work pretty good on a smaller community scale.
noodlesUK 162 days ago [-]
In practice, I think that there are a number of fairly high quality voting systems available. A key part of that is maintaining a secret ballot.
1. Widespread voting in person at a number of distributed sites, with paper ballots and either hand counting or machine counting with risk limiting audits. This is pretty technologically trivial to implement, but requires manpower.
2. Widespread postal voting as it's done in places like Oregon, where there's a non-serialised ballot inside a serialised envelope. All voters are sent an envelope and ballot via postal mail, and the return can be done at either a drop box or through the postal system. On election day, all valid envelopes are opened and emptied under the watchful eyes of observers from each party. They are then counted by hand or with machines and risk limiting audits.
What should not exist are voting machines. There should always be a paper ballot in the process somewhere that is human readable.
Amezarak 162 days ago [-]
> The future of paper voting can be something like a quick fingertip-actuated DNA sequencer which will imprint your DNA hash right into the paper ballot,
This would mean the end to the secret vote.
gloosx 162 days ago [-]
Why so? It would calculate the hash, and to reverse it back to the original DNA is an irrationally expensive computation. On top of that, voter simply putting a random seed phrase for doing another 650000 pbkdf2 iterations would take this task to close to level impossible – at the same time the ballot itself will remain verifiable by the original voter.
a2128 161 days ago [-]
The thing about secret voting is that you want to make it impossible to verify that a particular person voted for a particular party. Otherwise it becomes possible to threaten people with violence if they don't show confirmation that they voted for the correct party, it also becomes possible to pay people $1000 if they can show confirmation of voting for the other party, people may start using the confirmation as a social thing to proudly prove which side they're on, etc.
gloosx 159 days ago [-]
Why would you ever want to make it impossible to verify that your vote really went for a particular party, you should just trust it blindly or what? It should be completely opposite of that in my opinion. It is impossible to prevent people from showing confirmation of voting for another party, since they are alone in the booth and they can write any confirmation code they want on a ballot and take a photo proof. Paying 1000$ for voting is a problem for tax institution not the election. There will always be a way to reimburse anyone for voting, but it comes with a risk since it is unlawful. In a true direct democracy system all votes are public, and looking at the wealth and wellbeing of countries which adopted such a system – I firmly believe it is a better one.
a2128 158 days ago [-]
Why? It's the norm in pretty much every country when it comes to making decisions at the national level. If secret voting is not ensured and there's a standard way to verify anybody's vote with 100% certainty, there will be employers firing people for voting for a particular candidate, there will be discounts/freebies for people who voted for a particular candidate, there will be violence and ostracism, celebrities and company executives will be harassed to justify their voting decisions, and all of this WILL pressure everyone's voting decisions (or the decision to not vote, to try to avoid being politicized), so it's not just a problem for the tax institution or police, it becomes a problem of elections fundamentally no longer being free or fair. For this reason we have the secret ballot, and documented election processes to ensure they can overall be trusted despite individual votes being kept secret.
"they can write any confirmation code they want on a ballot and take a photo proof"
Apart from the fact some jurisdictions (such as UK) will discard your vote for writing codes on the ballot, there are a million ways to photoshop or fake a ballot selfie some other way, there's no standard way to be 100% certain how anybody voted.
gloosx 155 days ago [-]
Fun fact, you don't even need to write anything on the ballot if you are in the UK, since every one of these has a unique number already, and every voter has a number which is printed down on the counterfoil of the ballot paper automatically. Secrecy of the ballot is not guaranteed in the UK, as officials do have access to the counterfoil and can determine how individual electors have voted. Even some US states require the ability to link ballots to voters, and it doesn't make these elections fundamentally non-free or unfair. People are fundamentally non-free to this day, nor will be free any elections they participate in, as long pseudo ballot secrecy is required to protect them from violence and graft and as long as they have no comtetence, knowledge and confidence in expressing and discussing their political decisions publicly.
atoav 162 days ago [-]
I think there is a niche for electronic voting for low impact decision making. Used as such it could actually make societies more democratic.
Elections that have the potential to shift the power structure of a state are not low impact decisions. Paper ballots being slow and labour intensive is a feature, not a bug for really high stake decisions like who is in charge of a nuclear arsenal for the next years.
The more I know about electronics and programming the worse I think the idea of E-voting is for such occasions.
tromp 163 days ago [-]
> Using the web interface, the voter enters her credential and selects her vote. Her computer then computes the ballot, which corresponds to the vote encrypted with the election public key.
Like most (or all?) online protocols, this doesn't protect against vote selling or vote coercion.
SamBam 163 days ago [-]
I was going to say. AFAIK, no one has worked out a way that you can verify that your own vote was counted, while preventing you from being able to sell your vote.
rcarback 163 days ago [-]
There are a number of such systems that do this via revoting or dummy ballots. One of my projects, Votexx, uses vote nullification (or flipping) via a trusted third party chosen by the voter.
The general idea for all of these is if you add uncertainty you reduce what a coercer is willing to pay creating a mutually assured destruction scenario whereby the system being in place ensures nobody ever tries it.
Votexx.org if you want to learn more.
JanisErdmanis 163 days ago [-]
The website on VoteXX and associated 4 page preprint does not offer comprehensive overview of the system. What happens to verifiabiloty when the vote is nullified? Does voter sees that the vote is cancelled and hence also coercer/briber?
peterhunt 163 days ago [-]
The same could be said of mail in paper ballots too, which have seen widespread adoption in the United States starting in 2020, so I don’t think this should be a knock against this system.
pessimizer 163 days ago [-]
You haven't heard people "knocking" about the widespread adoption of mail in paper ballots? They simply offer no protection against vote coercion which is not a good choice in any election of importance. Pretty sure at least one of the two parties has ending mail-in voting as a long-held position.
At the least, this will often result in heads of household voting for their entire families. At the most, it can result in people voting under the supervision of a local gang/militia member.
If anyone is looking for the right terminology to find papers, it's "no-receipt" voting. The holy grail is no-receipt, yet verifiable voting, but it might be mathematically impossible.
SamBam 163 days ago [-]
How would you prove that you voted how you said you did?
If you took a picture of your ballot, or even if you filmed yourself putting it in the envelope and putting it in the mailbox, there's nothing stopping you from taking it out later, tearing it up, and going to vote differently in person.
peterhunt 163 days ago [-]
Just do it in person. The voter fills out the ballot in front of the buyer, seals and signs the envelope, and hands it to the buyer in exchange for cash. The buyer then puts it in the mail on the voter’s behalf.
The voter could go to a polling place afterwards and attempt to cast a provisional ballot but my understanding is that this is difficult, varies significantly state to state, and in many cases is not possible given that mail in ballots are detached from the voter identity ahead of Election Day in many states.
163 days ago [-]
163 days ago [-]
codedokode 162 days ago [-]
First, this is too much trouble and many won't do this, second, you can lie to people that you have the means to verify their vote, third, you might require a person to write a code word on the ballot so that you can verify that they actually casted that ballot.
kylewatson 163 days ago [-]
The website says that your vote is last-write-wins. I think the idea is I could sell my vote and vote for A, then later re-vote for B. Since you can't trust that I won't just re-vote it won't be worth paying for.
But if you held a gun to my head and made me vote at 18:59, with polls closing at 19:00, then I guess it would work. Hell, if you held a gun to my head and had me vote a week early and then blew my brains out, that would probably also keep me from voting again.
So it's not complete, but neither is the current system. You could hold a gun to my loved-ones head and tell me to go vote for B in our current system. I could photograph the ballot from the box, cellphones are small these days. Or if I vote by mail I could easily prove to you I voted for B so you would let the hostage free.
So I guess it actually is an improvement over the status quo.
codedokode 162 days ago [-]
You don't need any guns here. Just call your employees and make them vote on their phone in your presense. Also lie that you have people able to see how they voted. Also give them some money so that they feel themselves as accomplice.
nmca 163 days ago [-]
hm - do random end times solve that particular issue?
In reality private keys will be mailed in insecure envelopes, issued multiple times (just to be sure) or issued to people, who are not citizens, moved away or died.
mariusor 163 days ago [-]
I think this will be prevented when these private keys will be part of the national IDs, similar to how Estonia and other European countries do it.
If there's a "national registry of citizens" comprised of public keys, I think it will be easy to organize ballots on top of that.
codedokode 162 days ago [-]
The government can issue fake IDs and vote in their name. Especially in countries where there are many migrants who receive citizenship, you can easily issue some extra IDs and nobody notices.
JanisErdmanis 162 days ago [-]
This attack vector is no different with paper ballots.
codedokode 161 days ago [-]
With paper voting you need both fake IDs and people. You need to recruit people ready to commit a crime, and transport them between polling stations. If you want to add million fake votes, you need somewhere about 100 000 accomplices, each voting 10 times. For comparison, with electronic voting to commit fraud, you need just one patriotic or corrupt system administrator willing to protect the country from an undesirable candidate. It is not difficult to find such type of person.
Electronic voting significantly lowers the barrier for commiting fraud by election administrators.
JanisErdmanis 161 days ago [-]
> For comparison, with electronic voting to commit fraud, you need just one patriotic or corrupt system administrator willing to protect the country from an undesirable candidate. It is not difficult to find such type of person.
The difference between having a passport or a national-issued digital identity card that has a private key inside is not much different. In passports, there are different security mechanisms in place that make it hard for an adversary to fake them. For digital identity cards, similar mechanisms exist so that their issuance does not depend on a single entity. The full list for which the identity cards are issued can be audited by sampling and finding follow-ups to see if the issued identity is owned by the claimed legitimate person and is independent, whether the thing is a passport or an identity card. Although, I don't know whether such checks are actually being done in practice. The security of digital identity is being assured with an increasing variety of documents that can be signed digitally using such government-issued cards.
Afterwards, when we have a list of public keys that are eligible to participate in the vote, E2E verifiable evidence prevents any involved party or coalition from deceiving the public with a manipulated election tally, as that would not produce valid cryptographic proof.
codedokode 161 days ago [-]
The list of eligible voters might be not published to protect personal identifiable information and to prevent misuse of such information (in my country it is not published). Therefore you cannot sample anything.
And even if you could, you see a name you never heard of, so how do you check whether it is a real person or not? Without having access to government databases.
JanisErdmanis 161 days ago [-]
> The list of eligible voters might be not published to protect personal identifiable information and to prevent misuse of such information (in my country it is not published). Therefore you cannot sample anything.
Trusted third-party auditors can have such access without linking the public key to a person's identity. They can also access government databases on a sample basis. This is no different than linking the passport serial number to the person's identity.
codedokode 161 days ago [-]
To clear possible misunderstanding, I meant remote electronic voting over Internet, not voting in a polling station in-person using voting machines. Those are more transparent and verifiable.
inhumantsar 163 days ago [-]
I don't disagree, the identity matching and uniqueness problem is a tough nut to crack.
it's worth keeping in mind though that this is an issue the current system faces. voters end up duplicated in the rolls under different addresses or old names, or they don't get removed from the rolls after losing eligibility or dying.
once upon a time I got two voter cards in the mail, one forwarded from an old address. I was eligible in two districts after nothing more extraordinary than moving across town. had to call in to get removed from the extra district.
throwaway48476 163 days ago [-]
The goal of a voting system is not verifiability, but trust. Without trust elections have no legitimacy.
the_snooze 163 days ago [-]
I think these are technically interesting systems, but "trust" really is the goal. "Verifiability" doesn't necessarily imply "trust," especially if it's shrowded behind inscruable crypto mumbo-jumbo. A voting system should be something voters and poll workers (i.e., local volunteers) can understand.
My opinion is that IT literacy is increasing fast enough that in the near future a significant percentage would understand enough about electronic ballots as people understand now about the paper ballots. And I think you're over estimating how many people "understand" paper ballots. Yes, they know the basics, but the details on how votes are counted, validated and secured might be a bit too much for a random Joe.
rayiner 163 days ago [-]
IT literacy is not increasing; if anything it's going down. My wife's Gen Z siblings grew up with iPads and think computers are magic.
Terr_ 163 days ago [-]
I believe that when Grandma laments/boasts that "kids these days just know technology", it's often a confusion of confidence with competence.
The elder generation grew up with stuff where you had to be more cautious of damaging it, while the younger generation is far more confident with "randomly mess around until it works", because they grew up with products that were designed to be more forgiving.
mariusor 163 days ago [-]
OK, fair.
I meant it in the sense of the younger generation has more exposure to concepts like encrypted communication and peer to peer communication and encrypted ledgers, etc. They might not know how exactly they work, but they know they exist and have an inkling of their attributes as they pertain to data secrecy, auditability, etc...
throwaway48476 163 days ago [-]
I'm far more familiar with cryptography concepts than the average person but I wouldn't trust myself to audit a crypto system or implementation.
mariusor 162 days ago [-]
Do you feel the need to audit the ballot process when casting a vote? Do you wait until the station is closed and watch the people count the votes? Do you know what to look for in regards to ballot tampering? Do you know who is allowed to count the votes?
I think that the details of the vote will indeed be opaque to most voters, but I think that's the case right now for most of us. As a voter you must have some trust in the process and in the fact that the correct auditors have vetted it. Hopefully it's going to get there for electronic voting some day.
throwaway48476 162 days ago [-]
Not really. I know the voting process is 'fortified'
dmurray 163 days ago [-]
You might trust yourself to read a bunch of blog posts on technical deep dives into the system and make up your mind based on that, though.
(Whether that's a good thing or not I don't know - perhaps you'd end up agreeing with whichever side has the most believable technological shibboleths, which isn't that much different from the current best practice of listening to the side with the better attack ads).
throwaway48476 163 days ago [-]
No, I'm aware of my limitations. Reading about how the system 'should' work does nothing to instill confidence that the implementation is correct or that there are no design flaws.
denton-scratch 162 days ago [-]
"Voter literacy" is obviously a good thing; but blockchain and encryption are not part of that. Very few software developers, for example, are qualified to evaluate a crypto scheme.
mightyham 163 days ago [-]
Or universal suffrage is fundamentally flawed. If people can't understand mildly complex voting systems then why should they be contributing to making political decisions that are significantly more complex.
debugnik 163 days ago [-]
But we don't vote on complex political decisions; we vote on our representatives, people whose interests allegedly align with ours, which is much simpler to understand, and delegate the complex decisions to them according to their qualifications.
Whether the candidates themselves, all of them, can be trusted is a much more serious problem with democracy, I think, than "dumb" people affecting the vote.
nhod 163 days ago [-]
this depends on where you live. there are many places in which people directly vote on complex issues. people in California voted to ban gay marriage. people in the UK voted on the incredibly complex topic of Brexit.
dumb people vote for dumb things, whether issues or candidates.
debugnik 163 days ago [-]
Well, referendums are kind of direct democracy, so yes, I agree those are at increased risk of dumb voting. But the actual problem there, to me, is such complex decisions being put to referendum in the first place; specially to a simple majority vote.
Also, gay marriage isn't really a complex issue: Even the dumbest person understood the consequences of banning it, they just were that sadistic. Agreed on Brexit though.
pcl 163 days ago [-]
Because systems that try to impose qualifications on voter characteristics historically end up being abused.
rayiner 163 days ago [-]
Maybe, but I don't agree with the cure. I think intellectualizing voting is a fool's errand in a representative democracy. I'd much rather filter on having good, democratic instincts. I'd rather have e.g. an Iowan who has a gut-level orientation toward De Tocquevillian democracy than a naturalized foreign elite who has been socialized to think of governance in terms of hierarchy.
wakawaka28 163 days ago [-]
Do you think any sitting politician, your physician, or your accountant really understands cryptography? Do you think studying cryptography needs to be a prerequisite to voting? I swear, sometimes nerds are insufferable snobs.
As for the implications of your premise: Do you feel comfortable in not having a say whether you are taxed more, have your hobbies criminalized, or get sent off to die in some awful war somewhere so that some jerk can get rich? Because that's what you ask for when you say some obnoxious technocrat is fine running the country with no input.
And before you mention passing an exam or something to vote, that's just a direct path to corruption and disenfranchisement.
crazygringo 163 days ago [-]
> especially if it's shrowded behind inscruable crypto mumbo-jumbo
HTTPS is shrouded behind inscrutable crypto, but nearly everyone trusts it with their credit card details.
Voting doesn't have to be any different. The implementation details don't matter, as long as there are easy-to-understand verification concepts such as receiving a "tracking number" for your vote that is then easy to see it was counted. And then journalists and other private election integrity observers who do random sampling from voter rolls and follow up on complaints. (This is not a complete list, just examples.)
And remember, physical voting is actually tremendously complicated as well -- inscrutable optical scanners detecting which bubbles you filled in, and then... what? Who's actually adding the numbers, and where, and how? The point is, the details aren't really important as long as we're vaguely aware that there are election observers and journalists trying to catch any irregularities, and we all know it will be major news whenever they're found.
schroeding 163 days ago [-]
> Voting doesn't have to be any different.
Yes, it has to be. If you break the ability for the average citizen to understand exactly how and why your vote is counted, you undermine trust. Trust into the democratic process is the thing keeping a democracy alive.
If someone currently says "<Country> / <Party> interfered with the voting process!", I can tell them to just observe their local polling station or even become part of the polling station staff themselves. Be there, check that the election staff doesn't start throwing away votes and count correctly. Check that the numbers they count are equal to the one on the official result for the polling station. It's all paper. It's easy to follow.
If we put anything between this, which requires trust into a magic box with a display, I cannot do this. If your credit card is abused, you see it on your bank account, always. You cannot have the same certainty the same for an anonymous election - yes, they may have proof that their vote was correctly counted, but what about the polling station as a whole? The votes of the other citizens? Most people will not check, just as you may only get one observer per polling station max today (which is already enough to prevent fraud for the whole station, in the case of paper ballots).
"Trust the journalists" does not fly.
> And remember, physical voting is actually tremendously complicated as well
It doesn't have to be. You don't need complex equipment, you can count directly in the polling station after it closes. Paper and people suffice.
crazygringo 163 days ago [-]
I completely disagree. You claim:
> Check that the numbers they count are equal to the one on the official result for the polling station. It's all paper. It's easy to follow.
I say that, using paper, it's not easy -- it's next to impossible for any individual to do.
On the other hand, if I can download a file of voting results, import it into Excel, and run SUM(), it's about a million times easier.
What's important to rely on is the fact that people are able to verify that their own votes are consistent with what's in the public votes (using something like tracking numbers), and we can also verify there isn't vote stuffing (which there's no room for, if the number of votes and "didn't-votes" equals the size of the voter rolls).
You claim this "requires trust into a magic box with a display" but that's simply not true. All it requires is the ability for everyone to verify that their vote got included accurately, that people who didn't vote got included as not voting, and that nothing got stuffed on top.
Paper and physical voting is actually far, far, far harder to independently verify and trust. It's just that until recently, we haven't had a practical alternative.
schroeding 163 days ago [-]
I don't know what the US does, but in Germany all ballots are poured onto a big table and then sorted into staples for each candidate / party. Especially since the votes / crosses are always at the same position for each staple, it is trivial to keep an eye on 5, 6 staples at once, and the remaining parties get almost no votes anyway. After that, the staples are split into 10s and counted by two people, independently, after each other. All results are called out loud. The results are also given to the city hall via phone, so everyone in the room can hear it. City hall publishes the official results per party per polling station as nice images, easily digestible. I don't see how this is next to impossible to supervise, even for a single individual.
If you want, you can even stay the whole day and keep an eye on the whole voting process except when the voters make their choice behind the privacy screen, you can see everything which enters the ballot box. I've seen myself someone regaining trust in the democratic process because of this - a guy who openly accused us, the polling station workers, of voting manipulation, being openly hostile, agreeing that everything was done correctly in the end. This would've been impossible while using electronic or online voting.
> it's about a million times easier.
If you, as a random citizen, know SUM() and even think about downloading the data for Excel, you are the top-n% in computer literacy. You are aware of that, right? ^^'
For most people, verifying their own vote on a website with no understanding of the underlying process is the absolute maximum you can expect, IMO. In this case, it is "trusting a magic box with a display". You compared it yourself with HTTPS, for which the same is true for the general public.
> What's important to rely on is the fact that people are able to verify that their own votes are consistent with what's in the public votes
But will people do this at scale and do people trust that they do so? The latter is the most important. It doesn't have to make statistical sense, it's about feelings in this case.
Because if most people (of a certain demographic like the elderly) don't check their own vote or a significant amount of people don't believe that they do so, you cannot automatically assume that all votes in the polling station have been counted correctly. It may have been e.g. only the votes of certain demographics (who are unlikely to check their own votes), which have been tampered, even if this believe is statistically unjustified.
If you supervise a whole analog polling station, you see for yourself this is not the case.
crazygringo 163 days ago [-]
>> What's important to rely on is the fact that people are able to verify that their own votes are consistent with what's in the public votes
> But will people do this at scale and do people trust that they do so? The latter is the most important.
Yes, absolutely. This is the most important, and that's what makes it all so easy! If you don't trust, verifying your own vote is a click away. If you think there's something fishy in your town, ping a few friends and ask them to verify. Journalists and international observers can sample a few thousand randomly chosen people and verify that the election is at least 99.9% accurate.
Because we all know that if journalists find even any pattern of people whose votes aren't getting counted, or were changed, it would be front-page national scandal news.
The whole process you're describing for physical polling places is a million times more work for any individual. It requires a massive amount of time and attention.
Meanwhile, with electronic/online voting, all you need to do is see if people are reporting discrepancies that hold up upon further investigation. If they're not, then it all works. I don't understand why you think people wouldn't trust this. It's dead simple.
schroeding 163 days ago [-]
Well, agree to disagree. :D
I see your points, and I would agree that the majority would still keep their trust.
> I don't understand why you think people wouldn't trust this.
Because people are not always rational beings, often don't understand statistics and, in my experience, the set of people not trusting journalists and having doubt on past elections having significant overlap. If you are not convinced the press isn't lying, and maybe just prints what the government wants, you will not expect that they uncover election intervention. And your friends may be on a list of the city hall, "they" know that they vote for certain parties[1]. This is basically verbatim what voters sometimes tell you, why they don't vote via mail. It's easy to transfer those fears onto electronic voting.
It's very hard to keep believing in serious election fraud if you see how (this kind of) analogue voting works, though. You have to trust nobody, only yourself, at least in regards to your local polling station.
> The whole process you're describing for physical polling places is a million times more work for any individual. It requires a massive amount of time and attention.
Yes, I don't disagree. It's significantly more work, inefficient and antiquated. All true. I'm just not convinced that the convenience of electronic / online voting is worth the risk that a) a fuck-up due to any kind of bug / security problem and b) people losing even the slightest bit of trust into elections because of "magic computer", even if they are caused by delusions, would pose.
[1] Germany has no "registration" as Republican or Democrat (w/ German parties of course) like the US has - they don't have such lists
somerandomqaguy 163 days ago [-]
>HTTPS is shrouded behind inscrutable crypto, but nearly everyone trusts it with their credit card details.
Credit card via HTTPS has a second layer to it though, the accountings/auditing layer. You can't achieve that with secret ballot voting without throwing out the secret part.
baobabKoodaa 162 days ago [-]
Yes you can, and that's the whole point of "verifiable" voting systems like OP.
nihzm 163 days ago [-]
> Voting doesn't have to be any different
From your long sibling thread I gather that for you it is more important to be able to verify the votes by yourself through the output of the voting system (the excel example) than to be able to reason through the voting system itself. Whereas for schroeding it is more important to be able to conceptually understand and scrutinize the voting process as a whole, even though it might be difficult for any single individual to check on that their own vote was counted. Correct me if the summary was not fair.
Suppose we bring the two ideas to the extreme and imagine two voting systems:
- an extermely complex, completely opaque voting system that can only be managed by experts to function correctly, but with a perfectly infallible way to individually check that their vote was correctly counted
- an extremely obvious and straightforward way of voting such as paper ballots that are securely physically transported to a central location (all of them) and counted by people surrounded by observers (all in one sitting). clearly any individual cannot check that their vote was actually counted
If there is a disagreement about the result of a vote because, let's say for the sake of the example that the losing party thinks they should have won; In the first system everybody can of course check their votes, but what if the losing party questions the checking system itself? Then it is on the experts to justify why the vote is correct (can they do it?). On the second system, because everybody can reason through it, it is on the losing party to prove that the vote was not performed correctly, by pointing at some part of the (simpler) voting procedure.
I think that the second system is more robust in the sense that when there is a disagreement, it is easier regain everyone's trust. With simple procedures, the disagreeing party can make more meaningful demands on the people who manage the voting system to check that the vote was correct. In the first system it is the opposite, and because by definitions it is only understood by experts the losing party cannot do anything but to claim that the whole system is rigged.
So, since voting systems are ultimately a tool to collectively take decisions, I'd say that there is more value in having a simple procedure than efficiency and extremely precise feedback for individual votes. The trust in voting systems is different than the one in credit card processing systems.
Of course real electronic voting and real paper voting are neither of these two extremes, but choosing the e-voting moves us closer to the first system, while paper voting to the second.
9dev 163 days ago [-]
> paper ballots that are securely physically transported to a central location (all of them) and counted by people surrounded by observers (all in one sitting).
That is unnecessary complexity already. Ballots can be counted directly in the voting stations, by the local citizens. If you want to check your vote is counted correctly, stay to witness the counting. After the results have been counted, they can be communicated to the city hall via phone, so everyone in the room can hear it.
nihzm 163 days ago [-]
This would be more realistic, and everyone can still understand it, so it is another good example. The point was to provide an extreme system to highlight the value of simplicity in the dynamics of trust in a voting system.
9dev 162 days ago [-]
No no, I got that. I wanted to highlight that part of the paper voting system in support of your argument, as I think democracy is a people business, and the paper system works by involving people at every step. If citizens are responsible for counting the ballots and watching the process, they also share responsibility for the trustworthiness of the system. By involving as many of them as possible, large-scale manipulation becomes nigh impossible.
paradox460 163 days ago [-]
> nearly everyone
I remember having a boss demand I put the authorize seal next to our credit card form, else it wouldn't be secure
We used stripe
wakawaka28 163 days ago [-]
The difference between trusting HTTPS with credit card details and trusting crypto BS for voting is that you can easily tell if your credit card ends up abused. You can't easily tell if your vote is or isn't counted.
You're generally right about each point in the process being a potential point of corruption. That's why voting systems need to be very simple and involve lots of people, even if it costs more. Ideally multiple independent parties would count the votes and compare results for discrepancies, until they reached an agreement.
crazygringo 163 days ago [-]
> You can't easily tell if your vote is or isn't counted.
That's why I said:
> such as receiving a "tracking number" for your vote that is then easy to see it was counted
There absolutely has to be a way to easily tell if your vote is or isn't counted, and that it's part of the sum total. I don't know if Belenios specifically does this in a way that is easy to see, but there's nothing inherently difficult or impossible about it.
wakawaka28 163 days ago [-]
I would concede that it's possible, but if you don't trust the system overall then it is basically impossible to solve the problem. And it's not just about making sure that your own vote is counted. It's about making sure there are no fake ballots cast. There are so many ways that illegitimate ballots can be cast, and I think an electronic system just makes it that much easier. At least with paper in person, someone has to show up and fool a poll worker. There's also a finite number of times that someone can commit fraud in person in one day.
crazygringo 163 days ago [-]
> It's about making sure there are no fake ballots cast.
Yup, I was clear that I wasn't giving an exhaustive list of the necessary things.
But that also has solutions that can be easy. The easiest is simply to make sure that the voting rolls are accurate, and that the size of the voting results has the exact same number of entries (because it also records every instance of not-voting).
So that if everyone who is an eligible voter, and therefore received a tracking number (even if they didn't vote), and they look up their tracking number and it's accurate (including "didn't vote") -- then there's no "place" to insert fake/stuffed ballots, because it would necessarily make the number of tracking numbers larger than the size of the voter roll. (And of course, voter rolls can be sampled randomly to determine they're made of actual real people as well, to whatever accuracy you desire.)
The point is, there are solutions to all of these things that don't involve some kind of blind faith in crypto. But rather just common-sense solutions where it's easy to understand that any massive gaming of the system will be detected.
throwaway48476 163 days ago [-]
A better heuristic is 'can you explain the system to a five year old'.
ratorx 163 days ago [-]
Ideally you want both. “Trust” is a bit qualitative and includes a lot of factors outside the voting system itself. Just because a voting system is “simple” doesn’t mean people trust it (e.g. Trump voting shenanigans). Obviously just because there are bad actors which can make trust impossible, doesn’t mean you should give up but it is a separate axis to the voting system itself.
On the other hand, “verifiability” is a more useful property on a larger scale. You may trust your local government but do you trust local government in all other districts? What if, with sufficient knowledge you could prove that their voting was right or wrong? I think that also seems like a useful property.
evantbyrne 163 days ago [-]
Trust is a social challenge, not a technological one. It is effectively impossible to stuff ballot boxes at scale in the US, but a large number of people still believe the last presidential election was stolen.
declan_roberts 163 days ago [-]
Who needs scale? Doesn't the election ultimately come down to a couple of counties in 2 or 3 swing states?
evantbyrne 163 days ago [-]
Even sneaking a single box of ballots into an American polling station would get caught in a key district. Please see my response to baggy_trough.
shrubble 163 days ago [-]
You literally have video evidence from 2020 of people driving up with their cars and shoving 100+ ballots into absentee boxes; and you wrote the above with a straight face?
idle_zealot 163 days ago [-]
Thank you for serving as demonstration of this poster's point.
paavope 163 days ago [-]
No, I haven’t seen evidence of that, and a quick googling for “2020 us ballot stuffing” doesn’t show me such
So there is a clip of someone dropping multiple ballots in a drop box. Apparently [1] that is not necessarily fraudulent, you can drop multiple ballots from family members.
There were international observers in the 2020 election and they found no evidence of fraud [2], and many mainstream media sources that I hold reliable, (e.g. [3]) fact-check multiple claims of election fraud and nothing has showed up that would suggest that the election was "stolen".
I don't think it is at all preposterous to assume that the 2020 US election was fair, unless you subscribe to a view that the global mainstream media apparatus is in on some grand conspiracy.
Different people could look at the same clip and assign different probabilities to P(ballot stuffer) vs P(Family ballot courier). It would depend on your Bayesians priors. If a person from a high trust society like Sweden or Finland were to see this video, they might have a prior expectation of someone being helpful. Whereas there are much lower trust societies in the world where that would not be the case.
We've gone from "haven't seen evidence" to "seen evidence at probability P-prime". Trust in an electoral system is an important enough issue that this should be investigated to the same thorough degree as a capital crime.
evantbyrne 162 days ago [-]
You're entitled to your own opinions, but not your own facts. Delivering absentee ballots on behalf of other people is not ballot box stuffing. Taking a clip of something completely mundane and attributing imagined facts and motives to it is not evidence of a stolen election. There is still an audit trail for all of those ballots from registration, to requesting the absentee ballot, to printing, and to shipping. Where are the people claiming they lost their absentee ballots and getting flagged as double-voting because someone took their ballot? This is according to all available data a made-up problem by people who are clearly worried that the "wrong" demographic is going to vote against their candidates of choice.
Timon3 162 days ago [-]
I've only watched the first minute (due to the presentation style), if there is better evidence later please link to it directly - but the supposed evidence does not show anybody "shoving 100+ ballots into absentee boxes". It seems to be maybe 10, at most 15 ballots, which is an absolutely realistic number for somebody dropping off ballots for their whole family.
Did you mean to send a different video? Or are you deliberately misrepresenting evidence to support your position?
baggy_trough 163 days ago [-]
Why do you believe so?
evantbyrne 163 days ago [-]
Representatives from both parties are present for voting and ballot counting. They have observation areas. Plus they keep electronic and paper records. The few people who attempt voting fraud are easily caught. Parties abandoned ballot box stuffing in favor of gerrymandering and other voter suppression tactics long ago.
baggy_trough 163 days ago [-]
Where I am located, there are ballot boxes literally on the side of the road, and we have universal absentee balloting. Anyone who can acquire ballots, perhaps from non interested voters, or those who can be pressured, can submit ballots and there would be no feasible way to know.
Election day, in person secret voting, with voter ID is the way.
evantbyrne 163 days ago [-]
The absentee voting process is still audited at every step. They even have observer areas in the ballot printing facilities now. How would a party ever subvert the process that exists to stuff ballots at any scale?
codedokode 162 days ago [-]
- those who print ballots can print some extra ballots in secret and put them in the box
- the ballots can be printed at non-monitored facility. I am sure FBI has such capabilities, there are many talented people
- those responsible for transporting ballots can "forget" some of them accidentally
- at polling stations where there are no election monitors, they can take as much ballots as they need
baggy_trough 163 days ago [-]
Control and visibility of absentee ballots (in my state, all of them) is completely missing between mailing and drop-off. That is how.
evantbyrne 162 days ago [-]
Sure, but how much can/should the state do about people in the same household hypothetically stealing each other's ballots? The registration process requires ID, so I'm not convinced additional authentication is needed.
baggy_trough 162 days ago [-]
Don't limit your imagination to households, although that's also a problem. What about apartments that receive all their ballots at the same time, or congregate living shelters, etc. etc.? It's not that hard to conceive of collecting tens or even hundreds of ballots if you have the right access to mail.
The state should eliminate this problem by requiring everyone to vote in person on election day with voter ID using a secret ballot.
evantbyrne 162 days ago [-]
People who order absentee ballots are presumably expecting them to arrive. It would be pretty obvious if someone started taking ballots from such a highly engaged voting demographic. If not from people looking for their missing ballots, then it would show up as double voting eventually. Every apartment I've ever lived at also had locking mail boxes. In the absence of evidence that any ballot box stuffing happening at any scale, and having so many controls in place, we can safely assume it is not happening. But sure, perhaps mailed ballots could be improved to further combat the possibility of mail theft.
baggy_trough 162 days ago [-]
I've tried to explain this, but I will repeat. Nobody orders them any more; they are sent by default. That includes to the lowest engagement voters who may not even be aware of them.
We should not expect there to be much evidence that this is happening because the system has in effect, if not by intention, been designed to prevent any such evidence from being collected.
That is why there is some legitimate doubt in the tamper proof nature of our elections.
evantbyrne 162 days ago [-]
Must be a state-specific thing. Here is Michigan we still need to request them separately. Either way, it's still authenticated at time of registration, and it would still be relatively easy to catch. Someone would notice for all of the reasons mentioned plus there are cameras everywhere in residential areas these days. People are occasionally convicted of voting fraud btw. It's just extremely rare because it's an incredibly high risk and low reward crime.
Why stuff ballot boxes when you can just make it harder for people that typically vote against your party to even get their ballots in the first place, or divide up cities in convoluted boundaries to prevent non-white communities from being able sway districts? All perfectly legal methods that have worked well for the GOP, which didn't even win the popular vote with their last president. That is the real reason GOP leadership pushes anti-absentee ballot narratives and DNC tries to expand those programs.
baggy_trough 162 days ago [-]
All of these things are problems that weaken trust in the system.
Widespread absentee ballots are bad, early voting is bad, gerrymandering is bad, lack of voter ID checking is bad, non-secret voting is bad. I'd like to see them all done away with.
baobabKoodaa 163 days ago [-]
If I had to choose between a broadly trusted voting system which has been secretly compromised by a hostile state actor, or a not-broadly-trusted verifiable voting system, I would choose the verifiable voting system any day.
ncr100 163 days ago [-]
An image illustrating why this (Belenios) approach is trustworthy could go a long way for many people. Images are a powerful tool for internalizing ideas.
I took a (lazy) crack at generating an image from a (could be 120% incorrect) ChatGPT conversation, FYI:
What if you want your citizens to be able to vote on policy matters in real time to make things more democratic?
It would be too burdensome with pencil and paper. Alternatives are useful.
nihzm 163 days ago [-]
> vote on policy matters in real time to make things more democratic
Discussion, debades and more generally exchanging opinions with others and pondering the options before committing to a decision are important if not essential for proper functioning of democracy. This necessarily takes time. How would real-time voting make things more democratic? I see no advantage in making the process hasty. If anything, it would trivialize the process, like voting for a game show on television, which would definitely be bad.
Gud 163 days ago [-]
We can get to that when we pick the low hanging fruit first.
In Switzerland, they hold votes 4 times per year, in municipal, cantonal and federal referendums.
Arguably there should be a non binding online based real time opinion voting to increase democratic input.
DemocracyFTW2 163 days ago [-]
efficiency != democracy
163 days ago [-]
V__ 162 days ago [-]
Talk about any issue you know a lot about to someone who knows nothing about it, and you will quickly understand why more direct democracy is an horrible idea.
mariusor 163 days ago [-]
Something being hard does not mean that it should not be tried.
There are methods for preventing all the issues Tom Scott raises.
nihzm 163 days ago [-]
Suppose for the sake of the argument we implement such methods that bring the level of security of the digital vote to be mostly equivalent to paper voting (though I do not think this is possible). Then why do you think it would be better to use a harder method of counting votes? I do not see a strong argument to justify the change. The burden of proof is on the new technology, not on the old one that has been working so far.
mariusor 163 days ago [-]
Why do you think it's harder to count votes? I'm not sure what belenios uses, but in the process I envision a ballot is a publicly accessible encrypted ledger, where the votes exist publicly.
nihzm 163 days ago [-]
> Why do you think it's harder to count votes?
I assumed this from the parent post
>> Something being hard does not mean that it should not be tried.
As opposed to paper voting, which does not have the issues raised by Tom Scott. If that is not what you meant, don't you agree that a more high-tech solution, complete with unspecified but granted methods that mitigate the security problems, requires more expertise and makes the process of voting as a whole more difficult than the low tech one? (eg infra / software maintenance, robustness to outage, educating people on how to use it, ... everything discussed by other threads)
> ballot is a publicly accessible encrypted ledger, where the votes exist publicly
It is cool, but I do not see how this improves upon voting on paper by mail.
mariusor 162 days ago [-]
> don't you agree that a more high-tech solution, ... requires more expertise and makes the process of voting as a whole more difficult than the low tech one
Sure, it takes more expertise to run a ballot, but not more expertise to cast a ballot. And that's where the democratic process fails in most of the western world at the moment. Entire demographics are not interested in voting due to the higher bar of going through the motions of going to a ballot booth and casting a paper ballot.
In a world where it's possible to vote from your personal mobile device there doesn't need to be a whole circus and the entire country needs to stop in its tracks for the election day. It can be just another day, another weekend, or another week. You can vote for the smallest things that are interesting for you. Local issues need not to be left to the latitude of mayors or councils, but you could now vote on them from the comfort of your own home.
sanbor 163 days ago [-]
Voting with pencil and paper is easy, everybody can participate in the voting process and understand it. Also, paper and pencil are more sustainable (can be made from recycled paper and trees, which you can plant, as opposed of mining minerals, shipping, and maintaining thoudsands of computers, with batteries in case there is a power outage).
_heimdall 163 days ago [-]
Especially with something like voting, it is worth considering those who actually can't use paper and pencil.
In college I worked in a research lab building accessible voting systems. We regularly ran test elections with the deaf and blind community. Its both amazing to see how adapted a person can become to living in a world that assumes a certain level of physical ability. Its also amazing to see how horribly inaccessible most voting systems are.
With paper ballots, for example, you are usually limited to sitting in a booth with a poll worker and telling them how to fill in your ballot. That does technically work, but breaks voter privacy and you have no way of knowing if they filled it in right because, well, you can't see the ballot.
throw0101d 163 days ago [-]
> We regularly ran test elections with the deaf and blind community.
Already a solved problem, e.g.:
> On election day and at advance polls, your polling station will have tactile and braille voting templates that you can use to mark your ballot. Simply fit your ballot into the template and use the braille and embossed numbers to find the space next to your chosen candidate's name.
Sure. I don't know if those specific devices were around 20 years ago, but there are various options.
Another part of our goal was to build a voting system that was accessible by default, meaning everyone was able to use the same device regardless of any disabilities they may have.
yoavm 163 days ago [-]
everyone _that can make it to the ballot_ can participate. also most people have computers already, so you don't need to ship anything. from a sustainable perspective, I'm assuming it's better to have everyone stay home instead of travel to the nearest ballot, and just use their anyway-always-on device.
mariusor 163 days ago [-]
Also "everyone that can be arsed" to make it to the ballot. Which is a notorious problem that democracies are faced with today. Younger demographics don't get involved considering the election process too much of a chore in comparison with the outcomes.
somerandomqaguy 163 days ago [-]
Not really, one of the goals in contradictory to the stated goal of an electronic voting system of voter verifiability.
The problem is that when you can verify that your own vote has been counted a certain way, that can be used to influence the vote. $100 Amazon gift card if you verify that you have voted Purple. Lack of verifiability has been a feature to prevent a voter from willingly participating in manipulation.
JanisErdmanis 163 days ago [-]
One way to achieve verifiability is through deniable tracking numbers computed locally in network-disconnected devices. To ensure that they are deniable, they can only be computed after all tracking numbers along the votes are made publically available, which can be realised by publishing a secret code that the voter inputs into the device. That way, when the coercer/briber asks for a vote to be cast in a certain way, the voter can select another tracking number from a public list and show it to them. Meanwhile, computation on the device ensures that it does not have access to resulting tracking numbers and corresponding votes with which it could deceive the voter. Meanwhile, the cryptographic proofs ensure that every voter has one unique tracking number. This is the general idea of the Selene system.
somerandomqaguy 163 days ago [-]
That genuinely doesn't seem to solve anything to me.
Sure you can generate all these secret codes but then why wouldn't a briber ask for you to take a picture or video of the screen with all the codes and secret? OCR and computer vision is quite good nowadays and most people are carrying a video camera in their pocket, so the process can potentially be scaled. Bonus points if its install the Purple App and ask the voter to point their camera at the screen with all the codes. Double bonus points if the app generates a nice easy password for the used to plug in to be used as your secret.
And the thing is that it doesn't need to be super accurate. Even if its only budgeted with $10 million worth of $100 gift cards and it's only about 70% of the cards were getting the desired outcome, that's still 70,000 votes going purple. Especially if you limit it to being the first 100,000 confirmed voters, you'll still get people participating if they think there is still hope for getting a card. Even more if you're convincing voters that are only voting for the sake of a gift card and don't actually care about the result of the election.
And ultimately that's just one of several attack vectors I can think of. And I'm not a smart person; I'd go as far to say that I'm actually pretty stupid. I can't imagine what a room full of actually smart folks with NSA-like budget and NSA-like permissions can come up with. Remember the gigantic mess with Dual_EC_DRBG in the FIPS 140-2 standard?
JanisErdmanis 162 days ago [-]
It is tough to convince oneself that all attack vectors are being considered. The key idea is that a coercer or briber cannot always monitor their subjects, which leaves a window of opportunity for voters to cast their desired vote and set up fake credentials for their devices. This assumption, however, falls apart when the coercer or briber asks for voters’ devices and corresponding PIN codes during the voting period. I am motivated by the belief that such an attack vector is, in most cases, unrealistic.
Regarding your suggested attack vector, where the briber asks for a video of the screen showing how the number is displayed on the screen, this can be resolved with fake credentials. When creating a fake PIN code, the voter can specify inputs and outputs to the device with which the video can be taken. Fake credentials can further create fake credentials, so it is not possible to distinguish them.
mariusor 163 days ago [-]
I have a different comment where I'm stating that one way to counter the influencing of votes is through allowing the voter to cast their ballot any number of times until it ends.
I can think of a method that allows a voter to decrypt the ballot payload only coupled with one or more keys from the parties that organized it. Ie, if I as an individual want to see the vote, I can't. But if I suspect my vote has been tampered with I can ask the organizers to audit it, and with both our keys, I can see the payload. (This is just back of the napkin theorizing, it might have other issues)
somerandomqaguy 163 days ago [-]
I'm not sure how the solves the issue of a voter that wants to reveal their vote.
mariusor 163 days ago [-]
I'm looking at the problem through the lens of "why does a voter want to see their ballot". The answer which prevents the issue of vote buying is "to audit the validity of the vote", which then is ensured through putting some stop-gaps in front of viewing the vote in the form of requiring intervention from the entities organizing the ballot.
Ie, if a malicious entity wants to make sure that the votes they have bought are corresponding with what they asked, they need to go through a more difficult process than just asking the people they bought from to reveal their vote.
JanisErdmanis 163 days ago [-]
> why does a voter want to see their ballot?
Because of potential malware on the client's device that can manipulate a vote before it is cast.
flanked-evergl 162 days ago [-]
It's not hard to make electronic voting as tamperproof and reliable as paper ballots, it's impossible.
thinkloop 163 days ago [-]
The criticisms in the videos do not appropriately counter the solution in the linked article. Scott's superficial discussion of blockchain at the end misses the entire ethos of blockchain. We agree that servers, devices, software and networks cannot be trusted, and possibly never will be. So we ignore them and instead rely solely on the output. Every stakeholder audits the final official "blockchain" (for lack of a better term) using their own tools, engineers, and techniques to verify its credibility. I'm not claiming that this has been solved, although Belenios seems damn close. But it definitely seems conceivable that we can one day come up with a functional scheme that distrusts the machines as a first principle. What specific problems do you see with the Belenios attempt?
flanked-evergl 162 days ago [-]
Blockchains are only verifiable and reliable in so far as everything that exists exits in the blockchain. As soon as it interfaces with the real world you start hitting the Oracle problem [1]. That you are not aware of this and still push for even considering it as an alternative to paper ballots is part of the problem. We need constitutional amendments that ban all forms of electronic voting in every democracy.
The main issue is that centralized electronic systems can be hacked at scale. That's what the paper solves, it slows everything down making it difficult compromise results en-masse. Verification is much simpler and cheaper than voting itself, and can be distributed. A distrusting community, for example, can build their own easily auditable tools, running on their own random machines, to verify the integrity of their community's votes. Thousands of communities around the country can do the same - again each using completely independent hardware, software and networks, all of which would have to be hacked. You may also be overlooking that we have the benefit of a reliable root of trust in the form of manually provided government documents and IDs that are carefully provisioned. You think in 10,000 years it will still be impossible to run a vote electronically?
flanked-evergl 161 days ago [-]
> You may also be overlooking that we have the benefit of a reliable root of trust in the form of manually provided government documents and IDs that are carefully provisioned.
I'm not overlooking it, self-interested political parties are, but you are conflating the authentication problem with the voting problem. Moving to electronic voting does not solve the authentication problem, it just adds one more problem.
> You think in 10,000 years it will still be impossible to run a vote electronically?
Yes.
sylware 163 days ago [-]
Nothing will beat the paper with physical verification/monitoring of people from different parties with the details of the end results properly published for everybody to double check.
The only way to trust voting machines (which could be rigged before delivery), would be to physically watch which buttons the voters did press, and manually account it... which would violate the core rule of anonymity, that to avoid retaliation.
cies 163 days ago [-]
A cachier roll, that is locked into the voting machine. The voter selects an option on the machine, each option has a number. Once the voter confirmed it's pick the number is printed on the cashier roll and "rolled" into view for the voter (a small slit window of some transparent material will do). The voter can then see the number was printed. After the voter presses the "done" button, or leaves the booth, the vote is rolled beyond the window so the next voter cannot see what the previous voter voted.
The rolls used can be marked uniquely.
The voting machine will print an opening and closing pattern so no votes can be added before or after.
baobabKoodaa 163 days ago [-]
There are various methods to trust voting machines. The simplest example is a machine which immediately prints out a paper trail that the voter verifies.
flanked-evergl 162 days ago [-]
I would love to see constitutional amendments in every western country that outlaws all forms of electronic voting.
gxt 162 days ago [-]
There is a contradiction on the first page. If "ballots are signed by the voter credential" then there is no vote privacy.
Electronic voting system must be prohibited across the board. Every system is vulnerable, electronic system are all remote controllable, I much prefer to have a person within the jurisdiction to go after than someone outside of it.
I don't understand howhy it's ever made out to be more complex than that.
catapart 163 days ago [-]
Awesome! I hadn't heard of this.
Obviously not something that seems reasonable for government implementation, but this seems like it would be great for soliciting a specific kind of feedback about a project or business. Board elections, or product reviews from third party stakeholders, or stuff like that.
Truly auditable voting is definitely a tough enough problem that I'd never want to tackle it myself, so I'm glad this is available should I ever find a use for it!
9dev 163 days ago [-]
Can you even reliably verify the entire voting process? From individuals using digital devices to votes being counted and tallies confirmed?
egberts1 163 days ago [-]
The many ways that an electronic ballot machine can lose its integrity:
Any idea how those apply to the current topic? Just on a quick glance some of the voter fraud methods don't seem to apply: unregistered voter, multiple voting, etc.
stoical1 163 days ago [-]
Current and past voting systems have always been counterpart to boundaries of land, thus government of that land. Physically showing up at the polling station is symbolic enough for that realisation
cqqxo4zV46cp 163 days ago [-]
As usual, good old fashioned pen and paper is worlds better than this or any other attempt by overzealous tech people with a hammer looking to hit this particular nail.
pessimizer 163 days ago [-]
Good old fashioned pen and paper has tons of problems, and doesn't meet most of the guarantees that these voting systems are going after. Also, good old-fashioned pen and paper, when used, is surrounded by various systems and various equipment in order to: keep it anonymous and to make sure that a voter can't prove their vote to others, prevent false votes from being added and real votes from being thrown away, etc.
Which is why you get things like voting booths, indelible ink marks on people's hands, elaborate secured containers for cast votes with elaborate seals, and extensive timed processes around how votes should be handled while being moved or counted, including complicated politically-aware algorithms about the selection of observers and counters, and counter-observers (and even foreign observers.) The rules about spoilage in most paper and pen voting systems are probably more complicated and involved than the core algorithms of any of these voting systems. There's was no golden age of voting when elections were trustworthy.
Anonymity is a hard problem.
schroeding 163 days ago [-]
> Also, good old-fashioned pen and paper, when used, is surrounded by various systems and various equipment
I don't know what the US does, but this is how it works in Germany:
Around half-ish of the polling station staff are clerks of the local administration (normal office workers of the city hall, who almost always serve their whole life - they are not re-appointed by the current ruling party), half (or more) are citizens. If not enough citizens sign up voluntarily, random citizens are drafted.
The equipment is: A list of all eligible citizens, who can vote (no registration is required), a ballot box with a very flimsy padlock, for which the polling station staff has the key, mobile privacy screens for the voters, pens and the actual ballots.
If a citizen wants to vote, they show their national ID (something which the US does not have, I know, but that's not the fault of the paper voting process) and get a ballot. They make their choice behind the privacy screen and put the ballot in the ballot box.
After the polling station closes, the ballot box is shaken around a bit and anyone[1] can come to look / supervise the polling station staff as they count the votes. The number of votes must be round about equal to the number of voters. The result if given to the city hall via phone, the ballots get put into the ballot box and can be recounted later, if necessary. City hall puts all results on their website, so the polling stations can verify.
If a ballot has more than the allowed number of votes or something written on it, the polling station staff holds a quick vote, majority decides.
That's all, the whole process. No ink, no complex seals (the key for the ballot box is in a box with the blank ballots, it's only there to prevent accidental opening of the ballot box), no timed process (except "voting until 18 o'clock"), no politically motivated selection of polling station staff or observers.
Would you really say that this is more complicated than electronic voting, including understanding the algorithms? Especially for someone with no CS background.
And it works - will you sometimes have one ballot more than voters? Yeah, sure, because someone may forgot to count a voter. But those tiny, human discrepancies IMO don't matter when you have >1000 ballots. The result is correct enough, and based on keeping each other in check, not on technical security measures. Everyone can understand the process, and everyone can be a part of it.
It does not meet the correctness guarantees of (perfect, untamperable) electronic voting, but it's IMO a heck of a lot simpler, just as trustworthy at scale and anonymous.
[1] literally anyone, even non-citizens, no registration required - we even give them coffee if some is still left :D
hereme888 163 days ago [-]
Except when mail-in ballots with the same signature and handwriting send in tens of votes each for unqualified "voters"/dead people.
So I'd amend your statement to "pen and paper, with official ID and in-person verification".
NorthTheRock 163 days ago [-]
In the US, there's no evidence that this happens - just a bunch of media narratives and failed lawsuits after the 2020 election that couldn't provide an ounce of proof when push came to shove.
lesuorac 163 days ago [-]
Eh, there's voter fraud in the US. Some of it is very ironic too [1].
> He voted by absentee ballot and again in person on election day but claimed in social media posts that he did it to show how insecure absentee voting is. He pleaded guilty to one of the charges and was sentenced to 6 months of probation and ordered to complete 40 hours of community service and pay $500 in restitution. [1] [2]
However, I didn't see any cases for 10+ votes as a deceased person for 2020. There is somebody that voted 26 times using alive people though [3].
The overall moral is though, there is fraud and it does get caught. When you think there's "widespread" fraud that isn't being detected it ends up always being a simple explanation (i.e. people lived in the state at the time of the election and moved afterwards).
I think that stamp and paper ballots are actually hampering the democratic process. There are many downsides of physical ballots: the need to physically be at one location, having to set aside a day to vote, lack of interest for younger demographics... all of these could go away with a good electronic ballot.
The more people can vote, the better the democratic process will be. Making it easier for _everyone_ to vote should be a priority.
jltsiren 163 days ago [-]
> having to set aside a day to vote
That only happens if the people in charge of the elections are enemies of democracy. It also means that the results are being manipulated and not particularly legitimate.
The election day is obviously a public holiday. There are plenty of polling locations, so you never have to go far to vote, unless you live in a particularly remote rural area. And because there are enough polling locations, you should not have to stand in line for more than a couple of minutes.
mariusor 163 days ago [-]
I don't know where you're voting from, but most of my adult life I had long queues to wait in - granted I was an expat crowding an embassy's corridor - and even if I don't have to work that day, I can think of better things that I could do with my time than that. And it's not all about me or you, it's about all the people that do have to take a day off even if it's a holiday, and the people that don't live next to a polling location, and about the people that are on vacation and need to vote in a train station or air port. There are always people inconvenienced by the act of physically going to a ballot station. Electronic voting would help them.
jltsiren 162 days ago [-]
I'm from Finland. I've never had to wait more than a couple of minutes to vote within the country. Once I had to wait for maybe 5 minutes in an embassy, but the other times I went to an embassy there was nobody except me.
There are also a few early voting days to give people more chances to vote if the actual voting day is too inconvenient.
As far as I understand, online voting has been shown to have minimal to no effect on voter turnout. Most of the time, people don't skip voting because it's too inconvenient but because they are not interested or they forgot.
baobabKoodaa 163 days ago [-]
Convenience over security. I don't like that.
The #1 goal of a voting system should be to prevent a hostile state from secretly hijacking your elections.
How convenient voting is can make a difference between 57% voter turnout versus 62% voter turnout. That's largely irrelevant.
mariusor 162 days ago [-]
I think you are severely overestimating the turnover for ballots. Yes, presidential elections might get ~50%, but anything else does not. The capability of having ballots cast from your own device would allow for more in depth participation into issues which currently are mostly ignored: local politics and even exercising the democratic process at national legislature level. When everyone can vote easily, they hardly need a bunch of corrupt old men in parliament to vote for them.
baobabKoodaa 162 days ago [-]
My point is that a small bump in voter turnout is not worth sacrificing the integrity of the voting scheme. That point applies just as well with a 50% turnout as it does with a 30% turnout. For example, a bump from 30% to 35% is largely irrelevant.
If everyone can conveniently vote and then no-one's votes are counted because Putin makes up tally numbers, that sucks.
schroeding 163 days ago [-]
Agreed, the classic process also requires no trust into something technical (which, to most people, is equal to magic - hell, even as a CS major it's non-trivial to understand this), but only trusting ten-thousands of your fellow citizens with very different political affiliations, keeping each other in check. Easy to understand, easy to implement, easy to be a part of.
codedokode 162 days ago [-]
This is not about government elections, right? Because it seems to have no protection from creating millions of fake accounts and voting in their name.
Another problem with electronic voting is that votes can be bought or people might be pressured to vote specific way. The voter might save hashes/keys as a proof that they voted for a certain candidate and this can be used as a basis for payout or not being punished.
illiac786 162 days ago [-]
this only solves one problem: make a vote verifiable. It does not solve who is entitled to vote and how to identify this person – how could it? it’s different in every country.
I do think it’s very useful though, it’s like one huge chunk of work done.
codedokode 162 days ago [-]
> It does not solve who is entitled to vote and how to identify this person
Without this the whole system can be easily compromised.
illiac786 162 days ago [-]
as I said, it’s one block in the solution. A big one. Also, identifying individuals online is a totally different problem.
sputr 162 days ago [-]
We did something similar with eglasovanje.si (currently only in Slovenian). Our idea is that secret online elections do not need a technological solution, but a procedural one.
I wonder why no one has introduced a hybrid of the two, for example, you have a private key on your Gov ID, you turn up to the polling station, sign your paper with your ID, bob's your dads brother.
Seems like this would solve the ballot stuffing issues as well as being easily electronically verifiable, it's just not a fully digital solution
162 days ago [-]
pjkundert 163 days ago [-]
Use homomorphic encryption to allow a voter to create multiple “valid” keys from their root key, and sell those votes to as many people as they want! Provide instructions publicly on exactly how to do so.
Then, the voter can vote using their root key, reversing all the sold votes and cast a vote for their preferred candidate.
Vote selling problem solved.
163 days ago [-]
mcny 163 days ago [-]
> The account creation failed because the password is too weak (it is too simplistic/systematic). Please try again with a different one.
What does it want in a password? Would be nice if it actually listed out the requirements from the get go.
nemoniac 163 days ago [-]
It's worth noting that it's licensed AGPL so the source code is open and available. Arguably this is necessary for a fully verifiable election system. Or is there some kind of zero knowledge approach to it?
ktzar 162 days ago [-]
a common problem of all systems that include a way for voters to verify their vote is that it opens the possibility of parties buying votes, as you can prove your voted for them.
JanisErdmanis 163 days ago [-]
Warning: This is going to be a rant.
The Belenios voting system is one of the E2E verifiable ones that allows the voter to ensure that their vote is correctly counted without submitting trust to a third party, which is necessary to prevent a corrupt election authority from deceiving and manipulating election results. However, it is also one of the underperforming ones in terms of usability. Like most of the existing E2E verifiable systems, deployability is a logistical nightmare if one wants to safeguard both privacy and resistance against sabotage.
In particular, if I understand correctly, individual verifiability is ensured through a challenge where the voter, after casting a vote to the server, has a chance to test the voting client by challenging it with revelling encryption exponent to the server, which then can decrypt the vote and show it on the screen. This one is a bit concerning in itself, as the voting client can decide to manipulate only votes cast for one candidate. Whereas checking and casting the same vote again would reveal the vote to potentially corrupt authority. Imagine explaining to ordinary voters such verifiability guarantees. There are better systems where one can get a tracking number at the end of the vote and check it with all cast votes when they are decrypted (one can look up Selene).
Another issue with the system and all existing E2E verifiable voting systems is the deployment of a threshold decryption ceremony. To recap for everyone. Before the elections, the authority manages the creation of a shared public key between multiple parties, which voters use to encrypt their votes during the vote. After the vote, all encrypted votes go through reencryption mixes or are homomorphically tallied and then finally, the votes are threshold decrypted. The challenge here is choosing the redundancy threshold of a number of all parties that need to come together to decrypt the election result. If too few come together, the election result can remain undecrypted, whereas if the hold is set too low, a small minority could collude and see how everyone has voted. Hence, securing both privacy and robustness is an expensive activity.
The website offers the service for those who don’t want to deploy the system themselves. The issue is that the voters’ privacy is handed over to the running service. There is no way to verify to what extent the parties used by the organisation are truly independent and would safeguard their vote privacy.
My biggest gripe is that theese arguments don’t land well to thoose who are acustomed to mathematical formalism of security definitions and proofs. The E2E verifiability with strong privacy guarantees can also be achieved in expoinentiation mix setting wihtout the need to threshold decryption ceremony [1, 2]. Receipt freeness is still an unresolved challenge here, but I see a path to resolve it with ideas similar to those used in Selene. Whereas if you are concerned about fairness not being distributed between multiple parties, please explain to me an attack vector there that can’t be accounted for!
Australia, with a first class reputation for election credibility, uses paper ballots.
egberts1 162 days ago [-]
Integrity
Verifiability
Absolute Privacy between the above two
Sounds like Time, Money, Resource: only pick two.
poopsmithe 163 days ago [-]
Does this solve Sybil attacks?
6r17 163 days ago [-]
Did anyone think of blockchain for a voting system ? I had a feeling it would be useful in this scenario as anyone could actually check it's own vote and the outcome. However reading comments here I may be delusionnal in regards to the requirements of such technology.
lesuorac 163 days ago [-]
Typically you want votes to be non-identifiable so you can't show that Person A voted for Candidate 1.
This is why your mail in ballots in the US have the double envelope system. The outer envelope identifies the ballot (but not your vote) and if there's only 1 submission then it's likely legit. At that point the inner ballot can be counted along with other legit ballots and it won't be identifiable back to you.
flanked-evergl 162 days ago [-]
The biggest problem with anything blockchain relating to the real world is the oracle problem. The benefits that blockchain offers are only applicable to things that exist on the blockchain, and people don't exist on the blockchain.
As long as we trust "certificate authorities", this is pure bulshit.
efitz 163 days ago [-]
Involving computers in vote tallying is an invitation to fraud.
In the US right now, our problems are well understood and primarily relate to ensuring that only legally eligible people vote, and that the vote was cast by that actual person.
These are fundamentally not technical problems. We have known about them for decades if not centuries and as recently as the early 2000s the Carter-Baker commission laid out the problems and the relatively straightforward solutions.
There have always been political “machines” in big cities, and if given the opportunity, they will try to stuff ballot boxes, intimidate voters, harvest ballots, exclude observers, apply voting laws unequally, and do any number of other shenanigans to give their party an advantage.
This has reached epic proportions since mail-in ballots for able bodied voters was normalized during COVID.
And the problems have all been exacerbated by the unwillingness of the courts to force states to abide by their own voting laws.
Election administration is not difficult, it is a straightforward set of tasks that require diligence and integrity, and that benefits greatly from having highly motivated partisan observers at every stage of the process.
Technology currently used in voting mostly just introduces more ways to mess up elections either intentionally (via manipulation, by administrators or hackers) or accidentally (as via bugs).
The fixes as I said, are simple but inconvenient:
1. Diligently clean voter rolls every year, or even throw them out and restart every year
2. Strongly authenticate voters via in-person registration with trusted nonpartisan agents (government officials) and verify eligibility to vote (citizenship, residency, age, selective service)
3. Vote in person. If intimidation is known to be a problem in a precinct, bring in state police (not local). Note that machine precincts are likely determinable via statistical and electoral analysis, eg where can small swings have big electoral impact). You don’t have to fortify everywhere.
4. Check voter id at the polls.
5. Paper ballots, hand counted on the day of election.
6. Invalidate the count and require revote from any precinct that counts any vote not in the presence of partisan observers from any party on the ballot that asks. Do not allow any vote to be counted after results are reported; the remedy for custody mistakes and “finding uncounted votes” is re-vote.
7. Publicly post precinct level results BEFORE reporting to the county or state. Publicly post county results before reporting to the state.
This allows independent channels to confirm that tallies at the county or state level are not tampered with or inadvertently miscomputed.
8. Fast track any election challenge hearings from any eligible voter in an election and do not allow judges to reject cases due to standing, mootness or laches.
9. Absentee ballots should be rare and require proof of need and extraordinary verification with partisan monitoring.
breuleux 163 days ago [-]
Voting is a deeply flawed decision making process compared to deliberation. If there are too many stakeholders for direct deliberation to scale, it is better to just pick a random sample of them and have them deliberate. You can have the sample vote afterwards to get the final result if they can't come to an agreement, but then you don't need fancy tech to check or tally the votes, you just need a room.
BSDobelix 163 days ago [-]
>you just need a room.
I know Switzerland is small but still to big to put us all in a room, also who decides who the "random sample" is? People from Cities, Land? French speaking or German? Voting is the the only provable and fair decision making, however the pre-vote-training of the voters (aka marketing, media and money) is the big problem for me.
breuleux 163 days ago [-]
What do you mean, who decides? Verifiably picking a random sample isn't technically difficult, you give everyone an ID, pick a known PRNG algorithm, publish a seed, let anyone send in a salt in public if they want to, and then anyone can run the whole selection process.
> the pre-vote-training of the voters (aka marketing, media and money) is the big problem for me.
It's not merely that. These are very complicated matters that take time and energy to understand, and voters don't have the necessary time and resources to dedicate. Voters are also asked to vote for people they cannot directly talk to. Everything has to be done through intermediaries and middlemen, because direct communication doesn't scale. That's why picking a smaller sample is interesting: if you pick a hundred people at random, you can pay them to simply think and talk to each other, and you can reduce (although not completely eliminate) the influence of marketing, media and money.
BSDobelix 158 days ago [-]
>random sample isn't technically difficult, you give everyone an ID
Have you ever had a gummy bear package with nearly just green bears in it?
declan_roberts 163 days ago [-]
Sure as long as I get to pick the sample.
AngriestLettuce 163 days ago [-]
Sure, as long as it's a random sample
declan_roberts 163 days ago [-]
Absolutely, as long as I get to pick the random number generator that generates the random sample.
breuleux 163 days ago [-]
The way it would likely work is that a cryptographically secure open source random algorithm is made known long in advance which takes, say, a full hour to run on top of the line computers. In the hour before it is run, anyone can send in a number of their choosing, which are all added up (or rather their concatenation is cryptographically hashed) to make the seed. Then anyone can check that their number was indeed included and run the algorithm themselves to verify. It really only takes a single honest person to send in a 20-digit number to make it basically impossible to manipulate. Maybe I'm missing something.
JanisErdmanis 163 days ago [-]
One way to resolve the issue is to use a distributed randomness generator like DRand which is threshold decryption based and hence can offer some robustness as well.
BSDobelix 163 days ago [-]
Why take random samples if you tell your citizens that everyone has a vote? How do you proof it was random, and what do you do if by random chance you got a really on sided group? Sorry we have now a fascist state but it was random so it's fair.
Rendered at 14:58:15 GMT+0000 (Coordinated Universal Time) with Vercel.
This is something all digital systems are really bad at, even if everything is readable and verifiable, unless all your members know how to read that code.
Edit: and even if they know how to read that code, can they trust the machines are running that code at the big day?
https://www.google.com/search?q=ballot+stuffing+2020
https://www.google.com/search?q=ballot+stuffing+2016
https://www.google.com/search?q=ballot+stuffing+2012
Paper ballots also having problems isn't an argument for even more complex systems, it is an argument against it.
Literally no election updates the raw tally of candidates the second a ballot comes in. If you count 1000 people entering and 1000 total votes that doesn't mean 1000 individials voted. Literally some of the cases of fraud are the same person entering multiple times and voting multiple times. You will need a control beyond "count people". (And if your control is to just do mail-in voting process in-person then what's the point).
Additionally, if you have 1000 people entering and 1050 total votes; which 50 do you discard? This is where the mail-in votes have a better control than a simplistic ballot box as you only start co-mingling the votes once you know it's legit.
W.r.t. Digital systems, there's nothing that stops there from being a paper audit trail you can verify. [1]
Also, you don't need to "trust the government" (aka your neighbors) you can volunteer yourself to be a poll worker at your local elections to see how things are done or you can run to be on the board of elections in your local government. And if you're working the election you only need to trust yourself to have made it secure.
[1]: https://en.wikipedia.org/wiki/Voter-verified_paper_audit_tra...
That's a piece of information: you know there are 50 questionable vote. You know how many questionable vote in the gland scheme of things. As a matter of fact: most of them are too small to make a different.
> If you count 1000 people entering and 1000 total votes that doesn't mean 1000 individials voted.
This means that if someone wants to vote 10 times, they need to come 10 times and hope that no election monitor will be surprised by seeing the same person 10 times. If you want to add million fake votes, you need to recruit 100 000 people voting 10 times each, you need to bribe thousands of election staff to let them vote 10 times, basically you need to involve a whole army of people and hope nobody notices nothing. Of course it is possible to find 100 000 corrupt people, but it is difficult to hide such large-scale operation.
For comparison, in electronic voting all you need is to have one patriotic sysadmin willing to enter fake data to 'save the country' from an undesirable candidate. The barrier for large-scale fraud is much lower.
So, basically with electronic voting election fraud requires corrupting less people and it is easier to hide.
> Additionally, if you have 1000 people entering and 1050 total votes; which 50 do you discard?
You nullify results at that polling station as the winner cannot be reliably determined.
> Also, you don't need to "trust the government" (aka your neighbors) you can volunteer yourself to be a poll worker at your local elections to see how things are done or you can run to be on the board of elections in your local government.
How can you be a poll worker in electronic elections? In my country typically the code and procedures are developed by a contractor or governmental organization. The code is not always even published. The best you can do is be an election monitor, but they have very limited tools in case of electronic elections, like observing stats on count of people voted. In contrast, election monitor at paper voting can see the whole process with their own eyes.
I have yet to see a digital system that I would trust myself to validate, much less the non-technical majority of the public.
Which is precisely what Trump did in 2020.
I doubt people made up their minds on whether the 2020 vote was sound based on the mechanics of how the votes were counted. The counting procedure with it's interlocking checks is rather complex, and differs between states. They made up their minds based on what they trusted more - the Trump version of the facts or the testimonies of the people counting the votes and those administering it.
It will be exactly the same with computerised voting. Ideally the software will be open source with reproducible builds. Just as with the present voting system most won't be able the check the actual mechanics themselves, but they likely know someone who knows someone who knows someone who can.
By the by, it wasn't done that way with computerised voting and probably still isn't in many places. I vaguely recall the story of a voting machine breaking down, a technician waving his magic wand over it after voting had closed, and a whole pile of votes fell out. It made the people in charge of the voting process distinctly uncomfortable.
Exactly, so the rest of your criticism isn't nearly as strong, if it applies to all means of voting.
For a high stakes election I would take the most trustworthy system. So give me an argument why I should invest money into building a less trustworthy one?
Because it I get results faster? I don't care about speed, high stakes elections are rare enough for that not to matter.
Because it is more efficient? I don't care about efficiency, I want the result to be accurate and the process to be understandable by the stupid bloke in the pub with whom I have to discuss the result.
There is literally no reason why this should be replaced by a digital system other than it makes us needs feel special.
My point was narrowly that most of the argument made in https://news.ycombinator.com/item?id=41156898 applies to paper voting as well.
For what it's worth, I prefer paper ballots, but I don't think that makes all arguments for them automatically valid.
I wouldn't expect the general population to trust them either.
- how do you know the code running on these machines on day X is actually the code they tested?
- how do you know the code running does the same thing the code they tested does, even if it is the same code (e.g. hardware instructions could be doing different things on the machine, the OS could provide different functionality, other programs could interfere)?
- how do you (and for that matter: every single voter) know their vote was counted towards the correct candidates in the whole process towards the end results, which likely involves transmitting data through the internet and/or people carrying USB thumb drives and sticking them into computers
I am not saying it can't be done, but I say you can tell appart who knows computers really well (hackers) from those who know it kinda (geeks), by how doable they think this is.
You asked "how do you know your vote was counted". You can google for examples of how this works in verifiable voting systems.
Just pick a voting station with lower computer literacy, and you can do whatever you want ..
Different solutions exist for this problem, which is known as a "clash attack". For example, in the Floating Receipts voting scheme, those things that you call "recipes" are pre-printed on ballots and hidden under scratch strips. The scratch strip is removed at the time when the ballot is dropped into the ballot box. If the manufacturer of the ballots were to pre-print the same "recipe" on multiple ballots, it would be discovered during the verification phase, because you would in some cases have 2 different votes cast on 2 different ballots which would contain the same "recipe". So both voters look up the "recipe" online and they are supposed to discover only one vote corresponding to the "recipe".
Cryptography. Your receipt is presumably only valid for yourself. So if you got someone else's receipt, it wouldn't be valid for you.
I support paper voting for political elections for most of the reasons you mentioned, but I don't think that automatically makes all arguments for paper voting good and valid, and all arguments for alternative voting systems null and void.
And even if political elections are better done on paper, there's plenty of other elections (eg in companies and clubs etc) with different requirements and threats, and they might benefit from the research and experimentation.
The system doesn't only include the code directly related to voting. It also includes OSes and everything involved in the infrastructure for hosting and communication (the Belenios system in particular involves sending private keys by email, and we're also relying on end user systems being uncompromised (who here likes browser extensions?)). It's not feasible to claim that such a system is secure from a remotely controlled attack (eg, by a lone external actor).
Most of the attack scenarios against an offline voting system are ones that the general population can at least reason about, and they probably involve multiple insiders that would face a serious risk of being ratted out by one another.
Sending private keys (by mail or any other way) does sound bad, so the specific system mentioned in the article might not be worth bothering with.
How many expert do we need? Do we need cross-domain experts to check if any domain experts missing anything between the gaps?
For paper voting, it is literally just check the box is empty before voting and nobody get near the box unexpectedly
That depends on how complicated your voting system is. Have a look at the complications they have in Australia..
I don't agree. This is plausible within a coesive electorate, but it feels like moving the problem. What guarantees that the experts are trusted by the voters? And more importantly, assuming that at some point the system (experts) is trusted, how is the trust in the voting system retained over time? (e.g. in case of disagreement over the results)
I have argued in another thread like GP that because the ultimate purpose of voting systems is to collectively take decisions, and because disagreements are very common when deciding, the system needs to be able to justify itself to retain the electorate's trust. Otherwise it will eventually be replaced by a different voting system (or tyranny).
A proxy for this is of course simplicity. If the voting system is clearly understood by everyone, it is more easy to persuade a losing party that the outcome is correct. Conversely, if a voting system needs high expertise to be understood, it is more difficult to bring everyone to agree on the result. So the latter is less robust than the former, especially if the disagreement is over a result that is close to a tie. A self-correcting mechanism is important to keep the voting system in place.
In appendix B of your thesis you raise an interesting point I had not considered.
> As an extreme example, consider the case where a voting system lacks verifiability, is trusted by the public, and is compromised by a foreign superpower: the people have lost their democracy and do not even realize it. Compare that to a hypothetical case where a voting system has perfect verifiability, thus can not be compromised (without triggering a new election etc.), and, for whatever reason, is not trusted by the people.
> Clearly, the outcome where people are suspicious of a perfectly functioning voting system is superior to the outcome where people are blindly trusting a compromised voting system. We hope that this outlandish example is enough to support our argument that verifiability is more important than trust.
The external threat is a very valid point but I do not think that this is sufficient to absolutely conclude that verifiability is more important than trust. If the system is rigged, it may eventually displease the electorate to the point that it will eventually be replaced.
Unless, the rigged system doesn't displease the electorate and is essentially a hidden benevolent dictator, which would be an interesting situation. Only in that case verifiability could unambiguously be more important.
There will still be questions around compromised keys/secrets
I suppose in this case paper ballots win
rraghur says in the siblilng comment that keeping the voting systme open via OSS / reproducible builds / etc could be a source of trust, but I don't think that is sufficient for most people. We need a stronger argument, and I don't have one.
If you concede that we cannot have everyone understand (to take an example) E2E verifiability, then this technology cannot justify its own correctness to everyone. This means it is necessary to have a (possibly small) group of experts to educate / persuade the public that E2E verifiability actually works.
But my point is essentially: why should they do it? There is no structural incentive for them to do so, other than the virtue of being a good citizen. There needs to be something that keeps reinforcing public trust. Self-evident systems do not require for this incentive structure to exist / be built.
I fear that this could end up becoming akint to the erosion of trust in scientific evidence for political decisionmaking. Science was considered very trustworthy by most people at some point, but because there is little to no incentive for the scientists to inform the public about why what they do works (other than perhaps their personal desire to share the cool thing they are working on) and because scientific results are usually very complex there has been a pretty steady decline in trusting scientific evidence.
[1]: https://www.belenios.org/faq.html
It's not perfect: more remote and less popular areas go unobserved, and what happens after an official complaint is made is anyone's guess.
But at least almost anyone can add up numbers for themselves and come to a conclusion about what to trust and not trust. And you might think no one would bother, but in my brief experience as a volunteer poll worker they surely do, and zealously so. I can't even begin to imagine what'd happen if the paper ballot was replaced with "trust us, the machine says 37 for party A" or "the magical fingerprint number you don't understand says this ballot was cast for someone else".
The system by which power is transferred from the people to representatives needs to be literally self-evident. Any system that the "average voter" cannot understand should be literally unconstitutional. Deviating from this puts the results of all elections in doubt. People will question the results, and they will have a point because the system is not actually verifiable and trustworthy to the average person and therefore they have no reason to accept the results. If you're lucky you'll end up with numerous political prisoners at the end of the whole process.
What you fail to understand is that an "election" whose results can't be trusted is equivalent to a dictatorship. Actually they are even worse than dictatorships. In a dictatorship, at least you know you are being oppressed. When unreliable elections are institutionalized, they give an air of legitimacy to the dictator's rule, you're constantly gaslit by the dictator and his political and ideological supporters into believing that the oppression is just the democratic process at work.
This makes widespread, centralized election tampering much more difficult, in ways even a moron can usually grasp. (Edit: I mean the general public, not any reader here)
Election skepticism is only going to get worse with China and Russia ramping up their neverending quest to discredit democracy. An unfortunate reality is that we need to operate our elections in ways that are unquestionably understandable and plainly resistant to tampering.
Another example is voting systems. There are several voting systems that are objectively better than Instant Runoff Voting, but they require algebra to determine the winner. If the system isn't demonstrable in a short video or infographic, it is too complex for general population elections.
It's interesting how attitudes about digital voting seemed to flip overnight once Trump challenged the 2020 election. Beforehand there as a lot of serious concern about the trustworthiness and security of digital voting machines, now I get the impression that's all been muted and its taboo to do anything except trust the authorities.
1. Paper ballots are in some ways more ambigous, because there are many ways to scribble a sign into a circle, a fraction of which will not result in the intended outcome
2. Understanding these handwritten symbols is harder than understanding the electronic system, because of that ambiguity
3. People understand the paper ballot system, but there are some statistical checks and security measures that they don't understand or know of, so their knowledge of the paper system is superficial
4. Trust in voting systems does not primarily arise from understandability but from trust in other people. To quote: your grandmum doesn’t have to become an expert cryptographer in order to trust a system like X. She just has to believe that cryptography experts exist and at least one of them would speak out if this transparent voting system was not as secure as the election officials claim
I don't want to question your thesis here, but I teach electronics and programming at a University level and points 1 and 2 are ridiculous and maybe even disingenuous. Sure, I understand that for a certain type of mind a digital/electronic system feels less ambigous and more clear. But most people are not like that – not even among academics – not even among academics that involve themselves with technology.
Point 3 is a rethorical trick that – if applied equally to E-Voting would be a strong argument against it. Yeah sure people don't understand X completely so lets do Y which is one-thousand magnitudes more complex is not an argument in favour of Y even if phrased in such a way.
Point 4 is the actual thought we disagree about, but given the unscientific nature of the 3 arguments before I can't simply trust you that you did research here (there are no sources cited that strengthen your point either). So as it is you just stated the opinion, as I stated the opposite. Sure, paper ballot elections are not dead simple, but any living being with basic understanding of object permanence could veryify a ballot isn't manipulated by just standing next to it. Meanwhile with computers you have to delegate that trust. And as computers can be reprogrammed, potentially remotely, even your experts can't be sure – especially in elections where powerful nation state actors seek to destroy the public trust in your election. This is a problem – just claiming that it isn't doesn't cut it. And people who claim that it isn't should not be the ones designing such systems.
The important thing to understand about agreeable consent is that a person's willingness to subject themselves to the will of a democratically elected majority is directly linked to their trust into the process. Your voting system has to produce that trust even if voters don't want to trust the process. The surest way to do that is to get a part of them involved into the process – ideally not always the same people. If then a single poll watcher claims a thing and 400 others that have been present plus three trusted NGOs can claim otherwise the election is not in question. Someone will have to convince me this works for E-Voting with a bit more than rethorical tricks.
Note that I am not against E-Voting per se. I just don't think the highest stake elections which have the potential to shift political powers should be electronic/computerized.
> 1. Paper ballots are in some ways more ambigous, because there are many ways to scribble a sign into a circle, a fraction of which will not result in the intended outcome
Look, I tried to cover all aspects of how the integrity of the voting results can be compromised. There are big issues, like a foreign superpower attempting to hack the results, and then there are small issues, like this one: people accidentally spoiling ballots.
I'm struggling to understand why you feel the need to attack this minor point in my thesis with words like "ridiculous", "disingenuous" and "unscientific". Accidental spoiling is a real issue that happens and I even have a photograph of an ambiguously marked ballot in my thesis.
> 2. Understanding these handwritten symbols is harder than understanding the electronic system, because of that ambiguity
I wrote in Appendix B about how accidental spoiling could be resolved by adding electronics, but _only_ adding them to fix this specific issue (_not_ replacing the whole voting scheme with black box computers that can be hacked). When you say "the electronic system", it sounds to me like you are imagining something more.
Let me try to illustrate this specific point from Appendix B.
A) Fully paper system. You walk into a voting booth. You scribble down the number "7" on paper. You walk out of the booth and put the paper in the ballot box. Later some election official is counting the votes and they look at your scribble and they wonder, hmm, is this a "7" or is this a "1". Your vote is disqualified.
B) Same system but augmented with simple electronics to prevent accidental spoiling. You walk into a voting booth. You scribble down the number "7" on paper. Inside the booth you insert your paper into a scanner which interprets your scribble and prints out a new paper that is supposed to contain your vote. You look at the new paper to verify how your vote is going to be interpreted and you see... what the heck, it's a "1"? Why is it a "1"? I wrote down "7"! So you take a new paper, and now you very clearly write down "7" on the new paper and scan it again. The computer now prints out a paper that has a "7" on it. Good. So now you walk out of the voting booth and then drop the paper with the computer-written "7" on it into the ballot box.
See how B) is exactly the same system as A) except it offers voters the ability to see how their vote is going to be interpreted, before they cast the vote into the ballot box? The machine inside the booth doesn't have to be connected to the internet and it doesn't have to do anything more complex than read a number on a paper and then print the same number. If somebody hacks the machine to "misinterpret" votes, it will be caught very fast.
> 4. Trust in voting systems does not primarily arise from understandability but from trust in other people.
> And as computers can be reprogrammed, potentially remotely, even your experts can't be sure – especially in elections where powerful nation state actors seek to destroy the public trust in your election. This is a problem – just claiming that it isn't doesn't cut it. And people who claim that it isn't should not be the ones designing such systems.
The whole point of a verifiable voting system is that you don't have to trust the election computers. Even if all the official computers are hacked by Russia, I can still run the data on my own machine to verify the results of the election. As long as there is one clean computer in the world and one nerd who cares, the truth will come out.
And I'm not "just claiming that it is [verifiable]" - I wrote a whole thesis on these voting schemes. I did my best to identify the strengths and weaknesses of each scheme and as you can see in the comparison table, each scheme does have their weaknesses. A "perfect" verifiable voting scheme does not exist. That said, it sounds to me like you are imagining all electronic voting schemes to be "black box" schemes relying on blindly trusting both authorities and computers, and that is not the case at all. I would suggest that you familiarize yourself with at least one of these "verifiable" voting schemes before criticizing them. If you are interested in further discussing the specific weaknesses of a specific scheme which incorporates some electronic aspects, I would suggest that you read the description of "Floating Receipts" scheme from my thesis and then we can discuss specifics of that if you like.
Keep in mind that my point was specifically about high stakes elections and you reacted to it without making that limitation. Don't you think my conclusion about your comment follows kind of naturally from that context? I also would argue there is a niche for E-voting to exist, but it is the responsibility of us technically literate to make it very clear for which purposes it is not suitable and why.
> There are big issues, like a foreign superpower attempting to hack the results, and then there are small issues, like this one: people accidentally spoiling ballots.
The slowness and amount of people needed for the paper ballot is a feature not a bug as it makes wide scale attacks extremely complex, labour intensive and risky AND regular people (those that need to believe in the results!) can understand what is going on if they want to. This comes at the cost that the correctness of the result can be not always guarantueed. A huge number of spoiled ballots isn't necessarily a sign that people don't understand how to make a cross, it is a sign of protest and used as such.
> Fully paper system. You walk into a voting booth. You scribble down the number "7" on paper. You walk out of the booth and put the paper in the ballot box. Later some election official is counting the votes and they look at your scribble and they wonder, hmm, is this a "7" or is this a "1". Your vote is disqualified.
I have never seen an election where a vote isn't ticking or checking a ballot box, maybe this is different in Finland? Also: The elections I voted in, in 2 different countries always came with precise pictured instruction how a valid vote looks like and what would be invalid. I am not sure if I should be worried about the vote of people who fail to put an X into a box when given pictured instructions. This is a weakness with one specific implementation of a paper ballot, not a inherent weakness of the system. If we are to look for a good comparison we should compare the best way to do paper based elections to the best way to do it digitally and draw our comparisons from that.
> See how B) is exactly the same system as A) except it offers voters the ability to see how their vote is going to be interpreted, before they cast the vote into the ballot box?
This isn't without it's own risk either. Having worked with computer vision systems and programmed them I can tell you there is no 100% guarantuee that the result that air-gapped machine showed the voter in the voting both is the same as what is reached later – not even if we assume the exact same machine to be used for the count. Also: That isn't necessarily what I'd call a E-Voting system.
> That said, it sounds to me like you are imagining all electronic voting schemes to be "black box" schemes relying on blindly trusting both authorities and computers
No you get me wrong. What I said is that for the majority of the electorate it would be that way. I can readily imagine building an electronic voting system that I can trust – and maybe even one where independent experts would trust it. But that is the easy part. The hard part is building a system into which the bloke from the pub that struggled with undergraduate math and stopped thinking about it since he left school two decades ago can trust. And not just by trusting an authority, but by checking for himself.
As much as I like the idea and challenge of such projects, I can't help put think that the inclusion of those who are less capable to understand is worth more than the potential gains in efficiency or interface-correctness of E-voting systems – especially if the fate of nations hinge on the fact that people trust it.
I was also thinking of high stakes elections when I wrote my response to you, even if I did not explicitly say so.
> I have never seen an election where a vote isn't ticking or checking a ballot box, maybe this is different in Finland?
In Finland you typically scribble down a number. Yes, it's harder to accidentally spoil a ballot if you only need to tick or check a box.
> Having worked with computer vision systems and programmed them I can tell you there is no 100% guarantuee that the result that air-gapped machine showed the voter in the voting both is the same as what is reached later – not even if we assume the exact same machine to be used for the count.
But in this hypothetical example the computer is not used to count the votes, it is used to write on paper. Because a computer can unambiguously draw the number "7" on a piece of paper, and the voter can unambiguously verify that the number is correct.
> Also: That isn't necessarily what I'd call a E-Voting system.
I wouldn't call it such either.
> If we are to look for a good comparison we should compare the best way to do paper based elections to the best way to do it digitally and draw our comparisons from that.
And that is what I did in my thesis. The best way to do in-person paper based elections is (a variant of) Floating Receipts, which is a better system than (a variant of) Civitas, which is the best way to do remote e-voting.
At this point I am very confused what you feel disagree about. We went into the weeds over some minor issue regarding spoiled ballots, and I feel like you are drawing way more conclusions from that than you should.
That isn't actually what voting is meant to do. The purpose of democracy is to kick out the old guy and stop the concentration of power by rotating the people in power frequently. The problem is that when you get rid of the old guy, you also need people to agree and consent that the new guy is indeed the new guy.
Same for machines, they’ll have to trust that some people did their job and checked these machines.
Not saying this will happen any time soon though ;)
If, in turn, elections are organised as distributed, local, and highly public countings, that get aggregated up to the final tally, citizens stay in control of their votes. Poll workers in a county may not count the votes of another county themselves, but they know there will be other volunteers all over the country doing so. It is extremely hard to manipulate a large-scale movement of politically inclined volunteers, and they can rely on that.
We cannot hand control over the vote to the government we possibly want to vote out. By reducing the massively distributed trust to a handful of computer wizards, we remove transparency from voting, turning it into a sham event that can be orchestrated by those in power to their liking.
Plenty of incentives and options even with paper ballots, as many dictators have shown.
> distributed, local, and highly public countings
Why wouldn’t this be possible with machines?
> We cannot hand control over the vote to the government
If you trust the people checking the machines have not been manipulated, this is not at all what would be happening.
Is that so? If anything, they ignore the ballots or fake the numbers—see Venezuela. That is another problem entirely.
> Why wouldn’t this be possible with machines?
With paper ballot countings, even the most plain citizen, can witness the counting and ensure themselves nothing shady is going on: Watching as people create heaps from ballots with a checkmark in the same box, then call out the numbers is not beatable in terms of accessibility.
With machines, complexity is orders of magnitude higher: Watching the computer is pointless. You don't get to see how it adds up votes, you have to trust its software is working as advertised. There is just no way to verify no component of the stack has been manipulated.
> If you trust the people checking the machines have not been manipulated, this is not at all what would be happening.
But that is the point! Why would you ever do that? What power does that grant to these people? How dangerous would it be to be such a person? Who even would these non-government election experts be? Why limit the number of people able to verify an election is going on truthfully to a small amount of technically literate experts, when we have a perfectly working democratic system in place?
Tell me this; how can you check the machines have not been manipulated with a 100 percent certainty? How do you verify the screen displays what it is supposed to, the software has no backdoors, the hardware has no backdoors, there are no parts swapped out, there are no second-order effects of transistors flipping bits if the ambient temperature reaches a certain point, the cables have not been messed with, the data it sends is not intercepted or altered, the packages won't be dropped, or arrive in duplicates, or any of the other myriad of possible failure conditions? An election is an extremely rewarding target for both internal and foreign/rival state actors. Just think of Stuxnet if you think this is paranoid, and that was 2010! How would you ensure that even the most sophisticated attackers won’t come up with an exploit?
You cannot. You cannot do this reliably for every machine involved in the election; the combined knowledge and experience involved in each of these questions far exceeds even most IT professionals. So you immediately remove the ability to witness the election from almost every citizen, by making the process infinitely more complex and harder to understand, for no reason at all. I know there are lots of interesting problems to solve here, but democracy is not the right place for complex solutions to interesting problems.
There is virtually no compelling reason to drop a working process in favour of machines here.
Edit: and one more thing with elections is that you cannot just try again if something seems suspicious. You’ve completely shattered trust at that point, and the victor would rightfully claim the election had been stolen from them. Again: Democracy is no place for technological solutions.
Elections with paper ballots are somewhat straightforward in that regard. Any party member that doesn't trust the process can literally apply to check part of it and be able to see for themselves that there is nothing fishy going on in the part they checked. And they can do that with nearly no prior expertise. If they don't get to check it for themselves they can trust that enough people like them are envolved in the process that someone would collect evidence of wrongdoing if it happened. And these people are normal people and many, so bribing them doesn't make sense. Adversaries that want to make that election untrustworthy would have to insert so many people at so many steps and at such number, an attack against it quickly becomes impractical.
Not with a computer system, I am not even sure if I would trust a system that I myself setup and software that I myself had written if used in a high stakes election. But the few experts that are able to verify the process and have the computer knowledge to do so without naive optimism now are high stakes targets and each party now needs to have one at each polling station at some point after which the machines (air gapped?) need to be completely isolated unless you want that verification to become meaningless. The voter now needs to trust the expert and for a hint about how well that works I want to point you to the Covid pandemic.
So digital voting is a non-trivial problem to solve, especially for high stakes, anonymous, but transparent elections. And we computer people can't just hand-wave the doubts away, you need to address each attack vector a major nation state attacker could/would exploit. And even if we did that the result would be a system that nobody without special education could understand.
Sure, paper ballots are slow and the process lengthy and labour intensive. But the results are surprisingly stable and trustworthy even in many places where one would expect corruption and manipulation.
It sounds like you are not familiar with the concept of verifiability or more precisely E2E-V for evoting systems that can be attained. The goal is to never trust the software that is running the machines or officials and thoose are kept accountable with a public cryptographic evidence produced along with final tally. They still are trusted with not sabotaging the process and assuming that one or few parties are not corrupt to ensure vote anonimity, but never with integrity.
However no voting system is perfect and 100% consent is next to impossible to achieve. But for major, high stakes elections we have to take any tiny sliver of trust we can take, even if it is at the expense of getting results fast or cheap.
As a young nerd I would've said: "How hard can it be", as an older nerd I understand that the computer part is the easy part, getting people to be able to trust and follow the process is the hard part.
How would you make such a sweeping statement? Can you list the systems you had looked at?
1. How hard it is for already highly educated people to understand electronics and programming
2. What kind of complexity is needed on how many technological layers to just even have it work reliably and how much more complexity is needed to have it formally variable and tamper-proof
3. How many attack vectors exist in such systems — many of which mean a single motivated and skilled attacker could exploit on grand scale
All of that necessarily leads to a process that is less transparent than a paper ballot, because there are more moving parts. Your bloke from the pub will be able to understand how to check the integrity of a paper ballot. But of an E-voting system?
In my eyes it is a feature if within a democracy if all participants in that democracy can understand the whole election process.
Saying “all systems” is such a sweeping statement, it is very unlikely to be true.
Technology always improves and if you looked at any modern system, people some day in the past would be incredulous that it could possibly replace a bunch of smart humans with pen and paper.
Experts said airplanes couldn’t ever fly and the wright brothers were fools. Then they said there are many safety problems with airplanes. If you told someone it would be the safest form of travel for long distances, people would laugh. Just as you are laughing now. They would claim their logic would hold for “all” forms of air transportation.
People laughed that a chess playing program could beat a human, citing seemingly (to them) insurmountable challenges much as you do now.
You could have said exactly 1,2,3 about the Internet and many other things in the past.
It's not that it cannot be done. It's that even if you do it perfectly (whatever that means), you cannot expect people to trust it.
People trust papers in envelopes in transparent boxes in classrooms all around the country because it's intrinsically trustable, decentralised, easy to understand, extremely hard to manipulate at a global scale, etc.
People do not trust an electronic system. You can explain to them that it's safe until you're red in the face, it's not the point.
Democracy works if people have sufficient trust in it.
People come to trust technology when it starts performing well. The same can be said about self-driving cars etc. etc.
There are two problems with this: 1. You can’t verify extra or in eligible voters voted. 2. It relies on trust that to tell you your vote was counted.
I am very interested in reading about this protocol, and it might make a fun hobby to re implement it as a research project.
The one issue I have is: the act of physically showing up is an important one. Mass stuffing of ballot boxes is nearly impossible when physical presence is required. It also puts ‘your ass in the game’, meaning you really care so to speak; as you have to do a minor piece of physical labor in order to get your vote counted.
If this protocol could be adapted to the physical world, I think it would be perfect barring any other issues.
Scantegrity II is a system that adds end-to-end voter verifiability [2] to such systems by combining some clever chemistry with some clever cryptography. It requires no hardware modifications at the voting site except that special markers have to be used to mark the ballots.
Briefly, a code is printed inside each oval using a special ink that is invisible, which turns visible when that oval is marked by a special marker.
After the election all the ballots can be published, allowing any third party to independently verify the counts.
Voters that wish to verify that their ballot was included in the count and counted correctly can note the code from the oval and afterwards use it to verify the count. The code cannot be used to prove to a third party, such as a vote buyer or vote coercer, that the person voted the "right" way. Here's a proof of that [3].
[1] https://www.usenix.org/legacy/event/evt08/tech/full_papers/c...
[2] https://en.wikipedia.org/wiki/End-to-end_auditable_voting_sy...
[3] https://eprint.iacr.org/2010/502.pdf
> The code cannot be used to prove to a third party, such as a vote buyer or vote coercer, that the person voted the "right" way.
What if the vote buyer is with the government and can actually inspect the ballots after voting? Knowing the code is a proof that you saw a specific ballot.
That said - I am yet to see any protocol that is resilient against not showing up IRL (due to the exact reason above).
Coercion doesn't need to be overt to be effective, just a small amount of social pressure applied over a large number of people is enough to make a significant difference. That's why typically there are laws banning campaigning right outside polling places. Now what if the "polling place" is the entire country, over a period of multiple weeks? How are you going to enforce that? And how can the electorate trust that it is being effectively enforced?
A few years ago, some of the local county majors know that people liked them more than the candidate to governor or president of the same party. So they send helpers to each house to ask people and give them cut ballots with the combination they liked. No judgement. People can choose whoever they want. The county majors know it was better for them in average.
So it's possible to scale it if you distribute the task.
We have in person secret voting. So people can lie and accept the ballots provided by the helpers of the local major and then just pick another when voting. If people can vote remotely, they can be forced to vote under supervision.
I think more creative thinking on how the schemes could look will show some scalable solutions to coerce votes.
> “Chain voting” ensures that people vote the right way. Voter 1 goes into the polling station,
> appears to vote by depositing an empty envelope into the ballot box, but comes out with a
> blank ballot. Voter 2 is then sent in with that ballot—now marked by a [party] operative—and
> told to put it in the ballot box and exit with another blank ballot in hand. Carried on down
> the line, the [...] party boss in the town can ensure that all have voted the proper way
> while the election workers find that they are short only one unaccounted-for vote
You can send a couple guys with bats to a polling location and coerce hundreds of voters. What you’re describing would require a highly organized set of crimes taking years of man hours that would definitely attract law enforcement due to the prolonged time and scale. Fantasy.
“Creative thinking” is leading you down the path of made up problems with ludicrous solutions.
I assume they instead did the more normal things of local voter intimidation, outright not counting, and lying. If your government doesn’t want to follow democracy you’re fucked either way. No need for armed gunman to make you vote at gunpoint.
That was political theatre being made in a conquered territory, not an actual attempt at democracy. It’s like pondering the specifics of a vehicle’s engine performance/efficiency after it’s been hit by a fucking train.
There was/is no solution to fix voting problems in Russian held territory other than to violently force Russian thugs to leave.
You can say that you voted for X, but vote for Y and noone will ever be able to tell.
How does it work in Italie? I can picture easely how someone in the paper room can put pressure on you to only take one paper.
Also they always give you all ballots, I don't recall ever being asked which ones I wanted. Plus at all points you are always in front of multiple people, I believe each candidate / party in an election gets to appoint someone to keep an eye on the proceedings
(Also the original claim about 20/30% seems like abject fantasy to me, unless we take the entirely different meaning of "20-30% vote for a candidate that organized crime is happy with, which is entirely unrelated to electoral interference)
Please forget about showing up physically because setting up a polling station in a place where there's effectively no public transportation cuts off poor people from voting.
Please forget about showing up physically because mail voting works fine, paper ballots are already anonymous and verifiable, and we don't need to argue about why showing up in person is better for the umpteenth time (or that adding extra friction is not a good thing).
Please forget about showing up physically because that "you really care" nonsense is in the same vein as literally testing, and democracy isn't about excluding voters who don't care enough.
This line of thought is, frankly, disgusting, and I'm ashamed that this is tolerated here.
The solution was that you get a signed envelope when you enter, go to a isolated room alone and put the ballot inside and they verify the signatures of the closed envelope before you vote.
With remote voting, nobody can check that people is alone when voting.
[1] https://crypto.stackexchange.com/questions/67486/what-is-cha...
[2] https://english.atlatszo.hu/2022/04/05/this-is-how-chain-vot...
Thanks for pointing out another vulnerability of in-person voting that mail-in voting doesn't have, due to its distributed nature.
Chain voting is something that's only practical to organize when everyone in the group is voting at the same place and at the same time, so the chain doesn't need to be coordinated in advance.
As long as people know what kind of guy to look for outside, they know there's quick money to be made.
Good luck coordinating a vote buying scheme with enough people to skew the vote by mail without anyone finding out.
>With remote voting, nobody can check that people is alone when voting.
Neither can any other system of voting, including in-person voting.
And if the person is truly on their own in the room, and they truly only have one ballot... they can snap a picture of their ballot to show how they voted.
The problem isn't "being alone" when voting, the problem is buying votes - and it's solved by going after the money in any case.
With chain voting, the schemers also have no way to verify that their pre-filled ballot was actually used (and didn't go into the trash bin). It works because the voters themselves are corrupt and lying to the state, but honest to the people who pay them - in which case the voting system is neither the problem nor the solution.
If they implement something like that here, I expect in some places that people is ask to go to the local party office and left the ballot/envelop with the code. It is easier. Voting chain is a trick to avoid the in-person checks.
Mail-in systems work too, with their own set of benefits and drawbacks, and is used in combination with the above in some countries.
Citation needed.
Specifically, what are the drawbacks of mail-in voting compared to in-person voting?
>Mail-in system is used in some countries
The US is one of those some countries.
And in the US, with a long history of voter disenfranchisement and an abysmally low voter turnouts, where the election day is always a workday, mail-in voting is absolutely the best system currently in use, by a long shot.
Its benefit of being actually available and removing many of the artificial barriers to voting that exist across the US far outweighs any disadvantages it may have over in-person voting.
These barriers include:
-people having difficulty to vote on a workday
-difficulty getting to the polls
-lack of polling places in "undesirable" neighborhoods (and super long lines as a result)
-varied ID laws
-etc
Not coincidentally, the party that openly aims to decrease voter turnout for their benefit also opposes mail-in voting.
Nobody says that in-person voting should not be available. But it absolutely should not (and rarely is) the only option.
Unfortunately, its availability across the US is limited through the efforts of the aforementioned political party.
> -people having difficulty to vote on a workday
We vote on Sunday.
> -difficulty getting to the polls
My poll station is half a mile away (or less). I can go walking or by bus that is free that day.
> -lack of polling places in "undesirable" neighborhoods (and super long lines as a result)
I vote in a school that has like 20 voting rooms. The waiting time is usually like 10 minutes. Last year in some rooms the waiting time was like 1 hour and people was angry. In that cases vote for the other party.
> -varied ID laws
Everyone has an ID here. It has a nominal cost, but if you ask nicely you can get it for free.
If the idiots here can organize an in-person voting election, anyone can.
You don't seem to understand that what you see as problems to be solved are seen as features by half of our politicians, who would rather have people not vote at all.
These are the vulnerabilities of in-person voting that mail-in voting does not have.
>If the idiots here can organize an in-person voting election, anyone can.
No, that's not the case. I can't organize elections in Texas because I'm not in charge of organizing elections in Texas.
And people in charge of elections in Texas make sure that urban neighborhoods (which are likely to vote for the other party) don't have enough polling places to go to.
Oh, and did you know it's common in the US to have churches as polling locations? It's especially great when you're voting on issues like separation of church and the state, abortion, gay marriage, etc.
I understand because we had the same problem until 1912 https://en.wikipedia.org/wiki/S%C3%A1enz_Pe%C3%B1a_Law that the problem was solved with secret obligatory in person elections. It was not easy. The 1930 were weird. All the last century was weird. This century is weird too, but at least elections are quite transparent.
> And people in charge of elections in Texas make sure that urban neighborhoods (which are likely to vote for the other party) don't have enough polling places to go to.
That's weird. I'm not sure how we ensure everyone has a good site to vote, because I expect some provinces to use all the dirty tricks that are barely legal. It's a good question. My guess is that elections are obligatory here (nobody really checks that, but there is a threat of a fee or something if you don't vote). So people wait outside the voting locations until they can vote, and if the queue is too long they get angry, and may start a small riot, and get the TV, and the federal government may decide to do something like investigating the local corruption.
I don't understand this part. What stops people responsible for giving out those ballots, from taking some of them and mail under someone's else name (for example, homeless person, drug addict etc)? You often need just several hundreds or thousands votes to win in a swinging state.
A requirement to keep a record of which paper ballot envelopes were mailed out to whom, and to which address.
Ballot blanks are all identical, but the outer envelopes go through the USPS and have identifying numbers on them.
When the ballots are counted, the envelopes can be examined by all interested parties separately from the ballots. The ballots are taken one by one out of the outer envelopes, and put into a bin (they're folded in blank inner envelopes, so nobody can see anyone's vote at that stage).
Presence of an envelope that was received, but not mailed out is evidence of fraud.
Conversely, once put into the mail, the USPS can track each such envelope, and anyone other than the intended recipient tampering with that mail is committing a federal crime (regardless of what they do with it).
Could this work?
This means that a malevolent entity that wants to influence votes needs to sequester the voter(s) for the whole ballot period, which is vastly more difficult than putting a gun to someone's head for a single vote.
Executing this at scale so the effect can be statistically significant is even more difficult, and if it's still possible the entity holding the ballot can be assumed to have more pressing issues to care about than fair ballots. :D
The system used two blockchains: a public one which recorded votes, but without linking to a voter, and a private one that linked voters to vote records in a public blockchain. So the voter couldn't see how many times he voted because this info was on a private blockchain.
So when allowing to change a vote there are several issues:
- how do you invalidate previous vote? You need some way to link those votes, that they belong to the same person which might lead to disclosing their identity
- how do you prevent government from changing your vote by pretending that you voted the second time?
> how do you invalidate previous vote?
All the votes are public on the ledger, you can clearly see which ones belong to which voter entry.
> how do you prevent government...
The government does not have your private key, also if a hacked vote happens, you as a voter ask for an audit of the vote entries.
I'm not saying there are no problems with electronic ballots, but I'm thinking that with enough time and elbow grease, they can be solved.
It also relies on the voter caring enough about their vote in the first place to be willing to attempt to do it, with whatever possible personal risk that entails.
And yes, if the government is corrupt in its entirety, from creating IDs to the ballot process itself and to sequestering citizens, then yes, you're fucked. But I don't see how that would be different for paper ballots or any other means of voting.
I think it would already help a lot, that there are some physical limitations on how many people you could gather at the same time.
What if I vote early, then the person I voted for has a major scandal the day before the polls close?
Being able to change one's vote would remove all the disincentive to voting early or whenever it's most convenient for you.
https://www.val.se/att-rosta/var-rostar-jag/fortidsrosta.htm...
Or simpler, leave them with the kids (nobody else to watch them).
Disabled people must love this idea, too. And sick people. And elderly.
I think we could take this a notch further, and put the voting bin on top of a rock you have to climb.
Everyone sees people climbing the rock (ensures no vote staffing!), and once there, nobody can see who you vote for.
One person at a time, obviously, and if anyone is overstaying their welcome, the next person can simply push them off the rock.
It's actually a feature, not a bug, because it ensures that only really motivated people vote.
If the receipt allows to view whom you voted for, then it can be used to buy votes or pressure to vote for a specific candidate.
1. We need a sort of blockchain system to make sure nobody can change votes later.
2. Every citizen can deposit their vote with their own key tied to their id number that nobody else has. Everyone should be able to look up their own vote via their key.
3. We need more proof of work, require every booth to record a video of the voter and have a unique physical marker so that the video cant be reused and require voters to write something specific to that location during their video.
4. Proof of location? Require voters to transmit their GPS at all times during the entire election day. Then at least group voting (beyond faking your own family members' votes perhaps) should be impossible and multi voting should also be impossible.
4. Make sure that the counting of ballots is instantaneous so that the cheaters have less room to cheat.
5. Proof of time? Surely we should be able to simply use time to our advantage, given that somebody who wants to cheat on a mass scale inherently has less time than the individual voters?
Maybe all of it together, we have so much data about citizens in most countries. It should be absurdly easy to have a citizen be forced via GPS to vote from his area or even his building where he is registered to live before he starts going to his local voting booth. This would give us a lot of confidence that this is really a separate, real person and also the person in question.
We need to use what we have to our advantage. People may be able to fake a lot of things but all of them? I rather trust a complex system like this than literal pieces of paper where any person with a bad mind can just choose to read it differently or stuff a few extra pieces of paper somewhere.
The future of paper voting can be something like a quick fingertip-actuated DNA sequencer which will imprint your DNA hash right into the paper ballot, but it will never be an effective system on top of the current network architecture. You have to show up personally to vote. Like can you imagine voting with SMS or something? This is complete non-sense.
However I think this tool would work pretty good on a smaller community scale.
1. Widespread voting in person at a number of distributed sites, with paper ballots and either hand counting or machine counting with risk limiting audits. This is pretty technologically trivial to implement, but requires manpower.
2. Widespread postal voting as it's done in places like Oregon, where there's a non-serialised ballot inside a serialised envelope. All voters are sent an envelope and ballot via postal mail, and the return can be done at either a drop box or through the postal system. On election day, all valid envelopes are opened and emptied under the watchful eyes of observers from each party. They are then counted by hand or with machines and risk limiting audits.
What should not exist are voting machines. There should always be a paper ballot in the process somewhere that is human readable.
This would mean the end to the secret vote.
"they can write any confirmation code they want on a ballot and take a photo proof"
Apart from the fact some jurisdictions (such as UK) will discard your vote for writing codes on the ballot, there are a million ways to photoshop or fake a ballot selfie some other way, there's no standard way to be 100% certain how anybody voted.
Elections that have the potential to shift the power structure of a state are not low impact decisions. Paper ballots being slow and labour intensive is a feature, not a bug for really high stake decisions like who is in charge of a nuclear arsenal for the next years.
The more I know about electronics and programming the worse I think the idea of E-voting is for such occasions.
Like most (or all?) online protocols, this doesn't protect against vote selling or vote coercion.
The general idea for all of these is if you add uncertainty you reduce what a coercer is willing to pay creating a mutually assured destruction scenario whereby the system being in place ensures nobody ever tries it.
Votexx.org if you want to learn more.
At the least, this will often result in heads of household voting for their entire families. At the most, it can result in people voting under the supervision of a local gang/militia member.
If anyone is looking for the right terminology to find papers, it's "no-receipt" voting. The holy grail is no-receipt, yet verifiable voting, but it might be mathematically impossible.
If you took a picture of your ballot, or even if you filmed yourself putting it in the envelope and putting it in the mailbox, there's nothing stopping you from taking it out later, tearing it up, and going to vote differently in person.
The voter could go to a polling place afterwards and attempt to cast a provisional ballot but my understanding is that this is difficult, varies significantly state to state, and in many cases is not possible given that mail in ballots are detached from the voter identity ahead of Election Day in many states.
But if you held a gun to my head and made me vote at 18:59, with polls closing at 19:00, then I guess it would work. Hell, if you held a gun to my head and had me vote a week early and then blew my brains out, that would probably also keep me from voting again.
So it's not complete, but neither is the current system. You could hold a gun to my loved-ones head and tell me to go vote for B in our current system. I could photograph the ballot from the box, cellphones are small these days. Or if I vote by mail I could easily prove to you I voted for B so you would let the hostage free.
So I guess it actually is an improvement over the status quo.
If there's a "national registry of citizens" comprised of public keys, I think it will be easy to organize ballots on top of that.
Electronic voting significantly lowers the barrier for commiting fraud by election administrators.
The difference between having a passport or a national-issued digital identity card that has a private key inside is not much different. In passports, there are different security mechanisms in place that make it hard for an adversary to fake them. For digital identity cards, similar mechanisms exist so that their issuance does not depend on a single entity. The full list for which the identity cards are issued can be audited by sampling and finding follow-ups to see if the issued identity is owned by the claimed legitimate person and is independent, whether the thing is a passport or an identity card. Although, I don't know whether such checks are actually being done in practice. The security of digital identity is being assured with an increasing variety of documents that can be signed digitally using such government-issued cards.
Afterwards, when we have a list of public keys that are eligible to participate in the vote, E2E verifiable evidence prevents any involved party or coalition from deceiving the public with a manipulated election tally, as that would not produce valid cryptographic proof.
And even if you could, you see a name you never heard of, so how do you check whether it is a real person or not? Without having access to government databases.
Trusted third-party auditors can have such access without linking the public key to a person's identity. They can also access government databases on a sample basis. This is no different than linking the passport serial number to the person's identity.
it's worth keeping in mind though that this is an issue the current system faces. voters end up duplicated in the rolls under different addresses or old names, or they don't get removed from the rolls after losing eligibility or dying.
once upon a time I got two voter cards in the mail, one forwarded from an old address. I was eligible in two districts after nothing more extraordinary than moving across town. had to call in to get removed from the extra district.
The elder generation grew up with stuff where you had to be more cautious of damaging it, while the younger generation is far more confident with "randomly mess around until it works", because they grew up with products that were designed to be more forgiving.
I meant it in the sense of the younger generation has more exposure to concepts like encrypted communication and peer to peer communication and encrypted ledgers, etc. They might not know how exactly they work, but they know they exist and have an inkling of their attributes as they pertain to data secrecy, auditability, etc...
I think that the details of the vote will indeed be opaque to most voters, but I think that's the case right now for most of us. As a voter you must have some trust in the process and in the fact that the correct auditors have vetted it. Hopefully it's going to get there for electronic voting some day.
(Whether that's a good thing or not I don't know - perhaps you'd end up agreeing with whichever side has the most believable technological shibboleths, which isn't that much different from the current best practice of listening to the side with the better attack ads).
Whether the candidates themselves, all of them, can be trusted is a much more serious problem with democracy, I think, than "dumb" people affecting the vote.
dumb people vote for dumb things, whether issues or candidates.
Also, gay marriage isn't really a complex issue: Even the dumbest person understood the consequences of banning it, they just were that sadistic. Agreed on Brexit though.
As for the implications of your premise: Do you feel comfortable in not having a say whether you are taxed more, have your hobbies criminalized, or get sent off to die in some awful war somewhere so that some jerk can get rich? Because that's what you ask for when you say some obnoxious technocrat is fine running the country with no input.
And before you mention passing an exam or something to vote, that's just a direct path to corruption and disenfranchisement.
HTTPS is shrouded behind inscrutable crypto, but nearly everyone trusts it with their credit card details.
Voting doesn't have to be any different. The implementation details don't matter, as long as there are easy-to-understand verification concepts such as receiving a "tracking number" for your vote that is then easy to see it was counted. And then journalists and other private election integrity observers who do random sampling from voter rolls and follow up on complaints. (This is not a complete list, just examples.)
And remember, physical voting is actually tremendously complicated as well -- inscrutable optical scanners detecting which bubbles you filled in, and then... what? Who's actually adding the numbers, and where, and how? The point is, the details aren't really important as long as we're vaguely aware that there are election observers and journalists trying to catch any irregularities, and we all know it will be major news whenever they're found.
Yes, it has to be. If you break the ability for the average citizen to understand exactly how and why your vote is counted, you undermine trust. Trust into the democratic process is the thing keeping a democracy alive.
If someone currently says "<Country> / <Party> interfered with the voting process!", I can tell them to just observe their local polling station or even become part of the polling station staff themselves. Be there, check that the election staff doesn't start throwing away votes and count correctly. Check that the numbers they count are equal to the one on the official result for the polling station. It's all paper. It's easy to follow.
If we put anything between this, which requires trust into a magic box with a display, I cannot do this. If your credit card is abused, you see it on your bank account, always. You cannot have the same certainty the same for an anonymous election - yes, they may have proof that their vote was correctly counted, but what about the polling station as a whole? The votes of the other citizens? Most people will not check, just as you may only get one observer per polling station max today (which is already enough to prevent fraud for the whole station, in the case of paper ballots).
"Trust the journalists" does not fly.
> And remember, physical voting is actually tremendously complicated as well
It doesn't have to be. You don't need complex equipment, you can count directly in the polling station after it closes. Paper and people suffice.
> Check that the numbers they count are equal to the one on the official result for the polling station. It's all paper. It's easy to follow.
I say that, using paper, it's not easy -- it's next to impossible for any individual to do.
On the other hand, if I can download a file of voting results, import it into Excel, and run SUM(), it's about a million times easier.
What's important to rely on is the fact that people are able to verify that their own votes are consistent with what's in the public votes (using something like tracking numbers), and we can also verify there isn't vote stuffing (which there's no room for, if the number of votes and "didn't-votes" equals the size of the voter rolls).
You claim this "requires trust into a magic box with a display" but that's simply not true. All it requires is the ability for everyone to verify that their vote got included accurately, that people who didn't vote got included as not voting, and that nothing got stuffed on top.
Paper and physical voting is actually far, far, far harder to independently verify and trust. It's just that until recently, we haven't had a practical alternative.
If you want, you can even stay the whole day and keep an eye on the whole voting process except when the voters make their choice behind the privacy screen, you can see everything which enters the ballot box. I've seen myself someone regaining trust in the democratic process because of this - a guy who openly accused us, the polling station workers, of voting manipulation, being openly hostile, agreeing that everything was done correctly in the end. This would've been impossible while using electronic or online voting.
> it's about a million times easier.
If you, as a random citizen, know SUM() and even think about downloading the data for Excel, you are the top-n% in computer literacy. You are aware of that, right? ^^'
For most people, verifying their own vote on a website with no understanding of the underlying process is the absolute maximum you can expect, IMO. In this case, it is "trusting a magic box with a display". You compared it yourself with HTTPS, for which the same is true for the general public.
> What's important to rely on is the fact that people are able to verify that their own votes are consistent with what's in the public votes
But will people do this at scale and do people trust that they do so? The latter is the most important. It doesn't have to make statistical sense, it's about feelings in this case.
Because if most people (of a certain demographic like the elderly) don't check their own vote or a significant amount of people don't believe that they do so, you cannot automatically assume that all votes in the polling station have been counted correctly. It may have been e.g. only the votes of certain demographics (who are unlikely to check their own votes), which have been tampered, even if this believe is statistically unjustified.
If you supervise a whole analog polling station, you see for yourself this is not the case.
> But will people do this at scale and do people trust that they do so? The latter is the most important.
Yes, absolutely. This is the most important, and that's what makes it all so easy! If you don't trust, verifying your own vote is a click away. If you think there's something fishy in your town, ping a few friends and ask them to verify. Journalists and international observers can sample a few thousand randomly chosen people and verify that the election is at least 99.9% accurate.
Because we all know that if journalists find even any pattern of people whose votes aren't getting counted, or were changed, it would be front-page national scandal news.
The whole process you're describing for physical polling places is a million times more work for any individual. It requires a massive amount of time and attention.
Meanwhile, with electronic/online voting, all you need to do is see if people are reporting discrepancies that hold up upon further investigation. If they're not, then it all works. I don't understand why you think people wouldn't trust this. It's dead simple.
> I don't understand why you think people wouldn't trust this.
Because people are not always rational beings, often don't understand statistics and, in my experience, the set of people not trusting journalists and having doubt on past elections having significant overlap. If you are not convinced the press isn't lying, and maybe just prints what the government wants, you will not expect that they uncover election intervention. And your friends may be on a list of the city hall, "they" know that they vote for certain parties[1]. This is basically verbatim what voters sometimes tell you, why they don't vote via mail. It's easy to transfer those fears onto electronic voting.
It's very hard to keep believing in serious election fraud if you see how (this kind of) analogue voting works, though. You have to trust nobody, only yourself, at least in regards to your local polling station.
> The whole process you're describing for physical polling places is a million times more work for any individual. It requires a massive amount of time and attention.
Yes, I don't disagree. It's significantly more work, inefficient and antiquated. All true. I'm just not convinced that the convenience of electronic / online voting is worth the risk that a) a fuck-up due to any kind of bug / security problem and b) people losing even the slightest bit of trust into elections because of "magic computer", even if they are caused by delusions, would pose.
[1] Germany has no "registration" as Republican or Democrat (w/ German parties of course) like the US has - they don't have such lists
Credit card via HTTPS has a second layer to it though, the accountings/auditing layer. You can't achieve that with secret ballot voting without throwing out the secret part.
From your long sibling thread I gather that for you it is more important to be able to verify the votes by yourself through the output of the voting system (the excel example) than to be able to reason through the voting system itself. Whereas for schroeding it is more important to be able to conceptually understand and scrutinize the voting process as a whole, even though it might be difficult for any single individual to check on that their own vote was counted. Correct me if the summary was not fair.
Suppose we bring the two ideas to the extreme and imagine two voting systems:
- an extermely complex, completely opaque voting system that can only be managed by experts to function correctly, but with a perfectly infallible way to individually check that their vote was correctly counted
- an extremely obvious and straightforward way of voting such as paper ballots that are securely physically transported to a central location (all of them) and counted by people surrounded by observers (all in one sitting). clearly any individual cannot check that their vote was actually counted
If there is a disagreement about the result of a vote because, let's say for the sake of the example that the losing party thinks they should have won; In the first system everybody can of course check their votes, but what if the losing party questions the checking system itself? Then it is on the experts to justify why the vote is correct (can they do it?). On the second system, because everybody can reason through it, it is on the losing party to prove that the vote was not performed correctly, by pointing at some part of the (simpler) voting procedure.
I think that the second system is more robust in the sense that when there is a disagreement, it is easier regain everyone's trust. With simple procedures, the disagreeing party can make more meaningful demands on the people who manage the voting system to check that the vote was correct. In the first system it is the opposite, and because by definitions it is only understood by experts the losing party cannot do anything but to claim that the whole system is rigged.
So, since voting systems are ultimately a tool to collectively take decisions, I'd say that there is more value in having a simple procedure than efficiency and extremely precise feedback for individual votes. The trust in voting systems is different than the one in credit card processing systems.
Of course real electronic voting and real paper voting are neither of these two extremes, but choosing the e-voting moves us closer to the first system, while paper voting to the second.
That is unnecessary complexity already. Ballots can be counted directly in the voting stations, by the local citizens. If you want to check your vote is counted correctly, stay to witness the counting. After the results have been counted, they can be communicated to the city hall via phone, so everyone in the room can hear it.
I remember having a boss demand I put the authorize seal next to our credit card form, else it wouldn't be secure
We used stripe
You're generally right about each point in the process being a potential point of corruption. That's why voting systems need to be very simple and involve lots of people, even if it costs more. Ideally multiple independent parties would count the votes and compare results for discrepancies, until they reached an agreement.
That's why I said:
> such as receiving a "tracking number" for your vote that is then easy to see it was counted
There absolutely has to be a way to easily tell if your vote is or isn't counted, and that it's part of the sum total. I don't know if Belenios specifically does this in a way that is easy to see, but there's nothing inherently difficult or impossible about it.
Yup, I was clear that I wasn't giving an exhaustive list of the necessary things.
But that also has solutions that can be easy. The easiest is simply to make sure that the voting rolls are accurate, and that the size of the voting results has the exact same number of entries (because it also records every instance of not-voting).
So that if everyone who is an eligible voter, and therefore received a tracking number (even if they didn't vote), and they look up their tracking number and it's accurate (including "didn't vote") -- then there's no "place" to insert fake/stuffed ballots, because it would necessarily make the number of tracking numbers larger than the size of the voter roll. (And of course, voter rolls can be sampled randomly to determine they're made of actual real people as well, to whatever accuracy you desire.)
The point is, there are solutions to all of these things that don't involve some kind of blind faith in crypto. But rather just common-sense solutions where it's easy to understand that any massive gaming of the system will be detected.
On the other hand, “verifiability” is a more useful property on a larger scale. You may trust your local government but do you trust local government in all other districts? What if, with sufficient knowledge you could prove that their voting was right or wrong? I think that also seems like a useful property.
There were international observers in the 2020 election and they found no evidence of fraud [2], and many mainstream media sources that I hold reliable, (e.g. [3]) fact-check multiple claims of election fraud and nothing has showed up that would suggest that the election was "stolen".
I don't think it is at all preposterous to assume that the 2020 US election was fair, unless you subscribe to a view that the global mainstream media apparatus is in on some grand conspiracy.
[1] https://apnews.com/article/fact-check-election-ohio-ballots-...
[2] https://en.wikipedia.org/wiki/2020_United_States_presidentia...
[3] https://www.bbc.com/news/election-us-2020-55016029
We've gone from "haven't seen evidence" to "seen evidence at probability P-prime". Trust in an electoral system is an important enough issue that this should be investigated to the same thorough degree as a capital crime.
Did you mean to send a different video? Or are you deliberately misrepresenting evidence to support your position?
Election day, in person secret voting, with voter ID is the way.
- the ballots can be printed at non-monitored facility. I am sure FBI has such capabilities, there are many talented people
- those responsible for transporting ballots can "forget" some of them accidentally
- at polling stations where there are no election monitors, they can take as much ballots as they need
The state should eliminate this problem by requiring everyone to vote in person on election day with voter ID using a secret ballot.
We should not expect there to be much evidence that this is happening because the system has in effect, if not by intention, been designed to prevent any such evidence from being collected.
That is why there is some legitimate doubt in the tamper proof nature of our elections.
Why stuff ballot boxes when you can just make it harder for people that typically vote against your party to even get their ballots in the first place, or divide up cities in convoluted boundaries to prevent non-white communities from being able sway districts? All perfectly legal methods that have worked well for the GOP, which didn't even win the popular vote with their last president. That is the real reason GOP leadership pushes anti-absentee ballot narratives and DNC tries to expand those programs.
Widespread absentee ballots are bad, early voting is bad, gerrymandering is bad, lack of voter ID checking is bad, non-secret voting is bad. I'd like to see them all done away with.
I took a (lazy) crack at generating an image from a (could be 120% incorrect) ChatGPT conversation, FYI:
* IMAGE https://www.plantuml.com/plantuml/png/RLAzJiD03DxlAQnECF023A... (ChatGPT's images look bad)
* CONVERSATION https://chatgpt.com/share/142a2eca-1f66-4087-9568-cbf49e7c3c...
https://youtu.be/w3_0x6oaDmI?si=kGDOYOb_RiiQaZ3u
https://youtu.be/LkH2r-sNjQs?si=YdQgNC4uUZDUDbab
It would be too burdensome with pencil and paper. Alternatives are useful.
Discussion, debades and more generally exchanging opinions with others and pondering the options before committing to a decision are important if not essential for proper functioning of democracy. This necessarily takes time. How would real-time voting make things more democratic? I see no advantage in making the process hasty. If anything, it would trivialize the process, like voting for a game show on television, which would definitely be bad.
https://en.wikipedia.org/wiki/Voting_in_Switzerland
There are methods for preventing all the issues Tom Scott raises.
I assumed this from the parent post
>> Something being hard does not mean that it should not be tried.
As opposed to paper voting, which does not have the issues raised by Tom Scott. If that is not what you meant, don't you agree that a more high-tech solution, complete with unspecified but granted methods that mitigate the security problems, requires more expertise and makes the process of voting as a whole more difficult than the low tech one? (eg infra / software maintenance, robustness to outage, educating people on how to use it, ... everything discussed by other threads)
> ballot is a publicly accessible encrypted ledger, where the votes exist publicly
It is cool, but I do not see how this improves upon voting on paper by mail.
Sure, it takes more expertise to run a ballot, but not more expertise to cast a ballot. And that's where the democratic process fails in most of the western world at the moment. Entire demographics are not interested in voting due to the higher bar of going through the motions of going to a ballot booth and casting a paper ballot.
In a world where it's possible to vote from your personal mobile device there doesn't need to be a whole circus and the entire country needs to stop in its tracks for the election day. It can be just another day, another weekend, or another week. You can vote for the smallest things that are interesting for you. Local issues need not to be left to the latitude of mayors or councils, but you could now vote on them from the comfort of your own home.
In college I worked in a research lab building accessible voting systems. We regularly ran test elections with the deaf and blind community. Its both amazing to see how adapted a person can become to living in a world that assumes a certain level of physical ability. Its also amazing to see how horribly inaccessible most voting systems are.
With paper ballots, for example, you are usually limited to sitting in a booth with a poll worker and telling them how to fill in your ballot. That does technically work, but breaks voter privacy and you have no way of knowing if they filled it in right because, well, you can't see the ballot.
Already a solved problem, e.g.:
> On election day and at advance polls, your polling station will have tactile and braille voting templates that you can use to mark your ballot. Simply fit your ballot into the template and use the braille and embossed numbers to find the space next to your chosen candidate's name.
* https://www.elections.ca/content.aspx?section=vot&dir=spe/to...
Another part of our goal was to build a voting system that was accessible by default, meaning everyone was able to use the same device regardless of any disabilities they may have.
The problem is that when you can verify that your own vote has been counted a certain way, that can be used to influence the vote. $100 Amazon gift card if you verify that you have voted Purple. Lack of verifiability has been a feature to prevent a voter from willingly participating in manipulation.
Sure you can generate all these secret codes but then why wouldn't a briber ask for you to take a picture or video of the screen with all the codes and secret? OCR and computer vision is quite good nowadays and most people are carrying a video camera in their pocket, so the process can potentially be scaled. Bonus points if its install the Purple App and ask the voter to point their camera at the screen with all the codes. Double bonus points if the app generates a nice easy password for the used to plug in to be used as your secret.
And the thing is that it doesn't need to be super accurate. Even if its only budgeted with $10 million worth of $100 gift cards and it's only about 70% of the cards were getting the desired outcome, that's still 70,000 votes going purple. Especially if you limit it to being the first 100,000 confirmed voters, you'll still get people participating if they think there is still hope for getting a card. Even more if you're convincing voters that are only voting for the sake of a gift card and don't actually care about the result of the election.
And ultimately that's just one of several attack vectors I can think of. And I'm not a smart person; I'd go as far to say that I'm actually pretty stupid. I can't imagine what a room full of actually smart folks with NSA-like budget and NSA-like permissions can come up with. Remember the gigantic mess with Dual_EC_DRBG in the FIPS 140-2 standard?
Regarding your suggested attack vector, where the briber asks for a video of the screen showing how the number is displayed on the screen, this can be resolved with fake credentials. When creating a fake PIN code, the voter can specify inputs and outputs to the device with which the video can be taken. Fake credentials can further create fake credentials, so it is not possible to distinguish them.
I can think of a method that allows a voter to decrypt the ballot payload only coupled with one or more keys from the parties that organized it. Ie, if I as an individual want to see the vote, I can't. But if I suspect my vote has been tampered with I can ask the organizers to audit it, and with both our keys, I can see the payload. (This is just back of the napkin theorizing, it might have other issues)
Ie, if a malicious entity wants to make sure that the votes they have bought are corresponding with what they asked, they need to go through a more difficult process than just asking the people they bought from to reveal their vote.
Because of potential malware on the client's device that can manipulate a vote before it is cast.
[1]: https://chain.link/education-hub/oracle-problem
I'm not overlooking it, self-interested political parties are, but you are conflating the authentication problem with the voting problem. Moving to electronic voting does not solve the authentication problem, it just adds one more problem.
> You think in 10,000 years it will still be impossible to run a vote electronically?
Yes.
The only way to trust voting machines (which could be rigged before delivery), would be to physically watch which buttons the voters did press, and manually account it... which would violate the core rule of anonymity, that to avoid retaliation.
The rolls used can be marked uniquely.
The voting machine will print an opening and closing pattern so no votes can be added before or after.
Electronic voting system must be prohibited across the board. Every system is vulnerable, electronic system are all remote controllable, I much prefer to have a person within the jurisdiction to go after than someone outside of it.
I don't understand howhy it's ever made out to be more complex than that.
Obviously not something that seems reasonable for government implementation, but this seems like it would be great for soliciting a specific kind of feedback about a project or business. Board elections, or product reviews from third party stakeholders, or stuff like that.
Truly auditable voting is definitely a tough enough problem that I'd never want to tackle it myself, so I'm glad this is available should I ever find a use for it!
https://x.com/TallJohnSilver/status/1721918130568511822
Which is why you get things like voting booths, indelible ink marks on people's hands, elaborate secured containers for cast votes with elaborate seals, and extensive timed processes around how votes should be handled while being moved or counted, including complicated politically-aware algorithms about the selection of observers and counters, and counter-observers (and even foreign observers.) The rules about spoilage in most paper and pen voting systems are probably more complicated and involved than the core algorithms of any of these voting systems. There's was no golden age of voting when elections were trustworthy.
Anonymity is a hard problem.
I don't know what the US does, but this is how it works in Germany: Around half-ish of the polling station staff are clerks of the local administration (normal office workers of the city hall, who almost always serve their whole life - they are not re-appointed by the current ruling party), half (or more) are citizens. If not enough citizens sign up voluntarily, random citizens are drafted.
The equipment is: A list of all eligible citizens, who can vote (no registration is required), a ballot box with a very flimsy padlock, for which the polling station staff has the key, mobile privacy screens for the voters, pens and the actual ballots.
If a citizen wants to vote, they show their national ID (something which the US does not have, I know, but that's not the fault of the paper voting process) and get a ballot. They make their choice behind the privacy screen and put the ballot in the ballot box.
After the polling station closes, the ballot box is shaken around a bit and anyone[1] can come to look / supervise the polling station staff as they count the votes. The number of votes must be round about equal to the number of voters. The result if given to the city hall via phone, the ballots get put into the ballot box and can be recounted later, if necessary. City hall puts all results on their website, so the polling stations can verify.
If a ballot has more than the allowed number of votes or something written on it, the polling station staff holds a quick vote, majority decides.
That's all, the whole process. No ink, no complex seals (the key for the ballot box is in a box with the blank ballots, it's only there to prevent accidental opening of the ballot box), no timed process (except "voting until 18 o'clock"), no politically motivated selection of polling station staff or observers.
Would you really say that this is more complicated than electronic voting, including understanding the algorithms? Especially for someone with no CS background.
And it works - will you sometimes have one ballot more than voters? Yeah, sure, because someone may forgot to count a voter. But those tiny, human discrepancies IMO don't matter when you have >1000 ballots. The result is correct enough, and based on keeping each other in check, not on technical security measures. Everyone can understand the process, and everyone can be a part of it.
It does not meet the correctness guarantees of (perfect, untamperable) electronic voting, but it's IMO a heck of a lot simpler, just as trustworthy at scale and anonymous.
[1] literally anyone, even non-citizens, no registration required - we even give them coffee if some is still left :D
So I'd amend your statement to "pen and paper, with official ID and in-person verification".
> He voted by absentee ballot and again in person on election day but claimed in social media posts that he did it to show how insecure absentee voting is. He pleaded guilty to one of the charges and was sentenced to 6 months of probation and ordered to complete 40 hours of community service and pay $500 in restitution. [1] [2]
However, I didn't see any cases for 10+ votes as a deceased person for 2020. There is somebody that voted 26 times using alive people though [3].
The overall moral is though, there is fraud and it does get caught. When you think there's "widespread" fraud that isn't being detected it ends up always being a simple explanation (i.e. people lived in the state at the time of the election and moved afterwards).
[1]: https://www.heritage.org/voterfraud/search?combine=&state=Al...
[2]: herit.ag/3WpMOb9
[3]: herit.ag/3yE3mD3
The more people can vote, the better the democratic process will be. Making it easier for _everyone_ to vote should be a priority.
That only happens if the people in charge of the elections are enemies of democracy. It also means that the results are being manipulated and not particularly legitimate.
The election day is obviously a public holiday. There are plenty of polling locations, so you never have to go far to vote, unless you live in a particularly remote rural area. And because there are enough polling locations, you should not have to stand in line for more than a couple of minutes.
There are also a few early voting days to give people more chances to vote if the actual voting day is too inconvenient.
As far as I understand, online voting has been shown to have minimal to no effect on voter turnout. Most of the time, people don't skip voting because it's too inconvenient but because they are not interested or they forgot.
The #1 goal of a voting system should be to prevent a hostile state from secretly hijacking your elections.
How convenient voting is can make a difference between 57% voter turnout versus 62% voter turnout. That's largely irrelevant.
If everyone can conveniently vote and then no-one's votes are counted because Putin makes up tally numbers, that sucks.
Another problem with electronic voting is that votes can be bought or people might be pressured to vote specific way. The voter might save hashes/keys as a proof that they voted for a certain candidate and this can be used as a basis for payout or not being punished.
I do think it’s very useful though, it’s like one huge chunk of work done.
Without this the whole system can be easily compromised.
We wrote a whole bunch on the topic here (again, use automatic translation) https://eglasovanje.si/vsi-clanki
Seems like this would solve the ballot stuffing issues as well as being easily electronically verifiable, it's just not a fully digital solution
Then, the voter can vote using their root key, reversing all the sold votes and cast a vote for their preferred candidate.
Vote selling problem solved.
What does it want in a password? Would be nice if it actually listed out the requirements from the get go.
The Belenios voting system is one of the E2E verifiable ones that allows the voter to ensure that their vote is correctly counted without submitting trust to a third party, which is necessary to prevent a corrupt election authority from deceiving and manipulating election results. However, it is also one of the underperforming ones in terms of usability. Like most of the existing E2E verifiable systems, deployability is a logistical nightmare if one wants to safeguard both privacy and resistance against sabotage.
In particular, if I understand correctly, individual verifiability is ensured through a challenge where the voter, after casting a vote to the server, has a chance to test the voting client by challenging it with revelling encryption exponent to the server, which then can decrypt the vote and show it on the screen. This one is a bit concerning in itself, as the voting client can decide to manipulate only votes cast for one candidate. Whereas checking and casting the same vote again would reveal the vote to potentially corrupt authority. Imagine explaining to ordinary voters such verifiability guarantees. There are better systems where one can get a tracking number at the end of the vote and check it with all cast votes when they are decrypted (one can look up Selene).
Another issue with the system and all existing E2E verifiable voting systems is the deployment of a threshold decryption ceremony. To recap for everyone. Before the elections, the authority manages the creation of a shared public key between multiple parties, which voters use to encrypt their votes during the vote. After the vote, all encrypted votes go through reencryption mixes or are homomorphically tallied and then finally, the votes are threshold decrypted. The challenge here is choosing the redundancy threshold of a number of all parties that need to come together to decrypt the election result. If too few come together, the election result can remain undecrypted, whereas if the hold is set too low, a small minority could collude and see how everyone has voted. Hence, securing both privacy and robustness is an expensive activity.
The website offers the service for those who don’t want to deploy the system themselves. The issue is that the voters’ privacy is handed over to the running service. There is no way to verify to what extent the parties used by the organisation are truly independent and would safeguard their vote privacy.
My biggest gripe is that theese arguments don’t land well to thoose who are acustomed to mathematical formalism of security definitions and proofs. The E2E verifiability with strong privacy guarantees can also be achieved in expoinentiation mix setting wihtout the need to threshold decryption ceremony [1, 2]. Receipt freeness is still an unresolved challenge here, but I see a path to resolve it with ideas similar to those used in Selene. Whereas if you are concerned about fairness not being distributed between multiple parties, please explain to me an attack vector there that can’t be accounted for!
[1]: https://www.usenix.org/legacy/events/evtwote11/tech/final_fi...
[2]: https://eprint.iacr.org/2024/1040
Verifiability
Absolute Privacy between the above two
Sounds like Time, Money, Resource: only pick two.
This is why your mail in ballots in the US have the double envelope system. The outer envelope identifies the ballot (but not your vote) and if there's only 1 submission then it's likely legit. At that point the inner ballot can be counted along with other legit ballots and it won't be identifiable back to you.
https://chain.link/education-hub/oracle-problem
As long as we trust "certificate authorities", this is pure bulshit.
In the US right now, our problems are well understood and primarily relate to ensuring that only legally eligible people vote, and that the vote was cast by that actual person.
These are fundamentally not technical problems. We have known about them for decades if not centuries and as recently as the early 2000s the Carter-Baker commission laid out the problems and the relatively straightforward solutions.
There have always been political “machines” in big cities, and if given the opportunity, they will try to stuff ballot boxes, intimidate voters, harvest ballots, exclude observers, apply voting laws unequally, and do any number of other shenanigans to give their party an advantage.
This has reached epic proportions since mail-in ballots for able bodied voters was normalized during COVID.
And the problems have all been exacerbated by the unwillingness of the courts to force states to abide by their own voting laws.
Election administration is not difficult, it is a straightforward set of tasks that require diligence and integrity, and that benefits greatly from having highly motivated partisan observers at every stage of the process.
Technology currently used in voting mostly just introduces more ways to mess up elections either intentionally (via manipulation, by administrators or hackers) or accidentally (as via bugs).
The fixes as I said, are simple but inconvenient:
1. Diligently clean voter rolls every year, or even throw them out and restart every year
2. Strongly authenticate voters via in-person registration with trusted nonpartisan agents (government officials) and verify eligibility to vote (citizenship, residency, age, selective service)
3. Vote in person. If intimidation is known to be a problem in a precinct, bring in state police (not local). Note that machine precincts are likely determinable via statistical and electoral analysis, eg where can small swings have big electoral impact). You don’t have to fortify everywhere.
4. Check voter id at the polls.
5. Paper ballots, hand counted on the day of election.
6. Invalidate the count and require revote from any precinct that counts any vote not in the presence of partisan observers from any party on the ballot that asks. Do not allow any vote to be counted after results are reported; the remedy for custody mistakes and “finding uncounted votes” is re-vote.
7. Publicly post precinct level results BEFORE reporting to the county or state. Publicly post county results before reporting to the state. This allows independent channels to confirm that tallies at the county or state level are not tampered with or inadvertently miscomputed.
8. Fast track any election challenge hearings from any eligible voter in an election and do not allow judges to reject cases due to standing, mootness or laches.
9. Absentee ballots should be rare and require proof of need and extraordinary verification with partisan monitoring.
I know Switzerland is small but still to big to put us all in a room, also who decides who the "random sample" is? People from Cities, Land? French speaking or German? Voting is the the only provable and fair decision making, however the pre-vote-training of the voters (aka marketing, media and money) is the big problem for me.
> the pre-vote-training of the voters (aka marketing, media and money) is the big problem for me.
It's not merely that. These are very complicated matters that take time and energy to understand, and voters don't have the necessary time and resources to dedicate. Voters are also asked to vote for people they cannot directly talk to. Everything has to be done through intermediaries and middlemen, because direct communication doesn't scale. That's why picking a smaller sample is interesting: if you pick a hundred people at random, you can pay them to simply think and talk to each other, and you can reduce (although not completely eliminate) the influence of marketing, media and money.
Have you ever had a gummy bear package with nearly just green bears in it?