Remote attestation via trusted execution environments is a thing. It is not a theoretical one either. See, for example, Graphene OS's Auditor app[0]. Solving this for voting machines in particular would be a matter of good design, not of solving fundamentally hard problems.
* Opens Cargo.lock [1] and pnpm-lock.yaml [2]
* Closes Cargo.lock and pnpm-lock.yaml
* Goes to find a Tylenol
At least with open source we can see the sausage getting made...
[1] https://github.com/votingworks/vxsuite/blob/main/Cargo.lock
[2] https://github.com/votingworks/vxsuite/blob/main/pnpm-lock.y...
Watch out that you don't catch the autism :) /s
> [1] https://github.com/votingworks/vxsuite/blob/main/Cargo.lock
> [2] https://github.com/votingworks/vxsuite/blob/main/pnpm-lock.y...
These files are actually cursed and I want all drives that contain their data destroyed with acid. But I have a slight feeling other voting software isn't really any better, even though in theory it should be relatively simple software in the grand scheme of things.
Auditing the software isn't enough if you can't reliably verify that this is actually what's running on the machines, or if the machines weren't otherwise tampered with in some way.
Note that ananymous is also a required part of voting.
• Why Electronic Voting is a BAD Idea <https://www.youtube.com/watch?v=w3_0x6oaDmI>
• Why Electronic Voting Is Still A Bad Idea <https://www.youtube.com/watch?v=LkH2r-sNjQs>
Humans are actually quite bad at hand-tallying hundreds of millions of datapoints. Our eyes go glassy but we press on anyway.
Machines are very good at doing that kind of tedious labor accurately.
Whether human beings will put more trust in a system that we know will be wrong, but it's wrong for comfortable meat reasons, over a system that might be compromised but will be more accurate its more of a psychology question than a technical question though.
Having a paper trail and an observable counting process is worth a small error margin.
The problem with the accuracy assumption of electronic voting is that a) its all coded without errors and b) someone hasn't deliberately but code into manipulate the vote numbers.
If you're saying we should be writing voting machine code in ML and keeping the firmware in Fort Knox, I'm going to make the argument that it's a lot cheaper to do sampled hand-counts to check against machine error or tampering... Which we already do.
It doesn't because even with unit and integration testing, software still fails and get hacked/exploited on a regular basis. What's worse with software voting is that a single good exploit could affect all the votes.
> no software or programmable hardware
That's obviously too stringent. Consider:
1. Precinct hand-counts every single paper ballot bubble sheet.
2. Precinct hand-counts every single paper ballot bubble sheet, then confirms the hand count by feeding all the ballots into an electronic bubble-sheet reader.
Your claim is that #1 is more trustworthy than #2. That's an extraordinary claim that requires more evidence than two youtube links!
Edit: to be clear, I want the requirement that all voting must be paper ballots like the human-readable bubble sheets mentioned above. But saying that no software or programmable hardware can be used "in the election process" is so extreme that it sounds like a parody of my own position.
We've been using mechanical, semi-mechanical, and electronic systems for decades at this point. The new concern for accuracy is pretty unfounded (and, it is worth noting, was heavily drum-beat into existence by a Presidential candidate who then went on to win an election).
If we want to talk problems with electronic systems, I'm a lot more concerned about how people don't actually know how to use touch screens (and I am myself in favor of pencil-and-paper ballots for that reason alone) than I am about people being able to sneak a super-double-secret modification to an electronic tabulator in against all the ways that attack could fail (including "The county can just decide to hand-count the pencil and paper ballots anyway, which would discover the deception").
Fully electronic, no-paper-output systems are past my personal trust threshold.
More seriously, even though some cars are programmable, I did not mean that nobody could use cars to transport ballot boxes. I obviously meant that the official results should be the manually-counted one; machines could conceivably be used to get interim results faster, and/or to double-check a count to see if it needs to be counted again. But I was serious about requiring absolutely no machines involved in the counting of the official results.
In addition, most states have a mechanism by which a candidate can formally challenge the results in a precinct, forcing a hand-recount. This usually has some kind of onus on the requester (I believe in PA for example you have to put up a bounty and if the hand recount results come out to the same result as the previous tabulation the state keeps the bounty as payment for the added cost of the forced audit). However, it is an option (and, most notably, not an option that anyone who claimed shenanigans in 2016 or 2024 exercised).
The problem of election integrity doesn't exist in a vacuum and didn't pop up overnight in 2016; states have been working the issue for a couple centuries and have a pretty good system. But it's a system that requires some detailed statistics and process control theory to understand, so I'm not surprised the median voter doesn't get it. There is, perhaps, a case to be made that for that reason alone we should go to manual, but someone's gonna have to spend the money on that if we're going to do it; it's going to be drastically more expensive than electronically-facilitated counting. And, indeed, people will have to accept that human counters will be less accurate than machine counters (because they're human; we don't train "computers" anymore as a discipline).
This places a lot of trust in that “random” selection.
Not sure why you're scare-quoting random. Do you have reason to believe it's not random?
proven for the private market(s) != proven (or even acceptable) for governments
do the risk analysis. what happens when an industry-standard quality control measure fails in whatever way for a private company? some hit to their reputation, stock price, market share, maybe they even fail. these are perfectly acceptable outcomes for a private organization. they are not acceptable outcomes for governments. governments demand (much) higher standards and more stringent processes. slowness is a feature, not a bug.
The main benefit of manual tallying is that election tampering at scale becomes a rather labor-intensive and physical process that is more likely to leave detectable traces. Compare that to the the last US presidential election that has statistical oddities in machine-tallied voting results of kinds that have historically been shown to correlate with election fraud. If this was indeed caused by fraudulent voting software, it happened without leaving any other obvious traces of tampering.
When and where was this?
- in New York there is statistical anomaly correlated with a couple small-town polling stations. Those towns are small enough that they have a huge population of one religion, and one explanation is that the Democrat party's perceived "soft on Israel" stance tilted 100% of voters in those locations away from supporting the Democrat presidential candidate.
- in Pennsylvania a standard statistical analysis tool used to detect vote disruption suggested disruption occurred. The form of the disruption could be fraud, but it can also be things like voter intimidation (which was observed and reported in Philadelphia) and sudden discontinuity in voter behavior (the aforementioned "soft on Palestine" issue).
Correlation does not imply causation, and the lack of evidence of tampering of the machines in the audit logs is lack of evidence of tampering of the machines, not indication that the audit logs were compromised.
People who think it's not safe should really spend some time learning how it works. It's impossible to cheat at scale. Each ballot is verified to be correct my multiple eyes. A person is reading, one is writing down the name, one is verifying and some other things I don't remember.
To cheat you need to have everyone in on it. A whole town involved to cheat and to at best win one polling station. It's safe because anyone can attend the counting, so each party can send someone to check no shenanigans is going on.
So the more votes you want to be winning by cheating the more people must be brought in the conspiracy. That's impossible to be unnoticed at the scale of a city, much less at the scale of a country.
Every single vote must be checked against publicly available lists of voters. Every ballot can only be given somebody whose identification is checked against this publicly available list and marked. The lists must have multiple copies some in the hands of opposition observers. They need to be published.
Yeah, do that by hand please, without relying on electronic means.
Paper ballots with "honour" based out of circumscription participation is not secure. My country also suffered from this issue and it's not an authoritarian regime. They fixed it by adding and checking IDs on a ballot participation list. Nobody explained how that works to the average voter.
What I was trying to underscore is that even for something that's presented as simple and fool proof as paper ballots one can find vulnerabilities, especially when you're dealing with nation level threats. So in my opinion we shouldn't ask electronic ballots to be more security than what is already in wide use.
And in fairness, electronic ballots don't need to be more (or as) secure as paper ballots, but 'mail in' ballots. If we can come up with a method that's as secure as mail ballots I'd call it a success, despite what Tom Scott says.
I really recommend people volunteer for it, if you're American and you're concerned. All you have to do is call your county elections office; they always want more people. You get paid near-minimum wage and it takes two days a year, but that's it.
What you will discover is that most of what people are asking for in this thread is stuff the states of the United States already do.
If a person is deeply concerned how the election is run? Go get involved. It's your country and your election system.
Elon did it, and they both bragged about it, publically.
Why do we believe the liar on this topic?
Humans just need to be able to separate a few hundreds of ballots into a couple of piles. When introducing double checking this makes an incredibly rigorous process, which can be open to the public. This is the case here in Germany.
Everything after that can be done by computers as all the data after that is published.
And the other related issue is that in 2025, it simply should be possible to vote from your phone in a way that verifies your identity, if you'd like, using the faceId/fingerprint biometrics that most smartphones from recent years have.
Paper ballots are fine. It is not complicated at all and an election is the one thing you just cannot get wrong in a representative democracy. It can cost a bit and you only do it once every few years.
And if anyone can make up a reason to doubt the outcome of the election, it will fail it's objective: Peaceful transfer of power.
The usual way to try to solve this is the ability to override previously cast votes, in secret. But the combination of that and the ability for all interested parties to independently verify the count is not trivial. But not impossible either, much has been written on the subject since e-voting was all the rage in the 90s. One would do good to study this work before designing yet another voting system.
They can see whether another candidate's ballots are piling up faster than yours, they can estimate whether a table counting ballots for a district you're expected to dominate is being given way fewer ballots to count than you'd expected...
Yes, they would obviously spot if some election worker is like adding a pile of pre-marked mass produced ballots to a pile or something, or if they were just putting half of your ballots in the wrong pile - but stuff like that basically never happens, whereas somebody will win and it'd be nice to know before it's announced if that's achievable.
Software and hardware is still magnitude more vulnerable to intentional misbehavior, and even accidental mishaps has a higher risk of massive negative consequences, and its harder to discover failure compared to boxes of votes that has a physical presence.
Sounds like externally verifiable logic systems is an upcoming need.
E.g. You as a Citizen walk around with your own System Verification toolkit and can at any time Verify that the voting system tabulates your vote. Something fantastical like that.
Trust is hard to maintain with human. Digital trust is not a human concept, the way I think at least. So this area is tricky.
This complicates a formerly intuitive subject, introducing radical change hidden within an often literal black box .. and nowadays that box is in 'the cloud' .. making it difficult for humans to retain a mental model, which can then reduce the sense of trustworthiness of that subject!
Corruptible humans are here to stay, forever. We are alive until we are not, and we are a successful species, so we "get it done, whatever it takes" in order to survive. That includes grifting.
People are motivated to resource-hog (power, money, votes in favor of their own interest) by brain chemistry / structures. "Feels good to win."
So - in my view - regulation is key to ensure that shared values win, over personal values.
Technology doesn't care, and can be crafted to add "guardrails" that prevent corruption.
The trick, again in my view, is maintaining those guardrails as anti-guardrail technology is developed by self-interested grifters!!!
What a world! (ncr100 sprays chrome spraypaint on mouth an drives off into the desert ...)
Arguments against electronic voting: 1) one person can change millions of votes 2) vulnerable even outside the country 3) even if you audit the software, it's hard to verify that the audited software is what is actually loaded on the machines 4) even if you check hashes of the software, how do you check the software that checks the software (this is a restatement of the Ken Thompson Hack) 5) proprietary software 6) USB sticks are insecure 7) final computer tallying everything is owned and located in a single place 8) XSS attacks on e-voting pages.
Arguments for physical voting: 1) centuries old, many attacks have already been tried and failed 2) no identifying marks on ballot = no opportunity to pressure voters to change their vote 3) multiple people involved in each stage of the process
I realized after typing that out that YouTube has a "Show Transcript" function, so try that for the second video.
These are fair criticisms.
And I personally feel that electronic voting can be made secure and trustworthy, in the human sense of trust and the digital sense. Looking at this from a 'voting accuracy advocate' position, one could add verifiability at all stages, allowing external validation by the invested party .. the citizens could count their own votes and vet the State's tabulation.
I could be wrong, though. As far as I know, hardware companies nowadays cannot even be reasonably sure that the chips they use don't contain backdoors.
If you can not independently verify election results, what good does published source code do?
Elections are a process, not a result.
The huge takeaway for me was not the technology (or lack thereof). Ultimately all existing (and proposed) systems have flaws. The key was public trust in the result.
The first step to sidestepping democracy is to attack the legitimacy of elections. One can attack the process, software, hardware, ballot security, eligibility, and so on. It doesn't really matter what you attack - it doesn't matter if your gripe is legit or not. It only matters that you erode trust in the result.
If you can make people think the elections are rigged, then you can bypass them and move straight to authoritarianism.
Quibbling over open-source or not is irrelevant. We can cast doubt on the software either way. Quibbling over electronic or paper voting is equally irrelevant (there are plenty of paper-only elections worldwide that are very suspect.)
Naturally the Open Source company promotes Open Source voting machines. But in truth being Open Source has no (real) benefit. Software is easy to tweak, Open or not.
In the US for example, distrust is very high. Promoted by accusations of mail-ballot fraud, of illegals voting, by anything at all. This continues despite winning the 2024 elections.
But that's not the truth though. Open source software is not easy to tweak when it's deterministically compiled using reproducible builds and there are provisions for on-demand inspection of executables and hardware.
Firstly, inspection of code is a very technical skill, so there's a certain amount of reliance on a tiny group here. That tiny group then simply declares whatever they like. Understanding a complex C program, looking for obfuscated behavior is a very specific skill.
Secondly, given the tens of thousands of machines in play it becomes impossible to guarantee the code inspected is the code that runs. The GCC compiler itself, used to build the software could be altered. The kernel of the machine could be altered, and so on.
Yes, ultimately given enough time, it would be possible to detect problems. But getting a report years after the election is fruitless. Also, no doubt, with time, security issues in the OS and code will be retroactively discovered. There will be no way to determine if those flaws were used or not.
In short, you cannot determine veracity or correctness of the machine, in reasonable time. Making the code Open Source does not change this.
And again, it doesn't matter if the code is honest or not. It only matters what people believe. If anything having the code Open just means more opportunity for malicious actors to claim they've "found issues" without being specific.
The issue is not the software. And its not the software license. It's the environment of mistrust coupled with the willingness of people to accept obvious and blatant misinformation. (See vaccines etc).
Don't put all eggs into a single basket.
Independent testing laboratories exist that do specialize in the specific skills you're talking about. Pretty much all of the software involved is certified and saved, source is saved, compiled binaries are saved, hashes are logged of the compiled binaries. Binaries run from EPROMS or write-protected partitions making it very difficult to change them once installed. Cabinets have tamper-apparent sealing.
The machines are designed so that an auditor can inspect a machine on a casino floor in under 5 minutes, verifying that the software that's installed is the one that's supposed to be and that the physical seals haven't been broken.
I'd imagine there are a lot of similar processes for ATMs.
Electronic voting is fine. Why can't we just have a printer in the polling booth? I run my ballot, then hit print, then I can manually verify it, and then drop the printed ballot in a box.
Literally the easiest thing to do.
Printing paper is cheap. Shipping it is cheap. Checking it is cheap and obvious. Reprinting is cheap. You don't even need to ship them. Most of the cities are close to industrial areas which has big printers and paper mills.
Making stamps or buying pens is cheap. You validate ballots at the polling stations which is scalable and cheap. It is the members of public who validate it. You don't need to pay most of them. They are just local constituents! It is their vote!
You are not aware how far away you are from the point!
Your comment here, for example, would be fine without the last bit ("you've missed the point entirely").
If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.
If you want this, the next step would be to get involved at your county or state level (depending on how your state makes voting technology decisions).
You didn't define how paper ballots are better. Given that many electronic systems print paper ballots, I'm not sure how they could be said to be universally better.
Electronic ballots can be much better than paper in two ways. Firstly, they are faster to count. I'm not sure why that matters, but it's true and seem people seem to think knowing the outcome quickly is important.
Far more importantly to me: they are easier to use. In Australia we have compulsory voting. A lot of attention is paid to how many votes are invalid. It currently runs at 5%, but ranges up to 10% in areas with lower education levels or non-English speaking. Voting machines can tell you verify if the vote is valid, help you if they aren't, provide information from the candidates if you want to know more.
One the downside, a poorly designed voting machine can be far less secure than out current paper system. Sadly, I don't think I've seen proprietary voting voting machine that didn't have significant design flaws. Making the situation worse is the voting machine companies like to keep their flaws well hidden (flaws aren't good for sales). In Australia, we've had examples of the Australian Electoral Commission perusing academic researchers in the courts for revealing flaws. [0] Mandating open source mandate is a solution to that.
https://www.unimelb.edu.au/newsroom/news/2019/november/flaws...
What a farce.
It depends on what you are after I guess, but it's almost certain that if the USA has compulsory voting Trump would not have won the last election. The people who don't usually vote; the feeble-minded as you call them, pull the vote toward the centre. Whatever Trump may be, he doesn't represent the centre of politics.
If the current USA polls are any indication, most USA voters are now wistfully thinking what might have been, had a system that forced those feeble-minded voters to get off their arses and vote been in place back in November.
Terrible people just corrupt the qualification-mechanism instead. That evil tactic tends to be more-effective and longer-lasting than trying to appeal to the lazy-stupid vote.
You think this is a fair characterization of what I wrote? That it not being worth sacrificing the security of a voting system to get the most disinterested and incapable to vote, is equivalent to some unstated "qualification" test?
They don’t have stellar democracy grades from The Economist’s index: https://en.wikipedia.org/wiki/The_Economist_Democracy_Index and both seem worse off in the last ten years than the ten years before.
Enjoy: https://en.wikipedia.org/wiki/The_Economist_Democracy_Index
Our elected representatives have tried to add a paper trail to the machines twice now and it was ruled unconstitutional for total bullshit reasons. Our former president was banned from future presidential races because he questioned the machines. We have a judge loudly proclaiming that the machines are UNQUESTIONABLE with such unwavering pride you'd think he'd have the balls to start a billion dollar bug bounty and post it here on HN. He only allows you to "audit" the system by appointment behind closed doors and the only tools you're allowed to bring with you is a pen and a piece of paper. People found issues even with these restrictions. There are people protesting to this day, laymen asking for source code, completely unaware of the existence of supply chain attacks and the fact the source code would prove nothing and serve only to humiliate them. We have former US president Biden's top CIA guy telling our former president to stop questioning the machines, wouldn't be surprised if they had access to this shit.
Germany did it right: voting machines are unconstitutional because citizens do not understand it. Elections must be fully auditable by the average person. This is the correct stance.
Bolsonaro didn't question the electoral process, in fact, I doubt he even understand it himself. He questioned only the results, because in his mind he should have won by a lot.
Not dissimilar than Trump's "stop the count!" on US paper ballots.
He did. For years, and during his mandate. I was there. Out of every stupid thing he said and did, they cited his perfectly valid criticism of the voting machines as the reason for his banishment from politics until 2030. I submitted news of that event to HN.
> Not dissimilar than Trump's "stop the count!" on US paper ballots.
Completely different matter. I'm very skeptical of claims of election fraud in the USA because it uses paper ballots. I have no trouble at all believing that our Magnitsky sanctioned judge literally named Lula president. They broke the guy out of prison to run against Bolsonaro for a reason.
In the end it's irrelevant. Bolsonaro's ordeal has revealed the deep truth of Brazil to the masses: the real power is in the supreme court. Discussing elections is utterly pointless since these judges are not elected. Elections are just a game they play to give this shithole a veneer of democracy.
https://www.bbc.com/news/articles/cj9w43p7741o.amp
Things have always been iffy. No one knows for sure.
Edit: That link is the most recent example. Googling for voting machines themselves would bring more examples. Every election cycle we go through reports of malfunctioning, no audit, audit not matching, extra machines appearing, machines being taken around by politically connected, even things like pressing any button on the machine voting for the same party…etc., but ECI has been pushing it aside and refusing to open up. This recent one became an issue because the manipulation (allegedly) went a layer deeper into the voter rolls themselves and they are public data.
We don’t know what’s up with the machines.
The cost of human labor to count all ballots by hand will be enormous. Probably worth it I suppose, but this really is something that should be primarily automated. But again, trust in software. Sigh, why can't we just have nice things?
What's important is being able to segment the population in enough voting places so that each voting place is maneaganle just by a small number of people. The Chilean system is scalable because you can always just add more voting places as the population grows.
Usually these voting places are civic centres, stadiums, schools.
It's a good system and generally for a presidential election we get the results in about 4 hours after voting ends.
In Taiwan, this is how it's done. Every ballot is counted by human. It's completely public: you can just walk in any polling station during the counting process and watch they count.
The US casts 10 times as many votes - so it seems reasonable for the US to hire 10 times as many poll workers? Hand-counting is O(n) i.e. constant per-capita, and it scales horizontally.
Local and state ballots in the US can feature tens of elected positions and propositions, I could imagine hand-counting them to be quite expensive.
In actually democratic countries the elections are done on holidays(Sunday) and the polling stations are in where you live.
It is your vote you silly. It is your democratic duty, right and responsibility to guard it if you don't trust the observers by becoming one. Everybody should be able to watch the process and the count!
Losing one day of revenue would not hurt. Especially on a holiday.
Every problem Tom mentions can be worked on and overcome. Maybe not today, maybe not by the next big election, but we should still start now, rather than later. We need to do everything possible to increase participation in the democratic process, especially for the demographics that are currently not very involved, which are also the demographics that are more likely to adopt electronic methods of voting.
Do we? Participation should be made easy for those eligible and inclined to do so, but I don't see the benefit of encouraging participation from people who can't be bothered to put some effort into it, or are ignorant of the issues and candidates and are easily swayed by trashy campaign ads. I've seen the statistic thrown around that less than half of americans can even name the 3 branches of government, and if that's true I think those people have a civic duty not to vote.
Seeing the constant barrage of campaign ads every couple years made me think about it- Why does campaign financing matter, how do they turn money into votes anyways? The answer apparently is ads, but I see these bottom-of-the-barrel slop political advertisements and wonder how that trash could possibly have a measurable effect on the outcome of an election. But it must work, otherwise they wouldn't spend so much money on it. And the fact that elections can be meaningfully influenced by the amount of ads a campaign can run is a signal to me that the democratic process is broken in some fundamental way. The votes of well-informed constituents are drowned out by the more numerous cohorts of partisans, reactionaries, and the apathetic just going through the motions to fulfill their 'civic duty', so it seems to me that increasing voter participation without changing anything else is only going to exacerbate the problem
Democracy means that everyone gets a vote, uneducated, bigoted, communist, fascist, everyone. If you don't accept that, you don't accept democracy.
That's probably rational ignorance. It's hard to get people to investigate the details of policy and their consequences when theirs is just one vote out of millions. It's too much work. But that leaves the voters susceptible the kind of ads you mention.
Or stated more simply: getting informed doesn't scale, but mass advertising does.
Athenian-style democracy might handle this problem better. Randomly select, in some unbiased manner, a smaller number of people who then decide. But I suspect sortition is a little too unusual and feels a little too chancy for people to accept as a serious proposal.
It would certainly be exhausting to share an opinion on every single resource you want to share with someone.
In fact, I'd argue that having 50 different voting systems with 50 different ways to prove eligibility makes our elections more resilient to large-scale voter fraud, even if it makes it more difficult to verify voter rolls wholesale.
That's pretty much the problem they were designed to solve no? It's called the double spend problem, and it's crypto's big comp-sci innovation. The whole paper was about it.
Ballots do not have any identifying information, intentionally. There is no tracking number or possible mechanism to de-anonymize a ballot back to the human who cast it. Notably, there is not even a unique identifier for a single ballot that could potentially be used to identify a person.
Most importantly, there is no value that is unique to the ballot that I can use to verify that I am indeed the person who filled it out, so some nefarious organization could threaten me or my family to produce proof of how I voted. Or pay me, or influence me based on the outcome.
So there is no "identity" that you can record in a blockchain to prevent that identity from casting two ballots in the same election.
At some point, one needs determine whether voting transaction 123 by votecoin address 3456 was made by a valid voter and that the voter has only voted once.
So how do you do that? If a central authority does it by say, issuing votecoin addresses to voters or asks voters for their self-generated addresses, then your ballot is no longer secret since they can see exactly who voted for what.
If a voter shares their votecoin address with anyone, then anyone can see how they voted inviting vote buying and pressure schemes.
I'm not a super expert, but from the little I know, I think it's possible to issue a one time use key that lets you sign a private/public key pair.
So when that public key enter the network with 1 vote and cast it on the distributed ledger, the network can validate the key is signed by the authority.
You know that the authority allowed the key to exist, but not who the key ties back too.
And the user could only sign one key, so they can't create more.
Keys are just numbers, there's nothing inherent to them that prevents their reuse. These one-time-use schemes rely on out-of-band protocols to honor that they should not be reused, for example by trusting in a central authority to check and reject such keys, which defeats the purpose of using the cryptographic scheme in the first place.
> You know that the authority allowed the key to exist, but not who the key ties back too.
That's not the point of ballot secrecy. Under this scheme, I can be coerced into revealing my vote, because you can't create a control to prevent me from storing the signing key or signed keypair; either of which would suffice for a third party to find the public key on the chain which corresponds to my signing key. If you make these actions entirely remote, so I have no access to key material, then you are trusting the remote authority to issue me a secure keypair that can't be reused.
That said, there's no good reason to issue a keypair or use PKI for this, as there is no encryption happening and there's only one subject (the voter). A cryptographically-signed ID in this case can only be useful to tie votes to voters, which we have established violates the secret-ballot constraint.
As for coercion, there are really two types: coercing someone into voting a certain way, and coercing them afterward to reveal how they voted.
I don’t think the second one is much of a problem, because you can just delete your keys after using them if you don’t want to be coerced. It might suck if the coercer doesn’t believe you and you really did delete them, but at that point thugs beating you up is kind of its own separate problem. Similar to if they asked you to take a photo or video at the poll booth and if you didn't they might beat you up.
If the coercion is about making you vote a particular way, some schemes let you vote multiple times and only count the last one, so you can just vote again after the coercer leaves.
And even then, I believe some schemes actually make it impossible to show proof of your vote.
Here's two papers that are promising in all those areas for example:
- https://www.semanticscholar.org/paper/zkVoting-%3A-Zero-know...
- https://www.semanticscholar.org/paper/SmartphoneDemocracy%3A...
These amount to the same thing. The ability to reveal how one votes is what allows them to be coerced.
> It might suck if the coercer doesn’t believe you and you really did delete them, but at that point thugs beating you up is kind of its own separate problem.
The point of the secret ballot requirement is to make potential thugs aware that evidence of how someone voted does not exist. It is this problem that creates the need for the secret ballot requirement.
> If the coercion is about making you vote a particular way, some schemes let you vote multiple times and only count the last one, so you can just vote again after the coercer leaves.
You can do this in the poll booth as well; because the ballots cannot be distinguished, you can fill out a fake ballot and simply avoid depositing it. But being able to vote multiple times in an online election doesn't prevent coercion, because presumably the election has to have a result and voting can no longer occur after a certain time; so the coercer only needs to wait until after the election results are "locked" before requesting proof.
The first paper you link is a marked downgrade from existing voting systems which can achieve ballot secrecy without requiring fake ballots.
The second paper is more fleshed-out from a voting systems standpoint, but it makes a poignant qualification around registration security:
> Network-level anonymity remains vulnerable to timing correlation attacks. An adversary observing network patterns could potentially link registration and voting transactions from the same IP address. Mitigation strategies could include randomized transaction delays, Tor integration for network anonymity, or mixing services at the application layer. However, these additions would significantly complicate the user experience and mobile deployment.
And this is what makes electronic voting so hard to recommend even as a computer scientist. I think folks don't truly understand the breadth of side channels we create when we take a physical process (show ID, fill out ballot, drop in box) and move it to the Internet. The side channels are concerning because they can be observed and correlated without getting caught or impeding the process, unlike someone planting cameras or following you into the voting booth.
Trade offs, that's the known answer to all comp sci problems :p. Here too it applies.
- We should know whether you may vote (you are a citizen, over the legal voting age, and haven't been taken away that right because of a crime, etc.) - We should know whether you did or didn't cast a vote (to prevent you from voting twice) - We should NOT know who you voted for - You should be able to know the votes are counted towards the party intended
You can't solve that with crypto, since you need a way of proving your identity, while at the same time making the payload anonymous and not traceable back to you.
> You should be able to know the votes are counted towards the party intended
These requirements are contradictory. If you can verify that your vote was counted toward one outcome or another, your vote can be coerced as that verification can be demonstrated to a third party.
Dropping votes is as problematic as allowing too many.
In general, money transactions have failure modes that don't match what we want for other use cases. That's the same trap as using credit card payments for ID verification, it only works if you don't actually care about the ID.
Assuming you can vote from the comfort of your phone or home, that's kind of the whole point, it doesn't matter much if you have to wait even 30 min to get confirmation.
We'd still have an old fashioned government employed person validate you can vote and are human.
the core problem with keypair-based systems is that people will lose their private keys, and that has to be accommodated, which requires trust delegation, which blah blah blah we've already worked thru these issues 1000 years ago and the result is representative government
- The Human Identification Problem (not sure if there is a more official name): uniquely identifying a human being. If you solve this, you solve many forms of fraud (anything rooted in identity fraud) and eliminate entire industries dedicated to reducing fraud losses. Best attempt so far has been the Estonian ID system [0]; Sam Altman tried with Worldcoin but that ended up being yet another crypto grift. Incidentally, Estonia uses its identity system for electronic voting.
- Proof of citizenship; citizenship in the US for most people is a birth certificate issued by a hospital or other authority several decades ago, or a proxy to this document such as a passport. Naturalized citizens have it easier here because they have a state-issued document declaring their citizenship.
- Proof of residence: This is also something not verifiable via a blockchain or smart contract, because it depends on the state and relies in part on your physical location and your intent. Legally you can only vote from one voting address, but there are countless people registered with multiple addresses across states as they move residences.
- Secret ballots: You cannot tie votes back to voters in a free election. Blockchains are open and publicly-verifiable, which is good; but cast ballots cannot be verified _even by the voter_. Blockchain doesn't bring anything to the table here over, say, a database; because the recorded ballots must not be tied back to human identities, you cannot use any of the work done to verify the three previous points to verify the election outcome. Blockchain would boil down to replacing or augmenting paper ballots with a provably immutable record, where you still need to place trust in the system recording votes on the chain.
I believe you can do this with crypto. It's still anonymous. The government verify you, then give you a signed key that you use to generate your voter ID locally yourself. The network accepts your voter ID because it's signed. I think there's even ways to allow single use signatures and so on.
Now everyone gets one and only one voter ID (which is like their wallet) but for voting.
You can decide how many years that's valid for.
I live in California, where the voting method is vote-by-mail and you sign your ballot. That breaks anonymity right there, plus there's a barcode that matches address and ballot for traceability, so in theory anyone involved in the election process could look at my ballot, cross-reference against address, and figure out how I voted. In practice I've never heard of anyone being pressured or confronted based on how they voted, so my default assumption is this doesn't happen much or at all.
But even broader, in the U.S. your party registration is public information. That's why whenever there's a political shooting, the media always says "He was a registered Republican" or "registered Democrat" or "was not registered to vote". And this mechanism is actively and publicly being exploited to alter elections. Since the U.S. is a two-party system and party membership is public, you have a fairly good idea how each precinct is going to vote before they vote, and can gerrymander maps to get the outcomes you want.
Plenty of trust issues in physical ballot transfer as well. California is vote-by-mail, but that assumes the postal service is a reliable carrier, while there was just a recent news story [1] about ballots being stolen. Before I lived in California, I was in Massachusetts, where we voted on 1930s-era lever voting machines where you hit a lever down and it marks a paper ballot without you ever seeing the real ballot. Between elections, these were stored backstage at the local middle school, so a mechanically-inclined middle schooler with knowledge of how an upcoming election's ballots would be formatted (and we did mock elections in middle school) could have rigged the machines to deliver the local precinct to their preferred candidate.
The useful points in the video were basically that decentralization and redundancy are what make physical elections hard to rig: you have to hack multiple locations to influence the overall election, and at each point you have multiple eyes watching you. He sets up the contrast with software voting, where you have the same software running on each machine, and even if the software is open-source, you can't be sure that the rest of the stack it's running on is secure (an oblique reference to the Ken Thompson Hack [2]).
But decentralization and redundancy are properties that you can introduce into software systems just as easily as real-wold systems. The KTH can be countered through Diverse Double-Compiling, for example [3]. zkStarks and digital signatures give you ability to prove that you authored something without revealing what that something is or who you are. The importance of client diversity for the security of the network as a whole has been well-known in the filesharing and crypto worlds. And anyone who has worked in Big Tech, aviation, or telecom could tell you that having multiple paths to success that are developed by independent teams is important for any computer system that is in a safety- or reliability-critical area.
[1] https://www.almanacnews.com/election/2025/10/14/ballots-stol...
As far as party registration goes, is that required where you are? Because if so that's insane and the government there needs to change that. Everywhere I've lived you don't need to register any kind of party affiliation (and indeed some places you couldn't), you just register as a voter and you're good. Maybe it's different where you are, but if so just be aware that it is (thankfully) not universally done wrong in the way you describe.
(1) California does not require party preference to vote in primaries generally;
(2) California primaries are not (except for the Presidential primary) party nominating elections, they are essentially the open first-round of a two-round general election. (Basically, it is majority/runoff except that there is always a runoff even with a first-round majority.)
(3) For the Presidential primary, California does not require party registration to vote, but does prohibit party-registered voters from voting in cross-party primaries; it is the party (not the state) the decides whether their primaries are open to “no party preference" voters (of the six parties with permanent ballot access in California, the Republican, Green, and Peace & Freedom parties do not allow NPP voters in their presidential primaries, while the Democratic, Libertarian, and American Independent parties do allow them.)
They actually go through quite a bit of effort to prevent breaking anonymity.
The incoming ballots are scanned and sorted by machine to record that they arrived. Later, signatures on the envelope are checked. The signature verified sealed ballots are then moved and fed into a high speed extractor separating the ballot from the envelope so the envelope label isn't visible, breaking any linkage between the ballot and the voter's identity. Ballots are stacked with other ballots, still folded and moved elsewhere to be counted. The empty envelopes are kept and scanned again.
All of this happens with multiple people and on camera.
The ballot barcodes don't record any unique information that can identify voters - they're just things like precinct, ballot language and page number.
Here in Germany, the Pirate Party has discussed the topic at length, since they (1) love voting innovations, and (2) have generally good knowledge on CS stuff, and so far I think no real solution is known for anonymous, confidential, secure digital voting with verifiable results, which is easy to reach with paper ballots and public observers of the counting.
(Splitting hairs here but) this isn't true: in some countries, but not all.
In some countries ID is an optional document you only need to acquire if you want to drive, vote or travel internationally.
how then should voters who are not physically present in their voting district cast their votes?
If you want people temporarily out of their district to vote, then in district X you could have a box for district Y, put paper ballots in, and send the sealed box to Y to be counted. The important thing is that the vote is cast in person by the right voter and put immediately into the box.
(hint: the answer is mail-in ballots)
There is fundamentally no difference between a mail-in ballot and a ballot you drop at an arbitrary box somewhere.
This means anything more complex than a pen or a stamp on an approved paper is too complex.
Many countries have secret ballots, mine doesn't, for reasons which are extremely sketchy (and presumably why my country is blue, not dark blue like New Zealand on the democracy map)
- Secrecy of who voted for whom
- Transparency of everything else. The names of everybody in the process, the process itself and all the statistics should be verifiably public.
Being an observer to your polling station must be a guaranteed voter right. Similarly all participating parties must have the right to send representatives to observe the entire process.
Before opening the polling station all ballots are counted by multiple observers from all sides. This is recorded into files / documentation of each observer. So the number of possible ballot papers that can be voted on is documented.
Then each ballot paper needs to be stamped with a official local seal. This is also observed by every observer. The number of stamped ballots is also counted and documented. The number has to match the original ones.
The number of people who can vote in that voting station is determined by a population survey. In bigger cities each region must have roughly the same number of constituents.
The number of ballots that are stamped must match the number of eligible voters in the polling station. A voter can request to change a damaged ballot paper. The replacement should be done in front of all observers and the voter. The replaced ballot is destroyed in front of everyone.
After putting their ballot into the box, the voter has to sign their name in multiple printouts of the list of eligible voters of that polling station. These printouts of the lists are held by observers from multiple sides. The number of signatures has to match the number of ballots in the box.
Everybody can observe the count. All the numbers are checked against each other.
If you think that this is infeasible, I come from a country of 80 million people and live in a similarly sized one. Both of them use the same system. It works. It scales since it is an almost trivially parallelizable problem. We get the election results in the same day of voting.
First the box is in front of everybody. Second, before allowing people to throw votes in, you seal the box with an tamper evident seal. Usually pouring beeswax over a string works. You can have multiple seals for all sides.
Having a mark anywhere else but the box you cross / stamp invalidates the ballot. You put ballots in envelopes. Each envelope must have a single ballot inside.
A voter can replace the ballot if they made a mistake. They need to destroy their ballot in front of everyone.
Is there any way to prevent the observers from knowing who votes? I could see a scenario where a party chooses observers that are likely to intimidate potential voters (e.g. KKK members in a majority black polling station).
If the police does not uphold the laws that guarantee just elections, if they allow intimidations or treat citizens differently, or if the military tries to influence election results, then you do not have a democracy.
If those people still feel unsafe, they are not living in a democracy but under an authoritarian regime. You cannot really have a non-violent, fair democracy under such regime. Democracy isn't just elections. It is creation of bunch of non-elected institutions that guarantee the fairness of the elected stuff. Judicial branch, expert organizations and regulators are all part of it. This has to come from realization that the alternative is violence. Sometimes needed violence. Most resilient democracies in the world like France are direct results of multiple violent events happened because institutions were not capable of striking the balance. Suppressing large swaths of people is just a powder keg. In true democracies, people from all views should have a good mutual understanding that alternative governance systems exist and may even be viable or more stable, but they will be murdering each other and they themselves will eventually be victims to the violence too.
My point: reality is messy and simplicity isn't a guarantee of reliability. The things hat really work in our societies are pragmatic, not simple.
Now try explaining any kind of encryption system that gives the same level of confidence to a high-scholer or even CS students in as many words as I used in that comment.
It reminds me of a youtube channel explaining the Visa/Mastercard duopoly using monkeys and bananas. It doesn't perfectly fit, but works surprisingly well for such a subject.
Besides that what other scaling problems are there?
Coming from Ireland (tiny population, low pop density) I've heard this argument countless times (we're an obvious target for this critique), but I still to this day don't see the logic of it. At all.
Constituencies are sized per capita, count centres are staffed per capita, if you have higher pop-density you'll either have more observers at count centres, or the same number at more count centres. This is a distributed system - it's the definition of scalable.
Fwiw the last count I tallied at (Dublin MEP) had an electorate of 890k. It was the smallest constituency in Ireland in that election, but still bigger than the largest congressional district electorate in the US. We counted in one large open warehouse. There were 23 candidates & 19 separate repeating counts.
That could work in favour or against your argument - I don't really know - I don't really think it matters either direction though.
I don't quite understand how a country with a mere 5 times more population is unable to enact the same solution at their 'so much bigger' scale.
And France is spread over more time zone than the U.S., so that argument doesn't work either.
It's 100% paper PRSTV & so the counts are slow. Not only is this generally OK (because getting a rapid result is absolutely not a requirement of any well-functioning voting system) but it also has actual benefits.
The main benefit is predicated on the count being engaging in and of itself. Other countries put a lot of effort into jazzing up statistical presentations on constituency predictions, cloropleths aplenty, to engage viewers. In Ireland, count centres are not only manned by trained count staff, they're also flooded with volunteer tallymen who verify the counting in realtime. Count coverage is on the ground, showing a real physical process that's intricate enough to be watchable. The entire process also serves as an education-through-doing in how our voting system works, so you get a more engaged & informed electorate (when it comes to the mechanics of voting - still unfortunately not that informed on policy, that's a worldwide problem).
In practice it doesn't seem to matter that much. The counters even out the first-level effects of this, so it only matters for votes that have been transferred more than once; it can be determined statistically that it changes the result only in a very small number of cases; and there are plenty of other weird threshold effects to care about instead. But it's one property you might expect of a fair voting system that Ireland doesn't give you.
That said, surplus distribution tends to be the main flaw raised time & time again, & whenever improvements are discussed the general conclusion tends to be that the current distribution mechanism goes a very long way toward fair representation of the actual preference distribution. It's notable that the more computationally intensive alternatives to get "fairer" outcomes are pretty recent inventions & it's really hard to justify the effort given the tiny number of cases affected.
Once you start with non-transparent mechanisms, there is no end to it.
Every time I try to get to the bottom of this, it always boils down to "trust the system" which makes me uneasy.
IMO the best solution here is to have electronic counting with an auditable and traceable paper trail as a backup. Every time I've voted for the past 10 years has been like this. First, I get a ballot paper from the front desk and stick it into an airgapped ballot marking machine. I then make my choices and the machine prints them onto the ballot paper. I'm able to read the paper and verify that it matches the choices I made. I then stick it into a separate airgapped ballot counting machine, which scans my ballot and deposits the paper copy into a sealed box. The entire process of setting up the machines, transporting the paper ballots, and reading the results from the machines is cross-checked and signed off on by volunteer poll workers from both parties.
> how can a constituent know with absolute certainty that their vote was counted
The representative of your party plus independent observer said all votes at your polling station were counted. You know both those community members and know them to be generally honorable. Ergo your vote was counted.
> every voter in the system was legal
None of the observers at the polling station, or the station head claimed any illegal person voted.
> the final tally was authentic
The observers all signed as witnesses on the final tally.
This is not the "system. it is humans you know who are telling you what they saw. If you can't trust other humans at their word, democracy cannot fundamentally work.
This, but also, important to point out that this is a question of scale: "If you can't trust other human*s*" - plural.
Surely we could do better? Testimony doesn't assuage my concerns that the process may not be tamper proof.
You should trust political volunteers after you have seen their track record of being honest and truthful. (Though there is some default amount of trust the process gets because of the adversarial nature of volunteers with opposing biases checking the process).
This is along the same vein as
You should trust candidates for the seat after you have done your due diligence that they have honest and truthful, and will faithfully represent you in the legislature/administration.
as well as
You should trust civil servants to have done state activities justly and produced truthful records and reports of state activities after you have seen a record of them doing these things correctly over time.
Democracy with humans is built on a lot of trust in humans. We have to keep this in mind when arguing about these things.
You do not have to watch every district, every election, every time. But given that enough people do it, at least once, at least in their own district, then it is easy to see why the system as a whole is trustworthy.
It's not that developing voting software should be open-source, its that actual voting should be "open-source" in the physical sense.
Trusting the system is possible if you can (you, yourself) readily observe every part of the system. I don't think giving members of the public access to the server your voting software is hosted on is a very viable idea, but giving members of the public access to paper count centres is (it's done very successfully in many countries).
One of the weaknesses in our democracy is the insistency of doing things virtually - it's the same weakness exposed by social media.
Electronic systems are always going to be subject to hacking and manipulation, and are more easy to hack and manipulate at a large scale (scaling is the point of software). In-person voting is still subject to manipulation, but you can just go back and look at the ballots on paper as they are. You get more targeted manipulation, but it's probably easier for a single person to uncover and reason about.
I guess in some sense I'm arguing for the existing system [1], and not to move to any sort of electronic voting, but adding in a new federal holiday for the actual Election Day. It should be a celebration of democracy, a day of reflecting on our republic, and an opportunity to be patriotic with special programming and events, parades, etc. Just a hope/dream there.
I guess the main thing I'd like to say is, I think we should have the day off from work and we should all get together as much as possible as a society and celebrate this damn thing we have instead of sitting at home on the Internet just complaining and doing nothing all the time.
[1] Today we have ballot markets which electronically mark and print the ballot. I'm not quite as concerned about those being hacked (from a layman's perspective not any expertise), and then we have the actual ballot that was cast by the citizen that we can reference. When I think about open-source voting systems, electronic voting, etc. I think of doing it through your computer.
Why do we need machines? Counting the votes for e.g. the parliament only takes 24 hours or so, generally. And we don’t have elections every week, right?
It might not happen much in the Netherlands, but for instance making it so fewer people reach voting stations is a classic move. That's one of the failure mode avoided by the other means.
Voting ballots straight getting lost/destroyed is another failure mode, and yes it happens more than we want it to.
The sheer time to get the vote counted is also an issue, and we've seen voter sentiment shifting while the vote is still ongoing, with the media reporting directly influencing the outcome.
It could still be the saner tradeoff in the end, but it's misleading to present it as some ideal or inherently reliable solution.
In first past the post system, between 1% to 49% of votes are stolen and tossed by design. This actually, not hypothetically happens, in real life. Electronic voting maybe can be abused, and maybe some significant number votes may be defrauded. But in FPTP it has actually happened already and at a much worse scale. Imo the real high priority issue is obvious.
Unless something has changed recently, election integrity demands a voter-verified paper ballot that is retained with security by the authority, and can be physically counted, as a check against compromised or defective digital systems.
Open source is not sufficient. Don't let marketing sound bites be a confusing diversion from the problem.
If the US understands anything this year, it's how important elections are. Hopefully we get another one.
Who gives a shit man, it's not going to be the end of the world or even substantially change things no matter what methods we choose. You might as well choose the ones that make things easier on people. Crazy that the world wide information network that we've built and defines our current age in history is treated like some horrible evil. It's not, it will be fine. But with vote by website now every home, school, and library in the country becomes a polling place.
There is no amount of transparency that will achieve the mythical "public trust" that's being envisioned. Our current voting system is all paper right now, actual voting fraud—meaning literal ballot stuffing is nonexistent and still people buy into conspiracy theories. Voting manipulation happens in broad daylight at the systems level and is done by carefully restricting access. Expand access and the problem vanishes.
I'm at a loss for why you would assume something about my racial background from my view that voting should be made easy and convenient in a democracy. I'll go even further, in addition to being able to vote digitally you should automatically be registered to vote when you establish residency, voting should be compulsory*, and it should be a national holiday. But outside the bigger picture I selfishly want this because I don't want to bother driving to my polling place when I could voted in less time than it took to type this reply.
* I wouldn't have any punishment for not voting, that would be a huge mess. But I would have it on the books in the hopes that people would follow it simply because it's the law.
But I'm not sure that logic is sound even if it was my motivation. Old folks and rural folks would probably benefit most from voting access that wasn't tied to a physical location. So I don't know. I want to expand voting access because our turnout is so low, not because "the right people" aren't voting or whatever nonsense.
If people in power want to cheat, they will. Shuffling around the tech isn’t going to do all that much to change things.
As another example, you don’t have to swap the ballots at all. Somewhere in the chain of custody, someone could just “lose” ballots for a region that is projected to vote against whoever they’re trying to fix the election for. They could forge or lose some other accompanying paperwork that was to manage those ballots, too. Or they could not bother doing that either because what are you going to do, redo the election?
Cooking up examples is sort of pointless. There are always going to be new and unexpected ways to commit fraud. The actual root issue isn’t technological. It’s sociological trust.
And if all you want is political polling, every elected representative does this already (well, they generally pay someone else to do it). So I'm not sure what it would mean for the US gov to do it separately. Do you imagine that a "non-partisan agency" like the CBO would do it with taxpayer dollars, as a publi service for the politicians who would still vote however they do?
If the goal is public trust, open source isn't helpful for the general public.
But still it is not a way to fight a political party that will use dummy machine that counts each ballot as a vote for them, and then accusing all others that they are trying to steal the elections. It is an unbelievable stupid tactic, but I think it may work in USA, judging by people eager to believe any BS if it supports their party.
The US has the worst voting system intentionally, not accidentally. And mail-in voting shows we aren't even a little serious about election integrity. We're militantly against it: you can get people to rabidly support universal IDs for trivial, nonsensical reasons that have never resulted in significant problems; and to demand digital IDs, device attestation, and real names on social media; but to the same people showing IDs to vote is supposed to be the end of democracy.
People have made this proposal every year since the 90s, and depending on the year it was the Republicans rabidly opposing it or the Democrats rabidly opposing it. Good luck getting things accomplished with a good argument. That's not how things get done. The people who get the final say about this would love to get rid of voting altogether, but they'll settle for vendor kickbacks.
A signed affidavit or local ID should be fine to establish identity. That can be done when signing up for mail in voting (although I personally prefer in person).
Voter fraud is extremely rare under the current system.
RealID is a national ID system (that they pushed since the 90s for no reason), and we're all issued voter IDs when we register as voters.
> A signed affidavit or local ID should be fine to establish identity.
I don't think you understand that people are against showing any ID to vote; if you pull one out, the poll workers' eyes get big and they fall over themselves trying to get you to put it away (I just took it out so you could read my address to pick my precinct, ma'am.) An ID which, very soon, will be required to be a RealID if it isn't already in your state. It is in mine.
I also don't think you really mean that a signed affidavit is enough to establish identity, even though you said it clearly. If you actually do mean what you said, I'd love to hear the argument.
> That can be done when signing up for mail in voting
Mail-in voting allows other people to watch you as you vote, and is the opposite of voter integrity. You should not be able to prove who you've voted for, or else you can be forced to prove who you voted for. This is why you are not allowed to take pictures of your ballot in the voting booth.
There's absolutely no reason to spend any time on open source voting code if you'll allow churches to call their entire memberships in to fill out their mail-in ballots together (under pain of expulsion), or hypothetical gangsters to go door to door threatening to shoot people if they don't give their ballots up.
> Voter fraud is extremely rare under the current system.
1) There is no way to know, and 2) if so, that makes this proposal even sillier.
I personally am very interested in electronic voting and voting algorithms. I've read a million papers and think about it all the time. But this is not a technical problem. There is no country that has a worse voting system than the US. Normal countries don't take weeks to count up the votes.
I don’t think you know what you’re talking about. I have never been issued a voter ID at the time of registration.
> Mail-in voting allows other people to watch you as you vote, and is the opposite of voter integrity.
Or you could just vote in person which is an option even in universal vote-by-mail states.
> hypothetical gangsters to go door to door threatening to shoot people if they don't give their ballots up.
Why make up hypothetical situations and invent a problem that doesn’t exist? You can just as easily cite made up problems for any proposed solution.
High tech electronic voting schemes and voter ID schemes solve problems that literally do not exist, and frankly do a poor job at solving even those made up problems.
I had the privilege of helping count votes in my small town 2012. Volunteers stayed up after voting ended and all of the ballots were double checked - counted by two separate people, working together at a long table. Cheating or manipulation was inconceivable, and there were many layers of double checking.
The beauty of this system is it is infinitely scalable. The more voters there are, the more vote counting volunteers there are. For larger cities you can split up by blocks or per polling place. There should be many polling places to make voting easy and accessible.
It isn’t fast or fancy or glamorous. But communities ignore the power of communal activities at their peril.
Even with that utopian scenario the remaining problem is that the goal of elections is agreeable consent. Mewning the goal isn't just to get a decision. The goal is to get a decision, people can agree with because they trust the process must have been okay. If your vote is low stakes, like where you go for lunch with your collegues, then that trust doesn't matter, who cares if it was wrong? But if it is high stakes even a perfect digital system is problematic, because even intelligent, technological expert voters have no chance of understanding which of the moving parts might influence what in which way in practise.
Meaning a paper ballot with the right process can more or less be understood by everybody who can count and has mastered the cognitive skill of object permanence.
A Rust project with a 30k Cargo.lock file filled with dependencies on an even more complex operating system, running complex (in a different way) hardware, that might differ for each voting location isn't that. And that isn't about the programming language or the tech stack. It is about the intransparent nature of electronic systems themselves.
I spent a three quarters of my life learning programming and electronics including hardware design and I teach that stuff on a university level. Even I would have a hard time ensuring there is really no backdoor in the whole stack. And this fact means even if there is no backdoor in it, there might be and there is no realistic way for a normal person to check. I understand the nerd appeal. It is cool to toy around and figure that problem out. But the core of the problem is not technological it is sociological.
That is such a big flaw that IMO it is not worth it for high stakes elections.
Anyone who talks about election security should be required to spend at least a few moments walking around Defcon in the election machine hacking village. Even absent electronic voting machines we still need to apply that same level of rigor to security across all domains of the election system no matter what format is used.
More fundamentally, the epistemic meaning of a ballot, a vote, or an option on the ballot, how options are even decided for inclusion or their exclusion, which outcome deciding algorithms are used, and how "the result" is interpreted by society or implemented by a political agent is deeply confused. The vote itself has very little resemblance to what actually happens. Such things likely cannot be formally specified anyway. Massive amounts of ambiguity, noise, error rate, and insecurity are to be expected in these kinds of systems. So what then are we even doing with all this? I am not referring to what we say we are achieving, or what we say we are intending to achieve, but rather what kind of actual outcomes be can supported by careful engineering of all these components?
Blockchain is no solution here. See:
"Going from bad to worse: from Internet voting to blockchain voting" https://www.dci.mit.edu/s/VotingPaper-RivestNarulaSunoo-3.pd...
The voter needs to be able to see their vote on the paper.
Reading the rolls needs to be done by machines, but by several different machines reading the same rolls. So we can verify.
Software is not the problem. The medium of persistence is.
For those who don't know the VotingWorks software is both Open Source and their machines create and count paper ballots. You can read about it here: https://www.voting.works/machines
Essentially they have a computer, a ballot marking device, that people can use to mark their ballot. That ballot is printed on paper. Then the paper can be validated visually. Then fed into a machine to scan and count. The paper ballot is preserved and can be later audited.
The ballot marking device has a number of advantage over pre-printed and hand marked ballots:
- American Disabilities Act (ADA) compliant using standard web technologies
- Available in applicable languages without lots of translated papers on hand
- Errors or typos in ballots can be fixed days before election instead of weeks (due to print shop lead times)
- Better UX for complex races where things like ranked choice, choose three, etc with rules which can cause people to mismark and then have their ballots rejected
- Avoids sloppy/incomplete markings that must be interpreted and judged by counters/auditors
The entire system runs offline. It is open source.
They also have separate open source software for running risk limiting audits using the paper ballots: https://www.voting.works/audits
Disclosure: I am a donor to VotingWorks.
Probably a difficult task to ensure all readers of all pages on the entire website are fully aware of this context in advance - I'd imagine this kind of averse reaction will continue to be common until these kind of hybrid systems become more widespread (or the interests pushing paperless are comprehensively silenced, which seems less likely).
---
That said, now that I do have full context, I do have two criticisms:
1. Clicking through to the VotingWorks frontpage, the copy still doesn't really highlight in a very obvious manner the paper nature of the system. You really have to analyse the website to figure this detail out.
2. The homepage does contain a section entitled "Faster Election Results" - which I do think flies directly in the face of many criticisms in the HN comments here & I personally believe to be an approach that's incompatible with democratic integrity. Counts should simply not be trying to be fast as a high priority - verifying the automated count by hand is insufficient if it isn't done as a matter of course. Ideally, live, while the count is taking place. The latter is not feasible with an automated system, & the former is a lot more likely to be overlooked if speed is a priority.
We don't just need systems that can be fair, we need systems that incentivize fairness & don't contain perverse incentives - count speed is exactly such an incentive.
https://sites.pitt.edu/~rbrandom/Courses/Antirepresentationa...
This isn't and has never been true in a universal sense. Athens was democratic plutocracy with slaves. The United States didn't have popular democracy until well until the 20th century and it's worth noting that it was the Southern Democrats which wanted to restrict the basic political rights of blacks in the name of, "popular sentiment." The Fukuyamist position which takes a naive view of western democracy as totalizing in a historical sense is being rapidly called into question all over the world. People (almost) universally want the expansion of the their quality of living and political autonomy in a sense which includes but also transcends the ability to cast a paper ballot. We see with Trump that this naive notion has, "serious flaws." In the 1930's the Nazis came to power under a democratically elected conservative government. Democracy means pragmatism. Pragmatism means something about, "having a superior conversation about what we would like to be." The ability to cast a vote is an extension of this sentiment-- it isn't its foundation. We see that in the general experience of the Chinese middle class. They live under a totality but neighborhood associations and not actively being managed by the CCP results in many reporting feeling freer under this system than under ancillaries geopolitically.
It's a simple, cost-effective system which is impossible to hack. Electronic voting offers no advantage over this.
A vote recount and/or judicially called audit can take months to resolve. This can lead to a loss in confidence in the outcome and for political shenanigans (e.g. Bush v. Gore).
I feel far more confident in a system where the software is open source because it increases trust for free. As a citizen having the software be open source is only upside to me.
Verifying that requires more expertise than verifying the physical ballots themselves.
Here in Germany every single vote is on paper and is counted publicly, where any citizen has the right to observe the counting process. There is a list of all people eligible to vote at a certain voting location, where all voters are crossed out when they come to vote. While errors of course happen, I have absolutely no doubt that the results are free from intentional interference and that the only people voting are those who are eligible to vote.
The idea that my vote is digitally recorded seems absurd. And I do believe that the consistent distrust of Americans in the integrity of their elections is caused by the design of the voting system. There just seem to be so many completely unaddressed flaws. Open sourcing only addresses some part of the flaws and I do not think that electronic voting should ever be trusted.
Trust in a democracy starts with trust in elections, which I do not think can be reasonably provided by electronic voting mechanisms.
Paper trails on the other hand can be verified and secured physically with chain of custody and proper attestation. Paper output can still be designed to be easy scan, verify and re-tabulate. I would like to see the paper trails scanned and uploaded to a centralized block chain so we can see if one of these things is not like the other. I would also like to see higher definition CCTV cameras monitoring the entire voting process and more of those cameras. That should also be uploaded somewhere they can not be tampered with and if a camera goes offline oopsie doopsie it's all hands on deck. Ballot drop-off boxes and mail in votes need to be outlawed and every state needs voter ID.
I've only worked a couple elections in a single US county, so I don't claim to be an expert. But the projects described by the company align with each of the devices we use in elections today. Using their software would be the equivalent of moving from MS Office to LibreOffice for operating the government. It won't solve everything, could have bugs, but there are some significant long term advantages, like not depending on a company that could go out of business for security patches.
The first device voters encounter is people working the electronic poll books. We still have a paper backup available, but prefer the electronic versions. First, they can scan the barcode on the drivers license for a quick check-in (usually). When person shows up at the wrong location, we immediately know without spending a couple minutes looking through the paper list. We can even tell them where their voting location is rather than "you're not on the list, we don't know why". When someone needs to vote from their car, we can take a poll book with us and check them in curbside, no extra back and forth. And anyone can check-in at any poll book, rather than splitting the list up by last name. If there is ever a hack of the poll book, changing the list of voters, that could have also been done with the paper backup, and that's why there's a provisional voting process.
After that, over 99% of voters get a paper ballot. They mark their oval with a pen, and take it over to the scanner. This is where the security happens. There's a paper audit of the vote, and the vote is anonymous, your name is not on the ballot.
Less than 1% of the voters ask to use a ballot marking device. They are there for ADA requirements, allowing people that have difficulty marking a ballot by hand to vote. They have headphones to read the choices if needed for the blind. When finished, their choices are printed on their paper ballot, human readable and verifiable, and taken to the same scanner used by other voters. Most people don't even realize ballot marking devices exist, I didn't before I started working the election, and I've yet to see anyone request to use it.
The next step is where people get suspicious. The paper ballots are run through a scanner at the precinct, by the voter. These are monitored by an election worker to ensure the voter scans their ballot, but we stand so we can't see the ballot choices for voter privacy/secret ballots. These machines output a tally in multiple forms at the end of the election, including multiple paper copies and USB drives. The various copies get split up and separately delivered, each by a team of workers, for both redundancy and to ensure no one person is ever alone with the results.
A very important process happening throughout the day is counting the votes. The number of voters that register in the poll books is compared with the number of ballots given out (when ballots are unwrapped, they are counted, and what remains at the end of the day is counted again), and also the number that went through the scanner. Things get complicated (I assume reports are made after an extensive search is done) if we are ever off by one ballot in those counts.
The common fear that someone could stuff the ballot box, even by an insider, doesn't match my experience. In addition to the counts above, multiple workers, from multiple parties, are assigned to each precinct. We don't leave the ballots at any stage unattended at any time.
At the end of the day, the tallied ballots are sealed in a box. All equipment is locked back up. And lots of items (tallies, USB disks, sealed ballot boxes, provisional ballots, etc) are returned by a team of people that night to the county government building. From there, initial counts are released and then the election needs to get certified. That's where my personal experience ends.
The certification process includes deciding which provisional ballots to accept, and then counting them. But it also includes audits of the equipment. And those audits are supposed to take some boxes of ballots from select precincts and run them through a different a scanner to verify the tally is the same. The precinct scanners are also audited before we receive them, which is visible because a permanent count is tracked on the machine that's never zero for us, even when it's a new machine that's never been used in a previous year's election. In addition to all those electronic counts on different equipment, some percentage of ballots is likely hand counted. This certification process all happens over the course of days, if not weeks, but the initial count is usually out in a few hours when a first team of workers brings back one of the two USB disks (along with other items).
There are ways to hack an election, but these electronic machines are at the bottom of my list. Someone would have to alter the counts from the scanners without adding or removing votes, in a way that doesn't get caught in an electronic or hand audit in the future on independent equipment, and doesn't get detected in an audit of the machine before it is placed in service. And the whole process is constantly watched by workers from more than one party affiliation.
Instead, if you wanted to hack the election, you'd first become a billionaire, and buy all the media companies to ensure the population only sees one opinion. Then you'd gerrymander the election districts so most elections aren't really contested. And in locations where it might be close, you fill it with ads and social media misinformation so that voters don't know what to believe and they follow the loudest voices that repeated the most. Not only is that a lot more likely to work, but there's no chance of any consequences if you get caught since it's not illegal.
• Use paper ballots that are marked by the voter filling in ovals next to the name of the candidate or proposition they are voting for using a marker supplied by the election officials.
• These paper ballots can be hand counted or counted by simple optical scan machines that are already widely in use in many places.
• By using some clever chemistry in the ink when you print the ballots and in the marker used to mark it you can print a code in each of the ovals that is invisible until the oval is filled in using that special marker.
By using some clever cryptographic techniques to come up with those invisible codes you can make a system with the following properties.
1. After the election all of the cast ballots can be published, allowing anyone to do an independent recount.
2. Any individual voter after the election can, if they noted the code that was on their ballot for a particular candidate, verify that their particular ballot was included in the count and that their vote counted toward the correct candidate.
3. An individual cannot prove to a third party that they voted for a particular candidate.
Here is a paper on such a system: https://eprint.iacr.org/2010/502.pdf
Wikipedia article on it: https://en.wikipedia.org/wiki/Scantegrity
Here is a paper showing how it satisfies item #3: https://eprint.iacr.org/2010/502
We should have made it clear in that post that our voting system is not just open-source, it's also always paper ballots, mostly filled out by hand, sometimes by ballot-marking devices for voters who need or choose it.
Many good points in the thread about open-source not being enough. Indeed! But open-source is, in my opinion, necessary for public trust. Not sufficient, but necessary.
Reproducible builds – we hope to get there in the not-too-distant future!
Attestation – yes we have that! there's a quick and hardware-TPM-rooted way to check that a VotingWorks paper-ballot tabulator has not been modified since it left the VotingWorks floor. Takes 30 seconds, with a QR code on screen that contains all the attestation data and digital signature, unlocked only on successful secure boot.
Also, the build of the system from source is not done by us, it's done by a third-party testing lab, accredited by the Election Assistance Commission. States that want to can request the installation medium straight from the lab and install it themselves.
And if you want more, I spoke recently at USENIX security about what it takes to build a voting machine everyone can trust. It's a lot more about resiliency engineering than security.
https://www.usenix.org/conference/usenixsecurity25/presentat...
AndyMcConachie•3mo ago
astroflection•3mo ago
goda90•3mo ago
fabian2k•3mo ago
It is possible to do small-scale fraud with paper ballots, you can never fully eliminate that option. But it is exceedingly hard to do larger scale fraud without it being extremely obvious to any observer.
brendoelfrendo•3mo ago
fabian2k•3mo ago
vlovich123•3mo ago
0x457•3mo ago
mjparrott•3mo ago
horacemorace•3mo ago
kelnos•3mo ago
Yes, I know: before computers and other mechanical systems, people had to count ballots by hand. There were many fewer people voting then, and regardless, that's not really the point: they counted by hand because they had no alternative.
Electronic voting certainly brings new problems into the mix. I don't think those problems are insurmountable. The problem isn't the technology itself. It's the legal and social landscape around voting technology. Open source, with reproducible builds and a method to verify that the code running on a machine was built from a particular version of source, is a start. Verification of that software's functionality, on par with the verification done of critical software (medical devices, things that go into space, slot machines, etc.) would be another good move.
Voters can also receive paper receipts, and I'm sure we can come up with some sort of scheme to take a representative sample of the electronically-recorded votes and validate them against the paper receipts, while maintaining voter privacy.
mjparrott•3mo ago
luxuryballs•3mo ago
fabian2k•3mo ago
Other countries do paper ballots and manual counting without issues. The US isn't that special or unusual.
dogleash•3mo ago
As soon as you try to be more clever than electronic counting of paper ballots, yes they are.
You can either audit the count by replaying the input event stream, or you can't.