Ask HN: Do you trust digital voting for the election of the President?
23 comments
No and I never will
A basic requirement for democracy is the process must be transparent and understandable for everyone. Telling non-technical people to "trust" the machine is how you erode it.
Paper voting is dead simple: you (and your opponents) can observe the count in person. Electronic voting has far too many potential attack vectors. Once a weakness is found, you can potentially overturn an entire election. At least with paper ballets, you have to potentially bribe everyone which is infeasible on a large scale or democracy has already fallen.
A basic requirement for democracy is the process must be transparent and understandable for everyone. Telling non-technical people to "trust" the machine is how you erode it.
Paper voting is dead simple: you (and your opponents) can observe the count in person. Electronic voting has far too many potential attack vectors. Once a weakness is found, you can potentially overturn an entire election. At least with paper ballets, you have to potentially bribe everyone which is infeasible on a large scale or democracy has already fallen.
No. There must always be a paper trail.
I used to teach web programming. One of the exercises I had for students was to create a ballot box.
The first step was making it work as expected — accept votes and only display a count when “Election Day” has ended.
Then, I suggested constraints — code it so your preferred choice always wins; make it so the vote totals check out (don’t just add an arbitrary to the preferred total); make sure the margin of victory never triggers an automatic recount, etc.
That opened a lot of eyes, especially for beginning programmers. If they could do it…
I used to teach web programming. One of the exercises I had for students was to create a ballot box.
The first step was making it work as expected — accept votes and only display a count when “Election Day” has ended.
Then, I suggested constraints — code it so your preferred choice always wins; make it so the vote totals check out (don’t just add an arbitrary to the preferred total); make sure the margin of victory never triggers an automatic recount, etc.
That opened a lot of eyes, especially for beginning programmers. If they could do it…
Paper and pencil ballots run by a non-partisan electoral commission. Those ballots are then counted by members of the electoral commission while being supervised by one or more members of the parties involved.
I would not trust any digital, electronic or electrical voting system. Actually I wouldn't trust any mechanical voting system either.
I would not trust any digital, electronic or electrical voting system. Actually I wouldn't trust any mechanical voting system either.
To offer a counter view: paper ballots were a huge source of fraud in India's elections until electronic voting machines were introduced. I don't wish to ever go back.
EVMs in India did reduce many of the previous issues with the paper ballot.
Some of the few security measures include:
- EVMs have no network connections. The EVMs are standalone and are connected to a control unit managed by the polling officials. They are sealed and secured after the polling is complete and unsealed only on counting day in the presence of election commission officials and authorized party observers who monitor the counting. - EVMs use a VVPAT (voter verified paper audit trail) where the EVM prints a log that your vote has been cast with the candidate name and party symbol. It shows the printed output in a glass window for 7 seconds and then cuts that and drops it into a sealed box automatically. This box is sealed and secured at the end of polling.
VVPAT is used for secondary auditing if any instance of EVM tampering or other malpractice is alleged at the polling station.
It is still not perfect. There are some residual risks. But far better than the earlier system.
Some of the few security measures include:
- EVMs have no network connections. The EVMs are standalone and are connected to a control unit managed by the polling officials. They are sealed and secured after the polling is complete and unsealed only on counting day in the presence of election commission officials and authorized party observers who monitor the counting. - EVMs use a VVPAT (voter verified paper audit trail) where the EVM prints a log that your vote has been cast with the candidate name and party symbol. It shows the printed output in a glass window for 7 seconds and then cuts that and drops it into a sealed box automatically. This box is sealed and secured at the end of polling.
VVPAT is used for secondary auditing if any instance of EVM tampering or other malpractice is alleged at the polling station.
It is still not perfect. There are some residual risks. But far better than the earlier system.
+1.
We would have to deal with booth capturing again.
https://en.wikipedia.org/wiki/Booth_capturing
We would have to deal with booth capturing again.
https://en.wikipedia.org/wiki/Booth_capturing
I think voting machines can work as long as they print out a voter-readable paper copy of the ballot that is stored and statistically sampled.
Related question: Do you trust voting by mail?
Some reasons to maybe not trust it:
- The mail can be gamed. Say, stop delivering mail from areas that politically lean one way or the other.
- There's no check on who voted. We get ballots for children who have moved out of state. We could vote several times, if we chose to (and were willing to break certain laws to do so).
Like digital voting, it doesn't really matter whether this happens or not. It matters whether people think it happens, and whether you can prove that it didn't. And it's going to be impossible to prove that someone didn't vote for their kids. Under current conditions, it's going to be impossible to get either side to think that the other side isn't willing to systematically break the rules.
Some reasons to maybe not trust it:
- The mail can be gamed. Say, stop delivering mail from areas that politically lean one way or the other.
- There's no check on who voted. We get ballots for children who have moved out of state. We could vote several times, if we chose to (and were willing to break certain laws to do so).
Like digital voting, it doesn't really matter whether this happens or not. It matters whether people think it happens, and whether you can prove that it didn't. And it's going to be impossible to prove that someone didn't vote for their kids. Under current conditions, it's going to be impossible to get either side to think that the other side isn't willing to systematically break the rules.
Digital voting represents too much of a centralized juicy target for me to ever trust it.
When the target is big enough, a state funded, motivated, bad actor will eventually manage to disrupt it.
When the target is big enough, a state funded, motivated, bad actor will eventually manage to disrupt it.
Aren't some technical solutions too reliable to be destroyed?
"Disrupt" could be just sowing enough doubt in the system so that the general public stops trusting the results.
Theres a saying the only secure computer is one thats turned off with no networking buried in a block of concrete. I haven't heard of a technical solution which is impervious to destruction.
Depends on the setup. I wouldn't trust anything network connected. I would also want paper backup for validation.
I once used a touch screen voting machine about 10 years ago. The screen calibration or button values must have been atrocious. I got to the review screen and it said I was about to vote for the opposite candidates in a couple races. I had to go back and very carefully select everything again. Some of the buttons were not matching with the touch areas that should be associated with them.
Overall, the best system I've used are the bubble sheets. It has a verifiable paper ballot, can be electronically counted, not network connected, and is simple to use just like in school.
I once used a touch screen voting machine about 10 years ago. The screen calibration or button values must have been atrocious. I got to the review screen and it said I was about to vote for the opposite candidates in a couple races. I had to go back and very carefully select everything again. Some of the buttons were not matching with the touch areas that should be associated with them.
Overall, the best system I've used are the bubble sheets. It has a verifiable paper ballot, can be electronically counted, not network connected, and is simple to use just like in school.
Paper ballots cannot be hacked remotely by foreign actors, or manipulated in seconds using an exploit. I could see a blockchain-based one work though.
Voting needs to be done via a system that the vast majority of people can understand, or they will not trust it. With all of the maleficence that happens around blockchain, I doubt we could ever trust it for such important issues
This is a rare case that I too could see something like blockchain, but it would have to be highly documented and transparent. e.g. What organizations and companies are running the ledgers. Who has control of what and access to what. Public confidence would have to be priority one at every step of the way. It would need something like certificate transparency, except it would have to be mandatory with attestation and validation at every step of the way and it should be possible to take the logs from any of the multiple locations and use them to prove each other real time. Meaning, even the most subtle tampering should set off alarms everywhere almost instantly and machine learning should be able to use this data and video surveillance data to show who was tampering with what and when.
People at each ledger location would have to be on a list and if found doing something malicious, heads would literally roll and the legal system would have to reflect this. There can't be one iota of "oops we made a boo-boo, sowwy". No covering up system tampering by congress. No memory-holing of system compromises like the previous mechanical voting systems. The entire system has to be capable of being audited by literally the entire planet provided they follow a bug reporting process and do not sit on discoveries.
There would be one and only one API port. Everything else is firewall restricted and monitoring on each device would look for a socket opening. The API port can be told to check for system updates and that's it. No remote management of the device. Cattle vs Pets. If a device fails it gets sent to a specific location. The device would use its own pre-shared mutual auth VPN mesh, pre-shared mutual auth on the OS and pre-shared mutual auth in the applications that update the system. A display on the box must show that this updated was triggered and by whom. Every devices must log each step of the update process to the ledger with details of who triggered the update and why and links to what changed in a public repo.
Anything short of what I described and the hundreds of millions dumped into the system would just line some pockets as the system would be deprecated like many systems before it. Public confidence would have to be priority one at every step of the way. No secrecy. No obfuscation. No classification set on anything, not even "confidential". All documents would contain the label "Unclassified". The entire planet by default gets the legal clearance of "Public Trust". 100% of the firmware, BIOS, OS and Application must be in a public repository, no exception. All binaries/blobs must be signed and checksummed. Anyone that wants one of these devices may order one from the manufacturer, minus the keys, obviously. Pen-testers have to make their own keys for their own lab.
Anyone on earth with an internet connection should be able to see real time what is being voted on and voters should be able to use a private key they generated to see their votes in action. Groups of people that wanted to should be able to see their collective votes in action.
If someone can successfully tamper with a system with proof of how they did this, they are awarded $100,000. The number of times someone may receive this award is unlimited and there are no restrictions on who may receive this award. Even members of sanctioned countries may participate. A member of congress will fly there and hand them the cash and an award certificate. If said country would perceive this as an act of war, then instead a popular youtuber would fly there and hand them the cash. These awards are deducted from the DHS and FEC budgets. If 50% of their budget is depleted, the remainder of their budget is folded into the NSA budget and their organizations are disbanded. This process repeats until there are no vulnerabilities or there are no more three letter agencies remaining at which point we move to four letter agencies.
People at each ledger location would have to be on a list and if found doing something malicious, heads would literally roll and the legal system would have to reflect this. There can't be one iota of "oops we made a boo-boo, sowwy". No covering up system tampering by congress. No memory-holing of system compromises like the previous mechanical voting systems. The entire system has to be capable of being audited by literally the entire planet provided they follow a bug reporting process and do not sit on discoveries.
There would be one and only one API port. Everything else is firewall restricted and monitoring on each device would look for a socket opening. The API port can be told to check for system updates and that's it. No remote management of the device. Cattle vs Pets. If a device fails it gets sent to a specific location. The device would use its own pre-shared mutual auth VPN mesh, pre-shared mutual auth on the OS and pre-shared mutual auth in the applications that update the system. A display on the box must show that this updated was triggered and by whom. Every devices must log each step of the update process to the ledger with details of who triggered the update and why and links to what changed in a public repo.
Anything short of what I described and the hundreds of millions dumped into the system would just line some pockets as the system would be deprecated like many systems before it. Public confidence would have to be priority one at every step of the way. No secrecy. No obfuscation. No classification set on anything, not even "confidential". All documents would contain the label "Unclassified". The entire planet by default gets the legal clearance of "Public Trust". 100% of the firmware, BIOS, OS and Application must be in a public repository, no exception. All binaries/blobs must be signed and checksummed. Anyone that wants one of these devices may order one from the manufacturer, minus the keys, obviously. Pen-testers have to make their own keys for their own lab.
Anyone on earth with an internet connection should be able to see real time what is being voted on and voters should be able to use a private key they generated to see their votes in action. Groups of people that wanted to should be able to see their collective votes in action.
If someone can successfully tamper with a system with proof of how they did this, they are awarded $100,000. The number of times someone may receive this award is unlimited and there are no restrictions on who may receive this award. Even members of sanctioned countries may participate. A member of congress will fly there and hand them the cash and an award certificate. If said country would perceive this as an act of war, then instead a popular youtuber would fly there and hand them the cash. These awards are deducted from the DHS and FEC budgets. If 50% of their budget is depleted, the remainder of their budget is folded into the NSA budget and their organizations are disbanded. This process repeats until there are no vulnerabilities or there are no more three letter agencies remaining at which point we move to four letter agencies.
There's to my knowledge no digital voting system used in practice that wasn't found to be severely lacking in terms of security. The famous Estonian iVote system is a case in point; it wouldn't be infeasible for a large, dedicated actor (e.g. Russia) to manipulate it, or at least to cast severe doubt upon its results.
Mainly that's because it's really hard to simultaneously maintain both anonymity and integrity, both of which are essential to voting. Lest you think anonymity is not important, think about what happens if I can see how you voted: I could simply pay you for voting "the right way".
The research literature is full with proposed electronic voting schemes, and security reviews thereof. As far as I can see, current mainstream consensus in the security community is that there is no system secure enough to be recommended, and many doubt that it can ever be done.
Mainly that's because it's really hard to simultaneously maintain both anonymity and integrity, both of which are essential to voting. Lest you think anonymity is not important, think about what happens if I can see how you voted: I could simply pay you for voting "the right way".
The research literature is full with proposed electronic voting schemes, and security reviews thereof. As far as I can see, current mainstream consensus in the security community is that there is no system secure enough to be recommended, and many doubt that it can ever be done.
No, I'll never trust only a computer. There must be something that can be counted by hand, a physical record with a chain of custody.
From what I've heard, the best way to run an election is the process used in Australia.[1]
From what I've heard, the best way to run an election is the process used in Australia.[1]
1 - https://www.aec.gov.au/voting/counting/even if I trust a system, it's hard to see how to spread that trust to others. The systems we have now for electronic voting are complicated and it'd require some confidence in your understanding of the subsystems its built of and how they connect to claim you trust the assemblage. It's far too much to ask the average voter to gain that background so that they can trust their vote is being handled correctly.
Simple paper ballots are quite complicated enough, thanks. There's those who can't understand the check and correction mechanisms we use for paper ballot elections, but that complexity is far closer to comprehension than any of the fancier methods proposed to replace it.
Simple paper ballots are quite complicated enough, thanks. There's those who can't understand the check and correction mechanisms we use for paper ballot elections, but that complexity is far closer to comprehension than any of the fancier methods proposed to replace it.
If the result could be publicly verifiable like a bitcoin transaction then yea makes sense.
We could create a distributed public ledger of votes with a setup similar to bitcoin. Every vote is encrypted with malleable encryption so that I can not tell what way an individual voted but I can add up the votes and I can find which candidate has the greater number of votes. Private votes with a publicly verifiable result!
- Edit -
As far as I know all current systems are black boxes which require blind trust of the box, the company that made the box and the software inside it. This is the worst possible setup for security that I can think of.
We could create a distributed public ledger of votes with a setup similar to bitcoin. Every vote is encrypted with malleable encryption so that I can not tell what way an individual voted but I can add up the votes and I can find which candidate has the greater number of votes. Private votes with a publicly verifiable result!
- Edit -
As far as I know all current systems are black boxes which require blind trust of the box, the company that made the box and the software inside it. This is the worst possible setup for security that I can think of.
I agree with this comment, except its feasibility.
Non tech people do not trust tech, even if (unaffiliated) tech people assure them it's trustworthy.
An example: a poker room near me had electronic tables. They were fantastic--super fast deals, no miscounting, no acting out of turn, etc. But people thought they were rigged.
For who? There's no obvious way for the table to pick favorites. Nobody thought there was a dial some guy could turn for his friend.
They thought it was rigged for the house, to get the maximum rake more often. Nevermind that they get the maximum rake virtually every pot anyway, and introduce a huge risk.
The guys knew me, knew I was in tech, and still didn't trust my opinion on it.
Anyway the game died and the tables were taken away. We still don't have a local poker game, to my detriment.
Even if the results were public and we ran analysis on them and found them to be legit, I think that would increase the average person's trust by 1-2%. They don't even understand the system.
At least they can understand paper ballot voting. I think it would make the most sense to film all the sorting and counting, and make it publicly available. Then people can study it until they're content.
Non tech people do not trust tech, even if (unaffiliated) tech people assure them it's trustworthy.
An example: a poker room near me had electronic tables. They were fantastic--super fast deals, no miscounting, no acting out of turn, etc. But people thought they were rigged.
For who? There's no obvious way for the table to pick favorites. Nobody thought there was a dial some guy could turn for his friend.
They thought it was rigged for the house, to get the maximum rake more often. Nevermind that they get the maximum rake virtually every pot anyway, and introduce a huge risk.
The guys knew me, knew I was in tech, and still didn't trust my opinion on it.
Anyway the game died and the tables were taken away. We still don't have a local poker game, to my detriment.
Even if the results were public and we ran analysis on them and found them to be legit, I think that would increase the average person's trust by 1-2%. They don't even understand the system.
At least they can understand paper ballot voting. I think it would make the most sense to film all the sorting and counting, and make it publicly available. Then people can study it until they're content.
In the US you are asking if I trust "digital voting"/a bug to not start a civil war.
If not, what should digital voting have to do in order for you to start trusting it?