USPS Files Patent for a Blockchain-Based Voting System (heraldsheets.com)
299 points by seigando on Aug 16, 2020 | 371 comments



Maybe this is a dumb idea, but what if for each election we issued a ballot containing a unique, random, sequential prime number to every registered voter?

Then, when counting the votes for each candidate we display the running product of all the primes counted for that candidate as a "checksum", or "check product". This retains privacy while allowing individual voters to easily verify that their vote was counted by simply dividing their party's checksum by their prime ballot number and confirming that it is a factor of the check product. By displaying a running product of votes, you can also verify that your vote was not counted before you voted. Additionally, this prevents double counting because the "checksum" for N primes must match exactly N votes and no two candidates can share a factor. By issuing sequences of primes to certain regions, you can get some metrics by state.

Then you institute a rule that if some % of primes dispute that theirs was counted correctly, a recount is automatically triggered.


The number you're proposing has about 1.4 billion digits in it. It has more digits than just listing a number for everyone who votes and contains the same information.


This setup seems mostly pointless to me. Instead of publishing the product, why not just list the primes themselves? Both should be roughly equivalent and just publishing the list of primes would be simpler. And then once you do that, why even use prime numbers? Just assign unique tokens to voters.

What exact security guarantee are you trying to provide that wouldn't also be satisfied by just giving each voter a token and publishing the token lists?


It can be verified with a pencil and piece of paper and a calculator, so anybody can do it. As long as you agree about the number of sequential primes issued, you can calculate how many votes are still outstanding and keep voting booths open until 99% has voted. By issuing ranges of primes to states, you know where you have to keep booths open.


> It can be verified with a pencil and piece of paper and a calculator, so anybody can do it.

The size of the resulting number would be so incredibly large that no person with pencil and paper and calculator would have even the tiniest chance of being able to verify their number. The chance of even copying it down correctly once would be tiny. The number of pages to write it out is huge. The time for a person to check it by your method would require more than their lifetime.

Thus nobody, not a single human, could check it by your method.

This is a non-idea.

For the math inclined, the nth prime is around n ln n. We need ~130,000,000 of them. Each side will multiply ~half of them. The resulting number is ~(10^9)^(10^9), which has 10^10 digits. Writing one step of the calculation at 5 digits per second would take 62 years.


Since most voting is handled and tallied by county/sub-divisions of that county, and are published as such, wouldn't the number be much smaller? A few thousand per district since you only need to be unique to the place your vote is tallied.


At any scale this method is unusable by the vast majority of people, and it doesn’t prevent tons of other problems such as fake votes added.

Next, votes were once public, but it was too easy to prove who you voted for, making buying votes more valuable. These methods would bring that back, since a voter could prove who they voted for. The US did this for its first 50 years, and Kentucky even had it till ~1890. The modern private vote made it harder to determine who someone voted for, since if someone paid me for a vote I could still vote how I pleased and they couldn’t check me.

The above simplistic method would bring back vote buying.


> other problems such as fake votes added

First of all, everyone knows we can prove this never happens already, so no big deal.

Second, this is a feature, not a bug.


>everyone knows we can prove this never happens

You're claiming extra votes are never added? That everyone knows this? Citation?

The 2018 North Carolina 9th Congressional District election had votes added illegally, changing the outcome. The subsequent investigation threw out the fraudulent votes, the illegally elected Mark Harris stepped down, and so far about a dozen people have been charged with felonies.

"At the center of the scandal was the Republican operative Harris had employed in Bladen County, Leslie McCrae Dowless, whose operation, according to investigators, included filling out at least a thousand mail-in-ballot requests, many without voters’ knowledge, and deploying a team of friends, family members, and other associates to pose as election officials and collect them." [1]

There's even a case in Brussels where a bit flip (often the result of a cosmic ray or soft neutron decay) flipped an election, and it was only caught since suddenly there were 4096 more votes than eligible voters.

So ignoring the possibility of fake votes added is short-sighted.

Your claim "everyone knows we can prove this never happens" is demonstrably false.

[1] https://www.newyorker.com/news/dispatch/the-tearful-drama-of...


How do you know how many votes there should be? Don’t you just have to trust whoever gave you the ballot/prime? Why wouldn’t they just generate the checksums ahead of time, they already know your prime exists. They gave it to you.


It allows for verification not only by the voter but also by third parties, doesn't it? That would make it possible to sell votes (with proof!) or threaten people with repercussions unless they vote a certain way.


If you see my above comment on a "Right to Vote" token system, which would abstract away the identity of any given vote, there is a solution for this:

Because the Right to Vote tokens and the accounts that they are voted with are anonymous, no third-party knows which vote belongs to which person (except for arbitrary public-key strings). However, if a voter wants to check that their vote was counted, they can easily see that the token sent from their account was used to vote for a certain party.

Now, if a second layer of privacy and abstraction is needed, zero-knowledge proofs can offer that. This, however, is a completely different ball game.


This is only a risk if ballots are not issued privately.


That is a great system, but there could still be coercion to show your "prime number" token to someone, say your employer. Probably not common in the US or the EU, but in Venezuela for example there is a lot of pressure for employees of state owned companies to vote for the government and they use many tactics to make sure you do. I'd be worried about making it simpler for them. Maybe there's a way of adding an extra layer of security?


what's a bigger threat. "selling votes" or unverifiable election.

i.e. we generally say election fraud is not a huge problem because it's too easy to get caught.

if that's the case, one would think any vote buying scheme would be even easier to get caught.


Or coercion. If at any point your vote can be known, there is very high risk that someone forces you to vote like they want. Only way to prevent this is total anonymity of which vote was by which person.


is coercion really a threat on a large scale in the US (I'm sure in other countries it is). But if the only way to know my vote is to have my random identifier, if I dispose of my random identifier, they can't know my vote.

i.e. I feel we can both have total anonymity if a person desires, while also having verifiability.

as an example: a random uuid is assigned to me and my votes are printed out on a slip of paper with the uuid (and with a cryptographic signature to verify that it was produced by a voting machine). I can choose to burn the paper and no one can know how I voted or I can keep the paper and anonymously verify that my vote was recorded correctly (i.e. download the whole set of uuid -> vote mappings).

if the number of uuids submitted at each polling place is recorded reliably (i.e. observers from multiple sides having agreed upon counts), you have a good belief that no votes were added or removed.

if every voter who chose to keep their slip is able to verify their vote is recorded correctly you have a good belief that the votes weren't manipulated (assuming enough people verify their votes).

yes, there are issues, vote buying / coercion, but I'm just not convinced that those issues are severe enough or probable enough (at least in the USA) to want to avoid simple steps that will make people more comfortable with the election outcomes.

i.e. make the punishments harsh enough for anyone caught coercing / paying others for their votes to make it unlikely to happen at a scale that will negatively impact things.

but perhaps I'm naive about this.


> is coercion really a threat on a large scale in the US

No, largely because of the secret vote and the fact that there is no way anyone can verify how "you" voted after the fact. So you can lie to the thug threatening you with a wrench that you voted for "candidate A" and the thug has no way to know otherwise.

> But if the only way to know my vote is to have my random identifier, if I dispose of my random identifier, they can't know my vote.

If the thug with the wrench who has /suggested/ you vote for candidate A lest he break your kneecaps also knows you can verify your vote by using your random identifier, then if after the election you have disposed of your random identifier, the thug breaks your kneecaps because you disposed of your random identifier. Therefore you are still coerced to reveal your vote, because you are also coerced not to dispose of your random identifier until after the thug has verified you voted "the proper way". I.e. the thug changes tactics from "vote for A lest I break your kneecaps" to "vote for A and do not dispose of your identifier until I verify you voted my way lest I break your kneecaps".

> I feel we can both have total anonymity if a person desires, while also having verifiability.

If there is any form of ability to verify your actual individual vote, in any way, then there is no anonymity.

Anonymity is only available if there is no ability to verify an individual voted a particular way after the fact. Any opening of verification destroys all anonymity.


and what would happen if you forced a random sampling of individuals to destroy their slips? so random group can verify but you have no idea who is in that random group?

edit: or perhaps better, a random sampling were permitted to print out a proof of vote slip, but didn't have to. But if not chosen, you didn't get a proof of vote slip.

Now, in thinking it through, it might not help much. if someone can manipulate the voting machines, they can know who printed out their slips and manipulate the other votes. With that said, if done correctly, with a paper trail, I think it would be difficult.

i.e. users are given 1 or 2 outputs. piece 1 is a paper print out with a uuid and their votes that gets deposited in big box and counted as deposited. piece 2 that not everyone even has an option to get, can be kept. there has to be no way to distinguish the different piece 1s of those who get a piece 2 or not. If so, if everyone who got a piece 2 sees that their vote was recorded per the record they have, they can be confident that their vote was recorded correctly.

if their vote is not recorded correctly, they should have an anonymous mechanism to deposit their slips to make known that their vote was not recorded correctly. (hand waving at that, as unsure how to do that).


>No, largely because of the secret vote and the fact that there is no way anyone can verify how "you" voted after the fact. So you can lie to the thug threatening you with a wrench that you voted for "candidate A" and the thug has no way to know otherwise.

Sadly, the thug also knows this. But what the thug (=ruling party) does know is whether an entire voting district votes for the opposition.

Then they come down hard on the entire district. In all sorts of creative ways.


> Sadly, the thug also knows this. But what the thug (=ruling party) does know is whether an entire voting district votes for the opposition.

It's not so much about the ruling party - if they want to steal the vote, they can just send an officer into the booth with you that makes sure you're not cheating.

It's more about those that don't have that ability, e.g. religious groups, families, social circles. That's why ballot selfies are sometimes outlawed and generally strongly discouraged: if it's illegal and punishable to prove to third parties how you voted, you have plausible deniability for why you can't produce proof.


Private vote, guaranteed counting, no extra votes. Pick two. The system you’ve described only implements guaranteed counting.


Why not simply print a receipt after voting with the vote printed verbatim and a digital token that allows the voter to easily check whether the vote has actually been counted correctly.

The token could be a hash of some relevant parameters that are easy to check and maybe digitally signed by the voting machine or whatever.


The point of the secret ballot is to make it very hard to sell votes, because you can’t prove how you voted. (Vote by mail is not a secret ballot.)


How is vote by mail not a secret ballot?

I live in CA where we have had mail-in voting for some time. As far as I know, I don't have any way to prove to someone that I voted a particular way.


A scenario where a family or workplace or other organization has everyone fill in their ballot in front of each other and then drop it off in the mail together.

“For convenience,” “to make sure everyone gets their vote in.”

The difference is there is no designated, guaranteed-private voting booth for the act of voting.


This really doesn't help, because the average voter will have no understanding of what that "digital token" is or how it can be used to "check" anything. Are we imagining some kind of unique QR-code or similar, that I scan to get a confirmation my vote was recorded? That's pure black-box voodoo... why should I believe that there's any connection between that "check" and the official count?


Indeed, a record of proof of the transaction instills more confidence in the system (i.e. votes aren't just in this "black box") and provides a redundancy in the case of issues with the electronic system.


If you vote from home, what sort of receipt do you get? A digital receipt for every candidate can't be recorded unless it's mailed in (and if people are all mailing in anyway then it sounds like you're just overcomplicating things), and people keeping a record of their vote at home where they can show others will let people systemically validate blackmail - "show me you voted <candidate> or I'll break your kneecaps". Although to be fair, if you seize someone's mail-in ballot you could force them to write it out under supervision.

Other than possible cost savings, the only useful benefit of electronic voting is if it lets people vote from home/vote more conveniently. Requiring a paper backup nullifies that benefit, and making it optional damages the usefulness of having a paper backup in the first place and adds privacy problems.


Blackmail doesn’t scale.

In WA the ballot has a tab you peel off and can track through a webpage. It’s basically the system outlined above but we actually fill out a paper ballot then mail it in. The postage is prepaid.

This solves basically all problems and works great.

It’s independently verifiable. It’s anonymous. It’s accessible.


> Blackmail doesn’t scale.

If elections in my district are historically won by a 10-20% margin, and my corporation directly employs 20% of the people in the district, then I think I could make blackmail scale just fine.


I’m not sure I follow. Are you threatening people’s jobs? Do you think you can reliably get away with that? This is the part where it doesn’t scale. You’re taking on an enormous risk to maybe swing a tight election by committing widespread extortion. It’s totally unrealistic and has nothing to do with voting in person, online or by mail. Your threat would apply to all of them.


> Are you threatening people’s jobs?

Yes.

> Do you think you can reliably get away with that?

Robber barons did reliably get away with it throughout the nineteenth century. That's the whole reason that you don't get to take a copy of your ballot home today.

> It’s totally unrealistic

Well, somebody forgot to tell reality.


> That's the whole reason that you don't get to take a copy of your ballot home today.

My ballot gets mailed to my house. I fill it out in my kitchen.


There are a lot of comments here, but for anyone who’s looking for a well thought out implementation of publicly verifiable ballots, I suggest taking a look at Scantegrity [1]. Gotta love all the brilliant minds who worked on it (and implemented it in the US!) (David Chaum, Richard Carback, Jeremy Clark, Aleksander Essex, Stefan Popoveniuc, Ronald L. Rivest, Peter Y. A. Ryan, Emily Shen, and Alan T. Sherman)

[1]: http://scantegrity.com/papers/ScantegrityII-EVT.pdf

Note: They published several papers on the implementation and design of the Scantegrity system. I just linked to one of them (the most recent I believe).


And couldn't you just have one flat log file as an append-only ledger of all the votes? Maybe add a time stamp and location stamp to each prime recorded for context.

Found this gem. https://primes.utm.edu/lists/small/millions/

1 million primes is about 2mb zipped. Even with additional information, a national election result of 130 million votes could fit on a CD.

The beauty of this is we have a completely transparent record that requires no unique software to view or test. No black boxes, and no magic beyond the magic of primes.


What is a unique, random, sequential prime and how do you actually vote?


Issue 1, 3, 5, 7, 11, 13, 17... up to N for N registered voters. Mix them up and hand out randomly. So let's say you get 5 and I get 7.

To vote, you cast your prime for a candidate, thereby consuming it. No two candidates can share a prime, because their checksums will have a common factor, which is not allowed.

If we both vote for candidate A, his checkproduct is now 35.

If ballots 11, 13 and 17 vote for candidate B, his checkproduct is 2431. Because 2431/5 = 486.2 (non-integer), you can verify that your vote was not counted for B, but it was for A, because 35/5 = 7 (an integer). And because 2431 and 35 don't share any factors, no two votes were counted twice.


Why do you need primes? You could just give everyone a number and publish which numbers voted for each candidate. That is effectively equivalent to what you are doing since each total product can be factored into the primes that voted for it anyways.


It doesn't work: let's take 4 people and they vote for two choices "1" or "2".

I cheat when I give people their random numbers: A gets 5, B gets 5, C gets 7, D gets 11.

Now they all cast their vote: A -> 1 B -> 1 C -> 2 D -> 2

Let's tally the votes, the result for choice 1 is 5 and the result for choice 2 is 77.

A checks that its vote has been counted 5%5 == 0 so it's good. B checks that its vote has been counted 5%5 == 0 so it's good. C checks that its vote has been counted 77%7 == 0 so it's good. D checks that its vote has been counted 77%11 == 0 so it's good.

For everybody the result appears to be one vote for choice 1, 2 votes for choice 2 and 1 abstention, your scheme does not detect any wrongdoing here.


Of course, you also have to check that your vote was not counted for any of the other candidates.


None of the voters had their vote counted to another candidate here but the result is wrong.

This voting scheme is just broken.


In this system you have to trust that the issuing authority never reuses primes. That seems like a major downside, and something that is hard to overcome with transparency.


People would definitely notice if the checkproduct for two candidates had a nontrivial gcd. Which is almost guaranteed to happen if primes are recycled to a significant degree.
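
The check-product scheme and the two objections above (one prime handed to several voters, and the gcd audit across candidates), worked through as an added Python example that is not any commenter's code; the function names are made up here and the numbers are the ones used in the thread. It shows that the voter-side check and the cross-candidate gcd both pass when the holders of a duplicated prime vote the same way, so the shortfall only appears against an independent count of ballots cast.

```python
from itertools import combinations
from math import gcd, prod


def check_products(counted):
    """counted: {candidate: [primes counted for it]} -> {candidate: check product}."""
    return {cand: prod(primes) for cand, primes in counted.items()}


def voter_check(prime, choice, published):
    """Voter-side check: my prime divides my candidate's product and no other."""
    mine = published[choice] % prime == 0
    others = all(published[c] % prime != 0 for c in published if c != choice)
    return mine and others


def shared_factors(published):
    """Cross-candidate audit: pairs of candidates whose products have gcd > 1."""
    hits = []
    for a, b in combinations(sorted(published), 2):
        g = gcd(published[a], published[b])
        if g > 1:
            hits.append((a, b, g))
    return hits


def factor_product(product, issued):
    """Trial-divide a check product by the public list of issued primes.
    Returns (primes found, leftover); leftover != 1 means an unissued factor.
    This is why publishing the product reveals the same list as publishing tokens."""
    found = []
    for p in issued:
        while product % p == 0:
            found.append(p)
            product //= p
    return found, product


def honest_example():
    # Thread's numbers: ballots 5 and 7 vote A; 11, 13 and 17 vote B.
    return check_products({"A": [5, 7], "B": [11, 13, 17]})


def duplicate_issuance_example():
    # Thread's counter-example: voters A and B both hold 5, C holds 7, D holds 11.
    issued_to = {"A": 5, "B": 5, "C": 7, "D": 11}
    choices = {"A": 1, "B": 1, "C": 2, "D": 2}
    # The tally counts the shared prime once, so one real vote disappears.
    published = check_products({1: [5], 2: [7, 11]})
    factors = sum(len(factor_product(p, [5, 7, 11])[0]) for p in published.values())
    return {
        "published": published,
        "every_voter_check_passes": all(
            voter_check(issued_to[v], choices[v], published) for v in issued_to
        ),
        "shared_factors": shared_factors(published),
        "ballots_cast": len(choices),          # needs an independent count
        "votes_in_products": factors,          # what the products account for
    }


def recycled_across_candidates_example():
    # Same duplicate prime 5, but its two holders vote for different choices.
    published = check_products({1: [5], 2: [5, 7, 11]})
    return shared_factors(published), voter_check(5, 1, published)


if __name__ == "__main__":
    print(honest_example())
    print(duplicate_issuance_example())
    print(recycled_across_candidates_example())
```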


Not necessarily a dumb idea, but blockchains provide us an easier way to do something similar.

Every voter would be provided 1 (one) "Right to Vote" token after verifying their identity or receiving it by mail (as is the proposed solution from the USPS). This is arguably just as secure as mail-in voting.

Each voter would also have an "on-chain voter ID", which would just be an anonymous public-private keypair in possession of 1 "Right to Vote" token. This on-chain voter ID would never have to be "mapped" directly to a voter. All that's provisioned by the election overseers is the right to vote with one account by using this token.

Then, the vote is cast by redeeming this right to vote token, without the voting account ever being linked to a "real identity".

Of course, there are problems here too. Mainly with UX, and then at a low level the hardware used (the general public is very easy to hack if you have nation-state power).


> This on-chain voter ID would never have to be "mapped" directly to a voter

The government will generate these IDs and then mail them to people. Who’s stopping them from recording the mappings?


What's stopping them from not properly separating the outer and inner envelopes in mail-in voting? Or correlating poll booth entries with checkins? Nothing. The system fundamentally assumes the organization operating the poll is trustworthy.


In case you are interested, the thing preventing those types of shenanigans from happening is volunteer observers from various parties. The in-person and physical nature of things makes it much more difficult to break.


Yes, and volunteer observers could also ensure that the keypairs mailed out to people are never revealed.

1. An airgapped computer running a keypair generation program generates millions of keypairs.

2. This prints these millions of secure keypairs with the keypair facing "downward".

3. In a publicized setting with volunteer observers, the private keys are sealed into envelopes which don't yet have names or addresses on them, and secured with tamper-proof seals.

4. These ballots are sent through another printing system, which adds an address and name to each ballot, at random.

5. The ballots are mailed out.

How is that any different?


The level of complexity for auditing here is much, much higher than the paper system. How do you verify that the software wasn't backdoored? How do you verify that the computer actually ran that software? What if the hardware had a backdoor? What about the compiler? Even the printers could be compromised.

Normally, I would consider these types of issues simply paranoia, but in this case we are talking about very high stake elections that control the spending of trillions of dollars.


Receive by mail? At that point I already know that the system is fundamentally broken...



You could easily replace the word Blockchain in this patent application with the word database and it would all still make sense.

Blockchains (I prefer to call them Merkle trees) were invented 40 years ago. The interesting part about cryptocurrency based Blockchains that makes them unforgeable is that they contain proof of work. The work to create an entire Blockchain is equal to the sum of the work contained in each node. Without proof of work Blockchains are easily forgeable.


I strongly disagree. This is a comment from someone who (I presume) is unaware of the advances in Proof-of-Stake blockchains, and other consensus protocols like the Stellar Consensus Protocol. Databases do not have a distributed way to manage consensus - one of the main things that sets a blockchain apart from a distributed database.

This consensus mechanism is what's important when something important (like an election) hinges on the blockchain being an accurate representation of state. This requires a Byzantine-fault-tolerant agreement. See https://medium.com/loom-network/understanding-blockchain-fun....


Stellar operates on the basis of trust in a third party [1].

The jury is still out on proof of stake blockchains like Casper [2]

[1] https://stellar.stackexchange.com/questions/160/how-does-the...

[2] https://medium.com/@muneeb/peer-review-cbc-casper-30840a98c8...


If you define "third party" as your first link does, everything relies on trust in a third party. The counting of ballots also relies on a third party, albeit a less homogenous and "centralized" third party (though that term is also hard to define).

The difference is that a public blockchain provides an open and auditable overview of the actions of the third party, and what the state of the entire "database" is. This is something that a Merkle tree whose root is published in a newspaper once a week can't achieve (an anecdote from a story Roberto Di Cosmo of the Software Heritage Foundation told me).

To your second link — I'm not arguing for such a system today. Of course there are many roadblocks and hurdles in getting to full proof-of-stake or full "decentralization". But in 5-10 years I'm sure we'll be there. There are hundreds of teams, from Algorand to Casper to Ethereum, working on this issue.


> The counting of ballots also relies on a third party,

A third party counting all ballots, unless audited, would be a terrible way to conduct a public vote.

In pen-and-paper voting systems, counting is carried out by the very same people that vote, publicly, in the open. Then there are also auditing systems in place.


> Databases do not have a distributed way to manage consensus.

what about something like the Raft protocol?


Yes, Raft (and Paxos) are indeed distributed consensus protocols.

But the GP is talking about distributed in blockchain-land, which uses terms differently.

In blockchain-land, it means "consensus among peers who do not trust each other".

In non-blockchain-land, there are what's called byzantine distributed consensus protocols, which are robust against deliberate subversion by some nodes in the network. Basically if nearly everyone votes one way, it doesn't matter what a few subversive nodes do. But byzantine robustness does have a cost (in time), so protocols are usually designed on the assumption that there may be faulty nodes, but the errors are not deliberate.

But even byzantine protocols assume the network is somewhat predefined.

Whereas in blockchain-land, you don't know how many peers there are, who they are, and you don't trust them. What you do trust is their motivations en masse, because there's money and power in it.

It uses economic and evenness-of-technological-progress factors to provide a level of collective trust. A core assumption is no motivated actor is sufficiently powerful to subvert everyone else. This assumption is not guaranteed by protocols, and can also be broken by collusion among large actors, because collusion makes them more powerful.

With proof-of-work, the assumption can also be broken if a sufficiently powerful new technology becomes available to one actor before anyone else. (I'm not sure what the situation is with proof-of-stake, which to be honest smells like RichGetRicher 3.0, but I don't know much about it.)


You are right that Raft and Paxos provide for distributed consensus. However, they don't do so in an open, byzantine environment where some fraction of the nodes in the network may not be honest.

edit: there are byzantine variants of paxos --- i'm not 100% familiar with these (and tbh i'm take it or leave it on the whole thing), just wanted to note that i think the parent was trying to get at something slightly different than consensus in an environment with nodes that fail, i.e. "traditional" consensus algorithms


???

You absolutely do not want consensus anywhere near an election. Consensus is not about agreeing on the total balance of transactions, it's about agreeing on individual transactions. It implies that multiple people know what your vote was which is absolutely not what you want.


This is not true if the voting apparatus is separate from the identity of the voter. There are two ways to accomplish this, and the USPS is proposing that they ship voters a sort of "private key", which is fully anonymous, which has no connection to their identity. This key is used once, with the right to cast one vote.

In such a system, the whole blockchain will know what each public key voted for. The difference is that there is no connection between this public key and the vote of an individual. This would allow for a massively and openly auditable system, without sacrificing privacy or convenience.

I am not a proponent of this, as I think that in the near and mid-term futures, there are too many technical problems to be worked out. If, however, we end up giving every citizen digital ID cards as Estonia has done, and using those as secure hardware used for voting, we could distribute the voting process. Essentially, there would be no more vote-counting. There would only be vote casting and the election results would be apparent to everyone, immediately.

Consensus is absolutely necessary for such a system.


I look forward to the national outrage in year 2075 when it is discovered that 90% of "voting citizens" were tokens stored in the basement of the White House, and nobody noticed for 50 years.


You don't know my bitcoin wallet address unless I share it with you, and you wouldn't know my voting ID unless I shared it with you.


SSNs are probably the closest existing parallel. How many people in the US of voting age haven't had their SSN leaked yet? Obviously SSN is abused in the things it is used for (I.e. identification), but I don't see any indication voter IDs wouldn't be abused the same way.


SSN is a (mostly) permanent number you use for many many things. A voter ID would be unique with every upcoming vote. Election specific public key would probably be a more correct term.

Abuse of it would definitely be bad, but it would be more difficult as you'd have to repeat the identity theft every election, rather than knowing someone's lifetime secret number.


I agree, when consensus is the per-transaction kind used in, say, Bitcoin.

However, a Zero-Knowledge Proof-based consensus (https://zkproof.org) can produce agreement on a combined result without revealing the individual inputs.

It's not easy, and you still have to prove the protocol has been followed, that is that everyone voted even though you don't know what they voted for.

But it's a type of consensus which you do want.


A database is a central point of failure. Nothing stopping a sysadmin or a hacker able to get shell access from just deleting a bunch of votes, or taking the whole system offline. A blockchain system over a p2p network is way more fault tolerant and available than a database.

Also, in a blockchain system, any person can connect a node to the network and can see all of the votes that are occurring/have occurred, and can somewhat verify the results of the election.


A blockchain is a database.


How do you prove the database hasn't been tampered with?


You can't but how can you prove the blockchain hasn't been tampered with?


If you are asking, then you don't understand how the blockchain works.

It's literally the entire point of the chain.


Prove that your blockchain hasn't been compromised by a sophisticated 51% attack.


You can't. A 51% attack is literally "the network".

And I wouldn't call a 51% attack sophisticated, really. It's just having a bigger hammer than the other guy.


Proof of Work, chain of blocks.


Make it public and put it in version control, every time a vote is counted you publicise a new revision, everybody with an interest can download regularly and check for tampering?


Or, you know, use a hash of the previous row as a column value of the current row. That way, you can’t tamper with any data already stored in the database.


This is a more complicated and less scalable way of creating a blockchain.
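
The "hash of the previous row" idea from the comments above, as an added example that is not part of the thread: it shows which changes the chain catches on its own and which it only catches when a verifier holds an independently published head hash. The table layout, the `GENESIS` value and the sample rows are constructed assumptions.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first row


def row_hash(prev_hash: str, payload: dict) -> str:
    """Hash a row's payload together with the previous row's hash."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(table: list, payload: dict) -> str:
    """Append a row whose prev_hash column is the hash of the last row."""
    prev = table[-1]["hash"] if table else GENESIS
    digest = row_hash(prev, payload)
    table.append({"prev_hash": prev, "payload": payload, "hash": digest})
    return digest


def verify(table: list, trusted_head: str = None):
    """Walk the chain; optionally compare the final hash with a head
    the verifier obtained outside the database. Returns (ok, reason)."""
    prev = GENESIS
    for i, row in enumerate(table):
        if row["prev_hash"] != prev:
            return False, f"row {i}: prev_hash does not match preceding row"
        if row_hash(prev, row["payload"]) != row["hash"]:
            return False, f"row {i}: payload does not match stored hash"
        prev = row["hash"]
    if trusted_head is not None and prev != trusted_head:
        return False, "head differs from independently published head"
    return True, "ok"


def rebuild(table: list) -> list:
    """What anyone with write access to the whole table can do:
    keep the (altered) payloads and recompute every hash."""
    out = []
    for row in table:
        append(out, row["payload"])
    return out


def demo() -> dict:
    # Constructed sample rows: anonymous token plus choice.
    ledger = []
    head = GENESIS
    for token, choice in [("t-001", "A"), ("t-002", "B"),
                          ("t-003", "A"), ("t-004", "B")]:
        head = append(ledger, {"token": token, "choice": choice})
    published_head = head  # assumed to be published outside the database

    # Case 1: a stored row is edited, hashes left alone.
    edited = copy.deepcopy(ledger)
    edited[1]["payload"]["choice"] = "A"

    # Case 2: the same edit, followed by recomputing the whole chain.
    rewritten = rebuild(edited)

    # Case 3: the last row is deleted.
    truncated = copy.deepcopy(ledger)[:-1]

    return {
        "original": verify(ledger, published_head),
        "edited_in_place": verify(edited),
        "rewritten_no_head": verify(rewritten),
        "rewritten_with_head": verify(rewritten, published_head),
        "truncated_no_head": verify(truncated),
        "truncated_with_head": verify(truncated, published_head),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:22} {result}")
```

The chain alone flags the in-place edit; the full rewrite and the deleted tail row pass the internal check and fail only against the published head.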


My whole startup is built on blockchain, and I'm an Estonian e-Resident (Estonia allows their citizens to vote digitally), so I find blockchain voting fascinating. That said, there are some problems with it. This Tom Scott video explains why: https://www.youtube.com/watch?v=LkH2r-sNjQs.

But this is a very cool idea: combining the USPS vote-by-mail infrastructure with a blockchain layer that sits on top, used mainly to provide anonymous provenance. We'll see if this ever gets implemented, but I think it's a great example of the non-hype uses for blockchains being explored.


Very nice video, though in the personally delivered sponsored message at the end he seems to be contradicting himself. Why would you still trust a password manager after seeing the video? And wouldn't it be incredibly stupid if an entire nation put their passwords in a vault controlled by some company in possibly another nation?


> Why would you still trust a password manager after seeing the video? And wouldn't it be incredibly stupid if an entire nation put their passwords in a vault controlled by some company in possibly another nation?

I think you should use a password manager, I do, and the people I know that don't keep forgetting their passwords, keep reusing them, and generally just practice horrible security.

As to which one, I would recommend an open source one like BitWarden, but they won't fund YouTube videos on important issues because they don't have the money.

I doubt Tom Scott would recommend that everyone in the world use this one password manager, and it won't happen from him endorsing it. And I think that integrity of elections is more important than the security of passwords, even though I guess they are somewhat intertwined. For important things multi factor auth should be used which won't be defeated by passwords only.


That's a good point.

I suppose it's poignant in a way — though we might wish to stop the tide, everything is digitizing. Voting will inevitably be swept up in this process, and it's not a matter of if we should do it or not, but how we do it best.

And for what it's worth, password managers are a very good idea (though probably not worth staking an election on). I would however recommend Bitwarden: https://bitwarden.com, which is open-source and well-audited.

In cryptography we trust (and we probably will for voting someday soon as well)!


Oh cool, not related to the article directly but I'm off to Estonia and working on a blockchain (tezos) voting system and community if interested: www.electis.io


Interesting. For lower stakes voting, this could be a great implementation. I have good friends building a Tezos startup right now (Tezsure) - certainly an interesting chain!

We're on Stellar mainly because of block times. You can see a beta of our timestamping service (mainly built for scientists... launch coming soon) here: https://assembl.app/chronos


All blockchain (and electronic for that matter) voting systems are inherently bad because they are not easy to verify.

Nothing beats pen and paper in verifiability and ease of use. If done right with many eyes on the ballots, manipulation requires thousands of co-conspirators. The only downside is the slow speed.


You give one citizen one vote on the chain. They can personally verify that their vote was counted because the chain is visible. Counts can't be rigged because the entire chain is public. Voters can only vote by going to a physical location where they use a multi-key signature, one by the voter, and one by the local polling station, avoiding people selling off their keys. This is anonymous, traceable, and the vote can't be altered.


As I see, the problem is not that the vote can be altered, but that the vote can be bought and the fact that person voted in the right fashion could be verified by a 3rd party much more easily (screenshots/whatever).

The privacy of voting booth could give at least some chance to change mind/lie to the third party.


In theory, mail-in voting carries these same problems, and we're about to hold the largest mail-in voting election ever. Not sure this is really an argument against an electronic voting system.

In fact, with a blockchain-based system, the vote could be held in "limbo" until the voter decides to cast it, or you could give the option of creating fake screenshots to deter anyone "buying votes". You can't do this with a paper ballot.

The real problem is compiler and hardware level.


>In theory, mail-in voting carries these same problems, and we're about to hold the largest mail-in voting election ever.

And the president is - right now - conducting a denial of service attack on it.

If that doesn't show that remote voting is vulnerable I don't know what does...


The only reason for a big mail-in election is a historic exploit of an availability vulnerability of our in-person voting system, that it depends on lots and lots of (in practice, mostly older) people willing to spend a day in close contact with each other and other people for almost no pay.

> And the president is - right now - conducting a denial of service attack on it.

Or at least miming one, perhaps to provide political cover for Republican-governed swing state legislatures, seeing the problems of in-person voting in the pandemic and armed with the telegraphed disruption of vote by mail as cover and polling data as motivation, to simply exercise their prerogative to cancel public voting and assign a set of Presidential electors without it, which the Republican control of the Senate can guarantee withstand any challenge in the electoral vote count.

If he really wanted electoral chaos by disrupting vote-by-mail, there'd be no reason to telegraph it; the reason to telegraph it is because he desires a response that it either provokes or justifies, as much, more than, or perhaps even instead of the disruption itself.


This is possible today anyway. People can take a picture of their ballot in the booth. Hell, with mail-in voting, you can literally go door-to-door and buy mail-in ballots.


>People can take a picture of their ballot in the booth.

This is insufficient. In-person paper voting allows the voter to toss out their marked ballot and get a fresh one. You can take a photo of your ballot, but it's hard to prove that's what you actually cast. Poll workers will tell you to put your camera away near the ballot box, to protect other voters' privacy as they submit their completed ballots.


Just because the blockchain is public doesn't mean that the identity of voters is public. You know which one your vote is; that information isn't otherwise public.

When you vote right now, your vote is (theoretically) tied to your identity, because every ballot has an id tied to it, so it's not like you'd be giving up any more anonymity than you had. I don't know of any practical fully anonymous election systems that are post-hoc verifiable, but maybe somebody does.


How does the average citizen verify what is actually happening and that their vote is actually being counted? That when they vote for X that the counter for X is increasing by 1? By verify I mean full understanding of the process without the need to believe somebody who calls themselves an "expert".


This is a tricky UX issue at the moment, but I'm sure this will be doable in time.

The nice thing about blockchains is that once transactions are finalized, the state is known, independently of whether or not the user was hacked. With zero-knowledge proofs, voters could theoretically verify that their "right to vote token" (as I've explained in another answer above) was used to cast a certain vote, without revealing their identity.

Now, if the software they're using is malicious, or their device is vulnerable, the election is screwed.

It's worth noting that Estonia manages digital elections quite nicely with their digital ID cards, which use an underlying blockchain-type system to ensure system integrity.


> their digital ID cards, which use an underlying blockchain-type system

The arguments outlined above are really hard to follow, and don't really help the blockchain voting case.

Unless something exceptional happened recently, Estonian eID cards are just bog standard ISO 7810/7816 cards.

No blockchain or blockchain-like system involved. Just regular X.509 style PKI. They were even affected by the insecure proprietary RSAlib code a few years ago, like so many others, and all cards had to be replaced.


You're correct, I misphrased that somewhat. The government uses a blockchain (the Keyless-Serveless Infrastructure or KSI blockchain) to ensure data integrity in their government systems. As I understand, this is also used for their digital voting system.

> The Estonian Government started testing blockchain technology in 2008, as a response to 2007 cyber attacks and with an aim to mitigate possible insider threats. Estonia was the first nation state in the world to deploy blockchain technology in production systems - in 2012 with the Succession Registry kept by the Ministry of Justice.

> Which Estonian state agencies are utilising blockchain technology today?

> → Ministry of Economic Affairs and Communications

> → Ministry of Justice

> → Ministry of Finance

> → Ministry of the Interior

> → Ministry of Social Affairs

See their whitepaper here: https://e-estonia.com/wp-content/uploads/2019sept-faq-ksi-bl....


It's not a UX issue, it's a logic issue. Voting has to count each vote exactly once, must be easily (!) verifiable at every step, and must be anonymous. Every blockchain system violates at least one of those constraints, mostly the verifiable part.

Estonia is more or less unimportant on the global scale. There is very little incentive to manipulate an election from the outside.


Estonia is probably the most vulnerable country to election tampering in Europe aside from Belarus. Their entire internet and e-voting infrastructure was built up after the largest cyber-attack on a foreign nation, which came from Russia after Estonia removed a Soviet-era war memorial.

This attack also led to the NATO Cybersecurity Center of Excellence being based in Tallinn, and Estonian firms becoming leaders in cybersecurity consulting worldwide. The Estonian example is a splendid example of decentralization and self-sovereign identity done right. All medical records, civil data, banking information, is stored in a decentralized mesh called X-Road.

Finland and other Nordic countries are now adopting X-Road after Estonia's success with it.

If you wish to speak more about this, I'd be glad to, but you're wrong on all fronts. I don't want to regurgitate my blockchain arguments, but if you Ctrl-F this thread for "Right to Vote", you will find my contention about how verifiable, anonymous, and single-vote elections can be held on-chain.

But don't get me wrong, I'm not a proponent of it. I still think in-person paper-ballot voting is the most reasonable way to vote.

- https://en.wikipedia.org/wiki/2007_cyberattacks_on_Estonia
- https://www.nbcnews.com/news/world/data-security-meets-diplo...


> How does the average citizen verify what is actually happening and that their vote is actually being counted?

Volunteer to be a poll worker and to be one of the witnesses during the counting process. You can then watch every step of the process occur openly and see that the votes are being counted accurately.

If you watch the process accurately count all of the vote papers in the box at the end of the day, you can reasonably conclude that everyone's vote in that precinct was counted accurately.


If there are enough randomly selected volunteers, you can reasonably assume trust in their witness accounts together.

You don't need to volunteer there personally.

But wait... what if everyone assumes the volunteers are mostly ordinary citizens doing their civic duty? What if, in reality, anyone can apply to be a volunteer but the system systematically always chooses its own plants...?

And when you volunteer, as luck would have it they pick someone else "at random".


Yes, that's why I'm advocating pen and paper in this thread. Nothing is simpler than counting ballots by hand.

It's blockchain that makes it impossible for the average voter or even for people with math or CS degrees.


I’m not American and I’ve never voted in a US election but I can tell you how it’s done in Germany (where electronic is all but impossible due to the standards the voting process is held to by the constitutional court)

- Election Day is always a Sunday; most folks don’t work on Sunday. Germany is pretty strict on that in general. Works well for this case.
- Each parliamentary district is subdivided into smaller voting districts.
- Each voting district is for ~2500 eligible voters. This keeps the lines short.
- Each voting district has one polling station (there are exceptions to this, a voting district with a prison or retirement home in it might have a 2nd location)
- The voting district is run by volunteers. If there aren’t enough volunteers the municipality can draft citizens to do it and I’ve seen that happen. More often though the ranks are filled up with city employees. I’ve twice filled a leadership position in my voting district so I’m quite familiar with the rules.
- The diverse set of folks in the voting district keep the process in check but any citizen has the right to be in the room and observe the whole process. I’ve never seen anyone stay the whole day (at that point why not volunteer?) but I’ve seen folks show up for the counting.
- The process starts by showing the empty ballot container to all people present. During voting the container can’t be opened (multiple locks)
- As we do the count (manually & in a prescribed algorithm), certain in-between results must be loudly announced to the room
- The final results must be loudly announced to the room. Since we’re usually in a class room in a school we also put it on the blackboard
- Results are tallied up by election commissions on the city, county, state and federal level. City and county election commissions are usually run by the elected leader (unless they’re running for an election themselves), state and federal are run by the office of statistics
- All the results, down to the voting district level, are available online
- I myself have checked numerous times that the count we arrived at in the voting district is correctly reflected on the city website
- It’s trivial from there to check if the count of all voting districts adds up to the final end result or not
- There are some watchdog organizations observing the overall processes. I trust that an error in adding the results gets caught by them but I could verify this myself since the data is public

This is a manual, somewhat expensive (in time, money wise it’s not too bad as volunteers aren’t paid and just get some refreshment money) way of voting. But I see no way of significantly manipulating this process without the involvement of thousands of people.

TL;DR if you take the time it’s trivial to check if your vote was counted correctly. You’re there to check if the ballot box is empty, you vote, you observe that no one is stuffing votes, you observe the count in the voting district and you check if your voting district’s count was accurately reflected in the total


In the US there is no standard way of voting. Elections are run by each of the 54 states and territories. Each one of those has varying standards. Within most states the state itself provides certain rules that must be followed but the election is actually overseen by the local government and there may be substantial leeway regarding how the locality implements the rules. Within each locality different polling places may use different technologies. I have even been to polling places where there were differing ways to vote within the same location. In general polling places are run by volunteers and each candidate is allowed to have representatives at the polling place.


It's not anonymous enough. If you sell your vote or are coerced, you can show your proof to the buyer.


Some people also argue that the pen and paper method, by not being instant, drives some extra engagement in the political process, so could be seen as another positive rather than a downside — coverage of vote counting can go on for hours (or days) and it's the one time that democracy is visibly "exciting".

This feels like it has a ring of truth to it, but then personally I'm interested in politics so maybe that's a self selection bias — would be interesting if there was a formal study on this.


> The only downside is the slow speed.

Worth it given how important it is.


- Won't work. People will lose their private keys. Apparently the key is distributed to people on a piece of paper in the mail. That will get stolen--or claimed to be stolen. It will be a mess.

- What's the point of a blockchain here? Is USPS raising money with an ICO? The use of digital signatures is enough. By having a "distributed public ledger" now you open the possibility of getting Sybil attacked. But wait, you say, USPS has their own canonical version of the chain that they can force everyone to rollback to in case of an attack--then what was the point of a blockchain? You could just have a website that shows a list of public keys and who they voted for. It would be totally auditable by anyone, just as a blockchain would be, without any of the security risks of a blockchain.


Did they also invent a system which protects against voter coercion? If they did not, they might as well stop now since no matter how secure the voting system is its relevance falls down to zero if it is possible for the local gang leader to coerce voters to vote for 'his' candidate - "my man stands behind you to watch you vote for candidate X, if you so much as twitch your little girl gets whipped" (which works but doesn't scale that well) or "you show me proof of you voting for candidate X or we'll burn down your house" (which scales but depends on vote verifiability and as such is rather easily foiled).


This is a ridiculous argument, because it could just as well apply to mail-in voting as blockchain-based voting. I also think this fear is far overstated (do we have any stories of this happening in the US?) and the more pernicious forms of voter suppression and misinformation are downplayed.

If blockchain systems allow 90% of the populace to vote unencumbered, with a 5% inaccuracy rate (which is far higher than to be expected), that's still more democratic than only 70% voting.

EDIT: There are also ways to guard against voter coercion, for example by allowing "fake votes" to be cast, which if not cast with a certain memo in the transaction, will not be counted. This memo can be a PIN that the user is given as their "legitimate vote PIN", without which the vote would be invalid. When the user wants to appease their "mob boss", they would simply vote with another pin, and the vote would show as having gone through.

This is a surface-level solution, but the technical architecture that can be built to avoid voter coercion in a digital system is far greater than that with mail-in voting. With mail-in voting, your "mob boss" just forces you to tick a box, and put the sealed ballot in the nearest USPS drop box.


> This is a ridiculous argument,

It is most certainly not. It is the reason voter secrecy is considered a cornerstone of a legitimate public vote.

There are whole organizations, like the OSCE Election Observation, who audit these sort of things internationally.

> it could just as well apply to mail-in voting

It does, very much so. Every mail-in voting has to take this into account. Any introductory political science course will touch on these things. Commonly this is done by way of a method to override or revoke votes. A mail-in voting system would be problematic if it was the only way to vote. This is the most common objection to electronic voting systems, that it's hard for them to stand on their own.


Why encourage different amounts of electronic voting than mail in paper voting ?


It's certainly not a ridiculous argument. Anonymity is a cornerstone of fair voting systems, and any system that allows votes to be deanonymised increases the risk of coercion.

The same type of risk applies to postal voting, although with less severity, as with postal voting there is only one opportunity to check the coerced vote. Blockchain based votes can be checked after the fact.

Still, for this reason, postal voting is rare, and most countries that allow it do so only for citizens living abroad or who cannot travel to a polling station due to injury or illness.

Countries like the UK and Australia that allow any eligible voter to do so by mail are rare.


For example, the system used for postal voting, or more exactly early voting, in Finland is one where there is a time period (around a week) when voters can vote in any early voting location around the country, or in such places as embassies around the world.

The process is the same as regular voting. The only difference is that the vote is enclosed in an envelope which is enclosed in a second envelope and shipped to the voting precinct to be opened later and counted with the rest of the votes. During the voting process the identity of the voter is verified.

There are some risks here, but there really isn't much to fix that. In the end, if you trust the step between voting and shipping votes enough, it's very decent. Anonymity is there and the voter is also verified.


The results of blockchain-based elections can be checked after the fact, that's true. But if the votes of the individuals in the electorate can be checked after the fact, the system was badly architected. The USPS solution linked by OP does not link the identity of a voter to their blockchain identity, so coercion remains as much of a threat as in postal voting.

Blockchain-based voting systems can be either the least or the most anonymous voting systems. Electronic voting allows the abstraction of many voter-suppression tactics which are still in play in the US.

I may have misjudged the audience, because the postal voting argument is very US centric, at a time when the prevailing media narrative is that postal voting is an essentially infallible system which should not be questioned. I would find it hypocritical if people strongly supported mail-in voting while not considering that blockchain-based voting carries similar advantages and risks (which is why the USPS proposed this, I'm sure).

If you read my other comments in this thread, you'll see I'm not in favor of implementing a blockchain-based voting system yet. I just think the above argument was made from a fundamental misunderstanding of blockchain technology.


> I just think the above argument was made from a fundamental misunderstanding of blockchain technology.

It isn't blockchain which is the problem but wide-spread absentee voting. It doesn't matter whether this is done through mail-in voting, through some blockchain-based app or site, phone-in voting or anything else. The problem is that the person casting the vote can not be assured to do so with privacy and without coercion.


> I just think the above argument was made from a fundamental misunderstanding of blockchain technology.

Which misunderstanding of blockchains/merkle trees do you believe has caused the argument above to be incorrect?

The system as described in the patent provides no protection that I can see against voter coercion, and in some embodiments, allows a voter to verify that their vote has been counted as cast, which is significantly more ripe for abuse than in-person or even postal voting.

I did read your other comments in this thread, but it seems to me that you have a fundamental misunderstanding of blockchain technology and the problems that it can solve. Your proposed right-to-vote token solution is worse in every way than paper ballots cast in-person at polling stations with private areas, counted by hand in publicly observable count centres.


To be clear, most of my other comments in this thread are solutions to problems I took from the top of my head. I'm not suggesting we implement a voting system off of my comments.

I also am not in favor of blockchain-based voting. Of course a "right-to-vote" token is, at the moment, a far worse solution than paper ballots at polling stations. Mostly, this limitation is pragmatic — we don't have good ways to store private keys, low-level hardware and software is not easily auditable, UX/UI issues, etc.

In the US, we are considering having the largest vote-by-mail election ever. This is a politically charged issue, where Trump claims mail-in-voting will lead to massive voter fraud, and the Democratic party claims otherwise. If you suggest that mail-in-voting may be insecure, you're labelled as a Trump supporter.

With this political landscape in mind, electronic voting vs. postal voting is certainly a pertinent discussion. This comes especially as Trump has made efforts to "DDoS" the USPS by kneecapping its throughput. This would, depending on the system's design, be harder to do with electronic voting. Estonia is a good example of how digital voting can be implemented securely, with the approval and understanding of the populace.

But my main contention is that there are ways that blockchain voting can be fully anonymous, even if we don't have the implementation capability right now. Zero-Knowledge proofs, combined with a system where the voter's real identity is never mapped to their on-chain public key, allow for this. The individual voter would receive a private key in the mail, or using a Monero-like blockchain they would generate their private key and redeem one "Right to Vote" token, which would be sent to their account. They would then vote with this token, and using a "view key" would be able to audit that their vote was cast for X party.

Nowhere in this system would real identity be mapped to blockchain identity. The risk of "deanonymization" is therefore about the same as with mail-in voting. A coercer could force you to show them the results of your vote afterwards, true, but there are ways around this as well. Most simply, all view keys could be revoked after casting a vote. The public "token balances" of each candidate would be viewable, but the results of an individual vote not.


"blockchain systems" - which I notice you're invested in by virtue of leading a startup which in some way utilises blockchain technology - may be able to help in reducing the opportunities to cheat on the technology side. This is not the main problem when combating voter coercion, a problem which you noted also exists with mail-in voting. This is true and it is one of the reasons why mail-in voting (as compared to absentee ballots which have to be personally requested by the voter) is rife with problems. Technical solutions can only go so far, even that pin-code system with "fake votes" can be thwarted by using the same threat of force to obtain the "legitimate vote PIN". As far as I can see there are currently no reliable technical solutions to this problem and with that the personal vote at the voting station, using a ballot form and a pencil, is still the best solution.

Sometimes a low-tech solution is the best because it provides a low attack surface and is not easily abused at a massive scale. While there are still some opportunities to mess up things - lost ballot boxes, missing ballot forms, etc - these are easily detected and can be rectified.

For now, I vote for simplicity when it comes to casting my vote.


I vote for simplicity too. As I've tried to be clear in mentioning, I am not in favor of a voting system like this.

For the foreseeable future, paper ballots cast at a polling station are all that make sense.

The discussion is in part relevant because the US is on the verge of having the largest mail-in election ever. Trump claims this is insecure, the Democratic party claims otherwise. It's a political hot-button issue, and seems likely to happen. For this reason, I think exploring alternate systems is worthwhile.

I hope that makes sense.


Maybe they should maintain the postal boxes, have enough sorting machines, maintain the necessary manpower/processes, and remain independent enough to deliver the fucking mail.


Even if they did all that, all the states would need reliable mailing lists. Oregon and Washington have been rigorously checking their lists precisely because of this problem, while other states don't need to do that if the onus is on the voter to show up at the correct poll.

It turns out that 17% of Nevada primary ballots had the wrong address.

If over 10% of votes are mailed to the wrong address, it would be a major crisis in a hotly contested election.

[1]: https://publicinterestlegal.org/files/NV-2020-Primary-1P-1.p...


So, we are making all the votes a matter of public record?

It's either do that, or the voter is forced to blind trust whatever system is used to record their voter intent.

To consider this problem properly, think about the problem a blind voter has with a ballot. They cannot see the record of their vote, when it's made by a mark. With a punch card, they cannot see the candidate associated with their record either.

They have to trust whoever helps them cast their vote actually does cast it correctly. There is no chain of trust between voter intent and the record of vote cast.

Now, in the context of electronic voting, a person touches a screen gives an audio input, whatever. They have to trust the system does what they intend. There is no meaningful verification due to the fact that the system could tell them anything.

When a vote is cast on media with a mark, and that mark and media are used for the final tally, the voter knows their intent was recorded, and that intent could be used directly to determine the outcome of the election.

(other corruption can happen, and is outside the scope of this comment)

Without a public vote record, voters have no idea whether they can trust the election. Blockchain does not help with this problem, unless it's a public affair, everyone sees how everyone else voted.

Banking gets around this by always having redundancies. Books are kept in many locations and all must and can be reconciled.

Voting has no such redundancy, and due to that, electronic input has a basic trust problem not being discussed enough in my opinion.


You can use zero knowledge proofs plus a blockchain to anonymize votes.


But you can't use those things to ensure a voter intent is actually used for the tally.

Without publicly identifiable votes, records like banking has for good reason, voter intent cannot be trusted to contribute to the final tally accurately.


This seems to be the tech underneath Algorand. If the USPS created a "Vote Token" and it was truly anonymized, how would a central entity ensure that people were not double-voting etc?


Exactly.


It's the illusion of safety. There is no facility for identity verification baked into blockchain. You have integrity for the data allowed on the chain but if you let Russian hackers write to it, it undermines the whole thing. Personally I'd rather go with a PKI system that offers non-repudiation.


Exactly. This is the entire problem with blockchain: it has absolutely nothing to say about the quality of the data entering the system, which is usually the hard part anyway. But it provides this false sense of security because most people have no idea what it actually means.

It's only useful when the entire problem space lives inside the blockchain. As soon as it has to reflect something in the real world, all bets are off.


It's pretty much par for the course for blockchain bullshit. They promise the world but aren't honest about the limitations of the tech. Yeah, you get data integrity assurance within the blockchain, but that says nothing about the accuracy of that data as it's coming in.
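The distinction drawn in the comments above, as an added example that is not part of the thread: a hash chain detects edits made after a record is written, but accepts any well-formed record at write time. The record layout, token names and the issued-token roll are hypothetical, constructed for the illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # stand-in "previous hash" for the first block
ISSUED = {"t-001", "t-002", "t-003"}  # constructed roll of tokens actually issued


def block_hash(prev_hash, record):
    """SHA-256 over the previous hash and the record, serialized canonically."""
    payload = json.dumps({"prev": prev_hash, "record": record}, sort_keys=True)
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def append(chain, record):
    """Append a record. Note that nothing here asks who is writing or why."""
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "record": record, "hash": block_hash(prev, record)})


def verify(chain):
    """Return the index of the first block failing the hash check, or None."""
    prev = GENESIS
    for i, block in enumerate(chain):
        if block["prev"] != prev or block["hash"] != block_hash(prev, block["record"]):
            return i
        prev = block["hash"]
    return None


def check_eligibility(chain, issued_tokens):
    """The check the chain itself cannot do: compare records with an outside roll."""
    seen, problems = set(), []
    for i, block in enumerate(chain):
        token = block["record"]["token"]
        if token not in issued_tokens:
            problems.append((i, "unissued token"))
        elif token in seen:
            problems.append((i, "token reused"))
        seen.add(token)
    return problems


def build_demo_chain():
    """Three constructed records; the last uses a token that was never issued."""
    chain = []
    append(chain, {"token": "t-001", "choice": "A"})
    append(chain, {"token": "t-002", "choice": "B"})
    append(chain, {"token": "t-999", "choice": "A"})
    return chain


if __name__ == "__main__":
    chain = build_demo_chain()
    print("hash check on chain with a bogus record:", verify(chain))
    print("eligibility check against the roll:", check_eligibility(chain, ISSUED))
    chain[1]["record"]["choice"] = "A"  # edit a stored record after the fact
    print("hash check after the edit fails at block:", verify(chain))
```

The hash check answers "was anything changed after it was written"; whether a record should have been written at all depends on the roll, which lives outside the chain.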


what Russian hackers?


Russians are to active measures what God is to sin.


Apt username for a comment like this.


What troubles me with this is that at some point in the system there will need to be a mapping "real identity" -> "ID of voter in the blockchain".

What happens the day this mapping leaks?


In theory, this on-chain voter ID would never have to be "mapped" directly to a voter. Rather, IDs are simply private-public keypair accounts, and all that's provisioned by the holders of the election is the right to vote with one account. Then, the vote is cast by redeeming this right to vote token, without the voting account ever being linked to a "real identity". Of course, there are problems here too. Mainly with UX, and then at a low level the hardware used (the general public is very easy to hack if you have nation-state power).


How does this compare with Estonia and their use of public ID numbers? I just know they don't consider their ID numbers secret the way SSNs are in the US, yet they use them for everything. How do they prevent fraud and ID theft?


Many countries have ID numbers which are not a secret. In those countries you simply can't do anything with the number. Creating a bank account by mail with an SSN? Impossible, you have to be at the department and show your passport. You can't be at a department? The postal service in Germany can verify your identity if you are there, or there are some online webcam solutions where you have to show your passport in the webcam, rotate it by instructions etc.


In Estonia, a user has a digital ID card, which contains a secure chip. Neither they nor their computers can ever read the private keys contained in this chip. The card is minted like a passport or driver's license, so it's basically impossible to get a card for someone you aren't.

The voting system works similarly to this "right to vote" token model in the backend, from what I know of it. The only difference is that the ID card is where the sensitive data is statically encoded (not on a theoretically hackable computer).

They did have some cryptography problems a while back though. The government says it was not too big of a deal because they caught the bug, and would never have held an election with the bug still present.

https://www.weforum.org/agenda/2020/07/estonia-advanced-digi...

https://www.reuters.com/article/estonia-gemalto/estonia-sues...


Hmm, not sure that would work though.

What happens when an ID is stolen? If there is nothing mapping "John Smith" to "ID #12345", then you have no way to revoke IDs because you cannot know if the person claiming the ID is the true owner.

Wouldn't that mean stealing IDs will be virtually unpunishable, and reselling them very lucrative?


You don't want to issue new tokens either, because you can't know for sure that the token was really stolen.

In which case it won't take many users who demonstrably can't vote because someone stole their token for someone to question the outcome. The only point of democratic elections is the legitimacy of the result.


When a large-scale vote is really tight, there will be people questioning its legitimacy anyway, no matter if it's technically correct.

When a vote outcome is clearly in favour of one direction, people don't tend to argue about the legitimacy of it, provided the process was reasonable enough. In that case, the numbers might be argued, but not the outcome unless there is a stronger belief in vote-rigging or voter-suppression.

In the UK, it's quite easy for a small number of individuals to cheat in elections and double-vote, due to how voting wards are assigned when people move home, or have multiple places they live. Or to cheat by pretending to be someone else.

But we assume cheating isn't widespread enough to matter in the grand scheme of things (even if the occasional "wrong" MP did get in on a knife edge), and consider ease of voter participation to be a sounder basis of governance, compared with draconian identity-tracking schemes that deter representation because of all the actual people who for one reason or another would not participate.


While I agree with you on the big picture, at the individual level, it becomes really hard to justify.

Imagine the following conversation:

- "Officer, my wallet just got robbed, I had my voting digital card in it, what can I do?"

- "nothing, anyway a single vote does not matter in the overall election"


Even if that's solved: what happens when voters lose their key? Or worse: get it stolen from them.


Ideally you should be able to produce a unique hash each time you vote, derived from your master key. The server doesn't need to know your private key. This is how crypto works now, generating unique and theoretically unlinkable wallet addresses from a secret key.


What is wrong with in-person paper-ballots? They have worked for centuries. And continue to be the absolute best system from multiple criteria.


Covid? Waiting in long lines? Not having votes on a holiday like in civilized countries?


All of those are solvable (and solved in most western countries).

Re. Covid, it would be a simple solution to spread in person voting out a few days. It would be an inconvenience but no need to invent a new system.


You're assuming those in power want to increase enfranchisement.


So neither party wants to increase enfranchisement?


Parties want to increase enfranchisement when they are in a position to gain from it. Once they've gained power they usually no longer need the help that increased enfranchisement would provide (survivorship bias). This is the same problem that prevents fixing many problems in government, like underrepresentation due to the 2-party system. Those in power want to maintain the status quo.


> it would be a simple solution to spread in person voting out a few days.

Don't you need volunteers to sit at all polling stations for all this time? So your simple solution is "we just need five times as many volunteers" and that at a time where all this contact is risky and where the president is claiming elections are fraudulent? That sounds difficult.


Yeah, I meant simple, not easy in the current environment. Proper distancing and masking is relatively easy and just pay the workers a bit and everyone is happy.

I'm just saying holding fair elections is a solved problem. People should hold their representatives accountable to use the tried and tested methods.


You overestimate the current government of the USA.


The federal government doesn't handle vote tallying or polling, so why your comment?


The federal government also doesn't set the drinking age.

The Trump administration seems to be trying to ratfuck an entire election. They won't succeed, but "Will no one rid me of this turbulent priest"-style comments from Trump about fraud and months of delays in the results are beyond asinine. I'm slightly amazed that HN seems to have a contingent of I'm alright jack supporters of him. Maybe that says something about our ethics but I won't go there.


It's way too easy for the ruling party to put the thumb on the scale and that's what's actually been happening for centuries.

These days it's ID laws where certain IDs are accepted and others aren't based on who is likely to have what.

It's closing the places to acquire the ID in the areas that will vote against you

It's closing the polling stations, putting them in inconvenient locations, reducing the number of machines, putting only new people at the polling place, reducing the hours of operation, making the directions intentionally confusing ... there's many ways these are being manipulated.

Historically it was much worse. Ballots were the parties' responsibilities and lots of shenanigans happened there, making the slots too small to fit some ballots, giving the counters a way to "prefer" which ones to count first and thus give a candidate momentum.

There's also lots of instances of "losing" ballots or finding stashes after the results were announced.

I mean really, it's not a panacea, it's susceptible to dishonesty and manipulation like any other human institution.

There's a number of great precautions other countries have done but the blinders of American exceptionalism strike again and we're still stuck in the relative dark ages.


Those are only issues because you choose them to be issues, since there's no central constitutionally guaranteed process.

Most first-world countries simply require a polling location with certain number of booths per X people, require the maximum distance to one be Y kilometers which makes voting go swiftly. I've never waited in line to vote. Place elections on Sundays and IDs are already ubiquitous because you need them to function in modern societies. Like, I want to show my ID and then see my name be crossed off the list. It gives me the feeling of doing my part of upholding the integrity of the process.

The whole election is public, you can observe the polling locations and count. Just show up. This is mostly done by the political parties and watchdog groups.

Due to the size of the locations the first count is done a couple of hours after the election closes and the result is published the same evening.

We also simplified the process even more to allow you to vote up to 18 days in advance of the election day at any place in the country. If you then decide to change your vote you can go to your polling location on the election day and the advance vote is thrown out.


For people looking for the truth about blockchain voting:

https://people.csail.mit.edu/rivest/pubs/PSNR20.pdf


Electronic voting is a terrible idea.

Attacks on paper & pen ballot systems are much, much harder to scale.

Here's Tom Scott with a great explanation of the basics. https://www.youtube.com/watch?v=LkH2r-sNjQs


> Attacks on paper & pen ballot systems are much, much harder to scale.

As it turns out, you can just impose austerity.


The same argument applies to the internet at large. Shall we move back to filing cabinets because that makes data leaks more difficult?

I'm sure that at some point we'll crack the electronic voting nut. But yeah: it's scary and the stakes are high. Then again, we've fixed electronic banking and that runs pretty nicely without many problems -- right?


Electronic banking works precisely because it isn't a secret semi-anonymous blockchain thing. If credit card payments end up in the wrong account, someone notices. If an electronic voting system assigns votes to the wrong candidate, who notices?


There are next to no stakes with electronic banking compared to voting. Money is a totally different prospect to rigging an election.

The Trump campaign did some extremely shady things with Wikileaks and the GRU, can you imagine if he was now leading the US through COVID after the Russians were able to compromise the voting system? The constitution does not have a mechanism to deal with it, as far as I can see.

What's the point when paper works already and is almost impossible to scale. Voting is easy


If you were creating a society on Mars, would you use a system of people lining up in-person to vote? Probably not.

Rigged elections have been a thing for a very long time. The shenanigans in Belarus is only the latest example.

Covid-19 will accelerate the inevitable. We're having a mail-in election this year, people will get comfortable voting from home and it's only a matter of time before people start asking why they can't just do it on their phone. I'm excited for blockchain voting.


The vote in Belarus was rigged by the government: "Lukashenko controls vote counting, [and abused] a vast security apparatus and a noisy state media machine unwavering in its support for him and contempt for his rivals". In other words: it required a vast conspiracy with many people cooperating in various ways to pull off. We've seen the same with rigged elections in Russia and some other places.

Compare this to an electronic system where a very small group of people (possibly even just one person) can potentially significantly skew the election results.


Wait until people realize there is no need for intermediate people in a lot of areas that can be eliminated with direct voting. Then you'll see a lot of social distress. Current rioting is nothing compared with what's coming


Using the Belarus elections as an example here (government meddling) is like saying Litvinenko put the Po in his own tea.


There's already a few cryptotokens that allow voting on maintenance of said cryptotokens (or affiliated ones). Would these not invalidate such a patent?

Edit:

On another side, what if we did use Blockchain to supplement votes in a different approach. I have not yet looked at how other Cryptotokens handle voting on policies but say we distribute to each state enough tokens per their legal citizen population, and voting places use a single token per voter, maybe a code is attached to their ballot (maybe a district code, only identifying their region?), this in turn pushes the vote into the blockchain for a permanent record, then when all the manual / machine counting is done we compare the blockchain results to see who screwed up, but it would also allow for a slightly more live view of voting in real-time.


I received two separate ballots on two different people who resided in this house in the past. What’s stopping me from filling both these ballots and mailing them? The point is unless and until the voter roll integrity is guaranteed there is always a possibility of fraud.


The Caltech voting project has a nice collection of papers about electronic voting: http://www.vote.caltech.edu/


Majority vote in a block chain isn't an election -- it's a 51% attack. Without a consistent economic incentive, too cheap for bad actors to act badly.


If you already have working electronic voting (for the sake of argument) you don't need to elect representatives any more, you can just vote on issues directly and set quorums and thresholds. For that matter you don't really need ballots any more either, you can have the corpus of laws as a wiki and just edit it.


Was this patent filed before or after the head of USPS was installed by the Dear Leader?


Patents take several years to be granted. This is an application, it was filed February 7, 2020.


I thought we made it past the era of every company having a blockchain patent.


Regarding sale of verifiable votes. Why not regulate the sale and tax it ?


Blockchain is important, but perhaps equally as important is the ability for every user of the system to be able to audit every other user, that is, vote/voter exact information transparency...


Does that mean they can now further de-prioritize mail delivery? I'm waiting for weeks on my EDD debit card. If only someone would have invented a way to transfer funds electronically ...


A distributed ledger approach is a very bad idea because a foreign country can launch a 51% attack on the ledger and has the resources to win and thus modify the ledger.


You can have a blockchain without a distributed ledger.


Why does a government service provider need to file a patent?


To prevent another entity from hoarding the solution?


Isn't the bigger issue here that someone can file a patent for something so blatantly obvious? Patents in software seem to do nothing good for innovation.


It will all run on servers, where I am the administrator.


How is this at all patentable? Can someone explain the line between new innovation and application of existing technology?


Why does the USPS have a group that thinks about blockchain? If it exists what is this group ?


Lots of enterprise-y companies and organizations get small groups to look at buzzword topics, and blockchain has been hyped for a bunch of postal-adjacent topics. Good chunk of the patent authors seem to be external consultants too... Couldn't find anything specific about in what context USPS specifically looked at that.


We should be experimenting with electronic voting for 30 years and innovate solutions to its problems. Nobody thinks it doesn't have problems, but to just stop at pen and paper voting just means to affirm the problems of pen and paper which are IMO much worse. (scarce voting, batched issues)


Most European countries simply don't have any problems with pen and paper voting. Turnout is typically much larger than in the US with its crazy mix of electronic/mail-in/in-person voting. Probably this is due to automatic voter registration for all citizens, having the elections on Sunday or on a holiday, and (in some cases) not having a first-past-the-post system where a large fraction of votes don't matter anyway.


Yes we do, everyone has them. There is an unimaginable difference between a system where you can have a referendum on =X once per year and it costs 10mil or a system where you can have a referendum every second and it costs ~0. We can then vote for issues directly instead of having people that may or may not (as is most often the case) vote in a way they signal they would before elected.


Referenda are a terrible way of governing.

Think about Brexit - bad faith arguing from one side, constant lying, no plan about how to actually leave, and then a protest vote pushed it past 50% so now we have to leave on a no deal because it's an impossible policy to do in a few years.

A referendum is OK for deep constitutional issues, but policy should not be decided by referenda especially vague ones.

Policy is also quite hard to undo, a direct voting system would likely lead to us living in a rent-controlled, capital punishment-ing, overtaxed reactionary world.


And yet, the option to take part in a series of referendums works splendidly in Switzerland [1]. This is also what I've anecdotally observed from living in Switzerland.

Perhaps, if the option to vote on an issue were presented often, people would have time to change their minds and would become more involved in the voting process. The reason a second referendum on Brexit wasn't held was because it was deemed infeasible. Not so with electronic voting.

1: http://direct-democracy.geschichte-schweiz.ch/switzerlands-s...


I would argue that the Swiss system only "works" because the people reject the vast majority of referendums and let the elected parliament do the actual policy work. In total, only 22 have been successful since 1891. Most of them were on populist issues (often fueled by xenophobia) and had little to no influence on everyday life.


That is simply not true. There have been hundreds of successful referendums, many on non-xenophobic issues, and what's the problem with populism? The point of a democracy is to be populist!

Take 2006:

- Financial aid to new EU members, 2006-11-26, overall result: YES

- Standardized extra pay for families, 2006-11-26, overall result: YES

----

> How many referendums are successfully passed?

> The Swiss have been called on to vote around 306 times since 1848 for a total of 617 proposals. In total, 299 proposals have been passed while 334 have been rejected.

From: https://www.thelocal.ch/20190517/why-does-switzerland-have-s...


Obligatory xkcd: https://xkcd.com/2030/


For those commenting, I suggest looking into ElectionGuard.


Tom Scott: Why electronic voting is still a bad idea

https://www.youtube.com/watch?v=LkH2r-sNjQs


Anonymous, verifiable: choose one.

I would choose verifiable.


I'm with you. If someone votes for someone, they should also be held accountable for their politicians' actions.


There's an XKCD for this: https://xkcd.com/2030/


Am I the only one still against network-based, and to a lesser extent electronic-based, voting?

It's near impossible to rig or suppress a physical election without a lot of effort, but one person can DDoS an entire network and no one can vote and the whole election needs to be scrapped.

Not even the strongest cryptographic or software systems are free from exploits (especially over time) and there's no way to be sure the open source code for the system is the same code actually being served on the system.

A lot of software has died by its own hubris by assuming their systems are secure and then a single 17 year old on 4chan finds a bug and ruins it all. You can't afford for that to happen in an election. Forget hackers, some skilled social engineering gets you the votes of thousands, but you cannot do that in person so easily.

I'm sure the problems have been discussed extensively but other niche problems include lack of availability for rural areas (which has been a huge problem even with paper voting). I think the only reliable voting system at scale is in person.


You are not the only one. However I don't think security is even a relevant concern, because there is one much more fundamental flaw in all electronic voting systems:

The goal of voting is to produce agreeable consent — so it doesn't really matter how you organise voting, as long as everybody afterwards can agree who won, who lost and by how much.

So phrased differently, one of the most important properties of any voting systems is that people afterwards can't just call the result into question. This can only be true if most people voting understand the mechanism, can verify it themselves and manipulation on big scales is hard.

This is why I think any electronic voting system is problematic. Even a total expert would have a hard time proving that one machine worked as it should on election day. If you then have some Autocrat who raises doubt about the election result whom do you trust? That expert who tells you that manipulation was mathematically impossible or that autocrat whose party you vote?


Wouldn't a blockchain voting system help here, if everyone can examine the time, place, and votes in the history, and see that all the block hashes match what's expected?

That gives much stronger guarantees than paper, and while the average Joe can't verify it himself, there would be three million programmers in the US alone who easily could.

Whereas with paper I can't count the votes myself, I have to trust the authorities who did that.


>I have to trust the authorities who did that.

Poll workers who do the count aren't "authorities" who lord over us. They are us. I volunteer to be a poll worker. You can too. Anyone who's an eligible voter can be part of the counting process and see how it's done. In my precinct, it's exactly what people see when they vote: they feed the machine their completed ballots and the machine spits out the count at the end of the night. If there's a problem, all the ballots are kept in sealed boxes and can be re-tallied independent of the scanner software/hardware.

If you think there's monkey business going on in your precinct, you're free to participate in the process and verify it for yourself.


The number of people actually tabulating the results is still very very small - especially in key swing state districts.

You cannot argue much with a public algorithm doing public tabulation, where you can literally follow your vote.


2000 and Bush Gore. They had three official recounts. The number was always different, but not by much .. but it was still higher than a 1% margin of error. The FL ballot was pretty garbage and since then, most states have avoided punch-out/butterfly ballots. The Supreme Court ended up appointing Bush and the nation's voting commissions learned an important lesson.

But like OP said, volunteers could see the process. The recounts were actually pretty damn close; it was just the election was way too close for that to be acceptable.

In general the US system, as crap as it is (first past the post is garbage; no possibility for 3rd parties as with ranked or MMP systems), the electoral and state-based rules do mean that election fraud isn't too big a deal. New York will likely always go Blue. Tennessee will always go Red. Even if there is some fraud there, it doesn't matter that much because of the way votes are allocated per state. It's not fair, but that's the system the US has.

Fraud matters greatly in states where elections are close (Florida, Ohio, Arizona, etc.) and it will get even worse thanks to National Popular Vote Interstate Compact, if that gets triggered.

Potential fraud in swing states or NaPoVolIterCo are incredibly dangerous right now, because what we cannot have in America is loss of faith in the election system. That will be disastrous. We would not survive the 2000 Bush/Gore election today.


>The number was always different, but not by much .. but it was still higher than a 1% margin of error. The FL ballot was pretty garbage and since then, most states have avoided punch-out/butterfly ballots.

This shows that recount disputes almost always boil down to whether to accept a particular ballot one way or another. It's not fraud. You're just bound to run into ambiguity once or twice in a large election. It usually doesn't matter, but it can pop up when an election is really close.

There was a literal tied election in Virginia a few years ago that stemmed from an ambiguous mark for delegate: https://wtop.com/wp-content/uploads/2018/01/ballot_94_AP_cro...


> first past the post is garbage; no possibility for 3rd parties as with ranked or MMP systems

I'm guessing you watch a lot of CGP Grey. You should check out Cardinal Voting systems[0], specifically Approval[1] and STAR[2], as these better fix a lot of the problems. Fargo recently had great success with approval[3]

[0] https://en.wikipedia.org/wiki/Cardinal_voting

[1] https://en.wikipedia.org/wiki/Approval_voting

[2] https://en.wikipedia.org/wiki/STAR_voting

[3] https://www.electionscience.org/commentary-analysis/fargos-f...


Whatever objections there may be to the (mostly) winner take-all system by state, one advantage is that it tends to contain disputed results/recounts to one or maybe two states which is generally a lot more manageable than if it were the whole country.


>You cannot argue much with a public algorithm doing public tabulation, where you can literally follow your vote.

But that also means the guy with the big wrench can follow your vote and so see whether you voted the way he told you or not, and that allows him to decide whether to smash your kneecaps in.

Electronic voting enables corruption.


That's not at all a required feature of electronic voting.


I have seen systems that allow for a real vote as well as a masked vote - so you get verified votes but have a fake vote to show if you want or need.

But consider: at this very moment, right above you is a comment with a picture of a ballot that was filled out improperly and led to a tied election. If we can’t teach people to fill in a circle properly, how in the world do we expect them to use or understand a system that guarantees verifiability as well as anonymity?


A system that was used in some counties in California a few years ago used a paper ballot that was marked by the voter, and then fed by the voter into an optical scanner (made by Eagle, IIRC) which either successfully scanned the ballot, xor returned it to the voter in cases like: extraneous marks, votes for too many candidates in a multi-seat poll (like 4 candidates marked for 3 city council seats among 11 candidates) and similar. The voter could exchange their improperly marked ballot for a fresh blank ballot and start over. The net effect was that all ballots scanned by the voter needed no further inspection - an effect that is sadly lost in vote-by-mail.


Is the problem "people not filling in circles properly" or is the problem that there are other errors? If I'm not mistaken you're referring to the hanging chad issue. The reason it was an issue is because it is hard to see the chad. We're in tech, this should be unsurprising that machines don't work with 100% efficiency. If your machine (human or computer) is marking a ballot it would be unsurprising if the mark is transposed or warped or incomplete. Instead we should design a system that accounts for these errors in a clear and concise manner.


Accounting for errors isn’t the problem.

Teaching people to use and trust an insanely complex system is. I’ve yet to hear any proposal for an electronic voting system that offers any advantages over current systems AND doesn’t require a PhD in mathematics to grasp.


I'm still mixed on electronic voting, but I do think it should be further researched.

The simple answer I've seen is giving people a hash or code that can be used to verify their vote in a database. Obviously you have to trust the database, but you also have to trust the people counting. I do think there are enabling technologies like zero-knowledge proofs and locally differential privacy that do help with many of the problems, but my understanding is that neither of these is mature enough for use in voting, yet.

But as to general advantages, I think there's two major ones I see. 1) Electronic voting better enables access to voting since people can vote in the comfort of their homes (especially relevant in a situation like covid). 2) Enables better research about candidates. I live in a state with mail in voting and how I vote is with my ballot in front of me while I research all the candidates. In fact, I spend several days voting (sure, not everyone will do this but it makes it easier). Links to official campaign pages or voter guides (we have this in my state with the ballot) would be helpful (and encourage candidates to create them! Because often they don't even have a website, at least on local levels).

As a minor advantage I do see having the ability to perform different voting testing and better answer questions to things like ordinal and cardinal voting systems (by participation not forced A/B testing).

Just because enabling technologies aren't there yet doesn't mean we should shutdown the conversation about how to solve those technological challenges.


>Instead we should design a system that accounts for these errors in a clear and concise manner.

We already have these systems in deployment. My precinct uses optical-scan paper ballots where any mark inside the bubble is valid. You can fill, dot, cross, check, whatever---the machine will count it as a mark. If you have a stray mark that results in an overvote, the machine will reject your ballot, then prompt you to either correct the overvote or override the error. The scanner will also accept ballots fed in any orientation as long as it's not folded or wrinkled.

It's surprisingly robust and user-friendly.


Yes, basically my response was about how the parent's issues are solvable and don't make things a non-starter.


Looking at that ballot for Newport News doesn't seem at all ambiguous to me.

The instructions aren't just for those filling it out. The reader should only have interpreted the properly filled in circle. The ones with marks through them are a near universal indication of "Don't count this," everywhere I go. I've also been known to either annotate, leave an instruction to the reader, or say screw it and ask for a new ballot.

Given the significant other was completely flummoxed though when asked cold, I see your point.


It is a requirement of voting though. The current system prevents you from knowing how I voted, which then prevents you from influencing my vote.


What do you consider "very very small?" Tabulation is done at the precinct level, and there are many many precincts involved in an election.

Also jurisdictions can do risk-limiting audits (RLA) to spot-check that the electronic counts are in line with the results. "Following your vote" is dangerous because it opens up the possibility of at-scale voter intimidation or vote-buying. "Receipt-freeness" is a desirable property because it eliminates this risk. RLAs allow for aggregate verification while maintaining receipt-freeness.
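A ballot-polling risk-limiting audit of the kind mentioned above, implemented with the BRAVO sequential test for a two-candidate contest; this is an added example, not part of the thread. The "W"/"L" ballot labels, the function names and the ballot boxes are constructed for the illustration.

```python
import random


def bravo(sample, reported_winner_share, risk_limit):
    """Run the BRAVO test over randomly drawn paper ballots.

    sample: iterable of "W" (ballot shows the reported winner), "L" (reported
    loser) or anything else (invalid or other; it does not move the statistic).
    reported_winner_share: the winner's reported share of the W+L ballots.
    Returns (confirmed, ballots_examined).
    """
    if not 0.5 < reported_winner_share < 1:
        raise ValueError("reported winner share must be between 0.5 and 1")
    threshold = 1 / risk_limit
    statistic = 1.0
    examined = 0
    for ballot in sample:
        examined += 1
        if ballot == "W":
            # Evidence for the reported result versus a tie.
            statistic *= 2 * reported_winner_share
        elif ballot == "L":
            # Evidence against the reported result.
            statistic *= 2 * (1 - reported_winner_share)
        if statistic >= threshold:
            return True, examined
    return False, examined


def audit(paper_ballots, reported_winner_share, risk_limit, seed, max_draws):
    """Draw ballots with replacement and stop as soon as BRAVO confirms.

    Only the marks on the paper are inspected; no ballot is tied to a voter,
    so the audit needs no receipt. A real audit takes the seed from a public
    ceremony; here it is a fixed constructed value.
    """
    rng = random.Random(seed)
    draws = (rng.choice(paper_ballots) for _ in range(max_draws))
    confirmed, examined = bravo(draws, reported_winner_share, risk_limit)
    return ("confirmed" if confirmed else "full hand count"), examined


if __name__ == "__main__":
    # Constructed boxes: the machines report 60% for W in both cases.
    honest_box = ["W"] * 6000 + ["L"] * 4000
    altered_box = ["W"] * 4800 + ["L"] * 5200  # the paper disagrees with the report
    print("paper matches report:", audit(honest_box, 0.60, 0.05, seed=2020, max_draws=2000))
    print("paper contradicts it:", audit(altered_box, 0.60, 0.05, seed=2020, max_draws=2000))
```

With a 5% risk limit, a wrong reported outcome is confirmed with probability at most 5%; when the sample does not confirm, the audit escalates to a full hand count of the paper.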


Receipts (paper records received after voting) are OK as long as they don't reveal who you voted for. Confusingly, sometimes this is called "receipt-free".


>OK as long as they don't reveal who you voted for.

Yup, an "I voted" sticker is OK. An "I voted" sticker with your ballot's serial number isn't.


One very important thing most people forget:

If you can verify that your vote was correctly counted, your vote can't be kept secret, and intimidation and vote buying become impossible to stop.

> Whereas with paper I can't count the votes myself, I have to trust the authorities who did that.

The way it works in my home country is that the paper ballots are handled in an inspectable way and anyone can observe the counting process. You can't check your vote, but you can control all the votes.


You can make the vote anonymous with electronic voting, in a way only you can verify if you wanted. There are existing voting systems with that property.


> in a way only you can verify if you wanted

But, if "you" can verify it, then "you" can also be coerced into revealing that verification in order to avoid physical punishment (guy with big wrench who /requested/ you vote for A lest he begin breaking knee caps mentioned in a sibling post).


There are ways to provide verifiability without that vulnerability. But since there's no way to prevent the wrench guy standing over your shoulder, I think you could only really solve that problem if you vote in person. If you're doing that I still think blockchain voting is great, but then you should also print out a paper trail and tally that separately. Then you have two overlapping systems with different trust properties and both must be in agreement for the election result to be valid.


There’s so much to be said for voting in person, the reason you stated chief amongst them. However, attending to the polling place on Election Day is very healthy for a community, IME. Also, there’s something virtuous in expecting people to get their shit together enough to walk in on Election Day, so long as early voting is there to accommodate those who cannot make it that day.

The rush to vote by mail (with risk of ballot harvesting, which I saw in my own city (a Republican incidentally)) and online voting (with associated risks) seems foolish to me. The secret ballot, completed by oneself in guaranteed isolation, is the pillar of my confidence in our system. Pandemic be damned - it’s not a severe enough crisis (by the number of deaths) to warrant overhauling the system the night before. Feels very much like a useful opportunity to advance an erosion of faith in the electoral system. If I were Russia or China, I would be looking on at the discord with glee right now.


You can already be compelled to do that with your cell phone. People take pictures/videos of their ballots all the time (making it illegal doesn’t stop it).

Someone else mentioned a real/mask vote solution with blockchain so that issue could be solved by electronic voting.


I'd never want electronic voting either, but this myth needs to die. Intimidation can happen with absentee voting too, so it's not a valid concern.


Sorry for offtopicness but could you please email hn@ycombinator.com? I want to send you some repost invites.


In most elections the number of absentee ballots is so small as to be statistically irrelevant. I'm not even certain absentee ballots are always counted because of this, winners are surely announced and concession speeches are made long before absentee ballots are counted. So whatever security/intimidation issues might be higher in absentee ballots aren't that big of a deal due to the small number of them. That may be changing this election with widespread/universal mail in balloting.


> I'm not even certain absentee ballots are always counted because of this

This is a misconception. All ballots received according to the laws of the state must be counted before the secretary of state certifies the results.

News networks will call an election as soon as they're certain it's gone one way or another. If Trump is up 30% in Wyoming on election night with 500 absentee ballots outstanding, CNN will call it. This doesn't mean Wyoming won't count those ballots. They have to in order to certify the results, which happens a few days after election night. States maintain detailed election results for historical and legal purposes. They don't throw away absentee ballots just because they won't change the outcome.

States will, however, toss out absentee ballots that aren't received according to their laws (i.e., some states require those to be received by election day, while others merely require them to be postmarked), as well as those without a verifiable signature on them.

This is a really common misconception. Absentee ballots absolutely count as long as they're received correctly. States need accurate vote counts. Absentee and provisional ballots aren't "lesser" ballots. They're just subject to some scrutiny before they're counted.


What you’re saying about certification is true but the comment you’re replying to was making the point that the volume is low enough that most elections can be safely called without having completed the count, e.g. you have 5 absentee ballots to count but one politician is up by 20 - doesn’t matter what the absentee ballots say. So while intimidation with absentee ballots isn’t a factor, that comment was saying the now material volume of mailed in ballots creates a greater risk exposure than we associated with the absentee system.


But with absentee voting, the votes are still counted by hand. That's the part that has to be the most secure. With any paper voting system, votes can be impacted by some criminal scheme, yes, but only one at a time and with great individual effort. You have to blackmail a LOT of people to swing an election. Whereas with an electronic election, one attacker can change millions of votes with a single bit of malware code, with nobody the wiser.


>But with absentee voting, the votes are still counted by hand.

The verification is manual, but the counting probably isn't. At least in California, absentee (mail) ballots are exactly the same ones you get at the polling place. You put them in an unmarked envelope, which you place inside another envelope with your information and signature.

The counting center verifies the information on the outer envelope and ensures you didn't already vote elsewhere in-person. If it's good, then the inner (unmarked) envelope is taken out and a machine processes the ballot as if you were in the physical precinct.


Nonetheless, there is a physical paper record of every vote that can be counted by hand, the machine is just for a quick estimate of the count. There are only 2 points of trust in a mail election: the vote itself which could be compromised by blackmail or whatever (low risk because only one vote can be influenced at a time), and the scantron machine (low risk because the ballots can still be counted by hand to verify).

But if your vote is just a byte getting added to a database on a server from your personal computer over the internet, there are a hundred high-risk trust points. You have to trust the user, but also the website, the browser, the operating system, the network, the hardware, the server, the software running on the server and everybody who has ever worked on it, the counting software, the people operating the counting software, and a compromise at any single one of these points could change millions of votes without any possibility of detection.

In other words, in a scantron election, the legal vote is the paper, the electronics are just convenience. In an internet election, the legal vote is the ephemeral machine-generated bits on a wire, and that's where the problem comes from.


Does it apply at the same level? I could see some ransomware that says if your vote doesn’t appear on the blockchain you are not getting your files back. Meanwhile to achieve intimidation with absentee voting, wouldn’t you have to check the physical ballot in person?


> If you can verify that your vote was correctly counted, your vote can't be kept secret

This is false. Votes (transactions) in Bitcoin are pseudonymous, meaning everyone can see what votes were placed, but nobody knows who was responsible for the specific votes. Only the owner knows, unless they choose to reveal to others.


> Only the owner knows, unless they choose to reveal to others.

Which means the owner can be forced to reveal their vote to a spouse/boss/warlord.

I could have been clearer that that is what I meant.


Yes, that makes more sense and I think that's a valid point, thanks.

To be fair I thought you meant that it couldn't be kept secret from a global view - that anyone who wanted could look at the blockchain and attach votes to identities.


The overwhelming majority of the population doesn't have the capacity to understand what you wrote or why that is true. Even the majority of those who understand why it may be true, cannot say for certain that it is true without inspecting the codebase and its operation. That's a major problem.


I mean, you could say the same thing about current electronic voting or even about how aggregate paper voting is counted behind the scenes. Those things involve some level of trust.

I don’t think what I wrote is that difficult to understand. I think you’re underestimating people when you say “the overwhelming majority of the people do not have the capacity to understand what you said.” Really? Not even the capacity to understand?

In any case, the trust involved for a blockchain-based voting system with pseudonymity is much less than the other systems, because they can be 3rd-party audited, or even open source. And that auditing only needs to happen once rather than for each local vote collection method.

Explaining to the end-user is just a matter of communication. That’s not a “major problem.” People don't need to know how a blockchain works just like they don't need to know how UPS works. They just need to know that they're able to place a vote anonymously and verify themselves later if they want to.


In most democratic nations everybody can volunteer to be present at counting. This is in itself a control mechanism, as it would be highly unlikely that meaningful voting fraud would be carried out under the eyes of the observers from multiple parties without anyone making a ruckus.

This is an effective mechanism which apparently convinces enough people that the votes are legitimate.

With blockchain you would have to:

- have them understand blockchain algorithms

- have them understand computers (so they understand why blockchain might be safe here)

- have them understand networking technologies

- convince them all of that (and no more/less) is on the actual machines on voting day, for every vote

Have you ever tried explaining what a URL is to your parents? Or how passwords are stored? I am positively convinced that not an insignificant amount of the electorate would just say "there was some hack" when things didn't go their way. And they don't even need to show you proof, because you won't be able to prove the opposite because they won't understand it.

Ultimately to me the benefits of a blockchain system don't really show. It is far too complicated and has too many moving parts.


> Really? Not even the capacity to understand?

Yup. I'm pretty sure most software engineers don't even know how something as basic as hashing works. They just put lego blocks together, without much understanding of even how those lego blocks work.

When it comes to traditional voting, it's fairly easy to understand. You cast your vote, then someone counts them. You don't care how they count it, even if it's with an aid of a machine. You just care that you cast, someone fairly counts.

With a blockchain, there is no person involved and there is no counting. You vote and some piece of software that most software engineers don't even understand tells you who won. That is really not going to engender trust from anyone, not even software engineers.

I work on blockchains all the time and even I wouldn't trust that thing. Good luck convincing someone who doesn't even know how to reboot their iPhone.


Or if they are forced to reveal it under duress, or they choose to reveal it to get paid for the result, etc.


Did you stop reading right at the end of the part you quoted?


Yes, not sure how it's related.


if you can verify your vote after it has been counted, you can be induced by a third party to vote for a specific candidate


Yeah, I think it wasn't clear to me as being the point said in the line in question. Guess I can see it now.


> Wouldn't a blockchain voting system help here

No, because it violates this principle the GP pointed out:

> This can only be true if most people voting understand the mechanism, can verify it themselves

Most people, i.e., most voters, will not be able to understand the mathematics behind a blockchain system sufficiently to either "understand the mechanism" or to "verify it themselves".

Most voters can understand the paper ballot counting system:

1) turn over next ballot

2) count filled ovals/check marks/whatever it is on this particular ballot sheet that signifies a "vote"

3) add count to running tally

4) return to step 1

Observers can also watch the individuals doing the counting, and believe that they (the observers) are accurately following along in the process.

Blockchain does not provide for that transparency in the process of counting the votes.


> That gives much stronger guarantees than paper, and while the average Joe can't verify it himself, there would be three million programmers in the US alone who easily could.

I think the current US population that really understands blockchains is less than 1% of the population.


I would argue that less than 1% of software professionals REALLY understand blockchains.


On top of that, how do you guarantee the voting machine is running the right software? They have problems as it is.

Even worse, good luck getting election software formally verified on a budget.


The average Joe doesn't want the nerds to pick the president.

Also, don't forget it's a secret ballot, and we do not have any good database of people with public keys in this country. What the hell am I supposed to make of a ledger with 100s of million anonymous public keys? Surely I cannot claim that relates 1-1 with the choices of real people.


I'm definitely opposed to 'electronic' voting, but the problem you are describing is easily solvable with asymmetric cryptography.

You'd have your private key on your 'voting card' (unsure how you call it in the US) with some pw and the machine would just scan it, ask your password. You just need the proof that someone having a private key associated with a public key on a public record has signed, not necessarily know to which public key it is associated.

But there would be so many problems with such a system that I wouldn't even know where to start..


Right. It's not that anonymity is impossible, but that anonymity is one requirement we can remove and make the problem tractable again.

There may be other such "straws that broke the camel's back", but IMO anonymity is one property that makes a cryptosystem far less intuitive even to me. It's the bridge I never advocate crossing unless people with more security knowledge than me go to great lengths to demonstrate otherwise.


This is America. Your social security number will make a perfectly fine secret key! It works so well as a secret for everything else in your life, after all. I'm sure nobody else has it, or can acquire it for use in mass voter fraud!


I realize you are being sarcastic, but:

> Your social security number will make a perfectly fine secret key!

Never in its history was it a secret key any more than your driver's license number; it’s an ID number that can be used to look you up in a DB like a username would be.

The problem is, that despite everyone just instinctively knowing a username needs to be paired with a password (or ideally multiple factors, but that isn’t as universal in understanding yet), no such thing exists currently to pair with your social security number.


The first point is a strawman. The second is obviously something the system would have to be built for, and that would be arguably more verifiable than what we have now.


The OP was trying to point out that whilst you and I may understand the mechanism in order to trust it, others can't, because they won't be able to understand why it's trustworthy. My friends don't understand crypto, so they can only ever trust it if they trust me (or the person telling them it's trustworthy).

Imagine this, you rig a crypto-vote not through technical means, you just say you won even though the blockchain says you didn't. How many people in your country do you think will believe the experts over the politicians? My honest opinion about the US, is that the experts will lose.

It doesn't matter if you're right if no one believes you, and currently people believe the paper vote because they can understand how it would be executed fairly.

The fact is that currently, America's democracy is in danger because people are going to find it hard to trust even a paper vote during this election. No matter which way the vote swings, by planting the seed of doubt, the current administration has undermined the vote.


Do you really believe there are 3 million programmers in the US that understand blockchain?


It won't matter in presidential elections in the US. It's the electoral college that picks. It's in the constitution. States aren't even required to let the citizens pick -- we vote at our individual state's pleasure.


We can't even have nearly half the nation agree on mask wearing. People completely disregard what doctors and scientists think. What makes you believe they'll listen to some San Fran programmer??


And don't forget that the US operates on the Electoral College, which a shocking number of people don't even understand. Since each state has different rules about their EC delegates, popular vote does not necessarily equal winner...

Now try telling that to people when there's a big screen with "official" numbers that were all provided electronically an hour after polls closed...


Taiwan has the best way of counting votes. Ballot is held in the air, the name is called out and someone in the back keeps the score. Everyone can see what is going on.

https://www.youtube.com/watch?v=cqKt-lPfJuw


There are practical limitations that prevent us from doing that in the US. Specifically, our ballots tend to be long and complicated. A California ballot on a presidential year can have dozens of contests, from president to dog catcher to referenda. Reading out all ballots would be very time-consuming and likely very error-prone as poll workers are pretty tired by the end of the night.

This is why we have scanners to speed up counting paper ballots. And paper ballots are retained for targeted manual counts if there's a need for auditing or recounts.


I think that system is pretty similar everywhere, probably only in the US you have some weird mechanical machine to cast your vote.


I’m in the US and the weird mechanical machine that casts my vote is a black pen filling in a circle. That can be read quickly by a simple electronic machine or more slowly by humans if there is a question. It’s low tech and hard to influence on a non-trivial scale.

It is true that some places use much more complex systems and I don’t really understand the interest in those. I definitely don’t see any benefit to fully electronic voting, block-chain or otherwise. Voting doesn’t have to be efficient. It needs to be reliable, understandable, and believable.


That is a great way to elect the one who buys the most votes.

If you want to avoid such shenanigans, you'll need to enforce voter privacy.


The vote is private but the counting is public.


To be clear, they are calling out the number that indexes the papers, not a name of a person or a name of a candidate. 一號, 二號, 三號….

正 is the tally mark https://en.wiktionary.org/wiki/%E6%AD%A3

I have like a 1-2 year old's level of Mandarin at this point, sigh, but I don't think there is a detail I'm missing once the process gets going. This is a good, accessible voting system.


I stand corrected.


I guess both can be achieved - electronic voting along with a mechanism of having a verifiable 'agreeable consent'.

How electronic voting machines have improved India’s democracy

https://www.brookings.edu/blog/techtank/2019/12/06/how-elect...

Excerpt:

..the study provides strong evidence that the introduction of EVMs led to (i) a significant decline in electoral fraud, (ii) strengthening the weaker and vulnerable sections of the society, and (iii) a more competitive electoral process.

Under the paper ballot system, polling booths would often be captured and ballot boxes would be stuffed, resulting in an unusually high voter turnout. EVMs helped tackle this risk by incorporating an important feature—registering only five votes per minute. Committing electoral fraud would require capturing polling booths for longer periods.

The success of the EVMs in India warranted a comprehensive audit mechanism to verify the votes cast. In 2013, the Election Commission of India formally incorporated Voter Verified Paper Audit Trail (VVPAT) machines in the electoral systems. The VVPAT—leaving behind a paper trail of the vote cast—acts as an additional layer of verifiability and assurance in the electoral process. A paper record ensures that the vote has indeed gone to the intended candidate and is recorded as such.


> So phrased differently, one of the most important properties of any voting systems is that people afterwards can't just call the result into question.

This is a solved problem with in person voting, I would say that is one thing where South Africa has gotten it down quite well.

There is voter ID at the polls with voter registers to ensure only citizens can vote and nobody can vote twice, vote boxes are sealed and only unsealed with observers present from all parties and international observers, there are also observers at the polling stations from all parties, overall there is nothing to dispute and even in one of the most corrupt countries in the world election results are not disputed because everybody knows it would be absurd to dispute.


Which is precisely the strength of such a system. People often complain about voting being slow — but being slow is a feature not a bug in this case. Better slow and right than fast and wrong.


Definitely, I would have it 10 times slower to increase integrity. I think people that have not lived under despotic regimes maybe don't understand the potential downsides of a loss in election integrity.


+1 for the wonderfully succinct "agreeable consent".


This is part of the reason we still use plurality voting.


No, you're not. This is the consensus in tech. Well, at least in the infosec community, this opinion is held by the majority. For example, Bruce Schneier has been an advocate of paper ballots for 20 years.

* Voting Security (2004)

https://www.schneier.com/essays/archives/2004/07/voting_secu...

* Securing Elections (2018)

https://www.schneier.com/blog/archives/2018/04/securing_elec...

* See also: xkcd #2030 - Voting Software

> "They say they've fixed it with something called "blockchain."

> "AAAAA!!! Whatever they sold you, don't touch it, bury it in the desert, wear gloves."

https://xkcd.com/2030/

> There are lots of very smart people doing fascinating work on cryptographic voting protocols. We should be funding and encouraging them, and doing all our elections with paper ballots until everyone currently working in that field has retired.


Neither of your two sources talk about crypto here at all.

Crypto would allow voters to follow their vote through tabulation, in private, and see exactly how it's being counted.

It has only two downsides...

1. People could prove who they voted for after the fact.

2. People who don't understand technology may not understand how it's so secure.

...but the reality is that these issues exist in the current system as well.


You can't prove who you voted for today: that's a crucial part of the electoral system, not a minor feature. How are you thinking that you could prove who you voted for?

(Keep in mind that you can always request a new ballot if you've "spoiled" your original one, so a photo showing your completed ballot could easily be faked. And my memory is that it's officially illegal to take photos in a polling place anyway, so if you tried to take a picture as your ballot was being fed into the machine, the poll workers would stop you.)


> Neither of your two sources talk about crypto here at all.

I was quoting the xkcd title text.


No, at least in my circles nobody thinks electronic voting is a good idea.

I think Tom Scott has the best argument: you can't build a system that requires you to have a PhD in computer science to fully understand why you should trust it. Everyday people need to have faith in voting and not just because a group of experts say they should.


We put our faith into systems built by PhDs every day. People don’t have to understand why airplanes stay in the air in order for them to be the only practical means of rapid international transport.


Doesn't that mean we should trust PhDs who are yelling at the top of their lungs that Internet voting is a bad idea right now?

https://www.nationalacademies.org/news/2018/09/securing-the-...


I can watch an airplane fly and be confident that it's actually flying. I can watch election workers count and be confident that they're actually counting. I don't need to know why something works when I can personally observe it working.

But I can't observe the operation of an electronic voting system. All I can see is the result, and a fraudulent result looks very much like a legitimate result. I'm forced to understand it (which is likely impossible considering the complexity of modern hardware) or to trust people who have incentives to cheat me.


It's also inconsequential when people say that planes are a lie from the fake news media. Science works whether or not you believe in it. Elections, not so much.

If people just decide not to believe the results of an election, then democracy falls apart.


Because the fact that the maths add up to allowing for planes to fly doesn't need to be understood to be accepted. On the other hand, the process of electing a representative from a group must be understood to not be contested or misrepresented.


But people do have to understand at least at a high level why the announced result matches what the voters put in. The whole point of a voting system is not to pick a winner, but convincingly show that the loser(s) lost.

Undermining trust in the voting system is an old trick. Unless the voting system can show such allegations to be wrong, its results will remain disputed.


OTOH you have people who don't know how vaccines work, don't trust doctors, and have opted not to get them, jeopardizing public health. If such people can exist, just imagine what would happen if there was a misinformation campaign targeting the losing side, with the aim of convincing that the e-voting election was rigged/flawed/broken, and that they should stage an insurrection to remove the current "illegitimate" government.


that's a luddite argument, it can apply equally to everything that requires trust


Yes? The whole point is that paper voting works, and is still semi-provably secure. Ten year olds can understand how voting works with paper, with an electronic system you need to read papers just to understand it.

You also forget that you still have to put blind faith in the implementation of the electronic system - you've just moved the social aspect.

Also, with an aeroplane you can trust the engineering because the proof is in the pudding - they're safe as safe can be with flights every minute of every day. With an election if something goes wrong you are almost literally fucked as a country.


Add to that, that the average person has a right to understand how voting works and how their vote is counted.

Trying to make voting electronic, regardless of it being block chain or something else, ensures that only a few people are able to understand the system.

Right now it is easy to verify that the count was done correctly, in theory you could go do it yourself. Computers will make voting a black box system where verification is going to be almost impossible for all but a few.

Pen and paper works, it's simple, easy to understand and the process is transparent in all steps except for the few seconds where the voter is in the booth.

There’s a talk by PHK, where among other things, he goes into why you shouldn’t mess with elections : https://www.infoq.com/presentations/Predictable-Failures/


>Trying to make voting electronic, regardless of it being block chain or something else, ensures that only a few people are able to understand the system.

This. Too many Internet/blockchain voting proponents tout their systems without appreciating the fact that people need to trust their elections. Trust comes from being open and scrutable. It's amazingly tone-deaf and elitist to insist that election systems need to be cloaked in cryptographic mumbo-jumbo to be trustworthy. It's also dangerous because the poll workers actually carrying out the election won't be able to tell when there's a failure.


Exactly. The other thing the current system does is that it involves LOTS of people. The people counting a specific polling place may only count 1000 votes. They know their count. They can talk to the other counters at other locations. So if your state or area all of a sudden miraculously goes blue/red, you can know it instantly and have the paper to prove it. This is the beauty of the system. It can't be hacked at scale and you have a hard time inserting fake ballots because each location can triple check their reported district counts.


That’s a good point. Based on that idea, do you think large scale mail in ballots would have similar issues to an electronic system? Normally I don’t follow the news cycle, but this makes it seem large scale mail in ballots would be more readily corrupted at scale?


Maybe, but it still involves doing various difficult tasks at huge scale.

The paper trail for fraud of that scale is enormous - think of the Watergate slush fund only way bigger and in the age of twitter. This is why paper voting works - you can maybe fraudulently gain a few votes but good luck doing it at a national scale (also an argument against FPTP). Look up granny farming for a more realistic election fraud strategy


No, you are in good company. There are those that believe technology would eventually be the solution for any problem, and those that have lived through this phase already and sobered up, eventually coming to the conclusion that technology is not some magic dust able to solve any problem you throw it on, but just a tool like other tools, each of which has its purposes. All of them, not just modern technology, are fascinating, but none of them is magic.


The Spanish government tried to suppress the Catalan succession vote, but they used IPFS to host the voting system to prevent DDOS and DNS blocking to successfully cast votes anyway.

http://la3.org/~kilburn/blog/catalan-government-bypass-ipfs/

https://news.ycombinator.com/item?id=15367531


Nope, it's an idiotic idea. In the UK we have an ENTIRELY manual process, no ridiculous voting machines, butterfly ballots or hanging chads and no OCR machines. Just marking a box with a cross, sticking it in a box and then a load of volunteers physically counting the votes while representatives of the parties and anyone else who wants to wander in watches. Postal votes are treated the same and counted at the same time in the same place. The system literally couldn't be simpler or less corruptible. There is no need for anything more complicated because the system works and can be understood by a five year old.


How many contests do you have on your ballot? Here's a sample ballot from Alameda County, California in 2018 (starting on page 12 going to page 25). That wasn't a presidential year, so this is a bit on the low side. https://www.acgov.org/rovapps/vig/236/38.pdf

Manual counts aren't practical in the US because our ballots can be crazy long with tons of contests and candidates. It would be very error-prone to do this manually.


1. If there is more than 1 contest going on at a time you have more than 1 ballot. Again this is a simple solution to a dumb problem, you have poorly designed ballots.


The ballots are designed to accommodate the governments we have in place. We can't easily change the structure of national, state, and local governments. In California, one-ballot-per-contest would mean a voter would get a stack of up to 75 ballots on a presidential year.


Whereas currently they get a multi page document. Seriously, as logistical problems go, printing separate ballots is really not a hard one and would cut down on the number of people who accidentally vote for the wrong candidate for the wrong thing. Counting may take longer. It may stretch over a few days. Well, fine. Count the presidential ballots first, announce the results and move on down the list until you get to the dog catcher.


I'm not sure then what urgent problem you're trying to solve that warrants the cost of errors introduced by the manual counting of huge amounts of paper ballots. It would also be a logistical nightmare getting reams of paper to voters and getting them back and tracking them; at my polling place, we have to make sure that the number of ballots we issued out equals the number reported by the scanner (plus the number of spoiled ballots voters returned to us for disposal). I'm just pointing out that cost.

If you don't trust the tabulating machines, we have mechanisms to check them at scale. Basically, randomly sample the paper ballots and check them against the machine results. https://en.wikipedia.org/wiki/Risk-limiting_audit

If you don't trust the people running elections, you should know that polling places in the US are run by community volunteers. Literally anyone who's a registered voter can participate and see how the sausage is made. In fact, there's a shortage of these folks, so boards of election are thrilled to get more people participating.
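The audit linked above, in its ballot-polling (BRAVO) form for a two-candidate contest, as an added example that is not part of the comment. The function names, the "W"/"L" ballot labels and the seed are assumptions, and `random.Random` stands in for the publicly seeded generator a real audit would use.

```python
import random


def bravo(sample, reported_winner_share, risk_limit=0.05, winner="W", loser="L"):
    """Sequential BRAVO test over hand-read paper ballots, in draw order.

    The statistic T starts at 1. Each sampled ballot for the reported winner
    multiplies T by share/0.5, each ballot for the loser by (1 - share)/0.5.
    Once T >= 1/risk_limit the reported outcome is confirmed: if the outcome
    were wrong, the chance of getting this far is at most risk_limit.
    Returns (confirmed, ballots_examined, T).
    """
    if not 0.5 < reported_winner_share < 1.0:
        raise ValueError("the machine count must report a winner with share in (0.5, 1)")
    threshold = 1.0 / risk_limit
    t = 1.0
    examined = 0
    for examined, ballot in enumerate(sample, start=1):
        if ballot == winner:
            t *= reported_winner_share / 0.5
        elif ballot == loser:
            t *= (1.0 - reported_winner_share) / 0.5
        # Blank or spoiled ballots carry no evidence either way: T is unchanged.
        if t >= threshold:
            return True, examined, t
    return False, examined, t


def draw_with_replacement(paper_ballots, draws, seed):
    """Yield randomly selected paper ballots (stand-in for the public draw)."""
    rng = random.Random(seed)
    for _ in range(draws):
        yield paper_ballots[rng.randrange(len(paper_ballots))]


def audit(paper_ballots, reported_winner_share, seed, max_draws, risk_limit=0.05):
    """Sample until the outcome is confirmed or the draw budget runs out.

    Running out of budget never "confirms" anything: the fallback is a
    full hand count of the paper.
    """
    confirmed, examined, _ = bravo(
        draw_with_replacement(paper_ballots, max_draws, seed),
        reported_winner_share,
        risk_limit,
    )
    verdict = "outcome confirmed" if confirmed else "full hand count"
    return verdict, examined


if __name__ == "__main__":
    # Constructed ballot box: the scanner reported 60% for W and the paper agrees.
    box = ["W"] * 6000 + ["L"] * 4000
    print(audit(box, 0.60, seed=20200816, max_draws=5000))
    # Constructed mismatch: the scanner reported 60% but the paper is an even split.
    print(bravo(["W", "L"] * 500, 0.60))
```

With a reported 60/40 split the audit typically stops after a few hundred ballots out of 10,000, which is why sampling scales where a full manual count does not.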


This system relies on tens of millions of people trusting a few thousand people not to have been bribed. Seems entirely corruptible and you have no idea whether it has been corrupted or not. You're just left hoping it hasn't been.

A system based on math, software, and publicly available data would be accessible to independent audit and verification. And could still be backed by a physical system as well, for added security.

Citizens would be much better off not having to trust and be able to verify.

Oddly, even most people that work in technology are incredibly pessimistic about solving technical problems. But anyone who doubts that internet voting will be commonplace and incredibly secure in the future is a level beyond pessimistic. The only open questions are when and how.


Nope, it relies on me being able to go to my local church hall and watch the ballots being counted or take part in the count myself. All the parties in the election send their own representatives along to watch over the ballot and they also keep a running total. It is a process that I can verify is being carried out correctly with my own eyes. Saying "citizens would be much better off not having to trust and be able to verify" in an e-voting situation is just wrong, since I can verify the current process by going and watching it or taking part in it, whereas in magical block chain land I am losing the ability to verify because I am replacing a simple process with one that relies on me to trust a bunch of code written by and understood by probably a few dozen people. This requires much more trust than the current situation.


You can only observe a single ballot counting location, while there are hundreds or thousands to observe. Someone could be bribing people in dozens or hundreds of locations and there are lots of tricks to pull.

You're not really verifying much at all by watching the counting process. It's really just a false sense of security. You actually have no idea if all the ballots are being counted, if they're all real ballots, or if some have been tampered with, etc.

There are millions of programmers in the world, any number of them could decide to audit the code, and if they discover a flaw, everyone could be told in an instant. There could be huge security bounties to incentivize audits. We trust math and software to maintain all of civilization but for some reason it's impossible to make it work for voting? That seems incredibly unlikely.


Again, I can be one of the people doing the counting. Not being funny but if you have an already corrupt electoral system then your government is not going to adopt your magical, totally secure, block chain based, bug free system. They're going to adopt a compromised, proprietary, back doored e-voting solution, say "look, magical block chain verification as recommended by geeks" and then attack / arrest / kill anyone who questions its veracity. You're trying to solve a social problem, a corrupt government, with a technological solution that the government itself will undermine or reject. On the other hand you can run free and fair elections by leveraging the powers of observers and volunteers in a war zone or with a corrupt government using paper, pens, boxes and locks.


The whole point is that the people doing the counting are working together but from opposing parties/candidates.

Everyone is watching you, if you try to influence the process the police will (and have done) come down like a sack of bricks.

We also (used to) trust OpenSSL... We thought speculative execution was safe too. Paper is easy, paper is cheap. KISS


> A system based on math, software, and publicly available data would be accessible to independent audit and verification.

So instead of trusting a few thousands (several thousands, in reality) and a system where you can literally walk in the place where they are counting votes and observe them, you'd rather trust a few tens of people to write the software and audit it? How does that follow?

And this doesn't even take into account the fact that a voting system, as it was mentioned, should be understood by the people voting. Good luck explaining to people what the software and the hardware are doing.


> ...you'd rather trust a few tens of people to write the software and audit it?

Of course not. All of the software should be open source, with multiple independent implementations, test suites, etc. And the data should be open to analysis by any number of people while preserving people's right to privacy (this is one of the hard parts).

Most people have no idea how electronic voting machines work today, so why does it matter if laymen understand the internet voting system?

The point is that anyone that is willing and able could verify for themselves that the system does work as intended. Not that most people will actually put in the effort. Most will rely on trusting experts, but anyone is free to verify.

With paper ballots and a handful of officials involved, there is no way for a voter to verify anything, they are forced to rely on trust alone.


This is bull. You can be one of the people who does the counting or you can watch it take place. There should be no electronic voting machines involved, that's the whole point of having a manual system. That allows basically anyone who wants to, including a hypothetical five year old, to verify that the system is working as intended. Your system relies on me going out and getting a PhD in cryptography to verify that the system is working as intended. Your system requires basically everyone to rely on trust, a well designed manual system requires basically no one to rely on trust. I know which one I'd prefer.


You're trusting that all the ballots are present, that no fake ballots have been added, and none have been tampered with, that the officials are all acting in good faith, aren't making mistakes, haven't been bribed, etc.

Do you really think paper ballots have not been used to rig elections? Because that's absurd given the current situation in Belarus and the long history of ballot tampering going back thousands of years.

Paper ballot counting is security theater. A system based on math and software could be provably secure.


Of course paper ballots can be undermined. The point is that you can easily tell that they have been undermined by the big burly blokes following people into polling stations and threatening you if you don't vote for the preferred candidate, or the ballot boxes turning up in the swamp. You're asking us to trust a magic algorithm that, as I pointed out in another comment, is likely to be proprietary and back doored to hell and back because it is controlled and implemented by the sort of government that rigs elections. This opens up the possibility of subtle, undetectable election tampering, which is much harder to do with a properly run manual system that everyone can understand and participate in.


You rely on "magic" algorithms every time you fly in an airplane or drive a car. Because they're not "magic" at all but based in reality, on math and science.


I agree with you.

1. Traditional paper ballots and manual counting are easy for voters to understand and increase trust in the system.

2. I also agree that traditional voting seems to increase the cost of substantial rigging (with multiple points of failure) compared to all electronic systems we have seen.

And yet: we all know that election rigging has always existed and will always exist and many times voters don't always understand how that is possible. I'm in a country where elections are considered by international standards to be fair: and yet, every election, common people see reports and talk about rigging through various physical means (i.e. disappearing ballot boxes, stuffing ballot boxes, dead people voting). I agree that as a principle electronic voting seems to expose to rigging at lower cost and higher scale but I don't think it would be necessarily less trusted by the people.


> Am I the only one still against network-based, and to a lesser extent electronic-based, voting?

You're not the only one, most people on HN have the same opinion, and all these ideas have been extensively discussed here.


There's a pretty easy way to solve this.

Give everyone a random ID/password combination (in an unmarked envelope, so no one knows who got what).

To vote, you connect to the system, either through a website or even an old, DTMF-based phone system for rural areas, and you cast your vote.

After voting ends, a list of all IDs and their votes is published. If an ID didn't vote, it's marked appropriately.

There should be lots of separate lists, perhaps one per street/district/village, depending on population density. That way, it would be hard to add fake IDs, while still maintaining voter anonymity.

The system is easy for anyone to understand, works on paper as well as electronically, doesn't require complicated cryptographic implementations which might contain bugs, and is much easier to reason about, write and audit.

The only drawback is the ability to prove who you voted for, perhaps with a photo, but all current mail-in-voting systems and some in-person-voting systems suffer from that problem too, and bribing voters isn't really that much of a problem.


>The only drawback is the ability to prove who you voted for,

That's pretty much the biggest problem to have in any election...


This is still vulnerable to a DoS attack as the parent suggested. Not terribly difficult for an individual to tie up all the phone lines or overload the web voting portal.

I also agree with the parent comment re hubris about this stuff: the incentives are immensely high for someone to compromise a system like this, and it only takes a small oversight to cause a huge disaster. Everyone gets a random password? Better hope whoever is generating them used a good RNG and a proper source of entropy...
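The ID/password scheme proposed above, together with the RNG concern and the proof-of-vote objection from the replies, as an added sketch that is not part of any comment in the thread. All names, the district labels and the token lengths are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from collections import Counter

NOT_VOTED = "(did not vote)"   # marker for issued IDs that were never used


def _digest(password):
    # Passwords here are 128-bit random tokens, so a plain hash is enough;
    # human-chosen passwords would need a slow KDF instead.
    return hashlib.sha256(password.encode()).digest()


def issue_credentials(roll_sizes):
    """Create one random (ballot_id, password) pair per registered voter.

    roll_sizes: {district: number of registered voters}
    Returns (envelopes, registry): envelopes go out unmarked, the registry
    of {ballot_id: password hash} stays with the election office.
    """
    envelopes, registry = {}, {}
    for district, size in roll_sizes.items():
        envelopes[district], registry[district] = [], {}
        while len(registry[district]) < size:
            ballot_id = secrets.token_hex(8)        # OS CSPRNG, not a seeded PRNG
            if ballot_id in registry[district]:     # collision: draw again
                continue
            password = secrets.token_urlsafe(16)
            envelopes[district].append((ballot_id, password))
            registry[district][ballot_id] = _digest(password)
    return envelopes, registry


class Election:
    def __init__(self, registry, candidates):
        self.registry = registry
        self.candidates = set(candidates)
        self.votes = {district: {} for district in registry}

    def cast(self, district, ballot_id, password, choice):
        """Accept at most one vote per issued ID; return True if recorded."""
        stored = self.registry.get(district, {}).get(ballot_id)
        if stored is None or not hmac.compare_digest(stored, _digest(password)):
            return False
        if choice not in self.candidates or ballot_id in self.votes[district]:
            return False
        self.votes[district][ballot_id] = choice
        return True

    def publish(self):
        """Per-district list of (ballot_id, vote), unused IDs marked."""
        return {
            district: [(bid, self.votes[district].get(bid, NOT_VOTED))
                       for bid in sorted(ids)]
            for district, ids in self.registry.items()
        }


def audit_district(rows, roll_size, candidates):
    """Checks anyone can run on one published list. Returns a list of findings."""
    findings = []
    ids = [bid for bid, _ in rows]
    if len(ids) != roll_size:
        findings.append(f"{len(ids)} rows published for a roll of {roll_size}")
    if len(set(ids)) != len(ids):
        findings.append("duplicate ballot ID")
    if any(v != NOT_VOTED and v not in candidates for _, v in rows):
        findings.append("vote for an unknown candidate")
    return findings


def lookup(rows, ballot_id):
    """The voter's own check. Anyone shown the ID can run the same lookup,
    which is the proof-of-vote drawback raised in the thread."""
    return dict(rows).get(ballot_id)


def tally(rows):
    return Counter(v for _, v in rows if v != NOT_VOTED)


if __name__ == "__main__":
    envelopes, registry = issue_credentials({"Elm Street": 3})   # constructed district
    election = Election(registry, ["Alice", "Bob"])
    for (bid, pw), choice in zip(envelopes["Elm Street"], ["Alice", "Bob"]):
        election.cast("Elm Street", bid, pw, choice)
    rows = election.publish()["Elm Street"]
    print(rows, audit_district(rows, 3, {"Alice", "Bob"}), tally(rows))
```

The small per-district lists are what make `audit_district` meaningful: residents know roughly how many voters the roll holds, so padded rows show up as a count mismatch.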


I'm against it for all your points and many more. We're stupid, electronic voting puts the onus on you to figure out so many things from why your operating system broke voting to why the apostrophe in your last name still breaks things.


No, and I just dropped a comment. E-voting of any kind, unless it results in a public record of the vote, has basic trust issues. Voters cannot know their intent was reflected in the final tally.

Blockchain does not help with this.


> Am I the only one still against network-based, and to a lesser extent electronic-based, voting?

I think that’s an extreme position that would be hard to argue keeping, in particular in the current situation.

I see it the same way we deal with money: what is fundamentally different that makes us accept electronic money transfers as core part of our life but argue there’s no way electronic voting could be possible? Saying current proposed solutions are not good is different from being against it on principle.


>what is fundamentally different that makes us accept electronic money transfers as core part of our life but argue there’s no way electronic voting could be possible?

The requirements aren't as strict for money as they are for civil elections. Financial transactions are frequent, so an error isn't that big of a deal in the grand scheme of things. All parties to a transaction know what everyone did; there's no requirement for strong privacy, so being able to roll things back is an achievable (and desirable) failsafe. Money also solves money problems, so you can insure transactions and mitigate losses.

Elections don't have those properties.


Anonymity/privacy is only on the vote content, everything else needs to be traceable (who voted, where, when etc.)

And no, losing transactions is a big deal. Not receiving your house sale transfer when the sending bank emitted the operation is a big deal, and you won’t solve it with a phone call. It can be repaired with money by the bank, but the system is heavily built to prevent it from happening.

Actually if the last mile issue is to have a paper in a box, you could connect a physical printer to a central secured voting machine.

To compare, election votes error margin is not small either, and those errors are mostly ignored as of now. I don’t see the status quo as some perfect state that should be preserved ad vitam aeternam, and it is more and more preventing some people from voting.


Political people play all sorts of games with elections physically. Don’t underestimate the lack of good faith that people will act with. But the system itself works.

The scary thing about electronic voting to me is the centralized nature. It needs to be decentralized to protect the overall system. The current scenario where a trusted entity (the USPS) is being de-legitimized needs to be factored in to protect democracy.


You can read some of my comments in this thread addressing various concerns. That said, I would still agree. At least for the next 5-10 years (until we have Starlink-level internet and advances in cryptography/UX), electronic voting systems are not feasible.

The nice thing about blockchains is you can avoid DDoS by only allowing people who are "authorized" to "talk to" the blockchain. This can be done by ensuring that "Right to Vote" tokens are only sent to those who would otherwise be participating in the election, and ensuring they can only submit one vote, and one transaction, by sending that token to a specific burn account. This way, with 300 million voters, you would have a cap of 300 million votes. No one else could "submit" a vote, because they wouldn't have permission to on the blockchain network.

This is how blockchains avoid DDoS attacks already, but open and public blockchains have the problem that anyone can buy their native currencies, and with enough money can spam the network. With a "permissioned" system for elections, this risk would be mitigated.

EDIT: I would appreciate if the downvoters engaged with me or explained their reason for downvoting.


My main criticism is that these systems don't address the actual challenges that elections face, and the introduction of networked technology likely introduces a lot of poorly-understood risks.

I'm a poll worker and a security researcher. Doing the former has really given me perspective on the latter. While a lot of blockchain voting proponents come up with all sorts of schemes to solve ballot-stuffing attacks, the reality is that we really don't care about that on the ground; it's just not a problem we encounter. The real problems come from more mundane things like power outages, being physically locked out of the polling place, poll worker exhaustion, out-of-date records used to verify eligibility, and voters taking a bathroom break and subsequently walking away with their ballots unaccounted for.

Technology really doesn't solve any of that. In fact, introducing networked computers into elections only makes it less scrutable to the public. In my precinct, the first voter to show up gets to verify that the ballot bin is empty and that the scanner reports all zeroes for the count. Then they witness us putting security seals on the equipment and reporting the serial numbers to the county. Anyone from the voting public can understand this and do their part to keep us honest. Computers make this sort of simple check inaccessible to most people.


This is why I've also repeatedly stated in this thread that I am not in favor of blockchain-based voting, or even broad-scale mail-in voting (yet).

You're correct to an extent, but I believe with advances in cryptography (zero-knowledge proofs, quantum-secure encryption, etc.), these concerns will fall away. People regularly use their smartphones to do things that are high-risk and need to be secure. Take online banking.

Of course, elections carry an entirely different set of challenges, but to say they can't in theory be solved with careful encryption, analysis, and review, is (in my opinion) foolish. I will again bring up the example of Estonia, which has had massive success with its hybrid in-person / e-Voting system. Estonians have been educated by their government on how the technology works and how it is auditable. Every Estonian carries an ID card which they use to access their bank details, get healthcare, and vote.

I would also argue that technology does solve the problems you listed, and very well!

> Blockchain voting proponents come up with all sorts of schemes to solve ballot-stuffing attacks, the reality is that we really don't care about that on the ground; it's just not a problem we encounter. The real problems come from more mundane things like power outages, being physically locked out of the polling place, poll worker exhaustion, out-of-date records used to verify eligibility, and voters taking a bathroom break and subsequently walking away with their ballots unaccounted for.

Except for power outages, none of these issues would occur in a remote, electronic voting system. A well implemented e-Voting system could expand voter rights and access to voting tremendously.


No amount of cryptography can solve the problems of networked voting. It’s an exceptionally bad idea. Don’t do it.


It's worth working on to be sure. Another thing I think is worth working on is educating people on what blockchain actually is (which it seems you are doing). I think paper voting works primarily because people know and trust how the votes are counted and how they get to the counters, for the most part. But personally I barely understand transistors and flip flops let alone blockchain and that makes me slightly worried about how it might be possible to exploit them.


I fully share your concerns. There is a massive amount of blockchain infrastructure which 0.0001% of the world population comprehends. Beyond further technical development and the creation of UX and UI libraries around blockchain internals (like https://blockstack.org is trying to do), we need more education.

I'd love to have more debates like this, but I'm trying to help researchers with simple to use blockchain-based tools (like https://assembl.app/chronos, our timestamping service for research outputs).

Paper voting is, in my opinion, still the most "secure" way to vote. This is mainly because any sort of voter fraud requires a lot of people and a lot of time, whereas flawed technology can be hacked by very few in a very short amount of time.

I'm interested to see how this discussion develops.


Why can we have online banking and Tesla autopilot and online medical prescriptions but not online voting?


The requirements aren't as strict for money as they are for civil elections. Financial transactions are frequent, so an error isn't that big of a deal in the grand scheme of things. All parties to a transaction know what everyone did; there's no requirement for strong privacy, so being able to roll things back is an achievable (and desirable) failsafe. Money also solves money problems, so you can insure transactions and mitigate losses.

Elections don't have those properties.


> Am I the only one still against network-based, and to a lesser extent electronic-based, voting?

No, you're not.

Electronic voting of any kind is a horrendously bad idea and it should be rejected at every possible opportunity because it cannot be secure.


Keep in mind, network packets could be delivered by carrier pigeons.

I’m all for paper ballots and a conventional signature-based system, but combine that with cryptographically secure techniques for distributed systems (on paper).


You're not the only one.

https://xkcd.com/2030/


Aviation and elevators both run on software written by professional programmers so I'm not sure that comic makes a good point.

The problem with voting is that it's a distributed systems problem that requires coordination between not just many computers but people that cannot be controlled by code. An elevator can operate as a self-contained system without coordination with other systems. That's why it can be reliable while websites and apps cannot.


> Our entire field is bad at what we do.

Our entire field is bad at what we do, because it's full of coders instead of engineers.

Think about it. Building airplanes reliably has been figured out by aircraft engineers, building elevators safely has been figured out by building engineers, and building software reliably has been figured out by software _engineers_ (the NASA kind, who landed a spacecraft on the moon).

However, this isn't the experience you have on your regular job. "Oh, oops, everything failed because I forgot to do X". Can you imagine if the moon lander crashed because some guy forgot to do that manual thing he's always supposed to do? Of course you can't imagine, because they put actual engineers in charge of that, not coders.


> building software reliably has been figured out by software _engineers_

This is patently untrue when it comes to security. OpenBSD is the closest thing I'm aware of to a "secure" widely used system, and I'm sure that OpenBSD machines are compromised every day.

The day that a network exploit is treated with the same seriousness as a commercial jetliner crash is the day I'll believe software security has grown up.


Well when I said reliably I wasn't really thinking about something as difficult as security in a system as complex as an OS...


You mean like the 125m Mars orbiter lost due to engineers forgetting imperial/metric conversion? https://www.simscale.com/blog/2017/12/nasa-mars-climate-orbi...


I could answer, but I'm not going to because I don't like your sarcasm.


Flying is only safe because people actually die.


I think what you're missing is:

Moving forward, large scale election rigging will be seen as a feature by those in power.


I hate to say it, but it looks like this has been the case for a while. Look at the history of gerrymandering.

What I see is something that could potentially change the basis of trust for elections in a positive way. It won't be perfect, it won't be without its flaws. But it could significantly reduce multiple forms of fraud, and enfranchise more citizens to vote.

Again, I've always viewed blockchain as a solution in search of a problem. And this might ... might ... be a problem potentially solvable by an appropriately designed/implemented system.


voting != elections. everyone agrees that voting on elections is not wise. but direct vote for deliberation (for example on laws) works great


> It's near impossible to rig or suppress a physical election without a lot of effort

No, sadly, it's not [1][2][3]. As some of the texts note, the premise that fraud happens or not is highly politicized. People on one side believe it happens/happened. On the other side, they believe it to be impossible.

Though, curiously, those who believe it to be impossible also strongly believe in voter suppression, which would be a form of election fraud. See the Georgia US governor race from 2018 as an example of this dichotomy. Can't have suppression without fraud[4]. Can have fraud without suppression, as this would be one potential form of fraud. Suppression requires fraud. Arguments to the contrary aren't logical.

Right now the one I am most concerned with is the vote harvesting operations, which appear to be completely legal in California, despite the rather significant perception of impropriety that handing one's ballot to a non-election person has. I'd be much happier if all these people were non-partisan deputized election workers/officials, oath bound under pain of criminal code to serve the same function. Instead, we have a single party set of "volunteers" to collect votes, with a huge chain of control issue, that is apparently acceptable in one state.

Here in MI, I voted by "mail". I got my ballot, marked it, sealed and signed it, then dropped it off in the specific election drop box on the side of city hall. I would not ever hand it to a third party for any reason.

For blockchain, I think it's been a solution in search of a problem. And I think that this might actually be a reasonable problem to solve, and this one might work.

For those worried about DDoS, this would simply require releasing ballots early, returning up to and including the official due date. By mail, electronic, in person via a phone app or similar. You can change your vote up to the end of election day. Only the final vote counts. No conditional ballots counted. Send official election people around to addresses that don't have votes on file starting a month before election day.

And it would (if designed/built correctly) enable chain of control, identity/citizen confirmation, etc. That is, it could provide better, more accurate, more complete, more engagement.

Or we can retain the mess we have now, with completely inconsistent voting across the states and territories, which is overtly suspect in a number of states, and in some ways, rigged.

This is a step in the right direction. It need not be perfect, and we need to take it.

[edit: fixed a mis-wording, and deleted a poorly worded sentence]

[1] https://www.salon.com/2016/02/14/election_fraud_chicago_styl...

[2] https://www.realclearpolitics.com/articles/2020/04/24/28_mil...

[3] https://www.kuow.org/stories/it-s-easy-to-commit-election-fr...

[4] https://en.wikipedia.org/wiki/Electoral_fraud


> the premise that fraud happens or not is highly politicized. People on one side believe it happens/happened. On the other side, they believe it to be impossible.

> Though, curiously, those who believe it to be impossible also strongly believe in voter suppression, which would be a form of election fraud.... Can't have suppression without fraud[4]. Can have fraud without suppression, as this would be one potential form of fraud. Suppression requires fraud. Arguments to the contrary aren't logical.

No, you're missing the point. There is a difference between election fraud (the election itself meddled with by those who administer it) and voter fraud (whereby US or foreign citizens not involved in the administration of the election nevertheless interfere by submitting fraudulent ballots / hacking / etc).

The correct statement is "the premise that VOTER FRAUD happens or not is highly politicised". Everyone agrees there is fraud, we just disagree about which kind:

The Republican party frequently claims that voter fraud is common. Everyone else (including historians and cryptographers) claims that electoral fraud is a more common and widespread problem. In recent years we have seen:

* voter registration purges

* shutting down of polling places

* refusal to provide voting infrastructure to native american reservations and other "remote" places

* extreme gerrymandering

* sabotage of the USPS

* misinformation spread through social media (advertising false election dates, etc.)

* inability of voting box manufacturers to make guarantees about security and dodginess when it comes to conflicts of interest (like investments/ownership by politicians or foreign entities)

All of the above are examples of electoral fraud, not voter fraud.


> No, you're missing the point. There is a difference between election fraud (the election itself meddled with by those who administer it) and voter fraud (whereby US or foreign citizens not involved in the administration of the election nevertheless interfere by submitting fraudulent ballots / hacking / etc).

No, I don't think I was "missing the point." I carefully used the word "fraud". Not "electoral fraud". Nor "voter fraud." Specifically, as I did not wish to set up a straw man argument.

Your statement of "the premise that VOTER FRAUD happens or not is highly politicised" is, quite literally, the straw man argument.

First off, fraud of all forms occurs. Second, the nature of that fraud, who performs it, is who acknowledges it is the issue. Some groups do not believe in voter fraud. Yet, ballot harvesting, which falls clearly under potential fraud, occurs widely in some states, particularly those with a strong political leaning in one particular direction. Some groups do not believe in suppression, yet poorly managed elections disenfranchise voters. Again, GA, MI, and others.

Insisting that one or the other doesn't occur is simply factually wrong, there is ample evidence, trivially searchable, that all forms of fraud happen in elections.

The democratic party erroneously thinks one form doesn't happen, and makes arguments like what you made. The republican party doesn't care about the other form, and allows it to happen.

Both parties are at fault here. No one more so than the other.


I think I should have been more careful with my "revised" statement, as I set up a straw man for my own position. You are absolutely right that both voter fraud and electoral fraud occur. We should take efforts to minimize both kinds. The divisive question is whether VOTER FRAUD or ELECTORAL FRAUD is currently a bigger threat to our government / society.

I maintain that it is important to clearly distinguish between voter vs election fraud. As your comments have shown, conflating the two risks confusion. I think the idea that "both sides are the same" is ignorant at best and intentionally misleading at worst.

I have so far seen no evidence that voter fraud has significantly impacted the outcome of any state or national elections. There is, however, overwhelming evidence that electoral fraud is widespread, and in most cases enabled by members of the Republican party, either through negligence or malice.


Again, assigning blame to a single party is simply incorrect. It shows bias. From today[1]. And previous reporting on this identifies the party[2]. Not the GOP.

Fraud occurs[3], and it is not only from one particular party or group. The idea is to simply reduce any potential impact from attempts at fraud. We aren't there yet. We need to be in order to have an election that people might accept.

I am, however, of the belief that no matter how this November 3rd goes, about 50% of the population will not accept the outcome. Just like in 2016.

[1] https://www.foxnews.com/politics/paterson-new-jersey-voter-f...

[2] http://www.shorenewsnetwork.com/2020/06/25/fraud-charges/

[3] https://www.newsweek.com/top-five-rigged-us-presidential-ele...


It's a generational thing.

Younger software engineers who grew up doing everything on their phones see this as something worth solving, because it would vastly improve access, end voter suppression, and people wouldn't have to take time off work to vote anymore. Universal mail-in ballots do address many of those points, but also have downsides (signature verification is tricky).

Older engineers on the other hand don't seem to want this to be solved.


I don't think that's fair. I'm young enough? And think that given our current electoral systems and shoddy educations, paper voting is definitely better.

If everyone knowingly did some basic applied asymmetric key cryptography every day, and it was taught in grade school, that could change things.

If we voted far more often, so that the benefit of a single compromised vote was far less, that could change things.

I don't think first electrifying the vote, and then trying to bring about the above reforms, is a good strategy at all.


Meanwhile people have difficulty filling out paper ballots, because it's terrible UX. If you want to have a nice voting system like STV or even ranked-choice, shading ovals on paper ballots is not ideal.

Sometimes it feels as though existing problems get a free pass because of tradition, but new issues (even if addressed) are scary and so the entire thing should be stopped.

I think the right strategy is to pick a state, implement a voting system there for people to vote on their phones, and then see if it works out or not. Had this been done a couple of years ago, we would have been more prepared for covid-19 this election. And we're only going to have more pandemics and other disasters going forward.


> Sometimes it feels as though existing problems get a free pass because of tradition

In safety-critical systems, known problems are often tolerated because they are predictable. In these cases, mitigations are understood, and there's a well-defined upper bound on the amount of damage that can be caused if the mitigations fail.

> but new issues (even if addressed) are scary and so the entire thing should be stopped.

New issues are unpredictable, and do not have known mitigations. (Once they can be reliably predicted and mitigated, they are no longer "new".) There's also no known upper bound on the amount of damage these issues can cause.

As an added bonus, the quantity of bugs in a long-deployed system is generally well understood, while it's difficult to place an upper bound on the number of bugs in a system that hasn't been tested in production yet.

To make this concrete: Imagine finding a bug that causes several thousand phones to occasionally reboot unexpectedly. Pleased with yourself, you publish a patch and push it out to all affected devices.

One week later, a thousand of those devices power off and never power on again--they've been permanently bricked by your update.

Are your users angry because you refused to give the random reboots a "free pass" because of "tradition"? Or are they angry because you made drastic changes to a system that basically worked without taking the time to understand the consequences?


> In safety-critical systems, known problems are often tolerated because they are predictable. In these cases, mitigations are understood, and there's a well-defined upper bound on the amount of damage that can be caused if the mitigations fail.

Oh, voter suppression is well-understood and predictable. I disagree with you that mitigations have been effective.


> Meanwhile people have difficulty filling out paper ballots, because it's terrible UX. If you want to have a nice voting system like STV or even ranked-choice, shading ovals on paper ballots is not ideal.

I am 100% for voting with machines that spit out the canonical paper which can be hand-reviewed. The point is not the paper UX, but the paper trail.

> Sometimes it feels as though existing problems get a free pass because of tradition, but new issues (even if addressed) are scary and so the entire thing should be stopped.

As somebody who has spent weird years pushing Haskell where it wasn't requested, I know the feeling exactly, OK? :). It's just an unfortunate truth that the messy unprincipled systems today happen to involve using paper, which is in fact good in principle.

I would love if we had a 3 way discourse on 1) good paper systems 2) bad current hodge-podge 3) bad purely-electronic, in order to speak truths while avoiding status quo bias.


Iowa Democrats tried an app this year, and it was a colossal failure: https://www.npr.org/2020/02/04/802583844/what-we-know-about-...


That is obviously not a good way to do things.

The general public wasn't informed about it, the app was from a company nobody had heard of, and evidently hadn't been tested well.

No, this should be an open transparent effort, with code published online (they need not accept PRs with code BTW). It should be trialled in a few states during an off-year election.


Signature verification only really matters if you have several ballots purporting to be from the same person.

Otherwise, they usually don't bother checking the signature.

How do you propose to do user authentication more securely on your phone? Keep in mind that several people may have access to this phone, including spouses and children.


You don't live in California then: https://www.pbs.org/newshour/nation/california-rejected-1000...

Also kids can fill out a mailed ballot as well, so that is a double standard.


I only bring it up because they suggested that they had a verification method in mind better than signatures.

A kid can access the paper ballot or the phone, for sure. The kid might be able to convincingly forge their parents' signature. They can almost certainly do whatever "e-verification" that diebeforei485 had in mind.


I never understood why voting remains such an issue.

Why not have the credit card companies handle voting? The cost of a card with the chip is less than $2 isn't it?

The card is swiped into a reader, the ballot is displayed on screen, choices are made and confirmed, a laser printer prints out a paper ballot which is dropped into a secure box.

We would know within 1 hour of polls closing the accurate tally of every race.


Suppose I'm a bad guy with Trump, I command the credit card company to issue 1 million fake cards with names of people who passed away in the last century. Ask my agents to swipe these cards and vote for me. How could you civilians prevent these things from happening?


Vote by mail is also vulnerable to this.


Voter rolls are maintained by the separate states.


A lot of issues being brought up with electronic voting seem to me to be solvable via a blockchain technology like Ethereum.

> Even if the code is open source you cannot know that's the software running on the polling machine.

If the entire election happened on an Ethereum smart contract and every voter was given an address to vote with they could verify that their transaction cast a vote to the correct smart contract address and they could know what function was called so they would know how it would behave. You wouldn't have to blindly trust the system because you could verify that your vote went where it was supposed to go.

> Social engineering/hacking an online voting pool

This is definitely still possible. Any smart contract to handle this would need to be rigorously audited to make sure there are no vulnerabilities. As for social engineering, I do not think this is that big of a deal as long as you emphasize the importance of never sharing your private key.

I also do not think it's all or nothing. You could potentially have electronic voting built on blockchain technology but still have it all done in normal polling booths like we do now. The benefit to this is that you have the reliability of in-person polling but the citizen can then also track their vote to add a second layer of verification. Idk, what am I missing that makes this obviously a bad idea?


Because it's utterly utterly unnecessary and can be solved by the very simple tick box, count ballot in public, let anyone watch or volunteer to do so system. The existing problems with the American system of dodgy ballots, hanging chads, OCR errors etc. are caused by too much technology. Get rid of it all and use a wholly manual system. Treat postal votes the same way and count them at the same time as other ballots.



