Electronic voting machines suck, the comprehensive 2016 election edition


#1

Originally published at: http://boingboing.net/2016/09/30/electronic-voting-machines-suc.html


#2

Look on the positive side; democracy doesn’t have much time left anyway.*


  • Trump 2016!

#3

There may be legal magicks as to why not, but why hasn’t anybody made an open-source, low cost, high security voting machine? Do we need to nerd harder?

And if they have, what do we need to do to get the SOSes to adopt them? Aside from being billionaires.


#4

“Hey, we got stuck with this huge lot of new, unused ZIP drives from 1999. What should we do with them?”


#5

can’t get my ballot counted but whitey’s on the moon.


#6

Paper simulations don’t work as well as paper ballots.


#7

“Obsolete?” Really?

Home computers in the 1980’s were crappy, broken, and “obsolete” as opposed to familiar ways of doing the same things. Same, though less so, in the 1990’s (Windows 3.1). Same, though less so, in the 2000’s (Windows Vista). Same, though less so, in the 2010’s (Windows 8).

I’m sure there were people who looked at the Commodore 64, or an Intel 386 running Windows 3.1, and said: “These things are just hopelessly primitive and unreliable. They crash all the time and lose data. They make everything harder to use, with their ‘modems’ and ‘ethernet’ and ‘gopher’ and ‘world-wide web.’ I can work much faster and more reliably with a Smith-Corona typewriter, a telephone, and the Yellow Pages.”

Fortunately, the industry didn’t listen to those troglodytes, because we saw the inherent value and promise of computers. Today… well, today, our machines are still broken - but incrementally less so - and no one under the age of 30 is afflicted with “the old ways are best” anti-technology fervor.

How about e-voting machines?

E-voting machines, in general, have one huge advantage over paper ballots: the promise of end-to-end verifiability.

Here’s a simple model:

  • Every voter is issued a unique code for the election.

  • Every voter votes electronically, and receives a ballot receipt that identifies their unique ID and their vote.

  • The election results are reported as the complete list of (unique ID --> vote).

That combination makes many forms of election fraud nearly impossible:

  • Every voter can establish that their vote was properly recorded. If a voter’s ballot receipt doesn’t match how they voted, they’ll instantly notice and can report it.

  • Every voter can establish that their proper vote was counted in the tally, or prove otherwise. (Alternatively, if a voter did not vote, they can prove that a vote was not cast in their place.)

  • Every voter can establish that the number of recorded votes matches the expected number of valid votes.

  • If new voters are manufactured, the total size of the list won’t match the number of registered voters.

  • If votes are removed or changed, people can present their paper ballot as evidence that their properly cast vote was altered.

  • If the results don’t reflect the actual tallies, it will be immediately obvious just by summing the individual votes in the report.

Contrast these advantages with the obvious vulnerabilities of paper ballots:

  • Ballots can always be added. Unless inflation rises to extreme levels, no one will ever know. (And if they do, they will simply shrug their shoulders and accept the result anyway, because it’s nearly impossible to investigate.)

  • Ballots can always be changed or removed.

  • The tallying process is always a black box. Everyone casts a vote, the ballot box gets taken into a back room, and someone comes out and announces a result that we accept largely on faith.

  • And most critically: Since this entire process is unverifiable and based on trust, some people will always doubt it. Every election is plagued with accusations of “rigging” that are impossible to investigate and impossible to dispel. People still doubt the 2000 election, the 2004 election, the 2008 election, the 2012 election… etc.

These problems are endemic, and they are intractable. The fact that they are familiar, as compared with e-voting problems, is little comfort.

If e-voting is possible to get right - and with these enormous advantages - then why do current e-voting machines suck?

Answer: Privatization. The federal government is failing to lead an effort to develop the best e-voting system we can have. Local governments hire these shady companies like Diebold and Sequoia, with lots of back-room deals and personal favors, and end up with proprietary machines and lax security.

Until the federal government initiates a NASA-like effort to create a robust, open, and verifiable e-voting system that the entire country can use, the United States will continue to suffer from vulnerable elections - and endemic mistrust in the results.
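The (unique ID --> vote) model sketched above, written out as an added example (not code from the thread): a constructed four-voter roll, a public list, and the three checks the post describes, with a changed vote and a manufactured voter fed in to show how each is caught.

```python
import secrets
from collections import Counter

# Constructed sample data: the registered-voter roll the election office holds,
# and the two candidates on the ballot.
REGISTERED = ["alice", "bob", "carol", "dave"]
CANDIDATES = {"A", "B"}

def issue_ids(roll):
    """Hand every registered voter a unique random code (assumed: a CSPRNG)."""
    return {name: secrets.token_hex(8) for name in roll}

def cast(board, receipts, voter_id, choice):
    """Record (ID -> vote) on the public list and give the voter a matching receipt."""
    if choice not in CANDIDATES:
        raise ValueError("invalid choice")
    if voter_id in board:
        raise ValueError("this ID has already voted")
    board[voter_id] = choice
    receipts.append((voter_id, choice))

def verify_receipt(board, receipt):
    """Check 1: the voter's own entry on the published list matches the receipt."""
    voter_id, choice = receipt
    return board.get(voter_id) == choice

def audit_board(board, issued_ids, n_registered):
    """Checks 2 and 3: no IDs that were never issued, no more votes than voters."""
    problems = []
    unknown = set(board) - issued_ids
    if unknown:
        problems.append(f"{len(unknown)} entries whose ID was never issued")
    if len(board) > n_registered:
        problems.append("more recorded votes than registered voters")
    return problems

def tally(board):
    """Anyone can recompute the result by summing the published list."""
    return dict(Counter(board.values()))

def demo():
    ids = issue_ids(REGISTERED)
    board, receipts = {}, []
    cast(board, receipts, ids["alice"], "A")
    cast(board, receipts, ids["bob"], "B")
    cast(board, receipts, ids["carol"], "A")          # dave stays home
    all_ok = all(verify_receipt(board, r) for r in receipts)
    # Two manipulations the model is meant to expose:
    board[ids["bob"]] = "A"                             # bob's vote is changed
    changed_seen = not verify_receipt(board, receipts[1])
    board[secrets.token_hex(8)] = "A"                   # a manufactured voter
    return all_ok, changed_seen, audit_board(board, set(ids.values()), len(REGISTERED)), tally(board)
```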


#8

How do you propose issuing the voter IDs without compromising the ideal of a secret ballot?


#9

You can secure the process of generating the IDs. Stick it all into an encrypted database, distribute shards of the key among several individuals, and pass laws that prevent them from putting it back together to decrypt the database unless certain conditions arise, like evidence of election fraud and a court subpoena.

Yes, it’s not guaranteed 100% anonymous. However:

  1. No election is guaranteed 100% anonymous - including paper ballots. If people are willing to commit crime to track votes, they’ll put cameras in polling places, or find ways to mark ballots, or pay polling officials to watch how you vote, etc.

I’m tired of seeing complaints that e-voting is inherently flawed because it’s not a perfect system. The question is whether it could be more perfect than paper-ballot voting, and the answer is an undeniable yes. It’s not rational to pretend or deny that paper ballots have no vulnerabilities: see above.

  2. If you have to pick between two kinds of election traits - (a) completely anonymous but completely unverifiable accuracy, and (b) nearly-complete anonymity and extremely verifiable accuracy - which would you choose?

An election process that is not verifiable is useless. If the result can be changed and cannot be trusted, then the votes don’t matter.
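Splitting the database key into shards that several officials hold, as post #9 proposes, is an added example here (not code from the thread) using the standard technique for it, Shamir's secret sharing over a prime field: a constructed 3-of-5 quorum reassembles the key, and a below-quorum attempt is shown to yield an unrelated value.

```python
import secrets

# Arithmetic is done in the prime field GF(P); P is the Mersenne prime 2**127 - 1
# (assumption: the database key is encoded as an integer below P).
P = 2**127 - 1

def split_key(key, n_officials, quorum):
    """Hide the key as f(0) of a random polynomial of degree quorum-1; share i is (i, f(i))."""
    if not 1 < quorum <= n_officials or not 0 <= key < P:
        raise ValueError("bad parameters")
    coeffs = [key] + [secrets.randbelow(P) for _ in range(quorum - 1)]
    shares = []
    for x in range(1, n_officials + 1):  # x = 0 is never handed out: f(0) is the key
        y = 0
        for c in reversed(coeffs):        # Horner evaluation of f(x) mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares

def recover_key(shares):
    """Lagrange interpolation at x = 0; correct only with at least `quorum` distinct shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate shares")
    key = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        key = (key + yi * num * pow(den, -1, P)) % P
    return key

def demo():
    """Constructed run: 5 officials, any 3 can rebuild the key, 2 cannot."""
    key = secrets.randbelow(P)
    shares = split_key(key, n_officials=5, quorum=3)
    any_three = recover_key([shares[0], shares[2], shares[4]])
    only_two = recover_key(shares[:2])   # below quorum: a line through two points
    return key, any_three, only_two
```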


#10

elections have stayed safe because they are distributed and local. ( it takes concerted effort to rig more than a district or two. and barring bush v gore, you pretty much have to go back to tammany hall. ) centralized voting is the antithesis of this.

the only really good argument i've heard against this so far is in regards to mail in voting, if only because it broadens voter participation.

states where voter rolls are used to deny voting - re: florida purging voters based on name matches with texas felons - are the closest thing we have to centralized voting ids, and it’s terrible. same day registration, even if it needs provisional ballots to make angry white people happy, is key to getting good voter turnout. an id that people have to keep track of, keep private, and keep updated is just one more barrier to entry.

in person paper ballots and voting by mail are not broken. let’s not try to fix them.


#11

elections have stayed safe because they are distributed and local.

No, see - you can use exactly the same structure for issuing voter IDs as you currently use for issuing a list of registered voters. You can have districts collect ballots and submit their results, exactly the same as we do now.

This process is no more “centralized.” The only difference is that it is now verifiable - publicly! - without sacrificing anonymity. When statistical anomalies arise, you can actually audit the process - instead of what we have now, which is: everyone shrugs their shoulders and accepts the result anyway.

In person paper ballots and voting by mail are not broken. let’s not try to fix them.

If they “are not broken,” then why is there lingering doubt over the results of every election - going as far back as 2000?

Why do so many Americans think that elections are “rigged?”

Why do we come across evidence of statistical anomalies, in every major election, that we absolutely cannot investigate - because the process itself is vulnerable to manipulation in ways that can’t be investigated?

And as I noted above - even if the elections aren’t rigged, no one can prove it - because, again, it’s all centrally based on trust without proof.

You accept the inherent vulnerabilities of paper ballots because people tell you that computers are scary. Do you think that computers are scary when you conduct your banking over the internet? Or buy stuff from e-commerce sites, or submit your taxes? Or access your health records or your 401k? No, you conduct all of those most sensitive transactions via a computer. Yet, when it comes to voting, computers are suddenly scary and untrustworthy because… why?


#12

1: Computers aren’t trustworthy, as such for those other transactions.
2: All of the E2E auditable voting systems endorsed by cryptographers have a paper component. Perhaps some study into what is necessary to have auditability and anonymity is in order.


#13

1: Computers aren’t trustworthy, as such for those other transactions.

Surely you realize that very nearly 100% of the world’s financial transactions - especially among companies, banks, and governments - are conducted electronically, specifically because it is the most secure model that we have for these types of transactions.

Banks don’t feel compelled to keep a paper trail as a backup to their vastly complex financial records, nor to resort to caveman forms of exchange like gold ingots.

Yet, somehow, the global economy manages not to collapse due to rampant banking fraud. In the financial sector, the most grievous forms of electronic theft that thieves manage to pull off is penny-ante stuff - like the gang of 100+ people who knocked over a bunch of ATMs and managed to net $13 million, which in the global market is like pocket change.

You cannot look at the world banking model, in which purely electronic systems manage to achieve nearly-impervious security against the most motivated hackers imaginable - and then turn around and look at voting and say, “oh, we can’t use electronic machines for voting because they’re insecure.” There is a vast disconnect in that reasoning that you’ll need to explain.

All of the E2E auditable voting systems endorsed by cryptographers have a paper component.

Much like all of the first electronic banking systems were backed by paper records. They aren’t any more, because when the systems are developed enough to achieve a certain high level of confidence, paper is useless.

But we’re not actually getting there with paper, because too many people are content to settle for the hopelessly vulnerable paper ballot system we have today. The luddites are winning, and the victim is our democratic process.


#14

Banking is a different matter. It’s backed by insurance. Losses are measured in the same units as transactions. Information is different. Everyone who lost PII in the OPM breach got little more than free credit monitoring. That’s not a substitute for losing information that can be used by foreign governments to target people with security clearance, yet it is all the politicians and lawmakers could think to offer.

Voting has its own set of issues. The anonymity aspect is one that banking doesn’t have to deal with either. The issue is far more nuanced than “computers are scary”.


#15

Banking is a different matter. It’s backed by insurance. Losses are measured in the same units as transactions.

Insurance is possible with the electronic systems that banks use because the losses are promptly detectable and measurable.

With paper ballots, most fraud is literally undetectable.

At most, people find some weird “statistical anomalies,” like wide deviance from exit polls, or reported results that appear at most implausible. You never know; you can never prove anything. Everyone just shrugs and moves on to the next election, where the same thing happens.

The mistake that you and others are making is looking at the security of electronic voting systems in isolation. You aren’t comparing them with paper ballots - which exhibit endemic, intractable, frightening levels of insecurity, and a fundamental reliance on unprovable trust - and asking which is more secure. The answer is blindingly obvious.

The anonymity aspect is one that banking doesn’t have to deal with either.

Are you kidding? Banking depends very heavily on maintaining client confidentiality. Transactions are typically made with strict preservation of anonymity: money flows from account A to account B.

Of course, banks are also auditable, because if fraud happens, regulators need to be able to trace things back to find the evildoers - as opposed to paper voting, where widespread fraud could happen, and everyone just buries their heads in the sand and accepts it.


#16

Client confidentiality and anonymity are not the same thing. Let’s back up for one second, because I think we are coming at this from completely different backgrounds. Are you familiar with the dining cryptographers problem?

The mistake that you and others are making is looking at the security of electronic voting systems in isolation. You aren’t comparing them with paper ballots - which exhibit endemic, intractable, frightening levels of insecurity, and a fundamental reliance on unprovable trust - and asking which is more secure. The answer is blindingly obvious.

You apparently haven’t looked at any of the E2E accountable systems out there. I’m not saying the current system can’t be improved upon. I’m saying the idea that going completely electronic has issues as well.


#17

Sure. Works great if you have a small number of people - let’s say three - and you expect to receive three results and receive a result.

Not relevant to voting for several reasons.

First - it’s very difficult to imagine using those kinds of techniques when you don’t actually know who’s going to vote.

Second - it’s readily prone to manipulation. You have to trust that everyone will follow the rules and not inject random noise into the process.

Third - anyone who participates will get their actual vote shredded and mixed with a bunch of other votes. It vanishes into the process, and out comes… a result. They cannot verify that their vote was actually counted, and therefore have no basis of trust in the process. If the process isn’t straightforward enough for the average voter to understand, then they’re not going to trust it.

The system that I described in my first post is extraordinarily straightforward. A child can understand how it works.

You apparently haven’t looked at any of the E2E accountable systems out there.

I have. Many of them are painfully contorted in pursuit of absolute secrecy and absolute transparency, and are so overcomplicated that voters must simply trust the math to work out. These tortured solutions are dead ends, and they enable opponents to say: “Electronic voting is impossible to secure, so let’s just stick with tried-and-true paper ballots.”

The e-voting research community is spinning its wheels in pursuit of a perfect system. It’s like classical AI: everyone was so sure that AI could be accomplished and would be available soon, that they spent decades chasing these unworkably complicated mathematical models. It took a group rethink to step back and say: “Maybe we should stop trying to invent an artificial mind, and instead develop things that are small and practical, like pattern-recognition neural networks, that we can use everywhere.” The same is happening with e-voting; perfect solutions will remain a mirage, until someone steps forward and says: “What’s really important here?” … cue the types of processes I described above.


#18

How about a cryptographic hash of the voter’s name (plus SSN or something) + random salt generated at the polling station? The voter knows their own info, and you can print out the salt on a ticket so the hash could be reconstructed for them at their request for checking their vote.


#19

In California, they use paper ballots you mark off and which are then read by scan-trons for the first-run counting. Ballots are kept for some period, allowing for a manual recount if need be. Not much money in it, I guess, for giant data companies, but it’s a far better approach.


#20

this. electronic transactions are inherently unsafe if you can't trust the code. scantrons incorporate technology in an appropriate way: accelerating counting, not replacing it.

@sfsdfd, it works most of the time for banking for a set of reasons: financial interest, the verified identity of the parties, and the fact all transactions involve three more parties ( woohoo! no, the other kind. ) each party ( the store, the bank, the consumer ) is watching the other closely.

moreover, there is fraud and there are data breaches all the time. it’s part of why credit interest is high, the fraud calculation is built into the system. it’s why you’re more protected when you use credit than directly linking your bank account for transactions. use technology, yes, but try to do so wisely.

fwiw, i personally find it worrisome how freely available something like my medical info is online. it'd be better locked off. convenience isn't always best. ( yahoo says maybe actually near a billion accounts have been hacked. speaking of parties ( woohoo! ) someone is having one. )

we are not yet to the point where we should give over voting to devices. the hanging chad debacle showed in a mechanical way why we don’t want to trust aging machines built by the likes of diebold. we need graceful fallback, security, privacy ( and on and on ) and nothing, absolutely nothing, has been invented that’s better for that than paper…

yet.