Election security, e-voting, and voter registration systems
So depending on what we want electronic voting for, this could be completely out of the question.
So what do we want electronic voting for anyway?
- To vote from home!
No, you do not want this.
You can't have people voting from their home PCs without also having other attackers voting from their home PCs.
Postal votes aren't necessarily great either, but at least they're somewhat easier to control.
Best thing would be to keep the voting booth open for more than a day.
- To ensure someone can only vote once!
If you have a central electoral roll that's updated by every voting station, then it's likely that the roll could be updated by other attackers to prevent people from voting at all.
You could potentially have a separate electoral roll per voting station, and then cross-check them after the election, but that's not much different to having a phonebook of all the residents and checking them off. It might be quicker, but it might be easier to corrupt.
- Quicker vote counting!
I assume that's what a scantron is? It counts physical votes by scanning them?
Either way, having a physical copy of the count allows cross-checking, even if there's an electronic copy.
- Quicker result reporting!
So supposing that the people manning the voting station can't be trusted to pick up the phone and give the result, then having encrypted channels set up before the day could ensure the correct result makes it back to the central voting authority.
Otherwise if you can trust the people manning the vote station, a phone is easier.
Disagree about voting from home. All you need is a password/pin. Shift the authentication of your citizenship/residency to when you register. That is when you prove you are you, and at the end of it you select a 6 digit pin or a password. Then when you go to vote you just authenticate with your password.
Now someone is probably going to argue that the above setup can be used to disenfranchise people (what if you forget your password?) but that isn’t much different than what we have now in a lot of places. If we are going to overhaul the voting system anyway then we would need rules in place no matter what the system to ensure ease of access and readily available assistance.
Also, I think no matter what we do there should be easier verification of our actual vote. With electronic voting there would hopefully be some way to access what your vote was after the election, as well as a way to report errors.
Why not? Presumably you trust electronic banking. And there has to be just as much incentive for hacking there.
Stealing your identity can also be done mostly electronically, maybe requires some phone calls?
Apparently much of the voter registration data has already been digitized.
I feel like the ship has sailed on keeping the important information offline.
Japan, Singapore, some northern European countries might be able to get there within two or three generations, if they make an organized effort to educate their population on good cybersecurity habits starting from childhood.
the "no true scotch man" fallacy.
Because I have back-ups, statements, etc that let me back into or tie back into my individual account balances. It's a lot easier to reconstruct what my cost basis is on investments than it is to say, have to get everyone to re-affirm that they voted and who they voted for to test the system.
I just don't trust the black box.
I think it's inevitable that we will have electronic voting...but that day is not today.
Enlist in Star Citizen! Citizenship must be earned!
I would if and only if there was a serialized paper record and I had the opportunity to compare my serialized paper record to what the election authority has in its database.
I mean I don’t think anyone is saying make it a black box. I literally added to my original post that some kind of verification, or alternative recording method is needed. Just as we need extra rules or verification steps for paper ballots. I just don’t think the issues with electronic voting are so vast as to make it outright dismissible.
These are called negative confirmations and they, as an auditor, have a historically shit rate of granting any assurance because they require people to speak up when there's something wrong. We discourage their use, typically, in higher risk areas.
1) If your bank account gets compromised, it doesn't affect my money. I can take a number of evidence-based measures to protect my banking profile: use a completely randomized password with a high level of entropy, use two-factor authentication, avoid phishing attempts. I have no confidence that the majority of voters would do these things.
2) Suspicious activity on a bank account can have it temporarily suspended. This is an inconvenience to me, but ultimately not a disaster. Imagine, though, that suspicious activity across e-voting profiles resulted in temporary suspensions that just happened to coincide with early voting week.
Also, it is very easy for people like us - mostly nerds who enjoy posting on an Internet forum about video games - to overestimate the familiarity that the general populace has with Internet banking.
About 20% of American households are underbanked - meaning they either have no bank account at all, or they have a basic deposit account but heavily rely on non-banking instruments like prepaid cards and payday loans. About one-third of Internet users do not use online banking on a regular basis; and I've seen some similar factoids around that suggest that about one-third of bank account holders do not use their online tools on a regular basis either, preferring to do their banking at retail branches and their budgeting using paper statements.
It also means overturning one of the principles of American elections: that who you voted for is a secret.
It is a public record whether or not you voted in a given election but our polling authorities are not supposed to maintain records of who you voted for.
If it's possible to snail mail you the results from your own ballot, then that means there's a database somewhere where your name and address is linked to your voting history.
That may or may not be a problem. I'm not arguing that this would be bad. However, it would be incompatible with the way the US does voting right now.
Being able to register the day of with the use of a witness, ID, or bill works pretty well.
Automatically updating voter registration through coordination with other agencies that deal with people more regularly helps too.
1. If any flaw exists, it is impossible to know how big the influence of the flaw is. If a vote can be changed, so can 1000. Or 1000000.
If a single person can change a vote, he may be able to change all of them with the same ease.
This means a single person can totally invalidate a vote.
2. It may be impossible to know if the system has been tampered with.
This means you can never be sure if the outcome of an election is valid.
3. Any kind of logging votes to mitigate 1. or 2. de-anonymizes votes.
The combination of these 3 problems is disastrous. No digital vote can be legitimate and anonymous at the same time.
The reason votes are inherently different from banking is that with voting there is no perfect information, no final ledger to be referred to afterwards.
Interfering with hand-counted paper ballots is possible, but requires a lot of physical action. You need people at different voting booths, corrupt officials, no neutral observers... a relative layman can be a pretty decent neutral arbiter.
The code of a voting computer is not parseable to 99.99% of people. And even hardware exploits can be done.
The Netherlands moved away from all electronic voting in 2009, after concerns about the security of the software, the security of the hardware (someone found out where the machines were stored and got access to them), and the EM radiation given off as the machine processed a vote, which may be read at a distance, hit in close succession.
And that was some ancient offline tech.
After a decade of paper ballots, the government is going to run a test on modified ballots that can be machine counted. (This runs into the problem that Dutch ballots are large, typically holding 300-500 names because all members of each party appear on the ballot)
3 isn't entirely true. Consider the following process (similar processes are already in use in some countries and US states but none that are precisely identical):
E-voting still happens in a polling place.
When you vote, the machine spits out two paper records. They are anonymous but have a unique, pseudorandom serial number that is also recorded in the database record.
They show the entire ballot and all selections. They're identical in every way except one paper is clearly marked "TAKE ME HOME" and the other is clearly marked "PUT ME IN THE BALLOT BOX."
Most of the vote is counted electronically, but election officials can do spot checks to compare a subset of paper receipts to their corresponding database records.
One benefit of this system is that the voting machines can interactively prevent common forms of ballot spoilage due to voter error: double entry, hanging chads, incorrectly marked bubbles, etc.
the "no true scotch man" fallacy.
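
The receipt spot check described in the post above, sketched as an added example that is not part of the original thread: it compares a random subset of ballot-box papers to the database by serial number, and computes how likely a sample of a given size is to hit at least one altered record. The serial format, contest names, function names and all sample data are assumptions constructed for illustration.

```python
import math
import random

def spot_check(paper_box, db_records, sample_size, rng):
    """Compare a random sample of ballot-box papers with the database.

    paper_box:  {serial: selections} transcribed from the papers in the box
    db_records: {serial: selections} as stored by the voting machine
    """
    sampled = rng.sample(sorted(paper_box), min(sample_size, len(paper_box)))
    findings = {"sampled": sampled, "mismatched": [], "missing_in_db": []}
    for serial in sampled:
        if serial not in db_records:
            findings["missing_in_db"].append(serial)   # paper with no record
        elif db_records[serial] != paper_box[serial]:
            findings["mismatched"].append(serial)      # record differs from paper
    # Sampling papers can never find a record that has no paper at all,
    # so the full serial sets are compared as well.
    findings["db_without_paper"] = sorted(set(db_records) - set(paper_box))
    return findings

def detection_probability(total, altered, sample_size):
    """Chance that a uniform sample without replacement contains at least
    one of `altered` bad records among `total` (hypergeometric)."""
    if sample_size > total:
        raise ValueError("sample larger than population")
    miss_all = math.comb(total - altered, sample_size) / math.comb(total, sample_size)
    return 1.0 - miss_all

# Constructed sample data: six papers in the box.
PAPER_BOX = {
    "A1F3": {"mayor": "Lee", "measure_1": "yes"},
    "B9K0": {"mayor": "Ortiz", "measure_1": "no"},
    "C7D2": {"mayor": "Lee", "measure_1": "no"},
    "D4M6": {"mayor": "Ortiz", "measure_1": "yes"},
    "E5B8": {"mayor": "Lee", "measure_1": "yes"},
    "F2Q1": {"mayor": "Ortiz", "measure_1": "no"},
}
# Constructed database: one record altered, one paper unrecorded,
# one record that has no paper behind it.
DB_RECORDS = {s: dict(v) for s, v in PAPER_BOX.items() if s != "E5B8"}
DB_RECORDS["C7D2"]["mayor"] = "Ortiz"
DB_RECORDS["Z0Z0"] = {"mayor": "Ortiz", "measure_1": "yes"}

if __name__ == "__main__":
    print(spot_check(PAPER_BOX, DB_RECORDS, 3, random.Random()))
    # 10 altered records out of 1000, checking 100 papers:
    print(round(detection_probability(1000, 10, 100), 3))
```

The sample has to be drawn after the papers are sealed and by a source the database operator cannot predict, otherwise the check only covers records an attacker chose to leave alone.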
This is a staggeringly naive view of cybersecurity. First: even if a small percentage of the population pick terrible passwords/PINs (eg "password", 1234, etc.) it opens the door for rampant hijacking of election accounts very easily -- you can try to allow fixes to this, but I don't see any way that wouldn't basically result in potentially millions of people needing to have their vote invalidated because of "hacking" every election cycle, which is a fucking disaster. Second: even people who use competent or semi-competent passwords (let's not even address PINs, because what the fuck were you even thinking there?) can fall for phishing attacks and so on, leaking their credentials to attackers. Third: compromised computers could easily MITM this and alter your vote choices before submission without you knowing -- again, there are ways you could remediate this issue, but the cost would be (eg) keeping a database of who everyone voted for, which is fucking disastrous.
Seriously, any "vote from your home PC!" type system needs to be secured against fucking state level actors! The shit you've proposed isn't secured against the teenager next door who's good with computers. Jesus Christ.
Also, you really don't want the ability to prove you voted a particular way, because then people can sell their vote, or be pressured into voting a specific way.
Let's talk about trustability. One foundational element of democracy is that once the ballots have been added up, the losing party will acknowledge that fact and leave power peacefully. If the losing party instead says that the ballots are wrong, and they actually won, things turn bad very quickly. Even assuming electronic voting was perfect, it doesn't have the level of trust that paper ballots do, and a ballot system that a lot of people don't trust is not a good ballot system. (And that's before any reputable incidents of electronic vote tampering have occurred.)
1) Early/absentee ballots up to a month prior to election. Available to anyone who asks for it.
2) Voting at the polls uses machine-readable paper ballots.
3) Voter registration can be done at the polls
4) The physical polls are open for a few days minimum
Now, if you want to propose an electronic voting system, go for it, but I expect you to be able to argue why it improves upon this system for cost or convenience without sacrificing security.
No paper record ballot machines offer no needed advantages over ones which do have paper records, so no need for them.
Machine counting is fine provided that 10% of precincts are recounted at random by humans. And those humans never ever ever get to appeal any decisions after the recount is done. God, remember that guy who appealed the election based on the fact that he thought he threw put the wrong vote... That guy is a disgrace.
Properly implemented, the vulnerabilities it introduces are minor and easily mitigated. But, of course, IT systems are rarely properly implemented.
Consider that we only did a partial recount in Bush v Gore because a full Florida statewide recount would have taken longer and been more expensive.
Had we been able to perform a statewide recount (without the hanging chad issue) we might have had President Gore.
People can't even deal with using *keys* safely and they've been around for centuries.
*hides spare set under flowerpot*
I'm not sure it does offer "fast, accurate recounts" though: the computer is never going to come to a different count (one hopes!), so any actual recount would still be the standard sort of fighting over individual ballots affair we're all familiar with. Resilience against loss/destruction/theft is mirrored by susceptibility to false records being placed -- if you trust the database over the paper record, the database is intrinsically a target for anyone who wants to influence the election. And if you don't trust the database over the paper record, why bother with it?
The reason you do paper+electronic (through scantron or whatnot) is so that you need fewer volunteers to do the ballot counting.
In what sense, though? Either you trust the scantron's initial count or you run things through the scantron again and get... exactly the same count. There's no point in storing a database, because that reinforces the issue: you'll never get a different value for a "recount", and therefore any so-called "recount" is ultimately just for show. Why would you ever run the same ballot through a scantron twice and expect a different result? If the machines are not reliable we shouldn't use them in the first place, and if they are reliable they will always return the same result! The meaningful recount comes in at the edge cases, the shit that scantrons reject and that need to be counted by hand -- and a database will not fundamentally ease this task.
Edit: Oops, sorry, I just realized you meant for the initial count. I'm perfectly fine with using a scantron or whatever to do the tallying for the initial count provided we aren't using it as some sort of gold standard for recounts! Again, I don't think a database adds anything to this situation, except insofar as a very very simple database is maintained on the scantron machine during scanning.
Edit 2: I feel obligated to also say fuck anyone who is concerned with cost-reduction when it comes to running elections, we spend shitloads of money on the stupidest shit imaginable and elections are the absolute core of any government that wants to call itself a democracy. Our elections cost very little in the grand scheme of things, and attempts to reduce cost that also reduce security should be roundly rejected.
Ideally, e-voting would use two or even three factor authentication. Some highly secure systems use password + app/token-generated one time code + client SSL certificate.
You could even expire the SSL certificate on a yearly basis so it's only good for one election cycle.
The problems there are A) maybe 1% or 0.5% of the electorate could handle that without their pants ending up on their head, and it's more vulnerable to back-end tampering than ballot box systems.
I was definitely thinking of A) as the reason why it's not going through.
If we did, we'd get a technocratic genius as a President, though, as only people who delight in technology would be able to figure it out.
A) Ballot counting isn't done all at once, even in an electronic system, as long as paper mail-in ballots are a thing. So you could, for example, do an election night electronic count to see if there's a clear victor, then do spot audits of the paper receipts plus counts of mail in ballots as they come in. You'd have better accuracy and faster results across the whole process. It isn't technically a "recount" but it serves the same purpose: verification of the electoral process over time.
It isn't a question of mindlessly trusting paper over electronic or vice versa. That's an oversimplification. It's more about having redundant systems (paper and electronic) where you only suspect one or the other when inconsistencies appear. Then you judge which record is more accurate based on the nature of the inconsistency and any relevant information that emerges during the investigation.
I don't give a shit about how fast it is to count. If we could maximize the two things above, but it means determining the results takes a week or two? I'm fine with that. Faster vote counting is nice, but democracy does not hinge upon catering to our impatience.
I don't give a shit about convenience, except to the extent that it affects accessibility.
The problem with electronic voting is that it doesn't maximize either of the things I consider important. The things it improves upon are bells and whistles that do not affect the functioning of our democracy. And it seems like people like it just because it's high tech and cool sounding and everything is better when the internet is involved, right?
Pretty much every argument for it I'm seeing in this thread consists largely of ways to solve problems that don't exist if we just stick with machine-counted paper ballots overseen by representatives from various political parties.
The mechanics of voting systems strike me as a solved problem, and the only issue is preventing certain groups (*cough* Republicans) from trying to disenfranchise people, something that I don't think electronic voting really addresses. Basically, we need a combination of mail ballots and polling places open for a couple weeks before election day. Boom, done.
A properly implemented paper+electronic system would both reduce costs and improve security from what we have now.
But, as I said above, IT systems are rarely properly implemented.
Paper ballots routinely go missing. You can get ample examples from just googling "lost election ballots." Here's just one example from my region that I found from a lazy Google search.
This happens across multiple precincts in every election.
Fair enough, I was reading more into database+paper than you meant, I think. I'm basically fine with this in theory.
Edit: Grammar fail.