DARPA Is Building a $10M, Open-Source, Secure Voting System (motherboard.vice.com)
> Kiniy said Galois will design two basic voting machine types. The first will be a ballot-marking device that uses a touch-screen for voters to make their selections. That system won’t tabulate votes. Instead it will print out a paper ballot marked with the voter’s choices, so voters can review them before depositing them into an optical-scan machine that tabulates the votes. Galois will bring this system to Def Con this year.
This sounds great: paper trail, no chance of "hanging chads" or bad handwriting, verifiable by the voter at the moment before scanning and hand-countable if necessary.
I hate being outright dismissive but it sounds like an expensive html/pdf form with a printer attached.
I do agree that the paper trail is a great thing. I'm not fundamentally against electronic voting, but I haven't heard of a system that can really compete with the simplicity and verifiability of the immutability you get from paper ballots inside ballot boxes being watched over by interested parties on all sides.
> I hate being outright dismissive but it sounds like an expensive html/pdf form with a printer attached.
And I like it. The simpler the design, the better. Sometimes it takes a billion dollars and a couple of smart researchers to invent the "obvious" solution to a problem.
We've got butterfly ballots, confusing electronics-only machines, and a variety of bad standards as the basis of our current voting infrastructure. Telling everybody to use a damn PDF + printer would be a gross improvement.
And suddenly I have another use case for my language for specifying scientific protocols. Counting votes in a way that is scientifically verifiable. Turns out keeping verifiable lab notebooks for legal reasons is a really similar problem to keeping verifiable vote tallies, also for legal reasons (hopefully). It is telling that we have better provenance systems for far more complex processes but we still haven't managed one for person one vote ....
The problem is not very similar. Scientists don't work anonymously, and we aren't trying to prevent scientists from selling their vote.
I may be misunderstanding but what language "specifying scientific protocols" do you mean? Is this published? How does it work (a generic workflow language? It sounds interesting whatever it is)
Probably not the same thing that guy was talking about, but this is a cool project going on at University of Washington - it's made for biological science workflows but it's really quite flexible.
Simplicity is hard, it takes thought and often, the refinement of quite a few prototypes.
or just use paper ballots like other countries do ..
The Butterfly ballots WERE paper ballots.
Give America an idea, and SOMEONE in America will royally screw it up. It's a big country filled with lots of smart people, but also filled with lots of dumb people.
DARPA is working to come up with the standard that the whole country should follow. That's good and useful research. Even if it comes out to be the obvious solution (a paper ballot off of a damn printer), there's benefit to one of the major research institutions of this country telling the rest of the country how things should be done.
> The Butterfly ballots WERE paper ballots.
They were particularly badly arranged punch card ballots; the solutions to both the bad arrangement (“don't do that, like most people didn't do previously”) and the punch card (“use optical scan”) related problems are not only well known but pretty widely adopted.
I agree. But why did butterfly ballots proliferate in Florida?
Ultimately: the administrators weren't thinking about ballot issues. Palm Beach, Florida, was understaffed and underpaid, under-invested. They had other things on their mind when they deployed their machines.
They needed to move off of the punch-card system ASAP, but they couldn't afford to. They had the same issue in 1996 before the famous year 2000 issue. It was known, but not much could be done about it.
I guess this printer methodology from DARPA might be too expensive. Or maybe the scanning machines can be owned by the state, so that poorer areas won't have to invest into the machines. Etc. etc.
There's a lot of issues aside from "use paper ballots". The entire voting system needs to be considered. I hope that DARPA's challenge will include these issues in their design process.
> They needed to move off of the punch-card system ASAP, but they couldn't afford to
Sure, but moving money around to deal with that problem is easy (and mostly doable intrastate, but, a federal role isn't unreasonable.)
But this isn't a problem calling for novel technology. (As has already been demonstrated by the move to e-voting that happened in many places after 2000, though some people got the wrong message and decided that we just chose the wrong technical solution—but a lot of that is due to lobbying by the people selling technical solutions.)
> Give America an idea, and SOMEONE in America will royally screw it up. It's a big country filled with lots of smart people, but also filled with lots of dumb people.
More specifically - it's a big country with a fantastic amount of decentralization. Elections are run and ballots are designed not by national governments, not by state governments, but by county governments. The chance that someone will mess up is a lot higher.
(Of course, this does have the advantage that centralized tampering with the ballot is harder.)
Give America an idea, and SOMEONE will find a way to exploit it
In this case perhaps paper where you don't see anything, but that will trip up the scanner. You only need to have votes declared invalid. Of course, preferably just a random subset of them. You can choose for districts you don't like and distribute that paper there.
And add fingerprint identification, like other countries do.
You mean like the purple finger thing?
I've always wondered why nobody suggests doing that in the US to help prevent or ease people's concerns about potential voter fraud. It's simple, low-tech, and hard to screw up.
Unless if I'm missing something, which of course is possible. Can someone tell me what the downsides are to an idea like that?
> I've always wondered why nobody suggests doing that in the US
In this case, Occam's Razor beats Hanlon's Razor: The simplest explanation is malice, not stupidity. The groups who are the most hysteric about hypothetical voter-fraud are dishonest. Their actual goal is not to prevent vanishingly-rare crime, but to suppress legitimate voters in a partisan fashion.
Finger-inking at the poll-site does not offer them a useful tool for skewing the election results. It imposes no special discouragement or advantage to a particular group, and it also does not create a system for arbitrary "enforcement." (In contrast, consider poll-taxes or name-similarity databases with insanely high rates of false-positives.)
Some might retort: "I don't suggest finger-inking because it won't stop someone from impersonating another voter." True, it won't stop that from happening the first time, but it limits it to once. This means N improper votes require N humans, and as N gets large the odds of keeping it secret go to zero.
Because voter fraud is exceedingly rare in the US. Now election fraud is a different issue.
There have been lots of reports of non-citizens being registered to vote in the US. It is very rare, but elections are also generally very close races.
I don't get how people can just shrug off reports of dead people and non-citizens being registered to vote as a non-issue.
Registration errors are not voting errors.
How many of those dogs registered to vote showed up and cast a ballot?
If anyone actually cares enough to have a mostly accurate cost effective voter registration database, they'd reuse any one of our existing national demographic databases. But they don't. Because the recurring drama caused by our existing fragmented poorly funded more error prone system is too useful.
Perhaps the reports are false?
Yeah I'm sure all of them are false, and our voter registration systems with practically zero layers of authentication have proven to be infallible over the years.
Perhaps they're true but since non citizens and dead people vote left overwhelmingly it gets shrugged off by leftist media and leftist tech site commenters?
Being registered != voting
When a National Voter ID is required all the big blue states will flip back to red.
Voter fraud of that form basically doesn't exist. You are already marked as voted at your designated polling place. A purple finger is just for show, even in other countries. It's like an "I Voted" sticker.
How will the voters who are (reportedly) unable to obtain ID be able to get their prints into the verification system?
I have been informed by social scientists that requiring voter ID is racist, so it seems that fingerprint checks would also be racist via the same logic.
> I have been informed by social scientists that requiring voter ID is racist
Do you have a personal opinion on that? I don't see it as racist in any way, because it applies equally to everybody.
We have a few basic rules for voters in this country, one is that they are citizens, two is that they are registered. Being able to demonstrate that you are the registered voter you claim to be seems to me to be essential to a fair election process.
> I don't see it as racist in any way, because it applies equally to everybody
Would you say the same thing about poll taxes?
The idea of ID laws is not inherently racist. It's the implementations that are problematic.
For example, one jurisdiction that got in trouble for its voter ID law (I forget which one) was found by the courts to have, when writing their law, done a study of what forms of ID voters had, found out which of those had the biggest differences between prevalence among whites and among blacks, and then picked as the allowed forms of ID those that would most favor whites and disfavor blacks.
Places that aren't as blatant about it (or at least aren't dumb enough to actually talk about it in legislative committees for which subpoenable records are kept...) often leave hints that their motive is racial. For example, they might limit the number of places that can issue IDs, and reduce their operating hours, so that a poor person without a car (more likely to be black than white) has to take a long bus ride there and back, and has to take time off work to do so. This can be a serious hardship. (Worse, it might take more than one trip if there is any problem with the supporting documentation for the ID application. Unsurprisingly, it has been found that minor errors that tend to be overlooked when a middle class white person applies are much more likely to derail things for a poor black person).
Another hint that their motives are suspect is that such efforts are usually accompanied by efforts to make it harder for minorities to vote that have nothing to do with ID, such as closing polling places in minority neighborhoods and limiting voting hours, or reducing the number of voting machines at minority neighborhood polling places so that lines will be long.
If voter ID laws were actually about preventing voter fraud rather than about suppressing legitimate votes from poor and minorities, they would be accompanied by changes to make it cheap and easy for people to get the appropriate ID.
Also, they would be about registration ID, not voting ID, since what little fraud there actually is usually takes place via absentee ballots.
> Do you have a personal opinion on that? I don't see it as racist in any way, because it applies equally to everybody.
“The law, in its majestic equality, forbids the rich as well as the poor to sleep under bridges, to beg in the streets, and to steal bread.”
In practical terms, there are a lot of people in the US that simply cannot afford to buy an ID - both because of the actual cost and because of the logistics and documentation required. Trying to get a certified birth certificate from another state when you are homeless is, I imagine, pretty damn hard and relatively expensive to do.
If the US had a system where ID was available to all completely without cost (and only taking a trivial amount of time) then I’d agree with you more.
Usually you need that ID to exercise your constitutional right to bear arms. If we can demand an ID for a right that is actually listed in our constitution, then surely we can demand one for voting.
If requiring the ID is really so discriminatory, then it has to go away for bearing arms as well. Is this something you want?
BTW, in terms of potential hazard, voting is a lot worse. Voting can lead to wars.
> Usually you need that ID to exercise your constitutional right to bear arms.
12 states have constitutional carry laws. I can buy and carry with no ID needed.
As for voting and issues in obtaining valid ID, I can guarantee if you're on HN, you are not the group being talked about getting an ID.
I had to obtain a birth certificate from my state. I had to drive 3 hours away, and pay $25, and drive 3 hours back to get it. And for someone who doesn't have a car, lives in the city, and lives week to week, they won't be getting a valid ID anytime soon.
Oh yeah, and they're primarily black and poor. That's why the racist claims are made.
> I don't see it as racist in any way, because it applies equally to everybody.
To build a little on what the other commenters are saying, I recently watched a talk about equity and how it compares to equality. There's a famous image of people of different heights looking over a fence that shows well how equality does not always lead to justice. I have found it worthwhile, every time I see "equality" featured, to ask about how this is different than equity. In this case, it's inequitable (to a degree) because it is disadvantageous for the poor or other marginalized groups to jump through these hoops even if they're the same hoops that the advantaged groups have.
I'll also note this equality-equity distinction is making its way into mainstream American politics. On page 6 of the Green New Deal is a provision that the federal government has the duty of promoting equity and justice for people oppressed because of their race or circumstance. This is noteworthy because (as far as I'm aware) federal law has only been providing equality so far, but now there's a shift in policy to provide equity and not ask for equality.
No strong opinion! But I understand there exists a legal precedent of disparate impact, such that a policy "applies equally to everyone" can end up being illegal because it effectively targets a protected class even though it doesn't have any language to that extent.
You like that it cost 10mil? Ok man, Ok.
> I hate being outright dismissive but it sounds like an expensive html/pdf form with a printer attached.
I don't think that's dismissive at all. That's what it is, and it sounds good to me. Basically the computer is a scribe with perfect handwriting that fills out the paper ballot for the voter while the voter watches. Absolutely any voter is qualified to assert whether the ballot contains the votes they intended to cast.
From there, you could have the voter carry the ballot and drop it in a box that's being observed by any number of interested parties, providing old-fashioned accountability. Counting by scanner is an optional time saver, with hand counts as the alternative / double-check.
Don't forget that electronic voting machines can have accessibility features that paper ballots lack - having a glorified form printer is actually a sound design that lets us gain these benefits without the negatives.
There is no reason an electronic count can't be kept along with the paper ballots.
How does that help? The paper ballots still need to be counted as they are the authoritative source of the final tally. An electronic tally does nothing useful and adds complexity.
Speed. One of the reasons some politicians want electronic voting is to have the tentative results in as fast as possible, so they can sod off to their respective celebration/mourning shindigs and call it a night. That the actual, lawful count follows in the course of hours or even days is, to them, then acceptable.
Having these machines do a preliminary tally gives you a more accurate forecast of the votes cast than exit polls.
Optical scan machines solve that issue quite nicely and more robustly, especially when a ballot needs to be spoiled due to error (it can be physically destroyed before tally instead of needing to support deletion or modification of records in the voting machine).
This is missing two completely unnecessary failure modes that pen and paper don't have:
1. You cannot know whether the device leaks your vote, i.e., whether your vote is secret. Mind you that in addition to an attack inside the device, this can also happen via simple electromagnetic side channels inherent in the device--as has been demonstrated quite a while ago for Nedap voting computers by the Dutch campaign against voting computers, where you could distinguish selected candidates by tuning an AM radio to the right frequency.
2. When the device malfunctions, whether due to a defect or sabotage, and only particular candidates can not be selected, that creates a side channel where the voter is effectively forced to unveil who they want to vote for.
Neither of those failure modes exist with paper ballots.
> Neither of those failure modes exist with paper ballots.
Paper ballots stop secret cameras in the ballot room? I mean, they really don't. It depends on your threat-model. A lot of things will come down to trust.
> 2. When the device malfunctions, whether due to a defect or sabotage, and only particular candidates can not be selected, that creates a side channel where the voter is effectively forced to unveil who they want to vote for.
See Butterfly ballots. Paper ballots in USA (Florida specifically) which basically had this flaw. It was confusing to know which circles and lines were going to the correct candidate you wished to vote for. Asking for help on the ballot would leak information on who you wanted to vote for.
A poorly done paper-ballot has its own set of issues.
> Paper ballots stop secret cameras in the ballot room?
And neither do touchscreens. Paper is better if it's not done comically wrong.
And even the worst paper ballots have a much smaller attack surface for plain old analog rumors than the best possible electronic system. The most powerful way to undermine a democracy is not flipping some votes to one candidate in perfect secrecy, it's making all candidates/camps believe that the other did. This could destroy a democracy even without a single vote having actually been tampered with.
Electronic voting, only understood by experts, is perfect soil for such rumors and no amount of open sourcing can change that. The many human counters involved in a hierarchical paper vote counting scheme are not just an unfortunate inefficiency left over from a time when machines could not count yet, they also serve as witnesses, not only for keeping their peers in check but also for dampening any unfounded rumors that might come up. They increase trust even when they are not actively speaking up against rumors, just by being there, in numbers, as passive dampening elements like the moderator rods in a fission plant.
And the solution to the flaws of butterfly ballots was the proliferation of insecure, dangerous touchscreen machines. Screw that. Give me a well-designed paper ballot.
> Paper ballots stop secret cameras in the ballot room?
Ballot rooms are just about as decentralised and non-standard as it's possible to get your head around. Voting machines are the exact opposite.
Are we actually discussing that someone could or would roll out a (nationwide?) network of hidden cameras across church halls, schools, and other places where people go to cast paper ballots. Undetected?
Distributing compromised software - or designing your attack into the hardware - for voting machines would be child's play by comparison.
> You cannot know whether the device leaks your vote, i.e., whether your vote is secret.
The electronic voting machine never is granted your identity. But I'll grant it's possible that records of the voter identity with the ballot identity exist and could be used to map the voter's vote.
These might be good arguments for letting people fill the ballot in manually, if they wish. Based on the design as I understand it, it seems like users aren't prohibited from printing a blank ballot and taking a pen to it themselves.
Could any of these problems be at least partially fixed by randomising how the choices are displayed in the input UI and on the printouts?
If these are open source hardware and software, then it is unlikely bugs like what you are talking about will slip through.
The part I don't like is the printer. They're woefully unreliable devices. Having been an election judge, handling a bunch of flaky tech in polling places is the last thing the poll workers need. They have a lot to do already.
In MN, we use paper ballots with Scantron readers for excellent results. I'm not sure what problem this new system is supposed to solve that the Scantron model doesn't.
My grandma has shaky hands. She can’t really fill out a scantron. I have no problem with people filling out their own ballots. The pristine filled out and verified by the voter ballot seems harder to spoil than a hand filled out ballot.
My preference is for plenty of machines available to fill out paper ballots, but give voters the option of filling out by hand.
Paper ballots are pretty trivial to cheat too, you’re dependent on the honesty of party officials and poll watchers.
That’s why anyone should be permitted to watch the process from start to finish. Heck, videotape the collection box from the moment it is shown to be empty and sealed till the ballots are retrieved. Videotape the counting process. Do all this in the public square, televised and streamed.
This happens in Ireland. Results are all hand counted with representatives from all parties and public access to watch the counting.
After a vote we get to watch the news go from counting station to station to announce the results.
There are usually a few recounts etc but it rarely takes longer than a day or two and tbh which is more important done right or fast?
It’s also easy to design paper ballots that are really hard to use.
If you live in a place like I do, we’re a one party place where primary elections are the real elections, and you don’t have the competitive pressures that are inherent to a multi-party contest.
We also had a huge upsurge in “write in” votes, as the paper forms are difficult to interpret.
Poll based opscans are (should be) configured to reject spoiled (or unreadable) ballots.
So ballot marking technologies have marginal utility. Expensive fix for a non-problem.
For complying with HAVA mandated accessibility, the Automark is slightly less bad than the others. The only solution which actually fulfilled all the requirements and was preferred by the disabled community is a non-electronic protective ballot sleeve called the Vote-PAD. Alas, it hasn't been available for quite some time. Being cost effective, meaning less pork, it didn't have any champions.
Fortunately, a new ballot marker, twenty years too late, doesn't help with the increasingly fashionable postal balloting, so there's no danger this latest noble effort will have any benefit.
I'd say that the massive investment is necessary because of how uncomplicated this particular system is. Without a large, sprawling, and well-funded project backing it, a simple (and probably far more reliable) solution can lack credibility when compared to more complicated alternatives.
> I hate being outright dismissive but it sounds like an expensive html/pdf form with a printer attached.
I don't think you're being dismissive enough, it's an expensive pencil and paper.
seems like it would be easier to print out thousands of ballots to stuff.
If you have to fill something out by hand, it makes it hard to do this.
Only part I don't care for is the touchscreen.
People consistently overestimate the reliability of that solution, especially for older voters with mobility challenges. Pushbuttons or levers that demand macroscopic elbow/shoulder motion are easier for that demographic to use than sensitive screens requiring fine motor control.
And that's all to say nothing of what happens when the screens become miscalibrated and accept taps a few pixels off. I'm fairly confident most of the "It switched my vote" reports we hear are actually this category of "user-error" (which should really be counted as "machine malfunction").
It is still impossible to submit a vote without personally verifying it or deciding that you don't really care enough to review your choices. A peripheral device is one more thing that can break or be tampered with. The user experience issue is up to them to implement.
In general, getting elderly people, low-income populations and other late adopters of technology to use touchscreens correctly has been much easier than getting people to use a mouse. The mouse is less physically intuitive than "poke the thing you want." For most of us, though, we hardly notice a difference.
I'm a poll worker so I have some experience with the problem. I agree with you that a peripheral is one more thing that can break or be tampered with, and I wouldn't recommend a mouse. Here's what I've observed (at least in the iVotronic systems we use in Pennsylvania):
- since there's only one screen, and it's all touchscreen, users get consistently confused between pictures of buttons describing what the buttons do and the buttons themselves
- the touchscreen is itself a peripheral and prone to wearing out. When it does, the fact it's wearing out is difficult to observe during the election day; there's no cursor indicator, so a poll worker can't check calibration.
- users with fine-motor-coordination issues have to brace against the box to steady themselves to touch the tiny targets they want. There's nowhere to brace against a touchscreen that isn't also touch-sensitive input, and the screens don't accept multi-touch.
A row of buttons along each side of the screen, not unlike the solution used at many ATMs, would ameliorate all these problems. These boxes are already custom hardware jobs, so switching out touchscreens for a couple of button banks would be cheaper, equally usable for most voters, and more usable for mobility-impaired voters. It would improve all three observed problems.
Wishes and horses though; the machines we have are the ones we use.
Buttons around the edge of a screen is also what a fair few plane cockpits do, it’s a common and proven design.
The paper trail is not so wonderful.
What we saw in 2016 was that even if a candidate were to contest a result, none of the election committees were willing to commit to a full hand recount; instead, the only options were to retabulate through the very same tabulation processes and machines that had produced the questionable results in the first place.
Without low barrier to recount by hand, the electronic systems production of paper trails is worthless. Arguably worse than worthless, because it leaves everyone thinking there is a usable backup, when there isn't.
This is absolute hogwash, there are other methods than a full hand recount if you have a paper trail, some of which only require counting a small number of the ballots by hand.
The best example of this is a Risk Limiting Audit (RLA). You only have to re-count a smaller number of ballots until the overwhelming probability is that the vote is confirmed, or that the vote is rejected. Depending on the disparity between the ballot options, this count can actually be very small.
This system is perfect for this kind of an audit -- essentially a ballot marking device written by an organization known for formal verification.
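The sampling idea described in the comment above, as an added example that is not part of the thread and is not code from ColoradoRLA: a two-candidate ballot-polling audit using the BRAVO sequential test, one published RLA method. The ballot boxes, the "W"/"L" labels, the function names and the seed are constructed for illustration.

```python
import math
import random
from collections import Counter


def bravo(drawn_ballots, reported_winner_share, risk_limit=0.05,
          winner="W", loser="L"):
    """Sequential test over paper ballots in the order they were drawn.

    Returns (decision, ballots_examined). The decision is "confirmed" as soon
    as the evidence for the reported winner reaches 1/risk_limit, otherwise
    "full hand count" once the drawn ballots run out.
    """
    if not 0.5 < reported_winner_share < 1.0:
        raise ValueError("reported winner share must be in (0.5, 1)")
    # Work in logs so long samples cannot overflow or underflow.
    step_w = math.log(2 * reported_winner_share)
    step_l = math.log(2 * (1 - reported_winner_share))
    threshold = math.log(1 / risk_limit)
    log_t = 0.0
    examined = 0
    for examined, mark in enumerate(drawn_ballots, start=1):
        if mark == winner:
            log_t += step_w
        elif mark == loser:
            log_t += step_l
        # Undervotes and other marks are examined but carry no evidence.
        if log_t >= threshold:
            return "confirmed", examined
    return "full hand count", examined


def audit_box(ballot_box, reported_winner_share, risk_limit=0.05,
              seed=0, max_draws=None):
    """Draw ballots at random (with replacement) and run the test.

    The seed stands in for publicly generated randomness (an assumption of
    this sketch). If the sample never confirms the result, the audit
    escalates and the hand tally of every ballot is returned.
    """
    rng = random.Random(seed)
    max_draws = len(ballot_box) if max_draws is None else max_draws
    draws = (rng.choice(ballot_box) for _ in range(max_draws))
    decision, n = bravo(draws, reported_winner_share, risk_limit)
    hand_tally = Counter(ballot_box) if decision == "full hand count" else None
    return decision, n, hand_tally


# Constructed ballot boxes (not real election data).
LANDSLIDE = ["W"] * 6000 + ["L"] * 4000   # machines said 60/40, paper agrees
MISCOUNT = ["W"] * 4000 + ["L"] * 6000    # machines said 60/40, paper disagrees

if __name__ == "__main__":
    print("correct result:", audit_box(LANDSLIDE, 0.60)[:2])
    print("wrong result:  ", audit_box(MISCOUNT, 0.60))
    # A narrower reported margin needs more ballots even in the best case.
    print("best case at 52%:", bravo(["W"] * 1000, 0.52))
```

The wider the reported margin, the fewer ballots the test needs; a wrong reported outcome drives the audit toward the full hand count instead of confirming it.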
During the mid aughts, the consensus of the Election Verification Network (EVN) crowd (academics, election administrators, feds) was that audits were no better than manual recounts and just as expensive.
I'll read the paper you linked, but know that it's contrary to the received wisdom, and I'm very skeptical of any claims that auditing elections is feasible or worthwhile. By audit, I mean anything short of a full manual recount.
Okay. I lightly read that paper.
First, it specifically says to only audit the VVPR, meaning the actual ballots, not the VVPAT, which is just what the computer says it recorded. So there might be some miscommunication. I assumed #bdamm was referring to the VVPAT.
Second, the meat of the paper is refinements for calculating the confidence that the official result is correct based on recounting a sample. All of the caveats with audits, not within the scope of this paper, remain the same.
Colorado successfully performed an RLA, and didn't have to recount every ballot. If you really want to read more, Free and Fair (IIRC, the same group bidding on the DARPA grant) has open source software and instructions on how to perform RLAs: https://github.com/FreeAndFair/ColoradoRLA
> none of the election committees were willing to commit to a full hand recount
I don't see how any system can work if nobody is willing to double-check it.
You don't have to recount "by hand". You start with auditing by hand - looking at a sample and seeing if it's accurate. Then you run the original paper ballots through another scanner.
With too low a barrier to recount-by-hand, every election becomes contested because the cost to demand a recount is minimal and the losing candidate might win.
Where's the problem? I've been leaning towards the idea that maybe every election should have a hand count. You can get your electronic count first for the early announcements, but it should be verified by the hand count. What's the downside, just the cost? Seems likely worthwhile to me.
The problem is that the vast majority of elections aren't counted incorrectly, and you're vastly increasing the cost on an under-funded system for no benefit in five-nines of the cases (and the remaining cases can have a recount triggered by one of the candidates, but not at no cost to them).
I fail to see what the downside is of counting every election twice.
Frankly the cost of elections doesn't seem to be a serious problem for any government. They're choosing to fix some roads instead of boosting the quality of elections. Frankly I'll take the election over potholes or whatever else the government is spending money on, because if I can't trust the election, I can't trust the government.
Not sure why hand counting is so difficult. In the UK we hand count elections. It is just a matter of sorting ballot papers into a pile for each candidate. This pile can then be easily checked to make sure that no vote has been mis-recorded.
Sort and stack is pretty good. When done at poll sites, it's fairly manageable (many hands make light work).
In the USA, federal, state, and local contests are all on the same ballot. Where I live, general election ballots have 30+ items.
For manual counting to be feasible, we'd have to split into separate ballots.
Of all the people I've spoken with over the years, there's been no objections to this. But it is a big change and there's been no advocacy.
Having too many races on the same ballot already compromises ballot secrecy, to an extent.
"We want you to vote for Jim Totes-Legitimate for President. But so that we can recognize your ballot paper and we can verify that you voted for him and we don't have to break your kneecaps, please also mark your other ballot races as follows: Fred Also-Ran for First Assistant Flangedoodle, Sheila Plausible for Second Assistant Flangedoodle, Hazel Placeholder for Junior Hog Counsellor."
Browser fingerprinting for ballots -- how many bits of entropy on a long ticket?
Not hard if you've got 10 or so multi-way contests or 20 or so ballot measures.
Which is also why the cryptographic voting systems cannot protect voter privacy. Those systems require hash collisions to hide your ballot in the herd of ballots. But the combination of precinct size and complicated ballots means any particular ballot is utterly unique (no hash collision).
I'd be far more charitable towards crypto advocates if they also specified the conditions required for their system to work correctly.
Similarly, with postal balloting (vote by mail), your ballot is batched (upon receipt), so will be mixed with ballots from other precincts, therefore more easily tied back to its voter.
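The uniqueness point raised in the comments above can be put in numbers. The following is an added example, not part of the thread or of any voting system's code: it computes ballot entropy and the share of voters whose full ballot pattern is one of a kind. The precinct size, vote shares and independence between contests are constructed assumptions.

```python
"""Added illustration: how identifying is a long ballot inside one precinct?"""
import itertools
import math
import random
from collections import Counter


def ballot_entropy_bits(contests):
    """Shannon entropy (bits) of a whole ballot, assuming independent contests.

    `contests` is a list of per-contest vote-share distributions.
    """
    return sum(-sum(p * math.log2(p) for p in dist if p > 0) for dist in contests)


def expected_unique_fraction(contests, voters):
    """Expected share of voters whose complete ballot pattern is unique.

    A voter whose pattern has probability q is unique when none of the other
    (voters - 1) ballots match it, which happens with (1 - q) ** (voters - 1).
    Enumerates every pattern, so keep the number of patterns moderate.
    """
    total = 0.0
    for combo in itertools.product(*contests):
        q = math.prod(combo)
        total += q * (1.0 - q) ** (voters - 1)
    return total


def simulate_anonymity_sets(contests, voters, seed=0):
    """Draw one precinct and measure how well each ballot hides in the crowd.

    Returns (fraction of voters with a unique ballot,
             median anonymity-set size as seen by a voter).
    """
    rng = random.Random(seed)
    ballots = [
        tuple(rng.choices(range(len(dist)), weights=dist)[0] for dist in contests)
        for _ in range(voters)
    ]
    counts = Counter(ballots)
    sizes = sorted(counts[b] for b in ballots)
    unique = sum(1 for size in sizes if size == 1)
    return unique / voters, sizes[len(sizes) // 2]


if __name__ == "__main__":
    VOTERS = 1000  # constructed precinct size, not a figure from the thread
    scenarios = {
        # One two-way race: everyone hides among hundreds of identical ballots.
        "1 race": [[0.52, 0.48]],
        # "10 or so multi-way contests" with lopsided, constructed vote shares.
        "10 three-way contests": [[0.55, 0.35, 0.10]] * 10,
        # "20 or so ballot measures", each a constructed 60/40 split.
        "20 ballot measures": [[0.60, 0.40]] * 20,
    }
    for name, contests in scenarios.items():
        bits = ballot_entropy_bits(contests)
        frac, median = simulate_anonymity_sets(contests, VOTERS, seed=1)
        print(f"{name:22s} entropy={bits:5.1f} bits  "
              f"unique={frac:6.1%}  median anonymity set={median}")
    # Analytic cross-check for the 3**10 = 59049-pattern case.
    print("expected unique share, 10 contests:",
          round(expected_unique_fraction(scenarios["10 three-way contests"], VOTERS), 3))
```

The comparison that matters is between the ballot's entropy and log2 of the number of ballots it is mixed with (about 10 bits for 1000 voters): once the entropy clearly exceeds that, most ballots have an anonymity set of one.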
During one of VVPAT audits I observed, they just switched out the unreadable memory stick.
Best as I can tell, the only thing determined from the audit was that the machines still powered on and the printers worked.
> The first will be a ballot-marking device that uses a touch-screen for voters to make their selections. That system won’t tabulate votes. Instead it will print out a paper ballot marked with the voter’s choices, so voters can review them before depositing them into an optical-scan machine that tabulates the votes.
That seems backwards. Touch screens suck. Why not build a validation machine that voters can feed manually-completed optical scan ballots into, before they go to the tabulator? Clear feedback would help catch incorrectly filled out votes before they're cast, no touch screen required.
The validation machine could have a very clear and user-friendly display, which candidate pictures are large type. That would definitely be easier to verify than a computer-generated optical scan ballot.
"Why not build a validation machine that voters can feed manually-completed optical scan ballots into, before they go to the tabulator?"
That's precisely how poll-based opscans work.
Central count (for postal ballots processing) is necessarily different, because that sanity check cannot be done, so voter intent must be adjudicated when ballots (or individual votes) are unreadable. It's a sausage factory.
> That's precisely how poll-based opscans work.
I know, we have them in my district, but they don't do all the validation I was talking about. I think all that the current machines do is validate that there were no overvotes, etc. I was proposing a separate machine that would let the voter validate that the ballot would be read as they intended.
Ah. Ya, that'd be neat. Thanks.
I think they want to simplify the human interaction as much as possible to eliminate things like hanging chads, misreads due to erasures etc. This also requires less importance on the other human step which is reviewing as there are hopefully fewer errors in the first place
Although I would favor a screen with physical buttons next to it (not like the garbage you see on ATMs and gas pumps though)
> not like the garbage you see on ATMs and gas pumps though
What don't you like about these buttons? As mentioned elsewhere in the comments, this is a proved design that works well for a great number of people. Plus, the elderly / tech averse are likely to already know how it works.
The code should be anonymous, so that it can't be used to trace who made the vote, yet still can be used to verify that it is counted. This way, anyone can verify that their vote was actually counted, so the voting system will be verifiable later on.
If the user can verify their vote, then they can be coerced to verify their vote by, say, their boss, or be bribed into voting a certain way.
Does this system address that concern?
The best thing about it is assuring voter confidence. And this is something I have been looking forward to for years; I hope it will be implemented soon enough.
Close to a billion people are going to vote using this method in a month's time.
>The systems Galois designs won’t be available for sale. But the prototypes it creates will be available for existing voting machine vendors or others to freely adopt and customize without costly licensing fees or the millions of dollars it would take to research and develop a secure system from scratch.
I guess the devil is always in the details. "freely adopt and customize" to me says that the code will not be verifiable or open source anymore? Or that the implementation could be flawed. Open sourcing the code, and then letting commercial entities change it, cut corners, make money, etc seems to be a good way to ensure that all the hard work that went into designing the system is rapidly compromised.
Isn't there a law in the US prohibiting public institutions from competing with private businesses? This may provide a cause for not rolling it out, but rather handing it over to private enterprises for implementation.
Edit: I recall the US having to withdraw from the Human Genome Project because of this as soon as a private enterprise claimed it as a field of business.
No, that’s not true. I’m unaware of such a law and could point to many counter examples. The human genome project was declared “complete”.
Actually, the HGP was on the verge of being scrapped, but then the U.K. came to the rescue with a major investment to make up for the US. If I recall this right, the US enterprise (Celera) wanted to take an algorithmic shortcut in mapping and verifications, by this overtaking the HGP regarding final results in order to provide the data as a paid service. This happened 7 years before the scheduled finalization of the HGP. Eventually, they finished in a tie. (However, this has been some years ago now and I'm not a US citizen.)
I've heard of that too, but I believe that only comes to tax software.
In some other countries they mail you a postcard with how much taxes you owe, but if you have deductions they didn't know about you have to correct it... They wanted a similar system here but the major companies like Intuit and H&R Block lobbied against it...
Adam Ruins Everything talked about this https://youtu.be/Fj4anUL-LvY
California has their own tax software you can use online, although it doesn't cover as many use cases as TurboTax.
Yes, kind of. US Tax-Exempt entities directly engaged in "unrelated business activities" can be subject to "unrelated business income tax" or UBIT at the federal level. But that's unlikely to deter an agency of the federal government which would not be subject to UBIT.
> "impervious to certain kinds of hacking"
guess that about sums it up. it's DARPA after all folks..
When the military is building voting systems you should be a little leery.
DARPA's experimental computer network protocols (Arpanet) seem to be working quite fine these days.
I know DARPA is military, but they contribute so much to general research that it's kinda normal to use their stuff.
The benefit of open source is that it is verifiable by peer review.
I would take an open source and peer reviewed voting system that was originated by the NSA and CIA and every other spook organization over one that was closed-source and hand-coded by Larry Lessig or whomever is your favorite person of integrity.
Galois has a reputation for being one of the most visible and well-known shops associated with Haskell. I'm curious to see what they can accomplish. A little bit of poking showed this coming up -- I definitely wonder if that's around the same direction they'll be taking.
Why does this keep coming up? What is the compelling argument against paper ballots? There is no need for results to be known immediately, so how does making voting an exercise done by computers make anything better, particularly when computers are much more vulnerable to remote interference?
Aren't counting ballots always wrong? Like every time there is a recount the number changes...
What's wrong with electronic ballots? If we can have a secure and audit-able banking system (and every other aspect of our lives), surely we can have the same for voting?
> If we can have a secure and audit-able banking system (and every other aspect of our lives), surely we can have the same for voting?
There's one major requirement in voting systems that throws a huge wrench in everything, anonymity. In order to prevent vote buying and coercion voters can't be tied to specific votes. So any system that allows a person to check that their vote got counted for their candidate isn't workable because that violates the anonymity requirement.
There's a million reasons that votes change as they're counted and recounted. For one in some states absentee ballots can be postmarked up to the day of the election so they can trickle in for a while after the day of. Another is machine breakdowns and just mistakes as the complete numbers are gathered.
The way this (anonymity) is handled in the Estonian system is that votes can be validated out-of-band for 30 minutes after they were cast, then they're locked. Additionally, a voter can overwrite their previous vote at any time during the vote period, so they could always prove their first vote, and then overwrite it privately later.
There are several other major problems with their system, but I think they should at least get credit for their approach.
There's still the voting server where the (voter,vote) pair exists and could be exfiltrated in theory. It does solve the low level organized vote buying/coercion campaigns at least.
The numbers change with electronic ballots too, so again, what's the compelling reason?
Why would they change?
> What's wrong with electronic ballots?
First of all, you can't observe the counting project, and now if somebody wants to mess with the results, it becomes super easy to do so.
Electronic voting is a great opportunity for dictatorship.
Are you saying no one ever messes with the results of paper ballots? There's plenty of dictatorships committing voting fraud as it is.
>Are you saying no one ever messes with the results of paper ballots? There's plenty of dictatorships committing voting fraud as it is.
And we know they do, because it's trivial to observe. Without paper it would be totally opaque, you would just have a raw number and nothing else.
That's the paradox with e-voting/internet voting. You need to verify the voter is who they say they are, but it also has to be completely anonymous. The banks know who you are and what you do with your bank account, you can't have that with voting.
Bank records aren't anonymous, and people are allowed to challenge their individual results, up to and including suing in court.
The US requires that once you leave the polling station you must not be able to prove to anyone how you voted.
Banking doesn't require ballot secrecy.
Because paper ballots increase the cost of manipulating elections.
Ironically the one recent confirmed case of a rigged election in the U.S. was rigged through paper absentee ballots.
This is survivorship bias. Instead:
1. Assume that there are enough high-powered actors to want to rig an election
2. Note that confirmed case of a rigged election happens through paper absentee ballots
3. Note that there are very few known cases of a rigged election happening through electronic voting machines.
4. One probable conclusion is that election rigging is possible and undetectable through electronic voting machines.
Is it really ironic when pretty much all voting is done with paper? Of course the rigged voting would have been through paper ballots when that is what we use.
It’s ironic when I’m responding to someone framing the use of paper ballots as a security feature, yes.
And it was detected.
That's a big part of the advantage of paper ballots. The cost of subversion is high because more people need to be in on any conspiracy to subvert the system. More conspirators means more and more incentive to defect against co-conspirators.
Electronic systems do not scale subversion cost with electorate size. But they do scale the payoff of subversion.
As opposed to many potential others which were electronic and not confirmed/confirmable? Gimme the paper absentee ballot any day.
Not always true. Where I live, small parties have the problem of not being able to allocate sufficient resources to monitor all voting rooms. Then if it happens that only representatives of two of the biggest political parties are observing the counting, strange things can happen (e.g. the small parties not getting any votes).
What's wrong with paper as a technology? Nothing. What's wrong with paper as a proposed solution? Education and public perception.
People who work with computers understand their limitations. But the average person on the street doesn't seem to see them the same way. They think computers equal modernization equal reliability. True or not, if you want the voting system to be a political reality, you'd have to change public opinion, and we've spent more than a decade trying to but haven't gotten that done.
> What is the compelling argument against paper ballots?
To play devil's advocate...
Paper is just a medium. With apologies to Claude Shannon, critical properties of information are best ensured through secure protocols, not by picking a particular medium.
E.g., if the property you want is security, encryption is more provably secure than invisible ink. The properly encrypted message can be stored on paper, radio, magnets, or neurons, it doesn't matter.
The properties we want from ballots are somewhat uncommon and therefore very unintuitive. They are still properties of information. Availability and deniability simultaneously? (So you can personally confirm, but never provably sell your vote).
We could design a cryptographic protocol to meet those unique design goals. But not using paper alone, because the math would be too hard.
Paper appears to guarantee availability and privacy, just as invisible ink appears to guarantee security. In practice, each often falls short. Ballot boxes disappear. Absentee ballots travel through the postal system, which is a bit like blasting one unencrypted UDP packet and hoping for the best. No individual can take their paper ballot and later confirm how it was counted.
You could do these things with electrons though. It would require some fast math, like almost all useful protocols in information theory.
If you could make voting much cheaper and faster, it could be used to decide more things. (If your immediate reaction is "But voting is a terrible way to make decisions!", well, there's considerable evidence in your favor. I think we should be researching collective decision-making a lot more broadly, but voting tech could be one building block.)
In Switzerland the Swiss Post is implementing something similar => my thoughts are very similar to yours (we can even vote by letter, and an electronic vote might in comparison save me at most 5 seconds out of the avg 3 hours of debate with friends and family & reading & watching debates on TV for each round of voting).
The Swiss Post organized recently a public review (with awards to identify bugs - see another older thread on HN) for the software that they'll try to launch.
On one hand the Swiss Post's solution would allow me to actively check if my vote was part of the total, which I think is absolutely fantastic.
On the other hand I did access the source repository of the new potential voting system <with sparkling eyes expecting something "special"> but I didn't even start digging into it as soon as I saw that it was written in Java.
I thought that such a software, which is the foundation to the future of a nation (voting system), would have as its foundation 1) a language that leaves very little room for technical and functional bugs (e.g. something used in the aerospace industry?), 2) would be structured using an extremely well-known-for-its-reliability workflow-engine and 3) was submitted to testing covering basically ALL possible combinations at ALL levels (not just e.g. "10000 cycles of randomness" but all possible input-values, for all layers).
When I saw that it was written in Java (nothing against Java - same thing for e.g. C/C++) I immediately gave up because, even if that SW is made to be absolutely unhackable >>now<<, this won't be true anymore starting from the next releases as the $ and "attention" will inevitably be reduced more and more and the whole tower will start to crumble.
Summarized: I'd like such a system, but I would need it to be implemented in an extremely strict way that is able to survive times of low budgets and/or bad employees and/or bad management and/or of course corruption, which is when coincidentally a stable solution would be needed the most.
I usually (have to) choose between dark- or light-grey when I vote, but in this case, to replace the current system, it's one of the rare occasions for which I would need a "pure white" solution :)
Paper ballots aren't scalable or transparent. Open source hardware and software can be audited by anyone and every one and can be formally verifiable.
> Paper ballots aren't scalable
Paper ballot operational complexity scales linearly with the size of the electorate, which makes them adequately scalable for any practical use. (There's maybe an issue with using paper ballots for some esoteric election methods, because of how operational complexity scales with number of candidates for some type of tallying, but absent a decision that use of one of those methods is desirable that's immaterial.)
> Paper ballots aren't scalable or transparent.
Australia holds elections this way and has done so for a century. Scaling has not been an issue. Neither has transparency.
So is paper. smacks head.
"What is the compelling argument against paper ballots?"
Repudiation, verification etc..
I suggest this technology is part of a 'pro democracy' agenda, as opposed to some kind of existential need within the US.
The tech might ostensibly be destined for S. America, Africa and parts of Asia.
>I suggest this technology is part of a 'pro democracy' agenda
The opposite is true, for example Russian government is actively pushing for electronic voting at the moment. No more videos like this, only the number "your dictator got 70% of people's votes"
Because of the reasons explained in the article - you can verify that your vote was recorded, and you can calculate the total yourself. There's also no need for recounts, it uses less labour and you know the result immediately.
Paper voting isn't perfect.
why can't we just issue paper ballots with a signed sha256 hash?
Title is misleading. This is 3rd party contractor that won an RFP bid to push out hard copy verification of ballot and voter's choice with some "DARPA techniques". Not quite the secure confidential system with data integrity I was hoping for.
> We will show a methodology that could be used by others to build a voting system that is completely secure.
This really feels like a Proof-of-concept or reference architecture, at best.
That said, at least it's progress in the right direction (I Hope). We'll see how it turns out.
"This really feels like a Proof-of-concept or reference architecture, at best."
I think that's DARPA's primary mission, though, isn't it?
I don't believe that putting a price tag on a piece of software legitimizes it for a given use case.
I get this same feeling from posts that say "Product X written in language Y". While I agree that there exists a right programming language for a given task, it is not in itself a reason to use product X.
I use this premise as one of my architectural interview questions- design a voting system.
Having asked it dozens of times, I’ve come to the conclusion that I don’t trust anyone to build a voting system. I like it as a question tho, since it’s open ended enough to really let the candidate focus on the domains interesting to them; scalability, security, data modeling, whatever they want really.
That's a huge leap from "arbitrary candidates can't give a satisfactory answer during an interview" to "I don't trust it can be done."
Do you apply the same test to cryptographic algorithms?
I'm a fan of Galois, so I'll keep tabs on this project.
Agreed. I was about to write this off as a boring project that might go nowhere, but I have a huge confidence that Galois will treat this with the gravitas necessary from a computing and security theory point of view.
It might still go nowhere, but I expect there will be very interesting developments as a result of it.
More information about the idea: https://en.wikipedia.org/wiki/End-to-end_auditable_voting_sy...
Thought experiment: Have, like in aviation, units built of two separate, but parallel architectures designed and built by unrelated, independent manufacturers with software written by independent teams in different languages and deploy them redundantly. (E.g., Airbus does this.) Now you have cranked up the cost for any manipulations to the requirements of successfully attacking two separate architectures in the same realtime timeframe, maybe at several redundant units at once. Leaving the message path. So you're still screwed. (Simply, because the win to cost ratio may be near to infinity. If we have concerns regarding personal messages, how could we possibly guarantee for this one?) Enter the paper trail and printers. – However, does anyone remember the Xerox scanner debacle of misarranged and falsely duplicated data by the compression algorithm, or the debates about Obama's birth certificate (due to image portions duplicated by the compression algorithm)? Things like these went unnoticed for years.
What we may learn from this, a) there's no perfect system involving software, b) if we do not want to invest as much in democracy as we do in shuffling around a few people by aviation, how may we be worth it? Anyway, voting methods shouldn't be about cost reduction.
For those who were perhaps intrigued, as I was--here is a bit more information I found through a cursory search about how Airbus's consensus system works. Interesting stuff. 
Thanks for the complementary links!
Regarding Xerox scanner compression issues, compare this great CCC-talk by David Kriesel, "Traue keinem Scan, den du nicht selbst gefälscht hast" – Sorry, German only.
(Didn't MS's PDF-viewer have similar issues?)
Sounds good. But in practice it's complicated.. In Brazil we have been using electronic voting systems for 20 years. Since then, there's been absolutely NO EVIDENCE of fraud. Specialists are regularly invited to know the code and try to find vulnerabilities (the code wasn't open-sourced, and personally I don't think it should).
And, even so, the losing parties ALWAYS claim there's been some fraud, and a significant part of their respective voters buy such discourse.
There's been turnover of power pretty regularly in most parts, and even this doesn't stop folks from accusing electoral fraud.
Last year, thanks to WhatsApp, the debate's gained special contours. Lots of malicious people shared videos showing fake frauds, which were dismissed after some hours.
There's been also lots of stupid people mistyping into the ballot and screaming around with a camera accusing a fraud.
It was a bit of a mess and things tend to get serious in very tight scores, since there won't be a safe, auditable way of recounting the votes without having to fully believe in the government agency responsible for operating the system.
The system makes the process extremely efficient. We are 100 million voters, voting is mandatory, and we always know the winners within a couple of hours past the end of the voting process. But..
My ideal voting system would allow me to have a real time feed of votes as they come in, so that at the end of the night I can check my records vs the "official" records. Names can be detached, all I need is a Ballot id. BallotId can be something as simple as the hash of RegisteredVoterId + password + Salt + ElectionId.
As long as the voter remembers their password, they can look up their record, and the record can be a fully public record with anonymity.
Your ideal voting system is vulnerable to coercion ("log in and show me who you voted for or else") and phishing.
Voting systems should provide confidence to voters that votes are counted correctly, but not permit anyone, including the voters themselves, to learn how they voted after the ballot is cast.
Yes, thank you. People frequently forget critical lessons from history :p
like republicans are making US voting system horrible so that they could have a chance of winning, that lesson?
how does the current system, or any voting system, prevent coercion? If there's a gun to your head, or some other ultimatum, it seems far too late to be worrying about your vote being shared. Even if votes aren't all logged, you can still be tortured for the answer. I would much rather the country have an individual coercion problem than a mass voting fraud problem.
"Voting systems should [...] not permit anyone, including the voters themselves, to learn how they voted" What could possibly be the benefit of that?
> how does the current system, or any voting system, prevent coercion?
By only allowing you alone into the voting booth, not allowing you to show your ballot to anyone, collecting the ballots in a sealed ballot box that's located in public that anonymizes the votes
> Even if votes aren't all logged, you can still be tortured for the answer.
No, you can't if there is no way for you to prove how you voted.
> I would much rather the country have an individual coercion problem than a mass voting fraud problem.
Why would one have anything to do with the other?
Also, one way to keep a country free from individual coercion problems is by having a reliable election process.
Ok, you put a gun to my head and tell me to vote for Hillary. I go into the ballot box and vote for Trump. I come out and you ask me if I voted Hillary. I say yes, I voted for Hillary, of course.
If there is no possible way for you or me to know (edit: prove) if I'm telling the truth, how is that worth your time and energy? It's not.
The benefit of a secret ballot is that it greatly reduces, if not removes, the incentive for coercion.
Seems like burning an orchard for a few bad apples. Is this really that large of a concern vs voter fraud?
Yes. The U.S. originally did not use secret ballots in federal elections and we switched to them because of widespread coercion.
A durable record that maps votes to voters does not prevent voter fraud, it enables it.
Postal voting allows the same type of fraud, so an electronic system would only be as vulnerable as our current system in this respect.
computers enable easy mass voter fraud... so we need to stay with paper ballot or we need a way to see if our vote is in the total number of votes, coercion aside...
This is how it actually works:
1. Mobster goes in to vote but doesn't put it in the box - he takes the blank ballot paper outside with him.
2. He fills the vote on the ballot and gives it to the coerced voter 1. He expects a blank ballot back, or else. He has his goons watching the voter throw the real ballot in the box, or else.
3. Using the new blank ballot he goes to coerced voter 2, and the cycle continues.
Of course this is hard to scale.
This scheme is prevented by having scrutineers appointed by multiple candidates. Australia does this and it works well.
How would they stop that?
By having dozens of people watching everything except the actual marking of the ballot. Scrutineers are highly motivated: they want to catch the other candidate cheating.
I've been a scrutineer in a polling room. I could watch and challenge anything except the marking of a ballot. And I did. So did other scrutineers. The odds of the mobster keeping a rotating scheme without detection approach zero with great rapidity, especially since staying in the ballot after casting your vote is not permitted.
Yup. In the U.S. they are generally called poll watchers.
Also, a voter who is being intimidated by a mobster could just walk up to a poll worker or police officer and report it.
He wouldn't stay in the ballot - he'd pocket the slip and take it outside...
Returning to my point, which is that he'd need to do this without anyone noticing.
A bit difficult since there are officials watching you put the ballot into the box. Or, gee, that's weird, failing to put the ballot into the box.
Couldn't they put a random piece of paper in the ballot box?
What happens if a white piece of paper is found? Do all the votes in the box get cancelled?
If you really want a secret voting system such that the voter can’t access their own history, then just do not offer the password option. Instead a unique private key is generated, but never distributed to the voter or any other party.
- Key: Encrypted SSN
- Value: Unencrypted Vote
However, I’d personally prefer a system that was fully public. Problems: Social Pressure, Violent/Non-Violent Coercion, Retaliation.
Coercion could be a problem but with enough humans seems unlikely to be effective without the details of the conspiring entity to leak. If there are 10 jurors or a few judges coercion matters because it is easy to cover up. Coercion at scale has never occurred. Coercing any double digit percentage of 300 MM voters through violence or bribes or etc will leak based on the law of large numbers. Conspiracies stop being theories when they are validated by thousands/millions of people.
Social pressure is a bit trickier. It does force any minority voice to reconsider their vote. However, this isn’t different from most of history where a violent or non-violent revolution occurs. Most people lie about their opinion officially but build consensus privately. Until a point where the scale tips and both opinions are appropriate and debatable.
Retaliation is the biggest issue. But we already have some pretty good laws in place around discrimination based on politics. We can improve those, but also as a society we need to get better at debate without retaliation and hiding opinions doesn’t help that societal improvement.
The ballot was not always secret.
It was made secret because all the problems you say aren't important, were very important.
Always fun to see how easy it is to design a system when one can just hand-wave away important constraints.
Laws can prevent coercion, at least by major businesses, but another concern is people selling their votes on a black market. Still, to me, the benefits of an open and verifiable voting system would outweigh the downsides.
I'll take a paper ballot system with electronic counting, thus something that can be verified, over something that leaves people afraid to vote because it's no longer truly anonymous.
I've been around too many women in abusive relationships to feel comfortable with that approach.
A simple secret ballot by paper is both open (anyone can observe the ballot casting and counting) and verifiable (the vote count can be repeated to confirm the totals).
Voters don't need to be able to verify their vote post-election because a) they cast their ballot, so they can just remember who they voted for, and b) they can't change their decision, so there is no need to have a record of it.
Fair enough, this idea came to me before 2016. Post 2016, in this world where people are ready to commit violence purely based off their judgement of your political beliefs, this is a legitimate concern.
as we all know, political violence and coercion did not exist before 2016
Not what I said. It was not obviously a problem to me before the election.
I love voting by mail, but I don't understand how that's legal since you could just coerce someone that way?
Force them to vote by mail, watch them fill out the ballot (or fill it out for them), and mail it in.
Generally all mail in voting systems let you override your vote. If someone coerces you once and you send in another ballot postmarked after the first or go to your polling location in person on election day you can override that vote.
You basically need to hold someone hostage or under total surveillance from when the ballot is mailed to when the polls are closed to avoid them just sending in their actual ballot afterwards.
With an electronic voting system the window of time you have to hold someone hostage is much shorter - simply force their vote an hour before the polls close and then hold them prisoner for the hour.
This is an interesting answer and makes more sense - still possible to do, but harder.
At least here in Denmark mail voting does not just mean that you send your vote by mail.
It means that before the voting date you go to a public office, a consulate in a foreign country, etc., show your ID, go into a voting booth and vote, and they put your vote into an envelope that is sealed and mailed to the voting place.
Or that two appointed volunteers go to, e.g., an assisted living facility and witness residents voting and placing their vote in an envelope that is then sealed and mailed to a voting place.
Voting by mail is indeed vulnerable to fraud, as we saw in North Carolina last election.
When thinking about voting by mail I wouldn't consider North Carolina's system as exemplar, since it is still primarily a polling-place election. Instead, look towards Washington, Oregon, and Colorado which are states where elections are entirely by mail. Evidence of coercion or fraud is low, and engagement is high.
How do we know how many spouses are (or simply feel) compelled to vote a certain way?
I’m not saying fraud is rampant, but there’s no denying the fact that on the individual level fraud and coercion are much easier to achieve when voting is done outside the polling booth.
In many states it is possible to get an absentee ballot for any reason, which allows the same coercion potential but without the convenience of full vote by mail. Forcing voting in person also has a large effect on who actually votes (due to work or other issues getting in the way, which could also include coercion from a spouse who thought you might vote the wrong way or doesn't think you should be able to vote). Presumably people are checking if there are large swings in voting patterns when vote by mail is started that would indicate widespread coercion. Coercion can also be effective in practice even when the actual voting is done in secret.
I wouldn't recommend vote by mail for Mexico, where there is widespread vote buying even with secret ballots, but for the US it seems to me that vote by mail is likely to be more representative and increase the chance that voters will research the candidates as they are voting. No system is perfect so it is a question of what tradeoffs seem to make the most sense for particular situations.
The problem with any voting system that allows you to verify the vote after the fact is that it makes it too easy to coerce someone to vote a certain way.
I can promise you money (or threaten you with violence) to vote a certain way, but you can't follow me into the booth, and no matter how you make me "verify" I can always change the vote between verification and depositing it in the box.
If there is a way to verify after, then I can withhold payment until you verify your vote, or hurt you after I've seen your vote isn't what I wanted. By not allowing after the fact verification, it means that can't happen, and greatly reduces coerced votes.
So as cool as it would be to verify my vote after the fact, it has too many unintended consequences.
Using 'something you know' it's possible to both verify how your vote went and at the same time not allow someone else to know, even if forced.
A simple example would be assigning a random color to each option per person. So blue means Trump for you. Hillary for someone else.
You only need to get people into a booth once, to learn which color is which option.
From there on in, verification is as simple as looking at the color to make sure it's correct. No one else can be sure what the color means.
Same principle can be done on multiple votes, though information will leak. So if you're coerced more than once you'd need to regenerate your colors. So while this solution stops the 'violence' coercion it won't stop 'sale' coercion.
Also the other problem is people will write their colors down or forget them - which is why as you say verification after the fact causes way too many problems.
But there would be no way to know that the colors and their meanings weren't switched in the case you wanted actual verification.
A feature/detriment of per vote verification is that it opens up the entire system to vote buying - are you describing verifying that your vote happened, or who it was cast for?
Not necessarily. Systems that allow you to verify that your vote was included and counted toward the candidate you selected in the booth, but do not allow you to prove to a third party who you voted for, are known, such as Scantegrity.
It sounds like the new system has this feature, and also another key feature of Scantegrity which is that the tallying can be done publicly and independently verified. From the article:
> The optical-scan system will print a receipt with a cryptographic representation of the voter’s choices. After the election, the cryptographic values for all ballots will be published on a web site, where voters can verify that their ballot and votes are among them.
> “That receipt does not permit you to prove anything about how you voted, but does permit you to prove that the system accurately captured your intent and your vote is in the final tally,” Kiniry said.
> Members of the public will also be able to use the cryptographic values to independently tally the votes to verify the election results so that tabulating the votes isn't a closed process solely in the hands of election officials.
> “Any organization [interested in verifying the election results] that hires a moderately smart software engineer [can] write their own tabulator,” Kiniry said. “We fully expect that Common Cause, League of Women Voters and the [political parties] will all have their own tabulators and verifiers.”
Thanks for taking the time to reply, I had not heard of Scantegrity before and it seems like a really novel approach.
In addition to the issues of vote buying described in other comments, you’re also amplifying the spoiler effect to a massive degree with a real time vote feed.
Anyone in later time zones will be less incentivized to vote if they can see the results of all the votes that came before them.
IMHO even exit polling should be outlawed. This day-long televised circus during elections is really damaging to democracy...
How do you validate that there are no 'additional' votes? Why do you require a password? Simply give them an anonymous id when they vote.
I saw value in being able to confirm the public record matches what you did in the booth.
When you vote there would be a record of the registration Id voted for this particular election id. Information that you voted is already available... so this component is not a change to the system really.
Altering your vote after the fact is not the actual problem, though.
Anyone building or designing voting systems should first be familiar with the concept of _software independence_.
It's an extremely important and useful concept, and should form the basis of the first question (or one of the first) asked of any voting system provider.
Max Kaye from the Flux party has been building a blockchain based one here https://github.com/voteflux/THE-APP
It's open source and it's actually got a sound philosophy behind it. It's near completion and hopefully it'll change the way we vote globally (not just in Aus)
Maybe they'll succeed where Switzerland has just recently failed: https://www.technologyreview.com/the-download/613107/a-major...
This amazing talk by Ben Adida is really relevant. He has worked on solving voting for a long time now and does a great job here of breaking down some of the salient parts of the problem.
I have the impression that Ben Adida is no longer advocating cryptographic voting technologies. Which is encouraging.
My design uses paper and pen.
Deployment requires mailing ballots out and having places where people can come in to fill them out.
10 million dollars please.
How well does it work for people with motor disabilities? Vision disabilities? Does an X mean a choice or they crossed out their choice? What happens when the pens run out of ink? What if they can’t read English?
Helpers? What do you pay them? Can they understand that dialect of that obscure language? Do you trust them not to lie about what they’re marking on the ballot for someone?
The truth is electronic voting machines have upsides. Having the system fill out the ballot which the voter then hands in seems like an almost ideal use to me. It’s totally verifiable but can help many people who wouldn’t be able to vote without help.
Australia scales pen and paper up to tens of millions of ballots cast in one day. These problems have all been solved before and don't need machines to introduce much worse ones.
> Do you trust them not to lie about what they’re marking on the ballot for someone?
Do we really think that a large conspiracy of translators for obscure languages is a viable attack?
I was thinking more when helping the visually impaired.
Don't care, my system is still better.
Your system is stupid.
Yes, but it's less stupid than the alternatives.
No, more stupid.
I legitimately don't understand what's the invention here. If all you're trying to do is avoiding having an invalid or ambiguous ballot and you print out a paper copy anyway, why invest 10 million into a new system instead of just using some bog standard computer + printer?
If you're going to get the physical ballot anyway what's the point?
Systems consisting entirely of pen/paper and manual counters with oversight by the parties, where sufficient engagement in the community provides the volunteer manpower to oversee the election, are impervious to electronic interference.
How is that better than whatever we have now?
The pens in poor neighborhoods have ink.
homeless people can’t under this system
Surely it doesn't cost $10m to build a secure ballot form. Existing solutions have had so many obvious flaws that it seemed like e-voting companies weren't actually interested in accurately counting votes. They really need 50+ people to make a checkbox form and print the result?
Secure hardware sounds like the wrong idea, I think. I think the correct idea will be something more similar to block chains. A system where the security of the system lies in the ability for anyone to make a copy of the voting data at any point in time. So there will be multiple copies of the voting data, owned both by the authorities and by ordinary people.
If the authorities try to tamper with the central copy of the voting data, it will be checked by the multiple copies owned by the general public.
I think that's the general idea one should pursue. Not "secure hardware".
 - https://js1k.com/
> Have there been any competitions to make an open source, highly scalable and verifiable anti-tampering voting system
Yes, for thousands of years. The result is called the paper ballot.
You cannot have a verifiable anti-tampering voting system using computers. You need verifiability by the general public. Auditing a microchip is not something members of the general public know how to do, and in any case, it destroys the chip, so it's kinda useless anyway.
Are those tamper proof? I recall some engineers testifying before congress about specifically making paper ballot systems that were designed to allow altering results. DieBold I think? I don't have a link handy, but it seems that is just as fallible.
Or do you mean hand written ballots? Does anyone still use those?
And yeah, the digital ones have been hacked at DefCon by children. (their parents taught them how to hack the devices, so I guess that is cheating)
Maybe throw in some Blockchain or did I use a BS Bingo term?
In the UK, ballots are still done with pen and paper. You put a cross in one of the labelled squares and fold the paper, then drop it into the ballot box.
Also, while the guidelines say it has to be a cross, it could be any clear mark (though best not to risk it), as someone drew a rude symbol in a square and it was counted as a vote! (https://www.bbc.co.uk/news/magazine-32693485)
> Or do you mean hand written ballots? Does anyone still use those?
Yes. The constitutional court of Germany ruled that electronic voting is essentially illegal in Germany due to all the inherent flaws, so all elections are done with pen and paper, ballot boxes, and manual counting.
That's very impressive.
> Does anyone still use those?
Most of the world's leading democracies.
The USA is actually the outlier.
Not to sound overly cynical but open source isn't a panacea. Yes, it adds transparency. That's a positive. But that doesn't ensure it'll work.
As for secure, if it's connected to the internet, then it's always going to be a target.
It seems to me, that - if voting integrity is priority #1 - a return to traditional analogue voting should be given strong consideration.
Now if only they would introduce something like Single Transferable Vote (entertaining CGPGrey video: https://www.youtube.com/watch?v=l8XOZJkozfI), or another more effective voting system.
Probably won't happen though, as it would seriously shake up politics as we know it.
Could this be a useful application of blockchain?
Can you elaborate? It seems each vote would be harder to tamper if blockchain is applied. (or some other techniques chaining data together to be verified)
Could be a good application of hash chaining as it has existed since the 80’s. Block chains wouldn’t add much value over that here, however.
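Hash chaining as raised in the comment above, shown as an added example that is not part of the thread and not the DARPA/Galois design: each log entry commits to the digest of the one before it, and an observer who saved an earlier head digest can detect both in-place edits and a full, internally consistent rewrite. The record format, ballot ids and function names are assumptions made for illustration.

```python
import copy
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64  # "previous digest" used for the first entry


def entry_digest(prev_digest, record):
    """SHA-256 over the previous digest plus a canonical encoding of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(bytes.fromhex(prev_digest) + payload).hexdigest()


def build_chain(records):
    """Append-only log: every entry commits to everything before it."""
    chain, prev = [], GENESIS
    for record in records:
        digest = entry_digest(prev, record)
        chain.append({"record": record, "prev": prev, "digest": digest})
        prev = digest
    return chain


def checkpoint(chain):
    """What an observer keeps: the current length and head digest."""
    return (len(chain), chain[-1]["digest"] if chain else GENESIS)


def verify_chain(chain, saved=None):
    """Return (ok, reason). `saved` is an observer's earlier checkpoint."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev:
            return (False, f"entry {i}: link to previous entry is broken")
        if entry_digest(prev, entry["record"]) != entry["digest"]:
            return (False, f"entry {i}: record does not match its digest")
        prev = entry["digest"]
    if saved is not None:
        length, digest = saved
        if length > len(chain):
            return (False, "log is shorter than the saved checkpoint")
        at_checkpoint = chain[length - 1]["digest"] if length else GENESIS
        if at_checkpoint != digest:
            return (False, "history before the saved checkpoint was rewritten")
    return (True, "ok")


def tally(chain):
    """Independent recount straight from the published log."""
    return Counter(entry["record"]["choice"] for entry in chain)


# Constructed sample records (hypothetical ballot ids and choices).
SAMPLE = [
    {"ballot_id": "b-001", "choice": "A"},
    {"ballot_id": "b-002", "choice": "B"},
    {"ballot_id": "b-003", "choice": "B"},
    {"ballot_id": "b-004", "choice": "A"},
]


def demo():
    saved = checkpoint(build_chain(SAMPLE[:3]))  # observer copies the head early
    chain = build_chain(SAMPLE)                  # log then grows honestly
    honest = verify_chain(chain, saved)

    # Case 1: one record is edited in place, digests left untouched.
    edited = copy.deepcopy(chain)
    edited[1]["record"]["choice"] = "A"
    in_place = verify_chain(edited)

    # Case 2: the whole log is recomputed after the edit. It is internally
    # consistent, so only the observer's saved checkpoint exposes it.
    records = copy.deepcopy(SAMPLE)
    records[1]["choice"] = "A"
    rewritten = build_chain(records)
    return honest, in_place, verify_chain(rewritten), verify_chain(rewritten, saved)


if __name__ == "__main__":
    for result in demo():
        print(result)
```

A chain also fixes the order of entries, so a ballot log built this way would have to append records in an order unrelated to when each voter cast them.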
> Members of the public will also be able to use the cryptographic values to independently tally the votes to verify the election results so that tabulating the votes isn't a closed process solely in the hands of election officials.
This sounds like they are using homomorphic encryption?
Thank god. Now this is a good investment. They should be getting 10x that budget though.
Finally. I've been saying this for years, as I'm sure others have.
Secure voting system... right... I wonder how this will unfold... =/
I doubt it can fix https://en.m.wikipedia.org/wiki/Electoral_fraud
Ironic that an Oregon-based company is fixing voting machines, when Oregon has a paper-based vote-by-mail system that has encountered few problems.
> allow voters to verify that their votes were recorded accurately
This sounds like it means it's no longer a secret vote and voters can be bribed or blackmailed to vote a particular way.
Only if the voter is allowed to keep the receipt. The system could require voters to put the paper in a box before they leave like we do now.
Bad DARPA. Any centralized control is corrupting. You need analog and decentralized to make cheating costly to pull off.
Software is perfectible, skinware is not. As long as corruptible human beings are in charge, there will be room for fraud.
Skinware writes the software.
(Is "skinware" the new "wetware?")
You're right, but that doesn't mean it's a waste of time to design systems more resilient to the human element.
A corrupt human being can change one vote, or a few hundred if they're very industrious, in a paper ballot system. A corrupt human being can change every vote in an electronic ballot system. I would rather use the system where fraud is difficult and expensive and low-impact.
Corruptible humans will always be in charge, until Terminator. The question is, how much corruption are we willing to put up with, how would we know it is happening, and how robust are the apparatus for correcting those abuses?
Can anyone attest to this new system's engagement or possible effects on blockchain technology?
Good news. An Agora voting system's fork powered by SGX/TrustZone and verified by Cryptol?
You know what has the best paper trail?
Every now and again you realize that US government actually does a lot of stuff right.
For a good chuckle, search Youtube for Diebold voting machines. LOL.
Allowing everyone to verify that their vote was counted as they intend is a start, but....I'm not saying it has to use block chain, but for its veracity to actually be openly verifiable, the voting ledger has to be publicly visible.
Votes can't be public. Leads to coercion.
Say goodbye to democracy wherever electronic voting is rolled out.
If there are decent identity foundations, then we have a repudiation benefit here which is better than what we have now.
In places where elections are fabricated, this might help quite a lot.
It won't make a difference in well functioning countries.
You still have paper ballots - with audits.
Those audits are only triggered when the vote counts are close enough, within a certain margin.
Since whoever controls or hacks the machines gets to set the vote counts, the audit only happens if they want it to.
In California we audit 1% of all ballots, regardless of the outcome.
What does that prove?
Your electronic voting machine could completely tell you the truth about every ballot you ask it about, but lie about the total.
Because we count an entire precinct and check the totals. We don't just ask it what it got for individual ballots.
But think of the children!
Everyday someone trying to "fix democracy"
$10M sounds like spare change for DARPA?
Nothing beats paper.
Open source, open hardware? What a joke. Neither are resistant to chip/compiler level attacks such as https://www.schneier.com/blog/archives/2018/03/adding_backdo... and https://www.win.tue.nl/~aeb/linux/hh/thompson/trust.html
That's all assuming the voting machine is actually running the software/hardware they tell you - how would a voter check?
The article briefly mentions "That receipt does not permit you to prove anything about how you voted, but does permit you to prove that the system accurately captured your intent and your vote is in the final tally,". But if that receipt doesn't let you prove anything about how you voted, how can you tell from it that your vote was captured 'correctly'? The machine can print anything on the receipt!
Then there is the question - what problem is e-voting trying to solve? Hand-counting scales perfectly and is extremely difficult to covertly tamper with. So the only 'problem' e-voting solves is that of being unable to covertly and fully subvert elections.
> That's all assuming the voting machine is actually running the software/hardware they tell you - how would a voter check?
Have dedicated hardware compute a hash from the content of program ROM on demand with a button press and present it on an auxiliary 7-segment display. Compare against the hash of the vetted image. No software need be involved.
At some point in the process, machines will be used for tabulation. You have to trust the hardware to some extent. Just keep it as simple as possible to minimize confounding complexity that an attacker can hide in.
> Have dedicated hardware compute a hash from the content of program ROM
How do you check the circuit of that hardware?
How do you know the ROM you are reading is the ROM the CPU is executing from?
How do you know the CPU is the architecture you think it is and the program means what you think it means?
> You have to trust the hardware to some extent.
No, you don't, and you shouldn't. You can do all of that calculation by hand. And at the very least you can check a random selection by hand.
> Just keep it as simple as possible to minimize confounding complexity that an attacker can hide in.
In other words: Don't use electronics. You can't get simpler than pen and paper.
If the compiler was compromised, how do you know the vetted image is correct? If the hardware was compromised, then the software will still hash to the correct value. And once the attacker knows where you're getting the dedicated hardware for the hash, he can compromise that as well.
And the entire system relies on the people implementing it to not have been compromised. Because if they were, if the government itself compromised the machines, the voters could never tell. How good is a voting system that only works if your government is honest?
I think it's unfair to say there is no point in e-voting besides malice.
e-Voting could make it easier / cheaper to deploy polling stations, collect ballots faster, and potentially to use more complex (but more fair and accurate) voting methods like Ranked Choice or others.
As for the "We won't tell you how you voted but you can validate it", my first guess would be some kind of PKI where you are given the equivalent of a private key, and your results are signed.
There are issues trusting hardware vs. trusting the sight of paper and two humans, I get that. But it's worth researching.
> e-Voting could make it easier / cheaper to deploy polling stations, collect ballots faster, and potentially to use more complex (but more fair and accurate) voting methods like Ranked Choice or others.
In Australia we use IRV (what you call ranked-choice) and we don't have any forms of electronic voting for federal elections, and the overwhelming majority of votes cast in state elections are paper ballots (which are hand-filled). You don't need e-Voting to solve that problem.
Your votes are still probably counted by a computer. In San Francisco, we use optical scan ballots. This system is very similar. It prints out a ballot that you validate and feed into an optical scan machine. Marking the ballot is electronic, which allows for more language choices, assistance for hearing impaired people, etc.
> Your votes are still probably counted by a computer.
They are not. The count is done thrice, by hand, under supervision by scrutineers appointed by candidates.
It works very well.
Maybe not for IRV specifically, though it would arguably be easier anyway.
There are more esoteric (see, mathematically dependent) voting systems that meet the Condorcet criterion.
Sure, but computer vote tallying and e-Voting are not the same thing.
> But it's worth researching.
Yet they keep pushing for half-baked insecure systems long before any of this research has been finished.
Do you want it looked at, or not? You make no point. You get mad about the research, then get mad about some wanting to do it without enough research.
Is your point that we should never, for the rest of time, investigate the use of electronics for secure voting?
I'm sorry if this comes off as a bit hostile, but did you read at least the title of the article? "DARPA is building", not researching.
The content of the article reflected this - mostly about actually making a system, very little about research on the math behind secure voting on untrusted hardware. It's clear they want to use this.
I'm sorry, do you know what the acronym D.A.R.P.A. stands for, or that they explicitly stated they aren't the production implementer of any such system? Do you know what the network you're throwing packets at is based on?
Anything that relies on secure hardware/software is broken, since those are impossible to assure. The only part that can actually guarantee secure voting is everything that's outside the hardware. Things like cryptographic signatures, hashes, paper trails, whatever. Things that don't rely on the black box you're presented with when you vote to work how you think it works.
Researching that doesn't require a prototype. So why are they building one? As a first step to using a voting system based on it. This isn't 'research', it's propaganda to sell the idea that hardware can be secure. They'll give it to Defcon or whoever, and once they fix all the weaknesses hackers can find, they'll triumphantly declare it's 'secure', and that we can switch to e-voting, and not to worry our pretty little heads about chip/compiler-level backdoors, or if the builders of the system themselves subvert it.
They can state they won't be the implementer of such systems all they like, that doesn't change the intent of this program - to push e-voting reliant on 'secure' hardware.
DARPA isn't a voting system end user, and things built by DARPA tend to be proof-of-concept things that explore the possibility space and help later users set requirements for follow-on procurement.
I know it is being beaten to death, but a major issue with voting is the counting part. The counting is where the fraud is being perpetrated (and no, I'm not so naive to think it doesn't happen). Seattle. Minneapolis. Milwaukee. Detroit. Philadelphia. Broward County. And those are just recent examples.
I think there is counting fraud from sea to shining sea. What are we going to do to make the vote counters less able to rig the vote and cease "finding" boxes of absentee ballots or whatever at the last minute with 99% precincts reporting?
With voting systems the hardware implementation should be both open source and open to investigation by the public throughout its lifecycle (from manufacturing to operation).
castles and pitchforks is better
The Republicans will never allow this
Relephant xkcd in the room : https://xkcd.com/927/
What I truly don’t understand is why we can’t vote with our phones in this age
Because you cannot verify your phone is not compromised at either a software or hardware level.
You would need independently verifiable hardware and all software running on a closed system (ie, no third party modifications to running software which would mean at most a trusted sandbox for other applications outside the proven path) to be able to trust it to reliably take your vote.
That's on the order of correctness provability that NASA puts into launch vehicles but NASA doesn't have to contend with hostile actors seeking to undermine their software and hardware.
TL;DR: hardware security, software security, authentication of voters, and the tech literacy of the average person.
Because now instead of securing centralized voting locations and machines you somehow have to create perfectly secure software running on your Aunt Flourence's machine with 51 tool bars and 3 different bot nets installed and also make sure she can use it properly and securely. Oh also now you're accepting votes as bits over the internet giving nation states probably the juiciest target and the widest possible attack surface (see securing every voters computer).
Even using something like the IME and secure enclaves to take the computation outside the range of your average exploit it's still vulnerable to attack.
Then even if you've perfectly secured the hardware and software you're just left with the largest login/key infrastructure problem of all time with the average voter having to understand how to not be tricked into not actually using your secured software and hardware environment...