Programmer under oath admits computers rig elections (youtube.com)
84 points by ConceitedCode on April 21, 2013 | 71 comments


Don't trust computers for voting. Bits are easy to tamper with, especially when the populace doesn't know shit about computers (and rightfully so).

You can envision a system as complicated as you want, but it'll always have some sort of flaw because, well, bits are bits. I've had this discussion with many people and the same solutions arise again and again... but most are useless.

You could get the source code for the voting program... what if your compiler is backdoored? You could compile the compiler yourself, with which compiler? The backdoored one?

And even if the compiler is trustworthy... who's guaranteeing that the real binary is installed on the machine? You could download it onto a USB drive and check yourself, or get a hash from the machine, but... how can you be sure the machine is reporting the binary that's actually running and not just a fake reply? Could you trust the reported MD5/downloaded binary from the machine?

Easy! - you say - You could upload the binary yourself to the machine! But how would you be sure you're running the uploaded binary and not a fake one?

And what if any of the machines in between are rigged?

Then cryptoguys come in: you could digitally sign your vote (forget secrecy) with a state-issued certificate (we have those in Spain with our NID). Maybe encrypt it so that only the far end could read it. You'd then check if your vote's been cast fine online. But how'd you be sure you got the real result?

Once the data left the machine you have to trust that everything's fine on the receiving end. What if the vote count just ignores votes and just does whatever it wants?

And the worst of all... how's your granny supposed to check it herself?

There are some advanced cryptographic techniques relevant to e-voting (some are quite clever), but even the best cryptographers will tell you: do not trust electronic voting!

My advice is: stick with pen and paper! It's easy to tamper with too, but more people know how it works and it's easy to see the inner workings compared to bits over the wire.


Verifying that the right binary was uploaded is solving the wrong problem. Who cares what the source code claims to do? We care about what it actually does.

Real cryptographic voting systems use verifiable protocols. You don't trust the machine, you force it to follow a protocol that involves proving its actions are correct at every step.

You can verify basically everything except destruction of information (i.e. there's no way to prove with cryptography that a video camera didn't record the voter).

Video with an example of a verifiable voting protocol: http://www.youtube.com/watch?v=ZDnShu5V99s


Yeah, it was just a tour of the most common flawed arguments in favor of e-voting. I just got tired and stopped somewhere (you can see I got a bit into secure protocols instead of secure programs).

Last time I checked, the protocols had several drawbacks (including the "destruction" problem, vulnerability to collusion, etc.). Maybe I missed good protocols? Could you please point me to good papers? (A video is too slow and hard to skim over.)

Thanks! I'll check the video ASAP and report back if I have questions!


I don't know enough to point you at good protocols. The video covers basically all I know, and it's five years old.

I mainly commented to remind people that computer voting systems don't have to be glorified counters. You can actually use their strengths (crypto), instead of only inheriting their weaknesses (malleability).


You are right that it is not about the software. I think you are wrong thinking that it is about the protocol.

It probably should be about the data. The data should be openly available to everyone.

But there are some requirements to the data that make this tricky (understatement).

With the data in your hand it should be possible to independently verify the results. It should be possible to individually verify that your vote is somehow in there. But it should NOT be possible to link votes to individuals, it should be completely anonymous.

This is not a problem that is likely to be solved by software engineers. If there is a solution, it is in crypto and math more than software.

I do think this is an important problem to solve. It would enable the ultimate democratization. Instead of voting for representatives it would become feasible to directly vote on issues by referendum. If tech is about anything, it's about democratization and cutting out the middle man.


Actually this is a trivial problem to solve (as an engineer who knows a tad bit of cryptography).


Maybe with some bitcoin technology, with a voting blockchain that protects against double voting, where everyone can verify their own vote's integrity but still remain anonymous to everyone else.


I would take the approach of broadcasting the vote to several monitors. When you place a vote you get a confirmation number. That vote is then uploaded to N third parties that later verify that they all got the same votes. Then the voter could go online, type in this special ID and verification code and see that indeed his vote was counted as voted.

This doesn't mean that you couldn't or shouldn't have a paper trail as well. As long as you have a single end-point, then yes, the issues you brought up are valid.


Cryptography for voting is super easy: each voter submits a secret prime number with the ballot, and then the product of all such numbers is published together with the vote. It's as secret as factorization, and everybody can check if their vote has been counted.


Does this stop multiple votes by the same person? Votes by imaginary people? Does this stop keeping your secret prime number but discarding or changing your vote?

Super easy, you should go shopping.


No, it also does not cure cancer and does not ensure world peace. It only ensures that one can prove they voted, and makes re-counting possible if needed.


Well, the grandparent's comment isn't asking if your scheme cures cancer and ensures world peace. Instead they're asking if your scheme is at least as secure as other current cryptographic voting protocols out there, the answer to which is "no."

If this problem were so trivial, then I think some of the big names in crypto would not have wasted their time on studying solutions. As it is, though, I don't think there are any convincing arguments for why this problem is "trivial." Instead, there's a laundry list of properties you want a good voting protocol to have, and developing a cryptographically secure protocol that satisfies those properties is highly nontrivial.


This scheme is more secure than paper ballots, which are advocated as better than the current cryptographic protocols, whichever they are. Better in the sense that every property of paper ballots can also be applied to the prime multiplication, plus it allows verification that you cannot have with paper ballots.

My opponent did not question particular properties of this scheme but instead went off on a tangent about properties which none of the current voting methods has. Hence, she or he could as well request a cancer cure.


I think you meant "everybody can check if their prime has been counted".

Unless you know how to use this huge product of primes to verify that votes have been counted correctly.


If we know all the primes issued by voters we can verify everything. It's a problem of splitting a set of primes between two disjoint sets. Knowing the product of both sets defines pretty much everything you want to know about them (including the fact that the sets are not disjoint or have members other than from the original set).
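An added worked example (not any commenter's code) of the secret-prime scheme proposed above and the verification claimed for it: each voter submits a secret prime, each candidate's published result is the product of the primes of the voters who chose that candidate, a voter checks inclusion by divisibility, and an auditor who knows the full set of issued primes can recount and detect primes used twice or smuggled in. The voters, primes and candidates are constructed for the demo; it also shows the limit raised in the thread, namely that a prime moved from one candidate to another is visible only to that voter.

```python
"""Secret-prime tally scheme from the thread, as an added demo (not the
commenter's code). Voters, primes and candidates are constructed."""
from math import gcd
from typing import Dict, List

# Constructed ballots: voter's secret prime -> candidate chosen.
# Real deployments would use large random primes; these are small for readability.
BALLOTS: Dict[int, str] = {
    1000003: "A",
    1000033: "A",
    1000037: "B",
    1000039: "A",
    1000081: "B",
    1000099: "B",
}


def tally(ballots: Dict[int, str]) -> Dict[str, int]:
    """Publish one integer per candidate: the product of that candidate's primes.
    This dictionary is the only thing the public sees."""
    published: Dict[str, int] = {}
    for prime, candidate in ballots.items():
        published[candidate] = published.get(candidate, 1) * prime
    return published


def voter_check(published: Dict[str, int], my_prime: int, my_choice: str) -> bool:
    """A voter needs only their own prime: is it a factor of my candidate's product?"""
    return published.get(my_choice, 1) % my_prime == 0


def audit(published: Dict[str, int], issued: List[int]) -> dict:
    """Checks available to an auditor who knows every issued prime.
    disjoint:    no prime counted for two different candidates (pairwise gcd == 1)
    no_repeats:  no prime counted twice for the same candidate
    only_issued: after dividing out issued primes nothing is left over, i.e. no
                 foreign factor was multiplied in
    counts:      the recount obtained by trial division over the issued primes
    """
    products = list(published.values())
    disjoint = all(
        gcd(products[i], products[j]) == 1
        for i in range(len(products))
        for j in range(i + 1, len(products))
    )
    no_repeats = True
    only_issued = True
    counts: Dict[str, int] = {}
    for candidate, product in published.items():
        remainder = product
        count = 0
        for prime in issued:
            multiplicity = 0
            while remainder % prime == 0:
                remainder //= prime
                multiplicity += 1
            if multiplicity > 1:
                no_repeats = False
            count += multiplicity
        if remainder != 1:  # a factor that no voter was issued
            only_issued = False
        counts[candidate] = count
    return {"disjoint": disjoint, "no_repeats": no_repeats,
            "only_issued": only_issued, "counts": counts}


if __name__ == "__main__":
    public = tally(BALLOTS)
    issued = list(BALLOTS)
    print(public)
    print(audit(public, issued))
    # Moving one voter's prime from A to B passes the audit; only that voter notices.
    moved = {"A": public["A"] // 1000039, "B": public["B"] * 1000039}
    print(voter_check(moved, 1000039, "A"), audit(moved, issued))
```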


Mostly agree, but paper ballots are expensive to administer and count and we currently don't like to spend very much on our elections. Also, you still need a system for the disabled that ideally also preserves secrecy - not everyone can hold a pen.


Coming from a country with sane election practices, paper ballots don't cost anything but volunteer time to operate and there is no barrier to participating. On accessibility, we have printed papers each with a name on them that we secretly stuff inside an envelope. A blind person who didn't get Braille papers or prepare their envelope on their own can ask the officials (multiple volunteers from a plurality of parties) to read the papers for them so that they can remember the order.


I prefer trusted to cheap (and I certainly hope everyone else does). Of course the government prefers cheap, but it probably prefers tamperable too :P

Good call about the disabled. What are the current systems doing for them?


Secure, anonymous voting for the disabled is a big reason we have so many electronic voting machines. It was a big part of the Help America Vote Act. There are many vendors with solutions. The AutoMark is a popular one -- it can enlarge type or even read you the choices and let you make a selection by blowing in a tube.


And the contracts for these machines are what, cheap? I'd be interested to see a source for the contention that paper's actually more expensive -- not saying you're wrong, but I'd have guessed paper is cheaper with all of the volunteer labor involved.


The great thing about this comment is our security measures stop like 2 or 3 levels before even reaching the point you're describing as insecure. Like the people involved even know what an MD5 is?


I'm utterly opposed to electronic ballots. No touchscreens, no email voting, no internet voting. Elections with electronic ballots (records) cannot be audited. Nor can the voter's privacy be protected. [1]

That said, in my opinion, Clint Curtis is not a credible witness. What he claims is certainly plausible. But he doesn't have the technical chops to pull it off.

For something more reality-based, check out voteraction's lawsuit in New Mexico. http://voteraction.org/legalaction

VoterAction proved that Kerry won NM in 2004. What happened in NM certainly happened elsewhere. Especially Ohio, which had so much going on in so many directions, there's no way to summarize other than to say "death by a thousand cuts".

Briefly, in NM, Spanish-language touchscreens did not count votes cast for Kerry. Further, "faulty" storage devices (memory cards) were sent back to vendor HQ to be fixed, totally mooting the chain of custody, etc.

The whole election integrity thing is like jumping down the rabbit hole. Things are so ridiculous, it's hard to believe. And when you try to explain to people what's happened, you're dismissed as a "sweaty paranoid kook" (that's a quote).

Speaking for myself, I used to think that I mail my ballot and it gets counted, what could be more simple? The more I learned, the more my confidence was shaken.

I could go on and on and on about this topic...

[1] Yes, I've studied the crypto proposals. They're included. Briefly, crypto schemes rely on a secure one-way hash to hide your ballot in the herd of ballots. Alas, US elections are administered per precinct (1-1000 voters) and typically have a dozen or more issues per ballot. Meaning combinatorially there's no way to hide an individual's ballot. Crypto works for simple ballots with thousands of voters.


Electronic ballots, well implemented (in the open) and well administered would actually be the absolutely most secure and tamper-proof system at the local level, because the computer has no inherent reason to miscount, unlike the people who volunteer to be poll workers who are often the most partisan voters of all.

Of course such a system will never be implemented because doing so requires the cooperation of those in power including those who stand to lose from such a change, so it is in the pile of things like real lobby reform that just about every citizen (who isn't a lobbyist or directly benefiting from the corruption) can agree should happen but never will.


In Russia, there are ballot boxes that automatically count ballots. No fancy technology here - they just scan the ballot, detect the mark position, and at the end of election day these ballot boxes just print the resulting report.

These ballot boxes are installed at some small percentage of polling stations (like 5% or 10% - I don't remember the exact number). But statistical analysis shows that electoral fraud is committed considerably less often at such polling stations. I don't know whether it is actually more difficult to cheat at such stations (at least there is a physical limitation - you can't put in more than one ballot at a time, because each needs to be scanned - as opposed to a normal ballot box where you can easily put in 10-20 ballots at once), or whether they decided to install such automated boxes at polling stations where they had no intention to commit fraud. But my point is: 1) "Paper voting" is no guarantee of fair elections. 2) Sometimes "hi-tech" may even help you, if you use it properly.

You make a fair point about electronic voting (and I wholeheartedly agree with you), but it looks like you overestimate the reliability of old-fashioned methods.

To summarize, I'm calling you "not-enough-paranoid kook". :)


I believe you're describing the mark sense style ballot scanners. Because you still have a paper ballot, they are not electronic ballots. (Apologies for not being more clear.)

http://homepage.cs.uiowa.edu/~jones/voting/optical/

I agree with your point, and would only add that the consensus among the election integrity experts is that poll-based ballot scanners which tally onsite immediately after the polls close are the most correct answer. This system has the lowest error rate. It is the easiest to audit (e.g. conduct a manual recount). Tampering with the results would be the most difficult (largest attack surface area).

The crucial trait of paper ballots cast and tabulated at poll sites is that such a system CAN be done correctly. Meaning enable the public vote count while ensuring the secret ballot. No electronic ballot system can make those guarantees, under any circumstances.

PS- I worked as a poll judge and poll inspector for a handful of elections. The jurisdiction where I reside had the same system as you described. It worked fabulously well. It was cheap. We've since moved to all postal ballots (vote by mail). Central count is a sausage factory. I fought against the transition, lost but was able to get some concessions, such as improved accounting (ballot processing) procedures.


There are cryptographic voting protocols that don't use combinatorial approaches like the one you describe.


Neither the description nor the first few minutes of the video state what Court or tribunal or committee or whatever this testimony is for, nor when it is taking place, nor what other witnesses might have testified that contradicted this witness.

Without that context, this is pretty meaningless.

Several comments so far have discussed ways to improve voting. Good cryptographers have already solved this problem. See http://scantegrity.org


I am Jack's complete lack of surprise.

I think a startup to fix voting would actually be really cool (anyone here doing that already?), although I imagine it would be fraught with danger.

I think we need to step back to first principles here. In an ideal voting system, we need two properties:

1.) The vote must be anonymous (to remove the possibility of persecution)

2.) There has to be some way to detect if a vote has been tampered with.

Here's the thing... we can solve BOTH those problems with common cryptographic algorithms. Problem #1 can be solved with a hashed identity, problem #2 can be solved with a checksum.

Right now we try to solve that with a "paper trail". That's one solution, but it's very problematic. First, you're putting a lot of trust in the people doing the counting. Second, we can't trace those pieces of paper back to people to ask them "is this really who you voted for?"

I'm not claiming these are /easy/ problems to solve. There are a lot of considerations. But I will claim that we already have the required cryptographic toolset to make it possible, and that simple counting machines are entirely inadequate.


Paper ballots satisfy both of those properties. What problem are computerised ballots trying to solve? I've seen cost mentioned but haven't seen any evidence that it's cheaper. I imagine that it's mostly about getting the election results faster but is that really a goal of an election? Speed over accuracy?


You can get the speed of e-voting with paper ballots if you tally up the totals twice: once with a scanner when the ballot is put in the box (appropriate design of ballot and box required, of course), so you get immediate digital results, and once with manual counting to give the vote legal standing. The fact that only a manually counted result would have legal standing ensures nobody will see the point in tampering with the digital counter.

I would agree that there's no reason to have e-voting instead of paper ballots. The only possible excuse I might imagine for e-voting is that it lets people vote from home which enfranchises more voters, but that would just lead to a wave of vote selling so...


Accessibility is one area where paper ballots perform very poorly.

The Help America Vote Act, which spurred much of this new voting technology, specifically says voting places and ballots should be accessible to voters with disabilities such as the blind. This is very hard to accomplish in a secure, protected way without a machine. Some polling places have paper ballots for most, and machines reserved for the disabled.


Here was the strongest argument yet, explicitly made, for open source code.


That's not enough. You'd be trusting the compiler, the build environment, and believing that the hardware runs the binary code you expect. Tampering with the hardware is demonstrably easy, there are plenty of reports of people reflashing Diebold machines.


Cryptography is only useful if you trust the receiving end (which I don't and you shouldn't).


You're thinking of a very limited subset of cryptography (I assume: ciphers).

As a counter-example of having to trust the receiving end, consider zero knowledge proofs [1]. Even if you don't trust the prover, you become convinced of what they're trying to prove to you (if it's true).

The basic trick to proper cryptographic voting machines is zero-knowledge-proving that they are working correctly. Any tampering, whether it be in the source code or at the hardware level, will either not affect the tally or break the zero knowledge proofs.

1: http://en.wikipedia.org/wiki/Zero-knowledge_proof


Most protocols I saw did let you verify your own vote, but how can you check others' votes without knowing what they voted? You can't, and >90% of people wouldn't even know how to check their own votes.

Everybody understands paper voting and there are several (more or less) trustworthy protocols for paper-based vote count.

Maybe I'm pessimistic, but I can't picture a near future where the populace understands computers enough to be able to trust e-voting.


You don't check who they voted for. You check that their encrypted vote is well-formed and was included in the encrypted tally.

All the 'did I vote for the person I tried to vote for?' happens either in the voting booth, or by choosing unused ballots to audit at random.


But how can you check that their encrypted vote is not tampered with even if it's well formed? I can craft "virtual individuals" which replace the real people voting and you wouldn't even notice. The vote is cast and well-formed, it's just not their vote.

If vote is secret you just know that someone voted X. Who is that someone? Is he even real?

Since we need secrecy we need to know X, but not who is "someone", so we're blind there.


Every encrypted vote is linked to a voter registration. As with the current system, you can determine if someone has voted but not who they voted for.

If you can't prevent fake voters from registering, you've failed before the election even begins.

(Yes, this does allow you to coerce people with known preferences into not voting in order to affect the result. This issue, and many others, are discussed in the video.)


Care to share your thoughts on my idea: https://news.ycombinator.com/item?id=5586480 ?


What you need is memory that can't be rewritten that will show any tampering. Paper does this cheaply and easily.


This wasn't news then, why is it news now?

Less is demanded of our voting system than of our ATM system. The irony is that it is the same system. People vote with their money every day. Western democracy is realized through the market system on a national level. Locally it is still intact as a function of voting ballots and money.

Governance is largely about the use of limited resources and less about civil liberties. Civil liberties are largely a function of popular majority and politicians just reflect the popular opinion of the day.


"We the People" don't actually vote for the President, this is reserved for the "Electoral College."

The only "people" who "vote with their money" are the corporate interests, as most of us are far too poor to do to so.

I highly doubt that the current domestic surveillance program is a reflection of the popular opinion, nor do I believe that drone attacks on the other side of the world are supported by the majority of the populace.


Voting has radically different requirements than withdrawing money because of ballot secrecy.


I've had the following idea for a while and was wondering if anyone can point out the flaw:

Imagine a system where every individual has their own public/private key pair (backed by tying it to their SSN). You then have two SQL tables:

    CREATE TABLE voterVote (
        id           INT,
        category     VARCHAR(255),
        vote         VARCHAR(255),
        PRIMARY KEY (id,category)
    );

    CREATE TABLE voterVoteId (
        voter_id     INT PRIMARY KEY,
        voter_city   VARCHAR(255),
        vote_id      INT FOREIGN KEY REFERENCES voterVote(id)
    );

Both tables are published. The one thing I forgot to mention though is that the vote_id is encrypted with the user's public key. This way any individual voter can check that his vote is what it should be, and people on the whole can check that votes were tallied properly. Furthermore, we don't need to worry about hacking compilers, etc. because this can be done on the internet. The last thing we need to worry about is that the machine is lying to people when they go to check their vote. The only solution to this is to have the code which decrypts the person's row in voterVoteId open source, but still, since the protocol is open source and the data is open source, we can bet that there exists one honest person to build a tool to check. One more thing: how can we tell that extra rows weren't added to voterVote? We can check that the number of people in a city matches the number of keys issued to every person in that city (which again is backed by SSN).

This will probably fail miserably at something simple I've overlooked, but it was fun to dream up :)


Some people don't vote, so you can't assume that if the number of votes is lower than the number of citizens then there was no fraud.

Furthermore, voters shouldn't be able to prove how they voted - otherwise somebody could pay people who can prove having voted for him or threaten people who can't.


> voters shouldn't be able to prove how they voted

Hmm, that's interesting. I never thought about that.


It fails because it's not actually anonymous; the government knows with cryptographic certainty how you voted.


Why would the government have your private key? All they need is your public one.


That's a 2011 video. Did it change anything at all in the last 2 years?


I actually believe this testimony is from the mid 2000s (Tom Feeney was in congress from 2003-2009).

While in the video Mr. Curtis has a point that voting code should be reviewed by independent experts... even if the code has been vetted there could be code injection through the operating system or compiler, however unlikely. And that's not even considering anything malicious with the network or databases. There are simply too many moving parts in electronic voting for it to ever ensure 100% honesty. Possibly making it law to require a hand count of all receipts/ballots to ensure a match would catch the fraud afterwards, when time is no longer such a factor. Or better yet, running paper ballots through two separate electronic voting systems for each voter and comparing counts.

But to answer your question, no I don't believe anything has been done.


This video is ancient. I think it came out shortly after the 2004 election.


For anybody who is interested in the concept of verifiable voting protocols, and a real-life election applying them: I am currently working on the front end of such an application, with the election to be held in November 2014 for our state election.

We are working with academics in Surrey, UK, and elsewhere on the cryptography and verifiability of the election. So I can't answer any of the hard questions, but can point you at some of the documentation that Surrey has developed, shown below.

Using Pret a Voter in Victorian State elections http://epubs.surrey.ac.uk/726039/1/EVT.pdf

Software Design for VEC vVote System http://www.computing.surrey.ac.uk/personal/st/S.Schneider/pa...


Very simple solution to the problem:

When you vote, you get a piece of paper saying your name, your vote, voter-id, and the machine's salt.

Whenever a vote is counted, it is added to a public website of HASHES. Thus anybody can verify the totals.

If anybody's recorded vote on the website (taken by hashing their info) doesn't match their receipt, fraud is caught (thus removing votes or changing votes isn't possible). Also, if I didn't vote or am dead, and my info is entered, we can verify no tally appears for my hash.

If the hashes don't match up with all the registered voters via registration forms, then votes have been added. Thus in order to add fake votes, fake voter registration forms must be filled out manually [leaving a paper trail to catch the perpetrator].
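An added worked example (not the commenter's code) of the receipt-and-public-hash-list scheme just described: the voter keeps a paper receipt with name, voter id, vote and the machine's salt, and the public site lists hashes of exactly those fields. Assumed for the demo: SHA-256 over a canonical JSON encoding, a site that stores each hash next to the vote it counts (so totals can be summed), and constructed names, ids and salt.

```python
"""Receipt / public hash list scheme from the thread, as an added demo (not the
commenter's code). Hash function, encoding and board layout are assumptions;
all names, ids and the salt are constructed."""
import hashlib
import json
from typing import Dict, List, Optional

CANDIDATES: List[str] = ["Alice", "Bob", "Carol"]  # constructed choices


def receipt_hash(name: str, voter_id: int, vote: str, salt: str) -> str:
    """Hash the receipt fields in a fixed, canonical encoding."""
    payload = json.dumps([name, voter_id, vote, salt], separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


def record_vote(board: Dict[str, str], name: str, voter_id: int,
                vote: str, salt: str) -> dict:
    """Machine side: publish hash -> vote and hand back the paper receipt."""
    board[receipt_hash(name, voter_id, vote, salt)] = vote
    return {"name": name, "voter_id": voter_id, "vote": vote, "salt": salt}


def verify_receipt(board: Dict[str, str], receipt: dict) -> bool:
    """Voter side: recompute the hash and confirm the site counts it for my vote.
    A removed entry or a changed vote both make this fail."""
    h = receipt_hash(receipt["name"], receipt["voter_id"],
                     receipt["vote"], receipt["salt"])
    return board.get(h) == receipt["vote"]


def totals(board: Dict[str, str], candidates: List[str]) -> Dict[str, int]:
    """Anyone can sum the published list."""
    result = {c: 0 for c in candidates}
    for vote in board.values():
        result[vote] = result.get(vote, 0) + 1
    return result


def find_entry(board: Dict[str, str], name: str, voter_id: int, salt: str,
               candidates: List[str]) -> Optional[str]:
    """A non-voter checks that nothing was cast in their name by trying every
    possible vote. Note this needs only name, id and salt: anyone holding those
    fields learns the vote the same way, which is the secrecy problem the
    replies point out about the receipt."""
    for c in candidates:
        if receipt_hash(name, voter_id, c, salt) in board:
            return c
    return None


def within_registration(board: Dict[str, str], registered: int) -> bool:
    """More published entries than registered voters means votes were added."""
    return len(board) <= registered


if __name__ == "__main__":
    board: Dict[str, str] = {}
    salt = "machine-07-salt"  # constructed per-machine salt
    receipt = record_vote(board, "Ann Voter", 1001, "Alice", salt)
    print(verify_receipt(board, receipt), totals(board, CANDIDATES))
    print(find_entry(board, "Cy Voter", 1003, salt, CANDIDATES))
```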


"your name, your vote"

Then your boss threatens to fire you unless you give him/her a copy of this paper such that he/she can verify that you voted how he/she told you to.


Check out the other videos posted by 91177info on YouTube. A huge variety of paranoid fantasies mixed in with lots of half-truths. Their focus seems to be pro-Iran and anti-US and Israel propaganda.

Also it would be nice to know what the forum was where these statements were being made. Just because they are in a fancy looking room does not indicate it is actually meaningful that the statements are "under oath".

That said, you can definitely rig almost any large-scale election. There are just too many ways to attack the process. In theory computers could help make elections more reliable, but in practice they just add new and powerful ways to attack the process.


Doesn't surprise me in the least. Where money is, there is fraud, and where there is fraud, there is money. The US has plenty of both.

The problem is, how can we as programmers/IT field guys react when we are e.g. coerced into rigging systems?


> how can we as programmers/IT field guys react when we are e.g. coerced into rigging systems

Refuse?


Forward the request to the nearest newspaper too.


I believe this is the kind of request that's usually delivered verbally only.


In the US, people have mortgages on houses to pay etc., so refusing might not be an option.


So in essence, financial security beats doing "the right thing", is that what you're saying?


I am not sure what I'd do, given I had a family to take care of and a house to pay-up-or-else, and I hope I will never be faced with such a decision.


Well that I can understand (I have a family to consider), but I'd like to think I'd be moral/insane enough to raise the stinky pinky at the request.


Make it only work per bad request until Election Day? An anti logic bomb, I'm sure there's a better word for that.


Actually, especially given the fact that US organizations regularly step over the boundaries of the law: What would you do when a government agency orders you to rig stuff and threatens you with judicial problems for disclosure or non-compliance?


Thank God nothing like this happened in Venezuela.


As soon as you use something you did not make yourself, your project could theoretically be compromised. This ranges from drivers, compilers, OSs, hardware, to the text editor you wrote anything and everything with. In the real world, we can protect things with a reasonable expectation of security. We can't exactly have a CCTV camera watch an incredibly small count of bits tamper with every other one in countless server closets and data centers, but we can have CCTV cameras watch an unscrupulous public servant write some extra ballots and put them in a box to be sent to DC (or wherever else).


I get the feeling that this guy isn't trustworthy. He starts by saying that he was directly told to build software to fix the election. Then he says that he 'thought' he was told to see if it was possible to build software to fix the election, then finding out that he was supposed to actually build it.


Can anyone tell me what precautions the election officers are taking so that this does not happen again?

I also saw Hacking Democracy[1] recently, which is about the 2004 elections.

[1] http://en.wikipedia.org/wiki/Hacking_Democracy


Interesting individual. Wiki on Clint Curtis: http://en.wikipedia.org/wiki/Clint_Curtis.
