
Being open source is a very good idea, but it doesn't mean the software that's actually loaded into the machines isn't compromised.

The way to minimize the risk of that is to have two voting machines, with independently developed software in each. Then see if the two produce the same result.

What's important for voting confidence is having the count be auditable, which is much more important than having the machines be secure. After all, banks learned how to do that with money long ago. Banking software has been compromised in the past, but the audit ability catches it.



The problem isn't in the technology, the problem is with people. The idea of voting is that 2 groups with opposing views agree on a compromise - a fair set of rules that determines which side won. So if the losing side is convinced that they've lost fair and square, they will focus on a better campaign next time, rather than on starting a revolt.

Except for the past half-a-decade the media is increasingly pitting people against each other. Each side considers their rivals evil or crazy and is not ready to respect their opinion, listen or compromise. This creates incentives to cheat and legitimate reasons to suspect cheating. No matter what algorithmic or organizational approach you take, there will always be a human factor, and hence reason for doubt. And the only way to resolve it is to make sure that you can always recheck the results in a way that satisfies the losing party, rather than screaming "blasphemy" to shut them up.


That's why you need a process so transparent there is no possible suspicion of cheating. Software is exactly the opposite of transparency. Paper ballots opened locally and counted publicly is the only solution.


IIRC that is basically what Ukraine did last election to avoid tampering by the Russians


The damage is done. Currently I don't think there are ways to convince people that vote results are legit, short of eliminating secrecy and having every single person put their preference on a record that can be accessed anytime from anywhere. That however has its pros and cons, and is considered anti democratic.


I think the only way to improve things is to have a representative based system. Local community picks a rep, sends them to a higher level meeting, all the chosen reps pick a rep from among them to send to the next level, repeat and scale the number of layers as needed. Then there’s no mystery because everyone at each level knows who they agreed to send to represent them. Your party should just be your literal party, your local community.

This whole top-down thing where powerful established groups that already have their own agenda tell you and your neighbors that you can only choose between a few of their chosen people to represent you has got to go, the agenda should be your agenda, the rep should be your rep. This is totally doable, repeal the 17th amendment for starters. Add more meeting houses next, counties/districts can have their own house that each elect the state Congress, etc, micro-service distributed architecture!


This was how the US Constitution was designed by the smart people, before various idiots screwed it up with the 17th Amendment and Permanent Apportionment Act. Your US representative was supposed to represent about ~30,000 people and your state representatives even fewer than that. Now each representative represents close to a million.


So glad to see others calling-out the Permanent Apportionment Act. Maybe it made sense in a world without communications technology, but today we're able to scale to the numbers needed to support that ratio of representatives:constituents.


Would the House be more or less effective if there were 10,000+ representatives to meet the 30,000:1 ratio in the original Constitutional setup?


More, because the House is not a deliberative body. Reps could stay in their districts and just vote online.


The episode "Power To The People" in the satirical comedy Yes Prime Minister deals with exactly this. It also looks at the trade-offs, which explains why this will almost certainly not actually happen. Well worth a watch :-)

https://archive.org/details/yes-prime-minister-power-to-the-...


Can't this system work:

- You publish a public list of randomly generated numbers/IDs (the number of IDs corresponding to the number of eligible voters, guess you need a reasonably accurate census data for this)

- Divide up into subsets and distribute these IDs to each voting booth.

- When you go to vote you draw one of those numbers and attach it to your vote.

- Election results are published as "ID X voted for Y".

Now everyone can check that their vote was counted, and everyone can check that the original list of IDs matches the final results (or in reality, count(final list) < count(original list) since not everyone votes).


The problem is that people still won’t trust it.


This is an open ballot, which has its own set of problems like vote buying and voter intimidation.


Nobody but you would know your id though.


Anybody trying to intimidate you or buy your vote could demand you prove you voted correctly by giving your number.


These things may seem farfetched, but happen very often in certain parts of the world.

Here very recently the Federal Road Administration was caught stopping buses in regions where the left leaning presidential candidate had the strongest support. We also had a few tens of cases where business owners were discussing strategies on how to get their employees to vote for the right-wing candidate, and some strategies depended on breaking the law by taking your smartphone to the voting booths and taking a picture (breaking the law in the process).


.. in a country where many people think ¼ is bigger than ⅓.

Seriously. We are talking about people who would claim rain is not wet, while it pours down their face if it was somehow helping them "owning" the other side. No clever system is going to fix people not wanting democracy anymore.

This is an issue of decades of uncontrolled "news" media and a lack of education and the US is going to harvest the fruit of that neglect for the next decades at least.

It might be my education about the roots of fascism that I got by growing up within the borders of former Nazi Germany, but US democracy is in an extremely dangerous spot right now. The specific mixture of economic pressures, media bubbles, lack of education, corrupt political actors and processes and split culture is a volatile explosive mix.


It is anti-democratic to have open ballots, because then people are not free to vote their conscience.


If votes are on the public record it becomes too easy to directly buy or even coerce votes from people.


Placing the blame on "the media" over the last five years is not really correct. People have been undermining basic election rights and processes for quite a while and while both parties engage in it the right is far more active and devious in gerrymandering, eroding legal protections, etc. Trust in government in general is low but elections have been quite fairly run and provably so to a reasonable doubter. But doubters have been given free rein to be unreasonable, hence they doubt the auditors, and the auditors of the auditors, all the way up. Losing fair and square is no longer something many people think is possible for their party.

The media has covered this with varying effect but we hardly conjured it into existence. In fact the media can barely keep the lights on, let alone fund the lawsuits, "grassroots" redistricting efforts, organized disinfo campaigns, etc that have shaped politics at the state level — including anti-media campaigns that paint the elite mainstream media as the authors of the present electoral crisis.


Auditable is the key.

However I actually advocate for fully manual, several-humans-in-the-loop counting as it's been done forever and is still done in many other first world countries.

That and scrupulous chain-of-trust on the actual ballots is , in my opinion, the only truly safe way.


Exactly. The problems in the US run way deeper than just the technicalities of voting. Both sides have been trying to bend the processes and rules their way for decades. Gerrymandering, campaign financing, elaborate propaganda campaigns, special interest lobbying (including by companies making voting machines), foreign interference (e.g. https://www.themoscowtimes.com/2022/11/07/putin-linked-busin...), etc.

There is no basis for trust here that parties are even trying to play by the rules. They are actively using every trick known to them to gain an advantage and the financial stakes are high enough for people to look the other way given enough plausible deniability.

So, start with making the voting process as transparent as possible and just go back to counting votes manually. It won't solve all the issues but it will reduce the endless bickering about who actually won the votes that were issued.


I believe the generally accepted way of solving this problem is to do Risk Limiting Audits of the system; randomly sample districts, and then manually recount until you're confident to X sigma that the results are correct (or, if the audit diverges, you trigger a full manual recount). Citation: https://verifiedvoting.org/audits/whatisrla/

There's a recent report that goes into a lot of details on the various improvements that should be prioritized in the current system: https://nap.nationalacademies.org/catalog/25120/securing-the....
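A ballot-polling risk-limiting audit, as an added example that is not part of the comment above or of the linked reports. It implements the BRAVO-style sequential test for a two-candidate contest: the reported winner's share s_w of the winner+loser ballots sets the per-ballot multiplier, each sampled paper ballot updates a likelihood ratio T, and the audit confirms once T reaches 1/alpha or escalates to a full hand count when the sample budget runs out. Candidate labels, the seed, the 60/40 reported tally and the two paper stacks are constructed for the demo.

```python
"""Ballot-polling risk-limiting audit (BRAVO-style sequential test).

Added example. Labels "W" and "L" stand for the reported winner and the
reported loser; anything else (blank, write-in) does not move the test.
alpha is the risk limit: the probability that a wrong reported outcome
is confirmed instead of being sent to a full hand count.
"""
import random
from typing import Iterable


def bravo_audit(reported_w: int, reported_l: int, draws: Iterable[str],
                alpha: float = 0.05) -> dict:
    """Consume sampled ballots until the outcome is confirmed or the draws run out."""
    if reported_w <= reported_l:
        raise ValueError("the reported winner must lead the reported loser")
    s_w = reported_w / (reported_w + reported_l)   # reported winner share
    threshold = 1.0 / alpha
    t, n = 1.0, 0
    for ballot in draws:
        n += 1
        if ballot == "W":
            t *= s_w / 0.5          # a winner ballot is more likely under the reported result
        elif ballot == "L":
            t *= (1.0 - s_w) / 0.5  # a loser ballot is less likely under it
        if t >= threshold:
            return {"outcome": "confirmed", "draws": n, "statistic": t}
    # Sample budget exhausted without reaching the threshold: escalate.
    return {"outcome": "full_hand_count", "draws": n, "statistic": t}


def sample_ballots(paper_ballots, seed: int, max_draws: int):
    """Random draws with replacement from the physical stack (seeded for reproducibility)."""
    rng = random.Random(seed)
    for _ in range(max_draws):
        yield rng.choice(paper_ballots)


if __name__ == "__main__":
    # Constructed stacks: machine reported 6000 W / 4000 L in both cases.
    honest_paper = ["W"] * 6000 + ["L"] * 4000   # paper agrees with the report
    lying_paper = ["W"] * 4000 + ["L"] * 6000    # paper contradicts the report
    for label, stack in (("honest", honest_paper), ("lying", lying_paper)):
        draws = sample_ballots(stack, seed=1, max_draws=len(stack))
        print(label, bravo_audit(6000, 4000, draws))
```

With a reported 60/40 split the multipliers are 1.2 and 0.8, so seventeen straight winner ballots are enough to confirm at alpha = 0.05 (1.2^17 is about 22), while a paper stack that really favours the loser drives T toward zero and the audit ends in a hand count rather than a confirmation.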


Banks don't randomly apply banking controls to check for fraud, they do it for all the money flows.

The original idea of double entry bookkeeping was to:

1. catch errors

2. make fraud much more difficult

It's been in continuous use since the 13th century. It works. The reason it works is because an error, to remain undetected, requires a matching error somewhere else.

That's what "balancing the books" means.


This is a terrific idea.

For voting in the USA to be like banking, with matching credits and debits, some changes must first be made.

Every eligible voter must be issued a ballot. Prerequisite is automatic universal voter registration.

Every ballot must be fully marked. No under votes.

Every issued ballot must be cast. aka Compulsory voting.

You have my full support for your "voting like banking" reform.


I like double-entry bookkeeping as much as the next guy. But your proposal isn't double-entry (which requires every ledger entry to net out to zero), it's more akin to aerospace/NASA style redundant control systems where you have independent implementations that must agree with each other for their output to be propagated.

Redundant control is a great system if you need to provide realtime output with high correctness requirements (though for this of course three implementations is better than two as you can discard one faulty output and continue with the quorum output).

In elections, we don't need to provide real-time control; in the happy path the random audits don't add an unreasonable delay, and when they do find a discrepancy we're fine to wait a week or two if needed for a full hand count.

Another reason why banking/accounting is a poor analogy: in banking, you don't have anonymity requirements. Each transaction is tied out to a known individual (even more granular than that really); you can do double-entry bookkeeping because you know which accounts to debit and credit for each transaction, and maintain the accounting invariant that all accounts sum to zero. In voting, we have strict anonymity requirements, so there's no equivalent "debit Alice's account of a vote, and credit Candidate Bob's account" operation, and there is no equivalent to "netting the voting accounts to zero" that I can see.

Another way of thinking about this is the RLA is simply a different approach to provide your second implementation of a vote tallying machine. It's an implementation that uses manual (human) counting, and for pragmatic cost/time reasons doesn't count every vote, just enough votes to get statistical confidence that the result is correct. And, if you have two machine implementations, who's to say that everyone will trust one of them? You still need to solve "trusting trust" for each one, and while it's harder to subvert two systems, there's no reason it's impossible. Whereas I think it's a lot easier to produce a human-powered vote counting system that is transparent and trustable by virtue of its simplicity.

Down the road I'd be happy to put a second vote tallying machine in place to provide better assurance of the initial counts (and I'd love to stop using closed-source private implementations), but I think it's important to be pragmatic here and focus on the best ROI steps, and I think implementing RLAs and abolishing DREs are two of the very-high ROI items we should be focusing on first. Adding RLAs to all states would be a much better improvement than adding a second open-source machine tabulator to all states.


Right, we’re not dealing with banks here. Ultimately we’re picking between N alternatives. The size of the gap between them doesn’t really matter, as long as it preserves the correct ordering of winners. Given that, using statistics to reduce your work is a completely reasonable efficiency here.


Ballots can be kept track of, just like dollar bills can be. It's not rocket science.


I don't really understand why we are always stuck in the past on things like this. 155 million votes, spread out over thousands of polling stations is a minuscule number. Why not have each voting station digitally scan/print every ballot cast, and then once the stations close - upload everything to a centralized and publicly accessible server organized by station and their reported polling result. If anybody wants to do a recount, they can - to whatever degree of confidence, and using whatever method they prefer.

One might still make claims of ballot stuffing or exclusion, but there would be literally zero doubt that the count itself was accurate.


Have a look at the links I shared above, particularly https://verifiedvoting.org/votingequipment/ for a quick summary; it gives some analysis of different voting equipment and concerns thereof.

In particular, purely-digital systems are widely regarded to be too vulnerable to hacking to be safe. What you're describing sounds like DRE with VVPAT, which isn't considered to be a secure option, though it's better than DRE without VVPAT since as you note you can in principle audit it. (However, note that most jurisdictions don't yet do RLAs to randomly audit, so right now digitizing, even with VVPAT, could weaken the system.)

I think the basic idea here is -- if paper is secure and will be your fallback, and digital is insecure, you should just build your process to be optimized for paper-first, rather than digital-first. Digitizing as you suggest doesn't really gain anything over paper (except perhaps reporting provisional results faster, but you'd still need to do a risk-limiting audit to verify that your digital votes didn't get hacked so this might be a wash), but it does add more attack surfaces along the chain of custody.

Ultimately, paper is a very robust solution to the problem of making the system hard to subvert at scale; you can think of it as a sort of "proof of work", where it would be extremely difficult for, say, Russia, or the DNC / RNC to tamper with large quantities of ballots across the nation. Compare that robustness with a digital system, where IF it works you have the same properties... but around here we all know that almost all digital systems can be owned by a persistent enough adversary.

If you're willing to relax some of the requirements around refutability, there are some interesting e-voting schemes, for example you can do some cool stuff with homomorphic encryption like https://github.com/microsoft/electionguard/. But there is something to be said for having a tallying algorithm like "count the pieces of paper" that doesn't require a PhD to understand.


Perhaps I phrased it poorly. When I refer to "scanning", I mean as in making an image of a physical source, as in a digital scanner, not scanning as in processing data.

The idea is to create a publicly accessible collection of an image of every single ballot, organized by the station from which they were collected. This can then be manually cross referenced, by anybody, against the reported vote count and result.

And yes, digital only ballots would pose a major problem here and in general.


That will likely deanonymize the ballots. Might be solvable by using stamps instead of handwriting.


The concern because of this is reasonable: identification would allow voter coercion or vote buying. But I think there are two issues with this concern. The first is that our current system doesn't prevent this. Bringing recording equipment into voting booths is not allowed, but in practice has 0 enforcement or enforceability since many (most?) locations offer shielded voting booths that even include privacy curtains.

The other practical issue with this concern is that buying or coercion would need to be of substantial scale, centralized, advertised, involve traceable transactions, and so on. And this is a criminal felony so the consequences for a leak are substantial. Ultimately, it just does not seem like a realistic attack vector.

So in many ways, I would consider this a feature more than a bug. You can personally verify that your ballot did indeed get counted (at least if you're willing to dig through thousands of ballots looking for your 'secret code') without allowing anybody else to see how you voted.


The current system does make this expensive. Making the ballots public will effectively make the votes public once some student posts a model on github.


To be clear, you do mean makes the voters public right? Because the whole idea of this suggestion is precisely to make the votes public. And I do agree that, within hours, there would be models developed to effectively parse the ballots and help detect any discrepancy - something the current centralized operators just can't seem to manage.

The problem is if the people casting the ballots can be identified by third parties. And in this regard, I don't understand what you mean or if that is what you are even talking about.


People casting ballots will be identified by anyone with an AWS account, yes. The location of the vote and the handwritten checkmark are likely enough to identify the voter.


Give people a ticket and a hole punch. Most polling places are schools so I'm sure we can come up with enough hole punches.


I prefer to think in ratios rather than absolute numbers. If the whole country is voting then that’s a lot of votes, but it’s also a lot of manual labor made available to run the vote.

A counter can get through 10,000 single issue ballots in a four hour hand count. If an election has 10 issues then, on average, one person can count a thousand votes.

One in every thousand people employed for two days' work every two years doesn't sound unreasonable, especially when there's one state or local government employee for every ten voters: https://www.statista.com/statistics/204535/number-of-governm...


There have been various proposals to publish all the records after an election has been certified. Which is always shot down on the basis of voter privacy (protecting the secret ballot).


A fundamental limitation of RLAs is that they don't follow the ballot chain of custody, only the counting procedure. So if you have an old-fashioned political machine with dead people voting or people in nursing homes being scammed out of their votes it will not appear in RLAs.


Technology strangely enough doesn't solve voting — if there are publicly available machines, you can't verify what is actually run there; if they are some decentralized crypto-based "smart contract" you lose the ability to refrain from voting (e.g. an aggressive husband can make his wife vote as he pleases, while with the traditional approach she can just go inside and say that she voted, while it's truly up to her what she does).

I think paper votes with people who count votes (getting representation from every party, as well as volunteers) is a fair and okay system — it’s not like it will scale. The problem is parties (their very limited number, and tendency to find small, often unimportant differences and use “us vs them” against us), electorates and that humans are dumb as a whole. Not sure how to solve these.


Paper voting has scaled for many decades, in many countries just fine by being decentralised.


The way to minimize the risk is to not use voting machines.


The insistence of pro-machines is tiring. There is no argument in favor, in France with <5% voting machines, we know who’s the president with 95% certainty at 20:00:02 through television (through surveys, of course). So the argument “but it’s a big country!” doesn’t stand - France is already 67m.

OTOH, if I were a foreign power intent on falsifying an american election, I’d push as hard as I can for voting machines.


Same situation in Germany. Polls close at 18:00 and 18:01 everybody knows the general results. It will only change by ~0.1% over the next 1-2 days and only really matters if a party is close to the 5% hurdle.


This is a novel take on the problem of election integrity.

Auditing in elections is called a full manual recount.

Verification in elections is the phrase for inspecting the hardware, software, processes, results. Which is probably why election integrity focused orgs have names like Election Verification Network and Verified Voting.

You did say "confidence", which is the correct framing, rather than "trust".

Much like our Constitution, confidence in our elections is built on "an orgy of mistrust", eg I watch you and you watch me, and when ultimately all the participants abide by the final results.

Which is moot when one party's platform is to reject the results, regardless of objective reality.

I don't have a clue how to address the cultural, sociological, and realpolitik parts of our country's current discord wrt election integrity. Though I do know there's no technical fix. Perhaps someday that party's voters will stop rewarding such belligerence.


> The way to minimize the risk of that is to have two voting machines, with independently developed software in each. Then see if the two produce the same result.

How could this possibly work, without having the precise same votes entered into each machine (an impossible to guarantee prerequisite)?


That particular device pictured is a scanner. https://npr.brightspotcdn.com/dims4/default/9956d4f/21474836...

It can scan a scantron sheet in which the page, side, column and row are used to generate a number. For example a bubble filled in on page 1, side 1, column 4, row 8 would generate 110408. There is some business logic here that says that "For page 1, side 1, only one of 0408, 0409, 0410 may be entered".

At the end, however, you get a number counted that is then tallied for and then that is mapped back to Bob Smith for the votes.

Note the alignment guides on the sides - https://www.amazon.com/Official-SCANTRON-Brand-Answer-Sheet/...

If the scanner detects a barcode page being entered (that was generated by a touch screen system), then one of the barcodes encodes the number 110408, and the barcode is read rather than trying to go from the scantron page guides.

---

In this case, you've got the scanner here, you enter them into the scanner and get the vote counts "live". Then, you take them out of the secured spot and scan them all in to the other machine and compare the vote tallies.

There is a paper ballot that is recording this.

In the event that there is a recount, then the paper ballot is examined and the name next to the bubble is what the human auditor uses to count votes.


Start with a stack of ballots. Run the stack through one machine. Run the same stack through another machine. Check the tallies. If they differ, then the counts are discarded and the stack goes to perhaps a hand count.

Each stack is handled by two people, one from each party. One feeds the machine, the other watches him.
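The bubble-code encoding from the scanner comment above, together with the two-machine comparison from this comment, as an added example that is not any vendor's code. A filled bubble at page P, side S, column CC, row RR becomes the code string "PSCCRR" (page 1, side 1, column 4, row 8 gives "110408"); a rule per contest lists which codes belong to it and how many may be marked, which is where overvotes and undervotes are caught; and a code map turns codes back into names. Two tabulators with different internal structure are run over the same stack and compared, and any disagreement sends the stack to a hand count. The contest layout, candidate names and the five-ballot stack are constructed.

```python
"""Bubble-position codes, per-contest rules and a two-tabulator check.

Added example. In a real deployment the second tabulator would be written
by a separate team; here both share only the contest table so that the
comparison step can be shown end to end.
"""
from collections import Counter


def bubble_code(page: int, side: int, column: int, row: int) -> str:
    """Position of a filled bubble -> six-digit code, e.g. (1, 1, 4, 8) -> "110408"."""
    return f"{page}{side}{column:02d}{row:02d}"


# Constructed layout: which codes form one contest, how many marks it allows,
# and the name each code maps back to.
CONTESTS = {
    "Mayor": {
        "codes": {"110408": "Bob Smith", "110409": "Jane Doe", "110410": "Write-in"},
        "max_marks": 1,
    },
    "Measure 3": {
        "codes": {"110412": "Yes", "110413": "No"},
        "max_marks": 1,
    },
}


def tabulate_by_contest(ballots) -> dict:
    """Tabulator A: for each ballot, intersect its codes with each contest's codes."""
    tally = {name: Counter() for name in CONTESTS}
    for marks in ballots:
        codes = {bubble_code(*m) for m in marks}
        for name, contest in CONTESTS.items():
            chosen = codes & contest["codes"].keys()
            if len(chosen) > contest["max_marks"]:
                tally[name]["OVERVOTE"] += 1       # too many bubbles in one race
            elif not chosen:
                tally[name]["UNDERVOTE"] += 1      # race left blank
            else:
                for code in chosen:
                    tally[name][contest["codes"][code]] += 1
    return tally


def tabulate_by_index(ballots) -> dict:
    """Tabulator B: inverted index code -> contest, then group the ballot's marks."""
    owner = {code: name for name, c in CONTESTS.items() for code in c["codes"]}
    tally = {name: Counter() for name in CONTESTS}
    for marks in ballots:
        per_contest = {name: set() for name in CONTESTS}
        for m in marks:
            code = bubble_code(*m)
            if code in owner:                      # stray marks outside any race are ignored
                per_contest[owner[code]].add(code)
        for name, chosen in per_contest.items():
            limit = CONTESTS[name]["max_marks"]
            if len(chosen) > limit:
                tally[name]["OVERVOTE"] += 1
            elif len(chosen) == 0:
                tally[name]["UNDERVOTE"] += 1
            else:
                for code in chosen:
                    tally[name][CONTESTS[name]["codes"][code]] += 1
    return tally


def compare_tallies(a: dict, b: dict) -> dict:
    """Contests where the two machines disagree, with both counts for inspection."""
    return {name: (dict(a[name]), dict(b[name])) for name in CONTESTS if a[name] != b[name]}


def audit_stack(stack_for_machine_a, stack_for_machine_b):
    """Run both tabulators; any disagreement discards the counts and flags a hand count."""
    a = tabulate_by_contest(stack_for_machine_a)
    b = tabulate_by_index(stack_for_machine_b)
    diffs = compare_tallies(a, b)
    return ("hand_count", diffs) if diffs else ("accepted", a)


# Constructed stack: each ballot is a list of (page, side, column, row) marks.
STACK = [
    [(1, 1, 4, 8), (1, 1, 4, 12)],                # Bob Smith, Yes
    [(1, 1, 4, 9), (1, 1, 4, 13)],                # Jane Doe, No
    [(1, 1, 4, 8), (1, 1, 4, 9), (1, 1, 4, 12)],  # Mayor overvote, Yes
    [(1, 1, 4, 13)],                              # Mayor undervote, No
    [(1, 1, 4, 8), (1, 1, 4, 20)],                # Bob Smith, stray mark, Measure undervote
]

if __name__ == "__main__":
    print(audit_stack(STACK, STACK))         # both machines saw the same stack
    print(audit_stack(STACK, STACK[:-1]))    # one ballot lost between the two runs
```

Running the same stack through both tabulators yields an accepted tally; feeding the second machine a stack with one ballot missing (a lost or added sheet between the secured spot and the second scanner) shows up as a disagreement in every contest that ballot touched, which is exactly the case the comment sends to a hand count.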


> What's important for voting confidence is having the count be auditable, which is much more important than having the machines be secure. After all, banks learned how to do that with money long ago.

Having the count be auditable doesn't really help you. If you have a pile of ballots, and you can prove with certainty that you've correctly counted what they say, you've made zero steps toward legitimacy. Where did the ballots come from?

This is a huge problem for secret ballots, where the goal of the system is that ballots can't be audited. It is not a problem for cash counting machines, because the only problem they're trying to solve is determining how much cash you have.


> Where did the ballots come from?

The same way the cops do it. Each bag of ballots has a chain-of-evidence protocol like the cops do.

Ballot boxes are opened by two people, one from each party. The ballots are put into the ballot bag, which is sealed. Both people then sign the bag and log its serial number. Every transfer up to the voting machine is witnessed and logged and signed for by two people, one from each party.
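A checker for the custody protocol described in this comment, as an added example that is not the commenter's code and that assumes a constructed log format rather than any jurisdiction's actual form. Every event on a bag (seal at the precinct, each hand-off, opening at the count) records the bag and seal serials, who handed it over, who received it, and two signers with their parties. The check rejects a log where the seal number changes, an event lacks two signers from different parties, a hand-off does not start from the last recorded holder, or the ballot count declared at opening differs from the count declared at sealing. Bag and seal numbers, holder names and signer names are constructed.

```python
"""Verifying a ballot-bag chain-of-custody log.

Added example. The log is a list of Event records, one per signed step;
verify_custody returns every rule violation it finds, so an empty list
means the chain from sealing to opening is intact.
"""
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Event:
    kind: str                              # "seal", "transfer" or "open"
    bag: str                               # bag serial number
    seal_no: str                           # tamper-evident seal serial
    holder_from: str                       # "" for the initial seal
    holder_to: str
    signers: Tuple[Tuple[str, str], ...]   # ((name, party), (name, party))
    count: Optional[int] = None            # ballots declared at seal / open


def verify_custody(events) -> list:
    """Return the list of problems found across all bags in the log."""
    problems = []
    by_bag = {}
    for e in events:
        by_bag.setdefault(e.bag, []).append(e)
    for bag, evs in by_bag.items():
        if evs[0].kind != "seal":
            problems.append(f"{bag}: log does not start with a seal event")
        seal_no, holder = evs[0].seal_no, evs[0].holder_to
        for i, e in enumerate(evs):
            parties = {party for _, party in e.signers}
            if len(e.signers) != 2 or len(parties) != 2:
                problems.append(f"{bag}: event {i} ({e.kind}) lacks two signers from different parties")
            if e.seal_no != seal_no:
                problems.append(f"{bag}: event {i} ({e.kind}) shows seal {e.seal_no}, expected {seal_no}")
            if i > 0 and e.holder_from != holder:
                problems.append(f"{bag}: event {i} ({e.kind}) handed over by {e.holder_from!r}, "
                                f"but last recorded holder was {holder!r}")
            holder = e.holder_to
        first, last = evs[0], evs[-1]
        if last.kind == "open" and first.count is not None and last.count != first.count:
            problems.append(f"{bag}: sealed with {first.count} ballots, opened with {last.count}")
    return problems


# Constructed signers: one from each party, as the protocol requires.
SIGNED = (("A. Lee", "Party 1"), ("R. Diaz", "Party 2"))

GOOD_LOG = [
    Event("seal", "BAG-0427", "S-88112", "", "Precinct 12", SIGNED, count=312),
    Event("transfer", "BAG-0427", "S-88112", "Precinct 12", "Courier van 3", SIGNED),
    Event("transfer", "BAG-0427", "S-88112", "Courier van 3", "County warehouse", SIGNED),
    Event("open", "BAG-0427", "S-88112", "County warehouse", "Count room", SIGNED, count=312),
]

# Tampered variants of the same log, each breaking exactly one rule.
RESEALED_LOG = GOOD_LOG[:2] + [replace(GOOD_LOG[2], seal_no="S-90001")] + GOOD_LOG[3:]
ONE_PARTY_LOG = GOOD_LOG[:1] + [replace(GOOD_LOG[1], signers=(("A. Lee", "Party 1"), ("B. Kim", "Party 1")))] + GOOD_LOG[2:]
GAP_LOG = GOOD_LOG[:2] + GOOD_LOG[3:]                      # van-to-warehouse hand-off is missing
SHORT_LOG = GOOD_LOG[:3] + [replace(GOOD_LOG[3], count=298)]   # fewer ballots at opening

if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("resealed", RESEALED_LOG),
                      ("one party", ONE_PARTY_LOG), ("gap", GAP_LOG), ("short", SHORT_LOG)):
        print(name, verify_custody(log) or "ok")
```

The four tampered logs each trip a different rule: a new seal serial mid-route (the bag was opened and resealed), a hand-off witnessed by only one party, a missing transfer (nobody signed for the bag between the van and the warehouse), and a ballot count at opening that does not match the count at sealing.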


They need to be counted locally. In France the ballot boxes are translucent and counted at the voting station by members of the public.


Same in Germany.

It's local volunteers counting their local votes and the public is welcome to witness it (if they manage to behave and not try to disrupt the count).

Until the proceedings are done the ballots do not move more than a few meters from where they were distributed and filled out.

Switzerland regularly manages large referendums on paper just fine and AFAIK they use a similar system.

But then these countries all vote on Sundays and with a sufficient number of polling stations (and higher voter turnout) so it usually takes no more than a few minutes.

The US has some serious operational problems regarding its election system even before talking about the political side.


> In France the ballot boxes are translucent

Penn and Teller, in one of my favorite jokes of theirs, say that an unwritten rule of the cups and balls trick is that you must not ever perform the cups and balls trick with clear plastic cups.

However, magicians do frequently make something about a trick of theirs transparent - figuratively or literally - as a way of making you more surprised when they pull the trick off anyway. You were looking in the wrong place, at the transparent part of the trick.

That's not to say transparent boxes are a bad idea. They really do make some attacks harder.


That's why almost all voting machines leave an auditable paper trail.


Congrats for inventing the most expensive pen in the world.


The point of the machine is to have a count to audit against and avoid problems like dangling chads or partially filled in bubbles.


Why even bother with that? Could just release instant results and always do a manual count of the paper ballots in the background.


why can't voting happen on machine-online in realtime basis?

we can do polls for thousands and millions on facebook for example and the results are instant. everyone gets one vote and there is no double spend problems so why is political voting living in dark ages?

sure it has open source software now but in india for example, machines are transported physically, they are tampered with in the interim, machines get lost on and on

isn't this a solved issue for any online portal?


Facebook polls are neither secret nor verifiable. Facebook knows how everyone voted, and voters cannot verify that Facebook is reporting the correct result. Those problems can theoretically be solved with cryptography (assuming the voter has full control of the device used to cast their vote), but not in a way the average voter can understand and verify.

Another problem with online voting is that malware can infect a voter's device to spy on how they vote and/or change their vote. I don't think there is a solution to that problem.

Online voting is a terrible idea. The only way to have secure elections is to publicly count every ballot by hand. If you think that's too expensive, you think electoral democracy is too expensive.


The difference between Facebook polls and elections is that there aren't severe consequences of a Facebook poll indicating the wrong winner.


no. that is not my point. wrong people get elected without any real consequences so that is not really an issue.

the question is about using technology.


If you can somehow intercept the data, you can correlate when someone voted with that data and possibly find out who they voted for through that



