20 years ago I attended an international conference on electronic voting. There were various papers on the form of elections (not on specific products.)
The huge takeaway for me was not the technology (or lack thereof). Ultimately all existing (and proposed) systems have flaws. The key was public trust in the result.
The first step to sidestepping democracy is to attack the legitimacy of elections. One can attack the process, software, hardware, ballot security, eligibility, and so on. It doesn't really matter what you attack - it doesn't matter if your gripe is legit or not. It only matters that you erode trust in the result.
If you can make people think the elections are rigged, then you can bypass them and move straight to authoritarianism.
Quibbling over open-source or not is irrelevant. We can cast doubt on the software either way. Quibbling over electronic or paper voting is equally irrelevant (there are plenty of paper-only elections worldwide that are very suspect.)
Naturally the Open Source company promotes Open Source voting machines. But in truth being Open Source has no (real) benefit. Software is easy to tweak, Open or not.
> But in truth being Open Source has no (real) benefit. Software is easy to tweak, Open or not.
But that's not the truth though. Open source software is not easy to tweak when it's deterministically compiled using reproducible builds and there are provisions for on-demand inspection of executables and hardware.
World went down on a completely different path. New wave authoritarians want to pretend that there is democracy, and they want to keep up the trust, even when elections are not free or fair at all.
One of the few things I was happy with Texas legislation this year was moving all to paper ballots. They still use the "bubble counter" machinery though and not human eyeballs. But it's not like it still relies on honest people and a government that is neutral when it comes to counting votes. That's starting to look like it is less and less possible with the current regime's banana republic chaos.
I agree insofar as ensuring all e-voting implementation attempts are open source will enable us to more comprehensively prove that it is a fundamentally bad idea.
You didn't define how paper ballots are better. Given that many electronic systems print paper ballots, I'm not sure how they could be said to be universally better.
Electronic ballots can be much better than paper in two ways. Firstly, they are faster to count. I'm not sure why that matters, but it's true and seem people seem to think knowing the outcome quickly is important.
Far more importantly to me: they are easier to use. In Australia we have compulsory voting. A lot of attention is paid to how many votes are invalid. It currently runs at 5%, but ranges up to 10% in areas with lower education levels or non-English speaking. Voting machines can tell you verify if the vote is valid, help you if they aren't, provide information from the candidates if you want to know more.
One the downside, a poorly designed voting machine can be far less secure than out current paper system. Sadly, I don't think I've seen proprietary voting voting machine that didn't have significant design flaws. Making the situation worse is the voting machine companies like to keep their flaws well hidden (flaws aren't good for sales). In Australia, we've had examples of the Australian Electoral Commission perusing academic researchers in the courts for revealing flaws. [0] Mandating open source mandate is a solution to that.
Candidates drop out, die, or become ineligible in all kinds of ways. Paper is not strictly better and can create costs and complications on the day of the election itself.
Electronic voting is fine. Why can't we just have a printer in the polling booth? I run my ballot, then hit print, then I can manually verify it, and then drop the printed ballot in a box.
Can you please edit out swipes from your HN comments, and generally stop posting aggressively? You haven't been doing it extremely (which is good) but you have been doing it repeatedly (which is bad).
Your comment here, for example, would be fine without the last bit ("you've missed the point entirely").
You still have to securely distribute those machines. All of the things still apply. Actually you need even more security!
Printing paper is cheap. Shipping it is cheap. Checking it is cheap and obvious. Reprinting is cheap. You don't even need to ship them. Most of the cities are close to industrial areas which has big printers and paper mills.
Making stamps or buying pens is cheap. You validate ballots at the polling stations which is scalable and cheap. It is the members of public who validate it. You don't need to pay most of them. They are just local constituents! It is their vote!
You are not aware how far away you are from the point!
IIRC, last presidential election that was what we did in our county, voted on a machine, got a prinout, verified it, stuck it in the scanner and was done. I think I'm remembering it right?
What you have just described is an ExpressVote voting system, manufactured by ES&S (https://www.essvote.com/products/expressvote-3/). Here is an example how-to on using it from Micigan (https://www.youtube.com/watch?v=ebqktli8bRk). The only salient difference between what you describe and the actual system is that the paper run through the machine is also audited (to guard against someone ballot-stuffing by creating additional ballots when nobody is looking).
If you want this, the next step would be to get involved at your county or state level (depending on how your state makes voting technology decisions).
I agree but worry about what this implies for accounting and other financial systems. If we can't trust the voting machines to tell us what the vote totals are, how can we trust the bank computers to tell us who owns what?
I would be very worried about banking security if there was only one bank and it was run by the government. Obviously, that's not the case, banks are private companies and there are thousands of them constantly competing for each other. They have a strong interest in tight security to remain trustworthy. They're also heavily regulated, probably even more than the voting system, and they're subject to financial auditing. I'm not an expert but would estimate that for these reasons banking is overall more secure than electronic voting.
I could be wrong, though. As far as I know, hardware companies nowadays cannot even be reasonably sure that the chips they use don't contain backdoors.
For clarification, my position is that electronic voting is not secure and cannot be made sufficiently secure to safeguard against catastrophic failure and abuse. That's orthogonal to the issue whether voters trust in the voting mechanism, which is also important.
Haven't watched it, but to summarize what I imagine someone aligned with me would say: A ballot's entire lifecycle can be watched as it goes from the stack to the booth to the dropbox to the counting pile. Poll watchers are vestigial as soon as voting machines are involved; it becomes the honor system, which is not trustworthy enough in a system where the parties do not trust each other. The best you have is 'we have found no evidence of widespread voter fraud', a carefully couched statement from media organs you don't necessarily trust either. You, a (Democrat/Republican), can trust a system with paper ballots, because people from your party will observe all relevant details of the process everywhere the process occurs.
The lifecycle do get interrupted with early voting and postal voting, and as past elections where I live have shown (Sweden), some number of boxes of votes will generally be discovered after elections. The postal system are not designed to be 100% reliable and some portion of mail do get lost, fail in the sorting process, or get sent to the wrong location and put into the "fix it later" process which will miss the election deadline.
Software and hardware is still magnitude more vulnerable to intentional misbehavior, and even accidental mishaps has a higher risk of massive negative consequences, and its harder to discover failure compared to boxes of votes that has a physical presence.
In practice by the way the actual role of your appointed watchers is to figure out early whether you've won.
They can see whether another candidate's ballots are piling up faster than yours, they can estimate whether a table counting ballots for a district you're expected to dominate is being given way fewer ballots to count than you'd expected...
Yes, they would obviously spot if some election worker is like adding a pile of pre-marked mass produced ballots to a pile or something, or if they were just putting half of your ballots in the wrong pile - but stuff like that basically never happens, whereas somebody will win and it'd be nice to know before it's announced if that's achievable.
The thing is, a software based voting system with a sufficient number of checks and balances preventing tampering seems to be a lot more trustworthy to me than human poll watchers and workers. It wouldn't surprise me at this point that there may be moles in parties that are secretly from the other party.
And the other related issue is that in 2025, it simply should be possible to vote from your phone in a way that verifies your identity, if you'd like, using the faceId/fingerprint biometrics that most smartphones from recent years have.
An election needs to be trusted by everyone, and explainable to all voters. It does not help that you believe it is safe. You have to trust the compiler, and the chips, and everything, and convince all voters it works.
Paper ballots are fine. It is not complicated at all and an election is the one thing you just cannot get wrong in a representative democracy. It can cost a bit and you only do it once every few years.
The obvious problem with smartphone voting is that it's hard to combine with voter secrecy. An abusive spouse or someone bribing the voter could demand to see what vote was cast.
And if anyone can make up a reason to doubt the outcome of the election, it will fail it's objective: Peaceful transfer of power.
The usual way to try to solve this is the ability to override previously cast votes, in secret. But the combination of that and the ability for all interested parties to independently verify the count is not trivial. But not impossible either, much has been written on the subject since e-voting was all the rage in the 90s. One would do good to study this work before designing yet another voting system.
Arguments against electronic voting: 1) one person can change millions of votes 2) vulnerable even outside the country 3) even if you audit the software, it's hard to verify that the audited software is what is actually loaded on the machines 4) even if you check hashes of the software, how do you check the software that checks the software (this is a restatement of the Ken Thompson Hack) 5) proprietary software 6) USB sticks are insecure 7) final computer tallying everything is owned and located in a single place 8) XSS attacks on e-voting pages.
Arguments for physical voting: 1) centuries old, many attacks have already been tried and failed 2) no identifying marks on ballot = no opportunity to pressure voters to change their vote 3) multiple people involved in each stage of the process
I realized after typing that out that YouTube has a "Show Transcript" function, so try that for the second video.
In addition, and I think the punch line, if you take measures to decentralize and audit every single part of the digital process, you have just made the most expensive pencil and it'll not perform that much better against manual voting to begin with.
This isn't a technology problem, really. It's a problem of corruptible humans. In US elections, there are billions and even trillions of dollars at stake. Observe the grifting being done by the current administration. Thus, humans are extremely incentivized to corrupt the process. Technology just makes the corruption easier. Technology enables the grifter.
An optical hollerith machine would be useful. It would sort paper ballots into buckets based on selection. It's relatively easy to flip through a stack of ballots and ensure that every one has the same selection. Saves the effort of hand sorting which is not error free.
Are they using only the electronic version or the mixed version? We used the mixed version in some elections here in Argentina. The paper trail is harder to fake, and the electronic part close a few problems of theonly paper version.
Things have always been iffy. No one knows for sure.
Edit: That link is the most recent example. Googling for voting machines themselves would bring more examples. Every election cycle we go through reports of malfunctioning, no audit, audit not matching, extra machines appearing, machines being taken around by politically connected, even things like pressing any button on the machine voting for the same party…etc., but ECI has been pushing it aside and refusing to open up. This recent one became an issue because the manipulation (allegedly) went a layer deeper into the voter rolls themselves and they are public data.
Haha no. Voting machines caused absurd amounts of political instability here in Brazil. It's essentially become wrongthink to question the system.
Our elected representatives have tried to add a paper trail to the machines twice now and it was ruled unconstitutional for total bullshit reasons. Our former president was banned from future presidential races because he questioned the machines. We have a judge loudly proclaiming that the machines are UNQUESTIONABLE with such unwavering pride you'd think he'd have the balls to start a billion dollar bug bounty and post it here on HN. He only allows you to "audit" the system by appointment behind closed doors and the only tools you're allowed to bring with you is a pen and a piece of paper. People found issues even with these restrictions. There are people protesting to this day, laymen asking for source code, completely unaware of the existence of supply chain attacks and the fact the source code would prove nothing and serve only to humiliate them. We have former US president Biden's top CIA guy telling our former president to stop questioning the machines, wouldn't be surprised if they had access to this shit.
Germany did it right: voting machines are unconstitutional because citizens do not understand it. Elections must be fully auditable by the average person. This is the correct stance.
>Our former president was banned from future presidential races because he questioned the machines.
Bolsonaro didn't question the electoral process, in fact, I doubt he even understand it himself. He questioned only the results, because in his mind he should have won by a lot.
Not dissimilar than Trump's "stop the count!" on US paper ballots.
He did. For years, and during his mandate. I was there. Out of every stupid thing he said and did, they cited his perfectly valid criticism of the voting machines as the reason for his banishment from politics until 2030. I submitted news of that event to HN.
> Not dissimilar than Trump's "stop the count!" on US paper ballots.
Completely different matter. I'm very skeptical of claims of election fraud in the USA because it uses paper ballots. I have no trouble at all believing that our Magnitsky sanctioned judge literally named Lula president. They broke the guy out of prison to run against Bolsonaro for a reason.
In the end it's irrelevant. Bolsonaro's ordeal has revealed the deep truth of Brazil to the masses: the real power is in the supreme court. Discussing elections is utterly pointless since these judges are not elected. Elections are just a game they play to give this shithole a veneer of democracy.
A solid starting point, but it's easy to lose sight of the other critical part of the puzzle--integrity of the voting rolls. High quality vote tabulation needs to start from voters, where _only_ legitimate voters vote, and each only votes (at most) once, after which yes, their vote is accurately tabulated.
Voter rolls are public information in the US; there are several watchdog groups that perform verification services and have done so for decades; and to date, none have uncovered the kind of large-scale voter fraud that would necessitate doing anything differently from what we do now.
In fact, I'd argue that having 50 different voting systems with 50 different ways to prove eligibility makes our elections more resilient to large-scale voter fraud, even if it makes it more difficult to verify voter rolls wholesale.
Cryptocurrencies don't need to do things like make sure that no human gets more than one vote, only humans (no bots) from a specific part of the world get a vote, and keep votes secret. Blockchain is not the solution.
> Cryptocurrencies don't need to do things like make sure that no human gets more than one vote
That's pretty much the problem they were designed to solve no? It's called the double spend problem, and it's crypto's big comp-sci innovation. The whole paper was about it.
The secret ballot requirement foils this. Transaction identities are well-known and public; voter identities are secret and unverifiable. Any attempt to link ballots with identities to prevent double-voting also reveals how someone voted.
Crypto identities are identities, as much as human names or Social Security numbers. If you know who the identity represents, then you know that human's transaction history for all time on that blockchain.
Ballots do not have any identifying information, intentionally. There is no tracking number or possible mechanism to de-anonymize a ballot back to the human who cast it. Notably, there is not even a unique identifier for a single ballot that could potentially be used to identify a person.
Most importantly, there is no value that is unique to the ballot that I can use to verify that I am indeed the person who filled it out, so some nefarious organization could threaten me or my family to produce proof of how I voted. Or pay me, or influence me based on the outcome.
So there is no "identity" that you can record in a blockchain to prevent that identity from casting two ballots in the same election.
At some point, one needs determine whether voting transaction 123 by votecoin address 3456 was made by a valid voter and that the voter has only voted once.
So how do you do that? If a central authority does it by say, issuing votecoin addresses to voters or asks voters for their self-generated addresses, then your ballot is no longer secret since they can see exactly who voted for what.
If a voter shares their votecoin address with anyone, then anyone can see how they voted inviting vote buying and pressure schemes.
Haven't crypto an opposite bias, with no guarantee that any given transaction's ledger will stay relevant ?
Dropping votes is as problematic as allowing too many.
In general, money transactions have failure modes that don't match what we want for other use cases. That's the same trap as using credit card payments for ID verification, it only works if you don't actually care about the ID.
Yes and no. Confirmation takes time. But it heavily depends on the crypto. Some can be pretty fast. Once confirmed it's guaranteed, it won't drop off.
Assuming you can vote from the comfort of your phone or home, that's kind of the whole point, it doesn't matter much if you have to wait even 30 min to get confirmation.
Correct, there are several aspects to voting that blockchains don't address:
- The Human Identification Problem (not sure if there is a more official name): uniquely identifying a human being. If you solve this, you solve many forms of fraud (anything rooted in identity fraud) and eliminate entire industries dedicated to reducing fraud losses. Best attempt so far has been the Estonian ID system [0]; Sam Altman tried with Worldcoin but that ended up being yet another crypto grift. Incidentally, Estonia uses its identity system for electronic voting.
- Proof of citizenship; citizenship in the US for most people is a birth certificate issued by a hospital or other authority several decades ago, or a proxy to this document such as a passport. Naturalized citizens have it easier here because they have a state-issued document declaring their citizenship.
- Proof of residence: This is also something not verifiable via a blockchain or smart contract, because it depends on the state and relies in part on your physical location and your intent. Legally you can only vote from one voting address, but there are countless people registered with multiple addresses across states as they move residences.
- Secret ballots: You cannot tie votes back to voters in a free election. Blockchains are open and publicly-verifiable, which is good; but cast ballots cannot be verified _even by the voter_. Blockchain doesn't bring anything to the table here over, say, a database; because the recorded ballots must not be tied back to human identities, you cannot use any of the work done to verify the three previous points to verify the election outcome. Blockchain would boil down to replacing or augmenting paper ballots with a provably immutable record, where you still need to place trust in the system recording votes on the chain.
Well it would still be the government that gives you a "voter id". That part wouldn't change. It would still be a manual verification of your IDs and what not. But once you have a "voter ID" you actually vote online.
I believe you can do this with crypto. It's still anonymous. The government verify you, then give you a signed key that you use to generate your voter ID locally yourself. The network accepts your voter ID because it's signed. I think there's even ways to allow single use signatures and so on.
Now everyone gets one and only one voter ID (which is like their wallet) but for voting.
Aren't most paper ballots processed by machine anyway? Every ballot I've ever cast has gone through something akin to a Scantron machine.
The cost of human labor to count all ballots by hand will be enormous. Probably worth it I suppose, but this really is something that should be primarily automated. But again, trust in software. Sigh, why can't we just have nice things?
A single polling station usually only has a few thousand voters. During the day, polling officers at the station processed (signed/stamped/tore/etc) every single ballot that went into the boxes. They also verified every person's ID. When polling closes, why is it enormous human labor to count the votes, but all the processing during the day is not?
> The cost of human labor to count all ballots by hand will be enormous
In Taiwan, this is how it's done. Every ballot is counted by human. It's completely public: you can just walk in any polling station during the counting process and watch they count.
Chile has a very good election system and there's basically no machine input in the process.
What's important is being able to segment the population in enough voting places so that each voting place is maneaganle just by a small number of people. The Chilean system is scalable because you can always just add more voting places as the population grows.
Usually these voting places are civic centres, stadiums, schools.
It's a good system and generally for a presidential election we get the results in about 4 hours after voting ends.
Australia hand-counts. In a federal election, a voter will typically cast a preferential vote for the lower house, and a more complicated proportional vote for 3 senate seats. Rarely, they'll vote on 1 or 2 propositions ("referenda"). This seems comparable to a federal US ballot (first-past-the-post votes for house/senate/president).
The US casts 10 times as many votes - so it seems reasonable for the US to hire 10 times as many poll workers? Hand-counting is O(n) i.e. constant per-capita, and it scales horizontally.
Local and state ballots in the US can feature tens of elected positions and propositions, I could imagine hand-counting them to be quite expensive.
I'm much less concerned about automated vote counters, as long as they are not connected to the Internet, enough ballots are hand-reviewed to make sure that the values from the machine don't seem way off, and the specific type of counting machine isn't uniform across the whole election.
The cost of human labor? Maybe US-exceptionalism is peeking through?
In actually democratic countries the elections are done on holidays(Sunday) and the polling stations are in where you live.
It is your vote you silly. It is your democratic duty, right and responsibility to guard it if you don't trust the observers by becoming one. Everybody should be able to watch the process and the count!
Losing one day of revenue would not hurt. Especially on a holiday.
If your paper ballot are counted by simple, airgapped machines - that's both a vastly reduced attack surface, and is easy (if laborious) to physically audit.
I'm watching him talk about the two key ingredients of an election (anonymity and trust, for those not watching the video) and thinking "We don't have those in U.S. elections".
I live in California, where the voting method is vote-by-mail and you sign your ballot. That breaks anonymity right there, plus there's a barcode that matches address and ballot for traceability, so in theory anyone involved in the election process could look at my ballot, cross-reference against address, and figure out how I voted. In practice I've never heard of anyone being pressured or confronted based on how they voted, so my default assumption is this doesn't happen much or at all.
But even broader, in the U.S. your party registration is public information. That's why whenever there's a political shooting, the media always says "He was a registered Republican" or "registered Democrat" or "was not registered to vote". And this mechanism is actively and publicly being exploited to alter elections. Since the U.S. is a two-party system and party membership is public, you have a fairly good idea how each precinct is going to vote before they vote, and can gerrymander maps to get the outcomes you want.
Plenty of trust issues in physical ballot transfer as well. California is vote-by-mail, but that assumes the postal service is a reliable carrier, while there was just a recent news story [1] about ballots being stolen. Before I lived in California, I was in Massachusetts, where we voted on 1930s-era lever voting machines where you hit a lever down and it marks a paper ballot without you ever seeing the real ballot. Between elections, these were stored backstage at the local middle school, so a mechanically-inclined middle schooler with knowledge of how an upcoming election's ballots would be formatted (and we did mock elections in middle school) could have rigged the machines to deliver the local precinct to their preferred candidate.
The useful points in the video were basically that decentralization and redundancy are what make physical elections hard to rig: you have to hack multiple locations to influence the overall election, and at each point you have multiple eyes watching you. He sets up the contrast with software voting, where you have the same software running on each machine, and even if the software is open-source, you can't be sure that the rest of the stack it's running on is secure (an oblique reference to the Ken Thompson Hack [2]).
But decentralization and redundancy are properties that you can introduce into software systems just as easily as real-wold systems. The KTH can be countered through Diverse Double-Compiling, for example [3]. zkStarks and digital signatures give you ability to prove that you authored something without revealing what that something is or who you are. The importance of client diversity for the security of the network as a whole has been well-known in the filesharing and crypto worlds. And anyone who has worked in Big Tech, aviation, or telecom could tell you that having multiple paths to success that are developed by independent teams is important for any computer system that is in a safety- or reliability-critical area.
> I live in California, where the voting method is vote-by-mail and you sign your ballot. That breaks anonymity right there, plus there's a barcode that matches address and ballot for traceability, so in theory anyone involved in the election process could look at my ballot, cross-reference against address, and figure out how I vote
They actually go through quite a bit of effort to prevent breaking anonymity.
The incoming ballots are scanned and sorted by machine to record that they arrived. Later, signatures on the envelope are checked. The signature verified sealed ballots are then moved and fed into a high speed extractor separating the ballot from the envelope so the envelope label isn't visible, breaking any linkage between the ballot and the voter's identity. Ballots are stacked with other ballots, still folded and moved elsewhere to be counted. The empty envelopes are kept and scanned again.
All of this happens with multiple people and on camera.
The ballot barcodes don't record any unique information that can identify voters - they're just things like precinct, ballot language and page number.
Because of the extreme diversity in voting methods in the US (it varies not only by state, but by county within the state) it's impossible to accurately make any generalization about voting in the US. For example, in my parents' county in Wisconsin, you show up at the polling place, they check you off the list of registered voters, and they hand you a ballot with no individual markings at all. Once you finish filling it out, you put it in a box with the other identical ballots, to be counted later. It's as anonymous as you could possibly ask for, except that they know that someone claiming to be you showed up and voted.
As far as party registration goes, is that required where you are? Because if so that's insane and the government there needs to change that. Everywhere I've lived you don't need to register any kind of party affiliation (and indeed some places you couldn't), you just register as a voter and you're good. Maybe it's different where you are, but if so just be aware that it is (thankfully) not universally done wrong in the way you describe.
Party registration isn't required (I'm unaffiliated, for example) but enough people do it that you can make a reasonable prediction of how a precinct is going to vote before they actually vote. This is the input data for gerrymandering: you don't need to know every single voter, as soon as you get a statistical sample you know how the area is likely to vote, and then you can construct districts out of precincts such that there's a safe margin of victory for each one.
Unfortunately, in that case there isn't much to be done. I think those people shouldn't do that, but if they insist I don't see how they could be stopped.
Many states require party registration to vote in primary elections, and in states like California the primary is the only election that realistically matters.
(1) California does not require party preference to vote in primaries generally;
(2) California primaries are not (except for the Presidential primary) party nominating elections, they are essentially the open first-round of a two-round general election. (Basically, it is majority/runoff except that there is always a runoff even with a first-round majority.)
(3) For the Presidential primary, California does not require party registration to vote, but does prohibit party-registered voters from voting in cross-party primaries; it is the party (not the state) the decides whether their primaries are open to “no party preference" voters (of the six parties with permanent ballot access in California, the Republican, Green, and Peace & Freedom parties do not allow NPP voters in their presidential primaries, while the Democratic, Libertarian, and American Independent parties do allow them.)
Belgium has been doing it for 25 years, though not without some issues. I'm happy to let other countries lead the way on this since we have a perfectly viable alternative.
Humans are actually quite bad at hand-tallying hundreds of millions of datapoints. Our eyes go glassy but we press on anyway.
Machines are very good at doing that kind of tedious labor accurately.
Whether human beings will put more trust in a system that we know will be wrong, but it's wrong for comfortable meat reasons, over a system that might be compromised but will be more accurate its more of a psychology question than a technical question though.
Human tallying is a source of errors, but it typically doesn't affect the outcome in major ways. This is more of an argument against large scale winner-takes-it-all election systems, as they have the least resilience against this kind of error.
The main benefit of manual tallying is that election tampering at scale becomes a rather labor-intensive and physical process that is more likely to leave detectable traces. Compare that to the the last US presidential election that has statistical oddities in machine-tallied voting results of kinds that have historically been shown to correlate with election fraud. If this was indeed caused by fraudulent voting software, it happened without leaving any other obvious traces of tampering.
> Compare that to the the last US presidential election that has statistical oddities in machine-tallied voting results of kinds that have historically been shown to correlate with election fraud.
It's being litigated, but in general the answer is there is not yet evidence that machine voting systems were compromised.
- in New York there is statistical anomaly correlated with a couple small-town polling stations. Those towns are small enough that they have a huge population of one religion, and one explanation is that the Democrat party's perceived "soft on Israel" stance tilted 100% of voters in those locations away from supporting the Democrat presidential candidate.
- in Pennsylvania a standard statistical analysis tool used to detect vote disruption suggested disruption occurred. The form of the disruption could be fraud, but it can also be things like voter intimidation (which was observed and reported in Philadelphia) and sudden discontinuity in voter behavior (the aforementioned "soft on Palestine" issue).
Correlation does not imply causation, and the lack of evidence of tampering of the machines in the audit logs is lack of evidence of tampering of the machines, not indication that the audit logs were compromised.
I've counted paper ballots for multiple presidential elections in my country.
People who think it's not safe should really spend some time learning how it works. It's impossible to cheat at scale. Each ballot is verified to be correct my multiple eyes. A person is reading, one is writing down the name, one is verifying and some other things I don't remember.
To cheat you need to have everyone in on it. A whole town involved to cheat and to at best win one polling station. It's safe because anyone can attend the counting, so each party can send someone to check no shenanigans is going on.
So the more votes you want to be winning by cheating the more people must be brought in the conspiracy. That's impossible to be unnoticed at the scale of a city, much less at the scale of a country.
It is not the paper ballots that's taken advantage of. They have no general public participation and opposition. The public simply do not give a damn about polling stations in places where Carousel voting is possible. There is no opposition observers or they cannot be because the examples in the Wikipedia page are dictatorships, not democracies. You cannot turn a dictatorship into democracy by voting.
Every single vote must be checked against publicly available lists of voters. Every ballot can only be given somebody whose identification is checked against this publicly available list and marked. The lists must have multiple copies some in the hands of opposition observers. They need to be published.
> Every single vote must be checked against publicly available lists of voters
Yeah, do that by hand please, without relying on electronic means.
Paper ballots with "honour" based out of circumscription participation is not secure. My country also suffered from this issue and it's not an authoritarian regime. They fixed it by adding and checking IDs on a ballot participation list. Nobody explained how that works to the average voter.
What I was trying to underscore is that even for something that's presented as simple and fool proof as paper ballots one can find vulnerabilities, especially when you're dealing with nation level threats. So in my opinion we shouldn't ask electronic ballots to be more security than what is already in wide use.
And in fairness, electronic ballots don't need to be more (or as) secure as paper ballots, but 'mail in' ballots. If we can come up with a method that's as secure as mail ballots I'd call it a success, despite what Tom Scott says.
The more comments I read on this specific HN topic, the fewer people I see actually involved in the polling process.
I really recommend people volunteer for it, if you're American and you're concerned. All you have to do is call your county elections office; they always want more people. You get paid near-minimum wage and it takes two days a year, but that's it.
What you will discover is that most of what people are asking for in this thread is stuff the states of the United States already do.
If a person is deeply concerned how the election is run? Go get involved. It's your country and your election system.
>Humans are actually quite bad at hand-tallying hundreds of millions of datapoints.
Humans just need to be able to separate a few hundreds of ballots into a couple of piles. When introducing double checking this makes an incredibly rigorous process, which can be open to the public. This is the case here in Germany.
Everything after that can be done by computers as all the data after that is published.
These system used for voting means that humans don't hand tally hundred of millions of votes. They tally those in a voting district only. Those them get aggregated with other districts and so on until the whole states and then the country is counted.
The problem with the accuracy assumption of electronic voting is that a) its all coded without errors and b) someone hasn't deliberately but code into manipulate the vote numbers.
That pretty much undermines the entire concept of unit and integration testing.
If you're saying we should be writing voting machine code in ML and keeping the firmware in Fort Knox, I'm going to make the argument that it's a lot cheaper to do sampled hand-counts to check against machine error or tampering... Which we already do.
I mean, you left yourself open to that glib, low-effort criticism when you wrote this:
> no software or programmable hardware
That's obviously too stringent. Consider:
1. Precinct hand-counts every single paper ballot bubble sheet.
2. Precinct hand-counts every single paper ballot bubble sheet, then confirms the hand count by feeding all the ballots into an electronic bubble-sheet reader.
Your claim is that #1 is more trustworthy than #2. That's an extraordinary claim that requires more evidence than two youtube links!
Edit: to be clear, I want the requirement that all voting must be paper ballots like the human-readable bubble sheets mentioned above. But saying that no software or programmable hardware can be used "in the election process" is so extreme that it sounds like a parody of my own position.
If your proposed process is implemented, it will take about 5 seconds before the precinct realizes that they can just feed it all to the machine and sign whatever number which comes out as the “hand-counted” one. Especially as they will be dinged whenever their count differs from the machine, which will be assumed by their superiors to be more trustworthy.
More seriously, even though some cars are programmable, I did not mean that nobody could use cars to transport ballot boxes. I obviously meant that the official results should be the manually-counted one; machines could conceivably be used to get interim results faster, and/or to double-check a count to see if it needs to be counted again. But I was serious about requiring absolutely no machines involved in the counting of the official results.
Most states (I don't have all fifty states' laws in my head) have a sample recount process; they generally trust the machine numbers but they will randomly sample some percent of precincts for a detailed hand-audit count. Any attempt to generally infect electronic systems falls afoul of this back-stop.
In addition, most states have a mechanism by which a candidate can formally challenge the results in a precinct, forcing a hand-recount. This usually has some kind of onus on the requester (I believe in PA for example you have to put up a bounty and if the hand recount results come out to the same result as the previous tabulation the state keeps the bounty as payment for the added cost of the forced audit). However, it is an option (and, most notably, not an option that anyone who claimed shenanigans in 2016 or 2024 exercised).
The problem of election integrity doesn't exist in a vacuum and didn't pop up overnight in 2016; states have been working the issue for a couple centuries and have a pretty good system. But it's a system that requires some detailed statistics and process control theory to understand, so I'm not surprised the median voter doesn't get it. There is, perhaps, a case to be made that for that reason alone we should go to manual, but someone's gonna have to spend the money on that if we're going to do it; it's going to be drastically more expensive than electronically-facilitated counting. And, indeed, people will have to accept that human counters will be less accurate than machine counters (because they're human; we don't train "computers" anymore as a discipline).
Indeed. That is what I was responding to; if I over-assumed the GP's position, my apologies.
We've been using mechanical, semi-mechanical, and electronic systems for decades at this point. The new concern for accuracy is pretty unfounded (and, it is worth noting, was heavily drum-beat into existence by a Presidential candidate who then went on to win an election).
If we want to talk problems with electronic systems, I'm a lot more concerned about how people don't actually know how to use touch screens (and I am myself in favor of pencil-and-paper ballots for that reason alone) than I am about people being able to sneak a super-double-secret modification to an electronic tabulator in against all the ways that attack could fail (including "The county can just decide to hand-count the pencil and paper ballots anyway, which would discover the deception").
Fully electronic, no-paper-output systems are past my personal trust threshold.
Posting those links without any insight from your side is just quoting dogma and, to me, it shows that you haven't really spent any time to consider the arguments. In my opinion shows that you lack imagination.
Every problem Tom mentions can be worked on and overcome. Maybe not today, maybe not by the next big election, but we should still start now, rather than later. We need to do everything possible to increase participation in the democratic process, especially for the demographics that are currently not very involved, which are also the demographics that are more likely to adopt electronic methods of voting.
>We need to do everything possible to increase participation in the democratic process
Do we? Participation should be made easy for those eligible and inclined to do so, but I don't see the benefit of encouraging participation from people who can't be bothered to put some effort into it, or are ignorant of the issues and candidates and are easily swayed by trashy campaign ads. I've seen the statistic thrown around that less than half of americans can even name the 3 branches of government, and if that's true I think those people have a civic duty not to vote.
I'm not advocating that people not be allowed to vote, I'm just pushing back on the dogma of more voter participation = better, IE. just because you can vote doesn't mean you should if you dont understand what you're voting for and don't really care enough to learn.
Seeing the constant barrage of campaign ads every couple years made me think about it- Why does campaign financing matter, how do they turn money into votes anyways? The answer apparently is ads, but I see these bottom-of-the-barrel slop political advertisements and wonder how that trash could possibly have a measurable effect on the outcome of an election. But it must work, otherwise they wouldn't spend so much money on it. And the fact that elections can be meaningfully influenced by the amount of ads a campaign can run is a signal to me that the democratic process is broken in some fundamental way. The votes of well-informed constituents are drowned out by the more numerous cohorts of partisans, reactionaries, and the apathetic just going through the motions to fulfill their 'civic duty', so it seems to me that increasing voter participation without changing anything else is only going to exacerbate the problem
> And the fact that elections can be meaningfully influenced by the amount of ads a campaign can run is a signal to me that the democratic process is broken in some fundamental way.
That's probably rational ignorance. It's hard to get people to investigate the details of policy and their consequences when theirs is just one vote out of millions. It's too much work. But that leaves the voters susceptible the kind of ads you mention.
Or stated more simply: getting informed doesn't scale, but mass advertising does.
Athenian-style democracy might handle this problem better. Randomly select, in some unbiased manner, a smaller number of people who then decide. But I suspect sortition is a little too unusual and feels a little too chancy for people to accept as a serious proposal.
Wouldn't banning political ads, and large sum political spending, and PACs and lobbying (I assume you're from the US based on the comments) be a better solution than whatever the f*ck "don't vote if you don't understand" is?
Democracy means that everyone gets a vote, uneducated, bigoted, communist, fascist, everyone. If you don't accept that, you don't accept democracy.
These files are actually cursed and I want all drives that contain their data destroyed with acid. But I have a slight feeling other voting software isn't really any better, even though in theory it should be relatively simple software in the grand scheme of things.
Public trust cannot exist if the voting system requires *any* expertise. Voting systems should be idiot-proof. If you cannot explain how voting system is manipulation-proof to a 7 year old, your voting system is untrustworthy.
This means anything more complex than a pen or a stamp on an approved paper is too complex.
I live in Ireland which I think has one of the best voting systems in the world (don't worry we've still got plenty of other serious problems with our electoral system).
It's 100% paper PRSTV & so the counts are slow. Not only is this generally OK (because getting a rapid result is absolutely not a requirement of any well-functioning voting system) but it also has actual benefits.
The main benefit is predicated on the count being engaging in and of itself. Other countries put a lot of effort into jazzing up statistical presentations on constituency predictions, cloropleths aplenty, to engage viewers. In Ireland, count centres are not only manned by trained count staff, they're also flooded with volunteer tallymen who verify the counting in realtime. Count coverage is on the ground, showing a real physical process that's intricate enough to be watchable. The entire process also serves as an education-through-doing in how our voting system works, so you get a more engaged & informed electorate (when it comes to the mechanics of voting - still unfortunately not that informed on policy, that's a worldwide problem).
One of the weird things for computer people about the Irish voting system is that it's non-deterministic! You can count the same ballots in a different order and get a different result (because it depends which votes you choose as "surplus" to redistribute).
In practice it doesn't seem to matter that much. The counters even out the first-level effects of this, so it only matters for votes that have been transferred more than once; it can be determined statistically that it changes the result only in a very small number of cases; and there are plenty of other weird threshold effects to care about instead. But it's one property you might expect of a fair voting system that Ireland doesn't give you.
Yeah. I think it's the best voting system in the world because I've yet to encounter one I think is better but you're right, it's far from perfect.
That said, surplus distribution tends to be the main flaw raised time & time again, & whenever improvements are discussed the general conclusion tends to be that the current distribution mechanism goes a very long way toward fair representation of the actual preference distribution. It's notable that the more computationally intensive alternatives to get "fairer" outcomes are pretty recent inventions & it's really hard to justify the effort given the tiny number of cases affected.
True! In The Netherlands, where I live, we still vote on paper ballots. The ballots are counted by hand. The counting is public, anyone can go and observe the counting.
This is in no way intended to be disparaging: there are processes that work within the scale of small European nations that simply won't at larger scales.
> there are processes that work within the scale of small European nations that simply won't at larger scales
Coming from Ireland (tiny population, low pop density) I've heard this argument countless times (we're an obvious target for this critique), but I still to this day don't see the logic of it. At all.
Constituencies are sized per capita, count centres are staffed per capita, if you have higher pop-density you'll either have more observers at count centres, or the same number at more count centres. This is a distributed system - it's the definition of scalable.
Fwiw the last count I tallied at (Dublin MEP) had an electorate of 890k. It was the smallest constituency in Ireland in that election, but still bigger than the largest congressional district electorate in the US. We counted in one large open warehouse. There were 23 candidates & 19 separate repeating counts.
That could work in favour or against your argument - I don't really know - I don't really think it matters either direction though.
This doesn't make sense. In the same way that police, firefighters, ambulance, farmers, etc, can scale to any country population, so can ballot counting.
Just the fact that there are millions of citizens means you have to trust the process. When I go vote and stamp my votes, you need to trust my county’s counters. I find it strange we focus so much on tampering with an individual vote (machine says you voted for X instead of Y) rather than tampering with aggregation
That's an inquisitive 7 year old. Definitely reward them. Let's explain. A good voting system needs to guarantee
- Secrecy of who voted for whom
- Transparency of everything else. The names of everybody in the process, the process itself and all the statistics should be verifiably public.
Being an observer to your polling station must be a guaranteed voter right. Similarly all participating parties must have the right to send representatives to observe the entire process.
Before opening the polling station all ballots are counted by multiple observers from all sides. This is recorded into files / documentation of each observer. So the number of possible ballot papers that can be voted on is documented.
Then each ballot paper needs to be stamped with a official local seal. This is also observed by every observer. The number of stamped ballots is also counted and documented. The number has to match the original ones.
The number of people who can vote in that voting station is determined by a population survey. In bigger cities each region must have roughly the same number of constituents.
The number of ballots that are stamped must match the number of eligible voters in the polling station. A voter can request to change a damaged ballot paper. The replacement should be done in front of all observers and the voter. The replaced ballot is destroyed in front of everyone.
After putting their ballot into the box, the voter has to sign their name in multiple printouts of the list of eligible voters of that polling station. These printouts of the lists are held by observers from multiple sides. The number of signatures has to match the number of ballots in the box.
Everybody can observe the count. All the numbers are checked against each other.
If you think that this is infeasible, I come from a country of 80 million people and live in a similarly sized one. Both of them use the same system. It works. It scales since it is an almost trivially parallelizable problem. We get the election results in the same day of voting.
That sounds like a solid system! Thanks for explaining!
Is there any way to prevent the observers from knowing who votes? I could see a scenario where a party chooses observers that are likely to intimidate potential voters (e.g. KKK members in a majority black polling station).
That's why participation from opposition and actual members of the public in the area of election is important. If you and your friends / family are afraid of intimidation, you show up. Gather as many people as you can as observers. In my countries (of residence), being there is your unalienable right. Nobody can legally kick you out. If 50 black people show up in a station where KKK tries to intimidate them, KKK will back down given an actual democratic state.
If those people still feel unsafe, they are not living in a democracy but under an authoritarian regime. You cannot really have a non-violent, fair democracy under such regime. Democracy isn't just elections. It is creation of bunch of non-elected institutions that guarantee the fairness of the elected stuff. Judicial branch, expert organizations and regulators are all part of it. This has to come from realization that the alternative is violence. Sometimes needed violence. Most resilient democracies in the world like France are direct results of multiple violent events happened because institutions were not capable of striking the balance. Suppressing large swaths of people is just a powder keg. In true democracies, people from all views should have a good mutual understanding that alternative governance systems exist and may even be viable or more stable, but they will be murdering each other and they themselves will eventually be victims to the violence too.
Having elections is in no way enough to have a democracy. You also need a functioning justice system and free media. What you describe is not part of the election system but of the justice system.
If the police does not uphold the laws that guarantee just elections, if they allow intimidations or treat citizens differently, or if the military tries to influence election results, then you do not have a democracy.
You may ask how do you make sure nobody changes the votes in the box somehow?
First the box is in front of everybody. Second, before allowing people to throw votes in, you seal the box with an tamper evident seal. Usually pouring beeswax over a string works. You can have multiple seals for all sides.
Having a mark anywhere else but the box you cross / stamp invalidates the ballot. You put ballots in envelopes. Each envelope must have a single ballot inside.
A voter can replace the ballot if they made a mistake. They need to destroy their ballot in front of everyone.
That's a lot to digest for a 7 years old, and you're still brushing over how you do a population survey, count the constituents and how to make that a trustworthy process.
My point: reality is messy and simplicity isn't a guarantee of reliability. The things hat really work in our societies are pragmatic, not simple.
Sure. Probably you shouldn't dump it at once but let the 7 year old ask questions one at a time. I think you can still explain it one at a time. I am aware that readers of HN are not 7 year olds.
Now try explaining any kind of encryption system that gives the same level of confidence to a high-scholer or even CS students in as many words as I used in that comment.
I'd say you can ELI5 most technical systems, it's a matter of finding the appropriate abstractions and spending enough time (for instance, just explaining the paper ballot system, we're already writing a full page or more)
It reminds me of a youtube channel explaining the Visa/Mastercard duopoly using monkeys and bananas. It doesn't perfectly fit, but works surprisingly well for such a subject.
What signature or stamp? In my country we make any mark, although conventionally a cross is used in illustrations.
Many countries have secret ballots, mine doesn't, for reasons which are extremely sketchy (and presumably why my country is blue, not dark blue like New Zealand on the democracy map)
The comments on this have lots of folks focused purely on the software, talking about a lack of paper ballots, etc. So, let me provide some more context that is missing from the post.
For those who don't know the VotingWorks software is both Open Source and their machines create and count paper ballots. You can read about it here: https://www.voting.works/machines
Essentially they have a computer, a ballot marking device, that people can use to mark their ballot. That ballot is printed on paper. Then the paper can be validated visually. Then fed into a machine to scan and count. The paper ballot is preserved and can be later audited.
The ballot marking device has a number of advantage over pre-printed and hand marked ballots:
- American Disabilities Act (ADA) compliant using standard web technologies
- Available in applicable languages without lots of translated papers on hand
- Errors or typos in ballots can be fixed days before election instead of weeks (due to print shop lead times)
- Better UX for complex races where things like ranked choice, choose three, etc with rules which can cause people to mismark and then have their ballots rejected
- Avoids sloppy/incomplete markings that must be interpreted and judged by counters/auditors
The entire system runs offline. It is open source.
They also have separate open source software for running risk limiting audits using the paper ballots: https://www.voting.works/audits
This is an excellent overview & much needed context. I read the (very short) OP but didn't dive into other sections of the website (which is not an initiative I'd previously been aware of).
Probably a difficult task to ensure all readers of all pages on the entire website are fully aware of this context in advance - I'd imagine this kind of averse reaction will continue to be common until these kind of hybrid systems become more widespread (or the interests pushing paperless are comprehensively silenced, which seems less likely).
---
That said, now that I do have full context, I do have two criticisms:
1. Clicking through to the VotingWorks frontpage, the copy still doesn't really highlight in a very obvious manner the paper nature of the system. You really have to analyse the website to figure this detail out.
2. The homepage does contain a section entitled "Faster Election Results" - which I do think flies directly in the face of many criticisms in the HN comments here & I personally believe to be an approach that's incompatible with democratic integrity. Counts should simply not be trying to be fast as a high priority - verifying the automated count by hand is insufficient if it isn't done as a matter of course. Ideally, live, while the count is taking place. The latter is not feasible with an automated system, & the former is a lot more likely to be overlooked if speed is a priority.
We don't just need systems that can be fair, we need systems that incentivize fairness & don't contain perverse incentives - count speed is exactly such an incentive.
I live in The Netherlands. We are a reasonable modern country, where a lot of things are automated, even in governmental organizations. However, voting is still done on paper ballots. And those paper ballots are then counted manually. This has huge benefits. There always is a paper trail. It’s hard to manipulate votes without getting caught. If there’s any doubt about a certain district’s results, the votes can be recounted. This happens regularly.
Why do we need machines? Counting the votes for e.g. the parliament only takes 24 hours or so, generally. And we don’t have elections every week, right?
You should acknowledge the tradeoff: physical presence is the condition.
It might not happen much in the Netherlands, but for instance making it so fewer people reach voting stations is a classic move. That's one of the failure mode avoided by the other means.
Voting ballots straight getting lost/destroyed is another failure mode, and yes it happens more than we want it to.
The sheer time to get the vote counted is also an issue, and we've seen voter sentiment shifting while the vote is still ongoing, with the media reporting directly influencing the outcome.
It could still be the saner tradeoff in the end, but it's misleading to present it as some ideal or inherently reliable solution.
The software doesn't matter that much. If you want to use voting machines, you need to create a paper trail with them that can be audited.
Auditing the software isn't enough if you can't reliably verify that this is actually what's running on the machines, or if the machines weren't otherwise tampered with in some way.
So they open the source ... how do I know that's what's running on the voting machine? There's really no good practical solution to this problem. What matters more is that there is a voter-verified paper audit trail and that this record is actually counted. At least by spot check risk-limiting audits, but ideally just count every vote manually to verify.
> There's really no good practical solution to this problem.
Remote attestation via trusted execution environments is a thing. It is not a theoretical one either. See, for example, Graphene OS's Auditor app[0]. Solving this for voting machines in particular would be a matter of good design, not of solving fundamentally hard problems.
I would be fine if they had at least the same level of scrutiny as slot machines --- can we turn Citizens United around and argue that since dollars can be used to buy speech which influences votes, voting machine should have the same level of scrutiny/verification/auditing which applies to finance?
There seems to be a news story every year about how someone won a jackpot or other large prize on a slot machine, only for it to be denied because the slot machine was "malfunctioning".
From a process perspective, how can a constituent know with absolute certainty that their vote was counted, every voter in the system was legal, and the final tally was authentic? Especially when there's no way to even audit what you voted for after the fact?
Every time I try to get to the bottom of this, it always boils down to "trust the system" which makes me uneasy.
Not being able to audit what you voted for after the fact is by design. Otherwise, it would make buying votes a viable strategy since you'd be able to show them who you voted for. Yes, taking a picture of the ballot is an option, but you can always ask for another ballot paper after you take the photo. Where I live, you're not even allowed to have a camera out in the same room as a voting booth for this exact reason.
IMO the best solution here is to have electronic counting with an auditable and traceable paper trail as a backup. Every time I've voted for the past 10 years has been like this. First, I get a ballot paper from the front desk and stick it into an airgapped ballot marking machine. I then make my choices and the machine prints them onto the ballot paper. I'm able to read the paper and verify that it matches the choices I made. I then stick it into a separate airgapped ballot counting machine, which scans my ballot and deposits the paper copy into a sealed box. The entire process of setting up the machines, transporting the paper ballots, and reading the results from the machines is cross-checked and signed off on by volunteer poll workers from both parties.
Each polling station should have representatives from multiple parties as well as independent observers.
> how can a constituent know with absolute certainty that their vote was counted
The representative of your party plus independent observer said all votes at your polling station were counted. You know both those community members and know them to be generally honorable. Ergo your vote was counted.
> every voter in the system was legal
None of the observers at the polling station, or the station head claimed any illegal person voted.
> the final tally was authentic
The observers all signed as witnesses on the final tally.
This is not the "system. it is humans you know who are telling you what they saw. If you can't trust other humans at their word, democracy cannot fundamentally work.
You should trust political volunteers after you have seen their track record of being honest and truthful. (Though there is some default amount of trust the process gets because of the adversarial nature of volunteers with opposing biases checking the process).
This is along the same vein as
You should trust candidates for the seat after you have done your due diligence that they have honest and truthful, and will faithfully represent you in the legislature/administration.
as well as
You should trust civil servants to have done state activities justly and produced truthful records and reports of state activities after you have seen a record of them doing these things correctly over time.
Democracy with humans is built on a lot of trust in humans. We have to keep this in mind when arguing about these things.
You do not have to watch every district, every election, every time. But given that enough people do it, at least once, at least in their own district, then it is easy to see why the system as a whole is trustworthy.
I think the sentiment of the OP actually gets to the heart of this (the idea of open-source is transparency, visibility, auditability) but the problem here is it need to be applied to the actual process, not to the process of building tools for the actual process.
It's not that developing voting software should be open-source, its that actual voting should be "open-source" in the physical sense.
Trusting the system is possible if you can (you, yourself) readily observe every part of the system. I don't think giving members of the public access to the server your voting software is hosted on is a very viable idea, but giving members of the public access to paper count centres is (it's done very successfully in many countries).
Stop me if you heard it before, but paper ballot with automatic counting machine is the way to go. You still get real time update, and you have a physical ballot box that's constantly under watch of volunteers from multiple parties. And if there's any dispute (there will be disputes) you can simply bring out the boxes and count again.
It's a simple, cost-effective system which is impossible to hack. Electronic voting offers no advantage over this.
Did you look at the link at all? That's what this company sells. They make ballot marking devices that print your vote on a ballot paper, then a separate ballot box that counts the votes by scanning the ballot papers.
How do you feel that the paper bill counter in your bank is closed source? It does not matter because it's trivial to verify. The counter says "here is a pack of one hundred ballots for candidate A," and if you're in doubt, you just count them again. While representatives from candidate A's and B's team are watching.
The difference is that I know the sum ahead of time and can object in the moment at the bank.
A vote recount and/or judicially called audit can take months to resolve. This can lead to a loss in confidence in the outcome and for political shenanigans (e.g. Bush v. Gore).
I feel far more confident in a system where the software is open source because it increases trust for free. As a citizen having the software be open source is only upside to me.
Something being open source does not mean anyone has even the slightest clue how it is running. People would have to see a read-only view of the active production run-time in trace/debug in real time to have a clue which of course would not be permitted. All code can be live-patched without leaving a trace by custom firmware or a thumb drive in production to conditionally change behavior on the fly to achieve any means or results. All electronic voting equipment can be tinkered with and any news stories about engineers testifying to congress will be erased for fear of reducing confidence in voting systems. Bribed developers take bigger risks for smaller gains all the time such as wireless front-line support selling or changing SIM information in SIM swaps.
Paper trails on the other hand can be verified and secured physically with chain of custody and proper attestation. Paper output can still be designed to be easy scan, verify and re-tabulate. I would like to see the paper trails scanned and uploaded to a centralized block chain so we can see if one of these things is not like the other. I would also like to see higher definition CCTV cameras monitoring the entire voting process and more of those cameras. That should also be uploaded somewhere they can not be tampered with and if a camera goes offline oopsie doopsie it's all hands on deck. Ballot drop-off boxes and mail in votes need to be outlawed and every state needs voter ID.
> Public Trust Demands Open-Source Voting Systems (voting.works)
Unless something has changed recently, election integrity demands a voter-verified paper ballot that is retained with security by the authority, and can be physically counted, as a check against compromised or defective digital systems.
Open source is not sufficient. Don't let marketing sound bites be a confusing diversion from the problem.
If the US understands anything this year, it's how important elections are. Hopefully we get another one.
I don’t really understand the blind trust in paper in person ballots. Historically and currently, elections are stolen all the time whether paper or not. Off the top of my head some recent ones: election irregularities in Venezuela and the Russian referendums in Crimea.
If people in power want to cheat, they will. Shuffling around the tech isn’t going to do all that much to change things.
That's a non-sequitur. Election manipulation is orders of magnitudes easier with voting machine manipulation and might not even be traceable. With paper ballots, you have to swap thousands of ballots that are handled by thousands of people, corrupt or prohibit independent observers, deal with election commissions and overseers, and so on. You can have recounts. With voting machines, you just have to push a software patch to these machines or manipulate the software that interfaces with them. No recount will help.
It’s not a non-sequitur. The thesis behind the push for in person paper is predicated on the idea that it makes it prohibitively difficult to steal an election. That’s demonstrably untrue based on current and historical examples.
As another example, you don’t have to swap the ballots at all. Somewhere in the chain of custody, someone could just “lose” ballots for a region that is projected to vote against whoever they’re trying to fix the election for. They could forge or lose some other accompanying paperwork that was to manage those ballots, too. Or they could not bother doing that either because what are you going to do, redo the election?
Cooking up examples is sort of pointless. There are always going to be new and unexpected ways to commit fraud. The actual root issue isn’t technological. It’s sociological trust.
Under appreciated benefit of hand-counting paper ballots: it is an opportunity for participation in your democracy.
I had the privilege of helping count votes in my small town 2012. Volunteers stayed up after voting ended and all of the ballots were double checked - counted by two separate people, working together at a long table. Cheating or manipulation was inconceivable, and there were many layers of double checking.
The beauty of this system is it is infinitely scalable. The more voters there are, the more vote counting volunteers there are. For larger cities you can split up by blocks or per polling place. There should be many polling places to make voting easy and accessible.
It isn’t fast or fancy or glamorous. But communities ignore the power of communal activities at their peril.
Throughout most of the non-US parts of the western world voting works quite well using paper ballots and hand counts. Any organization treating voting like a tech problem is willfully oblivious of the existing very good low-tech solutions. I think the intention is often good. But tech is also a new vector for attacking elections, so sometimes it's malicious. And it's very hard to tell the difference, and with elections even the appearance of interference is risky. We should outright reject technical solutions to voting, all it does is add risk.
Why stop at software? Open-source software is a good idea in election systems. The principle could be better generalized as an "open" (copyleft licensed) process for the entire system, regardless of whether the election system is implemented as software or not.
Anyone who talks about election security should be required to spend at least a few moments walking around Defcon in the election machine hacking village. Even absent electronic voting machines we still need to apply that same level of rigor to security across all domains of the election system no matter what format is used.
More fundamentally, the epistemic meaning of a ballot, a vote, or an option on the ballot, how options are even decided for inclusion or their exclusion, which outcome deciding algorithms are used, and how "the result" is interpreted by society or implemented by a political agent is deeply confused. The vote itself has very little resemblance to what actually happens. Such things likely cannot be formally specified anyway. Massive amounts of ambiguity, noise, error rate, and insecurity are to be expected in these kinds of systems. So what then are we even doing with all this? I am not referring to what we say we are achieving, or what we say we are intending to achieve, but rather what kind of actual outcomes be can supported by careful engineering of all these components?
We’ve been using mail ballots for decades, as a voter this system is convenient and afaik hasn’t been seriously challenged.
Your suggestion for its abolition aligns with treasonous players like Vought.
If you moved to another district you should vote there.
If you want people temporarily out of their district to vote, then in district X you could have a box for district Y, put paper ballots in, and send the sealed box to Y to be counted. The important thing is that the vote is cast in person by the right voter and put immediately into the box.
In other countries everyone has an ID automatically. That is a requirement to use IDs for voting. You need a proper national ID system, not the hodgepodge of random identity documents the US uses.
I don't believe that. Even in the most backward places where people can barely read they can manage to get an ID. If anything, it would have a leveling effect, by decoupling the voter id from things like driving, which have nothing to do with voting.
I heard this concern and looking at the MAGA it is totally believable. But really, how can a country disenfranchise anyone, if they will issue a mandatory national ID? If it is not national (state or lower) or if it not mandatory (voluntary and/or paid for), then I can see parth for corruption. But if it is mandatory national document, issued to every citizen without exception and only to citizens, then I honestly don't see where the corruption may happen. If anything, USA SSNs are much bigger vector of corruption, a proven vector of corruption, but again, like with FPTP no one bats the eye.
My preference (I think) is we have a federal holiday "America Day", (call it Trump day for all I care) where we celebrate, hand out cookies, friends and family get together, etc. and we all vote in person.
One of the weaknesses in our democracy is the insistency of doing things virtually - it's the same weakness exposed by social media.
Electronic systems are always going to be subject to hacking and manipulation, and are more easy to hack and manipulate at a large scale (scaling is the point of software). In-person voting is still subject to manipulation, but you can just go back and look at the ballots on paper as they are. You get more targeted manipulation, but it's probably easier for a single person to uncover and reason about.
National mandatory holiday for voting would eliminate soo many issues and concerns. It really should be a must in every country, at least for the biggest elections. Inbefore "lazy urupeons are wrong, no holidays is the only true way!!!" there are 11 federal holidays in the USA, same as in many European countries, and the sky didn't fall down because of that. Adding 0.20-0.25 holiday per year won't return a country to dark ages or anything.
I agree with paper ballots, completely. But requiring voting to be in-person: how do you deal with citizens who are homebound, traveling, or working? Not literally everyone can get the day off--even if you suggest "shifts", there will be some people who won't be able to, whether because the hospital is understaffed and people will literally die, or because they don't have the resources to get to the voting hall on their lunch break.
In Ohio we have early voting, and then we also have absentee ballots which I think solves both of those challenges. We even have what's called curbside voting for folks who can't get out of their car.
I guess in some sense I'm arguing for the existing system [1], and not to move to any sort of electronic voting, but adding in a new federal holiday for the actual Election Day. It should be a celebration of democracy, a day of reflecting on our republic, and an opportunity to be patriotic with special programming and events, parades, etc. Just a hope/dream there.
I guess the main thing I'd like to say is, I think we should have the day off from work and we should all get together as much as possible as a society and celebrate this damn thing we have instead of sitting at home on the Internet just complaining and doing nothing all the time.
[1] Today we have ballot markets which electronically mark and print the ballot. I'm not quite as concerned about those being hacked (from a layman's perspective not any expertise), and then we have the actual ballot that was cast by the citizen that we can reference. When I think about open-source voting systems, electronic voting, etc. I think of doing it through your computer.
I've been saying it for years. We are more than capable of creating an official USA app that every American can download, test their knowledge on a topic, and vote. If X.com can implement polling, why can't the US Gov? In my opinion, they want to portray the illusion of democracy, not actually implement it.
There are many Americans that can't or won't download a "USA app". Owning a smartphone must not be a requirement for participating in democracy.
And if all you want is political polling, every elected representative does this already (well, they generally pay someone else to do it). So I'm not sure what it would mean for the US gov to do it separately. Do you imagine that a "non-partisan agency" like the CBO would do it with taxpayer dollars, as a publi service for the politicians who would still vote however they do?
Complaining about electronic voting (absolutely valid and reasonable take btw) while living in the country with first past the post election system, is like complaining about bad wall insulation in a house which is on fire. Yes, insulation is a actual valid problem. But maybe not a Priority 1 at that particular moment.
In first past the post system, between 1% to 49% of votes are stolen and tossed by design. This actually, not hypothetically happens, in real life. Electronic voting maybe can be abused, and maybe some significant number votes may be defrauded. But in FPTP it has actually happened already and at a much worse scale. Imo the real high priority issue is obvious.
I think, that there is only one way to make voting machines to be trustworthy. If anyone can run ballots through their own machine to verify results, AND there will be multiple parties doing exactly this, then you can trust the outcome.
But still it is not a way to fight a political party that will use dummy machine that counts each ballot as a vote for them, and then accusing all others that they are trying to steal the elections. It is an unbelievable stupid tactic, but I think it may work in USA, judging by people eager to believe any BS if it supports their party.
It might be an aside but it would be, "really groovy" if the general public started to realize that, "democracy" is a way of life and a set of considerations that furthers an open public discourse and attempts to maximize human felicity and reduce cruelty. In an oxymoronic sense it's the public voting on things that actually kills real democracy.
No. Democracy is not about reducing cruelty, or any other vaguely activists points of views. It is about having people choose where they want to go. It might be that these choices unveil that humanity, statistically speaking, is actually a cruel bunch. And, what you think is cruel, might be just fair to someone else. Democracy is about surfacing the human nature.
I can't edit my previous comment so I'll continue:
This isn't and has never been true in a universal sense. Athens was democratic plutocracy with slaves. The United States didn't have popular democracy until well until the 20th century and it's worth noting that it was the Southern Democrats which wanted to restrict the basic political rights of blacks in the name of, "popular sentiment." The Fukuyamist position which takes a naive view of western democracy as totalizing in a historical sense is being rapidly called into question all over the world. People (almost) universally want the expansion of the their quality of living and political autonomy in a sense which includes but also transcends the ability to cast a paper ballot. We see with Trump that this naive notion has, "serious flaws." In the 1930's the Nazis came to power under a democratically elected conservative government. Democracy means pragmatism. Pragmatism means something about, "having a superior conversation about what we would like to be." The ability to cast a vote is an extension of this sentiment-- it isn't its foundation. We see that in the general experience of the Chinese middle class. They live under a totality but neighborhood associations and not actively being managed by the CCP results in many reporting feeling freer under this system than under ancillaries geopolitically.
Only the deployed hardware matters. Or only the person reading the result of the machine matters. Or only the USB key which is transferring the results matters. Or…
Once you start with non-transparent mechanisms, there is no end to it.
As the CCC has stressed almost 20 years ago already, "public trust" demoands pure analog, no software at all, voting. Whenever someone comes back and tries to introduce some sort of voting machines, they are trying to fool you. Never EVER trust an electronic voting machine, no matter WHO is trying to sell it to you.
To understand criticism with electronic voting system let's assume the best case: say you make the perfect, mathematically verified voting software. That is perfectly up to date each election. That runs on open yet tampersafe hardware that is as the stickers say never obsolete. That notices any human error and hacking attempt (not that such a thing exists).
Even with that utopian scenario the remaining problem is that the goal of elections is agreeable consent. Mewning the goal isn't just to get a decision. The goal is to get a decision, people can agree with because they trust the process must have been okay. If your vote is low stakes, like where you go for lunch with your collegues, then that trust doesn't matter, who cares if it was wrong? But if it is high stakes even a perfect digital system is problematic, because even intelligent, technological expert voters have no chance of understanding which of the moving parts might influence what in which way in practise.
Meaning a paper ballot with the right process can more or less be understood by everybody who can count and has mastered the cognitive skill of object permanence.
A Rust project with a 30k Cargo.lock file filled with dependencies on an even more complex operating system, running complex (in a different way) hardware, that might differ for each voting location isn't that. And that isn't about the programming language or the tech stack. It is about the intransparent nature of electronic systems themselves.
I spent a three quarters of my life learning programming and electronics including hardware design and I teach that stuff on a university level. Even I would have a hard time ensuring there is really no backdoor in the whole stack. And this fact means even if there is no backdoor in it, there might be and there is no realistic way for a normal person to check. I understand the nerd appeal. It is cool to toy around and figure that problem out. But the core of the problem is not technological it is sociological.
That is such a big flaw that IMO it is not worth it for high stakes elections.
The system is a whole bunch of people from different parties being present when votes are collected and counted. And with paper ballots you need to do the fraud in many different polling stations.
It is possible to do small-scale fraud with paper ballots, you can never fully eliminate that option. But it is exceedingly hard to do larger scale fraud without it being extremely obvious to any observer.
Yes, and it's incredible how many problems are solved by hand-counted paper ballots. I get that it's a big task, that it takes time (and some US administrations seem to despise not knowing election results the night of the election), and that it's very tempting to automate, but the basic formula of 1) everyone gets a paper ballot; 2) the ballots are collected at a polling station; 3) the ballots are counted by hand is much harder to corrupt. Maybe build the fancy stuff on top of the paper ballot, like serialized ballots to prevent duplication or timed locks on ballot boxes to prevent tampering, but for the love of Democracy, keep it simple!
These kinds of comments always annoy me a bit. It's 2025. 155,238,302 people voted in the most recent US presidential election. It is entirely silly that we expect people to manually count that many ballots in this day and age. And count them without errors! (And yes, we can make those paper ballots machine-readable, but you still need software to count them.)
Yes, I know: before computers and other mechanical systems, people had to count ballots by hand. There were many fewer people voting then, and regardless, that's not really the point: they counted by hand because they had no alternative.
Electronic voting certainly brings new problems into the mix. I don't think those problems are insurmountable. The problem isn't the technology itself. It's the legal and social landscape around voting technology. Open source, with reproducible builds and a method to verify that the code running on a machine was built from a particular version of source, is a start. Verification of that software's functionality, on par with the verification done of critical software (medical devices, things that go into space, slot machines, etc.) would be another good move.
Voters can also receive paper receipts, and I'm sure we can come up with some sort of scheme to take a representative sample of the electronically-recorded votes and validate them against the paper receipts, while maintaining voter privacy.
The absolute number of people doesn't matter. If you have more people voting, you can have more people counting. If you have more people, you have more polling stations, you can keep the size of them constant no matter your total population.
Other countries do paper ballots and manual counting without issues. The US isn't that special or unusual.
There is too much power at stake and too many dollars in the mix for this to work. Take a look at how expensive it is to break electronic voting machines then compare that to the billions of dollars that flow into an election cycle.
it’s called distributed voting centers, there’s this many people so there’s plenty of people available who can count their block’s ballots, there’s no motive of convenience in using electronics for voting that could ever surpass the motive for simplicity and trust, it’s just not that hard of a thing, there was no new problem that suddenly emerged when electronics became available for this, this notion should inform you of the various motives of why someone started to market them to decision makers
we need a system that's based on paper. the machine can be digital, but, for instance, the vote needs to be written on a "roll of cash register paper".
The voter needs to be able to see their vote on the paper.
Reading the rolls needs to be done by machines, but by several different machines reading the same rolls. So we can verify.
Software is not the problem. The medium of persistence is.
Some of the comments here seem to be associating electronic voting with these electronic voting systems. The systems described by this project all have paper ballots and audit trails, they're electronic assistants in running a paper ballot election.
I've only worked a couple elections in a single US county, so I don't claim to be an expert. But the projects described by the company align with each of the devices we use in elections today. Using their software would be the equivalent of moving from MS Office to LibreOffice for operating the government. It won't solve everything, could have bugs, but there are some significant long term advantages, like not depending on a company that could go out of business for security patches.
The first device voters encounter is people working the electronic poll books. We still have a paper backup available, but prefer the electronic versions. First, they can scan the barcode on the drivers license for a quick check-in (usually). When person shows up at the wrong location, we immediately know without spending a couple minutes looking through the paper list. We can even tell them where their voting location is rather than "you're not on the list, we don't know why". When someone needs to vote from their car, we can take a poll book with us and check them in curbside, no extra back and forth. And anyone can check-in at any poll book, rather than splitting the list up by last name. If there is ever a hack of the poll book, changing the list of voters, that could have also been done with the paper backup, and that's why there's a provisional voting process.
After that, over 99% of voters get a paper ballot. They mark their oval with a pen, and take it over to the scanner. This is where the security happens. There's a paper audit of the vote, and the vote is anonymous, your name is not on the ballot.
Less than 1% of the voters ask to use a ballot marking device. They are there for ADA requirements, allowing people that have difficulty marking a ballot by hand to vote. They have headphones to read the choices if needed for the blind. When finished, their choices are printed on their paper ballot, human readable and verifiable, and taken to the same scanner used by other voters. Most people don't even realize ballot marking devices exist, I didn't before I started working the election, and I've yet to see anyone request to use it.
The next step is where people get suspicious. The paper ballots are run through a scanner at the precinct, by the voter. These are monitored by an election worker to ensure the voter scans their ballot, but we stand so we can't see the ballot choices for voter privacy/secret ballots. These machines output a tally in multiple forms at the end of the election, including multiple paper copies and USB drives. The various copies get split up and separately delivered, each by a team of workers, for both redundancy and to ensure no one person is ever alone with the results.
A very important process happening throughout the day is counting the votes. The number of voters that register in the poll books is compared with the number of ballots given out (when ballots are unwrapped, they are counted, and what remains at the end of the day is counted again), and also the number that went through the scanner. Things get complicated (I assume reports are made after an extensive search is done) if we are ever off by one ballot in those counts.
The common fear that someone could stuff the ballot box, even by an insider, doesn't match my experience. In addition to the counts above, multiple workers, from multiple parties, are assigned to each precinct. We don't leave the ballots at any stage unattended at any time.
At the end of the day, the tallied ballots are sealed in a box. All equipment is locked back up. And lots of items (tallies, USB disks, sealed ballot boxes, provisional ballots, etc) are returned by a team of people that night to the county government building. From there, initial counts are released and then the election needs to get certified. That's where my personal experience ends.
The certification process includes deciding which provisional ballots to accept, and then counting them. But it also includes audits of the equipment. And those audits are supposed to take some boxes of ballots from select precincts and run them through a different a scanner to verify the tally is the same. The precinct scanners are also audited before we receive them, which is visible because a permanent count is tracked on the machine that's never zero for us, even when it's a new machine that's never been used in a previous year's election. In addition to all those electronic counts on different equipment, some percentage of ballots is likely hand counted. This certification process all happens over the course of days, if not weeks, but the initial count is usually out in a few hours when a first team of workers brings back one of the two USB disks (along with other items).
There are ways to hack an election, but these electronic machines are at the bottom of my list. Someone would have to alter the counts from the scanners without adding or removing votes, in a way that doesn't get caught in an electronic or hand audit in the future on independent equipment, and doesn't get detected in an audit of the machine before it is placed in service. And the whole process is constantly watched by workers from more than one party affiliation.
Instead, if you wanted to hack the election, you'd first become a billionaire, and buy all the media companies to ensure the population only sees one opinion. Then you'd gerrymander the election districts so most elections aren't really contested. And in locations where it might be close, you fill it with ads and social media misinformation so that voters don't know what to believe and they follow the loudest voices that repeated the most. Not only is that a lot more likely to work, but there's no chance of any consequences if you get caught since it's not illegal.
Here in Germany every single vote is on paper and is counted publicly, where any citizen has the right to observe the counting process. There is a list of all people eligible to vote at a certain voting location, where all voters are crossed out when they come to vote. While errors of course happen, I have absolutely no doubt that the results are free from intentional interference and that the only people voting are those who are eligible to vote.
The idea that my vote is digitally recorded seems absurd. And I do believe that the consistent distrust of Americans in the integrity of their elections is caused by the design of the voting system. There just seem to be so many completely unaddressed flaws. Open sourcing only addresses some part of the flaws and I do not think that electronic voting should ever be trusted.
Trust in a democracy starts with trust in elections, which I do not think can be reasonably provided by electronic voting mechanisms.
The technology forum that despises technology, what a world. We should be expanding voting access, not taking it back to the 19th century. Vote with whatever means you have: wanna show up physically and hand-write your ballot, great!, wanna mail it in, go for it!, wanna vote via website or app, have fun!
Who gives a shit man, it's not going to be the end of the world or even substantially change things no matter what methods we choose. You might as well choose the ones that make things easier on people. Crazy that the world wide information network that we've built and defines our current age in history is treated like some horrible evil. It's not, it will be fine. But with vote by website now every home, school, and library in the country becomes a polling place.
There is no amount of transparency that will achieve the mythical "public trust" that's being envisioned. Our current voting system is all paper right now, actual voting fraud—meaning literal ballot stuffing is nonexistent and still people buy into conspiracy theories. Voting manipulation happens in broad daylight at the systems level and is done by carefully restricting access. Expand access and the problem vanishes.
It's frustrating, honestly. Everyday we trust some tech with our lives, but voting? It's unacceptable. Oh, you can have this cryptocurrency that you can use to buy things without the government or anyone else getting to spy on you! But voting should be only with paper and pen because you can not trust machines!!!
I can assure you I am as white as they come, my family being a mix of Quebecois and Irish I'm "wears sunscreen in the winter" pale.
I'm at a loss for why you would assume something about my racial background from my view that voting should be made easy and convenient in a democracy. I'll go even further, in addition to being able to vote digitally you should automatically be registered to vote when you establish residency, voting should be compulsory*, and it should be a national holiday. But outside the bigger picture I selfishly want this because I don't want to bother driving to my polling place when I could voted in less time than it took to type this reply.
* I wouldn't have any punishment for not voting, that would be a huge mess. But I would have it on the books in the hopes that people would follow it simply because it's the law.
The US has the worst voting system intentionally, not accidentally. And mail-in voting shows we aren't even a little serious about election integrity. We're militantly against it: you can get people to rabidly support universal IDs for trivial, nonsensical reasons that have never resulted in significant problems; and to demand digital IDs, device attestation, and real names on social media; but to the same people showing IDs to vote is supposed to be the end of democracy.
People have made this proposal every year since the 90s, and depending on the year it was the Republicans rabidly opposing it or the Democrats rabidly opposing it. Good luck getting things accomplished with a good argument. That's not how things get done. The people who get the final say about this would love to get rid of voting altogether, but they'll settle for vendor kickbacks.
The US doesn’t have a national ID system, so your proposal doesn’t make sense. The closest thing is social security cards but those are not photo IDs.
A signed affidavit or local ID should be fine to establish identity. That can be done when signing up for mail in voting (although I personally prefer in person).
Voter fraud is extremely rare under the current system.
> The US doesn’t have a national ID system, so your proposal doesn’t make sense. The closest thing is social security cards but those are not photo IDs.
RealID is a national ID system (that they pushed since the 90s for no reason), and we're all issued voter IDs when we register as voters.
> A signed affidavit or local ID should be fine to establish identity.
I don't think you understand that people are against showing any ID to vote; if you pull one out, the poll workers' eyes get big and they fall over themselves trying to get you to put it away (I just took it out so you could read my address to pick my precinct, ma'am.) An ID which, very soon, will be required to be a RealID if it isn't already in your state. It is in mine.
I also don't think you really mean that a signed affidavit is enough to establish identity, even though you said it clearly. If you actually do mean what you said, I'd love to hear the argument.
> That can be done when signing up for mail in voting
Mail-in voting allows other people to watch you as you vote, and is the opposite of voter integrity. You should not be able to prove who you've voted for, or else you can be forced to prove who you voted for. This is why you are not allowed to take pictures of your ballot in the voting booth.
There's absolutely no reason to spend any time on open source voting code if you'll allow churches to call their entire memberships in to fill out their mail-in ballots together (under pain of expulsion), or hypothetical gangsters to go door to door threatening to shoot people if they don't give their ballots up.
> Voter fraud is extremely rare under the current system.
1) There is no way to know, and 2) if so, that makes this proposal even sillier.
I personally am very interested in electronic voting and voting algorithms. I've read a million papers and think about it all the time. But this is not a technical problem. There is no country that has a worse voting system than the US. Normal countries don't take weeks to count up the votes.
> we're all issued voter IDs when we register as voters.
I don’t think you know what you’re talking about. I have never been issued a voter ID at the time of registration.
> Mail-in voting allows other people to watch you as you vote, and is the opposite of voter integrity.
Or you could just vote in person which is an option even in universal vote-by-mail states.
> hypothetical gangsters to go door to door threatening to shoot people if they don't give their ballots up.
Why make up hypothetical situations and invent a problem that doesn’t exist? You can just as easily cite made up problems for any proposed solution.
High tech electronic voting schemes and voter ID schemes solve problems that literally do not exist, and frankly do a poor job at solving even those made up problems.
No. Public trust demands no software or programmable hardware in the election process.
• Why Electronic Voting is a BAD Idea <https://www.youtube.com/watch?v=w3_0x6oaDmI>
• Why Electronic Voting Is Still A Bad Idea <https://www.youtube.com/watch?v=LkH2r-sNjQs>
I agree that paper ballots are better, but also agree that electronic voting, when used, should be open source.
If you can independently verify the election result, then it does not matter if any of the counts were made using proprietary software.
If you can not independently verify election results, what good does published source code do?
Elections are a process, not a result.
20 years ago I attended an international conference on electronic voting. There were various papers on the form of elections (not on specific products.)
The huge takeaway for me was not the technology (or lack thereof). Ultimately all existing (and proposed) systems have flaws. The key was public trust in the result.
The first step to sidestepping democracy is to attack the legitimacy of elections. One can attack the process, software, hardware, ballot security, eligibility, and so on. It doesn't really matter what you attack - it doesn't matter if your gripe is legit or not. It only matters that you erode trust in the result.
If you can make people think the elections are rigged, then you can bypass them and move straight to authoritarianism.
Quibbling over open-source or not is irrelevant. We can cast doubt on the software either way. Quibbling over electronic or paper voting is equally irrelevant (there are plenty of paper-only elections worldwide that are very suspect.)
Naturally the Open Source company promotes Open Source voting machines. But in truth being Open Source has no (real) benefit. Software is easy to tweak, Open or not.
> But in truth being Open Source has no (real) benefit. Software is easy to tweak, Open or not.
But that's not the truth though. Open source software is not easy to tweak when it's deterministically compiled using reproducible builds and there are provisions for on-demand inspection of executables and hardware.
World went down on a completely different path. New wave authoritarians want to pretend that there is democracy, and they want to keep up the trust, even when elections are not free or fair at all.
One of the few things I was happy with Texas legislation this year was moving all to paper ballots. They still use the "bubble counter" machinery though and not human eyeballs. But it's not like it still relies on honest people and a government that is neutral when it comes to counting votes. That's starting to look like it is less and less possible with the current regime's banana republic chaos.
I agree insofar as ensuring all e-voting implementation attempts are open source will enable us to more comprehensively prove that it is a fundamentally bad idea.
> I agree that paper ballots are better,
You didn't define how paper ballots are better. Given that many electronic systems print paper ballots, I'm not sure how they could be said to be universally better.
Electronic ballots can be much better than paper in two ways. Firstly, they are faster to count. I'm not sure why that matters, but it's true and seem people seem to think knowing the outcome quickly is important.
Far more importantly to me: they are easier to use. In Australia we have compulsory voting. A lot of attention is paid to how many votes are invalid. It currently runs at 5%, but ranges up to 10% in areas with lower education levels or non-English speaking. Voting machines can tell you verify if the vote is valid, help you if they aren't, provide information from the candidates if you want to know more.
One the downside, a poorly designed voting machine can be far less secure than out current paper system. Sadly, I don't think I've seen proprietary voting voting machine that didn't have significant design flaws. Making the situation worse is the voting machine companies like to keep their flaws well hidden (flaws aren't good for sales). In Australia, we've had examples of the Australian Electoral Commission perusing academic researchers in the courts for revealing flaws. [0] Mandating open source mandate is a solution to that.
https://www.unimelb.edu.au/newsroom/news/2019/november/flaws...
Candidates drop out, die, or become ineligible in all kinds of ways. Paper is not strictly better and can create costs and complications on the day of the election itself.
Electronic voting is fine. Why can't we just have a printer in the polling booth? I run my ballot, then hit print, then I can manually verify it, and then drop the printed ballot in a box.
Literally the easiest thing to do.
If there is a most HN comment award, this comment must get it. Congrats you invented the most expensive pen / stamp!
[flagged]
Can you please edit out swipes from your HN comments, and generally stop posting aggressively? You haven't been doing it extremely (which is good) but you have been doing it repeatedly (which is bad).
Your comment here, for example, would be fine without the last bit ("you've missed the point entirely").
If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.
You still have to securely distribute those machines. All of the things still apply. Actually you need even more security!
Printing paper is cheap. Shipping it is cheap. Checking it is cheap and obvious. Reprinting is cheap. You don't even need to ship them. Most of the cities are close to industrial areas which has big printers and paper mills.
Making stamps or buying pens is cheap. You validate ballots at the polling stations which is scalable and cheap. It is the members of public who validate it. You don't need to pay most of them. They are just local constituents! It is their vote!
You are not aware how far away you are from the point!
[flagged]
This is not electronic voting imo. Just optimization for someone who finds taping faster than putting X with pen
IIRC, last presidential election that was what we did in our county, voted on a machine, got a prinout, verified it, stuck it in the scanner and was done. I think I'm remembering it right?
Ohio has this.
What you have just described is an ExpressVote voting system, manufactured by ES&S (https://www.essvote.com/products/expressvote-3/). Here is an example how-to on using it from Micigan (https://www.youtube.com/watch?v=ebqktli8bRk). The only salient difference between what you describe and the actual system is that the paper run through the machine is also audited (to guard against someone ballot-stuffing by creating additional ballots when nobody is looking).
If you want this, the next step would be to get involved at your county or state level (depending on how your state makes voting technology decisions).
there are even ways that paper ballots can fail. there needs to be a better process that has proper controls and checks regardless of the format used.
I wouldn't trust any democracy that uses electronic voting. It is not possible to secure voting machines and make them democratically accountable.
I agree but worry about what this implies for accounting and other financial systems. If we can't trust the voting machines to tell us what the vote totals are, how can we trust the bank computers to tell us who owns what?
I would be very worried about banking security if there was only one bank and it was run by the government. Obviously, that's not the case, banks are private companies and there are thousands of them constantly competing for each other. They have a strong interest in tight security to remain trustworthy. They're also heavily regulated, probably even more than the voting system, and they're subject to financial auditing. I'm not an expert but would estimate that for these reasons banking is overall more secure than electronic voting.
I could be wrong, though. As far as I know, hardware companies nowadays cannot even be reasonably sure that the chips they use don't contain backdoors.
Now you're getting it. Trust is the overriding problem, and it is a people problem, not a tech one.
For clarification, my position is that electronic voting is not secure and cannot be made sufficiently secure to safeguard against catastrophic failure and abuse. That's orthogonal to the issue whether voters trust in the voting mechanism, which is also important.
Particularly where the machines are all of the same type or connected to the Internet. If
(META: Anyone want to summarize the 20 minutes of video, and make it more relevant to this conversation than simply, "No." ?)
Haven't watched it, but to summarize what I imagine someone aligned with me would say: A ballot's entire lifecycle can be watched as it goes from the stack to the booth to the dropbox to the counting pile. Poll watchers are vestigial as soon as voting machines are involved; it becomes the honor system, which is not trustworthy enough in a system where the parties do not trust each other. The best you have is 'we have found no evidence of widespread voter fraud', a carefully couched statement from media organs you don't necessarily trust either. You, a (Democrat/Republican), can trust a system with paper ballots, because people from your party will observe all relevant details of the process everywhere the process occurs.
The lifecycle do get interrupted with early voting and postal voting, and as past elections where I live have shown (Sweden), some number of boxes of votes will generally be discovered after elections. The postal system are not designed to be 100% reliable and some portion of mail do get lost, fail in the sorting process, or get sent to the wrong location and put into the "fix it later" process which will miss the election deadline.
Software and hardware is still magnitude more vulnerable to intentional misbehavior, and even accidental mishaps has a higher risk of massive negative consequences, and its harder to discover failure compared to boxes of votes that has a physical presence.
In practice by the way the actual role of your appointed watchers is to figure out early whether you've won.
They can see whether another candidate's ballots are piling up faster than yours, they can estimate whether a table counting ballots for a district you're expected to dominate is being given way fewer ballots to count than you'd expected...
Yes, they would obviously spot if some election worker is like adding a pile of pre-marked mass produced ballots to a pile or something, or if they were just putting half of your ballots in the wrong pile - but stuff like that basically never happens, whereas somebody will win and it'd be nice to know before it's announced if that's achievable.
The thing is, a software based voting system with a sufficient number of checks and balances preventing tampering seems to be a lot more trustworthy to me than human poll watchers and workers. It wouldn't surprise me at this point that there may be moles in parties that are secretly from the other party.
And the other related issue is that in 2025, it simply should be possible to vote from your phone in a way that verifies your identity, if you'd like, using the faceId/fingerprint biometrics that most smartphones from recent years have.
An election needs to be trusted by everyone, and explainable to all voters. It does not help that you believe it is safe. You have to trust the compiler, and the chips, and everything, and convince all voters it works.
Paper ballots are fine. It is not complicated at all and an election is the one thing you just cannot get wrong in a representative democracy. It can cost a bit and you only do it once every few years.
The obvious problem with smartphone voting is that it's hard to combine with voter secrecy. An abusive spouse or someone bribing the voter could demand to see what vote was cast.
And if anyone can make up a reason to doubt the outcome of the election, it will fail it's objective: Peaceful transfer of power.
The usual way to try to solve this is the ability to override previously cast votes, in secret. But the combination of that and the ability for all interested parties to independently verify the count is not trivial. But not impossible either, much has been written on the subject since e-voting was all the rage in the 90s. One would do good to study this work before designing yet another voting system.
First video:
Arguments against electronic voting: 1) one person can change millions of votes 2) vulnerable even outside the country 3) even if you audit the software, it's hard to verify that the audited software is what is actually loaded on the machines 4) even if you check hashes of the software, how do you check the software that checks the software (this is a restatement of the Ken Thompson Hack) 5) proprietary software 6) USB sticks are insecure 7) final computer tallying everything is owned and located in a single place 8) XSS attacks on e-voting pages.
Arguments for physical voting: 1) centuries old, many attacks have already been tried and failed 2) no identifying marks on ballot = no opportunity to pressure voters to change their vote 3) multiple people involved in each stage of the process
I realized after typing that out that YouTube has a "Show Transcript" function, so try that for the second video.
In addition, and I think the punch line, if you take measures to decentralize and audit every single part of the digital process, you have just made the most expensive pencil and it'll not perform that much better against manual voting to begin with.
Too easy to cheat.
This isn't a technology problem, really. It's a problem of corruptible humans. In US elections, there are billions and even trillions of dollars at stake. Observe the grifting being done by the current administration. Thus, humans are extremely incentivized to corrupt the process. Technology just makes the corruption easier. Technology enables the grifter.
An optical hollerith machine would be useful. It would sort paper ballots into buckets based on selection. It's relatively easy to flip through a stack of ballots and ensure that every one has the same selection. Saves the effort of hand sorting which is not error free.
Brazil and India are doing fine
How do you know? How can their citizens know?
They don’t have stellar democracy grades from The Economist’s index: https://en.wikipedia.org/wiki/The_Economist_Democracy_Index and both seem worse off in the last ten years than the ten years before.
Are they using only the electronic version or the mixed version? We used the mixed version in some elections here in Argentina. The paper trail is harder to fake, and the electronic part close a few problems of theonly paper version.
Umm.. I wouldn’t say fine.
https://www.bbc.com/news/articles/cj9w43p7741o.amp
Things have always been iffy. No one knows for sure.
Edit: That link is the most recent example. Googling for voting machines themselves would bring more examples. Every election cycle we go through reports of malfunctioning, no audit, audit not matching, extra machines appearing, machines being taken around by politically connected, even things like pressing any button on the machine voting for the same party…etc., but ECI has been pushing it aside and refusing to open up. This recent one became an issue because the manipulation (allegedly) went a layer deeper into the voter rolls themselves and they are public data.
We don’t know what’s up with the machines.
Placed 56 and 41, respectively, on the Democracy Index.
US and France are marked as "Flawed democracy" (nr. 28 and 26 respectively).
Enjoy: https://en.wikipedia.org/wiki/The_Economist_Democracy_Index
I did certainly enjoy, thank you.
Haha no. Voting machines caused absurd amounts of political instability here in Brazil. It's essentially become wrongthink to question the system.
Our elected representatives have tried to add a paper trail to the machines twice now and it was ruled unconstitutional for total bullshit reasons. Our former president was banned from future presidential races because he questioned the machines. We have a judge loudly proclaiming that the machines are UNQUESTIONABLE with such unwavering pride you'd think he'd have the balls to start a billion dollar bug bounty and post it here on HN. He only allows you to "audit" the system by appointment behind closed doors and the only tools you're allowed to bring with you is a pen and a piece of paper. People found issues even with these restrictions. There are people protesting to this day, laymen asking for source code, completely unaware of the existence of supply chain attacks and the fact the source code would prove nothing and serve only to humiliate them. We have former US president Biden's top CIA guy telling our former president to stop questioning the machines, wouldn't be surprised if they had access to this shit.
Germany did it right: voting machines are unconstitutional because citizens do not understand it. Elections must be fully auditable by the average person. This is the correct stance.
>Our former president was banned from future presidential races because he questioned the machines.
Bolsonaro didn't question the electoral process, in fact, I doubt he even understand it himself. He questioned only the results, because in his mind he should have won by a lot.
Not dissimilar than Trump's "stop the count!" on US paper ballots.
> Bolsonaro didn't question the electoral process
He did. For years, and during his mandate. I was there. Out of every stupid thing he said and did, they cited his perfectly valid criticism of the voting machines as the reason for his banishment from politics until 2030. I submitted news of that event to HN.
> Not dissimilar than Trump's "stop the count!" on US paper ballots.
Completely different matter. I'm very skeptical of claims of election fraud in the USA because it uses paper ballots. I have no trouble at all believing that our Magnitsky sanctioned judge literally named Lula president. They broke the guy out of prison to run against Bolsonaro for a reason.
In the end it's irrelevant. Bolsonaro's ordeal has revealed the deep truth of Brazil to the masses: the real power is in the supreme court. Discussing elections is utterly pointless since these judges are not elected. Elections are just a game they play to give this shithole a veneer of democracy.
A solid starting point, but it's easy to lose sight of the other critical part of the puzzle--integrity of the voting rolls. High quality vote tabulation needs to start from voters, where _only_ legitimate voters vote, and each only votes (at most) once, after which yes, their vote is accurately tabulated.
Voter rolls are public information in the US; there are several watchdog groups that perform verification services and have done so for decades; and to date, none have uncovered the kind of large-scale voter fraud that would necessitate doing anything differently from what we do now.
In fact, I'd argue that having 50 different voting systems with 50 different ways to prove eligibility makes our elections more resilient to large-scale voter fraud, even if it makes it more difficult to verify voter rolls wholesale.
Crypto could be argued similarly no? But it seems to have sustained trust.
Cryptocurrencies don't need to do things like make sure that no human gets more than one vote, only humans (no bots) from a specific part of the world get a vote, and keep votes secret. Blockchain is not the solution.
> Cryptocurrencies don't need to do things like make sure that no human gets more than one vote
That's pretty much the problem they were designed to solve no? It's called the double spend problem, and it's crypto's big comp-sci innovation. The whole paper was about it.
The secret ballot requirement foils this. Transaction identities are well-known and public; voter identities are secret and unverifiable. Any attempt to link ballots with identities to prevent double-voting also reveals how someone voted.
Crypto identities are anonymous. I don't see the issue?
Crypto identities are identities, as much as human names or Social Security numbers. If you know who the identity represents, then you know that human's transaction history for all time on that blockchain.
Ballots do not have any identifying information, intentionally. There is no tracking number or possible mechanism to de-anonymize a ballot back to the human who cast it. Notably, there is not even a unique identifier for a single ballot that could potentially be used to identify a person.
Most importantly, there is no value that is unique to the ballot that I can use to verify that I am indeed the person who filled it out, so some nefarious organization could threaten me or my family to produce proof of how I voted. Or pay me, or influence me based on the outcome.
So there is no "identity" that you can record in a blockchain to prevent that identity from casting two ballots in the same election.
Crypto doesn't limit participation, unlike voting.
At some point, one needs determine whether voting transaction 123 by votecoin address 3456 was made by a valid voter and that the voter has only voted once.
So how do you do that? If a central authority does it by say, issuing votecoin addresses to voters or asks voters for their self-generated addresses, then your ballot is no longer secret since they can see exactly who voted for what.
If a voter shares their votecoin address with anyone, then anyone can see how they voted inviting vote buying and pressure schemes.
Haven't crypto an opposite bias, with no guarantee that any given transaction's ledger will stay relevant ?
Dropping votes is as problematic as allowing too many.
In general, money transactions have failure modes that don't match what we want for other use cases. That's the same trap as using credit card payments for ID verification, it only works if you don't actually care about the ID.
Yes and no. Confirmation takes time. But it heavily depends on the crypto. Some can be pretty fast. Once confirmed it's guaranteed, it won't drop off.
Assuming you can vote from the comfort of your phone or home, that's kind of the whole point, it doesn't matter much if you have to wait even 30 min to get confirmation.
keypair != human
Ballot papers != Human either.
We'd still have an old fashioned government employed person validate you can vote and are human.
Correct, there are several aspects to voting that blockchains don't address:
- The Human Identification Problem (not sure if there is a more official name): uniquely identifying a human being. If you solve this, you solve many forms of fraud (anything rooted in identity fraud) and eliminate entire industries dedicated to reducing fraud losses. Best attempt so far has been the Estonian ID system [0]; Sam Altman tried with Worldcoin but that ended up being yet another crypto grift. Incidentally, Estonia uses its identity system for electronic voting.
- Proof of citizenship; citizenship in the US for most people is a birth certificate issued by a hospital or other authority several decades ago, or a proxy to this document such as a passport. Naturalized citizens have it easier here because they have a state-issued document declaring their citizenship.
- Proof of residence: This is also something not verifiable via a blockchain or smart contract, because it depends on the state and relies in part on your physical location and your intent. Legally you can only vote from one voting address, but there are countless people registered with multiple addresses across states as they move residences.
- Secret ballots: You cannot tie votes back to voters in a free election. Blockchains are open and publicly-verifiable, which is good; but cast ballots cannot be verified _even by the voter_. Blockchain doesn't bring anything to the table here over, say, a database; because the recorded ballots must not be tied back to human identities, you cannot use any of the work done to verify the three previous points to verify the election outcome. Blockchain would boil down to replacing or augmenting paper ballots with a provably immutable record, where you still need to place trust in the system recording votes on the chain.
[0]: https://en.wikipedia.org/wiki/Estonian_identity_card
Well it would still be the government that gives you a "voter id". That part wouldn't change. It would still be a manual verification of your IDs and what not. But once you have a "voter ID" you actually vote online.
I believe you can do this with crypto. It's still anonymous. The government verify you, then give you a signed key that you use to generate your voter ID locally yourself. The network accepts your voter ID because it's signed. I think there's even ways to allow single use signatures and so on.
Now everyone gets one and only one voter ID (which is like their wallet) but for voting.
You can decide how many years that's valid for.
As I wrote in the other thread, tying a vote to an ID that is unique per-person violates the secret-ballot requirement.
Aren't most paper ballots processed by machine anyway? Every ballot I've ever cast has gone through something akin to a Scantron machine.
The cost of human labor to count all ballots by hand will be enormous. Probably worth it I suppose, but this really is something that should be primarily automated. But again, trust in software. Sigh, why can't we just have nice things?
A single polling station usually only has a few thousand voters. During the day, polling officers at the station processed (signed/stamped/tore/etc) every single ballot that went into the boxes. They also verified every person's ID. When polling closes, why is it enormous human labor to count the votes, but all the processing during the day is not?
> The cost of human labor to count all ballots by hand will be enormous
In Taiwan, this is how it's done. Every ballot is counted by human. It's completely public: you can just walk in any polling station during the counting process and watch they count.
Chile has a very good election system and there's basically no machine input in the process.
What's important is being able to segment the population in enough voting places so that each voting place is maneaganle just by a small number of people. The Chilean system is scalable because you can always just add more voting places as the population grows.
Usually these voting places are civic centres, stadiums, schools.
It's a good system and generally for a presidential election we get the results in about 4 hours after voting ends.
Australia hand-counts. In a federal election, a voter will typically cast a preferential vote for the lower house, and a more complicated proportional vote for 3 senate seats. Rarely, they'll vote on 1 or 2 propositions ("referenda"). This seems comparable to a federal US ballot (first-past-the-post votes for house/senate/president).
The US casts 10 times as many votes - so it seems reasonable for the US to hire 10 times as many poll workers? Hand-counting is O(n) i.e. constant per-capita, and it scales horizontally.
Local and state ballots in the US can feature tens of elected positions and propositions, I could imagine hand-counting them to be quite expensive.
I'm much less concerned about automated vote counters, as long as they are not connected to the Internet, enough ballots are hand-reviewed to make sure that the values from the machine don't seem way off, and the specific type of counting machine isn't uniform across the whole election.
The cost of human labor? Maybe US-exceptionalism is peeking through?
In actually democratic countries the elections are done on holidays(Sunday) and the polling stations are in where you live.
It is your vote you silly. It is your democratic duty, right and responsibility to guard it if you don't trust the observers by becoming one. Everybody should be able to watch the process and the count!
Losing one day of revenue would not hurt. Especially on a holiday.
If your paper ballot are counted by simple, airgapped machines - that's both a vastly reduced attack surface, and is easy (if laborious) to physically audit.
I'm watching him talk about the two key ingredients of an election (anonymity and trust, for those not watching the video) and thinking "We don't have those in U.S. elections".
I live in California, where the voting method is vote-by-mail and you sign your ballot. That breaks anonymity right there, plus there's a barcode that matches address and ballot for traceability, so in theory anyone involved in the election process could look at my ballot, cross-reference against address, and figure out how I voted. In practice I've never heard of anyone being pressured or confronted based on how they voted, so my default assumption is this doesn't happen much or at all.
But even broader, in the U.S. your party registration is public information. That's why whenever there's a political shooting, the media always says "He was a registered Republican" or "registered Democrat" or "was not registered to vote". And this mechanism is actively and publicly being exploited to alter elections. Since the U.S. is a two-party system and party membership is public, you have a fairly good idea how each precinct is going to vote before they vote, and can gerrymander maps to get the outcomes you want.
Plenty of trust issues in physical ballot transfer as well. California is vote-by-mail, but that assumes the postal service is a reliable carrier, while there was just a recent news story [1] about ballots being stolen. Before I lived in California, I was in Massachusetts, where we voted on 1930s-era lever voting machines where you hit a lever down and it marks a paper ballot without you ever seeing the real ballot. Between elections, these were stored backstage at the local middle school, so a mechanically-inclined middle schooler with knowledge of how an upcoming election's ballots would be formatted (and we did mock elections in middle school) could have rigged the machines to deliver the local precinct to their preferred candidate.
The useful points in the video were basically that decentralization and redundancy are what make physical elections hard to rig: you have to hack multiple locations to influence the overall election, and at each point you have multiple eyes watching you. He sets up the contrast with software voting, where you have the same software running on each machine, and even if the software is open-source, you can't be sure that the rest of the stack it's running on is secure (an oblique reference to the Ken Thompson Hack [2]).
But decentralization and redundancy are properties that you can introduce into software systems just as easily as real-wold systems. The KTH can be countered through Diverse Double-Compiling, for example [3]. zkStarks and digital signatures give you ability to prove that you authored something without revealing what that something is or who you are. The importance of client diversity for the security of the network as a whole has been well-known in the filesharing and crypto worlds. And anyone who has worked in Big Tech, aviation, or telecom could tell you that having multiple paths to success that are developed by independent teams is important for any computer system that is in a safety- or reliability-critical area.
[1] https://www.almanacnews.com/election/2025/10/14/ballots-stol...
[2] https://aeb.win.tue.nl/linux/hh/thompson/trust.html
[3] https://dwheeler.com/trusting-trust/
> I live in California, where the voting method is vote-by-mail and you sign your ballot. That breaks anonymity right there, plus there's a barcode that matches address and ballot for traceability, so in theory anyone involved in the election process could look at my ballot, cross-reference against address, and figure out how I vote
They actually go through quite a bit of effort to prevent breaking anonymity.
The incoming ballots are scanned and sorted by machine to record that they arrived. Later, signatures on the envelope are checked. The signature verified sealed ballots are then moved and fed into a high speed extractor separating the ballot from the envelope so the envelope label isn't visible, breaking any linkage between the ballot and the voter's identity. Ballots are stacked with other ballots, still folded and moved elsewhere to be counted. The empty envelopes are kept and scanned again.
All of this happens with multiple people and on camera.
The ballot barcodes don't record any unique information that can identify voters - they're just things like precinct, ballot language and page number.
Because of the extreme diversity in voting methods in the US (it varies not only by state, but by county within the state) it's impossible to accurately make any generalization about voting in the US. For example, in my parents' county in Wisconsin, you show up at the polling place, they check you off the list of registered voters, and they hand you a ballot with no individual markings at all. Once you finish filling it out, you put it in a box with the other identical ballots, to be counted later. It's as anonymous as you could possibly ask for, except that they know that someone claiming to be you showed up and voted.
As far as party registration goes, is that required where you are? Because if so that's insane and the government there needs to change that. Everywhere I've lived you don't need to register any kind of party affiliation (and indeed some places you couldn't), you just register as a voter and you're good. Maybe it's different where you are, but if so just be aware that it is (thankfully) not universally done wrong in the way you describe.
Party registration isn't required (I'm unaffiliated, for example) but enough people do it that you can make a reasonable prediction of how a precinct is going to vote before they actually vote. This is the input data for gerrymandering: you don't need to know every single voter, as soon as you get a statistical sample you know how the area is likely to vote, and then you can construct districts out of precincts such that there's a safe margin of victory for each one.
Unfortunately, in that case there isn't much to be done. I think those people shouldn't do that, but if they insist I don't see how they could be stopped.
Many states require party registration to vote in primary elections, and in states like California the primary is the only election that realistically matters.
These are combined as if they go together, but:
(1) California does not require party preference to vote in primaries generally;
(2) California primaries are not (except for the Presidential primary) party nominating elections, they are essentially the open first-round of a two-round general election. (Basically, it is majority/runoff except that there is always a runoff even with a first-round majority.)
(3) For the Presidential primary, California does not require party registration to vote, but does prohibit party-registered voters from voting in cross-party primaries; it is the party (not the state) the decides whether their primaries are open to “no party preference" voters (of the six parties with permanent ballot access in California, the Republican, Green, and Peace & Freedom parties do not allow NPP voters in their presidential primaries, while the Democratic, Libertarian, and American Independent parties do allow them.)
Belgium has been doing it for 25 years, though not without some issues. I'm happy to let other countries lead the way on this since we have a perfectly viable alternative.
Ironically, that results in worse count accuracy.
Humans are actually quite bad at hand-tallying hundreds of millions of datapoints. Our eyes go glassy but we press on anyway.
Machines are very good at doing that kind of tedious labor accurately.
Whether human beings will put more trust in a system that we know will be wrong, but it's wrong for comfortable meat reasons, over a system that might be compromised but will be more accurate its more of a psychology question than a technical question though.
Human tallying is a source of errors, but it typically doesn't affect the outcome in major ways. This is more of an argument against large scale winner-takes-it-all election systems, as they have the least resilience against this kind of error.
The main benefit of manual tallying is that election tampering at scale becomes a rather labor-intensive and physical process that is more likely to leave detectable traces. Compare that to the the last US presidential election that has statistical oddities in machine-tallied voting results of kinds that have historically been shown to correlate with election fraud. If this was indeed caused by fraudulent voting software, it happened without leaving any other obvious traces of tampering.
> Compare that to the the last US presidential election that has statistical oddities in machine-tallied voting results of kinds that have historically been shown to correlate with election fraud.
When and where was this?
It's being litigated, but in general the answer is there is not yet evidence that machine voting systems were compromised.
- in New York there is statistical anomaly correlated with a couple small-town polling stations. Those towns are small enough that they have a huge population of one religion, and one explanation is that the Democrat party's perceived "soft on Israel" stance tilted 100% of voters in those locations away from supporting the Democrat presidential candidate.
- in Pennsylvania a standard statistical analysis tool used to detect vote disruption suggested disruption occurred. The form of the disruption could be fraud, but it can also be things like voter intimidation (which was observed and reported in Philadelphia) and sudden discontinuity in voter behavior (the aforementioned "soft on Palestine" issue).
Correlation does not imply causation, and the lack of evidence of tampering of the machines in the audit logs is lack of evidence of tampering of the machines, not indication that the audit logs were compromised.
You can introduce procedures to minimize the error to a point that it’s not significant anymore.
Having a paper trail and an observable counting process is worth a small error margin.
I've counted paper ballots for multiple presidential elections in my country.
People who think it's not safe should really spend some time learning how it works. It's impossible to cheat at scale. Each ballot is verified to be correct my multiple eyes. A person is reading, one is writing down the name, one is verifying and some other things I don't remember.
To cheat you need to have everyone in on it. A whole town involved to cheat and to at best win one polling station. It's safe because anyone can attend the counting, so each party can send someone to check no shenanigans is going on.
So the more votes you want to be winning by cheating the more people must be brought in the conspiracy. That's impossible to be unnoticed at the scale of a city, much less at the scale of a country.
Yet there are many ways in which paper ballots can be taken advantage of. As an example do a search for Eastern European Carousel Voting[1].
[1] https://en.wikipedia.org/wiki/Carousel_voting
It is not the paper ballots that's taken advantage of. They have no general public participation and opposition. The public simply do not give a damn about polling stations in places where Carousel voting is possible. There is no opposition observers or they cannot be because the examples in the Wikipedia page are dictatorships, not democracies. You cannot turn a dictatorship into democracy by voting.
Every single vote must be checked against publicly available lists of voters. Every ballot can only be given somebody whose identification is checked against this publicly available list and marked. The lists must have multiple copies some in the hands of opposition observers. They need to be published.
> Every single vote must be checked against publicly available lists of voters
Yeah, do that by hand please, without relying on electronic means.
Paper ballots with "honour" based out of circumscription participation is not secure. My country also suffered from this issue and it's not an authoritarian regime. They fixed it by adding and checking IDs on a ballot participation list. Nobody explained how that works to the average voter.
What I was trying to underscore is that even for something that's presented as simple and fool proof as paper ballots one can find vulnerabilities, especially when you're dealing with nation level threats. So in my opinion we shouldn't ask electronic ballots to be more security than what is already in wide use.
And in fairness, electronic ballots don't need to be more (or as) secure as paper ballots, but 'mail in' ballots. If we can come up with a method that's as secure as mail ballots I'd call it a success, despite what Tom Scott says.
The more comments I read on this specific HN topic, the fewer people I see actually involved in the polling process.
I really recommend people volunteer for it, if you're American and you're concerned. All you have to do is call your county elections office; they always want more people. You get paid near-minimum wage and it takes two days a year, but that's it.
What you will discover is that most of what people are asking for in this thread is stuff the states of the United States already do.
If a person is deeply concerned how the election is run? Go get involved. It's your country and your election system.
>> It's impossible to cheat at scale
Elon did it, and they both bragged about it, publically.
Isn't our source on Elon cheating at scale... Elon?
Why do we believe the liar on this topic?
>Humans are actually quite bad at hand-tallying hundreds of millions of datapoints.
Humans just need to be able to separate a few hundreds of ballots into a couple of piles. When introducing double checking this makes an incredibly rigorous process, which can be open to the public. This is the case here in Germany.
Everything after that can be done by computers as all the data after that is published.
These system used for voting means that humans don't hand tally hundred of millions of votes. They tally those in a voting district only. Those them get aggregated with other districts and so on until the whole states and then the country is counted.
The problem with the accuracy assumption of electronic voting is that a) its all coded without errors and b) someone hasn't deliberately but code into manipulate the vote numbers.
We have good reason to believe a is true and b is false; the machines get tested to death before election day.
As mentioned in the video, there is no amount of “testing” which could prove the absence of malicious software or hardware. None.
That pretty much undermines the entire concept of unit and integration testing.
If you're saying we should be writing voting machine code in ML and keeping the firmware in Fort Knox, I'm going to make the argument that it's a lot cheaper to do sampled hand-counts to check against machine error or tampering... Which we already do.
User name checks out.
I mean, you left yourself open to that glib, low-effort criticism when you wrote this:
> no software or programmable hardware
That's obviously too stringent. Consider:
1. Precinct hand-counts every single paper ballot bubble sheet.
2. Precinct hand-counts every single paper ballot bubble sheet, then confirms the hand count by feeding all the ballots into an electronic bubble-sheet reader.
Your claim is that #1 is more trustworthy than #2. That's an extraordinary claim that requires more evidence than two youtube links!
Edit: to be clear, I want the requirement that all voting must be paper ballots like the human-readable bubble sheets mentioned above. But saying that no software or programmable hardware can be used "in the election process" is so extreme that it sounds like a parody of my own position.
If your proposed process is implemented, it will take about 5 seconds before the precinct realizes that they can just feed it all to the machine and sign whatever number which comes out as the “hand-counted” one. Especially as they will be dinged whenever their count differs from the machine, which will be assumed by their superiors to be more trustworthy.
More seriously, even though some cars are programmable, I did not mean that nobody could use cars to transport ballot boxes. I obviously meant that the official results should be the manually-counted one; machines could conceivably be used to get interim results faster, and/or to double-check a count to see if it needs to be counted again. But I was serious about requiring absolutely no machines involved in the counting of the official results.
Most states (I don't have all fifty states' laws in my head) have a sample recount process; they generally trust the machine numbers but they will randomly sample some percent of precincts for a detailed hand-audit count. Any attempt to generally infect electronic systems falls afoul of this back-stop.
In addition, most states have a mechanism by which a candidate can formally challenge the results in a precinct, forcing a hand-recount. This usually has some kind of onus on the requester (I believe in PA for example you have to put up a bounty and if the hand recount results come out to the same result as the previous tabulation the state keeps the bounty as payment for the added cost of the forced audit). However, it is an option (and, most notably, not an option that anyone who claimed shenanigans in 2016 or 2024 exercised).
The problem of election integrity doesn't exist in a vacuum and didn't pop up overnight in 2016; states have been working the issue for a couple centuries and have a pretty good system. But it's a system that requires some detailed statistics and process control theory to understand, so I'm not surprised the median voter doesn't get it. There is, perhaps, a case to be made that for that reason alone we should go to manual, but someone's gonna have to spend the money on that if we're going to do it; it's going to be drastically more expensive than electronically-facilitated counting. And, indeed, people will have to accept that human counters will be less accurate than machine counters (because they're human; we don't train "computers" anymore as a discipline).
Indeed. That is what I was responding to; if I over-assumed the GP's position, my apologies.
We've been using mechanical, semi-mechanical, and electronic systems for decades at this point. The new concern for accuracy is pretty unfounded (and, it is worth noting, was heavily drum-beat into existence by a Presidential candidate who then went on to win an election).
If we want to talk problems with electronic systems, I'm a lot more concerned about how people don't actually know how to use touch screens (and I am myself in favor of pencil-and-paper ballots for that reason alone) than I am about people being able to sneak a super-double-secret modification to an electronic tabulator in against all the ways that attack could fail (including "The county can just decide to hand-count the pencil and paper ballots anyway, which would discover the deception").
Fully electronic, no-paper-output systems are past my personal trust threshold.
Posting those links without any insight from your side is just quoting dogma and, to me, it shows that you haven't really spent any time to consider the arguments. In my opinion shows that you lack imagination.
Every problem Tom mentions can be worked on and overcome. Maybe not today, maybe not by the next big election, but we should still start now, rather than later. We need to do everything possible to increase participation in the democratic process, especially for the demographics that are currently not very involved, which are also the demographics that are more likely to adopt electronic methods of voting.
>We need to do everything possible to increase participation in the democratic process
Do we? Participation should be made easy for those eligible and inclined to do so, but I don't see the benefit of encouraging participation from people who can't be bothered to put some effort into it, or are ignorant of the issues and candidates and are easily swayed by trashy campaign ads. I've seen the statistic thrown around that less than half of americans can even name the 3 branches of government, and if that's true I think those people have a civic duty not to vote.
That's what democracy is though. If only the right people are allowed to vote then you have a problem because their definition can change on a dime.
I'm not advocating that people not be allowed to vote, I'm just pushing back on the dogma of more voter participation = better, IE. just because you can vote doesn't mean you should if you dont understand what you're voting for and don't really care enough to learn.
Seeing the constant barrage of campaign ads every couple years made me think about it- Why does campaign financing matter, how do they turn money into votes anyways? The answer apparently is ads, but I see these bottom-of-the-barrel slop political advertisements and wonder how that trash could possibly have a measurable effect on the outcome of an election. But it must work, otherwise they wouldn't spend so much money on it. And the fact that elections can be meaningfully influenced by the amount of ads a campaign can run is a signal to me that the democratic process is broken in some fundamental way. The votes of well-informed constituents are drowned out by the more numerous cohorts of partisans, reactionaries, and the apathetic just going through the motions to fulfill their 'civic duty', so it seems to me that increasing voter participation without changing anything else is only going to exacerbate the problem
> And the fact that elections can be meaningfully influenced by the amount of ads a campaign can run is a signal to me that the democratic process is broken in some fundamental way.
That's probably rational ignorance. It's hard to get people to investigate the details of policy and their consequences when theirs is just one vote out of millions. It's too much work. But that leaves the voters susceptible the kind of ads you mention.
Or stated more simply: getting informed doesn't scale, but mass advertising does.
Athenian-style democracy might handle this problem better. Randomly select, in some unbiased manner, a smaller number of people who then decide. But I suspect sortition is a little too unusual and feels a little too chancy for people to accept as a serious proposal.
Wouldn't banning political ads, and large sum political spending, and PACs and lobbying (I assume you're from the US based on the comments) be a better solution than whatever the f*ck "don't vote if you don't understand" is?
Democracy means that everyone gets a vote, uneducated, bigoted, communist, fascist, everyone. If you don't accept that, you don't accept democracy.
> Posting those links without any insight from your side is just quoting dogma
It would certainly be exhausting to share an opinion on every single resource you want to share with someone.
Considering where we are and what we're doing now, are you trying to be funny?
* Opens Github repo
* Opens Cargo.lock [1] and pnpm-lock.yaml [2]
* Closes Cargo.lock and pnpm-lock.yaml
* Goes to find a Tylenol
At least with open source we can see the sausage getting made...
[1] https://github.com/votingworks/vxsuite/blob/main/Cargo.lock
[2] https://github.com/votingworks/vxsuite/blob/main/pnpm-lock.y...
Even after reading your comment I was not quite ready for that. I am gobsmacked, over 30K lines of lock file! Are we supposed to have trust in that?
To be fair... What I gather from the readme is that this is monorepo containing 7 sub projects.
EW. Here, I’ll share some of my Extra Strength Acetaminophen. Those are some cursed lock files.
> * Goes to find a Tylenol
Watch out that you don't catch the autism :) /s
> [1] https://github.com/votingworks/vxsuite/blob/main/Cargo.lock
> [2] https://github.com/votingworks/vxsuite/blob/main/pnpm-lock.y...
These files are actually cursed and I want all drives that contain their data destroyed with acid. But I have a slight feeling other voting software isn't really any better, even though in theory it should be relatively simple software in the grand scheme of things.
Public trust cannot exist if the voting system requires *any* expertise. Voting systems should be idiot-proof. If you cannot explain how voting system is manipulation-proof to a 7 year old, your voting system is untrustworthy.
This means anything more complex than a pen or a stamp on an approved paper is too complex.
I live in Ireland which I think has one of the best voting systems in the world (don't worry we've still got plenty of other serious problems with our electoral system).
It's 100% paper PRSTV & so the counts are slow. Not only is this generally OK (because getting a rapid result is absolutely not a requirement of any well-functioning voting system) but it also has actual benefits.
The main benefit is predicated on the count being engaging in and of itself. Other countries put a lot of effort into jazzing up statistical presentations on constituency predictions, cloropleths aplenty, to engage viewers. In Ireland, count centres are not only manned by trained count staff, they're also flooded with volunteer tallymen who verify the counting in realtime. Count coverage is on the ground, showing a real physical process that's intricate enough to be watchable. The entire process also serves as an education-through-doing in how our voting system works, so you get a more engaged & informed electorate (when it comes to the mechanics of voting - still unfortunately not that informed on policy, that's a worldwide problem).
One of the weird things for computer people about the Irish voting system is that it's non-deterministic! You can count the same ballots in a different order and get a different result (because it depends which votes you choose as "surplus" to redistribute).
In practice it doesn't seem to matter that much. The counters even out the first-level effects of this, so it only matters for votes that have been transferred more than once; it can be determined statistically that it changes the result only in a very small number of cases; and there are plenty of other weird threshold effects to care about instead. But it's one property you might expect of a fair voting system that Ireland doesn't give you.
Yeah. I think it's the best voting system in the world because I've yet to encounter one I think is better but you're right, it's far from perfect.
That said, surplus distribution tends to be the main flaw raised time & time again, & whenever improvements are discussed the general conclusion tends to be that the current distribution mechanism goes a very long way toward fair representation of the actual preference distribution. It's notable that the more computationally intensive alternatives to get "fairer" outcomes are pretty recent inventions & it's really hard to justify the effort given the tiny number of cases affected.
True! In The Netherlands, where I live, we still vote on paper ballots. The ballots are counted by hand. The counting is public, anyone can go and observe the counting.
This is in no way intended to be disparaging: there are processes that work within the scale of small European nations that simply won't at larger scales.
> there are processes that work within the scale of small European nations that simply won't at larger scales
Coming from Ireland (tiny population, low pop density) I've heard this argument countless times (we're an obvious target for this critique), but I still to this day don't see the logic of it. At all.
Constituencies are sized per capita, count centres are staffed per capita, if you have higher pop-density you'll either have more observers at count centres, or the same number at more count centres. This is a distributed system - it's the definition of scalable.
Fwiw the last count I tallied at (Dublin MEP) had an electorate of 890k. It was the smallest constituency in Ireland in that election, but still bigger than the largest congressional district electorate in the US. We counted in one large open warehouse. There were 23 candidates & 19 separate repeating counts.
That could work in favour or against your argument - I don't really know - I don't really think it matters either direction though.
The total number of people voting at each polling station should be the same irrespective of the population of the country.
Besides that what other scaling problems are there?
France has 68M inhabitants and is on paper ballots (and function identically to Ireland on such matter).
I don't quite understand how a country with a mere 5 times more population is unable to enact the same solution at their 'so much bigger' scale.
And France is spread over more time zone than the U.S., so that argument doesn't work either.
The Netherlands is 18m people. Germany is 83m with its MMP system. There are ways to adjust and scale these other systems.
This doesn't make sense. In the same way that police, firefighters, ambulance, farmers, etc, can scale to any country population, so can ballot counting.
The same process is used for the Dutch part of the elections for the European Parliament.
The Netherlands would be the 4th biggest state if it was part of the US.
You don’t understand how scale works.
Just the fact that there are millions of citizens means you have to trust the process. When I go vote and stamp my votes, you need to trust my county’s counters. I find it strange we focus so much on tampering with an individual vote (machine says you voted for X instead of Y) rather than tampering with aggregation
If it’s just a signature or stamp, won’t the 7 year old ask why those can’t be faked or forged?
That's an inquisitive 7 year old. Definitely reward them. Let's explain. A good voting system needs to guarantee
- Secrecy of who voted for whom
- Transparency of everything else. The names of everybody in the process, the process itself and all the statistics should be verifiably public.
Being an observer to your polling station must be a guaranteed voter right. Similarly all participating parties must have the right to send representatives to observe the entire process.
Before opening the polling station all ballots are counted by multiple observers from all sides. This is recorded into files / documentation of each observer. So the number of possible ballot papers that can be voted on is documented.
Then each ballot paper needs to be stamped with a official local seal. This is also observed by every observer. The number of stamped ballots is also counted and documented. The number has to match the original ones.
The number of people who can vote in that voting station is determined by a population survey. In bigger cities each region must have roughly the same number of constituents.
The number of ballots that are stamped must match the number of eligible voters in the polling station. A voter can request to change a damaged ballot paper. The replacement should be done in front of all observers and the voter. The replaced ballot is destroyed in front of everyone.
After putting their ballot into the box, the voter has to sign their name in multiple printouts of the list of eligible voters of that polling station. These printouts of the lists are held by observers from multiple sides. The number of signatures has to match the number of ballots in the box.
Everybody can observe the count. All the numbers are checked against each other.
If you think that this is infeasible, I come from a country of 80 million people and live in a similarly sized one. Both of them use the same system. It works. It scales since it is an almost trivially parallelizable problem. We get the election results in the same day of voting.
That sounds like a solid system! Thanks for explaining!
Is there any way to prevent the observers from knowing who votes? I could see a scenario where a party chooses observers that are likely to intimidate potential voters (e.g. KKK members in a majority black polling station).
That's why participation from opposition and actual members of the public in the area of election is important. If you and your friends / family are afraid of intimidation, you show up. Gather as many people as you can as observers. In my countries (of residence), being there is your unalienable right. Nobody can legally kick you out. If 50 black people show up in a station where KKK tries to intimidate them, KKK will back down given an actual democratic state.
If those people still feel unsafe, they are not living in a democracy but under an authoritarian regime. You cannot really have a non-violent, fair democracy under such regime. Democracy isn't just elections. It is creation of bunch of non-elected institutions that guarantee the fairness of the elected stuff. Judicial branch, expert organizations and regulators are all part of it. This has to come from realization that the alternative is violence. Sometimes needed violence. Most resilient democracies in the world like France are direct results of multiple violent events happened because institutions were not capable of striking the balance. Suppressing large swaths of people is just a powder keg. In true democracies, people from all views should have a good mutual understanding that alternative governance systems exist and may even be viable or more stable, but they will be murdering each other and they themselves will eventually be victims to the violence too.
Having elections is in no way enough to have a democracy. You also need a functioning justice system and free media. What you describe is not part of the election system but of the justice system.
If the police does not uphold the laws that guarantee just elections, if they allow intimidations or treat citizens differently, or if the military tries to influence election results, then you do not have a democracy.
You may ask how do you make sure nobody changes the votes in the box somehow?
First the box is in front of everybody. Second, before allowing people to throw votes in, you seal the box with an tamper evident seal. Usually pouring beeswax over a string works. You can have multiple seals for all sides.
Having a mark anywhere else but the box you cross / stamp invalidates the ballot. You put ballots in envelopes. Each envelope must have a single ballot inside.
A voter can replace the ballot if they made a mistake. They need to destroy their ballot in front of everyone.
That's a lot to digest for a 7 years old, and you're still brushing over how you do a population survey, count the constituents and how to make that a trustworthy process.
My point: reality is messy and simplicity isn't a guarantee of reliability. The things hat really work in our societies are pragmatic, not simple.
Sure. Probably you shouldn't dump it at once but let the 7 year old ask questions one at a time. I think you can still explain it one at a time. I am aware that readers of HN are not 7 year olds.
Now try explaining any kind of encryption system that gives the same level of confidence to a high-scholer or even CS students in as many words as I used in that comment.
I'd say you can ELI5 most technical systems, it's a matter of finding the appropriate abstractions and spending enough time (for instance, just explaining the paper ballot system, we're already writing a full page or more)
It reminds me of a youtube channel explaining the Visa/Mastercard duopoly using monkeys and bananas. It doesn't perfectly fit, but works surprisingly well for such a subject.
What signature or stamp? In my country we make any mark, although conventionally a cross is used in illustrations.
Many countries have secret ballots, mine doesn't, for reasons which are extremely sketchy (and presumably why my country is blue, not dark blue like New Zealand on the democracy map)
I cannot upvote this enough.
Who gets to pick the 7 year old?
The comments on this have lots of folks focused purely on the software, talking about a lack of paper ballots, etc. So, let me provide some more context that is missing from the post.
For those who don't know the VotingWorks software is both Open Source and their machines create and count paper ballots. You can read about it here: https://www.voting.works/machines
Essentially they have a computer, a ballot marking device, that people can use to mark their ballot. That ballot is printed on paper. Then the paper can be validated visually. Then fed into a machine to scan and count. The paper ballot is preserved and can be later audited.
The ballot marking device has a number of advantage over pre-printed and hand marked ballots:
- American Disabilities Act (ADA) compliant using standard web technologies
- Available in applicable languages without lots of translated papers on hand
- Errors or typos in ballots can be fixed days before election instead of weeks (due to print shop lead times)
- Better UX for complex races where things like ranked choice, choose three, etc with rules which can cause people to mismark and then have their ballots rejected
- Avoids sloppy/incomplete markings that must be interpreted and judged by counters/auditors
The entire system runs offline. It is open source.
They also have separate open source software for running risk limiting audits using the paper ballots: https://www.voting.works/audits
Disclosure: I am a donor to VotingWorks.
This is an excellent overview & much needed context. I read the (very short) OP but didn't dive into other sections of the website (which is not an initiative I'd previously been aware of).
Probably a difficult task to ensure all readers of all pages on the entire website are fully aware of this context in advance - I'd imagine this kind of averse reaction will continue to be common until these kind of hybrid systems become more widespread (or the interests pushing paperless are comprehensively silenced, which seems less likely).
---
That said, now that I do have full context, I do have two criticisms:
1. Clicking through to the VotingWorks frontpage, the copy still doesn't really highlight in a very obvious manner the paper nature of the system. You really have to analyse the website to figure this detail out.
2. The homepage does contain a section entitled "Faster Election Results" - which I do think flies directly in the face of many criticisms in the HN comments here & I personally believe to be an approach that's incompatible with democratic integrity. Counts should simply not be trying to be fast as a high priority - verifying the automated count by hand is insufficient if it isn't done as a matter of course. Ideally, live, while the count is taking place. The latter is not feasible with an automated system, & the former is a lot more likely to be overlooked if speed is a priority.
We don't just need systems that can be fair, we need systems that incentivize fairness & don't contain perverse incentives - count speed is exactly such an incentive.
I live in The Netherlands. We are a reasonable modern country, where a lot of things are automated, even in governmental organizations. However, voting is still done on paper ballots. And those paper ballots are then counted manually. This has huge benefits. There always is a paper trail. It’s hard to manipulate votes without getting caught. If there’s any doubt about a certain district’s results, the votes can be recounted. This happens regularly.
Why do we need machines? Counting the votes for e.g. the parliament only takes 24 hours or so, generally. And we don’t have elections every week, right?
You should acknowledge the tradeoff: physical presence is the condition.
It might not happen much in the Netherlands, but for instance making it so fewer people reach voting stations is a classic move. That's one of the failure mode avoided by the other means.
Voting ballots straight getting lost/destroyed is another failure mode, and yes it happens more than we want it to.
The sheer time to get the vote counted is also an issue, and we've seen voter sentiment shifting while the vote is still ongoing, with the media reporting directly influencing the outcome.
It could still be the saner tradeoff in the end, but it's misleading to present it as some ideal or inherently reliable solution.
The software doesn't matter that much. If you want to use voting machines, you need to create a paper trail with them that can be audited.
Auditing the software isn't enough if you can't reliably verify that this is actually what's running on the machines, or if the machines weren't otherwise tampered with in some way.
The audit needs to be a process that the non technical person can understand and run correctly.
Note that ananymous is also a required part of voting.
Why go through all of that? If you vote on paper ballots, the paper trail is baked in.
I prefer paper ballots. I'm in a country that uses paper ballots exclusively. I didn't make that argument here because the topic was voting machines.
So they open the source ... how do I know that's what's running on the voting machine? There's really no good practical solution to this problem. What matters more is that there is a voter-verified paper audit trail and that this record is actually counted. At least by spot check risk-limiting audits, but ideally just count every vote manually to verify.
> There's really no good practical solution to this problem.
Remote attestation via trusted execution environments is a thing. It is not a theoretical one either. See, for example, Graphene OS's Auditor app[0]. Solving this for voting machines in particular would be a matter of good design, not of solving fundamentally hard problems.
[0] https://attestation.app/
I would be fine if they had at least the same level of scrutiny as slot machines --- can we turn Citizens United around and argue that since dollars can be used to buy speech which influences votes, voting machine should have the same level of scrutiny/verification/auditing which applies to finance?
There seems to be a news story every year about how someone won a jackpot or other large prize on a slot machine, only for it to be denied because the slot machine was "malfunctioning".
Small and large scale cheating happens in casinos and financial firms on a regular basis. We need a much better bar than that for votes.
From a process perspective, how can a constituent know with absolute certainty that their vote was counted, every voter in the system was legal, and the final tally was authentic? Especially when there's no way to even audit what you voted for after the fact?
Every time I try to get to the bottom of this, it always boils down to "trust the system" which makes me uneasy.
Not being able to audit what you voted for after the fact is by design. Otherwise, it would make buying votes a viable strategy since you'd be able to show them who you voted for. Yes, taking a picture of the ballot is an option, but you can always ask for another ballot paper after you take the photo. Where I live, you're not even allowed to have a camera out in the same room as a voting booth for this exact reason.
IMO the best solution here is to have electronic counting with an auditable and traceable paper trail as a backup. Every time I've voted for the past 10 years has been like this. First, I get a ballot paper from the front desk and stick it into an airgapped ballot marking machine. I then make my choices and the machine prints them onto the ballot paper. I'm able to read the paper and verify that it matches the choices I made. I then stick it into a separate airgapped ballot counting machine, which scans my ballot and deposits the paper copy into a sealed box. The entire process of setting up the machines, transporting the paper ballots, and reading the results from the machines is cross-checked and signed off on by volunteer poll workers from both parties.
Each polling station should have representatives from multiple parties as well as independent observers.
> how can a constituent know with absolute certainty that their vote was counted
The representative of your party plus independent observer said all votes at your polling station were counted. You know both those community members and know them to be generally honorable. Ergo your vote was counted.
> every voter in the system was legal
None of the observers at the polling station, or the station head claimed any illegal person voted.
> the final tally was authentic
The observers all signed as witnesses on the final tally.
This is not the "system. it is humans you know who are telling you what they saw. If you can't trust other humans at their word, democracy cannot fundamentally work.
> If you can't trust other humans at their word, democracy cannot fundamentally work.
This, but also, important to point out that this is a question of scale: "If you can't trust other human*s*" - plural.
To rephrase: "You should trust political volunteers."
Surely we could do better? Testimony doesn't assuage my concerns that the process may not be tamper proof.
It's a bit more than that.
You should trust political volunteers after you have seen their track record of being honest and truthful. (Though there is some default amount of trust the process gets because of the adversarial nature of volunteers with opposing biases checking the process).
This is along the same vein as
You should trust candidates for the seat after you have done your due diligence that they have honest and truthful, and will faithfully represent you in the legislature/administration.
as well as
You should trust civil servants to have done state activities justly and produced truthful records and reports of state activities after you have seen a record of them doing these things correctly over time.
Democracy with humans is built on a lot of trust in humans. We have to keep this in mind when arguing about these things.
Hopefully one of those volunteers is yourself.
You do not have to watch every district, every election, every time. But given that enough people do it, at least once, at least in their own district, then it is easy to see why the system as a whole is trustworthy.
delegation of trust is an essential and unavoidable property of any system that serves a non-trivial number of human participants
I think the sentiment of the OP actually gets to the heart of this (the idea of open-source is transparency, visibility, auditability) but the problem here is it need to be applied to the actual process, not to the process of building tools for the actual process.
It's not that developing voting software should be open-source, its that actual voting should be "open-source" in the physical sense.
Trusting the system is possible if you can (you, yourself) readily observe every part of the system. I don't think giving members of the public access to the server your voting software is hosted on is a very viable idea, but giving members of the public access to paper count centres is (it's done very successfully in many countries).
It's ultimately an impossible problem. There's little thing you can trust 100%.
Stop me if you heard it before, but paper ballot with automatic counting machine is the way to go. You still get real time update, and you have a physical ballot box that's constantly under watch of volunteers from multiple parties. And if there's any dispute (there will be disputes) you can simply bring out the boxes and count again.
It's a simple, cost-effective system which is impossible to hack. Electronic voting offers no advantage over this.
Did you look at the link at all? That's what this company sells. They make ballot marking devices that print your vote on a ballot paper, then a separate ballot box that counts the votes by scanning the ballot papers.
And how would you feel if those counting machines were closed source?
How do you feel that the paper bill counter in your bank is closed source? It does not matter because it's trivial to verify. The counter says "here is a pack of one hundred ballots for candidate A," and if you're in doubt, you just count them again. While representatives from candidate A's and B's team are watching.
The difference is that I know the sum ahead of time and can object in the moment at the bank.
A vote recount and/or judicially called audit can take months to resolve. This can lead to a loss in confidence in the outcome and for political shenanigans (e.g. Bush v. Gore).
I feel far more confident in a system where the software is open source because it increases trust for free. As a citizen having the software be open source is only upside to me.
Even if it's open sourced, how do you know the machine actually runs the same code as you see on Github (or wherever the repo is hosted)?
Verifying that requires more expertise than verifying the physical ballots themselves.
Something being open source does not mean anyone has even the slightest clue how it is running. People would have to see a read-only view of the active production run-time in trace/debug in real time to have a clue which of course would not be permitted. All code can be live-patched without leaving a trace by custom firmware or a thumb drive in production to conditionally change behavior on the fly to achieve any means or results. All electronic voting equipment can be tinkered with and any news stories about engineers testifying to congress will be erased for fear of reducing confidence in voting systems. Bribed developers take bigger risks for smaller gains all the time such as wireless front-line support selling or changing SIM information in SIM swaps.
Paper trails on the other hand can be verified and secured physically with chain of custody and proper attestation. Paper output can still be designed to be easy scan, verify and re-tabulate. I would like to see the paper trails scanned and uploaded to a centralized block chain so we can see if one of these things is not like the other. I would also like to see higher definition CCTV cameras monitoring the entire voting process and more of those cameras. That should also be uploaded somewhere they can not be tampered with and if a camera goes offline oopsie doopsie it's all hands on deck. Ballot drop-off boxes and mail in votes need to be outlawed and every state needs voter ID.
> Public Trust Demands Open-Source Voting Systems (voting.works)
Unless something has changed recently, election integrity demands a voter-verified paper ballot that is retained with security by the authority, and can be physically counted, as a check against compromised or defective digital systems.
Open source is not sufficient. Don't let marketing sound bites be a confusing diversion from the problem.
If the US understands anything this year, it's how important elections are. Hopefully we get another one.
I don’t really understand the blind trust in paper in person ballots. Historically and currently, elections are stolen all the time whether paper or not. Off the top of my head some recent ones: election irregularities in Venezuela and the Russian referendums in Crimea.
If people in power want to cheat, they will. Shuffling around the tech isn’t going to do all that much to change things.
That's a non-sequitur. Election manipulation is orders of magnitudes easier with voting machine manipulation and might not even be traceable. With paper ballots, you have to swap thousands of ballots that are handled by thousands of people, corrupt or prohibit independent observers, deal with election commissions and overseers, and so on. You can have recounts. With voting machines, you just have to push a software patch to these machines or manipulate the software that interfaces with them. No recount will help.
It’s not a non-sequitur. The thesis behind the push for in person paper is predicated on the idea that it makes it prohibitively difficult to steal an election. That’s demonstrably untrue based on current and historical examples.
As another example, you don’t have to swap the ballots at all. Somewhere in the chain of custody, someone could just “lose” ballots for a region that is projected to vote against whoever they’re trying to fix the election for. They could forge or lose some other accompanying paperwork that was to manage those ballots, too. Or they could not bother doing that either because what are you going to do, redo the election?
Cooking up examples is sort of pointless. There are always going to be new and unexpected ways to commit fraud. The actual root issue isn’t technological. It’s sociological trust.
Under appreciated benefit of hand-counting paper ballots: it is an opportunity for participation in your democracy.
I had the privilege of helping count votes in my small town 2012. Volunteers stayed up after voting ended and all of the ballots were double checked - counted by two separate people, working together at a long table. Cheating or manipulation was inconceivable, and there were many layers of double checking.
The beauty of this system is it is infinitely scalable. The more voters there are, the more vote counting volunteers there are. For larger cities you can split up by blocks or per polling place. There should be many polling places to make voting easy and accessible.
It isn’t fast or fancy or glamorous. But communities ignore the power of communal activities at their peril.
Throughout most of the non-US parts of the western world voting works quite well using paper ballots and hand counts. Any organization treating voting like a tech problem is willfully oblivious of the existing very good low-tech solutions. I think the intention is often good. But tech is also a new vector for attacking elections, so sometimes it's malicious. And it's very hard to tell the difference, and with elections even the appearance of interference is risky. We should outright reject technical solutions to voting, all it does is add risk.
Why stop at software? Open-source software is a good idea in election systems. The principle could be better generalized as an "open" (copyleft licensed) process for the entire system, regardless of whether the election system is implemented as software or not.
Anyone who talks about election security should be required to spend at least a few moments walking around Defcon in the election machine hacking village. Even absent electronic voting machines we still need to apply that same level of rigor to security across all domains of the election system no matter what format is used.
More fundamentally, the epistemic meaning of a ballot, a vote, or an option on the ballot, how options are even decided for inclusion or their exclusion, which outcome deciding algorithms are used, and how "the result" is interpreted by society or implemented by a political agent is deeply confused. The vote itself has very little resemblance to what actually happens. Such things likely cannot be formally specified anyway. Massive amounts of ambiguity, noise, error rate, and insecurity are to be expected in these kinds of systems. So what then are we even doing with all this? I am not referring to what we say we are achieving, or what we say we are intending to achieve, but rather what kind of actual outcomes be can supported by careful engineering of all these components?
Blockchain is no solution here. See:
"Going from bad to worse: from Internet voting to blockchain voting" https://www.dci.mit.edu/s/VotingPaper-RivestNarulaSunoo-3.pd...
Just use paper, count by hand, and abolish mail-in ballots and you should be fine.
We’ve been using mail ballots for decades, as a voter this system is convenient and afaik hasn’t been seriously challenged. Your suggestion for its abolition aligns with treasonous players like Vought.
> abolish mail-in ballots
how then should voters who are not physically present in their voting district cast their votes?
If you moved to another district you should vote there.
If you want people temporarily out of their district to vote, then in district X you could have a box for district Y, put paper ballots in, and send the sealed box to Y to be counted. The important thing is that the vote is cast in person by the right voter and put immediately into the box.
And enforce national photo ID finally, like all other countries. I know this is a REP take, but they are absolutely correct in this particular issue.
In other countries everyone has an ID automatically. That is a requirement to use IDs for voting. You need a proper national ID system, not the hodgepodge of random identity documents the US uses.
> In other countries everyone has an ID automatically
(Splitting hairs here but) this isn't true: in some countries, but not all.
In some countries ID is an optional document you only need to acquire if you want to drive, vote or travel internationally.
Correct on the idea maybe, but their implementation schemes are designed to disenfranchise those less likely to vote for them.
I don't believe that. Even in the most backward places where people can barely read they can manage to get an ID. If anything, it would have a leveling effect, by decoupling the voter id from things like driving, which have nothing to do with voting.
I heard this concern and looking at the MAGA it is totally believable. But really, how can a country disenfranchise anyone, if they will issue a mandatory national ID? If it is not national (state or lower) or if it not mandatory (voluntary and/or paid for), then I can see parth for corruption. But if it is mandatory national document, issued to every citizen without exception and only to citizens, then I honestly don't see where the corruption may happen. If anything, USA SSNs are much bigger vector of corruption, a proven vector of corruption, but again, like with FPTP no one bats the eye.
My preference (I think) is we have a federal holiday "America Day", (call it Trump day for all I care) where we celebrate, hand out cookies, friends and family get together, etc. and we all vote in person.
One of the weaknesses in our democracy is the insistency of doing things virtually - it's the same weakness exposed by social media.
Electronic systems are always going to be subject to hacking and manipulation, and are more easy to hack and manipulate at a large scale (scaling is the point of software). In-person voting is still subject to manipulation, but you can just go back and look at the ballots on paper as they are. You get more targeted manipulation, but it's probably easier for a single person to uncover and reason about.
National mandatory holiday for voting would eliminate soo many issues and concerns. It really should be a must in every country, at least for the biggest elections. Inbefore "lazy urupeons are wrong, no holidays is the only true way!!!" there are 11 federal holidays in the USA, same as in many European countries, and the sky didn't fall down because of that. Adding 0.20-0.25 holiday per year won't return a country to dark ages or anything.
I agree with paper ballots, completely. But requiring voting to be in-person: how do you deal with citizens who are homebound, traveling, or working? Not literally everyone can get the day off--even if you suggest "shifts", there will be some people who won't be able to, whether because the hospital is understaffed and people will literally die, or because they don't have the resources to get to the voting hall on their lunch break.
In Ohio we have early voting, and then we also have absentee ballots which I think solves both of those challenges. We even have what's called curbside voting for folks who can't get out of their car.
I guess in some sense I'm arguing for the existing system [1], and not to move to any sort of electronic voting, but adding in a new federal holiday for the actual Election Day. It should be a celebration of democracy, a day of reflecting on our republic, and an opportunity to be patriotic with special programming and events, parades, etc. Just a hope/dream there.
I guess the main thing I'd like to say is, I think we should have the day off from work and we should all get together as much as possible as a society and celebrate this damn thing we have instead of sitting at home on the Internet just complaining and doing nothing all the time.
[1] Today we have ballot markets which electronically mark and print the ballot. I'm not quite as concerned about those being hacked (from a layman's perspective not any expertise), and then we have the actual ballot that was cast by the citizen that we can reference. When I think about open-source voting systems, electronic voting, etc. I think of doing it through your computer.
I've been saying it for years. We are more than capable of creating an official USA app that every American can download, test their knowledge on a topic, and vote. If X.com can implement polling, why can't the US Gov? In my opinion, they want to portray the illusion of democracy, not actually implement it.
There are many Americans that can't or won't download a "USA app". Owning a smartphone must not be a requirement for participating in democracy.
And if all you want is political polling, every elected representative does this already (well, they generally pay someone else to do it). So I'm not sure what it would mean for the US gov to do it separately. Do you imagine that a "non-partisan agency" like the CBO would do it with taxpayer dollars, as a publi service for the politicians who would still vote however they do?
democracy is an awful idea, the average person is barely even sentient
Public trust demands paper voting systems...
Complaining about electronic voting (absolutely valid and reasonable take btw) while living in the country with first past the post election system, is like complaining about bad wall insulation in a house which is on fire. Yes, insulation is a actual valid problem. But maybe not a Priority 1 at that particular moment.
In first past the post system, between 1% to 49% of votes are stolen and tossed by design. This actually, not hypothetically happens, in real life. Electronic voting maybe can be abused, and maybe some significant number votes may be defrauded. But in FPTP it has actually happened already and at a much worse scale. Imo the real high priority issue is obvious.
I think, that there is only one way to make voting machines to be trustworthy. If anyone can run ballots through their own machine to verify results, AND there will be multiple parties doing exactly this, then you can trust the outcome.
But still it is not a way to fight a political party that will use dummy machine that counts each ballot as a vote for them, and then accusing all others that they are trying to steal the elections. It is an unbelievable stupid tactic, but I think it may work in USA, judging by people eager to believe any BS if it supports their party.
The only voting machine we should be trusting is a printer.
If the goal is public trust, open source isn't helpful for the general public.
We need quadratic or ranked choice voting.
It might be an aside but it would be, "really groovy" if the general public started to realize that, "democracy" is a way of life and a set of considerations that furthers an open public discourse and attempts to maximize human felicity and reduce cruelty. In an oxymoronic sense it's the public voting on things that actually kills real democracy.
https://sites.pitt.edu/~rbrandom/Courses/Antirepresentationa...
https://en.wikipedia.org/wiki/A_Theory_of_Justice
No. Democracy is not about reducing cruelty, or any other vaguely activists points of views. It is about having people choose where they want to go. It might be that these choices unveil that humanity, statistically speaking, is actually a cruel bunch. And, what you think is cruel, might be just fair to someone else. Democracy is about surfacing the human nature.
Define, "human nature." Don't compare me with an activist.
I can't edit my previous comment so I'll continue:
This isn't and has never been true in a universal sense. Athens was democratic plutocracy with slaves. The United States didn't have popular democracy until well until the 20th century and it's worth noting that it was the Southern Democrats which wanted to restrict the basic political rights of blacks in the name of, "popular sentiment." The Fukuyamist position which takes a naive view of western democracy as totalizing in a historical sense is being rapidly called into question all over the world. People (almost) universally want the expansion of the their quality of living and political autonomy in a sense which includes but also transcends the ability to cast a paper ballot. We see with Trump that this naive notion has, "serious flaws." In the 1930's the Nazis came to power under a democratically elected conservative government. Democracy means pragmatism. Pragmatism means something about, "having a superior conversation about what we would like to be." The ability to cast a vote is an extension of this sentiment-- it isn't its foundation. We see that in the general experience of the Chinese middle class. They live under a totality but neighborhood associations and not actively being managed by the CCP results in many reporting feeling freer under this system than under ancillaries geopolitically.
Paper is open source.
Computer-free voting only. Open source in this context is a ruse, only the deployed binary matters.
Only the deployed hardware matters. Or only the person reading the result of the machine matters. Or only the USB key which is transferring the results matters. Or…
Once you start with non-transparent mechanisms, there is no end to it.
As the CCC has stressed almost 20 years ago already, "public trust" demoands pure analog, no software at all, voting. Whenever someone comes back and tries to introduce some sort of voting machines, they are trying to fool you. Never EVER trust an electronic voting machine, no matter WHO is trying to sell it to you.
To understand criticism with electronic voting system let's assume the best case: say you make the perfect, mathematically verified voting software. That is perfectly up to date each election. That runs on open yet tampersafe hardware that is as the stickers say never obsolete. That notices any human error and hacking attempt (not that such a thing exists).
Even with that utopian scenario the remaining problem is that the goal of elections is agreeable consent. Mewning the goal isn't just to get a decision. The goal is to get a decision, people can agree with because they trust the process must have been okay. If your vote is low stakes, like where you go for lunch with your collegues, then that trust doesn't matter, who cares if it was wrong? But if it is high stakes even a perfect digital system is problematic, because even intelligent, technological expert voters have no chance of understanding which of the moving parts might influence what in which way in practise.
Meaning a paper ballot with the right process can more or less be understood by everybody who can count and has mastered the cognitive skill of object permanence.
A Rust project with a 30k Cargo.lock file filled with dependencies on an even more complex operating system, running complex (in a different way) hardware, that might differ for each voting location isn't that. And that isn't about the programming language or the tech stack. It is about the intransparent nature of electronic systems themselves.
I spent a three quarters of my life learning programming and electronics including hardware design and I teach that stuff on a university level. Even I would have a hard time ensuring there is really no backdoor in the whole stack. And this fact means even if there is no backdoor in it, there might be and there is no realistic way for a normal person to check. I understand the nerd appeal. It is cool to toy around and figure that problem out. But the core of the problem is not technological it is sociological.
That is such a big flaw that IMO it is not worth it for high stakes elections.
Is paper considered open source?
Yes and it's inner workings are 100% transparent.
Paper still needs a system to verify ballots aren't forged, and that system should be robust and transparent too.
The system is a whole bunch of people from different parties being present when votes are collected and counted. And with paper ballots you need to do the fraud in many different polling stations.
It is possible to do small-scale fraud with paper ballots, you can never fully eliminate that option. But it is exceedingly hard to do larger scale fraud without it being extremely obvious to any observer.
Yes, and it's incredible how many problems are solved by hand-counted paper ballots. I get that it's a big task, that it takes time (and some US administrations seem to despise not knowing election results the night of the election), and that it's very tempting to automate, but the basic formula of 1) everyone gets a paper ballot; 2) the ballots are collected at a polling station; 3) the ballots are counted by hand is much harder to corrupt. Maybe build the fancy stuff on top of the paper ballot, like serialized ballots to prevent duplication or timed locks on ballot boxes to prevent tampering, but for the love of Democracy, keep it simple!
Other countries get preliminary election results the same day even with hand-counted paper ballots. So even that isn't impossible.
You can also use statistical techniques to audit results that are for the most part automatically tabulated by machine.
Some stakes couldn't start counting mail-in ballots before the election day. That slowed down counting a lot.
Mail in ballots are even less secure
Source?
These kinds of comments always annoy me a bit. It's 2025. 155,238,302 people voted in the most recent US presidential election. It is entirely silly that we expect people to manually count that many ballots in this day and age. And count them without errors! (And yes, we can make those paper ballots machine-readable, but you still need software to count them.)
Yes, I know: before computers and other mechanical systems, people had to count ballots by hand. There were many fewer people voting then, and regardless, that's not really the point: they counted by hand because they had no alternative.
Electronic voting certainly brings new problems into the mix. I don't think those problems are insurmountable. The problem isn't the technology itself. It's the legal and social landscape around voting technology. Open source, with reproducible builds and a method to verify that the code running on a machine was built from a particular version of source, is a start. Verification of that software's functionality, on par with the verification done of critical software (medical devices, things that go into space, slot machines, etc.) would be another good move.
Voters can also receive paper receipts, and I'm sure we can come up with some sort of scheme to take a representative sample of the electronically-recorded votes and validate them against the paper receipts, while maintaining voter privacy.
The absolute number of people doesn't matter. If you have more people voting, you can have more people counting. If you have more people, you have more polling stations, you can keep the size of them constant no matter your total population.
Other countries do paper ballots and manual counting without issues. The US isn't that special or unusual.
There is too much power at stake and too many dollars in the mix for this to work. Take a look at how expensive it is to break electronic voting machines then compare that to the billions of dollars that flow into an election cycle.
> I don't think those problems are insurmountable.
As soon as you try to be more clever than electronic counting of paper ballots, yes they are.
You can either audit the count by replaying the input event stream, or you can't.
it’s called distributed voting centers, there’s this many people so there’s plenty of people available who can count their block’s ballots, there’s no motive of convenience in using electronics for voting that could ever surpass the motive for simplicity and trust, it’s just not that hard of a thing, there was no new problem that suddenly emerged when electronics became available for this, this notion should inform you of the various motives of why someone started to market them to decision makers
Obligatory XKCD:
https://xkcd.com/2030/
we need a system that's based on paper. the machine can be digital, but, for instance, the vote needs to be written on a "roll of cash register paper".
The voter needs to be able to see their vote on the paper.
Reading the rolls needs to be done by machines, but by several different machines reading the same rolls. So we can verify.
Software is not the problem. The medium of persistence is.
Some of the comments here seem to be associating electronic voting with these electronic voting systems. The systems described by this project all have paper ballots and audit trails, they're electronic assistants in running a paper ballot election.
I've only worked a couple elections in a single US county, so I don't claim to be an expert. But the projects described by the company align with each of the devices we use in elections today. Using their software would be the equivalent of moving from MS Office to LibreOffice for operating the government. It won't solve everything, could have bugs, but there are some significant long term advantages, like not depending on a company that could go out of business for security patches.
The first device voters encounter is people working the electronic poll books. We still have a paper backup available, but prefer the electronic versions. First, they can scan the barcode on the drivers license for a quick check-in (usually). When person shows up at the wrong location, we immediately know without spending a couple minutes looking through the paper list. We can even tell them where their voting location is rather than "you're not on the list, we don't know why". When someone needs to vote from their car, we can take a poll book with us and check them in curbside, no extra back and forth. And anyone can check-in at any poll book, rather than splitting the list up by last name. If there is ever a hack of the poll book, changing the list of voters, that could have also been done with the paper backup, and that's why there's a provisional voting process.
After that, over 99% of voters get a paper ballot. They mark their oval with a pen, and take it over to the scanner. This is where the security happens. There's a paper audit of the vote, and the vote is anonymous, your name is not on the ballot.
Less than 1% of the voters ask to use a ballot marking device. They are there for ADA requirements, allowing people that have difficulty marking a ballot by hand to vote. They have headphones to read the choices if needed for the blind. When finished, their choices are printed on their paper ballot, human readable and verifiable, and taken to the same scanner used by other voters. Most people don't even realize ballot marking devices exist, I didn't before I started working the election, and I've yet to see anyone request to use it.
The next step is where people get suspicious. The paper ballots are run through a scanner at the precinct, by the voter. These are monitored by an election worker to ensure the voter scans their ballot, but we stand so we can't see the ballot choices for voter privacy/secret ballots. These machines output a tally in multiple forms at the end of the election, including multiple paper copies and USB drives. The various copies get split up and separately delivered, each by a team of workers, for both redundancy and to ensure no one person is ever alone with the results.
A very important process happening throughout the day is counting the votes. The number of voters that register in the poll books is compared with the number of ballots given out (when ballots are unwrapped, they are counted, and what remains at the end of the day is counted again), and also the number that went through the scanner. Things get complicated (I assume reports are made after an extensive search is done) if we are ever off by one ballot in those counts.
The common fear that someone could stuff the ballot box, even by an insider, doesn't match my experience. In addition to the counts above, multiple workers, from multiple parties, are assigned to each precinct. We don't leave the ballots at any stage unattended at any time.
At the end of the day, the tallied ballots are sealed in a box. All equipment is locked back up. And lots of items (tallies, USB disks, sealed ballot boxes, provisional ballots, etc) are returned by a team of people that night to the county government building. From there, initial counts are released and then the election needs to get certified. That's where my personal experience ends.
The certification process includes deciding which provisional ballots to accept, and then counting them. But it also includes audits of the equipment. And those audits are supposed to take some boxes of ballots from select precincts and run them through a different a scanner to verify the tally is the same. The precinct scanners are also audited before we receive them, which is visible because a permanent count is tracked on the machine that's never zero for us, even when it's a new machine that's never been used in a previous year's election. In addition to all those electronic counts on different equipment, some percentage of ballots is likely hand counted. This certification process all happens over the course of days, if not weeks, but the initial count is usually out in a few hours when a first team of workers brings back one of the two USB disks (along with other items).
There are ways to hack an election, but these electronic machines are at the bottom of my list. Someone would have to alter the counts from the scanners without adding or removing votes, in a way that doesn't get caught in an electronic or hand audit in the future on independent equipment, and doesn't get detected in an audit of the machine before it is placed in service. And the whole process is constantly watched by workers from more than one party affiliation.
Instead, if you wanted to hack the election, you'd first become a billionaire, and buy all the media companies to ensure the population only sees one opinion. Then you'd gerrymander the election districts so most elections aren't really contested. And in locations where it might be close, you fill it with ads and social media misinformation so that voters don't know what to believe and they follow the loudest voices that repeated the most. Not only is that a lot more likely to work, but there's no chance of any consequences if you get caught since it's not illegal.
American elections just seem totally absurd.
Here in Germany every single vote is on paper and is counted publicly, where any citizen has the right to observe the counting process. There is a list of all people eligible to vote at a certain voting location, where all voters are crossed out when they come to vote. While errors of course happen, I have absolutely no doubt that the results are free from intentional interference and that the only people voting are those who are eligible to vote.
The idea that my vote is digitally recorded seems absurd. And I do believe that the consistent distrust of Americans in the integrity of their elections is caused by the design of the voting system. There just seem to be so many completely unaddressed flaws. Open sourcing only addresses some part of the flaws and I do not think that electronic voting should ever be trusted.
Trust in a democracy starts with trust in elections, which I do not think can be reasonably provided by electronic voting mechanisms.
The technology forum that despises technology, what a world. We should be expanding voting access, not taking it back to the 19th century. Vote with whatever means you have: wanna show up physically and hand-write your ballot, great!, wanna mail it in, go for it!, wanna vote via website or app, have fun!
Who gives a shit man, it's not going to be the end of the world or even substantially change things no matter what methods we choose. You might as well choose the ones that make things easier on people. Crazy that the world wide information network that we've built and defines our current age in history is treated like some horrible evil. It's not, it will be fine. But with vote by website now every home, school, and library in the country becomes a polling place.
There is no amount of transparency that will achieve the mythical "public trust" that's being envisioned. Our current voting system is all paper right now, actual voting fraud—meaning literal ballot stuffing is nonexistent and still people buy into conspiracy theories. Voting manipulation happens in broad daylight at the systems level and is done by carefully restricting access. Expand access and the problem vanishes.
It's frustrating, honestly. Everyday we trust some tech with our lives, but voting? It's unacceptable. Oh, you can have this cryptocurrency that you can use to buy things without the government or anyone else getting to spy on you! But voting should be only with paper and pen because you can not trust machines!!!
You can trust machines. You can't trust computers.
Brown hands typed this comment
I can assure you I am as white as they come, my family being a mix of Quebecois and Irish I'm "wears sunscreen in the winter" pale.
I'm at a loss for why you would assume something about my racial background from my view that voting should be made easy and convenient in a democracy. I'll go even further, in addition to being able to vote digitally you should automatically be registered to vote when you establish residency, voting should be compulsory*, and it should be a national holiday. But outside the bigger picture I selfishly want this because I don't want to bother driving to my polling place when I could voted in less time than it took to type this reply.
* I wouldn't have any punishment for not voting, that would be a huge mess. But I would have it on the books in the hopes that people would follow it simply because it's the law.
[dead]
[dead]
This is a power problem, not a technical problem.
The US has the worst voting system intentionally, not accidentally. And mail-in voting shows we aren't even a little serious about election integrity. We're militantly against it: you can get people to rabidly support universal IDs for trivial, nonsensical reasons that have never resulted in significant problems; and to demand digital IDs, device attestation, and real names on social media; but to the same people showing IDs to vote is supposed to be the end of democracy.
People have made this proposal every year since the 90s, and depending on the year it was the Republicans rabidly opposing it or the Democrats rabidly opposing it. Good luck getting things accomplished with a good argument. That's not how things get done. The people who get the final say about this would love to get rid of voting altogether, but they'll settle for vendor kickbacks.
The US doesn’t have a national ID system, so your proposal doesn’t make sense. The closest thing is social security cards but those are not photo IDs.
A signed affidavit or local ID should be fine to establish identity. That can be done when signing up for mail in voting (although I personally prefer in person).
Voter fraud is extremely rare under the current system.
> The US doesn’t have a national ID system, so your proposal doesn’t make sense. The closest thing is social security cards but those are not photo IDs.
RealID is a national ID system (that they pushed since the 90s for no reason), and we're all issued voter IDs when we register as voters.
> A signed affidavit or local ID should be fine to establish identity.
I don't think you understand that people are against showing any ID to vote; if you pull one out, the poll workers' eyes get big and they fall over themselves trying to get you to put it away (I just took it out so you could read my address to pick my precinct, ma'am.) An ID which, very soon, will be required to be a RealID if it isn't already in your state. It is in mine.
I also don't think you really mean that a signed affidavit is enough to establish identity, even though you said it clearly. If you actually do mean what you said, I'd love to hear the argument.
> That can be done when signing up for mail in voting
Mail-in voting allows other people to watch you as you vote, and is the opposite of voter integrity. You should not be able to prove who you've voted for, or else you can be forced to prove who you voted for. This is why you are not allowed to take pictures of your ballot in the voting booth.
There's absolutely no reason to spend any time on open source voting code if you'll allow churches to call their entire memberships in to fill out their mail-in ballots together (under pain of expulsion), or hypothetical gangsters to go door to door threatening to shoot people if they don't give their ballots up.
> Voter fraud is extremely rare under the current system.
1) There is no way to know, and 2) if so, that makes this proposal even sillier.
I personally am very interested in electronic voting and voting algorithms. I've read a million papers and think about it all the time. But this is not a technical problem. There is no country that has a worse voting system than the US. Normal countries don't take weeks to count up the votes.
> we're all issued voter IDs when we register as voters.
I don’t think you know what you’re talking about. I have never been issued a voter ID at the time of registration.
> Mail-in voting allows other people to watch you as you vote, and is the opposite of voter integrity.
Or you could just vote in person which is an option even in universal vote-by-mail states.
> hypothetical gangsters to go door to door threatening to shoot people if they don't give their ballots up.
Why make up hypothetical situations and invent a problem that doesn’t exist? You can just as easily cite made up problems for any proposed solution.
High tech electronic voting schemes and voter ID schemes solve problems that literally do not exist, and frankly do a poor job at solving even those made up problems.