LWN: Comments on "Open-source voting for San Francisco" https://lwn.net/Articles/797557/ This is a special feed containing comments posted to the individual LWN article titled "Open-source voting for San Francisco". en-us Fri, 07 Nov 2025 05:38:24 +0000 Fri, 07 Nov 2025 05:38:24 +0000 https://www.rssboard.org/rss-specification lwn@lwn.net Open-source voting for San Francisco https://lwn.net/Articles/798968/ https://lwn.net/Articles/798968/ anselm <p> Electronic voting “works” in the sense that people can cast ballots and there is a tally of votes at the end of the day. The problem is that the connection between the ballots that have been cast and the tally that the voting computer outputs is not obvious; it is usually difficult for an outside observer to ascertain that the tally is an accurate representation of the ballots that have been cast, and it is often also difficult to verify this independently after the fact (unlike, e.g., when paper ballots are being used, which can be recounted). In other words, the question is not whether the electronic voting “works”, it's whether it works reliably and transparently. </p> Wed, 11 Sep 2019 15:25:17 +0000 Open-source voting for San Francisco https://lwn.net/Articles/798930/ https://lwn.net/Articles/798930/ cesarb <div class="FormattedComment"> <font class="QuotedText">&gt; &gt; Electronic voting is just stupid. It does not work. [...]</font><br> <p> <font class="QuotedText">&gt; [...] electronic voting is not feasible [...]</font><br> <p> And yet, we've been using voting machines in the municipal, state, and federal elections for over two decades in my country. Saying "it does not work", when it clearly has been working for two decades, stretches credulity. 
You might say "it's not secure" or "it's impossible to make secure", but just saying "it does not work" is not a good argument.<br> </div> Wed, 11 Sep 2019 14:12:18 +0000 Open-source voting for San Francisco https://lwn.net/Articles/798696/ https://lwn.net/Articles/798696/ rdicosmo <div class="FormattedComment"> Besides electronic voting, I seem to understand that SF elections use a ranked voting method.<br> This is a *bad* idea, as it lends itself to vote selling, see details here: <a rel="nofollow" href="http://hal.archives-ouvertes.fr/hal-00142440">http://hal.archives-ouvertes.fr/hal-00142440</a><br> </div> Sat, 07 Sep 2019 19:11:22 +0000 Open-source voting for San Francisco https://lwn.net/Articles/798694/ https://lwn.net/Articles/798694/ rdicosmo <div class="FormattedComment"> It is indeed pretty sad to see that in 2019 we still need to explain, again and again, why electronic voting is not feasible.<br> I have been involved in public debate about electronic voting since the early 2000, when it was unfortunately introduced in France.<br> Here is a recent summary of the key points, in English, that should make a nice reading.<br> <p> <a rel="nofollow" href="http://www.dicosmo.org/MyOpinions/index.php?post/2016/02/25/A-rule-of-thumb-for-assessing-electronic-voting-systems">http://www.dicosmo.org/MyOpinions/index.php?post/2016/02/...</a><br> </div> Sat, 07 Sep 2019 19:08:29 +0000 Open-source voting for San Francisco https://lwn.net/Articles/798640/ https://lwn.net/Articles/798640/ rgmoore <blockquote>But those vulnerabilities are so obvious that an ordinary voter can reasonably assume the relevant authorities have already thought of them and put sufficient checks in place</blockquote> <p>Which they actually have. I didn't bother listing the ways our system protects against those kinds of problems because I was specifically talking about secrecy of mail-in ballots, but they're there. 
The key point of all this stuff is that the system is designed to protect against attacks by making the system open to observation and audit, rather than trying to make security that is theoretically impenetrable. A key part of that is making the procedures comprehensible, which expands the pool of people who are capable of observing and auditing them and gives everybody else confidence that any attempt to cheat is likely to be caught. <p>An example of this is the question somebody raised above about ballots that are designed to be both human and machine readable: how do we know that the machine-countable markings match the human-readable ones? The answer is audit. We select a subset of the polling locations, hand-count the ballots, and compare the results to the machine-counted results. You could select the polling locations at random, or you could allow candidates to select polling locations so they can satisfy their curiosity about suspect locations. That type of audit makes it very likely to catch any kind of cheating that's significant enough to top the election. Fri, 06 Sep 2019 18:00:33 +0000 No. Just say no. https://lwn.net/Articles/798641/ https://lwn.net/Articles/798641/ jhhaller <div class="FormattedComment"> On the last voting machine I used, there was a small area which printed which candidates I selected. Once I confirmed it was corrected, the paper advanced and was not visible to the next voter. I'm not sure what would have happened if I selected that the information was incorrect, but presumably could void that ballot and let me re-vote. That's the way it works with paper ballots which are mismarked. One could then audit the paper version of the vote with what the machine recorded. An after-the-fact hand audit (or even a machine OCR of the paper tape) of 1% of the machines after the election was over could detect if there was substantial fraud. 
I could also only use the machine if I had a smart-card which was configured when I went in and verified that I was on the election rolls as a voter.<br> </div> Fri, 06 Sep 2019 17:42:38 +0000 No. Just say no. https://lwn.net/Articles/798415/ https://lwn.net/Articles/798415/ Tara_Li <div class="FormattedComment"> Sorry - how do you verify, other than the hand count later, that the vote printed out is the same as the vote the machine records? And there are numerous other levels of verifying that is nearly impossible to fix. This is, in a sense, a variation of the Two Generals Problem.<br> <p> <a rel="nofollow" href="https://www.youtube.com/watch?v=w3_0x6oaDmI">https://www.youtube.com/watch?v=w3_0x6oaDmI</a> (Why Electronic Voting Is A Bad Idea)<br> <p> <a rel="nofollow" href="https://www.youtube.com/watch?v=IP-rGJKSZ3s">https://www.youtube.com/watch?v=IP-rGJKSZ3s</a> (Two Generals Problem)<br> </div> Thu, 05 Sep 2019 05:17:46 +0000 Open-source voting for San Francisco https://lwn.net/Articles/798413/ https://lwn.net/Articles/798413/ kragil <div class="FormattedComment"> Electronic voting is just stupid. It does not work. German CCC has tried years and years to explain to people, but they just won't listen.<br> </div> Thu, 05 Sep 2019 04:51:10 +0000 Open-source voting for San Francisco https://lwn.net/Articles/798286/ https://lwn.net/Articles/798286/ excors <div class="FormattedComment"> <font class="QuotedText">&gt; FWIW, this has a clear and obvious advantage over the system in the paper you linked to: it's simple enough that an ordinary voter can understand the process and have confidence that it works as promised. This is not true of any complex cryptographic system. [...] The ability for ordinary voters to understand the security protecting their ballot is critical for an election to have legitimacy.</font><br> <p> I think that's probably true even if the simple system has obvious vulnerabilities. 
That's still better than a system that promises to be perfect but cannot be understood.<br> <p> In your example, the election official could e.g. guess the ethnicity of the name on the outer envelope and discard votes from certain groups to bias the result. Or they could open both envelopes at once and record the deanonymised votes. But those vulnerabilities are so obvious that an ordinary voter can reasonably assume the relevant authorities have already thought of them and put sufficient checks in place (like having observers watching for these specific issues), and if there is some anomaly (e.g. one party's observers being forbidden access to the count) then a journalist can report it and readers will probably understand the implications and there can be appropriate outrage. It won't be theoretically perfect but that feedback mechanism can ensure it remains good enough in practice.<br> <p> With a cryptographic system, the average voter can't even begin to understand what vulnerabilities there might be and how they might be exploited. If there's a news report saying all the tellers generated their key pairs using a buggy low-entropy PRNG, nobody will have a clue what that means. Maybe some experts will say "trust us, this is really bad", but the voting machine companies will present other experts saying "trust us, everything is fine", and then the losing candidate will say "don't trust any of these so-called experts with their gobbledygook, trust your gut - I should have won a landslide. Grab your pitchforks!". Even if that system still gave a numerically perfect count of votes, the doubt over its legitimacy could cause more serious damage than a little bit of fraud would have.<br> </div> Wed, 04 Sep 2019 09:28:04 +0000 Open-source voting for San Francisco https://lwn.net/Articles/798260/ https://lwn.net/Articles/798260/ rgmoore <blockquote> However, can voters keep their ballot secret? </blockquote> <p>Yes, and it isn't that hard. 
The voter seals their ballot in a plain envelope, then puts that envelope in a mailing envelope which has their personal information on it. When the election officials receive the ballot, they can check the information on the outer envelope to make sure it was sent by a registered voter who did not also vote in person on election day. Once they have confirmed this, they open the outer envelope and put the inner envelope in a ballot box for that voter's precinct. When one of those ballot boxes starts to get full (or when there are no more ballots to process), it is opened and the ballots are taken out and processed. Mixing the sealed ballots in the ballot box prevents anyone from connecting any ballot to the voter who cast it. <p>FWIW, this has a clear and obvious advantage over the system in the paper you linked to: it's simple enough that an ordinary voter can understand the process and have confidence that it works as promised. This is not true of any complex cryptographic system. Very few people know enough about implementing cryptography to analyze such a scheme and be sure it doesn't have a flaw that would allow someone to either deanonymize ballots or secretly change the results. The ability for ordinary voters to understand the security protecting their ballot is critical for an election to have legitimacy. Tue, 03 Sep 2019 22:49:35 +0000 Open-source voting for San Francisco https://lwn.net/Articles/798200/ https://lwn.net/Articles/798200/ zoobab <div class="FormattedComment"> "Ah, good old counting. However, can voters keep their ballot secret?"<br> <p> That's why the voting booth was invented. Nothing prevents your husband or your wife to pressure you to vote in one direction with remote voting.<br> </div> Tue, 03 Sep 2019 14:12:56 +0000 No. Just say no. 
https://lwn.net/Articles/798090/ https://lwn.net/Articles/798090/ cpitrat <div class="FormattedComment"> By the way, this article mentions for Belgium that in May 2003, at Schaerbeek (Belgium), the number of votes was 4096 times higher than the number of voters. The experts attributed the error to "a bit inversion potentially caused by cosmic rays".<br> I suppose using high technology such as redundancy, correcting code and so forth is not worth it for such a complex machine, especially if you want to maintain the incredibly low cost of 3000€ to 6000€ (before taxes).<br> </div> Mon, 02 Sep 2019 11:11:10 +0000 No. Just say no. https://lwn.net/Articles/798089/ https://lwn.net/Articles/798089/ cpitrat <div class="FormattedComment"> It depends where you are in France. The decision to use voting machines is left to the city (which organizes elections and has the burden of providing human resources for it). In my city, it's been voting machines for the past 10 years or so. Some cities tested them and stopped using them after this kind of issues.<br> More information: <a href="https://fr.wikipedia.org/wiki/Vote_électronique#France">https://fr.wikipedia.org/wiki/Vote_électronique#France</a><br> </div> Mon, 02 Sep 2019 11:04:50 +0000 No. Just say no. https://lwn.net/Articles/798088/ https://lwn.net/Articles/798088/ mfuzzey <div class="FormattedComment"> <font class="QuotedText">&gt;&gt;&gt; In France, there were cases where the number of votes reported by the machine was different from the number of voters</font><br> <p> I live in France and have never seen voting machines.<br> <p> Everything is paper, there isn't even a printed ballot paper with the list of candidates but one paper per candidate.<br> All the papers and a stock of envelopes are on a table. 
You take several different candidate papers, go into a booth and secretly place one of them in the envelope.<br> You throw the other papers you took in the bin.<br> Then you go to a poll worker who checks your ID and your registration on the list and allows your envelope to go into the ballot box.<br> Finally you sign off the list to prevent you voting again.<br> <p> I'm pretty sure this is the same procedure in all political elections here (everything is pretty centralized, cities don't get to decide their own voting systems).<br> We did have internet voting for the last worker representatives election at the company I work for but, though required by law, those are not political elections and each company is free to organise them how they like.<br> </div> Mon, 02 Sep 2019 10:31:23 +0000 Open-source voting for San Francisco https://lwn.net/Articles/798052/ https://lwn.net/Articles/798052/ ale2018 <blockquote>&gt; there's a laborious process to ensure all the mail-in votes were cast by registered voters who did not also vote in person.</blockquote> <p>Ah, good old counting. However, can voters keep their ballot secret? <p>By comparison, let me quote part of the design of an electronic poll system: <blockquote> [W]hen they cast their vote in a booth, voters get a receipt showing their vote in encrypted form. [...] The point of the encrypted receipt is to provide the voter with the means to check that her ballot is entered into the tallying process and, if her receipt has not been included, to prove this to a third party. The fact that her vote is in encrypted form ensures that there is no way for her to prove to a third party which way she voted. Voters can visit the web bulletin board and check that their (encrypted) ballot receipt has been correctly posted. The tellers process these posted receipts and there are mechanisms in place to ensure that all posted receipts are entered into the tallying process. 
<p align="right"><a href="http://epubs.surrey.ac.uk/7185/2/esorics05.pdf">A Practical, Voter-Verifiable Election Scheme</a> </blockquote> <p>Doing so by [e]mail is more challenging... Sun, 01 Sep 2019 09:47:26 +0000 Open-source voting for San Francisco https://lwn.net/Articles/798042/ https://lwn.net/Articles/798042/ rgmoore <blockquote>Canada can use paper ballots and count pretty much the whole country in a day - maybe not Nunavut?</blockquote> <p>FWIW, the limitation on how quickly California can count its votes isn't with the actual vote counting. If all the votes were received and validated by the end of election day, we could have them counted on election day, too. But something like half the votes in California are mailed in, and they're valid as long as they're post marked by election day. That means the votes can trickle in for at least a week after election day, and then there's a laborious process to ensure all the mail-in votes were cast by registered voters who did not also vote in person. And California has adopted the general principle that it's more important to count every legitimate vote than to get the counting process done as quickly as possible. We are generally slower to count the vote than other states, but we have far fewer controversies surrounding the correctness of our count than states that hurry the process. <p>My impression is that one goal of the new voting technology- certainly here in LA County, and I assume in San Francisco as well- is to make early voting in person easier. Most people who choose to vote by mail do so because it's convenient- they can do it on their own schedule and take as much time as they like to make their decisions- rather than because they can't make it to the polls on election day. Making early voting in person more convenient should reduce the number of slow to process mail-in votes and thus speed up the overall process. 
<blockquote>Maybe LA and California need to consider a sane rationalisation of issue counts, political boundaries and the number of candidates per ballot. California as a state has more than enough budget to do this if the will is there before the systems implode under their own weight.</blockquote> <p>This strikes me as precisely backward. The way California runs its elections and government is the result of more than a century and a half of experience about how we want to do things. It makes much more sense to develop technology to allow us to run our state as we believe is best than to change the way we run our state to accommodate the limitations of existing technology. That's especially true because the limits on developing better election equipment are much more social and bureaucratic than technological, so they're inherently amenable to being fixed if the political will is there. Sat, 31 Aug 2019 19:42:55 +0000 Open-source voting for San Francisco https://lwn.net/Articles/798016/ https://lwn.net/Articles/798016/ amacater <div class="FormattedComment"> If you can teach people to GPG sign votes - and keep their keys safe - Debian's been using electronic voting relatively successfully. Paper ballots are the only answer, hand counted by humans for anything complex.<br> <p> Canada can use paper ballots and count pretty much the whole country in a day - maybe not Nunavut? <br> <p> Maybe LA and California need to consider a sane rationalisation of issue counts, political boundaries and the number of candidates per ballot. California as a state has more than enough budget to do this if the will is there before the systems implode under their own weight.<br> </div> Sat, 31 Aug 2019 09:59:07 +0000 Open-source voting for San Francisco https://lwn.net/Articles/798014/ https://lwn.net/Articles/798014/ ale2018 <div class="FormattedComment"> Heck, I would have expected a concise summary of voting systems, rather than a list of bureaucratic hindrances and money wastes. 
For example, does any voting system provide for casting anonymized votes by email?<br> <p> I found comments more interesting than the article. Sorry Jake, but bureaucracy is boring... <br> <br> </div> Sat, 31 Aug 2019 09:33:04 +0000 No. Just say no. https://lwn.net/Articles/797863/ https://lwn.net/Articles/797863/ k8to <div class="FormattedComment"> I would expect a system where you select your votes electronically, a ballot is printed, and then the ballot is both scanned for results and stored. That's what I've seen from in-person reasonable designs.<br> <p> This means that the paper is the source of truth, and can be re-counted the same way. It gives a voter the way to verify validity, and raises the bar for tampering and eases recounts.<br> <p> <p> </div> Thu, 29 Aug 2019 21:02:03 +0000 Open-source voting for San Francisco https://lwn.net/Articles/797834/ https://lwn.net/Articles/797834/ kpfleming <div class="FormattedComment"> <font class="QuotedText">&gt; For example, OSVTAC meetings must be announced 72 hours in advance and OSVTAC members cannot privately email each other</font><br> <font class="QuotedText">&gt; about anything related to the OSVTAC. If he wants to send something out to the rest of the committee, he has to send it to the chair,</font><br> <font class="QuotedText">&gt; who will distribute it to the members.</font><br> <p> It's 2019, they could use any of a number of discussion forum tools which would keep the discussion in the open (for transparency) but also allow only the committee members to post. If they are doing things this way, they are unnecessarily slowing down their own work.<br> </div> Thu, 29 Aug 2019 16:45:08 +0000 No. Just say no. https://lwn.net/Articles/797820/ https://lwn.net/Articles/797820/ iabervon <div class="FormattedComment"> I was assuming that they'd ruled out electronic voting entirely, given the discussion of the paper ballots. 
On the other hand, meeting the requirements for printing the paper ballots without using any software seems impossible, and counting the paper ballots without using software is just as bad (even if humans were looking at each page, incrementing a tally hundreds of thousands of times by hand is implausible to do perfectly).<br> <p> The best system for sighted people I know of has paper ballots that are designed such that the marks that constitute some valid vote are easy for a human to distinguish from any other valid vote, but also easy for an optical scanner to interpret, and the voter feeds the ballot through a scanner into a box. This also has the advantage that it can reject any ballot that's not clear, and have the voter try again. This obviously requires a device with software.<br> </div> Thu, 29 Aug 2019 15:42:05 +0000 No. Just say no. https://lwn.net/Articles/797819/ https://lwn.net/Articles/797819/ rgmoore <blockquote>This seems like a reasonable idea, except that such a system is effectively a very expensive pencil.</blockquote> <p>A good electronic ballot marker is a bit more than a fancy pencil. The biggest thing is, as the article points out, that voting in the US is complicated, so that a single election may require dozens or hundreds of unique ballot designs even in a jurisdiction the size of San Francisco. A well designed electronic system (whether direct recording or a ballot printer) can help to manage that complexity. It can also help with issues like the need for ballots in multiple languages*, making it easy for blind people to vote without needing an assistant, etc. <blockquote>Not to mention that it seems likely (while paper recounts are technically possible) that such recounts would be quite rare. </blockquote> <p>Recounts aren't as rare as you'd think. In most jurisdictions, the loser of a sufficiently close election can demand a recount, and if the election is very close such a recount may be mandatory. 
The article also points out that it's standard practice to perform an audit on a subset of polling places to ensure the system is performing correctly. An obvious discrepancy in such an audit can trigger a recount. <blockquote>Also, given that there are known cases in the US where voters didn't understand the process of using the existing voting machines (resulting in them not pressing the "confirm" button and allowing election officials to change their vote if they wanted to), I'd be shocked if there weren't similar problems with any other electronic voting system. </blockquote> <p>And there are routinely stories about people misunderstanding the design of paper ballots in ways that result in them failing to vote for some races, voting for the wrong person, mismarking their ballot in a way that invalidates their vote, etc. Bad design is not limited to any one technology. <p>*This is a big issue in some places. Here in Los Angeles County, there is a legal requirement to provide ballots in 9 languages (English, Armenian, Farsi, Khmer, Korean, Mandarin, Spanish, Tagalog, and Vietnamese) and the voting system provides them in 4 additional languages (Hindi, Japanese, Russian, and Thai) even though they aren't legally required to. Thu, 29 Aug 2019 15:28:25 +0000 No. Just say no. https://lwn.net/Articles/797777/ https://lwn.net/Articles/797777/ cyphar <div class="FormattedComment"> This seems like a reasonable idea, except that such a system is effectively a very expensive pencil. Not to mention that it seems likely (while paper recounts are technically possible) that such recounts would be quite rare. 
There's no point having a system for fast vote counting if you always do a recount, you'd probably only do it if there was some evidence of election hacking (the important follow-up question would be how many cases of election hacking would go undetected?).<br> <p> Also, given that there are known cases in the US where voters didn't understand the process of using the existing voting machines (resulting in them not pressing the "confirm" button and allowing election officials to change their vote if they wanted to), I'd be shocked if there weren't similar problems with any other electronic voting system. Paper ballots are comparatively simple and have been developed and hardened for hundreds of years (with the collective experience of all attempted attacks to date) -- no new software-based voting system developed today will be anywhere near as secure for a long time.<br> </div> Thu, 29 Aug 2019 13:47:03 +0000 No. Just say no. https://lwn.net/Articles/797752/ https://lwn.net/Articles/797752/ cpitrat <div class="FormattedComment"> I think a nice solution would be a voting machine that prints your vote. You then put it in an envelope which goes in a ballot box.<br> <p> This way, you have the fast result of the electronic system, lower cost of printing ballots, etc ... with the possibility to recount in case of issue and a clear understanding of the procedure of recount by all voters.<br> <p> In France, there were cases where the number of votes reported by the machine was different from the number of voters from the signing sheet (it happens with regular ballots too but here the difference was much higher, around 10% IIRC). Recounting on the machine is done by pressing a button which, obviously, gave the same result.<br> </div> Thu, 29 Aug 2019 12:54:38 +0000 Open-source voting for San Francisco https://lwn.net/Articles/797748/ https://lwn.net/Articles/797748/ kleptog It's a real pity that people tend not to work across borders on this kind of thing. 
Everyone likes to imagine their voting process is unique and special, but really they are all just variations on a theme. <p> <a href="https://www.elections.act.gov.au/elections_and_voting/electronic_voting_and_counting">EVACS</a> is a system used in the ACT in Australia for more than 10 years, but it really started as a vote <i>counting</i> system first (due to Hare-Clark preferences), and also allows electronic entry but these are really separate components. But while you can see the source code, it's owned by a company. <p> I think the real problem is that voting as a concept is so easily understandable that any system is subject to endless bike-shedding, meaning that any kind of working together across borders is doomed to failure. Within a company it's not a democracy so something actually gets built. Thu, 29 Aug 2019 12:38:32 +0000 No. Just say no. https://lwn.net/Articles/797739/ https://lwn.net/Articles/797739/ dskoll <div class="FormattedComment"> The issue with electronic voting is not closed-source vs open-source. The issue is the ease with which a security flaw can be exploited with devastating consequences.<br> <p> Open-source code has no such flaws, right? 👀<br> <p> The only voting system with any semblance of resistance to an organized attack is one that keeps a physical token for each vote for auditing. Here in Canada, we still use paper ballots and there has never been a serious issue with our elections... Certainly never any hint of a material security flaw.<br> </div> Thu, 29 Aug 2019 11:37:28 +0000 Open-source voting for San Francisco https://lwn.net/Articles/797688/ https://lwn.net/Articles/797688/ clugstj <div class="FormattedComment"> Your tax dollars at work (at least in SF).<br> </div> Thu, 29 Aug 2019 00:36:29 +0000