Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Disagree. It's enough for the average voter to trust that some other people - independent experts - are able to verify the vote. Not everyone needs to be an expert at anything. I wrote more about this trust aspect in the appendix of my thesis on voting: https://attejuvonen.fi/thesis


Yes, but then all that's needed to attack the voting system is to trot out your own experts that voice disagreement. Without the means to assess the system for themselves, voters will lose trust in it. Especially in this day and age, when trust in institutions and expects in general is extremely low. (Heck, this attack already works to some extent with the current, extremely transparent system of ballots)


> Yes, but then all that's needed to attack the voting system is to trot out your own experts that voice disagreement.

Which is precisely what Trump did in 2020.

I doubt people made up their minds on whether the 2020 vote was sound based on the mechanics of how the votes were counted. The counting procedure with it's interlocking checks is rather complex, and differs between states. They made up their minds based on what they trusted more - the Trump version of the facts or the testimonies of the people counting the votes and those administering it.

It will be exactly the same with computerised voting. Ideally the software will be open source with reproducible builds. Just as with the present voting system most won't be able the check the actual mechanics themselves, but they likely know someone who knows someone who knows someone who can.

By the by, it wasn't done that way with computerised voting and probably still isn't in many places. I vaguely recall the story of a voting machine breaking down, a technician waving his magic wand over it after voting had closed, and a whole pile of votes fell out. It made the people in charge of the voting process distinctly uncomfortable.


> (Heck, this attack already works to some extent with the current, extremely transparent system of ballots)

Exactly, so the rest of your criticism isn't nearly as strong, if it applies to all means of voting.


Huh? That is not how this works.

For a high stakes election I would take the most trustworthy system. So give me an argument why I should invest money into building a less trustworthy one?

Because it I get results faster? I don't care about speed, high stakes elections are rare enough for that not to matter.

Because it is more efficient? I don't care about efficiency, I want the result to be accurate and the process to be understandable by the stupid bloke in the pub with whom I have to discuss the result.

There is literally no reason why this should be replaced by a digital system other than it makes us needs feel special.


Paper ballot voting systems are generally more secure than electronic voting systems, but things are not black and white. There are differences amongst different paper ballot voting systems. There are also voting systems which combine both electronic and paper features. For example, a purely paper voting system can be trivially made more secure by adding electronic machines to prevent voters from accidentally spoiling ballots.


The argument you make here might be right, but it's beside the point I was making.

My point was narrowly that most of the argument made in https://news.ycombinator.com/item?id=41156898 applies to paper voting as well.

For what it's worth, I prefer paper ballots, but I don't think that makes all arguments for them automatically valid.


As a software developer myself, if an "independent expert" comes out and says that some software system is fully verified, I might trust their allegiance, but I probably won't trust their competence.

I wouldn't expect the general population to trust them either.


What if lots of experts come out that way, including people you already trust otherwise? Eg assume both Bill Gates and Linus Torvalds etc say they have reviewed the code?


If we assume that:

- how do you know the code running on these machines on day X is actually the code they tested?

- how do you know the code running does the same thing the code they tested does, even if it is the same code (e.g. hardware instructions could be doing different things on the machine, the OS could provide different functionality, other programs could interfere)?

- how do you (and for that matter: every single voter) know their vote was counted towards the correct candidates in the whole process towards the end results, which likely involves transmitting data through the internet and/or people carrying USB thumb drives and sticking them into computers

I am not saying it can't be done, but I say you can tell appart who knows computers really well (hackers) from those who know it kinda (geeks), by how doable they think this is.


The voting system you described is not a verifiable voting system. If you have a verifiable voting system, you don't need to know what code is running on the election machines. That's the whole point of having a verifiable voting system.

You asked "how do you know your vote was counted". You can google for examples of how this works in verifiable voting systems.


In a verifiable voting system, voter usually get a recipe that he can verify, in later time, their vote have been counted. But what stop same recipe is handed out twice? Do you do transparent log? Second system to audit those? How general voters are supposed to understand this?

Just pick a voting station with lower computer literacy, and you can do whatever you want ..


> In a verifiable voting system, voter usually get a recipe that he can verify, in later time, their vote have been counted. But what stop same recipe is handed out twice?

Different solutions exist for this problem, which is known as a "clash attack". For example, in the Floating Receipts voting scheme, those things that you call "recipes" are pre-printed on ballots and hidden under scratch strips. The scratch strip is removed at the time when the ballot is dropped into the ballot box. If the manufacturer of the ballots were to pre-print the same "recipe" on multiple ballots, it would be discovered during the verification phase, because you would in some cases have 2 different votes cast on 2 different ballots which would contain the same "recipe". So both voters look up the "recipe" online and they are supposed to discover only one vote corresponding to the "recipe".


> But what stop same recipe is handed out twice?

Cryptography. Your receipt is presumably only valid for yourself. So if you got someone else's receipt, it wouldn't be valid for you.

I support paper voting for political elections for most of the reasons you mentioned, but I don't think that automatically makes all arguments for paper voting good and valid, and all arguments for alternative voting systems null and void.

And even if political elections are better done on paper, there's plenty of other elections (eg in companies and clubs etc) with different requirements and threats, and they might benefit from the research and experimentation.


Then I would ask why the system they're reviewing is different to any other which is meant to be guaranteed-secure (or check that others are asking those questions). We're told every year or so about some SecureBoot vulnerability, which presumably involves code that has been reviewed.

The system doesn't only include the code directly related to voting. It also includes OSes and everything involved in the infrastructure for hosting and communication (the Belenios system in particular involves sending private keys by email, and we're also relying on end user systems being uncompromised (who here likes browser extensions?)). It's not feasible to claim that such a system is secure from a remotely controlled attack (eg, by a lone external actor).

Most of the attack scenarios against an offline voting system are ones that the general population can at least reason about, and they probably involve multiple insiders that would face a serious risk of being ratted out by one another.


See https://news.ycombinator.com/item?id=41158861

Sending private keys (by mail or any other way) does sound bad, so the specific system mentioned in the article might not be worth bothering with.


Reviewed the code -- but did they inspect the machine? Check the network for reliability? Review the crypto for replayability? RNG that's is actually random?

How many expert do we need? Do we need cross-domain experts to check if any domain experts missing anything between the gaps?

For paper voting, it is literally just check the box is empty before voting and nobody get near the box unexpectedly


> For paper voting, it is literally just check the box is empty before voting and nobody get near the box unexpectedly

That depends on how complicated your voting system is. Have a look at the complications they have in Australia..


> It's enough for the average voter to trust that some other people - independent experts - are able to verify the vote.

I don't agree. This is plausible within a coesive electorate, but it feels like moving the problem. What guarantees that the experts are trusted by the voters? And more importantly, assuming that at some point the system (experts) is trusted, how is the trust in the voting system retained over time? (e.g. in case of disagreement over the results)

I have argued in another thread like GP that because the ultimate purpose of voting systems is to collectively take decisions, and because disagreements are very common when deciding, the system needs to be able to justify itself to retain the electorate's trust. Otherwise it will eventually be replaced by a different voting system (or tyranny).

A proxy for this is of course simplicity. If the voting system is clearly understood by everyone, it is more easy to persuade a losing party that the outcome is correct. Conversely, if a voting system needs high expertise to be understood, it is more difficult to bring everyone to agree on the result. So the latter is less robust than the former, especially if the disagreement is over a result that is close to a tie. A self-correcting mechanism is important to keep the voting system in place.

In appendix B of your thesis you raise an interesting point I had not considered.

> As an extreme example, consider the case where a voting system lacks verifiability, is trusted by the public, and is compromised by a foreign superpower: the people have lost their democracy and do not even realize it. Compare that to a hypothetical case where a voting system has perfect verifiability, thus can not be compromised (without triggering a new election etc.), and, for whatever reason, is not trusted by the people.

> Clearly, the outcome where people are suspicious of a perfectly functioning voting system is superior to the outcome where people are blindly trusting a compromised voting system. We hope that this outlandish example is enough to support our argument that verifiability is more important than trust.

The external threat is a very valid point but I do not think that this is sufficient to absolutely conclude that verifiability is more important than trust. If the system is rigged, it may eventually displease the electorate to the point that it will eventually be replaced.

Unless, the rigged system doesn't displease the electorate and is essentially a hidden benevolent dictator, which would be an interesting situation. Only in that case verifiability could unambiguously be more important.


Experts to verify but overall the entire system available for inspection to the populace at will (so open source, reproducible builds, verifiability) etc

There will still be questions around compromised keys/secrets

I suppose in this case paper ballots win


Sure the people can overthrow a government with a revolution, but the situation deteriorating to that point is pretty much the worst case scenario I can imagine.


But do you agree that there needs to be something that keeps reinforcing the collective trust in the voting system such that this worst case scenario is not reached? If so, do you have an idea what that something could be when using a complex e-voting system? The best I can come up is to educate the public, but that is almost wishful thinking.

rraghur says in the siblilng comment that keeping the voting systme open via OSS / reproducible builds / etc could be a source of trust, but I don't think that is sufficient for most people. We need a stronger argument, and I don't have one.


Of course there needs to be some level of public trust in the elections. I think that trust could come from the E2E verifiability of the voting system, and related to that, trust in the ability of independent experts to verify that the election was conducted fairly. (When the result of an election is verifiable by third parties, there is no longer a need to audit what software is running on the official machines, so there is no need for reproducible builds etc.)


It is possible, at least in principle, to have people trust that techonolgies such as E2E are secure and reliable. Indeed in some countries that is the case, but my point was slightly different.

If you concede that we cannot have everyone understand (to take an example) E2E verifiability, then this technology cannot justify its own correctness to everyone. This means it is necessary to have a (possibly small) group of experts to educate / persuade the public that E2E verifiability actually works.

But my point is essentially: why should they do it? There is no structural incentive for them to do so, other than the virtue of being a good citizen. There needs to be something that keeps reinforcing public trust. Self-evident systems do not require for this incentive structure to exist / be built.

I fear that this could end up becoming akint to the erosion of trust in scientific evidence for political decisionmaking. Science was considered very trustworthy by most people at some point, but because there is little to no incentive for the scientists to inform the public about why what they do works (other than perhaps their personal desire to share the cool thing they are working on) and because scientific results are usually very complex there has been a pretty steady decline in trusting scientific evidence.


The experts from Belenios do not recommend to use remote e-voting for high-stake elections [1]. Some issues they mention are the risks that the users sells their credentials or that a malware on their computer leaks who they voted for.

[1]: https://www.belenios.org/faq.html


I don't recommend remote e-voting for high-stake elections either. But this is orthogonal to the point here.


As a person who's from a country with, let's say, VERY VERY contested, controversial and eventful elections, the fact that independent poll watchers from different parties and NGOs can independently observe ballot boxes, take photo evidence of countersigned and publicly posted box tallies to send them to their HQs, and then compare and contrast results amongst each other as well as with the official results is a huge boon for transparency and trust in the electoral system.

It's not perfect: more remote and less popular areas go unobserved, and what happens after an official complaint is made is anyone's guess.

But at least almost anyone can add up numbers for themselves and come to a conclusion about what to trust and not trust. And you might think no one would bother, but in my brief experience as a volunteer poll worker they surely do, and zealously so. I can't even begin to imagine what'd happen if the paper ballot was replaced with "trust us, the machine says 37 for party A" or "the magical fingerprint number you don't understand says this ballot was cast for someone else".


My reading of the news is that in the US (and that I can see, in many places) a lot of people have been convinced not to believe experts.


The trend is growing here to, sadly. It's not people disagree with experts experts but that truth told by the, disagrees with a distorted perception or reality.


Or the other way around; the so called experts are actually tools in a propaganda machine, and people choose to rather believe their own experiences than second hand information.


It's not enough. It's not enough at all. Experts are easily compromised.

The system by which power is transferred from the people to representatives needs to be literally self-evident. Any system that the "average voter" cannot understand should be literally unconstitutional. Deviating from this puts the results of all elections in doubt. People will question the results, and they will have a point because the system is not actually verifiable and trustworthy to the average person and therefore they have no reason to accept the results. If you're lucky you'll end up with numerous political prisoners at the end of the whole process.


Okay, so you will only accept some theoretical, idealistic, perfect voting system, which at this time does not exist. And until one is invented, you want all non-perfect voting systems to be "literally unconstitutional". How do you want government to function until a perfect voting system is invented? Should we just have dictatorship until that time?


No one said anything about "perfect". I said black box systems that nobody but "experts" understand should be literally outlawed. Nowhere did I claim the system had to be "perfect". It needs to be a simple enough system that even laymen can understand, not some computer black box.

What you fail to understand is that an "election" whose results can't be trusted is equivalent to a dictatorship. Actually they are even worse than dictatorships. In a dictatorship, at least you know you are being oppressed. When unreliable elections are institutionalized, they give an air of legitimacy to the dictator's rule, you're constantly gaslit by the dictator and his political and ideological supporters into believing that the oppression is just the democratic process at work.


The average voter does not understand how a typical paper ballot system can be audited, or what coercion resistance properties the system has. It is not "simple enough system that even laymen can understand".


Decentralized paper ballot systems are counted locally, by people who live in your communities, and are plainly readable.

This makes widespread, centralized election tampering much more difficult, in ways even a moron can usually grasp. (Edit: I mean the general public, not any reader here)

Election skepticism is only going to get worse with China and Russia ramping up their neverending quest to discredit democracy. An unfortunate reality is that we need to operate our elections in ways that are unquestionably understandable and plainly resistant to tampering.

Another example is voting systems. There are several voting systems that are objectively better than Instant Runoff Voting, but they require algebra to determine the winner. If the system isn't demonstrable in a short video or infographic, it is too complex for general population elections.


> Disagree. It's enough for the average voter to trust that some other people - independent experts - are able to verify the vote.

It's interesting how attitudes about digital voting seemed to flip overnight once Trump challenged the 2020 election. Beforehand there as a lot of serious concern about the trustworthiness and security of digital voting machines, now I get the impression that's all been muted and its taboo to do anything except trust the authorities.


I think in your thesis you make some interesting points on how E-Voting systems differ. But I have critizism. Let me paraphrase your points:

1. Paper ballots are in some ways more ambigous, because there are many ways to scribble a sign into a circle, a fraction of which will not result in the intended outcome

2. Understanding these handwritten symbols is harder than understanding the electronic system, because of that ambiguity

3. People understand the paper ballot system, but there are some statistical checks and security measures that they don't understand or know of, so their knowledge of the paper system is superficial

4. Trust in voting systems does not primarily arise from understandability but from trust in other people. To quote: your grandmum doesn’t have to become an expert cryptographer in order to trust a system like X. She just has to believe that cryptography experts exist and at least one of them would speak out if this transparent voting system was not as secure as the election officials claim

I don't want to question your thesis here, but I teach electronics and programming at a University level and points 1 and 2 are ridiculous and maybe even disingenuous. Sure, I understand that for a certain type of mind a digital/electronic system feels less ambigous and more clear. But most people are not like that – not even among academics – not even among academics that involve themselves with technology.

Point 3 is a rethorical trick that – if applied equally to E-Voting would be a strong argument against it. Yeah sure people don't understand X completely so lets do Y which is one-thousand magnitudes more complex is not an argument in favour of Y even if phrased in such a way.

Point 4 is the actual thought we disagree about, but given the unscientific nature of the 3 arguments before I can't simply trust you that you did research here (there are no sources cited that strengthen your point either). So as it is you just stated the opinion, as I stated the opposite. Sure, paper ballot elections are not dead simple, but any living being with basic understanding of object permanence could veryify a ballot isn't manipulated by just standing next to it. Meanwhile with computers you have to delegate that trust. And as computers can be reprogrammed, potentially remotely, even your experts can't be sure – especially in elections where powerful nation state actors seek to destroy the public trust in your election. This is a problem – just claiming that it isn't doesn't cut it. And people who claim that it isn't should not be the ones designing such systems.

The important thing to understand about agreeable consent is that a person's willingness to subject themselves to the will of a democratically elected majority is directly linked to their trust into the process. Your voting system has to produce that trust even if voters don't want to trust the process. The surest way to do that is to get a part of them involved into the process – ideally not always the same people. If then a single poll watcher claims a thing and 400 others that have been present plus three trusted NGOs can claim otherwise the election is not in question. Someone will have to convince me this works for E-Voting with a bit more than rethorical tricks.

Note that I am not against E-Voting per se. I just don't think the highest stake elections which have the potential to shift political powers should be electronic/computerized.


You speak as if I'm advocating for e-voting systems over paper voting systems. I'm not. In general, most paper voting systems that are used in practice are more secure than most e-voting systems that are used in practice.

> 1. Paper ballots are in some ways more ambigous, because there are many ways to scribble a sign into a circle, a fraction of which will not result in the intended outcome

Look, I tried to cover all aspects of how the integrity of the voting results can be compromised. There are big issues, like a foreign superpower attempting to hack the results, and then there are small issues, like this one: people accidentally spoiling ballots.

I'm struggling to understand why you feel the need to attack this minor point in my thesis with words like "ridiculous", "disingenuous" and "unscientific". Accidental spoiling is a real issue that happens and I even have a photograph of an ambiguously marked ballot in my thesis.

> 2. Understanding these handwritten symbols is harder than understanding the electronic system, because of that ambiguity

I wrote in Appendix B about how accidental spoiling could be resolved by adding electronics, but _only_ adding them to fix this specific issue (_not_ replacing the whole voting scheme with black box computers that can be hacked). When you say "the electronic system", it sounds to me like you are imagining something more.

Let me try to illustrate this specific point from Appendix B.

A) Fully paper system. You walk into a voting booth. You scribble down the number "7" on paper. You walk out of the booth and put the paper in the ballot box. Later some election official is counting the votes and they look at your scribble and they wonder, hmm, is this a "7" or is this a "1". Your vote is disqualified.

B) Same system but augmented with simple electronics to prevent accidental spoiling. You walk into a voting booth. You scribble down the number "7" on paper. Inside the booth you insert your paper into a scanner which interprets your scribble and prints out a new paper that is supposed to contain your vote. You look at the new paper to verify how your vote is going to be interpreted and you see... what the heck, it's a "1"? Why is it a "1"? I wrote down "7"! So you take a new paper, and now you very clearly write down "7" on the new paper and scan it again. The computer now prints out a paper that has a "7" on it. Good. So now you walk out of the voting booth and then drop the paper with the computer-written "7" on it into the ballot box.

See how B) is exactly the same system as A) except it offers voters the ability to see how their vote is going to be interpreted, before they cast the vote into the ballot box? The machine inside the booth doesn't have to be connected to the internet and it doesn't have to do anything more complex than read a number on a paper and then print the same number. If somebody hacks the machine to "misinterpret" votes, it will be caught very fast.

> 4. Trust in voting systems does not primarily arise from understandability but from trust in other people.

> And as computers can be reprogrammed, potentially remotely, even your experts can't be sure – especially in elections where powerful nation state actors seek to destroy the public trust in your election. This is a problem – just claiming that it isn't doesn't cut it. And people who claim that it isn't should not be the ones designing such systems.

The whole point of a verifiable voting system is that you don't have to trust the election computers. Even if all the official computers are hacked by Russia, I can still run the data on my own machine to verify the results of the election. As long as there is one clean computer in the world and one nerd who cares, the truth will come out.

And I'm not "just claiming that it is [verifiable]" - I wrote a whole thesis on these voting schemes. I did my best to identify the strengths and weaknesses of each scheme and as you can see in the comparison table, each scheme does have their weaknesses. A "perfect" verifiable voting scheme does not exist. That said, it sounds to me like you are imagining all electronic voting schemes to be "black box" schemes relying on blindly trusting both authorities and computers, and that is not the case at all. I would suggest that you familiarize yourself with at least one of these "verifiable" voting schemes before criticizing them. If you are interested in further discussing the specific weaknesses of a specific scheme which incorporates some electronic aspects, I would suggest that you read the description of "Floating Receipts" scheme from my thesis and then we can discuss specifics of that if you like.


> You speak as if I'm advocating for e-voting systems over paper voting systems. I'm not. In general, most paper voting systems that are used in practice are more secure than most e-voting systems that are used in practice.

Keep in mind that my point was specifically about high stakes elections and you reacted to it without making that limitation. Don't you think my conclusion about your comment follows kind of naturally from that context? I also would argue there is a niche for E-voting to exist, but it is the responsibility of us technically literate to make it very clear for which purposes it is not suitable and why.

> There are big issues, like a foreign superpower attempting to hack the results, and then there are small issues, like this one: people accidentally spoiling ballots.

The slowness and amount of people needed for the paper ballot is a feature not a bug as it makes wide scale attacks extremely complex, labour intensive and risky AND regular people (those that need to believe in the results!) can understand what is going on if they want to. This comes at the cost that the correctness of the result can be not always guarantueed. A huge number of spoiled ballots isn't necessarily a sign that people don't understand how to make a cross, it is a sign of protest and used as such.

> Fully paper system. You walk into a voting booth. You scribble down the number "7" on paper. You walk out of the booth and put the paper in the ballot box. Later some election official is counting the votes and they look at your scribble and they wonder, hmm, is this a "7" or is this a "1". Your vote is disqualified.

I have never seen an election where a vote isn't ticking or checking a ballot box, maybe this is different in Finland? Also: The elections I voted in, in 2 different countries always came with precise pictured instruction how a valid vote looks like and what would be invalid. I am not sure if I should be worried about the vote of people who fail to put an X into a box when given pictured instructions. This is a weakness with one specific implementation of a paper ballot, not a inherent weakness of the system. If we are to look for a good comparison we should compare the best way to do paper based elections to the best way to do it digitally and draw our comparisons from that.

> See how B) is exactly the same system as A) except it offers voters the ability to see how their vote is going to be interpreted, before they cast the vote into the ballot box?

This isn't without it's own risk either. Having worked with computer vision systems and programmed them I can tell you there is no 100% guarantuee that the result that air-gapped machine showed the voter in the voting both is the same as what is reached later – not even if we assume the exact same machine to be used for the count. Also: That isn't necessarily what I'd call a E-Voting system.

> That said, it sounds to me like you are imagining all electronic voting schemes to be "black box" schemes relying on blindly trusting both authorities and computers

No you get me wrong. What I said is that for the majority of the electorate it would be that way. I can readily imagine building an electronic voting system that I can trust – and maybe even one where independent experts would trust it. But that is the easy part. The hard part is building a system into which the bloke from the pub that struggled with undergraduate math and stopped thinking about it since he left school two decades ago can trust. And not just by trusting an authority, but by checking for himself.

As much as I like the idea and challenge of such projects, I can't help put think that the inclusion of those who are less capable to understand is worth more than the potential gains in efficiency or interface-correctness of E-voting systems – especially if the fate of nations hinge on the fact that people trust it.


> Keep in mind that my point was specifically about high stakes elections and you reacted to it without making that limitation.

I was also thinking of high stakes elections when I wrote my response to you, even if I did not explicitly say so.

> I have never seen an election where a vote isn't ticking or checking a ballot box, maybe this is different in Finland?

In Finland you typically scribble down a number. Yes, it's harder to accidentally spoil a ballot if you only need to tick or check a box.

> Having worked with computer vision systems and programmed them I can tell you there is no 100% guarantuee that the result that air-gapped machine showed the voter in the voting both is the same as what is reached later – not even if we assume the exact same machine to be used for the count.

But in this hypothetical example the computer is not used to count the votes, it is used to write on paper. Because a computer can unambiguously draw the number "7" on a piece of paper, and the voter can unambiguously verify that the number is correct.

> Also: That isn't necessarily what I'd call a E-Voting system.

I wouldn't call it such either.

> If we are to look for a good comparison we should compare the best way to do paper based elections to the best way to do it digitally and draw our comparisons from that.

And that is what I did in my thesis. The best way to do in-person paper based elections is (a variant of) Floating Receipts, which is a better system than (a variant of) Civitas, which is the best way to do remote e-voting.

At this point I am very confused what you feel disagree about. We went into the weeds over some minor issue regarding spoiled ballots, and I feel like you are drawing way more conclusions from that than you should.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: