Virginia Scraps Electronic Voting Machines Hackers Destroyed At DefCon

Following the DefCon demonstration in July that showed how quickly Direct Recording Electronic voting equipment could be hacked, Virginia's State Board of Elections has decided it wants to replace their electronic voting machines in time for the gubernatorial election due on November 7th, 2017. According to The Register, "The decision was announced in the minutes of the Board's September 8th meeting: 'The Department of Elections officially recommends that the State Board of Elections decertify all Direct Recording Electronic (DRE or touchscreen) voting equipment." From the report: With the DefCon bods showing some machines shared a single hard-coded password, Virginia directed the Virginia Information Technology Agency (VITA) to audit the machines in use in the state (the Accuvote TSX, the Patriot, and the AVC Advantage). None passed the test. VITA told the board "each device analyzed exhibited material risks to the integrity or availability of the election process," and the lack of a paper audit trail posed a significant risk of lost votes. Local outlet The News Leader notes that many precincts had either replaced their machines already, or are in the process of doing so. The election board's decision will force a change-over on the 140 precincts that haven't replaced their machines, covering 190,000 of Virginia's ~8.4m population.

Let's face it

[mwvdlee]

Despite the ongoing efforts of all political parties; democracy is too important to entrust to for-profit organizations.

Re:Let's face it

[jandersen]

Despite the ongoing efforts of all political parties; democracy is too important to entrust to for-profit organizations.

Very true, but how can we solve the problems in a way that is not open to easy, electoral fraud, while at the same avoiding the problems with paper ballots - especially the issues causing invalid ballots? Perhaps a scheme similar to the way lottery tickets work, but anonymously; perhaps something where the machine stores the vote together with some sort of checksum - and then prints out two (anonymised) copies that are given to an official representative from each party. In case of a contest, a recount can be made which compares the ballots kept by each party. Unlike lottery tickets, the voter shouldn't get to keep a copy, and the printed information shouldn't readily reveal the actual vote.

Re:Let's face it

Out of curiosity, what issues have invalid ballots caused in the past? Have they invalidated elections so they had to be repeated?

Re:Let's face it

> while at the same avoiding the problems with paper ballots

You'll never avoid "the problems with X ballots", for whatever value of X. And there'll be always some incentive for cheating.

The absolute advantage for the case of "X == paper" is that people understands this kind of problems far better -- at least as long as the level of computer literacy is as it is now. And understanding is a necessary precondition of trust.

I have no qualms with e-voting whithin a highly computer literate community (e.g. Debian, where the geeks discuss about the ins and outs of the Condorcet system and use their favorite visualization package to show the results).

Re:Let's face it

[TWX]

Don't use the computer to take the voter input and then generate a paper receipt, use the paper ballot with on-site optical scan to record the result that the voter marked on the paper. If you want to get 1980s-fancy, implement an on-ballot print technique that puts one pattern of ink dot next to each entry that the voter filled-out correctly, and possibly another next to those that the voter did not fill-out correctly (like those pick 3 entries for county commissioners etc, or where the voter left the field empty) in case later manual review is necessary. Could even go so far as to generate serial numbers on the now-scanned-and-printed ballots, where those ballots that had issues have their serial numbers noted for manual review if necessary (ie, at a minimum if the voting is too close to call for some particular initiatives) and for that serial number to be machine-readable in the future (ie, also helps the computer know the ballot is already scanned, so that it doesn't tally multiple times if scanned multiple times). We had this technology with optical-scan "scantron" forms for school tests from at least the 1980s, if not the 1970s, so this should not be a hard thing to do.

If an election goes well then board of elections can perform a small audit, looking at perhaps a few polling places to confirm that the paper matches the electronic, and then perhaps a random sampling of ballots at other polling places, and then pat itself on the back. If an election goes spectacularly badly, the board of elections can hand-tally each and every paper ballot if necessary, because they were human-readable when marked by a voter. The ballots, not the computer, is the official result of the election. The computer merely helps speed-up the process of counting the results.

Re:Let's face it

[Opportunist]

We entrust our parties and politicians to them, why does it bother you that the way to choose between the whores is in their hands, too?

Re:Let's face it

[Opportunist]

WTF is the US' problem with paper ballots? Are you too stupid to count the votes or too lazy to carry the ballot to the voting committees?

I mean, for real, folks, why the hell is it that it works in third world countries in Africa (provided the local warlord doesn't stop it at gunpoint) but it's completely impossible for the country that pretty much invented process management?

Re:Let's face it

[Curunir_wolf]

The city of Richmond replaced all their touch-screen voting machines 3 years ago. The replacement? Paper ballots and scanners.

As an election officer, I prefer the paper ballots. Easy to track and easy to recount when necessary. I trust the system a lot more than the old touch screens. What's wrong with paper ballots? It's just as fast getting voters through and counting is actually easier.

Re:Let's face it

You can't build integrity where it will be discarded at the earliest convenience. The issues you describe are not an issue caused by the machine, but an issue caused by it's operators. No amount of print outs or checksums, (inb4 blockchain) will save you if the hardware is compromised, or the person receiving or reporting the data is untrustworthy.

Go look at California, there were claims of voting precinct managers taking home the filled out voting cards / printouts / etc. after the election.* Hell, there were claims of the voting machines sitting at the manager's homes the night before the election. What makes you think ANY of that should be considered trustworthy?

As always we have a bunch of people trying to throw tech at a societal issue, in misguided hopes that tech will "fix" the problem for them, instead of actually fixing the problem. Yes, you don't want to fix the problem because it's harder to do, but fixing the problem requires much less complexity than throwing tech at it, and fixing the problem doesn't introduce a new "authoritative" point of failure to be abused by the real problem that tech does.

Of course we can't even agree to disagree on the fact that the problem exists in the first place, because there is still too many people blinded by the letter next to the person's name. So, this fixing this hasn't gone anywhere. I just hope people are paying attention to what happens when they choose to not fix issues, because otherwise this country won't be around much longer to justify worrying about it.

*WARNING: As the video is political in nature, children who are triggered by it should go watch PBS instead.

Re:Let's face it

[hackwrench]

Then people will be figuring out how to slip both parties invalid ballots.

Re:Let's face it

[Sique]

There is a fundamental problem with e-voting.

If we look at the conditions of a fair election, we have certain criteria to be met. Elections should be fair, meaning that voting should be no undue burden to each of the voters. Elections should be free, meaning no one should be able to force you to vote a certain way. Elections should be equal, meaning, that each vote counts the same, votes are not tampered with, and no additional votes should be added (e.g. ballot stuffing or changing invalid votes into valid ones).

The problem with e-voting is that it can't warrant free and equal at the same time. If voting is free, no one should be able to know how you have voted, and you should not be able to keep any proof how you voted. Because if you could prove your vote, a "voting enforcer" could either pay you if you provide proof to have voted correctly, or punish you for not having the proof. For e-voting that means that there should be no electronic or physic trail from a vote back to you. On the other hand, there has to be proof that all valid votes have been counted, no vote has been tampered with, and no additional votes have been added to ensure the equality of votes. How do you keep track of immaterial entities? You can't sign them with the voter's key, otherwise they aren't free anymore. If you sign them with another key, how do you ensure that this key is not used to add votes? And how do you ensure that the votes are really counted the way they were cast? And how do you watch the count? One important argument why to use computers in the first place is to speed up the counting process. I disagree. Counting should never be faster than the watchers can count.

It takes a team of specialists to go through the code of the voting application itself to ensure it does only what it is supposed to do. And the Underhanded C Contest shows how easy it is to hide side effects within code. And this only looks at the application itself. It doesn't even look at the operating system or hardware tampering. Who does audit the millions of lines of code for the operating system and the billions of transistors on today's processors and RAM chips?

Having people watching the sealing of the ballot box and people watching the ballot boxes during the voting process until the seal is broken and the votes are counted by hand, and then the resealing of the boxes and the transport to the central voting office together with the counting tabs, and then watching how the final tab is counted does not require any specialist knowledge.

Re:Let's face it

[kilfarsnar]

Out of curiosity, what issues have invalid ballots caused in the past? Have they invalidated elections so they had to be repeated?

Do you not remember the 2000 election and the "hanging chads"? I am still all for paper ballots, but they are not without issue.

Re:Let's face it

Every individual human being operates on a for-profit basis. It is literally impossible to have an association of two or more humans that DON'T operate on a for-profit basis.

Re:Let's face it

You basically hit it on the nose, its much harder to rig a paper election. Or if you're an optimist, because the people making the decisions are incompetent at security on electronics. Its a feature, not a bug.

Re: Let's face it

Blockchains to the rescue! And 3D printed graphene!

Re:Let's face it

[Immerman]

Seems like it should be easy enough to avoid a "hanging chad" fiasco just by designing a more robust ballot-punch. e.g. give the arm a ratchet-lock so that it must be pulled down fully before it can be raised again.

Or alternately, if you really like the digital stuff - just print out a ballot card with the appropriate votes clearly marked, and display it to the voter for confirmation before it's cast (or shredded if they don't confirm). Ideally the confirmation should require mechanical intervention so that a hacked machine can't silently cast-and-confirm votes when no one is looking.

And don't involve machines in the counting - it introduces hugely valuable attack targets and no real benefits.

Re:Let's face it

[Bob+the+Super+Hamste]

Those were some shitty ballots so I choose to blame Florida for that. Sane states would use paper ballots like what we have in Minnesota and have been using for ages. You get your ballot and a black sharpie and the ballot is basically a scantron sheet that everyone is already familiar with. Since scantrons have been around for ages now everyone should be familiar with them and even if not they are really simple compared to the disaster that was those Florida ballots. Add in that at some point you just have to say some ballots are disqualified because the person who filled them out was too incompetent. I know when I sign in to vote I have to sign stating that I am competent enough to vote and if you can't completely fill in the right bubble on a scan tron maybe you really aren't competent enough to be casting a vote. Add in that if you do fuck it up you can go and get a new ballot. Further more if you can't even read the ballot or can't physically fill out the ballot you can go get a couple of election judges and they can fill it out for you. Given all that if you are still having problems filling out your ballot correctly you really aren't competent enough to be voting and I am surprised you haven't choked on your own tongue.

Re:Let's face it

It's not only humans, it is all of life.

Re:Let's face it

[Immerman]

So then, how do you tell if an election goes badly?

Counting the ballots is one thing that should absolutely NOT be done automatically - the counting machine is a prime target to be compromised, and how would you know unless you also count the ballots by hand? A random sampling is unlikely to catch strategic compromises unless you double-check a significant portion of them, in which case why not just count them all manually in the first place? There's not really any advantage to machine counting except not needing to provide a place for volunteers to count the votes

Even a perfectly secured counting machine compromises the integrity and confidence of the vote by letting the media broadcast results before voting has finished in all precincts. Knowing who's currently winning tends tends skew voter preferences, and leaves later-voting precincts to feel disenfranchised if one candidate has already acquired an insurmountable lead.

About the only place a machine has anything to contribute worth the inevitable chance of compromise is to make sure ballots are filled out correctly. Either by having them print a perfect ballot from validated digital inputs (to be verified by the voter before casting), or to scan the ballot before the voter leaves so they can fix/replace their ballot if there are any problems. In either case the dangers of a compromised machine are small, while they solve virtually all the problems with a paper ballot.

Re:Let's face it

[MobyDisk]

On the other hand, there has to be proof that all valid votes have been counted, no vote has been tampered with, and no additional votes have been added to ensure the equality of votes. How do you keep track of immaterial entities? You can't sign them with the voter's key, otherwise they aren't free anymore. If you sign them with another key, how do you ensure that this key is not used to add votes? And how do you ensure that the votes are really counted the way they were cast? And how do you watch the count?

You are asking the right questions, but there is indeed an answer. It's called "blind signature" AKA the "digital cash problem." There are a few researchers who posted solutions to this over a decade ago, even before blockchains. So it could be solved, but it is a significant effort and most people wouldn't understand it. So in the end, you are right that paper is the way to go.

Re:Let's face it

[Pascoea]

WTF is the US' problem with paper ballots? Are you too stupid to count the votes or too lazy to carry the ballot to the voting committees?

Pure speculation here, but thinking is that "we" don't like paper ballots because it doesn't give the news networks access to "real time" voting information. Elections are a spectator sport around here, complete with viewing parties, we need our information now dammit!

In reality though, I like the way my county does the voting. When I show up they cross my name off the list of registered voters or write my information down if I'm not on the list. I get a paper ballot, go into my little cubicle to fill in the bubble form, then cram it into a vote counting machine. The county/state/nation gets their fast counting information, and you have an auditable information trail to verify later.

Re:Let's face it

[Immerman]

Three things spring immediately to mind:

There's no blinkenlights - how can we claim to be the greatest country on earth if our voting doesn't even involve any blinkenlights?

It's too difficult to steal the election.

There's not enough money to be made by voting-related corporations. Do you want the Diebold executives to starve after all the bribes (sorry "lobbying") they've spread around?

Re:Let's face it

[Immerman]

I can see the appeal of touchscreens (or screens with voting buttons along the side, to avoid any possible calibration issues) to create a paper ballot - you can have much clearer ballot, with plenty of information available, while guaranteeing no improperly cast votes due to user error. It does require voters to double-check their paper ballot to make sure nothing was compromised though.

Immediately scanning a paper ballot to detect problems gets you much the same benefit of course, with even fewer risks - but far too often it seems that scanner is also used to count the ballots - which makes it an incredibly valuable target to be compromised, and nobody ever actually does recounts.

Really, the counting should always be done as paper ballots by hand - there's just no benefit to automated counting that even begins to compare to the risks. It's a bit annoying because counting is what computers really excel at - but they just can't offer the level of integrity needed to do the job right.

Re:Let's face it

[JohnFen]

Do you not remember the 2000 election and the "hanging chads"? I am still all for paper ballots, but they are not without issue.

The "hanging chad" thing is an issue, but a very minor one. It was blown all out of proportion by the politics of that particular election.

There is no scheme that is perfect, but paper ballots, even with their issues, are much more trustworthy than electronic voting machines. At least with paper ballots, if there's a problem then it is usually obvious to everybody.

Re:Let's face it

[JohnFen]

So it could be solved, but it is a significant effort and most people wouldn't understand it.

And a lot of people would understand it just fine, but it still requires an unacceptable amount of blind faith that it's been implemented properly.

Re:Let's face it

[Opportunist]

Then paper ballots are the best thing since sliced bread! Some count faster, some count slower, you can do coverage round the clock, from the first early counts to statisticians blowing it out of proportion and predicting the outcome from the voting result of some backwater county with a handful of votes that could easily be counted in a few minutes while we're waiting for the results from NY and LA.

You can make that show last through the night. Hell, with recounts you can make it last days!

Re:Let's face it

[Opportunist]

Do you want the Diebold executives to starve after all the bribes (sorry "lobbying") they've spread around?

Is that a rhetoric question?

Re:Let's face it

[JohnFen]

Elections are a spectator sport around here, complete with viewing parties, we need our information now dammit!

This. I think this is one of the largest factors for why our elections aren't terribly trustworthy.

We need to have a 24 hour national holiday for voting day, not staggered by time zones. No counting of votes until voting day is over. Also, a media blackout on election coverage (and ads) during that 24 hours.

And paper ballots.

Re:Let's face it

[JohnFen]

while guaranteeing no improperly cast votes due to user error.

No matter what system is used, this is something that can never be guaranteed. There will always be user error.

The trick is to keep the error rate low enough that it doesn't affect the outcome of elections -- something that can be easily accomplished with paper ballots.

Re:Let's face it

People are compromised even more easily than machines (so much so that most of us come with a pre-installed preference on how the election will go).

Re:Let's face it

[Kohath]

Electronic voting machines were just a mistake some people in some places made historically. Elections are managed locally in the US, so there are 1000s of people making these decisions in different places across the country. Now that electronic voting machines are more-or-less universally understood to be a mistake, they are being gradually replaced with scanned paper ballots.

It's not very meaningful. People make mistakes. They get corrected. It takes time.

Re:Let's face it

[myth24601]

It isn't that democracy is being entrusted to for-profit organizations, it is that politicians are trying to use technology for technologies sake. If you want to create high-tech voting booths, you have to have a team of specialists to audit and maintain them. For this task, computer/human readable paper ballots are the sweet spot we should be looking toward. Humans can use them in the absence of tech in order to audit the machine that can count and tabulate much faster with great accuracy.

Re:Let's face it

If you are *really* interested in why the USA has geared away from paper ballots, the reason is because it's slow to count compared to digital and paper ballots do get miscounted at times due to slippage if machines are used. It's not like it's fool proof, and now you know.
Africa isn't exactly a great country to say "hey usa, you could be like this", you know that right?

Re:Let's face it

[Immerman]

One of the few good uses of a computer in an election I can think of, is a scanner to immediately scan your ballot and confirm that everything is valid before you leave.

Just don't use the damned thing to actually count the votes, no matter how tempting it is.

Re: Let's face it

"I'm 'Landslide Lyndon' Johnson, an I approve this message."

Re:Let's face it

[phantomfive]

Don't use the computer to take the voter input and then generate a paper receipt, use the paper ballot with on-site optical scan to record the result that the voter marked on the paper.

How is that better than printing the result of what the user selected on the screen?

Re:Let's face it

[thevirtualcat]

Every election I've voted in since 2012 has used optical scan ballots.

Re:Let's face it

[Immerman]

True. But scanning the ballot for anything questionable, in the presence of the voter, gives them a chance to fix any problems so that no errors reach the counting stage. Ideally you'd do it in the voting booth, with a screen or printout that highlights exactly where the errors are, and explains how to fix them (need to vote here, can only vote for one candidate, etc). Your ballot doesn't get accepted until it scans as flawless. Add explicit "abstain" option for each issue/office and you can even ensure there are no accidental oversights.

Though yeah, there'll still probably be some corner cases that slip through somehow, but such a vanishingly small percentage as to be irrelevant.

Re:Let's face it

you can have much clearer ballot, with plenty of information available, while guaranteeing no improperly cast votes due to user error

This is an *idiotic* and minuscule concern next to the prospect of wide scale tampering with the election facilitated by the use of electronic voting machines.

Re:Let's face it

I'd guess the same "problem" a group of advocates in my country bring up every election (we do paper): it's old, there is a newer option, therefore the newer option must be better. What makes the argument so insidious is that it is not based on logic: it is a statement of faith. Counter-arguments will be met not with logic but with "stop being such a Luddite" style derision - again, note this is not logic, it is an epitaph thrown against people who do not share the faith that gets eaten up by those who want to belong to the cool group.

I just hope that eventually the sheer weight of example of why e-voting is a terrible idea will hold back the tide of techno-idealogues here, but so far they seem impervious, so only time will tell.

Re:Let's face it

You do know that a large portion of the us workers don't get paid if they don't work right? So now you propose a holiday, so a large portion of people now lose 15-20% of their pay on voting week? Sounds very useful. Not counting votes til after the voting is done. Now that is useful. Would deal with a lot of issues. It'll never happen in the US of 'I need everything instantly' A

Re:Let's face it

[Altrag]

Not really. Purchasing bodies just need to include security audit requirements as part of the bid criteria.

The bigger issue right now however isn't so much profiteering as it is political partisanship. There are few companies that don't lean to one side or the other, and the people in government obviously aren't neutral since you know.. its their job to be political and partisanship is the name of the game these days.

And I mean paper ballots aren't exactly the panacea that people like to believe either. Its not exactly hard to tally up 150,000 votes and tell the public that you only counted 130,000. We "prevent" this by having multiple counts and commissioners watching the count and whatever but that still adds up to only a small number of people and again its super hard to find a truly neutral party these days, so its not really all that much safer than the electronic voting -- the point of failure is just moved a few steps down the line.

Yeah sure there's a paper trail but who will they authorize to follow it if there's some question about the outcome? Again you have a neutrality issue to solve.

I don't especially have a fool-proof answer. There may not be one. But electronic voting isn't a bad idea in principle -- its only been implemented poorly because we're constantly taking the lowest bidder without any sort of oversight or followup to ensure that we aren't falling into a "you get what you pay for" trap.

Re: Let's face it

Africa isn't a country. US education, eh?

Re:Let's face it

[Altrag]

The problem is almost all of your arguments against e-voting also apply to paper ballots. What proof do you have that all paper ballots have been counted? You drop your slip in to a box and then trust that the people doing the tallying (and their overseers) are going to be honest. You don't retain any sort of receipt to indicate how you voted (because if you did you'd have that whole voting enforcer issue again.)

Similarly, how do you know the paper ballot is going to be counted as it was cast? Once again you're simply trusting the people doing the tallying.

And counting speed? That's entirely irrelevant. The counting in an electronic machine is done on the fly, so the watchers can count the number of voters by simply counting how many people go into a booth -- something that generally happens well slow enough to keep track of. Of course in that case the watchers wouldn't be able to distinguish who each voter voted for, but they'd be able to maintain an overall count if they really wanted.

Overall though, all you're doing is shifting trust from the makers of the voting machines to the people tallying the votes. You, personally, will never know if your particular vote out of the thousands at your station was counted the right way, never mind knowing if all of them were. Even a voting receipt, if you wanted to issue those, are pretty pointless since you'd never be able to convince everyone to bring their receipts back in should you decide that the ballots were tampered with, so a recount would almost certainly differ from the original count if you tried to do it that way.

The only argument I've seen against e-voting that isn't exactly the same problem with paper ballots is the number of vote counters: If a jurisdiction buys e-voting machines, they typically will buy the same one for all of their polling stations meaning they're placing their trust entirely within the realm of the one provider where as with paper ballots, each polling station has a couple of counters and one or two overseers meaning a whole lot more people would need to be corrupted in order to affect even a slightly significant number of polling stations. Which is definitely a valid argument, but one that could be entirely overridden if we ever manage to find a supplier of e-voting machines that is actually trustworthy.

And as others have pointed out, there are encryption-based voting schemes that can provide even stronger guarantees than any paper ballot -- but they still have to be implemented by a trustworthy supplier so that's still an issue.

Re:Let's face it

[Altrag]

Nah. Its primarily cost. Paper ballots are expensive to print and once the counts are confirmed, they're entirely useless and just get burned. So you have a few hundred million sheets of paper to print and distribute across the country that you just dispose of a day or two later.

E-voting removes the majority of that cost. You just pull them out from storage, plug them in and away you go.

Or at least they would remove the majority of the cost if we'd start auditing the suppliers of these things instead of just trusting the lowest bidder without any form of oversight whatsoever and having to buy an entire new set of machines every year or two after the black hat conference proves that yes, companies still do the bare minimum with regards to computer security if they think they can get away with it, even when they're not acting intentionally malicious.

Re:Let's face it

[Altrag]

just print out a ballot card with the appropriate votes clearly marked

Trouble with that (and trouble with the opposite direction of scanned ballots) is that there's no technical reason that the machine has to print the same thing that it recorded (or record the same thing that it scanned.) You're just having to trust it.

It always comes down to trust. We have yet to come up with any ballot system (even paper ballots) that don't require you to trust someone along the line. Or at least if anyone thinks they've come up with one, we haven't tried putting it into practice yet.

Re:Let's face it

[Immerman]

It's pretty much the only legitimate concern I can think of that's addressed by electronic voting machines. And it makes a compromise easily detected and low impact, as the *only* purpose for the machine is to provide an easy to use interface to generate a valid paper ballot, which is then reviewed for accuracy before being hand counted.

Re:Let's face it

[Immerman]

Why would it record it? I guess I wasn't clear enough that the paper ballot is what should be counted, the machine exists only to generate it. Just a more compact and easy-to-use version of the mechanical ballot-punchers.

I firmly believe that computers shouldn't be involved in official ballot-counting at all. At most it should do a redundant "sanity check" count, so that if the machine count disagrees with the official count by more than the accepted margin of error, you can know to look for "funny business" either in the machine (easiest target, but low benefit) or the chain of custody of the uncounted ballots.

Re:Let's face it

[Immerman]

Oh, and someone brought up Scantegrity sheets earlier, designed to allow end-to-end verification that your ballot was accurately included in the final tally, while preserving vote secrecy and not allowing you to prove how you voted. You might find it interesting: https://en.wikipedia.org/wiki/...

Seems like grandiose claims, and I haven't read any of the reference papers to get a sense of whether they can actually deliver. But if they can...

Re:Let's face it

[david_thornley]

For elections that aren't close, having machine counting with spot checks involving hand counting is probably good enough. For close elections (such as the 2008 Minnesota Senate race), there's no substitute for hand counting.

Re:Let's face it

[Marxist+Hacker+42]

Biometric id for voting would also help immensely. Use two separate firewalled databases- an authentication database and a vote recording database- with biometric passwords only even for admin and a paper backup of the vote recording database.

Re:Let's face it

[david_thornley]

In my state, ballot boxes are sealed at the polling station and transported with care. Any significant action will have at least one observer from each major party. These are simple, effective, and understandable security measures.

Re:Let's face it

[david_thornley]

I fail to understand what you mean by "strategic compromises", or why they are safe from random spot checks. The machines report the totals, and some precincts are randomly selected for a hand count (with observers, of course). If one precinct has a ridiculous amount of votes for one side, that's suspicious (and unlikely to change the winner in a state or federal election anyway).

Statewide elections usually end at a fixed time for all precincts, so there is no counting of official ballots that can affect voting. It is a problem in Presidential elections, since an 8 PM close of voting in the Eastern states allows Pacific coast voters to know the early results shortly after 5 PM, but it's possible to do fast hand counting for a single election anyway.

Re:Let's face it

[david_thornley]

The solution here is partisanship. Each major party supplies an observer for each precinct, and there's security precautions to make tampering while not under observation evident. If people are miscounting ballots, it's going to favor one party or another, and the observer from the wronged party calls the appropriate authorities, and the tamperers find out that interfering with a fair election is a serious felony.

Re:Let's face it

[jbr439]

Paper ballots are perfectly fine. Paper ballots are used in all elections in Canada (federal, provincial, municipal). Sadly, online voting keeps being raised as a way to increase voter participation - a brain-dead idea for a number of reasons.

Re:Let's face it

[Immerman]

How do you guarantee (or a least get reasonable certain) that your spot-checks are thorough enough to catch any cheating? And in practice, how do you prevent an insider from leaking the information as to which systems will get the checks, so that the attacker leaves those ones alone? I mean yeah, you could pull machine numbers out of a lottery cage after the tallies are all in, but who's going to do that?

Basically yeah, you could probably get it "good enough" to stop a not-that-dedicated attacker - but by that point you're already doing a sizable portion of the work of manually counting everything anyway. And the man-hours spent casting votes already totally dwarfs the man-hours required to count them, so why not just count them by and and be *sure*? Especially if the counters are volunteers.

Re:Let's face it

[Immerman]

Most elections these days are pretty close - flipping a few precincts may well be enough to do the job. Strategically choose just the few that will make the biggest impact, and you can remain relatively certain that a sparse random spot-check will miss it. For added security, you can compromise the "randomness" as well, unless it's something extremely public.

Re:Let's face it

[david_thornley]

Precincts to be spot-checked can be randomly selected after the election. The random selection can have observers. It would be possible to have individual candidates nominate precincts for spot checks.

In order to affect an election, enough votes have to be changed, and in an election with a large margin of victory, that would require sizable cheating in the average precinct, so spot checking with a reasonable number of precincts should find it. If it's a close election, so that only a small amount of cheating per precinct would be sufficient, in my state there will be automatic manual recounts.

So, it's possible to achieve a high degree of confidence with much less manual vote-counting.

We had paper ballots here in Virginia Beach

[fahrbot-bot]

In my Virginia Beach precinct, we had electronic voting machines a while ago, but have had paper -- fill in the bubble, then scanned -- ballots for the past several years including the 2016 election. The ballots are scanned on their way into the locked ballot box. This system is easier and faster than the electronic versions were, plus there's a paper trail.

Re:We had paper ballots here in Virginia Beach

[TWX]

Yep. The computer merely makes counting ballots in a well-run election faster. It makes the paper the authoritative documentation, with the computer merely a tabulation device so that many fewer people can actually run the election to bring costs down.

Re:We had paper ballots here in Virginia Beach

[swillden]

In my Virginia Beach precinct, we had electronic voting machines a while ago, but have had paper -- fill in the bubble, then scanned -- ballots for the past several years including the 2016 election. The ballots are scanned on their way into the locked ballot box. This system is easier and faster than the electronic versions were, plus there's a paper trail.

With a bit more it's possible to go a step further, and get election systems that not only have a verifiable paper trail, but which are end-to-end verifiable, allowing any voter to check after the fact whether or not their vote was included in the tally (but without being able to prove to anyone how they voted), and allowing anyone to verify the correctness of the tally. The method relies on applying the concepts and methods of modern cryptographic proofs to the problem of voting. It not only ensures that ballot scanning is not less secure than non-automated methods, it achieves a provable level of election integrity that has never before been possible.

Check it out.

Re:We had paper ballots here in Virginia Beach

[hey!]

I have a theory why some districts may prefer voting machines to electronically scanned paper ballots. Voting machines make it possible to manipulate election results without actually hacking the machines themselves. You just have to hack the wait times in districts unfavorable to you. Lest that seem far-fetched, note that studies have shown that waits in minority-dominated precincts are on average almost twice that of white districts.

For the price of a single voting machine you can put up a dozen of those cheap pop-up voting booths. This means the marginal cost of scaling up an overloaded precinct's capacity is extremely low. I live in a state that uses scanned paper ballots, and the voting places have so many booths that in 45 years of voting I've never had to wait more than five minutes to vote -- and that's for checking in with the elderly volunteers. There's always free booths, no matter how heavy the turnout.

Re:We had paper ballots here in Virginia Beach

[Immerman]

Unfortunately, counting the votes is a much more lucrative attack vector than casting them, where it might be noticed (assuming there's a paper trail). Basically no one wants to do a recount after the fact, and there's no other way to tell if the tallying machine was compromised (especially when even gross inconsistencies with exit polls are routinely ignored).

There's nothing wrong with having a machine tally the votes as a backup/sanity check, but it should *never* be used to create the authoritative tally. You've spent a full day with people administering the voting, a few more hours to let a bunch of volunteers actually tally the votes in a verifiable and trustworthy manner is a small price to pay to be able to actually trust the election at all.

Re:We had paper ballots here in Virginia Beach

Having decades of experience with the reliability of humans processing large amounts of data, I wouldn't put any more faith in them than I would in a machine. For the machines, just do manual recounts of a random sample of machines and trigger a full recount if there are any significant discrepancies or if the margin of victory is too small. For the humans, you need at least three full recounts, more if you don't get the same numbers each time.

Re:We had paper ballots here in Virginia Beach

[Kohath]

Ok, maybe. But maybe the electronic voting machine salesman just told them people could vote in 90 seconds so it's OK that they cost twice as much. Meanwhile voting actually takes 3 minutes (or whatever) so you get lines.

Conspiracies make for interesting stories. Interesting stories are less likely to be true than boring stories.

Re:We had paper ballots here in Virginia Beach

[hey!]

Well, there's a different between conspiracy theories and theories about possible conspiracies.

Conspiracy theories are prima facie irrational, because they require the believer to assume that the actors will do a number of improbable things -- usually things that are actually against their interests or wildly risky -- with a level of perfection that is beyond what could be practical. Typically vast numbers of people who have good reason to distrust each other work together in a perfectly trustworthy way.

What complicates matters is that conspiracies *do* happen. Even stupid, hard-to-believe conspiracies happen. Some real conspiracies, such as the Tuskeegee Syphillis Experiment, are so outrageous that absent evidence they're in conspiracy theory territory. But gerrymandering and partisan vote suppression aren't really that outrageous. There's strong statistical evidence that polling places in some states are placed to inconvenience certain blocs of voters.

Now, I don't necessarily believe that voter suppression is the or the only explanation for the use of voting machines. Innumeracy is rife in our population, so it wouldn't be surprising for an election supervisor not to realize that adopting a solution that speeds up the process for the voter while he's using it won't necessarily speed up the whole voting experience. But the pretty well established fact that planners deliberately inconvenience voters in a partisan manner is enough to support a suspicion.

Re:We had paper ballots here in Virginia Beach

[Immerman]

Counts are normally quite consistent - you do 2-3 independent counts in parallel, under supervision, and only do a recount if there are significant discrepancies. There will be errors, but usually small ones insufficient to tilt the election. Most importantly, it's *extremely* difficult to compromise the count - improper chain of custody for the ballot boxes is pretty much the only major weakness.

Computers on the other hand are incredibly good at counting with near-perfect accuracy, but also incredibly easy to invisibly compromise - to the point where you basically can't trust the count at all. Recounting random samples (if it gets done at all) is unlikely to catch a handful of counting machines strategically chosen to tilt an election.

Re:We had paper ballots here in Virginia Beach

[Altrag]

That's not really all that useful. Being able to verify that somewhere, the fact that I voted was recorded, doesn't tell me a) if it tallied the correct vote I gave it or b) if the verification service and the vote record match.

That is, for a) you could punch in Democrat and it silently, internally records a vote for Republican. Since your after-the-fact check only notes that you did vote, not who you voted for, you still have no way to prove this one.

And for b) the verification website/service/whatever could be separated from the tally so it knows that you made a vote, but didn't actually count it. Or conversely, being able to verify that you voted doesn't prevent the tally from adding 1000 ghost votes -- you don't have any way to verify anybody else' vote.

Basically, there's absolutely nothing preventing the machines from running the electoral equivalent of double books -- one side that can be used to (individually) verify whatever they want, but not show or provide any mechanism to manually recount while also having the second side that shows blind (and for all you know, arbitrary) totals without allowing individual verification -- and make it look to any outside viewer that those two sides are linked.

That's why everyone wants a paper trail -- something that the voter can review before leaving the polling station to ensure that their correct vote is at least noted somewhere that's human-readable, at least in principle. Of course as I've mentioned elsewhere on this thread, that's really just kicking the issue down the line and while it might be better in some ways (primarily, the trust is spread around more people and thus less chance of all of them being corrupted) but its still not the panacea that a lot of posters like to claim -- you still have some level of trust involved rather than end-to-end guarantees.

Re:We had paper ballots here in Virginia Beach

[swillden]

You really need to read the underlying paper. The system actually has the properties you claim it cannot have.

Simpsons take.

[Falconhell]

https://m.youtube.com/watch?v=...

Manual counting only in Norway last night

[Terje+Mathisen]

Here in Norway we just had a general election last night:

Just 2-3 weeks ago Jan T Sanner, the minister with responsibility for elections, decided that every single vote had to be counted manually, including all early voting ballots. Previously those votes had been counted using optical scanners but with the news about how hackable most voting machines have turned out to be, he decided that we won't trust them.

Voting booths closed at 21:00 and the trend (our current prime minister will almost certainly get another 4 years) was immediately clear even though many of the details were less settled. This is mainly due to our voting setup with 169 representatives from 19 counties, where each party is supposed to get a total number which corresponds as closely as possible to the total vote counts, but with a cutoff of 4.0%: If a party gets less than that they will not get any of the final 19 slots which goes to the parties which have gotten too few direct representatives.

This morning at 07:00 we had passed 95% of total votes counted and a couple of the smaller parties had just managed to lift safely above the 4.0% cutoff point, so now the result is for all practical purposes final.

The key idea is that in all countries with "one person - one vote" the effort needed to do a full manual count (which is actually a dual count and verification) is exactly proportional to the size of the country, so it should be just as easy to do this in the US as in Norway!

Terje

Re:Manual counting only in Norway last night

In Canada, we use black ballots with empty white circles to mark the choice (ref: http://www.elections.ca/vot/yth/stu/gui/images/dxsmp1-f.jpg).

I sat on a counting committee once. All the parties were always in agreement with every single ballot. There's just no room for mistake. About 2 hours after the ballots close, everything is done and the party volunteers go home.

Wouldn't that be nice for the US? Except the US, for better or worse, is severely more democratic than Canada. Lots of stuff to vote on during election day, especially at state and county level. I guess only the US federal government, like Canada, is barely democratic.

Re:Manual counting only in Norway last night

[DrXym]

Ireland has paper ballots however the nature of the voting mechanism can have a huge impact on the time taken to count votes. Basically there are two or three seats up in every constituency and voters have to list their preferred candidates in order of preference - 1, 2, 3, 4 etc. as many as they like. First all the 1 preferences get counted up and if candidates pass a % threshold then they become elected, but if they don't then all the ballots are dumped back out and then the nr 2 preference is counted, then number 3 and number 4 and number 5 etc.

It takes days sometimes to figure out who got elected which is why Ireland looked at e-voting solutions about 15 years ago. Unfortunately they ordered a bunch e-voting machines which had no paper trail and the whole lot was withdrawn and is sitting in a warehouse somewhere. E-voting machines can work but only if they print a paper ballot and there are sufficient audit checks and balances to prevent tampering and any recount is via the paper ballot.

Re:Manual counting only in Norway last night

[K.+S.+Kyosuke]

We've never used anything else than paper voting in my country. What are these "paper scanners" you're talking about? ;) I guess we're just too backwards! For once for a good reason, though.

Re:Manual counting only in Norway last night

[toonces33]

Our county in Virginia uses optical scanners. The ballot itself is a large sheet of paper where you use a pen to fill in circles next to your choices. Once that is done, you take your ballot over to the scanner machine, and you as the voter insert the sheet into the scanner. At the end of the day they can get the vote totals out of the machine and report them up to whomever is supposed to get it. If there is a need, the individual paper ballots can be retrieved from the machine and recounted manually.

Re:Manual counting only in Norway last night

[TheRaven64]

That doesn't sound right. As I understand it, Ireland has a Single Transferable Vote (STV) system. Under STV, you count all of the first votes, and if no one wins outright then you eliminate the least-popular candidate and redistribute their votes to their second choice. If there's still no clear winner then you eliminate the least-popular remaining candidate and redistribute all of their votes to their second choice if they're still there or to their third choice if they aren't. You repeat this until someone has 50%. You never dump all of the votes out, you only redistribute them from the least-popular candidate.

There are other problems with STV, including some quite odd failure modes. For example, if you have four candidates, A, B, C, and D and 30% vote ABCD, 25% vote CBDA, 24% vote DBCA, and 21% vote BCDA, then candidate A will win. B is eliminated in the first round (because he receives the fewest votes) and all of his votes are redistributed to A. Now A has 51% and so wins, in spite of being there last choice for 70% of the electorate, and B never gets to see any of the second-choice votes in spite of being the first or second choice for 100% of the electorate. Of course, the same problem happens with first past the post, but there you don't have the information required to know that it's happened.

There are some variations on STV that avoid these corner cases, but they make counting harder.

Re:Manual counting only in Norway last night

[AmiMoJo]

I really can't understand why it is so hard to build a secure voting machine. Maybe we need GNU Democracy or something.

Re:Manual counting only in Norway last night

[swillden]

Just 2-3 weeks ago Jan T Sanner, the minister with responsibility for elections, decided that every single vote had to be counted manually, including all early voting ballots.

He should go one step further and implement end-to-end verifiable voting.

Re:Manual counting only in Norway last night

[olau]

It's easy to build one.

But how do you know it hasn't been tampered with?

Usually someone proposes an intricate cryptographic protocol as a fool-proof solution. But that's a great way to ensure that 99.9999% of the population will never be able to verify that the machine hasn't been tampered with.

You need something which is obviously correct. That is just difficult to do with complex machinery.

Re:Manual counting only in Norway last night

[mjwx]

Here in Norway we just had a general election last night:

Just 2-3 weeks ago Jan T Sanner, the minister with responsibility for elections, decided that every single vote had to be counted manually, including all early voting ballots. Previously those votes had been counted using optical scanners but with the news about how hackable most voting machines have turned out to be, he decided that we won't trust them.

Voting booths closed at 21:00 and the trend (our current prime minister will almost certainly get another 4 years) was immediately clear even though many of the details were less settled. This is mainly due to our voting setup with 169 representatives from 19 counties, where each party is supposed to get a total number which corresponds as closely as possible to the total vote counts, but with a cutoff of 4.0%: If a party gets less than that they will not get any of the final 19 slots which goes to the parties which have gotten too few direct representatives.

This morning at 07:00 we had passed 95% of total votes counted and a couple of the smaller parties had just managed to lift safely above the 4.0% cutoff point, so now the result is for all practical purposes final.

The key idea is that in all countries with "one person - one vote" the effort needed to do a full manual count (which is actually a dual count and verification) is exactly proportional to the size of the country, so it should be just as easy to do this in the US as in Norway!

Terje

Australia had a national election last year, it took over 2 weeks for a leading party to be established as it came down to counting postal votes in many electorates.

That being said, there is nothing wrong with paper votes leaving a verifiable trail. It means that votes can be trusted in cases like the 2016 Australian federal election.

Re:Manual counting only in Norway last night

[AmiMoJo]

Ballot boxes are not exactly fortresses. They are, at least in my country, metal boxes secured shut with an official zip tie.

The solution to verification is to simply print out a receipt. If there is any doubt the receipts can be manually counted.

The main problems with these machines always seem to be extreme stupidity - USB ports on the outside, connected to the internet, running Windows XP... An open source version could easily build custom hardware and run a hardened BSD system. It wouldn't be invulnerable but it would be at least as good as what we have now.

Re:Manual counting only in Norway last night

I believe that a more robust / workable system would be something like the following :
1. Touch screen system to register the choices made by the voter. The system then prints out a paper ballot.
2. The paper ballot is fed through an optical scanner to again register the choices made by the voter.
3. The paper ballot is then deposited in the ballot box by the voter.

1 & 2 above would be required to have different.manufacturers. Fast tallying of the votes is possible because of the use of the computer systems, any discrepancies between the systems will be immediately apparent and the paper ballots are available to provide an audit trail and a final manual count.

Obviously the above would be both more expensive, and more time consuming than the current methods.

Re:Manual counting only in Norway last night

[CastrTroy]

I think the only problem here is that the US doesn't have "one person - one vote". They seem to vote on pages worth of issues in each election. It's "one person - one ballot" but that ballot may contain 20 or more questions. I'm not sure if any other countries have this problem. It seems to me that most countries you just elect an MP and that's it, but for some reason in the states they have a huge number of elected offices.

Re:Manual counting only in Norway last night

Can anyone help me figure out how to post without copying part of my username into the body of my post? Everyone else seems to have this figured out but me.

Terje

Re:Manual counting only in Norway last night

There are other problems with STV, including some quite odd failure modes. For example, if you have four candidates, A, B, C, and D and 30% vote ABCD, 25% vote CBDA, 24% vote DBCA, and 21% vote BCDA, then candidate A will win. B is eliminated in the first round (because he receives the fewest votes) and all of his votes are redistributed to A. Now A has 51% and so wins, in spite of being there last choice for 70% of the electorate, and B never gets to see any of the second-choice votes in spite of being the first or second choice for 100% of the electorate.

On the contrary, your example shows why the system works perfectly because C wins in a landslide with 70% of the vote.

30 - ABCD
25 - CBDA
24 - DBCA
21 - BCDA

B has the lowest number of votes at 21 and is eliminated., The second round is:

30 - ACD
25 - CDA
24 - DCA
21 - CDA

C now has 46%, still not enough to win. D is the lowest at 24% and is eliminated. The final round is:

30 - AC
25 - CA
24 - CA
21 - CA

C is the clear winner.

I'm not sure how you decided that all of B's votes would immediately go to A, when B's tickets were ranked BCDA. Perhaps you meant to write BACD when writing up your example? In that case A would have inherited B's votes and would deserve their win, because 49% of the votes would be ambivalent between C and D, with their votes ranked CD or DC.

If i was being uncharitable, I'd say it looked like you had already made an incorrect conclusion and were trying to come up with data that supported it, and got the math very very wrong.

You could make a point that B should have won because they were the first or second choice for all voters, but that's not how the system works. The majority of people wanted A or C or D to win, and only picked B as an acceptable alternative if their preferred choice couldn't win. That obviously wasn't true for either of those 3 candidates since they all got more support, and thus B was eliminated.

Re:Manual counting only in Norway last night

Err... no, in your given scenario B's votes should be redistributed to C, meaning that C has 46% going into the second round. In the second round D is eliminated, and then C romps home with a landslide 70%.

Re:Manual counting only in Norway last night

[Immerman]

That's why ballot boxes should always be guarded by at least 2-3 people loyal to competing parties until the votes are actually counted.

Receipts are a nice idea - but once you have an official tally nobody wants to go through the difficulty and expense of counting them manually (especially if the incumbent party won), and without a manual count you have essentially zero confidence that the tally hasn't been tampered with. So why not just do the manual count up front and leave the automated tally out of it entirely?

As for an open source hardened voting machine - it would certainly be better than any of the current electronic options, but it would still fall far short of the integrity of a moderately well managed manual count.

Re:Manual counting only in Norway last night

[Immerman]

The biggest most obvious weakness - how do you tell if there's a need? And if there is cause for suspicion, but the incumbent party won the official tally, what are the odds that there will be a recount?

Re:Manual counting only in Norway last night

[TheRaven64]

If i was being uncharitable, I'd say it looked like you had already made an incorrect conclusion and were trying to come up with data that supported it, and got the math very very wrong.

Sorry, I was trying to reconstruct the example from memory. I did a detailed analysis of the corner cases of various voting systems for an assignment about 20 years ago, but it turns out that 5 minutes starring at a Slashdot post wasn't enough to reconstruct the examples. It is possible to construct cases where someone is everyone's second choice but is eliminated in the first round fairly easily, but I was trying to show a more complex example where tactical voting backfires.

Re:Manual counting only in Norway last night

[number6x]

@toonces33 gave a pretty good description of how the paper ballots with electronic scanners in the USA work.

Why do these make sense in the USA? In most US jurisdictions, elections are about much more than electing a few people to a few offices.

For example...

Here is a list of all 132 judges that serve in your jurisdiction, should they be retained? (Yes or No)

• Name of Judge 1 () ()
• Name of Judge 2 () ()
• Name of Judge 3 () ()
• Name of Judge 4 () ()
• ...
• Name of Judge 132 () ()

Referendum # 3453: Should the greater commonwealth of Harvey water and sewage district create a Tax increment district in the 10th, 12th, 14th and 19th precincts to pay for replacement of aged brick sewer tunnels within those districts? (Yes or No)

Referendum # 5237: Should a stop sign be placed on the South East corner of the intersection at 5th Street and Elm Avenue? (Yes or No)

This usually goes on for a few pages. Candidates for municipal, county (or parish), State (or Commonwealth), and federal offices.

Then electable judges, then the decision to retain or not retain appointed judges.

Then electable officers of special governmental bodies that usually run government services, water, sewage, garbage, education, roads, zoning and so on. Usually this is a list of 10 to 20 candidates and you mark 3, 4 or 5 of them.

Then binding referendums where the results of the vote are required to be implemented (put a stop sign here? increase a tax there?). Then non-binding referendums used to judge the publics' interest, or sometimes just appease a voting block by giving them a chance to rant on a real official ballot (Should tax dollars go to build a stadium for the local baseball team? (Yes or No), We hereby resolve that North Korea is a stinky poo-poo country we don't like! (yes or No)

For most elections in my district it takes 5 or 6 minutes to fill out an entire paper ballot. Many voters just skip most of the ballot and vote for the President, Congressman, Senator and a few local and state level offices. They skip the judges, other offices and the referendums.

The scanner quickly counts the marks made on the ballot and the ballot is placed in a locked ballot box. All of the ballots are available for manual counting. The scanners just make quick work of the tabulation.

Re:Manual counting only in Norway last night

[number6x]

I wish I only had 20 or so things to vote on each election...

There are the federal candidates, President (every 4 years), Senator (1 of 2 every 3 years), Representative (every 2 years).

Then the State, County, and municipal candidates. These usually number 20 to 40 each election.

Then there are electable judges. 20 to 30 each election.

Then the vote on whether or not to retain appointed judges. These are appointed by electable judges and approved by the level of government legislature they serve, but the voters can vote 'no' on whether they retain their appointed position. For me there are usually 120 to 130 judges listed.

Then there are elected officials for special governing districts like education, sewage, water, parks and recreation, and so on. These bodies can levy taxes and take care of many services. They are like small governments of their own. There are usually a few dozen of these, say 24-36.

Then there are usually a few referendums. Some binding and others non-binding. these will range between 2 and about 12.

Our ballots are usually 3 to 4 pages long, printed on both sides, made of stiff card stock. We fill out a spot with a marker to indicate a vote one way or another.

Most voters only fill out a few votes that they care about and leave many un-voted.

Re:Manual counting only in Norway last night

[DrXym]

You redistribute the winner's excess to the other candidates and if there is no outright winner then you go to #2, #3 etc on the eliminated candidate until there are none left but yes I just paraphrased incorrectly.

It's a painfully slow system to be sure. In some cases it takes all weekend to figure out who won.

Re:Manual counting only in Norway last night

I really can't understand why it is so hard to build a secure voting machine. Maybe we need GNU Democracy or something.

Go ahead and build one. Then have me tamper with it. Watch it pass all the tests and still give me 100% of the votes on election day.

Read "Reflections on trusting trust" to see how bad computers can be messed up - while the problem being near-impossible to
detect.

The great thing about paper-based voting is: Anyone who takes an interest, is capable of checking. And looking at current elections - lots of people actually check by being election observers. With computers, a good cheat may be somewhat expensive, but you WILL NOT be able to notice. And 'expensive' is paid for when the cheating side wins and gains power to tax the loosers.

Re:Manual counting only in Norway last night

[Altrag]

Typically there will be a "need" if either a) the vote is within some given percentage of 50/50 and you want to be absolutely sure that everything got counted appropriately (because you know, humans are so much less error-prone than computers..) or b) there's enough concern about the machine being tampered with to warrant putting in the effort.

a) is rare but certainly not unheard of. Most of the time though, even in "close" districts, there's a big enough difference between the winner and second place that it would take serious issues (or serious tampering) to effect the outcome. The odd rejected ballot or whatever wouldn't be sufficient so nobody would bother.

b) depends a lot on the system in question. Some voting machines have notoriously bad reputations (hence having this discussion in the first place) while others are relatively trusted. Simple bubble-sheet Scantron machines seem to be fairly well liked in this forum for example -- they're not dedicated election machines (meaning it would be less likely, though probably not impossible, to tamper with them in an election-rigging manner) and you have the paper trail if you decide you want a manual recount.

As for the incumbent winning.. that I imagine depends on your jurisdiction. Up here in Canada for example, the incumbent has no say in the matter -- its up to Elections Canada (who is, at least in principle, neutral, and provincial elections are operated by similar province-level bodies.) So the odds would be pretty good that a questionable tally would be recounted, even if it showed the incumbent winning.

Re:Manual counting only in Norway last night

[Altrag]

There is no voting system that can be both safe and verifiable, regardless of the scheme you come up with.

If you are able to verify your vote after you leave the polling station, then someone else is potentially able to watch over your shoulder while you do so, and could therefore make good on any threat they'd provided you to ensure you voted the way they wanted you to.

Its kind of like the MPAA trying to stop you from pirating movies -- all sorts of digital tricks can be employed, but at the end of the day if the movie can be seen by your eyes, it can be seen by your friends' eyes, or your camcorder. Any protection that math gives you is lost the second you've exposed the information in human-readable form, because no math in the world can stop those photons from reaching a second human's eyes (or a recording device.)

Re:Manual counting only in Norway last night

Voting booths closed at 21:00 [...] This morning at 07:00 we had passed 95% of total votes counted

You're slow. Your neighbours here in Finland have all the votes counted three-four hours after the polls have closed (that is, between 23:00 and 0:00), and that's mostly because the bigger cities are holding it up.

There's a recount done during the next few days that gives the final result though.

Re:Manual counting only in Norway last night

[Immerman]

(a) is ridiculous - along with speed, flawless accuracy is why you'd use a computer.

And the entire problem is that there will rarely be any evidence of (b) even if the vote was compromised - exit poll discrepancies are pretty much the only indicator. So you're down to either "we know this machine is vulnerable", in which case why are you using it at all? Or "We imagine this machine is invulnerable..."

Re:Manual counting only in Norway last night

[swillden]

If you are able to verify your vote after you leave the polling station, then someone else is potentially able to watch over your shoulder while you do so, and could therefore make good on any threat they'd provided you to ensure you voted the way they wanted you to.

Nope. It seems obvious that this should be impossible, but it's not. You should read about it.

Re:Manual counting only in Norway last night

[david_thornley]

All voting systems have problems, as Arrow proved that no ranked-choice voting system can satisfy some criteria that look simple and desirable. There are more general results including different methods of voting, and it looks like there is no ideal voting system.

Ranked choice is probably as good as any other system. It's better than the plurality system we have now in most of the US.

Re:Manual counting only in Norway last night

[david_thornley]

You can get flawless accuracy with humans. The humans just have to put in the work. Machine reading of ballots is sometimes a bit iffy. In my state, manual counts sometimes are a bit different from the machine counts.

Really close elections do happen, such as the Minnesota Senate race of 2008. In that case, the margin was a few hundred votes, and the initial reports favored Coleman. The margin was sufficiently small that there was an automatic recount. As is common, there was something like a thousand-vote change between initially reported results and the final results, but in this case that made a difference.

In my state, there are randomly selected precincts that will do a manual count to spot-check the machine totals. There are other things that could be suspicious about the votes.

Re:Manual counting only in Norway last night

[david_thornley]

It appeared to hand that off to other schemes, which don't look to me like they'll work.

If I can verify how my vote was counted, that gentleman sitting over there with the large wrench, or that other gentleman with the roll of $20 bills, can ask me to verify it.

Re:Manual counting only in Norway last night

[david_thornley]

We hold municipal elections on odd-numbered years. It keeps the ballot size down.

Re:Manual counting only in Norway last night

[swillden]

It appeared to hand that off to other schemes, which don't look to me like they'll work.

I'm not sure what "other schemes" you're referring to.

If I can verify how my vote was counted, that gentleman sitting over there with the large wrench, or that other gentleman with the roll of $20 bills, can ask me to verify it.

Yes you can, and no you can't, respectively. What you can verify is that your receipt (containing a random code that was associated with your ballot selection) was included in the public receipts, and you can verify that the public receipts are tallied correctly, but you can't directly verify that your receipt indicates a vote for Trump rather than Clinton.

The relationships between ballots, candidates and codes is pre-committed in some published tables. When you vote, you can take some extra ballots, reveal all of the codes and validated them against the published tables. Since these "test ballots" are taken from the same pool as the actual ballot (you should take several and pick one at random for your real ballot), any discrepancies in the bindings between codes and candidates would be probabilistically revealed. There are some other validation steps that are taken by election officials and representatives of the candidates; read the paper.

The bottom line is that all you can validate is that your ballot receipt is found in the list of published receipts. The other elements of the process confirm that the presence of your receipt means that your vote was counted, and counted correctly.

This is all laid out fairly clearly in the paper. Note also that the paper was published nearly a decade ago and was authored by some of the biggest names in cryptographic security, which means there has been plenty of time and plenty of motivation for people to find weaknesses in the design. None have been published.

Re:Manual counting only in Norway last night

[david_thornley]

I'm not sure what "other schemes" you're referring to.

The ones listed as anonymizing at the end of the Wikipedia article you referenced. At this point, I don't know quite what you're talking about.

If it's the idea about having lists of candidates by letter, and varied orders on the ballot, and markers that get both, that's not going to work in practice. Remember the Florida 2000 election? One county used a "butterfly ballot", with candidate names on the left and the right of the voting punches, and on statistical analysis it's virtually certain that over a thousand Gore voters accidentally voted for Robertson. Bush's name was at the top of the ballot, Robertson's name slightly below on the other side of the paper, then Gore's name. People apparently saw Gore's name just below Bush's, and punched the second punch-out box. Make ballots confusing and they will not express the will of the voter.

The butterfly ballot was a bipartisan mistake, as well as illegal, but the County officials apparently didn't realize that.

The scheme to fool the bribers and/or threateners appears to be to fill out several ballots, vote with one, and keep all the receipts. Again, that complicates the voting process.

Hand-counting the vote becomes immensely more difficult. Rather than just going through ballots and seeing which candidate was chosen for each, each ballot has to be looked up, and the lookup process has to be secure.

Re:Manual counting only in Norway last night

[swillden]

I'm not sure what "other schemes" you're referring to.

The ones listed as anonymizing at the end of the Wikipedia article you referenced. At this point, I don't know quite what you're talking about.

Until/unless you read the paper, we can't really communicate about this effectively. It's linked from the Wikipedia article, but I'll provide it here as well: http://www.usenix.org/event/ev...

If it's the idea about having lists of candidates by letter, and varied orders on the ballot

It's not. You can either vary orders on the ballots or not. Makes no difference to this system, and voters mark their ballots by filling in the bubble next to their selection, so there's no unusual opportunity for confusion.

The scheme to fool the bribers and/or threateners appears to be to fill out several ballots, vote with one, and keep all the receipts. Again, that complicates the voting process.

That would not provide any way to either inform or fool bribers and/or threateners. All the ballots are different and showing multiples would change nothing.

Hand-counting the vote becomes immensely more difficult. Rather than just going through ballots and seeing which candidate was chosen for each, each ballot has to be looked up, and the lookup process has to be secure.

No, it doesn't. Ballots can be hand-counted just by looking at bubbles next to names.

Re:Manual counting only in Norway last night

[david_thornley]

I haven't taken the time to fully understand it, but it appears that a voter can check that she entered certain codes, and the integrity of the system can be checked in other ways. Interesting. The voting process doesn't need to be any more complicated, and, like any acceptable voting system, it's possible to fall back on manual counting. I'll have to study it further.

Re:Manual counting only in Norway last night

[swillden]

In terms of achieving the security goals it sets out to achieve, it's exactly what you'd expect from the likes of David Chaum and Ron Rivest (the "R" in "RSA"), not to mention the other less famous but also eminent cryptographers involved. And it's also very practical, including having been tested in real-world elections, and refined based on lessons learned. The only real downside is that ballots are significantly more expensive than standard scan-tron sheets, because every one of them is unique, and because an additional ink "color" is needed for the invisible ink layer. But we're still talking fractions of a penny per ballot in volume. Well worth the cost, IMO. The invisible ink marker pens turn out not to cost any more than standard markers as long as you're buying at least a few thousand of them.

It's a good system. It should get much more attention. Which is why I post about it every time the question of elections show up on slashdot :-)

like any acceptable voting system, it's possible to fall back on manual counting

Absolutely, though it should be pointed out that the assurance provided by manual recounts is strictly weaker than the integrity guarantees provided by Scantegrity. Being able to do them is still good because everyone can understand a manual recount.

Re:Manual counting only in Norway last night

[Altrag]

It is. Other people in this thread have mentioned things you can verify -- for instance, you can verify that you did vote and that the machine accepted your vote (someone could certainly watch over your shoulder on that as well, but we generally don't consider that part to be sensitive information.)

I mean there could be some tricks to be done. Each ballot for instance could have a picture of one of 16 animals listed beside each choice, and then as long as you remember which animal was associated with your candidate, you could verify that that animal shows up later (through a website or such,) and since each ballot is randomized, someone looking over your shoulder would at best have to trust you when you say the animal it shows is associated with the candidate they wanted you to pick.

Something like that might work for a small ballot (ie: only one or two things to choose -- not some of the horror stories I hear with some ballots wanting you to elect the president and 50 judges and school trustees and the designated frozen pole licker and 13 referendums all at once) -- nobody would remember that many animals.

OK now I'm going a little crazy, but I guess you could then have the reading machine print out a "receipt" showing the animals you selected, and you could verify your receipt against your ballot before handing it in, and then verify it against the website/whatever later (and of course you wouldn't necessarily need animals for this -- I chose those originally as they're easy to distinguish and remember in small numbers. If you have a printed receipt you don't need to memorize things anymore..)

So OK, I think I've convinced myself that verifying your own vote could work while still protecting your privacy (as long as you can avoid telling anyone what the randomized receipt listing means, but that's equivalent to not telling them who you voted for.)

So next step.. how can you be sure that the system you verified yourself against is the same system that they used to tally the final vote count? I could build a perfectly safe and secure voting machine, collect say the 1 million votes in my district and open the website so each of those million people can verify that the machine indeed counted their vote as they made it -- and then report a totally arbitrary pair of numbers for the final counts, as long as they added up to a total of 1 million.

In large elections this would be somewhat mitigated the same way it is now -- each polling station reports numbers and providing you report the numbers per-station, its unlikely that enough stations could be corrupted to the point that they'd swing the vast majority of elections. Sure there might be the odd occasion here and there where the vote is tightly split and the tiebreaking polling station happens to be the corrupt one, but that's a lot of chance factors all having to line up perfectly so not impossible, but also not super likely and difficult to pre-plan.

For smaller votes though (say a small town voting for mayor) where there's only one or two polling stations however, the "reporting a count completely disconnected from the voting" issue could be a problem, and since we're talking about a theoreticals here, we'd rather not have problems. I can't think of a solution for this one. At least no solution that doesn't require out-of-band effort such as manual recounts and scrutineers and the such.

Re:Manual counting only in Norway last night

[swillden]

It's an interesting exercise to try to solve these problems, no doubt. However, we actually have a couple of decades of serious academic research into these problems, and they're pretty well solved. You should read the Scantegrity paper: http://www.usenix.org/event/ev.... It's not the last word, I'm sure, but it's extremely good, and eminently practical.

The Robinson Method solves all these problems

http://www.paul-robinson.us/index.php/2008/10/25/the_robinson_method_a_really_simple_way_?blog=5

Why is nobody here even discussing it? Electronic voting is obviously a scam.

Re:The Robinson Method solves all these problems

The other question is - why are most ballots counted at somewhere other than the polling stations? Why are they kept in sealed boxes and taken away to another location, during which time fraud could occur? (Just Google Blackboxvoting.) Why don't they just count the ballots live on video, IN the polling stations, as soon as the voting ends?

But the Robinson Method solves all these problems and gives virtually instant results - and all of it should be video streamed and recorded by several people at each polling station, then fraud would be virtually non-existent. For example, each voter's face would be included on the video so that facial recognition software could be used by the public to check several videos of different polling stations in a given area, to see if anybody had voted twice.

Re:The Robinson Method solves all these problems

[Immerman]

It seems to me to be a clever solution in search of a problem - much like electronic voting. It also is only applicable to winner-takes-all and proportional allocation voting.

I could see several issues that seem to be completely unaddressed, at least in a quick skim - one of the most obvious: what if someone ignores all other issues and, say, dumps all their tokens into the presidential election? If you do the per-issue scale thing you'll immediately know that they've done so, but you won't know how they voted to undo it, so the entire vote up to that point is compromised. I think by the time you've solved all such problems you'll have a Rube-Goldberg contraption prone to all sorts of different mechanical failures.

Furthermore, the only benefit it seems to offer over traditional mechanical or paper ballots is fast vote counting, which is a tiny benefit in verging on a total non-issue. The amount of man-hours required to count the votes pales in comparison to the man-hours required to cast the votes (how many votes could you count in the time you spent traveling to and from your polling place, waiting in line, and casting your vote?). It's not even that large compared to the man-hours required just to administer and supervise the vote.

Sudden outbreak of common sense.

This is really good news. At least, admins are actually listening to what us hackers have been saying all the time.

Besides, there's a very strong argument for paper ballots, which would hold even if we had a 100% bug free and watertight e-voting system:

*trust comes with acquaintance*

Make the ballot counting a manual process. Get as many volunteers involved in the act, so that a significant portion of the population actually *sees* and *touches* how the sausage is made. Make it a feast. Make it so cool that people tell about that, and next time their friends and friend's friends feel the urge to volunteer themselves.

Democracy should be more than just throwing a vote slip into some faceless machinery. This, actually is killing democracy.

Why americans don't care?

[gl4ss]

I mean other countries manage to do the important ballots with just plain pen and papers and multiple parties observe them.

why the country that prides on democracy has so few volunteers to make it? ..also why the fuck just 2 parties while at it...

Re:Why americans don't care?

2 parties is just plain retarded. Anybody with half a brain can see that no matter what parties you start out with, a 2 party system will always end up in the shitfest US politics in is, with only 2 significant ruling parties (only one step away from communism), both ruling party barely representing a fraction of the populace and aggressively polarized viewpoints.

Re:Why americans don't care?

[NoNonAlphaCharsHere]

We use first-past-the-post voting, for a single representative, which Duverger's Law tells us inevetably results in a two-party system. In other words, the two-party problem is systemic and isn't going to go away simply by wishing it would, or especially, by voting for some quixotic can't-possibly-win third-party candidate, on the theory that that will somehow change things.

Re:Why americans don't care?

[TheRaven64]

The problem in the US is that they vote on vast numbers of things. At most, in the UK, I'm voting for 3-4 offices at a time (MP, MEP, devolved parliament / assembly representative, local councillor) and these rarely line up so I typically only vote for 1-2 at a time. In the US, they vote for everything from local dog catcher on up. This increases the complexity of the elections considerably (and has secondary effects, such as politicising the judiciary - which in other countries is intended to be apolitical - by making both the judges and the district attorneys elected positions).

Re:Why americans don't care?

Right to bear arms - how is that holding up in UK?
Free speech - how is that holding up in Germany?

France, Italy, Greece, India, multiple parties, they seem to be doing great, yes?

Re:Why americans don't care?

[kilfarsnar]

Right to bear arms - how is that holding up in UK? Free speech - how is that holding up in Germany?

France, Italy, Greece, India, multiple parties, they seem to be doing great, yes?

It is telling that you list the right to bear arms ahead of the right to free speech. Those other countries you mentioned have their problems, no doubt. But in case you haven't noticed, the very-wealthy have used their money and influence to take over the two political parties in the US. The country is essentially a plutocracy at this point.

Re:Why americans don't care?

Only the wealthy should be allowed to own guns.

Re:Why americans don't care?

I was with you until that last bit. Voting third party won't change the two party system, but it can change which two parties are dominant. Go read a history book, the two parties that dominate weren't always the current ones.

Re:Why americans don't care?

[dryeo]

Yet, here in Canada, we have 5 parties in Parliament and Provincially, the last election was close enough that the Greens with 3 seats hold the balance of power and hopefully will force us to change from first past the post. At that the last Federal election saw the winners winning partially for promising "no more first past the post federal elections", which promise they broke. (Too decisive was the excuse)
Hmm, looking at https://en.wikipedia.org/wiki/... agrees with a list of examples of first past the post systems with more then 2 parties.

Re:Why americans don't care?

The two party system is in place because access to the ballot is largely controlled by those two parties. They make it virtually impossible for a third party to gain a foothold. Example: In Ohio, each county has its own "Board of Elections" that decides which voting tech to use, creates ballots, etc. These Boards are each run by 4 board members. 2 Democrats, 2 Republicans. Think they won't be biased against a third-party?

Re:Why americans don't care?

[flink]

The problem in the US is that they vote on vast numbers of things. At most, in the UK, I'm voting for 3-4 offices at a time (MP, MEP, devolved parliament / assembly representative, local councillor) and these rarely line up so I typically only vote for 1-2 at a time. In the US, they vote for everything from local dog catcher on up. This increases the complexity of the elections considerably (and has secondary effects, such as politicising the judiciary - which in other countries is intended to be apolitical - by making both the judges and the district attorneys elected positions).

It should be noted that this varies state by state in the US. In my state of Massachusetts, for example, judges aren't elected but are appointed for life. We do elect for various offices at the state, county, and municipal levels however.

Also, some towns, like to one I grew up in, still practice direct democracy in the form of a town meeting. Any eligible voter can attend the meeting, and everyone in attendance gets to speak and vote on proposed ordinances.

Re:Why americans don't care?

The US government wasn't designed with political parties in mind (it was desiged to limit individual power, and doesn't handle a coalition made up of members from all three branches well), and the first past the post voting system we use for the executive discourages small parties in favor of large ones. On top of that we have some seriously insane gerrymandering which further entrenches the existing power balance.

The US actually HAS more than 2 parties, and anyone can crate a new party at any time. We even have a few congressmen who belong to parties otehr than the democrats and republicans.
The thing is, you won't get anyone elected from your party unless you can pull a lot of support away from the big 2, and usually what happens in reality is the "third party" candidate juts sabotages the candidate they most closely resemble from the big 2 by splitting the vote of those sympathetic to the shared elements of their platforms while failing to capture any of the votes sympathetic to te opposing platfrom.

Re:Why americans don't care?

[JohnFen]

why the fuck just 2 parties while at it...

For one simple reason: the two parties want it that way, and work together to ensure it stays that way.

Re:Why americans don't care?

[JohnFen]

by voting for some quixotic can't-possibly-win third-party candidate, on the theory that that will somehow change things.

So, what do you suggest people do when neither party is remotely acceptable to them? Not vote?

Re:Why americans don't care?

[Grunschev]

Wrong, wrong, wrong. It's two parties because 99.9% of the population can't be bothered to participate in democracy. I have yet to meet a single person who claims to want a third party who is willing to get off his ass and actually participate IN ANY PARTY AT ALL. Don't like who the Democratic Party nominates? Get involved. Don't like Republican candidates? Get involved. You know that old saw, "Think globally, act locally"? "Act" is the key part.

About a third of eligible voters actually bother to vote in presidential elections. More like a tenth in other elections, and fewer in primaries. The number of people who volunteer or make contributions is microscopic. The number of people who show up at party functions is close to zero. If you're not willing to participate in either of the two existing parties, you won't participate in a third one. So why would things get any better?

Perhaps if you GOT OFF YOUR LAZY ASSES and participated, instead of watching Dancing With the Stars you'd get a better outcome.

YOU are the agent of change. If you don't like the way the democratic system works, spend perhaps an hour a month participating.

Re: Why americans don't care?

I dont think you know what communism is.

Re:Why americans don't care?

[JohnFen]

I have yet to meet a single person who claims to want a third party who is willing to get off his ass and actually participate IN ANY PARTY AT ALL.

I bet that you have, but you may not know it.

Don't like who the Democratic Party nominates? Get involved. Don't like Republican candidates? Get involved.

I'm not sure what you're recommending here. Do you mean get involved to make sure that the Dems or Reps nominate candidates that you like? If so, that's beside the point because it does nothing to break out of the two party system.

About a third of eligible voters actually bother to vote in presidential elections. More like a tenth in other elections, and fewer in primaries. The number of people who volunteer or make contributions is microscopic. The number of people who show up at party functions is close to zero.

All true, but it's pretty easy to understand why -- it seems pointless.

If you're not willing to participate in either of the two existing parties, you won't participate in a third one.

Baloney. Lots of people don't participate with either the Dems or the Reps because they feel that both parties are beyond redemption, and therefore the election process itself is beyond redemption. That has to do with a sense of hopelessness, not laziness. I'll bet that if any party, mainstream or otherwise, could provide a sense that they genuinely want to and are capable of making a real difference, you'd see an amazing amount of participation.

Re:Why americans don't care?

Give it time.

Re: Why americans don't care?

Right to bear arms? Doing very well thanks. We don't have 30,000 people a year killed with guns and the police shoot about 2 people a year and they're not even always both black.

Re:Why americans don't care?

[Altrag]

Throwing a bit of shit to the wind and possibly verging into troll territory here but my guess.. Americans just feel entitled to democracy. They've always had it and therefore they assume they always will have it and forget that its something they have to continually fight for, even if the "fight" is as simple as exercising their right to vote every couple of years.

As for two parties, check out this video. The guy has quite a few interesting videos on voting systems as well as a bunch of other topics, but that one gets into why the US system tends to naturally drive towards two parties (not just in the US of course -- other places use the same system and are or have trended toward two parties as well.)

Re:Why americans don't care?

[Altrag]

We only really have two parties federally -- the Liberals and the Conservatives, and its been a battle between those two for decades. The NDP took over the opposition spot for the one election cycle because Jack Layton was amazing and showed up as the NDP leader right as the Liberals shit the bed, but even then we just ended up with the Liberals being nearly irrelevant and we still had effectively two parties.

As for BC.. the Green's still aren't a major party even though they ended up having an amount of power far above their number of seats due to the near-tie between the other two parties. That's not quite the same as breaking out from the two-party mold.

And keep in mind, when we say "two-party system" we don't mean that there's literally only two parties -- just that there's two main parties that end up sharing the vast majority of the seats. That doesn't mean there can't be other parties in the election (and indeed even in the US, there are third parties running for pretty much every election) and those third parties can cause upsets via the spoiler effect (eg: Nader and Gore in the US' 2000 election.) And of course in the fairly rare case like BC where the two main parties are effectively tied and the otherwise-powerless third party ends up being the tiebreaker (which may or may not also have involved a spoiler effect as well.. not sure where those three Green seats would have gone had they not run.)

Re:Why americans don't care?

[david_thornley]

Work within the party that most represents you, such as the Tea Party or Sanders fans. If one party has a possibly acceptable candidate, support him or her in the nomination process. If neither party is remotely acceptable to you, then you're sufficiently far from the mainstream that your views aren't going to matter.

Re:Why americans don't care?

[david_thornley]

Right to bear arms? Since 1986, it's been illegal for a civilian to buy a nice new infantry rifle. I consider this a violation of the Second Amendment.

Re:Why americans don't care?

[JohnFen]

But your recommendations do nothing to address the problem of having a two-party system.

Re:Why americans don't care?

[david_thornley]

Minor party candidates usually have to get on the battle by petition. If they can't scare up the necessary signatures, they're not going to have a hope in the general election in any case. At that point, they've got the same chances to get votes. The current voting scheme discourages third parties by making tactical voting important. If there's a Democrat, a Republican, and a Pirate Party candidate here, and I really like the Pirate candidate, am OK with the Democrat, and really want the Republican to not win, I vote Democrat. A ranked-choice voting system would be a big help for third parties.

Re:Why americans don't care?

[david_thornley]

If you want to encourage third parties, encourage your legislators to go to some sort of voting other than plurailty. Ranked choice will do, or approval voting, You might also want to encourage proportional representation by party. In the US, states determine how people are elected to the House of Representatives, and the Constitution, by my reading, does not require them to have separate districts. I don't have much hope for that in the near future.

However, I was addressing the problem of finding both parties too distasteful to vote for. The best way to address that is to try to change one party so that it's something you'd vote for.

Re:Why americans don't care?

[JohnFen]

If you want to encourage third parties, encourage your legislators to go to some sort of voting other than plurailty.

I agree entirely with this.

However, I was addressing the problem of finding both parties too distasteful to vote for. The best way to address that is to try to change one party so that it's something you'd vote for.

And we disagree with this. Even if you manage, somehow, to actually change a party's stance, all that does is disenfranchise other people. The underlying problem is that we only have two choices, and making one choice more acceptable to me personally does nothing to actually improve the system overall.

Re:Why americans don't care?

[david_thornley]

It's going to be a LOT easier to influence a political party than to forge a new one and get it to major party status.

Re:Manual vote counting

[Sooner+Boomer]

... it should be just as easy to do this in the US as in Norway!

mmmmm....yeah

Norway - population ~5.2 million total

Ireland - population ~6.4 million total

Virginia - population ~8.5 million total
Two countries vs one state

Bit of a difference in scope, donchathink?

Not proportional

It's no proportional though. If a country 100 times larger than Norway was voting, there would simply be 100 times the people counting and 100 times more difficult to corrupt those people.

The issue is the electronic voting machines (and the COUNTING machines in particular), is it takes only a few people to corrupt those. A few bad actors in the companies making the machines, or a few bad actors capable of hacking them.

The spectre of Putin's hackers putting in a puppet leadership is not a hypothetical one. He's done it several times. The election results in Crimea are a joke, and we saw from Putin's own admission (in a TV interview) that's they'd already decided to invade Crimea before that vote, the 'vote' for 'independence' was clearly a sham because the decision to invade to support that vote with an army was already made.

It's just tooo easy for a rogue nation to side with politicians desperate for power, and put those puppets into positions of power, where they suppress the checks, which in turn lets them put more puppets in, and suppress more checks, and so on.

Use paper and a pen

[MoarSauce123]

Use paper ballots and a pen, list all candidates / parties and have voters make one cross at the candidate they want to vote for. Then collect all those ballots in sealed ballot boxes and after voting ended do a manual count that is open to the public. Sure, it will take some time, but I rather have reliable results slowly than wrong results fast. This is not the case where failing fast is a good thing.

Re:Use paper and a pen

[neo-mkrey]

It is never good to fail fast. Despite what our CEO spews out of his pie hole.

Re:Use paper and a pen

[JesseMcDonald]

Sure, it will take some time, but I rather have reliable results slowly than wrong results fast. This is not the case where failing fast is a good thing.

On the contrary, failing fast is the right answer. That means deciding early on that the correct result cannot be determined and reporting the failure, rather than wasting resources only to fail later on (failing slowly) or silently producing the wrong result (not failing at all). Electronic voting machines are one example of a "fail fast" election system, when they work correctly: any issues with invalid selections are handled interactively, before the ballot enters the system. Electronically-scanned paper voting can be only slightly slower, if the scanned ballot is validated before it goes into the lockbox. In that case an invalid selection requires the voting process to be repeated, wasting some time, but at least the voter knows that their vote will be counted once it has been accepted. A fully-manual system is of the "not failing at all" variety—if there is an issue with a ballot it won't be discovered until the votes are tallied, and at that point the only possible resolution is to discard the ballot so in the end no one knows whether their particular vote was counted.

Re:Use paper and a pen

[Altrag]

Then you obviously don't know where that phrase comes from, or what it applies to :P.

Basically it means that its better to stop on the first error than sit there accumulating errors, possibly past a point where you can recover from them.

No it doesn't universally apply. It only really applies when there's errors for which there is no obvious, automatic way to proceed -- that just happens to be the majority of errors though (partly because anything we can recover from in an obvious way, we don't usually call an "error," we call it a special case or similar verbage.)

Re:Manual vote counting

To count the ballots you need X counters per million people. The Us is ~60 times larger than Norway, so would need 60 times as many counters, but has 60 times as many taxpayers to pay for the counters. The overall cost and complexity of manual counting per citizen is exactly the same.

Re:Manual vote counting

But you have more people to do the counting.

Maths fail.

USian detected...

Blockchain!?

[esperto]

Reading the summary I was thinking, would this be actually a good use for a blockchain?

You could have each voter with an ID to authorize its vote (PKI maybe), it would make relatively easy to find if some ID was used more than once and you could give the voter a paper with a sequence of characters that could be tested against the blockchain to see if it is valid.

Could it work?

Re:Blockchain!?

Reading the summary I was thinking, would this be actually a good use for a blockchain?

No.

You could have each voter with an ID to authorize its vote (PKI maybe), it would make relatively easy to find if some ID was used more than once and you could give the voter a paper with a sequence of characters that could be tested against the blockchain to see if it is valid.

How do you propose to ensure and guarantee that each voter gets exactly one vote, while the actual vote remains anonymous?

How, furthermore, do you propose to ensure and guarantee that every voter, assumed to be a layman, can look at the voting process and verify that the process itself is transparent and fair, that it is not tampered with?

This is why you end up with paper and manual counting. It's not because the tech couldn't do things, it's because any tech quickly becomes opaque to the layman and therefore contrary to the requirements of the process.

Are you going to manually run the math to "verify against the blockchain"?

Over here, we don't even use pens, but red pencils, to vote.

Could it work?

I refer you to RFC1925 2(3):

With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea. It is hard to be sure where they are going to land, and it could be dangerous sitting under them as they fly overhead.

Re:Blockchain!?

[l0n3s0m3phr34k]

No, for logistical reasons. There are around 235,000,000 eligible voters in the US, across 3,797,000 square miles. There is no "federal ID" or "drivers license", each State "does it's own thing". This is per the US Constitution, in the 9th Amendment. Something like that would require a Constitutional amendment, and a Constitutional Convention. The last time was 1933, and would NEVER happen in the current US political climate.

As of September, 2016, 13% of US adults still don't use the Internet, so this would have to be addressed first. Maybe, if there was some giant national "push" this could be fixed in the next 10 years. So no, this idea is unworkable in the US.

Re:Blockchain!?

[bluefoxlucid]

Blockchain is a buzzword. Blockchain is not useful.

If you want an electronic method that can't be altered after cast and requires the voter's presence to cast, use a UAF, same as I recommended for credit reporting agencies.

Re:Blockchain!?

NO.

Re:Blockchain!?

[Immerman]

I think you're a little confused - a constitutional convention is not required for amendments - it's basically just a way for the states to make an end run around congress and modify the constitution without their cooperation.

It almost never gets done because any time it starts gathering momentum, Congress ends up passing a "good enough" amendment themselves to maintain their power

Re:Blockchain!?

All that gets me is a page full of your ugly mug. How do I vote with that, smash it into a table and use the blood for marking my vote? For the first few voters voting will be rather satisfying, but then the blood will run out, and then you will have made many voters bereft and sad.

Shit guy, don't link facebook. Ever.

Re:Manual vote counting

[TheRaven64]

The grandparent said:

The key idea is that in all countries with "one person - one vote" the effort needed to do a full manual count (which is actually a dual count and verification) is exactly proportional to the size of the country, so it should be just as easy to do this in the US as in Norway!

To which you replied that the USA has a lot more people than Norway. I strongly suspect that this means that you are an idiot.

Wait...

[Kokuyo]

They expect to have completely new equipment in place and running in less than a month? One can only hope they're already done choosing and testing the equipment and now it's only a matter of delivery from stock and training the users or else this screams clusterfuck.

Re:Wait...

[Opportunist]

It's possible to print a lot of paper ballots in that time frame and I think training the user to use a pencil should be doable in a month.

Re:Wait...

[l0n3s0m3phr34k]

Nah, they will just use some other State's already deployed solution that has yet to be PROVEN insecure. Because if it's not been proven, then no one really knows...and in today's political climate in the US this means it's got "plausible deniability" so it's all good from a political point of view.

Makes Perfect Sense

This makes perfect sense, because there is absolutely nothing suspicious at all about a voter loitering in the booth for 90 minutes with all of the specialized hardware and equipment that is required to "hack" one of these machines.

Everything is hackable if you have enough equipment. This is like the alarmism over security "flaws" in automotive systems that involve using JTAG programmers and hacking in interface logic to access programmable devices in them, and then saying cars could be remotely hacked trivially without saying it required prior physical access for several days to install remote access hardware.

All of this hacking alarmism is total bullshit. These machines CANNOT BE HACKED in the booth. They cannot be hacked in storage except by the people who basically designed them and know the intimates of how to do it. Russian operatives can't just walk up to a polling site and stuff the ballot box with their phones via bluetooth, as these hacking alarmists would have you believe.

This is why America is the laughing stock of the entire world. The shit we go apoplectic over...

Re:Makes Perfect Sense

[Opportunist]

So it would take someone who has long term access to the voting machines. Like, say, a representative of a party sitting there to make sure nobody dares to mess with the voting process?

Re:Makes Perfect Sense

[tomhath]

Like, say, a representative of a party sitting there

Party reps are the people who have been caught most often committing vote fraud. You've heard their motto: "Vote early and vote often."

Re:Makes Perfect Sense

[Opportunist]

You don't say...

The attack vector for that

These bubble counting machines themselves have an attack vector that's been well exploited.

In Florida, they did an analysis of faulty misaligned ballot counters and there was a statically higher number of mis-calibrated counting machines in Democrat districts. Those machines rejected votes as invalid that were valid.

Really, lots of people, done under surveillance of representatives of the candidates standing for vote is the way to do vote counting.

When you have elections run by political groups, you have opportunities for corruption of the voting system.

Re:The attack vector for that

[Kohath]

The point isn't that the scanning machines are perfect or impartial. The point is that scanned paper ballots can be re-examined and re-counted later.

Scanned paper ballots are also individually numbered, so the quantity can be matched to the number of voters who signed in. This is a safeguard to prevent someone from filling out 1000 extra ballots or throwing away 1000 of them during the recount.

Re:The attack vector for that

[Altrag]

Its not hard to count the number of voters who signed in and compare it to the total votes reported by the machine. The only way that would fail is if the machine just reports a winner rather than the counts, and that would be dumb even by voting machine standards.

Making sure it recorded the correct vote for each voter, without removing their voting privacy, is far more challenging.

Re:The attack vector for that

[Kohath]

Yes, but scanned paper ballots are individually numbered. So it's not just x number of votes, it's x specifically, uniquely numbered ballots with votes. The quantity has to match, but so do the ballot identifier numbers.

Re:Manual vote counting

[AmiMoJo]

The point is that it scales easily. The you need say one counter per 5,000 votes, no matter how many votes you have. You can adjust the work-load based on how quickly you want to know the result.

Re: Manual vote counting

In Norway and Sweden the counters are volunteers, so they are actually free.

60 times harder to rig

And 60 times the people, means 60 times harder to make any meaningful rigging. So this is one case where larger countries are harder to rig than smaller ones.

Re:60 times harder to rig

[hackwrench]

I don't buy your math. The number of hands to do the rigging scales as well.

Re:60 times harder to rig

And to swing the vote by 5% takes 60 times as many people.

Or conversely, one corrupt person has influence of 1/60 of the percentage of votes.

Hence the math. 60 times more people is 59 more people to squeal about the rigging.

Re:60 times harder to rig

[david_thornley]

And the number of people who can spill the beans scales as well, and all it takes is one.

Re:60 times harder to rig

[hackwrench]

Because coverups aren't a thing. People who would squeal have tells and the cheating party always claims they are lying.

Re:Paper ballots

[hackwrench]

Too busy doing other things.

Re:Manual vote counting

[Sooner+Boomer]

To which you replied that the USA has a lot more people than Norway. I strongly suspect that this means that you are an idiot.

I probably am an idiot. But even an idiot recognizes that there are some problems that do not scale linearly. I have had similar arguments (scalability) with regards to health care.

Re:Manual vote counting

The US has a much larger area so it needs more counters per million voters so 100 mile drives to a voting machine don't happen.

I think I speek for all nerds when I say,

[Aaden42]

"WE FUCKING TOLD YOU SO!"

No immutable audit trail and no possibility to audit internal functioning with anything that's not already internal and thus suspect. What could possibly go wrong?

When the tech nerds are telling you, "Go Luddite and use paper," maybe listen?

Comment removed

[account_deleted]

Comment removed based on user account deletion

This is actually a huge win for the manufacturers

[idontgno]

Think about it. They got a big sale, so money in pocket. And now they're relieved of any obligation to support what they sold, so money stays in pocket.

Really, the perfect business model is that buyers give you lots of money for absolutely nothing, and can't effectively demand anything afterwards. "Once you have their money, you never give it back." Plus, the uselessness of the articles you sold this time creates a built-in opportunity for the next sale, since obviously your "customer" has to replace what they bought from you. Oh, sure, you'd think your prior sale would be plenty of incentive for the sucker ^w customer to not do business with you any longer, but customers are stupid and easy to fool, so a good salesmonster can get repeat business even while abusing the gullibility of the buyer over and over.

Re:Manual vote counting

[dave420]

It not just scales, it scales incredibly well. It's not as if it has 8.5 million people and the same amount of people capable of reading a ballot.

Re:Manual vote counting

[dave420]

Counting ballots and healthcare are two problems which do scale wonderfully... More people voting means more people who can count ballots, and more people served by a healthcare system means more taxpayers paying for it. Both of these are solved problems elsewhere in the world.

Now for the rest of the states

[JohnFen]

Electronic voting machines are a huge security problem, and there's no clear way to fix the situation. Everyone needs to stop using them until/unless they can be made secure.

Re:Manual vote counting

You have failed to demonstrate that this scales linearly.

Re:Manual vote counting

In the UK, counters are volunteers, they're not even paid.

Bank tellers make excellent counters, because practice in handling and counting large wads of paper helps a lot.

Re:Manual vote counting

[Immerman]

You just need more polling places. You then have group of mutually untrusting individuals escort the sealed ballot box 100 miles to the nearest counting center.

Re:Manual vote counting

[number6x]

The populations you list are on order of the size of States within the US. The US Constitution gives the power to run elections to the States, so your numbers argue that this if this works for countries this size, it should work for states this size.

Most States in the US then delegate the business of implementing the elections to their counties (or Parishes). These are even smaller.

It may actually be the small size of the bodies running the elections in the US that make it harder to implement. It is why there are so many different systems across the USA for gathering and tabulating votes.

shewed logic over time

Reading comments now, it blows my mind how time skews logic. We knew of the huge problems we have with paper ballots when they were the only real choice. There were lots of votes lost and fraud. Now people are talking like it's the bees knees and has the blood of god on its seams.
I sure am glad I'm not these people.

Why do they make things so difficult?

Pure electric voting machines have to be the stupidest idea I've ever heard of. Its not rocket science building a decent voting machine. Either go with the tried and true method of a big paper ballot that you fill in the circles next to the desired candidate/issue and feed the finished ballot into an electronic counting machine. Or have an electronic ballot machine that prints off a smaller physical copy of the ballot in human readable format which the voter then takes over to a counting machine (tallying in both machines for verification). In both cases you do random audits (manually count the paper ballots and compare to the machine tally) to ensure there are no malfunctions/malicious acts.

Is fake news. Machines fine.

[mnemotronic]

Not possible to be hacking great American voting machines. Ignore fake news. Continue make use of wonderful machines.

Re: Is fake news. Machines fine.

Please do not worry about new candidate V. Putin appearing on every ballot. Is security measure and very fine man.

It's all about process

In my county (which held up by some in Ohio as the model of how to do it right), we have used the Diebold TSX units for ~12 years (though we're finally replacing them next year due to increasing maintenance issues). We have always used the paper trail printing option. The "official" record is the paper role on which is printed each voter's vote. The final summary acceptance asks the voter to review the paper (displayed under a plastic window) to confirm it is correct and matches the screen. The paper takeup reel is adequately sealed. We require both major parties to be represented whenever anything is done with this "official" record, which is what gets reviewed if a recount is requested. I've heard that there are also periodic random spot checks (post-election) to confirm that the paper record matches up with the electronic record. No one is ever allowed access to the voting machine memory cards without someone of the opposite party present (as in, you'll be fired on the spot if caught), and everything is secured to guarantee accountability. We even allow voters to request optical scan ballots if they prefer (and offer the option if the wait time is more than a few minutes).

You can use electronic voting machines in a secure way. You just have to build processes that presume that someone somewhere will try to "hack" them. Yes, pollworkers sometimes (often) get lazy. But if enough people follow best practices, most cases of electronic voting fraud should be caught quickly. I help train our pollworkers, and I've been working elections (currently managing one of our highest turnout locations) since we started using the TSX units.

As with anything, know your tools. Know their strengths and their weaknesses. Accommodate for their weaknesses.

Finally

[markdavis]

Does this mean we can just finally go back to the "machines" we had before which worked perfectly? You get a punch card from the front desk, you walk to the booth and put it in a little holder, you flip the pages and punch holes it in and then pull it out and insert it into a counting machine YOURSELF that counts the votes AND stores the paper card in a locked bin for later auditing?

Simple, effective, cheap, perfect auditing, no way they can ruin privacy. We never needed "touchscreens" and those machines also only worked when the front desk scanned a "access card" to give you after recording your ID; which to me meant they had the ability to track EVERY VOTE AND TIE IT TO EACH PERSON, which is a clear violation of every voting law (voting is supposed to be PRIVATE).