by d0lph 2876 days ago
Is it really impossible though? I feel like we could eventually figure it out.
9 comments

The threat model is corrupt election workers, who have unmonitored access to the machines.

And if you find problems after the winner is declared? “Only the losing side cares, and they’re just sore losers”

Or an adversary could not commit fraud, just trip the fraud alarms in areas their opponent is strong.

So it’s very, very difficult to secure.

Another threat model is the people who build the software and hardware. How do you ensure:

(1) The software is not doing anything nefarious

(2) The software toolchain is not modifying the software in (1) to cause it to do something nefarious

(3) The software loaded onto the machines is actually the software verified in (1) and compiled by the verified toolchain in (2)

(4) The machine doesn't have any kind of hardware/firmware-based defeat device to trick you into falsely confirming (3)

This is essentially the same problem as is outlined in Ken Thompson's Reflections on Trusting Trust [1].

[1] https://www.archive.ece.cmu.edu/~ganger/712.fall02/papers/p7...

> (1) The software is not doing anything nefarious

Open source

> (2) The software toolchain is not modifying the software in (1) to cause it to do something nefarious

Use open source toolchains and hash the result.

> (3) The software loaded onto the machines is actually the software verified in (1) and compiled by the verified toolchain in (2)

Maybe some kind of cryptographic puzzle, question/response, you need to make a hash with the program, and make the HDD not large enough to contain more than that. Or maybe read only storage. Even a combination.

> (4) The machine doesn't have any kind of hardware/firmware-based defeat device to trick you into falsely confirming (3)

Your voting results are confirmable on the blockchain, but not specific: you can check that your vote hasn't been changed, but not the vote itself.

For people to have trust in their vote being counted, the voting machine needs to be understandable by everyone, not just software engineers specializing in cryptography.

A counting room full of people counting paper ballots is a machine, and it's a transparent machine where everyone inside it and outside of it can understand how it works, and trust that it's working properly.

But the biggest argument against electronic voting is that you're not solving any problems, you're just adding problems and decreasing the trust in the elections massively. And for what? To get election results a few hours faster? That's ridiculous.

If the only question left is whether or not it's easy enough, I think we're good and can find a solution for that problem too.

> A counting room full of people counting paper ballots is a machine, and it's a transparent machine where everyone inside it and outside of it can understand how it works, and trust that it's working properly.

I agree with this 100%

Electronic voting must be cryptographically secure, and increase trust and security. I think this should be the first rule.

> must be cryptographically secure, and increase trust and security.

Those two goals are mutually exclusive.

Everyone understands how a room full of people counting paper ballots works, without having to explain it. Everyone understands that the process is transparent, and that by having people of different political persuasions working together, you ensure that the result is fair.

There is also immense value in having the voting "machine" being made up of actual humans, so that everyone in society can take part if they want to, and feel like they're doing their part to defend democracy.

And none of that can be replicated in software. You and I might be able to understand and trust the software, but everyone? Not gonna happen.

The blockchain voting idea, among its numerous flaws, is philosophically grounded in hyperindividualism. I care about the integrity of my ballot, and mine alone.

But elections are not about my vote. They're about everyone's vote. I care about not just the integrity of my own ballot, but the integrity of every other voter's ballot as well. And, given a system where most people will never do a complex blockchain verification of their ballot, or have a mechanism to be certain that no additional machine-generated ballots were added to the results... blockchain isn't solving the actual problem.

Don't be in love with technology when looking for actual solutions to actual problems.

> people will never do a complex blockchain verification

People don't verify their vote now, so this is unimportant.

> have a mechanism to be certain that no additional machine-generated ballots were added to the results

This should only require a handful of people to check.

Theoretically correct and practically correct are two different things... Kind of like cryptography. Is it reasonable to expect best practices to happen? Especially when observable things like Gerrymandering are so blatantly done?

Consider the apocryphal story: "NASA spent millions of dollars developing an 'astronaut pen' that would work in outer space, while the Soviets solved the same problem by simply using pencils."

Why go for the complicated solution when the simple one works?

I think that's setting a very unreasonable standard as the exact same could be said of election workers in e.g. a paper balloting system. Votes get miscounted, votes go missing, a new box of 'votes' is added into the mix, etc.

Electronic systems can provide a much better level of security than this through not only all the regular security techniques you'd apply to regular workers (no individual access, surveillance, etc) but also a wide array of electronic means including logging, 'ballot' validation, and much more. And you can also burn everything including the operating system and election software onto a non-flashable ROM meaning software modifications become all but impossible, and even if somehow achieved, would be trivial to detect.

I am also not optimistic, but all of those are also failings of traditional voting methods. So one could offer the standard defense of self-driving cars, "it doesn't need to be perfect, as long as it's better" (but it may never be better...)

> but all of those are also failings of traditional voting methods

This isn't true at all. There is no way to tamper with paper to make it change its properties that isn't obvious and easily detectable. And once votes are cast the ballots are handled with significantly more care.

Collusion of multiple parties meant to verify each other.

Not just collusion, but collusion at scale. See my description of the Minnesota process. Voting and counting are done at the precinct level, and there are thousands of precincts. It might be possible to subvert a single precinct, in order to manipulate its outcome. But how many precincts would need to be subverted in order to affect the outcome in a statistically meaningful way?

Additionally, can the precinct be subverted in a manner that can withstand outside auditing by non-corrupt district/state-wide election officials? Keep in mind that if one party in the election has substantial reason to suspect the results were broadly rigged, they could demand a recount (even at their own cost, as happened with the Dayton/Emmer recount in MN), thus triggering all those downstream audit controls.

Aren’t many of these problems amenable to solutions with asymmetric cryptography? I.e. people signing their votes with a key and the vote only being decryptable by a multi-part key, with the various parts being distributed between the major parties and media.

Of course this has its own set of tradeoffs, but so does our current system.

First, why? What problem does this actually solve, other than the technical derring-do of it all? This can all be done easily with paper (see my post about Minnesota's process).

Second, it violates the principle of a secret ballot. Repudiation would require voters to reveal who they voted for, to match ballot to (digital) signature. So it's not viable as a mechanism for a global recount.

The ideal e-voting program/platform would increase security and verifiability. Right now I don't know if my vote has been tampered with.

The secret ballot could be reproduced a number of ways, but I'm particularly fond of the idea you have an extra password that makes it look like your vote was different, and only your password shows you who you really voted for.

The solution to every security problem is more complexity.

And, in a well designed paper voting system, you do know your vote was not tampered with, because nobody's votes were tampered with.

There are only three mechanisms for tampering with the actual vote count - adding ballots, removing ballots, or altering the content of ballots. (Replacing ballots is a combined add/remove.) The blockchain mechanism only checks for alteration/removal, and only for a single vote. One individual can verify their own ballot, but repudiation requires breaking secrecy. It's simply not a very good solution.

And the reason it's not a good solution is philosophical - it's focused on the individual, when the election is about the collective. Any effective election validation system must validate the collective, not just the individual. The collective is validated by ensuring that no tampering happened anywhere. And if we can demonstrate that, then verification/repudiation of individual ballots is irrelevant. If A is true for all B, and C is a B, then A is true for C.

But when you really love your hammer, every problem looks like a nail. Blockchain is basically useless for elections, but people obsess over it anyway.
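As an added illustration of the three tampering mechanisms and of why a per-voter check does not validate the collective (this is not code from the thread or from any real system): a minimal hash-chained ballot ledger in Python, with constructed sample ballots. Alteration or removal of a recorded ballot is caught by the voter who holds that receipt; ballots appended that nobody cast pass every individual check, and only a comparison of the ledger against an independent record of who actually voted (a precinct poll book, here a constructed count) exposes them. The ledger class, receipt format and sample votes are all assumptions made for the demonstration.

```python
"""Constructed example: a hash-chained ballot ledger and the two kinds of check.

check_my_ballot() is the individual check the thread discusses: a voter confirms
the receipt they were given still appears in the chain, unmodified, with their
recorded choice. It catches alteration and removal of that one entry. Added
entries produce no receipt for anyone and change no existing receipt, so they
pass every individual check; only a collective check (ledger length against an
independent count of voters who signed in) detects them.
"""
import hashlib
from collections import Counter


def _link(prev_hash, ballot_id, choice):
    """Hash of one entry chained to the previous entry's hash."""
    return hashlib.sha256(f"{prev_hash}|{ballot_id}|{choice}".encode()).hexdigest()


class BallotLedger:
    def __init__(self):
        self.entries = []  # (ballot_id, choice, entry_hash), append-only in theory

    def append(self, ballot_id, choice):
        prev = self.entries[-1][2] if self.entries else "genesis"
        h = _link(prev, ballot_id, choice)
        self.entries.append((ballot_id, choice, h))
        return h  # the receipt handed to the voter

    def chain_is_consistent(self):
        prev = "genesis"
        for ballot_id, choice, h in self.entries:
            if _link(prev, ballot_id, choice) != h:
                return False
            prev = h
        return True

    def check_my_ballot(self, receipt, choice):
        """Individual check: chain intact and my receipt present with my choice."""
        return self.chain_is_consistent() and any(
            h == receipt and c == choice for _, c, h in self.entries
        )

    def tally(self):
        return Counter(c for _, c, _ in self.entries)


def demo():
    ledger = BallotLedger()
    cast = [("v1", "A"), ("v2", "B"), ("v3", "A")]  # constructed sample ballots
    receipts = {vid: (ledger.append(vid, choice), choice) for vid, choice in cast}
    honest_tally = dict(ledger.tally())

    # Case 1: whoever operates the ledger appends ballots that no voter cast.
    for i in range(3):
        ledger.append(f"ghost{i}", "B")
    result = {
        "honest_tally": honest_tally,
        "stuffed_tally": dict(ledger.tally()),
        "individual_checks_pass": all(
            ledger.check_my_ballot(r, c) for r, c in receipts.values()
        ),
        # Collective check: ledger length against the (constructed) number of
        # voters an independent poll book says signed in.
        "collective_check_passes": len(ledger.entries) == len(cast),
    }

    # Case 2: v2's recorded choice is altered in place. The voter's own check
    # now fails, whether or not the operator recomputes the entry hash.
    vid, _, h = ledger.entries[1]
    ledger.entries[1] = (vid, "A", h)
    result["altered_voter_detects_it"] = not ledger.check_my_ballot(*receipts["v2"])
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The collective check at the end is the part that cannot be done from inside the ledger; it depends on a record the ledger operator does not control, which is exactly the role the paper process gives to sign-in books and observers from competing parties.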

How do you know nobody's vote was tampered with?

Somehow we manage to secure electronic banking despite possibly corrupt bank tellers having unmonitored access to the ATMs. I’m sure if the money were there we could secure voting the same way.

We also accept entirely different transparency for ATM transactions, can easily correct issues afterwards and given that it's about monetary damage, it can be insured. ATMs are regularly modified to steal information, and it is primarily fixed by insurance and chargeback mechanisms, the voting-equivalents of which are difficult.

> manage to secure electronic banking

Quite a bold statement. Electronic banking is primarily secured by the means of insurance.

Which detects problems and fixes them. That’s all we really need. A reliable way to detect problems and fix them.

It takes a long time to detect and fix problems. That's OK with ATM machines, because if you catch the insider who tampered with them months or years later, you can put them in jail and probably get most of the money back. But reversing election results more than a day or two after the first announcement is really bad for the stability of the country.

In fact, people are still digging into whether voting machine fraud happened in some states in the 2016 election. Any result now is too late.

Also, the nature of hacks is that you can often detect that one occurred, but not exactly what was changed. How would you take the news, "It looks like the Russians had root on every voting machine. But we've reconstructed the correct vote counts from analyzing deleted database files found in the free block list, and the winner is..." Not too convincing.

One of the vital sections of any election system would be the vote counting.

If you could have a third party verify the count within your system as accurate/inaccurate, then you wouldn't need that system in the first place.

Somehow, we manage to drive cars! I'm sure we could ride a horse the same way.

Electronic banking is defrauded on a regular basis, including at the endpoint using jackpot schemes and more. It’s acceptable for banking given the amounts stolen are ultimately trivial, but not for voting.

Why isn’t that acceptable? Those things get detected and fixed and that’s all that really matters in voting.

Sometimes they get detected and fixed, and sometimes they just get written off because they are small amounts.

Besides, an important part of banks fixing issues like this (when they do fix them) is that someone (often the bank itself) must lose money, which they inevitably notice. In the case of an election, no one would ever know if their vote was stolen because they have no way of tracking it once they cast it. You seem to be blindly assuming that every problem will get detected and fixed, which is mindbogglingly naive.

What happens when there are election irregularities detected after a winner has been declared?

2000 presidential election. Bush declared victor, but a Florida state law called for a recount as the margin was close. Recount was stopped, original election result stands. [1]

2016 Brexit referendum. Leave campaign wins - and is later found to have broken campaign finance laws [2]. Original election result stands.

2016 presidential election. Trump declared victor, but evidence emerges of Russian interference [3]. Original election result stands.

There's no point in detecting irregularities after an election is over if they aren't going to be fixed - and history shows they won't be fixed. I'll stick with pencil-and-paper ballots thanks very much.

[1] https://en.wikipedia.org/wiki/2000_United_States_presidentia...

[2] https://www.standard.co.uk/news/politics/brexit-news-latest-...

[3] https://en.wikipedia.org/wiki/Russian_interference_in_the_20...

It's impossible to secure without giving up the secrecy of the ballot or having a fully redundant paper system with on-premise checks by humans with observers: In which case, why bother?

Why is it impossible without doing those things?

Because you need to both know the value of an action (ie, which politician the vote is counted for) and you need to hide who did the action (to keep the ballot private) and you need to ensure every voter only does the action at most once and you need to ensure that if the machine is replaced or subverted physically that the vote can't be silently switched.

No matter how you dice it, one of those things gives with electronic voting, even if you had electronic voting machines with no state (all pure circuits, say), but especially with votes on machines like personal computers, where a myriad of systems need to be trusted for the vote to register.

It isn't worth it. Paper ballots are intelligible to everyone, and even when we vote by mail there is such a paper trail it is hard to fake.

How is vote by mail secured?

Generally, by sealed envelopes, and by having groups of people inspect mail votes at counting time to ensure the envelopes haven't been tampered with. There's also usually a paper trail from the post office that receives the votes so you can't just show up with a couple of thousand "mail votes" and send them in.

It is obviously less secure than voting in person, but it's good enough, and your in-person vote supersedes your mail-in vote.

Here's a link to King County (Seattle) elections and how they work. Ballots come in by mail and can be dropped off at county owned lockboxes. This video shows how ballots are secured and counted.

https://www.kingcounty.gov/depts/elections/education-and-out...

In my piece of Floriduh a non-expert franks the signature on the envelope. It's still more secure than voting in person as state law prohibits inspection of paper ballots in a recount; the only regular ballots recounted are the machine-generated totals.

How do you verify the output has any relationship whatsoever to what voters input in it?

You will need to encrypt your vote, but they make forms of encryption that can be unlocked with multiple keys.

The encryption would need to be written so there is a fail safe password that identifies the opposite party was voted for, to stop voting coercion.

What encrypts the vote? The machine I don't (and should not) trust?

> Is it really impossible though?

Yes, it really is:

https://www.youtube.com/watch?v=w3_0x6oaDmI

I'd love actual proof/research instead of a YouTube video, plus it doesn't differentiate between e-voting (with machines mentioned in the video) and i-voting (with public key crypto, like in Estonia), which further reduces the video's trustworthiness.

I feel like it's possible to write secure voting software to the same level as NASA's software is bug free [1] following a similar rigorous development and testing process. It's just not worth it for any commercial profit-driven company.

[1] https://news.ycombinator.com/item?id=421555

In which case, a strong argument could be made for an investment in the standardization of election voting machines?

It is purely a fear of federal vs state control that this hasn’t already happened?

> It's just not worth it for any commercial profit-driven company.

I don't think that conclusion follows. Rather, I think that conclusion is too narrow.

In this situation, the astronomic overall cost of such software would overshadow any other impediments, such as profit motive.

Why would anyone task even a public entity with this, if using paper ballots and manual counting is vastly cheaper?

There are several conflicting requirements.

Generally we want only those eligible to cast one vote each and yet the votes must be secret, anonymous and repudiable. But we also want the counting to be auditable by the public and traceable by the individual voter.

It is absolutely impossible. There is no conceivable way to secure an electronic voting machine, especially one wired to a network. These machines solve a problem that does not exist with methods that are not necessary or well suited to the task.

Technically possible, politically impossible in large part because there are just too many local jurisdictions with final say over the selection of vendors and their ballot machinery.

Governments, credit bureaus, and banks haven't figured it out. You want to trust some random third party nobody the State contracts?

There's no such thing as a fully secure system.

That's never the goal with securing a system, though. The goal is to mitigate risk to a level acceptable to the various stakeholders involved based on what said stakeholders value.

Including paper ballots?

Some systems that use paper ballots photograph each ballot before it is counted. This helps with auditing counts later on since every count must exactly match.

Paper can easily get 'lost' or 'replaced.'

The advantage of paper is it's bulky so it's hard to swap out if people from multiple parties and observers etc are paying attention.

PS: Remember the oldies, "Vote early, Vote Often" and "It's Not the People Who Vote That Count, it's the people that count the Vote"

Preventing "lost or replaced" with paper ballots is a straightforward exercise in good human process. There are states that do not have good human process to manage their ballots, despite the example of other states that do have good process. Those states are incompetent/malicious.