by michaelt 2876 days ago
The threat model is corrupt election workers, who have unmonitored access to the machines.

And if you find problems after the winner is declared? “Only the losing side cares, and they’re just sore losers”

Or an adversary could not commit fraud, just trip the fraud alarms in areas their opponent is strong.

So it’s very, very difficult to secure.

Another threat model is the people who build the software and hardware. How do you ensure:

(1) The software is not doing anything nefarious

(2) The software toolchain is not modifying the software in (1) to cause it to do something nefarious

(3) The software loaded onto the machines is actually the software verified in (1) and compiled by the verified toolchain in (2)

(4) The machine doesn't have any kind of hardware/firmware-based defeat device to trick you into falsely confirming (3)

This is essentially the same problem as is outlined in Ken Thompson's Reflections on Trusting Trust [1].

[1] https://www.archive.ece.cmu.edu/~ganger/712.fall02/papers/p7...

> (1) The software is not doing anything nefarious

Open source

> (2) The software toolchain is not modifying the software in (1) to cause it to do something nefarious

Use open source toolchains and hash the result.

> (3) The software loaded onto the machines is actually the software verified in (1) and compiled by the verified toolchain in (2)

Maybe some kind of cryptographic puzzle, question/response, you need to make a hash with the program, and make the HDD not large enough to contain more than that. Or maybe read only storage. Even a combination.

> (4) The machine doesn't have any kind of hardware/firmware-based defeat device to trick you into falsely confirming (3)

Your voting results are confirmable on the blockchain, but not specific, you can check that your vote hasn't been changed, but not the vote itself.

For people to have trust in their vote being counted, the voting machine needs to be understandable by everyone, not just software engineers specializing in cryptography.

A counting room full of people counting paper ballots is a machine, and it's a transparent machine where everyone inside it and outside of it can understand how it works, and trust that it's working properly.

But the biggest argument against electronic voting is that you're not solving any problems, you're just adding problems and decreasing the trust in the elections massively. And for what? To get election results a few hours faster? That's ridiculous.

If the only question left is whether or not it's easy enough, I think we're good and can find a solution for that problem too.

> A counting room full of people counting paper ballots is a machine, and it's a transparent machine where everyone inside it and outside of it can understand how it works, and trust that it's working properly.

I agree with this 100%

Electronic voting must be cryptographically secure, and increase trust and security. I think this should be the first rule.

> must be cryptographically secure, and increase trust and security.

Those two goals are mutually exclusive.

Everyone understands how a room full of people counting paper ballots works, without having to explain it. Everyone understands that the process is transparent, and that by having people of different political persuasions working together, you ensure that the result is fair.

There is also immense value in having the voting "machine" being made up of actual humans, so that everyone in society can take part if they want to, and feel like they're doing their part to defend democracy.

And none of that can be replicated in software. You and I might be able to understand and trust the software, but everyone? Not gonna happen.

I personally don't understand how hashes work, I know _what_ they do, but not really how, just that they are not mathematically reversible. I should probably learn how exactly it works, since they're extremely common.

I think most people know their passwords are encrypted, but they don't know about hashes at all, they just assume the domain experts have figured it out.

Security in e-voting would probably look similar. You would know there are smart people somewhere who understand the complexity, and ideally you would have ample opportunity to learn.

The blockchain voting idea, among its numerous flaws, is philosophically grounded in hyperindividualism. I care about the integrity of my ballot, and mine alone.

But elections are not about my vote. They're about everyone's vote. I care about not just the integrity of my own ballot, but the integrity of every other voter's ballot as well. And, given a system where most people will never do a complex blockchain verification of their ballot, or have a mechanism to be certain that no additional machine-generated ballots were added to the results... blockchain isn't solving the actual problem.

Don't be in love with technology when looking for actual solutions to actual problems.

> people will never do a complex blockchain verification

People don't verify their vote now, so this is unimportant.

> have a mechanism to be certain that no additional machine-generated ballots were added to the results

This should only require a handful of people to check.

Theoretically correct and practically correct are two different things... Kind of like cryptography. Is it reasonable to expect best practices to happen? Especially when observable things like Gerrymandering are so blatantly done?

Consider the apocryphal story: "NASA spent millions of dollars developing an 'astronaut pen' that would work in outer space, while the Soviets solved the same problem by simply using pencils."

Why go for the complicated solution when the simple one works?

I think that's setting a very unreasonable standard as the exact same could be said of election workers in e.g. a paper balloting system. Votes get miscounted, votes go missing, a new box of 'votes' is added into the mix, etc.

Electronic systems can provide a much better level of security than this through not only all the regular security techniques you'd apply to regular workers (no individual access, surveillance, etc) but also a wide array of electronic means including logging, 'ballot' validation, and much more. And you can also burn everything including the operating system and election software onto a non-flashable ROM meaning software modifications become all but impossible, and even if somehow achieved, would be trivial to detect.

I am also not optimistic, but all of those are also failings of traditional voting methods. So one could offer the standard defense of self-driving cars, "it doesn't need to be perfect, as long as it's better" (but it may never be better...)

> but all of those are also failings of traditional voting methods

This isn't true at all. There is no way to tamper with paper to make it change its properties that isn't obvious and easily detectable. And once votes are cast the ballots are handled with significantly more care.

Collusion of multiple parties meant to verify each other.

Not just collusion, but collusion at scale. See my description of the Minnesota process. Voting and counting are done at the precinct level, and there are thousands of precincts. It might be possible to subvert a single precinct, in order to manipulate its outcome. But how many precincts would need to be subverted in order to affect the outcome in a statistically meaningful way?

Additionally, can the precinct be subverted in a manner that can withstand outside auditing by non-corrupt district/state-wide election officials? Keep in mind that if one party in the election has substantial reason to suspect the results were broadly rigged, they could demand a recount (even at their own cost, as happened with the Dayton/Emmer recount in MN), thus triggering all those downstream audit controls.

Aren’t many of these problems amenable to solutions with asymmetric cryptography? I.e. people signing their votes with a key and the vote only being decryptable by a multi-part key, with the various parts being distributed between the major parties and media.

Of course this has its own set of tradeoffs, but so does our current system.
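The multi-part key idea in the comment above, worked through as an added example (this is not code from the thread or from any election system): a tally is sealed under one symmetric key, the key is split with Shamir secret sharing among five hypothetical custodians (parties and media), and any three of them can reconstruct it, while two cannot. The counter-mode keystream is a stand-in for a real cipher, and the custodian count and threshold are assumptions. It shows only who can open the tally; it does not answer the secret-ballot objection raised in the reply.

```python
"""Threshold custody of a tally-decryption key with Shamir secret sharing.

Added example, not code from the thread. Assumed setup: one symmetric key seals
the encrypted tally; the key is split into shares held by hypothetical
custodians (parties and media), and any `threshold` of them can reconstruct it.
"""
import hashlib
import secrets

# Prime field for the shares; 2**127 - 1 is a Mersenne prime, so it holds
# any key value below it in 16 bytes.
PRIME = (1 << 127) - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (coeffs[0] is the constant term) at x over GF(PRIME)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, threshold, shares):
    """Split `secret` into `shares` points; any `threshold` of them recover it."""
    if not 0 <= secret < PRIME or not 1 <= threshold <= shares:
        raise ValueError("bad parameters")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares):
    """Lagrange-interpolate the polynomial at x = 0 from the given points."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def _keystream(key, length):
    """SHA-256 counter-mode keystream; a constructed stand-in for a real cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        block = key.to_bytes(16, "big") + counter.to_bytes(8, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def seal(key, data):
    """XOR data with the keystream; sealing and unsealing are the same operation."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


unseal = seal


def demo():
    """Constructed scenario: 5 custodians, any 3 can open the sealed tally."""
    key = secrets.randbelow(PRIME)
    tally = b"precinct-7: A=412 B=388"   # constructed sample tally
    sealed = seal(key, tally)
    custodians = split_secret(key, threshold=3, shares=5)

    # Any three custodians reconstruct the key and open the tally.
    three = [custodians[0], custodians[2], custodians[4]]
    opened = unseal(recover_secret(three), sealed)
    # Two custodians interpolate a wrong key, so the tally stays sealed.
    partial = unseal(recover_secret(custodians[:2]), sealed)
    return opened == tally, partial == tally


if __name__ == "__main__":
    print(demo())
```

Two shares of a degree-2 polynomial interpolate a line whose value at zero is off by a random multiple of the hidden coefficient, so the wrong key is not a partial leak but a uniformly wrong one; that is the property that makes the threshold meaningful.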

First, why? What problem does this actually solve, other than the technical derring-do of it all? This can all be done easily with paper (see my post about Minnesota's process).

Second, it violates the principle of a secret ballot. Repudiation would require voters to reveal who they voted for, to match ballot to (digital) signature. So it's not viable as a mechanism for a global recount.

The ideal e-voting program/platform would increase security and verifiability. Right now I don't know if my vote has been tampered with.

The secret ballot could be reproduced a number of ways, but I'm particularly fond of the idea you have an extra password that makes it look like your vote was different, and only your password shows you who you really voted for.

The solution to every security problem is more complexity.

And, in a well designed paper voting system, you do know your vote was not tampered with, because nobody's votes were tampered with.

There are only three mechanisms for tampering with the actual vote count - adding ballots, removing ballots, or altering the content of ballots. (Replacing ballots is a combined add/remove.) The blockchain mechanism only checks for alteration/removal, and only for a single vote. One individual can verify their own ballot, but repudiation requires breaking secrecy. It's simply not a very good solution.

And the reason it's not a good solution is philosophical - it's focused on the individual, when the election is about the collective. Any effective election validation system must validate the collective, not just the individual. The collective is validated by ensuring that no tampering happened anywhere. And if we can demonstrate that, then verification/repudiation of individual ballots is irrelevant. If A is true for all B, and C is a B, then A is true for C.

But when you really love your hammer, every problem looks like a nail. Blockchain is basically useless for elections, but people obsess over it anyway.
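The argument in the post above (a per-voter receipt catches alteration of that one ballot, but says nothing about ballots added elsewhere) can be shown concretely. This is an added example, not code from the thread: a minimal hash-chained ledger stands in for the "blockchain", each voter keeps a record digest as a receipt, and the ballot ids, choices and voter-roll count are constructed. The collective check is the kind of roll-to-ballot reconciliation described elsewhere in the thread.

```python
"""Individual receipts versus collective checks on a hash-chained ballot ledger.

Added example, not code from the thread. Constructed ledger: each record links
to the previous one by hash and the voter keeps the record's digest as a receipt.
"""
import hashlib
import json
from collections import Counter

GENESIS = "0" * 64


def _digest(prev, ballot_id, choice):
    record = json.dumps({"prev": prev, "id": ballot_id, "choice": choice},
                        sort_keys=True)
    return hashlib.sha256(record.encode()).hexdigest()


class BallotLedger:
    def __init__(self):
        self.entries = []

    def append(self, ballot_id, choice):
        """Record a ballot and return the digest the voter keeps as a receipt."""
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        digest = _digest(prev, ballot_id, choice)
        self.entries.append({"prev": prev, "id": ballot_id,
                             "choice": choice, "digest": digest})
        return digest

    def verify_receipt(self, receipt):
        """Individual check: is a record with this digest present and intact?"""
        return any(e["digest"] == receipt
                   and _digest(e["prev"], e["id"], e["choice"]) == receipt
                   for e in self.entries)

    def verify_chain(self):
        """Structural check: every link recomputes and points at its predecessor."""
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or _digest(e["prev"], e["id"], e["choice"]) != e["digest"]:
                return False
            prev = e["digest"]
        return True

    def tally(self):
        return Counter(e["choice"] for e in self.entries)


def reconcile(ledger, voters_checked_in):
    """Collective check: ballots recorded must equal voters signed in on the roll."""
    return len(ledger.entries) == voters_checked_in


def demo():
    """Constructed scenario: 3 voters on the roll; 2 extra ballots appear later."""
    ledger = BallotLedger()
    receipts = [ledger.append("b1", "A"), ledger.append("b2", "B"),
                ledger.append("b3", "A")]
    voters_on_roll = 3

    # Alteration of an existing ballot is caught, but only by that voter's receipt.
    ledger.entries[1]["choice"] = "A"
    altered_caught = not ledger.verify_receipt(receipts[1])
    ledger.entries[1]["choice"] = "B"   # restore for the next scenario

    # Extra ballots recorded through the normal path: every receipt and the
    # chain itself still verify, so only reconciliation against the roll sees it.
    ledger.append("b4", "A")
    ledger.append("b5", "A")
    return {
        "altered_caught": altered_caught,
        "receipts_still_ok": all(ledger.verify_receipt(r) for r in receipts),
        "chain_still_ok": ledger.verify_chain(),
        "stuffing_caught": not reconcile(ledger, voters_on_roll),
        "tally": dict(ledger.tally()),
    }


if __name__ == "__main__":
    print(demo())
```

The receipt check and the chain check both pass after the extra ballots are recorded; the tally is wrong anyway. Only a check that counts ballots against something outside the ledger (the voter roll) notices, which is the "validate the collective" point the post makes.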

How do you know nobody's vote was tampered with?

Because the process is well designed. No single person or single party was left alone with ballots, marked or unmarked, at any point. Any counting machines get spot-checked. Any count discrepancies from voter rolls to ballots cast trigger manual counts. Packages of blank ballots are sealed. Voting machines are locked, so no one can easily get into them to add/remove/replace ballots without the key(s). Used ballots are sealed at the end of the election. Signed chains of custody for everything. Etc.

Somehow we manage to secure electronic banking despite possibly corrupt bank tellers having unmonitored access to the ATMs. I’m sure if the money were there we could secure voting the same way.

We also accept entirely different transparency for ATM transactions, can easily correct issues afterwards and given that it's about monetary damage, it can be insured. ATMs are regularly modified to steal information, and it is primarily fixed by insurance and chargeback mechanisms, the voting-equivalents of which are difficult.

> manage to secure electronic banking

Quite a bold statement. Electronic banking is primarily secured by the means of insurance.

Which detects problems and fixes them. That’s all we really need. A reliable way to detect problems and fix them.

It takes a long time to detect and fix problems. That's OK with ATM machines, because if you catch the insider who tampered with them months or years later, you can put them in jail and probably get most of the money back. But reversing election results more than a day or two after the first announcement is really bad for the stability of the country.

In fact, people are still digging into whether voting machine fraud happened in some states in the 2016 election. Any result now is too late.

Also, the nature of hacks is that you can often detect that one occurred, but not exactly what was changed. How would you take the news, "It looks like the Russians had root on every voting machine. But we've reconstructed the correct vote counts from analyzing deleted database files found in the free block list, and the winner is..." Not too convincing.

One of the vital sections of any election system would be the vote counting.

If you could have a third party verify the count within your system as accurate/inaccurate, then you wouldn't need that system in the first place.

Somehow, we manage to drive cars! I'm sure we could ride a horse the same way.

Electronic banking is defrauded on a regular basis, including at the endpoint using jackpot schemes and more. It’s acceptable for banking given the amounts stolen are ultimately trivial, but not for voting.

Why isn’t that acceptable? Those things get detected and fixed and that’s all that really matters in voting.

Sometimes they get detected and fixed, and sometimes they just get written off because they are small amounts.

Besides, an important part of banks fixing issues like this (when they do fix them) is that someone (often the bank itself) must lose money, which they inevitably notice. In the case of an election, no one would ever know if their vote was stolen because they have no way of tracking it once they cast it. You seem to be blindly assuming that every problem will get detected and fixed which is mindbogglingly naive.

What happens when there are election irregularities detected after a winner has been declared?

2000 presidential election. Bush declared victor, but a Florida state law called for a recount as the margin was close. Recount was stopped, original election result stands. [1]

2016 brexit referendum. Leave campaign wins - and is later found to have broken campaign finance laws [2]. Original election result stands.

2016 presidential election. Trump declared victor, but evidence emerges of Russian interference [3]. Original election result stands.

There's no point in detecting irregularities after an election is over if they aren't going to be fixed - and history shows they won't be fixed. I'll stick with pencil-and-paper ballots thanks very much.

[1] https://en.wikipedia.org/wiki/2000_United_States_presidentia...

[2] https://www.standard.co.uk/news/politics/brexit-news-latest-...

[3] https://en.wikipedia.org/wiki/Russian_interference_in_the_20...