by entropyie 1035 days ago
As a Software Engineer with decades of experience working with PKI/cryptography/infosec, I believe that online voting is a fundamentally bad idea. It stems from a fundamental misunderstanding of the requirements of an election.

The requirement is not "accurately count the votes". It is: "Allow people to vote, and have their votes counted, in a demonstrably fair way, so that an average person can have high confidence the outcome is fair, given the adversarial nature of the system and varying levels of education / honesty among all present".

An election only means something because of the consent of a large number of average people to abdicate their freedom to someone else based on what they feel was a fair process.

In Ireland, observers from multiple parties observe the votes as they are counted and publish their own numbers realtime (see tallymen).

In this context it's very hard to argue the vote was rigged...

7 comments

> I believe that online voting is a fundamentally bad idea

I (I worked in the Brazilian electronic voting system in 2002) agree. That's why the voting machines can't connect to the internet and voting is completely offline (totalization is entirely based on signed files in flash cards transferred via sneakernet under strict chain-of-custody protocols).

Another aspect of the election that's very important in Brazil is secrecy of the vote - to the point that, if a voting machine records only votes to a single candidate (effectively disclosing the option of all its voters) it's either discarded or merged with another machine in the same polling place.

In the Brazilian electronic voting system, there is no mechanism to check that the counting on each machine was performed correctly. Validation only occurs after that point.

So if the machine somehow subtracts 256 votes from one candidate and transfers them to another, the total remains the same and this discrepancy isn't caught.

It sounds ludicrous, but actually has happened before: https://www.youtube.com/watch?v=AaZ_RSt0KP8

This is just one example of how the Brazilian system isn't ideal. The criticism against it is very well supported by sound arguments, and it's a shame that it got politicised. It's a pure technical matter.

This is done by audits of the code and of all the steps from compilation to vote consolidation; the code review starts years in advance of the election.

The code is made available to all political parties and several third-party organizations for review and auditing, including several international auditors.

The parties and auditors also monitor all steps of the process, from the compilation process to the loading of the memory cards that will be inserted in the machines with the code, the joining of card and machine that will be sealed, transport of the machines, transport of the memory cards for vote consolidation, and the vote consolidation process.

The machine also prints a receipt with that machine's results; a copy can be requested by any person, and this can then be used to validate against the post-consolidation results, ensuring that what was consolidated and what was in the machine match.

The election process in Brasil does not rely only on the electronic side; there are several processes in place to ensure fraud does not happen, and each step is monitored and audited.

> The code is made available to all political parties and several third-party organizations for review and auditing, this including several international auditors.

Anyone can register to audit it.

> process from the compilation process, to the loading of the memory cards

Don't forget the code signing. Unsigned binaries can't be executed.

> the joining of card and machine that will be sealed

With tamper-proof seals.

You didn’t address anything I said.

The receipt only contains the number of votes for each candidate. It does not validate whether X people actually voted for candidate A. So if the machine transfers a certain number of votes between candidates, it does not raise any flags.

Such scenario can be detected by printed vote receipts in addition to the electronic ballot.

Watch the video I posted.

> In Ireland, observers from multiple parties observe the votes as they are counted and publish their own numbers realtime (see tallymen).

Same used to be the case in Brazil. In fact, the people counting the votes were members of the public, chosen prior to the elections.

I know quite a few who have been in vote countings. The stories they tell are not very reassuring.

Electronic voting was and is a major source of democratic stability in Brazil.

Edit: to those downvoting (fair game, it's your vote to cast!), care to explain your reasons?

I recall that in the elections of 1994 I was in a voting center (a school), and two things have not left my mind since then regarding the voting system back in the day: (1) candidates' representatives arriving with buses and more buses of people who received money to vote for someone (in those days with a BRL as strong as the USD) and (2) during the vote counting, endless amounts of ballots being thrown away because people wrote silly things on them or for some other reason.

My mother used to sell things to people during the entire election day, and when we went to discard part of the trash at the school we could see ballots in the trash.

On top of that, in some places we had complete networks of fraudsters responsible for the ballot register (Guia/Boletim de Urna in PT-BR) and counting (apuração in PT-BR), so that some voting sections did not have blank/null votes (voto em branco/nulo in PT-BR) and sometimes had 3x the original number of people in the final count.

I say that because, even if the system is not perfect today, it would be a bad decision to go back to that system.

Some of the things that used to happen during counting:

- Blank ballot papers being filled out by the person counting;

- Votes for legislators were done by writing the candidate's name:

  - A lot of those were illegible, so counters would "take a guess" (really just count them for their candidates)

  - Sometimes the same name could be attributed to different candidates, including from different political sides. Same result as above.

- Criteria for what to do when in doubt would sometimes change mid-counting. Counting would take many days even when everything was going fine, so people now would have to make a decision between restarting the counting (and run the risk of facing the same situation a few days down), or adapt for the remaining votes and essentially make it a gamble which side of the criteria your vote fell.

- People were tired (again, it would take days in the heat of the summer in a closed room with a bunch of strangers), so they would make mistakes.

- People just couldn't count sometimes.

I could go on...

The voting is not done online. When voting stops, the machines are taken to an office and the votes are copied to the tallying system.

It's about the average person not being able to understand what the machine does, whereas everyone understands elections on paper. Also, just refer to what the CCC has done to any electronic election system that was considered for German elections.

> As a Software Engineer with decades of experience working with PKI/cryptography/infosec, I believe that online voting is a fundamentally bad idea. It stems from a fundamental misunderstanding of the requirements of an election.

Voting machines in Brazil are not online, there are no plans for online voting as far as I know.

> A election only means something because of the consent of a large number of average people to abdicate their freedom to someone else based on what they feel was a fair process.

Even though paper voting is not perfect and has its own issues it offers several distinct advantages over electronic voting (whether online or offline):

(1) Paper voting and counting is an inherently manual process. Therefore, election fraud (ballot tampering, stuffing, etc.) is also manual and is hard to scale up.

(2) Because paper ballot fraud at scale involves many people it is harder to hide and easier to uncover and prove.

(3) Because of its simplicity, election observers can go deeper in the paper counting process and in some cases (e.g. Ireland) participate in counting and publish their own numbers providing additional independent confirmation.

(4) Chain of custody of physical objects (paper ballots) is easier to understand for average people and easier to track for an average election observer.

(5) The last and the most important: it is easier to audit and to explain to skeptical and bitter supporters of the losing party that it was a fair fight and their loss is legitimate. Without this last point everything else is meaningless, no matter how objectively better it is.

I urge you to take a serious look at all the methods we have for scrutiny and validation before making such comments.

People invalidating valid paper votes in the 80s was a thing, impossible to prove, unlike the auditing we have today.

It's not online either; it's offline, with encrypted data uploaded through encrypted channels.

I think it is you that misunderstands the point made in the comment.

Their point is not that the cryptography is flawed, or that the results can be tampered with or that the electronic voting system is less reliable than manual counting and voting. In fact, I do believe that electronic voting is more accurate and less (or not) vulnerable to certain types of attack/fraud.

The problem is that a large part of society is not capable of understanding the mathematics, or of validating the results themselves. They don't understand how the security of cryptography propagates through the system to provide the results of the vote.

This creates another attack avenue, that is, you don't attack the results of the ballot, but you attack the entire system. You discredit the system because it is complicated, you use the limited understanding of the voter base to invalidate the results. Discredit the experts, the mathematicians, scientists, etc. It should be obvious that certain magnetic personalities should have no trouble swaying their base that they are being deceived by these "experts"...

The traditional system is not impervious to such attacks, but it is less so.

EDIT: But this likely differs by society too. Perhaps the answer to which system is better is: it depends.

The original commenter said well that it's important that the population actually believes the system is secure (separately from it being objectively secure or not). But in Brazil, people widely believe the system to be better than paper ballots. As the other commenter said, fraud was really common with paper ballots in Brazil in the 80's and early 90's, people had little faith in them (and as a Brazilian, I find it quite funny that it's the other way around in other countries: for some reason they do believe paper is safer without really explaining how).

People may not understand the mathematics or the encryption, but they do understand that you can't just change votes in that electronic machine unless you have a high level of skill (as opposed to being able to make paper ballots disappear). To successfully attack the system, you need to be able to infiltrate the machine in such a way that you cannot be found out later (if it's found that a machine was tampered with, there are ways to either invalidate some votes or recover the original if possible), and because all machines are completely independent, you would need to attack them, physically, one by one. There are hundreds of thousands of machines, I believe... it's just not feasible to do that without making it obvious. So no, you can't just attack the entire system.

> This creates another attack avenue, that is, you don't attack the results of the ballot, but you attack the entire system. You discredit the system because it is complicated, you use the limited understanding of the voter base to invalidate the results.

That is exactly what Bolsonaro did. He effectively proved the system is vulnerable to a trust attack... it does not matter if the system is safe from tampering if a significant part of the voters do not trust the system.

But this issue has become so politicized in Brazil that it has become impossible to discuss it reasonably. Pointing out any flaws in it is interpreted as an "attack to democracy".

First, paper ballots suffer from the exact same problem.

In fact i strongly believe that Bolsonaro would do the same thing regardless of the system, if we had paper ballots he would complain it is not electronic.

The same trust attack you can do on an electronic system you can do on an analog system. Anything you do will be subject to this problem.

Second, the truth is that the electoral system does not care whether people trust it or not. Even with Bolsonaro's attacks and massive distrust of the system by the right wing, it was still used and the results accepted.

The only thing that matters is what you can prove in the electoral court if there was fraud, and no one was able to do it, not even Bolsonaro.

The main point is that it is a lot easier to trust something you can understand than some black-box machine certified by experts. Thus, electronic voting systems are more vulnerable to trust attacks.

I agree that not understanding something makes it easier to mistrust, but understanding does not ensure it will be trusted, the same way not understanding something does not necessarily mean people will not trust it.

Paper ballots are easy to understand, but they are known to have many vulnerabilities, so they suffer from trust attacks in the same way.

On the other side, I think a good example is that most people do not understand 1% of how modern cars work, yet many people trust them with their lives daily.

I personally would not trust a 100% analog election with paper ballots and manual counting of the votes like in the old days, but I do see the value of adding paper ballots on top of a modern electronic voting system as another layer of auditing.

You use a physical paper ballot that will be manually counted but is digitally printed by the machine, and thus could carry an electronic signature for validation, making it impossible to create fake votes. You could even have automated counting of those votes if you use some QR code, and only manually count the paper ballots in some cases.

All a person could do is trash some votes, but then the count between the paper ballots and the electronic consolidation would not match.
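An added example (mine, not code from the thread or from Brazil's electoral authority) tying together two points raised above: the earlier comment that a machine transferring 256 votes between candidates leaves the per-machine receipt totals consistent, so receipt checks miss it, and this comment's proposal of machine-printed, signed paper ballots that can be recounted and reconciled. Assumptions: candidates are plain strings, the machine holds a per-machine secret used to authenticate what it prints, and HMAC-SHA256 stands in for whatever digital signature the real system uses; all names and ballots are constructed.

```python
"""Vote-transfer tamper vs. receipt check vs. signed paper-trail reconciliation.

Added example, not from the thread. HMAC with a per-machine key is a stand-in for
the real system's signature scheme; candidates and ballots are constructed.
"""
import hashlib
import hmac
import secrets
from collections import Counter

MACHINE_KEY = secrets.token_bytes(32)  # hypothetical per-machine secret (constructed)


def tag(record: str) -> str:
    """Authenticate one printed record. Stand-in for a real digital signature."""
    return hmac.new(MACHINE_KEY, record.encode(), hashlib.sha256).hexdigest()


def cast_votes(ballots):
    """Honest firmware: print one tagged paper ballot per vote and keep a tally."""
    paper, tally = [], Counter()
    for seq, choice in enumerate(ballots):
        rec = f"{seq}:{choice}"          # sequence number + choice, as printed
        paper.append((rec, tag(rec)))
        tally[choice] += 1
    return paper, dict(tally)


def transfer(tally, frm, to, n):
    """Malicious tally: move n votes from one candidate to another.

    The grand total is unchanged, which is exactly why the receipt misses it.
    """
    out = dict(tally)
    out[frm] -= n
    out[to] = out.get(to, 0) + n
    return out


def receipt_check(tally, voters):
    """The only invariant a per-candidate receipt lets an observer verify."""
    return all(v >= 0 for v in tally.values()) and sum(tally.values()) == voters


def recount(paper):
    """Verify every ballot's tag, reject forgeries, and retally the rest."""
    tally, rejected = Counter(), 0
    for rec, t in paper:
        if hmac.compare_digest(t, tag(rec)):
            tally[rec.split(":", 1)[1]] += 1
        else:
            rejected += 1               # a ballot the machine never printed
    return dict(tally), rejected


def reconcile(electronic, paper):
    """Compare the machine's electronic tally with the paper recount."""
    recounted, rejected = recount(paper)
    return {
        "match": recounted == electronic,
        "forged": rejected,
        "missing": sum(electronic.values()) - sum(recounted.values()),
    }


def demo():
    """Constructed scenario: 300 votes for A, 200 for B, 256 transferred A -> B."""
    paper, honest = cast_votes(["A"] * 300 + ["B"] * 200)
    tampered = transfer(honest, "A", "B", 256)
    return {
        "receipt_accepts_honest": receipt_check(honest, 500),
        "receipt_accepts_tampered": receipt_check(tampered, 500),   # still True
        "paper_vs_honest": reconcile(honest, paper),
        "paper_vs_tampered": reconcile(tampered, paper),            # match False
        "forged_ballot": reconcile(honest, paper + [("500:B", "00" * 32)]),
        "ten_ballots_trashed": reconcile(honest, paper[:490]),      # missing 10
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The receipt check passes for both tallies because a transfer preserves the sum and non-negativity, which is all the receipt exposes. The paper recount catches the transfer because it is an independent record of each vote; the tag on each ballot stops stuffing (forged ballots are rejected, not counted), and trashed ballots show up as a shortfall against the electronic total. What the tag cannot do is prove the machine printed what the voter chose, which is why the printed ballot has to be shown to the voter before it is deposited.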

> "Allow people to vote, and have their votes counted, in a demonstrably fair way

It was known not to be fair, especially for the challenger candidates who didn't have access to the government machine and the money that came with it.

The idea for me is to make the system robust in general, so simple dismissive arguments are not the right way to do it, right?

> It's not online also, it's offline with uploaded encrypted data through encrypted channels.

Encrypted AND SIGNED.

I'm not sure your argument makes any sense.... So you're saying it's not about the absolute mathematical results of the poll, but more about the feelings of the general population?

Of course it is about the feelings of the general population!

The feelings of the general population decide whether you have a stable democracy or a revolution on your hands.

There are no objective laws of physics when it comes to organizing society, no objective reality, only the perception of reality.

It's both, the methods by which the election is made secure and accurate should be understandable by most people. Most people don't understand cryptography and cybersecurity.