[HN Gopher] Belenios: Verifiable online voting system
___________________________________________________________________
Belenios: Verifiable online voting system
Author : leonry
Score : 104 points
Date : 2024-08-04 12:41 UTC (10 hours ago)
(HTM) web link (www.belenios.org)
(TXT) w3m dump (www.belenios.org)
| 9dev wrote:
| Can you even reliably verify the entire voting process? From
| individuals using digital devices to votes being counted and
| tallies confirmed?
| tromp wrote:
| > Using the web interface, the voter enters her credential and
| selects her vote. Her computer then computes the ballot, which
| corresponds to the vote encrypted with the election public key.
|
| Like most (or all?) online protocols, this doesn't protect
| against vote selling or vote coercion.
| peterhunt wrote:
| The same could be said of mail in paper ballots too, which have
| seen widespread adoption in the United States starting in 2020,
| so I don't think this should be a knock against this system.
| SamBam wrote:
| How would you prove that you voted how you said you did?
|
| If you took a picture of your ballot, or even if you filmed
| yourself putting it in the envelope and putting it in the
| mailbox, there's nothing stopping you from taking it out
| later, tearing it up, and going to vote differently in
| person.
| peterhunt wrote:
| Just do it in person. The voter fills out the ballot in
| front of the buyer, seals and signs the envelope, and hands
| it to the buyer in exchange for cash. The buyer then puts
| it in the mail on the voter's behalf.
|
| The voter could go to a polling place afterwards and
| attempt to cast a provisional ballot but my understanding
| is that this is difficult, varies significantly state to
| state, and in many cases is not possible given that mail in
| ballots are detached from the voter identity ahead of
| Election Day in many states.
| pessimizer wrote:
| You haven't heard people "knocking" about the widespread
| adoption of mail in paper ballots? They simply offer no
| protection against vote coercion which is not a good choice
| in any election of importance. Pretty sure at least one of
| the two parties has ending mail-in voting as a long-held
| position.
|
| At the least, this will often result in heads of household
| voting for their entire families. At the most, it can result
| in people voting under the supervision of a local
| gang/militia member.
|
| If anyone is looking for the right terminology to find
| papers, it's _" no-receipt"_ voting. The holy grail is no-
| receipt, yet verifiable voting, but it might be
| mathematically impossible.
| SamBam wrote:
| I was going to say. AFAIK, no one has worked out a way that
| _you_ can verify that your own vote was counted, while
| preventing you from being able to sell your vote.
| rcarback wrote:
| There are a number of such systems that do this via revoting
| or dummy ballots. One of my projects, Votexx, uses vote
| nullification (or flipping) via a trusted third party chosen
| by the voter.
|
| The general idea for all of these is if you add uncertainty
| you reduce what a coercer is willing to pay creating a
| mutually assured destruction scenario whereby the system
| being in place ensures nobody ever tries it.
|
| Votexx.org if you want to learn more.
| JanisErdmanis wrote:
| The website on VoteXX and associated 4 page preprint does
| not offer comprehensive overview of the system. What
| happens to verifiabiloty when the vote is nullified? Does
| voter sees that the vote is cancelled and hence also
| coercer/briber?
| kylewatson wrote:
| The website says that your vote is last-write-wins. I think the
| idea is I could sell my vote and vote for A, then later re-vote
| for B. Since you can't trust that I won't just re-vote it won't
| be worth paying for.
|
| But if you held a gun to my head and made me vote at 18:59,
| with polls closing at 19:00, then I guess it would work. Hell,
| if you held a gun to my head and had me vote a week early and
| then blew my brains out, that would probably also keep me from
| voting again.
|
| So it's not complete, but neither is the current system. You
| could hold a gun to my loved-ones head and tell me to go vote
| for B in our current system. I could photograph the ballot from
| the box, cellphones are small these days. Or if I vote by mail
| I could easily prove to you I voted for B so you would let the
| hostage free.
|
| So I guess it actually is an improvement over the status quo.
| baobabKoodaa wrote:
| There are some voting schemes which protect against vote
| selling and coercion: https://attejuvonen.fi/thesis
| throwaway48476 wrote:
| The goal of a voting system is not verifiability, but trust.
| Without trust elections have no legitimacy.
| the_snooze wrote:
| I think these are technically interesting systems, but "trust"
| really is the goal. "Verifiability" doesn't necessarily imply
| "trust," especially if it's shrowded behind inscruable crypto
| mumbo-jumbo. A voting system should be something voters and
| poll workers (i.e., local volunteers) can understand.
| throwaway48476 wrote:
| A better heuristic is 'can you explain the system to a five
| year old'.
| ratorx wrote:
| Ideally you want both. "Trust" is a bit qualitative and
| includes a lot of factors outside the voting system itself.
| Just because a voting system is "simple" doesn't mean people
| trust it (e.g. Trump voting shenanigans). Obviously just
| because there are bad actors which can make trust impossible,
| doesn't mean you should give up but it is a separate axis to
| the voting system itself.
|
| On the other hand, "verifiability" is a more useful property
| on a larger scale. You may trust your local government but do
| you trust local government in all other districts? What if,
| with sufficient knowledge you could prove that their voting
| was right or wrong? I think that also seems like a useful
| property.
| rayiner wrote:
| Correct. The system must be something a bottom 15 percentile
| person can understand and doesn't think is magic.
| https://youtu.be/DUZa7qIGAdo?si=RDsgH2uIKb8k7ueG
| mightyham wrote:
| Or universal suffrage is fundamentally flawed. If people
| can't understand mildly complex voting systems then why
| should they be contributing to making political decisions
| that are significantly more complex.
| pcl wrote:
| Because systems that try to impose qualifications on
| voter characteristics historically end up being abused.
| debugnik wrote:
| But we don't vote on complex political decisions; we vote
| on our representatives, people whose interests allegedly
| align with ours, which is much simpler to understand, and
| delegate the complex decisions to them according to their
| qualifications.
|
| Whether the candidates themselves, all of them, can be
| trusted is a much more serious problem with democracy, I
| think, than "dumb" people affecting the vote.
| nhod wrote:
| this depends on where you live. there are many places in
| which people directly vote on complex issues. people in
| California voted to ban gay marriage. people in the UK
| voted on the incredibly complex topic of Brexit.
|
| dumb people vote for dumb things, whether issues or
| candidates.
| debugnik wrote:
| Well, referendums are kind of direct democracy, so yes, I
| agree those are at increased risk of dumb voting. But the
| actual problem there, to me, is such complex decisions
| being put to referendum in the first place; specially to
| a simple majority vote.
|
| Also, gay marriage isn't really a complex issue: Even the
| dumbest person understood the consequences of banning it,
| they just were that sadistic. Agreed on Brexit though.
| wakawaka28 wrote:
| Do you think any sitting politician, your physician, or
| your accountant really understands cryptography? Do you
| think studying cryptography needs to be a prerequisite to
| voting? I swear, sometimes nerds are insufferable snobs.
|
| As for the implications of your premise: Do you feel
| comfortable in not having a say whether you are taxed
| more, have your hobbies criminalized, or get sent off to
| die in some awful war somewhere so that some jerk can get
| rich? Because that's what you ask for when you say some
| obnoxious technocrat is fine running the country with no
| input.
|
| And before you mention passing an exam or something to
| vote, that's just a direct path to corruption and
| disenfranchisement.
| rayiner wrote:
| Maybe, but I don't agree with the cure. I think
| intellectualizing voting is a fool's errand in a
| representative democracy. I'd much rather filter on
| having good, democratic instincts. I'd rather have _e.g._
| an Iowan who has a gut-level orientation toward De
| Tocquevillian democracy than a naturalized foreign elite
| who has been socialized to think of governance in terms
| of hierarchy.
| mariusor wrote:
| My opinion is that IT literacy is increasing fast enough
| that in the near future a significant percentage would
| understand enough about electronic ballots as people
| understand now about the paper ballots. And I think you're
| over estimating how many people "understand" paper ballots.
| Yes, they know the basics, but the details on how votes are
| counted, validated and secured might be a bit too much for
| a random Joe.
| rayiner wrote:
| IT literacy is not increasing; if anything it's going
| down. My wife's Gen Z siblings grew up with iPads and
| think computers are magic.
| mariusor wrote:
| OK, fair.
|
| I meant it in the sense of the younger generation has
| more exposure to concepts like encrypted communication
| and peer to peer communication and encrypted ledgers,
| etc. They might not know _how_ exactly they work, but
| they know they exist and have an inkling of their
| attributes as they pertain to data secrecy, auditability,
| etc...
| throwaway48476 wrote:
| I'm far more familiar with cryptography concepts than the
| average person but I wouldn't trust myself to audit a
| crypto system or implementation.
| dmurray wrote:
| You might trust yourself to read a bunch of blog posts on
| technical deep dives into the system and make up your
| mind based on that, though.
|
| (Whether that's a good thing or not I don't know -
| perhaps you'd end up agreeing with whichever side has the
| most believable technological shibboleths, which isn't
| that much different from the current best practice of
| listening to the side with the better attack ads).
| throwaway48476 wrote:
| No, I'm aware of my limitations. Reading about how the
| system 'should' work does nothing to instill confidence
| that the implementation is correct or that there are no
| design flaws.
| Terr_ wrote:
| I believe that when Grandma laments/boasts that "kids
| these days just know technology", it's often a confusion
| of confidence with competence.
|
| The elder generation grew up with stuff where you had to
| be more cautious of damaging it, while the younger
| generation is far more confident with "randomly mess
| around until it works", because they grew up with
| products that were designed to be more forgiving.
| crazygringo wrote:
| > _especially if it 's shrowded behind inscruable crypto
| mumbo-jumbo_
|
| HTTPS is shrouded behind inscrutable crypto, but nearly
| everyone trusts it with their credit card details.
|
| Voting doesn't have to be any different. The implementation
| details don't matter, as long as there are easy-to-understand
| verification concepts such as receiving a "tracking number"
| for your vote that is then easy to see it was counted. And
| then journalists and other private election integrity
| observers who do random sampling from voter rolls and follow
| up on complaints. (This is not a complete list, just
| examples.)
|
| And remember, physical voting is actually tremendously
| complicated as well -- inscrutable optical scanners detecting
| which bubbles you filled in, and then... what? Who's actually
| adding the numbers, and where, and how? The point is, the
| details aren't really important as long as we're vaguely
| aware that there are election observers and journalists
| trying to catch any irregularities, and we all know it will
| be major news whenever they're found.
| wakawaka28 wrote:
| The difference between trusting HTTPS with credit card
| details and trusting crypto BS for voting is that you can
| easily tell if your credit card ends up abused. You can't
| easily tell if your vote is or isn't counted.
|
| You're generally right about each point in the process
| being a potential point of corruption. That's why voting
| systems need to be very simple and involve lots of people,
| even if it costs more. Ideally multiple independent parties
| would count the votes and compare results for
| discrepancies, until they reached an agreement.
| crazygringo wrote:
| > _You can 't easily tell if your vote is or isn't
| counted._
|
| That's why I said:
|
| > _such as receiving a "tracking number" for your vote
| that is then easy to see it was counted_
|
| There absolutely has to be a way to easily tell if your
| vote is or isn't counted, and that it's part of the sum
| total. I don't know if Belenios specifically does this in
| a way that is easy to see, but there's nothing inherently
| difficult or impossible about it.
| wakawaka28 wrote:
| I would concede that it's possible, but if you don't
| trust the system overall then it is basically impossible
| to solve the problem. And it's not just about making sure
| that your own vote is counted. It's about making sure
| there are no fake ballots cast. There are so many ways
| that illegitimate ballots can be cast, and I think an
| electronic system just makes it that much easier. At
| least with paper in person, someone has to show up and
| fool a poll worker. There's also a finite number of times
| that someone can commit fraud in person in one day.
| crazygringo wrote:
| > _It 's about making sure there are no fake ballots
| cast._
|
| Yup, I was clear that I wasn't giving an exhaustive list
| of the necessary things.
|
| But that also has solutions that can be easy. The easiest
| is simply to make sure that the voting rolls are
| accurate, and that the size of the voting results has the
| exact same number of entries (because it also records
| every instance of not-voting).
|
| So that if everyone who is an eligible voter, and
| therefore received a tracking number (even if they didn't
| vote), and they look up their tracking number and it's
| accurate (including "didn't vote") -- then there's no
| "place" to insert fake/stuffed ballots, because it would
| necessarily make the number of tracking numbers larger
| than the size of the voter roll. (And of course, voter
| rolls can be sampled randomly to determine they're made
| of actual real people as well, to whatever accuracy you
| desire.)
|
| The point is, there are solutions to all of these things
| that don't involve some kind of blind faith in crypto.
| But rather just common-sense solutions where it's easy to
| understand that any massive gaming of the system will be
| detected.
| schroeding wrote:
| > Voting doesn't have to be any different.
|
| Yes, it has to be. If you break the ability for the average
| citizen to understand exactly how and why your vote is
| counted, you undermine trust. Trust into the democratic
| process is the thing keeping a democracy alive.
|
| If someone currently says "<Country> / <Party> interfered
| with the voting process!", I can tell them to just observe
| their local polling station or even become part of the
| polling station staff themselves. Be there, check that the
| election staff doesn't start throwing away votes and count
| correctly. Check that the numbers they count are equal to
| the one on the official result for the polling station.
| It's all paper. It's easy to follow.
|
| If we put _anything_ between this, which requires trust
| into a magic box with a display, I cannot do this. If your
| credit card is abused, you see it on your bank account,
| always. You cannot have the same certainty the same for an
| anonymous election - yes, they may have proof that their
| vote was correctly counted, but what about the polling
| station as a whole? The votes of the other citizens? Most
| people will not check, just as you may only get one
| observer per polling station max today (which is already
| enough to prevent fraud for the whole station, in the case
| of paper ballots).
|
| "Trust the journalists" does not fly.
|
| > And remember, physical voting is actually tremendously
| complicated as well
|
| It doesn't have to be. You don't need complex equipment,
| you can count directly in the polling station after it
| closes. Paper and people suffice.
| crazygringo wrote:
| I completely disagree. You claim:
|
| > _Check that the numbers they count are equal to the one
| on the official result for the polling station. It 's all
| paper. It's easy to follow._
|
| I say that, using paper, it's _not_ easy -- it 's _next
| to impossible_ for any individual to do.
|
| On the other hand, if I can download a file of voting
| results, import it into Excel, and run SUM(), it's about
| a million times _easier_.
|
| What's important to rely on is the fact that people are
| able to verify that their own votes are consistent with
| what's in the public votes (using something like tracking
| numbers), and we can also verify there isn't vote
| stuffing (which there's no room for, if the number of
| votes and "didn't-votes" equals the size of the voter
| rolls).
|
| You claim this "requires trust into a magic box with a
| display" but that's simply not true. All it requires is
| the ability for everyone to verify that their vote got
| included accurately, that people who didn't vote got
| included as not voting, and that nothing got stuffed on
| top.
|
| Paper and physical voting is actually far, far, _far_
| harder to independently verify and trust. It 's just that
| until recently, we haven't had a practical alternative.
| schroeding wrote:
| I don't know what the US does, but in Germany all ballots
| are poured onto a big table and then sorted into staples
| for each candidate / party. Especially since the votes /
| crosses are always at the same position for each staple,
| it is trivial to keep an eye on 5, 6 staples at once, and
| the remaining parties get almost no votes anyway. After
| that, the staples are split into 10s and counted by two
| people, independently, after each other. All results are
| called out loud. The results are also given to the city
| hall via phone, so everyone in the room can hear it. City
| hall publishes the official results per party per polling
| station as nice images, easily digestible. I don't see
| how this is next to impossible to supervise, even for a
| single individual.
|
| If you want, you can even stay the whole day and keep an
| eye on the whole voting process _except_ when the voters
| make their choice behind the privacy screen, you can see
| everything which enters the ballot box. I 've seen myself
| someone regaining trust in the democratic process because
| of this - a guy who openly accused us, the polling
| station workers, of voting manipulation, being openly
| hostile, agreeing that everything was done correctly in
| the end. This would've been impossible while using
| electronic or online voting.
|
| > it's about a million times easier.
|
| If you, as a random citizen, know SUM() and even think
| about downloading the data for Excel, you are the top-n%
| in computer literacy. You are aware of that, right? ^^'
|
| For most people, verifying their own vote on a website
| with no understanding of the underlying process is the
| absolute maximum you can expect, IMO. In this case, it is
| "trusting a magic box with a display". You compared it
| yourself with HTTPS, for which the same is true for the
| general public.
|
| > What's important to rely on is the fact that people are
| able to verify that their own votes are consistent with
| what's in the public votes
|
| But will people do this at scale _and_ do people trust
| that they do so? The latter is the most important. It
| doesn 't have to make statistical sense, it's about
| feelings in this case.
|
| Because if most people (of a certain demographic like the
| elderly) don't check their own vote _or_ a significant
| amount of people don 't believe that they do so, you
| cannot automatically assume that all votes in the polling
| station have been counted correctly. It may have been
| e.g. only the votes of certain demographics (who are
| unlikely to check their own votes), which have been
| tampered, even if this believe is statistically
| unjustified.
|
| If you supervise a whole analog polling station, you see
| for yourself this is not the case.
| crazygringo wrote:
| >> _What 's important to rely on is the fact that people
| are able to verify that their own votes are consistent
| with what's in the public votes_
|
| > _But will people do this at scale and do people trust
| that they do so? The latter is the most important._
|
| Yes, absolutely. This _is_ the most important, and that
| 's what makes it all so easy! If you don't trust,
| verifying your own vote is a click away. If you think
| there's something fishy in your town, ping a few friends
| and ask them to verify. Journalists and international
| observers can sample a few thousand randomly chosen
| people and verify that the election is at least 99.9%
| accurate.
|
| Because we all know that if journalists find even _any_
| pattern of people whose votes aren 't getting counted, or
| were changed, it would be front-page national scandal
| news.
|
| The whole process you're describing for physical polling
| places is a million times more work for any individual.
| It requires a massive amount of time and attention.
|
| Meanwhile, with electronic/online voting, all you need to
| do is see if people are reporting discrepancies that hold
| up upon further investigation. If they're not, then it
| all works. I don't understand why you think people
| wouldn't trust this. It's dead simple.
| schroeding wrote:
| Well, agree to disagree. :D I see your points, and I
| would agree that the majority would still keep their
| trust.
|
| > I don't understand why you think people wouldn't trust
| this.
|
| Because people are not always rational beings, often
| don't understand statistics and, in my experience, the
| set of people not trusting journalists and having doubt
| on past elections having significant overlap. If you are
| not convinced the press isn't lying, and maybe just
| prints what the government wants, you will not expect
| that they uncover election intervention. And your friends
| may be on a list of the city hall, "they" know that they
| vote for certain parties[1]. This is basically verbatim
| what voters sometimes tell you, why they don't vote via
| mail. It's easy to transfer those fears onto electronic
| voting.
|
| It's very hard to keep believing in serious election
| fraud if you see how (this kind of) analogue voting
| works, though. You have to trust nobody, only yourself,
| at least in regards to your local polling station.
|
| > The whole process you're describing for physical
| polling places is a million times more work for any
| individual. It requires a massive amount of time and
| attention.
|
| Yes, I don't disagree. It's significantly more work,
| inefficient and antiquated. All true. I'm just not
| convinced that the convenience of electronic / online
| voting is worth the risk that a) a fuck-up due to any
| kind of bug / security problem and b) people losing even
| the slightest bit of trust into elections because of
| "magic computer", even if they are caused by delusions,
| would pose.
|
| [1] Germany has no "registration" as Republican or
| Democrat (w/ German parties of course) like the US has -
| they don't have such lists
| nihzm wrote:
| > Voting doesn't have to be any different
|
| From your long sibling thread I gather that for you it is
| more important to be able to verify the votes _by yourself_
| through the output of the voting system (the excel example)
| than to be able to reason through the voting system itself.
| Whereas for schroeding it is more important to be able to
| conceptually understand and scrutinize the voting process
| as a whole, even though it might be difficult for any
| single individual to check on that their own vote was
| counted. Correct me if the summary was not fair.
|
| Suppose we bring the two ideas to the extreme and imagine
| two voting systems:
|
| - an extermely complex, completely opaque voting system
| that can only be managed by experts to function correctly,
| but with a perfectly infallible way to individually check
| that their vote was correctly counted
|
| - an extremely obvious and straightforward way of voting
| such as paper ballots that are securely physically
| transported to a central location (all of them) and counted
| by people surrounded by observers (all in one sitting).
| clearly any individual cannot check that their vote was
| actually counted
|
| If there is a disagreement about the result of a vote
| because, let's say for the sake of the example that the
| losing party thinks they should have won; In the first
| system everybody can of course check their votes, but what
| if the losing party questions the checking system itself?
| Then it is on the experts to justify why the vote is
| correct (can they do it?). On the second system, because
| everybody can reason through it, it is on the losing party
| to prove that the vote was not performed correctly, by
| pointing at some part of the (simpler) voting procedure.
|
| I think that the second system is more robust in the sense
| that when there is a disagreement, it is easier regain
| everyone's trust. With simple procedures, the disagreeing
| party can make more meaningful demands on the people who
| manage the voting system to check that the vote was
| correct. In the first system it is the opposite, and
| because by definitions it is only understood by experts the
| losing party cannot do anything but to claim that the whole
| system is rigged.
|
| So, since voting systems are ultimately a tool to
| collectively take decisions, I'd say that there is more
| value in having a simple procedure than efficiency and
| extremely precise feedback for individual votes. The trust
| in voting systems is different than the one in credit card
| processing systems.
|
| Of course real electronic voting and real paper voting are
| neither of these two extremes, but choosing the e-voting
| moves us closer to the first system, while paper voting to
| the second.
| 9dev wrote:
| > paper ballots that are securely physically transported
| to a central location (all of them) and counted by people
| surrounded by observers (all in one sitting).
|
| That is unnecessary complexity already. Ballots can be
| counted directly in the voting stations, by the local
| citizens. If you want to check your vote is counted
| correctly, stay to witness the counting. After the
| results have been counted, they can be communicated to
| the city hall via phone, so everyone in the room can hear
| it.
| nihzm wrote:
| This would be more realistic, and everyone can still
| understand it, so it is another good example. The point
| was to provide an extreme system to highlight the value
| of simplicity in the dynamics of trust in a voting
| system.
| paradox460 wrote:
| > nearly everyone
|
| I remember having a boss demand I put the authorize seal
| next to our credit card form, else it wouldn't be secure
|
| We used stripe
| evantbyrne wrote:
| Trust is a social challenge, not a technological one. It is
| effectively impossible to stuff ballot boxes at scale in the
| US, but a large number of people still believe the last
| presidential election was stolen.
| declan_roberts wrote:
| Who needs scale? Doesn't the election ultimately come down to
| a couple of counties in 2 or 3 swing states?
| evantbyrne wrote:
| Even sneaking a single box of ballots into an American
| polling station would get caught in a key district. Please
| see my response to baggy_trough.
| baggy_trough wrote:
| Why do you believe so?
| evantbyrne wrote:
| Representatives from both parties are present for voting
| and ballot counting. They have observation areas. Plus they
| keep electronic and paper records. The few people who
| attempt voting fraud are easily caught. Parties abandoned
| ballot box stuffing in favor of gerrymandering and other
| voter suppression tactics long ago.
| baggy_trough wrote:
| Where I am located, there are ballot boxes literally on
| the side of the road, and we have universal absentee
| balloting. Anyone who can acquire ballots, perhaps from
| non interested voters, or those who can be pressured, can
| submit ballots and there would be no feasible way to
| know.
|
| Election day, in person secret voting, with voter ID is
| the way.
| evantbyrne wrote:
| The absentee voting process is still audited at every
| step. They even have observer areas in the ballot
| printing facilities now. How would a party ever subvert
| the process that exists to stuff ballots at any scale?
| baggy_trough wrote:
| Control and visibility of absentee ballots (in my state,
| all of them) is completely missing between mailing and
| drop-off. That is how.
| shrubble wrote:
| You literally have video evidence from 2020 of people driving
| up with their cars and shoving 100+ ballots into absentee
| boxes; and you wrote the above with a straight face?
| paavope wrote:
| No, I haven't seen evidence of that, and a quick googling
| for "2020 us ballot stuffing" doesn't show me such
| ncr100 wrote:
| An image illustrating why this (Belenios) approach is
| trustworthy could go a long way for many people. Images are a
| powerful tool for internalizing ideas.
|
| I took a (lazy) crack at generating an image from a (could be
| 120% incorrect) ChatGPT conversation, FYI:
|
| * IMAGE
| https://www.plantuml.com/plantuml/png/RLAzJiD03DxlAQnECF023A...
| (ChatGPT's images look bad)
|
| * CONVERSATION
| https://chatgpt.com/share/142a2eca-1f66-4087-9568-cbf49e7c3c...
| baobabKoodaa wrote:
| If I had to choose between a broadly trusted voting system
| which has been secretly compromised by a hostile state actor,
| or a not-broadly-trusted verifiable voting system, I would
| choose the verifiable voting system any day.
| trte9343r4 wrote:
| In reality private keys will be mailed in insecure envelopes,
| issued multiple times (just to be sure) or issued to people, who
| are not citizens, moved away or died.
| inhumantsar wrote:
| I don't disagree, the identity matching and uniqueness problem
| is a tough nut to crack.
|
| it's worth keeping in mind though that this is an issue the
| current system faces. voters end up duplicated in the rolls
| under different addresses or old names, or they don't get
| removed from the rolls after losing eligibility or dying.
|
| once upon a time I got two voter cards in the mail, one
| forwarded from an old address. I was eligible in two districts
| after nothing more extraordinary than moving across town. had
| to call in to get removed from the extra district.
| mariusor wrote:
| I think this will be prevented when these private keys will be
| part of the national IDs, similar to how Estonia and other
| European countries do it.
|
| If there's a "national registry of citizens" comprised of
| public keys, I think it will be easy to organize ballots on top
| of that.
| sylware wrote:
| Nothing will beat the paper with physical verification/monitoring
| of people from different parties with the details of the end
| results properly published for everybody to double check.
|
| The only way to trust voting machines (which could be rigged
| before delivery), would be to physically watch which buttons the
| voters did press, and manually account it... which would violate
| the core rule of anonymity, that to avoid retaliation.
| cies wrote:
| A cachier roll, that is locked into the voting machine. The
| voter selects an option on the machine, each option has a
| number. Once the voter confirmed it's pick the number is
| printed on the cashier roll and "rolled" into view for the
| voter (a small slit window of some transparent material will
| do). The voter can then see the number was printed. After the
| voter presses the "done" button, or leaves the booth, the vote
| is rolled beyond the window so the next voter cannot see what
| the previous voter voted.
|
| The rolls used can be marked uniquely.
|
| The voting machine will print an opening and closing pattern so
| no votes can be added before or after.
| baobabKoodaa wrote:
| There are various methods to trust voting machines. The
| simplest example is a machine which immediately prints out a
| paper trail that the voter verifies.
| oakesm9 wrote:
| Tom Scott videos which cover why electronic voting is a bad idea:
|
| https://youtu.be/w3_0x6oaDmI?si=kGDOYOb_RiiQaZ3u
|
| https://youtu.be/LkH2r-sNjQs?si=YdQgNC4uUZDUDbab
| mariusor wrote:
| Something being hard does not mean that it should not be tried.
|
| There are methods for preventing all the issues Tom Scott
| raises.
| sanbor wrote:
| Voting with pencil and paper is easy, everybody can
| participate in the voting process and understand it. Also,
| paper and pencil are more sustainable (can be made from
| recycled paper and trees, which you can plant, as opposed of
| mining minerals, shipping, and maintaining thoudsands of
| computers, with batteries in case there is a power outage).
| yoavm wrote:
| everyone _that can make it to the ballot_ can participate.
| also most people have computers already, so you don't need
| to ship anything. from a sustainable perspective, I'm
| assuming it's better to have everyone stay home instead of
| travel to the nearest ballot, and just use their anyway-
| always-on device.
| mariusor wrote:
| Also "everyone that can be arsed" to make it to the
| ballot. Which is a notorious problem that democracies are
| faced with today. Younger demographics don't get involved
| considering the election process too much of a chore in
| comparison with the outcomes.
| _heimdall wrote:
| Especially with something like voting, it is worth
| considering those who actually can't use paper and pencil.
|
| In college I worked in a research lab building accessible
| voting systems. We regularly ran test elections with the
| deaf and blind community. Its both amazing to see how
| adapted a person can become to living in a world that
| assumes a certain level of physical ability. Its also
| amazing to see how horribly inaccessible most voting
| systems are.
|
| With paper ballots, for example, you are usually limited to
| sitting in a booth with a poll worker and telling them how
| to fill in your ballot. That does technically work, but
| breaks voter privacy _and_ you have no way of knowing if
| they filled it in right because, well, you can 't see the
| ballot.
| throw0101d wrote:
| > _We regularly ran test elections with the deaf and
| blind community._
|
| Already a solved problem, e.g.:
|
| > _On election day and at advance polls, your polling
| station will have tactile and braille voting templates
| that you can use to mark your ballot. Simply fit your
| ballot into the template and use the braille and embossed
| numbers to find the space next to your chosen candidate
| 's name._
|
| * https://www.elections.ca/content.aspx?section=vot&dir=s
| pe/to...
| _heimdall wrote:
| Sure. I don't know if those specific devices were around
| 20 years ago, but there are various options.
|
| Another part of our goal was to build a voting system
| that was accessible by default, meaning everyone was able
| to use the same device regardless of any disabilities
| they may have.
| somerandomqaguy wrote:
| Not really, one of the goals in contradictory to the stated
| goal of an electronic voting system of voter verifiability.
|
| The problem is that when you can verify that your own vote
| has been counted a certain way, that can be used to influence
| the vote. $100 Amazon gift card if you verify that you have
| voted Purple. Lack of verifiability has been a feature to
| prevent a voter from willingly participating in manipulation.
| mariusor wrote:
| I have a different comment where I'm stating that one way
| to counter the influencing of votes is through allowing the
| voter to cast their ballot any number of times until it
| ends.
|
| I can think of a method that allows a voter to decrypt the
| ballot payload only coupled with one or more keys from the
| parties that organized it. Ie, if I as an individual want
| to see the vote, I can't. But if I suspect my vote has been
| tampered with I can ask the organizers to audit it, and
| with both our keys, I can see the payload. (This is just
| back of the napkin theorizing, it might have other issues)
| somerandomqaguy wrote:
| I'm not sure how the solves the issue of a voter that
| wants to reveal their vote.
| mariusor wrote:
| I'm looking at the problem through the lens of "why does
| a voter want to see their ballot". The answer which
| prevents the issue of vote buying is "to audit the
| validity of the vote", which then is ensured through
| putting some stop-gaps in front of viewing the vote in
| the form of requiring intervention from the entities
| organizing the ballot.
|
| Ie, if a malicious entity wants to make sure that the
| votes they have bought are corresponding with what they
| asked, they need to go through a more difficult process
| than just asking the people they bought from to reveal
| their vote.
| JanisErdmanis wrote:
| > why does a voter want to see their ballot?
|
| Because of potential malware on the client's device that
| can manipulate a vote before it is cast.
| JanisErdmanis wrote:
| One way to achieve verifiability is through deniable
| tracking numbers computed locally in network-disconnected
| devices. To ensure that they are deniable, they can only be
| computed after all tracking numbers along the votes are
| made publically available, which can be realised by
| publishing a secret code that the voter inputs into the
| device. That way, when the coercer/briber asks for a vote
| to be cast in a certain way, the voter can select another
| tracking number from a public list and show it to them.
| Meanwhile, computation on the device ensures that it does
| not have access to resulting tracking numbers and
| corresponding votes with which it could deceive the voter.
| Meanwhile, the cryptographic proofs ensure that every voter
| has one unique tracking number. This is the general idea of
| the Selene system.
| nihzm wrote:
| Suppose for the sake of the argument we implement such
| methods that bring the level of security of the digital vote
| to be mostly equivalent to paper voting (though I do not
| think this is possible). Then why do you think it would be
| better to use a harder method of counting votes? I do not see
| a strong argument to justify the change. The burden of proof
| is on the new technology, not on the old one that has been
| working so far.
| mariusor wrote:
| Why do you think it's harder to count votes? I'm not sure
| what belenios uses, but in the process I envision a ballot
| is a publicly accessible encrypted ledger, where the votes
| exist publicly.
| nihzm wrote:
| > Why do you think it's harder to count votes?
|
| I assumed this from the parent post
|
| >> Something being _hard_ does not mean that it should
| not be tried.
|
| As opposed to paper voting, which does not have the
| issues raised by Tom Scott. If that is not what you
| meant, don't you agree that a more high-tech solution,
| complete with unspecified but granted methods that
| mitigate the security problems, requires more expertise
| and makes the process of voting as a whole more difficult
| than the low tech one? (eg infra / software maintenance,
| robustness to outage, educating people on how to use it,
| ... everything discussed by other threads)
|
| > ballot is a publicly accessible encrypted ledger, where
| the votes exist publicly
|
| It is cool, but I do not see how this improves upon
| voting on paper by mail.
| thinkloop wrote:
| The criticisms in the videos do not appropriately counter the
| solution in the linked article. Scott's superficial discussion
| of blockchain at the end misses the entire ethos of blockchain.
| We agree that servers, devices, software and networks cannot be
| trusted, and possibly never will be. So we ignore them and
| instead rely solely on the output. Every stakeholder audits the
| final official "blockchain" (for lack of a better term) using
| their own tools, engineers, and techniques to verify its
| credibility. I'm not claiming that this has been solved,
| although Belenios seems damn close. But it definitely seems
| conceivable that we can one day come up with a functional
| scheme that distrusts the machines as a first principle. What
| specific problems do you see with the Belenios attempt?
| fny wrote:
| What if you want your citizens to be able to vote on policy
| matters in real time to make things more democratic?
|
| It would be too burdensome with pencil and paper. Alternatives
| are useful.
| nihzm wrote:
| > vote on policy matters in real time to make things more
| democratic
|
| Discussion, debades and more generally exchanging opinions
| with others and pondering the options before committing to a
| decision are important if not essential for proper
| functioning of democracy. This necessarily takes time. How
| would real-time voting make things more democratic? I see no
| advantage in making the process hasty. If anything, it would
| trivialize the process, like voting for a game show on
| television, which would definitely be bad.
| DemocracyFTW2 wrote:
| efficiency != democracy
| Gud wrote:
| We can get to that when we pick the low hanging fruit first.
| In Switzerland, they hold votes 4 times per year, in
| municipal, cantonal and federal referendums.
|
| https://en.wikipedia.org/wiki/Voting_in_Switzerland
| throwaway48476 wrote:
| Arguably there should be a non binding online based real time
| opinion voting to increase democratic input.
| pjkundert wrote:
| Use homomorphic encryption to allow a voter to create multiple
| "valid" keys from their root key, and sell those votes to as many
| people as they want! Provide instructions publicly on exactly how
| to do so.
|
| Then, the voter can vote using their root key, reversing all the
| sold votes and cast a vote for their preferred candidate.
|
| Vote selling problem solved.
| stoical1 wrote:
| Current and past voting systems have always been counterpart to
| boundaries of land, thus government of that land. Physically
| showing up at the polling station is symbolic enough for that
| realisation
| breuleux wrote:
| Voting is a deeply flawed decision making process compared to
| deliberation. If there are too many stakeholders for direct
| deliberation to scale, it is better to just pick a random sample
| of them and have them deliberate. You can have the sample vote
| afterwards to get the final result if they can't come to an
| agreement, but then you don't need fancy tech to check or tally
| the votes, you just need a room.
| declan_roberts wrote:
| Sure as long as I get to pick the sample.
| AngriestLettuce wrote:
| Sure, as long as it's a random sample
| declan_roberts wrote:
| Absolutely, as long as I get to pick the random number
| generator that generates the random sample.
| breuleux wrote:
| The way it would likely work is that a cryptographically
| secure open source random algorithm is made known long in
| advance which takes, say, a full hour to run on top of
| the line computers. In the hour before it is run, anyone
| can send in a number of their choosing, which are all
| added up (or rather their concatenation is
| cryptographically hashed) to make the seed. Then anyone
| can check that their number was indeed included and run
| the algorithm themselves to verify. It really only takes
| a single honest person to send in a 20-digit number to
| make it basically impossible to manipulate. Maybe I'm
| missing something.
| JanisErdmanis wrote:
| One way to resolve the issue is to use a distributed
| randomness generator like DRand which is threshold
| decryption based and hence can offer some robustness as
| well.
| BSDobelix wrote:
| Why take random samples if you tell your citizens that
| everyone has a vote? How do you proof it was random, and
| what do you do if by random chance you got a really on
| sided group? Sorry we have now a fascist state but it was
| random so it's fair.
| BSDobelix wrote:
| >you just need a room.
|
| I know Switzerland is small but still to big to put us all in a
| room, also who decides who the "random sample" is? People from
| Cities, Land? French speaking or German? Voting is the the only
| provable and fair decision making, however the pre-vote-
| training of the voters (aka marketing, media and money) is the
| big problem for me.
| breuleux wrote:
| What do you mean, who decides? Verifiably picking a random
| sample isn't technically difficult, you give everyone an ID,
| pick a known PRNG algorithm, publish a seed, let anyone send
| in a salt in public if they want to, and then anyone can run
| the whole selection process.
|
| > the pre-vote-training of the voters (aka marketing, media
| and money) is the big problem for me.
|
| It's not merely that. These are very complicated matters that
| take time and energy to understand, and voters don't have the
| necessary time and resources to dedicate. Voters are also
| asked to vote for people they cannot directly talk to.
| Everything _has_ to be done through intermediaries and
| middlemen, because direct communication doesn 't scale.
| That's why picking a smaller sample is interesting: if you
| pick a hundred people at random, you can pay them to simply
| think and talk to each other, and you can reduce (although
| not completely eliminate) the influence of marketing, media
| and money.
| cqqxo4zV46cp wrote:
| As usual, good old fashioned pen and paper is worlds better than
| this or any other attempt by overzealous tech people with a
| hammer looking to hit this particular nail.
| schroeding wrote:
| Agreed, the classic process also requires no trust into
| something technical (which, to most people, is equal to magic -
| hell, even as a CS major it's non-trivial to understand this),
| but only trusting ten-thousands of your fellow citizens with
| very different political affiliations, keeping each other in
| check. Easy to understand, easy to implement, easy to be a part
| of.
| pessimizer wrote:
| Good old fashioned pen and paper has tons of problems, and
| doesn't meet most of the guarantees that these voting systems
| are going after. Also, good old-fashioned pen and paper, when
| used, is surrounded by various systems and various equipment in
| order to: keep it anonymous and to make sure that a voter can't
| prove their vote to others, prevent false votes from being
| added and real votes from being thrown away, etc.
|
| Which is why you get things like voting booths, indelible ink
| marks on people's hands, elaborate secured containers for cast
| votes with elaborate seals, and extensive timed processes
| around how votes should be handled while being moved or
| counted, including complicated politically-aware algorithms
| about the selection of observers and counters, and counter-
| observers (and even foreign observers.) The rules about
| _spoilage_ in most paper and pen voting systems are probably
| more complicated and involved than the core algorithms of any
| of these voting systems. There 's was no golden age of voting
| when elections were trustworthy.
|
| Anonymity is a hard problem.
| schroeding wrote:
| > Also, good old-fashioned pen and paper, when used, is
| surrounded by various systems and various equipment
|
| I don't know what the US does, but this is how it works in
| Germany: Around half-ish of the polling station staff are
| clerks of the local administration (normal office workers of
| the city hall, who almost always serve their whole life -
| they are not re-appointed by the current ruling party), half
| (or more) are citizens. If not enough citizens sign up
| voluntarily, random citizens are drafted.
|
| The equipment is: A list of all eligible citizens, who can
| vote (no registration is required), a ballot box with a very
| flimsy padlock, for which the polling station staff has the
| key, mobile privacy screens for the voters, pens and the
| actual ballots.
|
| If a citizen wants to vote, they show their national ID
| (something which the US does not have, I know, but that's not
| the fault of the paper voting process) and get a ballot. They
| make their choice behind the privacy screen and put the
| ballot in the ballot box.
|
| After the polling station closes, the ballot box is shaken
| around a bit and anyone[1] can come to look / supervise the
| polling station staff as they count the votes. The number of
| votes must be round about equal to the number of voters. The
| result if given to the city hall via phone, the ballots get
| put into the ballot box and can be recounted later, if
| necessary. City hall puts all results on their website, so
| the polling stations can verify.
|
| If a ballot has more than the allowed number of votes or
| something written on it, the polling station staff holds a
| quick vote, majority decides.
|
| That's all, the whole process. No ink, no complex seals (the
| key for the ballot box is in a box with the blank ballots,
| it's only there to prevent accidental opening of the ballot
| box), no timed process (except "voting until 18 o'clock"), no
| politically motivated selection of polling station staff or
| observers.
|
| Would you really say that this is more complicated than
| electronic voting, including understanding the algorithms?
| Especially for someone with no CS background.
|
| And it works - will you sometimes have one ballot more than
| voters? Yeah, sure, because someone may forgot to count a
| voter. But those tiny, human discrepancies IMO don't matter
| when you have >1000 ballots. The result is correct enough,
| and based on keeping each other in check, not on technical
| security measures. Everyone can understand the process, and
| everyone can be a part of it.
|
| It does not meet the correctness guarantees of (perfect,
| untamperable) electronic voting, but it's IMO a heck of a lot
| simpler, just as trustworthy at scale and anonymous.
|
| [1] literally anyone, even non-citizens, no registration
| required - we even give them coffee if some is still left :D
| hereme888 wrote:
| Except when mail-in ballots with the same signature and
| handwriting send in tens of votes each for unqualified
| "voters"/dead people.
|
| So I'd amend your statement to "pen and paper, with official ID
| and in-person verification".
| NorthTheRock wrote:
| In the US, there's no evidence that this happens - just a
| bunch of media narratives and failed lawsuits after the 2020
| election that couldn't provide an ounce of proof when push
| came to shove.
| mariusor wrote:
| I think that stamp and paper ballots are actually hampering the
| democratic process. There are many downsides of physical
| ballots: the need to physically be at one location, having to
| set aside a day to vote, lack of interest for younger
| demographics... all of these could go away with a good
| electronic ballot.
|
| The more people can vote, the better the democratic process
| will be. Making it easier for _everyone_ to vote should be a
| priority.
| jltsiren wrote:
| > having to set aside a day to vote
|
| That only happens if the people in charge of the elections
| are enemies of democracy. It also means that the results are
| being manipulated and not particularly legitimate.
|
| The election day is obviously a public holiday. There are
| plenty of polling locations, so you never have to go far to
| vote, unless you live in a particularly remote rural area.
| And because there are enough polling locations, you should
| not have to stand in line for more than a couple of minutes.
| mariusor wrote:
| I don't know where you're voting from, but most of my adult
| life I had long queues to wait in - granted I was an expat
| crowding an embassy's corridor - and even if I don't have
| to work that day, I can think of better things that I could
| do with my time than that. And it's not all about me or
| you, it's about all the people that do have to take a day
| off even if it's a holiday, and the people that don't live
| next to a polling location, and about the people that are
| on vacation and need to vote in a train station or air
| port. There are always people inconvenienced by the act of
| physically going to a ballot station. Electronic voting
| would help them.
| baobabKoodaa wrote:
| Convenience over security. I don't like that.
|
| The #1 goal of a voting system should be to prevent a hostile
| state from secretly hijacking your elections.
|
| How convenient voting is can make a difference between 57%
| voter turnout versus 62% voter turnout. That's largely
| irrelevant.
| catapart wrote:
| Awesome! I hadn't heard of this.
|
| Obviously not something that seems reasonable for government
| implementation, but this seems like it would be great for
| soliciting a specific kind of feedback about a project or
| business. Board elections, or product reviews from third party
| stakeholders, or stuff like that.
|
| Truly auditable voting is definitely a tough enough problem that
| I'd never want to tackle it myself, so I'm glad this is available
| should I ever find a use for it!
| JanisErdmanis wrote:
| Warning: This is going to be a rant.
|
| The Belenios voting system is one of the E2E verifiable ones that
| allows the voter to ensure that their vote is correctly counted
| without submitting trust to a third party, which is necessary to
| prevent a corrupt election authority from deceiving and
| manipulating election results. However, it is also one of the
| underperforming ones in terms of usability. Like most of the
| existing E2E verifiable systems, deployability is a logistical
| nightmare if one wants to safeguard both privacy and resistance
| against sabotage.
|
| In particular, if I understand correctly, individual
| verifiability is ensured through a challenge where the voter,
| after casting a vote to the server, has a chance to test the
| voting client by challenging it with revelling encryption
| exponent to the server, which then can decrypt the vote and show
| it on the screen. This one is a bit concerning in itself, as the
| voting client can decide to manipulate only votes cast for one
| candidate. Whereas checking and casting the same vote again would
| reveal the vote to potentially corrupt authority. Imagine
| explaining to ordinary voters such verifiability guarantees.
| There are better systems where one can get a tracking number at
| the end of the vote and check it with all cast votes when they
| are decrypted (one can look up Selene).
|
| Another issue with the system and all existing E2E verifiable
| voting systems is the deployment of a threshold decryption
| ceremony. To recap for everyone. Before the elections, the
| authority manages the creation of a shared public key between
| multiple parties, which voters use to encrypt their votes during
| the vote. After the vote, all encrypted votes go through
| reencryption mixes or are homomorphically tallied and then
| finally, the votes are threshold decrypted. The challenge here is
| choosing the redundancy threshold of a number of all parties that
| need to come together to decrypt the election result. If too few
| come together, the election result can remain undecrypted,
| whereas if the hold is set too low, a small minority could
| collude and see how everyone has voted. Hence, securing both
| privacy and robustness is an expensive activity.
|
| The website offers the service for those who don't want to deploy
| the system themselves. The issue is that the voters' privacy is
| handed over to the running service. There is no way to verify to
| what extent the parties used by the organisation are truly
| independent and would safeguard their vote privacy.
|
| My biggest gripe is that theese arguments don't land well to
| thoose who are acustomed to mathematical formalism of security
| definitions and proofs. The E2E verifiability with strong privacy
| guarantees can also be achieved in expoinentiation mix setting
| wihtout the need to threshold decryption ceremony [1, 2]. Receipt
| freeness is still an unresolved challenge here, but I see a path
| to resolve it with ideas similar to those used in Selene. Whereas
| if you are concerned about fairness not being distributed between
| multiple parties, please explain to me an attack vector there
| that can't be accounted for!
|
| [1]:
| https://www.usenix.org/legacy/events/evtwote11/tech/final_fi...
|
| [2]: https://eprint.iacr.org/2024/1040
| exabrial wrote:
| Personally I love the idea of a fully verifiable election. I do
| the the current election protocol my county uses is pretty good:
| you present id in one room, they check your eligibility, then
| you're given an anonymous ticket, in another room you vote using
| said ticket, and get a receipt. You can see your but counted
| online using said receipt.
|
| There are two problems with this: 1. You can't verify extra or in
| eligible voters voted. 2. It relies on trust that to tell you
| your vote was counted.
|
| I am very interested in reading about this protocol, and it might
| make a fun hobby to re implement it as a research project.
|
| The one issue I have is: the act of physically showing up is an
| important one. Mass stuffing of ballot boxes is nearly impossible
| when physical presence is required. It also puts 'your ass in the
| game', meaning you really care so to speak; as you have to do a
| minor piece of physical labor in order to get your vote counted.
|
| If this protocol could be adapted to the physical world, I think
| it would be perfect barring any other issues.
| thepra wrote:
| Please forget about showing up physically, it's noble to think
| of "you really care" but in places with organized crime they
| have ways to count if those that depend on them come and vote
| for their "right" choice. It has been estimated that around
| 20-30% of IRL votes in Italy follow the organized crimes
| choice.
| tossandthrow wrote:
| You don't think this is even more pronounced if the criminals
| can keep af gun to your head in your own home when voting?
|
| That said - I am yet to see any protocol that is resilient
| against not showing up IRL (due to the exact reason above).
| oivey wrote:
| Criminals showing up to your house, putting a gun to your
| head, and demanding your vote is a fantasy. You don't need
| to defend against it because it's a totally unscalable way
| to steal an election.
| tossandthrow wrote:
| Apparently it is not fantasy that these people do it at
| the locations.
|
| I think more creative thinking on how the schemes could
| look will show some scalable solutions to coerce votes.
| oivey wrote:
| You're talking about voter intimidation at polling
| places, right? Yes, that is in fact well documented and
| not a fantasy.
|
| You can send a couple guys with bats to a polling
| location and coerce hundreds of voters. What you're
| describing would require a highly organized set of crimes
| taking years of man hours that would definitely attract
| law enforcement due to the prolonged time and scale.
| Fantasy.
|
| "Creative thinking" is leading you down the path of made
| up problems with ludicrous solutions.
| codesnik wrote:
| happened in annexed parts of Ukraine during "referendum"
| oivey wrote:
| Source on that? That was a crooked vote, but it doesn't
| really make sense for the Russians to send people door-
| to-door threatening people to send in coerced absentee
| ballots.
|
| I assume they instead did the more normal things of local
| voter intimidation, outright not counting, and lying. If
| your government doesn't want to follow democracy you're
| fucked either way. No need for armed gunman to make you
| vote at gunpoint.
| Modified3019 wrote:
| I get what you're saying, but that's not really relevant.
|
| That was political theatre being made in a conquered
| territory, not an actual attempt at democracy. It's like
| pondering the specifics of a vehicle's engine
| performance/efficiency after it's been hit by a fucking
| train.
|
| There was/is no solution to fix voting problems in
| Russian held territory other than to violently force
| Russian thugs to leave.
| ziofill wrote:
| Do you have a source for this 20-30%?
| mixmax wrote:
| since you have to be alone in the voting booth and your vote
| is anonymous it can't be bought.
|
| You can say that you voted for X, but vote for Y and noone
| will ever be able to tell.
| aziaziazi wrote:
| In France vote choice are made by placing a predefined
| paper in an envelope. You enter the place, present an ID,
| take and envelope plus zero/one/several/all papers, go in
| the alone room to fill the envelope with the paper of your
| choice. You can take zero papers because some organiser
| will send them prior by post but it's not always the case.
|
| How does it work in Italie? I can picture easely how
| someone in the paper room can put pressure on you to only
| take one paper.
| staindk wrote:
| Why is the act of physically showing up so important? I think
| reducing friction can be a great way to get more people to
| vote.
| tossandthrow wrote:
| Because you need to ensure that the vote is given without
| anyone interfering.
| mariusor wrote:
| I think a better measure against this is not physical
| presence, but allowing one individual to exercise their
| vote any number of times until the ballot period ends.
|
| This means that a malevolent entity that wants to influence
| votes needs to sequester the voter(s) for the whole ballot
| period, which is vastly more difficult than putting a gun
| to someone's head for a single vote.
|
| Executing this at scale so the effect can be statistically
| significant is even more difficult, and if it's still
| possible the entity holding the ballot can be assumed to
| have more pressing issues to care about than fair ballots.
| :D
| rrrrrrrrrrrryan wrote:
| I actually love this. I always cast my vote on election
| day because I want to have the most information.
|
| What if I vote early, then the person I voted for has a
| major scandal the day before the polls close?
|
| Being able to change one's vote would remove all the
| disincentive to voting early or whenever it's most
| convenient for you.
| dmurray wrote:
| If you're changing your vote based on which side was the
| latest to have a major "scandal", you're part of the
| problem.
| actionfromafar wrote:
| Generally yes, but it depends on what the scandal is.
| actionfromafar wrote:
| It works like this in Sweden.
| thegabriele wrote:
| For all Kinds of public elections? I would love to read
| more. Thanks
| tossandthrow wrote:
| This is a interesting idea. I reckon the individual
| voting period would have to be randomized to ensure that
| the malevolent entity doesn't just assemble everyone on
| the last day?
| nilsherzig wrote:
| It might be easy to extract this period from a potential
| victim, since the information would have to get delivered
| to them in some way.
|
| I think it would already help a lot, that there are some
| physical limitations on how many people you could gather
| at the same time.
| layer8 wrote:
| For example, so that people aren't forced by their spouses at
| home to vote a specific way.
| tzs wrote:
| For in-person voting use "fill in the oval" ballots that can be
| hand counted or counted by offline optical card scanners, and
| augment that with Scantegrity II [1].
|
| Scantegrity II is a system that adds end-to-end voter
| verifiability [2] to such systems by combining some clever
| chemistry with some clever cryptography. It requires no
| hardware modifications at the voting site except that special
| markers have to be used to mark the ballots.
|
| Briefly, a code is printed inside each oval using a special ink
| that is invisible, which turns visible when that oval is marked
| by a special marker.
|
| After the election all the ballots can be published, allowing
| any third party to independently verify the counts.
|
| Voters that wish to verify that their ballot was included in
| the count and counted correctly can note the code from the oval
| and afterwards use it to verify the count. The code cannot be
| used to prove to a third party, such as a vote buyer or vote
| coercer, that the person voted the "right" way. Here's a proof
| of that [3].
|
| [1]
| https://www.usenix.org/legacy/event/evt08/tech/full_papers/c...
|
| [2] https://en.wikipedia.org/wiki/End-to-
| end_auditable_voting_sy...
|
| [3] https://eprint.iacr.org/2010/502.pdf
| sinuhe69 wrote:
| Why could they not verify against extra or ineligible voters?
| If each ticket is tied to a national ID, then you can verify
| all tickets, right? To ensure the secrecy of the vote, the
| votes should not be linked to the tickets. Each voter must
| verify that his vote has been counted. But once a vote has been
| counted, using blockchain can ensure that it cannot be undone
| or changed.
|
| Could this work?
| egberts1 wrote:
| The many ways that an electronic ballot machine can lose its
| integrity:
|
| https://x.com/TallJohnSilver/status/1721918130568511822
| mariusor wrote:
| Any idea how those apply to the current topic? Just on a quick
| glance some of the voter fraud methods don't seem to apply:
| unregistered voter, multiple voting, etc.
| nemoniac wrote:
| It's worth noting that it's licensed AGPL so the source code is
| open and available. Arguably this is necessary for a fully
| verifiable election system. Or is there some kind of zero
| knowledge approach to it?
| atoav wrote:
| One important thing about any voting system - digital or not - is
| that it has to be good at producing _agreeable consent_. That
| means bitter, betrayed and hurt (but reasonable /democratic!)
| losing parties need to be able to say: yeah we accept the result
| because we are confident in the outcome of the election.
|
| This is something all digital systems are really bad at, even if
| everything is readable and verifiable, unless all your members
| know how to read that code.
|
| Edit: and even if they know how to read that code, can they trust
| the machines are running that code at the big day?
| baobabKoodaa wrote:
| Disagree. It's enough for the average voter to trust that some
| other people - independent experts - are able to verify the
| vote. Not everyone needs to be an expert at anything. I wrote
| more about this trust aspect in the appendix of my thesis on
| voting: https://attejuvonen.fi/thesis
| matheusmoreira wrote:
| It's not enough. It's not enough at all. Experts are easily
| compromised.
|
| The system by which power is transferred from the people to
| representatives needs to be literally self-evident. Any
| system that the "average voter" cannot understand should be
| literally unconstitutional. Deviating from this puts the
| results of all elections in doubt. People _will_ question the
| results, and they _will_ have a point because the system is
| _not_ actually verifiable and trustworthy to the average
| person and therefore they have no reason to accept the
| results. If you 're lucky you'll end up with numerous
| political prisoners at the end of the whole process.
| efitz wrote:
| Involving computers in vote tallying is an invitation to fraud.
|
| In the US right now, our problems are well understood and
| primarily relate to ensuring that only legally eligible people
| vote, and that the vote was cast by that actual person.
|
| These are fundamentally not technical problems. We have known
| about them for decades if not centuries and as recently as the
| early 2000s the Carter-Baker commission laid out the problems and
| the relatively straightforward solutions.
|
| There have always been political "machines" in big cities, and if
| given the opportunity, they will try to stuff ballot boxes,
| intimidate voters, harvest ballots, exclude observers, apply
| voting laws unequally, and do any number of other shenanigans to
| give their party an advantage.
|
| This has reached epic proportions since mail-in ballots for able
| bodied voters was normalized during COVID.
|
| And the problems have all been exacerbated by the unwillingness
| of the courts to force states to abide by their own voting laws.
|
| Election administration is not difficult, it is a straightforward
| set of tasks that require diligence and integrity, and that
| benefits greatly from having highly motivated partisan observers
| at every stage of the process.
|
| Technology currently used in voting mostly just introduces more
| ways to mess up elections either intentionally (via manipulation,
| by administrators or hackers) or accidentally (as via bugs).
|
| The fixes as I said, are simple but inconvenient:
|
| 1. Diligently clean voter rolls every year, or even throw them
| out and restart every year
|
| 2. Strongly authenticate voters via in-person registration with
| trusted nonpartisan agents (government officials) and verify
| eligibility to vote (citizenship, residency, age, selective
| service)
|
| 3. Vote in person. If intimidation is known to be a problem in a
| precinct, bring in state police (not local). Note that machine
| precincts are likely determinable via statistical and electoral
| analysis, eg where can small swings have big electoral impact).
| You don't have to fortify everywhere.
|
| 4. Check voter id at the polls.
|
| 5. Paper ballots, hand counted on the day of election.
|
| 6. Invalidate the count and require revote from any precinct that
| counts any vote not in the presence of partisan observers from
| any party on the ballot that asks. Do not allow any vote to be
| counted after results are reported; the remedy for custody
| mistakes and "finding uncounted votes" is re-vote.
|
| 7. Publicly post precinct level results BEFORE reporting to the
| county or state. Publicly post county results before reporting to
| the state. This allows independent channels to confirm that
| tallies at the county or state level are not tampered with or
| inadvertently miscomputed.
|
| 8. Fast track any election challenge hearings from any eligible
| voter in an election and do not allow judges to reject cases due
| to standing, mootness or laches.
|
| 9. Absentee ballots should be rare and require proof of need and
| extraordinary verification with partisan monitoring.
| mcny wrote:
| > The account creation failed because the password is too weak
| (it is too simplistic/systematic). Please try again with a
| different one.
|
| What does it want in a password? Would be nice if it actually
| listed out the requirements from the get go.
___________________________________________________________________
(page generated 2024-08-04 23:00 UTC)