To my dismay, I discovered that the newer model machines—those that were used in the 2016 election—are running Windows CE and have USB ports, along with other components, that make them even easier to exploit than the older ones.
Just wait until the next-next generation of voting machines has network access. Then exploitation can really scale.
The article spends a significant portion of the first part of the article talking about how it was easier to get hands on the physical machine than it should be.
And in some cases, contrary to the mantra, "security by obscurity" is indeed an important _layer_ of security. But I'm not sure if this is one of them. Of all the domains that one would expect state actors to be trying to exploit, I'd think voting would be near the top. And I don't think trying to only make sure "authorized" people can get their hands on a voting machine is going to be much of a barrier to a state actor. The thing better really be secure no matter how much an attacker knows about it, to defend against state actors, no?
And of course these _weren't_. But I don't think making it harder to buy an old machine on eBay would provide enough of a barrier to the attackers in the realistic threat model to even bother doing it. Better to spend the focus on the actual security of the machine. I feel like the "lifecycle management" of machines that the author prioritizes as a solution is a misdirection.
> By simply regulating and monitoring the sale of used voting machines more closely, we would create a huge barrier to bad actors.
A HUGE one? To the intelligence agency of a foreign state? I doubt it. If you think it was a huge one, it's a false sense of security that may lead you to insufficiently prioritize more important fixes. (Which may be _not using digital voting machines_.)
As long as they actually are simple - there have been instances (e.g. in the US) where poor design of the voting paper caused confusion as to who you were actually voting for. Then there's the case of improperly filling them in, invalidating a number of voting papers as well.
Maybe do a combination? Voting machine that prints a hard copy of your vote. Activate by scanning your passport or other proof of voting right, centralized secure repository of who has voted or some kind of deduplication of votes when counting.
It’s not like digital UIs are any more immune from poor design issues that make it confusing to determine who you’re voting for. Plus you have the problem of poorly calibrated touch screens where you think you’re tapping one name but it turns out the other got activated.
I don't understand how it is possible to design a paper ballot that is confusing. In France, you have 1 paper for each candidate with their name + party on the paper. You receive each paper by post before an election AND there are always all the papers in the voting place anyway.
You just put the paper of the candidate you want to vote for in the ballot box and that is it.
I understand there are more complicated voting systems (e.g. where you can rate candidates), but when you need to choose one option among several, why would anybody want to use a different voting paper design?
> You receive each paper by post before an election AND there are always all the papers in the voting place anyway.
That opens the possibility to observe people picking up the paper of $CONTROVERSIAL_CANDIDATE and dropping it into the box, thus revealing who they voted for.
> That opens the possibility to observe people picking up the paper of $CONTROVERSIAL_CANDIDATE and dropping it into the box, thus revealing who they voted for.
You are supposed to pick at least two papers and usually there are enough papers so that everyone can pick one of each. Then you go to a booth, hidden behind a curtain, and put one of the papers in an envelope (given after the official has checked your elector's card), discard the other papers in a wastebasket, then drop the envelope in the ballot box.
Of course it limits the possibilities of the vote: one person can only vote for one candidate, on the other hand, it's easier to understand for the voters.
The US ballot is a lot more complex than in most western European countries in that voters have a say on a lot more stuff!
You vote for president, senate, congress, sheriff, education board members, a bunch of other offices, and also constitutional amendments. All on the same day/occasion - if spread out, many election days would be needed!
As others said, sometimes we are voting on a lot of offices and a lot of initiatives/propositions. A voter is in several different types of districts, and the boundaries often don't line up, so your neighbor may be in the same federal congressional district, but not the same state congressional district, etc. Commonly in California, I voted on congressional districts, water district, lower school district, high school district, community college district, water district, sanitary district, flood control district, vector control district, county supervisors, and I wasn't even in a city to have city supervisors or a mayor. Almost all of these elections are timed together, in order to increase turnout and reduce the election expenses.
Occasionally, we have hundreds of candidates for one office (e.g. the California governor recall replacement that got Arnold Schwarzenegger into office).
>> Activate by scanning your passport or other proof of voting right, centralized secure repository of who has voted or some kind of deduplication of votes when counting.
This part (i.e. authorizing the voter) should always be separate from the actual voting system to protect the system of secret ballot for a true democracy.
> Activate by scanning your passport or other proof of voting right
There are two problems with that:
1. People consider it discriminatory unless the US mass-distributes some voter ID thing that is near-forced into the possession of everyone who can vaguely verify their identity (which I disagree with but whatever)
2. More importantly, someone will fuck up the 'secret' part of the secret ballot, which will get leaked/hacked into the public, which in the current level of public discourse would probably end in WWIII
Voting machines can be safe(r). It's just that there seems to be no incentive. The contractor should pay at least twice the money he received in case a security flaw is found among clearly stated attack vectors. No contractor wants to take such an offer? That means we are not ready for voting machines yet.
You've dismissed the potential benefits, so it's a hard argument to make, but I very much like the idea of the style of machine that lets you pick electronically, then prints a paper ballot displayed to you - you accept it and it goes into the same sort of secure container ballots always have, or you reject it and it is trashed.
We get the benefits of electronics with the benefits of a tried and tested paper ballot system. We no longer have people arguing over stray pencil marks or trying to cross out mistakes.
We even get some extra checks on the paper system: today, if there is a discrepancy between the count of people coming to vote and the number of ballots we don't know which is wrong - this would introduce a third number to compare against.
Electronic voting machines were rushed in following the whole "hanging chad" thing, and were done terribly, with credible accusations of corruption involved (see Diebold, who are still out there under a different name) when a better ballot design process would have done the trick, but that doesn't mean we can't get some benefits from electronics, so long as we put accuracy and verifiability first.
At some point we will want voting from home (outside of mail in) and I'd rather shake out bugs gradually than expect some future generation to get it right the first time
Irrelevant in the grand scheme of things. I would much rather wait one more day to have the definitive name of my new president than have a machine decide that for me 24 hours earlier.
> not prone to human error or counter bias / agenda
Agree, in Italy every "voting neighborhood" has a committee that needs to agree on criteria for unclear or invalid votes.
(obviously the people on the committee often have political affiliation, but there is a selection process to ensure some kind of balance)
You know people can just forge or manipulate paper ballots. There was even an instance that happened live on Russian TV where they were stuffing ballots.
In the US, forging/stuffing to the point that it matters in any regional election, to say nothing of national elections, is sufficiently hard that it is literally easier to outspend your opponent in advertising in the race.
It's a little off-point, but I can't help but note a bit of unmentioned fallout from exploitable voting machines -- I early-voted last week in Atlanta and again (as on every other voting day in Atlanta for the last 7-8 years) the voting booth had no curtains and virtually no privacy. I assume this is to make it more difficult for someone to swap in a card that could compromise that voting machine somehow. But I'd love to see an article addressing this issue - in some areas of the country you must vote 'publicly' - because the touch points are so huge on each screen (and color-coded) - each of your selections can [and are] seen by the poll workers. I'm too lazy to research this further, but isn't voting anonymity guaranteed/implied somewhere in our country's codicils (incorrect term, but you know what I mean)?
Iirc, it is a state decision. It is hard to get firm answers as there are different concepts that overlap:
Is it legal to pay someone to vote a certain way? Saying 'no' does not mean it is a truly secret ballot, but it is something.
Is the ballot printed by the govt as opposed to parties or organizations? (Meaning there is an "official ballot" and not just any piece of paper) At one point this was a new thing.
Are you doing an oral vote?
As it is, I think in general you end up with no obligation to share your vote, but that is not the same as any legal obligation to make the voting booth well concealed, depending on state, but that is no small amount of reading between the lines and conjecture on my part, so don't trust me too much.
The constantly aghast tone makes every paragraph feel like clickbait. Shockingly. Surely. Alarmingly.
Why is it shocking that you can buy used voting machines? Why is it alarming the data is there and unencrypted? Why wouldn't a government (or supplier) sell on used hardware? Why would tamperproof screws stop you getting access? (They're for proof of access!)
It's nothing like sensitive medical data (a comparison made in tfa). It's anonymous data that should be publicly available.
The only concerning thing here is that these crappy machines were used in the first place. At least they're being flogged off now.
Don't want to turn this into another 'blockchains can solve anything' discussion - but I do feel some form of blockchain tech could be an effective way to solve e-voting.
Here's why:
- A central authority (government) can control issuance of new keys and maintain the association between keys and personal information. There are already plenty of gov ID cards which support digital signatures and can be used to sign voting keys as well. At the same time personal info would not show up on the blockchain.
- Blockchain explorers would be used as a way to verify the votes are legit by virtually anyone
- NVOs, governments, etc can run the blockchain nodes to ensure integrity of the blockchain
In combination with well designed UIs we can have simple voting apps that can make e-voting a breeze (see the Smart-ID implementation for a great example of such tech).
Obviously the attack vector shifts to the gov servers running the key issuance but it's easier to do opsec on a datacenter level than on individual voting machines scattered around the country. There's also a question of the integrity of the voting app, but that can/should be open-sourced and audited.
We obviously have the tech and the capabilities to create very effective e-voting solutions. I would even go so far as to say that a proper solution would drastically change the way we think about voting - it would make on-boarding a lot easier and provide some form of 'direct' democracy that we are already seeing flourish in countries like CH. So it seems very shady to me that we end up with BS like this that's very easily exploited and discarded as ineffective.
> - A central authority (government) can control issuance of new keys and maintain the association between keys and personal information. [...]
This means that you can tie a vote to a key, thus a person?
That's not how voting should work. Any vote cast must be secret. Or what's to prevent any one group from blackmailing you (or any other voter)?
> Voting app
You mean that a thug could coerce me into casting my vote from home?...
> There's also a question of the integrity of the voting app, but that can/should be open-sourced and audited.
+ constantly verify that the machine was not tampered with (evil maid) + make sure the hardware was not compromised (supply chain attacks) + ... on TONS of devices?...
> We obviously have the tech and the capabilities to create very effective e-voting solutions.
> + constantly verify that the machine was not tampered with (evil maid) + make sure the hardware was not compromised (supply chain attacks) + ... on TONS of devices?...
I agree that's a problem that needs consideration, but we've solved many such issues before. There are quite a few ID, banking, authentication, etc. apps running quite fine and well on consumer devices.
E-voting is a general term that describes methods of voting that involve electronics. While some solutions are indeed terrible, that doesn't mean all are.
That's weird. I don't understand this "filling in" of paper ballots. In France, we get to pick N papers with only one candidate's name printed on each. We then discard and seal in the envelope the papers we want once we're in the "isolation room".
> I agree that's a problem that needs consideration, but we've solved many such issues before.
No, we never had the entire destiny of any one country rely on a single piece of tech running on untrusted devices. Banks can contact any individual if their logins were leaked or if their money transfers appear suspicious; but as votes cast must be kept secret, you can't do anything similar with voting.
> E-voting is a general term that describes methods of voting that involve electronics. While some solutions are indeed terrible, that doesn't mean all are.
Still waiting for a viable solution - so far I don't know of one.
Poor choice of wording on my end, I was coming up with the idea on the fly. I'm sure someone else can come up with something better with a bit more thinking :)
The association between vote keys and personal info does not need to exist. ID keys have to be issued by the gov but the vote signature keys can be derived from them and/or signed by a 3rd party like an NVO or a combination of govs/NVOs.
Having tried, it's a little more difficult than applying a bit more thinking.
Specifically, the criteria that you can't trace a voter to a vote but you need to ensure a voter only has one vote (or at most one if voting isn't mandatory) is really hard to reconcile.
I also happen to believe a way might be found but by handwaving "zero knowledge proof" in the same way that you're handwaving blockchain.
I don't think the blockchain provides any value at all because you cannot verify if a transaction is valid without having a list of authorized voters... And that can only be the Gvt.
If you already have a list of public keys for each voter why do you even need a blockchain to verify anything? You just go through the list of signed votes to ensure uniqueness, and you can confirm your personal vote is genuine but that is all you can do.
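The check described in the comment above, as an added example that is not part of this thread or of any real e-voting system: a tally over signed votes against a roll of voter public keys, using Ed25519 from Go's standard library. The ballot format, the choices and the roll are constructed for illustration. It shows both halves of the tension raised earlier in the thread: the roll is enough to enforce one vote per key and reject forgeries, and that same roll links every counted choice back to a voter key, so secrecy is lost by construction.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)
// Ballot is a constructed toy format (not a real e-voting protocol): the
// voter's roll key, the choice, and the voter's signature over the choice.
type Ballot struct {
	Voter     ed25519.PublicKey
	Choice    string
	Signature []byte
}
// SignBallot casts a ballot for choice with the voter's private key.
func SignBallot(priv ed25519.PrivateKey, choice string) Ballot {
	return Ballot{Voter: priv.Public().(ed25519.PublicKey), Choice: choice, Signature: ed25519.Sign(priv, []byte(choice))}
}
// Tally checks each ballot against the roll (the voters' public keys), keeps the
// first valid ballot per key and counts choices. Its byproduct, linked, maps every
// counted roll key to that voter's choice: uniqueness and secrecy collide here.
func Tally(roll []ed25519.PublicKey, ballots []Ballot) (counts map[string]int, linked map[string]string, rejected int) {
	onRoll := make(map[string]bool, len(roll))
	for _, pk := range roll {
		onRoll[string(pk)] = true
	}
	counts, linked = map[string]int{}, map[string]string{}
	for _, b := range ballots {
		key := string(b.Voter)
		_, seen := linked[key]
		// The roll check runs first, so Verify only ever sees well-formed roll keys.
		if !onRoll[key] || seen || !ed25519.Verify(b.Voter, []byte(b.Choice), b.Signature) {
			rejected++ // key not on the roll, key already counted, or signature/choice mismatch
			continue
		}
		linked[key], counts[b.Choice] = b.Choice, counts[b.Choice]+1
	}
	return counts, linked, rejected
}
func main() {
	// Constructed roll of three voters; voter 1 submits two ballots.
	roll, privs := []ed25519.PublicKey{}, []ed25519.PrivateKey{}
	for i := 0; i < 3; i++ {
		pub, priv, _ := ed25519.GenerateKey(rand.Reader)
		roll, privs = append(roll, pub), append(privs, priv)
	}
	ballots := []Ballot{SignBallot(privs[0], "A"), SignBallot(privs[1], "B"),
		SignBallot(privs[1], "A"), SignBallot(privs[2], "A")}
	counts, linked, rejected := Tally(roll, ballots)
	fmt.Println("counts:", counts, "rejected:", rejected, "voters linkable to a choice:", len(linked))
}
```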
How do you preserve the secrecy of the ballot with a blockchain? Wanting to verify that an elector has voted but obscuring who for seems like a challenge.