I live in an economy where people vote with pencils on paper in cardboard booths and at scalable cost, it just works. Obviously the cost also has to scale linearly for the 200+m voter economies, and time becomes a factor, but for community acceptance I still think paper and pen/pencil beats machine hands down.

(this is Australia. we have compulsory attendance at voting booths for eligible citizens, you can spoil your paper or walk away but we enforce with a fine, participation in the one obligation of citizenship)

-I have been offered voting remotely in elections for my home economy of the UK and I would have welcomed some kind of homomorphic encrypted, secured voting method, given I have done KYC with the UK government to get my pension paid, I don't see there is a problem with them knowing who I am online.

I therefore do not totally agree with the headline, but I'm willing to be convinced by the article, because comparing the land of hanging chad to my own, I think paper and pencil is just fine. BTW we have a senate election which demands ballot papers cut from A0 paper in long strips. Hundreds of boxes to be filled in. What we don't have is the vote for every judge, official, proposition on the table, we just elect representatives and senators, but we have a complex vote method. It just works. We do machine reading, but every single paper is reviewed by people, and parties have rights to monitor the vote, in secured spaces. We do not have a serious concern with the integrity of our vote, and the question is regularly asked and tested. (it's not just because we believe its secure and don't check)

Its a great list of signatories, includes people I respect. I would think that the prime question for americans is "how much worse or better than the current approach could this be?"

The thing about paper ballots is that the ways to cheat with them are well-known ("finding" ballots in the trunk of a car, "losing" ballot boxes on the way to the counting center, counting the ballots behind locked doors with observers not present, and so on), and have been well known for centuries. So the counters to them (ballot boxes sealed with an official seal once full, only sealed ballot boxes will be opened and counted, neutral observers present at all times when ballot boxes are being transported and/or counted, and so on) are also well-known. If those anti-cheating counters are in place, that gives you quite a lot of trust in the results. And if observers get thrown out and then ballot counting continues behind closed doors, you can have a reasonable suspicion that cheating is going on, and can make a stink and demand a redo of the vote.

With Internet voting, the ways to cheat are not all that well-known among the general population, and even among an audience like HN I bet we couldn't come up with all the ways to cheat. (That's not a challenge!) So there's going to be fundamentally less trust in the election process than with paper ballots, even if the Internet-voting system was actually made completely secure. (And I'm not persuaded it can be made completely secure, given that secret ballots are a fundamental requirement of the process).

So yes, paper ballots are very much the way to go.

The most important feature of public elections is trust. Efficiency is one of the least important feature.

When we moved away from paper voting with public oversight of counting to electronic voting we significantly deteriorated trust, we made it significantly easier for a hostile government to fake votes, all for marginal improvements in efficiency which don't actually matter.

Moving to internet voting will further deteriorate the election process, and could move us to a place where we completely lose control and trust of the election process.

We should move back to paper voting.

I agree with the risks, the overall theme being it's much easier to potentially manipulate a million internet votes than physical. In other worlds, internet vote manipulation scales significantly more than physical.

But I could make the argument with any high trust internet system.

Let's take another high trust activity we do on the internet - banking. Internet banking gives a hacker the ability to steal millions while sitting across the world. This is the same argument the authors make about changing a million votes.

So it really comes down to the pros vs cons. That's the more important discussion imo.

Do the benefits of internet voting outweigh the cons?

>Malware on the voter’s phone (or computer) can transmit different votes than the voter selected and reviewed. Voters use a variety of devices (Android, iPhone, Windows, Mac) which are constantly being attacked by malware.

Yeah see this is where I thought this was going.

Phones can be insecure, but in aggregate they are secure enough for literally every other component of life to be conducted on them.

>Malware (or insiders) at the server can change votes. Internet servers are constantly being hacked from all over the world, often with serious results.

Again, great point. Accepting this point will the government erase all the private identifiable data it has collected on me from its systems? Probably not, because they have made a cost/benefit analysis that suggests the risk is middling compared to the reward.

>Malware at the county election office can change votes (in those systems where the internet ballots are printed in the county office for scanning). County election computers are not more secure than other government or commercial servers, which are regularly hacked with disastrous results.

This seems like a weird seppo thing.

Currently the risk of an election being seen as fraudulent is high, and the reward of online voting is low.

But we dont have to conceptualise the modern boring election when we look at online elections. We can look at alternative models, closer to real time use and other gains that tip things back in its favor.

Actually the biggest issue I see with online democracy is apathy and minimum quorum sizes.

To some extent, I think the cost of paper voting is almost a feature. It takes more work and effort to corrupt a paper voting system enough to change an electoral outcome, it helps more people gain familiarity with the electrical process and places an additional weight on the decisionmaking,

Voting is not a monolithic process. It's actually a combination of 3 things:

- How votes are cast

- How votes are counted

- How votes are custodied

In order for an election to be trusted, all three steps must be transparent and auditable.

Electronic voting makes all three steps almost absolutely opaque.

Here's how Mexico solves this. We may have many problems, but "people trust the vote count" is not one of them:

1. Everyone votes, on paper, in their local polling station. The polling station is manned by volunteers from the neighborhood, and all political parties have an observer at the station.

2. Once the polling station closes, votes are counted in the station, by the neighborhood volunteers, and the counts are observed by the political party observers.

3. Vote counts are then sent electronically to a central system. They are also written on paper and the paper is displayed outside the poll both for a week.

The central system does the total count, but the results from each poll station are downloadable (to verify that the net count matches), and every poll station's results are queryable (so any voter can compare the vote counts displayed on paper outside the station to the online results).

Because the counting is distributed, results are available night-of in most cases.

Elections like this can be gamed, but the gaming becomes an exercise in coercing people to vote counter to their preference, not "hacking" the system.

**

Edit: Some people are confused about what I mean by "coerced." Coerced in this case means "forced to vote in some way."

The typical way this is done is as follows:

- The "coercer" obtains a blank ballot (for example, by entering the ballot box and hiding the ballot away).

- The blank ballot is then filled out in some way outside the poll station.

- A person is given the pre-filled ballot and threatened to cast it, which they will prove by returning a blank ballot.

- Rinse and repeat.

This mode of cheating is called the "revolving door" for obvious reasons.

It’s not that it’s impossible - it’s that the established players are already questionable. And any new entry would require more than any simple company could provide. Heavy investment and collateral is required.

Our livelihoods are increasingly (almost entirely) digital and endure great efforts to abuse. But banking and/or retail operate on a different spectrum. For one they make money. The costs associated allowing their business online may never make sense for a non-profit based activity like voting.

Do we have any examples of internet activity as tempting to infiltrate/pervert that is secure and doesn’t extract value?

Anyways it seems greater damage will be done before we even reach a provably secure system. So paper/pencil voting would be better.

But fear not - even if we abolish voting machines we aren’t out of the hole just yet. We have good company with concepts like Citizens United as well as activities like sweepstakes that try to sway the populace to throw away a vote for a chance at a million. Illegal - sure - but that won’t stop the ostensible infinitely wealthy from enduring a slap on the wrist - or more appropriately a verbal reprimand (which is all that happened last time) for their part in electioneering. And if that didn’t work we have an onslaught of reAlIty and bots that poison our conversations in order to form our world views.

I’m jaded. I’m overly pessimistic. I’ll go now.

Mandatory Tom Scott video why electronic voting is a bad idea: Original: https://youtu.be/LkH2r-sNjQs?si=okd-iy_6JTRmmoqe Second part: https://youtu.be/w3_0x6oaDmI?si=EpS7SXd7Boe_1jn5

paper & pen has tremendous value as a recording mechanism. Although it's slower at counting and indexing, it is far better at reproducibility and durability:

* records last > 500 years with no electricity . corruption is obvious at first glance. ( bad records don't appear to be good).

* counting is easily distributed by number of workers

* readily visually inspected with no special tools . ideal for auditing

* records stay in order at rest.

* easy to detect & protect against tampering

* easy to train new users . CRUD tooling costs pennies per operator

* cheaper to scale writes & reads

TCO and risk-assessment for paper records exceeds digital on nearly every measure.

So my internet banking is secure for my funds, but internet voting is not for my vote. Right... OK, we got the message.

Hey all, coauthor here. Interesting to see it on Hacker News.

I'm a professor in Georgia Tech's CS dept that works on problems related to security, privacy, and public policy. (CV: https://mikespecter.com/)

Happy to answer any questions you all have.

If half the points here were true than internet banking and ecommerce would have already failed. Does the current system prevent fake votes? Did old banking and commerce prevent more fraud?

Here is the thing you are missing. With Internet voting we can have votes way more often. Limiting the damage caused by fraud. Yeah you could have malware on your phone that changes your inputs to a sandboxed voting app, and the malware also tracks your real votes so when you request an audit it shows you what you actually voted for. In reality that is extremely difficult to pull off over a long period of time.

I don't care about any of the names on the list, as far as I'm concerned they are missing the forest for the trees.

Estonians seem to have funny ideas on this. They're very VERY digital-forward.

>Voters should not be able to prove to anyone else how they voted – the technical term is “receipt-free” – otherwise an attacker could build an automated system of mass vote-buying via the internet. But receipt-free E2E-VIV systems are complicated and counterintuitive for people to use.

This can easily solved be done via letting people forge receipts. Then anyone can forge a vote to give to someone offering to buy them.

The receipt is in fact the best part of such systems as with paper voting it is impossible to verify if your ballot was counted or if it got "lost."

So where is the thought on mail in these days? It’s what we have in Washington and I rather like it.

> It’s difficult to make an E2E-VIV checking app that’s both trustworthy and receipt-free. The best solutions known allow checking only of votes that will be discarded, and casting of votes that haven’t been checked; this is highly counterintuitive for most voters!

Actually, Benaloh's challenge also does not offer receipt freeness. The adversarial strategy in such a model is to outsource the challenger itself in a hash function which decides whether to accept or discard the vote. It may look impractical at first, but one can build an app that could do that efficiently.

It can be said that all existing end-to-end verifiable remote e-voting systems compromise individual verifiability when reconciling it with receipt-freeness by introducing an assumption about the hardware-based protection of voters' secrets. If they leak or are predetermined by a corrupt vendor implementation, the malware on the voter's client can manipulate the vote at submission, and the adversary later fakes verification for the voter by exploiting that knowledge.

Still, I believe it's a solvable problem which needs more attention. Bingo evoting system is almost there, for instance, with verifiably random generated trackers, but needs a voting booth with a Bingo machine taken at home.

I believe the piece we're missing is the government (citizen?) service which issues (manages, replaces, revokes) constituents' cryptographic tokens for use with such things.

Then our voting systems could be electronic, secure, open, verifiable, and mostly private; assuming effective oversight / this organization does not issue fraudulent tokens or leak keys or identities (big assumption, but I don't think it's impossible.)

I live in Spain, and we have paper-based elections. Similar to what I've read from other comments, in our system, people are randomly selected to participate in oversight and counting. Different actors in the elections are able to oversee the process and count. Counts are performed by the randomly selected people and sent to headquarters from the site itself. Then, each ballot box count is available for display right after the counts are completed. Ballots are transported by the police to a safe location in case a recount is needed or randomly selected.

I'm leaving out other measures and details, but you get the general idea.

I used to flirt with the idea of a digital voting system, but now I clearly see that it is a problem of scale. It's very difficult to interfere with an election at scale when many independent actors and parallel flows are in place. This is what provides the system with its trustworthiness.

However, I think fraud is moved elsewhere (with campaign funding, fake news, and other methods...), but that's a whole different topic

If we can’t create a secure online voting system why do we use it for passports, banking, medical records, drivers licenses, criminal and law record keeping.

This is just an attempt at control using the majority of cases that most websites and applications are insecure. If enough effort and time is invested of course we can create a fairly robust and secure voting system.

The article talks about being “receipt free” as a required feature of any electronic voting system.

Fine. But by that standard, in a world where someone can bring their phone or AI glasses into the voting booth to record the whole voting process, how can any voting system be deemed secure? Anyone can show anyone else how they voted.

Voting is one of those things that people care very little about but it's extremely important as it can determine who is the head of state (a position that has a lot of power an influence).

A single compromise once can have incredibly bad long term consequences for the majority of a ruling elite gain power indefinitely.

Which of these vulnerabilities do not apply to any other internet system? And yet all of everyone's money is accessible over the internet and that seems to be working fine. If they really care about security at this level then they should ban all non in person voting methods.

Agree with everything being said here.

However, it is no longer even remotely paranoid to be concerned that the current administration plans to do one or more of:

1. Put its thumb on the scale by "guarding" urban polling places with paramilitary forces on election day,

2. Declare mail-in ballots illegitimate and seize them,

3. Seize voting machines or attempt to stop vote counts before all votes are counted,

4. Intimidate state legislatures by threats or economic blackmail to disregard results.

I don't see an alternative to trying to figure out how to make online voting secure. That won't solve (4) but it will at least mitigate some of the more direct methods of election fraud.

In person and by mail voting with a blockchain ledger-based receipt is how to prove one's vote is counted anonymously.

There must always be a paper trail and a blockchain ledger provides the most reliable and secure means to maintain integrity.

* “all your money lives on the internet and it’s safe”

* “internet voting is insecure”

who wins?

Electronic processes are way to easy to rig one way or the other.:

Tom Scott: Why Electronic Voting Is Still A Bad Idea https://youtu.be/LkH2r-sNjQs

Sure, there are ways to cheat with paper votes too. But counting paper ballots should always be open to watch for voters interested in observing the process. And voting should be done in secret, disallowing photos, to make it hard to "prove" the vote to possible buyers.

With the world the way it is now a days and software/firmware being insecure, it is difficult to see Internet Voting as a secure means of voting. Paper ballots with multiple biometric tools or AI to measure a voter's physiological state of mind, honesty, confirm identity may be something that should be considered.

If I can photograph a $10,000+ check with my phone and deposit it into my bank via an app, then people can surely create a secure voting app with the same technology. Maybe we should use blockchain technology to store public ballots in an open fashion. Who cast the ballots would be a secret like it always is.

I applied for my passport online. If it's secure enough for that, then it's secure enough for voting.

You need a private, secure booth, as you cannot guarantee really free (of mind, body) voting via internet, because of coersion, threats. Women threatened by their men to vote-anti women. Religious coercion. Internet voting will always be anti-democratic.

True.

Mail in voting suffers from some of the same issues. We go to great lengths (cabins, curtains, no pictures allowed etc.) to ensure people can verifiably cast a free will vote, then open a giant loophole for potentially coerced, non private or transactional voting.

The problem is that nothing is immutable about computing. Software itself is mutable. So is data. The transferability of software makes hardware mutable also.

It seems like pen and paper is currently the best verifiable and immutable voting approach.

And a favorite Phrack article on the same topic - Internet Voting: A Requiem for the Dream [1]

[1] https://phrack.org/issues/69/11

This feels like one of those cases where the technical consensus has been clear for years, but the policy and media narratives keep resetting to "maybe this time it's different."

Vote should be in person at a designated place, based on a census.

There's absolutely no justification (or excuse) for anything else.

It is much better to have less votes than to allow any avenues for manufacturing the results.

https://xkcd.com/2030/

My take: this is a paid-for hit piece to discredit a way of voting that makes total sense and is not all that hard to secure and make verifiable.

This is an alarmist headline and should be reconsidered before being posted anywhere.

And Nepal elected its current interim prime minsiter using Discord, apparently...

More important it should be a right first. Where i live it's not optional

It is possible to have a system that works as follows:

1. People vote on paper ballots by filling in an oval next the candidate they wish to vote for. They fill the oval with a marker provided by the election officials.

2. These ballots can be counted by hand, but they can also be counted by optical scan machines to get fast results. Optical scan machines do not have to be computerized--they have been around since the 1950s long before there were computers small enough and/or cheap enough to use for this. No computer means no software to get hacked.

Almost half of registered voters live in districts that already use that kind of ballot and already count it with optical scan machines.

3. By the use of some nifty chemistry and some clever cryptography an end-to-end auditable voting system can be overlayed on this.

End-to-end auditable voting systems (also called end-to-end voter verifiable systems) have these properties:

• Individuals can verify that their ballot was included in the final count and they vote was attributed correctly.

• Any third party can verify that the ballots were counted correctly. The candidates, the parties, news organization, civil rights groups, and anyone else can check.

• Voters cannot prove to third parties who they voted for. This is called coercion-resistance.

Here is such a system, developed by several well known cryptographers including David Chaum and Ron Rivest [1]. Here's a paper in HTML with the details [2]. Here's a PDF of that paper [3]. Here's a paper showing that it is coercion-resistant.

This is compatible with existing optical scan machines, so the places already using them don't need new machines.

The magic happens in printing the ballots. Inside each oval they print a code in a special invisible ink. When the special marker provided by the election officials is used to fill in the oval that code becomes visible.

If you want to be able to later verify that your particular vote was included and counted correctly you memorize or write down that code. If you don't care about this you can ignore it.

After the voting is done officials can publish all the codes that were revealed and voters can check to make sure their code was included. They officials publish other information that through the use of clever cryptographic techniques allows anyone to use the published codes to verify the totals for all the candidates without revealing the mapping from codes to candidates.

This gives us all the good points of paper systems that can be hand counted, plus fast machine counting that can be done with simple single purpose machines that have no software to be hacked, yet with the kind of end-to-end auditing that usually requires computerized voting systems to achieve. And it is inexpensive to implement and operate.

[1] https://en.wikipedia.org/wiki/Scantegrity

[2] https://www.usenix.org/legacy/event/evt08/tech/full_papers/c...

[3] https://www.usenix.org/legacy/event/evt08/tech/full_papers/c...

[4] https://eprint.iacr.org/2010/502.pdf

I think this relies on the old argument that anything connected to the internet is potentially insecure. While it might have some truth, practically we all do very sensitive stuff securely while connected to the internet. The risk is there, always, but you put all the measures to mitigate it and even prevent it.

The idea that a malware could be on a phone “altering things automatically” feels like a 90s FUD cliche. If an online voting system existed, it won't be like a poll that you see on Twitter, for instance; it will be far more involved. For example, we can have blockchain as the network, and not just transparent to all, but even after you vote you can still check your vote and see if it was potentially altered, and a proper electronic chain of custody can also ensure that the vote was counted per the process, and all of that is visible to anyone who would like to check and even count ALL the votes yourself, again, just like how transparent blockchain is.

And saying paper voting is more secure isn't true at all, because these votes will be counted electronically at some point, either by a machine or just a simple Excel sheet, opening the same risks as the previous one except here, if it would happen, you will never know and you as a voter can't trace the vote from when you voted all the way until it was counted. The voting process should be designed in a way with zero trust in mind, just like how secure systems are designed now, like storage, encryption, vpn, etc., and voting should too.

I personally believe that we can build a very secure, robust, and trustworthy system that can be used for voting online, but I think no one wants that for all sorts of political purposes, either by actually altering the results that could go unnoticed, or at least keeping the window open to blame the results on a faulty system.

2 factor vote. Vote in app, still go in person to validate result.

Honestly we should just have block chain based PUBLIC voting.

This article is right about secret internet voting: it’s fundamentally incompatible with unsupervised devices and global networks. But secrecy is the constraint that breaks everything.

If you instead require public, verifiable voting, most of the "unsolved" problems disappear. The core requirement becomes: everyone can independently verify inclusion and correct tallying.

That’s where blockchains are a genuine game-changer: - They provide a public, append-only, tamper-evident system of record.

- Anyone can recompute the tally from first principles — no trusted servers, no “checker apps,” no special dispute resolution.

- Server compromise or insider attacks stop being catastrophic; fraud becomes immediately visible rather than silently scalable.

- Malware can still affect an individual’s vote, but it can’t secretly change the election at scale — the main failure mode highlighted in this post.

If trust is the goal, opacity is the wrong primitive. The secret ballot is mistaken path solving a non existent and purely theoretical problem of vote buying.

In a world where we expect everything to be easily accessible, the hardships placed by all the steps required to vote (registration, confirming residency location, waiting in line for polling booth) is seriously impacting voter participation. We need to get with the times and modernize this voting infrastructure.

With the recent success of AI, I feel the more insidious issue is preventing the use of AI in reading paper ballots. There's a lot of room to engineer bias.

This is usually a smart crowd. I’m utterly mystified at the number of comments in this thread confidently stating that the US must go back to paper ballots when 99% of the country already uses them. It just takes a quick google search to know this.

Voter turnout might increase drastically if we solve security, so it’s a worthy problem to solve

Is this just an abstract and is there more to this post? I found it quite shallow.

Internet voting in general in not only insecure but an human rights act violation against our species. Look none other than the fascist utopia that is YCombinator where some rando can remove your comments simply because they do not like your joke or opinion.

what about crypto voting schemes? zero knowledge and all that

if we assume the user connection is secure (ie, about as secure as banking), can we have secure internet voting?

Premise: there's people that will try to game and cheat on anything that's important, including democratic elections. No matter your voting method, those people will exist.

Solution: the basic unit (paper ballot in this case) can be understood by any adult with basic education, which means anyone can detect cheating, not just a technical wizard. The only skill you need is reading.

Give me a solution that follows the same principle and I'd consider it.

Nobody cares about results coming faster except journalists that have to fill 2-3 TV hours with nonsense until there's some numbers.

No engineer that's worth of the title would advocate for electronic voting -- unless they're in the business of selling electronic voting. See the Premise.

I agree.

You know, kind of an interesting test here. This was posted 13 minutes ago and the comments so far are mostly all supportive of not wanting internet/insecure voting methods, all supportive of pen and paper. I wonder if after an hour or two the propaganda hoses will have been turned on and all the top comments start to have the reverse messaging in them, saying internet voting is perfectly fine, and such initial comments downvoted into oblivion.

Imagine that: thinking the technology used to cast votes is how elections get manipulated.

In Brazil we have been using electronic voting for decades.

See, here we always had issues with corruption, and thats why we had to implement it.

The thing is that we always had major issues at the city level elections, because many small groups dominate different regions, and they just controlled the election officials, influenced voters, disappeared with ballot bags, and did all types of crazy stuff. It was pretty common at the eighties exchange votes for gas, dentures or even tubal ligation.

For all this reasons, a specific voting registry was created in 1985, and an electronic voting machine was used for the first time in municipal elections in 1995. This solved most issues, and elections started to be a lot easier, there was A LOT of confusion in the past. After it was available in all cities in the country, they started to do national elections.

The main idea here is that this is a government endeavour, not a private company. There are so many security layers that I think that only another external government actor would have resources to attack it.

These machines have special hardware, the encryption keys are loaded at the election day by the government, the machines are there only for the 8 hours of voting, then came back to a government deposit, they account for every machine, they are audited before and after, they randomly choose the election officials, the machine prints a receipt for the voter and the stats of votes of that machine. Each person has an election location and room/machine, so schools are used. If a machine has problems, they have to on the fly generate new keys for a substitution. In 2024 they used 570.000 machines at the election.

When the election day finishes, they place at the door of the room the machine receipts, so any ONG or international organization can verify. After it they take the machine to a central place where they connect to them and trasmit the data, and in one hour we know the president. During these decades we had presidents from the right and from the left, and all cities and states, so you can say it works just by seeing all this power cycling all the time.

I agree with the article in the sense that we need paper confirmation, and that we cannot trust the voter machine, but I think Brazil solved this by making sure to control the machine, and printing receipts and making then available to any public organization.

I particularly think that only one thing is missing in this technology, technically speaking, I would like to have a personal key with an ecc key created by me, that would allow me to insert this card when voting, so it would encrypt my vote, store and send to the server, so I could, using my card (even online) check for my voting history, connecting all the endpoints. It is still anonymous, but verifiable by me.

More information here: https://international.tse.jus.br/en/electronic-ballot-box/pr...

[dead]

While we’re on it, I don’t want the internet on my stove or car either.

[dead]

[dead]

[dead]

[flagged]

Tom Scott made a solid video on this years ago[0].

I would love to go back to paper elections, even with all its problems (hanging chads anyone?). Let's make attack scaling as difficult as possible.

[0] https://www.youtube.com/watch?v=LkH2r-sNjQs