Internet voting is insecure and should not be used in public elections

406 pointsposted 11 hours ago
by WaitWaitWha
(blog.citp.princeton.edu)

389 Comments

ggm

10 hours ago

I live in an economy where people vote with pencils on paper in cardboard booths and at scalable cost, it just works. Obviously the cost also has to scale linearly for the 200+m voter economies, and time becomes a factor, but for community acceptance I still think paper and pen/pencil beats machine hands down.

(this is Australia. we have compulsory attendance at voting booths for eligible citizens, you can spoil your paper or walk away but we enforce with a fine, participation in the one obligation of citizenship)

-I have been offered voting remotely in elections for my home economy of the UK and I would have welcomed some kind of homomorphic encrypted, secured voting method, given I have done KYC with the UK government to get my pension paid, I don't see there is a problem with them knowing who I am online.

I therefore do not totally agree with the headline, but I'm willing to be convinced by the article, because comparing the land of hanging chad to my own, I think paper and pencil is just fine. BTW we have a senate election which demands ballot papers cut from A0 paper in long strips. Hundreds of boxes to be filled in. What we don't have is the vote for every judge, official, proposition on the table, we just elect representatives and senators, but we have a complex vote method. It just works. We do machine reading, but every single paper is reviewed by people, and parties have rights to monitor the vote, in secured spaces. We do not have a serious concern with the integrity of our vote, and the question is regularly asked and tested. (it's not just because we believe its secure and don't check)

Its a great list of signatories, includes people I respect. I would think that the prime question for americans is "how much worse or better than the current approach could this be?"

Tagbert

8 hours ago

Where I live we vote by mail by filling in little bubbles with a pen. the counting is done by simple photoelectronic tabulators and there is a built-in, human readable record that can be checked by hand. It is very economical and hard to compromise at a scale that has any effect. i hate the idea of using internet voting. I also don’t trust the electronic voting booths where the whole action is virtual or the older mechanical systems with the chads. Just a pen and paper is sufficient.

GJim

2 hours ago

> Where I live we vote by mail

The problem with this, like internet voting, is that you can be coerced.

e.g. a family member or your boss can tell you who to vote for and force you to submit that vote.

Whereas a polling both is utterly private; you are alone and free from coercion. Nobody else knows who you voted for and they have no way of telling.

In the UK, our voting is also done by paper and pencil. The votes are counted overnight by humans (with plenty of checks, independent oversight and rights of recounting) with the result typically declared the next day.

Its secure, and it just works.

sirdvd

an hour ago

>The problem with this, like internet voting, is that you can be coerced. As an example against coercion, on belenios faq they say that they let voter vote several times (and they count just the last vote).

schmuckonwheels

6 hours ago

>Where I live we vote by mail by filling in little bubbles with a pen.

>It is very economical and hard to compromise at a scale that has any effect.

Vote-by-mail creates unnecessary opportunities for cheating, irregularities, and all sorts of foolishness. If you can fill in the bubbles, you could theoretically fill them in for other people. People living with parents suffering from dementia could fill out their ballots without them knowing and vote multiple times. You don't even need a valid signature; states allow witnesses to vouch. Ballot boxes get vandalized. Ballot harvesting is rampant. There's so many problems. It's for the same reason universities don't allow take-home exams.

Vote-by-mail states are open targets for mockery (and rightfully so) as it routinely takes days or weeks to count all the ballots and declare a winner. Third-world backwaters can do it in the same night. This is a solved problem.

Whenever vote-by-mail is criticized, people get really upset. How do you think the other states do it? The argument about not being able to take off on election day doesn't hold water. Most states allow early voting for weeks. If you can find time to visit a post office or ballot box, you can certainly go to the library or a church basement for the 5 minutes it takes to fill in the bubbles, stick it in the machine and you absolutely know it's counted. And results will be available election night.

crote

6 hours ago

> People living with parents suffering from dementia could fill out their ballots without them knowing and vote multiple times.

Or more subtle: watching them vote, with the implicit threat of violence if they vote the "wrong" way.

> The argument about not being able to take off on election day doesn't hold water.

In my country it is mandatory to give time off to vote if necessary. But the booths are open from 07:30 to 21:00, are located in a bunch of convenient locations (schools, libraries, train stations, shopping malls), and have basically zero waiting time, so in practice rarely anyone needs to make use of it.

camgunz

4 hours ago

These problems are all theoretical. If you actually tried to implement them at the scale you'd typically need to sway a federal election you'd find it pretty unworkable. And in close elections, the recount process is pretty intense, so it's even less likely that you'll be successful.

You'll probably want more detail. Ballot harvesting can't work because data analysis shows weird patterns like this ("huh this nursing home went 95% Biden whereas every other nursing home in the county went 55%"). Recounts do signature validation and lawyers from either party can challenge any ballot they want. Voters are contacted to cure their ballots. I've worked on the Democratic side and been heavily involved in doing all of this. We had armies of lawyers, software and data engineers, and organizers.

Most of the pointing out opportunities for fraud comes from a place of like, reasoning from first principles. But elections are huge undertakings involving tons of people. It's hard to successfully commit election fraud at a large enough scale to sway a federal election. It's why foreign adversaries prefer to swarm social media with bots: it has a chance of working.

ralph84

6 hours ago

Ballot harvesting is viewed as a feature, not a bug, by the people who control vote-by-mail states.

ggm

2 hours ago

Because they operate in a non good faith model where discouraging voting and gerrymander is normalised. The electoral commission is politicised, not neutral and independent. Because voting is held at times and dates which disadvantage working poor, because voter ID rules are capricious and partisan.

joe_mamba

2 hours ago

>because voter ID rules are capricious and partisan.

Can you elaborate?

croon

2 hours ago

When looking at supporters of voter ID laws, look at whether they support free IDs, expansion of DMVs/issuers of IDs, etc.

Similarly, opposition of mail-in-voting typically ignores or supports closing down polling places (in strategically partisan areas), making it difficult for groups of people to vote.

These issues are always (by design) discussed in isolation, while ignoring the intrinsically related issues.

TL;DR: Voter ID laws are fine, only if, coupled with universal free IDs for citizens. And no mail-in-voting would be fine, if voting occured on a national holiday, and polling places were reachable by all eligible voters. This is not supported by any (elected) proponent of voter ID laws or opponent of mail-in-voting.

golem14

9 hours ago

The problem, as I understand it, is that if you can prove to yourself that your vote was counted right, you can also prove it to the guy with the sledgehammer next to you saying "it would be a shame if something happened to your family, so prove how you voted"...

endgame

7 hours ago

There are some really clever systems that let you prove that you voted without leaking how you voted.

Unfortunately, explaining them to Joe Q. Public in such a way that he's going to trust your election is a very tough sell, whereas counting paper is a much easier process to explain.

And that's before you begin worrying that the developer of your whizz-bang mathematically-provable voting system is a) going to win the bid to build it for the government, b) implements it correctly, and c) isn't subverted while doing so.

croon

an hour ago

I have had this discussion many times before, with people smarter than me, and I have not yet reached a counter argument to the idea that if you can only prove that you voted (and not couple each vote to a voter), how can you prove that innumerable votes were added to the record, or that your vote is correct?

You can either couple every vote to a voter and risk oppressive monitoring of votes at scale or coercion at micro level, OR you can have decoupled voting proving that your vote was counted, but not have convincing proof that your vote or anyone else's are accurate.

Please prove me wrong because I would love it if it was possible.

Edit: Booth/paper-voting solves this by:

* linearly scaling cost of multi-party verification of identity at time of voting

* your vote being anonymous and being decoupled from you at time of deposit

* you trust the system at scale since each step in the chain-of-custody has many-eyes-verification

* vote amount is grouped by location so vote insertion can't happen at scale without coordinating with each involved polling place to fudge each of their numbers

* you can't insert into one area without having a random 100k population increase in a polling place overnight

KurSix

2 hours ago

As soon as a system gives you a receipt, a cryptographic proof, or even a reliable way to re-verify later, you've created something that can usually be repurposed as evidence for a third party

godelski

8 hours ago

Proving that you voted is different than proving you voted for a specific candidate.

In fact, the one isn't nearly as big of a privacy concern (if any at all). I wouldn't be surprised if someone told me the former could be done with some XOR scheme, but proving that both you voted and your vote counted for a specific candidate while keeping that a secret is a much more difficult task

lategloriousgnu

6 hours ago

In Australia, which has mandatory voting, they literally just check your name off the voter roll when you arrive at the polling station. Each polling station has a list (digital or paper) of people registered to vote in that electorate.

After your name is checked off, you then proceed to a booth where you mark a piece of paper before folding and placing that paper into a plastic collection box on the way out.

It's very analog and the electoral commission have no way to know if you actually voted or who you voted for. They only know that you turned up to the polling station and gave them your name.

I assume the number of people who turn up at the polling station, only to walk away without voting is so small that it's not seen as a problem to solve.

tucnak

4 hours ago

I thought there were ZKP constructions that produce forward-secret receipts, while allowing to re-vote so that only the last vote would count, without ever breaking the original receipt.

The receipt would id candidate

KPGv2

8 hours ago

> proving that both you voted and your vote counted for a specific candidate while keeping that a secret is a much more difficult task

Just have a code show the truth (for you to verify) and a second code to show a lie (in case of threats).

godelski

8 hours ago

Sure. But if you talk about anything from a high enough level it's trivial. The hard part is actually implementing that.

testing22321

8 hours ago

Australia has very strict laws about who can be near a polling place, and certainly nobody can be inside other than the few certified officials running the show.

Guy with sledgehammer is at least a block waylay, and everyone knows that everyone votes, by law.

axus

8 hours ago

Obviously the person with the sledgehammer is a law enforcement officer working for the populist politician.

badestrand

8 hours ago

By that logic we have to get rid of mail-in voting as well because there could always be a sledgehammer guy standing next to someone in their own home.

endgame

7 hours ago

Yes. Here's a 2014 BBC article about that:

https://www.bbc.com/news/uk-politics-26487418

The article quotes one Mr Richard Mawrey QC:

> "Postal voting on demand, however many safeguards you build into it, is wide open to fraud… on a scale that will make election rigging a possibility and indeed in some areas a probability."

> "Now I know that there is a very strong political desire to keep the present system. What I'm saying is that if you keep the present system, then however many safeguards you create, fraud and serious fraud is inevitably going to continue because that is built into the system."

somenameforme

7 hours ago

In reality sledgehammer guy is never the threat, it's somebody fabricating votes. This can be done in a completely illegal fashion as in complete identity fraud, legally grey areas like ballot harvesting, or more socially palatable forms of identity fraud like somebody voting on behalf of family members who would not otherwise be voting.

And the biggest problem of this all is that it's basically impossible to prove because there's no meaningful identifier at any given point in the process. The only real evidence you'd have is a bad signature, yet in 2020 some states ceased comparing signatures and signature comparison was, in general, bizarrely under attack by certain interest groups.

habinero

2 hours ago

This is 100%, completely absolutely untrue. Stop repeating this propaganda. The system is actually really well designed and safe, I was a poll observer.

You cannot "fabricate" votes, because all mail-in ballots are associated with a voter. Or rather, you put your ballot in an envelope and the envelope is associated with you. When your ballot is received, you are marked as voted and other ballots are invalid. The envelope is stored as proof of who voted and the ballot is kept separately to be tallied.

Ballot counting is done in public (you can go watch!) and there are a lot of safeguards and crosschecks. It's intended to make any fraud very obvious and incredibly difficult to scale.

matsemann

3 hours ago

If you however can go to a polling place afterwards and cast a new vote, that solves that issue, right? And then your mail-in just doesn't count.

zamadatix

8 hours ago

Some do think so, but there is also a material difference in needing to be intimidated at the time of the vote being cast vs any point in the future as well.

godelski

8 hours ago

I think the bigger concern is that mail in ballots lead to fake ballots being submitted. Though I've seen no convincing evidence of this happening at any meaningful scale and the arguments seem unconvincing since you don't get a ballot unless verified with a state ID and your ballot has a unique ID associated with your name, preventing a double spend.

Personally, my concern is that with mail in ballots some nutjob that believes there's ballot stuffing can set fire to the ballotbox and even though they're caught it's a major inconvenience to get a replacement ballot and the websites that show your ballot is received take days to update.

But I still love mail in voting. My state sends a candidate brochure with it and I can take my time to actually look up all those random candidates' policies. It takes me hours to actually fill out my ballot but that's a feature, not a bug (there's nothing preventing you from along party lines but frankly I'd be happier without parties)

somenameforme

7 hours ago

In 2020 a number of states were sending out mail-in ballots to every single registered voter, even if they didn't request it. Those states were CA, CO, DC, HI, NJ, NV, OR, UT, VT, and WA. [1]

[1] - https://www.brennancenter.org/our-work/research-reports/voti...

habinero

2 hours ago

And that's completely fine, because each mail-in ballot is associated with one voter, and the system is designed to make fraud very obvious and difficult to scale.

If thousands of people were told "you already voted" when they showed up, then that would be very very obvious.

They also really do look at signatures and contact voters to cure ballots if they're unsure.

usefulcat

8 hours ago

> I can take my time to actually look up all those random candidates' policies

But you can already do that, regardless of mail in voting or not?

Detrytus

8 hours ago

For me the problem with mail-in votes is that they are (in many jurisdictions) allowed to come in long after the in-person voting is closed, and the preliminary results are annouced. So it creates the space for manipulations, where you count the in-person votes first, and, if the score is close, then a week after the election day half a million of mail-in votes mysteriously comes in and swings the vote one way or another.

ab5tract

6 hours ago

The postmark must be on or before voting day. I cannot fathom how people have bought into this idea that they can be sent after the preliminary voting has happened.

dietr1ch

7 hours ago

Yeah, and you should get rid of that

WWLink

6 hours ago

By that logic we should require DNA testing because, you never know, someone might go to a polling place and lie about their name and have a fake ID too.

You never can be too careful!

Also, maybe someone inside will take their ballot from them.

IMHO this voting thing is too risky. We should just go back to having a ruling family /s

zug_zug

8 hours ago

Such a weird argument. I've never met anybody with a sledgehammer threatening votes. Feels like a willfully absurd excuse to avoid having an audit trail in elections.

pdpi

8 hours ago

Then you haven’t lived under a dictatorship. It might not be a sledgehammer, but breaking voter secrecy and pressuring people to vote the “right” way is very much a thing.

notpushkin

8 hours ago

This. In Russia, employees of all sorts of organisations are “encouraged” to vote for a particular candidate or party (not always the ruling party, though it doesn’t really matter for different reasons I won’t get into).

As far as I know, these votes have gone mostly unchecked before electronic voting, but after that, they’ve started voting straight from the workplace computers. There were, of course, a lot of straight-up falsifications as well.

That said, our pen-on-paper voting isn’t too legit either :’)

somenameforme

7 hours ago

In the sort of scenario you're talking about the dictator doesn't care how people vote. 'The people who cast the votes decide nothing. The people who count the votes decide everything.' If he has such a lack of control that a mere election, which is to be counted fairly, could have him leave power, then it'd be somewhat farcical to declare him a dictator with all the connotations such a term implies.

anabab

3 hours ago

Yes but no. The looks are also important. They want 80-99% to stroke their ego and nice pictures to claim legitimacy. The latter seemingly being useful both internally and externally.

joe_mamba

2 hours ago

You don't need a dictatorship to nudge people to vote the "right" way, just incentives for the masses:

  Vote for me and I'll increase your pensions, the other guy wants to decrease your pensions.

  Vote for me and I'll increase wages of gov workers and civil servants, the other guy wants to fire gov workers.

  VOte for me and I'll increase your welfare and give you free* housing.
etc... etc.

The gov has masses of people that depend on the gov's generosity that they can leverage with a carrot on a stick to swing the majority in their favor. You don't need to put a gun to their head. The gun to their head is the threat of losing those government provided perks.

That's how elections are won in Europe, just promise the boomers(largest voter base) higher pensions. That's why nobody who campaigns on reforming the pension system will ever win an election.

gus_massa

35 minutes ago

At some level, incentives, masses bribes and political polices are interchangeable. A few almost real examples from Argentina:

Party A) Keep the 80% discount in the electricity and gas bills

Party B) Reduce inflation from 200% y.o.y. to 50% y.o.y.

Party C) [I don't remember]

Party D) "A normal country"

---

PS: D was a slogan, they got less than 5% of the votes.

EGreg

8 hours ago

Can you actually back this up? I have seen this argument before thrown around like dogma, even though I have NEVER seen it in the modern world.

The closest I can think of is rare cases like this: https://en.wikipedia.org/wiki/Bushel%27s_Case

vineyardmike

8 hours ago

I agree with the other comment about dictators and similar threatening voters, but at a mundane level: domestic violence.

People do, in fact, threaten or coerce their spouse and that extends to voting.

Being able to audit from a secure counting room and being able to produce an always-available-online permanent record is different.

somenameforme

7 hours ago

You haven't in any way prevented this scenario. Somebody could just as well demand that their spouse take a photo or video of their vote. Yeah no cameras allowed in the voting booth is a rule, but it's not like it's enforced or even realistically enforceable.

MikeRichardson

an hour ago

The "no cameras/no phones" rule is absolutely enforced in Harris County, Texas, although as an election worker I have never seen this escalate beyond "Please put away your phone". Workers are to ask the voter to put it away and if not done so immediately they are to notify the election judge (top official for that location/precinct). Judge will approach and ask again and cite the actual Texas law and show the voter a posterboard with the law printed in at least 4 different languages.

At this point, if the voter has not checked in yet, we can refuse to do so. Either way, if the phone/camera is still out after the judge has asked and shown them the law, judge is to immediately call the constable's office (police), who have been positioned nearby (but never directly at any vote center, due to possible intimidation). The constable can and will remove the man from the vote center. (It's never escalated that far!) (arresting that voter for any length of time might be problematic on election day for obvious reasons).

The most common complaint is "but I wrote up all my selections on there!" and for these voters we can provide a paper "sample ballot" and even a pen and they are free to mark their selections outside of the room and then come back to vote on the machine. One location was a church that was even gracious enough to allow a gentleman to AirPrint his notes.

Also of note, we do not have any kind of a "booth", however, the machines are typically placed rather far apart, and no one is allowed to queue at or near the machines, or linger there after voting, so I believe that privacy is effectively maintained. (Workers including judges are not even allowed to linger there unless assisting a voter who has specifically asked for help, and even then, there's more rules - if the voter needs help actually making the selections for candidates, now you need at least one judge and one clerk, one of whom must observe and ensure that the voter's selections were made correctly.)

We also got rid of the problematic "digital only" machines several years ago, but this post is too long already.

degamad

5 hours ago

The solution in Australia is simpler - you don't submit the vote that you took a photo of. You can get a ballot, fill it out the "right" way, take a photo, erase the markings, write on your preferred vote, and submit that.

Even if you ignore the pencil they give you and use a pen, you can simply tear or damage the paper, take it back to the elections officer, ask for a new ballot, and fill that out instead. We make it as hard as possible to coerce a vote while maintaining secret voting (noting that it is definitely still possible, just hard).

somenameforme

5 hours ago

Are there no polling stations where you can submit the ballot in a private location, like a drop box inside a booth or whatever? In the US I've only voted electronically, and it's done in a private booth with a curtain preventing external visibility, so somebody can easily video record the entire process with no realistic way of altering their vote.

femto

6 hours ago

> it just works

The biggest reason "it just works" is that the Australian Electoral Commission, the organisation that sets electoral boundaries and runs the election, is independent of the government. Other reasons are compulsory voting and preferential voting. In my mind, it is these three things that keep Australia's democracy relatively healthy.

direwolf20

20 minutes ago

And yet the people keep voting for some of the strictest internet surveillance laws in the world.

"The laws of mathematics are very commendable, but the only law that applies in Australia is the law of Australia" said a politician asked about his policy of making encryption illegal.

KurSix

2 hours ago

Paper systems fail locally and noisily; internet systems fail silently and at scale

ChrisMarshallNY

10 hours ago

I've heard great things about the way that India votes.

It sounds like their Election Commission takes their job very seriously.

topspin

8 hours ago

> It sounds like their Election Commission takes their job very seriously.

A key part of India's system is the Elector's Photo Identity Card (EPIC), required to cast ballots. Similar obligations are present wherever election integrity is taken seriously.

creata

8 hours ago

Australia, as far as I know, doesn't require voters to show identity documents, and they seem to take election integrity very seriously.

KiwiJohnno

7 hours ago

We do not. Elections here are run very smoothly, with no questions whatsoever about their integrity.

ggm

7 hours ago

No un-answered serious questions. Serious questions are asked, regularly, as well as un-serious ones by cookers. But, the serious questions, the audit, the sense "did we do ok" is continuously asked.

We have an independent electoral commission. I'm not saying its incapable of being reproachable, nothing is "beyond reproach" but I have yet to hear a serious, non-cooker accusation any political party has tried to stuff the electoral commission.

What we don't have, (and I think should have) is capped party donations. I'm tired of the money aspect of who gets the most billboards.

We also have silly bad behaviour emerging: People doing their billboards in the same style and colours as the electoral commission. Often in foreign language support roles, using words like (not a quote) YOU MUST VOTE FOR PARTY A LIKE THIS which I think is really trolling the voter badly.

degamad

5 hours ago

> but I have yet to hear a serious, non-cooker accusation any political party has tried to stuff the electoral commission.

We do get occasional issues with individuals trying stuff, but the AEC is very good at calling it out or prosecuting it.

It's strong enough that the parties don't try anything risky.

slg

8 hours ago

>Similar obligations are present wherever election integrity is taken seriously.

The flip side is even more true. If someone is claiming they care about election integrity and isn't willing to pair that with funding of an equivalent ID system that is both free and easy for voters to acquire, they don't actually care about election integrity.

mullingitover

8 hours ago

This needs to be said loudly from the rooftops.

If your voter ID system isn’t 100% free and absolutely effortless for voters to obtain, it’s a badly disguised vote suppression scheme.

It’s pretty much always a vote suppression scheme.

xp84

7 hours ago

I’d like to respectfully challenge you on this. There is no chance anyone can ever create an effortless-to-get ID. Even if it was like the census where they sent someone to your house repeatedly to try to find you, take your picture and print an ID on the spot, it wouldn’t be effortless because you might not know where your passport or birth certificate are.

Some people probably are so badly organized and/or ignorant that they can’t manage making and keeping one single DMV appointment even once every 15 years so that they could get an ID (I think we can all agree that an “expired” ID would do fine, as long as the picture isn’t so out of date it can’t be verified).

Anyway, it’s only those people who would be “disenfranchised” under a voter ID system and I’m not convinced our government would benefit from incorporating the opinions of someone so unserious. It’s ok that some things in life are reserved for people that have invested a tiny amount of effort once in their lives. There’s also not a free and effortless way to feed or bathe yourself.

By the way, a state ID costs $15 in Mississippi and $9 for “eligible people” in California.

array_key_first

5 hours ago

The main problem with obtaining ID is that is takes time, and it's not evenly distributed. In the US its not folklore that people of color are less likely to have ID, it's a statistical fact.

This can be fixed, but you will notice the people who champion voter ID never bother trying. Naturally, the only reasonable conclusion is they like it that way. They're not stupid, after all.

mullingitover

7 hours ago

> By the way, a state ID costs $15 in Mississippi and $9 for “eligible people” in California.

If it costs a penny and is a requirement to vote, it is an unconstitutional poll tax.

deathanatos

6 hours ago

> By the way, a state ID costs […] $9 for “eligible people” in California.

A state ID is not required to register to vote in CA[1]. (The requirement is CA ID number or last-four-of-SSN or a third complicated way, but I'm assuming ID or SSN is attainable for nigh everyone eligible.)

[1]: https://www.sos.ca.gov/elections/voter-registration

slg

6 hours ago

>Anyway, it’s only those people who would be “disenfranchised” under a voter ID system and I’m not convinced our government would benefit from incorporating the opinions of someone so unserious

I hate calling something a slippery slope, but I don't know how else to describe an argument that is fundamentally "Sure, it will disenfranchise people, but who cares about those people anyway?" Once you accept that people's rights can be taken away simply because protecting those rights is an inconvenience, then none of us actually have any protected rights.

mullingitover

6 hours ago

Exactly, a freedom you have to pay to access isn't a freedom. "If people can't get it together to pay a modest $9 fee for the 'don't get imprisoned forever' tax, who cares if they get throw into the forced labor camps?"

Beyond this point: voting isn't just a freedom, it's a duty in a civilized democracy. We don't enforce it like Australia does, but anyone who not only doesn't care if it's performed, but is sanguine about it, isn't fully on board with government by the people.

PaulDavisThe1st

8 hours ago

> Similar obligations are present wherever election integrity is taken seriously.

Asserted without evidence, and apparently quite likely to be an attempt to cast aspersions on "election integrity" in the USA and elsewhere.

phanimahesh

10 hours ago

Very. Every voter is guaranteed a booth nearby (<2km away from registered address). Including a monk who gets his own polling booth because he lives so far from everyone and everything else. https://www.aljazeera.com/gallery/2024/5/8/an-election-booth...

Also https://www.reuters.com/world/india/family-remote-himalayas-...

seanmcdirmid

9 hours ago

As a kid living in Vicksburg MS in the late 80s, this is what irked me about in person voting. We lived in county but in a fairly dense suburban area with some biggish apartments nearby (SFH was mostly white, the apartments were mostly black). Our polling site was way out in the boonies, somewhere you could never get to without driving for 45 minutes...I was shocked when my dad took me with him.

There was really no good reason for that, unless they were really against a certain segment of the population voting (a lot of people in the apartments didn't have cars, or were too busy to go so far to vote).

autoexec

9 hours ago

Yep. Physical voting places are great, but they're also an easy target for voter suppression. There should be a requirement that there be a nearby polling location, we should also have multiple days to vote there and employers should be required to give every one of their employees at least one of those days off.

seanmcdirmid

7 hours ago

Georgia made sure African Americans had crowded long line voting locations with no access to water. It wasn’t hard to figure out why they were doing that. The South is still pretty racist.

galago

4 hours ago

I observed this in New England while living in a city with evenly distributed population. The polling locations were more abundant in the wealthier side of the city. This may not have been straight racism; there was no way for me to determine why this was the case. Looking at a map of median income and polling locations made it pretty obvious to me at least that polling location choice was biased.

creata

8 hours ago

Maybe, but the election ink stuff feels a bit overboard.

TiredOfLife

an hour ago

> it just works

And the pieces of paper with votes for the wrong candidates are easy to dispose of. See, for example, russia.

joshcsimmons

7 hours ago

That seems common sense. It’s wild that this is an extremist position in the US now.

BurningFrog

10 hours ago

Australia really uses erasable pencil markings to vote?

I would feel much better if they required ink.

hydrox24

10 hours ago

Yes, and the reasons are outlined by the Australian Electoral Commission, the independent body that runs Australian elections (see the first FAQ)[0].

There are scrutineers that watch counting happen at the booth once polls close, and who also see and hear the numbers get phoned into HQ. HQ has more scrutineers from all parties checking both postal votes and recounts.

If anything doesn't match up it gets flagged. I think that the ability of every party to watch votes themselves means that trust is increased, and they have skin in the game (if they didn't object at the booth why not!?).

Pen markings are perfectly valid however, so you can bring a pen to the booth to vote with if you'd like to do so.

It's also true of course that erasers don't quite erase pencil. It would be fairly obvious that the paper was tampered with.

[0]: https://www.aec.gov.au/faqs/polling-place.htm

anon291

7 hours ago

> If anything doesn't match up it gets flagged. I think that the ability of every party to watch votes themselves means that trust is increased, and they have skin in the game (if they didn't object at the booth why not!?).

I mean the same is true in the United States. One of the key issues with the 2020 election was footage from several jurisdictions where the public was physically blocked from viewing the counting by election officials literally holding up giant white boards. The optics of that were extremely bad.

tacticus

6 hours ago

Unlike the US the elections aren't run by some local arsehat with local rules. they have consistent rules over the entire state or country (depending on election in question)

Scrutineers are also not members of the public. They are declared and appointed by candidates and parties for polling oversight and have complete access to the counting and polling area. They're not allowed to touch ballots but they can challenge and bring them up to all the scrutineers in the location (and EC staff) and finally they can take it to the court afterwards

Election officials are also not local council\elected people they're people working for the AEC\State Electoral commission. which is as mentioned above a non partisan organisation (which is highly different from bipartisan framing)

You also have a large number of counting staff. who do the sorting and then counting with machine assistance (how many sheets are here in this stack do they match the tally the 2 people already made on that pile)

Though the senate elections have a more complex voting software stack due to STV fun.

xmprt

10 hours ago

If you're worried about someone taking away your vote by erasing your pencil marking, then you should be equally/more worried about someone spoiling your ballot by voting twice on the same ballot, thereby invalidating it. You just need to trust that the people handling your ballot won't do that.

tacticus

6 hours ago

> You just need to trust that the people handling your ballot won't do that.

Given the number of people involved in watching ballots the entire time it is happening this would require a lot of compromised people and a lot of compromised scrutineers.

b112

10 hours ago

It's pencil in Canada too. Pencil works. Ink pens stop working, and are far more expensive than pencil in bulk. Voting is old. Using fountain pens, and quills to vote, is far more annoying than pencil when it just works.

The mark of vote being indelible or not is irrelevant. The monitoring and protection of the ballots is far more important. For example, representatives of all political parties are involved in the count, oversight by an agency, etc. If you had time to erase and re-mark ballots, you could swap out paper ballets too.

crote

5 hours ago

The problem is that disappearing ink is a thing, and someone could swap out the source of ink (pen, stamp pad) in the voting booth.

Erasing is indeed a possibility with pencil markings, but this can only happen during the counting process - which should be open to anyone to audit, and anyone messing around with an eraser during the counting process would stand out like a sore thumb.

adrian_b

4 hours ago

Where I have seen stamp pads used for voting, you do not take them with you in the voting booth.

You must press the stamp on the stamp pad at the official who gives you the stamp.

Stamping is fast and convenient. While corrupted officials could apply additional stamps during the counting, to make the vote invalid, that should be prevented by witnesses belonging to the parties that compete in the election.

ben-schaaf

8 hours ago

Someone needs to gain physical access to the ballot after voting in order to erase it. If they can do that they can just as well make it invalid using a pen, or they can just tear it up.

On the other hand, disappearing ink has been around for a long time.

xp84

8 hours ago

At this point the main problem here is one of trust either way. Most Americans, of any party affiliation, believe that one party’s officials are presiding over a vast conspiracy to steal every election. The Left thinks the GOP is intimidating real citizens who happen to be immigrants from voting by trying to pass laws for proof of identity, and the Right thinks Democrats are trucking in illegals to stuff the ballot box, or that some random voting machine company is systematically rigging every vote. All these positions are presented without evidence.

Then both parties think that if their party’s guy isn’t in charge of the election itself, that the vote counting itself is being faked. Of course, these concerns only ever come out when their preferred party loses.

Mix internet voting into this, and the average person’s utter cluelessness about computers, and no amount of fancy crypto, blockchain, etc. would ever convince any American that their party lost fair and square. “The new online voting system was rigged!”

slg

7 hours ago

>All these positions are presented without evidence.

What evidence do you need that making it more difficult to vote will result in fewer people voting? Isn't it common sense?

themafia

8 hours ago

> we have compulsory attendance at voting booths for eligible citizens, you can spoil your paper or walk away but we enforce with a fine, participation in the one obligation of citizenship

Then my refusal to vote should be counted. If enough people refuse to vote then the entire election should be cancelled and new candidates found. Otherwise this is a ridiculous catch 22 of state bullying to no actual purpose. Who would even think to create such a law?

GJim

2 hours ago

> Then my refusal to vote should be counted.

Then spoil your paper.

Spoiling your paper shows that you got off your arse and voted to say "I don't want any of these people". (See the number of spoilt votes in the UK Police and Crime Commissioner elections for a prime example of this; many in the UK disagreed with politicising the police and spoilt their papers in protest)

By simply not voting, the assumption is you are either lazy or simply don't care...... And as a result, the politicians will not care either.

crote

5 hours ago

Which country doesn't count spoiled or blank votes? And the whole "cancel the election and find new candidates" is pretty pointless when anyone can start a political party of their own and participate in the election.

Nursie

4 hours ago

You can pay the fine or spoil your paper. If significant numbers do this, it will be reported publicly.

As it is though, people tend to vote for one of the parties on offer, of which there are many. And as it's also preference voting, Australia is not stuck in the trap of "better vote for A or B will get in" either. You can vote for C, with a fallback to D, E and F before putting in A as a back-stop.

rmunn

10 hours ago

The thing about paper ballots is that the ways to cheat with them are well-known ("finding" ballots in the trunk of a car, "losing" ballot boxes on the way to the counting center, counting the ballots behind locked doors with observers not present, and so on), and have been well known for centuries. So the counters to them (ballot boxes sealed with an official seal once full, only sealed ballot boxes will be opened and counted, neutral observers present at all times when ballot boxes are being transported and/or counted, and so on) are also well-known. If those anti-cheating counters are in place, that gives you quite a lot of trust in the results. And if observers get thrown out and then ballot counting continues behind closed doors, you can have a reasonable suspicion that cheating is going on, and can make a stink and demand a redo of the vote.

With Internet voting, the ways to cheat are not all that well-known among the general population, and even among an audience like HN I bet we couldn't come up with all the ways to cheat. (That's not a challenge!) So there's going to be fundamentally less trust in the election process than with paper ballots, even if the Internet-voting system was actually made completely secure. (And I'm not persuaded it can be made completely secure, given that secret ballots are a fundamental requirement of the process).

So yes, paper ballots are very much the way to go.

rmunn

10 hours ago

P.S. On the subject of counting ballots behind closed doors, look up Athens, TN in 1946 if you haven't heard about it before. It's a fascinating story. https://en.wikipedia.org/wiki/Battle_of_Athens_%281946%29 has a very long account, but the short version is: the sheriff of McMinn County was widely believed to be cheating on ballots by, among other things, having his deputies count the ballots behind closed doors. In 1940, 1942, and 1944, he and his cohorts "won" the election. But in 1946, a bunch of WW2 veterans returning home had formed their own voting block and had run some candidates opposing the sheriff and his cronies. When the sheriff's men took ballot boxes away to count behind closed doors again in the county jail, the WW2 vets armed themselves (without permission) from the local National Guard armory and besieged the jail. The sheriff's men eventually surrendered and returned the ballot boxes which, once counted in front of unbiased observers, showed that the sheriff's candidates had lost and the veteran candidates had won. (Surprise, surprise).

It got made into a 1992 movie called "An American Story" (which covers many things, the Battle of Athens being just one of them). I have no idea how accurate the movie is (I know it's not 100% accurate, but how much it changed I don't know).

ceejayoz

10 hours ago

There's a town in Alabama that skipped elections for 60 years; they'd just hand it off to a buddy. Someone finally registered to run and won by default, so ten days later they had a secret do-over to avoid a Black mayor.

https://en.wikipedia.org/wiki/Newbern,_Alabama#Mayoral_dispu...

rmunn

9 hours ago

Hadn't heard about that one. Fascinating. Especially since the Black mayor then challenged the secret do-over, won, as was reinstated as mayor. Then the next year there was an actual election for the first time in over 60 years, and the Black mayor won reelection 66 to 26. Not 66% to 26%, 66 votes to 26 votes. Which just goes to show what a small town that was.

P.S. Population of that town in 2020, according to the census? 133 people.

esseph

7 hours ago

There are around 19,500 Incorporated Places.

About 42%, or 8,200 of those places, have less than 500 people.

About 20% of ALL US towns have less than 200 people.

It's a big country.

rmunn

10 hours ago

Oh, and if the election is on something so polarizing that there are no "neutral" observers, then rather than neutral observers you can have observers from both (or all) parties/sides present, with cameras rolling, while the counting is going on.

luxcem

3 hours ago

Not only that but paper in a voting booth is so simple that anyone can check that it is done properly.

It may be a burdensome process, but very simple to understand. Every modernization of the process has major drawbacks.

– Electronic voting machines cannot be verified by just any voter, and the vote count is not transparent.

– Remote voting (even paper-based) does not guarantee freedom of choice: it cannot be ensured that the person is not under pressure at home, or even that it is truly that person who is voting.

- Voting alone in a private booth ensures that no one can verify who a person voted for. It is therefore difficult to buy votes, since it is impossible to confirm that a person followed any instructions.

The fact that any voter can verify and ensure that everything is conducted properly, without having to trust a third party, is essential to guaranteeing the integrity of the vote.

twright0

9 hours ago

An interesting anecdote, another good example of a reasonably modern example of paper ballots enabling election stealing: https://en.wikipedia.org/wiki/Box_13_scandal

Caro covers this pretty extensively in his LBJ biography series, but it's reasonably clear from the evidence that LBJ won his senate seat by some pretty crude paper voting record manipulation after the fact - changing a '7' to a '9' by writing over the number with a pen - almost certainly with LBJ's knowledge. Given that his senate seat eventually put him in the presidency, it's probably the most consequential voter fraud ever committed in American history (that we know about, I suppose).

rmunn

7 hours ago

From the second paragraph of the Wikipedia article: "Six days after polls had closed, 202 additional votes were added to the totals for Precinct 13 of Jim Wells County, 200 for Johnson and two for Stevenson."

Those numbers alone should make anyone suspicious. If you have an urn containing about 20,000 balls in two colors, red and green (this election happened in 1948 and the 1950 census listed that county's population as 27,991; let's assume that roughly 20,000 people would have been old enough to vote in 1948) and you randomly draw out 202 balls (about 1% of the total number in the urn), you would expect the number of balls you draw out to be roughly proportional to the red-blue mix in the urn. (1% of the total is big enough to expect a roughly-unbiased sample). So if you draw out 99% red balls and 1% green balls, then either you have a very very skewed proportion of colors in the urn, or else someone is cheating. Given the TINY margin of victory in that race (87 votes out of nearly a million, 988,295 to be precise), it's very very unlikely that precinct 13 happened to be skewed 99% towards LBJ when the state as a whole was so closely balanced.

twright0

7 hours ago

I really encourage interested folks to read the biography (though it's an undertaking).

According to Caro, part of the background is that the relevant southern Texas precincts were well understood to have vote counts up for purchase; over the course of election counting, both sides would have their controlled districts release counts based on what the other side was reporting to stay in the race. These counts would vary in legitimacy and how skewed they were based on the precinct and need of the candidate that had swayed the boss to their side. But tactics like having armed guards supervise the casting of votes to ensure the favored candidate got a large majority, or simply distributing vote receipts to people who never voted at all and recording votes on their behalf, or making numbers up entirely, were quite common. Typically, though, Caro argues that because both sides did this, and they did it incrementally, it usually wasn't enough to sway an election one way or another, but rather was just part of the cost of doing business. He even says that LBJ lost his Senate election earlier that decade because he got cocky and told the bosses of the districts he had bought to just release all their numbers right away, letting his opposition then juice their numbers just enough to win.

It's really the timing, more than the margin, that makes it clear what happened (and the crudeness of the forgery); after every other precinct reported and finalized, they corrected their number by barely more than needed to win. The 100 to 1 vote margin was actually not that far off from the vote margin that the precinct reported in the first place (... which, of course, really tells you that the whole thing was made up from whole cloth).

KurSix

2 hours ago

With online systems, you can follow every visible procedure and still have no idea whether anything went wrong

john_minsk

10 hours ago

I strongly disagree. If the system is transparent enough and provides mechanisms for verification and control - No reason to distrust it. I would prefer a system where even in 20 years I can go online and check how my vote was counted in older elections - this way stealing my vote would be impossible.

The issue is how to preserve privacy...

rmunn

10 hours ago

> I would prefer a system where even in 20 years I can go online and check how my vote was counted in older elections - this way stealing my vote would be impossible.

Understandable, but then vote-buying becomes possible. The reason vote-buying is impossible in a secret ballot is because you can't prove how you voted to anyone else. If you can look up your own ballot even five minutes after it's dropped into the box, then you can show your screen to someone else who then hands you $100 for voting the right way, and elections change from being "who has persuaded the most voters?" into "who has the most money to buy votes with?"

bluGill

9 hours ago

Vote buying and worse 'vote for me or I'll shoot you'. Buying is the more common scam but there are worse options for evil people

gbear605

9 hours ago

A related issue is “vote for my preferred candidate, or I’ll abuse you” as a way for husbands to control wives. That’s especially relevant when one party is favored by a majority of men while the other party is favored by a majority of women.

NewJazz

6 hours ago

s/husband/boss

Or despot, or ruthless water district rep (lol)

HaZeust

5 hours ago

You can also do this today by telling someone to take a picture of their vote by smartphone or you'll shoot them. Millions post a picture of their ballot on high-energy political forums every 2 years already. This hypothetical is unhelpful.

luxcem

2 hours ago

Where I live, ballot are a piece of paper slipped into an envelope (not sealed). It's mandatory to take at least two different ballots before entering a voting booth. You can take a picture with one ballot inside the envelope and switch before leaving the booth.

crote

5 hours ago

> If the system is transparent enough and provides mechanisms for verification and control

That "if" is doing an awful lot of work here!

You can literally explain paper voting to children - it was part of my mandatory Civics classes. On the other hand, I'm pretty sure you need a cryptography PhD to even begin understanding why the various digital protocols are supposed to be secure. Even worse, as a software developer I am aware that things like "how do I know the compiler is trustworthy" and "how do I know the computer is in fact running the right binary" are very much open problems in the industry, so I know that any computer is untrustworthy.

Sure, if it's transparent and verifiable there's no reason to distrust it, but we don't live in a world where a transparent and verifiable digital voting system has been invented yet, so there are plenty of reasons not to trust them.

gpt5

10 hours ago

The most important feature of public elections is trust. Efficiency is one of the least important feature.

When we moved away from paper voting with public oversight of counting to electronic voting we significantly deteriorated trust, we made it significantly easier for a hostile government to fake votes, all for marginal improvements in efficiency which don't actually matter.

Moving to internet voting will further deteriorate the election process, and could move us to a place where we completely lose control and trust of the election process.

We should move back to paper voting.

maxerickson

10 hours ago

The US overwhelmingly uses paper voting (often paired with electronic tabulation). We can't "move back", it's where we are.

Electronic tabulation introduces little risk when the ballots are paper.

Brybry

10 hours ago

Yep, I believe Louisiana is the only US state that does electronic voting without a paper trail. [1]

And not all paper systems are good either. I'm sure everyone remembers the disaster that was the punch card system used by Florida in the 2000 election...

[1] https://ballotpedia.org/Voting_equipment_by_state

firesteelrain

8 hours ago

Florida basically now uses scan tron technology. Color in a circle and when done you turn it over and the ballot is scanned right in front of you.

fsckboy

8 hours ago

>We can't "move back", it's where we are.

vote by mail (and similar ballot harvesting, bulk ballot dropoffs with hazy chain-of-custody as from a nursing homes and immigrant communities) are new, based on paper, and open to abuse.

It's not where we were.

traditional absentee balloting was a small scale thing used by college students, military personnel, etc. and if it was messed up, it was not likely to change outcomes or a threat to counting accurately (no election is perfect)

PaulDavisThe1st

8 hours ago

So the question(s) to ask are:

1. why did absentee voting/vote by mail expand? What was the claimed intention and purpose? What has been the actual result (and based on what evidence) ?

2. who has an interest in underming confidence in vote by mail and why? What evidence do they offer that it actually is a problem?

fsckboy

5 hours ago

those are not questions I have, nor answers I feel that I am lacking, and it fits a familiar online debate technique of bogging down discussions when you don't like the direction they are going in, wasting the time of your interlocutor. are you really so unimaginative and out of touch that you don't know the answers to your questions?

legitimately elected politicians cheat left and right all over the place, and there is every reason to rhink illegimate election is just as attractive to them as the fruits of the power they seek, it's human nature, it's in the bible, it's in the koran, it's why we have laws. I would prefer a voting system that was guaranteed as secure as we can because the power to vote them out of office is our best hope.

mullingitover

8 hours ago

> open to abuse.

This claim is frequently made and never backed job with any compelling evidence.

fsckboy

5 hours ago

you don't need to have "compelling evidence" to show that something is "open to abuse", you simply need to point out the threat vectors

as we know from all over the internet and from various financial frauds, rug pulls, insurance frauds, etc., if there is something to gain, there is no shortage of people who will abuse any system.

mullingitover

4 hours ago

If you don’t have compelling evidence, you have hand-waving, which is all the concern trolling about massive absentee voting fraud always ends up doing.

Mail-in voting has been operating for decades. Nobody fear mongering about for all these years has ever delivered a shred of evidence to back their claims. It’s flat earth-grade conspiracy nonsense.

habinero

2 hours ago

No, that's just fear-mongering and spreading propaganda.

Our elections are designed to handle everything you said. I wrote another comment explaining, but you can also literally go watch it done yourself.

Everything's a conspiracy when you don't know how anything works.

SV_BubbleTime

10 hours ago

>Electronic tabulation introduces little risk when the ballots are paper.

Do European and other first world countries favor electronic tabulation?

Is it possible that introduction of all electronic factors reduce trust?

jcrawfordor

9 hours ago

Good data is hard to come by, but from a brief survey electronic precinct tabulation (the most common system in the US) is also in at least partial use in Canada, Mexico, India, the Phillipines, and Russia, and a laundry list of smaller countries.

Now, you might contend that this is not a list of first-world countries exactly (but rather I sampled the largest countries). You must keep in mind that the use of electronic tabulation in the United States is mostly a response to the very limited budget on which elections are carried out; electronic tabulation is much less expensive than significantly increasing staffing. As a result, globally, electronic tabulation tends to be most common in poorer countries or countries with newer election systems, while hand tabulation is most common in wealthier countries with long-established election procedures.

For this reason, the countries you might go to for comparison (like France and Germany) have largely manual election processes that have often seen few changes since the Second World War.

The Help America Vote Act (2002) had a de facto effect of making the United States a country with much newer election processes, as HAVA requires strict accessibility measures that most European election systems do not meet (e.g. unassisted voting for blind and deaf people). Most US election systems didn't meet them either, in 2002, so almost the entire country had to design new election processes over a fairly short span of time and on a shoestring budget. Understandably, election administrators leaned on automation to make that possible.

It's also important to understand that because of the US tradition of special-purpose mill levies and elected independent boards (like school boards), the average US ballot has significantly more questions than the average European ballot. This further increases the cost and complexity of hand tabulation, even ruling out entirely the "optimized" hand tabulation methods used in France and Ireland.

creata

9 hours ago

For their upper house elections (which can have giant ballots), Australia uses computers in its counting, but there are humans in the process. [Here's a video from the Austalian Electoral Commission.](https://youtu.be/9AqN-Y25qQo)

pa7ch

9 hours ago

Risk limiting audits are why this work. You physically sample ballots at random. The number you sample grows as the gap in the electronic tally shrinks to reach high confidence the election was tabulated correctly.

abdullahkhalids

9 hours ago

The normal person has no knowledge of stats. I am a professional physicist, and I struggle with stats. The methods you suggest can convince a stats professional that the tally is correct. It cannot convince a normal person of the same.

creata

8 hours ago

> It cannot convince a normal person of the same.

But you don't need everyone to be convinced of it first-hand. You just need everyone to trust someone who is convinced of it.

crote

5 hours ago

Election security should not hinge on a "trust me bro" - especially when people are being convinced the other way by Russian propaganda talking heads on social media.

Manual counting requires zero trust. In my country anyone is welcome to observe the entire process from start to finish, if they wish to do so. A few years back a fringe far-right party tried importing the voting integrity distrust over here, and recruited people to watch their local polling stations to "expose the fraud". Which was totally fine because they were always allowed to do so, and it fizzled out because zero evidence of fraud was found, and that party still didn't get a significant number of votes.

creata

2 hours ago

Don't these two situations (watching vote counts; understanding a complicated statistical argument that the vote is tamper-free) require the same kind of trust?

1. In both cases, everyone is theoretically capable of checking it themselves; they're theoretically zero-trust. In the former scenario, I'm theoretically capable of attending the vote count, and in the latter scenario, I'm theoretically capable of learning the statistics needed to verify the argument.

2. In both cases, most people cannot (or will not) practically check it themselves, and is trusting that someone they trust is doing the checking for them.

I'm not saying they're the exact same situation, but they both ask for a large amount of trust from most of the voters.

popalchemist

9 hours ago

As we learned from Dominion... depends who manufactures the machine.

xmprt

10 hours ago

> We should move back to paper voting.

We already use paper voting. If you mean go back to a time before voting machines, then I fear that would actually reduce trust because the amount of tabulation errors, data entry, and spoilt ballots would skyrocket. The only people who are increasing doubt in voting machine are the same people who are trying to disenfranchise voters and not accepting the results of past elections.

The last presidential election where doing a paper recount might have helped was in 2000 and believe it or not, the same party that's calling for abolishing voting machine today was the one who sued to avoid a paper recount then.

plagiarist

10 hours ago

They did start a recount! IIRC SCOTUS, at that time already taken over by partisans, illegally ruled to force the original results on us instead of correctly ruling for all FL districts to use the same methodology when performing the tallies.

cael450

9 hours ago

Yeah. The Republicans blatantly sabotaged the recount and everyone shrugged and moved on.

piou

10 hours ago

The majority of the U.S. votes on paper: https://verifiedvoting.org/verifier/. Most of the rest of the country votes using Ballot Marking Devices that produce paper ballots; less than 5% of the population lives somewhere where the only or default choice is electronic voting.

mmooss

8 hours ago

The issue is that the paper ballots are counted electronically. There may be a paper version for double-checking the vote, but it's rarely used. The vote relies almost entirely on electronic technology.

firesteelrain

8 hours ago

There are many state-mandated post-election audits that involve random selection of ballots or precincts. There are state statutes and procedures that require a post-election audit of ballots after every election. These audits are designed to verify that voting equipment and tabulations operated correctly and that reported totals are accurate

Alupis

9 hours ago

> The most important feature of public elections is trust.

Agreed.

However, in some states, such as California, mail-in voting has become the default.

What's used to verify identity and integrity? Your signature from your voter's affidavit of registration, a signature from any past voter form, or literally an "X"[1]. Your signature doesn't even need to match, it just must have "similar characteristics". You can print your name or sign in cursive, you can even just use initials. They're all accepted.

We're firmly on the "honor system".

Pair that with lack of voter ID laws, and we have a system that's designed to be untrustworthy.

Yes, I agree, a state issued ID should be free...

[1] https://codes.findlaw.com/ca/elections-code/elec-sect-3019/

mcmoor

5 hours ago

I wonder how correlated is this to how (un)contested California results are (?). I think the main test will be whenever a case like Bush vs Gore happens.

andyferris

9 hours ago

Do you not have in-person early voting?

In Australia you can postal vote if necessary, but "prepoll" voting is much more popular (I believe 37.5% of registered voters, 90% of which actually voted, in 2025). It's just so convenient, with the same crowd of volunteers and officials as actual polling day.

Alupis

8 hours ago

In 2020's national election, nearly 87% of California votes were by mail[1].

California offers day-of in-person voting, and has ballot-drop boxes (unmonitored) and drop-off (monitored) locations for at least several weeks (I believe it was a full month in the past election).

[1] https://abc7.com/post/election-2024-21-californias-registere...

anon291

6 hours ago

I volunteered at Fairview development center in Costa Mesa CA, which is a place where dozens of disabled residents lived. These people could not talk, move, etc. They were essentially quadriplegics; mentally completely not there; etc. I was a high school student helping move residents to Sunday service and back and doing activities with them (volunteer hours). I clearly remember seeing nurses and others mark ballots of residents that were in no fit state to vote (unable to communicate at all; those who could were often not mentally competent enough to make their own medical decisions, let alone decide who to vote for). I don't think anyone cares to be totally honest. I was shocked the residents even got absentee ballots. Of course, competent adults should be able to vote, but at the point where you're essentially a child mentally? I mean ... how can anyone possibly figure it out. I did lodge a complaint, but nothing came of it.

liveoneggs

10 hours ago

Just do both like we do here in GA. You vote on a computer, it prints out a piece of paper, you walk the paper over to some kind of scanner, and then it is deposited into a giant trash can. (maybe they keep the paper records, idk) - these are the dominion systems.

(memories..)

When I lived in NYC there was a giant lever you got to use - it was pretty fun - but positioning the actual paper was kind of tricky.

I think Georgia used to have Diebold machines where you would get a little receipt but I'm pretty sure they were very hackable. Anyway half of them were always broken.

velcrovan

10 hours ago

Minnesota has a better system. You fill in a paper ballot using a pen, and the paper ballot gets optically scanned.

Besides avoiding any issues (real or imagined) with touchscreens, it makes it extremely cheap to stand up more polling places with more booths, since only one tabulator is needed; the booths themselves can just be little standing tables with privacy protectors.

nonethewiser

9 hours ago

>Minnesota has a better system. You fill in a paper ballot using a pen, and the paper ballot gets optically scanned.

>Besides avoiding any issues (real or imagined) with touchscreens,

Wait... I don't think these are the complaints being made against internet voting at all. The problem is with a computer counting and reporting it, right? Centralized, less transparent, etc.

I dont view writing my vote on paper and scanning it to be paper voting if it's just immediately fed into a computer.

zugi

7 hours ago

> I dont view writing my vote on paper and scanning it to be paper voting if it's just immediately fed into a computer.

The paper ballots are retained for recounts, and most places with this system automatically recount a random subset of the paper ballots to ensure it matches the computer totals. This guards against both shenanigans and mistakes. For security the scanning machines are not networked! A person carries around a little SD card (not USB as it's too hackable) to collect the totals.

The paper ballot with in-precinct immediate scanning system is the best system I've seen. It reports results quickly and leaves a full paper trail for recounts and accountability.

sjm-lbm

9 hours ago

This was common in Texas, but becomes challenging when one polling place serves voters that might have different elections to vote for - say, at a polling place on the line between two school districts or something like that. You can't just print one sheet of paper, and it to everyone, and call it a day. Toss in a few different jurisdictions that don't directly overlay each other, and the number of combinations become nontrivial.

(the machines used in Texas vary by county, in my county we use Hart InterCivic machines that are touchscreen but produce a paper trail - honestly I think it works well)

velcrovan

9 hours ago

That just sounds like you don’t have enough polling places.

sjm-lbm

9 hours ago

To be fair, that is true. Texas is around the 5th most difficult state to vote in per the Cost of Voting Index.

autoexec

9 hours ago

This really is the best way to do it. Scantron gives fast results and you get a paper physical record which shows the actual ballot exactly as it was presented to the voter along with what their vote was.

dylan604

9 hours ago

<devilsAdvocate>How many people spend time making their selections on the computer, then compare every single selection on the print out? Deniers could say the computer randomly prints votes to skew in certain candidate/party direction knowing not everyone would catch it.</devilsAdvocate>

all it would take is one person saying their printed ballot does not match their specific selection, and the whole thing would become chaos.

zerocrates

9 hours ago

The person you replied to is talking about ballots that are just on paper, filled in with a pen, and scanned. So there's no computer making printouts.

dylan604

8 hours ago

Same but different issues. Now you have to know that the dots were filled in correctly to be readable. Having someone make an obvious attempt at selection but not readable by the reader is also problematic. No reason to not count their vote. You may laugh about not being able to do it correctly, but it happens.

Only if the scantron shows that each position on the ballot was counted and the voter is not allowed to leave until the person monitoring the scan confirms with the voter their ballot was scanned would this give confidence. Any issues with the scan, and the voter is allowed to correct the issue. There should never be an issue of reading the ballot by the scanner as an acceptable outcome.

of course, all of this is assuming in person voting only

autoexec

7 hours ago

Checking each ballot for completeness sounds like a good improvement to the system. Right now people are just expected to mark carefully and double-check their work before feeding their ballot into the machine and request a new ballot if they mess up.

It might slow things down a little bit, but making sure that the machine can detect a vote for each race/question (even if it's just "Abstain") would make sure people didn't forget to fill out something and help prevent the fill-in-the-bubble equivalent of hanging chads.

dylan604

4 hours ago

I like the idea that "abstain" should be an option for each position on the ballot to remove the ambiguity of it just being skipped mistakenly. Require every position on the ballot to need a response from the voter regardless. That would definitely simplify the tally process even if it does require the voter to go back to fill in additional spots. Better to be right on even if it takes 30 more seconds.

autoexec

9 hours ago

We agree. Don't use computers. Scantron is only there to get a fast count for the news agencies. Manual counting of physical paper ballots would still be done anyway.

dylan604

8 hours ago

To manually count by hand every ballot would mean not finding out a complete tally well until after Jan 20. When election day and inauguration day was selected, the number of ballots to count were a mere fraction of today's count.

Manually counting votes is so error prone that I'd have less confidence in it than a scantron type of ballot. At this point, I'm more in favor of giving each voter a ball/bead/chip to drop into a bucket for each position on the ballot. After checking in, you go to each position to receive your one token. If you don't visit a position, you do not get a token to pass to someone else. Tallying the votes could be as quick as weighing the bucket as the weight of the bucket/token will be known. Each election can change size/weight/color of tokens to be unique. If the weights total an irrational weight, it would be deemed suspect and a hand sort of the tokens can be done to find the odd token.

autoexec

7 hours ago

Hand counts are kind of obnoxious but they can't be beat for transparency. There's no reason it has to be done at once either. Ideally people would be able to vote over several days and counting can start right away.

Balls/tokens aren't a bad idea either though, but it sounds like people pocketing a ball/token would force a manual count even if they kept them since the total weight of all buckets combined would be off. I'd also worry about people bringing in heavier or lighter balls/tokens but the bigger risk would be poll workers handing out heavier or lighter balls/tokens to specific people (or types of people) because it'd be easier to make sure the weights would add up in the end.

Maybe we could force everyone to vote at every position (which should have an abstain option) then have the machine check the weight of every ball/token as it was inserted, and verify that one but only one was inserted, before it fell into the selected bucket?

dylan604

5 hours ago

To me, hand counts are beyond obnoxious. How many times does each ballot need to be counted? Just once? Someone with an agenda could cause havoc. Twice? Three times? Majority wins? How many times would non-unanimous count be allowed before the person making the odd result be dismissed/replaced? I can't remember the hanging chad debacle process, but I do seem to remember one person looking at it before handing it to the next person for confirmation.

I like the idea of placing the token into a verifier to validate authenticity before dropping into the bucket. Similar to a coin sorter where invalid tokens get rejected to a separate bin with a light and siren to ID the person trying to cheat. These could get expensive as you'd need one per candidate per position on the ballot.

Spooky23

10 hours ago

The New York mechanical machines by the 2000s were all worn out, there was a statistically higher occurrence of certain numbers (I believe 9) because the gearing was worn down.

seanmcdirmid

10 hours ago

> The most important feature of public elections is trust. Efficiency is one of the least important feature.

If efficiency is low enough to significantly affect turn out, you cannot trust the results.

> We should move back to paper voting.

Nowhere in the US is electronic voting used from what I know of. Estonia is the only country I know of that does internet voting, but my info could be out of date.

KurSix

2 hours ago

One thing I'd add is that paper voting's strength isn't nostalgia, it's public verifiability

teleforce

9 hours ago

One of the main aims of voting system (physical or online) is to increase the participation of the voters, since the average turnout of global voters are less than 70% (filter by continents for simpler aggregated average) [1].

For example even in country with pervasive internet connectivity (99%) like in Netherland the voter turnout in 2024 is only 77%.

Security technology of trust management in the centralized voting system and architecture has already been solved and well understood, and now we are even moving into zero trust with multi-factor authentications.

All this while the venerable Kerberos has been around for decades with its secure derivatives, and its secure alternatives are numerous. For the more challenging fully distributed arguably has already been solved recently by blockchain, immutable data, etc.

This is the classic example is not that you can't (as claimed by the the article), but you won't. This is what political will is all about and since this is on political voting this lame attitude is kind of expected.

[1] Voter turnout of registered voters, 2024:

https://ourworldindata.org/grapher/voter-turnout-of-register...

dbcurtis

10 hours ago

Mostly agree, but we don’t have to give up the benefits of direct digital tabulation for quick results. I would like a paper audit trail. Print my ballot-as-cast for on a paper roll that scrolls by under a window. I can verify it before leaving the voting booth. Recounts and challenges can be a computer scan of the paper roll. None of this is hard. Costs a bit more, but buys trust in the system.

jcrawfordor

10 hours ago

This is the system used in the majority of the United States. Direct-recording electronic voting systems were never that common, briefly peaked after the Help America Vote Act as the least expensive option to meet accessibility requirements, and have become less common since then as many election administrators have switched to either prectinct tabulators or direct-recording with voter-verified paper audit trail.

In the 2026 election, only 1.3% of voters were registered in jurisdictions that use direct-recording electronic machines without a voter verifiable paper audit trail (https://verifiedvoting.org/verifier/#mode/navigate/map/voteE...). 67.8% of voters are registered in precincts that primarily use hand-marked ballots, and the balance mostly use BMDs to generate premarked ballots.

LiamPowell

10 hours ago

You don't necessarily need any sort of electronic counting for quick results. Federal elections in Australia are usually called late on the voting day and I imagine the same is true for other countries that are paper-only.

lawtalkinghuman

4 hours ago

Same in the UK.

Votes close at 10pm. Might be a few stragglers left in the queue, so call it 10:15pm. (Exit poll results are embargoed until 10pm.)

Ballot boxes are transferred from individual polling station to the location of the count. The postal votes have been pre-checked (but the actual ballot envelope has not been opened or counted) and are there to be counted alongside the ballots from the polling stations.

Then a small army of vote counters go through the ballots and count them and stack together ballots by vote. There are observers - both independent and appointed by the candidates. The returning officer counts the batches up, adjudicates any unclear or challenged ballot, then declares the result.

The early results come out usually about 1 or 2. The bulk of the results come out about 4 or 5. Some constituencies might take a bit longer - it's a lot less effort to get ballot boxes a mile or two down the road in a city centre constituency than getting them from Scottish islands etc. - but it'll be clear who has the majority by 6 or 7 the next day.

I can appreciate that the US is significantly larger than the UK, but pencil-and-paper voting with prompt manual counts is eminently possible.

anon291

6 hours ago

Oh but you see in America, it takes us more than three weeks to count ballots.

tptacek

10 hours ago

That's how it works in Cook County and a lot of other places: it's touchscreen voting, using "ballot marking devices", which produce a paper ballot you hand to an EJ to submit.

deathanatos

10 hours ago

Some paper jurisdictions have this, essentially. E.g., where I live: the ballot is a paper ballot. You vote by filling in a circle/bubble. (If you're familiar with a "scantron" … it's that.)

It looks like a paper document intended for a human, and it certainly can be. A machine can also read it. (And does, prior to it being cast: the ballot is deposited into what honestly looks like a trashcan whose lid is a machine. It could presumably keep a tally, though IDK if it does. It does seem to validate the ballot, as it has false-negative rejected me before.)

But now the "paper trail" is exactly what I submit; it's not a copy that I need to verify is actually a copy, what is submitted it my vote, directly.

autoexec

9 hours ago

> I would like a paper audit trail. Print my ballot-as-cast for on a paper roll that scrolls by under a window. I can verify it before leaving the voting booth.

Why should you be forced to trust that what you're shown is also what was being counted? The paper record should be the actual ballot itself, with your actual vote on it.

PaulDavisThe1st

8 hours ago

> The most important feature of public elections is trust.

I think that perhaps you meant to say that the easiest thing about public elections to undermine is trust. You don't need to actually hack the ballots, send in fake electors, or any other actively nefarious stuff. Just undermine people's "trust" in elections (ironically by talking about how important that "trust" is), and voila, you've done much more harm to an election process than anything we have actual evidence for.

dstroot

9 hours ago

I suppose I'm an optimist. I believe it is possible to create a secure online voting system. My life savings might be held at Fidelity, Merrill, or elsewhere, my banking is online, 90% of my shopping is online and it all has "good enough" security. Plus most banks seem to be well behind the state of the art in security. I believe with the technologies we have available today, we could create a secure, immutable, auditable voting system. Do I believe any of the current vendors have done that? NO. But I believe it could be done.

bwestergard

9 hours ago

People of limited technical ability can understand the checks and balances of a paper voting system, which legitimizes outcomes. No digital voting system I'm aware of has this characteristic.

charcircuit

8 hours ago

They can't understand the cybersecurity of a banking app either yet they use those.

dfadsadsf

9 hours ago

Money are stolen electronically every day - we do not know how to build secure systems. Considering the stakes for national elections (civil war or government instability) good enough is not good enough.

I agree with you on local elections - electronic voting is good enough for town or even state level elections. The stakes are dramatically lower.

nonethewiser

9 hours ago

Banks have KYC - in the USA it's racist to ask someone to prove their identity before voting.

reactordev

9 hours ago

We have ID.gov and we have blockchain. If we can ensure that the person submitting the vote is indeed that person, would it matter whether it was online, in a booth, or by mail?

kQq9oHeAz6wLLS

8 hours ago

I'm told people of color have a hard time getting IDs.

droopyEyelids

9 hours ago

You're not securing your banking details from the bank. The people running the elections are a probable adversary during elections, though.

That makes software really unsuitable.

closewith

9 hours ago

How do you solve the issue of manipulated voting? That's solved by in-person ID-authenticated voting, but can never be solved by online voting.

anon291

6 hours ago

It's of course possible. In fact electronic voting could be safer. The issue is that voting has nothing to do with technical details of safety and everything to do with trust. If your electorate doesn't understand modular arithmetic, then there's no point to electronic voting.

p-e-w

9 hours ago

Elections in most countries involve tens of thousands of volunteers for running ballot stations and counting votes.

That is a feature, not a problem to be solved. It means that there are tens of thousands of eyes that can spot things going wrong at every level.

Any effort to make voting simpler and more efficient reduces the number of people directly involved in the system. Efficiency is a problem even if the system is perfectly secure in a technological sense.

energy123

7 hours ago

Yes, and this isn't a tech problem. It's a civics problem. Being secure is necessary but insufficient. We need to be maximally impervious to false allegations of insecurity. Having an election process that's comprehensible and transparent is part of that.

travisgriggs

10 hours ago

What if some level of efficiency (not necessarily internet) improves turnout and participation?

deathanatos

10 hours ago

At least in the US, I think there are a number of suggestions that are made repeatedly each cycle here. Like "it should be a paid federal holiday", and not putting onerous requirements on voters. Automatic registration. The list goes on.

But I what is written over and over is more on the lines of "I don't trust the process". I cannot blame anyone for not trusting Internet voting: I am a professional SWE, and it would be impossible for me to establish that any such system isn't pwned. Too much code to audit, hardware that's impossible to audit. But it's pretty trivial to demonstrate to the layperson how paper voting works, and how poll observers can prevent that process from being subverted.

the_snooze

10 hours ago

There are non-internet ways to do that. States are really the "laboratories of democracy" on that front, with different states having affordances like long early-voting periods and mail-in voting.

However, those are in the context of whatever political system they're in. No level of efficient election design is going to put a dent in the fact that California loves direct-elected downballot offices (e.g., treasurer, controller, insurance commissioner, state judges, local judges, etc.) and referenda, which all result in super long and complicated ballots with 50+ questions each.

bikelang

10 hours ago

We have mail voting as a default in Colorado. When you get your license you are registered to vote and opted in automatically. The one piece that might improve it further is if it came with a stamp to mail back. Otherwise you just drop it off at a drive-up ballot box. You can also vote in person if you want. Hardly anybody does it so there’s never a line.

You get text messages each step of the process too. “Your ballot has been mailed”/“your ballot has been delivered”/“your ballot has been received”/“your ballot has been counted - thanks for voting”.

irishcoffee

10 hours ago

How do they prevent double voting?

seanmcdirmid

10 hours ago

The ballots envelopes (not the ballots themselves) are keyed to the voter's identity. When the ballot is removed (not until the signature is verified and not contested), the voter is counted as voted, so if they double vote, then the second vote will be rejected. Likewise if you try to vote by mail and then at the poll, you are flagged before you even try to vote.

jaydenmilne

10 hours ago

Other states that do this well don't start counting mail in ballots until after polls closed. They know if someone voted in person, so their mail in ballot is rejected before being opened and verified.

bikelang

10 hours ago

When you vote in person they print out a label that has some internal identifier unique to you and place it in your ballot

mannykannot

10 hours ago

Improved turnout and participation is a good thing in itself, but not necessarily if it puts a weapon in the hands of those who do not like the outcome and are seeking to invalidate it without regard to whether it represents the electorate’s legitimate choice.

earleybird

10 hours ago

A question we all have to ask ourselves. What would I trade for efficiency?

nerdponx

9 hours ago

Efficiency for the voter and efficiency for the vote counting process are totally different things.

tdb7893

9 hours ago

Are there places that don't do paper voting in the US? Ballots are still paper everywhere I've voted (mail in ballots, electronic ballots with printouts, filling in bubbles, etc. It's always been paper).

Also, even with paper ballots hand counted people aren't suddenly going to trust elections, at least not some people I know. I had someone say that hundreds of thousands of illegal immigrants voted in the last election. That obviously didn't happen and there's already controls to stop that from happening but that didn't stop them from believing it. It's one of the issues with the conspiratorial thinking, it's durable even in the face of overwhelming evidence.

nonethewiser

9 hours ago

Isn't it effectively computers everywhere? Sure, you may write on a piece of paper but there is a computer scanning and reporting it. I dont see a practical difference between that and submitting a form directly on a computer.

tdb7893

8 hours ago

With paper ballots you can do hand recounts physically with the paper and it's much harder to change values than digitally (obviously), which is a huge difference. You could switch to hand counting by default for everything but the conspiracy theories are really durable for process changes like that so my experience is it won't make a difference.

To expand on that a bit: I've only found their preferred candidate winning to be a long term convincing argument to them (and even then they still will be suspicious). The scenarios I've heard aren't even possible in the current system but they don't trust the election system as a whole so there's no control they would be satisfied with. Even if they personally counted the paper ballots themselves they would just say the ballots were switched out before they got them. Obviously not everyone who doesn't trust elections is like this but I know a lot of people like this.

ronbenton

8 hours ago

Drives me nuts how many people don’t understand we are already using paper ballots. Electronically tabulated using risk-limiting audits.

Why are so many people convinced we don’t use paper ballots? Disinformation?

seattle_spring

10 hours ago

You're conflating "efficiency" with "disenfranchising voters."

Mail-in voting enabled citizens who otherwise simply couldn't vote, to vote. Citizens who, more often than not, were from already disadvantaged backgrounds.

closewith

9 hours ago

Many countries with far higher participation rates do not allow mail-in voting, which definitely should be banned to prevent voter manipulation.

pfisch

9 hours ago

The only thing seriously reducing trust in elections is anti-democratic politicians who will ALWAYS find a convenient reason to claim the election is rigged, and many of their followers will believe and propagate that lie to create distrust in the election.

There is really nothing we can do to satisfy these people except create some kind of structure they demand which will somehow be made to heavily lean in their favor. That is what will satisfy them. Nothing else will.

s1artibartfast

9 hours ago

it seems like encoded receipts are a simple solution for electronic auditability.

Voter registry is used to generate traceable but anonymous keys

Used when voting

Votes are electronically counted.

Voters can check their votes against the count

Third parties can check vote counts against the anonymized registry

autoexec

9 hours ago

It depends on what "Voters can check their votes" means since you have to make sure that nobody can take a receipt to see which way someone (including themselves) voted. You're also still stuck trusting that what your receipt said matches what actually got counted.

The best paper record is the actual ballot you yourself marked and turned in. It shows exactly what the ballot said and it shows what your selection was. Counting of those ballots can take place in public, on camera to make sure that each vote gets counted correctly. No internet or computers needed.

s1artibartfast

6 hours ago

I think there's nothing wrong with giving people a way to check that their vote was counted for the party or person they intended.

autoexec

5 hours ago

It means that some people will be able to force others to vote a certain way, punish them if they don't vote a certain way, or even pay them for their votes. Those schemes are a lot less effective when you can't prove how someone voted. People can try to bribe you, or even intimidate you, but once you're in the voting booth you have the freedom to vote however you want and nobody can find out later which way you actually voted. That freedom is very important and worth keeping. You already know which way you voted, no one else needs to be able to check.

voxl

10 hours ago

yeah, trust is real important. Wait, what's that. Stop the count? Don't count all the votes because it's taking too long? Where have I heard that before... What political, totally not fascist, group of people have supported a politician saying that before...

ss1996

10 hours ago

I agree with the risks, the overall theme being it's much easier to potentially manipulate a million internet votes than physical. In other worlds, internet vote manipulation scales significantly more than physical.

But I could make the argument with any high trust internet system.

Let's take another high trust activity we do on the internet - banking. Internet banking gives a hacker the ability to steal millions while sitting across the world. This is the same argument the authors make about changing a million votes.

So it really comes down to the pros vs cons. That's the more important discussion imo.

Do the benefits of internet voting outweigh the cons?

iamnothere

9 hours ago

Unless you’re talking about crypto, your internet banking hacker will not get away with anything significant. You can’t just “hack the bank” and take a million dollars. Banks only transfer funds digitally to one another by agreement through systems like SWIFT, and these transactions are traceable and reversible. Changing some ones and zeros in your account and then attempting to withdraw it all would raise a ton of flags, and you would need to breach an unrealistic number of systems and processes to make it possible.

At best you might be able to scam someone into sending you a few hundred dollars via Zelle. Some scam centers do this 24/7, but it isn’t that easy, and apparently they rely on human trafficking to acquire free labor.

The complex systems backing internet banking (including the people and processes) are immense in scale. They evolved over decades and were honed and improved as real problems occurred. Needless to say, there is no room for iterative trial and error in elections.

If you hack the bank you get very little, at least today. If you hack an election you get everything. No thanks. No to electronic voting.

bschwindHN

10 hours ago

Internet banking is not anonymized. Voting should be.

hydrox24

10 hours ago

> Let's take another high trust activity we do on the internet - banking. Internet banking gives a hacker the ability to steal millions while sitting across the world. This is the same argument the authors make about changing a million votes.

Bank fraud happens all of the time and at scale. However, it is entirely insurable and reversible.

Election fraud is not reversible. Trust cannot be restored in the way that a bank account can.

protocolture

9 hours ago

>Malware on the voter’s phone (or computer) can transmit different votes than the voter selected and reviewed. Voters use a variety of devices (Android, iPhone, Windows, Mac) which are constantly being attacked by malware.

Yeah see this is where I thought this was going.

Phones can be insecure, but in aggregate they are secure enough for literally every other component of life to be conducted on them.

>Malware (or insiders) at the server can change votes. Internet servers are constantly being hacked from all over the world, often with serious results.

Again, great point. Accepting this point will the government erase all the private identifiable data it has collected on me from its systems? Probably not, because they have made a cost/benefit analysis that suggests the risk is middling compared to the reward.

>Malware at the county election office can change votes (in those systems where the internet ballots are printed in the county office for scanning). County election computers are not more secure than other government or commercial servers, which are regularly hacked with disastrous results.

This seems like a weird seppo thing.

Currently the risk of an election being seen as fraudulent is high, and the reward of online voting is low.

But we dont have to conceptualise the modern boring election when we look at online elections. We can look at alternative models, closer to real time use and other gains that tip things back in its favor.

Actually the biggest issue I see with online democracy is apathy and minimum quorum sizes.

elbasti

9 hours ago

Voting is not a monolithic process. It's actually a combination of 3 things:

- How votes are cast

- How votes are counted

- How votes are custodied

In order for an election to be trusted, all three steps must be transparent and auditable.

Electronic voting makes all three steps almost absolutely opaque.

Here's how Mexico solves this. We may have many problems, but "people trust the vote count" is not one of them:

1. Everyone votes, on paper, in their local polling station. The polling station is manned by volunteers from the neighborhood, and all political parties have an observer at the station.

2. Once the polling station closes, votes are counted in the station, by the neighborhood volunteers, and the counts are observed by the political party observers.

3. Vote counts are then sent electronically to a central system. They are also written on paper and the paper is displayed outside the poll both for a week.

The central system does the total count, but the results from each poll station are downloadable (to verify that the net count matches), and every poll station's results are queryable (so any voter can compare the vote counts displayed on paper outside the station to the online results).

Because the counting is distributed, results are available night-of in most cases.

Elections like this can be gamed, but the gaming becomes an exercise in coercing people to vote counter to their preference, not "hacking" the system.

**

Edit: Some people are confused about what I mean by "coerced." Coerced in this case means "forced to vote in some way."

The typical way this is done is as follows:

- The "coercer" obtains a blank ballot (for example, by entering the ballot box and hiding the ballot away).

- The blank ballot is then filled out in some way outside the poll station.

- A person is given the pre-filled ballot and threatened to cast it, which they will prove by returning a blank ballot.

- Rinse and repeat.

This mode of cheating is called the "revolving door" for obvious reasons.

hintymad

9 hours ago

What I failed to understand is why only in the US the voting procedure is so controversial. Want paper vote? That's racism. Want counting in a day? That's xenophobia. Want to limit certain time window for counting? That's definitely racism. It's funny that the US criticized that EU countries were getting less democratic. Well, at least those countries have a much more sane voting process.

hackyhacky

9 hours ago

> Want paper vote? That's racism. Want counting in a day? That's xenophobia. Want to limit certain time window for counting? That's definitely racism.

This characterization is reductive and basically a straw-man.

The principle underlying opposition to "counting in one day" is basically that every vote that is correctly placed in time should be counted, and as many people as possible should have access to voting. Mail-in voting, for example, has been shown to increase voter turnout by making voting more convenient, but you have the question of what to do with ballots that are received late. There are pretty good arguments for counting all mail-in ballots that are postmarked before the election, and I don't think "xenophobia" is among them.

In America specifically, all decisions relating to access to voting are considered against a backdrop of our widespread and systematic attempt to restrict voting. A modern example of this is related to wide disparity in the number of polling places, and therefore the amount of time required to vote, in "urban" regions of some southern states as compared to rural regions.

I have never heard of a racism-based opposition to paper ballots. I think you just made that up.

asdfaslkj353

8 hours ago

> voter turnout

Make voting mandatory and on public holiday. Problem solved.

array_key_first

5 hours ago

The people championing one day voting don't propose this, because they would prefer to bias voting towards people with lots of time off.

popalchemist

9 hours ago

Are you American? Are you white?

There are historical factors that contribute to those things you brought up. American minorities are disproportionately affected by things like limited hours, for example. You'd know that if you were an American POC.

pxc

8 hours ago

GP has also taken these issues and personalized them. They're about impact and access, not whether the person raising the idea is racist or a xenophobe or whatever.

blharr

9 hours ago

I don't understand the critique. Nobody has ever made these claims.

I don't mean this as an ad hominem, but was this comment generated with AI or something?

elbasti

9 hours ago

You'll find those claims in sibling comments to yours, so they are clearly pretty real!

(At the time of writing this comment there's a sibling claiming that the comment cannot possibly understand this POV because they are not "an American POC.")

creata

8 hours ago

The specific comment by popalchemist you're referring to is actually fine (they're talking about voter suppression, which is a problem in the US), and isn't at all one of the claims that hintymad says people are making.

hackyhacky

8 hours ago

> You'll find those claims in sibling comments to yours, so they are clearly pretty real!

Really, where? In the sibling comments (including mine) people are pointing out that those claims are specious.

drBonkers

9 hours ago

These objections to secure voting always smell the same as “privacy and encryption bad, must protect children!”

chrisco255

8 hours ago

Politicians just use those accusations as cover for conducting fraud or enabling the conditions that they inherently benefit from. There's no reason to not use paper, ID checks, and same-day accounting.

hackyhacky

8 hours ago

> There's no reason to not use paper, ID checks, and same-day accounting.

Sure there is. ID checks make it impossible for people who don't have government-issued ID to vote, which is a lot of people; and furthermore ID checks don't actually improve election security. Same-day counting is impossible if you are going to count all mail-in votes that were sent before the deadline.

To be clear, I'm not saying that politicians aren't agitating for conditions that benefit them. That's there job. But I also believe in supporting access to voting and fair elections, and at least some of the politicians' arguments help achieve those ends.

array_key_first

5 hours ago

There are many reasons not to do those things, "lalala not listening" isn't an excuse.

It's usually very simple, too. For voting ID: ID isn't evenly distributed, and that's not an opinion, that's a fact.

So if you require ID, then obviously you will suppress some demographics more than others. That creates a bias. Again, not opinion.

This can be solved. You will notice none of the people championing voter ID make even a thinly-veiled attempt to solve it. Instead they say stupid things like "oh wow so black people can't get ID now? Uh, buddy, I think YOU'RE the racist one!"

mmooss

8 hours ago

I think these claims are badly miscontrued at best, and match one party's outlook. The Republican Party has tried inhibiting voting in ways that benefit them, often by making it more difficult for minorities to vote.

Many of those tactics existed on a large scale in the South before the Voting Rights Act, and when the Supreme Court recently invalidated the Act, many have returned. For example, reducing voting locations in minority areas so people have to travel far and wait longer. Texas and possibly other states have criminalized errors in voter registration (iirc), making it dangerous to register voters. Georgia, and others, conducted a large-scale purge of voting rolls, requiring people to re-register. Requiring government-issued ID prevents many people from voting, often poor people and immigrants who lack what wealthier people are accustomed to. Florida's voters passed a ballot measure enabling ex-felons to vote; the Republicans added a law requiring full restitution to be paid (iirc) before they could vote, effectively canceling the ballot measure vote. And these days almost any Democratic victory is called fraud; remember the 2000 election, the lawsuits, riots, threats against ordinary citizens working on local election boards and on elections, etc.

Directly addressing the parent's claims: I've never heard of paper votes being called racism - could you share something with us? Calls to limit counting are often accompanied by calls to limit the voting period, invalidate votes received later (e.g., due to US mail delays), and calls to greatly restrict mail-in voting - all things that make it more difficult for people working two-three jobs.

The Democrats have their flaws; I've never seen them try to limit voting. That should be something everyone in the US - and in the world - agrees on: Do all we can to enable everyone to vote.

fzeroracer

8 hours ago

> Want counting in a day? That's xenophobia. Want to limit certain time window for counting?

Why do either of these matter? If you assume paper voting in-person is secure, then there is zero reason to also limit the time spent counting or the time window for counting. Anything past that point is clearly trying to fill some sort of agenda for the sake of disenfranchising people who cannot adhere to the times you're trying to set.

Nursie

9 hours ago

> Want to limit certain time window for counting?

Why would you want that?

Surely what you want is to enable everyone to vote, and then to count all the votes?

In the UK where I have most experience of this stuff, there are many, many small polling stations, and usually you just walk right in and vote without queueing. The longest I ever had to wait to vote was about 30 minutes. Votes are counted locally and results usually declared within a handful of hours. Some take longer due to recounts etc if the tally is very close in a certain area, but the whole thing is pretty uncontroversial and pretty low-effort.

Here in Australia, voting is compulsory, it's always on a Saturday, and there's usually a charity sausage-sizzle at the polling place, it's sorta fun. And again, AFAICT (I'm not a citizen yet) the infrastructure is over-provisioned so people aren't waiting around forever.

From what I hear about the US, in some places voting can take hours, it seems like the number of polling places is deliberately limited to make it hard for people to vote, and you have those weird/horrible rules cropping up like it being illegal to hand out water to people in line, which seems purely designed to discourage electoral participation. And then you have all these calls to stop the count after a certain time etc.

It's deeply weird from an outside perspective. If counts are taking too long, if people are having trouble voting, provision more... but of course it seems clear that there are motives for underprovisioning, because one or other group thinks it will benefit them.

cogman10

9 hours ago

How we do it in Idaho, which I think is pretty much the ideal level.

1. Everyone votes on paper.

2. An electronic tallying machine tallies the vote.

3. Vote counts are sent to a central system, IDK if it's electronic or not.

4. Candidates can challenge and start a hand recount at anytime.

I think this combo is pretty close to the ideal. The actual ballots are easy to audit. Discrepancies can be challenged. And the machine doing the tallying isn't connected to the internet, it's just a counting tool that gets the job done fast.

For people with disabilities, poll workers can come in and help with the vote.

derektank

8 hours ago

If you’re willing to do away with the secret ballot, you can eliminate a lot of the need for transparency in the mechanics. If people are able to check their own vote for discrepancies and speak to others to confirm their validity, you only really need to confirm that the final vote count is tabulated correctly (which again, is relatively easy to independently verify).

hackyhacky

8 hours ago

> If you’re willing to do away with the secret ballot

We're not willing to do that. No modern democracy has public ballots. The reason is simple: secret ballots make it effectively impossible to buy votes, as there's no way to prove how any person actually voted.

derektank

4 hours ago

I would simply say speak for yourself.

You’re making a choice between making it impossible to buy votes and impossible to verify votes. Both come with tradeoffs that can be mitigated, whether that be investigating and prosecuting attempts at bribery in one case or maintaining a strict chain of custody in the other. The decision ultimately comes down to a judgement call on regarding your priorities. I don’t think eliminating the secret ballot should be dismissed out of hand, given most voting was conducted without it prior to the late 19th century.

nwellinghoff

9 hours ago

You can achieve the same thing with electronic voting. Just because its electronic does not mean you do away with the “layers”

LelouBil

8 hours ago

That's pretty much the same in France

nonethewiser

9 hours ago

>Elections like this can be gamed, but the gaming becomes an exercise in coercing people to vote counter to their preference, not "hacking" the system.

If that's gaming the system, what even is the point of voting?

elbasti

9 hours ago

The key word is coereced (as in, forced, not convinced).

capitanazo77

9 hours ago

Yeah. The weakness in any democracy are “populist” Robin Hood politicians.

hackyhacky

9 hours ago

> If that's gaming the system, what even is the point of voting?

Good point. Let's just get rid of voting and go back to "divine right of kings", at least until they develop a cure for human gullibility.

__MatrixMan__

9 hours ago

People can be taught to recognize when they're being duped.

This may be a bit tinfoil hatty of me, but I think the whole anti-woke thing is a ploy to interfere with that kind of education.

idiotsecant

9 hours ago

Are you suggesting that voting is pointless because some people can be convinced to vote for stupid things?

ggggffggggg

9 hours ago

I think the point is that’s not “gaming” that’s just how voting works. Gaming would be getting your preference by voting against it.

Panzer04

10 hours ago

To some extent, I think the cost of paper voting is almost a feature. It takes more work and effort to corrupt a paper voting system enough to change an electoral outcome, it helps more people gain familiarity with the electrical process and places an additional weight on the decisionmaking,

alanwreath

10 hours ago

It’s not that it’s impossible - it’s that the established players are already questionable. And any new entry would require more than any simple company could provide. Heavy investment and collateral is required.

Our livelihoods are increasingly (almost entirely) digital and endure great efforts to abuse. But banking and/or retail operate on a different spectrum. For one they make money. The costs associated allowing their business online may never make sense for a non-profit based activity like voting.

Do we have any examples of internet activity as tempting to infiltrate/pervert that is secure and doesn’t extract value?

Anyways it seems greater damage will be done before we even reach a provably secure system. So paper/pencil voting would be better.

But fear not - even if we abolish voting machines we aren’t out of the hole just yet. We have good company with concepts like Citizens United as well as activities like sweepstakes that try to sway the populace to throw away a vote for a chance at a million. Illegal - sure - but that won’t stop the ostensible infinitely wealthy from enduring a slap on the wrist - or more appropriately a verbal reprimand (which is all that happened last time) for their part in electioneering. And if that didn’t work we have an onslaught of reAlIty and bots that poison our conversations in order to form our world views.

I’m jaded. I’m overly pessimistic. I’ll go now.

nerdponx

9 hours ago

Prediction: In 2026 the Trump administration will attempt to ban all other forms of voting and will claim that it is in the interests of election security, because the Democrats can't be trusted to count votes (remember the 2020 election was "stolen"?), so we need to mandate all votes be counted electronically using some sketchy electronic voting system, which a company that is very politically friendly to Trump just so happens to be ready to provide. It will get immediately shot down in several courts but it will take months to resolve all the lawsuits, and SCOTUS won't hear the case. This will cause the election to be held in some places but not others, and overall delay final vote tally by several months. Some kind of data breach will occur but details will not be reported. Neither party will trust the election results but won't go so far as to call fraud lest public trust in the system completely unravel.

PeterStuer

3 hours ago

True.

Mail in voting suffers from some of the same issues. We go to great lengths (cabins, curtains, no pictures allowed etc.) to ensure people can verifiably cast a free will vote, then open a giant loophole for potentially coerced, non private or transactional voting.

zwranadikos

9 hours ago

So my internet banking is secure for my funds, but internet voting is not for my vote. Right... OK, we got the message.

AngryData

6 hours ago

Internet banking has security breaches and errors more often than you might think, it is just much easier to track down and retroactively fix any problems. The problem with elections is retroactively fixing a voting problem doesn't always happen and some of the most powerful people and groups have interests in preventing it and the common people have little real recourse when the cards come down other than rioting and potentially insurrection before they know the true results.

autoexec

9 hours ago

Internet banking is not secure. People's accounts get hacked all the time. Your bank transactions aren't a secret from your bank though. There are a lot of eyes on your accounts (including your own) and corrections can be made after the fact.

No one (including yourself) can be allowed to look up how you voted later.

nonethewiser

9 hours ago

Banking errors are detectable and reversible. You also arent anonymous.

GJim

2 hours ago

Baking and voting have a completely different set of requirements and security risks.

To suggest a direct comparison is idiotic.

anon291

6 hours ago

If you had enough money such that reversing fraud would become a huge hindrance for your bank, you probably cannot initiate any major monetary moves without the involvement of a real person, likely one you actually know. Online banking is for amounts which the bank will just compensate you for should something happen; just a cost of doing business.

KurSix

2 hours ago

This feels like one of those cases where the technical consensus has been clear for years, but the policy and media narratives keep resetting to "maybe this time it's different."

charcircuit

8 hours ago

>Voters should not be able to prove to anyone else how they voted – the technical term is “receipt-free” – otherwise an attacker could build an automated system of mass vote-buying via the internet. But receipt-free E2E-VIV systems are complicated and counterintuitive for people to use.

This can easily solved be done via letting people forge receipts. Then anyone can forge a vote to give to someone offering to buy them.

The receipt is in fact the best part of such systems as with paper voting it is impossible to verify if your ballot was counted or if it got "lost."

JanisErdmanis

44 minutes ago

> This can easily solved be done via letting people forge receipts. Then anyone can forge a vote to give to someone offering to buy them.

This is the literal definition of receipt freeness. It’s hard to ensure that the receipt you receive to verify your vote had not already been forged by the malware.

crazygringo

7 hours ago

I'm not sure if there's a way to make forging work.

You can't forge a new ballot, because ballot IDs are necessarily public, and are cryptographically tied to a voter ID in order to ensure votes are valid and that everybody only votes once.

But it seems like nothing is stopping you from looking up ballots at random until you find the votes you want, and then claiming that was your vote. And if someone else got paid for the same one, then claim they're the one lying, not you?

charcircuit

7 hours ago

You don't forge a ballot. You are forging the proof of your vote.

lacunary

8 hours ago

then it's not a proof of who you voted for

charcircuit

8 hours ago

You would know which would be the real one and which you forged. Obviously when checking that your vote was properly counted you wouldn't use a forged one.

victor_vhv

7 hours ago

I live in Spain, and we have paper-based elections. Similar to what I've read from other comments, in our system, people are randomly selected to participate in oversight and counting. Different actors in the elections are able to oversee the process and count. Counts are performed by the randomly selected people and sent to headquarters from the site itself. Then, each ballot box count is available for display right after the counts are completed. Ballots are transported by the police to a safe location in case a recount is needed or randomly selected.

I'm leaving out other measures and details, but you get the general idea.

I used to flirt with the idea of a digital voting system, but now I clearly see that it is a problem of scale. It's very difficult to interfere with an election at scale when many independent actors and parallel flows are in place. This is what provides the system with its trustworthiness.

However, I think fraud is moved elsewhere (with campaign funding, fake news, and other methods...), but that's a whole different topic

JanisErdmanis

8 hours ago

> It’s difficult to make an E2E-VIV checking app that’s both trustworthy and receipt-free. The best solutions known allow checking only of votes that will be discarded, and casting of votes that haven’t been checked; this is highly counterintuitive for most voters!

Actually, Benaloh's challenge also does not offer receipt freeness. The adversarial strategy in such a model is to outsource the challenger itself in a hash function which decides whether to accept or discard the vote. It may look impractical at first, but one can build an app that could do that efficiently.

It can be said that all existing end-to-end verifiable remote e-voting systems compromise individual verifiability when reconciling it with receipt-freeness by introducing an assumption about the hardware-based protection of voters' secrets. If they leak or are predetermined by a corrupt vendor implementation, the malware on the voter's client can manipulate the vote at submission, and the adversary later fakes verification for the voter by exploiting that knowledge.

Still, I believe it's a solvable problem which needs more attention. Bingo evoting system is almost there, for instance, with verifiably random generated trackers, but needs a voting booth with a Bingo machine taken at home.

Kim_Bruning

10 hours ago

Estonians seem to have funny ideas on this. They're very VERY digital-forward.

TazeTSchnitzel

10 hours ago

And their system has the same problems as all the others: https://estoniaevoting.org/

Kim_Bruning

10 hours ago

Looks like. More recent papers still find vulnerabilities too.

Steelmanning: They're putting the effort in so we don't have to. Either they find a way and it'll be awesome, or at some point they become an object lesson.

edit: Or third path: They muddle along just well enough with a system that can't work in theory, but ends up nearly working in practice, stochastically? (see also: email, wikipedia, or a hundred other broken things that can't possibly work but are still hanging on. )

mspecter

8 hours ago

Hey all, coauthor here. Interesting to see it on Hacker News.

I'm a professor in Georgia Tech's CS dept that works on problems related to security, privacy, and public policy. (CV: https://mikespecter.com/)

Happy to answer any questions you all have.

kuerbel

6 hours ago

Have you had a look at the Swiss post e-voting system and how it deals with verification?

stoneforger

7 hours ago

Voting needs to be auditable and verifiable by the lowest common denominator, to the last voter. As such anything that involves anything more complicated than counting by hand is out.

travisgriggs

10 hours ago

So where is the thought on mail in these days? It’s what we have in Washington and I rather like it.

DJBunnies

10 hours ago

I believe the piece we're missing is the government (citizen?) service which issues (manages, replaces, revokes) constituents' cryptographic tokens for use with such things.

Then our voting systems could be electronic, secure, open, verifiable, and mostly private; assuming effective oversight / this organization does not issue fraudulent tokens or leak keys or identities (big assumption, but I don't think it's impossible.)

kaashif

10 hours ago

Isn't a vote being verifiably tied to a person actually a bad thing? Then you can actually check what e.g. your wife or kids voted for and punish them if they vote wrong. Or get people to pay for votes, but doing that at scale is obviously hard.

Maybe this isn't what you meant by verifiable, but there are systems with this property and they are bad.

dandelany

10 hours ago

The property you are talking about is generally called "deniability" in the literature, whereas the GP is talking "verifiability" ie. being able to verify your own vote is cast correctly. They are both valuable, sometimes mutually exclusive, but not necessarily, see eg. https://petsymposium.org/popets/2024/popets-2024-0021.pdf

DJBunnies

10 hours ago

Verifiable in this context means I can verify my vote was tallied correctly.

BurningFrog

10 hours ago

That would also mean someone could force you to show who/what you voted for.

crazygringo

7 hours ago

No, because they have no idea what your true ballot ID was.

They can force you to show them a ballot, the idea is that all ballot ID's get made public. You could be showing them anybody's and they'll never have any way of knowing.

JanisErdmanis

36 minutes ago

It seems you mean something simailar to Selene voting system where a tally board is published containing tracker vote pairs. Each voter can decrypt their tracker once the voting phase closes to check the vote and also means to fake the decryption for claiming another other tracker from the tally board as yours.

dghlsakjg

10 hours ago

Not necessarily. In Colorado they handle this by putting the ballot in a blind envelope inside a trackable envelope. I can verify the details of the receipt of that trackable envelope to the tallying center where it is verified as untampered and opened under video with multiple people present. The unmarked envelope is added to all the rest of the ballots to be counted.

kaashif

10 hours ago

So then you can verify your vote reached the tallying center, but not that it was tallied correctly. Someone can look at your vote and count it wrong.

I think that's fine and the best we can do, but the person I replied to said you can verify your vote is tallied correctly. That implies checking what the actual vote was.

dghlsakjg

8 hours ago

All true, but this is no different than any other ballot in the state. At a certain point you can choose anonymous ballots or you can choose trackable ballots.

DJBunnies

10 hours ago

Not at all. Make verification possible only at secure physical sites.

deathanatos

10 hours ago

Receipt-freeness (i.e., a secret ballot) is usually the desired property. Yes, a lot of people like you state they desire verifiable votes. But that's where you need to respond to the points the person above you is making: how is such a system not also susceptible to coercion and bribery?

(However you would verify your vote, imagine the person who is coercing you is just standing over your shoulder with threat of force. An example might be an abusive husband who does not want to allow their wife to vote freely/against him. A briber might simply force you to allow them to look over your shoulder before they'll pay you off.)

Vs. paper ballots in a polling place: a coercer would not be permitted in the poll booth with me. I get to vote, and when I leave, … I can tell them whatever, but it does not need to match my vote. It utterly defeats bribery, as the briber has no way to verify that I'm doing what they way.

charcircuit

8 hours ago

>An example might be an abusive husband who does not want to allow their wife to vote freely/against him

This is an edge cases which could be made illegal. If someone forces someone else to vote you could hang them.

DJBunnies

10 hours ago

The person above me makes assumptions about implementation details and then pokes holes in them. I answered above.

FeistySkink

10 hours ago

Yeah, we have certificates on our ID cards, but they need to be manually renewed every 3 years which necessitates a trip to the designated authority. And then the underlying system gets changed every so often invalidating the card types altogether, so they can be used as dummy IDs only.

tamimio

10 hours ago

Exactly, we can definitely build a secure online voting system, far more secure than the current paper one, but it will come with some downsides. One of them is a national digital ID mandated to all voters, which obviously can and will be abused by the government.

Another reason (besides what I mentioned in another post below) why such a secure system will never see the light, even if we can technically build it, is that the average person will start to question: why do we still need to vote for representatives if we have such a system in place? Can't we as citizens vote directly on bills/acts? Which makes sense since the current system was designed before all these tech and connectivity.

legutierr

9 hours ago

The article talks about being “receipt free” as a required feature of any electronic voting system.

Fine. But by that standard, in a world where someone can bring their phone or AI glasses into the voting booth to record the whole voting process, how can any voting system be deemed secure? Anyone can show anyone else how they voted.

GJim

2 hours ago

Filming or recording in a ballot booth is very illegal in Blighty.

(Granted, nobody is going to see you do it in a private booth with the curtain pulled across).

crote

5 hours ago

> But by that standard, in a world where someone can bring their phone or AI glasses into the voting booth to record the whole voting process

That's why some countries have outlawed that.

maxerickson

9 hours ago

It's not about showing how you apparently voted, it's about not being able to prove it.

You can record a picture of a ballot and then spoil it and things like that.

tedk-42

10 hours ago

Voting is one of those things that people care very little about but it's extremely important as it can determine who is the head of state (a position that has a lot of power an influence).

A single compromise once can have incredibly bad long term consequences for the majority of a ruling elite gain power indefinitely.

jcynix

8 hours ago

Electronic processes are way to easy to rig one way or the other.:

Tom Scott: Why Electronic Voting Is Still A Bad Idea https://youtu.be/LkH2r-sNjQs

Sure, there are ways to cheat with paper votes too. But counting paper ballots should always be open to watch for voters interested in observing the process. And voting should be done in secret, disallowing photos, to make it hard to "prove" the vote to possible buyers.

foolfoolz

10 hours ago

* “all your money lives on the internet and it’s safe”

* “internet voting is insecure”

who wins?

jpollock

10 hours ago

Internet voting needs to be anonymous and non demonstrable.

Internet money needs to be the opposite, and reversible through the courts.

bigger_cheese

9 hours ago

I think it is very difficult to secure internet voting, someone can stand behind you and twist your arm or otherwise coerce you to vote for their candidate. Much harder to do when there are observers and witnesses at the polling booth.

terminalshort

10 hours ago

It can't be anonymous. There has to be some form of IDV to ensure it is a registered voter.

dghlsakjg

10 hours ago

The ballot has to be anonymous, or unable to be tied back to the voter once cast. It’s a hard requirement for a variety of reasons

seanmcdirmid

9 hours ago

You have to trust the voting place/ballot receiver in all cases. Like, after they take your name, you need to make sure that they aren't secretly associating your name with the ballot you are filling in. Likewise, if you vote by mail, you need to make sure that they aren't associating your identity on the envelope with the anonymous ballot inside the envelope.

stouset

8 hours ago

Please do yourself a favor and volunteer at a voting location. These are essentially solved issues, and you seem completely unaware of that fact.

seanmcdirmid

7 hours ago

I live in a vote by mail state (like most of the west), I know exactly how it’s done.

closewith

9 hours ago

This is a solved problem for in-person voting with indentical ballots and self-depositing into sealed ballot boxes.

It is an unsolvable problem for mail in voting, which is why it should be prohibited in most cases.

dghlsakjg

8 hours ago

It’s also a solved problem for mail in.

Double envelope systems, observable counting systems and standardized ballots that can checked for non uniqueness before voting are how they do it.

People have thought hard about this, and it has worked fine for may states for decades now.

closewith

3 hours ago

That only solves the double-counting problem, and it's fundamentally impossible to solve the voter ID and voter manipulation problems with postal voting.

seanmcdirmid

7 hours ago

Except for older republicans and military members in almost all states?

closewith

3 hours ago

I'm not American, so I don't understand the older republican comment, but except in exceptionally adverse circumstances (astronauts on the ISS or submariners, etc) the military can provide ballot boxes to it's personnel.

FeteCommuniste

10 hours ago

The vote needs to be anonymous, not the registration + checkin process.

phanimahesh

9 hours ago

When digital content can be duplicated with ease, it is difficult to guarantee verified voter but untraceable vote.

Joel_Mckay

10 hours ago

Indeed, many people now get a erroneous covid tax-relief refund bill for not qualifying for a program they never signed up for in the first place.

One local scammer made off with a $5m government refund for a fraudulent business tax filing. You can't make this stuff up if you tried...

At some point, one is just amazed at the size of the cons people pull online. =3

VladVladikoff

10 hours ago

>Internet voting needs to be anonymous and non demonstrable

Why? Honestly Internet voting would improve overall turnout, which seems more important. And we probably could accomplish anonymity with some clever cryptography.

jpollock

9 hours ago

Anonymity keeps the government from locking you up if you vote the wrong way. Non-demonstrable keeps you from selling your vote to your boss.

That is why you typically show id, get a ballot and there is no relationship between the two.

VladVladikoff

9 hours ago

I could still sell my vote to my boss in the typical system.

And we could use cryptography to vote anonymously after authentication online.

indecisive_user

8 hours ago

In the current system how do you sell your vote?

You go into the voting booth alone.

drchaos

an hour ago

"I give you $50 if you vote for me, you'll get it when I win the ballot"

If someone is willing to sell their vote in the first place, they have zero incentive to vote for another candidate. They only have to trust the buyer to follow up on his promise (which is required in any other scenario also).

autoexec

9 hours ago

* “internet voting is insecure” wins because your internet money is not safe. Hackers get into people's bank accounts all the time. It's actually amazing to me how many people here somehow think that internet banking is anything but massively insecure.

subscribed

10 hours ago

Second is also possible in jurisdictions that issue id cards with cryptographic layer AND ability with the companion app to only prove a scope of the identity.

Without saying too much about my home country I believe it's doable.

camillomiller

10 hours ago

Wow, rarely one sees a comment that so clearly shows how our attention span has deteriorated and how we now too often fail at understanding the most basic conceptual underpinnings of a discussion.

parentheses

8 hours ago

The problem is that nothing is immutable about computing. Software itself is mutable. So is data. The transferability of software makes hardware mutable also.

It seems like pen and paper is currently the best verifiable and immutable voting approach.

themafia

8 hours ago

> The problem is that nothing is immutable about computing.

That's why we have checksums. We've used computing to put people on different astronomical bodies. There is a way, but it comes with a huge cost. Cryptocurrency strongly hints towards a way to make internet voting viable.

> It seems like pen and paper is currently the best verifiable and immutable voting approach.

The simplest answer is usually the best, but then you shouldn't constrain voting to a single day otherwise it disadvantages large swaths of the population.

terminalshort

10 hours ago

Which of these vulnerabilities do not apply to any other internet system? And yet all of everyone's money is accessible over the internet and that seems to be working fine. If they really care about security at this level then they should ban all non in person voting methods.

GuB-42

9 hours ago

> If they really care about security at this level then they should ban all non in person voting methods.

Many countries do exactly that, sometimes with a few exceptions (ex: expats, disabilities, ...).

One problem with internet voting that does not apply to money is the "receipt-free" aspect. That is, a voter should not be able to prove that he voted for a particular candidate, as it would allow for vote buying, threats, etc... And it is a hard problem. With money transactions, you generally want the opposite, which is an easier problem.

creata

7 hours ago

I don't know why so many people in this thread are asking this, but as has been said elsewhere in this thread:

* It does apply to most other internet systems.

* Things like banking fraud can be detected and remedied. Election fraud is much harder to detect and even harder to remedy.

* Voting requires anonymity. Most internet systems are not anonymous: you are identified by your IP address at the very least.

mbf1

6 hours ago

If I can photograph a $10,000+ check with my phone and deposit it into my bank via an app, then people can surely create a secure voting app with the same technology. Maybe we should use blockchain technology to store public ballots in an open fashion. Who cast the ballots would be a secret like it always is.

Gud

6 hours ago

Different use cases.

nerocap

9 hours ago

If we can’t create a secure online voting system why do we use it for passports, banking, medical records, drivers licenses, criminal and law record keeping.

This is just an attempt at control using the majority of cases that most websites and applications are insecure. If enough effort and time is invested of course we can create a fairly robust and secure voting system.

autoexec

9 hours ago

> If we can’t create a secure online voting system why do we use it for passports, banking, medical records, drivers licenses, criminal and law record keeping.

Hackers get into people's bank accounts, medical records, etc. all the time. We know that these systems are massively insecure. Also, none of those things are kept secret from everyone involved. Your bank gets to know how much you paid for something. Your doctor gets to know what your xray showed. The judge can see what court documents you filed. There are a lot of eyes on that data and trails to catch problems. Nobody is allowed to know how you vote. It's a very different problem than the online submission of bank transactions and court records.

There are also robust systems for correcting the record when something goes wrong. Sadly still not enough in place to protect the people whose data gets stolen or leaked, but that's another topic.

iamnothere

9 hours ago

Errors in these other areas are typically reversible without undermining trust in electoral processes, leading to (in the worst case) wide scale violence and death.

We use the internet for too much, more systems should be airgapped. It’s a miracle that there hasn’t been a tragedy yet from a hack of critical infrastructure. Even things like water treatment and energy systems can be vulnerable: https://www.cnbc.com/2024/10/08/american-water-largest-us-wa...

charcircuit

8 hours ago

Elections are reversible too. A recount can reverse an election.

marcosdumay

9 hours ago

Because the security requirements of those systems are completely different from voting.

Voting is a uniquely hard process, where most kinds of validation are actually attacks.

plasticeagle

9 hours ago

I applied for my passport online. If it's secure enough for that, then it's secure enough for voting.

GJim

2 hours ago

Different use cases with different requirements.

kayamon

9 hours ago

This is an alarmist headline and should be reconsidered before being posted anywhere.

niteshpant

9 hours ago

And Nepal elected its current interim prime minsiter using Discord, apparently...

oskenso

6 hours ago

I came here to mention this. At the end of the day it's a circle of trust that keeps things moving in a positive direction

biglost

10 hours ago

More important it should be a right first. Where i live it's not optional

uptownhr

9 hours ago

2 factor vote. Vote in app, still go in person to validate result.

thegrim000

10 hours ago

You know, kind of an interesting test here. This was posted 13 minutes ago and the comments so far are mostly all supportive of not wanting internet/insecure voting methods, all supportive of pen and paper. I wonder if after an hour or two the propaganda hoses will have been turned on and all the top comments start to have the reverse messaging in them, saying internet voting is perfectly fine, and such initial comments downvoted into oblivion.

terminalshort

10 hours ago

So you are saying that the humans are fast and the propaganda bots are slow?

parentheses

8 hours ago

With the recent success of AI, I feel the more insidious issue is preventing the use of AI in reading paper ballots. There's a lot of room to engineer bias.

arjunchint

9 hours ago

Honestly we should just have block chain based PUBLIC voting.

This article is right about secret internet voting: it’s fundamentally incompatible with unsupervised devices and global networks. But secrecy is the constraint that breaks everything.

If you instead require public, verifiable voting, most of the "unsolved" problems disappear. The core requirement becomes: everyone can independently verify inclusion and correct tallying.

That’s where blockchains are a genuine game-changer: - They provide a public, append-only, tamper-evident system of record.

- Anyone can recompute the tally from first principles — no trusted servers, no “checker apps,” no special dispute resolution.

- Server compromise or insider attacks stop being catastrophic; fraud becomes immediately visible rather than silently scalable.

- Malware can still affect an individual’s vote, but it can’t secretly change the election at scale — the main failure mode highlighted in this post.

If trust is the goal, opacity is the wrong primitive. The secret ballot is mistaken path solving a non existent and purely theoretical problem of vote buying.

In a world where we expect everything to be easily accessible, the hardships placed by all the steps required to vote (registration, confirming residency location, waiting in line for polling booth) is seriously impacting voter participation. We need to get with the times and modernize this voting infrastructure.

whimsicalism

8 hours ago

of course, then you get vote bribing and retaliation. i'm generally in favor of public or provable voting because i think it is the best solution - but you do have to sort of how eyes wide open.

arjunchint

2 hours ago

We are a society of adults and complex individuals that don't need to be moralized to or nanny'ed.

You can easily bring up bribing and retaliation as excuses why we shouldn't have jury trials either. These were never really fundamental problems with open democracy, like Andrew Jackson didn't bribe everyone in the country to become president.

TBH if a politician offered me $100 to listen to his pitch, I would take it but I would still vote based on the thousands of dollars of lifetime impact of their policies on my income and assets.

ronbenton

8 hours ago

This is usually a smart crowd. I’m utterly mystified at the number of comments in this thread confidently stating that the US must go back to paper ballots when 99% of the country already uses them. It just takes a quick google search to know this.

ValveFan6969

5 hours ago

Internet voting in general in not only insecure but an human rights act violation against our species. Look none other than the fascist utopia that is YCombinator where some rando can remove your comments simply because they do not like your joke or opinion.

tonymet

10 hours ago

paper & pen has tremendous value as a recording mechanism. Although it's slower at counting and indexing, it is far better at reproducibility and durability:

* records last > 500 years with no electricity . corruption is obvious at first glance. ( bad records don't appear to be good).

* counting is easily distributed by number of workers

* readily visually inspected with no special tools . ideal for auditing

* records stay in order at rest.

* easy to detect & protect against tampering

* easy to train new users . CRUD tooling costs pennies per operator

* cheaper to scale writes & reads

TCO and risk-assessment for paper records exceeds digital on nearly every measure.

ripped_britches

8 hours ago

Voter turnout might increase drastically if we solve security, so it’s a worthy problem to solve

FeistySkink

10 hours ago

Is this just an abstract and is there more to this post? I found it quite shallow.

tamimio

10 hours ago

I think it’s just twisting the facts to reach a predetermined conclusion.

snvzz

7 hours ago

Vote should be in person at a designated place, based on a census.

There's absolutely no justification (or excuse) for anything else.

It is much better to have less votes than to allow any avenues for manufacturing the results.

randomcatuser

10 hours ago

what about crypto voting schemes? zero knowledge and all that

if we assume the user connection is secure (ie, about as secure as banking), can we have secure internet voting?

burnt-resistor

9 hours ago

Not exactly. Centralized transactions on a blockchain ledger using hierarchical aggregation of tiers of voting collection points where each municipality includes their digital signature. And receipts for all voters that are easily verifiable against a publicly-readable ledger.

casey2

8 hours ago

If half the points here were true than internet banking and ecommerce would have already failed. Does the current system prevent fake votes? Did old banking and commerce prevent more fraud?

Here is the thing you are missing. With Internet voting we can have votes way more often. Limiting the damage caused by fraud. Yeah you could have malware on your phone that changes your inputs to a sandboxed voting app, and the malware also tracks your real votes so when you request an audit it shows you what you actually voted for. In reality that is extremely difficult to pull off over a long period of time.

I don't care about any of the names on the list, as far as I'm concerned they are missing the forest for the trees.

artyom

9 hours ago

Premise: there's people that will try to game and cheat on anything that's important, including democratic elections. No matter your voting method, those people will exist.

Solution: the basic unit (paper ballot in this case) can be understood by any adult with basic education, which means anyone can detect cheating, not just a technical wizard. The only skill you need is reading.

Give me a solution that follows the same principle and I'd consider it.

Nobody cares about results coming faster except journalists that have to fill 2-3 TV hours with nonsense until there's some numbers.

No engineer that's worth of the title would advocate for electronic voting -- unless they're in the business of selling electronic voting. See the Premise.

nonethewiser

9 hours ago

Im not sure all paper ballets means delayed election results. Sure, it used to take days or weeks 100 years ago, but the only factor now is the counting.

tzs

8 hours ago

It is possible to have a system that works as follows:

1. People vote on paper ballots by filling in an oval next the candidate they wish to vote for. They fill the oval with a marker provided by the election officials.

2. These ballots can be counted by hand, but they can also be counted by optical scan machines to get fast results. Optical scan machines do not have to be computerized--they have been around since the 1950s long before there were computers small enough and/or cheap enough to use for this. No computer means no software to get hacked.

Almost half of registered voters live in districts that already use that kind of ballot and already count it with optical scan machines.

3. By the use of some nifty chemistry and some clever cryptography an end-to-end auditable voting system can be overlayed on this.

End-to-end auditable voting systems (also called end-to-end voter verifiable systems) have these properties:

• Individuals can verify that their ballot was included in the final count and they vote was attributed correctly.

• Any third party can verify that the ballots were counted correctly. The candidates, the parties, news organization, civil rights groups, and anyone else can check.

• Voters cannot prove to third parties who they voted for. This is called coercion-resistance.

Here is such a system, developed by several well known cryptographers including David Chaum and Ron Rivest [1]. Here's a paper in HTML with the details [2]. Here's a PDF of that paper [3]. Here's a paper showing that it is coercion-resistant.

This is compatible with existing optical scan machines, so the places already using them don't need new machines.

The magic happens in printing the ballots. Inside each oval they print a code in a special invisible ink. When the special marker provided by the election officials is used to fill in the oval that code becomes visible.

If you want to be able to later verify that your particular vote was included and counted correctly you memorize or write down that code. If you don't care about this you can ignore it.

After the voting is done officials can publish all the codes that were revealed and voters can check to make sure their code was included. They officials publish other information that through the use of clever cryptographic techniques allows anyone to use the published codes to verify the totals for all the candidates without revealing the mapping from codes to candidates.

This gives us all the good points of paper systems that can be hand counted, plus fast machine counting that can be done with simple single purpose machines that have no software to be hacked, yet with the kind of end-to-end auditing that usually requires computerized voting systems to achieve. And it is inexpensive to implement and operate.

[1] https://en.wikipedia.org/wiki/Scantegrity

[2] https://www.usenix.org/legacy/event/evt08/tech/full_papers/c...

[3] https://www.usenix.org/legacy/event/evt08/tech/full_papers/c...

[4] https://eprint.iacr.org/2010/502.pdf

SilentM68

9 hours ago

With the world the way it is now a days and software/firmware being insecure, it is difficult to see Internet Voting as a secure means of voting. Paper ballots with multiple biometric tools or AI to measure a voter's physiological state of mind, honesty, confirm identity may be something that should be considered.

burnt-resistor

9 hours ago

In person and by mail voting with a blockchain ledger-based receipt is how to prove one's vote is counted anonymously.

There must always be a paper trail and a blockchain ledger provides the most reliable and secure means to maintain integrity.

manoDev

9 hours ago

Imagine that: thinking the technology used to cast votes is how elections get manipulated.

quilombodigital

9 hours ago

In Brazil we have been using electronic voting for decades.

See, here we always had issues with corruption, and thats why we had to implement it.

The thing is that we always had major issues at the city level elections, because many small groups dominate different regions, and they just controlled the election officials, influenced voters, disappeared with ballot bags, and did all types of crazy stuff. It was pretty common at the eighties exchange votes for gas, dentures or even tubal ligation.

For all this reasons, a specific voting registry was created in 1985, and an electronic voting machine was used for the first time in municipal elections in 1995. This solved most issues, and elections started to be a lot easier, there was A LOT of confusion in the past. After it was available in all cities in the country, they started to do national elections.

The main idea here is that this is a government endeavour, not a private company. There are so many security layers that I think that only another external government actor would have resources to attack it.

These machines have special hardware, the encryption keys are loaded at the election day by the government, the machines are there only for the 8 hours of voting, then came back to a government deposit, they account for every machine, they are audited before and after, they randomly choose the election officials, the machine prints a receipt for the voter and the stats of votes of that machine. Each person has an election location and room/machine, so schools are used. If a machine has problems, they have to on the fly generate new keys for a substitution. In 2024 they used 570.000 machines at the election.

When the election day finishes, they place at the door of the room the machine receipts, so any ONG or international organization can verify. After it they take the machine to a central place where they connect to them and trasmit the data, and in one hour we know the president. During these decades we had presidents from the right and from the left, and all cities and states, so you can say it works just by seeing all this power cycling all the time.

I agree with the article in the sense that we need paper confirmation, and that we cannot trust the voter machine, but I think Brazil solved this by making sure to control the machine, and printing receipts and making then available to any public organization.

I particularly think that only one thing is missing in this technology, technically speaking, I would like to have a personal key with an ecc key created by me, that would allow me to insert this card when voting, so it would encrypt my vote, store and send to the server, so I could, using my card (even online) check for my voting history, connecting all the endpoints. It is still anonymous, but verifiable by me.

More information here: https://international.tse.jus.br/en/electronic-ballot-box/pr...

marcosdumay

9 hours ago

> but I think Brazil solved this by making sure to control the machine

It's bullshit, we don't control anything. Our voting machines are Linux computers that never survived a public auditing, so the government stopped let the public audit them.

If either China or the US decided to seriously invest into corrupting the hardware, it would be a several years long process but would actually cost less than our presidential campaigns. There are probably several ways to corrupt the machines software without anybody noticing (it a Linux PC, full of opaque firmware), that we won't know about because the details aren't public.

Without a paper confirmation that we could audit, nobody can't claim it's working. What would expect the results to be if it was compromised?

fmobus

5 hours ago

As the other reply noted, there were audits by multiple entities and parties, although I agree that it would be preferable for the code to be open sourced.

I do disagree with your other points. Paper confirmation is not necessarily the only way to audit, and may in fact introduce risks of voter reidentification and coercion (voto de cabresto). The other way of auditing the machines is the parallel voting procedure, which already takes place at every election and is honestly a brilliant piece of security engineering.

For those not aware, the parallel voting procedure works as follows:

1) the day before the election (when the software has already been loaded and locked into the machines for several days), a random sample of machines is selected for the procedure

2) those machines are then removed from the polling place they would ordinarily be assigned to, and replaced with a backup machine

3) the removed machine is then installed in a different room, and booted up normally on electionday. Since it is fully offline, the machine doesn't "know" it is being used in this mode

4) this room is setup so that there are cameras pointed to the machine, and people from all observing parties (and common citizens as well) are invited to "mock vote" in this room.

5) at the end of the day, the machine is closes, its report printed, and the result is checked against the known mock votes

Pretty solid method if you ask me, and much cheaper than upgrading the entire fleet to enable printing.

quilombodigital

8 hours ago

It is false your affirmation that they are not audited by public organizations.

Entities can register to see the source code in a controlled room. In 2024 for example the party União Brasil checked the code.

In 2025 during the official audit 149 entities registered to check the code and attack the machine. Universities, ONGs, political parties, etc.

Please check you facts before posting what you think

Reference: https://www.tse.jus.br/comunicacao/noticias/2025/Dezembro/te...

Some of the attacks performed: https://www.tse.jus.br/eleicoes/arquivos/relatorio-parcial-d...

One thing I agree with you. It would require another big country effort to break it.

fmobus

5 hours ago

Letting "entities" audit the code in a closed room is not enough for me. The entire codebase should be open sourced publicly.

crote

5 hours ago

... and how do you, the voter, prove that the machine you are using to vote is indeed running the audited source code?

TacticalCoder

8 hours ago

Not requiring a proof with a photo of the person and a proof that he's legally in the US should not be allowed in public elections.

How comes the democrats try to block every single voter ID act? Sounds to me there's something to hide.

There has also been some very shady counting happening in 2020: where during the last hours suddenly 100% of the votes coming in in some states where all for Biden.

Note that Trump, in his speech today in 2026 at Davos, said that the 2020 were rigged and that prosecution was coming (he then added something like: "oops that was a secret, well now it's not a secret anymore").

I'd add that, in my opinion, bringing in millions of illegals then trying to regularize them and allow them to vote is also a form of election rigging, even if it's legal.

deathanatos

6 hours ago

> Not requiring a proof with a photo of the person and a proof that he's legally in the US should not be allowed in public elections.

This is essentially (esp. once combined with the rest of your comment) misinformation: fraudulent voting by non-citizens effectively doesn't occur[1]. To sum it up,

> A Brennan Center for Justice study of 2016 data from 42 jurisdictions found an estimated 30 incidents of suspected noncitizen voting out of 23.5 million votes cast (or .0001% of votes).

I.e., a rounding error.

> How comes the democrats try to block every single voter ID act? Sounds to me there's something to hide.

Generally, the counter argument is that further requirements stifle voters, while not solving any real problem, since the above concern is not backed by actual facts demonstrating it to be a valid concern.

> There has also been some very shady counting happening in 2020: where during the last hours suddenly 100% of the votes coming in in some states where all for Biden.

You're assuming the vote is uniform, and it's pretty trivial to show it's not; look at any vote-by-county map, and you'll see urban centers are far more Democrat heavy. Expecting the tallying to then be uniform is illogical.

> Note that Trump, […], said

His words are beyond bereft of trust[2].

> I'd add that, in my opinion, bringing in millions of illegals then trying to regularize them and allow them to vote is also a form of election rigging, even if it's legal.

[citation needed], but this isn't a thing. No jurisdiction I know of permits non-naturalized immigrants, legal or otherwise, to register to vote. If they've been naturalized, voting is their right, same as it is mine.

[1]: https://en.wikipedia.org/wiki/Electoral_fraud_in_the_United_...

[2]: https://en.wikipedia.org/wiki/False_or_misleading_statements...

tamimio

10 hours ago

I think this relies on the old argument that anything connected to the internet is potentially insecure. While it might have some truth, practically we all do very sensitive stuff securely while connected to the internet. The risk is there, always, but you put all the measures to mitigate it and even prevent it.

The idea that a malware could be on a phone “altering things automatically” feels like a 90s FUD cliche. If an online voting system existed, it won't be like a poll that you see on Twitter, for instance; it will be far more involved. For example, we can have blockchain as the network, and not just transparent to all, but even after you vote you can still check your vote and see if it was potentially altered, and a proper electronic chain of custody can also ensure that the vote was counted per the process, and all of that is visible to anyone who would like to check and even count ALL the votes yourself, again, just like how transparent blockchain is.

And saying paper voting is more secure isn't true at all, because these votes will be counted electronically at some point, either by a machine or just a simple Excel sheet, opening the same risks as the previous one except here, if it would happen, you will never know and you as a voter can't trace the vote from when you voted all the way until it was counted. The voting process should be designed in a way with zero trust in mind, just like how secure systems are designed now, like storage, encryption, vpn, etc., and voting should too.

I personally believe that we can build a very secure, robust, and trustworthy system that can be used for voting online, but I think no one wants that for all sorts of political purposes, either by actually altering the results that could go unnoticed, or at least keeping the window open to blame the results on a faulty system.

deathanatos

6 hours ago

If we interpret "blockchain" "visibto to anyone" "transparent blockchain" charitably, TFA addresses your proposal pretty directly. (a.) Your design is likely not receipt-free — it is thus susceptible to coercion & bribery. (b.) How does your blockchain based proposal allow the voter to achieve confidence that extraneous votes are not being cast?

> because these votes will be counted electronically at some point, either by a machine

Random sampling (selecting a random subset of ballots, and manually counting them, and comparing against a machine total) is a cheap way to defend against this. But also, paper ballots mean that a full recount can be done, at which point any malfeasance becomes visible. It is likely that an attacker is going to want their tracks to not be so easily discoverable, so the mere possibility of such itself is a deterrent.

> or just a simple Excel sheet,

They needn't be, and results can be reported to various news agencies, interested observers, representatives of candidates or parties, etc. What is the likelihood of everyone's Excel sheet being compromised?

> The voting process should be designed in a way with zero trust in mind,

A paper process is explainable to a normal adult of reasonable intelligence, to a degree such that trust & confidence in the paper balloting process should be establishable. Most online voting systems cannot say that. Even I as a SWE would not be able to convince myself of most electronic systems, let alone an Internet based system. Is the source even available? (This is not a given.) Is the source correct? (Underhanded code is a thing, and it is unlikely that I, myself, can audit the entire thing.) Is the binary produced actually from the same source? Can the hardware used be trusted? (You literally cannot see transistors, and even if you could, you cannot verify their function!)

Blockchain systems and similar relieve some of this pressure — but not all of it. E.g., I would still have a hard time explaining the math involved to 99% of the population beyond "trust me, it works" — and the point is that that answer is unacceptable as a requirement of the problem.

Vecr

9 hours ago

Why is it FUD? It's a real thing any competent programming team could implement.

tamimio

9 hours ago

Well it isn't primarily the technicality aspect but rather the same risks that apply to end users are also applied to the people working at the polling station and their equipment, bringing it up when you are talking about one side only is just a tactic to discredit it. That being said, modern phone OSes are also unlike before, app isolation among others prevent such attacks, I don't think I came across a new attack that just altered another app on the fly, otherwise, we would have hundreds of cases of people getting their bank accounts compromised. In fact, I think from a technical standpoint, the risks of having such malware on end users' devices are harder to implement compared to infecting say the Android OS running on the voting screen at the polling station, or anywhere else in the process. Because in the end users' ones you can restrict the app to run under certain criteria similar to banking ones, and independent security researchers can check it for potential vulnerabilities, meanwhile an internal app used in the polling station won't have these measures, and you can even assume the OS/packages are outdated and vulnerable, making it far less secure, something like how flock cameras Android OS is a security nightmare for example.

pokstad

10 hours ago

While we’re on it, I don’t want the internet on my stove or car either.

rexpop

10 hours ago

We're actually not on that subject.

MarkusQ

8 hours ago

It's as close to on-topic as most of the other comments.

"The internet isn't secure enough to trust for voting" could be generalized to

"The internet isn't secure enough to trust for _____" just a reasonably as it could be to

"______ isn't secure enough to trust for voting" as most of the other commenters have chosen to do.

The fact that one of the generalizations is more popular doesn't make the other wrong, and addressing both (as, say, the GP or people talking about internet banking do) adds both depth and breadth to the discussion.

irjustin

10 hours ago

Tom Scott made a solid video on this years ago[0].

I would love to go back to paper elections, even with all its problems (hanging chads anyone?). Let's make attack scaling as difficult as possible.

[0] https://www.youtube.com/watch?v=LkH2r-sNjQs

recursive

10 hours ago

"Go back to"? How are you voting now?

nonethewiser

9 hours ago

A paper that gets scanned by a computer