First and foremost, paper ballots everywhere. No touchscreens.
Second, from printing time onward, all handling of ballots, whether marked or unmarked, must be done in the presence of representatives of at least two political parties. At no point are ballots left alone with individuals or only one party (this is something a lot of states could learn from us!). This eliminates many avenues for cheating by adding or removing ballots from the count.
The ballots themselves are Scantron, fill in the dots with ink. The state provides standardized pens for this.
All registered voters in a precinct are tracked in a paper roll. In order to get a ballot, voters must either be in the registration book, or apply for a provisional ballot (which requires identification). Names are marked off the registration roll as they get their ballots, and a count is kept. At the end of voting, the total count of the voting machines must match the total count of voters exactly. Any difference triggers a manual count.
Scantron machines are randomly spot-checked - some percentage of them will be hand-counted, and those counts checked against the machine results. Multiple mismatches across the district/state would trigger an election-wide hand count. This insures against cheating by altering the behavior of the machines. (This is also where touch-screen machines fall down, imho, and should be flatly banned! There is no manual guarantee of the integrity of the results in a touch-screen machine.)
Initial counts on election day are provisional, and need to be certified via additional checks before being finalized (including the possibility of recounts).
There's more, but these are the big ones, and you get the idea. This entire system depends on protecting the integrity of physical ballots, which as you can see, is pretty straightforward.
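The two checks described in the comment above (exact roll-versus-machine reconciliation, and random hand-count spot checks that escalate to a full hand count), as an added sketch that is not part of the original thread and not any election office's software. The spot-check fraction, the escalation threshold, and all precinct data are assumptions constructed for illustration; the comment says only "some percentage" and "multiple mismatches".

```python
import math
import random
from dataclasses import dataclass

# Assumed policy values; the thread gives no concrete numbers.
SPOT_CHECK_FRACTION = 0.25   # share of scanners that get a hand count
ESCALATION_THRESHOLD = 2     # mismatches that trigger a full hand count


@dataclass
class Precinct:
    name: str
    roll_count: int      # voters marked off the paper roll, incl. provisional
    machine_count: int   # ballots the scanner reports having read
    machine_tally: dict  # candidate -> votes according to the scanner
    hand_tally: dict     # candidate -> votes from hand-counting the paper


def needs_manual_count(p):
    """Roll and machine totals must match exactly; any difference is a trigger."""
    return p.roll_count != p.machine_count


def select_spot_checks(precincts, fraction, rng):
    """Pick scanners at random so nobody knows in advance which are audited."""
    k = max(1, math.ceil(len(precincts) * fraction))
    return rng.sample(precincts, k)


def audit(precincts, rng, fraction=SPOT_CHECK_FRACTION,
          threshold=ESCALATION_THRESHOLD):
    manual = sorted(p.name for p in precincts if needs_manual_count(p))
    checked = select_spot_checks(precincts, fraction, rng)
    # The hand tally is consulted only for the scanners that were selected.
    mismatched = sorted(p.name for p in checked
                        if p.machine_tally != p.hand_tally)
    return {
        "manual_count": manual,
        "spot_checked": sorted(p.name for p in checked),
        "tally_mismatch": mismatched,
        "full_hand_count": len(mismatched) >= threshold,
    }


# Constructed sample data. P2 has one ballot more than the roll allows.
# P3 and P4 report the right number of ballots but the wrong split, which
# reconciliation alone cannot see; only a hand count of the paper can.
SAMPLE = [
    Precinct("P1", 500, 500, {"A": 260, "B": 240}, {"A": 260, "B": 240}),
    Precinct("P2", 420, 421, {"A": 200, "B": 221}, {"A": 200, "B": 221}),
    Precinct("P3", 610, 610, {"A": 330, "B": 280}, {"A": 300, "B": 310}),
    Precinct("P4", 380, 380, {"A": 200, "B": 180}, {"A": 190, "B": 190}),
]

if __name__ == "__main__":
    # Unpredictable selection for a real run; tests pass a seeded generator.
    print(audit(SAMPLE, random.SystemRandom()))
```
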
> Second, from printing time onward, all handling of ballots, whether marked or unmarked, must be done in the presence of representatives of at least two political parties.
Australia does this at all levels of government, up to national elections. The people nominated by candidates are called "scrutineers" and every candidate may nominate at least one for every polling station and several for every counting room.
The count is done manually, thrice, again with scrutineer oversight.
Here's a photo of a close count occurring under scrutiny: http://www.abc.net.au/news/2016-07-06/counting-resumes-in-se...
At the last Federal election, 3 boxes of Senate ballots in Western Australia were lost. The matter wound up in the High Court. Because there was a very slight but non-zero mathematical possibility that those ballots could have changed the outcome, the election was voided and run again from scratch.
This stuff isn't rocket science. You just have to pretend that it's important.
I remember one election in particular where I was working a mixed-race, poor neighborhood precinct in Minneapolis. The Democratic poll-watcher was convinced the Republican one was going to challenge every single voter and paralyze the precinct, preventing hundreds from voting. The Republican poll watcher was convinced that Democrats were going to bus in thousands of paid illegal black voters from Wisconsin. Of course, neither of these things happened.
Who thought it was a good idea to "disrupt" voting by going electronic?
In Minnesota, you show up at the polling place, say your name and address, they find you on the registration list, check you off, and hand you a ballot. No need to prove you are who you say you are. If someone pretends to be you before you vote, then it's immediately and obviously brought to the attention of the judges (and we aren't seeing a massive wave of fakery now). If someone pretended to be you after you vote, they'd get caught.
Of course, someone could fake it, with someone's registration that they know won't vote. But if they repeated it at a single precinct, the odds of being recognized as a repeat voter by the election judges goes up. So they would have to move from precinct to precinct, with a list of viable registered non-voters to use.
Now, consider scale. A statewide Minnesota election is about 1.5M voters. To move the outcome 1% requires 15,000 votes. If one person can manage to vote illegally ten times in a day, it would require 1500 people in a conspiracy. Plus data management, tight enough for no errors. And NO leaks while these 1500 people are trained (and probably paid, if you want that many).
With that in mind, the idea of actually manipulating the election with votes that could be prevented with Voter ID is absurd. But! If we put ID laws in place, we could well reduce the number of voters by 1%, and that result would be biased toward people who are poor or otherwise not fully integrated into mainstream society.
Election manipulation, completely legal, and more effective than the mechanism it purports to prevent. Ugh.
And hey, if voters are dumb enough to fall for that, maybe we can get them excited for touchscreen machines!
On one hand, I can see the effect that it would have on the makeup of the voters: older, richer, more established.
On the other hand, I couldn't shake the idea that voting is too sacred to not enforce some level of identity verification.
You just swept away my "on the other hand". Thanks.
My arguments for:
First, don't people have to register to vote in most places? I don't see how bundling your Voter-ID acquisition with registering to vote would be bad.
Second, a valid state ID should be enough to vote even with Voter-ID. This DRASTICALLY reduces the number of IDs we need to handle.
My main argument against not doing it right now:
We'd need proper funding that we're not going to get in the current political climate. A half-assed solution would be BAD.
How many times have you forgotten to bring some random item you need for something you're doing? Why stop someone from voting because of a mistake virtually anyone could make?
This is a freedom-based problem. First, what problem is voter id supposed to solve? Well, people cheating by voting illegally. Is this an actual, demonstrable problem? No. Despite grandiose claims by FOX News and Donald Trump, there is no evidence of widespread voting fraud. So we've established that this is a solution to a problem that does not actually exist.
Second, does it impact our freedom? Voting is both our right and responsibility as citizens. Should we be required to carry and show id just to prove that we are citizens? "Do you have your papers, citizen?" used to be a joke we made about the shortcomings of totalitarian communist dictatorships. So yes, it does impact our freedom, as we should be free to go about our day without carrying government id at all times, and I believe that would include the act of voting.
Limiting our freedom to solve fake problems sounds un-American to me.
I've seen plenty of elections come down to 100s of votes. To me this seems like an attack vector we shouldn't ignore.
Besides, we already have the concept of provisional ballots if people end up not having or forgetting their ID.
But again, I don't think we're ready for all this. A half-assed solution would be very bad, and I don't trust the current system to handle this in a partisan way.
It seems like you should be able to do things more easily, less expensively, and with lower risk in a repeatable way in every state.
People are partisan and will buy any story that explains why they lose. A non-trivial portion of Democrats think the Russian advertisements on Facebook changed the election to Trump's favor.
E.g., the oligarchs and good ole boys
And in general I'm impressed by Minnesota's governance. Maybe the answer is a deeper look at Minnesota's government structure.
States that let individuals handle ballots and stuff are either incompetent or malicious. There's no excuse for not solving easily solved problems with simple, proven solutions, when our democracy is at stake.
I wonder if they have considered augmenting that. Add this to it and it would still work pretty much the same as far as voters are concerned when they are in the voting booth--the ballots would be printed a little differently and the pens would be different, but it would still be rub the dot with the pen.
Afterwards, though, when the results are released individual voters can verify that their vote was counted and that it went toward the correct candidate. There are other advantages discussed in the link below.
If outside hackers can influence the midterms in a way that is beneficial to the GOP - why would they do anything about it?
And if you find problems after the winner is declared? “Only the losing side cares, and they’re just sore losers”
Or an adversary could not commit fraud, just trip the fraud alarms in areas their opponent is strong.
So it’s very, very difficult to secure.
(1) The software is not doing anything nefarious
(2) The software toolchain is not modifying the software in (1) to cause it to do something nefarious
(3) The software loaded onto the machines is actually the software verified in (1) and compiled by the verified toolchain in (2)
(4) The machine doesn't have any kind of hardware/firmware-based defeat device to trick you into falsely confirming (3)
This is essentially the same problem as is outlined in Ken Thompson's Reflections on Trusting Trust.
> (2) The software toolchain is not modifying the software in (1) to cause it to do something nefarious
Use open source toolchains and hash the result.
> (3) The software loaded onto the machines is actually the software verified in (1) and compiled by the verified toolchain in (2)
Maybe some kind of cryptographic puzzle, question/response, you need to make a hash with the program, and make the HDD not large enough to contain more than that. Or maybe read only storage. Even a combination.
> (4) The machine doesn't have any kind of hardware/firmware-based defeat device to trick you into falsely confirming (3)
Your voting results are confirmable on the blockchain, but not specific, you can check that your vote hasn't been changed, but not the vote itself.
A counting room full of people counting paper ballots is a machine, and it's a transparent machine where everyone inside it and outside of it can understand how it works, and trust that it's working properly.
But the biggest argument against electronic voting is that you're not solving any problems, you're just adding problems and decreasing the trust in the elections massively. And for what? To get election results a few hours faster? That's ridiculous.
> A counting room full of people counting paper ballots is a machine, and it's a transparent machine where everyone inside it and outside of it can understand how it works, and trust that it's working properly.
I agree with this 100%
Electronic voting must be cryptographically secure, and increase trust and security. I think this should be the first rule.
Those two goals are mutually exclusive.
Everyone understands how a room full of people counting paper ballots works, without having to explain it. Everyone understands that the process is transparent, and that by having people of different political persuasions working together, you ensure that the result is fair.
There is also immense value in having the voting "machine" being made up of actual humans, so that everyone in society can take part if they want to, and feel like they're doing their part to defend democracy.
And none of that can be replicated in software. You and I might be able to understand and trust the software, but everyone? Not gonna happen.
I think most people know their passwords are encrypted, but they don't know about hashes at all, they just assume the domain experts have figured it out.
Security in e-voting would probably look similar. You would know there are smart people somewhere who understand the complexity, and ideally you would have ample opportunity to learn.
I find it hard to imagine a plausible scenario where a complex, blockchain-driven election model is met with trust and comfort by a broad cross section of voters. It practically begs for anti-science paranoia.
Is that rhetorical? I can't think of any major bug on a billion dollar ETH contract. The largest "heists" appear to have ranged in the mid 10's M$ (DAO, Parity), with one bug that froze a sum in the low 100s M$.
And there are people that don't have a lot of trust in our current voting methods. Can't stop conspiracy theorists really. I think with global warming there is a degree of uncertainty due to the varying environmental factors. This will be something where you can pretty simply explain what's going on, or at least say this part is encrypted with X algorithm and people are happy. The public is willing to trust encryption, specifically there have been cases where the government's efforts were thwarted by strong encryption.
But elections are not about my vote. They're about everyone's vote. I care about not just the integrity of my own ballot, but the integrity of every other voter's ballot as well. And, given a system where most people will never do a complex blockchain verification of their ballot, or have a mechanism to be certain that no additional machine-generated ballots were added to the results... blockchain isn't solving the actual problem.
Don't be in love with technology when looking for actual solutions to actual problems.
People don't verify their vote now, so this is unimportant.
> have a mechanism to be certain that no additional machine-generated ballots were added to the results
This should only require a handful of people to check.
Consider the apocryphal story: "NASA spent millions of dollars developing an 'astronaut pen' that would work in outer space, while the Soviets solved the same problem by simply using pencils."
Why go for the complicated solution when the simple one works?
Electronic systems can provide a much better level of security than this through not only all the regular security techniques you'd apply to regular workers (no individual access, surveillance, etc) but also a wide array of electronic means including logging, 'ballot' validation, and much more. And you can also burn everything including the operating system and election software onto a non-flashable ROM meaning software modifications become all but impossible, and even if somehow achieved, would be trivial to detect.
This isn't true at all. There is no way to tamper with paper to make it change its properties that isn't obvious and easily detectable. And once votes are cast the ballots are handled with significantly more care.
Additionally, can the precinct be subverted in a manner that can withstand outside auditing by non-corrupt district/state-wide election officials? Keep in mind that if one party in the election has substantial reason to suspect the results were broadly rigged, they could demand a recount (even at their own cost, as happened with the Dayton/Emmer recount in MN), thus triggering all those downstream audit controls.
Of course this has its own set of tradeoffs, but so does our current system.
Second, it violates the principle of a secret ballot. Repudiation would require voters to reveal who they voted for, to match ballot to (digital) signature. So it's not viable as a mechanism for a global recount.
The secret ballot could be reproduced a number of ways, but I'm particularly fond of the idea you have an extra password that makes it look like your vote was different, and only your password shows you who you really voted for.
And, in a well designed paper voting system, you do know your vote was not tampered with, because nobody's votes were tampered with.
There are only three mechanisms for tampering with the actual vote count - adding ballots, removing ballots, or altering the content of ballots. (Replacing ballots is a combined add/remove.) The blockchain mechanism only checks for alteration/removal, and only for a single vote. One individual can verify their own ballot, but repudiation requires breaking secrecy. It's simply not a very good solution.
And the reason it's not a good solution is philosophical - it's focused on the individual, when the election is about the collective. Any effective election validation system must validate the collective, not just the individual. The collective is validated by ensuring that no tampering happened anywhere. And if we can demonstrate that, then verification/repudiation of individual ballots is irrelevant. If A is true for all B, and C is a B, then A is true for C.
But when you really love your hammer, every problem looks like a nail. Blockchain is basically useless for elections, but people obsess over it anyway.
Quite a bold statement. Electronic banking is primarily secured by the means of insurance.
In fact, people are still digging into whether voting machine fraud happened in some states in the 2016 election. Any result now is too late.
Also, the nature of hacks is that you can often detect that one occurred, but not exactly what was changed. How would you take the news, "It looks like the Russians had root on every voting machine. But we've reconstructed the correct vote counts from analyzing deleted database files found in the free block list, and the winner is..." Not too convincing.
If you could have a third party verify the count within your system as accurate/inaccurate, then you wouldn't need that system in the first place.
Besides, an important part of banks fixing issues like this (when they do fix them) is that someone (often the bank itself) must lose money, which they inevitably notice. In the case of an election, no one would ever know if their vote was stolen because they have no way of tracking it once they cast it. You seem to be blindly assuming that every problem will get detected and fixed which is mindbogglingly naive.
2000 presidential election. Bush declared victor, but a Florida state law called for a recount as the margin was close. Recount was stopped, original election result stands.
2016 Brexit referendum. Leave campaign wins - and is later found to have broken campaign finance laws. Original election result stands.
2016 presidential election. Trump declared victor, but evidence emerges of Russian interference. Original election result stands.
There's no point in detecting irregularities after an election is over if they aren't going to be fixed - and history shows they won't be fixed. I'll stick with pencil-and-paper ballots thanks very much.
No matter how you dice it, one of those things gives with electronic voting, even if you had electronic voting machines with no state (all pure circuits, say), but especially with votes on machines like personal computers, where a myriad of systems need to be trusted for the vote to register.
It isn't worth it. Paper ballots are intelligible to everyone, and even when we vote by mail there is such a paper trail it is hard to fake.
It is obviously less secure than voting in person, but it's good enough, and your in-person vote supersedes your mail-in vote.
The encryption would need to be written so there is a fail safe password that identifies the opposite party was voted for, to stop voting coercion.
Yes, it really is:
It is purely a fear of federal vs state control that this hasn’t already happened?
I don't think that conclusion follows. Rather, I think that conclusion is too narrow.
In this situation, the astronomic overall cost of such software would overshadow any other impediments, such as profit motive.
Why would anyone task even a public entity with this, if using paper ballots and manual counting is vastly cheaper?
Generally we want only those eligible to cast one vote each and yet the votes must be secret, anonymous and repudiable. But we also want the counting to be auditable by the public and traceable by the individual voter.
The advantage of paper is it's bulky so it's hard to swap out if people from multiple parties and observers etc are paying attention.
PS: Remember the oldies, "Vote early, Vote Often" and "It's Not the People Who Vote That Count, it's the people that count the Vote"
That doesn't mean that securing the software isn't important. But it does mean that, in any evaluation of a voting system, we should be evaluating the whole-system design (including the critical parts of the software) in terms of how software independence is achieved.
Consider seeking out a medical professional to help with your delusions.
Anyway, if you looked at Wikileaks vault 7 leak, the CIA stockpiles zero days that they use to remote hack all kinds of different platforms. Other intelligence agencies do the same. One of the voting machine companies had pcanywhere installed on their machines which is even known to be full of holes. Whether this is negligence or malice is really up to a jury to look into, but certainly the possibility is there.
Security bugs are real. Hacking is real. What you are talking about is not spitballing. That's just fantasy.
People saying the NSA was working with hardware vendors to purposefully insert backdoors in routers were called crazy too before the Snowden leaks. I guess you haven't been keeping up with the news or do you think the Snowden leaks qualify as baseless conspiracy theories?
"A 2012 TAO budget document claims that these companies, on TAO's behest, "insert vulnerabilities into commercial encryption systems, IT systems, networks and endpoint communications devices used by targets".
The rest of his comment falls back to a fairly common computer security fallacy: We used it once and nothing terrible happened, so it is probably secure.
This is a very important part of the process, but it doesn't address the issues I raised.
I don't see why. I am still convinced there are security issues. The comment under discussion made all sorts of grandiose yet completely unsupported claims. If the paper he linked had backed up his assertions, I'd be inclined to give him the benefit of the doubt, but it doesn't. Therefore I don't believe him.
I helped write the software for the Brazilian voting machines (state issued, standardized, made to spec by competing companies) and we had a long list of scenarios we had to guard against. The people who wrote the spec were field experts who studied attempted and successful (but caught) voting fraud every election. The resulting combination of hardware, software (the application itself is ridiculously simple), analysis and (and this is most important) procedures surrounding the physical devices (never left alone unguarded, clear chain of custody) created layers of protection and, in the end, a reasonably secure device. Is it possible to make it absolutely secure? I'm not sure. Would that be usable? I doubt it.
It's foolish to make a flawless voting system when we can't guard against propaganda and other forms of manipulation through social media or even the most traditional paying voters (either explicitly or through promises) to vote a certain way.
Paper, on the other hand, is fairly easy to comprehend and secure by all participants.