back to article Worried about election hacking? There's a technology fix – Helios

Election hacking is much in the news of late and there are fears that the Russians/rogue lefties/Bavarian illuminati et al are capable of falsifying results. For example, voters in the state of Georgia's sixth district are going to the polls on Tuesday for a close-fought election, and serious doubts have been raised about the …

  1. ma1010
    Joke

    No! No! No!

    You CAN'T use this system, ever! It uses ENCRYPTION, which is BAD 'cause TERRORISTS!

    Blah blah unsupervised safe space blah blah you'll all die blah blah keeping you safe blah blah.

    1. Gnosis_Carmot

      Re: No! No! No!

      Actually the reason it can't be used is because a whole bunch of people with government connections won't be able to make tons of money off it they way they can off closed-source software.

      1. ecofeco Silver badge

        Re: No! No! No!

        Exactly Gnosis.

  2. Barry Rueger

    "Because you can"

    Whine as you like about paper ballots being slow to count (apparently the only reason ever given to replace them) but they're still pretty difficult to hack (in countries inclined to be law abiding), and have the advantage that you can do a recount as many times as needed.

    I don't see any really good reason to abandon paper and pencil in the voting booth. If candidates and TV networks are forced to wait for results it seems like a very small price to pay for a trustworthy election.

    This seems like yet another example of a high tech solution to a problem that doesn't exist.

    1. willi0000000

      Re: "Because you can"

      paper ballots marked with crayons pencil are definitely the way to go . . . at least for now.

      how long have some of the i-bet-you-can't-hack-it challenges lasted when crowds get to sourcing solutions . . . hours? . . . minutes? . . . without a physical (non-electronic) record of each and every vote there's just too much room for shenanigans.

      perhaps someday in the (far!) future when humankind has grown up, we can try electronic voting . . . until that day: trust no one!

      [ paper isn't perfect but at least there are no dangly chads ]

      1. Charles 9

        Re: "Because you can"

        Then how so you guard against bribes and Kansas City Shuffles?

    2. Voland's right hand Silver badge

      Re: "Because you can"

      The issue US has with paper voting systems is direct democracy prevalent in several states - f.e. California. They sometimes end up with 20 + items to vote for on election day.

      Adding "yet another proposition" to a paper ballot is not cheap.

      1. Pen-y-gors

        Re: "Because you can"

        @Volands right hand

        Adding "yet another proposition" to a paper ballot is not cheap.

        Democracy ain't cheap...but it's a lot cheaper than the alternatives!

      2. Ian Michael Gumby

        @Voland Re: "Because you can"

        Huh?

        On election day, you have more than 20+ items.

        Depending on the year, you could have POTUS, then State Senators, Reps.

        Inside the state, you have various offices, Governor down to local judges, aldermen (councilmen) before you get to referendums and at the end non-binding referendums. (Things you can vote on that don't directly go into a law, but give an indication of what you favor. )

        1. Anonymous Coward
          Anonymous Coward

          Re: @Voland "Because you can"

          I'll apologize in advance for going off topic and getting ranty. Anything Government, voting or Economic drives me crazy, but I can't resist :)

          In New Brunswick, Canada you are given a paper ballot inside a cardboard shield with the top of the ballot slightly protruding from the shield, you pull out the ballot, mark your choices, put the ballot back in the shield, take it to a vote counting machine slide the protruding end of the ballot into the voting machine which then reads your votes and stores the ballot.

          So, what you have is an easily verifiable vote count and a count that is very fast. Is this possibly the best of both worlds?

          Now, if we had proportional representation and if Governments hadn't sold themselves to Corporations we might have a functional Governmental system. This problem is the same Federally. PM Justin Trudeau is dropping campaign promises as fast as he made them.

          http://www.torontosun.com/2017/03/25/10-key-promises-trudeau-has-broken-since-becoming-pm

          (I know there are more comprehensive lists, but I couldn't find them quickly.)

          I've read that we can't blame job loses on Globalization. I think that is largely or, at least, partly untrue and if Global Corporations had to pay taxes from where they got money and if, for instance, resource, energy and ISPs/phone companies where their resources are basically fixed to a location could not outsource and if taxation was closer to that of the early 1970s we could have a functional Government with functional health care, education...etc etc

          So, people will say that would make these companies unprofitable. Well, then have they corrupted themselves into a corner? Many of the above are essential services, so if they can't be profitable then maybe the government does need to step in and take over these essential services.

          Makes me wonder what people in the "Developed" World will do as it becomes less developed. Where will, really, livable incomes come from? How will people people who are, increasingly working in non-permanent jobs get loans to buy houses and cars? I guess for now we can continue to allow wealthy foreigners to buy up properties, but will they continue to want to as our economy and health care collapse?

          1. Brian 18

            Re: @Voland "Because you can"

            "In New Brunswick, Canada you are given a paper ballot inside a cardboard shield with the top of the ballot slightly protruding from the shield, you pull out the ballot, mark your choices, put the ballot back in the shield, take it to a vote counting machine slide the protruding end of the ballot into the voting machine which then reads your votes and stores the ballot."

            We do the same here in Michigan. I've been voting in Michigan since the 1996 election and an optically scanned ballot is what I've always used here.

            1. Sherrie Ludwig

              Re: @Voland "Because you can"

              "In New Brunswick, Canada you are given a paper ballot inside a cardboard shield with the top of the ballot slightly protruding from the shield, you pull out the ballot, mark your choices, put the ballot back in the shield, take it to a vote counting machine slide the protruding end of the ballot into the voting machine which then reads your votes and stores the ballot."

              "We do the same here in Michigan. I've been voting in Michigan since the 1996 election and an optically scanned ballot is what I've always used here."

              Netflix has a documentary "Hacking Democracy". It details how easily the Optiscan (optical scanner of paper ballots) can be undetectably hacked. It is frightening.

              1. Anonymous Coward
                Anonymous Coward

                Re: @Voland "Because you can"

                @ Sherrie Ludwig

                I haven't seen that. I definitely will though. Thanks. :)

        2. Mark Dempster

          Re: @Voland "Because you can"

          >On election day, you have more than 20+ items.<

          I think we're talking mainly about UK elections, which aren't done in such a confusing way as in the US. You just have one sheet of paper (maybe 2 if there's both a local and general election on the same day) and you mark an 'X' next to your preferred candidate's name.

      3. Whiskers

        Re: "Because you can"

        > Adding "yet another proposition" to a paper ballot is not cheap. <

        You don't have to have just one sheet of paper, and you don't have to have all the elections and referendums taking place on the same day. Here in the UK we seem to manage local and national and EU elections pretty well with paper ballots - and referendums too, although we struggle to ask the right questions with those. Sometimes there's just one paper, possibly with a single question on it, and sometimes the ballot has a long list of names on it; sometimes we've even managed to have some of the papers for 'first past the post' elections and others for some form of 'PR' - on the same day. Paper is very flexible, and so are human counters.

      4. Turbo Beholder

        Re: "Because you can"

        Perhaps need to add "yet another proposition" to ballots at the last moment would appear less often if they were made with less haste and more thinking through to begin with?

        Can "WE MUST HAVE A VOTE ON IT RIGHT NOW" possibly be an actual problem more often than an attempt to push something right now because in another week more facts may become public and the campaign will go belly up?

    3. Christian Berger

      Re: "Because you can"

      "Whine as you like about paper ballots being slow to count "

      Actually in Germany we have paper ballots, they are counted by volunteers. Polling stations close at 18:00, and most polling places finish counting at about 18:30-19:00. In time for the 20:00 news there's already a "preliminary official end result".

      1. Pascal Monett Silver badge

        Same in France and nobody is complaining about count time.

        Might be time to review the voting system in the US and simplify things a bit ? Besides, I find it quite curious that the "popular vote" counts for everything except the election of the President. That is something that should be corrected right there.

      2. Mark Dempster

        Re: "Because you can"

        >Actually in Germany we have paper ballots, they are counted by volunteers. Polling stations close at 18:00, and most polling places finish counting at about 18:30-19:00. In time for the 20:00 news there's already a "preliminary official end result".<

        Do you have a relatively small number of polling stations in Germany that people have to travel to? Or are they counted in the polling station itself? In a typical constituency of the UK it would take more time than that just to get the ballot boxes from the individual stations to the counting location.

        1. EnviableOne

          Re: "Because you can"

          Newcastle central and sunderland south would tend to disagree, polls close at 22:00 count done and declared at 23:02 and 23:08

    4. tom dial Silver badge

      Re: "Because you can"

      There have been relatively well known ways to put a thumb on the scale in a paper ballot election for at least, I would guess, 150 years. Most of them are not difficult for a moderately skilled illusionist to execute, or for another to detect while being executed. That said, optical machine counting evades nearly all of them, although at a cost of a statistically knowable rate of read errors due to such things as smudges and dirt in the equipment.

      The key thing that paper ballots have on their side is that the process for using and counting them is quite transparent and understandable by people of very modest technical skills, something that is untrue of touch screen voting machines (with or without a paper log) or even punch card ballots or the much earlier mechanical lever and wheel machines. It certainly is not true of encryption based gimmickry like the Helios system, which requires the voters and election administrators alike to accept on faith what might as well be magic.

  3. Marking Time

    >the voter is given a tracking number to keep. That number can be checked against an election tally system to ensure that the vote was cast as specified

    Issue right there.

    1. Voland's right hand Silver badge

      My exact thought

      This is hardly something that can be called anonymous voting.

      1. Anonymous Coward
        Anonymous Coward

        Re: My exact thought

        Look on the Bright side.

        Computerised voting will save the authorities time, money and effort when they come to record who you voted for on their Central Database of potential future troublemakers.

        Then they can disregard your vote and rig the system to ensure that one of their own is 'Elected'.

      2. Pen-y-gors

        Re: My exact thought

        @Voland

        This is hardly something that can be called anonymous voting.

        But then neither is the present UK system, technically. The voter number and ballot paper number are recorded on a list. In practice this is only used to provide a sort of audit of papers issued, but in a close election can be used to remove fraudulent ballots.

        But it could also be used to track down the 52% for punishment...

        Paper is the way to go. It provides a solid and safe audit trail, and with the supervision at all stages it's very, very hard to fix (except for the postal bit - and they're working on that). Security is tight, sealed boxes etc, and (many years ago now) when I worked a couple of times as a polling supervisor, once the polls closed and the records were written up, I had a police escort to the counting centre to hand the box to the returning officer. And the count is then overseen by representatives of the candidates. In fact, back then (late seventies in Scotland) we had a plod in the polling station all day. On overtime for 15 hours!

        One odd feature of the system that I suspect most people aren't aware of...

        One election the Liberal candidate brought a sweet little old lady in to vote. Asked her her number/address and checked the roll - it had already been crossed off! Oh bum! But then checked the pile of cards and found her card. So either someone had already voted for her, or she'd voted already. Checked the procedures and issued her with a PINK ballot paper. If it's close then the original paper can be removed and replaced with the pink one. We asked her if she'd already voted, and she said no, not recently - but she had voted last month (previous election was a year before!)

        1. tom dial Silver badge

          Re: My exact thought

          In the US State of Ohio, when I was involved with precinct level election management, the ballot number was recorded before the ballot was given to the voter, and the strip with the ballot number was removed when the voter returned the ballot, and the ballot, without identifying marks, was put in the ballot box (later, fed into the locked and sealed counting machine). This ensured anonymity to a high degree of certainty.

      3. Anonymous Coward
        Anonymous Coward

        Re: My exact thought

        "This is hardly something that can be called anonymous voting."

        UK voters may notice that the ballot paper has a unique number on it, and the person handing them out in the polling station writes down your electoral registration number on a list of other numbers. That makes me uncomfortable every time I vote. It seems an easy way for votes to be connected to individuals. Perhaps someone more observant (or knowledgeable) could confirm whether my suspicions are correct or I'm being unnecessarily paranoid.

        1. Anonymous Coward
          Anonymous Coward

          Re: My exact thought

          You are being necessarily paranoid. There is almost no such thing as too paranoid* when it comes to ensuring our elections are carried out in a safe and secret manner.

          *Voting in pen because MI5 might rub out your pencil vote is definitively too paranoid.

          Every ballot paper has an identification number. That number is recorded against your details when the paper is issued to you by the staff at the polling station. Therefore British ballots are definitively not secret.

          The papers and the register of who received which paper are turned over to the custody of the Lord Chancellor (in practise they end up stored in a government warehouse somewhere) so that should any accusations of voting fraud arise they can be resolved. This obviously represents a risk of abuse, and as such the records can only be accessed by order of the High Court or by Act of Parliament.

          The papers are destroyed one year and one day from the date of the election.

          This is a pretty high bar, so as designed the system is probably a fair balance between securing the absolute privacy of your vote and the need to guard against potential fraud or error. However we don't spend nearly enough time looking at what practical safeguards are in place (i.e. in terms of physical security of the papers themselves or the assurance of their destruction), and certainly in the 70s and 80s rumours were rampant that the Security Service would trawl the records to compile lists of Communists and other such enemies of the state.

          Unfortunately instead the government of the day is concerned with imposing voter ID restrictions on in-person voting, and making it more difficult than ever to register to vote. Thankfully the government of the day is a lame duck, so they won't actually be able to do any of that.

        2. J.G.Harston Silver badge

          Re: My exact thought

          It's not "an easy way" to find out how somebody voted. Do *you* want to sort through 55,000 pieces of paper looking the *one* piece of paper with the serial number on it that you are searching for? And that's after getting a court order from an Election Court to allow you to even get your mits on the 55,000 pieces of paper.

      4. tom dial Silver badge

        Re: My exact thought

        According to the Helios claims, the system ensures anonymity. The documentation is a bit sketchier than a set of Linux man pages, but I suppose one with suitable skills might go through the source code to see how it is done and, perhaps, whether the code is as bulletproof as it needs to be.

    2. Bronek Kozicki

      Nope, please see the presentation. The secrecy of the vote is preserved, the key here is homomorphic encryption - your vote is encrypted before count, and you get the keep the encrypted copy. There is also small FAQ here. Perhaps jump the the last point right away - as explained, this is not a system of election which is appropriate for public office elections, because it is online-only.

      On the other and, cryptographically very similar (but in-person rather than online) STAR-vote system does seem very appropriate.

      1. Anonymous Coward
        Anonymous Coward

        The secrecy of the vote is preserved, the key here is homomorphic encryption ...

        It is a logical impossibility to have a voting system where a vote is both truly secret and verifiable - you have to choose one or another, and no amount of algoritnmic pixie dust can change this. For example, the system described in the article removes the voters' ability to lie about how they voted - something which is crucial to a truly free election. This opens all kinds of possibilities for voter coercion and vote selling. Knowing that your choice is potentially verifiable at a latter time also affects how people vote even in the absence of overt coercion.

    3. Charlie Clark Silver badge

      That number can be checked against an election tally system to ensure that the vote was cast as specified.

      This is more down a to a poor explanation of the system than a risk within Helios itself.

      The Python Software Foundation recently switched to Helios. I don't think it's perfect as a system but it goes further to dealing with the potential issues than any other system I've seen.

      I'm a huge fan of paper-based systems for national elections but I think that the Estonians have raised several credible reasons for some potential problems.

      As for the US: fraud and system failure would be less of a worry if more people could be bothered to vote in the first place. Turnout at elections in the US is routinely abysmal.

    4. GrapeBunch

      One issue: what happens if gov't X politely asks you for the tracking number? Offering of course to feed and house you indefinitely in a domicile of their choice should you pretend to forget it. Not as far-fetched as one might imagine.

      1. GrapeBunch

        Although the opposite (contrapositive?) is interesting too. If legislation protected your tracking number, could you use it to encrypt your documents and thus evade the long arm of anti-terrorism (or whatever they're saying it is this week) laws? "No, occifer, I regret that I am unable to give you my mobile phone password because it is the same as my recent election tracking number, which may not be divulged under S.382 (2018)." - or something like that. Faint hope, I suppose.

  4. John Smith 19 Gold badge
    Unhappy

    One of the applications of public key encryption systems is verifying who you are

    So if the "document" is a voting form and signed with your private key.

    Of course that would mean everyone would have to have a public key pair and they might start emailing stuff that could not be broken without a court order.

    And we've seen how much governments feel constrained by due process.

    1. Anonymous Coward
      Anonymous Coward

      Re: One of the applications of public key encryption systems is verifying who you are

      It's possible to have multi-key systems, where stuff encrypted by one can be decrypted by either.

      Which makes government issued public/private key pairs, or software for generating them for the public, completely unworkable.

  5. Anonymous Coward
    Anonymous Coward

    No need for something needlessly complex like Helios

    Just use paper ballots, or use electronic machines that print paper ballots that the voter can double check before turning in. You can scan the paper ballots or use the electronic records, doesn't matter. What is important is that you choose a few percent of precincts at random for a mandatory hand count, and if there is an error more than a very small acceptable threshold a full state recount is ordered.

    Besides, having a way for a voter to prove they have voted means that parties, churches, bosses and other "interested" parties can pressure voters to prove that they voted. Imagine a local party organization publishing a list of 'naughty republicans' or 'naughty democrats' who failed to vote after a close election was lost? You think the naughty democrats wouldn't get a lot of crap from fellow democrats in one of the three states where Clinton lost by a small margin and cost her the election? Imagine the pressure fellow churchgoers would put on those evangelicals who failed to turn up at the polls to support the anti-abortion candidates? People should not be able to prove they've voted, because others will demand the proof, and no good can come of it. We have a right to vote for who we want to, but also need to keep the right to NOT vote if we so choose.

    1. CommsFogey

      Re: No need for something needlessly complex like Helios

      In Australia we have compulsory voting. I guess this would really annoy you.

      But the thing is, since you cant know how I voted, it still is anonymous. You can leave your paper blank. You can draw a pretty picture on it, or other less polite ways of performing an invalid vote.

      In India they actually have electronic voting at polling stations if memory serves. With a clever distributed, non-online cheap, anonymous mechanism. In many countries where for example the UN is present supervising a vote, marking ink eg on right thumb, is used to show a person has voted to stop multiple voting.

      So in the system described, I can see my vote has not been changed, but I cant be forced to show someone how I voted. Which I agree with you that is a fundamental necessity.

      1. Anonymous Coward
        Anonymous Coward

        Re: No need for something needlessly complex like Helios

        I don't understand the logic of compulsory voting. Why should you force people who don't care about an election to make a choice?

        If I was forced to vote in a local school board election, which I don't give a damn about, I might just pick someone at random or vote for/against someone who has the same last name as someone I know (depending on whether I like them or not) or do some other stupid thing that adds unnecessary noise to the result. Let the people who care enough to show up make the choice, and don't waste the time of those who don't.

        1. Anonymous Coward
          Anonymous Coward

          Re: No need for something needlessly complex like Helios

          "I don't understand the logic of compulsory voting. Why should you force people who don't care about an election to make a choice?"

          Because otherwise there's the possibility of less than a majority of the total electorate determining a stupid result. Astute readers may be able to think of a couple of recent examples.

          1. Anonymous Coward
            Anonymous Coward

            @AC "possibility of less than a majority of the electorate determining a stupid result"

            So you'd prefer to force people who don't care about the election to cast a vote, thus increasing the chance of a stupid result? Yeah, that makes sense...

            1. Anonymous Coward
              Anonymous Coward

              Re: @AC "possibility of less than a majority of the electorate determining a stupid result"

              I wasn't claiming that forcing everyone to vote would prevent a stupid result. It would mean that the result, stupid or otherwise, was valid democratically.

            2. Anonymous Coward
              Anonymous Coward

              Re: @AC "possibility of less than a majority of the electorate determining a stupid result"

              "So you'd prefer to force people who don't care about the election to cast a vote, thus increasing the chance of a stupid result?"

              I think the idea is to instill in people the fact that voting is a DUTY and needs to be taken seriously (thus the fine for skipping out). It's intended to MAKE them care. You either care or you pay. Who wants to blow some dough on election day?

        2. Phukov Andigh Bronze badge

          Re: No need for something needlessly complex like Helios

          on the flip side, we *encourage* people to vote who don't care enough about issues to do any research or even, after decades, bother to get even basic ID (or so they claim to avoid any sort of election fraud prevention).

          If knowing ID is needed for voting and 20 or 30 years later you still couldn't stop off once for a free ID, then is letting that person vote better than forcing everyone who DOES have ID to vote?

    2. John Smith 19 Gold badge
      Unhappy

      "Besides, having a way for a voter to prove they have voted "

      Or perhaps it's time to repeal the fact that you have to express a preference for voting when you register to vote?

      Actually the suggestion was not to prove you'd voted.

      It was to verify that a vote could be identified back to a real person, if necessary.

      1. tom dial Silver badge

        Re: "Besides, having a way for a voter to prove they have voted "

        In the US nobody has to express a preference when registering unless they want to vote in a partisan primary election. In that case, they have to indicate a preference for a political party and, in some places to attest that they voted for more of that party than of others in a prior election if they were not previously registered to that party. And there is, of course, no requirement that the expressed preference be truthful, which in some states has led to gaming of a sort that is easily imagined.

  6. Anonymous Coward
    Anonymous Coward

    you can keep this system

    ... the Helios system allowed the voting team to check the levels of votes by different years of students (freshmen, juniors, etc), and saw that while voting rates among other years had spiked after the email had been sent out, this wasn't true for sophomore students.

    Realistically, the only way to collect this, and other demographic data is to associate each ballot with a student ID or its hash. This can be done either by explicitly asking for it (and this is likely the method used, since the rest of the article does mention that each vote is associated with a unique verification code), or by asking enough "innocent" demographic questions to uniquelly identify the voter.

    Presumably the front-end of the electoral database will include some safeguards on directly quering the votes based on voter's ID, but ultimately the data is collected, stored, and available to anyone with the skill to directly perform an SQL query. At worst, one might need to build a rainbow table of the ID numbers; for any plausible number of voters, up to and including the entire population of Earth, this is a trivial task.

    I am sorry, but this system is no better than an "election" by an open show of hands at a town-hall meeting: a candidate most capable of threatening and cajoling the voters will always win. I am a very conscientious voter, and I have voted in every single election I was eligible to cast a ballot in for the past 20 years. However, I will never, ever take part in an "election" which so blatantly abandons the principle of a secret ballot.

  7. Anonymous Coward
    Anonymous Coward

    Look citizens you all keep voting wrong so we need to move to electronic voting so you all vote correctly.

    Kind Regards,

    The Establishment.

    P.S. We still have a good chortle over our foie gras that you think you live in a democracy when in reality no matter who you vote for they are equally our stooges after we have finished funding them.

  8. Christian Berger

    No, elections don't work this way

    The big problem is that only very few people will understand that protocol. An average person will not be able to check an election.

    It doesn't matter how easy it is to fake an election, as long as people, without any kind of special training or abilities, are able to understand that system enough to check for all possible kinds of fraud. With a pen and paper system that is easy. At the start of the election you look into the ballot box to check that it's empty. Then you check that everyone entering the polling station will be crossed out from the list, and only throw one ballot into the box. Then at the end, you count all the ballots and check if they are the same as crossed out names on the list. If everything matches up, you can be sure nobody did ballot stuffing. Then you manually count them (or watch the people doing it) and make sure those numbers match up with the others.

    Then you compare the numbers to the ones published on the election website or in the newspaper.

    Seriously all of those steps can be done by someone who doesn't have any kind of special knowledge. Any anybody can come up with those points when they only think hard enough.

    You can only have trust in a system you can understand, and elections are all about trust.

    1. Charles 9

      Re: No, elections don't work this way

      That still doesn't help against ballot swapping, where the boxes or contents are switched out via a Kansas City Shuffle and the switched contents also have the same number of ballots.

      What man can make, man can also usually subvert.

      1. Richard 12 Silver badge

        Re: No, elections don't work this way

        Yes, but such fraud is more easily detected by a lay observer than the equivalent switcheroo of electronic ballots.

        Swapping out a few paper ballot boxes means printing and manually marking those ballots, then arranging for them to be swapped out at the right moment and the real ones destroyed.

        This involves a lot of people and affords a lot of opportunities to get caught.

        Swapping out electronic ballots means connecting to the system with your BallotHackTM machine for a few seconds - whether locally or remotely.

        Faking large numbers of paper ballots takes a lot more manpower than faking electronic ones, and so is more likely to be spotted.

        A concerned citizen can follow paper ballots all the way from printing, right through to the count, and it doesn't require them to have any specific technical expertise.

        Inspecting and monitoring electronic ballots requires a lot of technical expertise, and is effectively physically impossible anyway - how do I check that the hardware and code running in the machine is the one you said it was?

        That's the point.

        1. Charles 9

          Re: No, elections don't work this way

          You underestimate the size and power of political parties (or as they were known in the Gilded Age, political MACHINES).

      2. Phukov Andigh Bronze badge

        Re: No, elections don't work this way

        I'm not worried about boxes shifting, since my campaign manager can keep finding more ballots in the trunk (boot) of his car for each recount!

    2. Alumoi Silver badge

      Re: No, elections don't work this way

      You can only have trust in a system you can understand, and elections are all about trust.

      Shirley you must be joking. Elections are about who's the biggest liar with the biggest spending account for electoral bribes and advertising.

  9. Nick Kew

    The description of Helios sounds a lot like Apache STeVe. I recently ran an election using that[1]. Each voter was referenced by an anonymised hash, generated by the system and known by the voter but not by anyone else. If there had been any question of foul play, we could've enabled individual voters to view their votes as keyed by the hash.

    I daresay there are other such systems around.

    [1] That election was for a VP post within Apache - four good candidates but no controversy.

    1. Anonymous Coward
      Anonymous Coward

      +1 for SteVe. Great system for handling little votes and far easier to understand than whatever homomorphic witchcraft is going on within Helios.

      Still wouldn't run a country on it, though.

  10. ocratato
    FAIL

    Trust

    The problem with all the encryption based systems is trust. The general population has to be able to trust that the election was run fairly.

    In order to trust an election system you have to have some understanding of how it works.

    Try explaining public/private key encryption to the ordinary "man in the street".

    1. Alumoi Silver badge

      Re: Trust

      Encryption? That's something the terrists use, right?

  11. Anonymous Coward
    Anonymous Coward

    I can tell you what Helios' REAL problem is..

    "In the United States, the most difficult aspect of that question is that decisions on voting systems and equipment are very decentralized. So I don't see a way in which a Helios-type system is in broad use in 2020," he said.

    "If anything, the difficulty of running pilots with new voting technology is probably the biggest impediment of all: no one wants to use a system that hasn't been proven at scale in national elections.

    No, no, no. Let's rewind a moment: we are talking about the US here, so let me correct that last sentence with a dose of reality:

    no one wants to use a system that does not make a vast amount of profit

    If security or veracity of votes had ever been a consideration, quite a number of the current systems would not have even passed cursory evaluation, let alone any in-depth review prior to procurement. From that it logically follows that choice is not based on quality. Given the at best vaguely reviewed spending of government pork, that leaves a simple conclusion: nobody will touch anything from the socks and sandals brigade, even if the commie tag has now been made acceptable by Trump, because that doesn't make enough profit for a select few.

    That's just NOT going to happen.

  12. handleoclast
    FAIL

    It's total bollocks

    Everyone seems to have missed the point here.

    It's not whether Helios is secure or not. It's not about whether Helios keeps your vote truly private or not. It's not about whether the election systems that register the votes are unhackable or not.

    It is about whether users' computers have been hacked or not. And we know, from all the botnets out there, that a lot of them have been hacked without the users even knowing. There will be a big demand for vote-changing hacks.

    Sure, it ought to show up. If enough people complain that the system wouldn't let them vote because it claimed they'd already voted then that might trigger doubts. But would it be enough in a country where the Florida recount was prematurely halted? Would it be enough in a country where some exit polls have differed drastically from the actual result, strongly indicating serious vote rigging, but the matter was ignored?

    A really smart hijacking attempt would monitor social media to figure out which users are unlikely to bother voting and vote for them. Sure, turnout would be abnormally high (the first time it happened, on subsequent votes it would be the new normal) but relatively few would complain that the system wouldn't let them vote.

    The day we have operating systems and applications that are provably immune to hacking of all forms will be the day that Helios would be a sensible idea. We could use it to vote on which squadron of pigs flying in formation over the ice-rinks of Hell gave the best display.

    1. Charles 9

      Re: It's total bollocks

      "The day we have operating systems and applications that are provably immune to hacking of all forms will be the day that Helios would be a sensible idea. We could use it to vote on which squadron of pigs flying in formation over the ice-rinks of Hell gave the best display."

      Ballot box swap done by a Kansas City Shuffle (a distraction opens a chance to switch them without anyone noticing). Purely physical and, done right, undetectable because the counts can also match. There, I pretty much proved your hypothesis impossible since this is essentially a Sneakernet hack that's pretty much always a possibility.

      1. handleoclast

        Re: It's total bollocks

        @Charles 9

        Yeah, a ballot box swap is possible. Kinda hard to carry off nationwide, though. You have to wait for (or manufacture) a suitable distraction. And then not get spotted doing it. Repeatedly.

        OTOH, there are shitloads of botnets running on zombies. Rigging votes is just one more incentive for crackers to infiltrate computers. Or, to put it another way, an additional revenue stream resulting from computers they've already infiltrated.

        Also, even if vote-rigging by computer is suspected, or even proven, perhaps the ensuing chaos and mistrust is what was intended anyway.

        1. Charles 9

          Re: It's total bollocks

          But not impossible, especially if you combine this with things like bribes and a political machine as large as a major political party. And if you think that's not possible, recall that the term "political machine" dates back to the Gilded Age in the late 19th century. This alone proves there's no real way to make an election truly trustworthy. And unfortunately, when it comes to something like this, it really is all or nothing, as one bad apple can spoil the entire election.

          1. Anonymous Coward
            Anonymous Coward

            Re: It's total bollocks

            A ballot box swap should be trivial to detect by any number of measures:

            1) Never having a ballot box anywhere except in plain sight of at least 2 people, and as many people as want to watch it

            2) Keeping track of which ballot papers are issued to which station, through colour, serial number, shape, randomisation of candidate ordering etc. etc.

            3) Stick a big tamper resistant location label on the side

            4) Chain it to the floor, or the van, or the nice policemen who are here to ensure there's no jiggery pokery with the ballot

            and so on and so forth.

            Paper voting: it just works.

            1. Anonymous Coward
              Anonymous Coward

              Re: It's total bollocks

              "Chain it to the floor, or the van, or the nice policemen who are here to ensure there's no jiggery pokery with the ballot"

              The nice policemen who are paid by the ruling party in places like Zimbabwe, for instance?

            2. Charles 9

              Re: It's total bollocks

              "Paper voting: it just works."

              So do insiders.

              1. Turbo Beholder

                Re: It's total bollocks

                This can happen in any solution.

                1. Charles 9

                  Re: It's total bollocks

                  So no solution is bulletproof, and if no solution is bulletproof no solution is truly trustworthy, and if a solution is not truly trustworthy, someone will eventually have enough of a grudge to usurp the system.

          2. tom dial Silver badge

            Re: It's total bollocks

            I am prepared to argue that part of the problem in the US stems from evisceration of the traditional "machine" political party organizations, which performed a number of useful quasi-governmental functions including, not insignificantly, voter education and turnout management.

      2. Anonymous Coward
        Anonymous Coward

        Re: It's total bollocks

        Ballot box swap done by a Kansas City Shuffle (a distraction opens a chance to switch them without anyone noticing). Purely physical and, done right, undetectable because the counts can also match ...

        A ballot swap is easily and conclusively detectable if ballot papers carry unique serial numbers (as they do in Canada, for example). This security measure may have a possible side effect of making votes personally identifiable. To guard against this possibility, you can try to make it harder to correlate voter's identity and the ballot's serial number. Again in Canadian system, this is achieved by splitting the tasks of checking voter's identity and issuing the ballot paper between the two people working each polling station, and keeping both processes manual (computerising the process would make it too easy to correlate the datasets through the timestamps). The price you have to pay for the vote privacy is that once a ballot paper with a correct serial number entered the ballot box, it can no longer be tied to a voter's identity. As the result, while you can still detect voter impersonation (assuming that the rightful voter shows up to cast the vote, of course) and multiple voting, it is no longer possible to correct for it. This is however sufficient to decide whether the number of fraudulent votes is large enougn to invalidate the result.

        The bottom line is that a well-designed paper-based election is hard and expensive to hack without detection, with the costs and difficulty at least proportional to the number of polling stations.

        1. Charles 9

          Re: It's total bollocks

          "The bottom line is that a well-designed paper-based election is hard and expensive to hack without detection, with the costs and difficulty at least proportional to the number of polling stations."

          But if an organization is big enough and determined enough (like a major political party or machine), then you still can't discount the possibility of insiders throughout the voting system as well as well-coordinated efforts to slip things through. Remember the Gilded Age. You also can't discount conspiracies of all the parties actually working in cahoots to subjugate the proletariat.

  13. Turbo Beholder
    Trollface

    Same old? http://xkcd.com/463/

  14. Eclectic Man Silver badge

    UK non-anonymous voting and re-counts

    @Anonymous Coward > "UK voters may notice that the ballot paper has a unique number on it, and the person handing them out in the polling station writes down your electoral registration number on a list of other numbers. That makes me uncomfortable every time I vote. It seems an easy way for votes to be connected to individuals.(*) Perhaps someone more observant (or knowledgeable) could confirm whether my suspicions are correct or I'm being unnecessarily paranoid."

    I believe that one of the powers of the Speaker of the House of Commons is the ability to authorise a check on who voted for whom in an election. This would only be in very exceptional circumstances, maybe where there is evidence or suspicion that votes were being procured in illegal ways, such as bribery or coercion.

    As Tom Stoppard pointed out, democracy is in the counting of the votes, so a system where everyone can verify the result, rather than relying on an old Widows XP spreadsheet would be good.

    The reason why close results were often sent back for a recount is that hand counting ballots rarely obtains the same result twice. In the UK, a re-count would mean that postal ballots would also be counted, as they were generally not included in the first count.

    (* this is the most (only) referenced part of my own humble contribution on cryptographic voting schemes, no mention of my proposed scheme, or what one actually wants from a voting scheme, no, just the fact that in the UK votes are no necessarily secret, sigh :o( mutters on and on and on ... )

    1. J.G.Harston Silver badge

      Re: UK non-anonymous voting and re-counts

      Bzzzt! Yes, postal ballots ***ARE*** included in the count.

      I was at a general election count two weeks ago (god was it that recent?) and the procedure is the same for locals.

      Stage 1:

      Postal vote boxes opened and emptied onto the tables. Count supervisor typically says "Postal votes, xxxx ballots". Count staff count the ballots and bundle them into (typically) 50s. The bundles are counted to check they match how many were received. If there is a mismatch they are counted again until they get it right.

      Polling station box opened. Count supervisor typically says eg "Box 23 St. Mary's, xxxx ballots". Procedure continues as above.

      Repeat for each polling station box.

      Stage 2:

      Chunks of 50-bundles are brought to the tables, and they are seperated into piles for each candidate.

      Stage 3:

      Seperated piles are counted into bundles of 50. Quick chat with agents regarding spoiled ballots. Returning offficer tallies them up to final total. Quick chat with agents regarding final totals and chance for recount if close. Returning officer announces result.

      A recount can be a bundle check, where the bundles are flicked through to visually check if a ballot has been misplaced. Or it can be a full start-again and re-sort and re-do everything check as happened in Fife where the majority ended up being 2.

      I used to have a very useful training video which if I still had I'd put online.

  15. dew3

    Money does drive electronic voting

    I am not as cynical as some, but the adoption of electronic voting in the US was certainly driven in part by money. There was the mess in 2000 in Florida, followed by hundreds of millions of $$$ raining down from the federal government to upgrade voter systems. In 2000 electronic voting machines were a very expensive solution looking for a problem to solve, and suddenly they were affordable. Everything is "cheaper" when you are spending grant money, and electronic voting companies were like a monorail salesman in a certain Simpsons episode.

    The other part that drove electronic voting was access - handicapped rights groups and immigrant rights groups joined hand-in-hand to demand the computer-based voting machines because they make access modestly better - video screens can expand text for the visually impaired, and once you have translated the ballot to another language, there is no extra printing costs to keep enough ballots on hand in each language. And it is hard for many politicians to say "no, it costs to much" to such groups.

    The cost? My community spends ~$14K per optical scanner for paper ballots (one per precinct) which last 15-20 years, ~$1.5K per machine per election to program the chips, and around $2K per precinct to print ballots (plus staff, etc). We spend $50 per voting booth (heavy folding cardboard) that last 8-10 years; we have 50 booths per precinct. We also have one booth per precinct at a table with a fancy magnifying reader (~$500) to blow up the paper ballot for the visually impaired. We get initial vote counts 2-5 minutes after the polls close (excluding write-ins).

    If we had computers, that is $3K-$5K per voting machine. Several $hundred per election per machine to program - less per unit than our $2K/optical scanner because of volume, but much more in total, OTOH no printing costs. The voting booths would be wood or metal due to weight, which aside from cost (not sure how much, but I'll guess ~$250/booth), means more storage space between elections and more labor costs to set up/tear down. And after 10-12 years, the machines are near their end of useful life (http://thehill.com/policy/cybersecurity/222470-states-ditch-electronic-voting-machines). Since they whole setup is so expensive, you buy as few voting machines per precinct as possible, which means longer lines than paper ballots - which can yield (somewhat ironically) less access. My state requires a minimum of one precinct per 6,000 residents, so pick a community size and you can do the math to guesstimate the cost. The bottom line is, if paying out of local taxes, very few communities would choose electronic voting over paper ballots.

    And if you lose power or have other technical problems, those paper ballots can be counted by hand. With electronic voting machines you're screwed (and that has happened).

  16. EnviableOne
    Boffin

    Low turnouts and 2 party systems go hand in hand as a large part of the electorate dont like any of the options presented. and if the ruling party has control of the districting, you get guys called gerry making salamanders and headphones on the map so the opposition supporters waste more votes ....

    then you end up with a party in power that less than 10% of the elegable population actually voted for.

    if you are going to go to compulsory voting, it has to be acompanied by a change to the voting system and an re-balnacing of the status quo.

    the only option is to bring in more proportional voting, I have a method that i think will work for a two house system, it uses single member Instant-runoff voting (IRV) districts for the lower house with direct representation, and simple party list Proportion Representation (PR) for the upper house. So you get to chose the representative you want for local issues, and the party you agree with for wider ones.

    districting should be handled by non-partisan independant authorities on a geographic basis taking into account only numbers of elegable voters, not demographics, to ensure equal representation.

    If you're gong for a seperate head of state, IRV is not bad, this way most people will end up with someone they can stand.

    1. Charles 9

      "districting should be handled by non-partisan independant authorities on a geographic basis taking into account only numbers of elegable voters, not demographics, to ensure equal representation."

      As long as you get humans involved, someone's going to be nefarious enough to try to subvert them. Why not set it up by algorithm where color-blind head count is the only metric? Say require that districts be of equal numbers of people give or take a small number and then have ti draw out districts as compact in geographic area as it can until it's forced to reach out to get enough people? With no human intervention, there's almost no way to game the system unless you're into planned neighborhoods and districting.

  17. bennyspeaks

    Online Voting Backed by Blockchain Technology

    It is not a new phenomenon that democratic processes world over are becoming increasingly susceptible to all forms of attack from cyber attacks and other forms of malpractices aimed at skewing a supposed reliable and open process. However, the consequences of electoral compromises have meted out dire straits for all stakeholders in a democracy. There is this lingering issue of alleged electoral malpractice in the US during the last presidential polls and maybe other issues of such magnitude not yet mentioned in public space.

    I was particularly disturbed in the wake of these issues and decided to think of how things could get better to ensure total trust and reliance on our electoral process to bring about the unquestionable credibility in the way we elect our leaders both in the society and in the academia. Even conducting polls shouldn't be left out, because polls are used to gauge the pulse of the society to test public affinity to or disapproval of a particular issue or cause of action. In my quest in search for answers, I came across the issue of e-voting based on blockchain technology. First, it sounded like a stealth idea but I had to dig a little bit because the bait that caught my interest deepened was the keyword, blockchain.

    After a thorough study, I was quite convinced that this particular tech process was going to be the hope of future elections because it promises absolute security, immutability and voter anonymity guaranteed by some kind of transparent crypto-algorithms, tech people could easily figure this out. Also, it offers fast deployment on both static (desktop) and mobile devices, which means an absolute guarantee for convenience and easy user interface from my findings.

    Moreso, political parties with credible candidates and electoral commissions shouldn't worry about cost implications of elections anymore, because this system as I have learned saves resources, especially cost, and also secure and transparent for all. It can also be a useful tool for intra-party or inter-intra-organisational elections.

    Its use in the university or academic setting cannot be wished away all of a sudden because dozens of elections and polls are held annually, as various reps are elected to student councils, associations, trade unions, extracurricular communities and university governing bodies.

    I wish to read about other safe, transparent and credible electoral processes. I am not an island of knowledge, there are bright minds out there with potential ways of making our electoral processes right.For more insights I couldn't capture in the course of reeling out my thoughts on this, you can visit https://polys.me/

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like