1. 11
  2. 5

    On one hand this seems like a genuine attempt to alleviate the issues Rivest et al. mention in their paper.

    On the other, however, the documentation seems like a whole lot of smoke to me: high-level descriptions and no proofs of their security claims. Maybe I missed something?

    What I’ve heard from most people that work on e-voting is that it’s a bad idea, not only from a technical side: assuming a voting system which is provably correct, has a formally verified implementation, etc., there is never a guarantee that the client device from which the vote is sent is malware-free. This reason alone defeats e-voting, since none of the actors (devices) can be trusted.

    There’s a great video from Tom Scott in which he summarizes this and some other issues with e-voting; I highly recommend you check it out.

    1. 1

      One thing that the debate about digital voting is missing is an acknowledgement of the spectrum of decision making that people engage in. All discussion is about national central government elections, which happen every 3-4 years. Many of the requirements and obstacles to digital collective decision making stem from this particular use-case. Say I write a message in a chatroom that has 5 of my friends in it, saying “Shall we go to the ocean or the lake this weekend?”. Then everyone expresses a wish and the group does what the majority chose, that is digital voting. The outcome affects our lives. This is a trivial example but there are plenty of examples, both when scaling up the number of people, and the importance of the outcome. This is the spectrum I am talking about. The argument that digital voting is not perfectly safe is not strictly relevant if it is already happening unless you have a proposal to replace it. Especially if the argument is also that it can never be made safe. Someone working on making it safer however is doing useful work and I thank them.

      The thing that saddens me most is that we don’t even have a worthwhile UX tool for this and are currently relying on chat apps, email, web apps and other dodgy, centralised, insecure solutions that are also not really built for this task.

      Time to get collective decision making out of the labs. National elections can and should stay on paper, so let’s work on the areas of life where paper ballots are not a feasible solution.

      1. 6

        The definition e-voting is mostly used for anonymous, verifiable voting schemes such as mentioned above.

        If you’re just polling your friends where to go hang out then I severely doubt you need any of the features these systems offer you: As you said you are lacking a nice UI, a quick search for “poll website” gives you many options to use in such cases.

        For more “serious” stuff such as association meetings we have successfully used VoteIT, which again gives you none of the guarantees since the voting data is not anonymous, but is good enough for these small systems.

        Why use an absurdly complex blockchain here when a simple webapp does the trick?

        1. 1

          VoteIT is the kind of thing I have been looking for for years, thanks for the link.

          > gives you none of the guarantees

          You can’t envision a single scenario where someone might want one or more of those guarantees?

          1. 3

            > VoteIT is the kind of thing I have been looking for for years, thanks for the link.

            You’re welcome!

            > You can’t envision a single scenario where someone might want one or more of those guarantees?

            Barring national elections? Not really, please enlighten me!

            Most of the times an anonymous/secret vote is requested I think that the guarantees of e.g. VoteIT are good enough (assuming, of course, you trust the ops team).

            1. 5

              > Barring national elections? Not really, please enlighten me!

              It is merely a question of scale and distribution of voters, combined with the importance of the vote. If I am part of an organisation with say 10,000 members and we are voting on a budget of say 10,000,000 USD, then there is a real need for many of the guarantees an election has. The answer might well be to use paper ballots in such a case but there are limiting factors, for example an organisation with members spread over the world. Especially if the organisation has a decentralised management structure where there is no central authority to trust with counting. The current global health situation is also an example of a temporary reason why it might not be desirable for members to all congregate in one place for a vote.

    2. 4

      I still strongly agree with this XKCD strip: https://xkcd.com/2030/

      I have been writing software for 15 years, and I firmly believe that paper ballots, put in transparent boxes, counted at the place they were cast, are much easier to secure and inspect, and give much more confidence to voters than any (centralized or not) digital voting system :x

      1. 1

        I believe that all of the technical problems will get solved within the next 10-20 years or so. The difficult problems stem from the society. And those are hard to solve, because people don’t like to change their habits. Often, it’s easier to have completely new people with new habits, than re-educating existing people from their current ones. Therefore, I would not make elections digital until an average lifetime has passed after a full working implementation of digital voting. Or, so to say, only over my dead body.

        1. 4

          > Often, it’s easier to have completely new people with new habits, than re-educating existing people from their current ones.

          In the (Brazilian) Navy, it is called “the ghost of the ship” (“espírito do navio”, if you are curious how they call it in Portuguese).

          The idea is that there is a ghost in the ship that settles people into certain ways of doing things.

          The real explanation is the following:

          • a new ship is inaugurated and a whole new crew (let us assume of 100 people) takes over the ship;
          • after some time, some people from the original crew have to leave it for any reason (e.g., retirement);
          • let us say there is a 10% rotation;
          • the other 90% set the habit to those 10% that just arrived.

          Since I heard this story, I got fascinated by this idea.

          It is not correlated to e-voting, but I vouch for your sentence I quoted.

          1. 2

            One of the hard problems of a national election is how to bootstrap a democracy while being able to have little to no trust in the sitting government that has to organize it. One way to solve the threat of a coordinated attack that would result in a distribution of power that does not reflect the will of the people, is to empower each member of the electorate with the ability to verify independently that all ballots in a polling station are cast and counted correctly and fairly, meaning:

            • each ballot box in the polling station is empty before the election starts
            • they’re all sealed during the day when votes are being cast
            • each ballot is cast by a single individual that has stuffed only one ballot in the box
            • no other ballots are stuffed in the box
            • once the ballot box is opened at night, all ballots are tallied correctly to the right party and exactly once

            As soon as you introduce microchips into this process it becomes opaque to most if not all of the electorate. This is not solved by introducing more complex technology.

            A unique requirement for a general election is voter privacy in order to avoid coercion. In the process outlined above this is taken care of by letting each individual be able to verify their vote is counted correctly and exactly once, without being able to prove to anyone what they have voted for.

            1. 1

              > As soon as you introduce microchips into this process it becomes opaque to most if not all of the electorate. This is not solved by introducing more complex technology.

              This is exactly what I mean when talking about societal problems. This is solvable. But this is also very hard to solve, since as of right now, maybe only 1% of the population could actually look into how it works. With education and real digital revolution, I believe that number could go up to 100%. But that is very hard to solve. It will take entirely new people. I believe that neither me, nor you will see a verifiable, fair election. But I hope our great-grandsons do.

              1. 1

                > But this is also very hard to solve, since as of right now, maybe only 1% of the population could actually look into how it works. With education and real digital revolution, I believe that number could go up to 100%.

                Then the question becomes, this microchip that you’re inspecting, is it the one used in the actual election and has it not been tampered with before, during or after the election? It’s the complete operation from casting to tallying that you have to secure and that people have to legitimately trust.

                > I believe that neither me, nor you will see a verifiable, fair election.

                Here in the Netherlands we have a decentralized process of paper ballots that are readable for humans, and a manual public tallying process. This way everybody can verify storage and counting for themselves in their polling station. I’m very happy to say that I can trust what I’ve seen in previous elections, and have faith these were fair because of the small chunk I could completely and independently verify myself, plus the fact there was no news nor rumors about significant trouble in any of the other polling stations that had the same public transparent procedure.

                1. 3

                  > I believe that neither me, nor you will see a verifiable, fair election.

                  Sorry, I meant to add a digital qualifier before the election. I do believe that some of the regular elections are fair, and some of those are verifiable.

                  > Then the question becomes, this microchip that you’re inspecting, is it the one used in the actual election and has it not been tampered with before, during or after the election?

                  You should not trust “the microchip”. You should trust the algorithm, and the ability to change on which chip it runs. Trustable hardware is very hard, so if you can find ways to not trust it, you should do that. There are of course ways to verify the hardware you are running on, even ones that should be fairly accessible for everyone, but this makes many sacrifices. I’d recommend watching this talk on this topic.