Not convinced that in an age where I can buy a plane ticket for thousands of dollars, where we are thinking of sending people to Mars and I can securely communicate with people, in an age where Edward Snowden is able to send private documents or whatev, and I have computers on my wrist, pocket and dick, I have to go to a physical place, stand in a queue and draw on a piece of paper to cast a ballot.
I've been hearing these complaints for years now, I don't buy it. It's a problem, solve it. Start from here - everyone has a digital signature or certificate or another mumbo-math-jumbo, the system for collecting votes is open source. You have an account at the web service and you can see that your vote has been cast for that candidate that you wished, so who watches the watchers - everybody. Pick two authorities - one counts votes, the other distributes keys. One gets a summary of votes only, the other has the mapping of key-person.
Sure there are problems. But it sounds to me like laziness and lame excuses.
With all due respect, buying plane tickets and voting are quite different processes; when buying a ticket, everybody has an interest in knowing WHO you are, being able to connect your ticket with your credit card and whatnot.
When you vote, we're very interested in NOT being able to connect you with your vote - heck, in some countries it can even be dangerous if the powers that be find out what you voted. (The results being rigged to ensure they remain in power does not mean there's no interest in finding out who the opposition are!)
Also, we would like to be reasonably sure that you voted as you wished and that you were not under pressure to vote one way or the other; this, too, is much easier to keep under control if you have to go to a dedicated location to vote, rather than just clicking a few buttons on a computer in your home.
And, obviously, we'd like to be reasonably certain that the votes have not been tampered with after they were cast; one of the major benefits of paper ballots is that they do require quite some effort to manipulate after the fact - ballot stuffing is a lot easier if all you have to do is add entries to a database.
My preferred voting mechanism would be a hybrid - you go to a designated voting station, where you find a machine in the booth. The machine lets you choose whatever list or candidate you wish to support, then after you've confirmed your selection, it adds your vote to a tally AND prints a paper receipt, which is then deposited in a ballot box. This receipt shows your choice in plain text.
Now, you have the best of both worlds - the machines can give a (preliminary) result the second the ballot stations close; if anyone wants to contest the vote, there's no need to resort to computer forensics to decide whether the data may have been tampered with - simply count the ballots like we've done for the past few hundred years.
Wow. The bitter part is that I googled and found that I first suggested something like this in 2007, three years after Schneier. (It would have felt great to claim that 'Bruce Schneier later formed a similar opinion.')
Heck, it is even possible that I merely parroted Schneier's idea; I do read him on occasion, but not as often as I should!
Give me a way to permit online voting but also be sure that the person who is voting was not coerced. I think you'll find that this is impossible.
At least with a polling booth, even if the voter is being coerced, it is difficult for the coercer to verify which way the voter voted. One might come up with ways to surveil the booth (whether in general or through the coerced voter), but at least we have a chance at detecting this.
It's not difficult at all to verify - just insist that the person being coerced take a selfie with the ballot. I'm told this has already been implemented by communist terrorists in India, though I can't find any English language sources.
I think a big chunk of the opposition to electronic voting by techies is simply a failure to recognize that physical systems can also be hacked. Which is of course silly - the only time I voted, I did so fraudulently.
(The lack of voter ID laws in NJ made it very easy. To prove a point to a friend that voter ID laws allowed fraud, I voted as my friend. Then he voted as me. I won the bet.)
We've got a simple way to defeat this particular attack in Norway - the ballots are in the booth. You can take a dozen if you like.
Electoral workers inspect the booth regularly to make sure all parties' ballots are available.
If you cannot find a particular party's ballot, you are encouraged to take the remainder of another couple of ballots (so that you won't have to walk over to staff, asking them to provide more ballots for party X), leave the booth, bin the ballots and ask staff to refill the booth with all valid ballots.
Once you leave the booth (which is right in front of the electoral clerks), you head over to the desk with the voter register, your identity is confirmed against the register and then your (folded) ballot is stamped, immediately after which you put it in the ballot box. Only ballots with a stamp on them are counted, eliminating the risk that someone would (quite literally) go ballot stuffing by folding several ballots and trying to get them put in the ballot box; only the stamped one counts, anyway.
Did you not read my post? "One might come up with ways to surveil the booth (whether in general or through the coerced voter), but at least we have a chance at detecting this."
We have a chance at detecting purely electronic hackers also. For example, hackers made 574 attempts to connect to one of my servers as root since the logfiles were rotated.
This idea that physical is somehow categorically better than electronic is just magical thinking.
Let's say I'm an abusive husband. If my wife has the choice of voting online, I can force her to choose online voting, make her vote at home and in front of me, and nobody has any way of detecting my coercion. If my wife has no choice but to go to a polling booth, election observers absolutely do have a chance of detecting my coercion.
> This idea that physical is somehow categorically better than electronic is just magical thinking.
No, it's a demonstrable fact. You have created an "electronic hacker" strawman here. The problem I am raising is that of coercion, not a man in the middle. You have not been able to provide any means of mitigating it when not using a physical polling booth.
Problems such as "electronic hackers" are only problems on top of the problem of vote coercion, which is clearly made much worse with any ballot system that does not use physical polling booths.
You won't go very far by tampering with a single vote. Try coercing 10 thousand people, and see how easily you are tracked.
The benefit of online votes is that coercion and data stealing are the only flaws we must take care of. Instead of this huge structure trying to cover for all the flaws of paper, we can focus on those two well specified ones.
Again, let me point out communist terrorists have already hacked this. Selfie in the voting booth. "Chance of detection" is just an assumption that some magic occurs because things are physical.
Your hack also works for absentee voting, which we already have. Do you propose eliminating that as well?
The good thing about physical is that it demands much more effort to tamper with results.
Also, the mechanisms we put in place to prevent tampering are easily understood by just about anyone, not just people with CS degrees - which lends credibility to the process, which I find to be a benefit.
This is already accounted for in many voting systems. You can either get a new ballot after you take the picture as "proof", or as a last resort you can spoil your ballot.
Online voting is a complex problem, and goes counter to all other online systems we have. No other system guarantees strong anonymity, strong verification and strong access control at the same time.
Why exactly is it a problem? Why not just vote by red-pencil?
Obviously there is a small drawback of it taking a bit more time.
Then again, one important feature of a voting booth is that you cannot prove your own vote. This is important because it prevents selling votes or blackmail, and seems impossible with any online voting system.
If you do not have the time to go to a physical place and stand in line, then you are lazy. If you are lazy in the first place, then I doubt that you have real political interest in the second place, which means you will make uninformed decisions anyhow.
Political decision making needs some burden. You need to take your time. It's not a decision of whether you want a Burrito or a Pizza for tonight.
Is the hardware open-sourced, too? It should be; there are known back-doors in much hardware nowadays (not talking about the unknown).
Plane tickets, electronic banking, etc. - they have immediate feedback that corrects mistakes (or worse, attacks); elections should not have such feedback, because one should not be able to prove how they voted afterwards (because of buying votes or coercion to vote in family, workplace, church, etc.).
How do you "see" that you have voted for your choice? Because your monitor tells you so?
Maybe you should start with your queuing problem (I have never waited in one to vote and do not even personally know anyone who has).
"How do you "see" that you have voted for your choice? Because you monitor tells you so?"
Blockchain-like technology can do that for you.
(Not everybody will have enough determination to actually do the checking, but some people will, and they'll alert the general populace if something goes weird.)
I kind of agree. Some of the technical issues do seem like good points to think about, but a lot of the issues raised here (e.g., coercion and the lack of anonymity) would also be applicable to ballot by mail / absentee ballots. Many nations have had ballot by mail for a while. Although there have been some fraud issues, I'm not aware of extensive fraud / anonymity problems. Certainly not to the point where the phrase "danger to democracy" is applicable.
Actually I would think electronic voting could be made more secure and less fraud-prone than ballot by mail, to be honest.
At best, we have achieved this with major caveats such as:
a) Only if your device is not compromised
b) You trust a CA to verify the identity of the remote host
c) You trust whatever cert/key you see the first time for a given entity
Even in your proposed solution you have replaced one hard problem (voting) with another (key distribution & mgmt) and completely ignored people's desire for elections to have certain other properties (anonymous, uncoerced).
Any solution that begins with "Everyone has..." is going to raise the question of cost. What's that rule that some systems which attempt to achieve 100% coverage will approach infinite cost?
Travelers pay a high price for the complex air travel reservation system we have now. Poor people don't fly on airplanes, but poor people will have to vote.