Why Electronic Voting is a BAD Idea – Computerphile

E-voting is a terrible idea

After Hurricane Sandy in 2012, election officials in some parts of America decided that they’d allow emergency e-voting from home. You’d download a ballot paper, you’d fill it out, and then you would email or fax it back to them. And yes, some people still fax. This was a terrible idea, and here’s why.

Physical voting is centuries old. In that time, pretty much every conceivable method of fraud has been tried, and has since been defended against. Because of that, attacks on physical voting don’t scale well. It takes so much effort, so many people, and it only takes one person to leak your conspiracy and the whole thing falls apart. Electronic voting, though? You can attack with one person. It can take about the same effort to change one vote as it does to change a million. And it can be done without even setting foot in the country whose elections you’re trying to rig.

There are two key parts of an election: anonymity, and trust.

First of all, anonymity. You cannot let anyone pay, bribe, or threaten in order to change someone’s vote. If you put any identifying mark on your paper ballot, if you sign it, if you write your name on it, if you do anything that could, in theory, be used to check how you voted, your vote is thrown out and ignored, just so no-one can be forced or bribed to vote a certain way. And yet, because you marked your vote, and you put it into a sealed box, and that box was only unsealed when it was surrounded by everyone with a stake in the election, you know that your vote has still been counted, even though you’ll never see it again.

That’s the other key: trust. You never, ever, ever trust any one individual. Ideally, you don’t trust any two, or three. People can be bribed, can be threatened, can be incompetent. I mean, hell, people have been all three of those things. But like I said: the more physical votes you want to change, the more people it takes and the less possible your attack gets. Everyone can see what’s happening and keep an eye on each other, particularly if they don’t trust the other side.

So let’s talk about voting machines.

Problem 1: Auditing the software and hardware

In theory, you could have open source software that everyone has checked and everyone is happy with and that’s been used for years. In theory. Never mind that you only actually do a full-scale test of this software every few years when there’s actually an election; let’s say theoretically it can be done. But how do you make sure that software is what’s actually loaded on that voting machine in front of you on the day of the election?

And I know that immediately, someone is going to want to comment about checksums or crypto. Which is great, except now you have to trust the software that’s checking that hash. Or more likely, the one person that’s checking it for you. You’ve just moved the problem. And if you’re thinking “I could verify that”, then turn your brain the other way, and think “how could I break that?” because there are trillions of dollars — that’s not an exaggeration — riding on the result of big elections, and that’s an incredible motivation. If you’re coming up with sneaky ways to get around it… believe me, so are lots of other people. It might be one angry techie, but it might be an entire political party, or the huge corporations who want one party to win, or entire nation states who want one party to win.

And all that is assuming you’re even allowed to verify the software that’s running, which you never are, because plugging unknown USB sticks into a voting machine is a bad idea. Not that that stops people plugging unknown USB sticks into a voting machine. It has literally happened. Let’s remember, these machines have to be left in a room with the voter and no-one else in order for them to cast their vote anonymously. Oh, by the way, the machines are frequently programmed by sticking a USB into each of them in turn, so if you compromise the first one, jackpot.

In practice, you don’t have open source software, you have proprietary, unaudited software which you just have to trust. This is real, by the way: around the world, there are some elections that run on this. And remember what I said? This is an election. You don’t trust.

And maybe you’re thinking, you could have an audit trail, you could have a paper backup that the machine prints out as you vote. In which case, congratulations, you’ve just invented the world’s most expensive pencil. One of the reasons Britain gives people pencils for voting, by the way, is because we’re worried that pens might be switched by any voter to contain disappearing ink. Erasing pencil ballots? Takes time, and if you can do that, you can just throw them away. Disappearing ink? It might be an urban legend, but it might actually be a plausible attack vector. This is the level of paranoia we need to work at here.

And don’t think you can get away with all this by using a pile of paper ballots and just counting them electronically, either: an electronic counting machine is still a black box that a pile of ballots goes into and a mysterious number comes out of. They’ve got exactly the same problems.

Problem 2: Votes In Transit

There are three ways of moving the magic electronic ballot numbers from the voting machines to the final count.

You could treat the machine like a regular ballot box: you seal it in a plastic bag, move the physical machine with two people in the vehicle to the count, and then unseal it there. No-one does this.

You could copy the result onto a handy USB stick and move that instead. Do I need to run through how easily… no. Okay.

Or, and this is what usually happens, you could tell the voting machine to upload the results over the internet, optionally through a third central server, and potentially not over a secure connection, and probably without any checksums or tests. [exasperated]

Problem 3: Central Count Program

And right at the end, there’s the program that takes all these numbers, all these votes, and produces a final count. Now you’ve got all the same problems you have with the individual voting machines, except now only a few people can even see that machine, and it’s been hidden away in a private warehouse somewhere for the last few years. Good luck verifying that.

And all this — all this — is before we even talk about online voting.

I could talk about all the ways in which you could hijack ballots, block an email address — because after Hurricane Sandy, the ballots were sent by email — or any of the ways you could do a man-in-the-middle attack on that. All possible. And those are just if it’s a well designed system.

There are reports of actual live elections where there were cross-site scripting attacks in the e-voting page, where they’d misspelled one party’s name, and where they’d put the wrong party’s logo next to a candidate. Sorry, did I say elections? I meant election. That was all the same election, it was in Hampshire in 2007. But never mind all that.

Depending on which security company you believe, somewhere between 5% and 50% of desktop computers are infected with something. And that’s just the scammers trying to set up botnets and minor extortions using private computers. If you want to affect a load of votes, try infecting the computers at the public library. But never mind all that.

We’ve seen what big scary countries and big scary corporations can do when they put their mind to it. Given that someone designed an immensely complicated worm that spread around the world just to break some Iranian centrifuges, imagine what someone could do if they wanted to throw an online election.

Remember, again, when you hear “just trust us”, or “just trust me”, or “it’s a computer, it doesn’t go wrong” in an election, something has already gone disastrously wrong.

Imagine all this electronic voting, only without computers. Would you be happy walking up to someone anonymous in a ballot box, or worse, calling a number on your phone, just telling them your vote — but they promise to keep it secret — and at the end of the election all those people, who have been sitting on their own, phone up one other person in private and tell their results, and then that final person — who promises to count it all up accurately — announces who’s won? Because that’s essentially what electronic voting is. It is a terrible idea, and if a government ever promises to use it, hope they don’t manage it before you get a chance to vote them out.
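As an added example that is not part of the video or this transcript: Problem 2 says results are usually uploaded without a secure connection and without any checksums. The toy below models that upload path in Python using only the standard library. A voting machine sends one precinct's tally, someone sitting on the path moves votes from one candidate to another (keeping the total unchanged, so a simple "does the sum match ballots cast?" check would not notice), and the count server is shown first accepting the altered tally as genuine (no integrity check at all) and then rejecting it (HMAC-SHA256 over canonical JSON with a key pre-shared between machine and count server). The precinct name, the tallies, the key and every function name here are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed sample: one precinct's tally as the machine would report it.
SAMPLE_PRECINCT = "precinct-042"
SAMPLE_TALLY = {"Alice": 412, "Bob": 388, "Carol": 57}


def encode_tally(precinct: str, tallies: dict) -> bytes:
    """Canonical JSON: sorted keys, no whitespace. The tag is computed over
    exactly these bytes, so both ends must serialise the same way."""
    doc = {"precinct": precinct, "tallies": tallies}
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def make_tag(key: bytes, message: bytes) -> str:
    """HMAC-SHA256 over the canonical bytes, hex-encoded for transport."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def count_server_unauthenticated(message: bytes) -> dict:
    """The path the video describes: the central count takes whatever
    arrives, with nothing to show it is what the machine actually sent."""
    return json.loads(message)


def count_server_authenticated(key: bytes, message: bytes, received_tag: str) -> dict:
    """Verify the tag before parsing anything. compare_digest is constant
    time, so a mismatch does not leak which byte of the tag was wrong."""
    if not hmac.compare_digest(make_tag(key, message), received_tag):
        raise ValueError("tally rejected: MAC does not verify")
    return json.loads(message)


def on_path_attacker(message: bytes, loser: str, winner: str, votes: int) -> bytes:
    """Someone between the machine and the count moves `votes` ballots from
    one candidate to another. The total is unchanged, so a naive sanity
    check on the sum would still pass."""
    doc = json.loads(message)
    moved = min(votes, doc["tallies"][loser])
    doc["tallies"][loser] -= moved
    doc["tallies"][winner] += moved
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def run_scenario(key: Optional[bytes] = None) -> dict:
    """Send the same tally both ways with an attacker on the wire and report
    what the count server ends up believing in each case."""
    # Hypothetical: the key was provisioned to machine and server beforehand.
    key = key or secrets.token_bytes(32)
    message = encode_tally(SAMPLE_PRECINCT, SAMPLE_TALLY)
    tag = make_tag(key, message)
    tampered = on_path_attacker(message, "Alice", "Bob", 100)

    # 1. No integrity check: the altered tally is accepted and Bob now leads.
    accepted = count_server_unauthenticated(tampered)
    tamper_accepted = accepted["tallies"]["Bob"] > accepted["tallies"]["Alice"]

    # 2. With the tag: the genuine message verifies, the altered one does not.
    genuine_ok = count_server_authenticated(key, message, tag)["tallies"] == SAMPLE_TALLY
    try:
        count_server_authenticated(key, tampered, tag)
        tamper_rejected = False
    except ValueError:
        tamper_rejected = True

    return {
        "unauthenticated_tamper_accepted": tamper_accepted,
        "authenticated_genuine_accepted": genuine_ok,
        "authenticated_tamper_rejected": tamper_rejected,
    }


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

Note what the tag does and does not buy. It tells the count server only that the bytes it received are the bytes the machine sent; it says nothing about whether the machine was honest, which is Problem 1 again: a compromised machine holds the key and produces perfectly valid tags over false numbers. A shared secret also lets the count server forge a machine's upload, so a per-machine signing key is the usual next step, and nothing here stops replay of an old genuine message. Neither of those is covered by this block.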

57 thoughts on “Why Electronic Voting is a BAD Idea – Computerphile”

  1. I don't understand how the pocket protector crowd came up with the computer and don't have the ability to make them hack free. Why can't they come up with a read only type system. Maybe I'm not saying it correctly but I'm talking about a program that only allows a person to mark a single line and not be able to be manipulated. I feel we're letting technology go faster than we can control it.

  2. But well, in Greece, there aren't really people whose job is to count. They are just called before the election to do the counting chore for effectively nothing in return. Which is totally unfair. There is only one solution I can think of: counting machines that are used by the counting people, that take the ballots, scan them one by one, and output the results in the end. No internet, no other input than ballots (e.g. no USB), no networking, no nothing. They just count ballots, quickly and efficiently. People would of course have to operate it, but I guess they would prefer using that machine instead of counting votes by hand.

  3. Thinking this way is naive. The voting box can be cheated the same way as online voting and online voting can be protected the same way as box voting.

  4. If you're using the internet to transfer money, by your behaviour you're showing that you don't actually think doing important things through the internet is so risky.

  5. So in the end, both physical and electronic voting are hard, but not impossible to break. Just in different ways. Both methods in the end rely on trusting a human. And it still feels like a computer could be made to be more secure in that it is a piece of technology and technology on its own is impartial.
    Hacking physical voting, although hard to scale, as you point out, has had numerous examples around the world of being done. I can point out Bulgaria as a strong example. There were video recordings of fake ballots being filled in by the people responsible for counting (the humans we supposedly trust). And Tom says it is better and hard to hack. It's not either of these. It's just different. Whereas in electronic voting, at least, you can track some of the history of the data processing and transfer.

  6. Just spitballing ideas, to address the "trusting the vote counter" issue. What if each electronic vote was sent to several """"trusted"""" parties, each one having some stake in the election. Each of them had to produce a final count independently. If anyone's count differed from the others', the entire election would be thrown out.

  7. you would think election security would be a bipartisan agenda item in the US … nope and no one is doing anything about it.

  8. Wait a second. Trillions of dollars are also managed by banking apps today. By comparison to their life savings, a vote is much less valuable to an individual. If all apps for voting are so insecure, why do we use them for banking? Someone explain in detail please.

  9. I know it’s just a video game, but Payday 2 touches on this.

    You play a heist mission where you steal some electronic voting machines, and rig the election, and the voters are none the wiser to the fact they’ve already voted for a pre-selected candidate.

  10. In India we use electronic voting.
    It'd affect the environment if we use ballots for a billion people. 😅

  11. Open-sourced decentralised private crypto-token voting.
    1. Voters vote with their own trusted software, with their own private keys stored on dedicated hardware
    2. All votes are recorded on the public blockchain verifiable by anyone but voting choice is private so that anonymity is preserved
    3. Voting result can be calculated by anyone who can access the blockchain

    The only problems now are trusting the hardware key manufacturer and the existing problem of being unable to verify the number of eligible voters

  12. The entire counting process must be observed by the unaided senses of all interested parties in order to maximise trust in the results. You cannot observe the processes within a computer chip with the unaided senses.

    So … if they can't rig the voting itself, they'll rig the electorate instead … hence, mass immigration. Dissolving the democratic voice of the native population with people holding different cultural values.

  13. If you have something important, simply don't use general purpose computers. I fail to see why EVMs can't be designed (on a hardware level) to only allow voting.

    Each person is assigned, say, a private key at your government agency with a piece of photo ID or whatever, then they use that key when they vote at their local voting machine booth. Make all software and hardware involved open source.

    If the key is hard to remember, simply have a little pocket device that inputs the key into the machine. Doesn't have to be USB, could be a single wire with the device running on battery, but it shouldn't matter. You probably can't hack a machine that only has hardware that counts votes.

    Anybody care to tell me how this system won't work?

  14. Electronic voting has its flaws, but pretty much all of the concerns pointed out in the video were addressed in Brazil, and they have been using it without major problems since 1996. No online voting though.

  15. Clearly elections are fixed. If it's that easy for an outside party with motivation… how easy will it then not be for an insider to do it with the same motivation… I just realised that we will never know if any election is NOT rigged. So we just have to assume they are rigged because… why would they not when it's so easy. You only have to change like 10% of the votes to turn the tables often… done with a few clicks with a mouse and a keyboard on the right PC….

  16. You are a computer scientist. And you are advocating against technology?
    Can you not make foolproof software?
    For countries whose population is far greater than the UK's, is manual paper voting not impractical?
    In countries like India, they need weeks to collect, count, and then generate the result. And they even have to mobilize thousands of troops for the protection of officials of the Election Commission.
    As an engineer I am in favor of paperless voting.
    Lastly, remember we are not living in the 19th century, this is the 21st century! Natural law is that you have to evolve or you will be extinct!

  17. So why does voting need to be anonymous? Why can’t people be proud of their vote, and be able to defend the reasons why they voted the way they did? Ensure laws are set to protect party affiliation as a protected status against discrimination and allow the voting to occur in a way that allows for post vote verification?

  18. Forget about voting in the first place. Give direct democracy to the people, by asking them to vote for each legislation and use AI to move the process along.

  19. It's easy. Electronic vote entry. Pick your candidate or issue decision and hit the finalize button. A receipt is printed with your choices that you can verify. The receipt is deposited in the ballot box. The electronic record is forwarded to the voting authority for immediate tallying. The ballot box with the collected receipts is also forwarded to the authority. The ballot box and physical votes are the official count. The electronic tally is for immediate reporting. The result of the election will not be valid and finalized until the physical receipts are counted and tallied. Boom. Wipe hands on pants. Done.
