34

This is on a somewhat layman's level. I'm not a security guru.

Looking at this in very, very broad and general terms:

Election fraud is definitely a serious issue that needs to be guarded against pretty heavily, ideally by many third-party officials and monitors. If you have random people working at the polling stations, some may be tempted to throw away ballots or to fill out extras. You have a lot of random people, each being a potential, partisan security risk.

Therefore to reduce the risk, as well as to speed up counting, a given jurisdiction makes everything completely digitized (no paper ballots), and they fully automate the vote counting.

Just looking at this vaguely, some issues I see are:

  1. Genuine bugs in the software. Not all issues are malevolent.
  2. The organization that produced the software was indeed malevolent.
  3. Even if they weren't malevolent, completely outside hackers can still try to get in and interfere.
  4. Hackers from within the jurisdiction's staff and officials can also try to get in and interfere. Or even if they don't hack in the most literal terms, they can still find other ways to revise the final results after they've been produced, but before they've been presented to another party or the general public.
  5. The whole entire system works as an opaque, black box. This means trying to monitor the ballot collection, as well as the counting itself, has the same issues as trying to debug a software defect in a black box, third-party item. Logging information helps, but it is not the same as having a clear/white box.

Even if the software were developed by the jurisdiction itself internally, it's still just a small subset of that jurisdiction (which can still be corrupt) that would be immediately familiar with the code and how to analyze it for potential issues. The corruption issues and black box issue are still somewhat at play.

On the other hand, imagine another jurisdiction chooses to avoid computers entirely for the purposes of collecting ballots and counting the votes. This other jurisdiction still uses computers for things like verifying someone hasn't already voted or sending internal communications between staff, for obvious reasons. However, the ballots are all paper ballots, they are all collected manually by hand, and the votes are counted - and aggregated together - by hand.

That means there is no hacking, and it also means that we are now dealing with something at least somewhat closer to a clear/white box. If you have corrupt individuals collecting the ballots and counting them by hand, you can also have security and monitors, both from within the jurisdiction and from third parties, watching them. And if they miss something in real time, video cameras can sometimes provide footage of an incident. And if both of those fail, you still have A set of physical ballots, envelopes, and anything else. It may not be The set that is genuine (ballots missing or added corruptly - or by innocent mistake), but having A set, heavily derived from the genuine set of votes cast, is often better than having none at all.

Altogether it is potentially much easier to monitor.

Now that said, the first jurisdiction may still very well be much more secure in its election process than the second, but this would depend on things like the resources invested in security, and more importantly, how well they each manage things.

However, is the first jurisdiction inherently running an extra risk by relying on computers to collect the votes and/or to tally the votes? Is the first jurisdiction, compared with the second, doing the equivalent of using HTTP instead of HTTPS, writing data access code that blatantly omits SQL parameters, or leaving the car defrosting and unlocked for 10 minutes while they're getting ready in the morning?

UPDATE: A lot of good answers here. I think there were at least a couple that more or less tied for 1st place, so I would've liked to accept at least a couple of different ones.

Panzercrisis
  • https://xkcd.com/2030/ – Mike Scott Nov 06 '20 at 18:15
  • On that point, I remember moving from the US to Japan a couple of years ago, and that part of it certainly felt different. In the US I could and did change entire states and sides of the country basically over a weekend, on multiple occasions, with little or sometimes even zero requirement to report it. But in Japan, I immediately had to get registered at a city office, be signed up for national health insurance, undergo a separate, second registration at a national office afterwards, pay income taxes (residence taxes, IIRC) to even the municipal level, etc. ... – Panzercrisis Nov 09 '20 at 17:16
  • Comments are not for extended discussion; this conversation has been [moved to chat](https://chat.stackexchange.com/rooms/116093/discussion-on-question-by-panzercrisis-is-automated-and-digitized-ballot-process). – Rory Alsop Nov 11 '20 at 11:10

10 Answers

61

Great answers already about supply-chain attacks, complexity, transparency. I'll give an answer in a different direction: accountability and auditability (basically: how easy is it to do a from-the-ground-up recount?).

With a paper-based system, in the case of disputes, as long as boxes aren't physically lost or destroyed you can always go back to the paper source-of-truth and do a recount. For example, if the voting machines physically screwed up, you can go to the supreme court to get a ruling on whether "hanging or dimpled chads" count, and then go back to the paper and do a recount.

With a computerized system, if something goes wrong and the votes are recorded incorrectly in the database (either by accident or malevolently), there is a much greater risk that that data is just lost and it's impossible to reconstruct voters' original intent compared to a paper system.


TL;DR given the amount of value we place on free and fair elections, and the amount of effort we assume attackers might be going to to try and subvert them, our tolerance for risk here is very low. Paper has fewer things to go wrong, and is easier to go back to the source-of-truth and do a recount.

Mike Ounsworth
  • Bingo. The toolchain necessary to audit paper records is minimal (comes standard equipment on your auditor), and that necessary to audit electronic-only records is... a challenge for state-level actors to manage. – chrylis -cautiouslyoptimistic- Nov 07 '20 at 04:59
  • This. Apart from accountability, there is frequently (not sure about the US) a very small number of people who have access to and understanding of the digital voting system. This means a much smaller number of people need to be subverted in order to alter results without anyone knowing. – Gnudiff Nov 08 '20 at 09:31
  • This. As a thought exercise I tried to imagine how a secure voting machine should work, and in the end the auditability requirement led me to a glorified printer: make your choice, a ballot is printed, double-check it (it's behind a glass), okay it, the ballot is dropped in a transparent box (folded or wrapped). The machine is useful: it automates identification, real-time checks that the voter is registered and hasn't already voted, real-time tallies the votes, ensures pristine ballots, etc... but in the end transparency and auditability requires a physical (paper) trail. – Matthieu M. Nov 09 '20 at 15:04
  • Why can paper records not be removed/replaced just as electronic records can? – yitzih Nov 09 '20 at 19:28
  • @yitzih I imagine that physical ballot boxes are watched carefully enough that you'd have a hard time bringing fake ballots into the building, or removing legitimate ballots from the building. Speaking for Canada which I'm most familiar with, I believe ballot boxes are sealed with tamper-proof tape and are never left unattended. This sorta goes with the first comment: you only need regular human eyeballs and some common sense to notice someone tampering with paper records, but detecting electronic tampering needs tools and knowledge that most election volunteers don't have. – Mike Ounsworth Nov 09 '20 at 19:38
15

Most answers seem to focus on why automatic systems aren't used or aren't considered a good idea. I'll try to address the core question of what makes them inherently less/more secure. The central trade-off here is: Breach Risk vs. Breach Impact

Breach Risk: Here software systems win if we look at them in isolation. Take a random person: software systems are arguably harder to overcome than paper voting. I.e. everyone knows how to fake a paper vote: just stuff a few more ballots in the box (and take out some others if you're a tad smarter). To overcome a software system you (should*) need at least some basic specialist knowledge. So the initial hurdle is typically higher with a software system. There are a few ways to get around that if the whole voting process is ill-designed, e.g. if it is easy to have people vote against their intent by "helping" them. Note that this only considers the "local" breach risk, i.e. given a random person, can they overcome the system. Using software system processes can however widen the target surface, i.e., an attack (or preparations) can happen more easily from another country (yet still by specialists), meaning it does not necessarily require residents of the attacked country to be involved (or at least fewer). So the overall risk assessment is less clear and depends on what attack scenarios you consider more likely.

Breach Impact: However, on the other end of the spectrum, a breach can be much more severe, because

  1. It is harder to detect (it also needs experts to detect a breach, whereas many manual breaches can be detected with both eyes open, e.g. watching the ballot box with 4 eyes catching those nasty hands exchanging votes).
  2. Therefore it is also harder to convince the public of a) the presence of a breach or b) the absence of a breach
  3. Once a breach is found, it's possible to have a far wider effect: If the same software counts half the votes of a country, a single breach can change the outcome of every single voting district (and if the breach is somehow online executable with a very small number of people involved). Thus both the risk to get detected stays low as there is a very limited amount of interaction needed and the impact can be huge.

And especially because it potentially requires only a small group of highly trained / well paid experts this seems so anti-democratic and thus so unsuited to handle voting, because it would play into the hands of any "bad elite" or an existing authoritarian government to manipulate votes without anyone ever finding out.

A high breach impact for individual breaches also means those are very valuable and thus everyone in the line that has some level of access is also a valuable target and you only need to successfully bribe a small set of people rather than multiple ones.

Also note that the overall risk (either breach risk or impact) increases with the benefits we want to have: We typically prefer automatic voting because it's supposed to be faster/more convenient to vote and to get the votes counted. But nearly all measures to make it more fast and convenient typically increase the breach risk or the breach impact. Voting from your personal computer/mobile? Much less secured environment and a common trojan can manipulate your vote (not to speak of the whole verification process, just wait until 10 seconds before vote ending and then submit votes for all the people who haven't voted yet). Automatic counting without proper(!) paper trail (or without looking at it every time): high impact risk.

*should, because the system and process around it can always be totally crappy and have the weaknesses of both worlds; example: use paper to collect the votes, stuff them into a ballot box, then the next day upload them into a cloud based system with the admin interface to check the count and the debug feature to change individual votes online on www.voting.com, and after the upload directly auto-burn the paper ;)

Frank Hopkins
  • Like this answer, but I think you should expand on the breach impact of paper systems - it is not impossible to do a small-scale fraud (e.g. be able to alter a few ballots at a single place), but any operation to meaningfully affect larger results needs to involve a LOT of people, making it hard. Indeed, at least in my country, small-scale irregularities in voting, presumably mostly due to human error without bad intent are quite common. A typical example would be a voting commission misreading the rules about invalid ballots and tossing away one or two ballots inappropriately. – Martin Modrák Nov 09 '20 at 10:21
  • The impact can be controlled to an extent if computer voting only involves computers at polling stations (including tallying the votes). A closed network with one-way data traffic from stations to district center. True, that would also take away some of the benefits like voting from the comfort of your home. – Jyrki Lahtonen Nov 09 '20 at 11:33
  • I think that software systems lose on "breach risk". While only a small fraction of the population can perform a breach, that fraction is large enough that bad actors have access to them. Think Russian hackers. It's made worse because people can breach software while not physically present. I think software systems are at much greater risk of breach attempts because the risk to the hacker is so low. You can attack a US voting machine while sitting in an office in Russia. (You can attack vote counters even if they don't have internet access. Attack the people who make the voting software) – UEFI Nov 09 '20 at 16:05
13

The point here is trust and control.

If you can trust the digitized voting system, the risk of fraud and errors is much weaker than in a manual procedure. But... if you can trust...

In a manual procedure, the risk of fraud is mitigated by having observers representing the candidates. It is of course far from perfect, but it could be used for centuries without major problems - here I assume that the party organizing the vote is fair enough to accept observers trusted by all the candidates. That means that it is not perfect but it can be controlled by all interested parties.

In a digitized procedure, only experts could control anything, and a bug or a flaw allowing attackers to take control could lead to a true disaster with little to no way for candidates or their representatives to mitigate the risk.

What follows is only my opinion.

Nevertheless, I think that we are on the way to digitized elections, because of the cost of the manual procedure in human being time, and because younger people are more inclined to trust automatic systems than older ones which always tried to have a manual emergency solution.

Serge Ballesta
  • "just stuff a few more ballots in the box (and take out some others if you're a tad smarter)" except that paper ballots are all security-printed, individually-numbered, and those in the box at end of poll + those remaining in the unissued book + spoilt papers must = those issued to the polling station at the start of the poll, all checked and signed for by the polling officer for that station. And you can't take papers out of the box as they're sealed with individually numbered seals at the start of the poll (witnessed by candidates' agents and any police present) - at least in the UK. – Owain Nov 08 '20 at 20:34
  • @Owain That quote appears on [a different answer](https://security.stackexchange.com/a/240547/149397). Did you mean to comment there instead? – NotThatGuy Nov 09 '20 at 11:02
  • Sorry, yes, I obviously did – Owain Nov 10 '20 at 15:08
7

Whether it is digitally automated or manually operated by hand, a supply chain attack works in both cases regardless of the voting method used. Therefore, some level of trust has to be established with the election commission, else nothing can be verified. Both EVM and ballot box open up to different attack vectors, and most of the time it's an insider threat that is in the position of tampering with votes.

The problem with EVM is that there is no way to know whether it is already compromised by the manufacturer. So the commissioning body has to verify assembly of every EVM in the supply chain. But then the trust has to be put on engineers verifying the hardware and firmware. Security by promise is not a secure design.

With ballot box, trust has to be put on the verifying authorities, which can be as corrupted as the EVM manufacturer, but their counting can be verified and monitored by the observing authorities, which gives some level of assurance of fairness.

The higher the number of delegate authorities involved, the harder it will become to monitor everything, and this is where supply chain attack becomes stronger. It comes down to who can be trusted in the process, as security by design requires some level of trust at the bottom.

defalt
  • "With ballot box, trust has to be put on the verifying authorities which can be as corrupted as the EVM manufacturer but their counting can be verified and monitored by the observing authorities which gives some level of assurity of fairness." If the count is public, you do not *have to* trust anyone. You could go there, watch them count, make your own list and compare it to the publicly announced results. You can *decide* not to observe and *put* your trust into the counting body, but you. – Polygnome Nov 08 '20 at 10:24
  • @Polygnome while I agree with your point in principle, one issue remains (not sure if the answer meant that): you can never individually check all polling stations etc. So at the least you need to trust your co-checkers unless with public you mean a public registry with the names etc, but then this would not be normal paper voting currently in place in most places^^. – Frank Hopkins Nov 10 '20 at 10:01
  • @FrankHopkins Every single voter can verify one voting station. Which means the public *as a whole* can independently verify *all* results. Of course this implies co-operation, which is to be expected at that scale... – Polygnome Nov 10 '20 at 10:28
7

tl;dr Voting requires a mix of privacy and publicity. Simple solutions fail to provide both, while robust solutions would likely confuse voters.


I'd split possible electronic voting systems into three categories based on their privacy model:

  1. Simple privacy.
    Voters vote privately. A central system adds up the votes and reports sums, but individuals' votes aren't (usually) exposed.

  2. Public voting.
    Voters vote publicly. Everyone can see how everyone else voted in an online database.

  3. Crypto-based privacy.
    Many different possibilities in this space, but the overall gist is that voters aren't fully exposed while we leverage crypto-based tricks to selectively expose things we want exposed, e.g. evidence that can be used to verify nothing was tampered with.

Reasons these aren't adopted:

  1. Simple privacy relies on an honest, centralized infrastructure. A malicious actor might be able to corrupt it; even when results are legitimate, folks may not trust them.

  2. Public voting might cause people to feel like they can't vote freely. For example, people might be afraid that their boss would look up how they voted and then treat them differently for it.

  3. Crypto-based privacy with open-source, auditable designs could be great if everyone understood how it worked and was able to fact-check assessments of the system themselves, but suffers from many of the public-trust problems of a simple private system if most of the population doesn't understand it.

A future, more technologically literate population would probably favor a crypto-based solution, but that might be a bit off yet. And the public/simple-private solutions have serious drawbacks.

Nat
  • "Public voting might cause people to feel like they can't vote freely. For example, people might be afraid that their boss would look up how they voted and then treat them differently for it." It's also way too easy to buy votes or bully people into voting a certain way, since you can 100% verify if what you did worked. It's a recipe for rampant fraud. – Polygnome Nov 08 '20 at 10:14
4

Digital ballot processing is inherently worse because of the complexity and lack of transparency compared to the good old paper and pencil approach. If paper is replaced with a fully digital system, a voter can't understand what happens to the vote afterwards and how it's secured from loss or tampering.

However, I've been thinking of a system that would have the best of both worlds. If the vote is given digitally and printed out on paper, anyone can double check that the paper has the correct contents, but it also enables automated vote counting using optical recognition, making it a lot faster. Furthermore, it would enable recounting the votes manually in case of doubts, and also remove rejection of votes due to ambiguous handwriting.

Esa Jokinen
  • EVM that prints [voter's receipt](https://en.wikipedia.org/wiki/Voter-verified_paper_audit_trail) is already used. – defalt Nov 06 '20 at 19:39
  • @defalt: Thanks for giving a name for the idea. I'm glad it has already been tested in practice! – Esa Jokinen Nov 06 '20 at 19:44
  • An EVM that also prints out paper is just a really expensive printer. – ave Nov 07 '20 at 16:25
  • @Ave It keeps track of the vote totals digitally, but _also_ prints a paper receipt so that 1) the voter can see that their ballot was recorded accurately and 2) a recount can be conducted based on the paper records (either manually or with optical scanners that are independent of the EVM) to verify the digital results if an error is suspected. – reirab Nov 07 '20 at 21:13
  • "that 1) the voter can see that their ballot was recorded accurately" The receipt does not say *anything* about what vote was actually recorded. If the machine is manipulated, it can easily print the correct receipt and record the wrong vote nonetheless. "2) a recount can be conducted based on the paper records". Only if the paper records are sealed away in an urn after being cast, at which point you are back to having a paper election, just with an automated first projection. Because everyone worth their salt would file appeals and have the actual paper votes be counted. – Polygnome Nov 08 '20 at 13:27
  • "The receipt does not say anything about what vote was actually recorded." That problem was solved years ago: the voter can take the receipt and check out how it would be counted. That test invalidates the vote, but the voter can then cast a new vote, and repeat the process until the voter is sure that the vote will be counted correctly. – Hans Ekbrand Nov 08 '20 at 14:22
  • @HansEkbrand that doesn't sound like a solution at all. If you compromised the system, on a check simply show the 'correct' vote and otherwise count the wrong one. That's the core issue: there is no guaranteed natural line from paper slip to the final count that can be followed through by an observer. This only "works" if you trust the software system, but there is no natural way for a layman to see the connection (not even for most software developers). – Frank Hopkins Nov 08 '20 at 18:01
  • The mechanism for checking is the same mechanism as when the ballots are counted; the machine doesn't know if the data is used in counting or checking. See Ron Rivest's YouTube video on the Numberphile channel if you don't understand the concept. – Hans Ekbrand Nov 08 '20 at 21:22
  • If the machine flips a block of 10 votes every 1000 votes (enough to cause a 1% swing) would you notice? – UEFI Nov 09 '20 at 16:21
3

Other jurisdictions have different systems and here in England it would be all-but impossible to interfere with the counting of paper ballots, because it's so simple.

Tellers are invited from various sources: bank clerks because they're trustworthy and have experience counting valuable paper; police because they're trustworthy and duty-bound to fight fraud; journalists because they have a clear interest in exposing anything suspicious; various other groups for equally valid reasons.

Administrators and interested political parties have swarms of people watching every stage… literally peering over everyone's shoulder, or into everyone's face.

It would be possible to dispose of a few papers… but "few" would be the operative term.

Hacking an electronic system might easily be 100 times harder and wouldn't the potential rewards come 1,000-fold?

3

A very important aspect of the elections (and the democracy as a whole) is that the general public (or electorate) should be able to understand the whole process.

You don't need them to actually understand it; most of them don't bother if the whole thing looks transparent and understandable. Everyone can volunteer as an election observer or a polling booth clerk, and everyone knows someone who actually did and shared some experience.

That's how people see the connection between them voting and the officials ruling afterwards.

That's where the computers fail first. The confidence.

Computers are complex themselves (as if democracy itself was a simple thing). Computers need trained people to work with them. They sometimes fail spectacularly. And when they fail, one needs even more qualified people to fix the mess in a manner that few people understand. And then again, the computers sometimes fail silently.

On the other hand, ballots, boxes and bags are simple and reliable. Virtually everyone can read and count. A few people count them, agree on the numbers, sign the protocol, report the results and secure the bags. If something fails, a few other random people can check the results.

fraxinus
2

IMO there are two separate issues here: voting, and counting votes.

For the actual voting, there's a few things that are vitally important.

  1. The voter needs to express their intent, and have a high degree of certainty that intent was conveyed.
  2. That voter intent should be clearly able to be read manually (if necessary), by another human being without other layers getting in the way.

To me this means that the vote recording system should be pen and paper, or something just as simple. Any software layer that gets in between the voter, and voting record can (and will) be buggy. Software, no matter how well examined, adds complexity. Complexity is the last thing you want in an election.

The COUNTING system, however, is entirely separate. Technology to count votes from paper is decades old. Anyone that's been through a school system in the past 40 years has used scantron, and there are several systems that use a similar optical technology to count votes.

The counting system doesn't have to be 100% accurate and 100% bug-free; it only has to be accurate enough to account for the majority of elections.... say an error rate of 1/1,000 votes? If the election is closer than the machine count can provide, you can always examine the ballots individually, have both sides examine each and every ballot for challenges, and then have the court system rule on any of these challenges.

This is exactly what happened in my state of MN in 2008 in a US Senate race. Out of 2.4 million votes cast, the election was decided by 312 votes. There were several court battles that went to the MN supreme court. The courts ruled unanimously, and eventually a winner was declared.

The reason you could even do this was that everything the voter expressed was on the ballot and not interpreted first by machine, but able to be fully interpreted by a human. The system isn't perfect, and "voter intent" isn't always perfectly clear, but it was a lot better than using a software intermediary that creates the mark. Some ballots were thrown out for various legal reasons, but in the end, humans decided, not machines. If we had a system where a software layer sat between the voter and the vote, we might still be fighting court battles 12 years later.

Steve Sether
  • The problem with electronic scanning of paper votes is that counting them -- essentially placing them in one pile or another -- is faster. Australia counts by hand its votes for the House of Representatives in one short evening, when most outcomes are known, and one day. – vk5tu Nov 10 '20 at 00:48
  • @vk5tu In MN, we have results within hours. The ballot is put directly in the machine, which counts the votes, and validates that there's no over-vote. You can't get much faster than that. It also offers the advantage of not having to rely on one person to count them, who could cheat. The problem in the US is largely each state decides how to conduct an election, and chooses the system. – Steve Sether Nov 10 '20 at 01:13
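As an added illustration (not code from the question or any of the answers) of the auditability point in Mike Ounsworth's answer and the "examine the ballots individually" escalation in Steve Sether's answer, here is a ballot-polling risk-limiting audit in Python following the BRAVO method of Lindeman, Stark and Yates: auditors hand-read a random sample of the paper ballots and accept the machine count only when the sample supports the reported winner, otherwise the paper is counted in full. The candidate names, ballot counts and the 5% risk limit are constructed for the example.

```python
import random
from collections import Counter

# Constructed for this example: stop sampling once a wrong reported outcome
# would have at most a 5% chance of being confirmed.
RISK_LIMIT = 0.05


def make_paper_ballots(counts, seed=1):
    """Build a constructed stack of paper ballots from per-candidate counts,
    e.g. {"A": 5800, "B": 4200}, shuffled so the stack has no useful order."""
    ballots = [cand for cand, n in counts.items() for _ in range(n)]
    random.Random(seed).shuffle(ballots)
    return ballots


def bravo_audit(paper_ballots, reported_totals, winner, loser,
                risk_limit=RISK_LIMIT, seed=0):
    """Ballot-polling audit (BRAVO, Lindeman/Stark/Yates) of a two-candidate contest.

    Auditors draw paper ballots at random and read them by hand. The running
    statistic is a likelihood ratio of "the reported winner really won" against
    "the contest is actually tied": each ballot for the reported winner multiplies
    it by 2*s_w and each ballot for the loser by 2*(1-s_w), where s_w is the
    reported winner share. Returns ("confirmed", n) once the ratio reaches
    1/risk_limit, or ("full_hand_count", n) if every ballot was drawn first.
    """
    total = reported_totals[winner] + reported_totals[loser]
    s_w = reported_totals[winner] / total
    if s_w <= 0.5:
        raise ValueError("reported winner must hold a majority over the loser")
    threshold = 1.0 / risk_limit
    order = list(range(len(paper_ballots)))
    random.Random(seed).shuffle(order)  # the public random draw of ballot ids
    ratio = 1.0
    examined = 0
    for idx in order:
        examined += 1
        mark = paper_ballots[idx]
        if mark == winner:
            ratio *= 2 * s_w
        elif mark == loser:
            ratio *= 2 * (1 - s_w)
        # a blank or invalid ballot is still examined but carries no evidence
        if ratio >= threshold:
            return "confirmed", examined
    return "full_hand_count", examined


def hand_count(paper_ballots):
    """The ground-up recount that a paper trail makes possible."""
    return Counter(paper_ballots)


def audit_then_decide(paper_ballots, reported_totals, winner, loser):
    """Escalate as the answers describe: trust the machine count only after a
    hand-examined sample supports it, otherwise count every paper ballot.
    Returns (method, declared_winner, ballots_examined)."""
    outcome, examined = bravo_audit(paper_ballots, reported_totals, winner, loser)
    if outcome == "confirmed":
        return "sample_audit", winner, examined
    tally = hand_count(paper_ballots)
    return "full_hand_count", max(tally, key=tally.get), len(paper_ballots)


if __name__ == "__main__":
    reported = {"A": 5800, "B": 4200}  # what the scanners announced (constructed)
    # Case 1: the paper agrees with the machines; a few hundred ballots settle it.
    honest_paper = make_paper_ballots({"A": 5800, "B": 4200})
    print(audit_then_decide(honest_paper, reported, "A", "B"))
    # Case 2: the machines flipped the result; the sample never supports "A",
    # so the escalation falls back to a full hand count, which declares "B".
    flipped_paper = make_paper_ballots({"A": 3500, "B": 6500})
    print(audit_then_decide(flipped_paper, reported, "A", "B"))
```

The sample size the audit needs grows as the reported margin shrinks, which is the same intuition as the "error rate of 1/1,000" point above: the closer the race, the more of the paper has to be read by hand.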
1

People keep an election secure

With a paper based system everyone can understand how it works. Everyone can spot stuffed ballot boxes or differences between polling station counts and published counts. You have lots of competent observers watching the election.

As soon as you introduce computers you've got a black box that people don't understand. Your average election official or observer does not understand the attack vectors against an electronic vote counter. This means that people have to trust a bunch of nerds to keep the election secure. Most counting centres don't have anyone who really understands the risks with electronic vote counting.

When only a minority understand how the count works it's much easier for a bad actor to rig the election.

UEFI