HACKER Q&A
📣 strcspn

What is your opinion on electronic voting?


Here in Brazil there is somewhat of a debate if electronic voting (for presidency, senate, everything) is a good thing. We have been using it since 1996 here, and most people are fine with it. There is no evidence of fraud since then, but I don't know how easy it would be to know for sure. I've seen some opposition to it, like Tom Scott's videos[1][2], but I also remember seeing knowledgeable people being in favor of it (though I can't remember where). I have a programming background, so personally I lean against it, but I don't know enough about security at this level to have a meaningful opinion. I would like to know what everyone here thinks, especially those with a career in cyber-security.

P.S.: I'm not talking about online voting here, which is a whole other can of worms. I'm only referring to electronic machines used to vote, without any internet connection.

[1] https://www.youtube.com/watch?v=w3_0x6oaDmI

[2] https://www.youtube.com/watch?v=LkH2r-sNjQs


  👤 cjalmeida Accepted Answer ✓
No electronic system is deemed impossible to hack. That said, the system we have in Brazil relies on way more than just technical measures to ensure the security.

There are statistical controls, processes are transparent and follow standards. Party officials and technicians are involved in all steps.

But back to tech, since this is HN, parties can ask for the actual source code, tool chain (regular GCC) and binaries used; and verify the compilation themselves against published hashes. The individual machines do the tally and print public results at the end of the day before any kind of central connection. All the central office does is sum those results.

Thus any successful attack must happen at machine level, prior to Election Day. There are hundreds of thousands of machines from many different HW generations being used in a given election; all of them air-gapped.

Loading rogue software without cooperation requires tampering undetected with trusted execution modules that validate binaries twice, before and after election to avoid scrutiny.

If you assume cooperation, you have to assume the collusion of way too many civil servants, from high court judges that oversee the processes appointed by parties of different colors, to low level tech folks who operate and validate much of the process.

All in all, pulling an undetected fraud here would be a massive, Hollywood-level hacking feat. And in almost 30y no major election came close to being suspected of fraud.
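
The two checks this answer describes (rebuilding the binaries and comparing them with published hashes, and re-summing the per-machine results) can be sketched as follows. This is an added example, not part of the answer above and not code from the Brazilian system; the file names, machine IDs, candidates and numbers are all constructed.

```python
import hashlib
from collections import Counter

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_build(rebuilt: dict, published: dict) -> list:
    """Names whose rebuilt SHA-256 is absent from or differs from the published manifest."""
    names = set(rebuilt) | set(published)
    return sorted(n for n in names
                  if n not in rebuilt or published.get(n) != sha256_hex(rebuilt[n]))

def audit_tallies(printed: dict, central: dict, announced: dict) -> list:
    """Compare bulletins printed at each machine with what the central office
    published per machine, then re-sum the central figures independently."""
    findings = []
    for mid in sorted(set(printed) | set(central)):
        if mid not in central:
            findings.append((mid, "printed bulletin missing from central data"))
        elif mid not in printed:
            findings.append((mid, "no printed bulletin collected"))
        elif printed[mid] != central[mid]:
            findings.append((mid, "central figures differ from printed bulletin"))
    total = Counter()
    for tally in central.values():
        total.update(tally)
    if dict(total) != announced:
        findings.append(("TOTAL", "announced result is not the sum of machine results"))
    return findings

# Constructed sample data (not real election data).
PUBLISHED = {"app.bin": sha256_hex(b"app build v1"),
             "loader.bin": sha256_hex(b"loader build v1")}
REBUILT = {"app.bin": b"app build v1", "loader.bin": b"loader build v1 (modified)"}
PRINTED = {"M001": {"A": 120, "B": 95}, "M002": {"A": 80, "B": 110},
           "M003": {"A": 60, "B": 61}}
# Central data is internally consistent, yet M002 was altered and M003 dropped.
CENTRAL = {"M001": {"A": 120, "B": 95}, "M002": {"A": 90, "B": 100}}
ANNOUNCED = {"A": 210, "B": 195}

if __name__ == "__main__":
    print(verify_build(REBUILT, PUBLISHED))
    for finding in audit_tallies(PRINTED, CENTRAL, ANNOUNCED):
        print(finding)
```

In the sample, the announced total equals the sum of the central per-machine figures, so only the comparison against the bulletins printed at the machines exposes the altered and missing results.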


👤 Schroedingersat
Involving a bunch of people is a security feature. Perhaps the only one that works consistently.

The only reason to move to electronic voting is to reduce the number of people. I.e. an attempt to reduce the security of the election.

Additionally your voting system has to be simple enough for transparency to be effective. I.e. a non-compromised voting system must be distinguishable from a compromised one by the average Joe or it will get replaced by the compromised one.

No electronic voting system passes this test.

By all means use a computer to help (i.e. optionally mark the paper with a computer, or do some zero knowledge vote verification thingy or count the marks automatically as a pre-count), but it should never interfere with the basic process of put mark on bit of paper, put bit of paper in box, have human tally marks in box.


👤 toast0
Paperless voting is asking for trouble, but electronic voting with a paper trail and an audit procedure is fine with me. It would be handy if you also have predetermined procedures for how to handle election irregularities.

👤 MiddleEndian
In practice, I think there needs to be a physical trail no matter what. It needs to be both verifiable, anonymous, and auditable by parties all at the same time, and that can and should be done with paper. I say this as someone who otherwise detests paperwork, I only check my mail once every month or two.

Being more secure than banks is not enough, because banks are not 100% anonymous, and you can fix banking errors days, months, or even years later. With voting, you don't want to have a trail of who voted for whom.

In my state, Massachusetts, we use physical machines that scan the votes as they go in, and count them and return a tally at the end of the day. Personally, I wish we just counted them manually, but at least they're not connected to the internet I guess, and there's always physical ballots that can be counted in the issue of a challenge or conflict.

The main advantage to using machines, in our current system, is that they're faster. But who cares? You get your results at the end of the evening vs at the end of the week? There's no real urgency there, officials don't take office until some time after that.

But just to play devil's advocate against myself: I do think that liquid democracy, where people could dynamically vote for politicians/delegates (either carte blanche or certain delegates for certain categories and others for others), individual bills, and such on the fly, would be an interesting use of voting online if you were to make a new political system entirely. https://en.wikipedia.org/wiki/Liquid_democracy

I just think there's no way to implement this properly.


👤 karteum
I think it is hard to ensure simultaneously the integrity/consistency and confidentiality of the electronic vote. "low-tech" paper ballots are easy to understand (including for elder/non-tech people), and make it more difficult to implement a massive fraud at scale. (Yet on the other hand, I admit that electronic vote makes it easier to implement more sophisticated voting systems, such as Condorcet (https://en.wikipedia.org/wiki/Condorcet_method) or Cardinal voting (https://en.wikipedia.org/wiki/Cardinal_voting)).

Notice that on the other hand it would be comparatively easier to make an electronic registration system ("X has voted", which does not require the same confidentiality), which then could enable people to vote from any voting office within their country rather than having to go to the specific voting office they are registered to.


👤 mdcds
> There is no evidence of fraud since then

absence of evidence is not the evidence of absence ~ NNT

Just because no one found fraud, doesn't mean it isn't there.

I'm optimistic about Charles Hoskinson's project to develop a secure voting system for a country in Africa (Ethiopia?) that is based on Cardano (crypto). But I'll wait for the final product to make the judgement.


👤 zxwrt
You can't hack the paper, but you can hack the machine, no matter how secure it is...

👤 ksaj
I personally think the risks are less than for bank machines. But only if lessons learned in the development and maintenance of bank machines are fully embraced for the voting machines.

There are some banks that let you deposit cheques without needing to type anything - they use OCR to find the amount, then verify with you, then allow you to print a copy of the cheque with the receipt. There is no reason this same technology can't be used in voting machines, with the difference being that the visual proof is kept internally instead of being printed out. That visual proof is what is needed in case of a Trump-style fishing audit.


👤 Amy_W
Personally, I find it amusing and useful (there are plenty of benefits of it in all spheres - https://ivypanda.com/essays/the-benefits-of-electronic-votin...), but no electronic system is impossible to hack, so it could be used wrongly, which is a pity.

👤 hcarvalhoalves
The system used in Brazil is a glorified ballot. The machine just computes and prints the tally at the end, and this can be audited by all the parties. Fraud would require more than just compromising the machines. Attempt to spread FUD about it is political, ignoring how the system actually works.

👤 moistly
For important voting (federal, provincial) paper ballots with a pencil “X” counted by hand witnessed by the parties.

For less important voting (city, district) with a greater number of positions and candidates, bubble form and machine count.


👤 type0
My opinion is simple: it shouldn't exist in democratic institutions. It is fine if you vote among the members of your hobby organization.

👤 simonblack
The only voting system I trust is pencil and paper with the counting verified by representatives of all the involved political parties.

👤 bicijay
Here in Brazil we have an electronic voting system. Pretty much zero transparency, and ran on Windows until around 2008 (I think). Sad thing is, this debate turned into a political discussion and not a technical one, and the thing that makes me sad about it is to see programmers, who know almost every system is vulnerable, defending a system this exploitable just to prove a political point.

👤 tarakat
Not even formally verified open-source compilers can be trusted (and for the record, in practice, voting machine software does not reach anywhere near such level of security): https://cs.cmu.edu/~rdriley/487/papers/Thompson_1984_Reflect...

Then you also have to trust the entire supply chain (software AND hardware): https://www.schneier.com/blog/archives/2018/03/adding_backdo...

Because the prize is so great, the system has to withstand decades-long attacks by global superpower-level actors. And unlike a bank account, you don't know when you've been hacked.

Once compromised, a smart attacker will stay within the public poll's margin of error - which is much greater for small, local elections through which most politicians have to pass. Think 30% or more, in countries where people have little to fear from answering such polls truthfully. Or venture outside of it, deliberately making the election look stolen to throw a country into chaos.

No system that relies on an un-auditable black box for security can be trusted with elections. This is so blindingly obvious, anyone that says otherwise, no matter how credentialed, is either deluded, corrupt, or malicious.

All this risk, and the benefit is.. what? Countries all over the world manage to vote and tally the results quickly using nothing but paper.

> I'm only referring to electronic machines used to vote, without any internet connection.

If you don't trust the chip fab, how do you check there is no connection? I suspect antennas can be hidden incredibly well, and there are countless side-channels that can be used for communication. And even without antennas, machines are not safe: It is typically introduced to the target environment via an infected USB flash drive, thus crossing any air gap. - https://en.wikipedia.org/wiki/Stuxnet

Do you trust every PC and every USB drive that comes into contact with the voting machine? And every PC that PC came into contact with, and so on?

Edit: To clarify, paper isn't immune to tampering. But crucially, tampering with it is much harder to hide, and it doesn't scale. Not unless you already have loyal agents controlling most polling stations in a country - at which point, no voting system can save you. But even then, hiding your activity will be hard, unlike if you only have to flip a few bits.


👤 marssaxman
Pointless and insecure. Who benefits? Why would we let them have this?

👤 JohnFen
I think electronic voting is a disaster waiting to happen.

👤 water8
An obvious path towards crony capitalism, and anyone who thinks differently is a fool.

👤 glaucon
A bad idea for little benefit. If it has to be done (and it should not be) the voter should make a selection and the machine should print a voting slip, the voter should review the paper and then place it in the box, if there are any disputes you count the physical records and that is considered the true record of the vote.

The award for corrupting the system is too great to ever trust it and most of the decision makers have no way to make any informed judgement about the risks.