Voting Security Cheatsheet [2016 Edition]

It’s voting season! Which means everyone is asking questions like:

  • wait, why can’t I vote online?
  • how hard can voting really be?
  • shouldn’t this all be open-source?
  • isn’t it just as easy to hack paper voting as electronic voting?
  • is Russia hacking our voting machines?
  • why do we even need voting machines when other countries count by hand?
  • maybe there’s enough time to fix things before November 8th?
  • hasn’t the blockchain solved voting already?

For your convenience, I have compiled this handy election technology & security cheat-sheet.

  1. you can’t vote online for good reason. (a) We don’t know how to make sure the device you use to vote has correctly captured your voting intent – it might have been compromised such that when you vote for Alice, it votes for Bob instead. (b) Though we know of a number of techniques to tally electronic votes in a publicly verifiable way that also preserves individual privacy, we are far from deploying these at scale. Reason (a) alone is enough to rule out voting online.
  2. getting voting right is really hard. Since everyone has a stake in the outcome, you can’t outsource the trust to any one person or organization. You have to preserve the privacy of individual votes even against the wishes of the voter herself, otherwise voters can be coerced, and yes coercion has been a concern throughout history and remains a concern today, in 2016, in the US. And you have to provide some process that everyone, even the loser, can trust. In other words, you need a process auditable by everyone, without placing much trust in any given person or organization, while deleting critical information (who voted for what).
  3. open-source doesn’t solve the problem. Yes, it would be cool if voting machines used only open-source software. But how would you know the software that was audited is the same as the software running on the machine? Doesn’t solve the problem.
  4. paper ballots collected and tallied at each precinct are vastly more secure. It’s quite difficult to corrupt a distributed counting process, where every precinct publishes its results and keeps paper records for recounts, all while being disconnected from the Internet. Massachusetts does this well. California does this less well as paper ballots are transported before they’re counted, thus leaving more opportunities for foul play, though it’s still pretty tricky to attack at scale. What matters in an election is scalability of attacks.
  5. yes, voting machines can be hacked. Usually it takes an in-person attack as these machines aren’t networked, but apparently some are and that’s just crazy. This is why you probably want paper records of all votes, and why optical scan voting machines are best, since they start and end with paper. But again, to hack voting machines requires being at the precinct, which isn’t scalable. Except of course if the machines are on the network, and again that’s just insane.
  6. you can’t count ballots by hand in the US because we vote for a dozen offices and ballot initiatives. If we just voted for one thing, e.g. President, then counting by hand would be highly preferable and plenty fast: just make piles. You could even weigh the piles to count them quickly. The process for counting up a dozen or more questions on paper by hand simply doesn’t work at scale. This part is sometimes hard to believe, but it is the real issue, and the central reason why we have voting machines.
  7. the Blockchain doesn’t solve voting. At best it solves one part of the voting process, which isn’t even the hardest part. Combining vote privacy and tally verifiability is the hardest part, and Blockchain doesn’t solve that.
  8. it’s way too late to change anything for November 8th. The process for certifying new voting machines / processes takes years. If you want to make things better, start now for 2020.
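Points 1(b) and 7 talk about tallying encrypted votes without ever decrypting an individual ballot; the toy below, added here as an illustration and not code from the original post, does exactly that with the additively homomorphic Paillier cryptosystem. It assumes constructed demo primes (far too small to be secure), a single race encoded as one plaintext digit per candidate, and deliberately omits the zero-knowledge proofs (that each ciphertext encrypts a well-formed vote and that the decryption is correct) which make up the public-verifiability half the post calls the hardest part.

```python
import math
import secrets

# Toy Paillier keypair built from tiny constructed primes so the example runs
# instantly. Real systems use ~2048-bit moduli; these numbers are NOT secure.
P, Q = 10007, 10009
N = P * Q                                  # public key
N2 = N * N
LAMBDA = math.lcm(P - 1, Q - 1)            # secret key
MU = pow(LAMBDA, -1, N)                    # secret key (valid because g = N + 1)

def encrypt(m, n=N, n2=N2):
    """Encrypt plaintext m under public key n with fresh randomness r,
    so two encryptions of the same vote look unrelated."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (pow(n + 1, m, n2) * pow(r, n, n2)) % n2

def decrypt(c, n=N, n2=N2, lam=LAMBDA, mu=MU):
    """Decrypt with the secret key; L(x) = (x - 1) // n."""
    return (((pow(c, lam, n2) - 1) // n) * mu) % n

BASE = 100   # one base-100 "digit" per candidate; assumes fewer than 100 voters

def cast_ballot(candidate):
    """A voter for candidate i submits Enc(BASE**i); the ciphertext alone
    reveals nothing about which candidate was chosen."""
    return encrypt(BASE ** candidate)

def tally(ciphertexts, num_candidates, n=N, n2=N2):
    """Multiply ciphertexts (which adds their plaintexts), decrypt only the
    aggregate once, then read per-candidate counts out of the digits."""
    if BASE ** num_candidates > n:
        raise ValueError("too many candidates for this modulus")
    acc = 1                                # Enc(0) with trivial randomness
    for c in ciphertexts:
        acc = (acc * c) % n2
    total = decrypt(acc, n, n2)
    counts = []
    for _ in range(num_candidates):
        counts.append(total % BASE)
        total //= BASE
    return counts

# Constructed sample election: six voters, three candidates.
SAMPLE_VOTES = [0, 2, 1, 0, 0, 2]
SAMPLE_BALLOTS = [cast_ballot(v) for v in SAMPLE_VOTES]
```

Only the aggregate is ever decrypted, which is the privacy property; nothing here lets an observer verify that the key holder decrypted honestly, which is why the post says the hard part remains unsolved by this mechanism alone.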