Any ideas to make an Electronic Voter Machine more secure? [closed]












2












$begingroup$


EVMs are not secure they say. So how can we make it more secure tham the existing one using cryptography?










share|improve this question











$endgroup$



closed as too broad by Maeher, D.W., Squeamish Ossifrage, Geoffroy Couteau, Maarten Bodewes Mar 7 at 23:14


Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.


















  • $begingroup$
    Not sure how we can help here with the question in it's current form. Very, very very few of the real world practical issues with EVM pertain to cryptography. Is there some more specific theoretical/mathematical aspect that you have in mind?
    $endgroup$
    – Paul Uszak
    Mar 6 at 15:14










  • $begingroup$
    en.wikipedia.org/wiki/Electronic_voting, crypto.stackexchange.com/questions/tagged/voting, security.stackexchange.com/questions/tagged/electronic-voting.
    $endgroup$
    – D.W.
    Mar 6 at 19:37










  • $begingroup$
    And also directly related: Can a device prove the identity of its own code?. BLUF - No.
    $endgroup$
    – Paul Uszak
    Mar 6 at 21:34












  • $begingroup$
    @PaulUszak The existence of remote attestation says otherwise. Of course, with full physical access, you could of course violate any security guarantees it may have...
    $endgroup$
    – forest
    Mar 7 at 10:49


















2












$begingroup$


EVMs are not secure they say. So how can we make it more secure tham the existing one using cryptography?










share|improve this question











$endgroup$



closed as too broad by Maeher, D.W., Squeamish Ossifrage, Geoffroy Couteau, Maarten Bodewes Mar 7 at 23:14


Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.


















  • $begingroup$
    Not sure how we can help here with the question in it's current form. Very, very very few of the real world practical issues with EVM pertain to cryptography. Is there some more specific theoretical/mathematical aspect that you have in mind?
    $endgroup$
    – Paul Uszak
    Mar 6 at 15:14










  • $begingroup$
    en.wikipedia.org/wiki/Electronic_voting, crypto.stackexchange.com/questions/tagged/voting, security.stackexchange.com/questions/tagged/electronic-voting.
    $endgroup$
    – D.W.
    Mar 6 at 19:37










  • $begingroup$
    And also directly related: Can a device prove the identity of its own code?. BLUF - No.
    $endgroup$
    – Paul Uszak
    Mar 6 at 21:34












  • $begingroup$
    @PaulUszak The existence of remote attestation says otherwise. Of course, with full physical access, you could of course violate any security guarantees it may have...
    $endgroup$
    – forest
    Mar 7 at 10:49
















2












2








2





$begingroup$


EVMs are not secure they say. So how can we make it more secure tham the existing one using cryptography?










share|improve this question











$endgroup$




EVMs are not secure they say. So how can we make it more secure tham the existing one using cryptography?







encryption voting






share|improve this question















share|improve this question













share|improve this question




share|improve this question








edited Mar 6 at 19:37









D.W.

29.9k769146




29.9k769146










asked Mar 6 at 12:46









aashikaashik

141




141




closed as too broad by Maeher, D.W., Squeamish Ossifrage, Geoffroy Couteau, Maarten Bodewes Mar 7 at 23:14


Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.









closed as too broad by Maeher, D.W., Squeamish Ossifrage, Geoffroy Couteau, Maarten Bodewes Mar 7 at 23:14


Please edit the question to limit it to a specific problem with enough detail to identify an adequate answer. Avoid asking multiple distinct questions at once. See the How to Ask page for help clarifying this question. If this question can be reworded to fit the rules in the help center, please edit the question.














  • $begingroup$
    Not sure how we can help here with the question in it's current form. Very, very very few of the real world practical issues with EVM pertain to cryptography. Is there some more specific theoretical/mathematical aspect that you have in mind?
    $endgroup$
    – Paul Uszak
    Mar 6 at 15:14










  • $begingroup$
    en.wikipedia.org/wiki/Electronic_voting, crypto.stackexchange.com/questions/tagged/voting, security.stackexchange.com/questions/tagged/electronic-voting.
    $endgroup$
    – D.W.
    Mar 6 at 19:37










  • $begingroup$
    And also directly related: Can a device prove the identity of its own code?. BLUF - No.
    $endgroup$
    – Paul Uszak
    Mar 6 at 21:34












  • $begingroup$
    @PaulUszak The existence of remote attestation says otherwise. Of course, with full physical access, you could of course violate any security guarantees it may have...
    $endgroup$
    – forest
    Mar 7 at 10:49




















  • $begingroup$
    Not sure how we can help here with the question in it's current form. Very, very very few of the real world practical issues with EVM pertain to cryptography. Is there some more specific theoretical/mathematical aspect that you have in mind?
    $endgroup$
    – Paul Uszak
    Mar 6 at 15:14










  • $begingroup$
    en.wikipedia.org/wiki/Electronic_voting, crypto.stackexchange.com/questions/tagged/voting, security.stackexchange.com/questions/tagged/electronic-voting.
    $endgroup$
    – D.W.
    Mar 6 at 19:37










  • $begingroup$
    And also directly related: Can a device prove the identity of its own code?. BLUF - No.
    $endgroup$
    – Paul Uszak
    Mar 6 at 21:34












  • $begingroup$
    @PaulUszak The existence of remote attestation says otherwise. Of course, with full physical access, you could of course violate any security guarantees it may have...
    $endgroup$
    – forest
    Mar 7 at 10:49


















$begingroup$
Not sure how we can help here with the question in it's current form. Very, very very few of the real world practical issues with EVM pertain to cryptography. Is there some more specific theoretical/mathematical aspect that you have in mind?
$endgroup$
– Paul Uszak
Mar 6 at 15:14




$begingroup$
Not sure how we can help here with the question in it's current form. Very, very very few of the real world practical issues with EVM pertain to cryptography. Is there some more specific theoretical/mathematical aspect that you have in mind?
$endgroup$
– Paul Uszak
Mar 6 at 15:14












$begingroup$
en.wikipedia.org/wiki/Electronic_voting, crypto.stackexchange.com/questions/tagged/voting, security.stackexchange.com/questions/tagged/electronic-voting.
$endgroup$
– D.W.
Mar 6 at 19:37




$begingroup$
en.wikipedia.org/wiki/Electronic_voting, crypto.stackexchange.com/questions/tagged/voting, security.stackexchange.com/questions/tagged/electronic-voting.
$endgroup$
– D.W.
Mar 6 at 19:37












$begingroup$
And also directly related: Can a device prove the identity of its own code?. BLUF - No.
$endgroup$
– Paul Uszak
Mar 6 at 21:34






$begingroup$
And also directly related: Can a device prove the identity of its own code?. BLUF - No.
$endgroup$
– Paul Uszak
Mar 6 at 21:34














$begingroup$
@PaulUszak The existence of remote attestation says otherwise. Of course, with full physical access, you could of course violate any security guarantees it may have...
$endgroup$
– forest
Mar 7 at 10:49






$begingroup$
@PaulUszak The existence of remote attestation says otherwise. Of course, with full physical access, you could of course violate any security guarantees it may have...
$endgroup$
– forest
Mar 7 at 10:49












2 Answers
2






active

oldest

votes


















9












$begingroup$

We can't make satisfactory Electronic Voting Machines. Their design face conflicting goals that are impossible to reconcile, even in the simplest conceivable use case: a yes/no vote, a single machine.




  • Count votes (or at least: determine if there was more yes than no) with the result public.

  • Limit voting to one per registered voter.

  • Keep individual votes secret, even from organizers or/and if a person casting vote is actively trying to prove how s/he voted (that requirement helps freedom of vote despite attempted bribery/duress), within the limits inherent to what gets published of the result.

  • Resist denial of service.

  • Convince reasonable observers with ordinary skills that the above goals are met, even if observers do not trust the organizers and designers of the machine, understandably so [*].


Among the few non-electronic approaches that work is one that evolved over time: paper ballot freely available to all, put in opaque envelope mandatorily in a private booth, with the envelope publicly inserted in a transparent urn (with mechanical interlock preventing unauthorized insertion), check of the voter's identity and that the voting role is unsigned right before that insertion, and signing the voting role right afterwards, with the urn and envelopes publicly opened in the end and counted, under public scrutiny all along.



Alternatives have been tried:




  • Mechanical counters, with interlocks preventing multiple voting. There have been jams (perhaps intentional). Only people understanding mechanical machinery (similar to watchmaking) can observe and confirm that counting work as intended before and after voting. And it is to fear that various side channels (lifting a cover hidding the value, sound, ...) can compromise vote secrecy. On the positive side, it can be me made slow and noisy to covertly alter the counters.

  • Electromechanical counters: reportedly more reliable, but side channels are rather worse, altering the counters might be faster and easier, and (because wires and air gaps can be hair-thin) an observer (needing basic understanding of electric circuit) could miss something redirecting counting to the wrong counter. While it would be conceivable and useful to make counters that the voter (only) can see moving when casting vote, without being able to tell the count, I have not heard that it was used.


The more we go towards modern electronics and complex cryptography, the worse the "convince reasonable observers with ordinary skills" goal is met. Finding backdoors in silicon and software is extremely hard, and entirely impossible at the voting location. For most reasonable observers, a finite field is a bounded piece of land.





[*] Voting machines in use in (few and mid-sized) French cities are purchased, stored, serviced and operated (with supervision from the ministry of home affairs) under the authority of the Mayor, yet are used to (re-)elect the Mayor. Their specification and type approval is under the authority of the ministry of home affairs, which head is chosen by the prime minister, which is chosen by the Président de la République, which the machines contribute to (re-)elect. In 2007 that election was won by the former head of the ministry of home affairs that gave delegation for establishing the specifications as law, and was again head of that ministry weeks before his own election and days before a software change was made to the most common type of machines. BTW that software is secret, and it's integrity is publicly demonstrated by a checksum that the software computes and displays. Descartes reportedly turned in his grave.






share|improve this answer











$endgroup$









  • 1




    $begingroup$
    Are you totally convinced that French voting (fully end to end) is really anonymous? Even to law enforcement and the courts? In the UK, Canada, Singapore and others it's not, and this is public knowledge (UK). The ballot papers are serialised and traceable to the voter. Otherwise, how do you catch fraudulent votes?
    $endgroup$
    – Paul Uszak
    Mar 6 at 15:53






  • 2




    $begingroup$
    In France, paper ballots are not serialized, are freely available (at the entrance of the voting station, also sent by mail), and are (or should) be destroyed after the counting is done and no recount is called for, never leaving public scrutiny. Voter identification is procedural from paper ID, including when using voting machines. For these, voting is supposedly kept anonymous by randomizing the address at which the voting is recorded in a backup memory cartridge, analogous to mixing an urn (if that was sequential, it would be conceivable to find what vote the Nth voter casted).
    $endgroup$
    – fgrieu
    Mar 6 at 16:36






  • 1




    $begingroup$
    Nice answer. I would like to add that in some countries, the center that sums the votes can be corrupted. This requires a third party to collects and sums the results of the ballot boxes.
    $endgroup$
    – kelalaka
    Mar 6 at 18:01






  • 2




    $begingroup$
    @PaulUszak What do you mean with "how do you catch fraudulent votes?" At least in Germany, the general public can convince themselves that the ballot box is empty before the election starts, can remain present for the entire duration of the election as well as the opening and counting of the ballots. Every person needs to show government issued ID and it is confirmed that they are an eligible voter before they are allowed to cast their vote. (And everyone has a designated polling place. So voting at more than one does not work.) I don't see which problem traceable ballots would solve.
    $endgroup$
    – Maeher
    Mar 6 at 18:09






  • 2




    $begingroup$
    +1 for "For most reasonable observers, a finite field is a bounded piece of land." (although the rest of the answer deserves it anyways; I entirely agree that the "convince reasonable observers with ordinary skills" is often ignored, and is a critical piece of the problem...)
    $endgroup$
    – poncho
    Mar 6 at 21:35





















1












$begingroup$

I will give some links;




  • E-voting experiments end in Norway amid security fears

  • If it ain’t broke, don’t fix it: Australia should stay away from electronic voting

  • DEFCON 25 Voting Machine Hacking Village

  • Hacking a US electronic voting booth takes less than 90 minutes

  • Voting - What Is, What Could Be (2001)

  • Voting: What Has Changed, What Hasn't, & What Needs Improvement (2012)


The last two is taken from the Caltech/MIT Voting Technology Project (VTP)






share|improve this answer









$endgroup$




















    2 Answers
    2






    active

    oldest

    votes








    2 Answers
    2






    active

    oldest

    votes









    active

    oldest

    votes






    active

    oldest

    votes









    9












    $begingroup$

    We can't make satisfactory Electronic Voting Machines. Their design face conflicting goals that are impossible to reconcile, even in the simplest conceivable use case: a yes/no vote, a single machine.




    • Count votes (or at least: determine if there was more yes than no) with the result public.

    • Limit voting to one per registered voter.

    • Keep individual votes secret, even from organizers or/and if a person casting vote is actively trying to prove how s/he voted (that requirement helps freedom of vote despite attempted bribery/duress), within the limits inherent to what gets published of the result.

    • Resist denial of service.

    • Convince reasonable observers with ordinary skills that the above goals are met, even if observers do not trust the organizers and designers of the machine, understandably so [*].


    Among the few non-electronic approaches that work is one that evolved over time: paper ballot freely available to all, put in opaque envelope mandatorily in a private booth, with the envelope publicly inserted in a transparent urn (with mechanical interlock preventing unauthorized insertion), check of the voter's identity and that the voting role is unsigned right before that insertion, and signing the voting role right afterwards, with the urn and envelopes publicly opened in the end and counted, under public scrutiny all along.



    Alternatives have been tried:




    • Mechanical counters, with interlocks preventing multiple voting. There have been jams (perhaps intentional). Only people understanding mechanical machinery (similar to watchmaking) can observe and confirm that counting work as intended before and after voting. And it is to fear that various side channels (lifting a cover hidding the value, sound, ...) can compromise vote secrecy. On the positive side, it can be me made slow and noisy to covertly alter the counters.

    • Electromechanical counters: reportedly more reliable, but side channels are rather worse, altering the counters might be faster and easier, and (because wires and air gaps can be hair-thin) an observer (needing basic understanding of electric circuit) could miss something redirecting counting to the wrong counter. While it would be conceivable and useful to make counters that the voter (only) can see moving when casting vote, without being able to tell the count, I have not heard that it was used.


    The more we go towards modern electronics and complex cryptography, the worse the "convince reasonable observers with ordinary skills" goal is met. Finding backdoors in silicon and software is extremely hard, and entirely impossible at the voting location. For most reasonable observers, a finite field is a bounded piece of land.





    [*] Voting machines in use in (few and mid-sized) French cities are purchased, stored, serviced and operated (with supervision from the ministry of home affairs) under the authority of the Mayor, yet are used to (re-)elect the Mayor. Their specification and type approval is under the authority of the ministry of home affairs, which head is chosen by the prime minister, which is chosen by the Président de la République, which the machines contribute to (re-)elect. In 2007 that election was won by the former head of the ministry of home affairs that gave delegation for establishing the specifications as law, and was again head of that ministry weeks before his own election and days before a software change was made to the most common type of machines. BTW that software is secret, and it's integrity is publicly demonstrated by a checksum that the software computes and displays. Descartes reportedly turned in his grave.






    share|improve this answer











    $endgroup$









    • 1




      $begingroup$
      Are you totally convinced that French voting (fully end to end) is really anonymous? Even to law enforcement and the courts? In the UK, Canada, Singapore and others it's not, and this is public knowledge (UK). The ballot papers are serialised and traceable to the voter. Otherwise, how do you catch fraudulent votes?
      $endgroup$
      – Paul Uszak
      Mar 6 at 15:53






    • 2




      $begingroup$
      In France, paper ballots are not serialized, are freely available (at the entrance of the voting station, also sent by mail), and are (or should) be destroyed after the counting is done and no recount is called for, never leaving public scrutiny. Voter identification is procedural from paper ID, including when using voting machines. For these, voting is supposedly kept anonymous by randomizing the address at which the voting is recorded in a backup memory cartridge, analogous to mixing an urn (if that was sequential, it would be conceivable to find what vote the Nth voter casted).
      $endgroup$
      – fgrieu
      Mar 6 at 16:36






    • 1




      $begingroup$
      Nice answer. I would like to add that in some countries, the center that sums the votes can be corrupted. This requires a third party to collects and sums the results of the ballot boxes.
      $endgroup$
      – kelalaka
      Mar 6 at 18:01






    • 2




      $begingroup$
      @PaulUszak What do you mean with "how do you catch fraudulent votes?" At least in Germany, the general public can convince themselves that the ballot box is empty before the election starts, can remain present for the entire duration of the election as well as the opening and counting of the ballots. Every person needs to show government issued ID and it is confirmed that they are an eligible voter before they are allowed to cast their vote. (And everyone has a designated polling place. So voting at more than one does not work.) I don't see which problem traceable ballots would solve.
      $endgroup$
      – Maeher
      Mar 6 at 18:09






    • 2




      $begingroup$
      +1 for "For most reasonable observers, a finite field is a bounded piece of land." (although the rest of the answer deserves it anyways; I entirely agree that the "convince reasonable observers with ordinary skills" is often ignored, and is a critical piece of the problem...)
      $endgroup$
      – poncho
      Mar 6 at 21:35


















    9












    $begingroup$

    We can't make satisfactory Electronic Voting Machines. Their design face conflicting goals that are impossible to reconcile, even in the simplest conceivable use case: a yes/no vote, a single machine.




    • Count votes (or at least: determine if there was more yes than no) with the result public.

    • Limit voting to one per registered voter.

    • Keep individual votes secret, even from organizers or/and if a person casting vote is actively trying to prove how s/he voted (that requirement helps freedom of vote despite attempted bribery/duress), within the limits inherent to what gets published of the result.

    • Resist denial of service.

    • Convince reasonable observers with ordinary skills that the above goals are met, even if observers do not trust the organizers and designers of the machine, understandably so [*].


    Among the few non-electronic approaches that work is one that evolved over time: paper ballot freely available to all, put in opaque envelope mandatorily in a private booth, with the envelope publicly inserted in a transparent urn (with mechanical interlock preventing unauthorized insertion), check of the voter's identity and that the voting role is unsigned right before that insertion, and signing the voting role right afterwards, with the urn and envelopes publicly opened in the end and counted, under public scrutiny all along.



    Alternatives have been tried:




    • Mechanical counters, with interlocks preventing multiple voting. There have been jams (perhaps intentional). Only people understanding mechanical machinery (similar to watchmaking) can observe and confirm that counting work as intended before and after voting. And it is to fear that various side channels (lifting a cover hidding the value, sound, ...) can compromise vote secrecy. On the positive side, it can be me made slow and noisy to covertly alter the counters.

    • Electromechanical counters: reportedly more reliable, but side channels are rather worse, altering the counters might be faster and easier, and (because wires and air gaps can be hair-thin) an observer (needing basic understanding of electric circuit) could miss something redirecting counting to the wrong counter. While it would be conceivable and useful to make counters that the voter (only) can see moving when casting vote, without being able to tell the count, I have not heard that it was used.


    The more we go towards modern electronics and complex cryptography, the worse the "convince reasonable observers with ordinary skills" goal is met. Finding backdoors in silicon and software is extremely hard, and entirely impossible at the voting location. For most reasonable observers, a finite field is a bounded piece of land.





    [*] Voting machines in use in (few and mid-sized) French cities are purchased, stored, serviced and operated (with supervision from the ministry of home affairs) under the authority of the Mayor, yet are used to (re-)elect the Mayor. Their specification and type approval is under the authority of the ministry of home affairs, which head is chosen by the prime minister, which is chosen by the Président de la République, which the machines contribute to (re-)elect. In 2007 that election was won by the former head of the ministry of home affairs that gave delegation for establishing the specifications as law, and was again head of that ministry weeks before his own election and days before a software change was made to the most common type of machines. BTW that software is secret, and it's integrity is publicly demonstrated by a checksum that the software computes and displays. Descartes reportedly turned in his grave.






    share|improve this answer











    $endgroup$









    • 1




      $begingroup$
      Are you totally convinced that French voting (fully end to end) is really anonymous? Even to law enforcement and the courts? In the UK, Canada, Singapore and others it's not, and this is public knowledge (UK). The ballot papers are serialised and traceable to the voter. Otherwise, how do you catch fraudulent votes?
      $endgroup$
      – Paul Uszak
      Mar 6 at 15:53






    • 2




      $begingroup$
      In France, paper ballots are not serialized, are freely available (at the entrance of the voting station, also sent by mail), and are (or should) be destroyed after the counting is done and no recount is called for, never leaving public scrutiny. Voter identification is procedural from paper ID, including when using voting machines. For these, voting is supposedly kept anonymous by randomizing the address at which the voting is recorded in a backup memory cartridge, analogous to mixing an urn (if that was sequential, it would be conceivable to find what vote the Nth voter casted).
      $endgroup$
      – fgrieu
      Mar 6 at 16:36






    • 1




      $begingroup$
      Nice answer. I would like to add that in some countries, the center that sums the votes can be corrupted. This requires a third party to collects and sums the results of the ballot boxes.
      $endgroup$
      – kelalaka
      Mar 6 at 18:01






    • 2




      $begingroup$
      @PaulUszak What do you mean with "how do you catch fraudulent votes?" At least in Germany, the general public can convince themselves that the ballot box is empty before the election starts, can remain present for the entire duration of the election as well as the opening and counting of the ballots. Every person needs to show government issued ID and it is confirmed that they are an eligible voter before they are allowed to cast their vote. (And everyone has a designated polling place. So voting at more than one does not work.) I don't see which problem traceable ballots would solve.
      $endgroup$
      – Maeher
      Mar 6 at 18:09






    • 2




      $begingroup$
      +1 for "For most reasonable observers, a finite field is a bounded piece of land." (although the rest of the answer deserves it anyways; I entirely agree that the "convince reasonable observers with ordinary skills" is often ignored, and is a critical piece of the problem...)
      $endgroup$
      – poncho
      Mar 6 at 21:35
















    9












    9








    9





    $begingroup$

    We can't make satisfactory Electronic Voting Machines. Their design face conflicting goals that are impossible to reconcile, even in the simplest conceivable use case: a yes/no vote, a single machine.




    • Count votes (or at least: determine if there was more yes than no) with the result public.

    • Limit voting to one per registered voter.

    • Keep individual votes secret, even from organizers or/and if a person casting vote is actively trying to prove how s/he voted (that requirement helps freedom of vote despite attempted bribery/duress), within the limits inherent to what gets published of the result.

    • Resist denial of service.

    • Convince reasonable observers with ordinary skills that the above goals are met, even if observers do not trust the organizers and designers of the machine, understandably so [*].


    Among the few non-electronic approaches that work is one that evolved over time: paper ballot freely available to all, put in opaque envelope mandatorily in a private booth, with the envelope publicly inserted in a transparent urn (with mechanical interlock preventing unauthorized insertion), check of the voter's identity and that the voting role is unsigned right before that insertion, and signing the voting role right afterwards, with the urn and envelopes publicly opened in the end and counted, under public scrutiny all along.



    Alternatives have been tried:




    • Mechanical counters, with interlocks preventing multiple voting. There have been jams (perhaps intentional). Only people understanding mechanical machinery (similar to watchmaking) can observe and confirm that counting work as intended before and after voting. And it is to fear that various side channels (lifting a cover hidding the value, sound, ...) can compromise vote secrecy. On the positive side, it can be me made slow and noisy to covertly alter the counters.

    • Electromechanical counters: reportedly more reliable, but side channels are rather worse, altering the counters might be faster and easier, and (because wires and air gaps can be hair-thin) an observer (needing basic understanding of electric circuit) could miss something redirecting counting to the wrong counter. While it would be conceivable and useful to make counters that the voter (only) can see moving when casting vote, without being able to tell the count, I have not heard that it was used.


    The more we go towards modern electronics and complex cryptography, the worse the "convince reasonable observers with ordinary skills" goal is met. Finding backdoors in silicon and software is extremely hard, and entirely impossible at the voting location. For most reasonable observers, a finite field is a bounded piece of land.





    [*] Voting machines in use in (few and mid-sized) French cities are purchased, stored, serviced and operated (with supervision from the ministry of home affairs) under the authority of the Mayor, yet are used to (re-)elect the Mayor. Their specification and type approval is under the authority of the ministry of home affairs, which head is chosen by the prime minister, which is chosen by the Président de la République, which the machines contribute to (re-)elect. In 2007 that election was won by the former head of the ministry of home affairs that gave delegation for establishing the specifications as law, and was again head of that ministry weeks before his own election and days before a software change was made to the most common type of machines. BTW that software is secret, and it's integrity is publicly demonstrated by a checksum that the software computes and displays. Descartes reportedly turned in his grave.






    share|improve this answer











    $endgroup$



    We can't make satisfactory Electronic Voting Machines. Their design face conflicting goals that are impossible to reconcile, even in the simplest conceivable use case: a yes/no vote, a single machine.




    • Count votes (or at least: determine if there was more yes than no) with the result public.

    • Limit voting to one per registered voter.

    • Keep individual votes secret, even from organizers or/and if a person casting vote is actively trying to prove how s/he voted (that requirement helps freedom of vote despite attempted bribery/duress), within the limits inherent to what gets published of the result.

    • Resist denial of service.

    • Convince reasonable observers with ordinary skills that the above goals are met, even if observers do not trust the organizers and designers of the machine, understandably so [*].


    Among the few non-electronic approaches that work is one that evolved over time: paper ballot freely available to all, put in opaque envelope mandatorily in a private booth, with the envelope publicly inserted in a transparent urn (with mechanical interlock preventing unauthorized insertion), check of the voter's identity and that the voting role is unsigned right before that insertion, and signing the voting role right afterwards, with the urn and envelopes publicly opened in the end and counted, under public scrutiny all along.



    Alternatives have been tried:




    • Mechanical counters, with interlocks preventing multiple voting. There have been jams (perhaps intentional). Only people understanding mechanical machinery (similar to watchmaking) can observe and confirm that counting work as intended before and after voting. And it is to fear that various side channels (lifting a cover hidding the value, sound, ...) can compromise vote secrecy. On the positive side, it can be me made slow and noisy to covertly alter the counters.

    • Electromechanical counters: reportedly more reliable, but side channels are rather worse, altering the counters might be faster and easier, and (because wires and air gaps can be hair-thin) an observer (needing basic understanding of electric circuit) could miss something redirecting counting to the wrong counter. While it would be conceivable and useful to make counters that the voter (only) can see moving when casting vote, without being able to tell the count, I have not heard that it was used.


    The more we go towards modern electronics and complex cryptography, the worse the "convince reasonable observers with ordinary skills" goal is met. Finding backdoors in silicon and software is extremely hard, and entirely impossible at the voting location. For most reasonable observers, a finite field is a bounded piece of land.





    [*] Voting machines in use in (few and mid-sized) French cities are purchased, stored, serviced and operated (with supervision from the ministry of home affairs) under the authority of the Mayor, yet are used to (re-)elect the Mayor. Their specification and type approval is under the authority of the ministry of home affairs, which head is chosen by the prime minister, which is chosen by the Président de la République, which the machines contribute to (re-)elect. In 2007 that election was won by the former head of the ministry of home affairs that gave delegation for establishing the specifications as law, and was again head of that ministry weeks before his own election and days before a software change was made to the most common type of machines. BTW that software is secret, and it's integrity is publicly demonstrated by a checksum that the software computes and displays. Descartes reportedly turned in his grave.







    share|improve this answer














    share|improve this answer



    share|improve this answer








    edited Mar 6 at 19:38

























    answered Mar 6 at 15:35









    fgrieufgrieu

    81.4k7175346




    81.4k7175346








    • 1




      $begingroup$
      Are you totally convinced that French voting (fully end to end) is really anonymous? Even to law enforcement and the courts? In the UK, Canada, Singapore and others it's not, and this is public knowledge (UK). The ballot papers are serialised and traceable to the voter. Otherwise, how do you catch fraudulent votes?
      $endgroup$
      – Paul Uszak
      Mar 6 at 15:53






    • 2




      $begingroup$
      In France, paper ballots are not serialized, are freely available (at the entrance of the voting station, also sent by mail), and are (or should) be destroyed after the counting is done and no recount is called for, never leaving public scrutiny. Voter identification is procedural from paper ID, including when using voting machines. For these, voting is supposedly kept anonymous by randomizing the address at which the voting is recorded in a backup memory cartridge, analogous to mixing an urn (if that was sequential, it would be conceivable to find what vote the Nth voter casted).
      $endgroup$
      – fgrieu
      Mar 6 at 16:36






    • 1




      $begingroup$
      Nice answer. I would like to add that in some countries, the center that sums the votes can be corrupted. This requires a third party to collects and sums the results of the ballot boxes.
      $endgroup$
      – kelalaka
      Mar 6 at 18:01






    • 2




      $begingroup$
      @PaulUszak What do you mean with "how do you catch fraudulent votes?" At least in Germany, the general public can convince themselves that the ballot box is empty before the election starts, can remain present for the entire duration of the election as well as the opening and counting of the ballots. Every person needs to show government issued ID and it is confirmed that they are an eligible voter before they are allowed to cast their vote. (And everyone has a designated polling place. So voting at more than one does not work.) I don't see which problem traceable ballots would solve.
      $endgroup$
      – Maeher
      Mar 6 at 18:09






    • 2




      $begingroup$
      +1 for "For most reasonable observers, a finite field is a bounded piece of land." (although the rest of the answer deserves it anyways; I entirely agree that the "convince reasonable observers with ordinary skills" is often ignored, and is a critical piece of the problem...)
      $endgroup$
      – poncho
      Mar 6 at 21:35
















    • 1




      $begingroup$
      Are you totally convinced that French voting (fully end to end) is really anonymous? Even to law enforcement and the courts? In the UK, Canada, Singapore and others it's not, and this is public knowledge (UK). The ballot papers are serialised and traceable to the voter. Otherwise, how do you catch fraudulent votes?
      $endgroup$
      – Paul Uszak
      Mar 6 at 15:53






    • 2




      $begingroup$
      In France, paper ballots are not serialized, are freely available (at the entrance of the voting station, also sent by mail), and are (or should) be destroyed after the counting is done and no recount is called for, never leaving public scrutiny. Voter identification is procedural from paper ID, including when using voting machines. For these, voting is supposedly kept anonymous by randomizing the address at which the voting is recorded in a backup memory cartridge, analogous to mixing an urn (if that was sequential, it would be conceivable to find what vote the Nth voter casted).
      $endgroup$
      – fgrieu
      Mar 6 at 16:36






    • 1




      $begingroup$
      Nice answer. I would like to add that in some countries, the center that sums the votes can be corrupted. This requires a third party to collects and sums the results of the ballot boxes.
      $endgroup$
      – kelalaka
      Mar 6 at 18:01






    • 2




      $begingroup$
      @PaulUszak What do you mean with "how do you catch fraudulent votes?" At least in Germany, the general public can convince themselves that the ballot box is empty before the election starts, can remain present for the entire duration of the election as well as the opening and counting of the ballots. Every person needs to show government issued ID and it is confirmed that they are an eligible voter before they are allowed to cast their vote. (And everyone has a designated polling place. So voting at more than one does not work.) I don't see which problem traceable ballots would solve.
      $endgroup$
      – Maeher
      Mar 6 at 18:09






    • 2




      $begingroup$
      +1 for "For most reasonable observers, a finite field is a bounded piece of land." (although the rest of the answer deserves it anyways; I entirely agree that the "convince reasonable observers with ordinary skills" is often ignored, and is a critical piece of the problem...)
      $endgroup$
      – poncho
      Mar 6 at 21:35










    1




    1




    $begingroup$
    Are you totally convinced that French voting (fully end to end) is really anonymous? Even to law enforcement and the courts? In the UK, Canada, Singapore and others it's not, and this is public knowledge (UK). The ballot papers are serialised and traceable to the voter. Otherwise, how do you catch fraudulent votes?
    $endgroup$
    – Paul Uszak
    Mar 6 at 15:53




    $begingroup$
    Are you totally convinced that French voting (fully end to end) is really anonymous? Even to law enforcement and the courts? In the UK, Canada, Singapore and others it's not, and this is public knowledge (UK). The ballot papers are serialised and traceable to the voter. Otherwise, how do you catch fraudulent votes?
    $endgroup$
    – Paul Uszak
    Mar 6 at 15:53




    2




    2




    $begingroup$
    In France, paper ballots are not serialized, are freely available (at the entrance of the voting station, also sent by mail), and are (or should) be destroyed after the counting is done and no recount is called for, never leaving public scrutiny. Voter identification is procedural from paper ID, including when using voting machines. For these, voting is supposedly kept anonymous by randomizing the address at which the voting is recorded in a backup memory cartridge, analogous to mixing an urn (if that was sequential, it would be conceivable to find what vote the Nth voter casted).
    $endgroup$
    – fgrieu
    Mar 6 at 16:36




    $begingroup$
    In France, paper ballots are not serialized, are freely available (at the entrance of the voting station, also sent by mail), and are (or should) be destroyed after the counting is done and no recount is called for, never leaving public scrutiny. Voter identification is procedural from paper ID, including when using voting machines. For these, voting is supposedly kept anonymous by randomizing the address at which the voting is recorded in a backup memory cartridge, analogous to mixing an urn (if that was sequential, it would be conceivable to find what vote the Nth voter casted).
    $endgroup$
    – fgrieu
    Mar 6 at 16:36




    1




    1




    $begingroup$
    Nice answer. I would like to add that in some countries, the center that sums the votes can be corrupted. This requires a third party to collects and sums the results of the ballot boxes.
    $endgroup$
    – kelalaka
    Mar 6 at 18:01




    $begingroup$
    Nice answer. I would like to add that in some countries, the center that sums the votes can be corrupted. This requires a third party to collects and sums the results of the ballot boxes.
    $endgroup$
    – kelalaka
    Mar 6 at 18:01




    2




    2




    $begingroup$
    @PaulUszak What do you mean with "how do you catch fraudulent votes?" At least in Germany, the general public can convince themselves that the ballot box is empty before the election starts, can remain present for the entire duration of the election as well as the opening and counting of the ballots. Every person needs to show government issued ID and it is confirmed that they are an eligible voter before they are allowed to cast their vote. (And everyone has a designated polling place. So voting at more than one does not work.) I don't see which problem traceable ballots would solve.
    $endgroup$
    – Maeher
    Mar 6 at 18:09




    $begingroup$
    @PaulUszak What do you mean with "how do you catch fraudulent votes?" At least in Germany, the general public can convince themselves that the ballot box is empty before the election starts, can remain present for the entire duration of the election as well as the opening and counting of the ballots. Every person needs to show government issued ID and it is confirmed that they are an eligible voter before they are allowed to cast their vote. (And everyone has a designated polling place. So voting at more than one does not work.) I don't see which problem traceable ballots would solve.
    $endgroup$
    – Maeher
    Mar 6 at 18:09




    2




    2




    $begingroup$
    +1 for "For most reasonable observers, a finite field is a bounded piece of land." (although the rest of the answer deserves it anyways; I entirely agree that the "convince reasonable observers with ordinary skills" is often ignored, and is a critical piece of the problem...)
    $endgroup$
    – poncho
    Mar 6 at 21:35






    $begingroup$
    +1 for "For most reasonable observers, a finite field is a bounded piece of land." (although the rest of the answer deserves it anyways; I entirely agree that the "convince reasonable observers with ordinary skills" is often ignored, and is a critical piece of the problem...)
    $endgroup$
    – poncho
    Mar 6 at 21:35













    1












    $begingroup$

    I will give some links;




    • E-voting experiments end in Norway amid security fears

    • If it ain’t broke, don’t fix it: Australia should stay away from electronic voting

    • DEFCON 25 Voting Machine Hacking Village

    • Hacking a US electronic voting booth takes less than 90 minutes

    • Voting - What Is, What Could Be (2001)

    • Voting: What Has Changed, What Hasn't, & What Needs Improvement (2012)


    The last two is taken from the Caltech/MIT Voting Technology Project (VTP)






    share|improve this answer









    $endgroup$


















      1












      $begingroup$

      I will give some links;




      • E-voting experiments end in Norway amid security fears

      • If it ain’t broke, don’t fix it: Australia should stay away from electronic voting

      • DEFCON 25 Voting Machine Hacking Village

      • Hacking a US electronic voting booth takes less than 90 minutes

      • Voting - What Is, What Could Be (2001)

      • Voting: What Has Changed, What Hasn't, & What Needs Improvement (2012)


      The last two is taken from the Caltech/MIT Voting Technology Project (VTP)






      share|improve this answer









      $endgroup$
















        1












        1








        1





        $begingroup$

        I will give some links;




        • E-voting experiments end in Norway amid security fears

        • If it ain’t broke, don’t fix it: Australia should stay away from electronic voting

        • DEFCON 25 Voting Machine Hacking Village

        • Hacking a US electronic voting booth takes less than 90 minutes

        • Voting - What Is, What Could Be (2001)

        • Voting: What Has Changed, What Hasn't, & What Needs Improvement (2012)


        The last two is taken from the Caltech/MIT Voting Technology Project (VTP)






        share|improve this answer









        $endgroup$



        I will give some links;




        • E-voting experiments end in Norway amid security fears

        • If it ain’t broke, don’t fix it: Australia should stay away from electronic voting

        • DEFCON 25 Voting Machine Hacking Village

        • Hacking a US electronic voting booth takes less than 90 minutes

        • Voting - What Is, What Could Be (2001)

        • Voting: What Has Changed, What Hasn't, & What Needs Improvement (2012)


        The last two is taken from the Caltech/MIT Voting Technology Project (VTP)







        share|improve this answer












        share|improve this answer



        share|improve this answer










        answered Mar 6 at 18:37









        kelalakakelalaka

        8,43822351




        8,43822351















            Popular posts from this blog

            mysqli_query(): Empty query in /home/lucindabrummitt/public_html/blog/wp-includes/wp-db.php on line 1924

            How to change which sound is reproduced for terminal bell?

            Can I use Tabulator js library in my java Spring + Thymeleaf project?