Who ordered *that*? (@ManishEarth), 67 tweets, 11 min read
So I'm seeing a lot of misunderstandings around voting systems, especially when it pertains to voting machines. It occurs to me that people may not have a clear idea about how they actually work, and what properties they try to uphold, and how they try to be fraud-resilient.
So systems like these interest me for the same reasons cryptography does -- they're interesting constraint sets with complex dynamics, and are kinda fun to roll around in your head with various situations.

This year I signed up as a poll worker to help, and to learn more.
This thread will mostly be about how voting in Alameda County, CA works. I'll try to highlight properties considered important more broadly, but the exact dynamics of what I describe are county-specific.
I'll first just go through how voting in AC *works*.

One choice is voting by mail. You sign up to vote by mail, get a ballot in the mail, fill it in, sign the envelope, and mail it back (or stick it in a voting dropbox), and you're done.
I'm not sure why postage isn't free for these -- I'm a millennial, I don't have *stamps*. But it's pretty straightforward, and easy to do. VBM isn't available across the country, though.
Another choice is voting at certain government offices (the ROV in Oakland I think). I'm not clear on how the specifics of this work but I presume it's a modified version of the normal protocol. This is basically "early voting" though due to VBM it seems to be less popular?
Finally, you can vote in person on election day. There's a process to this.

First, you're supposed to turn up at your assigned polling precinct. You can ignore this and still vote (provisionally), and I'll get to that, but you're supposed to turn up at the assigned one.
IIRC this assignment is part of the voter election info you get in the mail.

The list of people assigned to a precinct is posted outside the precinct.
Anyway, you turn up. You give your name and address to the poll worker at the table, and they find you in the rolls. If you're not in the rolls, you can still vote provisionally, but I'll get to that.
You need to show ID if you're a first time voter, but ID can even mean a utility bill.

en.wikipedia.org/wiki/Help_Amer…
You then sign a line next to your name -- fraudulently doing so is illegal -- and get your ballot cards (and their stubs). Because this is California and we have ballot measures, you usually get a fuckton (I have 4 large cards, 6 sides). Yay, social studies homework.
There's a separate procedure if you can't or don't want to fill out a ballot with pen, but I'll get to that.

You then go off to a voting booth, and vote, privately. You're given a little folder thing so that when not in the booth you can maintain the privacy of your cards.
Once done, you go up to the scanner, and slide your ballot cards in. The scanner will reject cards with problems (you can get new ones, up to three times). It will internally count the votes, but externally just increment a counter of the total number of ballots cast.
The scanner also will eat the ballot, internally storing it in one of two bins (based on whether or not there are write-ins). These bins can't be opened till the end of the day (modulo caveats).
You're done! You get a cool sticker!
One thing I skipped was provisional voting. If you're voting in the wrong precinct (and are stubborn), or are voting in the *right* precinct but registered in the wrong one (you moved?), or there's a glitch in the rolls, or if you lost your VBM ballot, you vote provisionally.
Also for if you needed to show ID but didn't.

In short, we basically can't turn people away from voting: voting provisionally is always an option.

(easy for me, not ever needing to say no zeroes the chances of doing it incorrectly and having legal issues)
In provisional voting, you're given a ballot and an envelope. The envelope has a voter registration form on it -- this form will reregister you. It's also got a declaration of citizenship, etc, etc. Lying on this is illegal.

Envelope has a stub with some numbers on it.
You fill in your ballot, put it in the envelope, and submit your ballot into a different, non-automated receptacle. You can then call the registrar of voters in a week or so to check on your provisional ballot.
Side note: If you're a vote by mail voter and go to vote in your own precinct, you don't have to vote provisionally if you have your VBM ballot -- you surrender it, it gets torn and invalidated, and is kept in a separate receptacle.
If you have trouble filling in a paper ballot, there's a touchscreen voting machine with an audio thingie. It gets activated by a keycard a poll worker will give you once you provide your name/address.
This one has an interesting feature: a closed-loop printer connected to it. When you finish voting, the attached VVPAT printer will print a record of your vote. It will not *give* you this record, but you can see it through a glass window and verify it.

en.wikipedia.org/wiki/Voter-ver…
Once you're done, the machine will scroll the paper roll up so that the next person can't see your vote.
Anyway, that's basically most of the ways you can vote.
There are some interesting properties here.

One important property is that nobody -- not even you -- can find out who you voted for. The ballot card doesn't have your name on it. The ballot card ID isn't noted down with your name anywhere.
(twitter doesn't let you thread longer than this, so I'll livetweet the rest. expect gaps.)
The "not even you" part is important. You *know* who you voted for, but you don't have any *proof* of it. Which means nobody can coerce you to vote a certain way because you can just lie about it and they can't check.
As a caveat, election officials will know the identities behind provisional votes. I'm not sure what happens to VBM votes, there can be a system where the ballots are separated from the envelopes and scanned, and any verification of the envelopes can be done separately.
Another property is the conservation of ballots! Everything hinges on ballot count here.

Already got a vote by mail ballot? Sorry, give it back or vote provisionally.

Spoiled your ballot? Give it back before you get another one.
Ones given back are defaced, kept separately, and counted separately. At the end of the day, the numbers on the scanner/touchscreen should match the count on the signed voter roster, which should also match the number of ballots used (unused ballots must be sent back!)
Also, provisional votes may also be re-made into regular ballots and scanned, and I *think* something similar is done with the touchscreen.

That is, ultimately the entire election can be verified by counting the results on these anonymous ballots. Another (related) property.
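As an added illustration (my own constructed model, not anything Alameda County publishes), here is the end-of-day conservation-of-ballots check written out as code: the roster, the machine counters, the paper-card accounting and the seal log are cross-checked, and any mismatch is reported. The field names, the treatment of provisional voters (envelope form instead of roster signature) and the exact invariants are assumptions.

```python
from dataclasses import dataclass, field

# Constructed model of a precinct's close-of-polls figures. Field names and the
# invariants below are assumptions, not the county's actual reconciliation form.
@dataclass
class PrecinctClose:
    ballots_received: int        # paper cards delivered to the precinct at setup
    ballots_unused: int          # must be sent back, uncounted
    ballots_spoiled: int         # returned, defaced, kept and counted separately
    roster_signatures: int       # voters who signed next to their name
    scanner_counter: int         # public "ballots cast" counter on the scanner
    touchscreen_counter: int     # ballots cast on the accessible machine (no paper card)
    provisional_envelopes: int   # paper cards sealed in envelopes, separate receptacle
    seals_at_setup: dict = field(default_factory=dict)    # seal id -> number written at setup
    seals_at_close: dict = field(default_factory=dict)    # seal id -> number read at close
    seals_removed_logged: set = field(default_factory=set)  # removals recorded on the form


def reconcile(p: PrecinctClose) -> list:
    """Return the list of conservation-of-ballots / seal-chain violations (empty == clean)."""
    problems = []
    # Assumption: provisional voters fill in the envelope form rather than the roster,
    # so roster signatures should equal ballots cast on the scanner plus the touchscreen.
    cast = p.scanner_counter + p.touchscreen_counter
    if p.roster_signatures != cast:
        problems.append(f"roster {p.roster_signatures} != machine counters {cast}")
    # Paper cards used = received - unused - spoiled; each of them must be either in
    # the scanner's sealed bins or inside a provisional envelope.
    paper_used = p.ballots_received - p.ballots_unused - p.ballots_spoiled
    paper_accounted = p.scanner_counter + p.provisional_envelopes
    if paper_used != paper_accounted:
        problems.append(f"paper used {paper_used} != scanner+provisional {paper_accounted}")
    # Seal chain: every seal recorded at setup must read the same number at close,
    # unless its removal was written down on the form (with the physical seal kept).
    for seal_id, number in p.seals_at_setup.items():
        if seal_id in p.seals_removed_logged:
            continue
        seen = p.seals_at_close.get(seal_id)
        if seen != number:
            problems.append(f"seal {seal_id}: setup {number}, close {seen}")
    return problems


def sample_clean() -> PrecinctClose:
    """Constructed figures for a precinct where every count and seal lines up."""
    return PrecinctClose(ballots_received=400, ballots_unused=150, ballots_spoiled=5,
                         roster_signatures=240, scanner_counter=230, touchscreen_counter=10,
                         provisional_envelopes=15,
                         seals_at_setup={"scanner_bin": "A1001", "provisional_box": "A1002"},
                         seals_at_close={"scanner_bin": "A1001", "provisional_box": "A1002"})
```

Bumping the scanner counter without matching roster signatures, or swapping a seal for one with a different number, shows up as a reported discrepancy rather than being silently absorbed.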
Off the bat we have two important properties: Secrecy (nobody knows who you voted for, and nobody can force you to reveal it in a way that you can't lie about), and paper trail (everything is on paper, and hand-countable).
Maintaining both of these properties is *hard*.

I'd argue there's a fourth property: obviousness: to a large part, what you need to do in the voting booth should be obvious. You're allowed to request assistance, and we do tell you things about voting, but we shouldn't need to.
The recent Texas voting machine absurdities fail this test when applied with the stated "you should be paying attention" explanation -- really, they shouldn't *need* to, they should be able to trust that the obvious thing works.
So how is this robust against fraud?

Well, first off, I want to emphasize that voter fraud isn't a major problem in the US, and is far less prevalent than suppression; tradeoffs between fraud and suppression have an easy answer.
But OK. How can an individual thwart this system? Pretty much the only way is by double voting under false names, or getting non-citizens to vote. This scales badly: a single vote like this isn't worth it, and its chances of getting caught grow as you scale this.
Who else can thwart this system? Poll workers.

We can sneakily submit extra ballots.

Wait, no, ballot counts have to match the voter rolls. Can't cross people off prematurely, there's a chance of being caught (same problem as previously)
Can't do a bulk scan at the end, super obvious.

To do any of this all of the poll workers have to collude anyway, it would be easy to notice this otherwise. And poll watchers exist too, so this is tricky/impossible.
Okay, what else? Poll workers can *discard* ballots.

Wait, no, they can't. All the receptacles non-defaced ballots end up in are secured with a seal. The numbers on these seals are known so you can't replace them.
Alameda's system of seals is pretty intricate, there are seals you add, seals you remove, seals you add and then remove, seals you don't touch, and all of this is recorded on a form, along with the physical seals if removed.
So you can't just fiddle with sealed things without messing this up.
You *could* mess things up at setup except the first voter must sign off on everything being orderly at setup. All the ballot bins must be empty and sealed in front of them, the seals must have their number written down correctly, various counters must be zero, etc.
Election officials also have power to mess things up, but presumably poll watchers are allowed during that process as well, and the ballot counts make everything harder.
So this system is somewhat fraud resilient. It's worth noting that the resilience is obtained by social measures more than technical ones.
Oh, one thing I forgot to mention: the tallies from the scanners get posted outside after the polls close (provided there are >20(?) votes for privacy reasons). They're also submitted to the election office along with the scanner's memory bank (same for touchscreen)
This gives us a really nice property: the election can give immediate local results modulo vote by mail, provisional. You can have your paper trail cake and eat it too -- paper ballots do not mean slow results (just slow *final* results)
Overall, when designing a voting system the paper trail, the secrecy (with coercion-protection), and obviousness/usability are the three properties I consider super important.
When it comes to voting machines they're in a bit of a CAP theorem-esque situation: they kinda seem to be "pick any two". A lot of the solutions you see floating around (some are smart and cool, others are blonkchain) fail one or more of these. Usually usability.
I'm reminded of @sec_tigger's Rule of Usability: Security at the expense of usability, comes at the expense of security.

Not quite the same thing, but relevant.
Anyway, most tech solutions for voting machines are basically "gpg but for voting" thank you for coming to my ted talk
Oh, also: sign up to be a poll worker! This election if possible, or the next one. Learn how things work, and help voting run smoothly!

(They also seem to have a shortage of bilingual workers, at least in these parts, so if you speak languages that are locally common, help!)
I saw this tweet and was happy and then I saw the chucklefucks in the replies and got annoyed so now y'all get a bonus thread.

Here's why your pet cryptographically sound voting machine system won't work: it probably fails *all three* of the properties I stated. Definitely two of them.
Auditable paper trail: Not without VVPATs, and those have problems.

It's kinda okay for machines used only in cases when folks can't cast a paper ballot, but still problematic.

en.m.wikipedia.org/wiki/Voter-ver…
Checking the VVPAT is something non-obvious. It's fine if poll workers can carefully explain it to the occasional voter with accessibility needs, but for everyone stuff will be missed, and there's the chance of poll workers fudging things by not explaining.
Okay, but VVPATs are still a kind-of solution. I'll give you that. Let's look at the other properties:

Secrecy: any method of verifying the actual contents of your vote post-election is broken. Verification must be something you can do then and there and *only* then and there.
Here's the thing: people can't compute hashes mentally. Anything the machine spits out is suspect, so you must human-verify.

The moment you say blockchain, you've already lost.
At best you can have folks verify *a* vote was cast matching your receipt, but a malicious or hacked voting machine can still fudge your vote before counting it. VVPAT "fixes" this but isn't really a good solution as mentioned earlier.
Finally, usability/obviousness: it is totally not obvious how you verify a vote day-of. Folks have to be instructed to do it, and these instructions can be truncated maliciously. Even if not, it's likely something complex and that folks may not get right.
Currently as a poll worker even if I give zero instructions (and I don't, by default, I just offer to help) to a voter about filling their ballot it's still pretty obvious to them what they need to do.

Not in any of these systems.
Even systems that rely on clever human-compatible invariants instead of crypto (like en.m.wikipedia.org/wiki/ThreeBall… -- someone showed me this the other day and it's brilliant but flawed) have this problem; it's totally non-obvious to voters what's going on there.
Ultimately, these machine based systems either don't achieve their own goals, or don't satisfy the three desirable properties of voting systems I've been highlighting.
At *best* they can be used to add an additional layer of security over ensuring your vote isn't dropped, but that's already kinda possible through having folks check stubs (support for this varies). Transporting ballots is a human system; it has human checks, and they work.
With computer based systems you lose a lot of the human checks and checking if a computer system is doing the right thing is *harder*. Poll watchers can ensure poll workers / officials don't fudge things easily. What can they do about machines?
Overall while it's fun to cook up cryptographic schemes they really don't help improve voting machines, at least not to a point where it's better than current systems.
Oh also shoutout to that one guy who said we should use social security numbers as private keys. That was a riot.
(I should clarify: I'm specifically talking about the "why don't we just do X" solutions techies keep coming up with)