On days like this I dream of a world in which every citizen has a key pair assigned by the government for the purpose of interacting with the government.
It could work like this: you get the private/public key pair provided in your passport, or on a special social-security-type card. The public key is also on a website registered to your name, so anyone can look up your public key. However, in order to be allowed to sign anything, you have to be in the presence of a government agent who can verify your identity via a second means (e.g., at the DMV, your driver's license + social), and then the government agent signs it as well. So there's no _less_ verification of your identity in the system as before, but anyone can quickly verify the authenticity of your documents.
> On days like this I dream of a world in which every citizen has a key pair assigned by the government
I understand and fully sympathize with the spirit of this idea, but it is very important to understand that it cannot be the government who assigns a key pair. It has to be you who generates the key pair, and registers the public key -- and only the public key -- with the government. And the registration process has to be such that no one can register a key that they have generated on your behalf. Getting such a process to really work can be quite tricky, even trickier than conducting an election the old fashioned way.
Difficult != impossible. It can be done. Here is one possible design:
The government would publish an auditable non-repudiatable key registry, i.e. a public ledger similar to a blockchain (except you wouldn't need miners because the government would serve as a trusted third party) which maps keys onto their owners and vice versa. Anyone can then at any time look up their key in the registry to make sure that it really is their key. The initial registration process would involve some sort of identity confirmation similar to what you have to go through to get an official government ID issued nowadays. To register a key you would go to a notary who would take a photo of you and attest to the fact that the key being registered is the person in the photo. The photos would not need to be published (though they could be). They would be used mainly when someone alleges identity theft. That would make it highly likely that anyone attempting to falsely register a key would be caught. That would remove a lot of the incentive to attempt it.
There are so many point of failures in your descriptions I don't know where to begin.
- The network can be hacked;
- the client can be hacked;
- the server can be hacked;
- people managing the server can be corrupted or forced to do things;
- the system could have a subtile bug in either the client, server or network;
- the system could have a failure in either the client, server or network.
- how are persons suppose to be able to audit them ? Go to the server ? The network node ?
- how much time a citizen must spend studying the system before he or she can start to even begin to assess the sanity of it.
- how much time and persons to assess the entire system ?
There is NO WAY an average citizen can even start to comprehend the full extend of all that, if you couldn't even see all those problems.
Paper is simple. It sill can have it's problems, it's not perfect, but people can understand it and audit it quickly, easily, without being trained. It has less single point of failure, less complexity, more accessibility.
It's easy to make a list of general weakness that apply to any system, but you haven't actually described any specific attack. Yes, of course all of these things can happen, but all of these risks exist today in voter registries and passport registries. There's nothing really new in a key registry except that it's registering keys. There would still be humans -- notaries -- in the loop, and that would prevent most attacks.
No, not just a ledger, an audtiable public non-repudiatable ledger, i.e. one where every entry is the result of some commitment protocol. For example, every entry could include a signature that covered the contents of the new entry plus the hash of the previous entry. If ever there were two entries with the same ancestor hash that would be evidence of tampering.
Is this just because you don't trust the government not to use your secret key for nefarious purposes? Because if that's the case I feel like you wouldn't participate in the civic system at all... Like forget signing your vote you just wouldn't vote.
But you trust them to keep your vote secret, you trust them to keep national secrets secret, etc. I get that this is a big single point of failure that would be really difficult to fix if it was leaked. But the general default trust in the government to not, e.g, leak your SSN or vote... if you don't have that then the whole conversation is a nonstarter.
Actually, no, I generally do not trust the government to keep secrets. That is why I would be very upset if my ballot had my name on it. As for SSN's, they were never intended to be secret, and using them as an authenticator is a Really Bad Idea (not that that stops anyone). But anyone who wanted to know my SSN could find it easily.
Defense secrets are a little different. It's not so much that I trust the government to keep them as that I believe that the government is incentivized to keep them because that advances the government's interests. But even then there are exceptions when the stakes are high, c.f. Ed Snowden.
No. Blockchains are horribly inefficient. The only reason to use a blockchain is if you don't have a trusted third party. If you have a trusted third party you get the same functionality for a lot less cost. Because the government is already the final arbiter of who is a citizen we may as well just let them publish the ledger.
Blockchains are useful in financial systems because there are strong incentives to cheat, and hence it is much more difficult to find a trusted third party to keep the ledger.
It should also be noted that blockchains only protect their direct participants. Secondary actors can still be cheated every bit as easily as they can in traditional financial systems. And even the direct participants are not fully protected. Bitcoin is by far the biggest blockchain in terms of mining capacity, and well over 50% of that capacity is in China. If the Chinese government wanted to attack the Bitcoin network it very likely would succeed.
I would flip it and say that the Government only maintains the public key registry, and you alone keep your private key. You can extend that kind of scheme by signing "birth certificates" of your children using your private key to prove familial relationships. The hard part is dealing with key revocation in the event someone steals your private key. And of course overcoming the ambient distrust of government some people have.
Or losing the private key or forgetting the password. I have public keys that are older than a lot of HN commenters that I have not been able to use for almost two decades, I can't imagine how fun it would be do design a system where your private key is integral to your civic rights.
Build a system that can handle public keys for 100K people for more than ten years and then I might think about letting you start working on a pilot system to work out the additional failure scenarios, but absolutely nothing that the tech industry has produced in the past thirty years provides me with any sense of confidence that they would not screw this up horribly (and then those same people would complain bitterly on some future HN equivalent about what a waste of money this effort was.)
Oh for sure. Thought experiments like this are often far cries from workable solutions that are robust in the real world. That's basically a summary of why viable crypto for the masses in other domains remains such an albatross.
The anonymity requirement is relatively easy to solve for with either blind signatures or a homomorphic voting scheme. The general availability part is trickier since solving for it is akin to solving for the current issues with voter registration and disenfranchisement. India is having decent success rolling out their UIDAI program, so there's hope on that front, but distribution is the part of the stack that math and technology can't solve for directly.
I upvoted you for imagining a better voting system. Even though I disagree.
Voting in the USA must be preserve the secret ballot and be publicly verifiable.
I've studied a few crypto voting systems. None so far satisfy these requirements.
Further, any future perfect voting tech will only be provided by vendors, vs done in house, and I oppose the outsourcing of our election administration.
In Spain (and most of Europe, I assume, but can't really tell since I only vote here) you have an ID card (with a picture, among other things), and you are assigned a voting location according to your latest census data. In that location, there is a list of the people with a right to vote there. When you vote, your name is marked on the list. No-one gets to see your vote (well, until counting, but there is nothing identifiable along your ballot), the only thing that is not anonymous is the fact of whether you voted or not.
Oh, and the people assigned to do the task (checking the ID, marking the stuff, later on counting the ballots) are randomly chosen from the local census. Accredited people from the political parties can be part of the counting (but not touch anything until the first count is done).
Or you could avoid all of the technical mumbo jumbo and friction for voters... and use a convenient and easy to audit medium (paper) whose process can be understood by anyone.
Polling stations in the UK always provide pencils, and this caused a panic during the EU referendum amongst some Leave supporters, who were worried about their votes being changed. Those people brought their own pens, but that kind of paranoia was widely mocked.
The UX studies show must voters can't or don't actually verify their votes.
What guarantees the vote cast matches the vote printed?
I've attended my jurisdiction's VAT (verification and accuracy tests). When the card or paper strip was unreadable, they just swapped parts until it worked. So the only thing verified was the printer was still working.
Mandatory voting is common in many places outside of the US, but I feel like it's something that can lead down a dangerous path. You shouldn't be compelled to choose a leader if you disapprove of the choices, I think that's a freedom I think everyone deserves.
A ballot paper that doesn't clearly indicate preference order or identifies the voter is counted as "informal" and removed from the pool [0].
I don't believe it is an offence to vote informally but even if it was the anonyminity of the ballot woult make it impossible to enforce.
In the last Federal Election the overall informal vote share was about 5.92%. In some electorates it was above 10% [1].
The AEC doesn't distinguish between votes that were intentionally invalid and votes that were unintentionally invalid. I used to work as an electoral officer and in my experience the latter usually far outweighed the former. I saw very few if any ballots that were totally blank, about 10-15 where the person tried to make a statement of some sort and the rest were people who did not understand the instructions and number every box.
As far as I can tell, elections in Australia are seen as something you don't really ignore despite your individual disdain for politics.
Not defending the USA's crazy elections, but our ballots are often a great deal more complicated. My jurisdiction regularly has 30 items (races, referendum, initiatives, etc) spanning federal, state, county, and local stuff.
TLDR: Greater direct democracy, we vote on everything.
Sadly, not necessarily in any meaningful way. I am working my local precinct. We verify that the count on the machines matches the count in the book at the end of the day, but we have no way to know if the machine flipped votes at all. The machines have a paper receipt, but it is sealed without ever being looked at. Presumably in a contested election they would look at the paper, but there is absolutely no way for an interested party to audit the paper record after the fact to check the machine counts. The legislature declared the paper is to remain sealed and then incinerated after the election is certified.
How many years do you think it'll be before somewhere like Estonia does something like this to ensure transparency in an election? Put me down for $100 on "Fifteen Years".
I don't see the relevance of your question. Any election that doesn't have a full, public counting of votes is at best suspect. That's my view of elections today, in the past and in the future.
Thanks. I haven't paid attention for a few years. I just scanned their website. A new challenger emerges. Already certified (for use) in OR and NY, with others in the pipeline. Very impressive, considering the certification body is owned and operated by the incumbent vendors.
While it's certainly worthwhile to have more competitors, with better wares...
I'll only support open source, citizen owned software. The strangle hold the election system vendors have on our elections is deplorable. And it's not like this stuff is rocket science.
How are they the same? You can have open source software that is completely controlled by a private entity. There are many different open source licenses.
So, basically, everyone's preparing for this election to drag out worse than Bush v. Gore did, which ultimately led to the Supreme Court deciding the election.
Anyone think this election will end on November 8th?
This will be an audit of their internal bookkeeping. Ballots received equals ballots accounted for, number of signatures verified, that sort of thing. It's worth doing. When I served as a poll inspector, we'd proof each other's work, which is normal.
In my jurisdiction, final result is called the ballot summary report, which is approved by our canvassing board, which ultimately certifies the election.
An audit of the actual votes cast is not practical, certainly not in just two days.
This has been studied. The papers presented at the Election Verification Network conference(s) demonstrate that an audit, which is much like a recount, is expensive and does little to increase the certainty of the results. And when electronic (digital) casting and counting is involved, it's impossible.
The best strategy remains the Australian Ballot (private voting, public counting), paper ballots, precinct-based counting of the votes when the polls close.
Ahhh yes, the famous, main stream media said everything was fine so I went back to work argument.
To be fair, most of the problems we are currently having seem to revolve around gerry mandering with potential issues arising in the future involving tampering with electronic voting.
That doesn't mean voter supression, identity theft, and other forms of tampering aren't legitimate concerns though.
For example, heres article from MSM that investigates people who have been dead for years are still voting:
I didn't say "isn't a problem." I said "isn't a particularly big problem." In an electorate where millions of people vote every year, a few thousand votes in a non-swing state (using the example you mentioned), or even a few thousand fake votes in every state, is just not that high a rate of fraud.
There is rhetoric now as though most or all voting is subject to this kind of fraud, that the fraud is massive. It just isn't. That doesn't mean it doesn't exist or shouldn't be stopped, but threats must be dealt with proportionally to the degree that they are threatening. Your reaction strikes me as disproportional.
It's an UNKNOWN problem because we refuse to effectively detect it. It could be huge, it could be tiny, and we just don't know.
One side assumes the problem is huge, especially when they lose, and wants to take effective measures to prevent it. This side sees opposition to common-sense security as confirmation that fraud is actually occurring and is actively supported by the other side. The refusal to solidly secure things may or may not actually matter to the results, but it sure fuels suspicion. After all, why allow doubt about correctness unless you actually are doctoring the results?
We'd be better off if we could clearly demonstrate to the losing side that the loss is legit. Our low-security situation encourages the loser to claim that victory was stolen from them. That isn't good for keeping things peaceful.
> It's an UNKNOWN problem because we refuse to effectively detect it. It could be huge, it could be tiny, and we just don't know.
The sources I provide clearly demonstrate that it is not an unknown problem. I would agree that it is a problem whose scope is not fully understood, but when you have something that doesn't seem like a big problem to most people, it's hard to argue that you should spend lots of time investigating it/divert resources to it. Since people's perceptions of the system are changing now, maybe that'll change, too. It would be one of the few good things to come of this election cycle if so, provided the money spent and time invested are reasonable/proportionate.
> After all, why allow doubt about correctness unless you actually are doctoring the results?
Like another poster said in this thread: Because you don't know better. Because you don't care. Because you don't think it's necessary. Because you can't afford to. Because it's not what the law says to do. Malice should be the last, not the first assumption.
You use the term "refuse" a lot in your comment; I don't think this is a matter of "refusal," so much as it is a matter of "nothing/nobody is telling us to." The government doesn't do things unless the people force it to do things, or unless those things are absolutely and unquestionably in the best interest of the people in government (and even then, it doesn't always act until the law compels it to).
Generally, I just think this issue is less sinister and more typical of the American political system than people think it is these days.
First, your sources don't demonstrate a damn thing. CBS isn't a respected source of information in the tech community. As a rule, we'd prefer to see documentation and data so that we can arrive at our own conclusions. MSM provides neither, instead it cherry picks information to sell more ads. You can hardly trust anything so biased.
Second, you're statement "Malice should be the last, not the first assumption" is fundamentally incorrect. You shouldn't make any assumptions, you should look at the facts. While the intent may be benign, the effect is wide spread distrust, which is not and should be addressed accordingly.
> First, your sources don't demonstrate a damn thing. CBS isn't a respected source of information in the tech community. As a rule, we'd prefer to see documentation and data so that we can arrive at our own conclusions. MSM provides neither, instead it cherry picks information to sell more ads. You can hardly trust anything so biased.
I do not buy your narrative about media bias. I think it's ironic that you are standing on "we need hard facts and data" while providing none to support the idea that media is as biased as you say, only innuendo and an appeal to "the tech community."
You claim to be data driven, but when I provide data, you summarily throw it out, do not replace it with any of your own (or even an assertion that none exists), and make vague assertions about media bias instead.
> Second, you're statement "Malice should be the last, not the first assumption" is fundamentally incorrect. You shouldn't make any assumptions, you should look at the facts. While the intent may be benign, the effect is wide spread distrust, which is not and should be addressed accordingly.
I'll address this in concert with your reply above:
> It doesn't matter why something happens, only that it happens.
It does matter why, because if you want to fix it, you have to know the cause. If the problem is a problem of perception, that is fixed differently than if the problem is with the system itself. Data is meaningless without context.
I think distrust based on a small amount of fraud is a problem of perception, not a problem with the system. That is, it's the same as fearing you'll get serious side effects with a vaccine because a very small number of people do. In both cases, the risk/reward is out of whack, but you might worry anyway.
It doesn't matter whether or not there are problems. The fact that people question whether there are problems is in and of itself a problem. The fact that we're having these discussions makes it clear that such a problem does exist. People need to have faith in the system for democracy to work.
Facts and figures and studies can be produced, but unfortunately that's not enough to convince people -- and that's on both sides. As much as we'd like to be, we're not perfectly rational actors, and much less so in aggregate. The existing system isn't simple or transparent enough for people to trust. That's what we need to work on.
What do we do if it turns out that the system cannot be transparent enough for some people to trust?
There exists today a large group of people who will disregard anything the government or "mainstream media" says as false, regardless of who says it or what the statement is. What do we do about those people?
I know, right? This issue of trust is really problematic right now, and not just for voting. And it's not just government and mainstream media. At this point it seems any source is potentially suspect in someone's eyes. How do we rebuild that?
I want to believe that it's solvable, because the vast majority of people I meet day-to-day are good people. I'm not willing to accept the alternative.
I do think a big part of it has to do with figuring out how to talk about contentious issues, of finding common ground (no matter how narrow), with people we might disagree with on other issues. We can't let our disagreements get in the way of making progress on our common goals.
I honestly don't know how often it happens, and I'm not saying its common, but none of these are the least bit convincing. They just say that there aren't a ton of allegations of voter fraud or a bunch of prosecutions...absence of evidence and evidence of absence and all that stuff...
I mean, you can't prove a negative. We cannot prove there is no voter fraud happening anywhere. We can only show that there is no evidence for it, and further, that it is reasonable to conclude that lack of evidence suggests a trend (that is, we can show that we're also actually looking for evidence).
EDIT: Based on comments - this is a video that records the president stating that people in the country illegally (non-citizens) should not fear any repercussions from voting in the election.
The woman in that video is asking for clarification on what happens if she herself, a citizen, votes. Obama literally says in the video that she's a U.S. citizen.
She wants to know if immigration is going to go through voting records and discover the place she lives may also have undocumented immigrants living there.
No, that's not what was said. What was said that immigration isn't keying off voter rolls to launch investigations. I'll leave it up to you to contrive all sorts of examples where this could be abused and "they're" "taking" "muh" "freedoms", but this is a totally invented scandal.
As for why people downvoted you, probably because watching some shakey-handed screen recording and presenting it as some great revelatory fact predisposes the reader to thinking this has to be a joke.
The link is to a right wing propaganda site. I'd like to see the unedited video. I'm pretty sure President Obama was referring to the American born children of undocumented immigrants.
I personally am quite sure they mean to talk about citizens with undocumented relatives voting, but the exchange is not well done, it sounds like they are talking about non citizens voting (of course undocumented people probably aren't registered to begin with).
Oh you mean Fox News took an out of context exchange and re-purposed it to sound like something way more nefarious? Well NEVER IN A MILLION YEARS WOULD I HAVE GUESSED...
Even though the question might imply that illegal immigrants should vote, Obama's answer certainly doesn't. I've seen the fully answer and his answer is along the lines of "Children of illegal immigrants who are born in the US and thus are citizens but have family who are illegal immigrants, have a greater reason to vote because they are representing their family and friends". I disagree with that logic but Obama certainly wasn't implying that non-citizens should vote.
I think what he's saying is that there should more voter id laws and making sure people who really have the legal right to vote can vote and those who don't do not. As a person who's in charge of making sure our systems are secure, I must say that the amount of security in the voting process and the verification of the person voting is almost non-existent.
At least in San Jose / Santa Clara county where I went to cast an early vote, there's no verification of who you say you are. They only ask for your name and address (pretty easy to get). Maybe they have access to DMV records (a recent photo of you) on the computer they're looking at, when you provide them you're info? If so that's a good step, but I doubt they do that (what about for people who don't drive)? They also do zero checking when you're dropping off someone else's ballot in person. There's a spot on the back of the envelope where it's required to put the name of the person who's dropping of the ballot if it's not the person who cast the ballot, and no one even checks that.
Aside from Diebold etc.[1], the only fraud happening in our elections are a) gerrymandering and b) racist voter suppression laws like those in North Carolina, where a state senator admitted as much in a televised interview.
That's an extremely strong claim to back up with no evidence. The commenter above you has given at least anecdotal evidence of substantial opportunity for fraud, and we already know motive is strong on both sides.
Well, how about the same ID you'd need to board a plane or buy alcohol or deal with being stopped by a cop?
Let's start with that. To reduce forgery, match the ID against an image of it on a computer. Better yet, scan it into a computer and have the computer do the matching.
Also, take a new picture. This can be used to help catch and prosecute any remaining fraud. More importantly, such fraud would be strongly discouraged by the increased possibility of being caught.
Trump supporters just tried this and were in fact caught.
Nobody with sense would try, it carries severe punishment (it's a felony) for virtually no benefit to the person taking the risk, and really virtually no effect on the election either.
In my experience in the US, you have a registered polling station where you are allowed to cast your ballot. When you arrive, they cross your name off the list. If I'm only allowed to vote in one location, and that location only allows me to vote once, that should prevent double voting, even if I'm not who I say I am. Or rather, I'm not going to vote twice as the same person.
Is this the case across the US?
Whether the voter registration rolls are up-to-date, that's another matter as well. And double voting is only one type of fraud.
When voting in person, the poll worker is checking your name & address against what's listed in the poll book. Not listed? You get a provisional ballot. Two people try to vote as the same person? That'll be caught and investigated. Show up to vote as someone else (who doesn't vote)? Well, that's plausible.
Most of these kinds of "fraud" are actually voter registration "errors", where someone votes in the wrong jurisdiction. Like Ann Coulter did.
As for postal ballots, ya. The voter signature and proxy name are mostly for after the fact investigations if problems need to be resolved. You should attend your canvassing board meetings to hear all the nonsense. Husband and wives swapping envelopes. A couple putting two ballots into one envelope to save a stamp. Ballot from a prior election. Soiled ballots. Missing ballot, so voter just used another piece of paper (still legal). Etc, etc.
That spouses, job bosses, church leaders, command officers "help" others vote (the correct way) is established and well documented. But society seems to have decided that the benefits of enfranchisement outweigh the downsides.
Remarkably, comparatively, there's very little abuse of postal ballots. We're talking 10s and 100s vs 1,000s and 100,000s who are disenfranchised by other means. Caging, gerrymandering, underprovisioning voting machines and polls sites in key areas, not counting any votes on spanish language ballots, calling in a bomb scare and shutting down the central count which then has a mysterious miraculous election result, ad nauseam.
There's no shortage of problems with our districting, campaigning, elections, voting, tabulation, vendor relations, etc. If you only care to look. But please don't make the mistake that retail voter fraud is a significant factor.
Couldn't the concern be easily resolved by somebody explaining how voter registration works? I.e. How the government confirms your citizenship? And verifies your ID at the polling place? Then the discussion could shift to how thorough that process is.
It's someone with a video camera pointed at their screen breathing heavily. Just post the original video: https://youtu.be/oLLt-a6dI_0?t=203
Also, if you watch his entire response it's clear he interpreted the question as a person legally able to vote, but has family members who are undocumented and are afraid of voting for that reason.
That said, it does sound really bad. Especially how nonchalant the president is about breaking immigration laws.
Is it nonchalent about immigration laws, or is it just that he is much more interested in the protection of the ability of every person with a right to vote to exercise that right without coercion, particularly from a government agency? To my mind the latter is much more fundamental and important than the former.
I didn't downvote, but you're making us watch a video with minimal explanation why it's worth it. That requires going to another room and finding headphones, so not going to bother.
Ironic, given that your original post just barfed up a link "with no comments". If you can't bothered to do a little typing, I can't be bothered to watch the whackadoodle video from Breitbart.
It could work like this: you get the private/public key pair provided in your passport, or on a special social-security-type card. The public key is also on a website registered to your name, so anyone can look up your public key. However, in order to be allowed to sign anything, you have to be in the presence of a government agent who can verify your identity via a second means (e.g., at the DMV, your driver's license + social), and then the government agent signs it as well. So there's no _less_ verification of your identity in the system as before, but anyone can quickly verify the authenticity of your documents.