|
|
Log in / Subscribe / Register

Open-source voting for San Francisco

By Jake Edge
August 28, 2019

OSS NA

To open-source fans, the lure of open-source voting systems is surely strong. So a talk at 2019 Open Source Summit North America on a project for open-source voting in San Francisco sounded promising; it is a city with lots of technical know-how among its inhabitants. While progress has definitely been made—though at an almost glacially slow speed—there is no likelihood that the city will be voting using open-source software in the near future. The talk by Tony Wasserman was certainly interesting, however, and provided a look at the intricacies of elections and voting that make it clear the problem is not as easy as it might at first appear.

Wasserman is a professor of software management practice at Carnegie Mellon Silicon Valley and a San Francisco resident; he was asked to serve on an advisory committee on open-source voting for the city. San Francisco is about 11x11km, with around 800,000 people; roughly 500,000 of those are registered voters and nearly 350,000 turned out for the November 2018 election. He said that 70% participation by registered voters is a pretty good turnout for the US.

There are two different organizations within the city government that handle elections: the elections commission and the elections department. The commission is tasked with making the policies and plans for elections, while the department actually implements them, runs the elections, and reports the results. The elections department also handles "problem" ballots and registrations; as part of that, it stores 20 years of paper ballots underneath city hall, which he found astonishing.

$ sudo subscribe today

Subscribe today and elevate your LWN privileges. You’ll have access to all of LWN’s high-quality articles as soon as they’re published, and help support LWN in the process. Act now and you can start with a free trial subscription.

The goal of the project is to develop the country's first open-source voting system for political elections, which could potentially have a broad impact if it is successful, both locally and nationally. There are other justifications for it as well, including providing transparency for voters and the expectation of saving money. There are only three (down from four due to a merger) companies that sell election systems in the US; they are not cheap and moving to open-source would provide freedom from being locked into those vendors.

History

The history of the idea goes back a long time, so far, in fact, that a San Francisco civil grand jury investigated the whole process. It produced a report [PDF] that described everything that had been done up through 2018. The idea was first raised in 2005, but it was not until 2008 that the board of supervisors (similar to a city council) established a voting system task force. The board of supervisors is under the mayor and all of the governing bodies are for both the city and county of San Francisco, which are governed together.

[Tony Wasserman]

The voting system task force eventually found that open source is a good idea for election software—in 2011. The board of supervisors evidently mulled that for a while and in 2014 passed a unanimous resolution to move forward. The elections commission also voted unanimously, in 2015, to proceed. That made the papers and other media, Wasserman said, including on the front page of the San Francisco Examiner.

In 2016, the mayor budgeted $300,000 for an initial study and in 2017, the elections commission formed the open source voting technical advisory committee (OSVTAC), of which Wasserman is one of five members. Meanwhile, the city had awarded a contract to a consulting company (Slalom) to produce a plan for moving forward.

In 2018, the report from Slalom was delivered; "let's just say that it wasn't very strong", he said. OSVTAC recommended against following the suggestions from Slalom and the commission agreed. So the commission passed a new resolution [PDF] to continue to proceed on the open-source voting path. "You get the idea; it is taking a while". Around this time, the civil grand jury released its report, which was "pretty comprehensive" and "actually a good report", he said; it laid out all of the reasons why things were not moving faster.

In 2018, $1.7 million was allocated for ongoing project work over the next two years; there is hope that either the mayor's office or the state of California will add to that pile. Instead of putting the work out to bid, the Department of Technology (DT) took the work on and hired a project manager to oversee it. The first task was to do an "extensive study" of all the other open-source voting efforts it could find.

At the end of July, the first community meeting was held to start to include the public in the process. Various advocacy groups attended, along with the governmental representatives and interested citizens; it was facilitated by an outside mediator. The discussion was about the goals of the effort and is the start of building a community around it, he said. "And that's where we are."

Why so long?

He said that attendees may have noticed that he did not say anything about elections being held using open-source software. That has not happened and is not going to happen anytime soon. "Why is that?"

There are a number of reasons, but the first is that elections are complex. He gave a rundown of the different ways that San Francisco is partitioned for electoral reasons. Those regions are for electing officials at different levels of government: 11 supervisor districts, two US congress districts, two state assembly districts (that are, naturally, different than the congressional districts), as well as various other districts (rapid transit, air quality, school, ...) each with their own unique boundaries. His relatively close neighbor could have a very different ballot from his.

Beyond that, candidate names often have to be randomized to combat the "first in list" effect where those without strong opinions will simply pick the first candidate. San Francisco uses ranked-choice voting, which needs to be accommodated. There are lots of different ways to vote, as well, including early voting, vote-by-mail, absentee voting, and voting on election day in the local precinct. Provisions for disabled voters need to be made. Ballots need to be available in four languages city-wide (English, Chinese, Spanish, and Tagalog) and in two more (Korean and Vietnamese) in certain precincts. And on and on.

Once the voting has been done, the votes need to be counted. There are provisional, challenged, and improperly marked ballots to deal with. There needs to be support for poll-watchers to ensure the fairness of the election. In order to verify the results, 1% of the paper ballots are randomly sampled a few days after the election; so the reported results from some precincts will be compared to the hand-tallied ballots. All of that needs to be managed and administered.

Voting systems are under attack as well, as we have seen in some recent elections. Sadly, all of the voting equipment he knows of runs Windows 7. Perhaps those machines could be upgraded to Windows 10 and run the programs under some kind of emulation, but that is not happening. That is particularly worrisome when our elections are a global target, he said. The current voting system is not transparent, however; it is expensive and leads to vendor lock-in. There are also few or no provisions for updating the software that runs on these system. So it is not just Windows 7 running on them, but unpatched Windows 7 in many cases.

There are also government procurement issues; proposals have to be put out for competitive bidding among interested vendors. This is part of why he believes that the DT took on the work to develop the open-source voting system rather than have it go out to bid; it saved a round of proposals and bids. There are also various government transparency laws ("sunshine laws") that can complicate things at times. For example, OSVTAC meetings must be announced 72 hours in advance and OSVTAC members cannot privately email each other about anything related to the OSVTAC. If he wants to send something out to the rest of the committee, he has to send it to the chair, who will distribute it to the members.

More than just technical

So there are some complex technical hurdles, but those are not the main problem areas. He referred to PESTLE, which relates all of the factors that make up the "context of software development": Political, Economic, Social, Technical, Legal, and Environmental. Dealing with the technical side is less difficult than some of the other factors; one of the committee members fairly easily put together a program that could scan ballots, associate the marks with names, and tabulate the results, for example.

There is a lot of citizen concern about voting and elections in the US. Some of it is about voter fraud (votes from those who are ineligible), which "barely exists as far as anyone else can tell", Wasserman said. Other concerns are about the accuracy of the vote tabulation and vendor fraud.

The current voting systems are generally internet-enabled, not for full internet access but for the machines to be able talk to the vendor's servers. One of the main vendors is Diebold, which has been identified in the past as having tampered with machines and results. Paper ballots are an important component to address the concerns. He noted that the US state of Georgia has been ordered by a judge to run its next election using paper ballots because its voting machines were deemed unsafe.

While open-source advocates see open-source voting as a way to provide transparency and to build trust in the system, others do not necessarily see it that way. There are some who are concerned that open source would allow attackers to change the code in the systems mid-stream. Voting systems are frequently challenged; any open-source effort will similarly be challenged. Part of the problem is that many people simply do not understand what open source is and means.

San Francisco is not the first to try to come up with an open-source voting system. He listed half a dozen different efforts to create those kinds of systems; some of those systems have been used, but not for political elections. The Los Angeles County Voting System for All People (VSAP) has been approved by the California secretary of state (something that is required for any voting system used in the state), but has not been used for a real election. It is claimed to be open source, he said, but is not. It is built on open-source components and will run on Linux, but the code belongs to Los Angeles; "you can't get it".

The Open Source Election Technology Institute (OSET) is creating ElectOS, which is meant to be an open election system, but it hasn't built anything yet. It has a "wonderful board of advisors", but there's not much happening, at least yet, he said. Helios is used by the Open Source Initiative (OSI) for its elections, so it works, but it hasn't been used for anything on a large scale. The same is true for the others, such as Cornell's Condorcet Internet Voting Service (CIVS), which is the oldest effort he has found.

Wasserman had just returned from Amsterdam where he has a friend who is on an open-source voting committee as well. He was introduced to a system used in the elections in the Netherlands, which are also complicated in part because there are more than two dozen parties participating. The detailed specifications are available (in Dutch) as is the source code, but it is not open source. You can look at the code, but as far as he can tell, it is owned by the German firm that wrote it.

Meanwhile, the OSVTAC has made a set of recommendations on what the system should look like. It includes hardware and software requirements for voting, tabulating, securing, and overseeing San Francisco elections. There are a number of other organizations that are supportive of the effort (EFF, OSI, GitHub, Common Cause, ...). There is an effort to raise more money to continue the project past the end of the year.

He is hopeful that something comes of the project. Its funding is not assured, though there are several potential sources. It is all being done in the open and those interested can follow on the GitHub pages and on the city's project page. He finds it to be an interesting problem and has learned a great deal about elections in the process. Given the other high-powered organizations that are also interested, hopefully more will happen with open-source voting even if the effort in San Francisco does not result in a working system.

Open source and voting would seem, at first blush at least, to be obvious partners. It is more than a little concerning that figuring out the will of the people in a democracy is subject to the whims (and/or political leanings) of a small number of proprietary vendors—in the US at least. As Wasserman described, however, there are a lot of moving parts that have to be handled. Like tax reporting, accounting, and other areas where open-source software tends to fall short, election management may just not be an itch that enough of us are truly interested in scratching. Hopefully that situation is improving.

[I would like to thank LWN's travel sponsor, the Linux Foundation, for travel assistance to attend Open Source Summit in San Diego.]

Index entries for this article
ConferenceOpen Source Summit North America/2019


to post comments

Open-source voting for San Francisco

Posted Aug 29, 2019 0:36 UTC (Thu) by clugstj (subscriber, #4020) [Link] (4 responses)

Your tax dollars at work (at least in SF).

Open-source voting for San Francisco

Posted Sep 5, 2019 4:51 UTC (Thu) by kragil (guest, #34373) [Link] (3 responses)

Electronic voting is just stupid. It does not work. German CCC has tried years and years to explain to people, but they just won't listen.

Open-source voting for San Francisco

Posted Sep 7, 2019 19:08 UTC (Sat) by rdicosmo (guest, #106337) [Link] (2 responses)

It is indeed pretty sad to see that in 2019 we still need to explain, again and again, why electronic voting is not feasible.
I have been involved in public debate about electronic voting since the early 2000, when it was unfortunately introduced in France.
Here is a recent summary of the key points, in English, that should make a nice reading.

http://www.dicosmo.org/MyOpinions/index.php?post/2016/02/...

Open-source voting for San Francisco

Posted Sep 11, 2019 14:12 UTC (Wed) by cesarb (subscriber, #6266) [Link] (1 responses)

> > Electronic voting is just stupid. It does not work. [...]

> [...] electronic voting is not feasible [...]

And yet, we've been been using voting machines in the municipal, state, and federal elections for over two decades in my country. Saying "it does not work", when it clearly has been working for two decades, stretches credulity. You might say "it's not secure" or "it's impossible to make secure", but just saying "it does not work" is not a good argument.

Open-source voting for San Francisco

Posted Sep 11, 2019 15:25 UTC (Wed) by anselm (subscriber, #2796) [Link]

Electronic voting “works” in the sense that people can cast ballots and there is a tally of votes at the end of the day. The problem is that the connection between the ballots that have been cast and the tally that the voting computer outputs is not obvious; it is usually difficult for an outside observer to ascertain that the tally is an accurate representation of the ballots that have been cast, and it is often also difficult to verify this independently after the fact (unlike, e.g., when paper ballots are being used, which can be recounted). In other words, the question is not whether the electronic voting “works”, it's whether it works reliably and transparently.

No. Just say no.

Posted Aug 29, 2019 11:37 UTC (Thu) by dskoll (subscriber, #1630) [Link] (10 responses)

The issue with electronic voting is not closed-source vs open-source. The issue is the ease with which a security flaw can be exploited with devastating consequences.

Open-source code has no such flaws, right? 👀

The only voting system with any semblance of resistance to an organized attack is one that keeps a physical token for each vote for auditing. Here in Canada, we still use paper ballots and there has never been a serious issue with our elections... Certainly never any hint of a material security flaw.

No. Just say no.

Posted Aug 29, 2019 12:54 UTC (Thu) by cpitrat (subscriber, #116459) [Link] (8 responses)

I think a nice solution would be a voting machine that print your vote. You then put it in an envelope which goes in a ballot box.

This way, you have the fast result of the electronic system, lower cost of printing ballots, etc ... with the possibility to recount in case of issue and a clear understanding of the procedure of recount by all voters.

In France, there were cases where the number of votes reported by the machine was different from the number of voters from the signing sheet (it happens with regular ballots too but here the difference was much higher, around 10% IIRC). Recounting on the machine is done by pressing a button which, obviously, gave the same result.

No. Just say no.

Posted Aug 29, 2019 13:47 UTC (Thu) by cyphar (subscriber, #110703) [Link] (1 responses)

This seems like a reasonable idea, except that such a system is effectively a very expensive pencil. Not to mention that it seems likely (while paper recounts are technically possible) that such recounts would be quite rare. There's no point having a system for fast vote counting if you always do a recount, you'd probably only do it if there was some evidence of election hacking (the important follow-up question would be how many cases of election hacking would go undetected?).

Also, given that there are known cases in the US where voters didn't understand the process of using the existing voting machines (resulting in them not pressing the "confirm" button and allowing election officials to change their vote if they wanted to), I'd be shocked if there weren't similar problems with any other electronic voting system. Paper ballots are comparatively simple and have been developed and hardened for hundreds of years (with the collective experience of all attempted attacks to date) -- no new software-based voting system developed today will be anywhere near as secure for a long time.

No. Just say no.

Posted Aug 29, 2019 15:28 UTC (Thu) by rgmoore (✭ supporter ✭, #75) [Link]

This seems like a reasonable idea, except that such a system is effectively a very expensive pencil.

A good electronic ballot marker is a bit more than a fancy pencil. The biggest thing is, as the article points out, that voting in the US is complicated, so that a single election may require dozens or hundreds of unique ballot designs even in a jurisdiction the size of San Francisco. A well designed electronic system (whether direct recording or a ballot printer) can help to manage that complexity. It can also help with issues like the need for ballots in multiple languages*, making it easy for blind people to vote without needing an assistant, etc.

Not to mention that it seems likely (while paper recounts are technically possible) that such recounts would be quite rare.

Recounts are aren't as rare as you'd think. In most jurisdictions, the loser of a sufficiently close election can demand a recount, and if the election is very close such a recount may be mandatory. The article also points out that it's standard practice to perform an audit on a subset of polling places to ensure the system is performing correctly. An obvious discrepancy in such an audit can trigger a recount.

Also, given that there are known cases in the US where voters didn't understand the process of using the existing voting machines (resulting in them not pressing the "confirm" button and allowing election officials to change their vote if they wanted to), I'd be shocked if there weren't similar problems with any other electronic voting system.

And there are routinely stories about people misunderstanding the design of paper ballots in ways that result in them failing to vote for some races, voting for the wrong person, mismarking their ballot in a way that invalidates their vote, etc. Bad design is not limited to any one technology.

*This is a big issue in some places. Here in Los Angeles County, there is a legal requirement to provide ballots in 9 languages (English, Armenian, Farsi, Khmer, Korean, Mandarin, Spanish, Tagalog, and Vietnamese) and the voting system provides them in 4 additional languages (Hindi, Japanese, Russian, and Thai) even though they aren't legally required to.

No. Just say no.

Posted Aug 29, 2019 21:02 UTC (Thu) by k8to (guest, #15413) [Link]

I would expect a system where you select your votes electronically, a ballot is printed, and then the ballet is both scanned for results and stored. That's what I've seen from in-person reasonable designs.

This means that the paper is the source of truth, and can be re-counted the same way. It gives a voter the way to verify validity, and raises the bar for tampering and eases recounts.

No. Just say no.

Posted Sep 2, 2019 10:31 UTC (Mon) by mfuzzey (subscriber, #57966) [Link] (2 responses)

>>> In France, there were cases where the number of votes reported by the machine was different from the number of voters

I live in France and have never seen voting machines.

Everything is paper, there isn't even a printed ballot paper with the list of candidates but one paper per candidate.
All the papers and a stock of envelopes are on a table. You take several different candidate papers, go into a booth and secretly place one of them in the envelope.
You throw the other papers you took in the bin.
Then you go to a poll worker who checks your ID and your registration on the list and allows your envelope to to into the ballot box.
Finally you sign off the list to prevent you voting again.

I'm pretty sure this is the same procedure in all political elections here (everything is pretty centralized, cities don't get to decide their own voting systems).
We did have internet voting for the last worker representatives election at the company I work for but, though required by law, those are not political elections and each company is free to organise them how they like.

No. Just say no.

Posted Sep 2, 2019 11:04 UTC (Mon) by cpitrat (subscriber, #116459) [Link] (1 responses)

It depends where you are in France. The decision to use voting machines is left to the city (which organizes elections and has the burden of providing human resources for it). In my city, it's been voting machines for the past 10 years or so. Some cities tested them and stopped using them after this kind of issues.
More information: https://fr.wikipedia.org/wiki/Vote_électronique#France

No. Just say no.

Posted Sep 2, 2019 11:11 UTC (Mon) by cpitrat (subscriber, #116459) [Link]

By the way, this article mentions for Beligum that in may 2003, at Schaerbeek (Beligum), the number of votes was 4096 times higher than the number of voters. The experts attributed the error to "a bit inversion potentially caused by cosmic rays".
I suppose using high technology such as redundancy, correcting code and so forth is not worth it for such a complex machine, especially if you want to maintain the incredibly low cost of 3000€ to 6000€ (before taxes).

No. Just say no.

Posted Sep 5, 2019 5:17 UTC (Thu) by Tara_Li (guest, #26706) [Link] (1 responses)

Sorry - how do you verify, other than the hand count later, that the vote printed out is the same as the vote the machine records? And there are numerous other levels of verifying that is nearly impossible to fix. This is, in a sense, a variation of the Two Generals Problem.

https://www.youtube.com/watch?v=w3_0x6oaDmI (Why Electronic Voting Is A Bad Idea)

https://www.youtube.com/watch?v=IP-rGJKSZ3s (Two Generals Problem)

No. Just say no.

Posted Sep 6, 2019 17:42 UTC (Fri) by jhhaller (guest, #56103) [Link]

On the last voting machine I used, there was a small area which printed which candidates I selected. Once I confirmed it was corrected, the paper advanced and was not visible to the next voter. I'm not sure what would have happened if I selected that the information was incorrect, but presumably could void that ballot and let me re-vote. That's the way it works with paper ballots which are mismarked. One could then audit the paper version of the vote with what the machine recorded. An after-the-fact hand audit (or even a machine OCR of the paper tape) of 1% of the machines after the election was over could detect if there was substantial fraud. I could also only use the machine if I had a smart-card which was configured when I went in and verified that I was on the election rolls as a voter.

No. Just say no.

Posted Aug 29, 2019 15:42 UTC (Thu) by iabervon (subscriber, #722) [Link]

I was assuming that they'd ruled out electronic voting entirely, given the discussion of the paper ballots. On the other hand, meeting the requirements for printing the paper ballots without using any software seems impossible, and counting the paper ballots without using software is just as bad (even if humans were looking at each page, incrementing a tally hundreds of thousands of times by hand is implausible to do perfectly).

The best system for sighted people I know of has paper ballots that are designed such that the marks that constitute some valid vote are easy for a human to distinguish from any other valid vote, but also easy for an optical scanner to interpret, and the voter feeds the ballot through a scanner into a box. This also has the advantage that it can reject any ballot that's not clear, and have the voter try again. This obviously requires a device with software.

Open-source voting for San Francisco

Posted Aug 29, 2019 12:38 UTC (Thu) by kleptog (subscriber, #1183) [Link]

It a real pity that people tend not to work across border on this kind of thing. everyone likes to imagine their voting process is unique and special, but really they are all just variations on a theme.

EVACS is a system used in the ACT in Australia for more than 10 years, but it is really started as a vote counting system first (due to Hare-Clarke preferences), and also allows electronic entry but these are really separate components. But while you can see the source code, it's owned by a company.

I think the real problem is that voting as a concept is so easily understandable that any system is subject to endless bike-shedding, meaning that any kind of working together across borders is doomed to failure. Within a company it's not a democracy so something actually gets built.

Open-source voting for San Francisco

Posted Aug 29, 2019 16:45 UTC (Thu) by kpfleming (subscriber, #23250) [Link]

> For example, OSVTAC meetings must be announced 72 hours in advance and OSVTAC members cannot privately email each other
> about anything related to the OSVTAC. If he wants to send something out to the rest of the committee, he has to send it to the chair,
> who will distribute it to the members.

It's 2019, they could use any of a number of discussion forum tools which would keep the discussion in the open (for transparency) but also allow only the committee members to post. If they are doing things this way, they are unnecessarily slowing down their own work.

Open-source voting for San Francisco

Posted Aug 31, 2019 9:33 UTC (Sat) by ale2018 (subscriber, #128727) [Link] (7 responses)

Heck, I would have expected a concise summary of voting systems, rather than a list of bureaucratic hindrances and money wastes. For example, does any voting system provide for casting anonymized votes by email?

I found comments more interesting than the article. Sorry Jake, but bureaucracy is boring...

Open-source voting for San Francisco

Posted Aug 31, 2019 9:59 UTC (Sat) by amacater (subscriber, #790) [Link] (6 responses)

If you can teach people to GPG sign votes - and keep their keys safe - Debian's been using electronic voting relatively successfully. Paper ballots are the only answer, hand counted by humans for anything complex.

Canada can use paper ballots and count pretty much the whole country in a day - maybe not Nunavut?

Maybe LA and California need to consider a sane rationalisation of issue counts, political boundaries and the number of candidates per ballot. California as a state has more than enough budget to do this if the will is there before the systems implode under their own weight.

Open-source voting for San Francisco

Posted Aug 31, 2019 19:42 UTC (Sat) by rgmoore (✭ supporter ✭, #75) [Link] (5 responses)

Canada can use paper ballots and count pretty much the whole country in a day - maybe not Nunavut?

FWIW, the limitation on how quickly California can count its votes isn't with the actual vote counting. If all the votes were received and validated by the end of election day, we could have them counted on election day, too. But something like half the votes in California are mailed in, and they're valid as long as they're post marked by election day. That means the votes can trickle in for at least a week after election day, and then there's a laborious process to ensure all the mail-in votes were cast by registered voters who did not also vote in person. And California has adopted the general principle that it's more important to count every legitimate vote than to get the counting process done as quickly as possible. We are generally slower to count the vote than other states, but we have far fewer controversies surrounding the correctness of our count than states that hurry the process.

My impression is that one goal of the new voting technology- certainly here in LA County, and I assume in San Francisco as well- is to make early voting in person easier. Most people who choose to vote by mail do so because it's convenient- they can do it on their own schedule and take as much time as they like to make their decisions- rather than because they can't make it to the polls on election day. Making early voting in person more convenient should reduce the number of slow to process mail-in votes and thus speed up the overall process.

Maybe LA and California need to consider a sane rationalisation of issue counts, political boundaries and the number of candidates per ballot. California as a state has more than enough budget to do this if the will is there before the systems implode under their own weight.

This strikes me as precisely backward. The way California runs its elections and government is the result of more than a century and a half of experience about how we want to do things. It makes much more sense to develop technology to allow us to run our state as we believe is best than to change the way we run out state to accommodate the limitations of existing technology. That's especially true because the limits on developing better election equipment are much more social and bureaucratic than technological, so they're inherently amenable to being fixed if the political will is there.

Open-source voting for San Francisco

Posted Sep 1, 2019 9:47 UTC (Sun) by ale2018 (subscriber, #128727) [Link] (4 responses)

> there's a laborious process to ensure all the mail-in votes were cast by registered voters who did not also vote in person.

Ah, good old counting. However, can voters keep their ballot secret?

By comparison, let me quote part of the design of an electronic poll system:

[W]hen they cast their vote in a booth, voters get a receipt showing their vote in encrypted form. [...] The point of the encrypted receipt is to provide the voter with the means to check that her ballot is entered into the tallying process and, if her receipt has not been included, to prove this to a third party. The fact that her vote is in encrypted form ensures that there is no way for her to prove to a third party which way she voted. Voters can visit the web bulletin board and check that their (encrypted) ballot receipt has been correctly posted. The tellers process these posted receipts and there are mechanisms in place to ensure that all posted receipts are entered into the tallying process.

A Practical, Voter-Verifiable Election Scheme

Doing so by [e]mail is more challenging...

Open-source voting for San Francisco

Posted Sep 3, 2019 14:12 UTC (Tue) by zoobab (guest, #9945) [Link]

"Ah, good old counting. However, can voters keep their ballot secret?"

That's why the voting booth was invented. Nothing prevents your husband or your wife to pressure you to vote in one direction with remote voting.

Open-source voting for San Francisco

Posted Sep 3, 2019 22:49 UTC (Tue) by rgmoore (✭ supporter ✭, #75) [Link] (2 responses)

However, can voters keep their ballot secret?

Yes, and it isn't that hard. The voter seals their ballot in a plain envelope, then puts that envelope in a mailing envelope which has their personal information on it. When the election officials receive the ballot, they can check the information on the outer envelope to make sure it was sent by a registered voters who did not also vote in person on election day. Once they have confirmed this, they open the outer envelope and put the inner envelope in a ballot box for that voter's precinct. When one of those ballot boxes starts to get full (or when there are no more ballots to process), it is opened and the ballots are taken out and processed. Mixing the sealed ballots in the ballot box prevents anyone from connecting any ballot to the voter who cast it.

FWIW, this has a clear and obvious advantage over the system in the paper you linked to: it's simple enough that an ordinary voter can understand the process and have confidence that it works as promised. This is not true of any complex cryptographic system. Very few people know enough about implementing cryptography to analyze such a scheme and be sure it doesn't have a flaw that would allow someone to either deanonymize ballots or secretly change the results. The ability for ordinary voters to understand the security protecting their ballot is critical for an election to have legitimacy.

Open-source voting for San Francisco

Posted Sep 4, 2019 9:28 UTC (Wed) by excors (subscriber, #95769) [Link] (1 responses)

> FWIW, this has a clear and obvious advantage over the system in the paper you linked to: it's simple enough that an ordinary voter can understand the process and have confidence that it works as promised. This is not true of any complex cryptographic system. [...] The ability for ordinary voters to understand the security protecting their ballot is critical for an election to have legitimacy.

I think that's probably true even if the simple system has obvious vulnerabilities. That's still better than a system that promises to be perfect but cannot be understood.

In your example, the election official could e.g. guess the ethnicity of the name on the outer envelope and discard votes from certain groups to bias the result. Or they could open both envelopes at once and record the deanonymised votes. But those vulnerabilities are so obvious that an ordinary voter can reasonably assume the relevant authorities have already thought of them and put sufficient checks in place (like having observers watching for these specific issues), and if there is some anomaly (e.g. one party's observers being forbidden access to the count) then a journalist can report it and readers will probably understand the implications and there can be appropriate outrage. It won't be theoretically perfect but that feedback mechanism can ensure it remains good enough in practice.

With a cryptographic system, the average voter can't even begin to understand what vulnerabilities there might be and how they might be exploited. If there's a news report saying all the tellers generated their key pairs using a buggy low-entropy PRNG, nobody will have a clue what that means. Maybe some experts will say "trust us, this is really bad", but the voting machine companies will present other experts saying "trust us, everything is fine", and then the losing candidate will say "don't trust any of these so-called experts with their gobbledygook, trust your gut - I should have won a landslide. Grab your pitchforks!". Even if that system still gave a numerically perfect count of votes, the doubt over its legitimacy could cause more serious damage than a little bit of fraud would have.

Open-source voting for San Francisco

Posted Sep 6, 2019 18:00 UTC (Fri) by rgmoore (✭ supporter ✭, #75) [Link]

But those vulnerabilities are so obvious that an ordinary voter can reasonably assume the relevant authorities have already thought of them and put sufficient checks in place

Which they actually have. I didn't bother listing the ways our system protects against those kinds of problems because I was specifically talking about secrecy of mail-in ballots, but they're there. The key point of all this stuff is that the system is designed to protect against attacks by making the system open to observation and audit, rather than trying to make security that is theoretically impenetrable. A key part of that is making the procedures comprehensible, which expands the pool of people who are capable of observing and auditing them and gives everybody else confidence that any attempt to cheat is likely to be caught.

An example of this is the question somebody raised above about ballots that are designed to be both human and machine readable: how do we know that the machine-countable markings match the human-readable ones? The answer is audit. We select a subset of the polling locations, hand-count the ballots, and compare the results to the machine-counted results. You could select the polling locations at random, or you could allow candidates to select polling locations so they can satisfy their curiosity about suspect locations. That type of audit makes it very likely to catch any kind of cheating that's significant enough to top the election.

Open-source voting for San Francisco

Posted Sep 7, 2019 19:11 UTC (Sat) by rdicosmo (guest, #106337) [Link]

Besides electronic voting, I seem to understand that SF elections use a ranked voting method.
This is a *bad* idea, as it lends itself to vote selling, see details here: http://hal.archives-ouvertes.fr/hal-00142440


Copyright © 2019, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds