Featured Post

Sovereign and the Problems with Internet Voting

An interesting proposal popped up on Twitter this week, from an organization called The Democracy Earth Foundation. They claim that they’ve solved the problem of internet voting, and they list UC Berkeley, TED, YCombinator, and the MIT Technology Review as sponsors. There are also some big names as donors and advisors. For instance, the co-founder of Reddit is listed as an advisor, and even Satoshi Nakamoto himself is listed as a donor, although I suspect that’s a cheeky joke.

Their solution, called Sovereign, is “a blockchain liquid democracy.” That’s a lot to unpack, so before we go into the specifics, let’s start with why this is such a hard problem.

Voting itself is difficult. Even in the real-world, we must defend voting against fraudulent voter registration, vote tampering, and corrupt officials. Even assuming that everyone is honest, the voting rules themselves can be faulty, as in when a third party candidate with little support is able to affect the outcome of the two main candidates.

Voting on the internet is even harder, because in addition to all the problems of voting, we have the problem of identifying voters. In real life, we use government IDs and prosecute voter fraud. However, on the internet…

But seriously, on the internet, it’s very easy to gain additional votes by creating additional accounts. So, any internet voting system needs to prevent the creation of multiple accounts in order to be fair. In computer science, these fake identities are known as Sybils (Douceur 2002). They create problems in reputation systems, voting, and in consensus algorithms like those in Bitcoin and Ethereum. Proof of work and proof of stake are two ways to solve this problem – proof of work by showing that you’ve done computation, and proof of stake by showing that you’ve staked tokens as collateral. However, they only work because the computation and the tokens can’t be faked. Unfortunately, both methods are costly, and ill-suited for voting applications where prior wealth shouldn’t matter.

Proof of Identity

Sovereign, however, relies on what the Democracy Earth Foundation calls “Proof of Identity.” In short, they require every potential voter to take a video of themselves where the voter states their name and other information, then they have have other users compare two randomly selected videos and judge whether the two are the same or not.

Some basic assessment questions for Sovereign and other voting systems are:

  • How easy is it for people to create Sybils by subtly changing their appearance and fooling the human judges?
  • How effective is this mechanism at identifying Sybils, if we assume they are easy to spot, and the judges are honest?
  • What motivates the judges to do the comparison? What are the incentives for users of Sovereign?
  • Can factions hijack the judging process and disenfranchise other factions, such as vulnerable minorities?

Let’s start with the video. Exactly how easy is it to present yourself as a different person and fool the human judges?

Makeup artist Eddie Senz created these during World War II in order to help the US in the event that Hitler disguised himself and escaped.

It turns out it’s probably easy to fool the judges. Studies show that human beings are very bad at matching unfamiliar faces, even from video. In one study, subjects who were judging based on photographs “picked the correct person on only about 70% of occasions. When the target was absent, subjects nevertheless chose someone on roughly 30% of occasions.”

Additionally, superficial features can be highly misleading. The Democracy Earth Foundation attempts to control this by commanding that people not wear “eyeglasses, hats, makeup or masks of any kind.” Leaving aside the fact that they have no way of enforcing a no-makeup policy (a successful use of makeup looks just like a natural face), it’s very easy for men to drastically change their look by just changing their facial hair. So, there’s at least several easy ways to create multiple identities that would pass by human judges.

Interestingly, human beings do significantly better at recognizing familiar faces than unfamiliar ones. Unfortunately, this leads to what is known as the Out-Group Homogeneity effect: People often find it more difficult to distinguish ethnic out-group members compared with ethnic in-group members. In Sovereign, this could easily lead to subconscious discrimination against other ethnic groups, since their videos are going to have a greater probability of seeming to be matches.

The Sovereign white paper states that “Anyone who ends up being voted as a replicant [aka Sybil or fake account] will see his or her granted votes useless.” Given the likelihood of false positives, it’s probable that Sovereign will often take away the right to vote from real people. Furthermore, if the errors aren’t random but instead caused by the out-group homogeneity effect, certain minority groups could be disenfranchised as a result.

Even if judges were 100% accurate at identifying fake accounts, how often would they even be looking at two videos of the same person? Turns out, it’d be pretty rare. For example, imagine there are n = 1000 videos of voters, and 2 match. (In other words, only one account has a duplicate.) Then the probability of even getting the matching videos in the same view is 1 out of (1000 choose 2), or 1/499500. This means that on average, the duplicate pair only comes up on a screen for someone to judge after 499,500 times. Let’s assume generously that every one of the 1000 people will watch and judge one set of the approximately 3 minute videos per day. On average, it will take more than a year to get a duplicate pair to compare, and let alone recognize them as the same person.

You might think that if there are more duplicates, they’ll be easier to find. That’s true. However, it only helps if the duplicates are all the same person. For instance, assume the 1000 voters are actually only 500 people, each with another fake identity. In this case, every single one of the voters is violating the rules and should be kicked out, but because a random voter and their fake identity will rarely be seen together, the judges will still only be able to stop the Sybil attacks 0.0002% of the time at best.

Computer Science, Game Theory and Mechanism Design

So far we’ve only covered the case in which the potential voters are dishonest. But what if the judges are dishonest? For instance, does a judge have an incentive to falsely say that two different people are actually duplicates?

The Democracy Earth Foundation says that the judges are “constantly incentivized to maintain legitimacy within the network in order to keep votes as a valuable asset: the success of the network on detecting replicants (duplicated identities) determines the scarcity of the vote token. The legitimacy of any democracy is based on the maintenance of a proper voter registry.”

This statement has two obvious problems. First, if votes are a valuable asset, there is just as much pressure to falsely accuse people of being replicants as there is to find actual ones. False accusations are very easy, and you can even disenfranchise your political opponents at the same time. The Democracy Earth Foundation’s argument doesn’t prove accuracy; instead it proves that there are huge incentives to lie. Furthermore, as long as no one finds out, the voting system stays legitimate in the public eye even with rampant fraud.

Thankfully, we already have a field of study that assesses the possibilities of bad actors: game theory. A general principle that applies here is that in order to prevent Sybils or in order to prevent collusion, you should ensure that creating a Sybil or colluding is more trouble than it’s worth. That’s a turn of phrase, but in this case I mean it literally: the expected cost of creating a Sybil should be greater than the benefit from having one.

It’s not clear that the Democracy Earth Foundation has done this kind of assessment at all. To be fair, looking at the problems of internet voting through the lens of game theory is relatively new and multidisciplinary.

How the SumUp algorithm fights Sybil voting, from this slideshow presentation.

There are a couple of different approaches. One is to use social choice, an area of game theory that uses axioms to assess voting rules. For instance, Vincent Conitzer, a Computer Science professor at Duke University, and others have been trying to find voting mechanisms that are false-name proof –  mechanisms where no agent ever has an incentive to use fake accounts. Another approach is to use the social network and graph theory to create algorithms that detect and remove Sybils as in Sybil-Guard and SumUp. This is still an ongoing area of research, and very difficult to accomplish. (As an aside, I’ll be doing more research on possible solutions to Sybil-resistant voting in smart contracts in the next few months. If you’re also working in this space, let me know.)

The bottom line is, any voting system using smart contracts has to be Sybil-resistant in order to be functional. Otherwise, there is no guarantee that the outcome of the vote is true to the wishes of the voters. Sovereign, the Democracy Earth Foundation’s voting system, isn’t Sybil-resistant, and furthermore, is hugely susceptible to fraud and abuse. Granted, the released publication is version “0.1,” but as published, Sovereign is simply not going to be able to work.

Feature Image by freestock.ca ? dare to share beauty


Guest Author
Twitter 

Pro-life libertarian. Blockchain enthusiast. Cal alum. Tiny-house builder. Software engineer. Mechanism Designer. Feminist. Judy Hopps understands me. She is on Twitter.

Please do be so kind as to share this post.
TwitterFacebookRedditEmailPrintFriendlyMore options

45 thoughts on “Sovereign and the Problems with Internet Voting

  1. Thanks for explaining how immature this proposal is.
    I did some work on designing an electronic voting system and the requirements for it to meet all requirements of being open, fair, protecting voter secrecy etc. are not easy to meet. In some of the papers on e-voting there is a reference to the cryptographic properties of paper in describing the benefits of the traditional paper and pencil ballot…
    In my view, in a national, regional, local political ballot the decision of who can vote and who can not is fundamentally political. That means that local/regional/national politicians have decided on the policies determining who is in and who is out.
    Not having read the proposal, it seems that Sovereign ignores this aspect, as it requires each individual that wants to be admitted on the ‘electoral role’ can also prove it meets the requirements set out in these policies, like living in the proper district, town, county or country or having the right age. Validating the required attributes and matching them to a unique person is a bit more involved then Sybil elimination.
    With an electronic electoral role, a necessary prerequisite for correctly conducting an election, there exist two contradictory requirements: of protecting privacy of the voters and of having the ability to mount a challenge to the administrative decisions of inclusion or exclusion.
    Another aspect of using blockchain is that it has latency in recording the votes, and the guarantee that it isn’t modified cannot be given, we just need to realise that for the Blockchain in Bitcoin 70% of the mining power is located in China. No country can accept that its ballots are counted in a foreign country.

    Report

    • Really good point about there often being geographic restrictions on whether someone is eligible to vote. I didn’t go into this in the original post, but Sovereign does say that they want organizations to be in charge of the voter authorization and authentication process. I suppose that these organizations could be researching whether someone lives in the geographic area, but if they’re already putting in that kind of effort, it seems strange to do this video matching mechanism.

      I think I may have downplayed how great blockchain tech is for voting. For the record, I do still think that’s a great idea. On Ethereum, it only takes 3 minutes to be generally certain that your vote (or any other transactions) have occurred, so latency shouldn’t be an issue. Additionally, the largest mining pool for Ethereum isn’t in China (but the second-largest seems to be) so perhaps Ethereum has more diversity than Bitcoin. Regardless, Ethereum is moving to Proof of Stake in the near future so miners won’t be used.

      Report

  2. It’s an interesting intellectual question. These days, though, I’m inclined to think that the big question about using the internet for voting is access to technology. What happens to the voters who are uncomfortable with tech, or too poor to afford tech, or don’t have adequate bandwidth available? Low-tech vote by mail (either exclusively or by voluntary permanent no-excuse “absentee” ballot lists, plus some sort of in-person voting for the outlier cases of people who relocate too close to election day) seems to have very low fraud rates and some evidence for increased turnout.

    Report

    • I think the low fraud is a luxury born of the kind of institutions we have. Citizens of other countries probably do face significant voter fraud. It is true that blockchain technology does allow for voting results that cannot be tampered with.

      Report

    • Paraphrasing Bruce Schneier from memory – if you think technology can solve your problem, then you don’t understand the technology, and you don’t understand the problem.

      Report

  3. I’ll kick in here too. Liked the post. Wasn’t aware of the proposal. Your post seems very good a poking holes in this idea. Of course, the whole video match up to me is an issue since I don’t want any (more) images of my ugly mug on the interwebs.

    Report

  4. There’s some sort of “Establish a blockchain-managed crypto locker of self” initiative happening at the state level in a couple of places that purports to solve the internet real name issue in a sensible way. I have not enough math to know if it makes any sense.

    Report

  5. I quite enjoyed this article, thank you!

    The number of things this project missed is probably too great for an article of this kind of length. It’s like the well intentioned folks behind it haven’t met a lot of people…

    Other things they missed, just off the top of my head
    – disenfranchisement of those who must cover their heads for religious reasons ( have they really never met any Muslims, Sikhs, Hutterites?)
    – all the problems that go with any non in person voting – the impossibility of secrecy/ non-coerceability and voter verification being only one
    – the fact that this is all totally untrustable mumbo-jumbo to anyone who’s not a computer scientist
    – the fact that there are enough virus infected client devices to swing all but the most locked in of stronghold elections.

    Report

    • the fact that there are enough virus infected client devices to swing all but the most locked in of stronghold elections.

      That, right there, is the reason that internet voting can never, ever happen.

      Let us assume that everyone is indeed, identifiable, somehow. That everyone has some sort of crypto-identity that is tied to just them, and some way of securing votes inside that in a way that cannot be tied to them. And let’s even be charitable and say they have to turn in a video saying their name and stuff, like in this proposal, and they can’t have created more than one identity.

      Let’s assume the _best possible universe_ here.

      And then someone writes a worm that infects end-user computers that simply…alters the actual votes submitted.

      I.e., you do everything exactly as required, and everything is completely correct, and you press ‘submit’, and the values you selected are instantly altered and _then_ submitted, or encrypted, or whatever.

      Everyone seems to think we’d be using a web browser, and altering what those submit is very very easy. And, no, SSL doesn’t help when the problem is your own computer.

      So maybe it’s a separate program on your computer? Well, now you’ve got a whole bunch of software issues (As opposed to just requiring a standards-compatible web browser.), but more importantly, that doesn’t help…programs can alter the values stored inside other programs, just google ‘trainers’, which are cheats for computer games that do exactly that.

      But what if it says who you voted for afterwards? Duh, it just lies again. There might be some server that gets the values, and returns a response, and the worm just…alters what it shows on screen.

      Part of the requirement for online voting is that you cannot, later, produce evidence of what your vote was. (Otherwise vote buying is really easy and untraceable.) Which means you can’t go and check your vote on some other, non-infected device.

      Then again, this is also the reason that _direct record electronic voting_ cannot happen (Because you have no way of confirming that it recorded the vote correctly.) and yet somehow I have ‘voted’ on such a device the past decade or more.

      Because a bunch of treasonous (And, yes, I meant that literally. People who replaced verifiable paper voting with electronic systems should be _arrested and charged with treason_.) morons who know nothing about computers have decided to set such a system up.

      There are exactly three sorts of computer scientists in regard to computer voting:

      a) The theorists who get all up in their own navel trying to solve cool problems like ‘How do we confirm this data is authorized while leaving it anonymous but non-duplicate’, which is indeed a cool CS problem with all sorts of interesting ideas behind it.

      b) The theorists who have read ‘Reflections on Trusting Trust’, and understand that we can’t even _theoretically_ verify that a Turing Complete machine (where instructions can be located in firmware and on mechanical media we cannot see with our own eyes) does exactly what it is supposed to. Computers can lie…and they can even lie about whether or not they are lying.

      c) Everyone else, who don’t care about theories, but practice…and who understand the utter crap state of computer security and is horrified at this entire idea.

      Group (a) need to be dangled out of windows until they shut the hell up and stop endangering democracy because they like cool math.

      Barring that, group (b) needs to leap in there and point out that while (a) might have invented a _theoretically_ unbreakable mathematical system (Maybe, maybe not, but it’s not important), that system still fails because also, _in theory_ we do not, and cannot, have any evidence that any specific computer is performing the calculation we think it is. We cannot read actual bits on hard drives without those bits going through processors, we cannot see bits in memories, we cannot watch processors do math.

      (b)’s theory that you cannot secure any of the systems on which computations are being done trumps (a)’s theory that the computations themselves are secure. (Unless the idea that everyone is going to do this complicated mathematical encryption on paper.)

      And of course, in practice, (c).

      Report

      • Despite being not being a CS person in any professional capacity, I’ve hung out with enough of them for long enough that I fall into your groups b) and c). Paper voting is horrible and easily compromised, but electronic voting is way more horrible and way more easily compromised.

        And yet I’m still asking you to stop talking about dangling people out of windows (particularly given that I have no information about whether our guest author considers herself more in group a or group b, so you may literally be telling our guest author that she should be dangled out a window and SURELY you can see why I don’t want that potentially happening). Also, if you have beliefs that people should be arrested for treason, maybe explain why you’re going to that particular (and very worrisome given how the other side applies it to folks in the computer industry who agree with you) assertion instead of some less inflammatory one, rather than just re-emphasizing it. (You don’t need to explain it to me right now, I’m familiar with the argument, some other time we can argue back and forth about it, I’m talking about not dropping it into a comment without explaining it more.)

        I get why you’re angry. This topic makes me angry too. But I still need you to be respectful on this site. Not least (though not only) because your otherwise excellent comment would be a lot more convincing without those two things.

        Next time I won’t lecture, I’ll redact and warn.

        Report

        • If you want to redact that part of the comment, go ahead. I thought it was humorous enough that it was okay, but if not, please delete.

          To be clear, I don’t think anyone should actually get dangled out of windows. But they do need someone yelling ‘What the hell are you thinking?’ at them, though.

          The really frustrating thing is most of the people who are doing this research know all this, they know everything I said, and they usually do not want people voting from current personal computers either.

          Some of them seem to think working on ‘secure internet voting’ is entirely a theoretical hobby, and the rest are in some future utopia where computers will magically secure any day now, somehow. (The second group doesn’t seem to understand that a computer you cannot see the inside functionality of, aka, all of them, cannot _theoretically_ be made secure, and seem to think that is a practical problem.) While, of course, both groups keep talking about ‘internet voting’ in public, and everyone can hear them.

          So, just like we got insecure ‘electronic voting’ 15 years ago, we will get very insecure internet voting soon. It will probable be some kludged-together system that doesn’t actually conceal identity _and_ isn’t secure, i.e., it will fail on both of the things that researchers are trying to make true.

          And all the ‘internet voting’ researchers will be like ‘Oh, that isn’t at all like what we were talking about, and also you shouldn’t have really done it, because current general purpose computers are basically insecure as a premise.’, and the rest of us will be banging our head against the wall and saying ‘No shit, Sherlock! The government didn’t understand any part of that except ‘internet voting can work’ and ‘lowest bidder’!’.

          So, yeah, I’m getting a bit angry about this, because I can so clearly see the disaster we are headed towards helped along by a bunch of math geeks who are super-excited about theories and blockchains and hash functions and all sorts of things, all sorts of awesome math things! And fail to notice, uh, they are building a damn iceberg we are going to crash into.

          AGAIN, because we already did it with electronic voting, and we’re not moving away from that because it is insecure, we’re moving away from that because the companies that set it up were too incompetent to do it right.

          And my rhetoric might be a bit out of hand due to that.

          Report

          • Agreed on all counts. I get wall-punchingly angry myself about this topic.

            And I don’t need to redact you here, I’m just telling you what’s likely to happen without much explanation if you go over the line next time. (As a general rule, it’s more likely to be funny and acceptably civil to talk about dangling people out windows in places where you aren’t also saying, and then re-emphasizing, that some other people should be arrested for a crime that can carry the death penalty.)

            Report

            • Just to add a counter argument, Bitcoin as a whole is currently worth $65 billion and Ethereum is worth nearly $27 billion. Voting is just another transaction to the computer, so if fraud through viruses were easy, we would already be seeing that in usage. I suspect that the difference between the insecurities of electronic voting systems that we’re familiar with and blockchain tech is that blockchains use public/private key pairs, and the entire security of your setup depends on keeping your private key secret. If you’re able to do that, it doesn’t matter what else is going on, it’s still under your control.

              Report

    • Really good point regarding the headcoverings.

      Coercion is a really hard problem that I’m not sure can be solved except by having 1) a private ballot, and 2) good legal protections in your physical jurisdiction.

      As for virus infected client devices, it’s possible to use a “hardware wallet” that stores your private key (what allows control of your money). I’m not sure how successful that would be for voting, but it’s probably a good starting point.

      Report

      • As for virus infected client devices, it’s possible to use a “hardware wallet” that stores your private key (what allows control of your money). I’m not sure how successful that would be for voting, but it’s probably a good starting point.

        Ah, yes, the quick and easy internet voting, where we apparently provide everyone with their own hardware device to hold their key?!?!

        Of course, the hardware is just signing whatever a computer sends to it, and you can’t trust computers, so hopefully that hardware device has a screen on it so you can see what is being signed. Hardware Bitcoin wallets just need to say the Bitcoin value and the address being sent to (Weirdly, only a few bother to do this.), but a hardware vote signing device would need to show the entire ballot.

        And before you say ‘They could show a hash of the ballot’…no, no they couldn’t, not unless people can verify hashes in their head.

        Might be easier to have the hardware device do the entire thing, but a) that doesn’t require super-cool math so what’s really the point, and b) would just make it obvious that you’re requiring everyone to have a piece of entirely untrusted hardware directly record their vote that they cannot verify recorded it correctly.

        I.e., congratulations, you’ve managed to take electronic voting, and add a lot to the cost without solving any of the problems! w00t!

        Report

      • Coercion is a really hard problem that I’m not sure can be solved except by having 1) a private ballot, and 2) good legal protections in your physical jurisdiction.

        I amreally sure that the problem of coercion cannotbe solved without those measures.

        Hardware wallets are nice and all, but I’m in agreement with re what they can and cannot accomplish in the case of voting.

        The most secure voting technology we’ve yet invented, or are likely to see in our lifetimes, is a folded out cardboard box and a pen on a card table in the gym of the local elementary school, with some nice retired people volunteering as scrutineers.

        Report

  6. And here is where I explain my previous comment about what I mean about ‘cannot theoretically be made secure’:

    I will try to explain to non-programmers. If a non-programmer does not follow along, please, ask me to expand. For programmers, please note I am simplifying some of this:

    Definitions:
    Source code – Source code, for reference, is the English-like language that is turned into machine code.
    Machine code – The 0s and 1s that computer directly executes. A .exe is ‘machine code’. (We’re talking Unix here, which doesn’t use the .exe extension, but the concept is the same.)
    Compiler – Thing that takes file(s) of source code and turns them into machine code.
    Login program – Exactly what it sounds like, the thing that prompts you for a name and password.
    Backdoor – A non-obvious and usually non-authorized means to get into a computer.

    The story:

    ‘Reflection on Trusting Trust’ is a very early and famous computer science document (It’s not really a ‘scientific paper’.) has a fun hypothetical (Possibly _not_ hypothetical, rumor has that it happened, but never got out of captivity.) about an undetectable backdoor in the login program on one of the first Unix systems.

    This backdoor was the simpliest sort, where, in addition to the correct password, you could type any user name and a specific known password and get in as them. This sort of backdoor would only require modifying one line of source code, whereas instead of checking if the password matched the user’s word, it would check if the password matched the user’s password _or_ the known password.

    So a backdoor in the login program would be installed by changing that line in the source code, recompiling the source code with the compiler, and then putting the generated machine code in place. Easy enough.

    But, the thing was, on this OS, this early Unix, all the operating system source code was publicly visible. So…anyone can see the source code and see the backdoor! It might take them a while to happen to stumble across it, but they could.

    So, well, how about we install the backdoor version…then we change that line of source code back? It’s undetectable now!

    But someone, eventually, is going to modify the login program for some other reason, and recompile, and the backdoor is lost.

    So…how about instead of putting it in the login program, we instead edit the _compiler’s_ source code to notice it is compiling the login program, and change that code on the fly. We recompile the compiler (Yes, that works) and put the backdoor in place, so now when the compiler reads that specific line of login source code, it recognizes the login program, and the compiler generates the machine code for a _different_ line of source code instead of the one it is really reading.

    Now the login program is completely clean. Someone can read the source code a million times, and nothing is wrong with it. We win!

    But, wait, now there is something visible that is weird in the _compiler_ source code, right? Oops.

    So…what if the compiler recognizes _itself_ when it’s compiling, and injects both the code to recognize and edit the login program, and the code to recognize and edit _itself_.

    And we compile it once, edit that code back out, and now we have perfectly untouched source code for both the login program and the compiler, that _nevertheless_, generates a backdoor when compiling the login program, and code to put all that code in when compiling the compiler.

    And that is where the document ends, with a backdoor that cannot ever be found or removed, because it appears out of thin air during compilation. And would also spread from system to system, because obviously you have to copy the machine code of the compiler when setting up a new system, because you can’t compile anything (even a compiler) without a compiler, so that’s one of the few things that cannot come just as source code!

    (I think this was slightly before the days of ‘installation programs’, and everyone just sorta formatted drives and copied everything over. But if there had been install disks…the compiler would have been put on them.)

    Here is the actual document:
    https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

    The stated moral in it: You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well-installed microcode bug will be almost impossible to detect.

    And it turns out…it’s not ‘almost impossible’. It is, functionally, impossible. It is ‘throwing a needle out of an airplane and impaling a specific piece of hay in a haystack with it’ impossible.

    Everyone else read that paper, and extrapolated, and tried to win the battle. They noticed they could still find the code using a real time debugger that stepped through the login program or compiler and they could see the machine code instructions…unless, of course, we put some code in the real time debugger to hide it…or, rather, we put code in the compiler to put that code in the debugger.

    Okay, so instead they just dump the machine code to the screen and reverse engineer it. That is so easy to do they can write their own program to do it, and a compiler cannot rewrite them all those programs. So instead…we alter the operating system itself to read the file one way when opening it to run it, and another way if any process tries to view it.

    At some point, we reach the bottom, the concept of ‘rootkits’, which run before the OS and hide their own code when the OS tries to read their sector of the disk, and do whatever else they want, like altering the login program as it executes.

    Actually, below that point, we get rootkits in the _firmware_. IDE and SATA hard drives _have ‘computers’ in them_, as in, a processor that runs hard drive firmware code. IDE literally stands for ‘integrated drive electronics’, because it had chips on the drive to do things that previous standards made the hard drive controller do.

    You put something in that, a piece of code that returns a rootkit the first time the boot sector is read but the correct boot sector the rest of the time…you aren’t finding that. (It is about this point that I start sounding paranoid, but intelligence communities have, indeed, subverted hard drive electronics like this. Gee, I wonder if any intelligence communities have any sort of interest in our elections)

    The point, or at least the eventually takeaway of computer science, of ‘Reflection on Trusting Trust’ is that you cannot trust a computer that does calculations you cannot see. Period, end of story. It doesn’t matter how well election officials vet the programs it is running, as election officials cannot be sure the programs it is running are the programs it is showing them.

    And this applies to multiple systems! It is contagious!

    Even if election officials put a computer together themselves from ‘scratch’, fabricated all the chips on the MB and hard drives and everywhere else code can reside, wrote the operating system from the ground up…which I must point out is something they have never suggesting doing so is a weird hypothetical to get involved in…they would do all that on _some other computer_ that they also don’t know is secure, and could have _lied_ to them about what it was doing with the computer they were building! (And this is assuming that I trust election officials 100%.)

    The only computer that can be theoretically secured for voting is one that the election officials is assembled from low-level electrical components (Not even integrated circuits, but transistors), components that are not complicated enough to have any hidden behaviors and that voters can map the wiring out themselves if they with. And all the code is publicly toggled in via switches on the front panel.

    Now, technically, they could use that computer to build a better one, and that computer to build a better one, making sure to keep them all clean, etc, but it’s hard to see why _I_ should trust a resulting computer unless they did all that in front of me.

    Report

    • Take as given that at this point I agree with you. Do you think we should ever vote for stuff at all? If so, why aren’t you as worried by the paper ballots? I mean, there are plenty of ways to alter them too.

      (Not a rhetorical question – I assume you’ve thought about the advantages of paper ballots a great deal more than I have…)

      Report

      • If so, why aren’t you as worried by the paper ballots? I mean, there are plenty of ways to alter them too.

        There are a variant of ways that physical ballots are kept secure.

        1) The total number of ballots distributed to voters is known, and the total in the ballot box should not exceed that, or be less than that amount by any meaningful amount. (It is theoretically possible for someone to get a ballot and wander off and not cast it, but this is extremely rare, so anything more than a couple of ballots missing should be cause for concern.) The lists are public at all times, and observers watch names get crossed off

        This makes adding votes functionally impossible

        2) The blank ballots themselves are kept controlled.

        This makes replacing entire ballots very difficult. (Or adding, but that already is too hard.)

        3) They are kept in secure and visible boxes.

        Thanks to #1 and #2, attackers have to basically alter _existing_ ballots. Thanks to #3, they somehow have to do that in the middle of a room.

        4) The boxes are kept sealed when not in public.

        This makes it very hard to tamper with them even when out of view, and even if that could be pulled off, that would really only effect any hypothetical recount, because the original counting doesn’t have the boxes out of view before it.

        And that leaves us with the most useful security measure of all:

        5) Altering paper ballots takes time.

        So let’s say you do somehow manage to get the box unsealed and can reseal it at the end. You can’t discard more than a few votes. You can’t add new ballots because getting new ballots is an entirely separate heist. So you can pull the ballots out and…erase each mark and make a new one?

        How many votes are in that ballot box? 1000? You’re going to pull them out one by one, put them to the side if the right person is marked, and otherwise spend 30 seconds erasing the existing marks and drawing your own? What sort of margin of victory are you overcoming here?

        There is pretty much one workable way of subverting a paper election, and that is subverting all the staff and hoping there are no observers. Then the staff simply wanders off with the paper ballots, and marks a bunch of them, and then at the end of the day, when the polls are closed, the election officials quickly mark off a bunch of random remaining names and throw that many new ballots in there.

        Report

        • Many of those problems are addressed by doing the counting in public the same day the voting happens – the ballot boxes are unfold and set up in public view, and not left unattended until the votes are counted.

          Also in Canada, the ballot has a tear off part with the serial number. You arrive, sign in, get a ballot, the number is recorded with your name. You go fill out the ballot, return to the front with the ballot folded so it cannot be read. The serial number strip goes in one box, the part you filled out with your votes goes in another.

          Easy to verify no extra votes, all voters’ ballots were accepted, any ballots that needed to be reissued because someone made a mistake were properly discarded, and vote secrecy is preserved.

          Report

          • And it’s worth pointing out that for some reason we haven’t implemented the next obvious step in all this: Video cameras.

            You put a camera where it can record the list of names as they get crossed off, and another that shows the people walking in, and another camera that can see the ballot box and watch as things get added to it. And then you also do the counting in view of those cameras. Then you have those livestreamed and recorded somewhere secure offsite.

            Now, you’ve basically removed the one possible hypothetical method of tampering I’ve mentioned, where everyone that works there and all observers are subverted. Because all observers cannot be subverted.

            Which means that poll workers cannot wait until the moment the polls close, and quickly grab 50 pre-marked ballots, cross 50 names that didn’t show up randomly off the list, and throw the ballots in.

            Please note this is a bit of an edge case anyway, because subverting all poll workers and observers is very difficult, but it’s not completely impossible.

            Report

  7. I don’t see for traditional elections what the need for internet voting is. Rather go to all mail voting, where you send the ballot back inside two envelopes, with the inner one having a place to sign. Use the bubble scoring paper method and get rid of voting systems with no paper trail. Yes you can scan the paper to get totals, but if need be the papers can be counted by hand. Other than wiz bang tech that other countries can subvert better than using social media for elections know to happen 2 months in advance what does the internet add in value?

    Report

    • There really are significant advantages to using blockchain technology and smart contracts for voting. First, the votes are immutable, so you can eliminate fraud that way. Second, you can prove that you, the holder of your private key, are the one doing the voting. Third, with smart contracts, you can handle the outcome of the election in code (for instance, handling over control of an account to the winner). Currently, transitions of power can be troublesome, even in a supposedly stable government like ours.

      Report

      • First, the votes are immutable, so you can eliminate fraud that way.

        Because people _editing_ paper ballots is a genuinely large problem. Or any sort of problem. Surely it happens. I mean, it could in theory.

        Second, you can prove that you, the holder of your private key, are the one doing the voting.

        Wow, that’s like two levels of wrong.

        First of all, you cannot prove anything. All that can be proven is that _a person who held your private key_ did the voting. You cannot prove you did not vote at someone else’s direction (A current non-in-person voting problem), and you cannot prove you did not loan your private key to someone else and let them vote for you.

        You have proven nothing at all!

        Second…in what universe are people required to prove they are the person who voted as themselves, anyway? Actually sound that out in your head, that the government comes up to you after you vote and says ‘Prove it was you that voted and not someone else!’. You don’t need to prove that! You sometimes might want to prove you _aren’t_ the person who voted, if someone voted in place of you and you’re helping some sort of voter fraud thing, but you never need to prove the other way around.

        Third, with smart contracts, you can handle the outcome of the election in code (for instance, handling over control of an account to the winner). Currently, transitions of power can be troublesome, even in a supposedly stable government like ours.

        And here comes the high level math nerd nonsense, where you could built some sort of electronic system that hands over control via MATH.

        And, I dunno, the Supreme Court gets a bajillion votes if they need to override it, and Congress has some secret vote reserve for impeachment, and suddenly everyone remembers that literally no part of the government is operated by automated machines, we don’t have some sort of voice activated computer controlling everything that we need to make sure only the correct person is in charge of.

        Mwhahahaha, _I_ have stolen root control of the government, and now everyone must bend to my will! Wait, no, there is literally no part of the government that operates like that.

        Instead the government is made up of people, and where computers are involved that do anything, like print checks, there are a bunch of people who are, in fact, _telling_ them to do that.

        Report

        • Your bombastic conversational style is becoming an increasingly worse companion for my three-day-old migraine, but here’s my last try:

          1) Paper ballots require trusted authorities. That’s a luxury in many countries. The best use case for smart contracts is where you *do not* or *do not wish to* trust authorities or third parties. So let’s limit our comparison of blockchain voting to paper ballots to those cases. For instance, consider Zimbabwe’s general election of 2008 Otherwise, we’re considering elections in the most stable of countries (the best case scenario for paper ballots) with the worst case scenarios for electronic voting.

          2) Instead of dealing in absolutes, we need to deal with probabilities. Certainly, it’s possible to have malware. But hacking isn’t cheap or easy – you have to be motivated somehow, either economically or ideologically. If you’re a hacker, are you going to go after the $65 billion dollar Bitcoin market cap, or try to swing an election? What’s more, there are plenty of other smart contracts in existence on Ethereum, and in most cases, the value of those is going to be higher than the outcome of vote hacking. Take Zimbabwe. Let’s say your election allows you to control the entire GDP of the country (16.29 billion USD). That’d be ridiculous, but it’s less than the market cap of Bitcoin.

          3) If you’re not recognizing the technological advance of blockchains at all in terms of ensuring that data recorded is not altered. You haven’t presented any arguments against it, just a few examples of malware in which private keys are stolen, or a bitcoin transaction address is changed at the time of the transaction. My points above, which you appear to have missed in your hysteria, are that if 1) you retain sole control of your private key, and 2) your transaction successfully makes it to the blockchain then your vote is guaranteed to be accurately represented as long as a key segment of the network is honest.

          That’s it. I’m out.

          Report

          • To follow up your example of the election in Zimbabwe, here’s how block chain voting there would go, I think:

            1) 16% of the population of Zimbabwe has internet access of any kind, so it’s a non starter.

            2) people proposing block chain voting would fall into two groups:
            2a – those proposing the official government voting app, which reports the result the government wants regardless of any fancy math
            2b – those dead in a ditch by next week

            Report

          • Paper ballots require trusted authorities. That’s a luxury in many countries.

            All elections requires trusted authorities, because the authorities _set up the election_.

            Doing an online electronic election just ensures that literally no one can observe what happened, whereas doing with paper in front of everyone allows problems to be pointed out.

            The best use case for smart contracts is where you *do not* or *do not wish to* trust authorities or third parties.

            There are basically no governmental election use cases for ‘smart contracts’. Smart contracts, in case people are not following along, is where the election is actually a mathmatical result that transfer authority to do something. I.e., you are basically voting on whose password unlocks a computer.

            That…is not how a government works, at all. Governments do not operate by computer, and not only is there no way to set such a system up barring some sort of governmental AI, it would be seriously stupid to do that if it was possible.

            So let’s limit our comparison of blockchain voting to paper ballots to those cases. For instance, consider Zimbabwe’s general election of 2008

            Where Mugabe would be _sure_ to somehow hand his government control over to a computer (somehow) and be _sure_ to distribute electronic voting that actually registered the vote you inputted into it.

            Otherwise, we’re considering elections in the most stable of countries (the best case scenario for paper ballots) with the worst case scenarios for electronic voting.

            Weirdly, absolutely no one making this argument actually _says_ stuff like that until you start pointing things out. Go check the article for any sort of disclaimer that it is talking about third-world countries, and absolutely should not be implemented in the US. I’ll wait.

            2) Instead of dealing in absolutes, we need to deal with probabilities. Certainly, it’s possible to have malware.

            Oh, sorry, weren’t we talking about the election of Mugabe? With the corrupt government? Why would there be any ‘malware’? The government would just write a voting program that, in 75% of the cases, would create and sign a vote for Mugabe, no matter what it displayed on screen.

            But hacking isn’t cheap or easy – you have to be motivated somehow, either economically or ideologically. If you’re a hacker, are you going to go after the $65 billion dollar Bitcoin market cap, or try to swing an election? What’s more, there are plenty of other smart contracts in existence on Ethereum, and in most cases, the value of those is going to be higher than the outcome of vote hacking. Take Zimbabwe. Let’s say your election allows you to control the entire GDP of the country (16.29 billion USD). That’d be ridiculous, but it’s less than the market cap of Bitcoin.

            So let’s be clear: You admit the system is hackable, but you assert it’s _not worth it to hack_ because there are other, more valuable targets?

            This is ludicrous for several reasons.

            First, your comparison is wrong. To vote, people _have to create a vote_, whereas a lot of Bitcoins are just sitting somewhere secure. The easiest attack vector is _during use_. As evidenced by the amount of Bitcoin trojans that attempt to redirecting transactions the user is making, vs. just steal all the keys.

            Second, THAT IS NOT HOW CRIME WORKS. By that same argument, no one in poor areas would ever get mugged…clearly, another area has richer people, and shouldn’t those people be robbing banks anyway?

            Third, programmers can be _paid_ to create programs. There is malware that does all sorts of stupid things, and weirdly programmers are not refusing to write this and instead say ‘No, I should be writing programs to steal Bitcoin and CC numbers!’

            Fourth, you’re assuming the point of altering an election is to steal stuff counted by the GDP, as opposed to some sort of ideological goal or to sell the country out to its enemy, or even to steal natural resources which are currently protected and thus not part of the GDP.

            Fifth, and this is a small point, but Zimbabwe presidents are not elected for a single year.

            3) If you’re not recognizing the technological advance of blockchains at all in terms of ensuring that data recorded is not altered. You haven’t presented any arguments against it, just a few examples of malware in which private keys are stolen, or a bitcoin transaction address is changed at the time of the transaction. My points above, which you appear to have missed in your hysteria, are that if 1) you retain sole control of your private key, and 2) your transaction successfully makes it to the blockchain then your vote is guaranteed to be accurately represented as long as a key segment of the network is honest.

            No it’s not. It’s guaranteed to be accurate in the chain. It’s not guaranteed to be _counted accurately_, or even counted at all.

            You have decided this form of voting, whch you _previously_ touted as awesome, now only should apply to places with poor democracy like Zimbabwe.

            And you have utterly failed to notice that Zimbabwe DID NOT TAMPER WITH BALLOTS.

            They just miscounted them. They just took them in secret and announced probably wrong vote results later.

            No one is tampering with damn paper ballots either. Your ‘advantage’ is total nonsense.

            It’s like claiming the advantage of travel by plane, instead of car, is that thanks to oxygen masks, you will have air in case the vehicles depressurizes. This makes planes much more awesome than cars, which…uh, don’t depressurize either.

            Almost everything you claim is an advantage is actually an advantage only over completely unsecured online voting via a web portal. You are merely solving problems that _you introduced_ with electronic voting!

            And you’ve managed to solve maybe half of them.

            Paper voting doesn’t have those problems to start with. People ‘tamper’ with it in exactly the same way that you have given no thought of solving in your system: By announcing an incorrect count at the end, which they can do because they did it all in secret. (You know, in secret. Like where the entirety of your system operates?)

            So here are my requests:

            Please explain exactly what system exists that would stop Zimbabwe from just announcing a different winner than the correct one. This would require everyone to have all the ballots and be able to confirm the math themselves, but also _somehow_ not see who voted for who.

            Please explain, if that system does exist (I do not think it does), what would stop Zimbabwe from creating a bunch of votes and adding them in.

            I can explain how _paper_ ballots can stop those two things. (I actually already have in this discussion.)

            Report

            • Hey, DavidTC, when a new author to the site says they’re done commenting with you, because they find your commenting style overwhelming, it’s ok to get the last word in, but not so ok to “yell” at them virtually and end with a series of requests when they’ve already said they’re done. If I had the experience with you that Kate Sills just did, I would feel bullied. I don’t want our authors to feel bullied.

              This is a really interesting (from my point of view at least) set of conversations, but it literally wouldn’t have happened without @kate-sills’ original and extremely informative post about what was wrong with Sovereign.

              I’d hope that you can keep that sort of thing in mind and moderate your tone when addressing authors in their posts. Especially if they tell you explicitly that you’re making them feel like there’s no point in discussing with you. This isn’t about who is wrong or right, it’s about treating people who go to the effort to write and post things (things that many of us found informative!) more how they want to be treated and less as a stalking horse for everything they represent to you.

              Sorry if you feel like I’ve been picking on *you*, lately, btw. I think you havea lot of really good insights and I like your comments generally, which is why I’m bothering…

              Report

              • Hey, DavidTC, when a new author to the site says they’re done commenting with you, because they find your commenting style overwhelming, it’s ok to get the last word in, but not so ok to “yell” at them virtually and end with a series of requests when they’ve already said they’re done.

                Maribou, can I ask a favor of you? I want to go to all the other times that Kate Sills has responded to me in this discussion, and see if her responses were…ha. That was a trick. You see, she literally has never responded to me before that post.

                I can see why you bought her nonsense about this being her ‘last try’ to convince me of something, it’s easy to take that sort of lie at face value, but it literally is her _first_ try in responding to me.

                And it’s not like she’s been busy responding to other people. She has attempted a response to a reasonable criticism once, to dragonfrog. Then she ignored him also.

                This isn’t about who is wrong or right, it’s about treating people who go to the effort to write and post things (things that many of us found informative!) more how they want to be treated and less as a stalking horse for everything they represent to you.

                So it turns out when an author proposes something extremely dangerous, fails to respond to any valid criticism (while still posting other comments), and then finally responds to me with a post that:

                a) Twice accuses me of ignoring/missing the point, once implicitly with a ‘last try’ (Which implies previous tries, which, again, did not happen.) and another claiming I missed the point of immutable blockchains, when in fact my response to that was paper ballots are pretty immutable in practice and I had no issues with The Math(TM). You will notice this is something I yelled about.

                b) Moved the goalpost utterly, because now all this just applies to Zimbabwe for some reason, so the fact it is insecure do not matter, because who would attack a Zimbabwe election? You will notice that this is, also, something I yelled about, because not only is that moving the goal posts, it’s an amazingly poor justification for installing an insecure system.

                So, yeah, someone does those two things, in their very first real post that attempts to address the numerous criticisms of what they appear to be in favor of, I get a little annoyed and yell some at that bullshit.

                Report

                • It would have been a lot better if you addressed that you thought she was ignoring you than if you lambasted her, yes. Not ideal, but better.

                  But also, she did make previous tries, she just didn’t reply to you directly. She replied on threads that you were on, to points relevant to the ones you were making, offering different perspectives. She was part of the same conversation we all were, commenting on things that were literally subthreaded to your comments. It takes a lot of time for people to get used to the style of conversation here, believe it or not, and you’re treating your lack of paying attention to the whole conversation as her having ignored you. Which, for the record, I *don’t really care if authors do*.

                  Secondly, I didn’t *buy into her nonsense* about it being her last try, I believed her because she was telling the truth. Treating me as someone with low reading comprehension and high gullibility is *not* going to win you any favors as far as being moderated go.

                  I don’t happen to agree with her, and I agree that some of her arguments were weak, but you also didn’t give her much space to respond, or much incentive, like you would have if you were acting in a respectful or courteous manner.

                  You can get as annoyed and yelly as you want *but not on this site in response to our authors*. Take a deep breath, walk around the block, or whatever.

                  I am not even a little bit kidding around. This is *exactly the sort of thing that ends up making people not want to write for us who have important things to contribute*.

                  The fact that I largely agree with your points, and that I would have welcomed a guest post from you about them, doesn’t mitigate that, really; it makes me even more frustrated. You don’t have to act this way, and yet you keep doing it. This isn’t the first place I’ve told you to turn down the anger volume.

                  You need to. If you don’t figure out how to do that, you will end up getting suspended the next time it happens.

                  Report

                  • You can get as annoyed and yelly as you want *but not in this comment section

                    I am aware that my habit of emphasizing words can look a bit extreme, or as Kate correctly described, bombastic.

                    I assure you I am nowhere near as angry as I apparently sounded, however, you are right in that it can be read as very angry, and I should stop. So I have now imposed an emphasis rate limit on myself, I get one emphasis a post (Well, let’s say per five paragraphs if I have a long post.) from now until I learn to not abuse them.

                    Thank you for pointing that out.

                    I also entered this conversation angry, but, frankly, that’s what you’re going to get from me with a pro-internet-voting article, at least one that does not lay out a bunch of caveats about how this should never, ever, be used in anything serious. I’ll get angry about almost any article that proposes disenfranchising people, or talks about disenfranchise methods in some sort of technocratic way without actually condemning implementing those methods.

                    However, arguing angry is not useful.

                    She was part of the same conversation we all were, commenting on things that were literally subthreaded to your comments.

                    She’s barely been even in this entire discussion…she has eight total comments, one of them a mere thank you. She hadn’t directly responded to a single non-top-level question anyone had asked of her (Until she responded to me.), and has only responded to questions asked in four top-level ones.

                    As for subthreads, she has responded in a grand total of two subthreads from my posts. The first was a response to dragonfrog’s response to me, which didn’t address anything I said at all. The second one of those was to you, and is indeed technically a rebuttal to my point that computers are insecure.

                    So she has made a response about…exactly one thing I said. She also responded to one of dragonfrog’s top-level similar points with a mention hardware wallets.

                    And…I just summarized basically everything on her part in this discussion. The entire thing.

                    And she has the right to do that. She doesn’t have to discuss anything with us. She can just post an article and never say anything. She can post at whatever level she wants.

                    But I’m not going to pretend she has been in a discussion she didn’t seriously enter until the very post she bowed out of the discussion in.

                    in response to our authors

                    What this is weirdly coming across is that we should be grading new authors on a curve, and we shouldn’t really challenge them in any way, and if they think the criticism is too much we should stop. Which is…I mean, I know that can’t really be what is meant, but it really is sounding like that.

                    I have no idea what new authors are told to expect, and as a new author she seems to have the ability to write an article. It was an incredibly weird topic to pick for an first article (I guess it was the first?), a strange choice that was certainly going to get blowback and anyone who had written about internet voting had to know that. But whatever. I am not the boss of topics.

                    As a new commenter, OTOH…I dunno, maybe she’s not much good at the format or something, maybe it’s a mechanical problem, maybe it was just the migraine. But I rather doubt the problem was me…dragonfrog had almost just as much trouble having points addressed, and was much more polite.

                    you’re treating your lack of paying attention to the whole conversation as her having ignored you.

                    I am paying attention to the entire conversation. In fact, I’m reading it probably the same way you are, via email messages that I often have to click to load the web page for context. I have read everything she said, almost immediately, which, again, has been almost nothing.

                    I am not sure why you think I haven’t read a grand total of eight posts.

                    I don’t happen to agree with her, and I agree that some of her arguments were weak, but you also didn’t give her much space to respond in a respectful or courteous manner.

                    I am not sure that I need to give someone space to respond in any manner if they explicitly said they weren’t going to respond…but I did. In fact, I basically said ‘Ignore that long rambling thing, I just request an answer to these two points’ Not demands, not something she had to answer, two polite requests.

                    …which you, weirdly criticized. I just noticed that. You here criticized me for not giving a space to respond, whereas in your post before, you criticized me for asking for a response to someone who said she was done with the conversation.

                    Report

                    • You need to consider the “oh, I guess I was arguing angry or at least I can see how I was coming across that way more than I should be” top half of your comment in context with the “we should be grading authors on a curve” part of your comment. Do you really think “hey, don’t be an asshole and extra don’t be an asshole if it’s a new author who isn’t invested in continuing to write for us yet,” is me asking you to *grade on a curve*? Who said I was interested in your grading authors in the first place?

                      And you didn’t give her space to respond until *after* she said she was done commenting, before that you probably wrote, yes, several thousand words for every one she wrote. Which was part of the problem with your comments, not hers. (And wouldn’t actually, have been a problem for me *at all* if you weren’t coming across as hostile so often. I don’t care if you are hostile. Actually on this topic I get why you are. But you are not allowed to act hostile. Not “oh, if I do this Maribou will nag me,” not allowed, but actually *not allowed*.)

                      You needed to give her *more* space to respond before you got so angry (or angry-sounding, honestly it doesn’t matter), and *fewer* requests to respond after she already said she was done. That’s not a contradiction. I’m telling you that part of being civil is being aware of the context in which you are interacting with someone. Them explaining that they are unwell and you are commenting in a bombastic style is not them pulling funny business, it’s something I expect you to *take into consideration before you respond*. Not after you get called on it.

                      Also you may have meant your last few questions to be a “hey, ignore the long rambling thing, just address these two points,” but in context it absolutely did not come across that way. It came across as “hey, now that I’ve given my extremely long speech, let me summarize what I expect from you,” which, again, was *your response to her bowing out of the conversation*. Which is not how people *having a conversation* actually talk. People having a conversation respond to those kind of signals by attempting to repair the conversation, or by accepting that it’s over, not by continuing on as they were. As it turns out, you are well aware that several other people posted to disagree with this author, some at length. I would point out to you that all of them managed to do it without messing up like this.

                      If I sound hot, it’s because I am. You are so much better than this. I don’t want you to stop commenting, I want you to stop being a jerk, and I don’t care how provoked you are or how justified you believe you are. If, just *as an example*, someone tells you they have a migraine and they are fed up with your angry comments which I will remind you *involved saying they should be dangled out of a window* right after you said *other people should be arrested for a crime that can lead to execution*, and you have written several essays worth of comments at the point where they say this, anything other than an apology and an offer to re-take-up the conversation, or a *brief* statement that you don’t think they’ve addressed your arguments and you hope they’ll reconsider the conversation, is not particularly civil. It might not be awful but it’s barely making the grade. If they are the author of the post, it is an extra titch noncivil on the premise that they are putting in an effort toward keeping this website going, and as a member of the community I assume you care about that in general, but yet are choosing not to act that way in particular. If not, it might not be more uncivil but I’m still going to be madder about it. If they are a new guest author, it is yet more uncivil because *they are a guest* in our community and should be welcomed, perhaps even MORE so if you think their ideas are dangerous, because how are you ever going to convince them and lead them to your way of thinking by acting like this??? You’re already talking to someone who agrees with you that there are a lot of stupid ideas about internet voting out there, how do you not see this as someone you could actually shift the perspective of? If you are just looking to treat the people you disagree with – no matter how desperately – as targets, you are, in fact, in the wrong place for as long as that is what you are looking for.

                      If I warn you about all of the above very clearly as something that will lead to a suspension and you proceed to *argue* with me in a way that *undermines itself*, that is both uncivil and not very smart. You are smart! You should have the sense not to do that.

                      I’ve been explaining this to you at length so that you have a chance to actually understand the problem. Also for the sake of anyone else who isn’t getting that their conversational tone has to stay somewhere on a spectrum between friendly through neutral through, at worst, fairly frustrated within reasonable bounds (with some amount of grace afforded for responses to people who are actively breaking the boundaries of civility themselves, which is why I could care less that this author called you bombastic).

                      But I’m done explaining this to you, now.

                      Because I don’t like writing long fed-up comments, but also because it’s not my job to prove to you that you’re not doing what I’m telling you to, it’s your job to take what I’ve told you and figure out how to make it make sense to you. Whether that’s by accepting that I have a point and changing your behavior, or accepting that I mean it even though I’m obviously totally in the wrong and changing your behavior, or some other less useful reaction, is up to you. But if it doesn’t involve changing your behavior you *will* get suspended.

                      That’s what it means that I’m the moderator and I warned you that you were going to be suspended if you did that again – it’s not something to fisk or to argue me into submission about, it’s a warning. I recommend you believe me.

                      Report

              • Of course, it is possible that, instead of getting angry, I should have called her out on her faux ‘beleaguered’ position and her lack of arguing in good faith. I just sorta ignored that, because I figured this discussion was too important for me to appear to be wandering off into complaining about mere technicalities. But maybe that would have been a better direction than getting angry and yelling.

                Report

  8. I’m afraid this reads as “Here’s a nifty new technology we can use” that does not, in the end, work as well as pencils on paper.

    Yes, we could use nifty blockchain algorithms and public key encryption and all sorts of fancy stuff that would be fun to code to vote! Except the second it was broken, the entire election is lost because once you’re in you’re in.

    Or you can use paper. Which can be counted by people, recounted by people, read by voters, verified by voters, submitted to courts as raw evidence, counted again — and to be “hacked” requires someone to physically alter or add a ridiculous amount of paper ballots without being noticed by the large numbers or election observers standing around watching for that very visible behavior.

    I cannot understand why we’d substitute a high-tech system (ie, a system mostly applicable in first world countries with stable elections) that, if altered, would be altered in ways unobservable by most watchers and if hacked, would be difficult to flat-out impossible to even freaking tell for a low-tech, easy to use system that can be validated by human eyeballs and audited by human eyeballs, and to be hacked requires easily discernible alterations that can ALSO be detected by human eyeballs. Pretty untrained human eyeballs.

    And yeah — the high-tech version makes it easy to steal entire elections whereas the low-tech one would be incredibly difficult to alter the outcome of the off-year election for county dog catcher.

    It’s a fun idea to play with. But it’s a technical solution looking for a problem, uncaring of the host of much, much worse problems it would create. All the in name of having a “nifty” tech solution.

    As a software developer of two decades now, I’ll take paper, thanks.

    Report

    • Just as a note of the most infamous American “hacks” — the famous rigged machines of Chicago and the dead voting.

      Those were highly limited — it required total precinct control (so not scaleable), required both the physical machines be altered (to change the count), and the voter registration to be altered (to “pad” the registration numbers — if there are 10,000 eligible voters and 9500 turn out, you can’t add 600 more votes without making people suspicious, so you register a 1000 or so more people).

      Neither of which can be done with machines these days (too many auditors from both parties).

      Notice that it was still a machine hack — adding paper ballots or people showing up to vote more than one time or altering people’s actual votes didn’t happen — they padded the count.

      That “hack”, if you tried it with paper ballots today, could be defeated by a random audit of the paper ballots. (You’d quickly find less ballots than voters, in very suspicious percentages). On a pure electronic machine, with no paper record? You could never tell….

      In the end, if you’re gonna use electronic voting booths — they should print out a human readable ballot which is verified by the voter, and subject to random audits of the machine count versus the stored and voter-validated ‘receipts’. Any problems should trigger a full audit, and if necessary a full hand recount.

      Report

Comments are closed.