back to article Worried about election hacking? There's a technology fix – Helios

Election hacking is much in the news of late and there are fears that the Russians/rogue lefties/Bavarian illuminati et al are capable of falsifying results. For example, voters in the state of Georgia's sixth district are going to the polls on Tuesday for a close-fought election, and serious doubts have been raised about the …

Silver badge

Re: No, elections don't work this way

That still doesn't help against ballot swapping, where the boxes or contents are switched out via a Kansas City Shuffle and the switched contents also have the same number of ballots.

What man can make, man can also usually subvert.

3
1
Bronze badge

Re: No, elections don't work this way

You can only have trust in a system you can understand, and elections are all about trust.

Shirley you must be joking. Elections are about who's the biggest liar with the biggest spending account for electoral bribes and advertising.

0
3
Silver badge

Re: No, elections don't work this way

Yes, but such fraud is more easily detected by a lay observer than the equivalent switcheroo of electronic ballots.

Swapping out a few paper ballot boxes means printing and manually marking those ballots, then arranging for them to be swapped out at the right moment and the real ones destroyed.

This involves a lot of people and affords a lot of opportunities to get caught.

Swapping out electronic ballots means connecting to the system with your BallotHackTM machine for a few seconds - whether locally or remotely.

Faking large numbers of paper ballots takes a lot more manpower than faking electronic ones, and so is more likely to be spotted.

A concerned citizen can follow paper ballots all the way from printing, right through to the count, and it doesn't require them to have any specific technical expertise.

Inspecting and monitoring electronic ballots requires a lot of technical expertise, and is effectively physically impossible anyway - how do I check that the hardware and code running in the machine is the one you said it was?

That's the point.

1
0

Re: No, elections don't work this way

I'm not worried about boxes shifting, since my campaign manager can keep finding more ballots in the trunk (boot) of his car for each recount!

0
0
Silver badge

Re: No, elections don't work this way

You underestimate the size and power of political parties (or as they were known in the Gilded Age, political MACHINES).

0
0
Silver badge

The description of Helios sounds a lot like Apache STeVe. I recently ran an election using that[1]. Each voter was referenced by an anonymised hash, generated by the system and known by the voter but not by anyone else. If there had been any question of foul play, we could've enabled individual voters to view their votes as keyed by the hash.

I daresay there are other such systems around.

[1] That election was for a VP post within Apache - four good candidates but no controversy.

4
1
Anonymous Coward

+1 for SteVe. Great system for handling little votes and far easier to understand than whatever homomorphic witchcraft is going on within Helios.

Still wouldn't run a country on it, though.

1
0
FAIL

Trust

The problem with all the encryption based systems is trust. The general population has to be able to trust that the election was run fairly.

In order to trust an election system you have to have some understanding of how it works.

Try explaining public/private key encryption to the ordinary "man in the street".

3
0
Bronze badge

Re: Trust

Encryption? That's something the terrists use, right?

2
0
Anonymous Coward

I can tell you what Helios' REAL problem is..

"In the United States, the most difficult aspect of that question is that decisions on voting systems and equipment are very decentralized. So I don't see a way in which a Helios-type system is in broad use in 2020," he said.

"If anything, the difficulty of running pilots with new voting technology is probably the biggest impediment of all: no one wants to use a system that hasn't been proven at scale in national elections.

No, no, no. Let's rewind a moment: we are talking about the US here, so let me correct that last sentence with a dose of reality:

no one wants to use a system that does not make a vast amount of profit

If security or veracity of votes had ever been a consideration, quite a number of the current systems would not have even passed cursory evaluation, let alone any in-depth review prior to procurement. From that it logically follows that choice is not based on quality. Given the at best vaguely reviewed spending of government pork, that leaves a simple conclusion: nobody will touch anything from the socks and sandals brigade, even if the commie tag has now been made acceptable by Trump, because that doesn't make enough profit for a select few.

That's just NOT going to happen.

3
0
Silver badge
FAIL

It's total bollocks

Everyone seems to have missed the point here.

It's not whether Helios is secure or not. It's not about whether Helios keeps your vote truly private or not. It's not about whether the election systems that register the votes are unhackable or not.

It is about whether users' computers have been hacked or not. And we know, from all the botnets out there, that a lot of them have been hacked without the users even knowing. There will be a big demand for vote-changing hacks.

Sure, it ought to show up. If enough people complain that the system wouldn't let them vote because it claimed they'd already voted then that might trigger doubts. But would it be enough in a country where the Florida recount was prematurely halted? Would it be enough in a country where some exit polls have differed drastically from the actual result, strongly indicating serious vote rigging, but the matter was ignored?

A really smart hijacking attempt would monitor social media to figure out which users are unlikely to bother voting and vote for them. Sure, turnout would be abnormally high (the first time it happened, on subsequent votes it would be the new normal) but relatively few would complain that the system wouldn't let them vote.

The day we have operating systems and applications that are provably immune to hacking of all forms will be the day that Helios would be a sensible idea. We could use it to vote on which squadron of pigs flying in formation over the ice-rinks of Hell gave the best display.

2
0
Silver badge

Re: It's total bollocks

"The day we have operating systems and applications that are provably immune to hacking of all forms will be the day that Helios would be a sensible idea. We could use it to vote on which squadron of pigs flying in formation over the ice-rinks of Hell gave the best display."

Ballot box swap done by a Kansas City Shuffle (a distraction opens a chance to switch them without anyone noticing). Purely physical and, done right, undetectable because the counts can also match. There, I pretty much proved your hypothesis impossible since this is essentially a Sneakernet hack that's pretty much always a possibility.

0
0
Silver badge

Re: It's total bollocks

@Charles 9

Yeah, a ballot box swap is possible. Kinda hard to carry off nationwide, though. You have to wait for (or manufacture) a suitable distraction. And then not get spotted doing it. Repeatedly.

OTOH, there are shitloads of botnets running on zombies. Rigging votes is just one more incentive for crackers to infiltrate computers. Or, to put it another way, an additional revenue stream resulting from computers they've already infiltrated.

Also, even if vote-rigging by computer is suspected, or even proven, perhaps the ensuing chaos and mistrust is what was intended anyway.

1
0
Silver badge

Re: It's total bollocks

But not impossible, especially if you combine this with things like bribes and a political machine as large as a major political party. And if you think that's not possible, recall that the term "political machine" dates back to the Gilded Age in the late 19th century. This alone proves there's no real way to make an election truly trustworthy. And unfortunately, when it comes to something like this, it really is all or nothing, as one bad apple can spoil the entire election.

0
0
Anonymous Coward

Re: It's total bollocks

A ballot box swap should be trivial to detect by any number of measures:

1) Never having a ballot box anywhere except in plain sight of at least 2 people, and as many people as want to watch it

2) Keeping track of which ballot papers are issued to which station, through colour, serial number, shape, randomisation of candidate ordering etc. etc.

3) Stick a big tamper resistant location label on the side

4) Chain it to the floor, or the van, or the nice policemen who are here to ensure there's no jiggery pokery with the ballot

and so on and so forth.

Paper voting: it just works.

5
0
Silver badge

Re: It's total bollocks

"Chain it to the floor, or the van, or the nice policemen who are here to ensure there's no jiggery pokery with the ballot"

The nice policemen who are paid by the ruling party in places like Zimbabwe, for instance?

2
0
Anonymous Coward

Re: It's total bollocks

Ballot box swap done by a Kansas City Shuffle (a distraction opens a chance to switch them without anyone noticing). Purely physical and, done right, undetectable because the counts can also match ...

A ballot swap is easily and conclusively detectable if ballot papers carry unique serial numbers (as they do in Canada, for example). This security measure may have a possible side effect of making votes personally identifiable. To guard against this possibility, you can try to make it harder to correlate voter's identity and the ballot's serial number. Again in Canadian system, this is achieved by splitting the tasks of checking voter's identity and issuing the ballot paper between the two people working each polling station, and keeping both processes manual (computerising the process would make it too easy to correlate the datasets through the timestamps). The price you have to pay for the vote privacy is that once a ballot paper with a correct serial number entered the ballot box, it can no longer be tied to a voter's identity. As the result, while you can still detect voter impersonation (assuming that the rightful voter shows up to cast the vote, of course) and multiple voting, it is no longer possible to correct for it. This is however sufficient to decide whether the number of fraudulent votes is large enougn to invalidate the result.

The bottom line is that a well-designed paper-based election is hard and expensive to hack without detection, with the costs and difficulty at least proportional to the number of polling stations.

4
0
Silver badge

Re: It's total bollocks

I am prepared to argue that part of the problem in the US stems from evisceration of the traditional "machine" political party organizations, which performed a number of useful quasi-governmental functions including, not insignificantly, voter education and turnout management.

0
0
Silver badge

Re: It's total bollocks

"Paper voting: it just works."

So do insiders.

0
1

Re: It's total bollocks

This can happen in any solution.

1
0
Silver badge

Re: It's total bollocks

So no solution is bulletproof, and if no solution is bulletproof no solution is truly trustworthy, and if a solution is not truly trustworthy, someone will eventually have enough of a grudge to usurp the system.

0
0
Silver badge

Re: It's total bollocks

"The bottom line is that a well-designed paper-based election is hard and expensive to hack without detection, with the costs and difficulty at least proportional to the number of polling stations."

But if an organization is big enough and determined enough (like a major political party or machine), then you still can't discount the possibility of insiders throughout the voting system as well as well-coordinated efforts to slip things through. Remember the Gilded Age. You also can't discount conspiracies of all the parties actually working in cahoots to subjugate the proletariat.

0
0
Trollface

Same old? http://xkcd.com/463/

1
0

UK non-anonymous voting and re-counts

@Anonymous Coward > "UK voters may notice that the ballot paper has a unique number on it, and the person handing them out in the polling station writes down your electoral registration number on a list of other numbers. That makes me uncomfortable every time I vote. It seems an easy way for votes to be connected to individuals.(*) Perhaps someone more observant (or knowledgeable) could confirm whether my suspicions are correct or I'm being unnecessarily paranoid."

I believe that one of the powers of the Speaker of the House of Commons is the ability to authorise a check on who voted for whom in an election. This would only be in very exceptional circumstances, maybe where there is evidence or suspicion that votes were being procured in illegal ways, such as bribery or coercion.

As Tom Stoppard pointed out, democracy is in the counting of the votes, so a system where everyone can verify the result, rather than relying on an old Widows XP spreadsheet would be good.

The reason why close results were often sent back for a recount is that hand counting ballots rarely obtains the same result twice. In the UK, a re-count would mean that postal ballots would also be counted, as they were generally not included in the first count.

(* this is the most (only) referenced part of my own humble contribution on cryptographic voting schemes, no mention of my proposed scheme, or what one actually wants from a voting scheme, no, just the fact that in the UK votes are no necessarily secret, sigh :o( mutters on and on and on ... )

0
0
Silver badge

Re: UK non-anonymous voting and re-counts

Bzzzt! Yes, postal ballots ***ARE*** included in the count.

I was at a general election count two weeks ago (god was it that recent?) and the procedure is the same for locals.

Stage 1:

Postal vote boxes opened and emptied onto the tables. Count supervisor typically says "Postal votes, xxxx ballots". Count staff count the ballots and bundle them into (typically) 50s. The bundles are counted to check they match how many were received. If there is a mismatch they are counted again until they get it right.

Polling station box opened. Count supervisor typically says eg "Box 23 St. Mary's, xxxx ballots". Procedure continues as above.

Repeat for each polling station box.

Stage 2:

Chunks of 50-bundles are brought to the tables, and they are seperated into piles for each candidate.

Stage 3:

Seperated piles are counted into bundles of 50. Quick chat with agents regarding spoiled ballots. Returning offficer tallies them up to final total. Quick chat with agents regarding final totals and chance for recount if close. Returning officer announces result.

A recount can be a bundle check, where the bundles are flicked through to visually check if a ballot has been misplaced. Or it can be a full start-again and re-sort and re-do everything check as happened in Fife where the majority ended up being 2.

I used to have a very useful training video which if I still had I'd put online.

0
0

Money does drive electronic voting

I am not as cynical as some, but the adoption of electronic voting in the US was certainly driven in part by money. There was the mess in 2000 in Florida, followed by hundreds of millions of $$$ raining down from the federal government to upgrade voter systems. In 2000 electronic voting machines were a very expensive solution looking for a problem to solve, and suddenly they were affordable. Everything is "cheaper" when you are spending grant money, and electronic voting companies were like a monorail salesman in a certain Simpsons episode.

The other part that drove electronic voting was access - handicapped rights groups and immigrant rights groups joined hand-in-hand to demand the computer-based voting machines because they make access modestly better - video screens can expand text for the visually impaired, and once you have translated the ballot to another language, there is no extra printing costs to keep enough ballots on hand in each language. And it is hard for many politicians to say "no, it costs to much" to such groups.

The cost? My community spends ~$14K per optical scanner for paper ballots (one per precinct) which last 15-20 years, ~$1.5K per machine per election to program the chips, and around $2K per precinct to print ballots (plus staff, etc). We spend $50 per voting booth (heavy folding cardboard) that last 8-10 years; we have 50 booths per precinct. We also have one booth per precinct at a table with a fancy magnifying reader (~$500) to blow up the paper ballot for the visually impaired. We get initial vote counts 2-5 minutes after the polls close (excluding write-ins).

If we had computers, that is $3K-$5K per voting machine. Several $hundred per election per machine to program - less per unit than our $2K/optical scanner because of volume, but much more in total, OTOH no printing costs. The voting booths would be wood or metal due to weight, which aside from cost (not sure how much, but I'll guess ~$250/booth), means more storage space between elections and more labor costs to set up/tear down. And after 10-12 years, the machines are near their end of useful life (http://thehill.com/policy/cybersecurity/222470-states-ditch-electronic-voting-machines). Since they whole setup is so expensive, you buy as few voting machines per precinct as possible, which means longer lines than paper ballots - which can yield (somewhat ironically) less access. My state requires a minimum of one precinct per 6,000 residents, so pick a community size and you can do the math to guesstimate the cost. The bottom line is, if paying out of local taxes, very few communities would choose electronic voting over paper ballots.

And if you lose power or have other technical problems, those paper ballots can be counted by hand. With electronic voting machines you're screwed (and that has happened).

1
0
Bronze badge
Boffin

Low turnouts and 2 party systems go hand in hand as a large part of the electorate dont like any of the options presented. and if the ruling party has control of the districting, you get guys called gerry making salamanders and headphones on the map so the opposition supporters waste more votes ....

then you end up with a party in power that less than 10% of the elegable population actually voted for.

if you are going to go to compulsory voting, it has to be acompanied by a change to the voting system and an re-balnacing of the status quo.

the only option is to bring in more proportional voting, I have a method that i think will work for a two house system, it uses single member Instant-runoff voting (IRV) districts for the lower house with direct representation, and simple party list Proportion Representation (PR) for the upper house. So you get to chose the representative you want for local issues, and the party you agree with for wider ones.

districting should be handled by non-partisan independant authorities on a geographic basis taking into account only numbers of elegable voters, not demographics, to ensure equal representation.

If you're gong for a seperate head of state, IRV is not bad, this way most people will end up with someone they can stand.

0
0
Silver badge

"districting should be handled by non-partisan independant authorities on a geographic basis taking into account only numbers of elegable voters, not demographics, to ensure equal representation."

As long as you get humans involved, someone's going to be nefarious enough to try to subvert them. Why not set it up by algorithm where color-blind head count is the only metric? Say require that districts be of equal numbers of people give or take a small number and then have ti draw out districts as compact in geographic area as it can until it's forced to reach out to get enough people? With no human intervention, there's almost no way to game the system unless you're into planned neighborhoods and districting.

0
0

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Forums

Biting the hand that feeds IT © 1998–2017