Just looking at the presentation right now (will wade through the comments later), and I get to Slide 8 and my immediate, visceral reaction is “HELL NO.”
I do not trust any form of voting that does not include a physical ballot, precisely because I work in the software industry.
- Free is good.
- Available anywhere: on one hand, that makes voting accessible, but it also means that it’s hacking accessible.
- Open source is good, but why should we trust that the open source software we’re looking at, that everyone has vetted as being good and trustworthy, is what is being used?
- Doesn’t distributed simply mean that someone has direct, local access to the code? Besides, there is nothing so complex about any voting method (that voters would accept) that requires computers, let alone the level of processing that would make distributed computing anything but a waste of time.
- How do we know that what is being audited is what is actually happening?
- How is it possible to ensure that a ballot is both verifiable and what it claims to be?
- No Comment
- How is it possible to ensure that a ballot is both secret and verifiable?
- How many personal computers have adequate anti-virus protection that they can’t be hacked? How can we know that the 10-20% increase in voter turnout that one might see is because more voters are voting vs more voters’ compromised computers are voting?
- Increased ease of registration/re-registration also means increased ease of Man-in-the-Middle attacks.
- According to current projections, the entire concept of unhackable software will cease to be a thing in less than a decade thanks to Quantum Computing. Even if it takes 3 decades, adopting this now would mean that you’d have an entire generation thinking that “Internet Voting is just how things work” accepting it without thought when those with power/money/influence get ahold of computers that can trivially hack most anything.
…trivial Man-In-The-Middle Attacks
…access points for Black Hats to compromise numerous voters.
Even if the software is Read Only, the computer itself could become a MitM agent, as we saw in Texas this election season, where voters cast “Party Line: Democrat” votes, and the confirmation page showed them voting for Ted Cruz.
Without a human-readable, physical ballot that the voters could confirm as theirs, there is no reason to trust the results.
If it’s not physical, what’s to stop a malicious program from changing the vote to the “right” vote after the voter confirms their intent?
If it’s not human readable, what’s to stop that malicious program from saying the vote was cast for A while actually casting a vote for B?
And here’s where the MitM attack happens: where do they get the ISO? How do they know that it’s the right ISO? If it’s OpenSource that means that all the APIs and Hooks etc would be available for anyone to see and emulate, doesn’t it? Who’s to stop a BlackHat from creating an OpenTheft ISO and publishing it?
Like “codeword”? 123456? [Voter’sMiddleName]? [A Go-To-Password that a hacker got from some breach or another]?
Cool stuff, but how could that go wrong?
What if a BlackHat registers to vote for you, before you do, and has a MitM that makes you believe you’ve registered? Then a voter will believe they voted, will be able to confirm their vote, but they will be confirming a vote that will never be counted because their “real” vote is the one cast by the BlackHat.
That’s the current state of affairs, isn’t it? So that isn’t changing anything.
which means that the vote could be hacked at any point right up to the close of the election. The more time you give between when the data is first visible to a Black Hat and the closing time of the election itself, the more time that BH has to figure out how to break in, the more time they have to make their modifications look natural.
That just means that any validation by the voter that occurs before the election is closed is meaningless; the vote for the targeted races could be changed after they validated things. I’m imagining someone coming out with a new ad a few days before the election’s closing date, and a virus choosing some plausible, random time after that ad’s release to change the vote as though it were influenced by the ad.
And yes, Blockchain is amazing technology… but you’ll note that most of my concerns about security aren’t problems with encryption, but with people. Someone (probably the CIA) dealt the Iranian Nuclear program a major setback not by hacking their encryption, but by leaving USB sticks lying around and hacking the users that could get inside the layer of encryption.
Current encryption protocols aren’t the weak point. Upgrading from 128bit to Blockchain encryption is analogous to upgrading from a hollow steel door to a solid steel door; a definite improvement to security, but largely irrelevant when there are windows that people open to get fresh air.
That introduces Game Theory into it, which is a horrible thing. People who think that their candidate has already lost won’t bother voting, nor will those who think that their candidate has it in the bag.
People who think that their vote won’t change the outcome might change their votes to better match their conscience (which means “change their vote” attacks would be less suspicious).
…are you trying to make this hackable? All a Black Hat would need at that point is data on who is eligible to vote and who isn’t registered to vote (both of which are public information), and IP spoofing tech (and possibly MAC address spoofing), and they can “recruit” enough perennial non-voters that the election goes precisely how the Black Hat wants it to.
And even if they needed more forms of authentication to register, that will A) effectively disenfranchise voters the same way that Voter ID laws do, and B) be easily surmountable, given the numerous data breaches lately (credit score companies, Facebook, etc.).
I am literally one in 3.3M people who voted for the President in my state. The idea that I have a voice is way less important than ensuring that every voice heard is actually the will of the person that voice properly belongs to.
You claim that I can trust the system, but why should I?
Why not? How does this achieve that (given that such a change requires a constitutional amendment)?
Again, how? Nothing I saw in the presentation even mentions gerrymandering, let alone deals with it.
Now you’re just making things up.
You’re aware that basically every candidate with a chance of winning rejects public funding, right? Anyone who has a chance of winning can get more money if they reject public money. The Washington Post puts the amount of free money candidates turned down at a little less than $300M. The only candidate for president in 2016 who took public money was Martin O’Malley, who I was not even aware had run.
Thus, practically speaking, the options that I see would be to jack up the amount of public money (available for every candidate? How will you keep that from bankrupting the nation?), or admit that it’s really only relevant for “also-ran” candidates.
Good. Neither Businesses nor Unions have any place in our political process.
…how does your proposed system make that happen, though?
Candidates advance based on merit, not money
How? Why is it money is relevant now, and how do you intend to eliminate that relevance?
Lowered influence for mass media news outlets.
Increased accountability for Lies.
Reduced time spent on re-election by seated politicians
How? I understand those are great goals, but …how does this achieve them?
For example, even if you got fundraising out of the equation (which I don’t believe possible), they would simply spend more time on other things that ensure their reelection (shaking hands, kissing babies).
Cardinal voting removes the spoiler effect
Spoilers still exist in both of the methods you explicitly called out (RCV is just bad, and STAR has spoilers in Condorcet Cycles)