Why Electronic Voting is a BAD Idea – Computerphile

Why Electronic Voting is a BAD Idea – Computerphile

E-voting is a terrible idea After Hurricane Sandy in 2012, election officials
in some parts of America decided that they’d allow emergency e-voting from home. You’d
download a ballot paper, you’d fill it out, and then you would email or fax it back to
them. And yes, some people still fax. This was a terrible idea, and here’s why. Physical voting is centuries old. In that
time, pretty much every conceivable method of fraud has been tried, and has since been
defended against. Because of that, attacks on physical voting don’t scale well. It takes
so much effort, so many people and it only takes one person to leak your conspiracy and
the whole thing falls apart. Electronic voting, though? You can attack
with one person. It can take about the same effort to change one vote as it does to change
a million. And it can be done without even setting foot in the country whose elections
you’re trying to rig. There are two key parts of an election. Anonymity,
and trust. First of all, anonymity. You cannot let anyone pay, bribe, or threaten in order
to change someone’s vote. If you put any identifying mark on your paper ballot, if you sign it,
if you write your name on it, if you do anything that could, in theory, be used to check how
you voted, your vote is thrown out and ignored, just so no-one can be forced or bribed to
vote a certain way. And yet, because you marked your vote, and
you put it into a sealed box, and that box was only unsealed when it was surrounded by
everyone with a stake in the election, you know that your vote has still been counted,
even though you’ll never see it again. That’s the other key: trust. You never, ever,
ever, trust any one individual. Ideally, you don’t trust any two, or three. People can
be bribed, can be threatened, can be incompetent. I mean, hell, people have been all three of
those things. But like I said: the more physical votes you want to change, the more people
it takes and the less possible your attack gets. Everyone can see what’s happening and
keep an eye on each other, particularly if they don’t trust the other side. So let’s talk about voting machines. Problem 1: Auditing the software and hardware In theory, you could have open source software
that everyone has checked and everyone is happy with and that’s been used for years.
In theory. Never mind that you only actually do a full-scale test of this software every
few years when there’s actually an election, let’s say theoretically it can be done. But how do you make sure that software is
what’s actually loaded on that voting machine in front of you on the day of the election? And I know that immediately, someone is going
to want to comment about checksums or crypto. Which is great, except now you have to trust
the software that’s checking that hash. Or more likely, the one person that’s checking
it for you. You’ve just moved the problem. And if you’re thinking “I could verify that”,
then turn your brain the other way, and think “how could I break that?” because there are
trillions of dollars — that’s not an exaggeration — riding on the result of big elections,
and that’s an incredible motivation. If you’re coming up with sneaky ways to get around it…
believe me, so are lots of other people. It might be one angry techie, but it might
be an entire political party, or the huge corporations who want one party to win, or
entire nation states who want one party to win. And all that is assuming you’re even allowed
to verify the software that’s running, which you never are, because plugging unknown USB
sticks into a voting machine is a bad idea. Not that that stops people plugging unknown
USB sticks into a voting machine. It has literally happened. Let’s remember, these machines have
to be left in a room with the voter and no-one else in order for them to cast their vote
anonymously. Oh, by the way, the machines are frequently programmed by sticking a USB
into each of them in turn, so if you compromise the first one, jackpot. In practice, you don’t have open source software,
you have proprietary, unaudited software which you just have to trust. This is real, by the
way, around the world, there are some elections that run on this. And remember what I said?
This is an election. You don’t trust. And maybe you’re thinking, you could have
an audit trail, you could have a paper backup that the machine prints out as you vote. In
which case, congratulations, you’ve just invented the world’s most expensive pencil. One of
the reasons Britain gives people pencils for voting, by the way, is because we’re worried
that pens might be switched by any voter to contain disappearing ink. Erasing pencil ballots?
Takes time, and if you can do that, you can just throw them away. Disappearing ink? It
might be an urban legend, but it might actually be a plausible attack vector. This is the
level of paranoia we need to work at here. And don’t think you can get away with all
this by using a pile of paper ballots and just counting them electronically, either:
an electronic counting machine is still a black box that a pile of ballots goes into
and a mysterious number comes out of. They’ve got exactly the same problems. Problem 2: Votes In Transit There are three ways of moving the magic electronic
ballot numbers from the voting machines to the final count. You could treat the machine like a regular
ballot box, you seal it in a plastic bag, move the physical machine with two people
in the vehicle to the count, and then unseal it there. No-one does this. You could copy the result onto a handy USB
stick and move that instead. Do I need to run through how easily… no. Okay. Or, and this is what usually happens, you
could tell the voting machine to upload the results over the internet, optionally through
a third central server, and potentially not over a secure connection, and probably without
any checksums or tests. [exasperating] Problem 3: Central Count Program And right at the end, there’s the program
that takes all these numbers, all these votes, and produces a final count. Now you’ve got
all the same problems you have with the individual voting machines, except now only a few people
can even see that machine, and it’s been hidden away in a private warehouse somewhere for
the last few years. Good luck verifying that. And all this — all this — is before we even
talk about online voting. I could talk about all the ways which you
could hijack ballots, block an email address — because after Hurricane Sandy, the ballots
were sent by email — or any of the ways you could do a man-in-the-middle attack on that.
All possible. And those are just if it’s a well designed
system. There are reports of actual live elections
where there were cross-site scripting attacks in the e-voting page, where they’d misspelled
one party’s name, and where they’d put the wrong party’s logo next to a candidate. Sorry,
did I say elections? I meant election. That was all the same election, it was in Hampshire
in 2007. But never mind all that. Depending on which security company you believe,
somewhere around 5% and 50% of desktop computers are infected with something. And that’s just
the scammers trying to set up botnets and minor extortions using private computers.
If you want to affect a load of votes, try infecting the computers at the public library.
But never mind all that. We’ve seen what big scary countries and big
scary corporations can do when they put their mind to it. Given that someone designed an
immensely complicated worm that spread around the world just to break some Iranian centrifuges,
imagine what someone could do if they wanted to throw an online election. Remember, again, when you hear “just trust
us”, or “just trust me”, or “it’s a computer, it doesn’t go wrong” in an election, something
has already gone disastrously wrong. Imagine all this electronic voting, only without
computers. Would you be happy walking up to someone anonymous in a ballot box, or worse,
calling a number on your phone, just telling them your vote — but they promise to keep
it secret — and at the end of the election all those people, who have been sitting on
their own, phone up one other person in private and tell their results, and then that final
person — who promises to count it all up accurately — announces who’s won? Because
that’s essentially what electronic voting is. It is a terrible idea, and if a government
ever promises to use it, hope they don’t manage it before you get a chance to vote them out.

100 thoughts to “Why Electronic Voting is a BAD Idea – Computerphile”

  1. In France some municipalities use electronic voting (like mine…) other don't.
    Really a terrible idea. But very few seems to debate it here, sadly…

  2. Computerphile: this is such a fantastic video! I have been reposting it on FB for several years to help educate people about the need for paper ballots and hand counting vs the dangers of electronic voting and counting machines.

  3. How about using blockchain for voting? Votes are administered by a central authority and you can verify that your vote definitely went to the correct candidate because you can check the public key associated with your vote. Thoughts?

  4. You are fear mongering. If you can do banking online, you can e-vote. You just need the people who design the system to be intelligent enough. There is one to many ways to counter every single argument you have presented there.

  5. 1:00 Does Tom not realise that in the UK there is a number on your ballot paper and that it is written against your name on the register as the ballot paper is issued to you?

  6. Actually this would be possible with blockchain technology, you can have tamper proof identities and the technology prevents the double voting problem. Smart contracts could automate an election with full transparency since you can see all the records on a public ledger.

  7. I don't think there has ever been a case in UK elections where a recount has produced the same result as the original count. I feel that is more than enough to make a secure electronic voting.

    Even being against electronic counting is ridiculous, banks have been counting crumpled notes correctly and they would be losing out for getting that count wrong

  8. We could use Monero for voting. Everyone gets a wallet with the value 1. You can send a transaction to the wallet you are voting for and it will be mixed with other votes and no one will know who you voted for.

  9. I am not a voter in UK, but please let me know, if on any step, during counting the votes, you are now using a computer 😉

  10. Well, that was prophetic.

    This is me trying to explain the problems with Brexit. Which shows it's not just voting machines that are problematic.

  11. But like….how do you manage paper ballots for nations with a huge population density like say, Japan or Taiwan?

    There has to be some system that we can use to automate this process and still be secure, otherwise we are going to lose democracy to the march of progress.

  12. How dare you expose our Electronic Voting Scam, Tom Scott !! How are we going to rig our elections now… ?
    The Socialist Republic of California depends on Fraud and Corruption to operate !! Ban Electronic Voting Machines !!

  13. 3:40 he just dont understand that democracy is all about trust…in the elite dont cheat and steal from us…as is proven they do all the time…every day live on TV…

  14. I'm so confused, why is it a big deal to keep your vote secret, news stations do random polling all the time, but that is not secret??

  15. Let's also talk about the fact that votes might actually not matter if the ones who count the votes are biased 🙂 You only need to get 51% more than your opponent, so even a 15% bribe margin will tip the scale.

  16. Electronic voting can work but it need to be done through mobile providers and use dual sim authentication lol

  17. A paper blockchain where everyone's SSN is their public key that contains one vote. They mark it and mail it to anyone and everyone they want who has to solve the hashes by hand in order to verify them

  18. Much of this, the problems with electronic-hardware or software controlled and/or network-Internet voting, still exist. This is likely why voting was compromised by Russia getting Trump to become president.

  19. I could see an electronic vote counting machine working, with paper ballots.
    All you’d need is a small box or folder of randomized test ballots. These ballots would be clearly marked as test ballots in a way that’s not visible to the counting machine. Multiple people from different political parties will count them by hand and find the correct number of votes each candidate got in the test election. Once those numbers are recorded, the test votes are sent through the machine before the actual ballots. If the test counts match up with what was previously recorded, the machine can be trusted as accurate. After that, just reset the counters and send the real votes through. If instead the machine’s test counts don’t line up, the ballot box can remain sealed until a properly working machine is found or built. Or the real votes could be counted by hand if need be.

  20. Using crypto so you can check and verify in the blockchain, mathematically is the only way to do it without corruption.

  21. Wait… here in the US we use electronic voting. Which gets sent to an electoral college to count. Which then makes a choice based on the results they get (and in some states legally doesnt have to be the same as the popular vote) and sends in their vote to the final count. We've already done everything wrong.

  22. It's possible, voting on block chain, using credentials set up prior, National ID for login & password. If anything, it's more secure from tampering, as long as no man in middle attacks.

  23. You need to understand hash sums w/ security validation. Paper ballots are severely antiquated and are still tallied electronically. Too many ways to validate the count w/o a hacker trashing the system. Validation, validation, validation – it takes work and it's the only way to maintain honesty. A clean system can be confirmed by software engineers. Cheating government officials are the biggest threat. I'll never trust paper ballots, especially after the FL hanging chad votes 14 years ago.

  24. I don't understand how the pocket protector crowd came up with the computer and don't have the ability to make them hack free. Why can't they come up with a read only type system. Maybe I'm not saying it correctly but I'm talking about a program that only allows a person to mark a single line and not be able to be manipulated. I feel we're letting technology go faster than we can control it.

  25. But we'll, in Greece, there aren't really people whose job is to count. They are just called before the election to do the counting chore for effectively nothing in return. Which is totally unfair. One is the only solution I can think of: counting machines that are used by the counting people, that take the ballots, scan them one by one, and output the results in the end. No internet, not other input that ballots (eg. No usb) no networking, no nothing. They just count ballots, quickly and efficiently. People would have of course to operate it, but I guess they would prefer using that machine instead of counting votes by hand.

  26. Thinking this way is naive. The voting box can be cheated the same way as online voting and online voting can be protected the same way as box voting.

  27. If you're using the internet to transfer money, by your behaviour you're showing that you don't actually think doing important things through the internet is so risky.

  28. So in the end, both physical and electronic voting are hard, but not impossible to break. Just in different ways. Both methods in the end rely on trusting a human. And it still feels like a computer could be made to be more secure in that it is a piece of technology and technology on its own is impartial.
    Hacking physical voting, although hard to scale, as you point out, has had numerous examples around the world of being done. I can point out Bulgaria as a strong example. There were video recordings of fake ballots being filled in by the people responsible for counting (the humans we supposedly trust). And Tom says it is better and hard to hack. It's not either of these. It's just different. Whereas in electronic voting, at least, you can track some of the history of the data processing and transfer.

  29. Just spitballing ideas, to address the "trusting the vote counter" issue. What if each electronic vote was sent to several """"trusted"""" parties, each one having some stake in the election. Each of them had to produce a final count independently. If anyone's count differed from the others', the entire election would be thrown out.

  30. you would think election security would be a bipartisan agenda item in the US … nope and no one is doing anything about it.

  31. Wait a second. Trillions of dollars are also managed by banking apps today. By comparison to their life savings, a vote is much less valuable to an individual. If all apps for voting are so insecure, why do we use them for banking? Someone explain in detail please.

  32. I know it’s just a video game, but Payday 2 touches on this.

    You play a heist mission where you steal some electronic voting machines, and rig the election, and the voters are none the wiser to the fact they’ve already voted for a pre selected candidate.

  33. In India we use electronic voting.
    It'd affect the environment if we use ballots for a billion people. 😅

  34. Open-sourced decentralised private crypto-token voting.
    1. Voters vote with their own trusted software, with their own private keys stored on dedicated hardware
    2. All votes are recorded on the public blockchain verifiable by anyone but voting choice is private so that anonymity is preserved
    3. Voting result can be calculated by anyone who can access the blockchain

    The only problems now are trusting the hardware key manufacturer and the existing problem of being unable to verify the number of eligible voters

  35. The entire counting process must be observed by the unaided sense of all interested parties in order to maximise trust in the results. You cannot observe the processes within a computer chip with the unaided senses.

    So … if they can't rig the voting itself, they'll rig the electorate instead … hence, mass immigration. Dissolving the democratic voice of the native population with people holding different cultural values.

  36. If you have something important, simply don't use general purpose computers. I fail to see why evm's can't be designed (on a hardware level) to only allow voting.

    Each person is assigned say a private key at your government agency with a piece of photo ID or whatever, then they use that key when they vote at their local voting machine booth. Make all software and hardware involved opensource.

    If the key is hard to remember, simply have a little pocket device inputs the key into the machine. Doesn't have to be USB, could be a single wire with the device running on battery, but shouldn't matter. You probably can't hack a machine that only has hardware that counts votes.

    Anybody care to tell me how this system won't work?

  37. Eletronic voting has its flaws, but pretty much all of the concerns pointed out on the video were addressed in Brazil, and have been using it without major problems since 1996. No online voting though.

Leave a Reply

Your email address will not be published. Required fields are marked *