Why Electronic Voting is a BAD Idea – Computerphile


E-voting is a terrible idea

After Hurricane Sandy in 2012, election officials in some parts of America decided that they’d allow emergency e-voting from home. You’d download a ballot paper, you’d fill it out, and then you would email or fax it back to them. And yes, some people still fax. This was a terrible idea, and here’s why.

Physical voting is centuries old. In that time, pretty much every conceivable method of fraud has been tried, and has since been defended against. Because of that, attacks on physical voting don’t scale well. It takes so much effort, so many people and it only takes one person to leak your conspiracy and the whole thing falls apart.

Electronic voting, though? You can attack with one person. It can take about the same effort to change one vote as it does to change a million. And it can be done without even setting foot in the country whose elections you’re trying to rig.

There are two key parts of an election. Anonymity, and trust. First of all, anonymity. You cannot let anyone pay, bribe, or threaten in order to change someone’s vote. If you put any identifying mark on your paper ballot, if you sign it, if you write your name on it, if you do anything that could, in theory, be used to check how you voted, your vote is thrown out and ignored, just so no-one can be forced or bribed to vote a certain way.

And yet, because you marked your vote, and you put it into a sealed box, and that box was only unsealed when it was surrounded by everyone with a stake in the election, you know that your vote has still been counted, even though you’ll never see it again.

That’s the other key: trust. You never, ever, ever, trust any one individual. Ideally, you don’t trust any two, or three. People can be bribed, can be threatened, can be incompetent. I mean, hell, people have been all three of those things. But like I said: the more physical votes you want to change, the more people it takes and the less possible your attack gets. Everyone can see what’s happening and keep an eye on each other, particularly if they don’t trust the other side.

So let’s talk about voting machines.

Problem 1: Auditing the software and hardware

In theory, you could have open source software that everyone has checked and everyone is happy with and that’s been used for years.
In theory. Never mind that you only actually do a full-scale test of this software every few years when there’s actually an election, let’s say theoretically it can be done.

But how do you make sure that software is what’s actually loaded on that voting machine in front of you on the day of the election?

And I know that immediately, someone is going to want to comment about checksums or crypto. Which is great, except now you have to trust the software that’s checking that hash. Or more likely, the one person that’s checking it for you. You’ve just moved the problem.

And if you’re thinking “I could verify that”, then turn your brain the other way, and think “how could I break that?” because there are trillions of dollars — that’s not an exaggeration — riding on the result of big elections, and that’s an incredible motivation. If you’re coming up with sneaky ways to get around it… believe me, so are lots of other people.

It might be one angry techie, but it might be an entire political party, or the huge corporations who want one party to win, or entire nation states who want one party to win.

And all that is assuming you’re even allowed to verify the software that’s running, which you never are, because plugging unknown USB sticks into a voting machine is a bad idea. Not that that stops people plugging unknown USB sticks into a voting machine. It has literally happened. Let’s remember, these machines have to be left in a room with the voter and no-one else in order for them to cast their vote anonymously. Oh, by the way, the machines are frequently programmed by sticking a USB into each of them in turn, so if you compromise the first one, jackpot.

In practice, you don’t have open source software, you have proprietary, unaudited software which you just have to trust. This is real, by the way, around the world, there are some elections that run on this. And remember what I said?
This is an election. You don’t trust.

And maybe you’re thinking, you could have an audit trail, you could have a paper backup that the machine prints out as you vote. In which case, congratulations, you’ve just invented the world’s most expensive pencil. One of the reasons Britain gives people pencils for voting, by the way, is because we’re worried that pens might be switched by any voter to contain disappearing ink. Erasing pencil ballots? Takes time, and if you can do that, you can just throw them away. Disappearing ink? It might be an urban legend, but it might actually be a plausible attack vector. This is the level of paranoia we need to work at here.

And don’t think you can get away with all this by using a pile of paper ballots and just counting them electronically, either: an electronic counting machine is still a black box that a pile of ballots goes into and a mysterious number comes out of. They’ve got exactly the same problems.

Problem 2: Votes In Transit

There are three ways of moving the magic electronic ballot numbers from the voting machines to the final count.

You could treat the machine like a regular ballot box, you seal it in a plastic bag, move the physical machine with two people in the vehicle to the count, and then unseal it there. No-one does this.

You could copy the result onto a handy USB stick and move that instead. Do I need to run through how easily… no. Okay.

Or, and this is what usually happens, you could tell the voting machine to upload the results over the internet, optionally through a third central server, and potentially not over a secure connection, and probably without any checksums or tests. [exasperating]

Problem 3: Central Count Program

And right at the end, there’s the program that takes all these numbers, all these votes, and produces a final count. Now you’ve got all the same problems you have with the individual voting machines, except now only a few people can even see that machine, and it’s been hidden away in a private warehouse somewhere for the last few years. Good luck verifying that.

And all this — all this — is before we even talk about online voting.

I could talk about all the ways which you could hijack ballots, block an email address — because after Hurricane Sandy, the ballots were sent by email — or any of the ways you could do a man-in-the-middle attack on that.
All possible.

And those are just if it’s a well designed system.

There are reports of actual live elections where there were cross-site scripting attacks in the e-voting page, where they’d misspelled one party’s name, and where they’d put the wrong party’s logo next to a candidate. Sorry, did I say elections? I meant election. That was all the same election, it was in Hampshire in 2007. But never mind all that.

Depending on which security company you believe, somewhere around 5% and 50% of desktop computers are infected with something. And that’s just the scammers trying to set up botnets and minor extortions using private computers.
If you want to affect a load of votes, try infecting the computers at the public library. But never mind all that.

We’ve seen what big scary countries and big scary corporations can do when they put their mind to it. Given that someone designed an immensely complicated worm that spread around the world just to break some Iranian centrifuges, imagine what someone could do if they wanted to throw an online election.

Remember, again, when you hear “just trust us”, or “just trust me”, or “it’s a computer, it doesn’t go wrong” in an election, something has already gone disastrously wrong.

Imagine all this electronic voting, only without computers. Would you be happy walking up to someone anonymous in a ballot box, or worse, calling a number on your phone, just telling them your vote — but they promise to keep it secret — and at the end of the election all those people, who have been sitting on their own, phone up one other person in private and tell their results, and then that final person — who promises to count it all up accurately — announces who’s won? Because that’s essentially what electronic voting is.

It is a terrible idea, and if a government ever promises to use it, hope they don’t manage it before you get a chance to vote them out.

100 thoughts on “Why Electronic Voting is a BAD Idea – Computerphile”

  1. The real way to break it is to do what the mafia did with gambling: instead of being gamblers themselves and having to, for instance, fix boxing matches, they simply took over the industry itself, so that WHOEVER won the fight, the house (and the mafia) would win. How do you break an election? By offering the public a choice between candidates who are only superficially different — different in their physical appearances, their accents, even their speeches, but NOT in what they will actually do if elected. And then, once they are "in power", make sure they know that you can reward them for cooperating or punish them, even destroy them, if they become inconvenient. A few politicians being destroyed makes the public think, "The system works," and politicians destroying each other makes the public think, "At least we have competitive balance!" Meanwhile, the same actions take place regardless of the election outcome, only under a different coat of paint.

  2. The goal of any election is to create agreeable consensus. You can only do that if the losers of the vote cannot claim afterwards that it was all rigged.
    And that is the core of the problem: even if your electronic voting would be technically and mathematically perfect, as long as the voters and the election observers have to trust it instead of knowing it, it is not a feasible system for a democratic election.

  3. I hope this video gets the attention it needs. I’m from Brazil, and we had many cases of election fraud because of this stupid electronic urn.

  4. Not that the government we vote for is actually in charge and controls anything independently, but still, that's quite crazy

  5. In Brazil it works, for about 20 years. In this time there were at least 3 party changes. The workers' party (PT) won the election against its worst rival, which was (is) aligned with corporations' interests, then the PT won 4 consecutive elections in a row, and a coup was needed to remove them. I mean, people with real money invested in their adversaries; if there was a chance to hack the voting process it would have been done.

  6. It's easy to build a secure electric voting system on Ethereum. (using a decentralized blockchain with proof of work consensus)

  7. I got it! We line up the politicians behind thick bullet-resistant glass panels, each of equal mass, and issue everybody a muzzle-loaded gun with one bullet. Everybody attempts to shoot the politician they hate the most, and depending on their competency as a shooter (I mean voter), they might collectively be able to break through the glass and eliminate one politician from the ballot. If everybody doesn't want them around for the next election, they could concentrate their fire at the head, or somewhere non-vital if they just don't want them in office for that election. If more than one politician survives after everybody is finished shooting (voting), they weigh the glass panels and whoever's panel weighs the most (least damaged) wins the election!

  8. In Italy we did e-vote. Although, technically, the vote was done normally, but the winning party asked the internet who to cooperate with (PD or Lega), so the e-vote actually changed the parties in charge

  9. Sounds like we need to give up on the idea of anonymity in voting if we want to have voting integrity which can be checked.

  10. You do realize that the people behind electronic voting knew all of this before it was implemented. That was the whole point: to be able to hack elections.

  11. I am going to vote for Andrew Scheer during the Canadian election

    yeah I am open about who I am going to vote for, so I personally never understood why so many people are secretive about it.

    plus for some, like during Hurricane Sandy, voting online was the only way for them to vote, are you saying that we should just not let some vote because they can't travel to mark a piece of paper?

  12. There are a couple of arguments wrong in the video. Here in Brazil we use electronic voting; for auditing, the government uses parallel voting and other things; the method to get the data is proprietary to the voting machine and not a simple pen drive, it uses a pen drive but not just any. The hacking occurs, and it is more effective to do so with social media, not with the electronics.

  13. You are mistaken. We have the right to vote anonymously; but we do NOT have the duty to vote anonymously. Anonymity protects the voter from vindictive politicians.

  14. I agree that governments and corporations are unlikely to devise or voluntarily to implement a secure and unbiased electronic election. But I find it difficult to believe that you are unaware of the difficulties surrounding what we already have. In fact, we CAN teach people to download, to verify, to build, and to install Linux source code on central servers that will collect and tally electronic ballots. We CAN compute a hash of the entire server that every sophisticated citizen can verify on hardware identical to the server. We CAN archive all election results and server logs before deleting it all and verifying with the hash that no malware has been injected onto the server.

    Once the servers are operational, they can be used to store a key for each citizen whose identity is verified by a certified official, whose registration is recorded on video, who was counted in the last census, and who has not died. Citizens who try to register multiple times are immediately arrested and held until these video recordings can be used to resolve the dispute. The cryptographic keys and a passphrase are used on election day to verify and to tally simultaneously submitted, signed, and encrypted ballots. Key pairs shared among the servers verify that backup tallies can periodically be distributed securely to minimize sabotage or failure.

    Saturday through Tuesday should be national holidays so that every citizen has ample time to help the election. In addition to aural-visual records, groups of volunteers are selected at random to monitor and to verify that the election is valid at every stage. Yes, it is possible that there are cracks — people are human after all — but each group member will attend his own interest so that successful cheats will be rare and random.

  15. Well … as for traditional voting method … in my country there were several attempts (that were unsuccessful) to rig the results. In one of those attempts the main guy from the local commission (or whatever it is being called) has picked up blank cards and put crosses for the candidates that were from his political party. So, those are unsuccessful attempts, that went public. The question is, how many attempts were successful and nobody noticed that?

  16. All the arguments used here are bad and poor…
    For electronic voting, you cant just give people that vote a crypted / signed token that shows their vote. And on the other side, make all the votes public and anonymous. This way, we can't know who voted what, but anyone can prove things were rigged with only his token. And this token can even be split in 2 parts to keep the one having it anonymous. This way, to cheat, every person that votes MUST be part of the "conspiracy" (at this point, they could just vote for the one you want…)
    On the other hand, with "normal" voting, there are just way too many ways to change your vote, and you'll never be able to know it… The papers are not under surveillance all the time by tons of people…

    I'm not saying that electronic votes are safe or anything like that. Not even saying that this video is wrong. Just that the explanations are really bad.

  17. He's arguing against a least ideal scenario of electronic voting, when to strongly debunk it requires its best case scenario.

  18. What about use of non-reprogrammable voting machines, used along with a voter-verifiable paper audit trail, as used in Indian elections?

  19. I wish someone who had a degree in computer engineering would have done this video. A guy who makes web apps with a degree in linguistics isn't the most credible person to talk about the subject.

  20. Well, it's not like regular elections are safer. What was said about internet voting can be argued about regular too. Great amount of effort and people most likely will trump a less prepared system of any type. The people who count the votes might be working together. Nothing is safe. The root problem here is I think a desire of anonymity. In an ideal situation, if EVERYTHING was transparent, hacking becomes IRRELEVANT. We don't need hidden layers upon hidden layers fighting against hackers (virtual or material). We need TRANSPARENCY in our opinions, governments and systems. In my mind, Truth > Liberty, but I understand and respect that other people may have other priority in their values.

  21. @Computerphile This video was posted prior to Brexit too. Let's thank Cambridge Analytica who taught us that you don't even need to rig votes to change an election. Whether it be in your own state or another's. But joking aside, not sure why we don't have a blockchain-based news/media outlets as of yet. Would aid in ceasing the spread of 'fake news'.

  22. This video makes some great points with regard to the risks of electronic voting. That being said I think there are some difficulties with paper based voting that need to be considered.

    At least for USA elections there can be many overlapping precincts (state, city council, school district, house of representatives, maybe some others). Paper ballots would either have to be customized for each voter, or consist of multiple separate ballots combined, both of which have a risk of fraud and error.

    In the USA the mandate for voting officials seems to be to divine the intent of the voter, but that can be difficult when they do things like vote for multiple candidates, or partially mark candidates (search for "hanging chad"). Electronic voting has the benefit of being digital and unambiguous.

    Given the above as a compromise why not have electronic voting machines that produce an immediate paper trail that the voter can audit? They vote, it prints out a ballot, the voter reviews it, and drops it in a box.

  23. World's biggest democracy is elected electronically, but the devices are not programmable, these devices use ASICs which are just up-Counters with few registers, each for storing the vote count of a party. The only I/O features are:
    1) Reset (requires a special key to use it)
    2) UpCount buttons, (For voter's use only, key protected so it's disabled after election hours)
    3) Count Display (Only used after election, key protected)
    4) LED indicators to show citizens that their vote is counted
    5) Disable key…. (Used just after the last vote is given, so no alterations are done after that)
    These machines are highly successful in India as every activity of officials in election booths are recorded under CCTVs.

  24. You can use blockchain technology and all problems are solved (p.s. there are blockchains that cannot be broken even with quantum computers)

  25. In India voting machines, once programmed, are not audited since they blocked downloading. They don't want to count VVPAT (printout of vote) as well. It's a big mistake in the history of Indian democracy

  26. Dominican Republic here, we for the first time used electronic vote for the primary elections, but not a single auditing was done, resulting now in troubles…

  27. I don't agree. The technology to make a secure electronic voting machine is here. It's just the fault of who implements the whole badly the problem

  28. Getting nervous in Australia of this happening soon, woefully incompetent and corrupt politicians in charge and their last IT adventures were just hilariously bad

  29. Computerphile contradicting itself, the video on Zero Knowledge Proofs claims that EVoting is possible without the problems mentioned in this video.

  30. Banking systems or blockchains work safe and great online. Why that is working, and electronic voting is so hard to do safe?

  31. I love the fact that Bolsonaro was a critic and kept questioning our electronic voting system until he was elected by it. Now he's silent. Hypocrisy at its best.

    The Brazilian system is pretty reliable. It was developed in partnership with public universities, it has a mature end-to-end process, the dept responsible for it is transparent, there are public sessions where the code is open to be audited by all political parties.
    Tom is a skeptic but there's a smart solution for every problem he presented in this video.

  32. In Russia, they are consistently making the result they need even without electronic voting.
    There are a lot of ways to manipulate/falsify an election, and if the system is getting rotten, only civil guns could be the answer. But they've taken care of it as well.

  33. The problem with the American Vote is we still have an Electoral Vote for President which means our vote can mean almost nothing. Genius way to hack the system by controlling where your vote goes. That's why you can lose by almost 3 million votes like Trump and still win.

  34. Go to Spain, they rigged the electronic vote this summer and going to do it again on Nov 10, but no one cares at all………

  35. I would hate to take a test from this guy's class. But, everything he says sounds so urgent. Like an ancient shaman or something.
