Isn't the requirement for paper recounts simply unnecessary with electronic voting?
It seems to me that the errors which a recount is attempting to correct are only inherent to paper (not filled in correctly, mishandled paper etc) and simply non-existent in a correctly implemented electronic system, and thus irrelevant.
Electronic voting machines are inherently unsafe. (Consider the difficulty of validating that the software has not been tampered with, e.g. trusting trust, that the drivers have not been tampered with, that the network transfer of the counts is secure and validated, that the hardware is safe and reliable, that the screens and display controllers are displaying what the software thinks they are displaying, etc.)
The 'best' option is to use them to print a paper ballot that the voter can validate before putting it in a ballot box. But at that point, you've basically invented a $2000 pencil.
Options that rely on the voting machine itself to count or transmit the votes can't be adequately validated. Options that publish the votes in the clear - allowing voters to check their votes were recorded properly - violate anonymity requirements, and options that publish obfusticated votes don't actually provide useful auditability.
Not being able to provide a paper (or equivalent) ballot recount is (or should be) completely unacceptable.
> Electronic voting machines are inherently unsafe.
Nothing about a voting machine is inherently unsafe (for any purpose of the word), or we wouldn't use machines ubiquitously. They are both safe and reliable. Software is difficult to do, but we go into space anyway.
> allowing voters to check their votes were recorded properly violate anonymity requirements
Nope. Using hashes and keys is how we do it in the technical community and would work fine with voting.
> publish obfusticated votes don't actually provide useful auditability.
You're improperly lumping problems that are a combination. Some have very good solutions and one is a rather intractable problem (for machines).
Added votes
Missing votes
Misrepresented choices
Altered votes
Most of these could be handled. The issue of added votes would be something that could only be handled by serious federal criminal legislation against padding at any level (which we don't do today) because only a human is trusted to determine if a voter is another human.
There's still a tremendous amount of trust involved, and many components to secure. Some folks have done security analysis of voting machines and were not impressed (an understatement). Block chains and other applications of crypto are kind of pointless if the firmware can be subverted to record Candidate B while displaying Candidate A to the user.
Oh, there are lots of technological solutions (display hashes of a vote, which can be photographed and checked, for instance). But paper and pen have worked for a long time and we have decent strategies for dealing with its faults, while the target area of a microprocessor-controlled voting machine is mind boggling.
That doesn't preserve the anonymity requirement for safe voting systems. Blockchains are only pseudonymous and a malicious landlord, employer or family member could easily coerce you into divulging your ID.
If you take the key with you after you vote, which you will need to do if you want to validate your vote later, then you can be coerced into disclosing it.
I believe that the keys would just be taken by the machine, that way you'd be able to verify the vote was placed without the risk of revealing the identity of the voter attached to that card.
> allowing voters to check their votes were recorded properly violate anonymity requirements
Why can't voters be provided with a random vote ID, which they can write down and later check against a list?
If you're concerned about people buying votes directly by buying IDs, just make the set of possible IDs small enough (i.e., the same size as the number of registered voters) to confound buyers into being uncertain whether their provider might have just thought up a random ID and written it.
How is giving them a unique ID any different than the current situation? They can just as easily take a video of themselves voting as proof for these purposes.
IMO, a paper ballot with electronic verification in the booth solves these problems. Just make the in-booth scanner reject-happy. It can also display multiple languages for instructions.
A $2000 pencil that replaces tons of paper instructions printed in several languages and prevents double-voting and other mistakes may still be valuable. Not so much in democracies where you cast one vote every 4 years, but in America, where you can have a dozen every year or so, a voting machine can be useful.
A computer with a $5 camera that can tally a paper ballot per second grocery-store style is also useful because you get accurate results in half an hour instead of a day later. Poll observers can't count that fast, but they can video the counting and review it later.
We can safely and effectively use computers as much as we want on either side of the ballot box.
It becomes necessary to have a fallback vote counting method that you can rely on, in order to detect fraud, because compromising electronic voting is orders of magnitude easier than compromising paper ballot voting.
It may be that these paper trails are not used for recounts, per se, but for audits of election results in a sample of polls.
No, electronic voting should never exist. Seriously, stop trying to add terrible amounts of complexity to a solved problem.
We have hundreds of years of experience with how to solve simple paper ballots. They work. They can be trivially easy to understand[1]. Any complexity added to this
As for not having a hard copy backup - do you seriously trust
1) the computer hardware, OS, and other standard parts,
2) the software designer (no mistakes allowed),
3) the probably rushed implementation (bug free software?),
3b) if Diebold was involved, an easily modified MS Access DB with no audit trail and an open data port,
4) the collation process - good luck finding a device that uses crypto or signing, and
5) that all of the above will somehow stay secure from attack when run by numerous volunteers, defending against regular attempts to fix the results or otherwise modify the results?
In a perfect world, electronic voting would work. In reality, electronic voting is guaranteed to fail far more often than simple hand counting paper ballots. Even worse, the complexity of electronic voting allows damage to amplify. There's only so much damage someone can do to a paper ballot or local group of ballots. Once you involve networked computers, there is the risk that an attack could affect the entire system.
What is the benefit, anyway? Very slightly faster results? Do we add all that risk, cost, and complexity so the media can have their show a bit earlier? The supposed benefits are not important.
Electronic voting should be met with extreme suspicion. Like the con artist that tries to distract you with numbers and extra movements, electronic voting is almost certainly a sign that someone is trying to fix an election.
[1] Canada gets ballot design[2] right - just make a mark next to your choice. Doesn't really matter what kind of mark, and no "hanging chads" or other mechanical nonsense that can fail.
The point is that Florida law requires voting methods to be amenable to manual recount. So even if we agree that e-voting obviates the need for manual recounting, it's still incumbent upon the officials either to demand facility for that kind of auditing or to change the law.
It would be a scary world if we just started ignoring laws every time we thought they were obsolesced by some new tech.
For the first, even the most tested software still has bugs. Politics is already a complicated business if you add bugs. Complexity also affects trust. It is easier to trust a system that you understand, like paper voting, than to trust machines that, for most people, look like magic.
For the second, the problem is that if I can't count the votes I have to trust the good will of the company that made the machine or some selected technicians that review it. The Volkswagen scandal is a good example of how things can go wrong. You can still manipulate results in paper voting, but it usually requires a lot more people involved and because of that it is easier to detect. Mass manipulation is easier to do and harder to detect if there is no paper to count.
So both solutions at the same time is the best of the two worlds. You can have a machine that counts the votes and still prints a ticket. So you can have instant results, better counting, etc. And these results can be checked if any doubt arises. (I will say that it will be good to check them always anyway.) So you can easily detect bugs or manipulation.
So what's the threat model here? Is it distrust in the voting machine itself -- because then why do you trust that the paper votes haven't been manipulated by the counters? Are there organizations that would be suddenly able to manipulate votes via electronic machines that are currently unable? Would the same be true if the machines weren't networked and basically dumb counting machines?
It's much harder to manipulate paper votes at scale than voting machines. With paper, people know that the correct vote was recorded (a voting machine could silently change it to something else), and the paper can be protected through a chain of custody with monitors from various groups watching it - and then counted by independent groups.
So the threat model is someone hijacks the firmware in a voting machine to record votes other than what the voter selected, and it's much easier for someone to flip millions of digital bits without being detected than for someone to change the box which is ticked on millions of bits of paper.
The threat model is "any attack that could work will be tried"--elections tend to be about huge power, and there is pretty much nothing some people wouldn't try to obtain that power.
In a properly functioning democracy, any citizen can go and watch the voting process, they can look into the empty ballot box at the start of the day, and watch the people coming to vote all day, to see who gets to vote and how many ballots they get to put into the box, and that voters are effectively being prevented from showing their vote to anyone, and then they can watch the ballot box being emptied and the votes being counted at the end of the day.
Also, in a properly functioning democracy, the voter can rather easily verify that no one is watching them as they vote.
Pretty much none of that is possible with electronic voting.
> Would the same be true if the machines weren't networked and basically dumb counting machines?
1. Yes.
2. How could you verify that there is no network connection anyway?
3. "Network connections" can be accidental. There was the case of the Nedap voting computers in the Netherlands where people from the CCC and Rop Gonggrijp showed that due to non-intentional radio frequency emissions of the machine's circuits, you could find out how people were voting with a short-wave receiver from the other side of the street.
Even without networking, you can usually break anonymity of electronic voting machines through Van Eck phreaking. This probably won't allow you to alter the votes, though.