Why Electronic Voting Is Still A Bad Idea


Five years ago, I made a video for a channel called Computerphile about why electronic voting is a bad idea. And I still get emails, occasionally, asking: things must have changed by now, right? There’s this new idea, and maybe it’ll help. Surely electronic voting is just around the corner? No. No, it’s really not. Here is why electronic voting is still a bad idea.

Elections have some very unusual requirements. There are two key features that are almost opposed to each other: anonymity and trust.

So first, your vote should be completely anonymous. There should be no way that anyone can find out who you voted for, even after everything’s been counted. That way, no-one can bribe you or threaten you to vote a particular way. In the UK, if you mark your ballot in a way that could potentially identify you, so if you sign it, for example, then that ballot is not counted. This is why election officials are worried about people taking selfies with their completed ballots: because you should not be able to prove how you voted afterwards. Otherwise, you can have attacks like “$10 off for blue voters!” or “Entry to this party only for yellow voters!” or “vote red or you’ll regret it.” Votes have to be anonymous.

The second requirement is absolute, transparent trust. The system needs to make sure that your vote is securely and accurately counted, sure. But it also needs to be obvious to everyone, no matter their technical knowledge, that the system can be trusted. So if you’re using paper, you place your ballot in a sealed box that doesn’t get unsealed until everyone with a stake in the election has someone representing them in the room. There should always be people from more than one side guarding it, or at the very least, witnessing that there’s a tamper-proof seal being used for transport. Voters need to be able to trust that their vote will be counted even though they’ll never see it again and it can’t be traced back to them. And at no point is a single person put in a position of trust. People can be corrupt, or threatened, or incompetent, or all three at the same time.

Now, physical voting is not perfect. It can be attacked, it has been attacked. The UK’s own paper system doesn’t fulfil both of those requirements perfectly, it is possible to identify voters from their ballots if a court orders it, and there are stories about that being done outside the law too. But the key point is not that paper voting is perfect: it isn’t. But attacks against it don’t scale well.

Physical voting is centuries old. And in that time almost every conceivable fraud on the system has been tried, and defences have been found. The more physical votes you need to change, the more people you need to influence, the more time and money it takes, and the less likely it is that your little conspiracy will stay secret. In a UK election, there are hundreds of polling stations across the country, with staff made up of scores of employees and thousands of volunteers. The job of changing a significant number of votes, enough to sway an election, becomes very, very difficult. People have attempted it, some people have been convicted, a few have probably gotten away with it on some scale. “Granny farming” is the term that shady operatives use for going round all the retirement homes and getting vulnerable elderly people to sign a proxy vote, a paper saying that someone else can vote on their behalf. And yeah, on a small scale, that has worked. But once you start scaling up that attack it becomes extremely difficult and time-consuming and the chances are you’re going to get found out. With electronic voting, that’s not the case.

So first, let’s talk about electronic voting machines. That’s where there’s a computer at the polling station: so voters still go into a booth, it’s just that they are pushing buttons, or tapping things on a touchscreen, not writing on paper.

Problem number one: trusting the software and the hardware. In theory, our voting computer could be running open source software where anyone can see and check the source code. In practice, that doesn’t happen: it’s probably going to be closed source, it’s probably going to be loaded off an easily-compromised USB stick, on a computer that’s been sitting unguarded and sometimes just idly and inexplicably connected to the internet for years. And those systems only ever get a full-scale test when an election actually takes place. That in itself should be enough to stop electronic voting ever being a thing.

But, okay, let’s say that we do, magically, have the most stable, secure, open source software possible. How does a voter know and trust that the correct software is actually installed on the machine they’re using? Maybe we could use some sort of checksum or some other system to make sure the voting is running correctly. But then you’re just moving the problem, now you have to trust that checksum hasn’t been forged. And almost no voters actually will understand what that check even means, or why they should trust it.

In the United States, voting machines are regularly tested every year… at the Voting Village at DEFCON, one of the world’s largest hacker conventions. It’s not an official thing. Hackers there have managed to alter the stored vote tallies, change the ballots displayed to voters, and in one case, have got a machine to run the video game Doom.

Imagine if, instead of a machine, there was just a person in the voting booth, and you had to whisper your vote to them, and they promised, oh, yes, you can absolutely trust them to accurately record your vote and pass it on to the people who are doing the count. No, you can’t see how or where they’re writing it down, you can’t actually call and find out where they are or what they’re doing, but they absolutely promise. That’s basically what’s happening with an electronic voting machine. You just have something that says: trust me. I’ve counted your vote and I have absolutely not been compromised. Honest.

Problem number two is votes in transit. How do you get the votes off that machine to the central counting place? There are three possible ways. One, you could take all the voting machines to the count. You could seal them all up, and transport them physically from where the voting took place to where the counting takes place. No one does that. So, you could download all the results from each machine onto a USB stick and take that. One bit of sleight-of-hand and you’ve got a completely different set of results. If you’re about to propose some system where the results are checksummed and trusted: please explain that to the average voter in a way they can understand and implicitly trust. Okay, so, maybe we could transmit the votes electronically over the internet. Which is… optimistic. Man-in-the-middle attacks are more difficult now, but they’re not impossible, particularly if you can’t trust the software on either end. And now you’re connecting the voting machines directly to the internet. Deliberately.

Which brings us to problem number three: the central counting server. Right at the end of the process there is the server that tallies the votes and gives the final count. Which has all the same problems with trust and verification as the individual voting machines, but now only a few people can even see that computer. That’s also true about electronic counting machines: ones that take stacks of paper ballots and return totals. How do you trust they aren’t quietly changing some votes? We live in a world where Volkswagen got away with specifically designing their cars to cheat on emissions tests for years.

And that’s before we include user error. In one Scottish election, trialing electronic voting, a result was corrected after one observer noticed it didn’t make sense, and stopped the announcement at the last minute. Turns out that someone forgot to scroll all the way to the right to read the columns on an Excel spreadsheet with the results in.

And even if you can’t compromise the election, you can still break trust. You can still cast doubt on a voting machine, or the entire counting system, just by leaving an unknown USB drive in it, taking a picture, and posting it online. Or just faking a photo of that. To break an electronic election, you don’t actually need to break it: you just need to cast enough doubt on the result. It is a lot more difficult to do that with paper and physical ballot boxes.

And all this is before we get to the really terrible idea: that people should be able to use their phone or computer to vote from home. Now, I’m sure the device that you, personally, are watching this on is malware-free and up-to-date.
Of course it is. But can you trust that for everyone in your family? For everyone on your street? The exact numbers differ depending on which security firm’s figures you go with, but it’s safe to say that a huge number of computers are infected with some sort of malware. Huge numbers of phones are on old, vulnerable versions of their operating systems. And that’s just scammers setting up botnets and minor extortions. Imagine the sort of attack that could be put together by a small, well-funded team backed by a national government. That sort of attack would scale very, very well. Find the one hole in the system, and suddenly it costs roughly the same to change one vote as it does to alter millions: and your conspiracy stays very, very small indeed. Maybe you don’t even have to set foot in the country whose elections you’re hacking.

Now, there are a couple of regular objections I get to this. First of all: what about Estonia? Yes, in 2005 Estonia became the first country in the world to offer internet voting, first in local elections, then in national, then in European. In 2019, more than 40% of votes were cast online there, which is just short of a quarter of a million people. On the surface, the system seems robust. Voters can ID via their government-provided smart card, or the SIM card in their phone. But there are problems. An independent report found gaps in the procedural and operational security. The architecture of the system is a decade old and it’s now dangerously out-of-date, and it’s open to cyberattacks by foreign powers either by exploiting individual phones or by breaking the trust in the server that counts the votes.

The other common objection is: what about new technologies? What about blockchain? Look, leaving aside trying to explain blockchain to people and asking them to trust this weird technology is worth using, it’s basically just a write-only database. It doesn’t solve the problem of trusting the software or hardware: it doesn’t change how the voting machine works, the interface between the voter’s intention and what’s actually written to the database still has to work. If it prints a receipt of the vote you can check later, it breaks anonymity. If it prints a receipt of seemingly-random numbers you can check later, it breaks trust, because hardly anyone will understand what’s actually going on there.

I’m not saying there aren’t advantages to electronic voting. Yeah, there are. Accessibility is the main one, and that’s really important. In low-stakes elections, for small groups, for the little things, sure, go for it. But when the future of nations rests on the result: electronic voting is still a bad idea, and you should still vote against it. While you can.

I’m endorsing Dashlane for two reasons: one, they’ve given me money. Obviously. But two, because I genuinely believe that if you’re techie enough to watch to the end of this video, you should absolutely be using a password manager. If you go to dashlane.com/tomscott, you can get a free 30-day trial of Dashlane Premium. Password storage, generation and autofill that works across devices, browsers, operating systems, everything, it syncs all your data in the cloud without sending any of those actual passwords to Dashlane themselves. If you want to know how that works, see previous sponsored sections. Using long, complicated, symbol-filled passwords that are completely different for every web site and every app is ideal for security: but remembering them is nigh-on impossible and typing them in is a pain. Being able to use a single master password, or the biometrics on your phone, is great: you’ve got one thing to remember. Dashlane will also store and autofill credit card information, so you don’t have to retype it every time you buy something online. You also get a VPN and a gigabyte of secure storage. So: dashlane.com/tomscott for a 30-day free trial of Dashlane Premium, which includes unlimited password storage and sync. And if you like it, you can use the code “tomscott” for 10% off.
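
The transcript's point that a checksum "just moves the problem" can be made concrete. The following is an added example, not code from the video or from any voting system: it checks a constructed software image against a plain SHA-256 checksum and against a keyed tag, with HMAC standing in for a digital signature, and shows which substitutions each check catches. All names, keys and image contents are assumptions made up for the illustration.

```python
import hashlib
import hmac

# Constructed sample data: stand-ins for a voting-machine software image.
GENUINE_IMAGE = b"VOTING-SOFTWARE v1 (constructed sample image)"
TAMPERED_IMAGE = b"VOTING-SOFTWARE v1 (constructed sample image, altered)"

# Hypothetical secrets for this example only.
AUTHORITY_KEY = b"constructed-election-authority-key"
OUTSIDER_KEY = b"constructed-key-chosen-by-someone-else"


def digest(image: bytes) -> str:
    """SHA-256 of the image as a hex string."""
    return hashlib.sha256(image).hexdigest()


def plain_manifest(image: bytes) -> dict:
    """A bare checksum, as it might ship next to the image on the same medium."""
    return {"sha256": digest(image)}


def keyed_manifest(image: bytes, key: bytes) -> dict:
    """Checksum plus an HMAC tag over it.

    HMAC is a stand-in for a signature because the standard library has no
    asymmetric signing. With a real signature the verifier would hold only a
    public key, and the voter would then have to trust that public key and
    the program doing the verification.
    """
    d = digest(image)
    tag = hmac.new(key, d.encode(), hashlib.sha256).hexdigest()
    return {"sha256": d, "tag": tag}


def verify_plain(image: bytes, manifest: dict) -> bool:
    """True if the image matches the checksum in the manifest."""
    return hmac.compare_digest(digest(image), manifest["sha256"])


def verify_keyed(image: bytes, manifest: dict, key: bytes) -> bool:
    """True if the image matches the checksum and the tag was made with key."""
    d = digest(image)
    expected = hmac.new(key, d.encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(d, manifest["sha256"])
            and hmac.compare_digest(expected, manifest.get("tag", "")))


def scenarios() -> dict:
    """Return {scenario: did the altered or genuine image pass verification?}."""
    return {
        # Baseline: untouched image and checksum.
        "genuine": verify_plain(GENUINE_IMAGE, plain_manifest(GENUINE_IMAGE)),
        # Image replaced, checksum left alone: the mismatch is caught.
        "image_swapped": verify_plain(
            TAMPERED_IMAGE, plain_manifest(GENUINE_IMAGE)),
        # Image and checksum replaced together: the check passes, because
        # anyone who can write the image can also recompute the checksum.
        "image_and_checksum_swapped": verify_plain(
            TAMPERED_IMAGE, plain_manifest(TAMPERED_IMAGE)),
        # Keyed manifest rebuilt by someone without the authority's key: caught.
        "keyed_without_key": verify_keyed(
            TAMPERED_IMAGE, keyed_manifest(TAMPERED_IMAGE, OUTSIDER_KEY),
            AUTHORITY_KEY),
        # Keyed manifest rebuilt by whoever holds the key: passes. The trust
        # has moved from the checksum to the key holder and the verifier.
        "keyed_with_key": verify_keyed(
            TAMPERED_IMAGE, keyed_manifest(TAMPERED_IMAGE, AUTHORITY_KEY),
            AUTHORITY_KEY),
    }


if __name__ == "__main__":
    for name, passed in scenarios().items():
        print(f"{name:28s} verification passed: {passed}")
```

In every row the voter sees only "passed" or "failed"; which of the five situations produced that answer depends on who controlled the manifest, the key and the verifying program.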

About the Author: Maximilian Kuhn

100 Comments

  1. Thanks again to the smart people at Dashlane for sponsoring this run of the Basics! You can get Dashlane for free on your first device: https://www.dashlane.com/tomscott — and yes, I know it's a bit ironic recommending a closed-source solution on a video like this, but I've read their security white paper and it makes sense. They're a good solution: see previous sponsored sections for how they can sync your passwords without ever knowing them!

  2. Brazil uses electronic voting. Still. I don't see it changing any time soon. The government even advertised it as "safer than voting on paper"

  3. Also consider how many state-backed conspiracies are attacking Estonia. Probably very few. China doesn't care what happens in Estonia, but it would in the US or any other major trading partner.

  4. I'm surprised that you totally ignored ElectionGuard. It addresses many of your concerns about verification and anonymity.

  5. Elections are fixed even before one vote is cast. How, because only rich and powerful people can stand and win election. And they don't listen to what you say!

  6. But why Dashlane? For one thing, I don't trust any one company with my passwords. Secondly it's actually relatively expensive and if I miss a payment, do I lose access to my passwords? A free desktop app is way better.

  7. I actually took a picture of an accessible USB port on a voting machine (that had a lock, but wasn't).. they took it way too light 🙁

  8. I was in prison and I used to vote five or six times me and my dude from prison that’s how it works in California California so corrupt

  9. I’ve had offers to intimidate voters just because I’m an ex-con Democrats and Republicans desperately want to win elections it’s sad what people go to to win

  10. Would be nice if I could go down to the polling station to play a bit of Doom, might actually get something out of it for once.

  11. A much bigger threat to democracy than electronic voting is misinformation, though. Why would you need to hack the machine that is counting the votes when you can just hack the minds of the people that are voting. This is what is breaking democracy right now. Even in countries who use paper ballots. The UK general election is a prime example.

  12. Why not electronic voting, with paper receipts that are printed, reviewed/double-checked by the voter & placed in a ballot box?
    A random percentage of voting centers are hand counted & compared to the electronic vote to ensure the system is working properly. And if the election is ever questioned, a hand recount can be done, for close candidates or anyone who has a reasonable concern over an election outcome.

  13. Question someone pro-electronic voting asked: If online bank transactions works fine, why cannot voting system be built like it?

  14. India we are using electronic voting machines for years now. We even have a system that prints paper ballot for later cross verification. Till now no mismatch found. And yes, the machines are physically carried to counting centers. And you cannot stick USB or hack into it, because it does not have any ports. And no point in physically manipulating the hardware, because the order of candidates is not known till few days before the election. Very poorly researched video, to echo preconceived bias.

  15. I really want to thank you for this video.
    On another note, I know you probably can’t answer that, but doesn’t Google Chrome generate and save secure passwords for free? Never used it myself, but is it somehow less safe?

  16. Although I understand there's perhaps no currently good solution, I think it's important to note that without accessible voting people with disabilities that mean they can't read and/or mark a paper ballot are being asked to trust the "whisper your vote to a guy in the voting booth" model. And in those big important elections, the need for accessible secure voting should therefore be even more urgent. (Perhaps the immediate solution lies in creating an accessible physical format – there's no reason a physical vote has to be print on paper.)

  17. block-chain would permit for safe votes with very few compromises, since it would only permit votes if the remainder of the decentralized network counts the vote as legitimate

  18. Certain transparent implementations of Blockchain and DAG nullify a huge amount of the problems you've mentioned. Multiply this with several forms of multi-factor authentication and a fairly secure voting system IS viable, I just don't know how far off.

  19. Use Dashlane so that if someone gets control of your devices they won't need to worry about cracking any passwords as they will be automatically filled in on every thing you use also because you are expected to believe you are important enough to be targeted by criminals or even that you are so incapable you cannot make a secure password that you can easily remember without paying someone to do it for you

  20. Security problems ignore this important question: Do you want your leaders picked by folks who can't be bothered to leave their homes to go vote?

    It's also not just promoting indifference, it's promoting isolation. Whatever limits there are on the ability of people to live in their own bubble and perceptions would disappear.

  21. Sorry Tom I was hoping you wouldn’t do that. Push everything down to one point of security. Just the Dashlane login. Come on. I really didn’t think you’d do that.

  22. Tom, I really thought that you were going to bring India and Brazil election system into the discussion… Have you made some study on how it's working and possible negative outcomes of those countries systems?

    I know that the process for the elections in Brazil is very bureaucratic, with everyone can request an audit for the machines and its software, for example

  23. But how much does absolute anonymity really matter in a presidential election? We can make it illegal to share your vote or to offer incentives to vote one way or another. Also, we already trust companies like Google and Microsoft to keep our email information private (private enough). We trust Banks in the same way, and we don't expect the amount of dollars in our accounts to be suddenly changing, even though there could be great incentive to do so. Think about how much we are losing by not allowing electronic voting; huge percentages of people who are not physically able or can't afford to vote simply do not.

  24. The main problem I have with your video is that the exact argument of trust is valid for physical voting. I come from a country where there are thousands of fraud reports each election and videos of ballots being fixed leak to the media each cycle. The result of this is less than 40% voter turnout. Electronic voting would be preferable as at least it would remove some vulnerabilities of paper voting like: vote tourism (people voting in more than one location), ballot swapping during the transit, people won't be able to photograph their ballot in order to get vote bribes, you could vote in local elections from any station thus increasing turnout.

  25. In my personal opinion I feel that excluding the initial printer I believe in only 1 electronic device being used in the election. For accessibility maybe a vote printer where if someone is unable to use a physical ballot then they go into an accessible booth where they press a button on the screen and it will print a filled out ballot.

  26. Online banking reliably identifies both parties and transfers the data securely between them. And end to end encryption technically makes that no one in the middle is able to read it. I have no clue of how this is implemented, but why could electronic voting not be based on a similar principle? I'm genuinely asking as the ignorant self I am, not trying to be clever.

  27. Another problem with electronic voting is the abrogation of anonymity. If you can vote by mobile phone, it would be much easier to threaten someone with harm if they didn't vote the way you wanted, because you could actually watch them voting. Sure, it's possible with postal votes now (which is why the proliferation of postal votes is a problem), but imagine if it was more widespread.

  28. Tom you said some things that are wrong like: "no one does that" referring to bringing machines into the counting centers. In Brazil, we do that. Besides, both hardware and software are open to all parties to find errors in security. I suggest you search about the voting system in Brazil.

  29. Votes don't need to be anonymous so long as the agency managing the voting is independent.

    The real problem with computer voting systems is that the government cannot be trusted to understand the process of creating said machines and the whole thing just turns into a ridiculous payday for some tech company who knows they don't need to get any real work done, so security is null.

  30. Okay, but his ENTIRE argument for blockchain is that random numbers would 'break trust'? That is at the most a minor argument against it, The receipt I understand.
    I think we're moving towards a society where literally everyone understanding a technology being used is getting more and more irrelevant daily, and as this phases out electronic voting will have to phase in eventually, maybe not right now, but it's coming very soon.

  31. An open source blockchain with signatures as proof and transparency would solve the problems you described. You clearly don't understand how they work. The voter can receive a private key they can use to verify their vote on the blockchain and then shred later to protect their privacy. About people not knowing how to do that – What you would see is many independent nonprofits would build their own apps to allow non-technical voters to verify their ballots without needing to understand blockchains, that auditors could then view the source code/checksum of to verify authenticity. The idea being you can type in your private key on your smartphone, it looks up the public key, and 200 different independent auditors that have access to the blockchain each confirm your vote.

    In the event of the government intending to tamper with an election, the public would immediately know because the announced winner wouldn't match the blockchain.

    All of the problems you described of blockchain voting exists with paper votes. How can I trust that my vote is counted correctly? How can I count that the ballot given to me is correct? How can I verify that someone doesn't fingerprint my paper ballot?

    Neither system is perfect, but open source blockchain based voting would be the ideal means to vote.

  32. People keep talking about flaws of electronic voting, but there seems to be a problem pushing the narrative of existing problems with today's voting.
    Needs to be trusted right? Well our current solution is not trusted at all. Nearly half of America doesn't even bother to vote for fear their votes will be manipulated, or otherwise do not matter. You can't act like there's no manipulation, lying, cheating, and fraud in today's voting.

  33. Electronic voting via private devices completely breaks anonymity because your family/friends could ask you to show them your phone as you vote.

  34. Why would you call blockchain a "write-only" database? 🤔 Did you mean read-only? Maybe write-once would be a better term.

  35. Ok, so I have a VERY simple solution: print the ballot with your vote, which you verify has the correct vote and then deposit in a ballot as usual. This will make the electronic vote as trustful as a regular voting system. You still have to trust people when elections happens anyway, everything is based on trust.

  36. In general, I agree with everything you say. However, we also live in a world where people voluntarily put every detail of their personal lives on a server so companies can auction it to advertisers. Such people also will believe anything they read on this server, so rather than hack elections, nefarious foreign powers only have to buy ads saying that (bad candidate) eats babies.

  37. Tom, can you make a video about the art of hand motions while talking?
    You use hand motions constantly and they really add to your videos when you are just sitting or standing in a static scene but some people aren't so gifted in this art. I am one of those people and would love to learn how to match my hands to my words!

  38. Just like your previous video you failed to discuss a system that combines paper and electronic. Why does it have to be one or the other? You can have an electronic device to take advantage of speed, and a paper ballot as the physical record and “master” count. I volunteered in elections where, at the end of the day votes were counted by hand, and the report issued by the computer was approved or rejected based on the manual result.

  39. It seems that there should be some sacrifices made in order to have a system that allows efficient and secure voting.

    The majority of people already have blind trust in a flawed system as it is.

    It is worth giving up "complete" anonymity for a system that allows the entire electorate to be polled accurately and efficiently. Since the UK already has a system that is not anonymous, then having some sort of blockchain (regardless of your sigh) based system, that allows random verification of votes would be exponentially better than what we have now.

  40. This should be cryptographically possible. That I can prove my vote counted and is anonymous. It should also be provable I had a right to vote. It's all about the keys. Anyone should be able to run the count with the public data.

    Paper in boxes same problems.

    I think the same policy goes for electronic logins and electronic payments.

    I'd like people to be using SQRL login but of course we all trust a software company with our credit accounts.

    Because trusting third party observers counting and stickers on boxes is reliable.

    Yup closed source is right out. Being able to correct your vote having recourse but most of all independent verification is unprecedented.

  41. In a large country like India, the world's biggest elections take place with specialised Electronic Voting Machines(EVM) and this has been in practice for quite some time.
    Of course there's the very high potential for fraud but eventually the government finds out and then corrects the flaw in the machine to counteract that fraud. But if we never start to implement in other countries, then we'll still be using ballot papers for decades to come.

  42. So what you're saying is that there's nothing inherently wrong with electronic voting, but rather, that humans just suck and will try to ruin everything for often stupid reasons, or no reason at all.

  43. I hold the opposite stance that voting being anonymous is itself a problem. Because when voting is anonymous, you can't track down those who vote to take away your rights.

  44. As expected, this is clickbait, and there is nothing wrong with electronic voting per se. The problem is with security and that it can be hacked. Like any system.

  45. In Brazil we have electronic voting since mid-90's and we face all the problems you related. The elections authorities allow access to the machines for IT security specialists but in a very limited and controlled way. Often proposals to print the vote to allow manual recount arises, but as you stated in the previous video, this is not the solution.

  46. I don't think I would support electronic voting but electronic counting machines I would support if say 1/3rd of batches were then hand counted in the traditional way to verify the counter. This should overall mean that results are quicker.

    I do also think perhaps at 7pm the boxes could all be collected and then smaller boxes are issued for the last bit. Then you can get counting started quicker and hopefully save all these people staying up until silly o clock waiting for a result.
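
Comments 12 and 46 above both propose hand-counting a random share of paper-backed batches to check the machines. As an added example (not from the video or from any commenter), the code below works out how likely such a sample is to include at least one altered batch. It assumes batches are drawn uniformly at random after the electronic totals are fixed and that any altered batch that gets hand-counted is noticed; the function names and the election figures are constructed for illustration.

```python
from math import comb


def detection_probability(total_batches: int, tampered: int, sampled: int) -> float:
    """Chance that a uniform random sample of `sampled` batches contains at
    least one of the `tampered` batches (hypergeometric, sampling without
    replacement)."""
    if not 0 <= tampered <= total_batches:
        raise ValueError("tampered must be between 0 and total_batches")
    if not 0 <= sampled <= total_batches:
        raise ValueError("sampled must be between 0 and total_batches")
    if tampered == 0:
        return 0.0
    # comb(n, k) is 0 when k > n, so sampling more batches than there are
    # clean ones gives probability 1.
    miss_all = comb(total_batches - tampered, sampled) / comb(total_batches, sampled)
    return 1.0 - miss_all


def batches_needed_to_overturn(margin_votes: int, max_shift_per_batch: int) -> int:
    """Fewest batches that must be altered to reverse a result, assuming
    (a simplification) that each altered batch can move the margin by at
    most `max_shift_per_batch` votes without looking implausible."""
    if margin_votes < 0 or max_shift_per_batch <= 0:
        raise ValueError("margin must be >= 0 and shift per batch > 0")
    return margin_votes // max_shift_per_batch + 1


def smallest_sample(total_batches: int, tampered: int, confidence: float):
    """Smallest number of batches to hand-count so that the detection
    probability reaches `confidence`; None if nothing was tampered with."""
    for sampled in range(total_batches + 1):
        if detection_probability(total_batches, tampered, sampled) >= confidence:
            return sampled
    return None


def audit_table(total_batches: int, margin_votes: int, max_shift_per_batch: int):
    """Rows of (sample size, detection probability) for a constructed contest."""
    needed = batches_needed_to_overturn(margin_votes, max_shift_per_batch)
    sizes = [total_batches // 100, total_batches // 20,
             total_batches // 10, total_batches // 3]
    return needed, [(n, detection_probability(total_batches, needed, n)) for n in sizes]


if __name__ == "__main__":
    # Constructed contest: 300 batches, 5,000-vote margin, at most 500 votes
    # of margin movable per batch.
    needed, rows = audit_table(300, 5000, 500)
    print(f"batches an attacker must alter: {needed}")
    for n, p in rows:
        print(f"hand-count {n:3d} of 300 batches -> detection probability {p:.3f}")
    print("smallest sample for 95%:", smallest_sample(300, needed, 0.95))
```

The result depends on how many batches had to be altered, not on the size of the electorate: a narrow margin that can be reversed by touching one batch is caught by a one-third sample only a third of the time.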

  47. I come from India. Vote tampering is a huge issue around here, big enough to influence the outcome of an election. I've seen people being physically stopped from casting their votes or someone finding out that their vote had already been cast or people being blackmailed into voting for a particular party. It's ugly.

  48. I found an Error in Your Video. There are Times when announcing your vote in public, prevents all the harm by keeping votes private.

  49. If you want to do something high-tech and redundantly to solve voting forever: every voter gets a random physical coin at the polls with an embedded, unique, random RFID that only the registrar can generate with their private key. The voter places their coin into the slot leading to a container for their candidate and they get a paper receipt of their vote with the coin they just used.

    Larger and larger containers can then aggregate votes coins. And every container is weighed to count votes AND scanned to verify the votes it contains them with an RFID scanning system embedded in every container.

    To verify your vote was counted, all containers scanners record their RFID contents of every vote each container has (it doesn't who voted for who), and the tracking system finds your vote by you typing in the magic number on your anonymous receipt to prove it was counted.

    Coupled with chain-of-custody and third-party auditing and monitoring, this is the most foolproof way we can do voting… by neither trusting evoting nor physical voting alone.

    – RFID
    – paper-trail
    – physical object that can be weighed
    – no hanging chads BS

  50. You're making a bunch of strawman arguments that are disingenuous. "Decent" Evoting machines would never, ever be connected to the internet. They would use a private network of leased lines. But not stop there, they would be each issued registrar-baked-in digital certificates to establish an encrypted, authenticated and authorized connection to upload vote data.

    Either that or you shift the infrastructure to an election commission, high-security datacenter without internet access that runs the actual voting software clients, while the voting machines are actually stupid terminals that reboot between voters and connect to the actual servers via a private network of leased lines.

    Paper trail is essential, regardless of technology. See also my other answer about scrapping computer voting and going to physical coins with an anonymous, random RFID that only the paper receipt can link to the vote.

  51. back in the day it was all paper'''''and there were elderly people watching the voting stations call them geeks for the vote and non partisian ////NOW?>>>> trump won with the russians hacking all the individual counties…. and they are going to do more electronic voting machines(bradblog) ….so the russians will will again…trump is bringing democracy down one criminal move at a time

  52. Voting in private at an unmonitored location defeats anonymity also, because there is no one to verify you weren't coerced into selling your vote.

  53. Physical voting can be compromised if the tallies are intercepted in the middle. So long as another physical vote to confirm isn't done it'll be successful.

  54. Tom, you really need to look at Indian Electronic Voting Machine. In fact the whole system, there are few things they do differently.

  55. How is Russia targeting all 50 states ok well based on that headline they were not successful or that would have been the headline and what does that mean Russia sending out memes on Facebook or just letting people know about some things the clintons have done

  56. What would be your view for a mechanical computer for elections? The only way one may be able to tamper with it would be to change the device from within. I'm talking of computers that may record votes in a manner our mechanical watches changes dates. 🤔

  57. Replace the word "voting" with "banking" in your video, online banking would start to sound like a bad idea too. Online banking is susceptible to all the same security vulnerabilities as online voting. Yet somehow we manage to trust online banking system enough to deposit our hard-earned cash into it. I just don't understand why the same online transaction system is so insecure that we cannot trust to record our vote but simultaneously secure enough that we trust it to count our money.

  58. PLEASE! Make a follow up video describing the theoretically perfect electronic voting system you would design. I would love to see that!
