posted on Thursday March 16 2017, @06:37AM
from the every-vote-10101011's dept.

On Wednesday, 15 March, general elections are (were) held in the Netherlands. A vote is cast by marking the chosen candidate with a red pencil on a (large) paper ballot, and vote counting is manual. Below is a short history of how the Netherlands got to this point.

Background: voting in the Netherlands
First up: voting in the Netherlands is rather different from voting in the USA. In the Netherlands, every voter casts exactly one vote. There's a huge list of candidates (400-600), grouped into ordered lists (i.e., the various parties).
There are 150 seats in the House. To get elected directly, you need... 1/150th of the total number of votes.
(That sounds almost reasonable, right?)

If you're short (or over), the votes you don't use yourself default to your party. Seats are then assigned to the people on the party's list in the order in which they appear on that list. So if, after everyone who reached the quota has been directly elected, a party still holds 6/150ths of the votes, then the first 6 people on its list who did not win a seat themselves win a seat.

Usually this process does not allocate all seats, and there's a process for that as well (D'Hondt method, if you want to be precise).

The TL;DR version: people vote for exactly one candidate out of a few hundred candidates. Every vote counts. Even if your candidate is not elected, by voting you've raised the total number of votes, and therefore the threshold that needs to be passed (1/150th of the vote) to win a seat.
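As an added illustration (not part of the original story), here is the allocation described above in Python: full-quota seats first, residual seats by the D'Hondt largest-average rule, and a party's seats filled with its directly elected candidates before the rest of the list. The vote totals are constructed, and the code assumes that only lists that reached at least one full quota compete for residual seats.

```python
from fractions import Fraction
from typing import Dict, List

HOUSE_SEATS = 150  # seats in the Dutch House of Representatives

# Constructed nationwide vote totals per list (party); not real results.
VOTES = {"A": 4_000_000, "B": 3_000_000, "C": 2_000_000,
         "D": 1_000_000, "E": 600_000, "F": 50_000}


def quota(votes: Dict[str, int], seats: int = HOUSE_SEATS) -> Fraction:
    """Votes needed for one seat: total votes / seats. Every vote cast, even
    for a list that wins nothing, raises this number (exact arithmetic)."""
    return Fraction(sum(votes.values()), seats)


def allocate_seats(votes: Dict[str, int], seats: int = HOUSE_SEATS) -> Dict[str, int]:
    """Party-level allocation: full quotas first, then D'Hondt for the rest."""
    q = quota(votes, seats)
    # Step 1: each list gets as many seats as it has full quotas of votes.
    allocated = {party: int(v // q) for party, v in votes.items()}
    # Step 2: residual seats go one at a time to the list with the largest
    # average votes per seat if it got one more (D'Hondt: votes / (seats + 1)).
    # Assumption: only lists that already won a full-quota seat take part.
    eligible = [party for party, s in allocated.items() if s > 0]
    if not eligible:
        raise ValueError("no list reached the quota")
    while sum(allocated.values()) < seats:
        # On an exact tie the first list in input order wins; real rules
        # break ties differently, but the page does not describe that.
        best = max(eligible, key=lambda p: Fraction(votes[p], allocated[p] + 1))
        allocated[best] += 1
    return allocated


def fill_list(list_order: List[str], seats_won: int,
              candidate_votes: Dict[str, int], q: Fraction) -> List[str]:
    """Seat a party's candidates as the story describes: anyone who reached
    the quota on their own is seated first, then the list is walked in order."""
    directly = [c for c in list_order if candidate_votes.get(c, 0) >= q]
    winners = directly[:seats_won]
    for candidate in list_order:
        if len(winners) >= seats_won:
            break
        if candidate not in winners:
            winners.append(candidate)
    return winners


if __name__ == "__main__":
    print("quota:", quota(VOTES))
    print("seats:", allocate_seats(VOTES))
```

With the constructed totals the 50,000 votes for list F win it nothing, yet they raise the quota for everyone else, which is exactly the "every vote counts" point above.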

Machine voting in the Netherlands
The Netherlands enjoyed machine voting for a long time. Prior to my existence, mechanical devices were in use. These were superseded by electronic voting machines. The machine used the most was the Nedap machine: sort of an extra-large checkerboard of buttons, on which a ballot with the candidates was placed. You'd press the button of the candidate of your choice, a tiny LED screen on top would show the party and the name of the candidate whose button you had pressed, you'd press the 'confirm' button next to the tiny display, and you had voted.

This system facilitated vote counting enormously. To count votes, you'd just press a button and out came a "shopping receipt" with the vote count. A recount was even easier: just press the button again! Couldn't be easier.
Of course, there are a few security issues with that, but hey :)

Back to the red pencil: security issues with machine voting
Around 2007, the heat was turned up under the feet of voting machines. They suffered from various flaws: no meaningful recounts, no meaningful way to verify that the result had any relation to the voter input, etc.
At one point, Nedap claimed their machines were not computers. Opponents countered this claim by making one of the Nedaps play chess (by inserting their own PROM chip onto the board). This effectively demonstrated that the machine could do anything whatsoever, and that verifying what it actually did was completely impossible.

Amazingly enough, that was not the thing that got these machines banned. What got these machines banned was the display of the party's name. As it happens, there was exactly one party whose name includes an accent: CDA (fully known as "Christen-Democratisch Appèl"). That one accent was enough to get voting machines banned.
As it turns out, the emanations from the ancient, tiny LED screen depended on what was displayed. Before you say "well gosh jolly, who'dda thunk": determining what was displayed based on those emanations was *hard*.
Except for the accented character. I believe it was due to that one character using an extra bit (8 bits instead of 7 bits). At any rate, the emanations for this character could easily be distinguished from emanations lacking it. Moreover, both types of emanations could be distinguished from the screen being off.

A group of hacktivists (before this term was widely used), by the name of "Wij Vertrouwen Stemcomputers Niet", seized upon this. They had already shown that the Nedap could play chess, but now they constructed a simple display (converted TomTom) with a large antenna. The display would show when a vote was cast, and whether that vote was a vote for CDA or not. From outside the precinct.

That got Nedaps banned. In the ensuing fallout, the other manufacturers' machines also turned out to be enormously under par on security, so in one fell swoop all voting machines got banned. Voting went back to the traditional fashion: paper ballots and a red pencil.

Handcounting of votes
Of course, the paper ballots had to be hand counted. You could probably design a system that is able to read this A2.5-ish ballot and determine where the mark is, but a trustworthy system that is cheap enough to deploy to all precincts (guesstimate: about 10,000), and easy and robust enough to be used accurately by folks who have never seen it before?
Yup, it's counting by hand.

Aggregation of votes
Aggregating the votes is somewhat tricky. Each precinct hand-counts its results, which then need to be aggregated. This happens first at the municipal level. Until recently, special software was used for this. Again, security was an afterthought - in the software and in the procedures around it.

After completing the count, the totals would be entered into a TXT file, which was saved onto a USB key. Then someone would take the USB key to town hall. (I kid you not.) After that, the software would take over. That software could be installed on any system, including Windows XP (which was already known to be on the way out when the software was developed). It has its share of problems: it installs a web server but doesn't need the internet, it talks to that local web server over plain HTTP, it uses SHA1, it stores the SHA1 hashes alongside the data they are "securing", it emails result files without encryption, and so on. This was found out thanks to an ethical hacker, who did a teardown of this software based on a YouTube instruction video (I am not making this up!):

I am now at 03:44 minutes into this epic instruction video...

The responsible minister could do little else but hire a security company to perform a security audit of the software. Unsurprisingly, they reached more or less the same conclusions as the ethical hacker. They did state some rules under which the software could be used as a backup.

Determining the results of the 2017 elections
Which is where we are now. Each precinct will hand-count the votes. These results are then aggregated manually at the municipal level and at higher levels. Software may be used on stand-alone, unconnected computers to validate the result of the manual aggregations. Paper is leading, meaning that if the two aggregations differ, we will turn to the paper count and recount that to verify that it is correct.
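An added example (not the Dutch software, whose file format the story does not give) covering the two points above: municipal aggregation of per-precinct text files, why a SHA1 stored next to the data it "secures" detects nothing, what a keyed tag held at town hall does instead, and the "paper is leading" reconciliation. The precinct files, file format and key are constructed for the demonstration.

```python
import hashlib
import hmac
from typing import Dict, Iterable, List

# Constructed precinct result files in a hypothetical "candidate;votes" text
# format; the real format used by the Dutch software is not on the page.
PRECINCT_FILES = [
    "precinct=0001\nA;1234\nB;987\nC;456\n",
    "precinct=0002\nA;1100\nB;1020\nC;500\n",
]
# Constructed key held at town hall; the point is that it is NOT on the USB key.
MUNICIPAL_KEY = b"constructed-demo-key-do-not-reuse"


def parse_counts(text: str) -> Dict[str, int]:
    """Turn one precinct file into {candidate: votes}; lines without ';' are headers."""
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        if ";" not in line:
            continue
        name, votes = line.split(";", 1)
        counts[name] = counts.get(name, 0) + int(votes)
    return counts


def aggregate(files: Iterable[str]) -> Dict[str, int]:
    """Municipal-level aggregation: sum the per-precinct counts."""
    total: Dict[str, int] = {}
    for text in files:
        for name, votes in parse_counts(text).items():
            total[name] = total.get(name, 0) + votes
    return total


def seal_with_plain_hash(text: str) -> str:
    """The criticised design: an unkeyed SHA1 of the data, stored with the data."""
    return text + "sha1=" + hashlib.sha1(text.encode()).hexdigest() + "\n"


def verify_plain_hash(sealed: str) -> bool:
    body, _, digest = sealed.rpartition("sha1=")
    return hashlib.sha1(body.encode()).hexdigest() == digest.strip()


def edited_and_rehashed(sealed: str, old_line: str, new_line: str) -> str:
    """Simulate a file changed on its way to town hall. Whoever can edit the
    file can also recompute the unkeyed hash, so the 'check' still passes."""
    body, _, _ = sealed.rpartition("sha1=")
    return seal_with_plain_hash(body.replace(old_line, new_line))


def seal_with_hmac(text: str, key: bytes) -> str:
    """Keyed alternative: the tag depends on a secret that never travels with the file."""
    tag = hmac.new(key, text.encode(), hashlib.sha256).hexdigest()
    return text + "hmac=" + tag + "\n"


def verify_hmac(sealed: str, key: bytes) -> bool:
    body, _, tag = sealed.rpartition("hmac=")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag.strip())


def needs_recount(manual: Dict[str, int], software: Dict[str, int]) -> List[str]:
    """'Paper is leading': every candidate whose manual and software
    aggregations differ goes back to the paper count."""
    names = set(manual) | set(software)
    return sorted(n for n in names if manual.get(n) != software.get(n))
```

A MAC is the simplest keyed check to show; in practice a per-precinct signature avoids sharing one key between precincts and town hall.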

Wrapping up
So that is that: we were using machines but they were horrendously insecure. We were using software to aggregate votes in a horrendously insecure way. We are voting today (yesterday?) with red pencil and paper, hand counting votes and manual aggregation of votes.

Every once in a while, someone suggests a "better" way to do it. Usually "better" translates into "more convenient, broken security". Some folks call the current system old-fashioned. To me, old-fashioned may be a downside for clothing, but I don't mind it in a voting system.


  • (Score: 1, Interesting) by Anonymous Coward on Thursday March 16 2017, @07:24AM (19 children)

    by Anonymous Coward on Thursday March 16 2017, @07:24AM (#479691)

    Human counters are slow and not very accurate, and trying to lock down a general purpose computer for voting is a very difficult security problem, even if you do it right, which they obviously didn't.

    You really have to build a vote counter that counts mechanically, using punch cards, optical scanners, or the like, and which doesn't have any CPU at all but only special-purpose, non-programmable computations. It can store its result onto some sort of physical record, like another punch card, a paper printer, or whatever meets the physical security requirements.

    Everything could be implemented into an ASIC for a reasonable cost (by ASIC standards), and the source design implemented in FPGA first and published so security researchers can try to break it. When everyone is sufficiently confident, burn the ASIC. You don't need any fancy cryptography or anything else. Just a machine that only does one thing.

    You'd still have a few side channel attacks (which human counters also have, and probably more severe) and you'd have to maintain the physical security of the vote counting machine, but since the physical counting machine wouldn't be open to the public (who only need to drop their punch card in the ballot box), the opportunity for attacks is minimized.

    This problem is not hard. It's just that people often insist on doing it wrong. More technology is always better! Well, no. Not always.

  • (Score: 0) by Anonymous Coward on Thursday March 16 2017, @07:35AM

    by Anonymous Coward on Thursday March 16 2017, @07:35AM (#479692)

    You really have to build a vote counter that counts mechanically, using punch cards, optical scanners, or the like, and which doesn't have any CPU at all but only special-purpose, non-programmable computations. It can store its result onto some sort of physical record, like another punch card, a paper printer, or whatever meets the physical security requirements.
    ...
    This problem is not hard. It's just that people often insist on doing it wrong. More technology is always better! Well, no. Not always.

    I don't get it. A car analogy... pretty please?

  • (Score: 5, Interesting) by Shimitar on Thursday March 16 2017, @08:10AM (11 children)

    by Shimitar (4208) on Thursday March 16 2017, @08:10AM (#479698) Homepage

    Slow is not bad... at all!

    And accuracy is not correctness... You can be 100% accurate, but completely wrong.

    In elections, you don't need speed or accuracy. You need accountability and recheckability (is this even a word?). Election issues are people issues, and no more guarantees of results can come from computers, unless computers can fix humans...

    ... I would rather substitute politicians with computers than voting systems.

    --
    Coding is an art. No, java is not coding. Yes, i am biased, i know, sorry if this bothers you.
    • (Score: 2) by FatPhil on Thursday March 16 2017, @08:58AM (3 children)

      by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Thursday March 16 2017, @08:58AM (#479711) Homepage
      I don't see the distinction you are making between accuracy and correctness; to me they are the same.
      However, you are right that verifiability is an absolutely essential attribute in any election - recounts must be possible.

      I've only just noticed the similarity with another security-related field - that of identification (in particular authentication, or "authentifying" as they now seem to call it). Passwords, the something you know, seem to have fallen out of favour for situations where security is very important - and two-factor, bringing in the second factor of something you have, seems all the rage.

      Isn't an electronic ballot the computer tallying something it knows (your vote), and a paper ballot has the counters (which can be mechanical) tallying something it has (the ballot paper)? To see pressure back towards paper ballots is hardly surprising whilst thing-you-have is gaining popularity in other security fields.

      Could be bullshit, I've literally only just thought of it just now, and have never seen such a parallel drawn before.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 2, Insightful) by Anonymous Coward on Thursday March 16 2017, @12:33PM

        by Anonymous Coward on Thursday March 16 2017, @12:33PM (#479735)

        The advantage of paper ballots is that their manipulation is subject to the rules of classical physics, which cannot be changed and to the degree needed are perfectly well known to anyone, so everyone can easily estimate the security of the vote, without requiring special knowledge. Moreover, the whole process involves only objects which are visible with the naked eye, so verification also doesn't need any tools that could themselves be manipulated.

        On the other hand, computers follow the rules of their programming, which isn't directly accessible, but only can be accessed using tools that themselves may be manipulated (think of rootkits), and which can easily be manipulated. And you need specialized knowledge to even consider verifying them.

      • (Score: 2) by Immerman on Thursday March 16 2017, @02:34PM

        by Immerman (3985) on Thursday March 16 2017, @02:34PM (#479789)

        Indeed, they seem to be confusing accuracy (correctness) and precision (amount of "detail")

        Two factor is indeed a major security upgrade as it makes security considerably more difficult to bypass - but it relies on *both* factors being used. Without the something you know, it's just a standard key-based lock - anyone who can steal the physical "something you have" can get past the security unchallenged, and if there's any "pickable" flaws in the lock they don't even need that.

        As security improves there is indeed motion towards "something you have", because it was not previously present. But importantly, there is not a corresponding motion away from "something you know", at least not among those concerned with actual security.

        I don't see that it has anything to do with voting though - electronic ballots aren't "something you know" or "something you have" - there's no "what's the password" security to get past, they're just electronic data. And electronic data is *extremely* easy to tamper with remotely without leaving traces. Especially when being handled by general purpose computers with lackadaisical security and an internet connection. The tampering can even take place long before the election by infecting the machines with vote-switching malware that deletes itself after stealing the election.

        The push back to paper ballots is simply because physical ballots are considerably more difficult to tamper with - doing so requires that actual physical ballots be "lost", and/or phony ones be "found" - tasks that require a criminal to be physically present, and can be easily guarded against by alert independent watchers (or a group of watchers with conflicting allegiances). The price - the potential for physical ballots to be improperly completed (hanging chads, mismarked sheets) is greatly outweighed by the increased difficulty in stealing the election in the face of well-understood and easily verified security, as well as the ability to do a recount.

        An electronic ballot system can eliminate mistakes (perfect precision), but can't meaningfully guarantee accuracy (votes can be silently changed wholesale). Hybrid systems could theoretically work - using an electronic voting machine that generates a human-verified paper ballot, but that's a lot of expense to eliminate a small margin of error. Plus, it seems that once you have involved machines in the process at all, they tend to end up doing the counting, since they're so fast and precise about it. But they can't be trusted, and once they've done the job, nobody wants to count the ballots by hand to make sure nobody cheated. Involving computers at all seems to just place the entire election on a slippery slope, where human eagerness, laziness, and inclination to trust the accuracy of computers under normal circumstances, all conspire to destroy the integrity of the election.

      • (Score: 0) by Anonymous Coward on Friday March 17 2017, @03:00AM

        by Anonymous Coward on Friday March 17 2017, @03:00AM (#480172)

        really? too lazy to even google ....
        http://www.diffen.com/difference/Accuracy_vs_Precision [diffen.com]

        here's with colors in case you get too tired of reading:
        http://www.mathsisfun.com/accuracy-precision.html [mathsisfun.com]

    • (Score: 1) by khallow on Thursday March 16 2017, @12:17PM (6 children)

      by khallow (3766) Subscriber Badge on Thursday March 16 2017, @12:17PM (#479733) Journal

      Slow is not bad... at all!

      It does allow for more opportunity to throw an election. There's more opportunity for skullduggery with, for example, a week long delay in vote count than a one day delay, for physical vote counting.

      • (Score: 2) by FakeBeldin on Thursday March 16 2017, @12:42PM (4 children)

        by FakeBeldin (3360) on Thursday March 16 2017, @12:42PM (#479738) Journal

        Funny thing: I kept linking "skullduggery" to tweets by candidates in hypothetical scenarios :)
        At any rate, tweeting doesn't affect the count. It might affect how people think about various candidates, but not the process of counting.
        So I'm wondering how taking it slow allows for more opportunity to "throw an election".

        Note that the process that is slow is the aggregation of the polling station counts. Each polling station finishes the count on the evening itself. Those folks are home by midnight (if the polling station closed at 21.00 - not all did as some ran out of ballots and others were open longer to compensate). Aggregating this all up takes more time: there are about 10,000 polling stations, divided into 20 districts, each of which has its own candidate list. Normally these lists largely overlap, but they're not required to. I have no clue how seats would be assigned in the completely theoretical case where one party gets so many votes that the differences between the lists in different electoral districts suddenly become important.

        Anyway, I digress. Point is: counting is finished before the morrow. Actual aggregation of those counts will take a while, but the day after the elections the most likely distribution of seats is already known.

        So, I'm wondering what "skullduggery" one could enact that would help "throw an election".
        (actually, I am wondering that in general, not just for Dutch elections, so do please respond!)

        • (Score: 1) by khallow on Thursday March 16 2017, @12:56PM (1 child)

          by khallow (3766) Subscriber Badge on Thursday March 16 2017, @12:56PM (#479745) Journal

          Anyway, I digress. Point is: counting is finished before the morrow.

          Then it's not slow.

          • (Score: 3, Interesting) by Immerman on Thursday March 16 2017, @02:40PM

            by Immerman (3985) on Thursday March 16 2017, @02:40PM (#479799)

            Sure it is, it takes hours. Electronic voting is done counting the moment the last ballot is cast.

            Think of the news media cycle man, think of the media cycle!

            ...actually, I'm kind of surprised the media isn't a big proponent of manual counts - they draw out the anticipation for many hours or days, which means more time of people watching talking heads speculate on the outcome as results trickle in, and more ads sold.

        • (Score: 1) by khallow on Thursday March 16 2017, @01:03PM (1 child)

          by khallow (3766) Subscriber Badge on Thursday March 16 2017, @01:03PM (#479747) Journal

          So, I'm wondering what "skullduggery" one could enact that would help "throw an election".

          Ugh, forgot to include this. If the only thing left is a complex algorithm, then there's no point in taking human time to compute it when a computer can do it instead. Just crank it out in a fraction of a second, and have the various parties verify with their own computations. Any "slow" method will be far more prone to error.

          • (Score: 2) by Immerman on Thursday March 16 2017, @03:00PM

            by Immerman (3985) on Thursday March 16 2017, @03:00PM (#479815)

            Except there is no complex algorithm - there's just the generation of trustworthy regional tally sheets. Everything else is just simple inter-regional aggregation rules - publicly post the initial tally sheets as soon as they're confirmed, and anyone who wants to can quickly verify that the aggregation is done correctly. And there's really only two options to get those tally sheets:

            1) have humans do the counting - preferably using redundant counters with different allegiances, with any discrepancies being resolved immediately on a box-by-box basis, and the entire process being watched and recorded to make it as difficult as possible for anybody to fraudulently "lose" or "find" any ballots.

            2) have a computer do the counting - in which case you have to *completely* trust the hardware manufacturer, every piece of software that's supposed to be on the machine, the electronic security against remote hacking, and every person who has ever been alone with the computer for more than 30 seconds. Any single flaw in any of those is enough to completely compromise the election.

            Theoretically you could do both, but in practice if the computer has already done all the work, nobody wants to do it by hand. Besides, given how completely untrustworthy computer tallying is, what exactly is it contributing? Is it really that important to have a completely untrustworthy "first guess" right away? The election won't have any real impact until weeks or months later, so what exactly is gained by knowing the outcome a few hours earlier, even if you *could* trust it?

      • (Score: 2) by compro01 on Thursday March 16 2017, @09:58PM

        by compro01 (2515) on Thursday March 16 2017, @09:58PM (#480053)

        Sure, but no realistic system will have that much of a delay. In Canada, the counting of the paper ballots is done within hours of the polls closing, then phoned into the returning office. I've done this in both federal and provincial elections.

  • (Score: 2, Touché) by Anonymous Coward on Thursday March 16 2017, @08:12AM

    by Anonymous Coward on Thursday March 16 2017, @08:12AM (#479699)

    This problem is not hard. It's just that people often insist on doing it wrong.

    Great. The most important thing is that the security must be such that any voter (that includes my mother and my 94-year-old grandfather) can verify that the vote put in at one end is what is counted at the other end.

    Everything could be implemented into an ASIC for a reasonable cost (by ASIC standards)

    If it's not hard, why are you one of those who - by your own words "insist on doing it wrong"?

  • (Score: 1, Insightful) by Anonymous Coward on Thursday March 16 2017, @10:09AM (1 child)

    by Anonymous Coward on Thursday March 16 2017, @10:09AM (#479721)

    From the point of view of democracy, the most important aspect is that the inner workings of the system are public, understandable and verifiable (by anyone, not just some technocratic cabal). Even 100% accuracy comes way after that, since if a 49.99% candidate gets counted as 50.01%, the actual issue is in those 49.99%, not the 0.02%. The speed and cost of counting shouldn't even be on the list of important things.

    • (Score: 5, Insightful) by FakeBeldin on Thursday March 16 2017, @12:44PM

      by FakeBeldin (3360) on Thursday March 16 2017, @12:44PM (#479740) Journal

      As prof Dan Wallach put it:

      The purpose of an election is not to name the winner, it is to convince the losers that they lost.

      (as phrased by Douglas Jones)

  • (Score: 3, Insightful) by The Mighty Buzzard on Thursday March 16 2017, @10:37AM

    by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Thursday March 16 2017, @10:37AM (#479723) Homepage Journal

    s/very difficult/unpossible/

    Take it from a guy with a hardon for security that's been writing billing code for over twenty years. You cannot write perfectly secure software. You will always miss something. This is why I use nothing but pre-paid Wal-Mart debit cards with the exact amount I need on them when I'm forced to make online purchases.

    And that's not even speaking of hardware, human, or unscrupulous admin type vulnerabilities.

    --
    My rights don't end where your fear begins.
  • (Score: 3, Informative) by azrael on Thursday March 16 2017, @11:51AM (1 child)

    by azrael (2855) on Thursday March 16 2017, @11:51AM (#479731)

    Human counters can be quite quick, but yes, they can make mistakes. That said, there is oversight to mitigate this. In the UK where counting is done by hand I have attended election counts several times (as a count agent for a political party). There will be a whole bunch of count agents from most if not all parties contesting the election who stand opposite counters and watch everything they do.

    If we see a counter put a vote into the wrong pile we point it out. Where a voter's intention isn't clear it goes into a separate pile and then these are gone through by agents and an official to determine if a vote is spoilt, intended for one candidate or another, etc. (I have seen count agents argue that a drawing of a penis next to their candidate's name is actually a vote for their candidate - this is usually a successful argument as it is a clear mark against a name. Good tip for voters: don't draw penises against names of candidates you don't want to vote for without also clearly marking your paper as not wanting it to count as a vote cast for them.)

    So the manual method may be slow but there is a lot of oversight to make it as accurate as possible.

    • (Score: 0) by Anonymous Coward on Thursday March 16 2017, @10:39PM

      by Anonymous Coward on Thursday March 16 2017, @10:39PM (#480078)

      I have seen count agents argue that a drawing of a penis next to their candidate's name is actually a vote for their candidate - this is usually a successful argument as it is a clear mark against a name.

      That seems like a dick move.