Would an online voting system using a secure id be more subject to coercion than the current mail in ballot system?



A system which allows each voter to audit his vote in the final result via a unique ID has been suggested. The arguments against seem centered around the secrecy issue and coercion.

For example, a boss wanting his employees to vote for his candidate, and coercing them to provide their unique id so he can verify.

The system would also enable vote buyers to demand the unique id in exchange for money.

I don't doubt these could happen, but either would be a serious crime. How would that be different from someone demanding the login for my bank account?

These crimes would be difficult to pull off today with whistleblower methods available.

I think we really need a more reliable means to audit the voting system, especially since more folks will be demanding mail in ballots.

The current methods allow us no means to verify that our vote has been properly tallied in the final result. The ability to locate one's private id and audit one's selections in the final database would close that gap.

ADDENDA 12/12/2020 - A number of the questions do not fully consider what I have in mind. I am not a coder, but I do have a lot of data management experience, including mining data from public databases.

I created a simple example in Google Sheets of a ballot form for an election. The form consists of selecting from three candidates, and at the bottom is a form input box where the user makes up his own unique passcode. That passcode is submitted with the form along with the passcode. The selections appear in the database on the same row with the unique passcode. No one knows who that passcode is associated with. In the Google sheet example, Google requires their own login, tied to your email address, and they only allow one vote per a given email. I don't propose using Google for elections, it's just a simple way to make an example. I propose an open source program which can also be mirrored to a read only file available to the public. Any tampering to the software can be monitored publicly.

That brings us to the database. It would contain columns for a timestamp, the secret password and the votes of the user. This database would be secured, and a read only mirror displayed at the end of the election (and possibly even during the election). A user would either have access to only his information prior to the election using his login (google account in this example, but through the registrar in the real world). If he finds error, or even changes his mind, he can edit his choices right through the close of polls. If he votes, and finds that his entry has been altered, he can notify authorities of the error.

At the end of the election, the full database would become available for public on a read only mirror. You can download the entire database, and find your vote by searching for your unique ID. This database could also be printed and available for viewing at the registrar's office, if you think your computer or the online database is hacked.

If anyone has ever written his congressman about an issue, and received a boilerplate reply, then you learn quickly that the only thing we really have is our vote. Politicians say that all the time, your vote is paramount to democracy. I agree, and so I want to be certain that my vote is counted in the manner I intend. This is of paramount importance.

Beyond that, input from individual voters would become a large wave if enough people find errors, and a serious investigation would ensue. It would probably not be that difficult to find the breach with that many errors. We already have this gap between election day and the seating of the electors, so there would even be time for a redo if we find wholesale problems. Perhaps we could try this in a few locations first and see how well it works, even as a "beta test" with the normal methods being used as a control test.

David Wright

Posted 2020-07-05T13:34:53.363

Reputation: 21

1HI David. Could you add what country/jurisdiction you're talking about? Mail in / postal ballots differ from place to place. – owjburnham – 2020-07-05T13:49:02.563

I am in the U.S., Louisiana. I realize systems vary among states, but the means available for audit are attractive enough that wholesale adoption might occur. – David Wright – 2020-07-05T13:52:22.753

Consider focusing on maintaining the secrecy of the vote rather than coercion. Attempts to influence a person’s voting choice will not change regardless of voting system. – BobE – 2020-07-05T13:53:58.177

Bob, I agree. There is another thread which discusses the mechanics of such a system, but I lack the points required to participate. – David Wright – 2020-07-05T13:58:38.270

Here is the thread: https://politics.stackexchange.com/questions/9119/how-do-i-know-that-my-vote-was-counted

– David Wright – 2020-07-05T14:03:15.220

To be specific, the means exists to allow every voter to vote online, by mail or in person and to verify that his vote is properly tallied in the final election result. A unique, secret Id number attached to each ballot (or bar code, etc) would allow me to find my vote in the official public database. – David Wright – 2020-07-05T14:43:14.350

1It's nice that you agree (that coercion will occur in any system) my point in making that comment is actually a suggestion that you focus your question on what you really want to ask: specifically, Can a system be developed that would guarantee complete voter privacy; would such a system be compatible with universal on-line voting. I'm suggesting that you edit your question to focus – BobE – 2020-07-05T16:06:39.757

You miss an important (IMHO) related point, which is that an (exclusively) on-line voting system would disenfranchise a significant number of people. Especially if it is not designed to be OS/browser agnostic: there are all too many Windows-only sites out there :-( – jamesqf – 2020-07-06T04:28:46.197

@jamesqf, such a system could include mail-in ballots. It would even allow for drive thru voting thru something like an ATM. – David Wright – 2020-07-06T16:39:27.480

@jamesqf, Do you think furnishing identification when you register is disenfranchisement? Purging dead people? Purging those who have moved away? All of these are necessary to insure validity of the process. I think those measures are very reasonable. – David Wright – 2020-07-06T16:50:54.900

3@David Wright: No, it's disenfranchisement because there are people who don't have or use computers. It's even more so if those in charge of implementing the system hire some of the all-too-common "everyone uses Windows" idiots. It's not hard to find unusable by everyone web sites - just look at StackExchange's so-called "chat" facility, which to me is equivalent to /dev/null. – jamesqf – 2020-07-07T05:01:36.540

@jamesqf, the proposed system would allow mail in ballots, walk-in voting or online voting. No disenfranchisement that I can see. I am a newb here, can you fill me in on why my question was moved to chat? How does one avoid that? – David Wright – 2020-07-07T18:15:36.553

1@jamesqf: one such system that is maybe more to the point than sx chat is the electronic signature that my German ID card supposedly offers. It should allow me to use web services for things where I'd usually have to go to the town hall or some other public office. Needs a mobile phone app - took me 3 phones to try out to find one where I could install the app, and then it doesn't recognize the card... And when I say in the office that I tried but didn't get it working, I'm told that I'm no exception at all... – cbeleites unhappy with SX – 2020-08-06T20:10:25.693

1@David Wright: It would be disenfranchisement if ONLY on-line voting was allowed, which I understood to be the suggestion. No problem with it being one option. Your question was moved to chat because some of the moderators here dislike discussion, and move things of that sort to "chat", which as far as I can tell is the StackExchange equivalent of /dev/null. I've gotten replies to comments that were moved there, and following the links just gives an empty screen. – jamesqf – 2020-08-07T22:10:36.267

4@cbeleites unhappy with SX: Exactly. I'm perfectly happy with my dumb phone, which has a physical keyboard (touchscreens and I don't get along well), and which cost me less than $30 from eBay (and about $7/month). Why should I have to buy an expensive and irritating smart phone in order to vote? – jamesqf – 2020-08-07T22:19:34.737

1Secure in what sense, exactly? – None – 2020-12-03T05:12:33.920


Don't have time for full answer, but short version is hooking it up to the internet means hacking worries which are far higher than any risk of coercion that currently exists. XKCD sums it up nicely: https://xkcd.com/2030/

– dsollen – 2020-12-03T15:48:23.317

@Chipster@xkcd@jamesqf Chipster, Secure in the sense that the voters would be able to locate their individual ballot on the complete database and insure that it was properly tallied. – David Wright – 2020-12-04T13:30:41.220

Secure in the sense that only one vote per registered voter could be tallied. The registrar could only issue a ballot to properly registered and living voters. It still relies on the Registrar to eliminate dead people and people who have moved from the registration roll. If a voter finds his vote changed, he can make an affidavit. If enough affidavits are received, then you have detected a hack and can investigate. If the software is open source and mirrored to a read only file, the public can monitor for any attempts to change the software on the server. – David Wright – 2020-12-04T13:34:15.973

I expect one could even mirror the process and pick up hacks. – David Wright – 2020-12-04T13:34:23.907

@jamesqf-The process could be as easy as going to an ATM device in each precinct. You could also allow voting in person if preferred. The point is that paper ballots are nearly impossible to monitor, regardless of how many observers. Think of Penn & Teller. – David Wright – 2020-12-04T13:36:45.327

Too many hands on the current process. It can be automated, secure and auditable. Tech people should be all over this if they really seek honest elections. – David Wright – 2020-12-04T13:38:06.097

@cbeleites-unhappy-with-sx Yes, what I am proposing is similar to a digital signature. The big difference is being able to verify that what I put in is actually coming out on the other side. Then, if enough people see their votes changed, it can be detected and traced. The other thing is making sure that only registered voters are issued a ballot. That too is much more secure through a digital registration process. – David Wright – 2020-12-04T13:43:51.613

1@David Wright: I suspect you live in an urban or suburban area. For those of us who don't, a trip to an ATM could be an all day matter. – jamesqf – 2020-12-05T17:55:10.853

@jamesqf: If you have a cell phone with an internet connection you could use that to vote. There would be at least 3 options. The ATM, the normal walk in voting, and voting through the internet, from your home or phone. Lots of folks are saying that the online is too easily hacked. Not if you have the means to check the global database and verify that your vote is properly tallied (before and after the close of the polls). Before the close, you could see if your vote is not correct, contact the registrar and any sort of hacking would be detected. – David Wright – 2020-12-07T12:55:51.687

@jamesqf:prior to the close, you would be able to change your vote, just like you can change your info for your bank account, etc. If we can securely handle banking information and medical information, we can easily do this. – David Wright – 2020-12-07T12:58:52.527

I prepared a simple example of a ballot for three peanuts characters using a google form. If you want to try it out, you have to have a google account and request access. The request would be similar to registering to vote, with the application being the means to eliminate duplicate votes by attaching voter registration to an email address. The email address could be one specifically used for voting purposes, and not your personal email address. – David Wright – 2020-12-07T13:36:10.683

There is another thread which I cannot participate in, because I lack 50 points. The last argument is regarding coercion by the boss to reveal your vote. I say how is that different than giving up your online banking password? It's a crime, and today, with cell phones, it is easy to document such a crime. Here is the link to the other thread: https://politics.stackexchange.com/questions/9119/how-do-i-know-that-my-vote-was-counted

– David Wright – 2020-12-07T15:34:21.233

1@David Wright: You are still missing the point that I'm trying to make, which is while all these options might work well for people who live in urban & suburban areas, or even some rural areas (such as east of the Mississippi), there are large areas of the US that don't have cell service. Likewise, other tech requirements (like your Google account example) disenfranchise those who don't meet them. – jamesqf – 2020-12-07T19:58:10.503

@jamesqf You are really overstretching the disenfranchisement issue. You would not need a google account. The Secretary of State for each state would handle the voting using open source programs. The source could be mirrored read only and observed by thousands of citizen watchers. – David Wright – 2020-12-08T21:43:01.513

1@DavidWright while I believe there are a whole lot of bigger issues with disenfranchisement and especially hacking there is still the issue that if you make voting trivially easy for people with computers (go to a website, click a button) and force the poor without computers to somehow get off of work to go wait in line for an hour to vote in person you now have created a system that further encourages the well off to vote while putting hurdles in front of those that aren't. We already have issues with it, but you would just further the disenfranchisement issues. – dsollen – 2020-12-11T20:01:30.433

@dsollen. I made an addenda to the original question just to be sure everyone understands my proposal. Again, your disenfranchisement issue does not hold a lot of water in comparison to the fraud possibilities. One could place drive through ATM type devices, available 24/7 in each precinct and make it even more convenient than a mail in ballot. – David Wright – 2020-12-12T13:48:39.873

@dsollen If there is widespread fraud in inner cities, doesn't that disenfranchise all inner city votes? If, for example, 30% of inner cities actually voted for a Republican, and their votes are diluted by thousands of phony Democrat ballots (dead people or people no longer residents) then that dilution is disenfranchisement. There was a time when a black person's vote only counted for 2/3, and perhaps it still does. – David Wright – 2020-12-12T13:52:22.707

@DavidWright There has been no indication of widespread voter fraud, where there has been indications of disenfranchisement and hacking. All possible indications point to voter fraud being negligible, and thus the other threats are a greater concern. I feel the whole premise is trying to correct for a non-existent threat at risk of creating real measurable ones. Every voter fraud claim factcheck.org looked at was deemed false: https://www.factcheck.org/issue/voter-fraud/ same is true with all other fact checkers, it's a made up bogeyman not worth using a sub-par system to try to prevent.

– dsollen – 2020-12-21T15:20:18.860

@dsollen. I keep hearing the term "no widespread voter fraud". That is a strawman. There is no need for widespread voter fraud to change an election. There is evidence of focused fraud among election officials (not voters). Focused fraud being exercised in key precincts of battleground states is all it takes to change the outcome. If you have not listened to designated poll watchers' complaints of being harassed and removed from the process, you should take a look. The poll watching process is completely inadequate as a security measure. It's too easy to fool the human eye. Ask Penn & Teller. – David Wright – 2020-12-22T19:57:47.007

@DavidWright - If you're trying to guard against corrupt election officials, a publicly accessible database of votes is useless. They may not be able to easily change a vote, but it'd be trivial to add extra votes with ID numbers that no one will ever look up. And unless you completely throw anonymity out the window, there's no good way to verify that every ID number is real. – Bobson – 2020-12-22T20:05:46.637

@bobson, in a proper system, a vote could not be added by anyone who is not properly registered in the precinct where the vote is cast. Only those with an electronic invitation (or voter card with verification chip) issued by the registrar of voters would be allowed to cast a vote in the system. It's becoming pretty obvious to me that those in objection are those who don't really want to see an honest election. – David Wright – 2020-12-23T22:09:34.857

@DavidWright Physical cards that have to be distributed are not much more secure than absentee ballots. They're still vulnerable to being stolen and used by the wrong person. They're also vulnerable to shimming. For a simple example, you could make it so that whenever someone voted, the next voter appears to be using the same card, thereby looking like a double vote and invalid. Every possible system is vulnerable, it's just a matter of choosing which threats you want to guard against and which you accept

– Bobson – 2020-12-24T00:34:24.993

@Bobson You are grasping at straws at this point. We trust credit cards and can easily report theft and be issued a new card. If I go to the ATM and cannot get a receipt for my vote, then I report it and the shimming device is quickly discovered. In my opinion, there is a will to suppress such ideas, because no one can possibly believe in the security of our system of shuffling millions of paper ballots and expecting human eyes to be able to spot deception. Especially when they are being harassed and removed from the room. Only those who gain from fraud could possibly want this to continue. – David Wright – 2020-12-25T06:13:07.720

@DavidWright And you're missing the point I'm trying to make. Yes, that was a rather contrived example. There's far more subtle ways to potentially attack that route. But it's one example of a new point of compromise you're introducing by adding chip cards. Using chip-based voter cards can certainly be more secure than signature matching, but it also has its own weaknesses. As [Security.SE] will tell you, it's all about tradeoffs and your threat model. We trust credit card security, and there's still billions of dollars in fraud reported every year. Everything is vulnerable. – Bobson – 2020-12-25T09:08:22.723



This is a solution in search of a problem

I think we really need a more reliable means to audit the voting system, especially since more folks will be demanding mail in ballots.

Mail-in voting is not some new thing. The US has been doing it for decades. 24 states do 100% mail-in voting, or had no-excuse mail-in voting prior to 2020.

I live in Oregon which has been 100% vote-by-mail since 2000. Oregon has been watching the fretting about mail-in voting like some anti-Cassandra trying to tell people everything will be fine, but they don't believe us. While many hypothetical ways mail-in ballots can be made fraudulent have been put forward, a lot of them are the same old tired stuff. None have borne out after the extensive scrutiny. The one upside of all the frivolous and evidence-free 2020 lawsuits is to demonstrate that yes, mail-in voting is secure.

One must be very careful and conservative before changing how people vote because any new system will introduce new methods of fraud, disenfranchisement, and voter suppression. While deliberate fraud is almost non-existent, disenfranchisement and voter suppression are very real.

It doesn't solve the problem

How do you know when they say "yes, you voted for A" that they didn't switch it to B, but tell you A?

The whole premise of this question is that we don't trust the voting system, and the vote can be secured if the citizens can individually check their vote. But they're not checking their vote. They're asking the same people they say they don't trust to count their vote correctly to tell them whether they counted their vote correctly.

Consider that any system would be using a copy of the ballot record; there's no way the real record would be exposed online, that's a security nightmare. How do you know this copy is a true record of how you voted?

Elections can be verified without knowing the identity of the voter

The current methods allow us no means to verify that our vote has been properly tallied in the final result.

In Oregon, I am informed that my vote was received, but not how my vote was recorded. This is by design.

There is no need for me, a private citizen, to know how my individual vote was tallied to audit the election. The paper votes can be audited and recounted en masse without needing individual identities. What protects the US election system is its decentralized and visible nature. To alter enough votes to change an election requires a wide number of people from multiple parties and organizations (volunteer ballot counters, partisan and independent observers, county and state officials) to all be in a conspiracy together.

Each ballot has its own unique ID to prevent double voting. All the audit needs to know is yes, this is an official ballot and it was counted only once.

Ballot secrecy is very important

A system which allows each voter to audit his vote in the final result via a unique ID has been suggested. The arguments against seem centered around the secrecy issue and coercion.

Ballot secrecy is extremely important to free and fair elections. As mentioned above, disenfranchisement and voter suppression are very real. Voter ID laws to prevent imagined fraud often result in real voter suppression.

For ballot secrecy to work, once the voter is identified their vote is separated from their identity. In Oregon vote-by-mail this is done by signing the envelope, not the ballot. After the signature is matched the envelope and ballot are separated. The ballot has its own unique identifier to guard against double voting. This all worked as designed in Georgia.

Your proposed unique ID could be implemented by allowing voters to keep their ballot's ID and look up the vote based on that ID. This opens up many ways in which ballot secrecy can be violated. It can be lost, stolen, or coerced without their even knowing.

Right now, the secure chain of a mail-in ballot happens after I've filled out the ballot, put it in its security envelope, and signed and sealed it. If I don't want to put it in the mail, I can drop it off at any number of official, secure drop boxes. Prior to that point, I can happily leave my ballot sitting out. There's no secret information in a ballot until I fill it out.

If I can see how I voted based on the ballot ID, the secure chain begins when the ballot is placed in an envelope with my name on it. This increases the "attack surface"; the number of places where my ID could be stolen. Before I even open it, what if someone peeks inside and reseals it? Now they must be delivered in security envelopes. Once delivered and opened I must keep it secure. What if an unscrupulous housemate, partner, or visitor peeks at my ID and later checks on my vote?

Hundreds of millions of voters must understand these risks and mitigate them. Even if it was 100% safe, for some just the idea that someone might find out how they voted will cause them not to vote; usually people who are more vulnerable. Since individual voter verification is not necessary to audit the election, don't even take the risk.

Such a system risks exposing how everyone voted

Ballot secrecy is secured because someone has to both know what your ballot ID is, and how that ballot ID voted. If those two pieces are kept separate and difficult to access they're easier to secure.

I don't know if a database of ballot IDs to individual votes exists; it's not necessary to tally the votes. Creating one makes a security and privacy problem. If stolen, and if it's online it will be stolen, the attackers can expose one half of how everyone voted. If someone gains access to the poll books mapping people's names to their ballot ID, they have the whole record.

Ballot secrecy works because there are firewalls preventing any one person from gaining access to all the pieces, and this crumbles one of them.

If making stealing the ID a crime is good enough, why not all voter fraud?

I don't doubt these could happen, but either would be a serious crime. How would that be different from someone demanding the login for my bank account?

Or how would that be different from stealing someone's ballot?

All voter fraud is a crime. If you feel making stealing someone's unique ID a crime is good enough, then that should be good enough for any perceived insecurity in mail-in ballots.

Online voting systems are a security nightmare

Obligatory XKCD.

The idea opens up holes when implemented with paper ballots. When combined with online voting, the whole thing is a nightmare. Trust me, I'm a software engineer.

Paper is pretty simple and paper systems are transparent. Commercial software is a black box. Even if we required voting software to be Open Source, Australia does, software is ludicrously complex. Even without intentional fraud, a single mistaken line among thousands by a single developer could throw elections and nobody would ever notice. Voting software must be re-tested and re-certified after every change.

That's just software. One of the nice things about paper ballots is they require locality to be attacked. You have to physically be at the same place as the pieces of paper. This alone makes it very difficult to implement significant fraud without involving many, many, many people, each of which is an opportunity to get caught.

Putting voting online invites the entire world to attack your voting system invisibly and anonymously.

To use an analogy: If someone wants to break into your house they can. Keyed locks can be picked pretty easily, or forced, or break a window, drive a car through the wall... yet we still use keyed locks and they work if law enforcement is functioning. All the ways I mentioned are physical. They all require a person to go to your individual house and put themselves in danger of being caught. They're limited to how many houses they can visit. Each visit increases their exposure.

Online security is different. Anyone can try to break in to any house, at any time, from anywhere, anonymously, as often as they like, with little risk to themselves. They could be in another legal jurisdiction. They can test millions of doors at the same time, repeatedly. They can be as noisy as they like. If a fault is found, all houses with that vulnerability are immediately at risk.

Paper ballots are like keyed locks. They work because they are physical objects. Their attack surface is limited. Attacking exposes the attacker. The attack can be seen with a glance: hey, there's someone at my front door. There's only so many an attacker can reach. Altering paper ballots leaves a literal "paper trail".

Online security and online voting cannot get away with what paper ballots and keyed locks can. They need to be far, far, far more secure. Their attack surface is the entire planet. The attacker is not exposed. The attacks can be invisible unless you know what you're looking for. Attackers can run millions of attacks in parallel 24/7. There is no paper trail, the attacker can destroy electronic logs.

And that's why we don't vote online.


Posted 2020-07-05T13:34:53.363

Reputation: 3 631
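
The two checks contrasted in the answer above and in the comments on the question, as an added example that is not part of any post on this page: a voter looking up their own row in the published database, versus a count-level audit that only asks whether each ballot ID is official and counted once. The ballot IDs, candidate names and function names are constructed for illustration, and the audit assumes a trustworthy list of issued ballot IDs exists.

```python
from collections import Counter

# Constructed sample data (not from the page): six issued ballot IDs and the
# choice each voter remembers making, i.e. the "receipt" a voter would hold.
RECEIPTS = {
    "B001": "Lucy", "B002": "Lucy", "B003": "Lucy",
    "B004": "Linus", "B005": "Linus", "B006": "Snoopy",
}
# Assumption: the election office holds a trustworthy list of issued IDs.
ISSUED_IDS = set(RECEIPTS)

HONEST = sorted(RECEIPTS.items())
# One row changed after the vote was cast.
ALTERED = [(b, "Linus" if b == "B003" else c) for b, c in HONEST]
# Two rows added under IDs that were never issued to anyone.
STUFFED = HONEST + [("X901", "Linus"), ("X902", "Linus")]
# One issued ballot counted twice.
DOUBLED = HONEST + [("B004", "Linus")]


def tally(rows):
    """Votes per candidate from published (ballot_id, choice) rows."""
    return Counter(choice for _, choice in rows)


def voter_self_check(rows, receipts, checkers):
    """IDs whose published choice differs from the voter's own receipt.

    Only voters listed in `checkers` bother to look their row up; nobody
    looks up an ID they were never given.
    """
    published = dict(rows)
    return sorted(b for b in checkers if published.get(b) != receipts[b])


def reconcile(rows, issued_ids):
    """Count-level audit: every published ID was issued and appears once.

    Uses no voter identity and no knowledge of how any ID voted.
    """
    seen = Counter(ballot_id for ballot_id, _ in rows)
    return {
        "unissued": sorted(b for b in seen if b not in issued_ids),
        "duplicates": sorted(b for b, n in seen.items() if n > 1),
    }


def report():
    """Run both checks on each constructed scenario."""
    everyone = set(RECEIPTS)
    out = {}
    for name, rows in [("honest", HONEST), ("altered", ALTERED),
                       ("stuffed", STUFFED), ("doubled", DOUBLED)]:
        out[name] = {
            "tally": dict(tally(rows)),
            "flagged_if_all_check": voter_self_check(rows, RECEIPTS, everyone),
            "flagged_if_two_check": voter_self_check(
                rows, RECEIPTS, {"B001", "B002"}),
            "reconcile": reconcile(rows, ISSUED_IDS),
        }
    return out


if __name__ == "__main__":
    for scenario, result in report().items():
        print(scenario, result)
```

In the altered scenario the change is flagged only when the voter holding B003 looks; in the stuffed and doubled scenarios no voter lookup flags anything even though the totals change, while the ID reconciliation does.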

Comments are not for extended discussion; this conversation has been moved to chat.

– CDJB – 2020-12-13T08:36:09.640


Three different questions here, really:

  • Is an electronic system with some sort of personal password more or less secure than a paper absentee ballot?
    Depending on how it is implemented, it could be more or less secure. skeptics.stackexchange.com: Does United States have no technology to allow Internet voting in a secure way?

    • An electronic system could be organized so that different parts of the key are delivered by different means. This might be better than a traditional paper absentee ballot, which could be intercepted by a third party with access to the physical mailbox of the recipient. (Scenario: A neighbour knows that a potential voter will not vote and never checks the mailbox before lunch, and requests an absentee ballot in his or her name.)
    • An electronic system might be attacked by malware on the computer where the vote is entered. A paper-based system is less vulnerable to these automated mass attacks. (Scenario: Some clever exploit installs a background process. Once the voter tries to vote, a fake site is displayed and the input of the key is captured.)
    • A paper-based absentee ballot request has a field for the signature of the voter. In theory, this signature could be compared to any other signatures of the voter the parish has on file. (How much trust do you have in the actual comparison of handwritten signatures?)
  • If any part of the voting process is out of plain sight of election officials, how can they be sure there is no coercion?
    Just about anybody has a phone with a camera these days. How do you stop them from filming their own voting process, either in their home or even in a polling station? Voters could be coerced/bribed to show the video of the process. Nobody suggests to strip-search all voters. (Scenario: "If you don't want to be fired, take a video from the time you enter the polling booth to the time you leave.")

  • Is there a need for absentee voting reform?
    Attempts to prevent fraud through surveillance also make it harder for legitimate voters to cast their absentee ballot. From most credible news reports, disenfranchisement through bureaucratic hurdles is much more common than voter fraud.
    skeptics.stackexchange.com: Is voter fraud practically non-existent in the United States?

A last point regarding audits, that's a really good reason to keep paper ballots, ideally with ink marks rather than hanging chads. Election officials and later judges can look at the shape of the mark as often as they want without fear that chads will move. And counting might be organized so that members of the public are able to witness the whole count.

The obvious drawback is the manual effort, with risks of manual mistakes, and the need to store ballots securely for any recount.


Posted 2020-07-05T13:34:53.363

Reputation: 49 884


Comments are not for extended discussion; this conversation about the technicalities of electronic voting has been moved to chat.

– Philipp – 2020-07-07T08:41:47.337

2This is a good answer. My only complaint is I feel you didn't place sufficient stress on just how dangerous the idea of online voting can be. Voter fraud is rare now partially because it isn't practical, all that effort and risk of being arrested to earn one more vote that's highly unlikely to change who wins. Fully online voting means fraud can be parallelized, instead of changing one person's vote a piece of malware I write can change thousands of votes, and the election itself. People will be trying to commit fraud once it has a real chance of deciding the winner. – dsollen – 2020-12-08T00:08:23.297


No. In all of the relevant ways they are functional equivalents of each other.

It is no different than the difference between a system where ballots are delivered by prepaid postal service envelopes and a system where ballots are delivered by prepaid FedEx envelopes.


Posted 2020-07-05T13:34:53.363

Reputation: 34 346

I agree, except that I think the idea of an employer coercing an employee is not so much of an issue with the advent of cell phones and recording devices. Who would risk being caught coercing someone to show his ballot? Furthermore, why don't we worry about the boss coercing the password for our bank account? Because it's fraud and easily dealt with. Too easy to get caught. – David Wright – 2020-12-04T14:34:47.743

Perhaps I should resubmit the idea of monitoring one's ballot tally on the final database as a new question. Or has this idea already been covered somewhere? – David Wright – 2020-12-04T14:37:14.017

It's funny how I submitted this as a proactive comment, but it only got attention after the fact. There's always next election I guess. I discussed this with family and friends long ago and the eyes glazed over. Now I'm getting questions..."is this what you were talking about?" Well....yeah. – David Wright – 2020-12-04T14:39:30.373

I'm trying to contact Penn and Teller to ask if they think the average citizen can adequately act as a poll watcher given the conditions we see. I say there is no way to adequately monitor all that paper. No reply as yet... – David Wright – 2020-12-04T14:42:51.757

1 @DavidWright "I think the idea of an employer coercing an employee is not so much of an issue with the advent of cell phones and recording devices." Security cameras didn't stop crime. Cameras on police didn't stop police abuse. Recording devices and email records didn't stop corporate and partner abuse. They all adapted. – Schwern – 2020-12-08T22:00:05.660

@Schwern The case is actually quite strong that security cameras and cameras on police and recording devices and email records have significantly reduced crime, police abuse, corporate abuse and communicated partner abuse. They adapted by not doing it. These haven't reduced those things to zero, but that is a straw man argument. Crime is near record lows. – ohwilleke – 2020-12-09T03:59:07.480


Theoretically, a fully electronic voting system that is reasonably foolproof could be developed. After all, we have credit card payment systems that handle billions of transactions without major incidents of fraud. And, most federal income tax returns are processed electronically today without widespread fraud.

DoD and State Dept operate very secure systems... when someone too important to critique doesn't bypass those restrictions.

Since a person's vote is supposed to be anonymous, an employer trying to impose a political agenda upon its employees would have a hard time figuring out who voted for who. One would assume that any electronic voting system would keep the voter->vote association confidential, at least legally.

We have to keep in mind the context that the pandemic and lockdowns are somewhat unprecedented, at least in recent history. That they happened in a presidential election year amplified the consequences of problems.

This was an unusual situation. States had to handle a potentially huge volume of mail in votes, that current absentee ballot systems were ill equipped to handle. And they had to do it while wrestling with their own employees under a lockdown. Even under optimal circumstances, they would make mistakes, and these weren't optimal circumstances.

Point being: an electronic voting system can be developed that is reasonably secure. But, it can't be developed during a pandemic, with only a few months to make it foolproof.


Posted 2020-07-05T13:34:53.363

Reputation: 9 859

5 You missed a key difference between the credit card payment systems/DoD systems and an anonymous voting system: The fraud-resistant systems you point to rely on knowing who is doing what. An anonymous voting system specifically can't know who is doing what. --- I log into my bank account, and every payment, transfer, and so on can be traced back to me. If fraud is detected, every action "I" took can be tracked and reversed. But with an anonymous voting system, I may have my own login, but there's no way to link that to the action (vote) I took, so there's no way to audit or reverse fraud. – Bobson – 2020-12-07T19:13:07.673

Put another way: Either I can audit the previous actions my account took (whether or not I was using the account), or I can do things anonymously. I can't have it both ways. – Bobson – 2020-12-07T19:16:13.217


"we have credit card payment systems that handle billions of transactions without major incidents of fraud" Credit card fraud is rampant. Capital One had 106 million records stolen in 2019. The credit card industry accepts some fraud as the cost of doing business and is heavily insured. They can audit individuals for abnormal behavior. Elections cannot do that. "DoD and State Dept operate very secure systems." US elections are run by individual US counties.

– Schwern – 2020-12-08T01:28:25.307

1 "One would assume that any electronic voting system would keep the voter->vote association confidential, at least legally." Legally does not matter if the attacker is outside of US jurisdiction, or if they just don't care and put it on the Internet. To truly be secure, the voter/vote association *must not exist*. This is analogous to password security. Insecure systems store passwords. If breached, they're screwed. Secure ones store an irreversible checksum instead. They check the checksum of the input against the stored checksum. A data breach only gets the checksums. – Schwern – 2020-12-08T01:31:47.427

4 "We have to keep in mind the context that the pandemic and lockdowns are somewhat unprecedented, at least in recent history. That they happened in a presidential election year amplified the consequences of problems." There were no actual problems, just disinformation. The situation is not unprecedented, five states do all their voting by mail. 22 states had "no excuse" mail voting prior to 2020. – Schwern – 2020-12-08T01:38:25.850

1 @DavidWright Please do not employ straw men. Being able to check your vote is a fine idea, it's supposed to make it more secure. But we're saying the mechanism itself makes the system less secure and more vulnerable. This is a common theme in security, something that on the surface looks like a good idea turns out to be harmful. And many things we do online "securely" are very insecure compared to voting security, or cannot be secured in the same way. – Schwern – 2020-12-08T21:54:29.890

@Schwern I don't buy your arguments at all. The only thing I need to check my ballot is a user created unique set of characters which I can plug into a form box on the ballot. I can print that and look up my personal code on the final tally. No one but me knows that code unless I decide to protest. Anyone who detects the error can log an anonymous protest, and if there are enough to make a difference, then I can choose to testify. – David Wright – 2020-12-08T22:19:36.137

I am rural. I go to town to register. I have phone and internet. I go to town to vote. It could be just as easy as going to the bank, and very few voters do not go to the bank at least monthly. If not, they have online banking. This disenfranchisement argument is baloney. I need to know that my vote has been counted. Everyone should want to know that, especially after this election. Hopefully a lesson learned. – David Wright – 2020-12-08T22:24:40.073

2 @DavidWright 1) You're conflating online voting with being able to verify how you voted. Both are huge issues. I encourage you to take them one at a time. 2) We've discussed disenfranchisement wrt knowing that someone can figure out how you voted. The impact of online voting has not been discussed here. 3) You're looking at online voting as a user, it's like saying "cars are easy, I push the pedals and turn the wheel". *I encourage you to look at the answers to other questions about online voting in this forum and on the Information Security SE.* – Schwern – 2020-12-08T22:41:45.887


@DavidWright To add another anecdote about online security, I was just looking at the news today and spotted FireEye stock drops as cybersecurity company reveals it was hacked. I cannot emphasize this enough: online systems are vulnerable in ways voting systems cannot be.

– Schwern – 2020-12-08T22:43:44.810

If I can view my ballot on the full database, before and after the election, I don't see how that can possibly be hacked. Print it out and I can look at it on paper. If it does not match my vote, then something is amiss. Enough people find changes, and we have fraud. Share the entire database publicly, downloadable. I search for my ID and check to make sure it matches. – David Wright – 2020-12-09T23:36:36.627

2 @DavidWright If I can view my ballot on the full database, - how do you know that the database you're connected to or downloading is the same one that actual votes were entered into? How do you know that the data hasn't been tampered with? It'd be very straightforward for someone with the correct access (legitimate or otherwise) to do the equivalent of "Set every 100th vote to Mickey Mouse" or even "delete every 52nd vote for John Doe". How would you be able to detect that? You can examine your download and printout all you want, and it'd never show up. – Bobson – 2020-12-09T23:47:15.070

@Bobson I don't think you are getting it. If the database is stored on the secretary of state website, read only, I can look up my vote to make sure it matches what I entered. After the election, if you really want the extreme, you can view the printed result at the secretary of state and find your entry to verify. There are many ways to audit this. There would be enough people checking their vote that the hack could be traced. – David Wright – 2020-12-10T00:24:21.140

Detecting added (dead) votes is the most difficult part. The registrar must purge the rolls of all non-qualified voters regularly. People who moved, died, etc. One really big step would be to require voting, like filing income taxes. That would also ease the audit process. – David Wright – 2020-12-10T00:26:16.893

@DavidWright - What do you do if you look up your vote and find that it isn't there any more, because someone deleted it? Should they take your word for it and add the vote back in? Do you have to present proof that you did, actually vote? How can the SoS know that the proof you're presenting (such as a printout of your voting "receipt") wasn't just fabricated in photoshop? Or do you just lose out altogether? Detecting missing votes is a much harder problem than detecting additional votes that shouldn't exist. I do agree that mandatory voting would solve many of these problems, though. – Bobson – 2020-12-10T01:13:53.470

Really, this is the fundamental difference in people's stances on voting: Is it worse to lose 2,000 legal votes, or to permit 200 illegal votes? There's arguments to be made on both sides. – Bobson – 2020-12-10T01:21:23.403

@DavidWright I think you're missing a multitude of attack vectors, such as attacking the machine the user is voting on, man in the middle attacks, hacking into the database, the people maintaining the database logging into it and changing it, etc. But ignoring all that there is the fact that 95% of people would never check their vote after it was made, it's human nature, we're all lazy. So malicious individuals can still alter things by trusting the majority of people will never know their vote doesn't match. Likewise only the 5% that look would gain any benefit from this system. – dsollen – 2020-12-11T19:53:42.860

@Bobson I'm going to try to give a simple example of the process, because I think some of the responses are not fully considering the proposal, which initially was just a general question about security comparisons. As far as disenfranchisement, if someone really wants to vote, I don't see any real barriers. Furthermore, if my vote is not properly tallied, or if thousands of phony votes are tallied in inner cities, that is disenfranchising everyone, especially the poor. There was a time when a black vote only counted for 2/3 of a vote, and fraud may still be having the same effect. – David Wright – 2020-12-12T13:16:08.237

@Bobson As for rectifying missing votes, a very good question. Perhaps some sort of bar code could be printed as a receipt. I'm not sure of the best way, but this is why we get receipts, and I am fairly certain there is a way. If enough people find errors, there would surely need to be an investigation, and perhaps even a two week period for rectification. I honestly don't have all the answers, but I know we must tighten this up, and feel fairly certain that electronic is preferable to having hundreds of hands on paper ballots, with no real way to properly observe the process. Ask Penn Jillette – David Wright – 2020-12-12T13:22:57.330
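Bobson's question in the comments above (how a voter knows the downloaded database is the one the votes were entered into) can be made concrete. The following is an added example, not code from any participant in the thread: it commits to the tally with a Merkle root, a technique nobody in the thread proposed, and shows that looking up your own row passes on an altered copy while the root comparison and inclusion proof fail. The passcodes, rows and function names are constructed for illustration.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf(passcode: str, choice: str) -> bytes:
    # 0x00 marks a leaf, 0x01 an inner node; the length prefix separates the fields.
    p = passcode.encode()
    return h(b"\x00" + len(p).to_bytes(2, "big") + p + choice.encode())

def build_levels(rows):
    """All levels of the Merkle tree, leaves first; levels[-1][0] is the root."""
    level = [leaf(p, c) for p, c in rows]
    levels = [level]
    while len(level) > 1:
        nxt = [h(b"\x01" + level[i] + level[i + 1]) for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])          # unpaired node is promoted unchanged
        level = nxt
        levels.append(level)
    return levels

def inclusion_proof(levels, index):
    """Sibling hashes from leaf to root as (hash, sibling_is_left) pairs."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):
            proof.append((level[sib], sib < index))
        index //= 2
    return proof

def verify(passcode, choice, proof, root):
    node = leaf(passcode, choice)
    for sibling, is_left in proof:
        node = h(b"\x01" + (sibling + node if is_left else node + sibling))
    return node == root

# Constructed sample tally of (voter-chosen passcode, choice); not real data.
TALLY = [("blue-heron-42", "A"), ("k9!tractor", "B"), ("zebra_1971", "A"),
         ("mX7-quilt", "C"), ("oak&river", "B")]

def demo():
    root = build_levels(TALLY)[-1][0]      # digest published at close of voting
    # Copy served later, with someone else's row altered:
    served = TALLY[:3] + [("mX7-quilt", "A")] + TALLY[4:]
    s_levels = build_levels(served)
    lookup_ok = ("zebra_1971", "A") in served          # the row-lookup self-check
    proof_ok = verify("zebra_1971", "A", inclusion_proof(s_levels, 2), root)
    return lookup_ok, s_levels[-1][0] == root, proof_ok
```

`demo()` returns `(True, False, False)`: the voter's own row still looks right, but the served copy no longer matches the published root. A matching root only shows that everyone is looking at the same list; it does not settle the deleted-vote dispute or the coercion problem raised in the thread, since a voter who can prove their row can prove it to a coercer too.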