Re: [math-fun] 'in-band' signaling in voting systems
Henry Baker <hbaker1@pipeline.com> wrote:
I.e., in order to properly test the voting network, it may be necessary to inject a *known* number of 'false' votes into the network, and subsequently subtract these false votes from the totals.
How would that help confirm that the votes are getting through, unless the total number of votes for candidate X were less than the number of test votes for candidate X? Perhaps test votes should be for a non-existent candidate. Hypothetical hacked software can't accept those votes while rejecting votes for a real candidate, unless the name of one or both candidates appears somewhere in the code, which it shouldn't. Of course an encrypted version of one or both names could be hidden in the code.

A better approach is to use the live votes as tracers. Every voter is encouraged to make a note of their ballot serial number. The whole database of who everyone voted for is made publicly available online, except for the link between the voter's name and the ballot serial number. Each voter could look up his own ballot and see that it's correct.

There are two downsides to that. One downside is shared with absentee voting -- the voter could have been coerced or rewarded to vote in a specific way. The advantage of in-person voting is that that's not possible, at least not unless the coercer or rewarder hooks the voter up to a reliable lie detector. The other downside is that the voter could falsely claim that his vote was missing or wrong. Also, this doesn't address the opposite problem, ballot-box stuffing.
Clearly, there are great dangers in a poorly implemented voting system with 'in-band' signaling. However, there are also great dangers in *not testing* a voting system for link failures and active hacking attacks.
Re hacking, who says voting has to rely on computers? See https://xkcd.com/2030/ Of course non-computerized voting systems are also subject to hacking. But it's harder to automate, and harder to hide, just as before computers spies could steal secret information, but couldn't steal millions of pages of it at once.
Has anyone else considered these kinds of problems?
Of course. For instance it's a perennial topic on the Risks Digest, which has been running for 35 years, making it perhaps the oldest still extant email list.

Note that even if there's an easy and foolproof solution, that doesn't mean that it will be implemented if those in charge prefer the flaws in the current system. For instance they've been simultaneously making government-issued ID harder to get, and required for voting. Here in Virginia, the ID requirement was recently abolished, but the online portal for requesting an absentee ballot won't let you submit the request unless you provide the serial number on your current ID.

Analogously, there's an obvious solution to the many forensic lab scandals: Double-blind testing. Never tell the techs what samples the prosecutors want to match what other samples. But since prosecutors run the system, that will never happen. Some labs are actually paid per conviction, which is an enormous conflict of interest. And some are overworked to the point where it's physically impossible to actually run all the tests.
One of the most obvious things to do to make elections more secure, that as far as I know is done in 0 states, is random audits. Choose precincts at random, and check the paper ballots against the computerized results against the people checked off on the voter rolls. If there is more than a certain size discrepancy, audit more precincts at random, and continue progressively, eventually reaching a statewide recount if enough discrepancies are found.

Of course, in states like Pennsylvania, no such audit or recount is possible. There we're just relying on the numbers spit out by a program some guy wrote, and he won't let us see the program, since it's a trade secret. And he gets paid a lot of money by the government to write the program, and makes large political donations to make sure the voting system continues to include paying him a lot of money. No conflict of interest there.

Even in places that allow recounts, they are pretty broken. Recounts are generally triggered by a sufficiently close election. This may detect retail vote tampering, which is done one vote at a time and therefore can only affect a small number of votes. But wholesale vote tampering, by modifying the software, just has to tell a big enough lie that it claims not to be close enough to trigger a recount.

And recount procedures can be pretty broken, too. Michigan was close enough in 2016 to trigger a recount. But the recount procedures specify that if the number of paper ballots in a precinct is less than the number of votes reported by the software, no recount can proceed there, because it's assumed that some ballots were lost. So any vote hacking that stuffs the ballot box, rather than suppressing votes, can never be detected by recount in Michigan.

Andy

On Sun, Aug 16, 2020 at 1:51 PM Keith F. Lynch <kfl@keithlynch.net> wrote:
Henry Baker <hbaker1@pipeline.com> wrote:
I.e., in order to properly test the voting network, it may be necessary to inject a *known* number of 'false' votes into the network, and subsequently subtract these false votes from the totals.
How would that help confirm that the votes are getting through, unless the total number of votes for candidate X were less than the number of test votes for candidate X? Perhaps test votes should be for a non-existent candidate. Hypothetical hacked software can't accept those votes while rejecting votes for a real candidate, unless the name of one or both candidates appears somewhere in the code, which it shouldn't. Of course an encrypted version of one or both names could be hidden in the code.
A better approach is to use the live votes as tracers. Every voter is encouraged to make a note of their ballot serial number. The whole database of who everyone voted for is made publicly available online, except for the link between the voter's name and the ballot serial number. Each voter could look up his own ballot and see that it's correct.
There are two downsides to that. One downside is shared with absentee voting -- the voter could have been coerced or rewarded to vote in a specific way. The advantage of in-person voting is that that's not possible, at least not unless the coercer or rewarder hooks the voter up to a reliable lie detector. The other downside is that the voter could falsely claim that his vote was missing or wrong. Also, this doesn't address the opposite problem, ballot-box stuffing.
Clearly, there are great dangers in a poorly implemented voting system with 'in-band' signaling. However, there are also great dangers in *not testing* a voting system for link failures and active hacking attacks.
Re hacking, who says voting has to rely on computers? See https://xkcd.com/2030/
Of course non-computerized voting systems are also subject to hacking. But it's harder to automate, and harder to hide, just as before computers spies could steal secret information, but couldn't steal millions of pages of it at once.
Has anyone else considered these kinds of problems?
Of course. For instance it's a perennial topic on the Risks Digest, which has been running for 35 years, making it perhaps the oldest still extant email list.
Note that even if there's an easy and foolproof solution, that doesn't mean that it will be implemented if those in charge prefer the flaws in the current system. For instance they've been simultaneously making government-issued ID harder to get, and required for voting. Here in Virginia, the ID requirement was recently abolished, but the online portal for requesting an absentee ballot won't let you submit the request unless you provide the serial number on your current ID.
Analogously, there's an obvious solution to the many forensic lab scandals: Double-blind testing. Never tell the techs what samples the prosecutors want to match what other samples. But since prosecutors run the system, that will never happen. Some labs are actually paid per conviction, which is an enormous conflict of interest. And some are overworked to the point where it's physically impossible to actually run all the tests.
_______________________________________________
math-fun mailing list
math-fun@mailman.xmission.com
https://mailman.xmission.com/cgi-bin/mailman/listinfo/math-fun
-- Andy.Latto@pobox.com
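As an added illustration (a constructed toy model written for this page, not code from anyone in the thread), the following compares the escalating random audit Andy describes with a margin-triggered recount and the Michigan-style "fewer paper ballots than reported" rule. It assumes two candidates X and Y, 500 voters per precinct, and a software lie of a fixed number of extra X votes in every precinct; the precinct dicts, thresholds and function names are all assumptions.

```python
import random

def discrepancy(p):
    """Votes on which paper ballots, software totals and the voter roll disagree."""
    software_vs_paper = sum(abs(p['reported'][c] - p['paper'][c]) for c in p['paper'])
    roll_vs_paper = abs(sum(p['paper'].values()) - p['roll'])
    return software_vs_paper + roll_vs_paper

def escalating_audit(precincts, seed, initial=5, step=5, tolerance=2):
    """Hand-audit `initial` random precincts; while the latest batch shows a discrepancy
    above `tolerance`, pull `step` more, up to a full recount. Returns (audited, flagged)."""
    order = list(range(len(precincts)))
    random.Random(seed).shuffle(order)
    audited = flagged = 0
    batch = initial
    while audited < len(precincts):
        chunk = order[audited:audited + batch]
        new_flags = sum(discrepancy(precincts[i]) > tolerance for i in chunk)
        audited += len(chunk)
        flagged += new_flags
        if new_flags == 0:
            break
        batch = step
    return audited, flagged

def close_enough_for_recount(precincts, margin=0.005):
    """Margin-triggered recount rule: only the software's *reported* totals are consulted."""
    totals = {}
    for p in precincts:
        for c, n in p['reported'].items():
            totals[c] = totals.get(c, 0) + n
    first, second = sorted(totals.values(), reverse=True)[:2]
    return (first - second) / sum(totals.values()) < margin

def recountable(p):
    """Michigan-style rule: a precinct with fewer paper ballots than the software
    reported is excluded from the recount, since ballots are assumed lost."""
    return sum(p['paper'].values()) >= sum(p['reported'].values())

def make_state(n=100, stuffed_per_precinct=0, seed=0):
    """Constructed state (assumed: candidates X and Y, 500 voters per precinct) with a
    near-tie on paper; `stuffed_per_precinct` extra X votes exist only in software totals."""
    rng = random.Random(seed)
    state = []
    for _ in range(n):
        x = 250 + rng.randint(-3, 3)
        paper = {'X': x, 'Y': 500 - x}
        reported = {'X': x + stuffed_per_precinct, 'Y': 500 - x}
        state.append({'paper': paper, 'reported': reported, 'roll': 500})
    return state
```

On the honest state the audit stops after the first batch and the margin rule does trigger a recount; on the stuffed state the audit escalates to every precinct, while the margin rule sees a comfortable lead and the Michigan-style rule excludes every precinct from recount.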
On 8/16/2020 11:34 AM, Andy Latto wrote:
There are two downsides to that. One downside is shared with absentee voting -- the voter could have been coerced or rewarded to vote in a specific way. The advantage of in-person voting is that that's not possible, at least not unless the coercer or rewarder hooks the voter up to a reliable lie detector.
Or asks for a cell phone video of the ballot being marked. But this kind of voter fraud can never be enough to swing any election bigger than dog catcher. Brent
The other downside is that the voter could falsely claim that his vote was missing or wrong. Also, this doesn't address the opposite problem, ballot-box stuffing.