Why Electronic Voting is a BAD Idea - Computerphile

Voting is centuries old, why can't we move with the times and use our phones, tablets and computers? Tom Scott lays out why e-voting is such a bad idea.
This video was filmed and edited by Sean Riley.
E-voting is a terrible idea

After Hurricane Sandy in 2012, election officials in some parts of America decided that they'd allow emergency e-voting from home. You'd download a ballot paper, you'd fill it out, and then you would email or fax it back to them. And yes, some people still fax. This was a terrible idea, and here's why.

Physical voting is centuries old. In that time, pretty much every conceivable method of fraud has been tried, and has since been defended against. Because of that, attacks on physical voting don't scale well. It takes so much effort, so many people and it only takes one person to leak your conspiracy and the whole thing falls apart.

Electronic voting, though? You can attack with one person. It can take about the same effort to change one vote as it does to change a million. And it can be done without even setting foot in the country whose elections you're trying to rig.

There are two key parts of an election. Anonymity, and trust. First of all, anonymity. You cannot let anyone pay, bribe, or threaten in order to change someone's vote. If you put any identifying mark on your paper ballot, if you sign it, if you write your name on it, if you do anything that could, in theory, be used to check how you voted, your vote is thrown out and ignored, just so no-one can be forced or bribed to vote a certain way.

And yet, because you marked your vote, and you put it into a sealed box, and that box was only unsealed when it was surrounded by everyone with a stake in the election, you know that your vote has still been counted, even though you'll never see it again.

That's the other key: trust. You never, ever, ever, trust any one individual. Ideally, you don't trust any two, or three. People can be bribed, can be threatened, can be incompetent. I mean, hell, people have been all three of those things. But like I said: the more physical votes you want to change, the more people it takes and the less possible your attack gets. Everyone can see what's happening and keep an eye on each other, particularly if they don't trust the other side.

So let's talk about voting machines.

Problem 1: Auditing the software and hardware

In theory, you could have open source software that everyone has checked and everyone is happy with and that's been used for years. In theory. Never mind that you only actually do a full-scale test of this software every few years when there's actually an election, let's say theoretically it can be done.

But how do you make sure that software is what's actually loaded on that voting machine in front of you on the day of the election?

And I know that immediately, someone is going to want to comment about checksums or crypto. Which is great, except now you have to trust the software that's checking that hash. Or more likely, the one person that's checking it for you. You've just moved the problem.

And if you're thinking "I could verify that", then turn your brain the other way, and think "how could I break that?" because there are trillions of dollars -- that's not an exaggeration -- riding on the result of big elections, and that's an incredible motivation. If you're coming up with sneaky ways to get around it... believe me, so are lots of other people.

It might be one angry techie, but it might be an entire political party, or the huge corporations who want one party to win, or entire nation states who want one party to win.

And all that is assuming you're even allowed to verify the software that's running, which you never are, because plugging unknown USB sticks into a voting machine is a bad idea. Not that that stops people plugging unknown USB sticks into a voting machine. It has literally happened. Let's remember, these machines have to be left in a room with the voter and no-one else in order for them to cast their vote anonymously. Oh, by the way, the machines are frequently programmed by sticking a USB into each of them in turn, so if you compromise the first one, jackpot.

In practice, you don't have open source software, you have proprietary, unaudited software which you just have to trust. This is real, by the way, around the world, there are some elections that run on this. And remember what I said? This is an election. You don't trust.

And maybe you're thinking, you could have an audit trail, you could have a paper backup that the machine prints out as you vote. In which case, congratulations, you've just invented the world's most expensive pencil. One of the reasons Britain gives people pencils for voting, by the way, is because we're worried that pens might be switched by any voter to contain disappearing ink. Erasing pencil ballots? Takes time, and if you can do that, you can just throw them away. Disappearing ink? It might be an urban legend, but it might actually be a plausible attack vector. This is the level of paranoia we need to work at here.

And don't think you can get away with all this by using a pile of paper ballots and just counting them electronically, either: an electronic counting machine is still a black box that a pile of ballots goes into and a mysterious number comes out of. They've got exactly the same problems.

Problem 2: Votes In Transit

There are three ways of moving the magic electronic ballot numbers from the voting machines to the final count.

You could treat the machine like a regular ballot box, you seal it in a plastic bag, move the physical machine with two people in the vehicle to the count, and then unseal it there. No-one does this.

You could copy the result onto a handy USB stick and move that instead. Do I need to run through how easily... no. Okay.

Or, and this is what usually happens, you could tell the voting machine to upload the results over the internet, optionally through a third central server, and potentially not over a secure connection, and probably without any checksums or tests.

Problem 3: Central Count Program

And right at the end, there's the program that takes all these numbers, all these votes, and produces a final count. Now you've got all the same problems you have with the individual voting machines, except now only a few people can even see that machine, and it's been hidden away in a private warehouse somewhere for the last few years. Good luck verifying that.

And all this -- all this -- is before we even talk about online voting.

I could talk about all the ways which you could hijack ballots, block an email address -- because after Hurricane Sandy, the ballots were sent by email -- or any of the ways you could do a man-in-the-middle attack on that. All possible.

And those are just if it's a well designed system.

There are reports of actual live elections where there were cross-site scripting attacks in the e-voting page, where they'd misspelled one party's name, and where they'd put the wrong party's logo next to a candidate. Sorry, did I say elections? I meant election. That was all the same election, it was in Hampshire in 2007.

But never mind all that.

Depending on which security company you believe, somewhere around 5% and 50% of desktop computers are infected with something. And that's just the scammers trying to set up botnets and minor extortions using private computers. If you want to affect a load of votes, try infecting the computers at the public library. But never mind all that.

We've seen what big scary countries and big scary corporations can do when they put their mind to it. Given that someone designed an immensely complicated worm that spread around the world just to break some Iranian centrifuges, imagine what someone could do if they wanted to throw an online election.

Remember, again, when you hear "just trust us", or "just trust me", or "it's a computer, it doesn't go wrong" in an election, something has already gone disastrously wrong.

Imagine all this electronic voting, only without computers. Would you be happy walking up to someone anonymous in a ballot box, or worse, calling a number on your phone, just telling them your vote -- but they promise to keep it secret -- and at the end of the election all those people, who have been sitting on their own, phone up one other person in private and tell their results, and then that final person -- who promises to count it all up accurately -- announces who's won? Because that's essentially what electronic voting is.

It is a terrible idea, and if a government ever promises to use it, hope they don't manage it before you get a chance to vote them out.


Joris • 14 hours ago
For people who are making a comparison to electronic banking, please note there is one crucial difference: banking transactions can be individually verified _after_ they are processed. I can fetch my bank statement and verify that all transactions are correct. Of course, the bank could display a wrong statement. But in the end, you can always trace an error and correct/shut down the system. You *cannot* do this with an electronically cast vote because they are anonymous. So you might not know when your results are manipulated.
Jakob van Klinken • 1 day ago
I'm drunk in a bar somewhere and this is what I get when I ask Tom Scott what he thinks of electronic voting
Drowning Narcissist • 2 days ago
Not only would voter turnout increase, but elected officials might be unnecessary. If your fears have a basis, why do we have polls online?
Bam Boo • 20 hours ago
+Drowning Narcissist Alright, but you're talking about a different political system right now (a more direct democracy), which could be implemented by traditional voting methods as well, I suppose. But never mind, it's just an exchange of opinions
Drowning Narcissist • 22 hours ago
+Bam Boo you don't get it. If we can vote online, then individual bills can be voted by the people instead of picking a president who might not share all of your ideals. At the very least the leg/exec branches can cast polls for each individual bill instead of leaving that to the news broadcasters, whose viewership is biased. Honestly I don't care, just an idea that crossed my mind.
Bam Boo • 22 hours ago
+Drowning Narcissist I get that. But what I'm saying is that convenience simply isn't worth it.
Drowning Narcissist • 22 hours ago
+Bam Boo it's infinitely more convenient. No lines
Ted • 3 days ago
You appear to believe that there is only one electronic voting paradigm. Why can't voters verify tallies? Why can't miscounted votes be individually disputable?
Filipe Mendes Webber • 3 days ago
If we followed this logic, we would not have an international banking system.
Zomg think of all the money at stake, what about putting your money on a machine and trusting it will send it to your account? How would you transfer all this money from one place to another?
You don't know which software it is running. You don’t know who wrote it.
This is just short sighted, I'm sorry. There might be ways of hacking an election, but that doesn’t mean that we can't come up with a secure way of doing it.
Joris • 14 hours ago
Please note there is one crucial difference with electronic voting: banking transactions can be individually verified after they are processed. I can fetch my bank statement and verify that all transactions are correct. Of course, the bank could display a wrong statement. But in the end, you can always trace an error. You cannot do this with an electronically cast vote because they are anonymous.
Matthew Turner • 3 days ago
1:07 Zaphod Beeblebrox
Christopher Krah • 5 days ago
Could Blockchain help?
Seagull Australis • 13 hours ago
_"Bitcoin uses Blockchain and is generally considered anonymous. Correct?"_ No, that's incorrect. Bitcoin is not anonymous. Bitcoin does provide a level of pseudonymity, but not anonymity. Each and every bitcoin transaction is tied to identifiable keys. Physical currency is anonymous, especially in comparison to a transaction made using bitcoin. With physical currency, the banknotes don't keep a record of those who have handled it beforehand, where with bitcoin, each transfer has its entire history traceable all the way up to the point it was first mined.
Also, you are forgetting the fact that a voting system would need a method of ensuring that all people who register to vote are able to have a key which is recognised in the voting process, and have it so one which is not a registered voter cannot generate a key which can be used to submit a vote. Such processes would likely tie people's personally identifiable information with the key which they use to vote.
Christopher Krah • 14 hours ago
+Seagull Australis I don't think Blockchain necessarily entails non-anonymity - "anonymity" referring to the absence of PII here (=Personally Identifiable Information).
Bitcoin uses Blockchain and is generally considered anonymous. Correct?
Seagull Australis • 1 day ago
Because if you cryptographically sign your vote with a key, it's not anonymous.
Christopher Krah • 1 day ago
+Seagull Australis Why not?
Damien Tonkin • 6 days ago
I wonder how much of this Tom knows from understanding computers and how much he learned from the time he ran for parliament on a dare?
Juan Casas • 9 days ago
Argentina here we go
Luke Brooker • 12 days ago
I always feel like this guy was busy doing something else, and he was pulled away from the task to make a video
frvo • 12 days ago
I wonder why we rely on ATMs and computers for our money then... Isn't that supposed to be even more important than a vote? I genuinely don't understand. Or heck, the stock trade market still uses paper? I only see them with computers in there... Hmmm... Why is this so different and insecure? Don't the paper cast votes end up being counted up by a computer with a spreadsheet or other method? The rockets we launch to the moon or space, don't we trust these machines to do the tasks we usually used to do with abacus back in the day? I sense some paranoia here...
rrafw • 15 days ago
no matter the medium if anonymous vote is required it is rigged
Dragonbreak • 16 days ago
I'm interested what would happen if someone used a USB killer on such a machine...
DiabloMinero • 19 days ago
The "World's Most Expensive Pencil" would be great to make voting accessible to people who can't handwrite, for whatever reason. Citizens with dysgraphia are still citizens and still deserve to have their votes counted, even if they would have difficulty writing their votes on a paper ballot.
Seagull Australis • 7 days ago
Yes. And it would also be absolutely unnecessary to those who are perfectly able to handwrite. Such equipment should be available to those who need them, but should not be the standard.
Gigi Gi • 19 days ago
Electronic voting is like slot machines: they are programmed to pay out money every so many coins inserted.
So electronic votes can be programmed so that every so many votes for the person to be eliminated, as designated by the programmer, are turned into a vote for the President you did not want.
Dynamo 02 • 20 days ago
Yet I can bank online and banks still operate, surely if hacking a system like polling was as easy as you're saying no bank would have ever risked online banking as surely it's still safer to go into a bank and deal with a teller over the counter in person?
Dynamo 02 • 6 days ago
Yes of course, there's no point in knowing if a vote was cast by a Russian troll farm is there?....
Seagull Australis • 7 days ago
You don't do your banking anonymously. That's the difference. Voting needs to be anonymous.
omamuzo odeh • 24 days ago
We just finished voting in my country and there was a lot of fraud in the process, especially during collation. Paper ballot has not worked well.
Murat Çeşmecioğlu • 26 days ago
0:33 - You said for physical voting "It takes so much effort, so many people and it only takes one person to leak your conspiracy and the whole thing falls apart"
It is wrong ;)
Aditya angara • 28 days ago
This is where blockchain could actually help tho.
Seagull Australis • 7 days ago
Having each vote identifiable would compromise the entire election. Did you even watch the video?
Aditya angara • 7 days ago
+Seagull Australis an immutable database would be useful to e-voting wouldn't it? Once a vote is cast and sent onto a block it couldn't be edited if you tried along with an identifier for the person. (Safe within the timespan of the whole process)
Seagull Australis • 7 days ago
No. It actually couldn't. Do you not know what a blockchain is?
Maverick Hargrave • 1 month ago
What if it worked like this: the elector takes a card and punches a hole with a small standardized paper punch in the right place, to mark his candidate. Then, when it's time to count the votes, the people responsible for that job use a laser assistant to count the votes faster. If you use holes instead of pen or paper, it's harder to erase or use ink that disappears.
