Online voting – the only choice for idiots

Written By: - Date published: 3:45 pm, October 9th, 2016 - 139 comments
Categories: electoral commission, electoral systems, Politics, vote smart - Tags: , ,

As a professional computer programmer and someone who has been involved in politics for decades, I’m always amazed at fools like this idiot Malcolm Alexander talking about something that they clearly don’t understand the technicalities of.

Local Government New Zealand chief executive Malcolm Alexander said it was time to bring in online voting.

Voter turnout at local body elections had plummeted 15 per cent since 1989, when postal voting replaced voting day, Alexander said.

“We’ve got to ask ourselves, is postal voting fit for purpose? There’s no silver bullet, but we are going to look at online voting quite hard … it’s the way of the future, particularly in engaging youth.

“Postal voting doesn’t ring their bell. It’s like asking a Ferrari driver to ride a horse.”

Security had to be dealt with, but others, such as banks, had managed it, Alexander said.

Yeah right. It is pretty clear in this and the rest of this bozo’s waffle, that he really doesn’t understand the fundamental issue. That of responsibility and liability.

The banks primarily deal with it not accepting any major liability. Go and read the fine print. They run a policy of acceptable risk and following some pretty low security standards to legally prove their due diligence. Most of the liability for breaches at the front face of their systems fall to the customers.

Think about that. This is an insurance model. It means that they accept that there may be serious breaches of security but the risk level to the banks is acceptable. Most of those breaches will be because people give others their pin numbers or credit card details or login details. But the banks aren’t liable for those types of security breaches. Sure they have back-end breaches as well, but they are few and far between. But they also have years to amortise the cost of improving their security systems to deal with each case.

For the banks, the risk of a small fraction of breaches over a year or two, that the bank winds up paying for, are way cheaper than spending a lot of money to reduce the probability of breaches. This is why the way of expressing security levels in standards is mostly expressed as being the cost of assembling the team and skillsets to crack through the security.

Now translate that same security model to online voting. Few of these things apply. Voting is something that happens continuously like banking, instead it has punctuated periods of activity. It doesn’t have large budgets – something like $50 million in an election year.  And above all, most elections are decided by relatively small numbers of people when political parties are involved.

In some shape or form in a online system, the access details have to be sent to about 3 million people, and then they have to login to a system to vote. It makes it pretty easy collect or even to deduce those details, just as it is in any postal ballot. My apartment block has had a score of local postal voting letters on the foyer board for previous tenants over the last couple of months. A post out of the logins for an online system would require the same.

But there is a bit of a level of inherent security in the postal vote system. While I’d bet that some people voted for others, it is hard to get or forge paper well enough to tip results. And given a complaint by a frustrated voter, it wouldn’t be hard to track where and probably who has been diddling the postal votes.

However given enough details of logins, I’m pretty sure that it wouldn’t be hard to figure out an algorithm that would give a reasonable chance for getting logins. That is because the Electoral Commission would have to balance off the complexity of the login against the probability that people will fail to enter a 25 character pass code. And it really isn’t hard to make lots of untraceable access to the net. I can see at least 90 wifi routers with my 0.5 cm aerial from my workstation just waiting to cracked into, and more than 30 of them even reveal their SSID in public. This is kiddie level hacking.

But hey, you don’t have to bother doing even that level of work. Because typically elections are won or lost on the basis of just a few thousands of people. So just accessing the firmware of the multiplicity of switches or just getting access into the lines would do. Just find areas that vote the ‘wrong’ way and disable their net. This can be done with finesse like disabling access to particular pages on the net or without finesse with some bolt-cutters to take out lines and cell points.

Then of course there are people like me. In the last 26 years I’ve been professionally working as a computer programmer on everything from programming firmware through to building netapps and working on payment systems. I do a lot of network systems for everything from firmware based radio networks to running application across dispersed cloud systems. I’m pretty sure that if I found the inclination to ‘test’ an online voting system, I could shift the results. I’m also pretty sure that I wouldn’t be caught at it. Besides, there is nothing to really stop me offering public information about weak points for anyone to read.

These days there are a lot of us out there with skills, and contrary to popular opinion, software engineers do tend to have quite differing political opinions. But I suspect that one thing that most of those of us around the net space would probably agree on is that online voting would be fantastically dangerous. It is just so damn easy to make it fall over, and that is before you start to look at ways to do it maliciously.

But anyway, voting rates for postal voting and online voting for young voters is still going to be crap. Look at the young recently graduated engineers that I work with.

They largely didn’t seem to vote in this postal election despite wanting to do so. I got tired of hearing about how they were going to vote for Chloe Swarbrick. But when I queried them on Friday after postal voting closed, most of them still had the voting papers in the car on Friday, or hadn’t picked the papers up from a flat they lived in two years ago, or hadn’t gotten to the family address in time. They same things I have been hearing from similar young voters for the last 25 years. Changing to online voting isn’t going to change that, they’d still have to get those logins from the post

Remember these are the engaged young voters. They actually knew at least one person who they’d vote for. Doing it online is unlikely to change those litanies of personal negligence 😈

Personally I think that the real solution of falling turnout in elections is pretty obvious and quite simple. Look at the 74+% turnout in general elections when the actual number enrolled is far higher than in  local elections. Or the higher turnouts in any walk-in election before postal voting was brought in. It is also pretty safe security wise. There are simply too many people involved to do a seriously widespread attempt to distort the results. Moreover, it is a lot easier to identify people and to charge them legally. Anyone who is involved in computers at any depth knows exactly how hard a skilled cracker is to trace.

So do something simple. Revert to only having walk-in vote that minimises the risk levels because a lot of people can see what is going on. Combine it with the general election to reduce costs. Make it the one day you go and walk in and vote, and I’d expect that voters will do so.

I suspect even some of the young engineers that I work with would get around to voting then. Especially if they can special vote on election day.

It’d be a damn sight cheaper than any online system – even before I and my ilk turn our attention to improving the online security by testing it to destruction.

139 comments on “Online voting – the only choice for idiots”

  1. jcuknz 1

    The answer is obvious to me “revert to in-person voting at a booth AND MAKE IT COMPULSORY” with hefty fines for ignoring ones duty as a citizen.

    • mosa 1.1

      Booth and Compulsory Voting +1

      • Colonial Viper 1.1.1

        How compulsory voting going for Labour in Australia?

        • RedLogix 1.1.1.1

          Reasonably well. They like to moan about compulsory voting a bit, but there isn’t much call for it to be abolished either.

          And because the Australian system has at least three or four layers, regional, state and two federal houses, it’s much harder for any single ideology to gain dominance, so they tend to chart a slow pragmatic meander down the political middle with fewer lurches than us. Overall I’d say the Australian Constitution has served them better than ours.

          Politics in Australia is definitely a more bare-knuckle affair than it is in NZ, but it also has a more honest quality. You KNOW whose interests are being served, and people are generally more invested, more identified with the process.

          As for the ALP, the answer to your question is .. Kevin Rudd.

        • lprent 1.1.1.2

          Pretty effective… Look at their WORST result in nearly 100 years earlier this year. It makes the 74.x% in our 2011 election look pretty damn pathetic.

          A long winter federal election campaign in Australia that clashed with school holidays has resulted in the biggest voter no-show in the country since compulsory voting began in 1925.

          More than 1.4 million Australians last month failed to cast a vote for the House of Representatives in what ultimately became a cliff-hanger election. The figure represents more than 9 per cent of 15.7 million eligible voters.

          The turnout is the worst since 1922, when voting was optional and just 59 per cent of eligible people cast a lower house vote.

          In the Senate contest last month, 8.1 per cent of people failed to vote – a slightly better result than that for the lower house.

          Even their enrollment looks a whole lot better.

          The AEC on Monday announced it had returned the writs for the 2016 election.

          The rare winter federal poll, the culmination of a record-long eight-week campaign, coincided with school holidays in almost every state.

          An AEC spokesman said it made a concerted effort before the 2016 election to boost enrolment figures, including directly enrolling people based on information from other government agencies such as Centrelink.

          It meant 95 per cent of Australians aged 18 and over were on the electoral roll, up from 92 per cent in 2013.

          ABC election analyst Antony Green said this increase may have contributed to the lower voter turnout, because “you end up enrolling people who tried to avoid voting for years”.

          Overall I’d say that a compulsion to vote seems to work.

          • Colonial Viper 1.1.1.2.1

            I could go for compulsory voting if there was a “None of the above” option on every ballot.

            • Matthew Whitehead 1.1.1.2.1.1

              Keep in mind also in Australia not only are they compelled to vote, but they also until very recently had to rank every single candidate (they use an at-large STV system for one of their two houses) to cast a valid vote as well, so it was exceedingly complex to vote as you had to know which were the terrible-but-obscure candidates so you could rank them down the bottom of your list. (You now still have to rank them all to cast a valid vote, but you can do a shortcut by electing to follow a preference list the parties provide for you so you don’t have to think about the ranking yourself if you don’t want to)

              We could do a lot better with a compulsory voting system with our comparatively simply MMP vote. I think in a compulsory vote system, it’s fair to make a formalised way to no-vote on the ballot paper to remind people they have the option of making a protest vote if none of the options appeal, but I would also worry that some people would accidentally spoil their ballot without realising that way, too.

              I do wonder as well if it might not also be rather effective to make both non-enrollment and not voting carry a fine, but then concentrate any enforcement mainly on non-enrollment. Once people are enrolled they’re already somewhat invested, they get sent reminders and so on, and there’s also the stigma that some people don’t want to break the law, which may be pretty effective in increasing turnout even if we don’t really end up fining anyone for not voting.

    • Siobhan 1.2

      Here in Hastings I had 3 options for Mayor….one who had overseen the poisoning of his voters via the water supply, and the other two, who had no really strong opinion on the water, other than ‘things could be done better’.

      So I didn’t vote for Mayor.

      I suspect that many areas had similar ‘options’

      If we have compulsory voting it would have to have a ‘vote of no confidence’ box. Infact, even under the current system that should be an option.

      Local body elections, especially in the provinces are just too dismal in terms of candidates.

      • AB 1.2.1

        “If we have compulsory voting it would have to have a ‘vote of no confidence’ box”.
        Yes – and if that option turns out to be the most popular choice then it should have real teeth.
        Compulsory voting, walk-in only, and a mid-week half-day public holiday from 1:00PM. Some street events, pubs offering happy hour prices etc.

  2. weka 2

    Any reason to not have postal and in person voting? Is that a cost thing?

    I heard a couple of people say they found it hard to find a posting box for this election. At first I thought that was a rural issue, but most rural properties have RD that will pick up mail from the gate. So I’m guessing suburbs where NZ Post has removed the local boxes.

    It seems that because it’s local govt, it’s a bit haphazard about where to drop off voting forms, but I can’t see any reason why every locality can’t be mandated to have drop boxes in know places and for that to be well advertised. May as well make it a polling booth then too.

    I also wondered about the cut off for posting. Twitter people were saying it was Weds. I doubt that would have worked in many provincial places if you used a suburban street box after mid morning (often are cleared then, so if you post a lunchtime your mail won’t get cleared until the follow day). Was the cut off date designated by a postal stamp or by when it actually arrived? How many invalid votes are there that don’t get in on time? Do they even count those?

    Mostly though, if we want to know why people don’t vote we need independent research that goes and asks them. I’m guessing there are a range of reasons.

    • Lanthanide 2.1

      Given that papers had to be in-hand by 12pm Saturday, and that most voting papers would be travelling within the same city or district, I think that really the posting cut-off was Thursday, eg anything posted Thursday morning and collected on Thursday would make it in. So they simply said Wednesday as the last day, so people could drop their papers off at 11pm on Wednesday and say “it’s Wednesday” and have their vote counted.

    • lprent 2.2

      We have had postal + walk-in (to libraries etc) since 1983. It doesn’t work.

      The key difference between the local body system and the general election is that there is just one day to vote in, and people plan to vote then (or they actively do pre-voting).

      The 3 weeks or so for postal voting seems to just mean that people don’t do it in time. I know I have missed it a few times over the decades.

      • jcuknz 2.2.1

        My ‘better half’ who doesn’t live with me these days commented she had ‘managed to post her vote the day before the deadline’ … My lottery effort went in a good week early to get rid of it.
        Not sure which of us should get the kudos 🙂

        Really with the scant info about candidate I wonder how most can make an informed vote assuming they still believe they should vote …I certainly see little or no point in it …. but voting is just a habit.

        • Draco T Bastard 2.2.1.1

          Really with the scant info about candidate I wonder how most can make an informed vote

          In some respects I think we actually have more information about local body candidates than we do about national candidates and it’s sitting there right in front of us in an easy to read blurb. Of course, there’s a serious question of just how accurate that blurb is.

          We don’t really hear that much about national candidates – it’s more that we’re voting for the party that they belong to and we’re supposed to actively seek out that information which can be difficult if you don’t know your way around the web. I know that there’s around 20 registered parties in NZ and there’s a few more that aren’t registered and not all of them have web sites. I certainly haven’t read all of them and in may cases wouldn’t be able to find them.

          Perhaps what we need is a government website that has a similar blurb about the candidates and parties with a link back to their own websites to make finding the information easier.

    • The thing I wonder about is whether it makes sense to fix the election date and align local body elections with national elections so you can go and vote for both at once.

      The thing that worries me about that though is that people might pay even less attention than they already do to either or both of the elections if we make them vote for up to five different bodies at once.

      • weka 2.3.1

        I can see the argument for putting them on the same day, but I agree that it might just makes the ‘lesser’ ones even lesser. I’d prefer to see more energy going into getting people interested rather than trying to make voting more expedient. I like having to think about local things separate from national ones. The thought of having to deal with all those campaigns at the same time isn’t pleasant.

        • Yeah, that’s what worries me about the idea too, especially as it’s difficult to get good information on local campaigns even as an engaged voter. I’d almost like to have the local campaigns syncronised to come in the middle of the national term yet still do the full election day vote-in-person routine for them, but sadly convincing people to spend more money on elections is kinda a non-starter, even though it really should be considered one of the more important places to spend money.

          • Draco T Bastard 2.3.1.1.1

            but sadly convincing people to spend more money on elections is kinda a non-starter

            I think that you’re wrong about that. I think that the majority of people wouldn’t mind upping the cost for democracy if it made it better. The people who complain seem to be the politicians – especially National and National doesn’t like democracy anyway.

    • dukeofurl 2.4

      Yes the council needs to include for each voting pack, a sheet for local postboxes locations.
      NZ Post has its website where you can choose post offices or postboxes.
      http://www.nzpost.co.nz/tools/postshop-kiwibank-locator?filter=postbox

      Key said he couldnt find a post box, when the maps show 2 in his street!

      • weka 2.4.1

        My local street post box use to be covered with shrubs from the neighbouring section. I don’t even know if they cleared the box then (later the shrubs were cut back and it was in use again). Don’t get me started on NZ Post.

        Edit, that map doesn’t show street boxes, only Post Offices, dairies with posting boxes etc.

  3. Nic the NZer 3

    Pretty sure the NCEA results distribution system gets overloaded and can’t function about half of the time. If i remember correctly that last happened last year. Online voting has worse load issues and less frequent usage (and proving) than that which is reason enough to think its a poor idea. This post makes total sense.

    • lprent 3.1

      I failed to do the census for myself in 2013. Not because I didn’t fill out the online version. But apparently because it didn’t save it.

  4. UncookedSelachimorpha 4

    Replying to jcuknz (my reply buttons have been intermittent all day), I think compulsory voting is a good idea too, but the fines do not need to be large – say $50.

    How about paying people to vote – the cost of traveling to a polling booth can be a deterrent to many of those who are in poverty while enjoying the brighter future. A $10-20 payment would cover petrol or a bus and would not be a large sum in the grand scheme of things, supporting poor people to participate in democracy.

    • Draco T Bastard 4.1

      I think compulsory voting is a good idea too, but the fines do not need to be large – say $50.

      No, they actually do need to be large so that people will actually vote rather than decide that they’re better off going to work and not voting. Minimum wage for eight hours is ~$130 so it needs to be larger than that.

      How about paying people to vote – the cost of traveling to a polling booth can be a deterrent to many of those who are in poverty while enjoying the brighter future.

      How would you do it?

      • UncookedSelachimorpha 4.1.1

        “How would you do it?”

        Good point! When I think it through, there are hurdles, and my idea might not work at all. The two obvious difficulties are security and fraud.

        I think the extent of fraud could be minimal (small sum of money per transaction and you can only pretend to be someone else (who hasn’t already voted) once or maybe twice per polling booth).

        Security is a real headache though – can’t have thousands of cash on site, and voucher schemes etc get complicated.

        Instead we could have free public transport on election day, and in rural areas could run the school bus system to and from booths.

      • Australia’s fines are waived if you have a good reason for not voting, and AU$20 if you don’t but voluntarily pay the fine, and they seem to have boosted turnout pretty effectively.

        I think paying people to vote is just as good to be honest, as it’s effectively the same as fining those that don’t vote, but there’s less enforcement cost to it. You’d have to be careful how you pulled it off though as it could make voter impersonation more likely if it’s not done carefully. (for instance, just giving people $20 cash after they submit their ballot would be inviting voter impersonation, which people are sadly far more likely to do for cash than they are to effect the result) The best way would probably be to allow people to nominate a bank account for an electronic payment with their voter registration, and to wire that if they’re confirmed to have voted after everything is counted.

        • Draco T Bastard 4.1.2.1

          I think paying people to vote is just as good to be honest, as it’s effectively the same as fining those that don’t vote, but there’s less enforcement cost to it.

          Enforcement costs would probably be the same. You have to go through the same steps whether we have compulsory voting or not.

          We have to check if people have voted and that people haven’t voted twice either way.

          I do have moral qualms about paying people to vote but paying transport costs is probably valid.

      • Siobhan 4.1.3

        If you insist on that then the fine should be geared to each person’s wealth.
        For some, $130.00 is the shopping money for the week, while for others it’s a Karen Walker scarf.

        Actually, this goes for all fines. If Finland can do it, I don’t understand why we can’t.

        • Draco T Bastard 4.1.3.1

          /agreed

          I’ve said for awhile now that fines should be set as a percentage of income.

  5. RedBaronCV 5

    I too think we should revert to in person voting. So many of those letters must go astray.
    Nor should we assume that people have the computers to vote and if they don’t they are effectively disenfranchised.
    And as to security – I’ve seen what the techie’s can do at work- anything, everything. and if people access the voting through a work intranet who is to say that votes are not being changed before they leave the premises .

    Maybe have voting over a longer period and definitely have mobile booths which could tour local supermarkets, schools at 3.00 etc. It would have a much higher level of visibility and get to people where they are. Possibly even have a mixed system postal and in person. Cost ? what price democracy

    • Draco T Bastard 5.1

      Nor should we assume that people have the computers to vote and if they don’t they are effectively disenfranchised.

      They’d only be disenfranchised if we removed in person voting as well.

      And as to security – I’ve seen what the techie’s can do at work- anything, everything. and if people access the voting through a work intranet who is to say that votes are not being changed before they leave the premises .

      Never, ever do personal stuff at work. If you do you truly are an idiot.

  6. RedBaronCV 6

    And while we are at it – would be good to have voters able to vote as they used to – on whether or not the council could raise a loan for a particular purpose. It would need to be tweaked but would restrain some of the more grandiose proposals _ Ruatanwha dam?

  7. Lanthanide 7

    “Changing to online voting isn’t going to change that, they’d still have to get those logins from the post”

    Which is an unfounded assumption.

    The government has the Real Me system, for example, which verifies your identity online to the NZ government and any other 3rd parties that want to tie into it (good for people who want to sell age-restricted items, for example).

    I don’t think it’s too much of a stretch to suggest that Real Me could be leveraged for online voting, and therefore the login information could be sent via email.

    Pretty easy to check your email, get a link, and vote within 10 minutes. Perhaps the email links you to sign into the Real Me site, and you get your voting access there, to avoid sending sensitive information in the email itself.

    All of the rest of the security problems you identify still exist (and could potentially be exacerbated with electronic delivery of login info), but to simply assume that login information would *only* be delivered by post, is a bit naive. Even ignoring the Real Me system, when you enrol to vote, you give them your physical address. How is it any different to just give them your email address?

    • Nic the NZer 7.1

      RealMe or any other similar identity verification system solves none of the problems discussed here with identity theft.

      The reason postal is massively less prone to identity fraud than online it related to the number of addresses which need to be reached to commit such a fraud. If someone steals thousands of letters from visiting thousands of addresses then a significant impact on the result is possible. With an email system the same impact is possible with an anonymous computer stealing many more voter identities in vastly less time probably with no decent trail of how it occurred.

      • Lanthanide 7.1.1

        You missed my point. One of Lynn’s objections is that “it still relies on people checking their physical mailboxes and anecdotally young people don’t do that”, but there is no need for that to be true.

        • Nic the NZer 7.1.1.1

          Yes, you can do that if your willing to accept your voting system becoming massively more suceptible to voter fraud. Lynn (sensibly) concludes this is not viable because of this potential inbuilt fraud weakness.

          Tell you another way around this which is also not viable. Instead of mailing out cridentials they could get people to setup usernames and passwords at the previous election cycle. I think you can understand that’s not a viable alternative I just proposed is it.

    • weka 7.2

      Given National’s desire to collate mega data on all NZers and use it in whatever way they see fit, including rewriting the privacy laws to allow them to do that, there is no way in hell that voting should be tied into any existing system the government is using.

      “Even ignoring the Real Me system, when you enrol to vote, you give them your physical address. How is it any different to just give them your email address?”

      What about people who don’t have an email address? Or are you suggesting a dual system where one can choose?

      • Lanthanide 7.2.1

        Yes, obviously I’m suggesting a dual system.

        Do you think the election commission is suggesting that you would ONLY be able to vote online?

        • weka 7.2.1.1

          I had assumed that people who promote online voting ultimately want it to be the only method. In the same way that postal voting this time was the only method (afaik it wasn’t possible to go to a polling booth).

          • Lanthanide 7.2.1.1.1

            For electoral roll purposes I think they’d still want your physical address anyway, even if they were emailing you stuff. It’s used for jury duty after all, and other things I assume. Having to supply an address makes it harder for people to do fake enrolments etc.

            • weka 7.2.1.1.1.1

              Right, but even if you have to provide a physical address it could still be online voting only.

          • Nic the NZer 7.2.1.1.2

            You could still hand deliver your ballot to the council office where I am.

            • weka 7.2.1.1.2.1

              Yes, me too. That’s not voting at a polling booth though. You have to have the papers (at a polling booth you just have to turn up).

    • lprent 7.3

      Email is about the most insecure system I know of. Why would you want to use that?

      Similarly if you have a close read of what I talked about, you’ll note that a lot of it was about easy ways to sabotage an electronic election – in selected areas. Just think what targeting the North Shore networks would do to the votes.

      Add screwing with the email system into the list. God knows that isn’t hard to do.

    • jcuknz 7.4

      Since it took me at least 30 minutes to vote a 10 min allowance wouldn’t work …I think two days was what I took with two stabs at the lottery.

  8. Muttonbird 8

    Two major proponents for online voting are Farrar and Leggett.

    I think that tells us all we need to know.

  9. NZJester 9

    When even some of the biggest companies in the world with more cash to spend on security can not effectively stop some of the hackers, what chance has a NZ computer voting system got? It will cost a lot more money than the current postal or in person voting systems we have now. If it is done on a budget by the cheapest bidder it would likely have more security holes in than the number of holes you find in a piece of swiss cheese.
    If it was in place for the current Auckland mayoral race I would not have been surprised to have seen Phil Goff come in second place to Harambe or Boaty McBoatface.

    • Infused 9.1

      Because you don’t approach the issue ‘trying to plug every security hole’ this is a system only exposed to the net for a few days. Using a single entry code, to vote.

  10. Colonial Viper 10

    Online voting provides additional critical information about NZ citizens.

    Our SIS division of the NSA will be able use the massively valuable information collected from online voting to generate different reports which will allow governments and officials to better vet people who apply for public sector jobs, licenses, passports, visas, permits, business loans, mortgages, etc.

    We should implement online voting ASAP, no?

    • Paul 10.1

      Online voting will mean less people vote.

    • Wendy 10.2

      I feel online electronic voting that is dependent on the ethereal digital, virtual world will be quite dangerous in that it would be more easily manipulated to work against the interest of the many common folks who vote.

      Better to keep to the current system we’ve got that leaves a hard copy trail.

    • Draco T Bastard 10.3

      The NSA, SIS, GCSB and any other agency shouldn’t have access to it. If they do then they should be going away for a very, very long time.

      And so should the government that enabled it.

      • RJL 10.3.1

        Sure, GCSB / SIS should not be monitoring the content of any sort of online voting system, if we had one. Of course, attempting to keep an online voting system secure would perhaps be (if we took the disastrous route of having one) one of the few legitimate roles that can be imagined for the GCSB.

        However, even if we trust the GCSB / SIS to keep out of it; there is no way to prevent genuine foreign intelligence agencies such as the NSA (or Russian, European, Chinese, et al equivalents) from monitoring and potentially interfering if we had an online voting system. Why wouldn’t they: it’s their job to offer this capability to their country.

        • Draco T Bastard 10.3.1.1

          there is no way to prevent genuine foreign intelligence agencies such as the NSA (or Russian, European, Chinese, et al equivalents) from monitoring and potentially interfering if we had an online voting system.

          There’s no way to stop them trying but there is most definitely a way to try and prevent them gaining access and that comes down to ongoing effort and continuous updating. Such effort works most of the time.

          There’s still some risk but there’s risk in the present system as well. The thing is, there’s a hell of a lot more advantage to online voting which, IMO, means that it’s worth carrying that risk.

          • RJL 10.3.1.1.1

            If NSA and friends wanted to compromise any such system I doubt GCSB could stop them (assuming the GCSB didn’t actively aid them, of course).

            Especially as it is (presumably) a publically accessible system built from commodity hardware, and interacting with practically anything from the client/voter end.

            I can’t see any advantage at all in an online system, only a hell of a lot of risk.

            • Draco T Bastard 10.3.1.1.1.1

              If NSA and friends wanted to compromise any such system I doubt GCSB could stop them (assuming the GCSB didn’t actively aid them, of course).

              I’m pretty sure that our people are just as capable as the USians.

              I can’t see any advantage at all in an online system, only a hell of a lot of risk.

              There really isn’t that much risk and the advantage is that we could become far more democratic which we can’t do with a physical system.

              • RJL

                “I’m pretty sure that our people are just as capable as the USians.”

                Exactly.

                Which is why the Americans will be assuming that any system connected to the public is compromised (and their counterparts elsewhere assume the same).

                Which is why (except when there are cock-ups) public facing systems are not used for the various levels of secret communications between embassies, the military, etc.

                • Draco T Bastard

                  Which is why (except when there are cock-ups) public facing systems are not used for the various levels of secret communications between embassies, the military, etc.

                  Except for where it’s all connected to the internet like the CIA, the FBI, the NSA…

                  Having two separate systems would cause even more fuckups than simply having a proper system in place in the first instance. Because people will break protocol to get the communication where they need it to when the protocol prevents them.

                  • RJL

                    If the NSA’s skills at securely using the internet are so great, why does the head of the NSA periodically come out to NZ in an US airforce jet. Why doesn’t he just use Skype for Spies?

                    Likewise, why are the NSA bothering to intercept the communications of foreign powers if it is so trivial for intelligence agencies to use the internet securely?

                    • Draco T Bastard

                      If the NSA’s skills at securely using the internet are so great, why does the head of the NSA periodically come out to NZ in an US airforce jet.

                      Never heard of the personal touch?

                      Why doesn’t he just use Skype for Spies?

                      He probably does.

                      Likewise, why are the NSA bothering to intercept the communications of foreign powers if it is so trivial for intelligence agencies to use the internet securely?

                      You’ll note that they’re not relying upon decrypting the messages any more. Instead they’re building up reams of meta-data and deriving information from that.

                      Think about it this way: 128 bit encryption algorithm will take millions of years to crack. Cracking the password is easier but it can still take a long time. The latter is changed by two factor authentication which makes it almost impossible to crack the password.

                      The spies do have secure communications across the internet. In fact, so does everyone else. Why else do you think that some governments have been trying to soften up the people to have encryption software banned? Why they’re dragging up ISIS’ use of encryption to communicate?

                      They can’t listen in to conversations any more. All they can do is the needle in a haystack search with meta-data. That can tell them a lot: Who’s talking to whom, where people are at what time etc. but they aren’t listening to their conversations.

                    • RJL

                      @Draco T Bastard

                      Look, it’s pointless arguing about the capacity or otherwise of the NSA (or similar Euro/Russian/Chinese etc agencies) to screw with an online voting system. However, I think that it is criminally insane to assume such actors could not find a method to interfere with a practical system built from commodity hardware, probably communicating over the commodity internet, and interacting with millions of dubiously-secure voter-side systems, if they wanted to. Just the fact that critical hardware components of the system will almost certainly be built and exported from the US should give one pause for thought.

                      On the other hand, it is also probably needlessly paranoid to assume that such actors would even want to interfere in our online voting system. At least today.

                      The real problem of compromise is still internal. The danger is compromise by the people (or a subset of the people) who are developing and maintaining the system.

  11. James Thrace 11

    Or just get online voting sorted out through Real Me. Very little risk of that being usurped given the somewhat rigourous protocol to get verified on that system.

    Might as well put the $250mil that has been spent on RealMe to good use.

  12. Draco T Bastard 12

    Think about that. This is an insurance model. It means that they accept that there may be serious breaches of security but the risk level to the banks is acceptable.

    And the way we’d want to choose to use online voting is if the benefits out-way the risks rather than through hyped-up emotion. One of those benefits is that we could more easily do referenda both for local and national policies.

    Such an increase in democracy is, IMO, worth the risk. We already know that the elected dictatorship we have doesn’t work.

    Now translate that same security model to online voting.

    No, don;t because it simply doesn’t apply. Obviously the way to do it is to put in place the best security that can be produced with it updated as fast as possible.

    As RedBaron asks: What price democracy?

    While I’d bet that some people voted for others, it is hard to get or forge paper well enough to tip results. And given a complaint by a frustrated voter, it wouldn’t be hard to track where and probably who has been diddling the postal votes.

    Are you sure about that? A few thousand people across the country getting hold of a few each could easily swing a vote against the wishes of the people who didn’t get to vote.

    And just how are you going to catch them?

    However given enough details of logins, I’m pretty sure that it wouldn’t be hard to figure out an algorithm that would give a reasonable chance for getting logins.

    Yep your right. Of course, several thousand votes arriving from a single IP address would probably tip off any well made software that something was up.

    And having the logins doesn’t get you past the security token that comes with registering to vote – which would be done physically at the court.

    That means that trying to hack individual accounts isn’t worth the effort.

    So just accessing the firmware of the multiplicity of switches or just getting access into the lines would do. Just find areas that vote the ‘wrong’ way and disable their net.

    Which would achieve nothing. They’ll still be able to physically vote and as voting would be open for a month or even more keeping the net down for that length of time would be a dead give away – you’d be asking to get caught.

    Never mind the fact that you probably wouldn’t be able to get to several of the switches without tripping security.

    I’m pretty sure that if I found the inclination to ‘test’ an online voting system, I could shift the results. I’m also pretty sure that I wouldn’t be caught at it.

    So, we can expect Wikileaks to have the entirety of the CIA’s, NSA’s and the FBI’s files by tomorrow morning?

    It doesn’t even have to be you as I’m pretty sure that there are already thousands of people in the world who do have the inclination to make that information available.

    They same things I have been hearing from similar young voters for the last 25 years. Changing to online voting isn’t going to change that, they’d still have to get those logins from the post

    Actually, it would as it would remove several blocks that prevent people from voting using a postal voting system:

    1. They don’t have the irritation of having to deal with the paper. It took me ages to find the double nine that I entered on the voting paper. A mistake that could not even be entered on a computer system.
    2. Remove the chance that it goes to the wrong place. A few going missing is all it takes to tip the vote as you point out and yet almost none of those people will tell the Electoral Commission that they didn’t get their voting papers.
    3. Remove the double barrier of having to find the time to find a post box to post the bloody thing

    Look at the 74+% turnout in general elections when the actual number enrolled is far higher than in local elections.

    Yes, lets. Let’s look at the fact that it’s dropped from well over 90% a hundred years ago to 74% at the last general election. This isn’t a great selling point for a walk in system.

    It’d be a damn sight cheaper than any online system – even before I and my ilk turn our attention to improving the online security by testing it to destruction.

    We keep doing things cheaply and then acting surprised when the results suck.

    • lprent 12.1

      The postal local system has dropped from about 70% in about 35 years to about 50%. It simply isn’t working.

      The campaign for postal voting declaimed virtually the same advantages that you are looking for in an online system 40 years ago. They simply didn’t work. Voting turnout dropped damn near immediately and stayed down.

      My personal bet is that the effective of an online system will be to simply exclude people who don’t feel comfortable on computers with weirdo and complicated security systems. I’d expect that it will simply cause a further fall. Now show me some real world evidence that isn’t the case in a country with a clean voting record?

      Sure we can run walk-in + postal + online side by side. But all that is likely to do is to ensure that none of them work well because they are all resource starved.

      A walk-in booth system seems to be the most effective one. Concentrate on that. Fund it fully and concentrate on making it better rather spreading pissant amounts of resources around for the fashionista theories that appear not to work.

      • Draco T Bastard 12.1.1

        The postal local system has dropped from about 70% in about 35 years to about 50%. It simply isn’t working.

        I agree. Postal voting was always a stupid idea. People won’t feel the same pressure as they do for a walk-in system where they only get one day.

        It was done because it was cheaper. As I said, we keep doing things because they’re cheap and not because they’re good. The inevitable result is that we end up with systems that simply don’t work.

        My personal bet is that the effective of an online system will be to simply exclude people who don’t feel comfortable on computers with weirdo and complicated security systems.

        No well designed systems are weirdo or complicated. My security key requires simply pressing one button and entering the number provided in a short time span but it still effectively prevents most of the attacks that you’re describing.

        Sure we can run walk-in + postal + online side by side.

        I’d eliminate the postal one. Just have the walk in and online systems. Have the online system being maintained permanently while you only role out the walk-in one on election days. Having the online system being maintained is to ensure security updates are well installed and running when needed.

        A walk-in booth system seems to be the most effective one.

        But it’s not. Not if we’re going to go to a more democratic system and finally remove the power from government and business.

        • I’d feel really uneasy about running even local elections even partially online given how vulnerable any client-server traffic is on the internet. The risk isn’t so much about individual votes being fradulent as it is about the potential for systemic vote interception or compromising the server to favour a particular candidate.

          I’d actually wonder if synching them up with National elections might boost turnout too, and still keep things comparitively cheap because you’re piggybacking onto all the sunk costs of running a general election.

          • Draco T Bastard 12.1.1.1.1

            The risk isn’t so much about individual votes being fradulent as it is about the potential for systemic vote interception or compromising the server to favour a particular candidate.

            Using a security key makes vote interception impractical. A compromised server is a greater concern but I don’t think that it’s as high a risk as some make out. If it was we’d all know what the intelligence agencies are doing all of the time as their servers would be compromised.

            • RJL 12.1.1.1.1.1

              The risk of a compromised server is mostly internal compromise.

              With in-person (and postal) there is ultimately an actual physical artefact (the voting paper) that can be counted and recounted. This is difficult to compromise on a large scale without many people being involved and much evidence being created.

              On the other hand, a small number of people in the right place can easily mess with an electronic/online voting system, and it can be very hard to detect, and there is no physical back-up in terms of voting papers.

              Of course, we would like to pretend that our political parties are not corrupt enough to try to compromise an online voting system. On the other hand, look at what does go on, from screwing with the OIA, to the gerrymandering of electorate boundaries, to (say) Epsom. Clearly, we shouldn’t trust our political parties with such a temptation.

              • Draco T Bastard

                On the other hand, a small number of people in the right place can easily mess with an electronic/online voting system, and it can be very hard to detect, and there is no physical back-up in terms of voting papers.

                No, they can’t easily interfere with an electronic system. If it was easy then we really would know what all of the globes intelligence agencies were doing.

                And there’s a check that an electronic system has that a physical system doesn’t – the people can actually check their vote and how it was recorded. That cannot practically be got around as it would require an entire server capable of handling an entire nations voting and it needs to be online all the time so that when people check their vote they still get that server and that will be detected.

                And then there’s the fact that I will have an email sitting in my inbox that can be traced back to the government server. If it can’t then people are going to be looking. So, yeah, there is a trail that can be checked with multiple checkpoints.

                If there’s anything that looks like an attempt to compromise the election then it just gets declared null and void and we do it again within a couple of weeks. Again, something that simply cannot be done with a physical system.

                Of course, we would like to pretend that our political parties are not corrupt enough to try to compromise an online voting system.

                The only way to prevent corruption is to put in place processes that will detect it when it happens. Now, what do you think will happen to a political party that tries to corrupt the election and they get caught?

                Personally, I’d put the entire membership into jail.

                On the other hand, look at what does go on, from screwing with the OIA, to the gerrymandering of electorate boundaries, to (say) Epsom.

                And look at the fact that we know about it. The only real problem with those things is that we didn’t have the laws and processes to deal with them and National aren’t about to put those laws and processes in place. But I won’t be surprised if a Labour/Greens/NZFirst government does.

                • McFlock

                  How much did Snowden dump again? Or Manning?

                  And even if you had a way of checking your vote, that provides a quick way of finding political opponents by a corrupt administrator while still failing dismally to prove vote fraud: “I swear I voted Labour”/”good for you, computer says no”.

                  Paper ballots with barcodes that correspond to the electoral roll on a different list is the best way of doing it for both privacy and fraud prevention.

                  If you want to speed up processing, make the voting machine print out a voter receipt that the voter can check before putting in the ballot box. Electric tally gives election night vote, ballots are counted the old fashioned way for final result.

                  • Draco T Bastard

                    How much did Snowden dump again? Or Manning?

                    It’s not a question of how much he dumped but how he got hold of it. It wasn’t through online hacking, he really did break laws doing so and he really was identified. The only reason why neither are a criminal is because they showed immoral activity by the government through those illegal actions.

                    Please note though that those immoral actions had a veneer of legality.

                    And even if you had a way of checking your vote, that provides a quick way of finding political opponents by a corrupt administrator while still failing dismally to prove vote fraud: “I swear I voted Labour”/”good for you, computer says no”.

                    The administrator wouldn’t have access to the files.
                    There would be an automatic email generated when you vote showing the way you voted. This email could be used as proof that you voted the way you said you did.
                    If you swear that you voted a certain way and it doesn’t show that then the computer is considered to be wrong.

                    Paper ballots with barcodes that correspond to the electoral roll on a different list is the best way of doing it for both privacy and fraud prevention.

                    Best way of doing what?

                    If you want to speed up processing, make the voting machine print out a voter receipt that the voter can check before putting in the ballot box.

                    That would slow things down for no benefit.

                    • McFlock

                      So the supposedly secret ballot for the entire country is stored on a whole bunch of email servers? There goes the secret bit.

                      So you get an email that says you voted National when you’re sure you clicked on Labour. What do you do then?

                      Paper ballots with barcodes that correspond to the electoral roll on a different list is the best way of doing it for both privacy and fraud prevention.

                      Best way of doing what?

                      Having a secret and robust voting system.

                      If you want to speed up processing, make the voting machine print out a voter receipt that the voter can check before putting in the ballot box.

                      That would slow things down for no benefit.

                      The benefit is an immediate count on the night, without losing personal privacy or enabling bulk voter fraud on a scale that’s impossible for one person to do with paper votes.

                    • Draco T Bastard

                      So the supposedly secret ballot for the entire country is stored on a whole bunch of email servers?

                      Encryption

                      Having a secret and robust voting system.

                      There’s no point to what you said. Online voting would have better systems with less chance of being intercepted.

                      The benefit is an immediate count on the night, without losing personal privacy or enabling bulk voter fraud on a scale that’s impossible for one person to do with paper votes.

                      The chances are that won’t happen with online voting. There’s a risk but it’s, IMO, fairly minimal and it can be worked with.

                • RJL

                  “And then there’s the fact that I will have an email sitting in my inbox that can be traced back to the government server.”

                  That doesn’t sound plausible. An online voting system won’t be busy emailing back to everyone a record of how they voted. It might email back to you the fact that you have voted successfully.

                  Even if you got a vote receipt emailed to you, that’s no guarantee that the vote has been processed correctly at the counting end. And even, if there was a big email archive of how everyone voted, it would be impossible to reconcile the email archive with the recorded vote. If they are different it just means that you have two electronic copies of the vote, with no way to know which is correct (if either).

                  “If there’s anything that looks like an attempt to compromise the election then it just gets declared null and void and we do it again within a couple of weeks. “

                  There’s no way, that we would restart the voting process. An unknown number of errors with voting receipts won’t be due to a compromised system but will instead be due to voters either forgetting, or changing their mind, or lying, about how they voted.

                  “Now, what do you think will happen to a political party that tries to corrupt the election and they get caught?”

                  They’ll just deny it happened (and it will be really difficult to prove definitively that it happened, or who is responsible), perhaps there will be an inquiry, and at worst it’ll be blamed on independent contractors (i.e. DPF).

                  • Draco T Bastard

                    An online voting system won’t be busy emailing back to everyone a record of how they voted.

                    Why not?

                    I’d certainly expect it as the first line of checking.

                    Even if you got a vote receipt emailed to you, that’s no guarantee that the vote has been processed correctly at the counting end.

                    Which is, of course, why we have the ability to check.

                    If they are different it just means that you have two electronic copies of the vote, with no way to know which is correct (if either).

                    If the person turns up to court with a copy of their email saying how they voted, them saying that they voted the way the email said and then showing that the online record showed differently then you most definitely have a way to know which is correct.

                    There’s no way, that we would restart the voting process. An unknown number of errors with voting receipts won’t be due to a compromised system but will instead be due to voters either forgetting, or changing their mind, or lying, about how they voted.

                    All of which would be easily testable.

                    They’ll just deny it happened (and it will be really difficult to prove definitively that it happened, or who is responsible), perhaps there will be an inquiry, and at worst it’ll be blamed on independent contractors (i.e. DPF).

                    A little difficult to do any of that when you have the full trail available to you to determine who did what, when and where.

                    A big problem that anyone who tries to cheat an online voting system has is that they have to maintain the deception. It’s not just the short-term deception that’s needed to stuff up the paper system.

                    They change someone’s vote at the time of the voting and that will show up on the very first email that the voter gets. They change it after then the voter will know when they get the second email just after voting closes or they check before hand.

                    Changing the actual vote and trying to hide it will mean that they have to maintain a server that’s capable of holding all those voters votes and being able to get in between them and the real server at all times and that will be detected. Either through one of the techs mentioning it, it not getting between one of the voters and the real machine at some time or by the ISP doing a traffic analysis on their network. Nothing done on the internet is truly anonymous.

                    Changing it randomly during counting will stick out like dogs balls because the computer will be using more resources than it should be and the unauthorised update will be clearly visible in the update logs – along with who did the update.

                    No, an online voting system won’t be completely secure but it won’t be easy to corrupt either.

                    • RJL

                      @RJL “An online voting system won’t be busy emailing back to everyone a record of how they voted.”

                      @Draco T Bastard “Why not?”

                      Because it is a secret ballot.

                      I think you might be confused about whom a secret ballot is secret from. Understanding this will help you understand why voting receipts won’t be issued. Administratively it is already possible under our existing systems to retreive an individual’s ballot. This is for ensuring that (rare) duplicate votes can be dealt with properly.

                      But the electoral administrative structure is not whom a secret ballot is hiding your vote from.

                      The purpose of the secret ballot is to stop your husband (for example) from discovering how you voted and punching you in the head because you did not vote the way that he told you to.

                      That is why voting receipts will never be issued in the way you suggest.

              • Infused

                It would be detected. Everyone here is talking about their ass like they know IT security inside out. You all seem to be making it out to be like a single DB exposed to the internet. Things have moved on since 1995.

                • McFlock

                  And yet massive security breaches still make the news every year or so.

                  We currently have a system that is difficult to pervert in a systemic manner that is likely to skew an election result.

                  Excuse me if I don’t take it on faith that your alternative system is equivalent to or better than the current method.

                  • Infused

                    These systems are systems that are online all the time, with technology that is always changing. This is a closed system which would come online for a short period of time.

                    ANZ’s banking system upgrade their edge protection (to the internet) every two weeks. Have they been compromised?

                    As long as things are not done in a stupid manner, all will be well.

                    • McFlock

                      As long as things are not done in a stupid manner, all will be well.

                      lol

                      there’s the rub, of course.

                      Being online for a short period of time limits external threats, but it also limits the ability of the public to report problems and does nothing to limit the potential for internal corruption. So you miraculously make it invulnerable to external threats: how do we know the system itself isn’t flawed, or even rounds a particular party down?

                      With a paper system you have scrutineers as the ballots are counted, where’s that audit step with online voting?

                    • Infused

                      Paper system you can’t detect duplicate voting unless someone reports it.

                      This is what security audits, pen testing etc is for.

                    • Draco T Bastard

                      As long as things are not done in a stupid manner, all will be well.

                      Pretty much.

                      There’s always some risk of course but we can plan for things going wrong so as to mitigate the damage.

                    • McFlock

                      Paper system you can’t detect duplicate voting unless someone reports it.

                      This is what security audits, pen testing etc is for.

                      So it can’t, but it can?
                      The paper system frequently detects multiple voters, often elderly people who forgot they voted via special vote and trundled out on the day.

                    • Infused

                      im talking about people voting on other peoples behalf. ie: stealing voting papers, or having voting papers for other people delivered to your door.

                    • Draco T Bastard

                      And the paper system failed to detect that a dog registered to vote. As
                      Infused said: “Paper system you can’t detect duplicate voting unless someone reports it.”

                      So very, very easy for a manual system to totally miss something going wrong.

                      The point is that both systems have their shortcomings but only one has all the advantages of online voting and it ain’t the paper system.

                    • McFlock

                      You mistake one dog intentionally registered vs the possibility of compromising the entire system. Which you guys say is totes imposs- I guess the DNC should have gotten you two to design their system.

                    • Draco T Bastard

                      Which you guys say is totes imposs-

                      But we’re not saying that as you well know. So please withdraw that and apologise for lying.

                      If the paper system was as good as you say it is there should have been no chance of the dog being registered.

                    • McFlock

                      Fair enough.

                      Not “totes impossible”.

                      Just that “all will be well” and that “damage can be mitigated”. Which is still bullshit, because we’re talking about the core system of our democracy.

                      You do realise that “As long as things are not done in a stupid manner” is little more than a no true Scotsman claim, right? Any fuckup in the system, captain hindsight says “oh, they did that in a stupid manner, so everything’s ok”. despite the fact that this means that in the real world, our electoral system was fundamentally compromised.

                      Hell, what about simply doxing voters, like those Turkish hackers? I guess they did that in a stupid manner, all will be well here.

                    • Draco T Bastard

                      You do realise that “As long as things are not done in a stupid manner” is little more than a no true Scotsman claim, right?

                      Not in this case because best practice is actually known.

                      Any fuckup in the system, captain hindsight says “oh, they did that in a stupid manner, so everything’s ok”. despite the fact that this means that in the real world, our electoral system was fundamentally compromised.

                      Which is why we put in place processes to detect and mitigate and repair any damage done by a breach. To ensure that it’s not fundamentally compromised. To know that the next day it can be used again.

                      It’s part and parcel of that ‘not being stupid’ thing.

                    • McFlock

                      And the penalty for failure in an electoral system with no term limits is massive. You can’t mitigate that.

                • It’s not an issue of if a hack or in-person compromisation of the necessary files is detected eventually. It’s an issue of whether it is detected before results are finalised. Otherwise, we end up appointing the wrong government and the damage is done. It completely undermines confidence in the system if official results are published in a way that’s proven to be significantly wrong.

                  Any electronic system needs to be comparably secure to a paper system, meaning any likely vulnerabilities are generally to an individual vote or a category of voters. (ie. someone intercepts a box of ballots)

                  This isn’t how vulnerabilities in electronic systems generally work. It’s normally a matter of all-or-nothing. So essentially any electronic system needs to be so secure that any tampering will be detected in the time it takes to finalise election results, or manage to seperate out the files into multiple sets of physical hardware with different access privileges yet still be convenient to count once the time comes.

                  I am highly skeptical it’s possible to set up an electronic system that way that still has the advantages of being an electronic version of a secret ballot.

                  Draco seems to think we can ditch the secret part to secure the ballot. (we can’t, that exposes us to voter coercion of varying sorts, which runs into the same difficulties proving it as you do with discrepancies in voter records)

                  There is a way to have a secret ballot with receipts, but it works best with paper voting. (basically you cast two ballots that cancel each other out and one ballot with your actual vote on it, and you get to choose to keep a receipt of any one of those three votes- as there’s no way to prove that there isn’t a cancel-out vote for the one you have a receipt for, nobody can confirm the way you voted for sure, but systemic voter fraud is likely to contradict at least some receipts) The issue with electronic receipts is that you’d need to have some secret hashing technique coded in so that people couldn’t fake who they voted for in the receipt and it could be verified. However the integrity of the receipt system is then only as secure as the secret its programmers used to make it, so you have to have absolute trust in everyone who’s ever had access to the source code, which is a terrible way to secure an election system. What you need is a method of securing things that still works once everyone else knows all the details of how it works, and paper is still the most practical way to do that.

                  It’s also not a guaranteed safeguard, it’s merely a probabilistic safeguard against large-scale fraud that assumes that any sufficient fraud will be discovered by at least one person checking their receipt and finding the published version differs, and that causing a critical mass of other people to also verify their votes and find discrepancies, so that if the system is actually compromised it can be detected. If it’s hard to get people to vote in time, it will also be hard to get them to verify their votes in the right timeframe, too.

  13. Paul Campbell 13

    I’m also a professional programmer, with 40 odd years of experience, I completely agree with LPRENT’s analysis ….

    I do have a problem with STV voting, on one hand I think it’s by far the fairest way to elect councils or mayors, on the other hand living in Dunedin and sorting 43 names based on 1 written paragraph is almost an impossible process – and effectively a selection sort O(N**2)

    Checking out the various hoardings around town doesn’t help they don’t mention what the person is for mostly “vote for me because I’m another old white guy”

    I do think there’s a place for computerised assistive voting – to help me sort those 43 names, let me drag this one up, and that one down, remove that one all together …. then print it off, check it’s how I meant to to vote then mail it in or put it in a box.

    • STV actually isn’t the fairest way of electing people, either at-large like the council elections, or in single-winner contests like for mayor. STV overly privileges your most preferred candidate, (because the vote “travels” down your list as necessary instead of acting as an evalution of each candidate) so it can have some weird hiccoughs where ranking a candidate second can give them a better chance of winning than ranking them first in close races.

      It’s much better to use an evaluative system like Approval Voting or Range Voting in single-winner contests, or a re-weighted Range Vote for multi-winner ones. It’s a similar concept to STV where you can include as many or few candidates as you like in your vote, but instead of listing them in order, you rate them within a specified range. (eg. 0-9, or 0-99) And unlike STV, you can rate two candidates equally, it doesn’t need a computer to be counted, and you give preliminary results mid-tally easily, because each polling station just needs two numbers per candidate to report results. (Approval voting is just a strategic version of the same system, where you can tick as many candidates as you like) This has some huge advantages in more expressive and fair voting, such as the “compromise candidate” effect, where a candidate that nobody ranks first on their vote can still win because people in many different political factions considered them a decent choice, wheras their strong yesses and nos to each others’ preferred candidates averaged out below that.

      Computer-assisted voting of the sort you’re talking about would be equally secure to mail voting, so long as it was a print-off or a guide for you to write manually onto the voting paper yourself. A lot of websites were ranking candidates on issues this election, which I think made the process a lot easier once you knew about them.

      • Paul CDampbell 13.1.1

        I don’t think it much matters which of these systems you use – they issue I was more trying to get at was that anything requiring you to rank 43 candidates against each other (an O(N**2) propblem requiring in this case 900 comparisons) is unweildy

        My main thesis here is that a little bit of computer help (a web page you can print off that contains links to more information about candidates than the paragraph in the voting materials, both their personal info and info from 3rd parties) might make voting easier and more accurate

        • Except you’re not required to rank all 43 candidates in New Zealand’s variant of STV. You can rank a minimum of one candidate and as many as all of them if you like, so long as those you do rank are in a clear and unbroken sequence. (And it’s actually tactically superior to only rank candidates you know are acceptable to you, so the only pressure to rank more candidates is if you think all the ones you’ve already ranked may be either elected or eliminated before the final round of voting) If there’s a break in the sequence of your list, (ie. you skip the number “7”) We actually still count all candidates ranked before the break, so as long as you’re good at writing the number 1, it’s hard to cast an entirely invalid vote in STV, so most no-votes are either deliberate or due to not understanding how to vote in STV, for instance by ticking multiple candidates. (I don’t remember off the top of my head if ticking or putting a mark next to a single candidate is treated the same as writing a 1, but I hope it is!)

          It’s Australia where they (for no real reason!) require you to rank all the candidates.

          Now, granted, the real problem with STV as a multi-winner system once we get past Australia’s nonsensical addition to it is that you’re heavily incentivised to rank at least as many people as can win positions. (In the case of Dunedin, this would be 14, which is way too many, and why Wellington divides the city into 3- or 2-candidate wards for voting, meaning most people will only need to rank 3-5 candidates to have a good chance of their vote being as effective as possible) This is due to the fact that candidates who exceed the necessary quota to be elected (ie. candidates in places 1-13 if all of Dunedin voted at-large, or places 1 & 2 in most Wellington wards) will have their excess votes redirected in proportion to the next preferences of all of their supporters, so if you’re voting strategically, you want to include enough candidates in your list that you’re confident that you will get to take advantage of the votes being redirected each time. So there’s a tension between proportionality of the system vs the number of candidates voters are incentivised to vote for. This is why I wouldn’t recommend STV for more than 5 or 6 vacancies, and I think it’s probably less-than-ideal for DHB elections.

          Re-weighted range voting works in the reverse way, so it weights more highly the votes of people who haven’t yet rated a winner positively, meaning that as you add more winners to each election, it gets closer to being proportional to the vote, but doesn’t actually rely on any “vote transfers.” This means that rating someone more highly is never bad for that specific candidate, (which in some rare cases is NOT true in STV) although rating someone else better than or equal to a specific candidate can cause your vote to be weighted lighter for every other candidate you haven’t yet elected, so it actually builds in an incentive against strategically rating every single candidate at maximum, because the higher you rate them, the lighter your vote gets weighted for the other candidates if this one is elected. You can also cause your most-preferred candidate to lose by adding a vote for a less-preferred candidate.

          The versions of RRV that have been used in private elections before (to my knowledge it’s not in use in any regional or national elections yet) look at which votes gave more than the minimum to an elected candidate and lighten the weight of those votes by some factor of the total distance from said minimum for each time they have a candidate elected. That variation has the least vulnerability to strategic voting, although I suppose you could also weight based on distance from the average, increasing the weight of voters who disliked the elected candidates.

          There’s also provisions to deal with what happens with leaving candidates blank (unlike voting the minimum score, you’re not counted towards their average score, but there’s usually also a necessary quota of non-blank votes to be eligible as a winner)

    • Draco T Bastard 14.1

      He’s wrong on so many counts it’s not funny.

      1. You can’t have anonymous voting ever. Do that and you’ll never have any idea if the people voting are actually entitled to vote. Voting Tourism would quickly become a thing if we had anonymous voting.
      2. Never, ever use a voting machine as they’re too easily compromised. Online voting would have the servers maintained all the time. It’s one of the reasons why I say that government needs a government wide IT department. Personal PCs are also well maintained with anti-virus and other software these days that are difficult to remove. Sure, compromised personal PCs used to be a serious problem but not so much any more.
      3. Saying that physical voting is more secure because we’ve been doing it for centuries and so we know all the ways for it to be done isn’t a reason against online voting. In fact, it’s a reason for it. When we started voting all those centuries ago we didn’t have that knowledge and yet we went ahead and did it anyway. Using his logic we’d still have dictatorships because we’d know how to catch the fraud and corruption better.
      4. Love the number of ‘probably’ he had in the transmission of the data. None of which would happen on a secure system. He’s literally Making Shit Up to make it sound bad.
      5. The Central Counting Machine hidden away in a private vault WAAAAAH. Yeah, that’s another good example of shit that shouldn’t happen on a secure system.
      6. Interestingly enough, his description of online voting matches physical voting. You go down, fill in a piece of paper, hand it over to some anonymous person who then hands it over to some other anonymous person who promises that it’s been counted correctly. At least with online voting I’d be able to login and check to see which way my vote had been counted and how.

  14. save nz 15

    Agree with Iprent 100%. Online voting is open to election fraud.

  15. jcena 16

    Online voting can work. It’s just that it’d be so complicated in order to prevent voter fraud that most people would give up. And then there’s the issue of site / database security and trying to protect from the biggest security issue of all – rogue employees with code access and a grudge.

    • Infused 16.1

      Bigger systems (systems obviously lpent hasn’t worked on) have audit trails and are transactional DBs. You can’t get away with changing records or anything of the sort without someone knowing. It doesn’t matter how close you are to the project.

      • One Two 16.1.1

        If that is what you believe , you have no idea what you’re talking about

        Which looking through a few months of your comments, you don’t!

    • Draco T Bastard 16.2

      It’s just that it’d be so complicated in order to prevent voter fraud that most people would give up.

      You’d login using a username, a password and a rolling security code generated on a security key.

      You would then vote as normal.

      What’s so fucken complicated about that?

      And then there’s the issue of site / database security and trying to protect from the biggest security issue of all – rogue employees with code access and a grudge.

      A small risk.

      And if they did have access they’d also leave a trail. A trail that would have reds lights flashing everywhere.

      • Infused 16.2.1

        Exactly. You’re pretty on to this Draco. All these systems have full audit logs and are transactional. Anything funny is going to stick out like dogs balls.

        • Draco T Bastard 16.2.1.1

          Yeah, and now if I could just get this bloody if statement working… 🙁

          #IhateJava

      • McFlock 16.2.2

        Sorry, you’re planning on giving two million voters rolling keygens?

        And expecting the voters to not lose them and know how to use them?

        🙄

        • Infused 16.2.2.1

          or a 2fa card. losing it is no different to losing your voting papers.

          • McFlock 16.2.2.1.1

            Really?

            What’s the cost differential between that plus a letter and simply mailing the papers or the (optional at voting booth) quickvote QR code?

            • Draco T Bastard 16.2.2.1.1.1

              Somewhere in the approximate vicinity of none.

              • McFlock

                Apparently $5 a gen by two million voters is in the vicinity of none…

                • Draco T Bastard

                  Oh, that’s interesting, I didn’t know that all that paper you wanted to use was free.

                  • McFlock

                    printing is what – 10 or 15c a sheet?

                    Which you’d still have to send so people know what the newfangled doodad is for.

                    • Draco T Bastard

                      How many sheets?
                      How many times?

                      You’re talking several sheets of paper and postage every three years. I’m talking one device every ten or more years.

                    • McFlock

                      A device that’s thirty to fifty times the price, if the loss rate by voters is <50% (which is optimistic, IMO).

                    • Draco T Bastard

                      No, it’s not thirty times the price. Even using the delusional money system that we have now it’s comparable.

                      Using actual physical reality it’s far cheaper.

                    • McFlock

                      $5 each plus postage and envelope vs 15c plus (at worst) three envelopes and postage. Times two million.

                      For doubtful benefit.

        • Draco T Bastard 16.2.2.2

          One rolling keygen. Costs about $5.

          Now, how hard is it to press a button and read the screen?

          Yes, some people will lose them but people lose their voting papers all the time as well.

          • McFlock 16.2.2.2.1

            So that’s an extra $10mil per election right there, as a minimum, plus the replacement cards and additional call centre workload.

            Where’s the saving? Or where’s the evidence it will increase voter turnout to compensate for the increased cost?

            • Draco T Bastard 16.2.2.2.1.1

              Per election? WTF are you smoking?

              You give them one when they register which they then use for every election there after. They’ll last at least 10 years.

              • McFlock

                bwahahahaha!!!

                So three elections, plus all the people who lose them in the three year intervals between when they’re anything other than useless.

                Oh, but wait, we can minimise costs by tacking other functions onto it, like drivers license, 18plus, yeah not too long until some smart tory turns it into a national compulsory ID card while they outsource the electoral commission to a ppp that their mates have financial interest in. Congratulations.

                • Draco T Bastard

                  Well, I’d tie it to the RealMe identity, nationalise that service and make it so that it couldn’t be outsourced. In fact, Labour already did that to a degree with their legislation preventing selling off of strategic land. Just need to extend that to all government services.

                  But, hey, that too is part and parcel of the ‘not doing anything stupid’.

    • aerobubble 16.3

      How about continuious voting? Not postal, not web, but a booth in a shop, gas station where voter could go anytime during workinghouse. Place their card in the machine, be shown a readout ofhe current votes, then change theirs, see the numbers change. Then the card is written with their vote for the purpose of authentificstion, since the booth and card number and daily/weekly changes. If enough people vote in a booth, then together the anomalies would be proof of voter fraud if the numbers were wrong Every three years count, or if MP numbers so lowhave byelection cou t of current stats..

      • aerobubble 16.3.1

        oH a let a older person be responsble for a couple of extra dollars of pension. Make sure the system was work, clean, etc.

  16. Infused 17

    Funny you say that as some professional who runs this site from home on a ufb connection and continues to have tons of issues with it.

    Your argument is pure crap. Every system will have floors. Multi attempt lock you out. Vans? Block international access. Logins use a salt of or dobt + address. It’s not hard at all.

    • Infused 17.1

      mobile phone. vans = vpns.

      To add to that: your rant is very typical of all people pushing 60 seem to make. ‘oh no, dem clouds!’

      I get the previous owners electoral papers every year. Nothing stopping me going around and pulling papers out of peoples letterbox either. Far easier than any ‘hacking’.

      personally, I couldn’t be fucked going to the post these for the council elections.

  17. Siobhan 18

    An interesting link for those concerned about security, and whether e voting increases participation – which it didn’t, but that may be a situation that changes over time.

    https://cyber.harvard.edu/sites/cyber.law.harvard.edu/files/Gerlach-Gasser_SwissCases_Evoting.pdf

  18. ropata 19

    Famous twitter account @SwiftOnSecurity posted some relevant stuff today

    A journalist asked for some thoughts on computer security, but didn't use them. I'm too lazy to edit it, so whatever here they are pic.twitter.com/wW1nFlaEdn— SwiftOnSecurity (@SwiftOnSecurity) October 10, 2016

    PART 2 of why electronic security is different: The Data pic.twitter.com/d5fve8XTSj— SwiftOnSecurity (@SwiftOnSecurity) October 10, 2016

    Nutshell version:
    1. all that is needed to penetrate a ‘secure’ system online are time, intellect, and teraflops. there are thousands of bad actors online with all 3
    2. analogies with physical security ie. locked doors are rubbish

Recent Comments

Recent Posts

  • Compliance strengthened for property speculation
    Inland Revenue is to gain greater oversight of land transfer information to ensure those buying and selling properties are complying with tax rules on property speculation. Cabinet has agreed to implement recommendation 99 of the Tax Working Group’s (TWG) final ...
    2 days ago
  • Plan to expand protection for Maui and Hector’s dolphins
    The Government is taking action to expand and strengthen the protection for Māui and Hector’s dolphins with an updated plan to deal with threats to these native marine mammals. Minister of Conservation Eugenie Sage and Minister of Fisheries Stuart Nash ...
    2 days ago
  • Cameras on vessels to ensure sustainable fisheries
    Commercial fishing vessels at greatest risk of encountering the rare Māui dolphin will be required to operate with on-board cameras from 1 November, as the next step to strengthen our fisheries management system. Prime Minister Jacinda Ardern and Fisheries Minister ...
    2 weeks ago
  • Greatest number of new Police in a single year
    A new record for the number of Police officers deployed to the regions in a single year has been created with the graduation today of Recruit Wing 326. Police Minister Stuart Nash says the graduation of 78 new constables means ...
    2 weeks ago
  • Ensuring multinationals pay their fair share of tax
    New Zealand is pushing on with efforts to ensure multinational companies pay their fair share of tax, with the release of proposed options for a digital services tax (DST). In February Cabinet agreed to consult the public on the problem ...
    2 weeks ago