Electoral System Reform Policy discussion


#21

Depends on the implementation. Trust does not need to be placed on the mystic “block chain” to do its job; when the data is open and verifiable, it is a mathematical certainty.

Here is an example implementation I’ve been thinking about

  • Voter checks in to get their name marked off the roll and is given a random access code (anonymises the vote)
  • Electronic voting machine collects the vote and displays it on screen, sends to the block chain.
  • Receipt of their entry is printed directly from the block chain to the voter, the voter can check it and compare to the screen, and then they retain it or give it to their scrutineer of choice (physically confirms the machine has recorded the vote correctly)
  • The entire block chain database is made available for 3rd party scrutiny, voters can then give their receipt info to the independent scrutineer they trust (i.e. via the official LNP app) for cross check with the block chain (to prove the vote has not been tampered with after collection)
  • Obviously not everyone is going to submit their vote to scrutiny, but it just takes one wrong entry to call the entire block chain into question.
  • Before the chain is closed off, a final entry should be made to the Block Chain which is verified by all scrutineers (paper copy too).

As it is now the only option is to ‘trust’ the count with no way to actually verify.

With a block chain, you can literally recount the entire election yourself. Any tampering would be easy to detect because all the paper copies after the change won’t match the block chain anymore if even a single bit has been changed.

The AEC is already using computer counting behind closed doors without its accuracy being verified. You can’t fight vote technology, it’s already here, might as well make it accountable.

Using technology which increases count speed is more than just knowing the outcome sooner, it paves the way for more complicated algorithms which are not easy to count by hand, and access to see every single vote cast is good data to do some modelling off

Imagine if you had a copy of every single vote made, you could run a simulation of every single voting algorithm to see the result.


#22

Requires the software in the voting machine to be verified as both secure and doing what it’s supposed to be doing. Also requires the voters to trust the verification, and for the voters to trust that that is the software that’s actually running on the machine.

The only reason you can’t do that now is because instant runoff ballots aren’t ever digitised. STV ones typically are due to the counting being so complicated, and you can recalculate elections on that data. I’ve even done so myself.

Not actually an issue. There are voting systems that are fair, quick and easy to count, at least when parties dominate everything like all state/federal elections barring Tas Legislative Council. We just don’t use those systems.

Not actually viable, much to my annoyance. Different voting systems need different sorts of information to calculate, and that doesn’t always transfer over well if you want to redo something in another system.


(Alex Jago) #23

Ahh, today is @Simon’s lucky 10000 day to learn about cardinal voting systems — and of course the input to those can’t necessarily be determined from an ordinal ballot.


#24

It would certainly be “nice” to have the software/hardware stack 100% verified but the truth is that you could run it off a malware-infested Windows XP PC and the worst which could be done is invalidate the vote. Any attempt to change the actual voting data and pass it off as legit would be futile (so hopefully nobody tries). The biggest threat is sabotage, that’s the only reason why security is necessary.

The analogy would be like having someone compromise a ballot box, but instead of them being able to actually change anything, they could only destroy the box or some of the votes inside, and it would be extremely noticeable.

  • Any discrepancies in what the voter actually selects would be picked up right away on the print out
  • Even if the printout has been faked, if the voter then submits their receipt to a scrutineer, it would be plain to see that the receipt is fraudulent because none of the crypto information on the receipt would be valid.

Worst case scenarios:

  • Machine is not printing out user selections
    • Discrepancy picked up by the voter and reported to AEC staff on the spot. You can see that the screen and print out don’t match. Same procedures if someone was physically messing with a ballot box.
  • Printer compromised to print out what the voter actually put even though another vote was recorded
    • Discrepancy picked up by Scrutineers when the voter reports in their vote and the cryptographic hashes on the receipt don’t match what’s actually in the block chain.
    • Currently this defense (actually check with the voter what they really voted for) isn’t even available in paper based systems. Who’s to know if the box wasn’t stuffed when no one was looking?
  • Someone makes a fake receipt to call the block chain they are on into doubt.
    • There would be other paper trails, other voters coming forward, and even a level of physical security (eg: security features on the paper it’s printed on) to confirm the validity of the claim. If proven, that block chain is invalid, possibly needing a re-vote done for that polling place/electorate.
  • Russian government invents a quantum computer which is at least 1 trillion times more powerful than Albert Einstein’s brain. It can solve any big data mathematical problem you throw at it and brute force it to get the results in seconds. It can mine a billion bitcoins in seconds, smash the record for prime in a nanosecond, cure cancer and find SETI.
  • Even if there was a way to change the data on the block chain (hash collision attack), discrepancies would be discovered when voters check their votes with the scrutineers version because those in the changed area have paper proof of their vote. Their crypto data would be wrong even if the crypto data outside the changed area is valid. That’s if it even gets that far because the whole block chain can be verified from a paper record and 3rd party scrutiny which keeps a running total before that could even happen (as unlikely as it is anyway)

The only level of trust involved is on the Scrutineer… surely they would trust the political party they go for? Or even 3rd party scrutineers unaffiliated with a party, or even publish the data as a whole on the web and they can check it for themselves. It doesn’t matter about trust if it is a mathematical truth.

I believe that they count a certain amount until a result is known and then don’t worry about the rest. Or maybe they OCR the rest for data purposes these days. Still, counters make mistakes, it’s quite an error-prone process because of the big human element.

Well that’s why we don’t use these systems, because favouring major political parties makes it easier to count. Imagine if everyone voted differently and below the line, it would be a nightmare to count. If the counting process wasn’t a factor, then you don’t need to limit yourself to systems which need simplicity for counting in your Policy. Sure you could still do so, but you have more options. It is favourable to Pirate Party and other minor parties to have voting systems which give smaller players a fairer chance because the voting system hasn’t been gimped to make it easier to count.

Below the line is hard on purpose because they want you to do it above the line so they can count it easier.

Electronic Input makes Below the Line easier to use.

Fair enough, I exaggerated on that. Not ALL Systems. But Many. And it would still be useful to play around with (i.e. instead of putting preferences 1,2,3 who are all under the same party, you could treat them as equal 1,1,1 and feed it into your algorithm that way) or cross check with demographics of the area and electoral boundaries.


(Andrew Downing) #25

By the same virtue, anybody that wants to can coerce you into revealing your vote and/or making a particular vote that they can force you to verify for them. This is a really bad feature. It could also be used to sell your vote.


(Andrew Downing) #26

So then when you don’t like the result of an election, you organise a bunch of people in various electorates to front up with fake bits of paper, to claim that “look, my vote wasn’t registered on the block chain, or was incorrect”. You can invalidate entire elections with minor effort.


#27

You’re missing the disconnect between what the voter sees and what the voting software/machine actually does. No way to verify that, and after it’s done all you have is anonymised data. You’re also thinking waaaaay too small. Think state actor level, and remember that most personal computers and all mobile phones are completely untrustworthy right down to the hardware when you’re playing that game.

Worst case scenario:

  • Machines/software is compromised across the country, placing the outcome of the election entirely in the hands of an unidentified third party. The results are still thought to be legitimate because the crypto wasn’t tampered with.

That voting receipt you mention has the problem of not being anonymous if it’s used as you describe. To maintain anonymity it would have to be put in a secure box after the voter checked that it displayed the right vote. Then scrutineers would have to go through each receipt after everyone has voted, double checking everything to ensure the hashes match the votes. At which point all the electronics haven’t achieved anything.

I think I’m talking myself into avoiding blockchain voting even for citizens initiative referenda and the like. Hmmm.

They count everything and they scan everything to double check it. They certainly aren’t scanning stuff for data purposes, since they would be doing it for instant runoff too in that case. The nature of STV makes it necessary to count nearly all votes to get an accurate result beyond first preferences, especially for the last few seats.

By “parties dominate everything” I only mean that independent MPs are rare even though the systems don’t penalise them. Compare with Tas upper house or a lot of regional local councils. The systems favouring major parties is more to do with having multiple divisions/districts without taking parties into account at all.

The fair, quick, and easy to count systems I had in mind were Party List and Mixed Member Proportional, and neither of them favour the majors. :stuck_out_tongue: They’re designed to produce results with each party getting a share of seats directly proportional to the total number of people who voted for them.

Counting process complexity is always a factor because whether the general voting population understands the process is important.

But yes, if everyone voted below the line with the current ridiculous Senate ballot sizes it would be a nightmare. Which is why advocating changes that will lead to reasonable ballot sizes is another point I want to address with this policy. As far as I can tell the crap we have now is due to trying to make the Senate serve a purpose that it really isn’t structured to serve. The NSW upper house tablecloths are also influenced by a rather silly combination of regulations and state constitutional issues.


#28

I suppose that’s possible or you could pop it in the box of your most trusted scrutineer on your way out. Or swap it with someone else (or pick one from the inevitable litter outside) to prove to your master who you voted for.

I suppose it’s a personal civil question: do we all get the personal power to verify that our vote was counted, or do we give it up in case someone out there has a master demanding their receipts so are under duress? And if there are some coerced votes in that way, is it enough to swing an election? Wouldn’t they already be under immense psychological control to vote a particular way anyway than to take a risk over just one vote?

I could concede this point in my example, I could imagine LNP giving out a free sausage or $5 cash to anyone with a receipt showing that they voted for them or some other dodgy bribery shit. Better to hand your receipt to a scrutineer you trust on the way out.

Yes, absolutely. When you’re given a random access code to cast your vote, that’s as good as cash. Up to the staff to be vigilant about the same person collecting access codes and entering multiple votes, and people leaving with unspent access codes. Still, if you give your access code to someone else you’d probably want them to decide how you vote. No different to letting someone else fill in your postal vote or following a how to vote card

There would need to be an investigation, there would be other data points to build off. Let’s say that the attack is sophisticated enough (defeats all the security features - including the paper trail left at the polling place itself), and that polling place could be significant enough to change the outcome of the vote, then there would need to be a revote. Same as a box being tampered with.

I would go for at least one block chain per polling place, so just everyone who was marked off the roll in that place needs to revote.


(Frew) #29

When designing voting systems, best practice is to think of the worst case scenarios, like rampant corruption, stand-over men, attempts to control the outcome through violence. Just because society is stable now, doesn’t mean it will be in 20 years. @AndrewDowning’s concerns around interference are legitimate and exactly why I think blockchain voting is a bad idea.

If someone threatens your loved ones for your vote, it isn’t like you would ‘want’ them to decide your vote, but would have no choice. Systems have to be designed for worst case scenarios. Would it work in an unstable democracy? If not, it shouldn’t be used here. Have a look at Kenya’s recent election and the troubles that have plagued the results. Any system we advocate for has to be secure, anonymous and scrutinisable.

Kenya might be an extreme example, but not that far removed from reality. I’m from Wollongong and the corruption in both local politics and state politicians from the area is endemic. I wouldn’t put actual vote buying past the ALP in Wollongong, they have certainly engaged in multiple voting, ballot stuffing, bribery and standover tactics to compete in elections. If the system isn’t designed to protect the anonymity of how people vote, it is a bad idea.

If the majority of people don’t trust blockchain technology (and they don’t right now) it is a terrible idea.

Don’t get me wrong, I like where you are going with this policy, it was a criticism of using blockchain technology, nothing more. A better voting system would be great. People trust the current system more than the blockchain, however after the WA Senate election bungle, the trust in Senate elections has clearly been called into question.


(Kaz) #30

I’m interested in that @jedb
I’d be interested to see multi-member electorates get added to the Pirate Party platform.

When’s the next time we can have an online discussion about this?


#31

I agree 100%.

With my example it was just an example of how block chain could work securely. It is anonymous because being marked off the roll to get your random access code anonymises it, that access code becomes part of the permanent record, not your ID. It is analogous to existing attacks on the voting system where people use other people’s names to go around to different booths. I could go down the path of requiring ID before anonymisation but that is a broad issue, not to do with block chain.

You seem to be placing a lot of emphasis on block chain. Block chain is just one piece of the puzzle, mainly to do with the back end. Like if you change email servers but the client stays the same, who notices? AEC is already using proprietary OCR and nobody cares because people don’t see or care about back ends.

At least it would be a huge improvement to the current OCR backend being used.

You could analogue it to the current physical processes very easily. You could even run dual systems as a trial run (but then if block chain is a success Government would want a full switch to save money).

Is it because you don’t understand how the technology works which makes you skeptical?

You know what cryptographic hashes or checksums are, right?

In a paper world it would be like taking a ballot paper and putting its preferences plus the checksum of the previous ballot paper together to make a new checksum written on the bottom of the page, then the next ballot does the same thing and that forms a chain. Each vote needs the previous vote before it to be the same for its own checksum to stay the same. If you remove a vote or change a vote the checksum changes and causes a knock-on effect on all subsequent votes in the chain. But that is extremely impractical to compute by hand.

There are lots of ways it could be tweaked to prevent standover tactics (i.e. receipt handling), but from a technology standpoint, the block chain itself is sound.
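
The checksum chain described in the post above, written out as a short Python sketch; this is an added example, not code from the thread or from any AEC system. SHA-256, the entry layout, the function names and the sample ballots are all assumptions. It also covers the case where every checksum after an edit has been recomputed, so the chain is internally consistent and only voters' receipts and the scrutineers' recorded final entry show the change.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting checksum for an empty chain


def checksum(prev_hash, access_code, preferences):
    """Checksum of one ballot: its contents plus the previous ballot's checksum."""
    body = json.dumps([prev_hash, access_code, preferences], separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()


def append_ballot(chain, access_code, preferences):
    """Add a ballot to the chain and return the voter's receipt."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"code": access_code, "prefs": list(preferences),
             "hash": checksum(prev_hash, access_code, list(preferences))}
    chain.append(entry)
    return {"index": len(chain) - 1, "hash": entry["hash"]}


def first_broken_link(chain):
    """Recompute every checksum; return the index of the first mismatch, or None."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if checksum(prev_hash, entry["code"], entry["prefs"]) != entry["hash"]:
            return i
        prev_hash = entry["hash"]
    return None


def receipt_matches(chain, receipt):
    """Scrutineer check: does the published chain hold this receipt's checksum?"""
    i = receipt["index"]
    return 0 <= i < len(chain) and chain[i]["hash"] == receipt["hash"]


def rebuild_hashes(chain, start):
    """Model a database whose checksums were recomputed from `start` onwards."""
    prev_hash = chain[start - 1]["hash"] if start else GENESIS
    for entry in chain[start:]:
        entry["hash"] = checksum(prev_hash, entry["code"], entry["prefs"])
        prev_hash = entry["hash"]


def demo():
    # Constructed sample ballots: (random access code, preference order).
    ballots = [("K7QF", ["C", "A", "B"]), ("M2XD", ["A", "B", "C"]),
               ("T9LP", ["B", "C", "A"]), ("R4WZ", ["A", "C", "B"])]
    chain, receipts = [], []
    for code, prefs in ballots:
        receipts.append(append_ballot(chain, code, prefs))
    signed_head = chain[-1]["hash"]  # final entry the scrutineers keep on paper
    clean = first_broken_link(chain)
    chain[1]["prefs"] = ["C", "B", "A"]   # one stored ballot is edited
    edited = first_broken_link(chain)     # chain check flags the edited entry
    rebuild_hashes(chain, 1)              # checksums recomputed after the edit
    rehashed = first_broken_link(chain)   # chain check alone now passes
    stale = [r["index"] for r in receipts if not receipt_matches(chain, r)]
    return clean, edited, rehashed, stale, chain[-1]["hash"] == signed_head


if __name__ == "__main__":
    print(demo())
```

The receipts for the edited ballot and every ballot after it stop matching, which is the knock-on effect the post describes, and the recorded final entry no longer equals the head of the chain.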


(Frew) #32

Yes and yes.

It isn’t about me, it is about every voter in Australia. How many do understand cryptocurrencies? How many understand cryptography? If they don’t understand it, and the vast majority don’t, why would they trust it? Why would they trust any form of online voting? Let me quote myself from earlier.


#33

And how many understand OCR?

I see your point where climate science, NBN technology, evolution & science is denied despite overwhelming evidence because it goes against high up interests while those who don’t understand blindly believe their masters.

Education is a factor.

But the science can’t be ignored just because it’s new and cutting edge. We don’t cater to that market.

My suggestion is not to make the change too radical, i.e. if the technology overcomes barriers which could give disadvantage to the major two parties, they will never back it.

Changing the actual system is a bigger barrier than technology because most Australians trust the current method and accept the two party preferred status quo. You might as well shut this whole working group down if you’re scared about broad acceptance. Or you could ignore that and make something special here


(Mark) #34

Remember when the CEO of Diebold (who make voting machines) lobbied the Republican party for the contract to install their voting machines in Ohio so they could “help Ohio deliver its electoral votes to the President”…?

If a change would make the electoral system harder for a non-technical person to understand, I oppose it. If change carries any kind of risk of introducing a technical vulnerability, I oppose it. Trust and transparency are the priceless commodities in an electoral system. Technical efficiency matters barely at all.


#35

Speaking as just a programmer, there are still big differences in the difficulty of infosec and physical security that can’t be worked around at the moment or in the foreseeable future. Even with recent advances in cryptography. I’m not ignoring the math, I’m arguing that electronic/online stuff isn’t the best tool for the job when it comes to national elections.

There are several factors involved in that:

  • Dissatisfaction with the two majors is very high, with over 20% of voters giving first preference to absolutely anyone else for the House of Representatives in 2016.
  • There have been several recent results that show the major flaws of the current systems, eg Queensland 2012.
  • Some of the flaws are just plain obvious every election, eg the ridiculous upper house ballot sizes in some States.
  • Polarisation actually works in favour of change, because while a two party system continues the horrible nasty opposition (insert LNP or Labor as appropriate) is guaranteed to get into power again in 2-3 terms on average.
  • Calling for change straight up is already off the table because it would be opposed as an attempt to tilt the system in our favour somehow. This is one of the reasons it’s all about getting a Royal Commission on the problem then submitting our views for consideration.

#36

Personally I’m on IRC a large portion of most days. But regular once-a-month meeting times still haven’t been determined for this group. I’m not really the best person to decide that, since my schedule is extremely flexible.

Suggestions, anyone? Preferably from someone involved who has a lot of other commitments taking up their time.


(Alex Jago) #37

On vote-buying/coercing, that’s possible now in the Senate.

The AEC publishes all ballot preference orders and even the polling place they came from.

So an attacker simply needs to instruct their pawns to vote BTL with some weird and likely-to-be unique ordering of candidates, perhaps the ungrouped candidates. In QLD last year we had 19 such, which gives about 100 quadrillion possible orderings, easily enough to uniquely identify a ballot.

Actually, the attack is also possible above the line, and the ballot paper could even look reasonably normal. major, {5 minors in set order}, other major, {another 5 minors in set order} gives at least 14400 possible orderings; much more if which minor parties are used varies. That’s enough for most polling booths, and with a selection of minor parties, enough for postals.


(Kaz) #38

There should be a policy discussion room, separate from the official PDC room, where people can spitball ideas and talk about them.


#39

True enough, I suppose. There’s already been a lot more discussion on this topic than I was expecting, even if a lot of it has been about electronic voting. Haven’t even finished organising my own notes yet.


(Kaz) #40

I meant, in general. Spawning a new room for every discussion seems a bit excessive, doesn’t it?