Allan Friedman November 16, 2006 7:33 AM

The only mention of the importance of a secret ballot is

“To prevent coercion or intimidation, for example, voters could be allowed to vote as many times as they want, with only the last vote counting.”

This seems like a poor solution to a very important problem.

Clive Robinson November 16, 2006 7:35 AM

The main point the artical raises is that computers and their OS’s are not secure enough for voting…

Funny I thought from what I had read your average PC was more secure than a Diebold voting machine.

Rod Hilton November 16, 2006 8:15 AM


Do you believe it would be possible for a fully electronic voting system to exist that would be secure and would ensure every vote was counted, or is it a complete impossibility? This specific idea may be bad, but could there exist a good one?

Something involving placing a vote online, and being given some kind of token value that represents your vote. Then maybe when it was election time, everyone can view the entire list of votes for every person/measure, and ensure that their token is on the correct list.

Could something be done to make a system like this tolerable, or perhaps even better than pure paper?

Banks know to the penny exactly how much money is transferred around daily. Why can’t we get it right?

Unix Ronin November 16, 2006 8:21 AM

“General purpose PCs are inherently insecure and vulnerable to viruses and other attacks…”

No, they’re not. Now, general purpose PCs running Microsoft Windows, on the other hand……

forReal November 16, 2006 8:27 AM

Before the recent election, a friend told me that they had already voted by early voting. I mentioned that I considered that not voting, because often such ballots are never counted. The response was, “Well I did my duty and I got my ‘I voted’ sticker and that’s all I care about!”
In as much as voting is a ritual duty that shows you are a “good citizen” living in a “democracy” but you are too “polite” to make a fuss about getting your vote counting. Who cares what system is used and how it can be manipulated.
For all the good that Bruce does, the political, in-the-streets fight about the results of the last election in Mexico (which is NOT covered by the press in general) is far more important to maintaining an actual democracy in this country and the world than any particular computer system.
If you won’t fight for it, it’s all hot air.

Roxanne November 16, 2006 8:43 AM

I vote from my TiVO every day. Of course, I’m just voting on which shows I want them to keep showing, not on anything critical to world peace and survival of the human species or anything like that.

People keep bringing up how many more votes American Idol contestants receive than, say, political nominees. The thing they gloss over is that any given person votes maybe fifty times for their AI fave … something we wouldn’t really want in a political election. Similarly, my TiVO records not only my votes, but those of my husband and children. If we restricted our voting to One TiVO, One Vote, someone wouldn’t get to vote.

I meant to comment on the Oregon voting scheme. I suspect that many spouses are being dis-enfranchised through this process. There is this theory that a given person will fill out his or her mail-in ballot in private, but in practice, in abusive relationships, the abused often doesn’t get that option. The abuser fills out the ballot and makes the abused sign the envelope. Under the current system, each person has to go to the polling station and fill out their own ballot in a neutral voting booth. No one, especially the abusive spouse, knows how the individual truly voted. At Home voting systems eliminate this societal protection.

Someone had a quote from a South Dakota poll, “My husband hasn’t decided how we’re going to vote yet.” Scary stuff, kids. Disenfranchisement begins at home, apparently.

Rich November 16, 2006 8:56 AM


As soon as the margin of victory + margin of error exceeds the number of remaining uncounted votes, there is no need to count more votes. It doesn’t matter if my particular vote was looked at or not.

If you think a ‘non-counted absentee vote’ isn’t a ‘real’ vote, then any vote in any election with a margin of victory > 1 isn’t a ‘real’ vote. The outcome would have been the same with or without that particular vote.

RSaunders November 16, 2006 9:03 AM

What would this cost? There are 100,000,000 households in America. If the box cost $20, in huge volume, that’s $2B. It seems vastly cheaper to pay the local County government to throw out their current Diebold junk and buy purpose- built, open- source, machines with voter verified paper audit trails. The other ideas, like early voting, are just cost saving approaches so you don’t have to buy as many machines.

alfora November 16, 2006 9:07 AM

What I really don’t get about all those electronic voting machines is, what problem do you want to solve with them? Is it the speed? Is it more convenient to press a button or screen instead of using a pen and crossmarking a box? Do you ask too much in one election?

In Europe there are about 342 Mio people who are eligible to vote which is, to my knowledge, much more than the number of registered voters in the USA. It is absolutely no problem to get the results of the elections of the EU parliament on the same day. So speed is obviously no problem without voting machines.

It is also no problem to check that every vote was really counted. Every voter is registered at the polling station so that nobody can vote more than once. The number of voters at any one polling station must match the number of ballots in the box. There is no way that you can lose 18.000 votes in one district!

So what’s wrong with paper ballots? Even if you vote for 10 different things in one election it doesn’t matter. Simply use one sheet of paper with a different colour or pattern for every vote and put everything in one envelope.

Remember, you vote for very important things that are significant for the next years or tens of years! And only because you want to see the results in the evening news you might want to use voting machines?

Mike Sherwood November 16, 2006 9:16 AM


By voting in person, it only prevents the abuser from verifying the vote. If the abuser is that concerned about how the abusee is voting, they are likely to ask. How likely is it that someone in a sustained abusive relationship is going to be a good enough liar to get away with it? Suspicion alone is reason enough to blow up over something else. The ballot by mail allows the abusee to get brownie points for showing ‘voluntary’ compliance with the abuser.

I prefer to vote by mail for exactly the opposite reason. I ask for my wife’s input while I’m filling out the ballot because there are many cases where I’m only 51% inclined towards a candidate or proposition and can be easily swayed by someone more interested and more knowledgeable about the issue.

There is no way to prevent someone from voting carelessly. Whether they vote for what their spouse or employer tells them, or vote along a particular party line, the person has effectively delegated their vote to someone else.

The problem with representative government is the choices in representatives. There are a lot of single issue voters because there is no way to delegate support for certain topics to specific people. For example, you can’t say you want Bruce as your representative on anything related to the TSA, but you don’t support his views on gun control. Representatives are a package and you have to choose which parts are more important to you. However, we’re frequently given no choice to vote against things like TSA stupidity because few people want to risk losing an election by promoting realistic views that will be spun by the opponent as being weak on terrorism.

wm November 16, 2006 9:56 AM

@Mike Sherwood: “I prefer to vote by mail for exactly the opposite reason. I ask for my wife’s input while I’m filling out the ballot”

However, you don’t require mail-in voting to do this. If mail-in voting was prohibited, you could just ask her for her views before going to the polling station. You presumably get told in advance what you’ll be voting on, after all!

I don’t see this as a strong argument for allowing mail-in voting, whereas I do regard the potential for voter coercion as a strong argument against it.

bob November 16, 2006 10:01 AM

As long as we are redesigning the entire process, lets take advantage of the electronics systems’ speed and flexibility to develop a voting/legislative system that has the legislature develop and propose legislation but actually have the citizenry (registered voters) vote yes/no on each one. Then we can get the exact package we want and not have to put up with “I like him/her for this and that but disagree with THAT”.

Joe November 16, 2006 10:11 AM

This whole thing is comical but scary. People are lazy and they are getting more lazy. How hard is it to fill in a little box with a pencil or pen. When i was in college there was a study if taking a computerized test over a Scantron test was 1. Faster 2. More accurate 3. Easier It was found out that paper tests were faster, more accurate, and easier. More people scored higher on paper tests then computerized. WHY? because we can SEE the results, they are tangible. After you answer a question on a computer it disappears and on to the next. Paper you can easily go back and review. Voting isn’t any different. You fill in the little box and there it is, your votes, you can confirm the votes and there is a hard copy for a recount. Why make this harder than it is, its not rocket science (although it seems to be)?

If you want “real time” results, connect all voting machines (not DRMs) to a single collection device. This device as well as the voting machines are not connected to anything else, they are a standalone system. Now setup a networked machine that videos the tally and converts that feed to text. Now you have an air gap and the official machines cannot be tampered with remotely.

John Davies November 16, 2006 10:29 AM

“What I really don’t get about all those electronic voting machines is, what problem do you want to solve with them?”

A very good question and one I’d like the answer to as well! What’s wrong with a ballot paper and putting a cross in the box?

Clive Robinson November 16, 2006 11:48 AM

@Allan Friedman

“To prevent coercion or intimidation, for example, voters could be allowed to vote as many times as they want, with only the last vote counting.”

Actually it’s possibly the best answer to the problem of coersion where you have someone looking over your shoulder etc. You vote the way they want and then you go somewhere else and do it again, to lodge your real vote. This was discused at Cambridge Labs some time ago when they changed their election process I just wish I could find the links.

The only down side with this is that you don’t know if anybody else can impersonate you and have the last vote instead of you. There have been sugestions as to how to deal with this but I have not seen enough details to comment.

Preston L. Bannister November 16, 2006 12:18 PM

For the service-folk overseas, this is not such a “dumb idea”. For contrast, just how secure do you think is the use of vote-by-mail “absentee” ballots?

Depends on the standard you are trying to hit.

jmr November 16, 2006 1:13 PM

The “only the last vote counts from your TiVo” model is broken in that it associates a vote with a person, thus breaking voter anonymity.

For that matter, so is vote-by-mail. Note that I’m not talking about the ability to know that a voter voted, but what the voter voted for. A vote-by-mail ballot clearly has the name of the voter and the ballot in the same envelope.

The only way I can think of to make this work is with a double-enveloping model, where envelopes containing names are opened, resulting in sealed envelopes containing ballots. The sealed envelopes are opened in a separate step from a randomized pile.

Still, there are disenfranchisement issues here, too. Simply by searching for voter information matching certain patterns and discarding them, one could affect the voting outcome based on other outside information. This process can be performed by, say, US Mail employees, the mail worker at the polling station, individual vote counters, etc.

These problems only get worse with “vote-at-home” systems, because there is not necessarily a way of having multiple observers handle each ballot.

quincunx November 16, 2006 1:50 PM

Here’s an even dumber idea: voting.

Why are you wasting time discussing idiotic mystic rituals?

You are essentially discussing the security of insecurity.

What is the most secure method of having politicians lie to me, steal my money, and in general lower my standard of living?

I would think more people would be concerned with removing the insecure element all together. Rather they appear to spend more time coming up with efficient methods for enlarging parasitic activity.

@ alfora

“Remember, you vote for very important things that are significant for the next years or tens of years!”

No, you are voting for a PERSON that may or may not keep his word. And even if this person does keep their word, any activity that they perfrom will benefit one group at the expense of another. There is no other way things get done in the political realm.

In the US your two options are b/w the Fascist Party (R), and the Communist Party (D).

The reason that people vote is that they are stuck with this ridiculous activity and must therefore try to be in the benefited group rather than the expropriated one.

If you are a union worker, you want the Communist Party to disemploy your competitors by raising the min wage.

If you are an investor, you want the Fascist Party to create a credit bubble by deficit spending so that you can get rich as long as you pinpoint the downturn correctly.

If you are an inefficient producer, you have to be very careful. The communist party will raise tariffs and restrict foreign trade, while the fascist party will do the same but will make exceptions for the biggest lobbyists.

As you can see, voting is the method by which some members of society gain parasitically at other’s expense. It is therefore antisocial, and insecure (to the bulk of the public that bears the expense). It is profoundly anti-human, and any talk of security must therefore seek a way to abolish the whole practice.

Anonymous November 16, 2006 1:59 PM

Electronic voting machines can provide access for the disabled, in ways that a paper ballot cannot. This of course requires them to be designed for specific disabilities, and they still should be producing a paper ballot in the end. Victorian elections (in Australia) are introducing such a scheme, though I have no doubt claims of “unhackable” are idiocy of the first order.

Chris E November 16, 2006 3:00 PM

jmr: The Oregon vote-by-mail system does use two envelopes. You are required to sign the outer envelope (and affix a stamp – yes people complain about it), then the inner one contains the actual ballot sheet. Both have tamper evident features built in, so while a person can’t easily change a mail in vote, they can damage it so the vote isn’t counted.

We also use “fill in the oval” type ballots rather than punch-outs or putting an X in a box. Not sure if that is better or worse, but I thought I’d mention it.

alfora November 16, 2006 3:24 PM

@quincunx: For what or for whom you vote depends on the election or referendum. You can vote for political parties, persons, laws, whatever.

But of course you are right that any result of the election or poll will have results that will benefit one (or more) group(s) at the expense of others.

Please note too, that there are other countries that have more than two political parties and don’t use a majority voting system. Much of the rest of your statement might not apply.

@Anonymous: You still don’t need electronic voting machines in order to let blind people vote. Simply use a stencil with braille labels that overlays the paper ballot. That’s it.

jmr November 16, 2006 7:02 PM

@Chris E: Thanks for the information! I’m glad to hear that people in Oregon actually spent time thinking about election security.

That method of preserving anonymity still doesn’t prevent certain disenfranchisement attacks, such as those we both described, but it does retain voter anonymity. I wonder if there is a way to prevent disenfranchisement attacks using a third envelope with no personal information on it?

The first envelope contains the second envelope. The voter registration would be verified using the information printed by the voter on the second envelope. The second envelope would contain the third envelope. The third envelopes are all blank, and should be thrown into a random pile prior to counting. The third envelope contains the ballot.

The process of opening the envelopes and counting ballots would be done in the presence of observers just like ballot counting would be done today. I think this process preserves voter anonymity and prevents certain local disenfranchisement attacks. It does not prevent more global attacks, such as an attack eliminating all the ballots from a locale’s post office where it is projected that a particular candidate will carry that locale, but not all locales.

There may be a way to protect against such attacks by having the voter retain a record of the existence of the ballot, such as a difficult-to-forge coupon that is detached from the second envelope that can be correlated with the second envelope. The provable fact of a large number of people posessing tickets for uncounted ballots may indicate that election fraud had taken place. One must be careful, in this case, of a person who merely neglected to cast their ballot claiming election fraud.

jmr November 16, 2006 7:06 PM

I forgot to mention that the first envelope would only have printed on it the address of the election official.

Additionally, ballots should be cast in an anonymous fashion in a public place, such as a public mailbox, rather than picked up from the sender’s mailbox, for additional security. This may be optional.

security November 17, 2006 12:31 AM

//// ‘Elections are a snapshot in time — election day — and a revote will not reflect that.’

There is a difference between a Snapshot in time, and a VALID snapshot in time — if significant errors exists.

And if a candidate was wrongfully deprived on a victory, the effects of those voting errors will continue for years.

Tarkeel November 17, 2006 1:44 AM

@quincunx: I’d just want to point out that from the point-of-view of most europeans, the US has the choice of the facist and the slightly-less-facist parties.

If you really want to make a difference to the system, voting alone is not enough, you have to become an activist. In a winner-takes-it-all system such as is employed in the US and UK makes it extremely hard for a third or fourth party to get much influence.

Clive Robinson November 17, 2006 3:57 AM


“There may be a way to protect against such attacks by having the voter retain a record of the existence of the ballot, such as a difficult-to-forge coupon that is detached from the second envelope that can be correlated with the second envelope”

It appeares there is a very easy and relativly low cost way of making a sheet of paper virtualy unforgable (yup I am still just a little sceptical but read on 😉

Proff Russell Cowburn of Imperial College London normaly does research into nanotechnology engineering, where one of the biggest problems in engineering terms is repeatable replication. That is it is almost impossible on the nano scale to make two identical objects.

Conversly it is fairly easy to scan two similar objects say nano scale microchips with a laser and get a very acurate reading of the errors / differences…

Apparently he had a problem one day in the lab, apparently a chip that he was measuring fell off it’s backing support that had a paper surface. He then noticed that the signal from the paper had “all the right charecteristics for a security device” (pinch of salt time 😉

The upshot is that if you think about how paper is made (celulose fibers in suspention deposit randomly onto a screen which is then roller pressed to remove the water and dried). The random criss crossing of the fibers is what gives paper it’s strength, as the fiber surfaces are (sort of) furry they lock together when dry with a more than velcro like strength, that requires destruction of the paper’s surface to erase the resulting patern.

However the resulting surface when magnified a hundred times or so looks as close to real random as you are likley to have around your house (apart from the childrens toys on the floor, or the tools in your box 😉

Any way he has carried out further work on other common surfaces and found that they likewise produce these sorts of signitures.

The idea is however not new. If you remember back to the post cold war days and weapons verification there was a proposel that wepons had unique unforgable tamper evident serial numbers that could be checked not just localy but remotly as well to stop proliferation.

I came across one system for doing this when doing some research on subliminal / side channels that resulted from the failings of other active systems (I remember it because it had the “hey neat” factor and I had thought up another use for it but that as they say is a story for another day).

As I remember it the idea was to grind a 6×4 area down to the bare metal, acid etch to reveal metal crystal structure, bash/ grind in a serial number with number dies etc, and then put on a reasonably thick layer of opticaly clear epoxy with a very small percentage of choped fiber glass strands added. When dry the whole image was then recorded / encoded, the base metal surface crystals/scratches, the serial number and the random patern of the chopped fiber strands. It was supposed to make the “unforgable / untamperable security ID tag” required for verification at low cost. It was read by a laser scanner, and a variation of the idea was supposed to be readable at quite a distance.

So the idea has a history of research, my scepticism however is not about the idea (thats sound). But the reliability using porus substances like paper which is going to be handeled by humans. We all sweat which contains disolved salts etc which crystalize out into things like paper (hey that’s why 90% of U.S. currency is supposed to have traces of cocain and other drugs in it).

Also sealing things against vapour ingrese is also a very difficult job, who has the “fading CD’s” made by Phillips where the silver layer used is turning a nice gold colour and are now unusable after a couple of years not the 50-100 touted for CD’s.

Therefore how much “human handeling” will the Prof’s system put up with before it becomes unreadable/usable. The devil is always in the practical details of these sorts of systems 😉

Prof. Cowburn has set up a company to exploit the idea, read more at,

yRFID November 19, 2006 3:14 AM

It appeares there is a very easy and relativly low cost way of making a sheet of paper virtualy unforgable (yup I am still just a little sceptical but read on 😉

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.