Securing Elections

Elections serve two purposes. The first, and obvious, purpose is to accurately choose the winner. But the second is equally important: to convince the loser. To the extent that an election system is not transparently and auditably accurate, it fails in that second purpose. Our election systems are failing, and we need to fix them.

Today, we conduct our elections on computers. Our registration lists are in computer databases. We vote on computerized voting machines. And our tabulation and reporting is done on computers. We do this for a lot of good reasons, but a side effect is that elections now have all the insecurities inherent in computers. The only way to reliably protect elections from both malice and accident is to use something that is not hackable or unreliable at scale; the best way to do that is to back up as much of the system as possible with paper.

Recently, there have been two graphic demonstrations of how bad our computerized voting system is. In 2007, the states of California and Ohio conducted audits of their electronic voting machines. Expert review teams found exploitable vulnerabilities in almost every component they examined. The researchers were able to undetectably alter vote tallies, erase audit logs, and load malware on to the systems. Some of their attacks could be implemented by a single individual with no greater access than a normal poll worker; others could be done remotely.

Last year, the Defcon hackers’ conference sponsored a Voting Village. Organizers collected 25 pieces of voting equipment, including voting machines and electronic poll books. By the end of the weekend, conference attendees had found ways to compromise every piece of test equipment: to load malicious software, compromise vote tallies and audit logs, or cause equipment to fail.

It’s important to understand that these were not well-funded nation-state attackers. These were not even academics who had been studying the problem for weeks. These were bored hackers, with no experience with voting machines, playing around between parties one weekend.

It shouldn’t be any surprise that voting equipment, including voting machines, voter registration databases, and vote tabulation systems, are that hackable. They’re computers—often ancient computers running operating systems no longer supported by the manufacturers—and they don’t have any magical security technology that the rest of the industry isn’t privy to. If anything, they’re less secure than the computers we generally use, because their manufacturers hide any flaws behind the proprietary nature of their equipment.

We’re not just worried about altering the vote. Sometimes causing widespread failures, or even just sowing mistrust in the system, is enough. And an election whose results are not trusted or believed is a failed election.

Voting systems have another requirement that makes security even harder to achieve: the requirement for a secret ballot. Because we have to securely separate the election-roll system that determines who can vote from the system that collects and tabulates the votes, we can’t use the security systems available to banking and other high-value applications.

We can securely bank online, but can’t securely vote online. If we could do away with anonymity—if everyone could check that their vote was counted correctly—then it would be easy to secure the vote. But that would lead to other problems. Before the US had the secret ballot, voter coercion and vote-buying were widespread.

We can’t, so we need to accept that our voting systems are insecure. We need an election system that is resilient to the threats. And for many parts of the system, that means paper.

Let’s start with the voter rolls. We know they’ve already been targeted. In 2016, someone changed the party affiliation of hundreds of voters before the Republican primary. That’s just one possibility. A well-executed attack that deletes, for example, one in five voters at random—or changes their addresses—would cause chaos on election day.

Yes, we need to shore up the security of these systems. We need better computer, network, and database security for the various state voter organizations. We also need to better secure the voter registration websites, with better design and better internet security. We need better security for the companies that build and sell all this equipment.

Multiple, unchangeable backups are essential. A record of every addition, deletion, and change needs to be stored on a separate system, on write-only media like a DVD. Copies of that DVD, or—even better—a paper printout of the voter rolls, should be available at every polling place on election day. We need to be ready for anything.

Next, the voting machines themselves. Security researchers agree that the gold standard is a voter-verified paper ballot. The easiest (and cheapest) way to achieve this is through optical-scan voting. Voters mark paper ballots by hand; they are fed into a machine and counted automatically. That paper ballot is saved, and serves as a final true record in a recount in case of problems. Touch-screen machines that print a paper ballot to drop in a ballot box can also work for voters with disabilities, as long as the ballot can be easily read and verified by the voter.

Finally, the tabulation and reporting systems. Here again we need more security in the process, but we must always use those paper ballots as checks on the computers. A manual, post-election, risk-limiting audit varies the number of ballots examined according to the margin of victory. Conducting this audit after every election, before the results are certified, gives us confidence that the election outcome is correct, even if the voting machines and tabulation computers have been tampered with. Additionally, we need better coordination and communications when incidents occur.

It’s vital to agree on these procedures and policies before an election. Before the fact, when anyone can win and no one knows whose votes might be changed, it’s easy to agree on strong security. But after the vote, someone is the presumptive winner—and then everything changes. Half of the country wants the result to stand, and half wants it reversed. At that point, it’s too late to agree on anything.

The politicians running in the election shouldn’t have to argue their challenges in court. Getting elections right is in the interest of all citizens. Many countries have independent election commissions that are charged with conducting elections and ensuring their security. We don’t do that in the US.

Instead, we have representatives from each of our two parties in the room, keeping an eye on each other. That provided acceptable security against 20th-century threats, but is totally inadequate to secure our elections in the 21st century. And the belief that the diversity of voting systems in the US provides a measure of security is a dangerous myth, because a few districts can be decisive and there are so few voting-machine vendors.

We can do better. In 2017, the Department of Homeland Security declared elections to be critical infrastructure, allowing the department to focus on securing them. On 23 March, Congress allocated $380m to states to upgrade election security.

These are good starts, but don’t go nearly far enough. The constitution delegates elections to the states but allows Congress to “make or alter such Regulations”. In 1845, Congress set a nationwide election day. Today, we need it to set uniform and strict election standards.

This essay originally appeared in the Guardian.

Posted on April 20, 2018 at 6:44 AM40 Comments


FRex April 20, 2018 8:02 AM

The problem is that people so often are willing to argue with security experts or invent issues on this: “it’s progress”, “it strengthens democracy”, “it’s convenient”, “just use blockchain” (this is increasingly answer to every problem ever in some circles), “it works perfectly in Estonia”, “it takes too long to count paper votes”, “who cares how we vote, it’s all rigged anyway” (the last one usually spoken by someone from the West who happens to hate the results of the last election in their country).

Mike Acker April 20, 2018 8:09 AM

First and Foremost: use a mark-sense paper ballot

Second: AUDIT

after the election select ( e.g. ) 1% of precincts at random. AUDIT the tally, manually.

if the machine count does not check then the software maker PAYS for a total manual recount.

Product liability is the key to cleaning up the HOT MESS that is commercial electronics today.

Brian Hankins April 20, 2018 9:56 AM

“A record of every addition, deletion, and change needs to be stored on a separate system, on write-only media like a DVD.”

Just a nit — probably want to store on write ONCE media. Historically, write-only media has proven troublesome as an audit trail. 🙂

Not sure April 20, 2018 11:45 AM

What about vulnerabilities of scanning ballots? Threats from attacks on the ocr software and hardware – eg two independent ocr checks can be both compromised

Are there robust tests to validate the trustworthiness of ocr validation systems against threats from attacks on the ocr and data processing engines?

Xavier April 20, 2018 11:53 AM

Maybe another issue is the massive number of simultaneous votes in the US

If I compare to my country (France), for any election day, we vote only on ONE subject each time, and (rarely) 2 (in that case, there is 2 ballot boxes with a color coded scheme for the voting enveloppes)

This way, voting machines are not that useful, paper count is relatively easy (and if you have time you can volonteer to help)

There are some voting machines pushed by that industry lobbying, but it’s not widely developped.

The US electoral system on the other hand seems to be designed to create issues (one fixed voting day, multiples ballots, same day registration…)

Chris April 20, 2018 12:18 PM

If you accurately choose the winner, then loser would already be convinced… I would argue that if the loser isn’t convinced, then the burden is on the loser to show evidence.

More broadly, the arguments presented here ignore potentially larger issues – does each person eligible to vote vote only once? Is every voter actually eligible? I believe those issues are just as important.

I bring this up because “convincing the loser” is not simply a voting machine issue, or vote tampering issue.

Who? April 20, 2018 12:35 PM

As I said lots of times in the last year the right way to alter elections (if there is a use for the word “right” in this context) is attacking the people not the technology itself. Attacking the voting machines is risky, as soon as the attack is discovered the President changes. Attacking people is safer, as the entire process has been designed to reflect people wishes and it is exactly that, people wishes, what is attacked.

Hmm April 20, 2018 3:18 PM


That’s an interesting thought which kind of ties in with Bruce’s main thrust.

If we had an ‘election week’ in which to cast a physical vote, all of which was a massively audited and observed process with data visible/confirmed in the public milieu, that would seem to solve several problems. Poor people who have to work / traveling people / infirm / caregivers / military, etc, all would have more flexibility – and the eligible voters would each have a lot less of an excuse for not exercising their duly inherited rights. The 5-12 hour lines we’ve seen in some states would be mitigated entirely. People could perhaps pre-register their “vote intention” prior to the actual election day, and that verification history could be used to later verify vote-change attack patterns in realtime, should they occur. The entire process would be slowed down to a less frenzied, less “watch cable news for 3 days straight” and more serious and solemn affair.

(and throw in campaign finance reform, since I’m daydreaming)

The only issue is cost and the willingness to invest in such trued cogs of representative governance. It will cost money to be designed, vetted, audited, administrated properly. It’s a lot in a lump sum up-front, billions probably done right – however, the detractors of investing in democratic “infrastructure” on the basis of that cost really have nothing to stand on anymore as Trillion dollar tax cuts for the wealthiest have directly become Trillion dollar deficit norms. What could be more fundamental than an accurate vote count, even (and especially) according to the most strident restrictive voting advocates?

Why must we rush something so important as if that helps it somehow?

Hmm April 20, 2018 3:35 PM

Of course the other major consideration is who do we trust to design and vet such an endeavor?

There seems to be no single entity, we’d need a purpose-built coalition. This is the latent problem.


justina.colmena April 20, 2018 5:32 PM

Those foreign-influenced self-aggrandizing fraternizing ballot-counting thieves in law have banned guns and legalized marijuana.

We gave up our freedoms and our rights for drugs. We ain’t gettin’ any of that back, ever.

Too bad. Once a free country.

Sancho_P April 20, 2018 6:09 PM

I think the main problem with voting are the candidates.
If there is the choice between inept characters still each one remains a bad choice.
I assume all candidates want the very best for the populace and are not stupid.
-> @ the system to get candidates there is the problem!

So my proposal::
Find better candidates and require a 2/3 majority to win.

Why do we need anonymity with democratic voting?
Because we can not trust our powers?
That would be a very serious issue.

Heck April 20, 2018 6:56 PM

“Why do we need anonymity with democratic voting?”

Because, without anonymity one group of thugs will form that harass people who “vote wrong”… and another group of thugs will form that promise money to people who “vote right”… (because, without anonymity, those groups of thugs can see/verify who everyone voted for) No amount of regulation or even prison sentences can prevent this fully, only removing the ability for it to happen can: i.e. foolproof anonymity! And we know this from history. It’s actually happened. Yes, in this country. It was a mess.

Heck April 20, 2018 7:51 PM

I mean, it’s like saying, “why do we need computer security? don’t you trust people? you got bigger problems if you can’t trust people!”

Yeah, we do have bigger problems: namely, you can NOT trust people. It’s as simple as that. Therefore we have to set up systems that work “well enough” even in a world where lots of people will do bad things if they can get away with it scott free (and sometimes even if they can’t get away with it).

That’s why computers are so bad, the fundamentals of everything was designed in an era where we forgot about this, and designed everything with the assumption that everything else could be trusted…. It’s wrong. Stop trusting everything. Prepare for the worst, but hope for the best. You’ll be much better off for it.

V April 20, 2018 9:46 PM

The article doesn’t mention mail-in ballots, the one form of voting that is more or less guaranteed to be fraudulent. The person in a household with the largest fists can vote for everyone living there, mail can be intercepted and replaced, bad guys can watch you vote/seal your ballot in the envelope/drop it in a public mailbox, etc, etc.

If you want fair elections try the following:

1) You must be at least this tall to vote -OR- show proof you are at least x years old.
2) You must dip your thumb in the purple dye to vote.
3) Anyone physically present at a poling station who passed 1 and 2 may vote. (Not a citizen? No problem! Do you pay sales tax when you buy stuff? Can you go to jail if you break laws? If so, you have a stake in the election.)

Voting is done with paper ballots / electronic counting may be used / random precincts get a hand recount after the fact / any interested party may watch & record the counting process.

Bennett April 20, 2018 10:11 PM

This might be getting a little off topic, into “movie plot threat” territory…

How sure are we that optical media are “write-once”? Historically it was difficult to seek to specific angular positions, but then we got DiscT@2 and LightScribe which try to do exactly this (not likely accurate enough to overwrite bits, but why didn’t anyone attack the position-based copy-protection schemes this way?).

There’s a lot of redundancy on a disc (CIRC, EFM, and an upper Reed-Solomon layer—it’s less than 30% “real” data). Though we can’t “un-burn” a bit, we could perhaps burn more to cause an error and tweak the correction data to come out a certain way. There must be labs with lasers and positioning equipment accurate enough to do it.

Of course, it’d be much easier to just steal the disc and replace it outright. Or, blockchain! Don’t know if that’ll help the public, but if I say it often enough VCs will soon be throwing cash at me…

Alyer Babtu April 21, 2018 12:26 PM

The wiley ballot tamperer will of course see that the preferred outcome is obtained with the minimal biasing needed, so that the result is plausible. Can the audit methods detect this, are they sensitive enough ? And the tamperers would also avoid certain districts and focus on others, perhaps playing a long game.

Sancho_P April 21, 2018 1:05 PM


Small correction: It is a mess. [- not only in “this” country]

So what you say is:
We can not trust the thugs, be it left, right, red, black, green, yellow, …
They’d sell and exploit the personal voting results for their own benefit against us,
the society:
Because we always vote for lobbied thugs.

And this is exactly why election security isn’t really important:
Uncontrolled capitalism has won the elections years ago.
Perfect voting machines / systems, even anonymity, won’t change that.

Denton Scratch April 21, 2018 1:47 PM

So the way I read the article (and I think all the comments I’ve seen), it feels that the discussion seems to be about the technical problem of constructing a trustworthy voting system.

Well: I think that’s all well and good, IFF you have an informed voting populace. If you don’t, then voting doesn’t mean much, and the design of the voting system is a distraction.

DS April 21, 2018 4:25 PM

Bruce, you might be happy to know that all of your suggestions are already the method by which elections are run here in Wyoming. I am an election judge/official who serves in a voting place where two precincts vote together. Here’s our methodology:

  1. Mark-sense ballots. The candidate/issue is marked on the ballot, the voters mark the ballot and return it to the mark-sense machine, where it is counted and deposited in a secured (locked) container until after the polls close.
  2. Ballots are controlled in locked boxes before they come to the polling place. One of our/my jobs as a judge is to pick up the ballots, the memory card for the mark-sense reader, etc either the morning of the election (which means I’m getting out of bed at about 0400), or the night before the election. These materials remain under election judge control the whole time they’re en route to the polling places, in locked boxes, with only the head judge having the key. The boxes are also sealed with serial numbered seals that cannot be re-sealed.
  3. As ballots are being handed out, we are keeping a strict cross-check on how many ballots the machines show as having been deposited vs. how many ballots we’ve handed out. The count is always, always expected to match. We will look at the machine’s count vs. the number of voters currently voting and how many ballots we’ve tallied as having been handed out. One of our risk points is a voter who tries to take a ballot from the polling place without depositing it into the mark-sense machine. We stop people from removing ballots from the voting place.
  4. All polling places have two lists of voters – the “unofficial” registration list (which we use for “quick” lookups for people asking “Where should I be voting?” – more than a few people show up to a polling location that isn’t “their” polling location). Then there are the “official” voting registration/vote tally lists. If someone was mailed a ballot for absentee or mail-in voting, that is noted on the official lists, and if a ballot has been seen from them (in a sealed envelope) by close of business the day before election day, then that is noted on the registration list. This prevents someone from voting by mail and voting in person. These lists are maintained under strict election judge control. The official lists are also where we note whether someone claiming to be that voter has come in to vote that day; if they have, then this is how we prevent them from voting twice.

Disabled voters have a machine which will assist them in marking the same mark-sense ballot that everyone else uses. There is no difference in the ballots for the disabled, and their machine tallies no votes. Voted ballots of the disabled are read/counted just as every other ballot is.

  1. At the end of the voting day, the polls are closed and now the election judges get to work. All the ballots are taken out of the mark-sense machines and we judges on-site count them. The number must match the tally on the mark-sense machine. If it doesn’t, then we work like hell to find out why. It cannot be “close enough.” We require judges to insure the tally & physical ballots match exactly – or explain why they don’t. We do not get to leave the polling place until the tallies match – or we have an explanation.
  2. When the head judge and at least three other judges have verified that the tally matches, then the voted ballots are put into a locking metal box, along with the memory card(s) from the mark-sense scanning machine, the “official” registration lists and the vote certification records, signed by at least four election judges there at the precinct. There is no question who was responsible for the ballots coming from that election place. Then the box is locked and sealed with a tamper-proof, serial-numbered seal. All the unvoted ballots, the unofficial registration lists, etc. are similarly locked up in another box, under seal. The unvoted ballots are also counted, and the total of voted+unvoted+spoiled ballots must equal the total number of ballots sent out to the precinct that morning or the night before by the election office.

  3. In our county, sworn members of the election office come out to the polling places within the city to pick up the election materials by 2100 after the polls have closed. In our outlying areas, sheriff’s deputies (with badges, guns, etc) come out to pick up the election materials. Outlying areas in Wyoming could be a couple hours away from the election office.

  4. After the election materials are returned to the main election office at the county seat, then the sworn election officers work on counting the absentee, early and mail-in ballots in a similar manner – using the mark-sense machines as we did in the live, in-person voting. Their counts must match, just as ours did.

  5. After the election has been preliminarily certified, the election office staff go back again, through ALL the election materials, and hand-count everything. This might take a week or more to go through all the ballots in the county. After this checks out, the entire election’s materials are put into a fire-proof safe in document boxes, sealed with tamper-proof seals, and that’s that.

Paper ballots work. They work for us, we’re able to comply with the federal election laws, and we’re able to maintain a verifiable election with some work, but we all believe it is worth it. Election judges are paid a couple hundred dollars for their efforts, but that’s being trimmed back – this year, the election office can no longer buy us lunch, so I guess we’re going to brown-bag it. On election day, the judges are typically out of bed at 0500, down to the polling place by 0630, the doors open at 0700, and remain open until 1900. Most elections, the ballots are in the deputy’s car by 2015, and we get out the door by 2030 to 2040 or so.

Ross Snider April 21, 2018 4:36 PM

The biggest issues in election / democracy security are:

  1. Republican/Democratic Party capture of the government. These parties have engineered the election commission so that it is not really possible to run as any other political party – or as independent.
  2. Private / industrial capture of political parties. The board members to the only available political parties are from a very narrow demographic and their control of political parties represents a huge security compromise for democracy.
  3. Gerrymandering, superdelegates, hom-estating and other hacking techniques for the political system.
  4. Political advertizing, including by capture of the primary national news syndication outlets of the country. The other half of this is political surveillance, which is legally incorporated.
  5. State capture by lobbyists, revolving doors, and privatized industries. These entities that hold significant power over otherwise democratic functions and institutions.

  6. Lack of opportunity for majorities to change real outcomes, areas of the political arena which are not available to vote (domestic surveillance / national security / foreign policy), and a weak American political culture that discourages civil discourse, voting attendance, local involvement, unions, etc.

We could have the strongest electronic voting machines or paper ballots in the world and still fail to secure democracy given the sum of the threats above.

VW under the hood April 21, 2018 4:44 PM

Don’t worry the stealth engineers from VW emmissions scandal are taking invisible election tampering as their next challenge

Uses AI to distinguish between actual election scenarios from auditing scenarios and act accordingly.

Alyer Babtu April 21, 2018 8:34 PM

@Ross Snider

Some “pre-commentary” on your remarks, showing the problems are at least 100 years old:

On the rich in politics, G. K. Chesterton, Orthodoxy, 1908 – “You will hear everlastingly, in all discussions about newspapers, companies, aristocracies, or party politics, this argument that the rich man cannot be bribed. The fact is, of course, that the rich man is bribed; he has been bribed already. That is why he is a rich man.”

On the main problem of the party system, that it is really a single party, H. Belloc and C. Chesterton, The Party System, 1911 – “ … something alien has intervened between electors and elected, between legislature and Executive, something that deflects the working of representative institutions.

That thing is the Party System.

A method of government has grown up in our country under which the representatives of the people are divided into two camps which are supposed to represent certain broad divergences of opinion. Between these two the choice of the election lies, and the side which secures the largest measure of support forms a Government, the minority undertaking the work of opposition.

The House of Commons had ceased to be an instrument of government. To whom, then, has the power of the House of Commons passed ? It has passed to a political committee for which no official name exists (for it works in secret), but which may be roughly called ” The Front Benches.” This committee is not elected by vote, or by acclamation, or even by general consent. Its members do not owe their position either to the will of the House or the will of the people. It is selected—mainly from among the rich politicians and their dependents by a process of sheer and unchecked co-option. It forms in reality a single body, and acts, when its interests or its power are at stake,as one man. No difference of economic interest or of political principle any longer exists among its members to form the basis of a rational line of party division. Nevertheless, the party division continues.”

Security Sam April 22, 2018 9:31 AM

In a state of representative democracy
The best you going to get is mediocricy
For even though you elect a candidate
The winner fails to follow the mandate.

Ollie Jones April 23, 2018 6:29 AM

We recently had a fiercely contested election for mayor in my city. We use marksense paper ballots, printed election rolls with checkboxes by them, and we allow any citizen access to watch the polls. To obtain a ballot, each voter is required to speak her name and address audibly (or have someone do it for her if she can’t). She’s required to do that again when putting the ballot into the counting machine.

This process is overseen by our professional city clerk and conducted by poll workers (this being New England, we call them “tellers”) paid a fair stipend.

At the conclusion of our recent vote tallying, the city clerk gave a personal interview to reporters and citizens waiting, in which he said “this result is conclusive.”

My point: even with decent choices of vote-gathering equipment there’s a LOT riding on the credibility of the PEOPLE conducting elections. If our town clerk were not well-known for doing his job correctly according to law and ethics, our elections might fail even with our high-quality process.

Yes, the naively implemented old voting tech from right after the “hanging chad” era needs to be junked. But it’s not enough.

Peter April 25, 2018 10:02 AM

No, I don’t vote on computerized voting-machines and my paper-ballot is hand-counted. But then, I’m from Denmark and our elections are not The Superbowl or a pissing-contest, we elect 179 members of Parliament.
And No, we do not elect sone quasi-dictator who sits on top of everything and can act like a French king. But then neither do Americans..Elect him, that is.

Computerized voting ? Might as well move to China.

Faustus October 19, 2018 9:22 AM

@DS Go Wyoming!! That’s one hell of a process. I don’t know that it would scale nationwide. You seem especially committed.

I think the blockchain is a great idea for non-malleable voting records. It is sort of amusing or concerning that Bruce, who really seems to dislike blockchain, would suggest malleable DVDs as better. We have to be careful what we accept solely to satisfy our bias. We spend a lot of time looking for problems with the things we don’t like. Not so much time looking for problems in our own ideas!

The blockchain is like a paper record, although not as user friendly. Maybe some techphobic people would have trouble accessing their info, though it seems like almost everyone consumes at least one of social media, shopping or porn, so maybe interfaces could be made that are similar to these sites!!

Once a voter is authenticated, a simple system could allow her to create a unique identifier for her to track her vote. It would embed user provided data so the user knows she is not being pointed to some generic vote, but her actual one.

People could verify their vote against this immutable record using numerous open source applications that are unlikely all to be hacked. People could also write their own vote tallying systems.

I suppose that the anonymity aspect would be addressed by using one way functions to record who voted in a conceptually separate blockchain while obscuring the identities. Alternately we could expose who voted, just not connect that with a vote. I would prefer not to expose the voters so the mob of the day couldn’t harass people who can’t be bothered to choose between a tyrant from party A, a nanny state authoritarian from party B, and a bunch of others with no hope of winning.

C U Anon October 19, 2018 2:17 PM


The blockchain is like a paper record

It never was and never will be. You obviously are one of those unreasond tech evangelists by the way you call others “techphobic people”

Not only is the blockchain a very wasteful use of resources it has become some form of “perverted deity” to others.

When you say,

I think the blockchain is a great idea for non-malleable voting records. It is sort of amusing or concerning that Bruce, who really seems to dislike blockchain, would suggest malleable DVDs as better.

Clearly shows you are totally lacking in understanding not just the technology but the basic security process.

As for the rest of your comment, perhaps you should actually go away and have a good long think about what you have said.

Ole November 15, 2018 3:28 AM

The best way of convincing the loser, is to make her part of counting the votes. Ideally in a process that is easy to understand and manual. A process anyone can participate in – and that you can tell people who mistrust the system to join (to restore their faith in the inner workings).

Here in Denmark we insist on keeping a manual process for all elections.

We use paper ballots, that are hand counted on election night. And fine counted afterwards.

We don’t have all the issues with voter registration as every one with a citizenship have a personal social security number. All voters receive a printed registration card that they bring to the voting place on election night, the card is swapped with a paper ballot that is marked with a pencil (as ink pens could be tampered with – loaded with fading ink ).

It scales well – pencils and paper is cheap – and namely because it is done by volunteers, normal members of political parties.

Voting places are kept small, they usually follow school districts, to make sure a count is done quickly. There will always be people to help. Volunteering for vote counting and supervision is protected by law, your employer has no right to stop you. There is food and drinks – the many counts work as a popular ceremonial celebration of our democracy. Do not under estimate the value of transparency, participation and ritual in establishing mutual trust.

The volunteers stand together in the same room and count by piling ballots on tables. They peer across the isles to make sure there is peer review. They discuss if a vote is void. Opponents supervise each other in a sense of mutual respect.

The key is to make sure there is diversity in the counting groups and that there is prestige in the district getting it right and quickly. As the tallying and voting process is manual and social, backend security does not matter that much – the results of every district come up on a central webpage and is reported live on national television during election night, as the results come in. The volunteers and local voting commissions can verify that their results are intact though out the system.

Large groups of people that only need to agree on anything else than process and method are hard to hack. It is healthy for democracy that any citizen can join and verify the process locally without technical knowledge. It is even healthier to work together with your political opponents to do the counting.

Our primary vulnerability is public opinion and propaganda, but our voting system remains secure, scalable and responsive – it takes a maybe an hour after voting places close before the results start ticking in – and it is immensely exciting to follow – and be part of – on election night.

dispose256 November 15, 2018 7:16 AM

I am continually amazed by the weakness of the machine voting system. An existing system such as the province of Quebec in Canada uses: paper ballots, hand counted with 2 representatives of major parties present. Printed voter rolls at the voting place again with 2 representatives present and mandatory government issued id with photo and address (really easy to get). I can only chalk up the lack of security to an appalling lack of political will.

Dave November 15, 2018 5:21 PM

One thing I would like to see that I think would help with some of these voting issues is this.

Assign every voter a unique code. These codes are re-assigned for every election. They are assigned randomly and sparsely, making it hard to guess a person’s code or guess a valid random code. We assume these assignments are kept in some sort of protected system. The voter is given his/her code prior to voting (e.g. a card in the mail, or for vote-by-mail it can come with the ballot).

For voting at polling stations, the machine prints out a copy of the votes taken along with the voter code, unique voting machine identifier, and gives this to the voter. It is printed using OCR or another way that humans and machines read the same (e.g. not bar codes), and with a confirmation code of some sort to verify its authenticity. The voter is given a chance to inspect the results before giving the final version. Perhaps two identical copies are printed, where one is submitted to tally while the other is kept by the voter.

Voting machines at polling stations display a current total count of votes cast so nearby observers can spot any extra votes recorded by a machine.

After all votes are submitted, a complete tally is published, broken down by individual machines, including every vote recorded (the voter’s unique code and the votes cast by that code). Perhaps it is online and/or perhaps verification machines are located in public places that people can bring their copy for verification. Obviously it’s not a complete security solution but it is another seemingly powerful tool to help detect and remedy voting system inaccuracies if enough people verify their votes on the final tally.

Terence November 15, 2018 9:13 PM

Is it really beyond the wit of man to have a ‘harmonised Federal standard’ for voting machines adopted and enforced by one of the standardisation organisations like ANSI, NIST, OSHA or some other quango like that?

Good grief Charlie Brown. It’s not rocket surgery.

Dinesh November 18, 2018 1:14 AM

Why does the US not use Electronic Voting Machines (EVMs) like
“Electronic voting machines in India”

The EVMs have been prevalent in India for the last decade and are now being exported to many countries across the globe.

They have proven to be reliable, trust-worthy and definitely more robust and secure as compared to any similar voting machine which is presently dropped in the US.

Christian December 1, 2018 4:13 AM

In Austria we had to repeat the presidential election in 2016 because noone trusted the results. In some places there were up to 146% votes (impossible). Even after the second “try” the results were not trustworthy.

Concerning the problem of SECRET BALLOTS:
I would suggest that every voter not just submits his voting decision (like Clinton or Trump in the US) but also a personal one-time-code like “HFF399WWY” he has to remember. This code should then be published on a voting list in each voting region so that everyone can look up his own voting on a public list and verfiy that his decision was correctly counted. For obvious reasons you would not publish a list with names and votes but instead with CODES and VOTES, e.g.


The published voting list could also include information about place and time (approx.) of the voting for the voter to verify.
Maybe part of the CODE sould have a randomly generated part, so that it would not be possible to pre-order (buy) votes by a specific code.
I think there would be more trust in voting results if everyone were able to check his own vote.

Christian December 1, 2018 4:22 AM

ad Dave (Nov 15, 2018):
I had similar thougts but I would rather avoid to assign and store a unique code to the voter. Instead: the voter creates his own code at the time of voting. He is the only person who knows about it and who can verify his own vote.

Sancho_P December 1, 2018 6:03 PM


But what should be done if 723 (just to have a number) voters claim their votes were changed?
And with 72 voters?
Or 7?
How difficult would it be to reach zero? (Hint: Does it depend on the winner?)

Suspicion makes people mad (as we actually can see in the US).

Ludovic F. Rembert April 29, 2019 6:35 AM

“Organizers collected 25 pieces of voting equipment, including voting machines and electronic poll books. By the end of the weekend, conference attendees had found ways to compromise every piece of test equipment: to load malicious software, compromise vote tallies and audit logs, or cause equipment to fail.”

Bruce, if you think the situation is bad in the US (and I agree that it is VERY dire), I can assure you it’s far more bleak in Canada… and bleaker still in other countries like Brazil and India, despite their national news media regulatory declaring victory on voter fraud. I wish the issue got more attention in the news, which is entirely focused on celebrity politics rather than what’s really going on. Looking at the Heritage Foundation’s database of election fraud, there were more cases of voting fraud last year than there were of ANY other type of cyberattack, as measured by the number of cybercriminals involved.

Leave a comment


Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via

Sidebar photo of Bruce Schneier by Joe MacInnis.