Online Voting Should Be Verifiable -- But It's a Hard Problem
An anonymous reader writes with a link to a pithy overview at The Conversation of recent uses of (and nagging difficulties with) online voting and asks: Regular 'internet voting too risky' arguments don't take some approaches into account like verifiability of votes by voters, observers, and international media. Could we have end-to-end verifiable online voting systems in the future? What are the difficulties? Where is it being done already? From the linked article (which provides at least some answers to those questions), one interesting idea: Another challenge to designing verifiability in online voting is the possibility of malware infection of voters' computers. By some estimates between 30%-40% of all home computers are infected. It’s quite possible that determined attackers could produce and distribute malware specifically designed to thwart or alter the outcome of a national election – for example undetectably changing the way a user votes and then covering its tracks by faking how the vote appears to have been cast to the voter. Whatever verifiability mechanisms there are could also be thwarted by the malware.
One way to try to prevent this kind of attack is to make voters use several computers during the voting process. Although this is hardly convenient, the idea is to make it more difficult for an attacker to launch a co-ordinated attack across several computers at once.
Just like postal voting, Internet voting is a bad idea.
In a family group, you simply don't know who is really voting. Yes, the correct person may be marking the postal ballot, or clicking the votes, but a dominant family member can be looking over the voter's shoulder, making sure the vote corresponds to the dominant family member's preferences.
The real "Libtards" are the Libertarians!
We are really really good at handling online transactions of various kinds. Voting is easy. You just have to give up the secret ballot...
Anonymous secure verifiable voting is a bad joke.
Finally! A year of moderation! Ready for 2019?
Or we could just use paper ballots that simply work.
Why the need to push technology into places where it is not needed and it doesn't improve the process?
We can't even get voting machines that are secure and verifiable. We contract companies with no accountability to make these, and they don't even listen to third party researchers, or calls for open reviews. Why on earth would we think we could secure it on a public network, with umpteen more attack vectors?
If we have a machine-readable and human-readable paper record, then the paper record could be imaged, then submitted to an independent system to verify that all the votes are accounted for, and that what is printed is what is read by machine. It is up to the voter to verify what is printed is what was voted.
What's more is the voting verification system does not need to be from the same manufacturer of the voting machine itself.
Slashdot's rate-of-post filter: Preventing you from posting too many great ideas at once.
I am a (small) contributor to the future IEEE 1622 standard. We chose not to deal with the security problem, and to tackle only the electronic interchange format. Security, in electronic voting, seems too hard a problem to solve right now.
Religious speak to God. Insane are spoken to by God. When all shut up, one can finally hear Shostakovich in peace
Shouldn't we have the option as to whether or not we want our votes to be anonymous? I mean, people are pretty verbal on Facebook with the parties they support, and people even order signs to stick into their lawn etc. Is there any need for voting to be 100% anonymous anymore?
Or we could just use paper ballots that simply work.
Why the need to push technology into places where it is not needed and it doesn't improve the process??
Left MS Windows for Linux Mint and never looked back!
Vote for Bernie in 2016!
run OpenBSD. =)
Because only people smart enough to run OpenBSD and install (I think it includes compiling) and start a DE and overcome all the compatibility issues between Moonlight and Silverlight (the booth *must* be written in Silverlight) should be allowed to vote.
That way, you will not even need to ensure anonymity, because it's not hard to find the ones capable of doing the above.
Linux is for people who don't mind RTFM.
... like the 1980s, "I want a computer to balance my checkbook."
Online voting is a solution to a problem we don't have.
It little behooves the best of us to comment on the rest of us.
The same thing they claim on-line voting has problems with is the exact same thing we have problems with using boxes. Every election there are somehow missing ballots, and don't even get me started on dangling chads, absentee ballots, and how many dead people are voting every election.
No system is perfect, but what they have currently can't be any worse than on-line voting.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Not environmentally sound, but send personalized lists of candidates by postal service to each voter with candidate numbers scrambled in a way known only to the voting server. Then when voting online, the voter uses the personalized number for the candidate. Malware won't know what candidate numbers the voter has, but the server receiving them will. Malware can thus only affect the outcome by voting on random candidates on behalf of the voter instead of on the candidate the voter wanted.
Unfortunately the chosen candidate cannot be verified back to the voter until the vote has been committed and can no longer be changed, otherwise malware could iterate through numbers to see which candidate is which.
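An added Python model of the personalized candidate-number scheme described in the post above (example code, not from the post or any real voting system; the candidate names and voter ids are constructed). The server alone keeps each voter's code-to-candidate table, the client submits only a code, and the recorded candidate is disclosed only after the ballot is committed, as the second paragraph requires.

```python
import secrets
import string

# Constructed ballot and code alphabet (not from the post).
CANDIDATES = ["Alice", "Bob", "Carol", "Dave"]
CODE_ALPHABET = string.ascii_uppercase + string.digits


def issue_code_sheet(candidates, code_len=6):
    """Server side: build one voter's personalized sheet.

    Returns (sheet, lookup). `sheet` (candidate -> code) is printed and
    posted to the voter; `lookup` (code -> candidate) stays on the server
    and is never sent to the voter's computer.
    """
    codes = []
    while len(codes) < len(candidates):
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(code_len))
        if code not in codes:            # codes on one sheet must be distinct
            codes.append(code)
    sheet = dict(zip(candidates, codes))
    lookup = {code: cand for cand, code in sheet.items()}
    return sheet, lookup


class VotingServer:
    """Receives codes, not candidate names, and maps them back privately."""

    def __init__(self, candidates):
        self.candidates = list(candidates)
        self.lookups = {}   # voter_id -> {code: candidate}
        self.ballots = {}   # voter_id -> candidate, committed and immutable

    def register(self, voter_id):
        sheet, lookup = issue_code_sheet(self.candidates)
        self.lookups[voter_id] = lookup
        return sheet        # goes out by post, never over the wire

    def cast(self, voter_id, code):
        """Commit the vote for the candidate behind `code`.

        Returns True on success; a code not on this voter's sheet is
        rejected (False) rather than counted. Any attempt after commit
        raises, so a client cannot iterate over codes to learn the mapping.
        """
        if voter_id in self.ballots:
            raise ValueError("ballot already committed")
        candidate = self.lookups[voter_id].get(code)
        if candidate is None:
            return False
        self.ballots[voter_id] = candidate
        return True

    def confirm(self, voter_id):
        """Disclose the recorded candidate only once the ballot is committed."""
        return self.ballots.get(voter_id)

    def tally(self):
        counts = {c: 0 for c in self.candidates}
        for cand in self.ballots.values():
            counts[cand] += 1
        return counts


def compromised_client_submits(server, voter_id, typed_code):
    """Model of malware on the voter's PC: it sees the code the voter typed
    but not the paper sheet, so its only move is to swap in another code of
    the same shape, which almost surely matches no candidate."""
    forged = "".join(secrets.choice(CODE_ALPHABET) for _ in range(len(typed_code)))
    return server.cast(voter_id, forged)
```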
In Canada you can file your taxes (and even get the replies via e-mail), renew your driver's licence, file for immigration changes (visa extensions, etc.), renew car plates, get a new passport, etc. all online. And yet, we don't feel we are secure enough to allow people to vote? How the fuck does that make any sense?
In the end, all this bullshit about "we can't provide enough security for voting" is just a smoke and mirrors job. The real fear is that everyone who doesn't vote now because it's a pain in the ass will start voting, and that could seriously change the political landscape.
And while you may be tempted to start giving me examples of how it's not a pain in the ass, such as how you can pre-vote with an envelope (wait, why is this allowed but online isn't?), or go physically in the morning/afternoon/whatever, NOTHING beats the ease of use and time saving of online voting.
David Bismark demos a new system for voting that contains a simple, verifiable way to prevent fraud and miscounting — while keeping each person's vote secret. http://www.ted.com/talks/david...
But don't worry, we've got "Lawrence's Mom is a Slut" waiting in the wings as our new VP.
SJW's don't eliminate discrimination. They just expropriate it for themselves.
I don't want people who aren't invested enough* to go to a poll to decide policies that affect my life.
(*modulo people with disabilities or who have work conflicts, but we already have mechanisms in place to account for that -- I'm talking about the general issue of lowering the bar too much)
An unjust law is no law at all. - St. Augustine
...no need to physically invade the country anymore - just rig the election in a non-detectable way... job done.
Right now we use the finance industry to do the same thing. You don't even need to have elections, aside from the ceremonial ritual anyway.
“He’s not deformed, he’s just drunk!”
Can't be any worse than the last two. :P
I want peace on earth and goodwill toward man.
We are the United States Government! We don't do that sort of thing.
Why have online voting? Really, voting in person means people who are interested enough bestir themselves to do so. And if they are interested enough to go vote, presumably they at least know the candidates' names ahead of time and hopefully something of the issues. Until you can guarantee there are no ultra-low information voters then universal turnout is not good. Otherwise might as well turn voting over to Mechanical Turk.
...but it's hard problem.
Wait until all the State Driver's Licenses become smart cards and use those to verify identity. Similar to the PIV/HSPD-12 cards the U.S. government uses for employees. Require PINs just like with ATM cards.
With the card being an actual computer that can store secure digital certificates, and the same trust model the entire country uses now -- your government-issued Driver's License (and/or Passport) is accepted by pretty much EVERYONE as proof of identity -- this is doable.
Learning HOW to think is more important than learning WHAT to think.
1. Have a universal number, let's call it a SIN number for simplicity
2. Have a web site / physical record of cast votes with the cast vote and the voter's unique id hashed by something like MD5/SHA & date/time of cast vote in the incredibly rare case of hash collisions (correction, see below)
3. Send a mail-in pamphlet that provides a seed so that only the voting registry knows your unique (no reverse SIN guess in case your SIN was compromised by 'influencing' parties)
Me: Joe Blow
Issued SEED: 1234567890
SIN Number: 32323
Vote: Mad-like-hell Libertarian
Public Government Site Record:
| Mad-like-hell Libertarian | 8e63860d2a80a5d32d95345592697328 | May-14-2015 / 08:54pdt
(Example hashed from seed+sin / MD5)
The only problem being that the public needs to know (or rely) on the hash magic, but if you really care about your vote being untampered with, you can learn how to use basic tools to make it work.
For independent audits of the voting office, all SIN/seed hashes are to be retained for a number of years (or forever depending on data retention blah blah) so that independent audits of SIN numbers to actually viable voters, etc. can be verified.
(Correction, because the registry can pre-calculate the hashes of everyone, they can re-generate a new seeding number until it doesn't collide with existing generated hashes)
Bye!
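The seed+SIN public-record scheme above, as an added Python example (not the poster's code; SINs and seeds are constructed, the hash defaults to MD5 to match the post and can be switched to SHA-256 through `algo`). It includes the collision correction from the last paragraph, the voter-side check against the public records, and a one-voter-per-record audit.

```python
import hashlib
import secrets
from datetime import datetime, timezone


def record_hash(seed, sin, algo="md5"):
    """Hash of seed+SIN as the post describes; "sha256" is a drop-in alternative."""
    return hashlib.new(algo, f"{seed}{sin}".encode()).hexdigest()


class VotingRegistry:
    def __init__(self, sins, algo="md5"):
        self.algo = algo
        self.seeds = {}            # sin -> issued seed, retained for audits
        self.hashes = {}           # hash -> sin, private, used for collision checks
        self.public_records = []   # (choice, hash, timestamp), published openly
        for sin in sins:
            self._issue_seed(sin)

    def _issue_seed(self, sin):
        # The post's correction: regenerate the seed until the hash is unique
        # across every registered voter, so one row can never cover two SINs.
        while True:
            seed = str(secrets.randbelow(10**10)).zfill(10)
            h = record_hash(seed, sin, self.algo)
            if h not in self.hashes:
                break
        self.seeds[sin] = seed
        self.hashes[h] = sin
        return seed

    def seed_for(self, sin):
        """The mailed pamphlet: the only channel that delivers the seed."""
        return self.seeds[sin]

    def cast(self, sin, seed, choice, when=None):
        """Record a vote; returns the public row or None if refused."""
        h = record_hash(seed, sin, self.algo)
        if self.hashes.get(h) != sin:
            return None            # seed/SIN pair was not issued by this registry
        if any(rec[1] == h for rec in self.public_records):
            return None            # this hash has already voted
        when = when or datetime.now(timezone.utc)
        rec = (choice, h, when.strftime("%b-%d-%Y / %H:%M%Z"))
        self.public_records.append(rec)
        return rec


def voter_verify(public_records, seed, sin, expected_choice, algo="md5"):
    """What a voter does at home: recompute the hash, find the row, compare."""
    h = record_hash(seed, sin, algo)
    for choice, rec_hash, _ in public_records:
        if rec_hash == h:
            return choice == expected_choice
    return False


def audit_one_voter_per_record(registry):
    """Independent audit: every public hash maps to exactly one registered SIN."""
    seen = set()
    for _, h, _ in registry.public_records:
        sin = registry.hashes.get(h)
        if sin is None or sin in seen:
            return False
        seen.add(sin)
    return True
```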
But is it NP-Hard?
By the time we get to the polls we get to choose between Kang and Kodos. The real choosing has been done in back rooms by power brokers and billionaires. Low voter turnout is in part fueled by the apathy that comes from only getting to choose between two pre-selected options by those with very different morals and priorities from the rest of us. The candidates on the ballot only got there by becoming indebted to those power brokers and rich, meaning they have to be corrupted as a prerequisite.
E-voting without fraud is a solvable problem, you just need to holistically think about the issues, like this guy: http://www.ted.com/talks/david...
You have to make sure every link in the chain is secure.
That means:
1) Secured military-grade with strong anti-tamper machines, built on open-source OS software and hardware, that'll sign votes with a one-time-only HSM with strong anti-tamper (i.e., acid to burn off everything inside it if someone attempts to open it). Every HSM's public key will be completely open to the public, and the public will verify that the number of booths is what it's supposed to be.
2) Real life humans verifying the identity of the person voting (citizenship status, age, etc.), and verifying that they're alone in the booth.
3) Technology that uses biometrics (combination of voice, fingerprint, retina, DNA, whatever) to make a GUID for every person - this will also assure they haven't voted twice.
4) Open counting of the votes, booth by booth. Again, this will be completely open so the public can verify that all booths are accounted for and the vote counting is correct.
USB thumb drives are getting cheaper each day. Put a bootable OS on such a device and mail it to each voter. Yeah not all computers will boot to the same program. Maybe put multiple boots for specific computer types; Windows, Mac, etc. I would stay away from phones and tablets, they are too unreliable and prone to infection.
This problem has already been solved.
People already trust the financial system. Copy it.
Instead of creating a 'bank account', people would create a 'voter registration'.
Instead of processing debits and withdrawals, the system would process votes.
The solution is elegant because it is simple. By modeling it after the banking system, you inherit the implicit trust in that system. Anyone who challenges the system has to challenge the global financial system. Who is going to stand up and say, "You can't trust your bank to accurately tally something as simple as a vote!"??? Doing so would open up a whole Pandora's box of problems that nobody wants to deal with. "If they can't even tally a vote, can they really accurately track my account balance?" being among the most obvious.
How about an easier option of sticking with paper ballots, but having a longer window in which to vote? Having just a day at the polls, one a work day, assures that a fair portion of the population (especially the working poor) will have a hard time getting to the polls to throw away their vote.
How about having all mail-in ballots either be legal to send with a first class stamp or come postage paid. Even in our vote-by-mail state I find it to be a PITA to get my ballot in since I only ever have first class stamps, and barely use those anymore anyway.
Actually, as far as I can tell, the only problem is securing the endpoint, and that's a simple fix. Rather than opening the floodgates and letting *all* devices access online voting portals, we could set aside public spaces on election day for online voting. Private booths could be provided to avoid prying eyes.
Last post!
Blockchain technology has almost solved this already.
You could use a chain of hashes, starting with a first hash of an id by a government agency; then that hash will go to a second and third party (private or civic organization) to be hashed again.
This system will ensure validation of an individual and yet preserve the anonymity – unless all parties involved in the system are compromised.
Then you can store these hashes in a smart card, either standard format or USB key format. The cost for the cards and additional readers will be less anyway than the cost of organizing traditional voting systems.
At the application level, plugins for browsers or mobile apps can be written to access the smart card with a pin. In terms of validation on the backend, the vote request can be simultaneously pushed to three different servers, say government agency, opposition parties and a civil agency servers. Cross-validation between these should match.
Now, even in the case of weak online payment systems, as we have at the moment, based only on a cc number and 3 digits on the back, the fraud percentages are small compared with potential fraud in traditional voting systems – so in any case I don't see real reasons not to adopt an online voting system.
If Democracy is worth anything it's worth an hour of your fucking time once a year to go a polling place.
I also agree with you. I do think we need to make a couple more considerations though.
First "those unavoidably out of town" should not be an excuse unless the distance between postal zip codes is greater than say 200 miles
Since when does a round trip of "200 miles" take "an hour"?
it is possible for your boss to intimidate you into not voting
Is it coercion for the boss to threaten to terminate your employment if you fail to travel on Election Day, ostensibly for essential business purposes, to a location that just happens to be between 100 and 200 miles away from the polling place?
We need to be fair and make election day a National Holiday! So that everyone has the day off.
It might take more than a day to travel to and from the polling place. For example, I went to college about 180 miles from home. How should someone at school 180 miles away from home vote in the district where he is registered? Take a Greyhound bus back home and miss several days of classes, including an important exam?
We probably need to make exceptions for the groups for which anti-strike laws already exist, Health, Safety and infrastructure folks who potentially have to work the holiday.
Are pharmacies considered "Health" for this purpose?
All the cleaner election benefits of paper ballots, plus you could do anything governments do right now to paper currency to prevent fake ballots from being stuffed into election counts.
Best system for dealing with different disabled voter challenges easily bar none.
We are always getting 70-80% voter turnout in where vote-by-mail is being used now for a decade.
Why the push for online voting? Because, the Internet or something?
Just because you can doesn't mean you should. There is much to be said for making the effort to show up and mark a ballot. If voting becomes as easy as clicking some on-line survey like you find on the typical news page, then we will end up with what we deserve.
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
Sometimes fitting a headline in a finite space trumps correct grammar. This explains, for example, the use of "M$" in comment subjects to save seven characters compared to "Microsoft". Is "But It's a Hard Probl" more acceptable than "But It's Hard Problem"?
Democrats, hipsters, and neo-technotards, please give it up.
There's absolutely nothing wrong with paper ballots that reminding people to double-check the accuracy of wouldn't solve. It's worked forever, reduces security to the (relatively known problem to solve) of physical security of a location and transit -- something banks have done for centuries. For voter verification, require Photo IDs from a recognized entity, and/or "vouching" similar to what's done now in many states when needing to notarize something from someone with insufficient ID.
Make ballot-by-mail and online voting special-case-only (eg, registered expats; those on deployment; etc.) and such a small scope that it's not worth the coordinated, targeted investment in massive hack schemes, then secure using the best, reasonable internet-encrypting technology.
Stop trying to re-invent things that aren't really that broken to begin with. And sorry Millennials, the inability to vote by app from your cell phone is a feature not a bug.
In related news: I wish more people would go watch Max Headroom again. Sometimes I feel we're living about 15 of those 20 minutes into the future.
Hire a Linux system administrator, systems engineer,
Headlines should be short, complete, and grammatical, but it's also a hard problem. Leave out "short" and the story will exceed the headline length constraint and thereby fail to be posted. Leave out "complete" and be accused of clickbait. So instead, the writer left out "grammatical".
Also, there's been a rash of 911 calls resulting in SWAT teams breaking down the doors of people who voted for Candidate B over Candidate A.
My sci-fi novel, Ghost Thief, is now available from Amazon.com.
USB thumb drives are getting cheaper each day. Put a bootable OS on such a device and mail it to each voter.
And watch a malware hypervisor load your thumb drive in a virtual machine. You'd need Secure Boot to thwart this.
What about a layered encryption system?
First, a random token is generated for your vote. This could be generated client side (with potential collisions) -- it's just a way for someone to verify their vote later. That, plus the vote(s) are encrypted with the Tallying Machine (TM) public key. Next, the output of that is combined with your identity information and encrypted with the Identity Machine public key. The whole thing is then sent to the IM, decrypted, identity is verified, voting record is made, and then the encrypted vote+token is sent to on to the tally machine, the vote and token are decrypted and logged. If necessary, the vote+token could be sent to a mixer to shuffle the order to defeat timing attacks.
It would be much easier to whiteboard, but I don't see any immediate flaws -- at least none that would be unique to this method of voting. It's a lot like how the current in-person voting works as well.
https://www.eff.org/https-everywhere
There's an algorithm (or two) that leverages multi-step encryption to facilitate two (seemingly exclusive) properties.
The algorithm, developed by Dr. Andrew Neff, was first implemented by a company called VoteHere.
Now it is available for testing and vetting via an implementation at https://vote.heliosvoting.org....
FWIW I've posted about this system almost a dozen times over the past decade.
You need to either be ok with that (i.e. botnet owners should have more votes than normal people, because the whole reason that people give their computers over to botnets, is that they want to personally have less power) or else you need to give up on the idea of online voting.
And since nobody sane is going to be ok with that (I think people will disagree with my above parenthesized assertion), then: give up on the idea of online voting. By the time you "solve" the compromised-user-agent problem, you'll have lost 100% of the reason for online voting, as we see with the amusing idea of making people use multiple computers which are hopefully on competing botnets and therefore unable to reach enough consensus to vote the same way.
Just keep having people go to polling locations. Really, it's ok to do that.
"Believe me!" -- Donald Trump
As I noticed when I went to vote the other week in the UK General Election. All the ballots are numbered and your voter id is noted down and cross-referenced to the ballot you are handed. I had to double-check the implications of this after I'd voted and sure enough, it's a 'well known fact' in certain circles : "The use of numbered ballots makes it possible, given access to the relevant documents, to identify who has voted for whom, and there are many accounts of this being done regularly by the authorities in the United Kingdom, especially by the police and Special Branch to identify voters for fringe candidates". http://en.wikipedia.org/wiki/S...
Imagine a simple device similar in appearance to a calculator. For registration, voter verifies his identity to a human, selects a random one of these devices from a box, places it into a writing machine. Voter selects a PIN, enters this into the machine. Machine permanently burns random private key to the device and saves public key and PIN encrypted with private key.
To vote, website displays a random number. User enters this into device along with voting selection and PIN. Device displays hash of encrypted hash of these values. User enters displayed number into website. Website saves originally displayed number plus user-returned result. To verify, same process except website can indicate whether the user-returned number matches the last entry.
If coerced, use a wrong PIN. It will still verify but will not be counted.
Something like that.
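An added Python sketch of the calculator-like device described above (example code, not the poster's; the post's "hash of encrypted hash" is interpreted here as a SHA-256 over an HMAC of the PIN under the device's burned-in key, and the candidate list is constructed). The site learns the selection only by recomputing the expected response for each candidate, so a response formed with a wrong PIN still verifies but never counts.

```python
import hashlib
import hmac
import secrets

CANDIDATES = ["Alice", "Bob", "Carol"]   # constructed ballot


def _digest(*parts):
    """Length-delimited SHA-256 over string/bytes parts."""
    h = hashlib.sha256()
    for p in parts:
        h.update(p.encode() if isinstance(p, str) else p)
        h.update(b"\x00")
    return h.hexdigest()


class VotingDevice:
    """The calculator-like token: the key is burned in at registration and
    never leaves the device; only short digests go in and out."""

    def __init__(self):
        self._key = secrets.token_bytes(32)     # "random private key"

    def _pin_tag(self, pin):
        # Assumption: HMAC(key, PIN) stands in for "PIN encrypted with private key".
        return hmac.new(self._key, pin.encode(), hashlib.sha256).hexdigest()

    def registration_record(self, pin):
        """Produced once by the writing machine while it still holds the key;
        this is what the registry stores for the voter."""
        return self._pin_tag(pin)

    def respond(self, challenge, selection, pin):
        """Number shown on the display for the user to type into the site.
        A wrong PIN gives a response of identical shape, so a coercer
        watching over the shoulder cannot tell the difference."""
        return _digest(self._pin_tag(pin), challenge, selection)[:20]


class VotingSite:
    def __init__(self, candidates):
        self.candidates = list(candidates)
        self.registered = {}   # voter_id -> pin tag from registration
        self.entries = {}      # voter_id -> (challenge, response)

    def register(self, voter_id, pin_tag):
        self.registered[voter_id] = pin_tag

    def challenge(self, voter_id):
        """The random number displayed to the voter; fresh per attempt."""
        if voter_id not in self.registered:
            raise KeyError(voter_id)
        chal = secrets.token_hex(8)
        self.entries[voter_id] = (chal, None)
        return chal

    def submit(self, voter_id, response):
        chal, _ = self.entries[voter_id]
        self.entries[voter_id] = (chal, response)

    def verify(self, voter_id, response):
        """Tells the voter only whether the number matches the last entry."""
        return self.entries.get(voter_id, (None, None))[1] == response

    def count(self):
        """At tally time a response counts only if it was formed with the
        registered PIN tag; anything else (wrong PIN under coercion) is
        silently dropped, exactly as the post proposes."""
        counts = {c: 0 for c in self.candidates}
        for voter_id, (chal, resp) in self.entries.items():
            if resp is None:
                continue
            tag = self.registered[voter_id]
            for cand in self.candidates:
                if hmac.compare_digest(_digest(tag, chal, cand)[:20], resp):
                    counts[cand] += 1
                    break
        return counts
```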
Democrats
Christ, everything is politicized in your them vs. us two-party system, isn't it?
Actually, I think I would welcome the addition of the Neo-Technotards as a third party. The political debates would be VERY entertaining. Can you imagine the looks of exasperation on the faces of the other parties' candidates?
Voting should be at least a weeklong window. And Election Day itself should be a paid national/bank holiday. It should be more sacrosanct than Christmas Day; working on Election Day should be quadruple pay, to discourage employers from opening their doors.
In the parliamentary elections of September 2013, more than 250 000 Norwegians in selected municipalities were able to vote from home. They were taking part in a national trial of Internet voting, building on an advanced cryptographic protocol. Follow the link below for a talk about the technology behind it, presented at the last Chaos Computer Conference by Tor E. Bjørstad http://media.ccc.de/browse/con...
English uses articles for definiteness and word order for case (what is subject and what is object). Russian uses declension (noun endings) for case and word order for definiteness. Each noun has to be marked as a subject or object, which lets definite ("the") nouns go before the verb and indefinite ("a") nouns after. The letters you lose by not having articles you gain by having to mark the object as such.
What's to prevent a hacker from inserting votes into the system? Granted, there is a mechanism for detecting if votes are deleted, but it relies on people checking their vote receipt against a website. The bulk of the population is not going to do that, so a hacker has fairly high probability of being able to delete votes without being detected. And what happens when a hack is detected? Is there a way of determining how many of the ballots are tainted? Do you run the election again, or go with the results of the untainted ballots?
Maybe there is more to this system than was explained in the video, but it doesn't seem entirely bombproof at first glance.
When our name is on the back of your car, we're behind you all the way!
Both ballot-by-mail and online voting are meant to increase the convenience of voting, which should be as easy as possible to do.
If you want to keep those limited to specific groups and scenarios, fine. But let's expand the voting period beyond just a single workday --- ideally over the span of Friday--Sunday.
There's absolutely nothing wrong with paper ballots that reminding people to double-check the accuracy of wouldn't solve. It's worked forever...
Well, except when it hasn't worked. The paper ballot system has one major flaw - it is impossible to unambiguously and objectively assess the validity or meaning of a paper ballot, at least not in a way that everybody can agree on.
What constitutes a stray mark? What constitutes a vote?
I think a good compromise is a computer-generated paper ballot which is voter-visible/verifiable, but not voter-modifiable. Let the voter pick their vote on a fancy touchscreen or whatever. Print their vote on a piece of paper behind a plexiglass screen, then have the voter hit the ok button and watch the piece of paper fall into the box. As the ballot comes out of the printer it could even run past a scanner for verification by the same algorithm that will be used for counting votes later.
This lets the machine validate the ballot while the voter is standing there and able to make corrections. There is no ambiguity around voter intent. Then the machine prints out a ballot which is completely standardized (easy to OCR accurately, unambiguous, no stray marks, etc).
There are real benefits to using computers in voting. The key is to capture those benefits, while then mitigating the risks they introduce.
End-to-end auditable voting systems
Spoon not. Fork, or fork not. There is no spoon.
Widespread vote by mail has been shown to be reliable and effective. What do you have against it?
As I understand it, you have to be a verifiable resident of a particular precinct for 30 days before you can vote in that precinct. People who move house in the 30 days prior to Election Day need to vote at the polling place for their old precinct, not their new precinct. If the distance from someone's new residence to the polling place for his old residence is greater than reasonable cycling distance (let's say 10 miles/16 km) but less than the absentee ballot eligibility cutoff (DarkOx suggested 200 miles/320 km), he won't be able to make it to the polling place on time. So such a rule would constructively disenfranchise recent movers.
And we could call these public places set aside for voting "polling places"!
I've seen some really interesting ideas regarding PGP signatures, using blockchain technology
To know if they'll work try this test.
Go to any Walmart.
Offer some people a free lunch if they'll listen to you explain the government's new way of voting.
I think you'll know what will happen.
Use malware signatures to uniquely identify the machine.
Convenience.
Paper Trail.
Research your candidates with your ballot in hand for two weeks. (as I am now for a local election due in by 19 MAY, mostly school board members)
Go check Oregon's voter fraud rates as well.
If a company has a person who has access to the accumulated counts, then that person can change the vote, downstream, upstream, or final destination. The individual computers don't matter; there are no ways, given the constraints, to verify who voted for what - yes, there are established, effective ways of controlling the data, but if you can't audit the entire chain, it doesn't matter. The code, the counts, the data are owned by private companies, and they have established that all of that is their protected trade secret. Past lawsuits show us that they refuse court orders and countersue, and that they destroy the data, such as it is. Puttering around with geeky analysis of the browsers and malware isn't addressing the problem, which is: they who control the machines control the elections. Worrying about the "hackers" on the outside is specious. It's the hackers on the inside.
In democracy it's your vote in elections that counts; In FEUDALISM it's your count that votes;
Casteism