Blockchains Are Not Safe For Voting, Concludes NAP Report

The National Academies Press has released a 156-page report, called "Securing the Vote: Protecting American Democracy," concluding that blockchains are not safe for the U.S. election system. "While the notion of using a blockchain as an immutable ballot box may seem promising, blockchain technology does little to solve the fundamental security issues of elections, and indeed, blockchains introduce additional security vulnerabilities," the report states. "In particular, if malware on a voter's device alters a vote before it ever reaches a blockchain, the immutability of the blockchain fails to provide the desired integrity, and the voter may never know of the alteration."

The report goes on to say that "Blockchains do not provide the anonymity often ascribed to them." It continues: "In the particular context of elections, voters need to be authorized as eligible to vote and as not having cast more than one ballot in the particular election. Blockchains do not offer means for providing the necessary authorization. [...] If a blockchain is used, then cast ballots must be encrypted or otherwise anonymized to prevent coercion and vote-selling." The New York Times summarizes the findings: The cautiously worded report calls for conducting all federal, state and local elections on paper ballots by 2020. Its other top recommendation would require nationwide use of a specific form of routine postelection audit to ensure votes have been accurately counted. The panel did not offer a price tag for its recommended overhaul. New York University's Brennan Center has estimated that replacing aging voting machines over the next few years could cost well over $1 billion. The 156-page report [...] bemoans a rickety system compromised by insecure voting equipment and software whose vulnerabilities were exposed more than a decade ago and which are too often managed by officials with little training in cybersecurity.

Among its specific recommendations was a mainstay of election reformers: All elections should use human-readable paper ballots by 2020. Such systems are intended to assure voters that their vote was recorded accurately. They also create a lasting record of "voter intent" that can be used for reliable recounts, which may not be possible in systems that record votes electronically. [...] The panel also calls for all states to adopt a type of post-election audit that employs statistical analysis of ballots prior to results certification. Such "risk-limiting" audits are designed to uncover miscounts and vote tampering. Currently only three states mandate them.

All security = an implementation.

To say blockchain is inherently unsafe is like saying software is inherently unsafe, or anything else. Everything has pros and cons, but you evaluate the final implementation as secure or insecure. There are challenges in any medium.

Re:All security = an implementation.

[PopeRatzo]

To say blockchain is inherently unsafe is like saying software is inherently unsafe

Oh, you are so close to a breakthrough.

When it comes to voting, blockchain, like software, IS inherently unsafe. If the main goal for voting security is maintaining the people's confidence in an election, the only system that will meet that standard is a system where people are actually keeping an eye on one another. And I mean physically watching one another. And that's the system we had in place before the advent of voting machines and election software. You had a room full of election judges from both sides, and they sat side-by-side checking in voters as they approached the voting booth and physically watched them put the ballot in the box. When the votes were counted, there was a whole bunch of people from both parties standing around keeping a close eye. When the ballots were sent for storage, one person from each party rode in the truck to drop them off after sealing the container - together - and signing off.

It was trust, but verify. Was it possible to jigger with an election like that? Of course. But you had a list of names of people you could hold accountable at every step in the process. Electronic voting will never, ever be trusted. That is the effect of transparency.

Re:All security = an implementation.

" If the main goal for voting security is maintaining the people's confidence in an election " - Well I don't agree with that starting point definition. I think security = security, not theater of.

Re: All security = an implementation.

You need to make some assumptions for this article to hold: first, that there is an election, second that there are voters, third that the voters are known, fourth that there is anything to vote on. None of those aspects are handled in blockchain and you may as well be playing some stupid video game as much as think you are voting for something

Re:All security = an implementation.

" If the main goal for voting security is maintaining the people's confidence in an election " - Well I don't agree with that starting point definition. I think security = security, not theater of.

Then you're bad at security. Security is theater.

There is no impregnable system. Security can only increase the difficulty of entering a system, it cannot stop a determined opponent. Is a CCTV system going to stop someone from breaking into your store? No, but it will make the person think twice about it, because they are likely to be recorded, found, and caught. Is the TSA likely to stop all bad guys from getting on planes? No, but it alters how much they must prepare to get on board the plane so hopefully they'll trigger a signal and get caught before they get on, or try a different route. Does voting security stop fraud from happening? Of course not, but it creates it makes it difficult enough to tamper with to turn away most bad actors, and ensures the voters have confidence in the system.

Security ultimately changes the decision set of every actor involved toward a common good.

And quite frankly, blockchain does not equal security. It makes an unalterable database, but it does not secure the machine, the UI, and given tech's publicly poor history of securing people's information, it absolutely does not provide confidence of capability to the general public.

Re:All security = an implementation.

" Security is theater. " Pfft, lol. Security is forcing your attacker into a delay of predictable length. Theater is one aspect.

Re:All security = an implementation.

"And quite frankly, blockchain does not equal security." - NOBODY said it did, blockchain is a type of technology, it's vague, I left it vague. You can't even evaluate it as "secure or not" without implementing it to test for that!

-which was the point made above.

Re:All security = an implementation.

I have never seen a DOD vault with a 30 minute entry time replaced with the picture of a tough looking door

You have succumbed to BS, are you PMI certified by chance?

Re:All security = an implementation.

Nice straw man.

Re:All security = an implementation.

To say blockchain is inherently unsafe is like saying software is inherently unsafe, or anything else. Everything has pros and cons, but you evaluate the final implementation as secure or insecure. There are challenges in any medium.

Yes, that's a good summary of the article's main point. Accept that all methods are potentially fallible and consider what will happen when people try to do something dodgy.

- does the rigging leave a trail (paper or otherwise), or is it essentially invisible?
- how hard is it for the rigger to scale their activities - can it be done silently and quickly (bad news) or will it require co-opting a lot of individuals (good news: every additional person is another potential point of failure)?
- how likely is your typical worker to notice the scam?

The key problem with blockchain is that it fails each of these tests. Malware done right is basically invisible and can be scaled with minimal effort. And no-one working on the day is likely to notice anything amiss.

By comparison rigging a paper ballot requires multiple people trying to conceal physical activity (adjusting votes, disposing of ballot papers etc) with as many potential points of failure as there are crooked voting stations... and leaves a physical paper trail.

Re:All security = an implementation.

[shellster_dude]

Blockchains are obviously a terrible solution to election fraud. The only thing that prevents blockchain tampering is a ton of neutral third party machines checking the transactions (typically miners). We've already seen that this is a non-trivial problem when there is plenty of incentive for random people to fulfill that role (mining of crypto currency). National elections have very little incentive for people to invest thousands in hardware and electricity, and a ton of incentive for nation states like China or Russia with the funds and technology to manipulate the results.

If you instead make it a closed system with government machines validating the results, you've not solved anything (or at least nothing that couldn't be solved with more traditional cryptographic techniques like public/private key encryption, signing, and progressive cryptographic hashing). You still haven't solved the issues of patching, of the public's trust in the machines and people involved in securing the infrastructure, or prevented a malicious third party from compromising that infrastructure and altering the results. Blockchain only provides any type of verification, when you can trust that the majority of the verifying machines are not working in league to forge results, and in a voting infrastructure of relatively well secured machines you can do a lot better. Block chain introduces a ton of extra complexity which leads to a ton of additional attack surface while again not providing a lot of value.

Finally, BlockChain does nothing to solve the issue of machines registering one vote and writing a separate vote to the ledger, or even registering multiple votes that are fraudulent. In other words, it is simply a highly inefficient tool that exists to solve an entirely different problem.

Things that would vastly improve voting security:
1) When the user comes in, check their ID to validate they are who they claim to be, and that they are allowed to vote.
2) Give them a randomly generated, complex, unguessable ID number (voteid) in the form of a QR code. This should not be tied to their identity in any way
3) Have user scan said voteid to begain voting and then store with their vote results, and give them the progressive hash of the chain of votes before and after their votes are tallied.
4) Allow the user to swipe their voteid before leaving the voting area, and view how their vote was tallied, on a separate machine (thus increasing the complexity and size of the hack required to hoodwink a cautious user).
5) Allow all users to go online and view their votes as they were recorded (and will be tallied) by entering their voteid on a public website. As well as the aforementioned progressive hashes
6) Have a process by which a user can, upon presenting their voteid contest how their votes were recorded (both at the voting place, and after the election).

Of course the progressive hash idea is someone simplistic, public/private key signing or other more complex solutions could be implemented with different risk profiles. Yes there are still ways that such a system can be hacked and manipulated, but the skill and breadth of the hack would need to be significantly increased to pull it off unnoticed. More importantly, users would be empowered to a fair degree of confidence that their vote was recorded as they intended.

Re:All security = an implementation.

Paper votes aren't any better, just look at Russia's vote stuffing. Literately. Someone comes up to the booth and stuffs fake/coerced votes into the box.

Now the way most US, Canadian, and UK elections are run, the paper vote is a two-step process.

A) You go to a scrutineer to check your name off a PAPER list, they hand you a ballot with no identifying information on it
B) You mark an X on the ballot, fold it in half or stick it in a privacy envelope and then stick it in a cardboard box with a hole on top.

Now the civic elections use something more like a scantron device (remember tests from 1990-2000) where the actual "stick it in a cardboard box" part is actually run through a machine to do automated tabulation, but the paper vote still exists.

The problem with paper votes really comes down to the scrutineer, who may intentionally not be able to find your name on the list, and the tabulation process. The tabulation process is where nearly every paper-vote error comes from, and it's a direct result of people either being too picky or not picky enough. In general, tabulation should be counted by two or three people (of different party affiliations) and when the counts do not line up between them, the counting stops and a different set of scrutineers recounts the entire box.

That's how things remain fair. The problem specifically with US elections is the "provisional vote", by which they're basically not counted. So if you start sending all the black folk to provisional ballots in a racist backwater county, the racist-friendly politician is the winner, every time.

Re:All security = an implementation.

[PopeRatzo]

Paper votes aren't any better, just look at Russia's vote stuffing. Literately. Someone comes up to the booth and stuffs fake/coerced votes into the box.

That's right, because Russia doesn't have the same safeguards built into their elections that we have. You don't have election judges from both sides watching every vote from the time it's cast to the time it's counted to the time it's sent for storage. In the US, there have to be two election judges on hand when absentee ballots are opened.

People can still be corrupted, but the more people are involved in the election process, the safer it is. And since US elections are structured to be de-centralized, there is almost no chance for widespread fraud.

Re:All security = an implementation.

if all '$citizen' pub/private keys were generated on-smartcard,and the public key were enrolled in $democracy --- they would be functionally secure and blockchain would be groovy to use and better; but not $goodenough

$goodenough = you also need to implement Zero Knowledge proofs on the chain votes, so that government murder squads wont kill people who did not vote the proper way.

Re:All security = an implementation.

You don't have election judges from both sides watching every vote from the time it's cast to the time it's counted to the time it's sent for storage. In the US, there have to be two election judges on hand when absentee ballots are opened.

Yep paper is best, and a lot of that is simplicity. You just can't beat it with complexity, since the complexity introduces so many attack vectors. It is a bit like the sudafed mess. Awhile back someone supposedly created sudafed that couldn't be made into meth. They found a way. Why? Because there was enough demand. With something like elections, where Nation States are playing the game, well, you gotta minimize your attack surface.

It isn't enough to say you mitigated against all known threats. The threat level is as high as it gets. You have to mitigate against all known threats and all unknown threats, including a nation state paying the company that fabricates your chips to insert a little something special. This is why an election that can be by hand verified from simple paper is priceless. We give that up at our own peril. There is no acceptable substitute, and I'm pretty sure never will be.

That doesn't mean you can skip on auditing the scanners or making sure the production chain is controlled every bit as much as critical airline parts. You have to do that too, since a lot of the time someone isn't going to go back and check.

Re:All security = an implementation.

> Theater is one aspect.

> forcing your attacker into a delay of predictable length. ... is also one aspect.

Verification, authorization and auditing are all required by the voting process, making the "security" you're focusing on rather incidental.
It's not a compelling reason to scoff.

Re:All security = an implementation.

I am an Election official. We don't have parties at the Rogistrar of Voters. We are all neutral observers.

You are making this up as you type. Stop. It isn't helping.

Re:All security = an implementation.

My cock is mostly neutral. I'll stick it in the cunt of basically any STD-free female. In her fudge box too, if she'd like.

Re:All security = an implementation.

[Ocker3]

I'd invite you to visit us in Australia, where we have the Australian Electoral Commission (AEC), a non-partisan (not bi-partisan) body of people who are collectively considered the Platinum Standard of running elections around the world. We actually send people to the USA to train election staff. We don't have party reps in the voting area until the polls close, then the parties can send in scrutineers who check that the paper ballots are being counted as per the regulations (when I did this I actually noted some of the staff short-cutting the preferential voting process, which I pointed out to their team leader, who corrected the person's work). The Scrutineers are also there to get the latest voting trends back to their parties faster. While paper ballots do take a lot of manual counting, it's a pretty robust system. I hear Hawai'i is doing interesting things with paper verification. A key feature of a non-partisan group has to be the culture, my USA-living father got a half hour lecture from his cousin (who's an AEC staffer) about how serious elections are and that my Dad joking about fiddling the ballots wasn't funny. They take it Very seriously, and that's awesome. And while we may argue about whether the people who Did win are any chop at all, or the media coverage, very few people in Australia question whether the outcome was rigged at the ballot box.

Re:All security = an implementation.

[Ocker3]

Sadly, the TSA haven't shown themselves to be any good at their job, repeatedly. It's hard to get good help when the work is shite, the 'customers' range from sullen to hating you, and the pay is peanuts.

Re:All security = an implementation.

[PopeRatzo]

I'd invite you to visit us in Australia,

I've spent a fair amount of time in Australia. Yes, I've heard you guys do a good job with elections, but I'm not coming back until you get rid of those spiders that jump up and bite you on the eye. Oh, and drop bears and yowgwai. I don't need that kind of stress, thanks.

Re: All security = an implementation.

No!
If the user can check his vote using his special number, then anyone else paying or coercing him to vote a certain way, also can check. coercing the secret number from them, is easy. Tell, or I hit you again...

Re:All security = an implementation.

It's the Bunyips that you have to keep an eye out for mate :)

Re:All security = an implementation.

[Spazmania]

You badly misdefine security theater. Like saying a bank robber is a terrorist.

Security theater is highly visible security activity which costs more (typically much more) to operate than it reduces the risk-cost of breach. It's activity whose purpose is to be seen to do something about security regardless of whether the activity is effective.

Risk-cost is Threat times Vulnerability times the Cost of an incident. Operating cost is implementation cost plus the cost of impairment to the primary operating purpose of the protected system.

Where security decreases Risk-cost by more than it increases Operating cost, it isn't theater. It's just security.

Re:All security = an implementation.

[deKernel]

Your best not suggest your #1 suggestion to people here in my country (US) because many will interpret that as "voter intimidation"....and I wish I were kidding on this. Now on a more humorsome note, #1 would surely cause havoc in Chicago where the motto is: Vote Early and Vote Often.

Re:All security = an implementation.

I know right, finally some common sense about blockchain. Maybe soon they will even realize that anything stored on a computer, no matter how many copies are made across many computers, is not IMMUTABLE!

Re:All security = an implementation.

[bluefoxlucid]

Close, but not quite.

that's the system we had in place before the advent of voting machines and election software. You had a room full of election judges from both sides, and they sat side-by-side checking in voters as they approached the voting booth and physically watched them put the ballot in the box. When the votes were counted, there was a whole bunch of people from both parties standing around keeping a close eye. When the ballots were sent for storage, one person from each party rode in the truck to drop them off after sealing the container - together - and signing off.

Today, we have issues like 3,700 votes not being counted and ballots being apparently cast but somehow missing; or a ballot box being "found"; or all kinds of mucking with the error rate to intentionally miscount; or people invalidating ballots because they have a stray mark that could be a signal to a third party that the vote they purchased was cast faithfully.

Paper ballots aren't magically secure.

Was it possible to jigger with an election like that? Of course. But you had a list of names of people you could hold accountable at every step in the process.

Not really. In paper voting, it's possible to tamper at multiple stages. An unscrupulous election staffer can shuffle blank ballots to an individual who comes in and votes, casting multiple ballots into the box at once. A little sleight of hand. That's why ballots have anti-counterfeit properties, and why we freak out when we discover someone has a pile of blank ballots.

If you have a list of registered voters who never vote, you can tamper with the voting rolls by casting ballots at their polling places. Write their names in throughout the day and use one of the ballot numbers attached to the pile of stolen ballots.

Nobody can quite identify if or who. Totally-invisible, except for the record turn-out in your precinct (up 10%!).

Electronic voting will never, ever be trusted. That is the effect of transparency.

Paper voting is trusted too much, and people even let you take ballots out of public view "because the ballot boxes are kept in a secure location."

Current electronic voting is horrendous. You bring in a pre-programmed machine, "certified" by a trusted third party. Trusted? You fail. Load malware the night before; have the malware tamper with votes; delete the malware at poll close (self-removing!). Wipe forensic evidence by simply eliminating the deleted file pointer and clearing out the file contents for the malware's binary. Nobody will ever know.

You can secure elections with high integrity by using a non-repudiated elections integrity model, which practically requires electronic counts (we can't tamper with the counting that way). Ensuring non-tampering of the ballots in transit from the polling location is doable without electronic voting; this doesn't ensure the ballots weren't miscounted to arrive at the output values.

Electronic voting machines can't be network-connected, so you can't use blockchain. Blockchain is invisible, anyway, until you put something on the public blockchain, so you can tamper until then.

EVMs need to start non-tampered; and you need to prove that they are untampered at poll open in a manner which people can inspect at any point in the future. That means any person in the world can identify any tampering functions and any alteration in the software--and they can identify these things at any time in the future. If you haven't achieved that, you're using a black box with no assurance it's properly recording votes.

On the other hand, once you achieve that, paper ballots are invalid: if the paper audit trail disagrees with the electronic audit trail, the paper audit trail has been compromised.

Re:All security = an implementation.

[PopeRatzo]

Today, we have issues like 3,700 votes not being counted and ballots being apparently cast but somehow missing; or a ballot box being "found"; or all kinds of mucking with the error rate to intentionally miscount; or people invalidating ballots because they have a stray mark that could be a signal to a third party that the vote they purchased was cast faithfully.

The reason you know this has happened is...because we know this has happened. With black box voting machine elections, you don't know what's happened at any step of the way, and anyone who tells you that they do is simply lying.

The thing that makes paper ballots more secure than any and all electronic methods is that lots and lots of people can watch the entire process unfold in real time. And not just on some number incrementing on a screen, but on actual physical ballots that exist in the real world. There is still potential for abuse, but not anywhere near the potential in electronic elections.

You have a choice, right now:. I can give you $10,000 in hundred dollar bills in a briefcase right now, or I can show you a video monitor that shows I just deposited $10,000 in a bank account that I might or might not give you access to at a later date. Which do you take?

Re:All security = an implementation.

[bluefoxlucid]

because we know this has happened.

Do you know that it has happened, or do you know it has happened only these times?

With black box voting machine elections, you don't know what's happened at any step of the way, and anyone who tells you that they do is simply lying.

Yes, exactly. That's the part you need to fix.

The thing that makes paper ballots more secure than any and all electronic methods

I've designed an elections integrity model. It's more-secure with electronic voting machines than with paper ballots--to the point that if you have a paper audit trail and the paper audit trail is in conflict, it's the paper ballots that are tampered.

I did this by eliminating the black box. You have to prove, at poll open, that the machines run non-tampered software. That means they start blank and you start with read-only install media. Everybody has to be able to inspect what's happening. If the people watching election open--that is: regular folks who walked in off the street--copy, verify, and upload that software image, then every person in the world is physically-capable of inspecting that software forever.

Physical ballots in the real world are open to stuffing, losing, and altering.

I can give you $10,000 in hundred dollar bills in a briefcase right now, or I can show you a video monitor that shows I just deposited $10,000 in a bank account that I might or might not give you access to at a later date. Which do you take?

Actually, it's more-complicated than that.

You and I can disagree on whether a bunch of arbitrary people instructed to deposit a single $1 or $5 into a briefcase will deposit more $1 bills or $5 bills, and whomever is right gets the money. We then open several collection stations and invite people to come do this. The money is then counted, put back in the briefcases, shipped under watch of a few definitely-trustworthy people, taken to a central location, and counted together.

Instead, we can have those people come and fill out an electronic deposit form on a non-network-connected machine which has had its running software image published and was imaged under public watch as each station opened. At close, the machine displays the totals of how many 1's and 5's were deposited; we then pull its data and copy it to a central location where all electronic deposits are made (and all deposits are somehow guaranteed to be valid: once they've put in the deposit, it WILL come out of their account). The total deposits should be the sum of all observed totals at individual locations or else something has tampered with the numbers.

Now, under this first method, some of your agents can slip people extra 1's or 5's to sneak into the briefcases. Some of your agents can manipulate the errors in counting the money--a common sleight-of-hand trick. Agents can integrate additional 1's and 5's into the stack as they open the briefcases and remove the moneys. Once they've gotten away with it, it's not discoverable.

Under the second method, any software to commit tampering is discoverable. We can't go inside the neural network embedded in each human agent, but we can examine computer code; and the computer code was released to the whole public. The counts are guaranteed correct or discoverably manipulated, and can't be manipulated later.

The electronic method also doesn't fall to simple sleight-of-hand in counting or in slipping in extra bills: alteration while running the polls takes several minutes of invasive physical effort, and can't be instantly-aborted. It generates anomalous audit trails as well.

That's the reality of paper ballots: you only need someone to turn their heads and cough. You can mess with them while people watch and not get caught. With electronic voting, you have more integrity threats, and must reduce the attack surface to avoid those threats; what's left requires people to just up and leave for half an hour or so and not ask questions.

Paper ballot fetishism is magical thinking.

Re:All security = an implementation.

"Vote early, vote often, and find more boxes of votes later."

Re:All security = an implementation.

It's not voter "intimidation", it's voter suppression. Getting an ID, at least in my state (Florida) is nowhere near as trivially easy as a lot of people seem to make it out to be, especially if you're homeless or poor. However even if that weren't the case, try looking at it this way: "having a government-issued ID" is not a legal right guaranteed by the constitution, so requiring that you have one to be able to vote means you're effectively saying "you can't have the RIGHT to vote without the PRIVILEGE of having an ID." Regardless of how "easy" it is to get that ID, you're still gating someone's legal rights behind something that is just a privilege.

Requiring an ID to vote would be fine if we also guaranteed the right of everyone to *have* an ID in the first place, and better yet required that ID to be issued automatically without the person having to do anything. If everyone just automatically got a completely free ID when they were born or reached a certain age or grade in school or something like that, and we set up programs that actively made sure everyone had one even if they lost it or were homeless or homeschooled or anything that might not let them get one through normal means, then it would be totally fine to require them for voting or any other right.

Re: All security = an implementation.

[KingAlanI]

In New York state at least the board of elections activities are bipartisan

Re: All security = an implementation.

[KingAlanI]

I agree voter ID sounds sensible in theory, but it's disenfranchisement in practice.
it would be a pain in the butt for poor people to get the paperwork especially if they don't have a car. Fees to get forms could be a de facto poll tax, banned by the 24th amendment (some voter ID laws do include exemptions to govt records office fees). A Texas voter ID law counted concealed carry permits but not college IDs, that sort of thing highlights the conservative bias of such laws.
In New York state you're just ID'ed when registering and sign in at the polling place which can be checked against the signature from the registration form.
Prosecuted cases of vote fraud are rare so it's a "solution" in search of a problem.

Re: All security = an implementation.

[shellster_dude]

How would this coercive third party know this value unless the voter gave it to him? It's randomly generated when he walks in to vote. It is not tied to him in any way. If say, I were a person where I suspected this might happen, I'd just "lose" my random ID after checking my ballot on the other side. I can't validate my vote further on down the road, but no one else can force me to turn over my result.

Re: All security = an implementation.

[shellster_dude]

People make this claim all the time, but it's nonsense. People some how manage to get an id to get welfare or to apply for most jobs. You don't even have to get a license to get State ID, you literally go to the DMV, and pay less money that a driver's license costs, and they ship you one that's usually good for between 5-10 years. If you can ride a bus, you can get to the DMV. Considering you can't buy alcohol, open a bank account, get most jobs, or get government assistance, it is not an unreasonable ask that you get photo ID to vote.

Re:All security = an implementation.

[tkotz]

How do they know the commission is non-partisan? Where do they find people interested in government enough to care that voting is done properly, but don't care about the outcome? I think a culture of berating people who mentioned that they may be have bias or have the power to alter the vote so they don't mention it publicly is not non-partisan. It encourages repressed partisanship and grants power to people who don't care about the cultural norms.

The advantage of multi-partisan committees is you know everyone's bias up front. Someone could lie about their affiliation, but being that they are approved by their party that really is playing the long con and arguably the parties' own fault. If the losing parties agrees that they lost it is a really good way to be certain the winner won. It's why in elections when one is losing conceding the seat, rather than tallying every vote is considered a classy thing to do.

--
"What makes a good man go neutral? Lust for gold? Power? Or were you just born with a heart full of neutrality?" --Zapp Brannigan

Re: All security = an implementation.

[tkotz]

How coercion works:
"Bring proof you voted W and I'll give you X"
"Bring proof you voted Y or I'll break your Z"

To prevent coercion you have to let them vote without giving them proof they voted in any particular way. The voter is not considered trustworthy in the anti-coercion case. They are by definition acting under duress.

Oh the irony

[the_skywise]

All elections should use human-readable paper ballots by 2020. Such systems are intended to assure voters that their vote was recorded accurately. They also create a lasting record of "voter intent" that can be used for reliable recounts,

Now I agree with this and am happy to move back to paper ballots - But the entire reason we moved away from paper ballots was because of the 2000 elections where Florida used punch cards and political officers kept trying to argue over "partial punches", "dimpled chads" and "dangling chads" where they tried to reassess what the voter's INTENT was.
And, of course, let's not forget magical disappearing and appearing boxes of ballots.
Any system can be hacked but the electronic one is harder to track hacking than the good ol' traditional methods with paper ballots.

Re:Oh the irony

Your comments on the 2000 Florida situation are good ones, but the key thing here is that happened due to the closeness of the race. That will happen regardless of the system if the race is that close. However, with a mostly digital system, it's possible to alter things on wider scale. Which means that instead of recounts where an entire state's ballots are recounted because the electoral college and the popular vote are that close, it'll happen in every state when the winner's margin would otherwise seem clear.

And I'm sorry, but you can't say that the whole voter intent thing would go away. While you may be able to trust the blockchain, can you trust the UI/UX designer? Did their design choices make the choices clear? Were the buttons too close?

Given the large number of data breaches by companies we're supposed to trust with our data, like EquiFax, and given the government's poor record of implementing digital systems, like the Healthcare exchange, why would the public trust the government to implement a proper voting system and ensure it's secure?

Re:Oh the irony

People can be "hacked" in a similar fashion to a computer. The weakest link in the security chain is always a human or human error (which could be said that the link in question inherited the error from the human.) There are ways to mitigate the risks, but there will still be a heavy a level of uncertainty in any national vote (until a better solution is put in place.)

Re:Oh the irony

Where I live, data is entered on paper ballots (by drawing a permanent ink line between two arrow-points next to your selection), which is then scanned into a counting machine and finally stored in a locked container to be used in any potential re-counts or verification.

Simple, secure and verifiable

Florida's system was intentionally designed to be confusing, and every single electronic balloting machine is intentionally designed to be easily (and untraceably) corrupted.

We could have a simple, secure and fast voting system IF partisan hacks were not in charge of the process

Re:Oh the irony

Yep, and the workers were *aware* of the problems: they were visible and, frankly, pretty trivial to fix next time around.

Now compare that with some malware quietly changing votes between keyboard and blockchain entry - not outright and obvious, but say something subtle like "randomly switch 5% of votes for candidate A to candidate B" in a tight race. The chances of something like that being noticed in a timely manner is almost precisely zero - that is the problem here!

Re:Oh the irony

I think the real reason we moved from paper are twofold. Cheaper (no printing cost, no scan cost) and faster because we want the tally done when the polls close. While I totally get you can stuff the ballot box, it is much easier to imagine changing some bits to get the right answer. I'd also push to up the penalty for stuffing the ballot box to something that makes anyone think very carefully before doing or authorizing it done.

Re:Oh the irony

One STUPID implementation of using paper ballot did not mean all paper ballots have problems.

The rest of the world do not have such STUPID issues by simply using pen or chops to put a mark into a little box next to the candidates' names.

Only the STUPID idea that the votes must be tallied within hours after the vote closed, requiring a machine readable paper ballot that caused these STUPID problems. The rest of the world have no problem waiting until next morning, or however long it took to hand count the votes (and however many recounts until the counts matched) to hear the result.

Re:Oh the irony

[Dare+nMc]

Their have been academic papers proposing electronic system that would be safe, where you could verify that your vote was counted (IE received at the server.)

In theory with open software, hardware, and multiple servers (again all open source) we could have a very robust electronic voting system. This would require a large project likely done with universities, and it may even be similar to some bitcoin concepts.

The technology side is very solvable, getting the project started, past the politics, and accepted by people who aren't able to understand the theory behind it is the hard part.

I am confident currently political parties are strongly against starting down this path. As once it was implemented we could do things like nationwide ballot initiatives, and those can bypass lobbyist and pork barrel politics.

Re:Oh the irony

I work in life science, there are tons of academic papers out there about all sorts of things. Very few propose solutions that would work in the real world; this included.

Re:Oh the irony

Their have been academic papers proposing electronic system that would be safe, where you could verify that your vote was counted (IE received at the server.)

In theory with open software, hardware, and multiple servers (again all open source) we could have a very robust electronic voting system.

There is too much gain to be had to subvert some critical element. Remember there are Nation States behind it. Having vulnerabilities before they are generally known, or somehow slipping in custom silicon or custom binaries, is feasible, particularly if you control any part of production.

Basically if you are insistent on using technology, you still have to back it with a paper trail. Whether that is a laser printer in each booth that prints your final results, or any variation, such as a long roll of paper tape. The person voting has to see the actual entries on the actual paper that is saved.

The security might be slightly more achievable if your vote was a public record that can be searched, since people could check that nothing happened at any point, and others could research. I'm not sure we want to give up the anonymous ballot just yet though.

Re:Oh the irony

One of the interesting parts of our current voting system is that it is anonymous. Once your vote goes into the system it cannot be tied back to you. There is no way to know if any particular vote was cast by any particular person. This is very important because, since it is impossible to identity a vote:voter pair, you cannot legitimately coerce someone to vote a certain way - you cannot prove that someone did or did not vote the way you told them to.

This prevents people from selling votes and "you sure have a nice puppy, be a shame if you voted for the wrong person" situations.

One of the big things I see people pushing with new electronic voting systems is "you can verify that your vote was counted and that it was correct!" Well guess what - if you can do that then so can someone else. That's a problem.

I *do* think that there is a place for an electronic component. Think of this:

1. Voters get a paper ballot.
2. Paper ballot is read by a local machine.
3. That ballot is recorded on a blockchain.
4. The voter can wait for their vote to be accepted.

And I don't use blockchain to be flippant here; I think that this may be one of the very few use cases where it can be a useful tool in the toolbox - but just one of many. It would be a private blockchain, with the data released to the public AFTER the polls have been closed.

Now, in theory, you have:

1. A real time stream of votes - which can be used to help detect irregularities.
2. A very tamper-resistant record of that day's voting.
3. Ease of tabulation. Polls close, results are instant.
4. Multiple levels of verification.

A blockchain, BY ITSELF, is not sufficient but it can be used along side other technologies to add an extra layer of protection.

If you run into a situation where the local tallies don't match with what was submitted to the blockchain, then obviously you have a problem. If you do a physical recount and the number of votes do not match what has been recorded locally and on the BC, then obviously you have a problem. Time to investigate.

Still anonymous, but the voter can wait to ensure that their vote is recorded in all three places. That is a level of assurance I would personally appreciate.

Re:Oh the irony

[bluefoxlucid]

We moved away from paper ballots because of the rampant fraud associated with paper ballots. That's how we got punch card machines.

of course, let's not forget magical disappearing and appearing boxes of ballots.

See?

the electronic one is harder to track hacking than the good ol' traditional methods with paper ballots.

Oh I can do better than that

I think I'd have the log collector hooked up to the big display in that, too. Easier to show many statistics. We could show the public observers that X voters have cast ballots, that the two ballot machines are running in-sync, and so forth. Any important log notices would appear.

It's kind of annoying doing this with one-wire serial, but I don't want to put the EVM and two ballot boxes on an Ethernet network together. I want one-way communications, and nothing able to signal anything to the active EBB.

Re:Oh the irony

[bluefoxlucid]

Verifying that your vote is counted doesn't tell you the election is untampered; and verifying that your vote has been counted opens up the election to tampering via vote-buying.

We must verify that the ballots as a whole are counted, collected, and summed.

and those can bypass lobbyist and pork barrel politics.

I like pork. Four years ago, we had won a new transit system in our State. $2.2 billion dollars expected cost; the Federal Government gave us a $900 million grant.

That's pork barrel spending.

Every time the Federal Government pays for a State project--notably infrastructure--that's pork barrel spending.

Government waste is a real problem; Conservatives have pushed the idea that any spending on local projects is government waste. The culmination of this has been last year's proposal by the President for massive infrastructure projects while calling for the states to pay for them and stop asking the Federal government for money.

Re:Oh the irony

[Dare+nMc]

> Verifying that your vote is counted doesn't tell you the election is untampered; and verifying that your vote has been counted opens up the election to tampering via vote-buying.

That everyone can verify their votes are un-tampered, actually does tell us exactly that. And no, we only allow you to prove you voted to others. Their are several proposals that have been discussed to do this. Where you can leave with your vote encrypted on paper, and you can provide any number of false keys to prove whatever you want anyone else to see, only if they were in the both with you could they get the real key. You would only give a small % of volunteers from each machine the option to verify the true keys are used throughout. The other option is to allow multiple votes, such that only the last one is counted. again only a small % are required to be given the true decryption keys to validate the process is working and we don't have a massive corruption of the process.

> We must verify that the ballots as a whole are counted, collected, and summed.

Exactly, that is why you allow everyone to validate their true ballot is cast. You also allow as many servers collecting results, with the same open source software. You can verify and validate they all get the same results, if any official servers differ, or sufficient private servers differ to raise concern of a mass fraud, then you can re run all the ballots and find the difference. The states would have the keys for every machine in the state, and verify all machines reported in their results, and no extra machines reported extra results.

By having states generate their own private keys, you would have multiple keys, one for voter identity, one for candidates, another for each polling places id. After the election is over and the server data is verified received, you release the candidates private key, and every server can tabulate the results (their is proof of concept of doing math on encrypted data, without the keys, so it is possible all results could be calculated and compared before receiving the private keys, only need the private keys to declare the winner, and can be done after all servers have verified they came to the same winning result.) That way the private key cannot be used during the election to generate any more public keys...

As long as the private key for voter id is kept secret from all but a single validation location, even if you give your voter id to someone else, they cannot find your vote information. You can only verify the complete and un-altered vote you cast was received at every server. Since every vote, polling place cast, ID cast... is public information. Select people, in isolation using all the private keys can validate the entire election process.

The great thing about ssl, is we only care if the voting machine is secure, the encrypted packet can be path agnostic. Votes could all be printed and carried on paper and scanned. They could be flash drives, people could scan them at home and broadcast them. You can send the packets in 50 different ways, and state actors would have to block/corrupt all 50 ways to block that vote. duplicates are discarded. Until the private key is released, all is secured.

> I like pork.

Not all government would be by direct vote, that isn't how states with ballot initiatives work. But currently a bill like national health care could never get passed cleanly, as their is no way to pass it without paying off the special interests in DC. That is not true with ballot initiatives, if it is good for the majority and isn't being done through the normal process, this is where the corrupt process bypass happens. A health initiative or public university project could produce the bill that is then taken outside of partisan politics for passage. The standard process still stands for bills where that system is working.

Re:Oh the irony

[bluefoxlucid]

That everyone can verify their votes are un-tampered, actually does tell us exactly that.

No, it only tells you that your vote is untampered and that nobody has complained. If a bloc of people complain, they may be trying to throw credibility concerns rather than reporting honestly.

we only allow you to prove you voted to others. Their are several proposals that have been discussed to do this. Where you can leave with your vote encrypted on paper, and you can provide any number of false keys to prove whatever you want anyone else to see, only if they were in the both with you could they get the real key.

A zero-knowledge proof. They're hard to set up. I've proposed a similar scheme for Internet voting; problem being that Internet voting is not observable and is thus incapable of providing any integrity at all, thus is not a viable method for public elections. (There are other concerns; most are coverable.)

You can't keep your real key if you're avoiding coercion or vote buying. Coercion would require you to show up with only one key, as they can't identify how many valid keys you created. You'd have to discard your real key and keep your false key; the possibility of doing so then makes it impossible to prove you haven't, so you can show up with any number of false keys and cannot prove which is real or if any is real.

The other option is to allow multiple votes, such that only the last one is counted

You'd have to identify who voted what, or identify single-person vote batches. This mimics a risk with ranked ballots: a specific pattern of voting can identify a voter. If you're only counting the last vote and identifying a person's batch, you have to identify which was actually counted, which gets you back where you started.

Exactly, that is why you allow everyone to validate their true ballot is cast. You also allow as many servers collecting results

I've suggested that--of course, with the results being after polling center counting. We don't plug voting machines into networks. That's a thing VVSG 1.1 allows; it's ludicrous.

with the same open source software.

Working on it, but this is really just a mess. I'm looking at architecture to get a feel for how to run this; in truth, I can't build this software. I'll have to hire programmers, and I only know a few who are actually cognizant of things like good architecture and design.

Prototyping helps me think.

You can verify and validate they all get the same results, if any official servers differ, or sufficient private servers differ to raise concern of a mass fraud, then you can re run all the ballots and find the difference. The states would have the keys for every machine in the state, and verify all machines reported in their results, and no extra machines reported extra results.

You've already failed.

I have suggested we can propagate results to anyone and everyone, and "recount" by all interested third-parties in real-time. In truth, even for ranked ballot elections, your public observers will be posting photos and results at each polling station to Twitter or New York Times or whatever. You can likely reverse a set of pairwise results to a set of ranked ballots (these are 1:1) in something like O(m*n^2*log(n)), although I haven't figured out the right algorithm yet. It's linear to combined sets, which means decoding two sets of 100 ballots takes twice as long as one set of 100 ballots, while one set of 200 ballots takes longer; because you can graph a necessarily-existing ballot or reduce the number of candidates in a subset of ballots, you're continuously shrinking the coefficients and so you get weird logarithmic stuff.

In any case, this all means we can not only validate the per-polling-place r

Re: Oh the irony

[KingAlanI]

Also Trump's infrastructure plan has included subsidies for private projects which sounds like a handout to big business for something they might do anyway

Re: Oh the irony

[bluefoxlucid]

Yeah, don't do that. Build infrastructure to attract business; don't give business money to build a private building for themselves.

Infrastructure spending is for public projects.

Bull

I call bullshit on this one. A good block-chain implementation is the ultimate solution. Makes you wonder if the real problem is that it would be too good.

Key statement

They key statement in the finding that most technology solutions fail to solve is this:

"Such systems are intended to *assure* voters that their vote was recorded accurately."

In the end, paper ballots may seem inefficient from a processing perspective, but that inefficiency becomes inherently difficult to tamper with and builds in systems for checks and recounts. The argument here is that blockchain is vulnerable before the data is stored in the blockchain, at the UI and the machine level, and blockchain then will hard-code the malicious event.

But the key phrase here is "assure voters that their vote was recorded accurately". In the end, an inefficient system being difficult to tamper with makes voters feel more secure, meaning there is less likely a challenge to the system. If the voting public believes the system can be tampered with at a large scale level, then challenges and recounts and legal battles will happen with every election, and undermines the process where this is a simple majority winner. Instead regardless of their margin of victory every winner is subject to suspicion by the public. Maintaining public confidence in the accuracy of the system is far more important than the actual accuracy of the system.

Re:Key statement

[presidenteloco]

Blanket arguments against computer algorithms for secure voting (or secure anything) are illogical, emotional, and flawed.

People argue to the effect: Because many programs have been found to have a security flaw in either A) the algorithm mathematics and logical assumptions, or in B) the implementation, therefore ALL programs must have some flaw in A) or B) therefore there is no such thing is a secure computer program. That is just bullshit. It's incorrect, unsupported generalization from specific examples.

Just because it is a wise precautionary stance to be extremely skeptical of computer algorithmic voting security (or application security in general), and just because it is wise to demand transparency of the system so that it can be continually reviewed and critiqued (by both the competent and the incompetent),
DOES NOT mean that no secure voting system (or application of whatever kind that should be secure, like banking) is possible.

The reasoning that all computerized voting is flawed is the same is the following reasoning:
Many software programs have bugs (either in design or implementation),
Therefore all software programs have bugs.
And that is just layman-level, lazy-thinking, paranoid, non-technical bullshit.
There are, obviously, many algorithms and implementations that do not have bugs.

Here's one, in pseudocode, to output the number 10:
n = 0
while n 10:
        n = n + 1
print(n)

Ok, it's simple, but there are by simple extension many more complex programs that also have no bugs and do some defined calculation or data processing as designed, correctly implementing an unflawed mathematical and logical computable operation.
And you can say, oh, but the language layer or vm layer or OS layer or whatever, below, has bugs, and I will say, many of them do, but it is not a necessary condition.
So stop saying that adequate computer security is impossible. It's not. It's just very very very hard.

But whatever it is, it should be easy compared to the ease of carting stations' worth of paper ballotboxes off to a bonfire in military trucks, or simply threatening with submachineguns or machetes anyone that dares venture near a polling station. The bar we're competing with is NOT VERY HIGH.

Seriously, there are zero-knowledge proofs, mixes, all kinds of true anonymization techniques. There ARE currently unbroken strong encryption methods. And a voter authentication process that uses computers (bottom-up trust and reputation networks on a blockchain) AND people to build up assurance in the identity is not necessarily less trustworthy than a human and easily-forged paper document/ identity card authentication system.

Let's get serious and seriously technical here, and stop with the fearmongering bullshit.
Are all zero-knowledge proof and input mixing algorithms inherently flawed, for example? Can you prove that?
Is all strong encryption, including new research-stage quantum-resistant algorithms, definitely breakable within the forseeable future?
That's not the assumption that we're building the entire rest of the application ecosystem on computerized networks on.

More realistically, there is an arms race between encryption and anonymization algorithm design and implementation, and attacks on them. But that ongoing battle DOES NOT LOGICALLY MEAN that in well-defined areas, we can't be assured it is correct and secure.
1 + 1 == 2 ALL THE TIME (in decimal and a few other bases anyway).

Re:Key statement

[presidenteloco]

Ok, there's a stupid bug in slashdot apparently, not including my less-than sign.
There. One bug.
What's up with that. Let me try again. Hmm. There was a less-than in there just to the left of this sentence. That's lame on slashdot software's part.
So you proved that ALL programs have bugs?
Didn't think so.

Re:Key statement

[sconeu]

Use the entity <

Re:Key statement

[presidenteloco]

Didn't try that because pretty sure my slashdot post settings are set to the "plain-text" format option, as opposed to some kind of html format option. I guess they meant plain-text without less-than characters.

Re:Key statement

[presidenteloco]

Oh, ok, they changed all my post settings on me in some new version of slashdot. Oh well.

Re:Key statement

[bluefoxlucid]

Just because it is a wise precautionary stance to be extremely skeptical of computer algorithmic voting security (or application security in general), and just because it is wise to demand transparency of the system so that it can be continually reviewed and critiqued (by both the competent and the incompetent), DOES NOT mean that no secure voting system (or application of whatever kind that should be secure, like banking) is possible.

In fact, the system I designed fails the same way paper fails: if nobody's watching, you can do whatever you want. I just narrowed the window to between poll open and poll close, and made it extremely difficult to bypass public observation via sleight-of-hand.

It still needs refinement. This will work, but I need to define some of the specific throughout-the-day handling procedures and protective measures to prevent physical intervention. It's not good enough to just say "we need public observers"; we need alarms and impediments to ensure any attempt to tamper is highly-visible, leaves evidence, and takes a large amount of real time. I've made mention of such things, but haven't written down a detailed implementation.

The reasoning that all computerized voting is flawed is the same is the following reasoning: Many software programs have bugs (either in design or implementation), Therefore all software programs have bugs.

Computerized voting is invisible. Computers can have tampering paths which are invisible. You must prove a computer contains only specific, known software, which can then be inspected by everyone forever so that any invisible tampering can be discovered at any time by any person.

It's not about computers mistakenly doing the wrong thing; it's about computers intentionally doing the wrong thing and actively hiding it. We have to make it impossible to hide.

Re:Key statement

[sconeu]

Try "Extrans". The notes say it will not convert &, <, and >

Paper ballots are by far the most secure solution

[Seven+Spirals]

Gimme a break. Use paper. Computers will be better tools for tabulating and processing the votes after they are cast, but it's tough to beat paper for a recount. Even paper has it's flaws, but the hand waving crypto-bullshit is pathetic "Oh but this counter signature will detect if the previous initialization vector was properly zeroed inside of the S-Box" *rolls eyes*. KISS baby. Things don't get more secure by making them more complex and I can't think of any way to make something more complex than to introduce computers. Computers are great at some things, ideal for some tasks: not for voting. They suck at that.

well the bitcoin blockchain holds child porn

so this is a good call

paper ballots

The only way you can have some measure of accountability while keeping votes anonymous.

Re:paper ballots

Since no one else has linked it:
Obligatory xkcd

Or, for heaven's sake, you can just use paper

[mark-t]

Make a simple mark on a paper ballot indicating your vote, fold it, put it in a box.

done

Now theoretically you could bribe people who do the counting, but you'd have to bribe a *LOT* of people to make any kind of difference because each individual ballot box with the folded ballots contains but a tiny fraction of the number of votes, and nobody ever counts the ballots from more than one or sometimes two different boxes.

Re:Or, for heaven's sake, you can just use paper

I'm not sure for the US, but in Canada each ballot box contains maybe 100 votes (probably more in large cities) and you'll have 1 to 3 scrutineers watching the counting (and the voting process), and 2 or 3 elections officers doing the counting, yeah, you're looking at a *lot* of people to deal with.

The last time I did scrutineering we counted 47 ballots, total. And this was at a polling station in Canada's 10th largest city. Scrutineers are going to be hard to turn, because it is a volunteer position. That means the person doing the job isn't there for money.

There is no reason to not use paper ballots except for the expense, but that doesn't seem to be what people are complaining about.

Re:Or, for heaven's sake, you can just use paper

Where I live, we have a slight variant of that.

Mark ballot with provided pen.
Put ballot in scanner.
Scanner deposits ballot in the ballot box.

The scanner provides the auto-count, and the box below it has all the physical ballots if any questions arise.

On the other hand, I do have to show a government-issues ID before getting a ballot, so I suppose I live in a racist district.

Re:Or, for heaven's sake, you can just use paper

[mark-t]

Here in Canada you need to provide proof of identification as well. Government issued photo ID such as a driver's license or is best because it's generally just a show-it-and-go, but others can be accepted... there's just some extra paperwork involved, and one might need to have multiple ID's.

Re:Or, for heaven's sake, you can just use paper

[MobyDisk]

Is there any other country with modern infrastructure (stable government, ID cards, functioning postal system), other than the US, where you don't have to provide ID to vote? I have voted for decades and it still strikes me as odd every single time. I've never understood how requiring proof of identification disenfranchises anyone.

Re:Or, for heaven's sake, you can just use paper

[mark-t]

It shouldn't... you have to register to vote in the first place and that generally requires identification... the only reason you need to have identification to pick up a ballot is to make sure that you are the person whose name is on the voter registration card (and that you didn't swipe somebody else's so that you could try and vote more than once). In general, one just has to present the same ID that they used to register to vote in the first place.

It's even possible to vote without having received a voter registration card, but there's a special line for that, and the processing can take a lot longer, depending on what forms of ID the person has. In my observed experience, the lineups for that are shorter than the lineups for regular voting, but then after processing the person has to get into the regular voting lineup anyway, so there's no potential gain to be had.

Re:Or, for heaven's sake, you can just use paper

[davide+marney]

It must be nice to have an election with only 47 ballots. In the state where I volunteer, 3.6 MILLION ballots were cast in the last federal election.

Re:Or, for heaven's sake, you can just use paper

[mark-t]

What, does everyone in the entire state vote at the same physical location? That seems like it is logistically infeasible.

Obviously you have one polling station for every 5 to 10 thousand or so registered voters... and you have maybe 10 to 20 ballot boxes at any single polling station. In couple the times I've worked for elections Canada to man a ballot box, I've never seen an election box that was actually full, and the number of ballots in each box seemed to be no more than a couple of hundred, often much less.

Transparency is the key

[victor_alarcon]

I thought that was the main selling point. Yes, I'm sure someone can come up with some anonymity scheme but transparency should be top priority. Apologies if the point is too naive.

Re:Transparency is the key

Blockchain's main selling point is basically supply-chain logistics. Blockchain could be used for electronic voting, but too much of the problem is put on the user-end, which is why paper votes are still better. If governments want to start handing out "voting blackboxes" to plug into their TV's or phones, and then just tap your drivers license or passport to vote, then you still have the risk of that box being tampered with by the time the election comes around.

Re:Transparency is the key

Yes, Transparency. So your boss, union leader, mayor, police chief, church master, abusive husband, etc... get to see how you voted. Nothing bad can happen. This is not democracy ending at all.

25 start-ups just lost $5 billion in valuation

all because their blockchain based voting proposition got shot down.

the real story

[slashmydots]

Blockchains are perfect, right? WRONG. And also right. They are mathmatically flawless BUT if you outprocess the rest of the network, you can finalize a block with whatever the hell you want in it. You can form a block that says you own all bitcoins, all transactions put them in your wallet, and you're also the queen of England. The reason this "51% attack" doesn't happen it because that amount of processing power doesn't exist. That many ASICs don't exist on Earth. But let's set up a separate blockchain and separate currency called votecoin. Even if you buy a million dollars worth of graphics cards, someone could conceivably buy 1.1 million worth and forge a fake block with fake votes. So make it a billion. Oh wait, Russia has more than $1 billion. Darn. I mean getting a hold of that many GPUs would be difficult but there's always the secondary market. And then where did the first person get that many GPUs then if they're so hard to get a billion dollars worth? It doesn't work unless you can somehow tie it to an existing HUGE network lieke Ethereum, which btw also doesn't work.

Re:the real story

[Kaenneth]

Even with a 51% attack, the Bitcoin blockchain is filled with digital signatures; noone but your own nodes would accept the blocks, and you would only be 'fooling' yourself.

Electronic voting could only work if every citizen had their own private, secure, digital signature key. Which can't happen in the US because poor people can't afford them, and a certain party would never give anything for free, while the other would protect the poor.

Re:the real story

They don't care about the poor they just want to make voting more accessible for the flood of apes they want in to secure victory for themselves. Dems hate the poor.

Re:the real story

[sg_oneill]

Heres the thing that drives me nuts. Literally every single use case for the block chain re "contracts", can be done faster, vastly more securely, and with no concievable 51% style attack that doesn't involve "Solve the prime number prediction problem that probably is unsolveable" thing.

Its called "Public Key Signing" and its been common since the 1970s. I got to a ballot box, create a vote. I use my Private key to sign it. The govt uses their private key to sign it. I have the govts public key and can verify that they, and only they, recieved it. The govt has my public key and can verify that me, and only me, created and signed that vote.

Theres still an anonymizing issue, but its not hard to just strip identifiers off the big ol' bucket of public keys, so that the govt just has a list of verified public keys, but has willingly stripped off identification from them. Perhaps this part would be supervised by the judicial branch to ensure no shitbag politicians are stealing ids to punish voters later on.

Perfect security. Perfect verification, and as long as the anonymization process happens correctly, perfect anonymity.

 

Re:the real story

1) add a shit ton of public keys to the verified list
2) use these keys to cast votes
3) profit

Captain Obvious

Thanks Captain Obvious! seriously? "if malware on a voter's device alters a vote before it ever reaches a blockchain" Fucking duh!

Re:Captain Obvious

[jwymanm]

This was the dumbest comment in the article. Obviously software methods exist to verify after the fact that what you saved is what you expected.

It's not how the vote was recorded...

[LynnwoodRooster]

The report goes on to say that "Blockchains do not provide the anonymity often ascribed to them." It continues: "In the particular context of elections, voters need to be authorized as eligible to vote and as not having cast more than one ballot in the particular election.

It's who casts the vote. Before we even worry about Blockchain, we need to ensure people casting the ballots are legally eligible to vote. Guaranteeing a vote was cast is no more important than guaranteeing who cast the vote was eligible to actually cast that vote.

Re:It's not how the vote was recorded...

Ah the Trumper. It has been shown over and over and over again that voter fraud is a tiny tiny tiny tiny amount. Like I think they found 2 cases in the ENTIRE state of texas. But keep listening to Alex Jones. Sandy Hook was staged right?

Re:It's not how the vote was recorded...

[LynnwoodRooster]

We require photo ID for just about everything, why not for voting? Why the fear of proof of ID? I need to prove ID to purchase a firearm, why not for voting?

Paper ballots

[burtosis]

Let me start out saying 100% electronic voting is going to be a disaster, triply so when done remotely and not at a secure voting machine. But what most people don't realize is we currently use unencrypted images of paper ballots in many states as backups. These are very insecure. Why not use paper ballots for the primary method, blockchain for the electronic backups? This ultimately seems far more secure than what we are doing now. We also could use open source machines and have audits at each polling place to ensure everything is going as it should.

Just to clear up confusion, the voter would not have access to the votes, the key would be assigned by the machine and printed on the ballot after it is turned in so that the paper may be checked against the distributed ledger, the blockchain would include a scan of the ballot just as is already common practice.

Moronic..

...alters a vote before it ever reaches a blockchain, the immutability of the blockchain fails to provide the desired integrity, ...Blockchain is not responsible for what happens before sonethibg is submitted to it...It like saying banks are responsible for money that still to be deposited..

Re: Paper ballots are by far the most secure solut

Everyone can understand how paper voting works, less so with elliptic curves and what not. Proper paper voting requires no trust in any single party and can be carried out during a civil war or other unrest. Electronic voting alway requires trust because it is impossible for everyone to understand the process let alone verify it.

Yes but reread

[aepervius]

Boxes of ballot contain how many votes ? If your county are divided like by us a few thousand at most. Yes for 2000 it was exceptionally relevant, but it is much harder in a democracy where it is on paper ballot to cheat. Printing that much additional ballot can be found , having the whole LOT of people to distribute them in ballot box and remove true votes can be found out much easier. And if you use the method many country use to COUNT at the local level with volunteer first, with the box never out of the eyes of anybody, that is nigh impossible.

As for the failing chad, the simplest system is also the most proven : print your ballot on paper separated , 1 for candidate A , 1 for candidate B , separated, and ask people to put only 1 in envelope, and if they put two count them as "blank" vote. Et voila !

Re:Yes but reread

[bluefoxlucid]

Printing that much additional ballot can be found , having the whole LOT of people to distribute them in ballot box and remove true votes can be found out much easier.

You know we've had this conversation before?

As the 1940s came to an end, the public demanded mechanical voting machines. Paper ballots were rife with fraud, with ballot boxes 'lost' and 'found' all the time, and politicians frantically calling their loyal precinct bosses to manufacture votes.

Today, we still hear about electoral fraud in the form of messing with how judges count votes and spoiled ballots. We hear about thousands of ballots cast mysteriously not being present in counting, but the election officials are sure it's fine and has no effect. We hear about the scandal of some election staffer being discovered with no counterfeit ballots or anything, just a few hundred blank ballot sheets--an enormous concern to the integrity of our elections.

They're doing it wrong. Electronic voting machines are handled horrendously. The standards for using these systems do not provide any degree of integrity. That doesn't mean you can't; in fact, you can provide greater integrity with electronic voting than with paper. Nobody does.

Don't call for a solution that's worse than the problem.

Too Many People Shouting

"Paper!!"..."Blockchain!!"..."E-Voting!!"

Bah! Just make it like American Idol voting...phone-in your vote to toll numbers that charge fifty cents or a dollar a call, different number for each candidate. Vote as many times as you van afford.

Elections are bought anyway, at least this way it's a lot more open and transparent, and you can use the money collected from the voting toll lines to lower individual income taxes, pay for college tuitions, or if feeling charitable, buy France and straighten out that hellhole.

Re:Paper ballots are by far the most secure soluti

[gshegosh]

Things don't get more secure by making them more complex

Soooo... Is HTTPS simpler than HTTP? :)

Re:Paper ballots are by far the most secure soluti

[DNS-and-BIND]

The PRI in Mexico rigged elections for 80 years using nothing but paper ballots.

Re:Paper ballots are by far the most secure soluti

[sg_oneill]

The PRI in Mexico rigged elections for 80 years using nothing but paper ballots.

Yes, but everybody knew. It stopped being an engineering problem and became a political problem.

use git then

Could then just plain "old" git be used somehow? with branches per each voter, being merged into branches per each district or whatever?

LOL at the mythical 'vote selling'

How much is any candidate going to be able to afford to pay to voters to get them to vote for the candidate, when those voters believe that voting for that candidate will be bad for them? (Otherwise they would already be voting for that candidate and wouldn't have to be paid to do so.)
For example, if Candidate 1, (call him C1) is going to raise taxes on lower paid workers so that they will lost £500 a year, how much would C1 have to pay affected voters to make them vote for him? Presumably more than £500!
This myth of 'vote selling' is always brought up any time somebody suggests a secure voting method, I wonder why...

Russia has total clarity

Or you could use hackable machines, where Russia decides and there is total clarity: around 51% win for Putin's candidate when he's in a strong position and wants to create a plausible result, or 51%+ of the total POPULATION when he's in a weak position and needs to show backing, no matter how implausible and fake.

With electronic voting it removes any mechanism to hide the problem.

That remote back door pcAnywhere they admitted to putting in, was used to identify why the count of those who voted didn't match the totals reported! Literally an infallible machine was hacked badly, then rehacked to make the totals match.

https://motherboard.vice.com/en_us/article/mb4ezy/top-voting-machine-vendor-admits-it-installed-remote-access-software-on-systems-sold-to-states

"In May 2006 in Allegheny County, Pennsylvania, ES&S technicians used the pcAnywhere software installed on that county's election-management system for hours trying to reconcile vote discrepancies in a local election, according to a report filed at the time. And in a contract with Michigan, which covered 2006 to 2009, ES&S discussed its use of pcAnywhere and modems for this purpose. "

With no paper trail, you can bet the machines in current use are PROPERLY hacked, so the totals match, so that loophole that revealed the hack would be closed.

Paper ballots MUST BE USED where electronic voting machines have no paper audit trail, because you cannot legally recount the vote with those machines, you can only recount whatever data the Russian hacker (or other bad agent) put there.

The argument is invalid.

It's like saying, your bitcoin wallet really doesn't have the money in there because you can't check it. Voting has 2 components. Identity and your recorded vote.
To say you can't secure your identity with a private key and sending your vote using your identity while getting your voting balance is ludicrous.
Sometimes you have to think outside the box. Block chain is an immutable record which may have mutable changes based on a tally.

Also malware would be unable to affect the vote if the voting mechanism comes from a central rather than decentralized server.
So the two components, your identity with your public address would be used to fill a single vote, then once you have that in your wallet, this would then be used to cast your vote.
Giving the voter a device like the ledger wallet would make secure voting secure, really secure.
Any voter could go to any library with a computer and cast the votes. Not only that, the wallet could contain the votes before the user actually connects to cast the votes.

Re:The argument is invalid.

[davide+marney]

Blockchain is a PUBLIC ledger. Your identifier is therefore in public view, right along the record of your vote. Congratulations, you've just made voting a public act, removing the one thing that prevents your vote from being coerced.

And oh, it's immutable, too! Gee, thanks a lot.

Re:Paper ballots are by far the most secure soluti

[sysrammer]

Computers are great at some things, ideal for some tasks: not for voting. They suck at that.

Excellent comments, I vote you insightful!

Oh, wait...nevermind.

Paper ballots are STILL counted by machine

[davide+marney]

To all the people waving their hands and saying, "just count them thar ballots like we did back in granddaddy's time, dab gummit", I say please for the love of all that is sacred, volunteer to help run an election in your home town. NO ONE is going to count the millions of ballots cast in a major US election by hand unless they absolutely are forced to do so. All paper ballots are initially counted by machines. It is only when the totals are within a small margin (it's 1% in my state of Virginia) that a recount is even permitted, and only by an even smaller margin when it is paid for by the taxpayers (1/2 of 1% in Virginia.)

People absolutely stink at repetitive tasks. Can you imagine counting 62 MILLION individual pieces of paper -- by hand?! Well, right out of the box you'd have to double that number just to be sure you didn't make any mistakes. Not happening.

No, man made machines to take humans OUT of repetitive processes. Given a perfectly-filled in ballot, the error rate for a scanned ballot would be the same as the error rate of bar code scanning: 1 error out of 400,000 scans. In the state of Virginia, that error rate would mean that only 10 ballots cast in the entire state in 2016 would have been mis-counted.

But we don't have perfectly-marked ballots, again because we ask humans to fill in the paper. The error rate of just mis-marked ballots is 10x the error rate of scanning, and the error rate of hand-counting is 100x larger than that.

No, machines are good. You need to black-box test them and prove that they have not been tampered with, but that is a small, small price to pay for such an enormous gain in accuracy and speed.

But I want my money

How can it be a fair election if somebody isn't making oodles of $$$$ from the process?

That's just unAmerican!