Slashdot Mirror


Blockchains Are Not Safe For Voting, Concludes NAP Report (nytimes.com)

The National Academies Press has released a 156-page report, called "Securing the Vote: Protecting American Democracy," concluding that blockchains are not safe for the U.S. election system. "While the notion of using a blockchain as an immutable ballot box may seem promising, blockchain technology does little to solve the fundamental security issues of elections, and indeed, blockchains introduce additional security vulnerabilities," the report states. "In particular, if malware on a voter's device alters a vote before it ever reaches a blockchain, the immutability of the blockchain fails to provide the desired integrity, and the voter may never know of the alteration."

The report goes on to say that "Blockchains do not provide the anonymity often ascribed to them." It continues: "In the particular context of elections, voters need to be authorized as eligible to vote and as not having cast more than one ballot in the particular election. Blockchains do not offer means for providing the necessary authorization. [...] If a blockchain is used, then cast ballots must be encrypted or otherwise anonymized to prevent coercion and vote-selling." The New York Times summarizes the findings: The cautiously worded report calls for conducting all federal, state and local elections on paper ballots by 2020. Its other top recommendation would require nationwide use of a specific form of routine postelection audit to ensure votes have been accurately counted. The panel did not offer a price tag for its recommended overhaul. New York University's Brennan Center has estimated that replacing aging voting machines over the next few years could cost well over $1 billion. The 156-page report [...] bemoans a rickety system compromised by insecure voting equipment and software whose vulnerabilities were exposed more than a decade ago and which are too often managed by officials with little training in cybersecurity.

Among its specific recommendations was a mainstay of election reformers: All elections should use human-readable paper ballots by 2020. Such systems are intended to assure voters that their vote was recorded accurately. They also create a lasting record of "voter intent" that can be used for reliable recounts, which may not be possible in systems that record votes electronically. [...] The panel also calls for all states to adopt a type of post-election audit that employs statistical analysis of ballots prior to results certification. Such "risk-limiting" audits are designed to uncover miscounts and vote tampering. Currently only three states mandate them.

61 of 106 comments

  1. All security = an implementation. by Anonymous Coward · · Score: 1, Insightful

    To say blockchain is inherently unsafe is like saying software is inherently unsafe, or anything else. Everything has pros and cons, but you evaluate the final implementation as secure or insecure. There are challenges in any medium.

    1. Re:All security = an implementation. by PopeRatzo · · Score: 5, Insightful

      To say blockchain is inherently unsafe is like saying software is inherently unsafe

      Oh, you are so close to a breakthrough.

      When it comes to voting, blockchain, like software, IS inherently unsafe. If the main goal for voting security is maintaining the people's confidence in an election, the only system that will meet that standard is a system where people are actually keeping an eye on one another. And I mean physically watching one another. And that's the system we had in place before the advent of voting machines and election software. You had a room full of election judges from both sides, and they sat side-by-side checking in voters as they approached the voting booth and physically watched them put the ballot in the box. When the votes were counted, there was a whole bunch of people from both parties standing around keeping a close eye. When the ballots were sent for storage, one person from each party rode in the truck to drop them off after sealing the container - together - and signing off.

      It was trust, but verify. Was it possible to jigger with an election like that? Of course. But you had a list of names of people you could hold accountable at every step in the process. Electronic voting will never, ever be trusted. That is the effect of transparency.

      --
      You are welcome on my lawn.
    2. Re:All security = an implementation. by Anonymous Coward · · Score: 2, Insightful

      " If the main goal for voting security is maintaining the people's confidence in an election " - Well I don't agree with that starting point definition. I think security = security, not theater of.

      Then you're bad at security. Security is theater.

      There is no impregnable system. Security can only increase the difficulty of entering a system, it cannot stop a determined opponent. Is a CCTV system going to stop someone from breaking into your store? No, but it will make the person think twice about it, because they are likely to be recorded, found, and caught. Is the TSA likely to stop all bad guys from getting on planes? No, but it alters how much they must prepare to get on board the plane so hopefully they'll trigger a signal and get caught before they get on, or try a different route. Does voting security stop fraud from happening? Of course not, but it makes it difficult enough to tamper with to turn away most bad actors, and ensures the voters have confidence in the system.

      Security ultimately changes the decision set of every actor involved toward a common good.

      And quite frankly, blockchain does not equal security. It makes an unalterable database, but it does not secure the machine, the UI, and given tech's publicly poor history of securing people's information, it absolutely does not provide confidence of capability to the general public.

    3. Re:All security = an implementation. by shellster_dude · · Score: 2

      Blockchains are obviously a terrible solution to election fraud. The only thing that prevents blockchain tampering is a ton of neutral third party machines checking the transactions (typically miners). We've already seen that this is a non-trivial problem when there is plenty of incentive for random people to fulfill that role (mining of cryptocurrency). National elections have very little incentive for people to invest thousands in hardware and electricity, and a ton of incentive for nation-states like China or Russia with the funds and technology to manipulate the results.

      If you instead make it a closed system with government machines validating the results, you've not solved anything (or at least nothing that couldn't be solved with more traditional cryptographic techniques like public/private key encryption, signing, and progressive cryptographic hashing). You still haven't solved the issues of patching, of the public's trust in the machines and people involved in securing the infrastructure, or prevented a malicious third party from compromising that infrastructure and altering the results. Blockchain only provides any type of verification when you can trust that the majority of the verifying machines are not working in league to forge results, and in a voting infrastructure of relatively well secured machines you can do a lot better. Blockchain introduces a ton of extra complexity which leads to a ton of additional attack surface while again not providing a lot of value.

      Finally, blockchain does nothing to solve the issue of machines registering one vote and writing a separate vote to the ledger, or even registering multiple votes that are fraudulent. In other words, it is simply a highly inefficient tool that exists to solve an entirely different problem.

      Things that would vastly improve voting security:
      1) When the user comes in, check their ID to validate they are who they claim to be, and that they are allowed to vote.
      2) Give them a randomly generated, complex, unguessable ID number (voteid) in the form of a QR code. This should not be tied to their identity in any way.
      3) Have the user scan said voteid to begin voting and then store it with their vote results, and give them the progressive hash of the chain of votes before and after their votes are tallied.
      4) Allow the user to swipe their voteid before leaving the voting area, and view how their vote was tallied, on a separate machine (thus increasing the complexity and size of the hack required to hoodwink a cautious user).
      5) Allow all users to go online and view their votes as they were recorded (and will be tallied) by entering their voteid on a public website, as well as the aforementioned progressive hashes.
      6) Have a process by which a user can, upon presenting their voteid contest how their votes were recorded (both at the voting place, and after the election).

      Of course the progressive hash idea is somewhat simplistic; public/private key signing or other more complex solutions could be implemented with different risk profiles. Yes, there are still ways that such a system can be hacked and manipulated, but the skill and breadth of the hack would need to be significantly increased to pull it off unnoticed. More importantly, users would be empowered to a fair degree of confidence that their vote was recorded as they intended.
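The progressive-hash scheme sketched in the six steps above, as an added example (not code from this thread, from the commenter, or from any real election system): each voter receives a random, identity-free vote ID; every recorded ballot is appended to a chain whose hash covers the previous hash, the vote ID and the recorded choice; the voter's receipt is the pair of chain hashes before and after their entry, which they can later match against the published chain and use to look up how their vote was tallied. Function names, the `|`-separated hash layout and the sample ballots are all constructed for this example.

```python
"""Hash-chained ballot ledger with anonymous vote IDs (added example)."""
import hashlib
import secrets

GENESIS = "0" * 64   # the "hash before" the first ballot (constructed convention)


def new_vote_id() -> str:
    """Step 2: random, unguessable vote ID; nothing here links it to the voter."""
    return secrets.token_hex(16)


def _entry_hash(prev_hash: str, vote_id: str, choice: str) -> str:
    """Progressive hash: each entry commits to the whole chain before it."""
    return hashlib.sha256(f"{prev_hash}|{vote_id}|{choice}".encode()).hexdigest()


class BallotLedger:
    """Append-only chain of (vote_id, choice, hash) entries."""

    def __init__(self):
        self.entries = []

    def record(self, vote_id: str, choice: str):
        """Step 3: append the ballot and hand back (hash before, hash after) as the receipt."""
        prev = self.entries[-1][2] if self.entries else GENESIS
        h = _entry_hash(prev, vote_id, choice)
        self.entries.append((vote_id, choice, h))
        return prev, h

    def lookup(self, vote_id: str):
        """Steps 4/5: how this vote ID was tallied (None if absent)."""
        for vid, choice, _ in self.entries:
            if vid == vote_id:
                return choice
        return None

    def verify(self) -> int:
        """Recompute the chain; return the index of the first inconsistent entry, or -1 if intact."""
        prev = GENESIS
        for i, (vid, choice, h) in enumerate(self.entries):
            if _entry_hash(prev, vid, choice) != h:
                return i
            prev = h
        return -1

    def tally(self) -> dict:
        counts = {}
        for _, choice, _ in self.entries:
            counts[choice] = counts.get(choice, 0) + 1
        return counts


def receipt_matches(ledger: BallotLedger, vote_id: str, receipt) -> bool:
    """Step 6: the published chain must still contain the receipt's two hashes,
    adjacent and in order, bracketing an entry that carries this vote ID."""
    before, after = receipt
    hashes = [GENESIS] + [h for _, _, h in ledger.entries]
    for i in range(len(hashes) - 1):
        if hashes[i] == before and hashes[i + 1] == after:
            return ledger.entries[i][0] == vote_id
    return False


if __name__ == "__main__":
    ledger = BallotLedger()
    vid = new_vote_id()
    receipt = ledger.record(vid, "Candidate A")        # constructed ballots
    ledger.record(new_vote_id(), "Candidate B")
    print(ledger.lookup(vid), ledger.verify(), receipt_matches(ledger, vid, receipt))
    # Altering a recorded choice after the fact breaks every hash from that point on.
    ledger.entries[0] = (vid, "Candidate B", ledger.entries[0][2])
    print(ledger.verify())
```

Two properties of the example are worth noticing. `verify()` only detects alteration of entries after they were hashed into the chain; a machine that displays one choice and records another produces a perfectly consistent chain, which is the limitation the comment itself raises about blockchains. And `lookup()` returns the recorded choice to anyone holding the vote ID, so the receipt doubles as proof of how the voter voted, which is the coercion concern raised later in this thread.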

    4. Re:All security = an implementation. by Anonymous Coward · · Score: 1

      Paper votes aren't any better, just look at Russia's vote stuffing. Literally. Someone comes up to the booth and stuffs fake/coerced votes into the box.

      Now the way most US, Canadian, and UK elections are run, the paper vote is a two-step process.

      A) You go to a scrutineer to check your name off a PAPER list, they hand you a ballot with no identifying information on it
      B) You mark an X on the ballot, fold it in half or stick it in a privacy envelope and then stick it in a cardboard box with a hole on top.

      Now the civic elections use something more like a scantron device (remember tests from 1990-2000) where the actual "stick it in a cardboard box" part is actually run through a machine to do automated tabulation, but the paper vote still exists.

      The problem with paper votes really comes down to the scrutineer, who may intentionally not be able to find your name on the list, and the tabulation process. The tabulation process is where nearly every paper-vote error comes from, and it's a direct result of people either being too picky or not picky enough. In general, tabulation should be counted by two or three people (of different party affiliations) and when the counts do not line up between them, the counting stops and a different set of scrutineers recounts the entire box.

      That's how things remain fair. The problem specifically with US elections is the "provisional vote", by which they're basically not counted. So if you start sending all the black folk to provisional ballots in a racist backwater county, the racist-friendly politician is the winner, every time.

    5. Re:All security = an implementation. by PopeRatzo · · Score: 1

      Paper votes aren't any better, just look at Russia's vote stuffing. Literally. Someone comes up to the booth and stuffs fake/coerced votes into the box.

      That's right, because Russia doesn't have the same safeguards built into their elections that we have. You don't have election judges from both sides watching every vote from the time it's cast to the time it's counted to the time it's sent for storage. In the US, there have to be two election judges on hand when absentee ballots are opened.

      People can still be corrupted, but the more people are involved in the election process, the safer it is. And since US elections are structured to be de-centralized, there is almost no chance for widespread fraud.

      --
      You are welcome on my lawn.
    6. Re:All security = an implementation. by Ocker3 · · Score: 1

      I'd invite you to visit us in Australia, where we have the Australian Electoral Commission (AEC), a non-partisan (not bi-partisan) body of people who are collectively considered the Platinum Standard of running elections around the world. We actually send people to the USA to train election staff. We don't have party reps in the voting area until the polls close, then the parties can send in scrutineers who check that the paper ballots are being counted as per the regulations (when I did this I actually noted some of the staff short-cutting the preferential voting process, which I pointed out to their team leader, who corrected the person's work). The Scrutineers are also there to get the latest voting trends back to their parties faster. While paper ballots do take a lot of manual counting, it's a pretty robust system. I hear Hawai'i is doing interesting things with paper verification. A key feature of a non-partisan group has to be the culture, my USA-living father got a half hour lecture from his cousin (who's an AEC staffer) about how serious elections are and that my Dad joking about fiddling the ballots wasn't funny. They take it Very seriously, and that's awesome. And while we may argue about whether the people who Did win are any chop at all, or the media coverage, very few people in Australia question whether the outcome was rigged at the ballot box.

    7. Re:All security = an implementation. by Ocker3 · · Score: 1

      Sadly, the TSA haven't shown themselves to be any good at their job, repeatedly. It's hard to get good help when the work is shite, the 'customers' range from sullen to hating you, and the pay is peanuts.

    8. Re:All security = an implementation. by PopeRatzo · · Score: 1

      I'd invite you to visit us in Australia,

      I've spent a fair amount of time in Australia. Yes, I've heard you guys do a good job with elections, but I'm not coming back until you get rid of those spiders that jump up and bite you on the eye. Oh, and drop bears and yowgwai. I don't need that kind of stress, thanks.

      --
      You are welcome on my lawn.
    9. Re:All security = an implementation. by Spazmania · · Score: 1

      You badly misdefine security theater. Like saying a bank robber is a terrorist.

      Security theater is highly visible security activity which costs more (typically much more) to operate than it reduces the risk-cost of breach. It's activity whose purpose is to be seen to do something about security regardless of whether the activity is effective.

      Risk-cost is Threat times Vulnerability times the Cost of an incident. Operating cost is implementation cost plus the cost of impairment to the primary operating purpose of the protected system.

      Where security decreases Risk-cost by more than it increases Operating cost, it isn't theater. It's just security.

      --
      Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
    10. Re:All security = an implementation. by deKernel · · Score: 1

      You'd best not suggest your #1 suggestion to people here in my country (US) because many will interpret that as "voter intimidation"....and I wish I were kidding on this. Now on a more humorsome note, #1 would surely cause havoc in Chicago where the motto is: Vote Early and Vote Often.

    11. Re:All security = an implementation. by bluefoxlucid · · Score: 1

      Close, but not quite.

      that's the system we had in place before the advent of voting machines and election software. You had a room full of election judges from both sides, and they sat side-by-side checking in voters as they approached the voting booth and physically watched them put the ballot in the box. When the votes were counted, there was a whole bunch of people from both parties standing around keeping a close eye. When the ballots were sent for storage, one person from each party rode in the truck to drop them off after sealing the container - together - and signing off.

      Today, we have issues like 3,700 votes not being counted and ballots being apparently cast but somehow missing; or a ballot box being "found"; or all kinds of mucking with the error rate to intentionally miscount; or people invalidating ballots because they have a stray mark that could be a signal to a third party that the vote they purchased was cast faithfully.

      Paper ballots aren't magically secure.

      Was it possible to jigger with an election like that? Of course. But you had a list of names of people you could hold accountable at every step in the process.

      Not really. In paper voting, it's possible to tamper at multiple stages. An unscrupulous election staffer can shuffle blank ballots to an individual who comes in and votes, casting multiple ballots into the box at once. A little sleight of hand. That's why ballots have anti-counterfeit properties, and why we freak out when we discover someone has a pile of blank ballots.

      If you have a list of registered voters who never vote, you can tamper with the voting rolls by casting ballots at their polling places. Write their names in throughout the day and use one of the ballot numbers attached to the pile of stolen ballots.

      Nobody can quite identify if or who. Totally-invisible, except for the record turn-out in your precinct (up 10%!).

      Electronic voting will never, ever be trusted. That is the effect of transparency.

      Paper voting is trusted too much, and people even let you take ballots out of public view "because the ballot boxes are kept in a secure location."

      Current electronic voting is horrendous. You bring in a pre-programmed machine, "certified" by a trusted third party. Trusted? You fail. Load malware the night before; have the malware tamper with votes; delete the malware at poll close (self-removing!). Wipe forensic evidence by simply eliminating the deleted file pointer and clearing out the file contents for the malware's binary. Nobody will ever know.

      You can secure elections with high integrity by using a non-repudiated elections integrity model, which practically requires electronic counts (we can't tamper with the counting that way). Ensuring non-tampering of the ballots in transit from the polling location is doable without electronic voting; this doesn't ensure the ballots weren't miscounted to arrive at the output values.

      Electronic voting machines can't be network-connected, so you can't use blockchain. Blockchain is invisible, anyway, until you put something on the public blockchain, so you can tamper until then.

      EVMs need to start non-tampered; and you need to prove that they are untampered at poll open in a manner which people can inspect at any point in the future. That means any person in the world can identify any tampering functions and any alteration in the software--and they can identify these things at any time in the future. If you haven't achieved that, you're using a black box with no assurance it's properly recording votes.

      On the other hand, once you achieve that, paper ballots are invalid: if the paper audit trail disagrees with the electronic audit trail, the paper audit trail has been compromised.

    12. Re:All security = an implementation. by PopeRatzo · · Score: 1

      Today, we have issues like 3,700 votes not being counted and ballots being apparently cast but somehow missing; or a ballot box being "found"; or all kinds of mucking with the error rate to intentionally miscount; or people invalidating ballots because they have a stray mark that could be a signal to a third party that the vote they purchased was cast faithfully.

      The reason you know this has happened is...because we know this has happened. With black box voting machine elections, you don't know what's happened at any step of the way, and anyone who tells you that they do is simply lying.

      The thing that makes paper ballots more secure than any and all electronic methods is that lots and lots of people can watch the entire process unfold in real time. And not just on some number incrementing on a screen, but on actual physical ballots that exist in the real world. There is still potential for abuse, but not anywhere near the potential in electronic elections.

      You have a choice, right now: I can give you $10,000 in hundred dollar bills in a briefcase right now, or I can show you a video monitor that shows I just deposited $10,000 in a bank account that I might or might not give you access to at a later date. Which do you take?

      --
      You are welcome on my lawn.
    13. Re:All security = an implementation. by bluefoxlucid · · Score: 1

      because we know this has happened.

      Do you know that it has happened, or do you know it has happened only these times?

      With black box voting machine elections, you don't know what's happened at any step of the way, and anyone who tells you that they do is simply lying.

      Yes, exactly. That's the part you need to fix.

      The thing that makes paper ballots more secure than any and all electronic methods

      I've designed an elections integrity model. It's more-secure with electronic voting machines than with paper ballots--to the point that if you have a paper audit trail and the paper audit trail is in conflict, it's the paper ballots that are tampered.

      I did this by eliminating the black box. You have to prove, at poll open, that the machines run non-tampered software. That means they start blank and you start with read-only install media. Everybody has to be able to inspect what's happening. If the people watching election open--that is: regular folks who walked in off the street--copy, verify, and upload that software image, then every person in the world is physically-capable of inspecting that software forever.

      Physical ballots in the real world are open to stuffing, losing, and altering.

      I can give you $10,000 in hundred dollar bills in a briefcase right now, or I can show you a video monitor that shows I just deposited $10,000 in a bank account that I might or might not give you access to at a later date. Which do you take?

      Actually, it's more-complicated than that.

      You and I can disagree on whether a bunch of arbitrary people instructed to deposit a single $1 or $5 into a briefcase will deposit more $1 bills or $5 bills, and whoever is right gets the money. We then open several collection stations and invite people to come do this. The money is then counted, put back in the briefcases, shipped under watch of a few definitely-trustworthy people, taken to a central location, and counted together.

      Instead, we can have those people come and fill out an electronic deposit form on a non-network-connected machine which has had its running software image published and was imaged under public watch as each station opened. At close, the machine displays the totals of how many 1's and 5's were deposited; we then pull its data and copy it to a central location where all electronic deposits are made (and all deposits are somehow guaranteed to be valid: once they've put in the deposit, it WILL come out of their account). The total deposits should be the sum of all observed totals at individual locations or else something has tampered with the numbers.

      Now, under this first method, some of your agents can slip people extra 1's or 5's to sneak into the briefcases. Some of your agents can manipulate the errors in counting the money--a common sleight-of-hand trick. Agents can integrate additional 1's and 5's into the stack as they open the briefcases and remove the moneys. Once they've gotten away with it, it's not discoverable.

      Under the second method, any software to commit tampering is discoverable. We can't go inside the neural network embedded in each human agent, but we can examine computer code; and the computer code was released to the whole public. The counts are guaranteed correct or discoverably manipulated, and can't be manipulated later.

      The electronic method also doesn't fall to simple sleight-of-hand in counting or in slipping in extra bills: alteration while running the polls takes several minutes of invasive physical effort, and can't be instantly-aborted. It generates anomalous audit trails as well.

      That's the reality of paper ballots: you only need someone to turn their heads and cough. You can mess with them while people watch and not get caught. With electronic voting, you have more integrity threats, and must reduce the attack surface to avoid those threats; what's left requires people to just up and leave for half an hour or so and not ask questions.

      Paper ballot fetishism is magical thinking.
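Two of the checks in the model described above, as an added example (not the commenter's implementation and not from any election system): at poll open, each observer hashes the install image and the machine is accepted only if every observer's digest equals the published one; at close, each station's totals are carried to the central location, where the central count per choice must equal the sum of the station counts and only registered stations may appear. The "1"/"5" deposit choices, station names and counts follow the briefcase analogy and are constructed sample data.

```python
"""Observer-verified software image and station/central reconciliation (added example)."""
import hashlib
from collections import Counter


def image_digest(image: bytes) -> str:
    """Digest an observer computes over the install media at poll open."""
    return hashlib.sha256(image).hexdigest()


def image_attested(published_digest: str, observer_digests: list) -> bool:
    """Accept the machine only if at least one observer checked and every
    observer's digest equals the published one; a single mismatch rejects it."""
    return bool(observer_digests) and all(d == published_digest for d in observer_digests)


def reconcile(station_totals: dict, central_totals: dict, registered_stations: set) -> dict:
    """Compare the central count with the sum of the per-station totals.

    Returns a report with two keys:
      'unexpected_stations': stations that reported but are not registered
      'discrepancies':       {choice: (sum of station counts, central count)} where they differ
    An empty report means the central figures match what observers saw at each station.
    """
    report = {
        "unexpected_stations": sorted(set(station_totals) - registered_stations),
        "discrepancies": {},
    }
    expected = Counter()
    for totals in station_totals.values():
        expected.update(totals)
    for choice in sorted(set(expected) | set(central_totals)):
        e, r = expected.get(choice, 0), central_totals.get(choice, 0)
        if e != r:
            report["discrepancies"][choice] = (e, r)
    return report


def consistent(report: dict) -> bool:
    return not report["unexpected_stations"] and not report["discrepancies"]


if __name__ == "__main__":
    # Constructed data: one published image, three observers, two stations.
    image = b"constructed install image v1"
    published = image_digest(image)
    print("attested:", image_attested(published, [image_digest(image) for _ in range(3)]))

    stations = {"S1": {"1": 10, "5": 4}, "S2": {"1": 7, "5": 9}}
    print(reconcile(stations, {"1": 17, "5": 13}, {"S1", "S2"}))   # consistent
    print(reconcile(stations, {"1": 17, "5": 15}, {"S1", "S2"}))   # central "5" inflated by 2
```

The image check is only as strong as the independence of the observers and the assumption that the published digest really is the one the code was built from; the reconciliation detects numbers altered between station and centre, but, like the comment says of the briefcases, not a station whose own displayed total was already wrong.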

    14. Re: All security = an implementation. by KingAlanI · · Score: 1

      In New York state at least, the board of elections activities are bipartisan.

      --
      I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics notwithstanding.
    15. Re: All security = an implementation. by KingAlanI · · Score: 1

      I agree voter ID sounds sensible in theory, but it's disenfranchisement in practice.
      It would be a pain in the butt for poor people to get the paperwork, especially if they don't have a car. Fees to get forms could be a de facto poll tax, banned by the 24th Amendment (some voter ID laws do include exemptions to govt records office fees). A Texas voter ID law counted concealed carry permits but not college IDs; that sort of thing highlights the conservative bias of such laws.
      In New York state you're just ID'ed when registering and sign in at the polling place, which can be checked against the signature from the registration form.
      Prosecuted cases of vote fraud are rare, so it's a "solution" in search of a problem.

      --
      I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics notwithstanding.
    16. Re: All security = an implementation. by shellster_dude · · Score: 1

      How would this coercive third party know this value unless the voter gave it to him? It's randomly generated when he walks in to vote. It is not tied to him in any way. If say, I were a person where I suspected this might happen, I'd just "lose" my random ID after checking my ballot on the other side. I can't validate my vote further on down the road, but no one else can force me to turn over my result.

    17. Re: All security = an implementation. by shellster_dude · · Score: 1

      People make this claim all the time, but it's nonsense. People somehow manage to get an ID to get welfare or to apply for most jobs. You don't even have to get a license to get a State ID; you literally go to the DMV, pay less money than a driver's license costs, and they ship you one that's usually good for between 5-10 years. If you can ride a bus, you can get to the DMV. Considering you can't buy alcohol, open a bank account, get most jobs, or get government assistance, it is not an unreasonable ask that you get photo ID to vote.

    18. Re:All security = an implementation. by tkotz · · Score: 1

      How do they know the commission is non-partisan? Where do they find people interested in government enough to care that voting is done properly, but who don't care about the outcome? I think a culture of berating people who mention that they may have bias or have the power to alter the vote, so they don't mention it publicly, is not non-partisan. It encourages repressed partisanship and grants power to people who don't care about the cultural norms.

      The advantage of multi-partisan committees is you know everyone's bias up front. Someone could lie about their affiliation, but given that they are approved by their party, that really is playing the long con and arguably the party's own fault. If the losing parties agree that they lost, it is a really good way to be certain the winner won. It's why in elections, when one is losing, conceding the seat rather than tallying every vote is considered a classy thing to do.

      --
      "What makes a good man go neutral? Lust for gold? Power? Or were you just born with a heart full of neutrality?" --Zapp Brannigan

    19. Re: All security = an implementation. by tkotz · · Score: 1

      How coercion works:
      "Bring proof you voted W and I'll give you X"
      "Bring proof you voted Y or I'll break your Z"

      To prevent coercion you have to let them vote without giving them proof they voted in any particular way. The voter is not considered trustworthy in the anti-coercion case. They are by definition acting under duress.

  2. Oh the irony by the_skywise · · Score: 3, Insightful

    All elections should use human-readable paper ballots by 2020. Such systems are intended to assure voters that their vote was recorded accurately. They also create a lasting record of "voter intent" that can be used for reliable recounts,

    Now I agree with this and am happy to move back to paper ballots - But the entire reason we moved away from paper ballots was because of the 2000 elections where Florida used punch cards and political officers kept trying to argue over "partial punches", "dimpled chads" and "dangling chads" where they tried to reassess what the voter's INTENT was.
    And, of course, let's not forget magical disappearing and appearing boxes of ballots.
    Any system can be hacked but the electronic one is harder to track hacking than the good ol' traditional methods with paper ballots.

    1. Re:Oh the irony by Dare+nMc · · Score: 2

      There have been academic papers proposing electronic systems that would be safe, where you could verify that your vote was counted (i.e., received at the server).

      In theory with open software, hardware, and multiple servers (again all open source) we could have a very robust electronic voting system. This would require a large project likely done with universities, and it may even be similar to some bitcoin concepts.

      The technology side is very solvable, getting the project started, past the politics, and accepted by people who aren't able to understand the theory behind it is the hard part.

      I am confident current political parties are strongly against starting down this path. As once it was implemented we could do things like nationwide ballot initiatives, and those can bypass lobbyists and pork barrel politics.

    2. Re:Oh the irony by bluefoxlucid · · Score: 1

      We moved away from paper ballots because of the rampant fraud associated with paper ballots. That's how we got punch card machines.

      of course, let's not forget magical disappearing and appearing boxes of ballots.

      See?

      the electronic one is harder to track hacking than the good ol' traditional methods with paper ballots.

      Oh I can do better than that

      I think I'd have the log collector hooked up to the big display in that, too. Easier to show many statistics. We could show the public observers that X voters have cast ballots, that the two ballot machines are running in-sync, and so forth. Any important log notices would appear.

      It's kind of annoying doing this with one-wire serial, but I don't want to put the EVM and two ballot boxes on an Ethernet network together. I want one-way communications, and nothing able to signal anything to the active EBB.

    3. Re:Oh the irony by bluefoxlucid · · Score: 1

      Verifying that your vote is counted doesn't tell you the election is untampered; and verifying that your vote has been counted opens up the election to tampering via vote-buying.

      We must verify that the ballots as a whole are counted, collected, and summed.

      and those can bypass lobbyist and pork barrel politics.

      I like pork. Four years ago, we had won a new transit system in our State. $2.2 billion dollars expected cost; the Federal Government gave us a $900 million grant.

      That's pork barrel spending.

      Every time the Federal Government pays for a State project--notably infrastructure--that's pork barrel spending.

      Government waste is a real problem; Conservatives have pushed the idea that any spending on local projects is government waste. The culmination of this has been last year's proposal by the President for massive infrastructure projects while calling for the states to pay for them and stop asking the Federal government for money.

    4. Re:Oh the irony by Dare+nMc · · Score: 2

      > Verifying that your vote is counted doesn't tell you the election is untampered; and verifying that your vote has been counted opens up the election to tampering via vote-buying.

      That everyone can verify their votes are un-tampered actually does tell us exactly that. And no, we only allow you to prove to others that you voted. There are several proposals that have been discussed to do this, where you can leave with your vote encrypted on paper, and you can provide any number of false keys to prove whatever you want anyone else to see; only if they were in the booth with you could they get the real key. You would only give a small % of volunteers from each machine the option to verify the true keys are used throughout. The other option is to allow multiple votes, such that only the last one is counted. Again, only a small % are required to be given the true decryption keys to validate the process is working and we don't have a massive corruption of the process.

      > We must verify that the ballots as a whole are counted, collected, and summed.

      Exactly, that is why you allow everyone to validate their true ballot is cast. You also allow as many servers as you like collecting results, with the same open source software. You can verify and validate they all get the same results; if any official servers differ, or sufficient private servers differ to raise concern of a mass fraud, then you can rerun all the ballots and find the difference. The states would have the keys for every machine in the state, and verify all machines reported in their results, and no extra machines reported extra results.

      By having states generate their own private keys, you would have multiple keys: one for voter identity, one for candidates, another for each polling place's ID. After the election is over and the server data is verified received, you release the candidates' private key, and every server can tabulate the results (there is a proof of concept of doing math on encrypted data without the keys, so it is possible all results could be calculated and compared before receiving the private keys; you only need the private keys to declare the winner, and that can be done after all servers have verified they came to the same winning result). That way the private key cannot be used during the election to generate any more public keys...

      As long as the private key for voter ID is kept secret from all but a single validation location, even if you give your voter ID to someone else, they cannot find your vote information. You can only verify the complete and unaltered vote you cast was received at every server, since every vote, polling place cast, ID cast... is public information. Select people, in isolation, using all the private keys can validate the entire election process.

      The great thing about SSL is we only care if the voting machine is secure; the encrypted packet can be path agnostic. Votes could all be printed and carried on paper and scanned. They could be flash drives; people could scan them at home and broadcast them. You can send the packets in 50 different ways, and state actors would have to block/corrupt all 50 ways to block that vote. Duplicates are discarded. Until the private key is released, all is secured.

      > I like pork.

      Not all government would be by direct vote; that isn't how states with ballot initiatives work. But currently a bill like national health care could never get passed cleanly, as there is no way to pass it without paying off the special interests in DC. That is not true with ballot initiatives: if it is good for the majority and isn't being done through the normal process, this is where the corrupt process bypass happens. A health initiative or public university project could produce the bill that is then taken outside of partisan politics for passage. The standard process still stands for bills where that system is working.

    5. Re:Oh the irony by bluefoxlucid · · Score: 1

      That everyone can verify their votes are un-tampered, actually does tell us exactly that.

      No, it only tells you that your vote is untampered and that nobody has complained. If a bloc of people complain, they may be trying to throw credibility concerns rather than reporting honestly.

      we only allow you to prove you voted to others. There are several proposals that have been discussed to do this. Where you can leave with your vote encrypted on paper, and you can provide any number of false keys to prove whatever you want anyone else to see, only if they were in the booth with you could they get the real key.

      A zero-knowledge proof. They're hard to set up. I've proposed a similar scheme for Internet voting; problem being that Internet voting is not observable and is thus incapable of providing any integrity at all, thus is not a viable method for public elections. (There are other concerns; most are coverable.)

      You can't keep your real key if you're avoiding coercion or vote buying. Coercion would require you to show up with only one key, as they can't identify how many valid keys you created. You'd have to discard your real key and keep your false key; the possibility of doing so then makes it impossible to prove you haven't, so you can show up with any number of false keys and cannot prove which is real or if any is real.

      The other option is to allow multiple votes, such that only the last one is counted

      You'd have to identify who voted what, or identify single-person vote batches. This mimics a risk with ranked ballots: a specific pattern of voting can identify a voter. If you're only counting the last vote and identifying a person's batch, you have to identify which was actually counted, which gets you back where you started.

      Exactly, that is why you allow everyone to validate their true ballot is cast. You also allow as many servers collecting results

      I've suggested that--of course, with the results being after polling center counting. We don't plug voting machines into networks. That's a thing VVSG 1.1 allows; it's ludicrous.

      with the same open source software.

      Working on it, but this is really just a mess. I'm looking at architecture to get a feel for how to run this; in truth, I can't build this software. I'll have to hire programmers, and I only know a few who are actually cognizant of things like good architecture and design.

      Prototyping helps me think.

      You can verify and validate they all get the same results, if any official servers differ, or sufficient private servers differ to raise concern of a mass fraud, then you can re run all the ballots and find the difference. The states would have the keys for every machine in the state, and verify all machines reported in their results, and no extra machines reported extra results.

      You've already failed.

      I have suggested we can propagate results to anyone and everyone, and "recount" by all interested third-parties in real-time. In truth, even for ranked ballot elections, your public observers will be posting photos and results at each polling station to Twitter or New York Times or whatever. You can likely reverse a set of pairwise results to a set of ranked ballots (these are 1:1) in something like O(m*n^2*log(n)), although I haven't figured out the right algorithm yet. It's linear to combined sets, which means decoding two sets of 100 ballots takes twice as long as one set of 100 ballots, while one set of 200 ballots takes longer; because you can graph a necessarily-existing ballot or reduce the number of candidates in a subset of ballots, you're continuously shrinking the coefficients and so you get weird logarithmic stuff.

      In any case, this all means we can not only validate the per-polling-place r

    6. Re: Oh the irony by KingAlanI · · Score: 1

      Also Trump's infrastructure plan has included subsidies for private projects which sounds like a handout to big business for something they might do anyway

      --
      I listen to both RIAA and non-RIAA stuff if I like the music, tangential business/politics notwithstanding.
    7. Re: Oh the irony by bluefoxlucid · · Score: 1

      Yeah, don't do that. Build infrastructure to attract business; don't give business money to build a private building for themselves.

      Infrastructure spending is for public projects.

  3. Key statement by Anonymous Coward · · Score: 2, Insightful

    The key statement in the finding that most technology solutions fail to solve is this:

    "Such systems are intended to *assure* voters that their vote was recorded accurately."

    In the end, paper ballots may seem inefficient from a processing perspective, but that inefficiency becomes inherently difficult to tamper with and builds in systems for checks and recounts. The argument here is that blockchain is vulnerable before the data is stored in the blockchain, at the UI and the machine level, and blockchain then will hard-code the malicious event.

    But the key phrase here is "assure voters that their vote was recorded accurately". In the end, an inefficient system being difficult to tamper with makes voters feel more secure, meaning there is less likely a challenge to the system. If the voting public believes the system can be tampered with at a large scale level, then challenges and recounts and legal battles will happen with every election, and undermines the process where this is a simple majority winner. Instead regardless of their margin of victory every winner is subject to suspicion by the public. Maintaining public confidence in the accuracy of the system is far more important than the actual accuracy of the system.

    1. Re:Key statement by presidenteloco · · Score: 1

      Blanket arguments against computer algorithms for secure voting (or secure anything) are illogical, emotional, and flawed.

      People argue to the effect: Because many programs have been found to have a security flaw in either A) the algorithm mathematics and logical assumptions, or in B) the implementation, therefore ALL programs must have some flaw in A) or B), therefore there is no such thing as a secure computer program. That is just bullshit. It's incorrect, unsupported generalization from specific examples.

      Just because it is a wise precautionary stance to be extremely skeptical of computer algorithmic voting security (or application security in general), and just because it is wise to demand transparency of the system so that it can be continually reviewed and critiqued (by both the competent and the incompetent),
      DOES NOT mean that no secure voting system (or application of whatever kind that should be secure, like banking) is possible.

      The reasoning that all computerized voting is flawed is the same as the following reasoning:
      Many software programs have bugs (either in design or implementation),
      Therefore all software programs have bugs.
      And that is just layman-level, lazy-thinking, paranoid, non-technical bullshit.
      There are, obviously, many algorithms and implementations that do not have bugs.

      Here's one, in pseudocode, to output the number 10:
      n = 0
      while n < 10:
              n = n + 1
      print(n)

      Ok, it's simple, but there are by simple extension many more complex programs that also have no bugs and do some defined calculation or data processing as designed, correctly implementing an unflawed mathematical and logical computable operation.
      And you can say, oh, but the language layer or vm layer or OS layer or whatever, below, has bugs, and I will say, many of them do, but it is not a necessary condition.
      So stop saying that adequate computer security is impossible. It's not. It's just very very very hard.

      But whatever it is, it should be easy compared to the ease of carting stations' worth of paper ballot boxes off to a bonfire in military trucks, or simply threatening with submachine guns or machetes anyone that dares venture near a polling station. The bar we're competing with is NOT VERY HIGH.

      Seriously, there are zero-knowledge proofs, mixes, all kinds of true anonymization techniques. There ARE currently unbroken strong encryption methods. And a voter authentication process that uses computers (bottom-up trust and reputation networks on a blockchain) AND people to build up assurance in the identity is not necessarily less trustworthy than a human and easily-forged paper document/ identity card authentication system.

      Let's get serious and seriously technical here, and stop with the fearmongering bullshit.
      Are all zero-knowledge proof and input mixing algorithms inherently flawed, for example? Can you prove that?
      Is all strong encryption, including new research-stage quantum-resistant algorithms, definitely breakable within the foreseeable future?
      That's not the assumption that we're building the entire rest of the application ecosystem on computerized networks on.

      More realistically, there is an arms race between encryption and anonymization algorithm design and implementation, and attacks on them. But that ongoing battle DOES NOT LOGICALLY MEAN that in well-defined areas, we can't be assured it is correct and secure.
      1 + 1 == 2 ALL THE TIME (in decimal and a few other bases anyway).

      --

      Where are we going and why are we in a handbasket?
    2. Re:Key statement by presidenteloco · · Score: 1

      Ok, there's a stupid bug in slashdot apparently, not including my less-than sign.
      There. One bug.
      What's up with that. Let me try again. Hmm. There was a less-than in there just to the left of this sentence. That's lame on slashdot software's part.
      So you proved that ALL programs have bugs?
      Didn't think so.

      --

      Where are we going and why are we in a handbasket?
    3. Re:Key statement by sconeu · · Score: 1

      Use the entity &lt;

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    4. Re:Key statement by presidenteloco · · Score: 1

      Didn't try that because pretty sure my slashdot post settings are set to the "plain-text" format option, as opposed to some kind of html format option. I guess they meant plain-text without less-than characters.

      --

      Where are we going and why are we in a handbasket?
    5. Re:Key statement by presidenteloco · · Score: 1

      Oh, ok, they changed all my post settings on me in some new version of slashdot. Oh well.

      --

      Where are we going and why are we in a handbasket?
    6. Re:Key statement by bluefoxlucid · · Score: 1

      Just because it is a wise precautionary stance to be extremely skeptical of computer algorithmic voting security (or application security in general), and just because it is wise to demand transparency of the system so that it can be continually reviewed and critiqued (by both the competent and the incompetent), DOES NOT mean that no secure voting system (or application of whatever kind that should be secure, like banking) is possible.

      In fact, the system I designed fails the same way paper fails: if nobody's watching, you can do whatever you want. I just narrowed the window to between poll open and poll close, and made it extremely difficult to bypass public observation via sleight-of-hand.

      It still needs refinement. This will work, but I need to define some of the specific throughout-the-day handling procedures and protective measures to prevent physical intervention. It's not good enough to just say "we need public observers"; we need alarms and impediments to ensure any attempt to tamper is highly-visible, leaves evidence, and takes a large amount of real time. I've made mention of such things, but haven't written down a detailed implementation.

      The reasoning that all computerized voting is flawed is the same is the following reasoning: Many software programs have bugs (either in design or implementation), Therefore all software programs have bugs.

      Computerized voting is invisible. Computers can have tampering paths which are invisible. You must prove a computer contains only specific, known software, which can then be inspected by everyone forever so that any invisible tampering can be discovered at any time by any person.

      It's not about computers mistakenly doing the wrong thing; it's about computers intentionally doing the wrong thing and actively hiding it. We have to make it impossible to hide.

    7. Re:Key statement by sconeu · · Score: 1

      Try "Extrans". The notes say it will not convert &, <, and >

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
  4. Paper ballots are by far the most secure solution by Seven+Spirals · · Score: 4, Insightful

    Gimme a break. Use paper. Computers will be better tools for tabulating and processing the votes after they are cast, but it's tough to beat paper for a recount. Even paper has its flaws, but the hand waving crypto-bullshit is pathetic "Oh but this counter signature will detect if the previous initialization vector was properly zeroed inside of the S-Box" *rolls eyes*. KISS baby. Things don't get more secure by making them more complex and I can't think of any way to make something more complex than to introduce computers. Computers are great at some things, ideal for some tasks: not for voting. They suck at that.

  5. paper ballots by Anonymous Coward · · Score: 1

    The only way you can have some measure of accountability while keeping votes anonymous.

    1. Re:paper ballots by Anonymous Coward · · Score: 1

      Since no one else has linked it:
      Obligatory xkcd

  6. Or, for heaven's sake, you can just use paper by mark-t · · Score: 2

    Make a simple mark on a paper ballot indicating your vote, fold it, put it in a box.

    done

    Now theoretically you could bribe people who do the counting, but you'd have to bribe a *LOT* of people to make any kind of difference because each individual ballot box with the folded ballots contains but a tiny fraction of the number of votes, and nobody ever counts the ballots from more than one or sometimes two different boxes.

    1. Re:Or, for heaven's sake, you can just use paper by mark-t · · Score: 1

      Here in Canada you need to provide proof of identification as well. Government issued photo ID such as a driver's license or is best because it's generally just a show-it-and-go, but others can be accepted... there's just some extra paperwork involved, and one might need to have multiple ID's.

    2. Re:Or, for heaven's sake, you can just use paper by MobyDisk · · Score: 1

      Is there any other country with modern infrastructure (stable government, ID cards, functioning postal system), other than the US, where you don't have to provide ID to vote? I have voted for decades and it still strikes me as odd every single time. I've never understood how requiring proof of identification disenfranchises anyone.

    3. Re:Or, for heaven's sake, you can just use paper by mark-t · · Score: 1

      It shouldn't... you have to register to vote in the first place and that generally requires identification... the only reason you need to have identification to pick up a ballot is to make sure that you are the person whose name is on the voter registration card (and that you didn't swipe somebody else's so that you could try and vote more than once). In general, one just has to present the same ID that they used to register to vote in the first place.

      It's even possible to vote without having received a voter registration card, but there's a special line for that, and the processing can take a lot longer, depending on what forms of ID the person has. In my observed experience, the lineups for that are shorter than the lineups for regular voting, but then after processing the person has to get into the regular voting lineup anyway, so there's no potential gain to be had.

    4. Re:Or, for heaven's sake, you can just use paper by davide+marney · · Score: 1

      It must be nice to have an election with only 47 ballots. In the state where I volunteer, 3.6 MILLION ballots were cast in the last federal election.

      --
      "We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday
    5. Re:Or, for heaven's sake, you can just use paper by mark-t · · Score: 1

      What, does everyone in the entire state vote at the same physical location? That seems like it is logistically infeasible.

      Obviously you have one polling station for every 5 to 10 thousand or so registered voters... and you have maybe 10 to 20 ballot boxes at any single polling station. In the couple of times I've worked for Elections Canada to man a ballot box, I've never seen an election box that was actually full, and the number of ballots in each box seemed to be no more than a couple of hundred, often much less.

  7. Transparency is the key by victor_alarcon · · Score: 1

    I thought that was the main selling point. Yes, I'm sure someone can come up with some anonymity scheme but transparency should be top priority. Apologies if the point is too naive.

  8. the real story by slashmydots · · Score: 1

    Blockchains are perfect, right? WRONG. And also right. They are mathematically flawless BUT if you outprocess the rest of the network, you can finalize a block with whatever the hell you want in it. You can form a block that says you own all bitcoins, all transactions put them in your wallet, and you're also the Queen of England. The reason this "51% attack" doesn't happen is because that amount of processing power doesn't exist. That many ASICs don't exist on Earth. But let's set up a separate blockchain and separate currency called votecoin. Even if you buy a million dollars' worth of graphics cards, someone could conceivably buy 1.1 million worth and forge a fake block with fake votes. So make it a billion. Oh wait, Russia has more than $1 billion. Darn. I mean getting hold of that many GPUs would be difficult but there's always the secondary market. And then where did the first person get that many GPUs if they're so hard to get a billion dollars' worth of? It doesn't work unless you can somehow tie it to an existing HUGE network like Ethereum, which btw also doesn't work.
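How much an attacker's share of hashing power matters can be quantified rather than argued about in dollars of GPUs. The Go function below is an added example, not the commenter's code: it ports the attacker-success calculation from section 11 of the Bitcoin whitepaper, which gives the probability that a miner holding fraction q of the network hash rate eventually rewrites a block that the honest chain has buried z blocks deep. The shares and thresholds in main are constructed for illustration.

```go
package main

import (
	"fmt"
	"math"
)

// AttackerSuccessProbability ports the calculation from section 11 of the
// Bitcoin whitepaper. q is the attacker's share of hashing power, z the number
// of blocks the honest chain is ahead. It returns the probability that the
// attacker ever catches up and so can replace those z blocks with its own.
func AttackerSuccessProbability(q float64, z int) float64 {
	if q <= 0 {
		return 0
	}
	if q >= 0.5 {
		return 1 // a majority wins the race with certainty, eventually
	}
	p := 1 - q
	// expected attacker progress while the honest chain mines z blocks
	lambda := float64(z) * (q / p)
	sum := 1.0
	for k := 0; k <= z; k++ {
		// Poisson probability that the attacker has mined k blocks by then
		poisson := math.Exp(-lambda)
		for i := 1; i <= k; i++ {
			poisson *= lambda / float64(i)
		}
		// from z-k blocks behind, the chance of ever catching up is (q/p)^(z-k)
		sum -= poisson * (1 - math.Pow(q/p, float64(z-k)))
	}
	return sum
}

// ConfirmationsNeeded returns the smallest z at which the attacker's chance
// falls below target, or -1 when q is a majority and no depth is ever enough.
func ConfirmationsNeeded(q, target float64) int {
	if q >= 0.5 {
		return -1
	}
	for z := 0; z < 10000; z++ {
		if AttackerSuccessProbability(q, z) < target {
			return z
		}
	}
	return -1
}

func main() {
	// constructed sample shares of hash rate; 0.001 is an arbitrary risk ceiling
	for _, q := range []float64{0.1, 0.3, 0.45, 0.51} {
		fmt.Printf("q=%.2f  P(rewrite 6 deep)=%.7f  confirmations for <0.1%%: %d\n",
			q, AttackerSuccessProbability(q, 6), ConfirmationsNeeded(q, 0.001))
	}
}
```

With q = 0.1 the chance of reversing a block six deep is about 0.02%; with q = 0.3 a block five deep still has about an 18% chance of being reversed, and at or above 0.5 the attacker is certain to catch up eventually. Note what the model covers: rewriting which transactions are in the chain, not forging their contents. A rewritten block still has to carry valid signatures on everything in it.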

    1. Re:the real story by Kaenneth · · Score: 1

      Even with a 51% attack, the Bitcoin blockchain is filled with digital signatures; no one but your own nodes would accept the blocks, and you would only be 'fooling' yourself.

      Electronic voting could only work if every citizen had their own private, secure, digital signature key. Which can't happen in the US because poor people can't afford them, and a certain party would never give anything for free, while the other would protect the poor.

    2. Re:the real story by sg_oneill · · Score: 1

      Here's the thing that drives me nuts. Literally every single use case for the blockchain re "contracts" can be done faster, vastly more securely, and with no conceivable 51%-style attack that doesn't involve the "solve the prime number prediction problem that probably is unsolvable" thing.

      It's called "Public Key Signing" and it's been common since the 1970s. I go to a ballot box, create a vote. I use my private key to sign it. The govt uses their private key to sign it. I have the govt's public key and can verify that they, and only they, received it. The govt has my public key and can verify that me, and only me, created and signed that vote.

      There's still an anonymizing issue, but it's not hard to just strip identifiers off the big ol' bucket of public keys, so that the govt just has a list of verified public keys, but has willingly stripped off identification from them. Perhaps this part would be supervised by the judicial branch to ensure no shitbag politicians are stealing IDs to punish voters later on.

      Perfect security. Perfect verification, and as long as the anonymization process happens correctly, perfect anonymity.

       

      --
      Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
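The sign-and-countersign flow described in the post above, as an added example in Go that is not the commenter's code: a voter signs the ballot with an Ed25519 key, the authority checks that key against a roll holding public keys only, refuses a second ballot from the same key, and countersigns the submission as a receipt that anyone holding the two public keys can verify. The roll, the keys and the ballot text are constructed stand-ins; how voter keys are issued and how identities are stripped from the roll is left unspecified here, as it is in the post.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedBallot is what travels: the ballot, the voter's public key, the
// voter's signature and, once accepted, the authority's countersignature.
// Added example, not code from the thread.
type SignedBallot struct {
	Ballot   []byte
	Voter    ed25519.PublicKey
	VoterSig []byte
	AuthSig  []byte
}

// Authority holds the hypothetical government signing key and the roll of
// eligible public keys (identities already stripped, as the post proposes).
type Authority struct {
	priv  ed25519.PrivateKey
	Pub   ed25519.PublicKey
	roll  map[string]bool // eligible keys
	voted map[string]bool // keys that have already cast a ballot
}

// NewVoterKey stands in for whatever registration step issues a voter's key pair.
func NewVoterKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// NewAuthority generates the authority's key and loads the roll.
func NewAuthority(roll ...ed25519.PublicKey) (*Authority, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a := &Authority{priv: priv, Pub: pub, roll: map[string]bool{}, voted: map[string]bool{}}
	for _, k := range roll {
		a.roll[string(k)] = true
	}
	return a, nil
}

// receiptMessage binds the countersignature to this exact submission:
// the ballot bytes and the voter's signature over them.
func receiptMessage(sb *SignedBallot) []byte {
	msg := append([]byte("ballot:"), sb.Ballot...)
	return append(msg, sb.VoterSig...)
}

// CastBallot is the voter side: sign the ballot with the voter's private key.
func CastBallot(voterPriv ed25519.PrivateKey, ballot []byte) *SignedBallot {
	return &SignedBallot{
		Ballot:   ballot,
		Voter:    voterPriv.Public().(ed25519.PublicKey),
		VoterSig: ed25519.Sign(voterPriv, ballot),
	}
}

// Receive is the authority side: eligibility, signature check, one ballot
// per key, then countersign. The order matters: the roll lookup comes first
// so Verify is only ever called on a well-formed key from the roll.
func (a *Authority) Receive(sb *SignedBallot) error {
	k := string(sb.Voter)
	if !a.roll[k] {
		return errors.New("public key is not on the voter roll")
	}
	if !ed25519.Verify(sb.Voter, sb.Ballot, sb.VoterSig) {
		return errors.New("voter signature does not verify")
	}
	if a.voted[k] {
		return errors.New("this key has already cast a ballot")
	}
	a.voted[k] = true
	sb.AuthSig = ed25519.Sign(a.priv, receiptMessage(sb))
	return nil
}

// VerifyReceipt is what anyone with the two public keys can check:
// the voter signed this ballot and the authority acknowledged exactly it.
func VerifyReceipt(authPub ed25519.PublicKey, sb *SignedBallot) bool {
	if len(sb.Voter) != ed25519.PublicKeySize || len(authPub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(sb.Voter, sb.Ballot, sb.VoterSig) &&
		ed25519.Verify(authPub, receiptMessage(sb), sb.AuthSig)
}

func main() {
	alicePub, alicePriv, _ := NewVoterKey()
	auth, err := NewAuthority(alicePub)
	if err != nil {
		panic(err)
	}
	sb := CastBallot(alicePriv, []byte("candidate B")) // constructed sample ballot
	fmt.Println("accepted:", auth.Receive(sb) == nil, "receipt verifies:", VerifyReceipt(auth.Pub, sb))
	fmt.Println("second ballot from same key:", auth.Receive(CastBallot(alicePriv, []byte("candidate A"))))
}
```

Note what the receipt proves and to whom: it shows that a particular signed ballot was accepted, and since the ballot contents are in the clear, a voter can show it to anyone, which is exactly the vote-buying and coercion channel raised earlier in the thread. The usual answer is to countersign an encrypted ballot rather than the plaintext, so the receipt confirms acceptance without revealing the choice.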
  9. It's not how the vote was recorded... by LynnwoodRooster · · Score: 1

    The report goes on to say that "Blockchains do not provide the anonymity often ascribed to them." It continues: "In the particular context of elections, voters need to be authorized as eligible to vote and as not having cast more than one ballot in the particular election.

    It's who casts the vote. Before we even worry about Blockchain, we need to ensure people casting the ballots are legally eligible to vote. Guaranteeing a vote was cast is no more important than guaranteeing who cast the vote was eligible to actually cast that vote.

    --
    Browsing at +1 - no ACs, I ignore their posts. So refreshing!
    1. Re:It's not how the vote was recorded... by LynnwoodRooster · · Score: 1

      We require photo ID for just about everything, why not for voting? Why the fear of proof of ID? I need to prove ID to purchase a firearm, why not for voting?

      --
      Browsing at +1 - no ACs, I ignore their posts. So refreshing!
  10. Paper ballots by burtosis · · Score: 1

    Let me start out saying 100% electronic voting is going to be a disaster, triply so when done remotely and not at a secure voting machine. But what most people don't realize is we currently use unencrypted images of paper ballots in many states as backups. These are very insecure. Why not use paper ballots for the primary method, blockchain for the electronic backups? This ultimately seems far more secure than what we are doing now. We also could use open source machines and have audits at each polling place to ensure everything is going as it should.

    Just to clear up confusion, the voter would not have access to the votes, the key would be assigned by the machine and printed on the ballot after it is turned in so that the paper may be checked against the distributed ledger, the blockchain would include a scan of the ballot just as is already common practice.

  11. Re:Captain Obvious by jwymanm · · Score: 1

    This was the dumbest comment in the article. Obviously software methods exist to verify after the fact that what you saved is what you expected.

  12. Yes but reread by aepervius · · Score: 1

    Boxes of ballots contain how many votes? If your counties are divided like ours, a few thousand at most. Yes, for 2000 it was exceptionally relevant, but it is much harder to cheat in a democracy where it is done on paper ballots. Printing that many additional ballots can be found out, having the whole LOT of people to distribute them in ballot boxes and remove true votes can be found out much more easily. And if you use the method many countries use to COUNT at the local level with volunteers first, with the box never out of the eyes of anybody, that is nigh impossible.

    As for the failing chad, the simplest system is also the most proven: print your ballot on paper, separated, 1 for candidate A, 1 for candidate B, separated, and ask people to put only 1 in the envelope, and if they put two count them as a "blank" vote. Et voilà!

    --
    C. Sagan : A demon haunted world:
    http://www.amazon.com/gp/product/0345409469/
    visit randi.org
    1. Re:Yes but reread by bluefoxlucid · · Score: 1

      Printing that many additional ballots can be found out, having the whole LOT of people to distribute them in ballot boxes and remove true votes can be found out much more easily.

      You know we've had this conversation before?

      As the 1940s came to an end, the public demanded mechanical voting machines. Paper ballots were rife with fraud, with ballot boxes 'lost' and 'found' all the time, and politicians frantically calling their loyal precinct bosses to manufacture votes.

      Today, we still hear about electoral fraud in the form of messing with how judges count votes and spoiled ballots. We hear about thousands of ballots cast mysteriously not being present in counting, but the election officials are sure it's fine and has no effect. We hear about the scandal of some election staffer being discovered with no counterfeit ballots or anything, just a few hundred blank ballot sheets--an enormous concern to the integrity of our elections.

      They're doing it wrong. Electronic voting machines are handled horrendously. The standards for using these systems do not provide any degree of integrity. That doesn't mean you can't; in fact, you can provide greater integrity with electronic voting than with paper. Nobody does.

      Don't call for a solution that's worse than the problem.

  13. Re:Paper ballots are by far the most secure soluti by gshegosh · · Score: 1

    Things don't get more secure by making them more complex

    Soooo... Is HTTPS simpler than HTTP? :)

  14. Re:Paper ballots are by far the most secure soluti by DNS-and-BIND · · Score: 2

    The PRI in Mexico rigged elections for 80 years using nothing but paper ballots.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!
  15. Re:Paper ballots are by far the most secure soluti by sg_oneill · · Score: 1

    The PRI in Mexico rigged elections for 80 years using nothing but paper ballots.

    Yes, but everybody knew. It stopped being an engineering problem and became a political problem.

    --
    Excuse the Unicode crap in my posts. That's an apostrophe, and slashdot is busted.
  16. Re:Paper ballots are by far the most secure soluti by sysrammer · · Score: 1

    Computers are great at some things, ideal for some tasks: not for voting. They suck at that.

    Excellent comments, I vote you insightful!

    Oh, wait...nevermind.

    --
    His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
  17. Paper ballots are STILL counted by machine by davide+marney · · Score: 1

    To all the people waving their hands and saying, "just count them thar ballots like we did back in granddaddy's time, dab gummit", I say please for the love of all that is sacred, volunteer to help run an election in your home town. NO ONE is going to count the millions of ballots cast in a major US election by hand unless they absolutely are forced to do so. All paper ballots are initially counted by machines. It is only when the totals are within a small margin (it's 1% in my state of Virginia) that a recount is even permitted, and only by an even smaller margin when it is paid for by the taxpayers (1/2 of 1% in Virginia.)

    People absolutely stink at repetitive tasks. Can you imagine counting 62 MILLION individual pieces of paper -- by hand?! Well, right out of the box you'd have to double that number just to be sure you didn't make any mistakes. Not happening.

    No, man made machines to take humans OUT of repetitive processes. Given a perfectly-filled in ballot, the error rate for a scanned ballot would be the same as the error rate of bar code scanning: 1 error out of 400,000 scans. In the state of Virginia, that error rate would mean that only 10 ballots cast in the entire state in 2016 would have been mis-counted.

    But we don't have perfectly-marked ballots, again because we ask humans to fill in the paper. The error rate of just mis-marked ballots is 10x the error rate of scanning, and the error rate of hand-counting is 100x larger than that.

    No, machines are good. You need to black-box test them and prove that they have not been tampered with, but that is a small, small price to pay for such an enormous gain in accuracy and speed.

    --
    "We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday
  18. Re:The argument is invalid. by davide+marney · · Score: 1

    Blockchain is a PUBLIC ledger. Your identifier is therefore in public view, right along the record of your vote. Congratulations, you've just made voting a public act, removing the one thing that prevents your vote from being coerced.

    And oh, it's immutable, too! Gee, thanks a lot.

    --
    "We receive as friendly that which agrees with, we resist with dislike that which opposes us" - Faraday