Slashdot Mirror


Blockchains Are Not Safe For Voting, Concludes NAP Report (nytimes.com)

The National Academies Press has released a 156-page report, called "Securing the Vote: Protecting American Democracy," concluding that blockchains are not safe for the U.S. election system. "While the notion of using a blockchain as an immutable ballot box may seem promising, blockchain technology does little to solve the fundamental security issues of elections, and indeed, blockchains introduce additional security vulnerabilities," the report states. "In particular, if malware on a voter's device alters a vote before it ever reaches a blockchain, the immutability of the blockchain fails to provide the desired integrity, and the voter may never know of the alteration."

The report goes on to say that "Blockchains do not provide the anonymity often ascribed to them." It continues: "In the particular context of elections, voters need to be authorized as eligible to vote and as not having cast more than one ballot in the particular election. Blockchains do not offer means for providing the necessary authorization. [...] If a blockchain is used, then cast ballots must be encrypted or otherwise anonymized to prevent coercion and vote-selling." The New York Times summarizes the findings: The cautiously worded report calls for conducting all federal, state and local elections on paper ballots by 2020. Its other top recommendation would require nationwide use of a specific form of routine postelection audit to ensure votes have been accurately counted. The panel did not offer a price tag for its recommended overhaul. New York University's Brennan Center has estimated that replacing aging voting machines over the next few years could cost well over $1 billion. The 156-page report [...] bemoans a rickety system compromised by insecure voting equipment and software whose vulnerabilities were exposed more than a decade ago and which are too often managed by officials with little training in cybersecurity.

Among its specific recommendations was a mainstay of election reformers: All elections should use human-readable paper ballots by 2020. Such systems are intended to assure voters that their vote was recorded accurately. They also create a lasting record of "voter intent" that can be used for reliable recounts, which may not be possible in systems that record votes electronically. [...] The panel also calls for all states to adopt a type of post-election audit that employs statistical analysis of ballots prior to results certification. Such "risk-limiting" audits are designed to uncover miscounts and vote tampering. Currently only three states mandate them.

10 of 106 comments

  1. Oh the irony by the_skywise · · Score: 3, Insightful

    All elections should use human-readable paper ballots by 2020. Such systems are intended to assure voters that their vote was recorded accurately. They also create a lasting record of "voter intent" that can be used for reliable recounts,

    Now I agree with this and am happy to move back to paper ballots. But the entire reason we moved away from paper ballots was because of the 2000 elections, where Florida used punch cards and political officers kept trying to argue over "partial punches", "dimpled chads" and "dangling chads", where they tried to reassess what the voter's INTENT was.
    And, of course, let's not forget magical disappearing and appearing boxes of ballots.
    Any system can be hacked but the electronic one is harder to track hacking than the good ol' traditional methods with paper ballots.

    1. Re:Oh the irony by Dare nMc · · Score: 2

      There have been academic papers proposing electronic systems that would be safe, where you could verify that your vote was counted (i.e. received at the server).

      In theory with open software, hardware, and multiple servers (again all open source) we could have a very robust electronic voting system. This would require a large project likely done with universities, and it may even be similar to some bitcoin concepts.

      The technology side is very solvable, getting the project started, past the politics, and accepted by people who aren't able to understand the theory behind it is the hard part.

      I am confident that currently political parties are strongly against starting down this path, as once it was implemented we could do things like nationwide ballot initiatives, and those can bypass lobbyists and pork barrel politics.

    2. Re:Oh the irony by Dare nMc · · Score: 2

      > Verifying that your vote is counted doesn't tell you the election is untampered; and verifying that your vote has been counted opens up the election to tampering via vote-buying.

      That everyone can verify their votes are un-tampered actually does tell us exactly that. And no, we only allow you to prove to others that you voted. There are several proposals that have been discussed to do this, where you can leave with your vote encrypted on paper, and you can provide any number of false keys to prove whatever you want anyone else to see; only if they were in the booth with you could they get the real key. You would only give a small % of volunteers from each machine the option to verify the true keys are used throughout. The other option is to allow multiple votes, such that only the last one is counted. Again, only a small % are required to be given the true decryption keys to validate the process is working and we don't have a massive corruption of the process.

      > We must verify that the ballots as a whole are counted, collected, and summed.

      Exactly, that is why you allow everyone to validate their true ballot is cast. You also allow as many servers collecting results, with the same open source software. You can verify and validate they all get the same results; if any official servers differ, or sufficient private servers differ to raise concern of a mass fraud, then you can re-run all the ballots and find the difference. The states would have the keys for every machine in the state, and verify all machines reported in their results, and no extra machines reported extra results.

      By having states generate their own private keys, you would have multiple keys, one for voter identity, one for candidates, another for each polling place's id. After the election is over and the server data is verified received, you release the candidates' private key, and every server can tabulate the results (there is a proof of concept of doing math on encrypted data, without the keys, so it is possible all results could be calculated and compared before receiving the private keys; you only need the private keys to declare the winner, and that can be done after all servers have verified they came to the same winning result.) That way the private key cannot be used during the election to generate any more public keys...

      As long as the private key for voter id is kept secret from all but a single validation location, even if you give your voter id to someone else, they cannot find your vote information. You can only verify the complete and un-altered vote you cast was received at every server. Since every vote, polling place cast, ID cast... is public information. Select people, in isolation using all the private keys can validate the entire election process.

      The great thing about SSL is we only care if the voting machine is secure; the encrypted packet can be path agnostic. Votes could all be printed and carried on paper and scanned. They could be flash drives; people could scan them at home and broadcast them. You can send the packets in 50 different ways, and state actors would have to block/corrupt all 50 ways to block that vote. Duplicates are discarded. Until the private key is released, all is secured.

      > I like pork.

      Not all government would be by direct vote; that isn't how states with ballot initiatives work. But currently a bill like national health care could never get passed cleanly, as there is no way to pass it without paying off the special interests in DC. That is not true with ballot initiatives: if it is good for the majority and isn't being done through the normal process, this is where the corrupt process bypass happens. A health initiative or public university project could produce the bill that is then taken outside of partisan politics for passage. The standard process still stands for bills where that system is working.

  2. Re:All security = an implementation. by PopeRatzo · · Score: 5, Insightful

    To say blockchain is inherently unsafe is like saying software is inherently unsafe

    Oh, you are so close to a breakthrough.

    When it comes to voting, blockchain, like software, IS inherently unsafe. If the main goal for voting security is maintaining the people's confidence in an election, the only system that will meet that standard is a system where people are actually keeping an eye on one another. And I mean physically watching one another. And that's the system we had in place before the advent of voting machines and election software. You had a room full of election judges from both sides, and they sat side-by-side checking in voters as they approached the voting booth and physically watched them put the ballot in the box. When the votes were counted, there was a whole bunch of people from both parties standing around keeping a close eye. When the ballots were sent for storage, one person from each party rode in the truck to drop them off after sealing the container - together - and signing off.

    It was trust, but verify. Was it possible to jigger with an election like that? Of course. But you had a list of names of people you could hold accountable at every step in the process. Electronic voting will never, ever be trusted. That is the effect of transparency.

    --
    You are welcome on my lawn.

  3. Key statement by Anonymous Coward · · Score: 2, Insightful

    The key statement in the finding that most technology solutions fail to solve is this:

    "Such systems are intended to *assure* voters that their vote was recorded accurately."

    In the end, paper ballots may seem inefficient from a processing perspective, but that inefficiency becomes inherently difficult to tamper with and builds in systems for checks and recounts. The argument here is that blockchain is vulnerable before the data is stored in the blockchain, at the UI and the machine level, and blockchain then will hard-code the malicious event.

    But the key phrase here is "assure voters that their vote was recorded accurately". In the end, an inefficient system being difficult to tamper with makes voters feel more secure, meaning there is less likely a challenge to the system. If the voting public believes the system can be tampered with at a large scale level, then challenges and recounts and legal battles will happen with every election, and that undermines the process where there is a simple majority winner. Instead, regardless of their margin of victory, every winner is subject to suspicion by the public. Maintaining public confidence in the accuracy of the system is far more important than the actual accuracy of the system.

  4. Paper ballots are by far the most secure solution by Seven Spirals · · Score: 4, Insightful

    Gimme a break. Use paper. Computers will be better tools for tabulating and processing the votes after they are cast, but it's tough to beat paper for a recount. Even paper has its flaws, but the hand waving crypto-bullshit is pathetic: "Oh but this counter signature will detect if the previous initialization vector was properly zeroed inside of the S-Box" *rolls eyes*. KISS, baby. Things don't get more secure by making them more complex, and I can't think of any way to make something more complex than to introduce computers. Computers are great at some things, ideal for some tasks: not for voting. They suck at that.

  5. Re:All security = an implementation. by Anonymous Coward · · Score: 2, Insightful

    " If the main goal for voting security is maintaining the people's confidence in an election " - Well I don't agree with that starting point definition. I think security = security, not theater of.

    Then you're bad at security. Security is theater.

    There is no impregnable system. Security can only increase the difficulty of entering a system; it cannot stop a determined opponent. Is a CCTV system going to stop someone from breaking into your store? No, but it will make the person think twice about it, because they are likely to be recorded, found, and caught. Is the TSA likely to stop all bad guys from getting on planes? No, but it alters how much they must prepare to get on board the plane, so hopefully they'll trigger a signal and get caught before they get on, or try a different route. Does voting security stop fraud from happening? Of course not, but it makes it difficult enough to tamper with to turn away most bad actors, and ensures the voters have confidence in the system.

    Security ultimately changes the decision set of every actor involved toward a common good.

    And quite frankly, blockchain does not equal security. It makes an unalterable database, but it does not secure the machine, the UI, and given tech's publicly poor history of securing people's information, it absolutely does not provide confidence of capability to the general public.

  6. Or, for heaven's sake, you can just use paper by mark-t · · Score: 2

    Make a simple mark on a paper ballot indicating your vote, fold it, put it in a box.

    done

    Now theoretically you could bribe people who do the counting, but you'd have to bribe a *LOT* of people to make any kind of difference because each individual ballot box with the folded ballots contains but a tiny fraction of the number of votes, and nobody ever counts the ballots from more than one or sometimes two different boxes.

  7. Re:All security = an implementation. by shellster_dude · · Score: 2

    Blockchains are obviously a terrible solution to election fraud. The only thing that prevents blockchain tampering is a ton of neutral third party machines checking the transactions (typically miners). We've already seen that this is a non-trivial problem when there is plenty of incentive for random people to fulfill that role (mining of cryptocurrency). National elections have very little incentive for people to invest thousands in hardware and electricity, and a ton of incentive for nation states like China or Russia with the funds and technology to manipulate the results.

    If you instead make it a closed system with government machines validating the results, you've not solved anything (or at least nothing that couldn't be solved with more traditional cryptographic techniques like public/private key encryption, signing, and progressive cryptographic hashing). You still haven't solved the issues of patching, of the public's trust in the machines and people involved in securing the infrastructure, or prevented a malicious third party from compromising that infrastructure and altering the results. Blockchain only provides any type of verification when you can trust that the majority of the verifying machines are not working in league to forge results, and in a voting infrastructure of relatively well secured machines you can do a lot better. Blockchain introduces a ton of extra complexity, which leads to a ton of additional attack surface, while again not providing a lot of value.

    Finally, blockchain does nothing to solve the issue of machines registering one vote and writing a separate vote to the ledger, or even registering multiple votes that are fraudulent. In other words, it is simply a highly inefficient tool that exists to solve an entirely different problem.

    Things that would vastly improve voting security:
    1) When the user comes in, check their ID to validate they are who they claim to be, and that they are allowed to vote.
    2) Give them a randomly generated, complex, unguessable ID number (voteid) in the form of a QR code. This should not be tied to their identity in any way.
    3) Have the user scan said voteid to begin voting, then store it with their vote results, and give them the progressive hash of the chain of votes before and after their votes are tallied.
    4) Allow the user to swipe their voteid before leaving the voting area, and view how their vote was tallied, on a separate machine (thus increasing the complexity and size of the hack required to hoodwink a cautious user).
    5) Allow all users to go online and view their votes as they were recorded (and will be tallied) by entering their voteid on a public website, as well as the aforementioned progressive hashes.
    6) Have a process by which a user can, upon presenting their voteid, contest how their votes were recorded (both at the voting place, and after the election).

    Of course the progressive hash idea is somewhat simplistic; public/private key signing or other more complex solutions could be implemented with different risk profiles. Yes, there are still ways that such a system can be hacked and manipulated, but the skill and breadth of the hack would need to be significantly increased to pull it off unnoticed. More importantly, users would be empowered to a fair degree of confidence that their vote was recorded as they intended.
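The voteid and progressive-hash scheme in steps 2 through 5 of the comment above, worked through as an added example that is not the commenter's code nor that of any real voting system: a toy hash-chained ledger in Python with the receipt check a voter would run and the chain check an auditor would run, including the case where whoever alters a stored vote also recomputes every later hash. VoteLedger, the candidate names and the three-vote scenario are constructed for this illustration.

```python
import hashlib
import json
import secrets

GENESIS = "0" * 64  # the "hash before" the first recorded vote

def entry_hash(voteid: str, choice: str, prev: str) -> str:
    body = json.dumps({"voteid": voteid, "choice": choice, "prev": prev}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

class VoteLedger:
    def __init__(self) -> None:
        self.entries = []  # append-only; each entry is hash-chained to the previous one

    def record(self, voteid: str, choice: str) -> tuple:
        # Step 3: store the vote, hand back (hash before, hash after) as the receipt
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = entry_hash(voteid, choice, prev)
        self.entries.append({"voteid": voteid, "choice": choice, "prev": prev, "hash": h})
        return prev, h

    def receipt_matches(self, voteid: str, choice: str, receipt: tuple) -> bool:
        # Steps 4/5: the voter looks up the voteid and compares with what the booth showed
        e = next((e for e in self.entries if e["voteid"] == voteid), None)
        return e is not None and e["choice"] == choice and (e["prev"], e["hash"]) == receipt

    def verify_chain(self) -> bool:
        # Auditor's check: every hash matches its content and its predecessor
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or entry_hash(e["voteid"], e["choice"], prev) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def rechain(self) -> None:
        # Recompute every hash after an alteration, as someone with write access could
        prev = GENESIS
        for e in self.entries:
            e["prev"] = prev
            e["hash"] = prev = entry_hash(e["voteid"], e["choice"], prev)

def demo() -> dict:
    # Constructed scenario: three votes, one stored vote altered, then the chain rehashed
    ledger = VoteLedger()
    vid = secrets.token_hex(16)  # Step 2: random voteid, not tied to the voter's identity
    receipt = ledger.record(vid, "candidate-A")
    ledger.record(secrets.token_hex(16), "candidate-B")
    ledger.record(secrets.token_hex(16), "candidate-A")
    intact = (ledger.verify_chain(), ledger.receipt_matches(vid, "candidate-A", receipt))
    ledger.entries[0]["choice"] = "candidate-B"  # stored vote changed behind the voter's back
    altered = (ledger.verify_chain(), ledger.receipt_matches(vid, "candidate-A", receipt))
    ledger.rechain()  # chain is self-consistent again; only the voter's receipt disagrees
    rehashed = (ledger.verify_chain(), ledger.receipt_matches(vid, "candidate-A", receipt))
    return {"intact": intact, "altered": altered, "rehashed": rehashed}
```

Note what the receipt does and does not catch: an after-the-fact change to a stored vote fails the receipt check even once the chain has been rehashed into consistency, but a machine that records a choice other than the one it displayed before hashing produces a perfectly consistent receipt, which is the gap that step 4's separate machine and the report's malware warning both point at.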

  8. Re:Paper ballots are by far the most secure soluti by DNS-and-BIND · · Score: 2

    The PRI in Mexico rigged elections for 80 years using nothing but paper ballots.

    --
    Shutting down free speech with violence isn't fighting fascism. It IS fascism!