Blockchain Voting: Solves None Of The Actual Problems Of Online Voting; Leverages None Of The Benefits Of Blockchain
from the oh-come-on-now dept
Just recently we wrote about why blockchain-based DRM was a terrible idea, and it could be summed up by the simple fact that a blockchain solves none of the "problems" of DRM today, and leverages none of the actual benefits of a blockchain. And... now I feel like writing basically the same exact post around blockchain voting. Like blockchain DRM, blockchain voting is one of those ideas that gets tossed around a lot. For decades, lots of people who actually understand computer security have explained why online voting is a horrifically bad idea in that it involves effectively unsolvable problems. It's not that it's a "hard" problem, it means that online voting is effectively impossible without massive changes to almost everything we do in ways that we can't really comprehend right now. There are some serious researchers who are thinking about this, but to date, there is nothing even remotely close to to being acceptable, and there may never be.
And yet, the "simplest" way that some people understand the risks of online voting is basically "it would be bad if someone could change your vote and no one would know." That's an easy to understand point to make, but the problems with online voting go way, way beyond that. Do a simple Google search on why online voting is a terrible idea and you'll get dozens of on-point results, but if you want a nice, simple explanation of just the first pass of potential risks with online voting, check out this video from a couple years ago by Princeton professor Andrew Appel, who has been studying voting security for many, many years:
It's 21 minutes, and if you're unsure of why internet voting is dangerous or think there's a simple solution, I'd urge you to watch it. But for those who don't, I'll just toss up one single slide from the presentation, which is not even remotely comprehensive in the list of potential problems with online voting:
That doesn't even get at a number of other potential issues (some of which are discussed in the video). And yet -- as with blockchain-for-DRM -- there's always someone who thinks that the only real problem is the double spend problem. Enter Alex Tapscott and the NY Times. Alex Tapscott is the son of Don Tapscott, who has written a number of fairly influential books related to technology and innovation, including "Growing up Digital" and "Wikinomics." In 2016, he teamed up with his son, Alex, and wrote a book called "The Blockchain Revolution," which is a fun read (they sent me a copy), if a bit overly excited in its analysis of potential implementations of the blockchain. As I've said in the past, I'm a believer that blockchain/tokens can completely revolutionize a few areas of the internet, but people have yet to really figure out which areas can take advantage of what is unique about the blockchain (beyond highly volatile currencies).
My favorite review of the book on its Amazon page includes this lovely sentence: "After the opening chapter, it turns into a rambling acid trip of delusional fantasies about exactly how blockchain will inevitably fix all the things wrong with society and the world."
Anyway, along comes Alex Tapscott and on election day, the NY Times gave him precious space to spew utter nonsense about how it's time for online voting... via the blockchain.
The key weakness of early online voting systems was the inability to solve what cryptographers called the “double spend problem.” When we send a file on the internet, we’re actually sending a copy of that file; the original remains in our possession. This is acceptable for sharing information but unacceptable for recording votes in elections. The possibility that individuals could cast their ballots multiple times for a candidate made these systems useless — just as vulnerable as paper ballot systems. Points of failure included susceptibility to hackers, coding bugs, and human error. With enough resources, any rogue could “stuff” a digital ballot box with illegitimate votes.
Except... that's not the key weakness in early online voting systems. It is one problem, but kinda far down the list. Look at that still from Appel's video above. Double spending isn't even there, really. Yet, Tapscott's piece acts as if it's the biggest problem, and easily solved with blockchain.
Since the NY Times published that article, plenty of folks with actual computer security expertise have stepped up to debunk it. Ben Adida, the Executive Director of a new organization called Voting Works, attempting to build secure, open source voting machines, actually debunked it a year ago (that's how good he is):
In a typical election setting with secret ballots, we need:
- enforced secrecy: a way for each voter to cast a ballot secretly and no way to prove how they voted (lest they be unduly influenced)
- individual verifiability: a way for each voter to gain confidence that their own vote was correctly recorded and counted.
- global verifiability: a way for everyone to gain confidence that all votes were correctly counted and that only eligible voters cast a ballot.
Let’s say we have a Blockchain-style distributed database. How far does that get us to meeting these needs?
A distributed database of all cast votes, where everyone sees the same state of the world, would certainly be useful for (3) global verifiability and to some degree for (2) personal verifiability. That said, it won’t get us all the way there on those, and it won’t get us anywhere on (1) enforced secrecy.
Specifically, to combine personal verifiability with enforced secrecy, we need some mechanism that gives each voter enough confidence that their vote made it all the way to the tally, but not so much that they can sell their vote to a buyer/coercer. A public ledger of plain votes is a terrible idea, since that makes vote selling trivial. A public ledger of vote tracking numbers of sorts is better for privacy, though it doesn’t really provide actual verifiability that the contents of the ballot weren’t tampered with. Clearly, we need something more, and that something simply isn’t provided by a distributed ledger.
In a typical election setting with secret ballots, we need:
- enforced secrecy: a way for each voter to cast a ballot secretly and no way to prove how they voted (lest they be unduly influenced)
- individual verifiability: a way for each voter to gain confidence that their own vote was correctly recorded and counted.
- global verifiability: a way for everyone to gain confidence that all votes were correctly counted and that only eligible voters cast a ballot.
Let’s say we have a Blockchain-style distributed database. How far does that get us to meeting these needs?
A distributed database of all cast votes, where everyone sees the same state of the world, would certainly be useful for (3) global verifiability and to some degree for (2) personal verifiability. That said, it won’t get us all the way there on those, and it won’t get us anywhere on (1) enforced secrecy.
Specifically, to combine personal verifiability with enforced secrecy, we need some mechanism that gives each voter enough confidence that their vote made it all the way to the tally, but not so much that they can sell their vote to a buyer/coercer. A public ledger of plain votes is a terrible idea, since that makes vote selling trivial. A public ledger of vote tracking numbers of sorts is better for privacy, though it doesn’t really provide actual verifiability that the contents of the ballot weren’t tampered with. Clearly, we need something more, and that something simply isn’t provided by a distributed ledger.
That's only part of Adida's thorough takedown of the concept.
Tim Lee at Ars Technica highlighted another batch of problems:
Tapscott focuses on the idea that blockchain technology would allow people to vote anonymously while still being able to verify that their vote was included in the final total. Even assuming this is mathematically possible—and I think it probably is—this idea ignores the many, many ways that foreign governments could compromise an online vote without breaking the core cryptographic algorithms.
For example, foreign governments could hack into the computer systems that governments use to generate and distribute cryptographic credentials to voters. They could bribe election officials to supply them with copies of voters' credentials. They could hack into the PCs or smartphones voters use to cast their votes. They could send voters phishing emails to trick them into revealing their voting credentials—or simply trick them into thinking they've cast a vote when they haven't.
[...]
But let's think about how this would play out in practice. Suppose it's mid-November 2020 and Donald Trump has narrowly won reelection. A few thousand voters in key swing states come forward to say that they intended to vote for Trump's opponent but their vote was recorded for Trump instead. Thousands of others say they tried to vote for Trump—or against him—but their votes weren't counted.
Was that due to hackers meddling with the vote, technical snafus, or user error? Were some of them just misremembering how they had cast their ballots? There would be no way to know for sure.
An important property for an election is finality: you want a well-understood process that makes people confident in the result. The paper-based process used in most states today isn't perfect, but it's pretty good on this score. Each vote is recorded on a paper ballot that's available for anyone to look at. Everyone understands how paper ballots work. People can observe the vote-counting process to verify that no ballots were altered. So not only does the process usually lead to an accurate count of peoples' votes, it also builds public confidence in the integrity of the result.
Blockchain voting would be much, much worse. Hardly anyone understands how a blockchain works, and even experts don't have a good way to observe the online voting process for irregularities the way an election observer does in a traditional paper election. A voter might be able to use her private key to verify how her vote was recorded after the fact. But if her vote wasn't counted the way she expected (or wasn't counted at all) she'd have no good way to prove that she tried to vote a different way.
Just a few months back, we also wrote about the terrible idea that West Virginia was experimenting with, via a company called Voatz (which is mentioned in Tapscott's article) that was building a "blockchain-based" system to allow military personnel overseas to vote via their mobile phones. And of course, as we noted at the time, it had all the same problems of all these systems. What it adds in "convenience" (if anything) is completely outdone by the security nightmare it creates.
Again, I still think blockchains have some potential to do some pretty useful things, but the idea that they can solve any old basically impossible under current realities technology problem by sprinkling magic "crypto" and "distributed" pixie dust on the problem is not a good look. Which should lead people to asking why the NY Times is publishing it without any fact checking at all?
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: blockchain, voting
Reader Comments
Subscribe: RSS
View by: Time | Thread
Well that's bloody disappointing.
It seems that on-line voting would be the natural next step from mail voting.
Though this raises questions of what mail voting does that online voting does not that assures it is secure, or are the security problems similar but we ignore them?
[ link to this | view in thread ]
enforced secrecy, individual verifiability, global verifiability
Maybe I'm missing something but we have none of these for non-internet voting in the United States.
In fact, our epidemics of voter suppression, rumors of illegal voting and electronic voting machine failures all indicate that we don't.
[ link to this | view in thread ]
But...
Surely that must make it more important?
[ link to this | view in thread ]
DBA's prespective
The only reasonable use case I have ever seen outside bitcoin was cradle to grave part tracking for airplanes and other very expensive items with critical infrastructure tracking requirements across several actors.
This could still be done better by a dedicated government agency using a database and an API.
Voting's problems with Blockchain is all about the fact that who you vote for is secret. The block chain does nothing to hide who you voted for in any format that could not be reverse engineered. In fact no computer solution that could be used for online voting is so far able to provide validation and untrackability of the voters votes.
Paper ballots work, Computers that print paper ballots work, everything else requires you to give up the ability to validate or to keep a persons vote secret.
[ link to this | view in thread ]
Re: Well that's bloody disappointing.
Vote-by-mail has some security problems, yes.
[ link to this | view in thread ]
[ link to this | view in thread ]
I'm more concerned that Republicans continue to prove that they're willing to use any trick in the book to try to keep anyone who isn't a Republican from even trying to vote at all or to keep their votes from being counted if they do manage to vote. The current Republican Party does not believe in democracy or majority rule, which makes every one of them a traitor to this country.
[ link to this | view in thread ]
[ link to this | view in thread ]
Typo
[ link to this | view in thread ]
Re: enforced secrecy, individual verifiability, global verifiability
Yes it would be best if we could have them completely. Unfortunately we've never found a way to do that. Thankfully the paper system we have in place now does have them to a decently strong degree. While it does have it's problems it largely does accomplish what we need it to well enough that what corruption does exist around it is not able to completely change the end results.
We should certainly keep trying to find better ways, but the point of this article seemed to be that this proposal is completely incapable of even meeting the current standards, much less making them better.
[ link to this | view in thread ]
"a decently strong degree"
I think the indictments I mentioned indicate that we have them to an insufficiently weak degree.
In the voting systems we have, there are certainly points of human involvement which are vulnerabilities, more prone to failure due to error than corruption, though the exact match policy in Georgia indicates how corruption can be implemented. Can the implementation of automation, perhaps with encryption serve the public better than appointing a clerk who is allegedly impartial?
And my above point remains: voting by mail is pretty vulnerable as we do it now. Could voting by email be made no more vulnerable than voting by mail?
If so, the advantage is more people will vote.
[ link to this | view in thread ]
Re: Verify your vote?
-- no way to do that in U.S.
You must blindly trust a complex, variable election system that is prone to human and technical error, as well as fraud.
There's an appreciable margin-of-error in every election. That becomes a big deal on close election races where the winner can be decided on a tenth-percent of the total vote.
Remote Voting (mail/online) and Secrecy sharply increase the margin-of-error.
Eliminating remote voting and secrecy is not a crazy idea.
The secret/Australian ballot was only adopted in U.S. in 1890. The American Founding Fathers would be appalled at cowardly citizens not publicly declaring their choices in government nor openly participating in civil society.
All American voters are very proud of their specific votes ... or they wouldn't vote (right?)
Remote voting should be a rare option for a tiny percentage of citizens. Voting is serious business and should not be treated casually; physically voting at a polling location is a trivial effort compared the routinely weekly activities in most all people' lives. Widespread remote voting is far to risky to justify its modest convenience to citizens.
[ link to this | view in thread ]
Re: DBA's prespective
Except one-way hashing.
[ link to this | view in thread ]
Re: Re: Verify your vote?
All American voters are very proud of their specific votes ... or they wouldn't vote (right?)
I'd definitely avoid participating in elections if my vote was available to the winner or those working in the law enforcement and justice systems... or even my employer, for that matter.
The American Founding Fathers would be appalled
They would most assuredly kick my cowardly (but free & employed) ass :)
[ link to this | view in thread ]
Re: "a decently strong degree"
Much of what you're talking about is I think a different topic. Voter suppression policies, for example, aren't related to the security of the voting process. It's a problem, but it's a different problem.
Only if the problems with the current system are in significant part due to officials who should be impartial but are not, which is not the case. There are people from multiple political parties overseeing every step of the voting process, so nobody can easily get away with miscounting votes.
Maybe eventually, and people are working on it. But right now no.
[ link to this | view in thread ]
Blockchain is web-scale
Give me a block!
Give me a chain!
Block-Chain!
All the cuttingest-edge enterprises are blockchaining to the max. Don't be stuck back in the digital era--be a blockchainer now!
[ link to this | view in thread ]
Re: Re: Verify your vote?
If you watch the linked video, it's not quite as bad as you make it sound. And you only have to trust blindly if you don't take the time to learn how it works.
It's not cowardly to want secret voting, it's a recognition that unethical actors would take advantage of public voting to buy and/or coerce votes.
[ link to this | view in thread ]
Re: Re: Re: Verify your vote?
[ link to this | view in thread ]
Re: Re: Re: Re: Verify your vote?
I do. I don't.
But... I'm enough of a naive idealist that, when it comes to voting, I feel obligated to act as though I trust the system to work as advertised. (How naive? I even voted when I lived in Chicago.)
[ link to this | view in thread ]
Re: Re: DBA's prespective
An all electronic network voting system has no reliable way of generating a break between validating the voter, and counting the vote that they cast, in that its needs to validate that a person is eligible to vote, and only casts one vote. Also it needs to see who they voted for to count the votes, and ensure that replay of the message does not result in a double vote. There is no way of guaranteeing that the two will not be linked by whatever token is used to ensure that someone can only submit their vote once.
[ link to this | view in thread ]
Re: Re: Re: Verify your vote?
tradeoffs are necessary to optimize most systems.
the nitty-gritty vote casting/counting system is totally invisible to 95% of Americans. that ain't good for self-government
how did America survive and prosper until the 20th Century without secret voting?
[ link to this | view in thread ]
Re: "a decently strong degree"
Is that really an advantage? Statistically, most people base their votes on rather trivial criteria such as party affiliation rather than the candidate's actual voting/policy record, candidate's physical appearance, and how the candidate's speeches made them feel. Political parties, lobbying groups, and other decision makers are aware of those determinate factors and it alters our political landscape in subtle ways - largely by ensuring that certain potential candidates never even come to our attention. A larger pool of active voters without any improvements would exacerbate this problem.
What we really want are better voters. Voters who thoroughly review the candidates in front of them and make informed, considered decisions about their votes based on things like voting/policy record, who contributed to their campaign fund, prior work experience, etc. Even if they vote for candidates we would not, so long as they voted on those sorts of criteria, would be better because the political machine would eventually adapt and offer us better candidates overall. Just throwing more voters at the elections is like throwing an ever increasing amount of money at the drug war and then wondering why drugs are still rampant in the streets.
[ link to this | view in thread ]
Re: Re: "a decently strong degree"
In neither case is the system perfect, nor does it appear that it can be. So the arguement against Internet voting becomes 'it is not possible to create a perfect system, so lets not try' when one would think it should be 'can we create an Internet voting system that is at least as good as our various manual systems'?
Who knows. Given open sourced, mission specific, hardware, OS, software, along with those 3 rules and security and auditability in mind, etc. with maybe a few years of public testing and White Hat attacking, something, while still not perfect, is at least as good as what we have now, and possibly better.
[ link to this | view in thread ]
Re: "a decently strong degree"
That's what observers are for.
[ link to this | view in thread ]
Re: Re: Re: Re: Verify your vote?
How did America survive and prosper until the civil war without a prohibition on slavery?
[ link to this | view in thread ]
Re:
My dog has his own driver's license and drives a truck for a living.
Yeah, right.
[ link to this | view in thread ]
Problems? What problems?
[ link to this | view in thread ]
Re: Well that's bloody disappointing.
[ link to this | view in thread ]
What about those who, for whatever reason, do not have access to a computer? The computers in a library are not very secure at present, not sure that can be fixed. There would have to be a system in place to accommodate these people for obvious reasons. And then there are the military ballots, many times they are not counted. Is it too difficult to accomplish this? Why?
[ link to this | view in thread ]
You've missed the point
[ link to this | view in thread ]
How did the US survive and prosper
Well, it didn't.
To date we've had a voting system that was rigged, though I can't verify the graveyard voters in Illinois that helped put JFK in office, I CAN speak to robber barons like Boss Tweed who assured the affluent chose who got nominated. Candidates have to lean to the green in order have a chance to get elected, which means the public hasn't been represented well all this time.
But what this tells me is that if we don't have an impregnable voting system, those with resources are going to find ways to subvert it even if we reform campaign financing. In 2018 at least on the incumbent Republican side, they didn't even try to hide their efforts to subvert the vote, any more than they tried to hide their demagogy.
So the way the US survived all this time was by letting the rich win.
[ link to this | view in thread ]
Re: Re: Re: DBA's prespective
As someone pointed out in another comment, all of the attacks on Internet voting completely ignore the flaws in the current system and demand a perfection that isn't currently there. You're criticizing something that isn't a blockchain problem, it's a single vote voting system problem.
[ link to this | view in thread ]
Online voting vs. Blockchain voting
I think the whole story goes like this:
~ We haven't figured out online voting.
~ Wait, can blockchain technology be applied to make it work?
~ Not in the ways we've conceived of.
Now according to Masnick lots of people who actually understand computer security have explained why online voting is a horrifically bad idea in that it involves effectively unsolvable problems. It's not that it's a "hard" problem, it means that online voting is effectively impossible
Which makes it sound like there's a fundamental flaw much the way there is in encryption backdoored for law enforcement. I don't know what that fundamental flaw is, or if it's a flaw in that we can't create something perfect though we could create something that's robust at all the key points.
In my case, vote-processing isn't something I have studied enough to understand, except that after Florida 2000, I lost faith that the systems in the US even try to be impartial. They clearly do not, and this has been confirmed countless times since.
I guess that's to say I'm too cynical to reject online voting out of hand, on the basis that paper voting already sucks so much it's difficult to imagine something sucking more.
[ link to this | view in thread ]
Re: Re: Re: Re: DBA's prespective
A voting system generally has the requirement of one person, one vote, which means registering voters, and ensuring that they only vote once. With a paper ballot, control over issuing ballot papers, and checking that only one ballot per person is put in the box, is a pretty robust system for controlling voting while keeping actual votes anonymous.
The online equivalent would be to issue a unique token to every voter, and use it to ensure that they only vote once. This can be a two step process, using two systems, one which validates the person and issues the token, and the other which issues the ballot, and uses the token to ensure that a person can only vote once. Without that unique token, the system cannot limit one person to one vote, and with it, it is trivial to find out who voted for whom.
[ link to this | view in thread ]
Re: You've missed the point
If that's what you think made voting "not secret," you seem to misunderstand what's "secret" about a "secret ballot."
Your vote has to be counted, therefore someone, somewhere, will eventually look at your vote. Your vote will be seen by someone, that's the point of voting.
It's still a "secret ballot," though, IF nobody is able to identify which vote belongs to which voter. Unless you sign your ballot, or take a selfie with it, no-one can link a specific person to a specific ballot. No number of tracking ink patents can change that, since the polling place has no control over which ballot you take, nor which booth you fill it out in.
If you were required to keep a portion of your ballot to match you to a specific vote, that would be different. But you aren't required to keep your ticket stub, it's not a movie theater. All tracking-ink technology has been proven to do is prevent polling workers from printing off extra, possibly fraudulent, ballots.
Could it be abused? Well, yeah, sure. But it hasn't. You would need some pretty air-tight evidence to convince anyone otherwise, too.
After all, like they say: Extraordinary claims require extraordinary proof.
[ link to this | view in thread ]
Hidden ballot >> anonymous vote
I think in an ideal system, the voter can check his own voting block and confirm the votes are recorded as he intended. This could be done with a hashing system
If the voter is the only one that keeps the ID ticket afterwords that would allow the end vote tallies to be anonymized, thus preserving ballot secrecy.
And then an open-source tallying system would at least provide the confidence that if that code was used to tally the data, then the confidence of the count is high. If there was a way to also have it provide a unique execution hash, then it could be tallied redundantly, and if the execution codes match, we're pretty sure they ran the right software. (On the grounds that our haxxors couldn't affect all the redundant counters).
To be sure, I'm only speculating. I haven't heard the specific paradoxes that are associated with the online voting problem.
[ link to this | view in thread ]
Re: Re: Verify your vote?
They were an appalling bunch of dicks, so that gets you a microfraction of the way towards even, i guess.
[ link to this | view in thread ]
Re: Blockchain is web-scale
on a computer.
on the internet.
with blockchain!
also with ai, the singularity, and uploading my consciousness.
ima patent that shit, hard.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: DBA's prespective
Yes.
> and checking that only one ballot per person is put in the box
Yes.
> , is a pretty robust system for controlling voting
Yes.
> while keeping actual votes anonymous.
No.
If you point out flaws in the blockchain solution, you must be willing to accept flaws in the paper solution. I can think of a dozen ways to prevent votes from being anonymous. For example, I could mark all of the ballots ahead of time. I could open the ballot box after you vote. I could give each voter a new pen to use when they sign in, then track fingerprints on the ballot.
Could paper voting be anonymous? Sure. If you trust the party holding the vote. Which is really all anyone can do. If you don't trust the party holding the vote (ahem, Georgia) game over.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: DBA's prespective
1) You have to do them in meat space
2) You can only "Hack" a county at most
3) People are guarding the vote system and watch for issues like the ones you stated
Security even with a double token system is less robust at every step of the way with an all electronic system. No matter how robust the system, if a bad actor gets involved, the electronic voting system can result in pairing the tokens again unless you can come up with some kind of secret key that only the voter would know, and this is not technically doable at this time.
Also no one is moving the goal posts, we're being very clear that the security problem has flaws that block chain does nothing to fix.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: DBA's prespective
You also need to record who they are issued to, and to then record the votes on each ballot, and collate all that work into a paper or electronic database. That scheme requires access to the ballots outside of the counting hall to obtain the voting record.
You need at least one, and more usually two keys which are not normally available at the polling station. You also need to be sure that other voters will not see you opening the ballot box.
You need to record which pen was given to who, and the recover the fingerprints from the pen, and from the ballot paper, which requires access to those papers, probably after they have been counted.
The robustness of the paper system is due to the way the a large number of people are required to operate it normally, with different people dealing with the actual voting and counting, and all being carried out under observation.
In the electronic ballot, the hurdles to tracking votes are very much smaller than with paper, with details hidden from view, and automatable with ease. Also the cost of doing so is trivial, while doing so in a paper ballot is prohibitively expensive.
[ link to this | view in thread ]
Re: Hidden vote
... guess you are talking about open source 'software' -- but who guarantees that software is error-free to begin with and has not been altered when actually used?
Casting an individual citizen vote, officially counting all votes legally cast, and somebody officially declaring an election winner -- are 3 entirely different processes ... that vary widely across the U.S.
You must address all 3 processes in any election "system"!
Theoretically it's just an objective IT problem, consolidating millions of individual decision nodes/datapoints over communication links -- it should be simple overall.
However, there is tremendous variability in datapoint format/accuracy and communication links format/accuracy ... with much human (not computer)influence on each process.
This is not simple... like counting beans in a jar and phoning the result to somebody.
[ link to this | view in thread ]
So good you pasted the excerpt in twice eh, Mike?
[ link to this | view in thread ]
Re: enforced secrecy, individual verifiability, global verifiability
The main issue with electronic voting is one which can not be underscored enough:
In order to be really sure the machine has counted nothing but the input the one querying the machine also needs to have sufficient rights on said machine enabling him to alter the outcome.
Anything less than that and the guy trying to validate the procedure can never know s/he isn't just being shown erronous data by a root script.
And unlike the manual ballot count supervision only a handful will ever be able to tell it's happened.
So with that in mind, you think the lucky guy who's to inspect the machines counted correctly will feel tempted when people show up offering 10 million USD in small unmarked bills for skewing the vote by about 1-2%? Especially when no one is likely to ever find out?
[ link to this | view in thread ]
Re: Online voting vs. Blockchain voting
"I guess that's to say I'm too cynical to reject online voting out of hand, on the basis that paper voting already sucks so much it's difficult to imagine something sucking more."
Try this one on for size - with online voting there will be a very few technical experts who, in order to guarantee the machines work correctly, must have root access on said machines.
Meaning they can alter the vote, not just count it.
And there's no real way around the fact that the next election result may be determined entirely by a suitcase filled with dollar bills changing hands.
[ link to this | view in thread ]
Re: Hidden ballot >> anonymous vote
The voter showing this to someone else, e.g. to collect cash for voting the right way, is exactly what we're trying to guard against.
It wouldn't be, because people who don't understand cryptographic math, programming, and computer security very well—i.e., almost everyone—could not be confident about this system. Whereas with paper ballots, the election observers are just normal people who can count.
[ link to this | view in thread ]
Re: tl;dr
A blockchain solves none of those problems.
(It could solve the problem of illegal voting -- if such a problem existed -- but not the problem of rumors of illegal voting.)
[ link to this | view in thread ]
Re: Re: Well that's bloody disappointing.
Perhaps. But "this could be happening and we would never even know" is a weak argument.
It's not inherent but it's easily achievable. My state has a website I can go to, put in my name, address, and PIN, and it tells me my ballot was received and counted.
Any voting system is going to require trust in the people counting the votes. An online voting system would require trust in the people who wrote the software and operated the infrastructure.
If you can't trust the people counting the votes, you can't trust the vote. That's going to be a problem whether they're hand-counting them, feeding them into a machine, or designing the machine they're being fed into.
[ link to this | view in thread ]
Re: Re: Re: "a decently strong degree"
The tricky part is, how do you verify that it's actually running that software? By which I mean how can a computer illiterate poll worker or random voter be assured of that?
[ link to this | view in thread ]
Re:
That is the least of the problems with online voting. You can still set up polling places with voting computers for anyone who doesn't have access any other way. Presumably you would need many fewer voting machines, since most people would be voting remotely.
[ link to this | view in thread ]
Re: Typo
You have the quote from Ben Adida twice in the quoted section.
You have the quote from Ben Adida twice in the quoted section.
[ link to this | view in thread ]
Re: Re: Re: Well that's bloody disappointing.
Not really. That's kind of the whole meaning of "verifiability:" the ability to know that a plausible problem is not actually occurring.
[ link to this | view in thread ]
Re: Re: Re: Re: Well that's bloody disappointing.
Verifiability most certainly does not mean proving a negative.
[ link to this | view in thread ]
Open Source, execution hash.
This is where I thought redundancy might help.
If we have multiple machines (at least three) that not only convert the voting data block into a count, but also produce a unique execution hash, then we'd have both the end count and the hash to compare to the redundants.
If one of them doesn't match, a problem has been detected.
Of course, this is still subject to insecurities: the hash may be subject to collisions. The code may not be perfectly secure or bug free even after testing by white hats. All the redundants may be simultaneously bribed.
But from here, it looks like all of these problems are difficult to turn into massive voter fraud.
[ link to this | view in thread ]
Do we really want individual verifiability?
Let us say someone can confirm that his vote was recorded correctly.
That means he can demonstrate to a third party that his vote was recorded correctly a specific way and get paid accordingly.
So are we sure this is a good thing? Should it be limited?
It's hard to imagine a system that has all the features we want if we are uncertain whether or not we actually want them.
[ link to this | view in thread ]
Re: Do we really want individual verifiability?
And that's a central dilemma to online voting.
If voters have no way to check their vote after the fact, they have no way of knowing that it was counted accurately. (While traditional voting has its flaws, a paper ballot can be both anonymous and verifiable in a way that a digital one can't.)
But if voters do have a way to check their vote after the fact, then that means they can verify it to a third party, which opens up vulnerabilities to bribery, coercion, or other forms of pressure.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: DBA's prespective
[ link to this | view in thread ]
Re: Open Source, execution hash.
The thing is, massive fraud is not necessary. Elections are frequently so close that flipping a few precincts can change the outcome of a statewide election. That's one reason the ability to audit and recount votes with a paper ballot is so important. If all you have is computers, all you can do is ask the computers what the vote count is.
[ link to this | view in thread ]
Districts or precincts = massive enough.
When Trump and his GOP allies talk about the terrors of voter fraud (e.g. changing hats to vote again ) they're usually discussing very small elements of fraud, maybe a singke person voting three or four times. Their belief is that the great leftist militant movement can organize well enough to incite tens of thousands to act to subvert the vote.
My mass fraud I mean something like the graveyard voters that allegedly threw illinois for JFK, the conspiracy of only a couple of people. Maybe a handful, effecting tens of thousands of votes.
That is the threat our prospective voting system needs to be able to block.
[ link to this | view in thread ]
Re: Re: Re: Re: "a decently strong degree"
No idea if that would work, but it's a thought at least.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Re: Re: Re: DBA's prespective
Given a ballot number, it will take a fair chunk of time to find it on the voter roll for the relevant voting station. going in the other direction, from voter to ballot is even harder, and takes much longer once the ballots have been removed from the ballot boxes and piles together.
For that infomation to be useful outside of auditing a random sample of ballots require that the ballot number on the voter roll is entered in a database, and that every ballot is also entered into that database. which is difficult to do under the eyes of election monitors, especially as it would require a large number of people to do the data entry.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: "a decently strong degree"
[ link to this | view in thread ]
Internet Voting
https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2229557
[ link to this | view in thread ]
How is this unique only to blockchain voting and not blockchain itself?
[ link to this | view in thread ]
Re:
Because online voting has different issues than the other problems that blockchain doesn't solve.
[ link to this | view in thread ]
Re: Re: Re: Re: Re: Well that's bloody disappointing.
You think you're more intelligent than you are.
[ link to this | view in thread ]