Blockchain Voting: Solves None Of The Actual Problems Of Online Voting; Leverages None Of The Benefits Of Blockchain

from the oh-come-on-now dept

Just recently we wrote about why blockchain-based DRM was a terrible idea, and it could be summed up by the simple fact that a blockchain solves none of the "problems" of DRM today, and leverages none of the actual benefits of a blockchain. And... now I feel like writing basically the same exact post around blockchain voting. Like blockchain DRM, blockchain voting is one of those ideas that gets tossed around a lot. For decades, lots of people who actually understand computer security have explained why online voting is a horrifically bad idea in that it involves effectively unsolvable problems. It's not that it's a "hard" problem, it means that online voting is effectively impossible without massive changes to almost everything we do in ways that we can't really comprehend right now. There are some serious researchers who are thinking about this, but to date, there is nothing even remotely close to being acceptable, and there may never be.

And yet, the "simplest" way that some people understand the risks of online voting is basically "it would be bad if someone could change your vote and no one would know." That's an easy to understand point to make, but the problems with online voting go way, way beyond that. Do a simple Google search on why online voting is a terrible idea and you'll get dozens of on-point results, but if you want a nice, simple explanation of just the first pass of potential risks with online voting, check out this video from a couple years ago by Princeton professor Andrew Appel, who has been studying voting security for many, many years:

It's 21 minutes, and if you're unsure of why internet voting is dangerous or think there's a simple solution, I'd urge you to watch it. But for those who don't, I'll just toss up one single slide from the presentation, which is not even remotely comprehensive in the list of potential problems with online voting:

That doesn't even get at a number of other potential issues (some of which are discussed in the video). And yet -- as with blockchain-for-DRM -- there's always someone who thinks that the only real problem is the double spend problem. Enter Alex Tapscott and the NY Times. Alex Tapscott is the son of Don Tapscott, who has written a number of fairly influential books related to technology and innovation, including "Growing up Digital" and "Wikinomics." In 2016, he teamed up with his son, Alex, and wrote a book called "The Blockchain Revolution," which is a fun read (they sent me a copy), if a bit overly excited in its analysis of potential implementations of the blockchain. As I've said in the past, I'm a believer that blockchain/tokens can completely revolutionize a few areas of the internet, but people have yet to really figure out which areas can take advantage of what is unique about the blockchain (beyond highly volatile currencies).

My favorite review of the book on its Amazon page includes this lovely sentence: "After the opening chapter, it turns into a rambling acid trip of delusional fantasies about exactly how blockchain will inevitably fix all the things wrong with society and the world."

Anyway, along comes Alex Tapscott and on election day, the NY Times gave him precious space to spew utter nonsense about how it's time for online voting... via the blockchain.

The key weakness of early online voting systems was the inability to solve what cryptographers called the “double spend problem.” When we send a file on the internet, we’re actually sending a copy of that file; the original remains in our possession. This is acceptable for sharing information but unacceptable for recording votes in elections. The possibility that individuals could cast their ballots multiple times for a candidate made these systems useless — just as vulnerable as paper ballot systems. Points of failure included susceptibility to hackers, coding bugs, and human error. With enough resources, any rogue could “stuff” a digital ballot box with illegitimate votes.

Except... that's not the key weakness in early online voting systems. It is one problem, but kinda far down the list. Look at that still from Appel's video above. Double spending isn't even there, really. Yet, Tapscott's piece acts as if it's the biggest problem, and easily solved with blockchain.

Since the NY Times published that article, plenty of folks with actual computer security expertise have stepped up to debunk it. Ben Adida, the Executive Director of a new organization called Voting Works that is attempting to build secure, open source voting machines, actually debunked it a year ago (that's how good he is):

In a typical election setting with secret ballots, we need:

  1. enforced secrecy: a way for each voter to cast a ballot secretly and no way to prove how they voted (lest they be unduly influenced)
  2. individual verifiability: a way for each voter to gain confidence that their own vote was correctly recorded and counted.
  3. global verifiability: a way for everyone to gain confidence that all votes were correctly counted and that only eligible voters cast a ballot.

Let’s say we have a Blockchain-style distributed database. How far does that get us to meeting these needs?

A distributed database of all cast votes, where everyone sees the same state of the world, would certainly be useful for (3) global verifiability and to some degree for (2) personal verifiability. That said, it won’t get us all the way there on those, and it won’t get us anywhere on (1) enforced secrecy.

Specifically, to combine personal verifiability with enforced secrecy, we need some mechanism that gives each voter enough confidence that their vote made it all the way to the tally, but not so much that they can sell their vote to a buyer/coercer. A public ledger of plain votes is a terrible idea, since that makes vote selling trivial. A public ledger of vote tracking numbers of sorts is better for privacy, though it doesn’t really provide actual verifiability that the contents of the ballot weren’t tampered with. Clearly, we need something more, and that something simply isn’t provided by a distributed ledger.

That's only part of Adida's thorough takedown of the concept.
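
To make the last paragraph of that quote concrete, here is an added Python sketch (not from Adida's post, the NY Times piece or any real voting system) of three toy public-ledger designs checked against the secrecy and verifiability requirements. The candidate names, function names and the `TrackingLedger` class are constructed for illustration.

```python
import hashlib
import secrets
from collections import Counter

CANDIDATES = ["Alice", "Bob", "Carol"]  # constructed ballot choices


def digest(*parts: str) -> str:
    """SHA-256 over length-prefixed fields, so field boundaries are unambiguous."""
    h = hashlib.sha256()
    for part in parts:
        raw = part.encode("utf-8")
        h.update(len(raw).to_bytes(4, "big") + raw)
    return h.hexdigest()


# Design 1: the ledger stores H(vote).
def recover_unsalted(entry: str):
    """Any reader inverts the entry by hashing each possible choice."""
    return next((c for c in CANDIDATES if digest(c) == entry), None)


# Design 2: the ledger stores H(nonce, vote); the voter keeps the nonce.
def cast_salted(vote: str):
    nonce = secrets.token_hex(16)
    return digest(nonce, vote), nonce


def opens_to(entry: str, nonce: str, vote: str) -> bool:
    """The voter's self-check. Anyone handed the nonce can run the same check."""
    return digest(nonce, vote) == entry


# Design 3: the ledger stores tracking numbers only; contents stay off-ledger.
class TrackingLedger:
    def __init__(self):
        self.public = []    # published tracking numbers
        self._ballots = {}  # operator-held ballot contents, not on the ledger

    def cast(self, vote: str) -> str:
        tracking = secrets.token_hex(8)
        self.public.append(tracking)
        self._ballots[tracking] = vote
        return tracking

    def voter_sees_receipt(self, tracking: str) -> bool:
        return tracking in self.public

    def tally(self) -> dict:
        return dict(Counter(self._ballots.values()))


def evaluate() -> dict:
    results = {}

    # Design 1: a tiny choice space makes the "one-way" hash a lookup table.
    entries = [digest(v) for v in ["Alice", "Bob", "Alice"]]
    results["unsalted_recovered"] = [recover_unsalted(e) for e in entries]

    # Design 2: hidden from the public, verifiable by the voter ...
    entry, nonce = cast_salted("Bob")
    results["salted_hidden_from_public"] = recover_unsalted(entry) is None
    results["voter_can_verify"] = opens_to(entry, nonce, "Bob")
    # ... but the nonce opens the entry to exactly one choice, so it is a
    # receipt: the voter can prove the vote to a buyer or coercer.
    results["receipt_proves"] = [c for c in CANDIDATES if opens_to(entry, nonce, c)]

    # Design 3: no receipt for the contents, so nothing to sell, but also
    # nothing that detects a change to the contents.
    ledger = TrackingLedger()
    tracking = ledger.cast("Alice")
    ledger.cast("Bob")
    results["tally_before"] = ledger.tally()
    ledger._ballots[tracking] = "Bob"  # contents altered off-ledger
    results["tracking_receipt_still_ok"] = ledger.voter_sees_receipt(tracking)
    results["tally_after"] = ledger.tally()
    return results


if __name__ == "__main__":
    for name, value in evaluate().items():
        print(f"{name}: {value}")
```

The results show the tension Adida describes: whatever lets the voter check a ballot's contents also works as a receipt for a buyer, and whatever withholds the contents leaves them unverifiable.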

Tim Lee at Ars Technica highlighted another batch of problems:

Tapscott focuses on the idea that blockchain technology would allow people to vote anonymously while still being able to verify that their vote was included in the final total. Even assuming this is mathematically possible—and I think it probably is—this idea ignores the many, many ways that foreign governments could compromise an online vote without breaking the core cryptographic algorithms.

For example, foreign governments could hack into the computer systems that governments use to generate and distribute cryptographic credentials to voters. They could bribe election officials to supply them with copies of voters' credentials. They could hack into the PCs or smartphones voters use to cast their votes. They could send voters phishing emails to trick them into revealing their voting credentials—or simply trick them into thinking they've cast a vote when they haven't.

[...]

But let's think about how this would play out in practice. Suppose it's mid-November 2020 and Donald Trump has narrowly won reelection. A few thousand voters in key swing states come forward to say that they intended to vote for Trump's opponent but their vote was recorded for Trump instead. Thousands of others say they tried to vote for Trump—or against him—but their votes weren't counted.

Was that due to hackers meddling with the vote, technical snafus, or user error? Were some of them just misremembering how they had cast their ballots? There would be no way to know for sure.

An important property for an election is finality: you want a well-understood process that makes people confident in the result. The paper-based process used in most states today isn't perfect, but it's pretty good on this score. Each vote is recorded on a paper ballot that's available for anyone to look at. Everyone understands how paper ballots work. People can observe the vote-counting process to verify that no ballots were altered. So not only does the process usually lead to an accurate count of peoples' votes, it also builds public confidence in the integrity of the result.

Blockchain voting would be much, much worse. Hardly anyone understands how a blockchain works, and even experts don't have a good way to observe the online voting process for irregularities the way an election observer does in a traditional paper election. A voter might be able to use her private key to verify how her vote was recorded after the fact. But if her vote wasn't counted the way she expected (or wasn't counted at all) she'd have no good way to prove that she tried to vote a different way.

Just a few months back, we also wrote about the terrible idea that West Virginia was experimenting with, via a company called Voatz (which is mentioned in Tapscott's article) that was building a "blockchain-based" system to allow military personnel overseas to vote via their mobile phones. And of course, as we noted at the time, it had all the same problems of all these systems. What it adds in "convenience" (if anything) is completely outdone by the security nightmare it creates.

Again, I still think blockchains have some potential to do some pretty useful things, but the idea that they can solve any old technology problem that is basically impossible under current realities by sprinkling magic "crypto" and "distributed" pixie dust on it is not a good look. Which should lead people to ask why the NY Times is publishing it without any fact checking at all.

Filed Under: blockchain, voting


Reader Comments

  1. Uriel-238, 16 Nov 2018 @ 8:06pm

    Well that's bloody disappointing.

    It seems that on-line voting would be the natural next step from mail voting.

    Though this raises questions of what mail voting does that online voting does not that assures it is secure, or are the security problems similar but we ignore them?

  2. Uriel-238, 16 Nov 2018 @ 8:12pm

    enforced secrecy, individual verifiability, global verifiability

    Maybe I'm missing something but we have none of these for non-internet voting in the United States.

    In fact, our epidemics of voter suppression, rumors of illegal voting and electronic voting machine failures all indicate that we don't.

  3. Gary, 16 Nov 2018 @ 8:12pm

    But...

    But Blockchain!!!
    Surely that must make it more important?

  4. Paul Brinker, 16 Nov 2018 @ 8:29pm

    DBA's perspective

    Blockchain is nothing more than a stupid flat file encoding standard that was replaced long ago with relational and No SQL databases.

    The only reasonable use case I have ever seen outside bitcoin was cradle to grave part tracking for airplanes and other very expensive items with critical infrastructure tracking requirements across several actors.

    This could still be done better by a dedicated government agency using a database and an API.

    Voting's problems with Blockchain are all about the fact that who you vote for is secret. The block chain does nothing to hide who you voted for in any format that could not be reverse engineered. In fact no computer solution that could be used for online voting is so far able to provide validation and untrackability of the voters' votes.

    Paper ballots work, Computers that print paper ballots work, everything else requires you to give up the ability to validate or to keep a person's vote secret.

  5. Anonymous Coward, 16 Nov 2018 @ 9:33pm

    Re: Well that's bloody disappointing.

    Vote-by-mail has some security problems, yes.

    • Enforced secrecy: fail. The voter can fill out a ballot, show it to a bribing/coercing entity, then, under supervision of that entity, put the ballot in the mail, at which point the voter cannot recall it to replace it with the ballot they would have voted if not for the bribe/coercion. This one is particularly bad when you consider voters who receive help, sometimes even well-meaning, from friends or family with notably different political views. It can lead to subtle coercion through social pressure that a fully secret ballot would prevent. Since the coercion is social, rather than extortive, it will almost certainly go unreported.
    • Individual verifiability: weak. The voter can proofread the ballot before mailing it, but there is no general mechanism to verify that the envelope made it to election officials intact, was opened, and was included in the overall tally. (Some jurisdictions might provide some sort of accounting on this, but nothing in the design of vote-by-mail guarantees that it is present.)
    • Global verifiability: weak. Election observers can watch election officials opening mailed ballots and including/excluding them, but it's impractical for observers to verify that every single ballot was processed correctly. Massive corruption (such as discarding whole stacks of ballots) would be noticed, but subtle corruption (such as claiming ineligibility on valid ballots the corrupt official disliked or claiming eligibility on invalid ballots that the corrupt official liked) could slip through.

  6. This comment has been flagged by the community.
    John Smith, 17 Nov 2018 @ 1:06am

    Masnick is a big, stinky poopypants who steals my money for hookers and blow.

  7. Glenn, 17 Nov 2018 @ 3:29am

    I'm less concerned with anyone knowing how I voted than I am with being able to verify that my votes were properly counted towards my chosen candidates.

    I'm more concerned that Republicans continue to prove that they're willing to use any trick in the book to try to keep anyone who isn't a Republican from even trying to vote at all or to keep their votes from being counted if they do manage to vote. The current Republican Party does not believe in democracy or majority rule, which makes every one of them a traitor to this country.

  8. Anonymous Coward, 17 Nov 2018 @ 4:58am

    My dog got an absentee ballot in the mail so don't tell me I can't complain if I didn't vote. You wanted to put another shady lawyer in the people's house, not me.

  9. JoeCool, 17 Nov 2018 @ 7:24am

    Typo

    You have the quote from Ben Adida twice in the quoted section.

  10. Cdaragorn, 17 Nov 2018 @ 11:08am

    Re: enforced secrecy, individual verifiability, global verifiability

    You are treating them as if they are binary concepts. We can only either have them completely or not have them at all. The problem is far from that simple.

    Yes it would be best if we could have them completely. Unfortunately we've never found a way to do that. Thankfully the paper system we have in place now does have them to a decently strong degree. While it does have its problems it largely does accomplish what we need it to well enough that what corruption does exist around it is not able to completely change the end results.

    We should certainly keep trying to find better ways, but the point of this article seemed to be that this proposal is completely incapable of even meeting the current standards, much less making them better.

  11. Uriel-238, 17 Nov 2018 @ 11:53am

    "a decently strong degree"

    I think the indictments I mentioned indicate that we have them to an insufficiently weak degree.

    In the voting systems we have, there are certainly points of human involvement which are vulnerabilities, more prone to failure due to error than corruption, though the exact match policy in Georgia indicates how corruption can be implemented. Can the implementation of automation, perhaps with encryption serve the public better than appointing a clerk who is allegedly impartial?

    And my above point remains: voting by mail is pretty vulnerable as we do it now. Could voting by email be made no more vulnerable than voting by mail?

    If so, the advantage is more people will vote.

  12. Anonymous Coward, 17 Nov 2018 @ 4:14pm

    Re: Verify your vote?

    //// "...being able to verify that my votes were properly counted towards my chosen candidates."


    -- no way to do that in U.S.

    You must blindly trust a complex, variable election system that is prone to human and technical error, as well as fraud.

    There's an appreciable margin-of-error in every election. That becomes a big deal on close election races where the winner can be decided on a tenth-percent of the total vote.

    Remote Voting (mail/online) and Secrecy sharply increase the margin-of-error.

    Eliminating remote voting and secrecy is not a crazy idea.
    The secret/Australian ballot was only adopted in U.S. in 1890. The American Founding Fathers would be appalled at cowardly citizens not publicly declaring their choices in government nor openly participating in civil society.
    All American voters are very proud of their specific votes ... or they wouldn't vote (right?)

    Remote voting should be a rare option for a tiny percentage of citizens. Voting is serious business and should not be treated casually; physically voting at a polling location is a trivial effort compared to the routine weekly activities in most all people's lives. Widespread remote voting is far too risky to justify its modest convenience to citizens.

  13. justanothercommenter, 17 Nov 2018 @ 6:18pm

    Re: DBA's perspective

    The block chain does nothing to hide who you voted for in any format that could not be reverse engineered.

    Except one-way hashing.

  14. stderric, 17 Nov 2018 @ 6:32pm

    Re: Re: Verify your vote?

    All American voters are very proud of their specific votes ... or they wouldn't vote (right?)

    I'd definitely avoid participating in elections if my vote was available to the winner or those working in the law enforcement and justice systems... or even my employer, for that matter.

    The American Founding Fathers would be appalled

    They would most assuredly kick my cowardly (but free & employed) ass :)

  15. nasch, 17 Nov 2018 @ 8:52pm

    Re: "a decently strong degree"

    Much of what you're talking about is I think a different topic. Voter suppression policies, for example, aren't related to the security of the voting process. It's a problem, but it's a different problem.

    Can the implementation of automation, perhaps with encryption serve the public better than appointing a clerk who is allegedly impartial?

    Only if the problems with the current system are in significant part due to officials who should be impartial but are not, which is not the case. There are people from multiple political parties overseeing every step of the voting process, so nobody can easily get away with miscounting votes.

    Could voting by email be made no more vulnerable than voting by mail?

    Maybe eventually, and people are working on it. But right now no.

  16. Mr Big Content, 17 Nov 2018 @ 8:53pm

    Blockchain is web-scale

    Blockchain leverages the richness of the online user experience to enhance maximum techno-socio-political outcomes.

    Give me a block!
    Give me a chain!
    Block-Chain!

    All the cuttingest-edge enterprises are blockchaining to the max. Don't be stuck back in the digital era--be a blockchainer now!

  17. nasch, 17 Nov 2018 @ 8:56pm

    Re: Re: Verify your vote?

    You must blindly trust a complex, variable election system that is prone to human and technical error, as well as fraud.

    If you watch the linked video, it's not quite as bad as you make it sound. And you only have to trust blindly if you don't take the time to learn how it works.

    It's not cowardly to want secret voting, it's a recognition that unethical actors would take advantage of public voting to buy and/or coerce votes.

  18. justanothercommenter, 17 Nov 2018 @ 9:01pm

    Re: Re: Re: Verify your vote?

    Do you vote in current elections? How do you know that your vote isn't accessible to those you mention?

  19. stderric, 17 Nov 2018 @ 9:46pm

    Re: Re: Re: Re: Verify your vote?

    I do. I don't.

    But... I'm enough of a naive idealist that, when it comes to voting, I feel obligated to act as though I trust the system to work as advertised. (How naive? I even voted when I lived in Chicago.)

  20. Anonymous Coward, 18 Nov 2018 @ 2:48am

    Re: Re: DBA's perspective

    An all electronic network voting system has no reliable way of generating a break between validating the voter, and counting the vote that they cast, in that it needs to validate that a person is eligible to vote, and only casts one vote. Also it needs to see who they voted for to count the votes, and ensure that replay of the message does not result in a double vote. There is no way of guaranteeing that the two will not be linked by whatever token is used to ensure that someone can only submit their vote once.

  21. Anonymous Coward, 18 Nov 2018 @ 5:05am

    Re: Re: Re: Verify your vote?

    secret voting certainly has some good benefits, but such secrecy significantly reduces the transparency of the voting system, prompting more error and fraud.
    tradeoffs are necessary to optimize most systems.
    the nitty-gritty vote casting/counting system is totally invisible to 95% of Americans. that ain't good for self-government

    how did America survive and prosper until the 20th Century without secret voting?

  22. Zgaidin, 18 Nov 2018 @ 6:07am

    Re: "a decently strong degree"

    If so, the advantage is more people will vote.

    Is that really an advantage? Statistically, most people base their votes on rather trivial criteria such as party affiliation rather than the candidate's actual voting/policy record, candidate's physical appearance, and how the candidate's speeches made them feel. Political parties, lobbying groups, and other decision makers are aware of those determinate factors and it alters our political landscape in subtle ways - largely by ensuring that certain potential candidates never even come to our attention. A larger pool of active voters without any improvements would exacerbate this problem.

    What we really want are better voters. Voters who thoroughly review the candidates in front of them and make informed, considered decisions about their votes based on things like voting/policy record, who contributed to their campaign fund, prior work experience, etc. Even if they vote for candidates we would not, so long as they voted on those sorts of criteria, would be better because the political machine would eventually adapt and offer us better candidates overall. Just throwing more voters at the elections is like throwing an ever increasing amount of money at the drug war and then wondering why drugs are still rampant in the streets.

  23. Anonymous Anonymous Coward, 18 Nov 2018 @ 6:35am

    Re: Re: "a decently strong degree"

    Which makes me wonder, along with other comments and the article, if we are setting targets for a voting system too high, either electronic or manual. The various manual (paper or machine or electronic (but not internet)) systems all have flaws. Every time the question of Internet voting comes up there are lists of the potential flaws with that concept.

    In neither case is the system perfect, nor does it appear that it can be. So the argument against Internet voting becomes 'it is not possible to create a perfect system, so let's not try' when one would think it should be 'can we create an Internet voting system that is at least as good as our various manual systems'?

    Who knows. Given open sourced, mission specific, hardware, OS, software, along with those 3 rules and security and auditability in mind, etc. with maybe a few years of public testing and White Hat attacking, something, while still not perfect, is at least as good as what we have now, and possibly better.

  24. Anonymous Coward, 18 Nov 2018 @ 6:56am

    Re: "a decently strong degree"

    a clerk who is allegedly impartial?

    That's what observers are for.

  25. Anonymous Coward, 18 Nov 2018 @ 7:09am

    Re: Re: Re: Re: Verify your vote?

    how did America survive and prosper until the 20th Century without secret voting?

    How did America survive and prosper until the civil war without a prohibition on slavery?

  26. Anonymous Coward, 18 Nov 2018 @ 7:13am

    Re:

    "My dog got an absentee ballot in the mail"

    My dog has his own driver's license and drives a truck for a living.

    Yeah, right.

  27. Anonymous Coward, 18 Nov 2018 @ 7:15am

    Problems? What problems?

    Those aren't bugs. Those are features!

  28. Anonymous Coward, 18 Nov 2018 @ 7:41am

    Re: Well that's bloody disappointing.

    Paper Trail?

  29. Anonymous Coward, 18 Nov 2018 @ 7:49am

    Not sure those in favor of online voting have thought this thru.

    What about those who, for whatever reason, do not have access to a computer? The computers in a library are not very secure at present, not sure that can be fixed. There would have to be a system in place to accommodate these people for obvious reasons. And then there are the military ballots, many times they are not counted. Is it too difficult to accomplish this? Why?

  30. stine, 18 Nov 2018 @ 8:24am

    You've missed the point

    There haven't been any secret ballots cast, on paper, for more than 25 years. Not since patent #5515451.

  31. Uriel-238, 18 Nov 2018 @ 9:09am

    How did the US survive and prosper

    Well, it didn't.

    To date we've had a voting system that was rigged, though I can't verify the graveyard voters in Illinois that helped put JFK in office, I CAN speak to robber barons like Boss Tweed who assured the affluent chose who got nominated. Candidates have to lean to the green in order to have a chance to get elected, which means the public hasn't been represented well all this time.

    But what this tells me is that if we don't have an impregnable voting system, those with resources are going to find ways to subvert it even if we reform campaign financing. In 2018 at least on the incumbent Republican side, they didn't even try to hide their efforts to subvert the vote, any more than they tried to hide their demagogy.

    So the way the US survived all this time was by letting the rich win.

  32. justanothercommenter, 18 Nov 2018 @ 9:14am

    Re: Re: Re: DBA's perspective

    Now you're moving the goalposts. The method you mention uses data outside the blockchain. With a one-way hash, I can verify that my vote was recorded in a certain way and no one else can know who I am. Any system where one registers to vote has the problem you mention.

    As someone pointed out in another comment, all of the attacks on Internet voting completely ignore the flaws in the current system and demand a perfection that isn't currently there. You're criticizing something that isn't a blockchain problem, it's a single vote voting system problem.

  33. Uriel-238, 18 Nov 2018 @ 9:25am

    Online voting vs. Blockchain voting

    I think the whole story goes like this:

    ~ We haven't figured out online voting.

    ~ Wait, can blockchain technology be applied to make it work?

    ~ Not in the ways we've conceived of.

    Now according to Masnick lots of people who actually understand computer security have explained why online voting is a horrifically bad idea in that it involves effectively unsolvable problems. It's not that it's a "hard" problem, it means that online voting is effectively impossible

    Which makes it sound like there's a fundamental flaw much the way there is in encryption backdoored for law enforcement. I don't know what that fundamental flaw is, or if it's a flaw in that we can't create something perfect though we could create something that's robust at all the key points.

    In my case, vote-processing isn't something I have studied enough to understand, except that after Florida 2000, I lost faith that the systems in the US even try to be impartial. They clearly do not, and this has been confirmed countless times since.

    I guess that's to say I'm too cynical to reject online voting out of hand, on the basis that paper voting already sucks so much it's difficult to imagine something sucking more.

    link to this | view in thread ]

  34. identicon
    Anonymous Coward, 18 Nov 2018 @ 11:29am

    Re: Re: Re: Re: DBA's perspective

    > Any system where one registers to vote has the problem you mention.

    A voting system generally has the requirement of one person, one vote, which means registering voters, and ensuring that they only vote once. With a paper ballot, control over issuing ballot papers, and checking that only one ballot per person is put in the box, is a pretty robust system for controlling voting while keeping actual votes anonymous.

    The online equivalent would be to issue a unique token to every voter, and use it to ensure that they only vote once. This can be a two step process, using two systems, one which validates the person and issues the token, and the other which issues the ballot, and uses the token to ensure that a person can only vote once. Without that unique token, the system cannot limit one person to one vote, and with it, it is trivial to find out who voted for whom.

    link to this | view in thread ]
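The two-system token scheme described in the comment above, as an added example that is not part of the thread: a registrar issues one token per voter, a separate ballot box accepts each token once, and joining the two systems' logs on the token recovers who voted for whom. The class names, function names and voter data are constructed for illustration.

```python
import secrets
from collections import Counter


class Registrar:
    """System 1: checks the voter roll and issues one token per voter."""

    def __init__(self, roll):
        self.roll = set(roll)
        self.issued = {}  # voter -> token; needed to refuse a second token

    def issue_token(self, voter):
        if voter not in self.roll:
            raise PermissionError("not on the voter roll")
        if voter in self.issued:
            raise PermissionError("token already issued")
        self.issued[voter] = secrets.token_hex(16)
        return self.issued[voter]

    def is_valid(self, token):
        # The ballot box only ever asks "is this token genuine?"
        return token in self.issued.values()


class BallotBox:
    """System 2: accepts each genuine token once and records the choice."""

    def __init__(self, registrar):
        self.registrar = registrar
        self.cast = {}  # token -> choice; needed to refuse a second ballot

    def cast_vote(self, token, choice):
        if not self.registrar.is_valid(token):
            raise PermissionError("unknown token")
        if token in self.cast:
            raise PermissionError("token already used")
        self.cast[token] = choice

    def tally(self):
        return Counter(self.cast.values())


def link_votes(registrar_log, ballot_log):
    """Join the two logs on the token, giving voter -> choice."""
    return {voter: ballot_log[token]
            for voter, token in registrar_log.items()
            if token in ballot_log}


def run_demo():
    # Constructed sample data.
    choices = {"alice": "A", "bob": "B", "carol": "A"}
    registrar = Registrar(choices)
    box = BallotBox(registrar)
    tokens = {voter: registrar.issue_token(voter) for voter in choices}
    for voter, choice in choices.items():
        box.cast_vote(tokens[voter], choice)

    # One person, one vote holds: reusing a token is refused.
    try:
        box.cast_vote(tokens["bob"], "A")
        second_vote_accepted = True
    except PermissionError:
        second_vote_accepted = False

    # Whoever holds both logs can undo the anonymity with a single join.
    linked = link_votes(registrar.issued, box.cast)
    return box.tally(), second_vote_accepted, linked


if __name__ == "__main__":
    tally, second_vote_accepted, linked = run_demo()
    print("tally:", dict(tally))
    print("second vote accepted:", second_vote_accepted)
    print("linked:", linked)
```

Both logs exist because each system needs its own to enforce the single-use rule, which is why the linkage cannot be removed simply by deleting one of them during the election.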

  35. icon
    Killercool (profile), 18 Nov 2018 @ 11:47am

    Re: You've missed the point

    If that's what you think made voting "not secret," you seem to misunderstand what's "secret" about a "secret ballot."

    Your vote has to be counted, therefore someone, somewhere, will eventually look at your vote. Your vote will be seen by someone, that's the point of voting.

    It's still a "secret ballot," though, IF nobody is able to identify which vote belongs to which voter. Unless you sign your ballot, or take a selfie with it, no-one can link a specific person to a specific ballot. No number of tracking ink patents can change that, since the polling place has no control over which ballot you take, nor which booth you fill it out in.

    If you were required to keep a portion of your ballot to match you to a specific vote, that would be different. But you aren't required to keep your ticket stub, it's not a movie theater. All tracking-ink technology has been proven to do is prevent polling workers from printing off extra, possibly fraudulent, ballots.

    Could it be abused? Well, yeah, sure. But it hasn't. You would need some pretty air-tight evidence to convince anyone otherwise, too.

    After all, like they say: Extraordinary claims require extraordinary proof.

    link to this | view in thread ]

  36. icon
    Uriel-238 (profile), 18 Nov 2018 @ 2:17pm

    Hidden ballot >> anonymous vote

    I think in an ideal system, the voter can check his own voting block and confirm the votes are recorded as he intended. This could be done with a hashing system.

    If the voter is the only one that keeps the ID ticket afterwards that would allow the end vote tallies to be anonymized, thus preserving ballot secrecy.

    And then an open-source tallying system would at least provide the confidence that if that code was used to tally the data, then the confidence of the count is high. If there was a way to also have it provide a unique execution hash, then it could be tallied redundantly, and if the execution codes match, we're pretty sure they ran the right software. (On the grounds that our haxxors couldn't affect all the redundant counters).

    To be sure, I'm only speculating. I haven't heard the specific paradoxes that are associated with the online voting problem.

    link to this | view in thread ]

  37. identicon
    Anonymous Coward, 18 Nov 2018 @ 5:54pm

    Re: Re: Verify your vote?

    "The American Founding Fathers would be appalled"

    They were an appalling bunch of dicks, so that gets you a microfraction of the way towards even, I guess.

    link to this | view in thread ]

  38. identicon
    Anonymous Coward, 18 Nov 2018 @ 5:57pm

    Re: Blockchain is web-scale

    i wanna do it interactively.
    on a computer.
    on the internet.
    with blockchain!

    also with ai, the singularity, and uploading my consciousness.

    ima patent that shit, hard.

    link to this | view in thread ]

  39. identicon
    Anonymous Coward, 18 Nov 2018 @ 6:45pm

    Re: Re: Re: Re: Re: DBA's perspective

    > With a paper ballot, control over issuing ballot papers,

    Yes.

    > and checking that only one ballot per person is put in the box

    Yes.

    > , is a pretty robust system for controlling voting

    Yes.

    > while keeping actual votes anonymous.

    No.

    If you point out flaws in the blockchain solution, you must be willing to accept flaws in the paper solution. I can think of a dozen ways to prevent votes from being anonymous. For example, I could mark all of the ballots ahead of time. I could open the ballot box after you vote. I could give each voter a new pen to use when they sign in, then track fingerprints on the ballot.

    Could paper voting be anonymous? Sure. If you trust the party holding the vote. Which is really all anyone can do. If you don't trust the party holding the vote (ahem, Georgia) game over.

    link to this | view in thread ]

  40. identicon
    Paul Brinker, 18 Nov 2018 @ 8:50pm

    Re: Re: Re: Re: Re: Re: DBA's perspective

    You're missing the point. If you do manage to do any of the above actions,

    1) You have to do them in meat space
    2) You can only "Hack" a county at most
    3) People are guarding the vote system and watch for issues like the ones you stated

    Security even with a double token system is less robust at every step of the way with an all electronic system. No matter how robust the system, if a bad actor gets involved, the electronic voting system can result in pairing the tokens again unless you can come up with some kind of secret key that only the voter would know, and this is not technically doable at this time.

    Also no one is moving the goal posts, we're being very clear that the security problem has flaws that block chain does nothing to fix.

    link to this | view in thread ]

  41. identicon
    Anonymous Coward, 19 Nov 2018 @ 1:43am

    Re: Re: Re: Re: Re: Re: DBA's perspective

    > For example, I could mark all of the ballots ahead of time.

    You also need to record who they are issued to, and to then record the votes on each ballot, and collate all that work into a paper or electronic database. That scheme requires access to the ballots outside of the counting hall to obtain the voting record.

    > I could open the ballot box after you vote.

    You need at least one, and more usually two keys which are not normally available at the polling station. You also need to be sure that other voters will not see you opening the ballot box.

    > I could give each voter a new pen to use when they sign in, then track fingerprints on the ballot.

    You need to record which pen was given to whom, and then recover the fingerprints from the pen, and from the ballot paper, which requires access to those papers, probably after they have been counted.

    The robustness of the paper system is due to the way a large number of people are required to operate it normally, with different people dealing with the actual voting and counting, and all being carried out under observation.

    In the electronic ballot, the hurdles to tracking votes are very much smaller than with paper, with details hidden from view, and automatable with ease. Also the cost of doing so is trivial, while doing so in a paper ballot is prohibitively expensive.

    link to this | view in thread ]

  42. identicon
    Anonymous Coward, 19 Nov 2018 @ 6:02am

    Re: Hidden vote

    "And then an open-source tallying system would at least provide the confidence..."


    ... guess you are talking about open source 'software' -- but who guarantees that software is error-free to begin with and has not been altered when actually used?

    Casting an individual citizen vote, officially counting all votes legally cast, and somebody officially declaring an election winner -- are 3 entirely different processes ... that vary widely across the U.S.

    You must address all 3 processes in any election "system"!


    Theoretically it's just an objective IT problem, consolidating millions of individual decision nodes/datapoints over communication links -- it should be simple overall.
    However, there is tremendous variability in datapoint format/accuracy and communication links format/accuracy ... with much human (not computer) influence on each process.


    This is not simple... like counting beans in a jar and phoning the result to somebody.

    link to this | view in thread ]

  43. identicon
    Anonymous Coward, 19 Nov 2018 @ 6:32am

    > In a typical election setting with secret ballots, we need:

    So good you pasted the excerpt in twice eh, Mike?

    link to this | view in thread ]

  44. icon
    Scary Devil Monastery (profile), 19 Nov 2018 @ 7:02am

    Re: enforced secrecy, individual verifiability, global verifiability

    The main issue with electronic voting is one which can not be underscored enough:

    In order to be really sure the machine has counted nothing but the input the one querying the machine also needs to have sufficient rights on said machine enabling him to alter the outcome.

    Anything less than that and the guy trying to validate the procedure can never know s/he isn't just being shown erroneous data by a root script.

    And unlike the manual ballot count supervision only a handful will ever be able to tell it's happened.

    So with that in mind, you think the lucky guy who's to inspect the machines counted correctly will feel tempted when people show up offering 10 million USD in small unmarked bills for skewing the vote by about 1-2%? Especially when no one is likely to ever find out?

    link to this | view in thread ]

  45. icon
    Scary Devil Monastery (profile), 19 Nov 2018 @ 7:05am

    Re: Online voting vs. Blockchain voting

    "I guess that's to say I'm too cynical to reject online voting out of hand, on the basis that paper voting already sucks so much it's difficult to imagine something sucking more."

    Try this one on for size - with online voting there will be a very few technical experts who, in order to guarantee the machines work correctly, must have root access on said machines.

    Meaning they can alter the vote, not just count it.

    And there's no real way around the fact that the next election result may be determined entirely by a suitcase filled with dollar bills changing hands.

    link to this | view in thread ]

  46. identicon
    Anonymous Coward, 19 Nov 2018 @ 7:10am

    Re: Hidden ballot >> anonymous vote

    > If the voter is the only one that keeps the ID ticket afterwards that would allow the end vote tallies to be anonymized, thus preserving ballot secrecy.

    The voter showing this to someone else, e.g. to collect cash for voting the right way, is exactly what we're trying to guard against.

    > And then an open-source tallying system would at least provide the confidence that if that code was used to tally the data, then the confidence of the count is high.

    It wouldn't be, because people who don't understand cryptographic math, programming, and computer security very well—i.e., almost everyone—could not be confident about this system. Whereas with paper ballots, the election observers are just normal people who can count.

    link to this | view in thread ]

  47. icon
    Thad (profile), 19 Nov 2018 @ 7:49am

    Re: tl;dr

    > In fact, our epidemics of voter suppression, rumors of illegal voting and electronic voting machine failures all indicate that we don't.

    A blockchain solves none of those problems.

    (It could solve the problem of illegal voting -- if such a problem existed -- but not the problem of rumors of illegal voting.)

    link to this | view in thread ]

  48. icon
    Thad (profile), 19 Nov 2018 @ 7:54am

    Re: Re: Well that's bloody disappointing.

    > Enforced secrecy: fail. The voter can fill out a ballot, show it to a bribing/coercing entity, then, under supervision of that entity, put the ballot in the mail, at which point the voter cannot recall it to replace it with the ballot they would have voted if not for the bribe/coercion. This one is particularly bad when you consider voters who receive help, sometimes even well-meaning, from friends or family with notably different political views. It can lead to subtle coercion through social pressure that a fully secret ballot would prevent. Since the coercion is social, rather than extortive, it will almost certainly go unreported.

    Perhaps. But "this could be happening and we would never even know" is a weak argument.

    > Individual verifiability: weak. The voter can proofread the ballot before mailing it, but there is no general mechanism to verify that the envelope made it to election officials intact, was opened, and was included in the overall tally. (Some jurisdictions might provide some sort of accounting on this, but nothing in the design of vote-by-mail guarantees that it is present.)

    It's not inherent but it's easily achievable. My state has a website I can go to, put in my name, address, and PIN, and it tells me my ballot was received and counted.

    > Global verifiability: weak. Election observers can watch election officials opening mailed ballots and including/excluding them, but it's impractical for observers to verify that every single ballot was processed correctly. Massive corruption (such as discarding whole stacks of ballots) would be noticed, but subtle corruption (such as claiming ineligibility on valid ballots the corrupt official disliked or claiming eligibility on invalid ballots that the corrupt official liked) could slip through.

    Any voting system is going to require trust in the people counting the votes. An online voting system would require trust in the people who wrote the software and operated the infrastructure.

    If you can't trust the people counting the votes, you can't trust the vote. That's going to be a problem whether they're hand-counting them, feeding them into a machine, or designing the machine they're being fed into.

    link to this | view in thread ]

  49. icon
    nasch (profile), 19 Nov 2018 @ 7:54am

    Re: Re: Re: "a decently strong degree"

    > Given open sourced, mission specific, hardware, OS, software,

    The tricky part is, how do you verify that it's actually running that software? By which I mean how can a computer illiterate poll worker or random voter be assured of that?

    link to this | view in thread ]

  50. icon
    nasch (profile), 19 Nov 2018 @ 7:56am

    Re:

    > What about those who, for whatever reason, do not have access to a computer?

    That is the least of the problems with online voting. You can still set up polling places with voting computers for anyone who doesn't have access any other way. Presumably you would need many fewer voting machines, since most people would be voting remotely.

    link to this | view in thread ]

  51. icon
    Mason Wheeler (profile), 19 Nov 2018 @ 8:37am

    Re: Typo

    I think you mean:

    You have the quote from Ben Adida twice in the quoted section.

    You have the quote from Ben Adida twice in the quoted section.

    link to this | view in thread ]

  52. icon
    Mason Wheeler (profile), 19 Nov 2018 @ 8:41am

    Re: Re: Re: Well that's bloody disappointing.

    > But "this could be happening and we would never even know" is a weak argument.

    Not really. That's kind of the whole meaning of "verifiability:" the ability to know that a plausible problem is not actually occurring.

    link to this | view in thread ]

  53. icon
    Thad (profile), 19 Nov 2018 @ 9:26am

    Re: Re: Re: Re: Well that's bloody disappointing.

    Verifiability most certainly does not mean proving a negative.

    link to this | view in thread ]

  54. icon
    Uriel-238 (profile), 19 Nov 2018 @ 11:20am

    Open Source, execution hash.

    This is where I thought redundancy might help.

    If we have multiple machines (at least three) that not only convert the voting data block into a count, but also produce a unique execution hash, then we'd have both the end count and the hash to compare to the redundants.

    If one of them doesn't match, a problem has been detected.

    Of course, this is still subject to insecurities: the hash may be subject to collisions. The code may not be perfectly secure or bug free even after testing by white hats. All the redundants may be simultaneously bribed.

    But from here, it looks like all of these problems are difficult to turn into massive voter fraud.

    link to this | view in thread ]

  55. icon
    Uriel-238 (profile), 19 Nov 2018 @ 11:25am

    Do we really want individual verifiability?

    Let us say someone can confirm that his vote was recorded correctly.

    That means he can demonstrate to a third party that his vote was recorded correctly a specific way and get paid accordingly.

    So are we sure this is a good thing? Should it be limited?

    It's hard to imagine a system that has all the features we want if we are uncertain whether or not we actually want them.

    link to this | view in thread ]

  56. icon
    Thad (profile), 19 Nov 2018 @ 12:14pm

    Re: Do we really want individual verifiability?

    And that's a central dilemma to online voting.

    If voters have no way to check their vote after the fact, they have no way of knowing that it was counted accurately. (While traditional voting has its flaws, a paper ballot can be both anonymous and verifiable in a way that a digital one can't.)

    But if voters do have a way to check their vote after the fact, then that means they can verify it to a third party, which opens up vulnerabilities to bribery, coercion, or other forms of pressure.

    link to this | view in thread ]
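The dilemma in the two comments above, as an added example that is not part of the thread: a salted-hash receipt of the kind floated earlier in the discussion lets a voter confirm that their ballot is on a public board, and exactly the same check works for anyone the voter hands the receipt to. The scheme, the names and the ballots are constructed for illustration, and the tallier here is simply trusted.

```python
import hashlib
import secrets
from collections import Counter


def commitment(choice, nonce):
    """Salted one-way hash of a ballot; the nonce keeps equal votes unlinkable."""
    return hashlib.sha256(nonce + b"|" + choice.encode()).hexdigest()


class Election:
    def __init__(self):
        self.board = []      # public: commitments only
        self._openings = []  # held by the tallier: the choices behind them

    def cast(self, choice):
        nonce = secrets.token_bytes(16)
        self.board.append(commitment(choice, nonce))
        self._openings.append(choice)
        # The receipt stays with the voter and is never published.
        return {"choice": choice, "nonce": nonce}

    def tally(self):
        return Counter(self._openings)


def check_receipt(board, receipt):
    """True if the receipt opens some commitment on the public board.

    Nothing in this check depends on who is running it.
    """
    return commitment(receipt["choice"], receipt["nonce"]) in board


def run_demo():
    election = Election()
    ballots = {"alice": "A", "bob": "B", "carol": "A"}  # constructed
    receipts = {voter: election.cast(choice) for voter, choice in ballots.items()}

    # Individual verifiability: Bob confirms his ballot is on the board.
    bob_verifies = check_receipt(election.board, receipts["bob"])

    # The same receipt, handed to a third party, proves the same thing.
    handed_over = dict(receipts["bob"])
    third_party_verifies = check_receipt(list(election.board), handed_over)

    # Editing the choice on the receipt does not let Bob deny his vote:
    # the altered receipt opens nothing on the board.
    altered = dict(receipts["bob"], choice="A")
    altered_accepted = check_receipt(election.board, altered)

    # Without a receipt, two equal votes look unrelated on the board.
    equal_votes_look_alike = election.board[0] == election.board[2]

    return (bob_verifies, third_party_verifies, altered_accepted,
            equal_votes_look_alike, election.tally())


if __name__ == "__main__":
    print(run_demo())
```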

  57. identicon
    Anonymous Coward, 19 Nov 2018 @ 4:24pm

    Re: Re: Re: Re: Re: Re: Re: DBA's perspective

    I don't know where you're from, but in Wisconsin, they *do* mark each ballot with a number, and they also write that number in the registration book next to your name. So a ballot could easily be associated with a name.

    link to this | view in thread ]

  58. icon
    nasch (profile), 19 Nov 2018 @ 6:15pm

    Re: Open Source, execution hash.

    > But from here, it looks like all of these problems are difficult to turn into massive voter fraud.

    The thing is, massive fraud is not necessary. Elections are frequently so close that flipping a few precincts can change the outcome of a statewide election. That's one reason the ability to audit and recount votes with a paper ballot is so important. If all you have is computers, all you can do is ask the computers what the vote count is.

    link to this | view in thread ]

  59. icon
    Uriel-238 (profile), 19 Nov 2018 @ 7:07pm

    Districts or precincts = massive enough.

    When Trump and his GOP allies talk about the terrors of voter fraud (e.g. changing hats to vote again) they're usually discussing very small elements of fraud, maybe a single person voting three or four times. Their belief is that the great leftist militant movement can organize well enough to incite tens of thousands to act to subvert the vote.

    By mass fraud I mean something like the graveyard voters that allegedly threw Illinois for JFK, the conspiracy of only a couple of people. Maybe a handful, affecting tens of thousands of votes.

    That is the threat our prospective voting system needs to be able to block.

    link to this | view in thread ]

  60. icon
    CrushU (profile), 20 Nov 2018 @ 6:58am

    Re: Re: Re: Re: "a decently strong degree"

    My first thought would be a hardware RSA key, possibly shipped separately, that could be used to confirm the system is running the correct software. And it's as simple as 'Match these numbers.'

    No idea if that would work, but it's a thought at least.

    link to this | view in thread ]

  61. identicon
    Anonymous Coward, 20 Nov 2018 @ 7:07am

    Re: Re: Re: Re: Re: Re: Re: Re: DBA's perspective

    It's on paper, and ballot numbers are randomly placed on the voter list. This is used by an audit process, which traces randomly selected ballot numbers back to a voter as a means of auditing the ballot process. That process is designed so that the voting information is not available to the auditor carrying out the check. (One person puts randomly selected ballot numbers on paper slips, and puts them into a hat. The auditors that carry out the checking pull a slip from the hat, the ballots go back into the counting process, the slip gets marked as voter found, without putting their name on it.)

    Given a ballot number, it will take a fair chunk of time to find it on the voter roll for the relevant voting station. Going in the other direction, from voter to ballot, is even harder, and takes much longer once the ballots have been removed from the ballot boxes and piled together.

    For that information to be useful outside of auditing a random sample of ballots requires that the ballot number on the voter roll is entered in a database, and that every ballot is also entered into that database, which is difficult to do under the eyes of election monitors, especially as it would require a large number of people to do the data entry.

    link to this | view in thread ]

  62. icon
    nasch (profile), 20 Nov 2018 @ 7:27am

    Re: Re: Re: Re: Re: "a decently strong degree"

    That might work if it's difficult to program it incorrectly. You don't want shady operators bribing employees at the factory to tamper with them. However I'm not sure what it would do for public confidence. "We can tell this computer that you don't understand is doing what it's supposed to because this little dongle that you also don't understand says so."

    link to this | view in thread ]

  63. identicon
    William J. Kelleher, Ph.D., 26 Nov 2018 @ 4:48pm

    Internet Voting

    Propaganda is the art of making folks think there's only one POV on a subject -- that of the propagandist. Actually, Internet voting has been done all over the world w/o the problems described here as inevitable and unsolvable. Interested in some Truth on this subject? Read this: How NIST Has Misled Congress and the American People about Internet Voting Insecurity
    https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2229557

    link to this | view in thread ]

  64. identicon
    Anonymous Coward, 12 Dec 2018 @ 3:51am

    > But for those who don't, I'll just toss up one single slide from the presentation, which is not even remotely comprehensive in the list of potential problems with online voting:


    How is this unique only to blockchain voting and not blockchain itself?

    link to this | view in thread ]

  65. icon
    nasch (profile), 12 Dec 2018 @ 8:06am

    Re:

    > How is this unique only to blockchain voting and not blockchain itself?

    Because online voting has different issues than the other problems that blockchain doesn't solve.

    link to this | view in thread ]

  66. identicon
    Anonymous Coward, 29 Jun 2021 @ 8:16pm

    Re: Re: Re: Re: Re: Well that's bloody disappointing.

    You think you're more intelligent than you are.

    link to this | view in thread ]

