Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Government Privacy Security United States Politics Technology

Blockchains Are Not Safe For Voting, Concludes NAP Report (nytimes.com) 106

The National Academies Press has released a 156-page report, called "Securing the Vote: Protecting American Democracy," concluding that blockchains are not safe for the U.S. election system. "While the notion of using a blockchain as an immutable ballot box may seem promising, blockchain technology does little to solve the fundamental security issues of elections, and indeed, blockchains introduce additional security vulnerabilities," the report states. "In particular, if malware on a voter's device alters a vote before it ever reaches a blockchain, the immutability of the blockchain fails to provide the desired integrity, and the voter may never know of the alteration."

The report goes on to say that "Blockchains do not provide the anonymity often ascribed to them." It continues: "In the particular context of elections, voters need to be authorized as eligible to vote and as not having cast more than one ballot in the particular election. Blockchains do not offer means for providing the necessary authorization. [...] If a blockchain is used, then cast ballots must be encrypted or otherwise anonymized to prevent coercion and vote-selling." The New York Times summarizes the findings: The cautiously worded report calls for conducting all federal, state and local elections on paper ballots by 2020. Its other top recommendation would require nationwide use of a specific form of routine postelection audit to ensure votes have been accurately counted. The panel did not offer a price tag for its recommended overhaul. New York University's Brennan Center has estimated that replacing aging voting machines over the next few years could cost well over $1 billion. The 156-page report [...] bemoans a rickety system compromised by insecure voting equipment and software whose vulnerabilities were exposed more than a decade ago and which are too often managed by officials with little training in cybersecurity.

Among its specific recommendations was a mainstay of election reformers: All elections should use human-readable paper ballots by 2020. Such systems are intended to assure voters that their vote was recorded accurately. They also create a lasting record of "voter intent" that can be used for reliable recounts, which may not be possible in systems that record votes electronically. [...] The panel also calls for all states to adopt a type of post-election audit that employs statistical analysis of ballots prior to results certification. Such "risk-limiting" audits are designed to uncover miscounts and vote tampering. Currently only three states mandate them.

This discussion has been archived. No new comments can be posted.

Blockchains Are Not Safe For Voting, Concludes NAP Report

Comments Filter:
  • by Anonymous Coward

    To say blockchain is inherently unsafe is like saying software is inherently unsafe, or anything else. Everything has pros and cons, but you evaluate the final implementation as secure or insecure. There are challenges in any medium.

    • by PopeRatzo ( 965947 ) on Thursday September 06, 2018 @05:55PM (#57266476) Journal

      To say blockchain is inherently unsafe is like saying software is inherently unsafe

      Oh, you are so close to a breakthrough.

      When it comes to voting, blockchain, like software, IS inherently unsafe. If the main goal for voting security is maintaining the people's confidence in an election, the only system that will meet that standard is a system where people are actually keeping an eye on one another. And I mean physically watching one another. And that's the system we had in place before the advent of voting machines and election software. You had a room full of election judges from both sides, and they sat side-by-side checking in voters as they approached the voting booth and physically watched them put the ballot in the box. When the votes were counted, there was a whole bunch of people from both parties standing around keeping a close eye. When the ballots were sent for storage, one person from each party rode in the truck to drop them off after sealing the container - together - and signing off.

      It was trust, but verify. Was it possible to jigger with an election like that? Of course. But you had a list of names of people you could hold accountable at every step in the process. Electronic voting will never, ever be trusted. That is the effect of transparency.

      • I thought that was the main selling point. Yes, I'm sure someone can come up with some anonymity scheme but transparency should be top priority. Apologies if the point is too naive.
      • by Anonymous Coward

        Paper votes aren't any better, just look at Russia's vote stuffing. Literately. Someone comes up to the booth and stuffs fake/coerced votes into the box.

        Now the way most US, Canadian, and UK elections are run, the paper vote is a two-step process.

        A) You go to a scrutineer to check your name off a PAPER list, they hand you a ballot with no identifying information on it
        B) You mark an X on the ballot, fold it in half or stick it in a privacy envelope and then stick it in a cardboard box with a hole on top.

        Now

        • Paper votes aren't any better, just look at Russia's vote stuffing. Literately. Someone comes up to the booth and stuffs fake/coerced votes into the box.

          That's right, because Russia doesn't have the same safeguards built into their elections that we have. You don't have election judges from both sides watching every vote from the time it's cast to the time it's counted to the time it's sent for storage. In the US, there have to be two election judges on hand when absentee ballots are opened.

          People can sti

      • by Ocker3 ( 1232550 )
        I'd invite you to visit us in Australia, where we have the Australian Electoral Commission (AEC), a non-partisan (not bi-partisan) body of people who are collectively considered the Platinum Standard of running elections around the world. We actually send people to the USA to train election staff. We don't have party reps in the voting area until the polls close, then the parties can send in scrutineers who check that the paper ballots are being counted as per the regulations (when I did this I actually not
        • I'd invite you to visit us in Australia,

          I've spent a fair amount of time in Australia. Yes, I've heard you guys do a good job with elections, but I'm not coming back until you get rid of those spiders that jump up and bite you on the eye. Oh, and drop bears and yowgwai. I don't need that kind of stress, thanks.

        • by tkotz ( 3646593 )

          How do they know the commission is non-partisan? Where do they find people interested in government enough to care that voting is done properly, but don't care about the outcome? I think a culture of berating people who mentioned that they may be have bias or have the power to alter the vote so they don't mention it publicly is not non-partisan. It encourages repressed partisanship and grants power to people who don't care about the cultural norms.

          The advantage of multi-partisan committees is you know every

      • Close, but not quite.

        that's the system we had in place before the advent of voting machines and election software. You had a room full of election judges from both sides, and they sat side-by-side checking in voters as they approached the voting booth and physically watched them put the ballot in the box. When the votes were counted, there was a whole bunch of people from both parties standing around keeping a close eye. When the ballots were sent for storage, one person from each party rode in the truck to drop them off after sealing the container - together - and signing off.

        Today, we have issues like 3,700 votes not being counted and ballots being apparently cast but somehow missing; or a ballot box being "found"; or all kinds of mucking with the error rate to intentionally miscount; or people invalidating ballots because they have a stray mark that could be a signal to a third party that the vote they purchased was cast faithfully.

        Paper ballots aren't magically secure.

        Was it possible to jigger with an election like that? Of course. But you had a list of names of people you could hold accountable at every step in the process.

        Not really. In paper voting, it's possible to tamper at multiple stages. An unscru

        • Today, we have issues like 3,700 votes not being counted and ballots being apparently cast but somehow missing; or a ballot box being "found"; or all kinds of mucking with the error rate to intentionally miscount; or people invalidating ballots because they have a stray mark that could be a signal to a third party that the vote they purchased was cast faithfully.

          The reason you know this has happened is...because we know this has happened. With black box voting machine elections, you don't know what's happe

          • because we know this has happened.

            Do you know that it has happened, or do you know it has happened only these times?

            With black box voting machine elections, you don't know what's happened at any step of the way, and anyone who tells you that they do is simply lying.

            Yes, exactly. That's the part you need to fix.

            The thing that makes paper ballots more secure than any and all electronic methods

            I've designed an elections integrity model. It's more-secure with electronic voting machines than with paper ballots--to the point that if you have a paper audit trail and the paper audit trail is in conflict, it's the paper ballots that are tampered.

            I did this by eliminating the black box. You have to prove, at poll open, that the machines run non-tampered software. That m

    • Blockchains are obviously a terrible solution to election fraud. The only thing that prevents blockchain tampering is a ton of neutral third party machines checking the transactions (typically miners). We've already seen that this is a non-trivial problem when there is plenty of incentive for random people to fulfill that role (mining of crypto currency). National elections have very little incentive for people to invest thousands in hardware and electricity, and a ton of incentive for nation states like
      • by deKernel ( 65640 )

        Your best not suggest your #1 suggestion to people here in my country (US) because many will interpret that as "voter intimidation"....and I wish I were kidding on this. Now on a more humorsome note, #1 would surely cause havoc in Chicago where the motto is: Vote Early and Vote Often.

        • I agree voter ID sounds sensible in theory, but it's disenfranchisement in practice.
          it would be a pain in the butt for poor people to get the paperwork especially if they don't have a car. Fees to get forms could be a de facto poll tax, banned by the 24th amendment (some voter ID laws do include exemptions to govt records office fees). A Texas voter ID law counted concealed carry permits but not college IDs, that sort of thing highlights the conservative bias of such laws.
          In New York state you're just ID'ed

          • People make this claim all the time, but it's nonsense. People some how manage to get an id to get welfare or to apply for most jobs. You don't even have to get a license to get State ID, you literally go to the DMV, and pay less money that a driver's license costs, and they ship you one that's usually good for between 5-10 years. If you can ride a bus, you can get to the DMV. Considering you can't buy alcohol, open a bank account, get most jobs, or get government assistance, it is not an unreasonable as
  • Oh the irony (Score:4, Insightful)

    by the_skywise ( 189793 ) on Thursday September 06, 2018 @05:49PM (#57266466)

    All elections should use human-readable paper ballots by 2020. Such systems are intended to assure voters that their vote was recorded accurately. They also create a lasting record of "voter intent" that can be used for reliable recounts,

    Now I agree with this and am happy to move back to paper ballots - But the entire reason we moved away from paper ballots was because of the 2000 elections where Florida used punch cards and political officers kept trying to argue over "partial punches", "dimpled chads" and "dangling chads" where they tried to reassess what the voter's INTENT was.
    And, of course, let's not forget magical disappearing and appearing boxes of ballots.
    Any system can be hacked but the electronic one is harder to track hacking than the good ol' traditional methods with paper ballots.

    • Their have been academic papers proposing electronic system that would be safe, where you could verify that your vote was counted (IE received at the server.)

      In theory with open software, hardware, and multiple servers (again all open source) we could have a very robust electronic voting system. This would require a large project likely done with universities, and it may even be similar to some bitcoin concepts.

      The technology side is very solvable, getting the project started, past the politics, and accept

      • Verifying that your vote is counted doesn't tell you the election is untampered; and verifying that your vote has been counted opens up the election to tampering via vote-buying.

        We must verify that the ballots as a whole are counted, collected, and summed.

        and those can bypass lobbyist and pork barrel politics.

        I like pork. Four years ago, we had won a new transit system in our State. $2.2 billion dollars expected cost; the Federal Government gave us a $900 million grant.

        That's pork barrel spending.

        Every time the Federal Government pays for a State proj

        • > Verifying that your vote is counted doesn't tell you the election is untampered; and verifying that your vote has been counted opens up the election to tampering via vote-buying.

          That everyone can verify their votes are un-tampered, actually does tell us exactly that. And no, we only allow you to prove you voted to others. Their are several proposals that have been discussed to do this. Where you can leave with your vote encrypted on paper, and you can provide any number of false keys to prove whatev

          • That everyone can verify their votes are un-tampered, actually does tell us exactly that.

            No, it only tells you that your vote is untampered and that nobody has complained. If a bloc of people complain, they may be trying to throw credibility concerns rather than reporting honestly.

            we only allow you to prove you voted to others. Their are several proposals that have been discussed to do this. Where you can leave with your vote encrypted on paper, and you can provide any number of false keys to prove whatever you want anyone else to see, only if they were in the both with you could they get the real key.

            A zero-knowledge proof. They're hard to set up. I've proposed a similar scheme for Internet voting; problem being that Internet voting is not observable and is thus incapable of providing any integrity at all, thus is not a viable method for public elections. (There are other concerns; most are coverable.)

            You

        • Also Trump's infrastructure plan has included subsidies for private projects which sounds like a handout to big business for something they might do anyway

          • Yeah, don't do that. Build infrastructure to attract business; don't give business money to build a private building for themselves.

            Infrastructure spending is for public projects.

    • Boxes of ballot contain how many votes ? If your county are divided like by us a few thousand at most. Yes for 2000 it was exceptionally relevant, but it is much harder in a democracy where it is on paper ballot to cheat. Printing that much additional ballot can be found , having the whole LOT of people to distribute them in ballot box and remove true votes can be found out much easier. And if you use the method many country use to COUNT at the local level with volunteer first, with the box never out of the
      • Printing that much additional ballot can be found , having the whole LOT of people to distribute them in ballot box and remove true votes can be found out much easier.

        You know we've had this conversation before?

        As the 1940s came to an end, the public demanded mechanical voting machines. Paper ballots were rife with fraud, with ballot boxes 'lost' and 'found' all the time, and politicians frantically calling their loyal precinct bosses to manufacture votes.

        Today, we still hear about electoral fraud in the form of messing with how judges count votes and spoiled ballots. We hear about thousands of ballots cast mysteriously not being present in counting, but the electio

    • We moved away from paper ballots because of the rampant fraud associated with paper ballots. That's how we got punch card machines.

      of course, let's not forget magical disappearing and appearing boxes of ballots.

      See?

      the electronic one is harder to track hacking than the good ol' traditional methods with paper ballots.

      Oh I can do better than that [google.com]

      I think I'd have the log collector hooked up to the big display in that, too. Easier to show many statistics. We could show the public observers that X voters have cast ballots, that the two ballot machines are running in-sync, and so forth. Any important log notices would appear.

      It's kind of annoying doing this with one-wire serial, b

  • Key statement (Score:2, Insightful)

    by Anonymous Coward

    They key statement in the finding that most technology solutions fail to solve is this:

    "Such systems are intended to *assure* voters that their vote was recorded accurately."

    In the end, paper ballots may seem inefficient from a processing perspective, but that inefficiency becomes inherently difficult to tamper with and builds in systems for checks and recounts. The argument here is that blockchain is vulnerable before the data is stored in the blockchain, at the UI and the machine level, and blockchain th

    • Blanket arguments against computer algorithms for secure voting (or secure anything) are illogical, emotional, and flawed.

      People argue to the effect: Because many programs have been found to have a security flaw in either A) the algorithm mathematics and logical assumptions, or in B) the implementation, therefore ALL programs must have some flaw in A) or B) therefore there is no such thing is a secure computer program. That is just bullshit. It's incorrect, unsupported generalization from specific examples.

      • Ok, there's a stupid bug in slashdot apparently, not including my less-than sign.
        There. One bug.
        What's up with that. Let me try again. Hmm. There was a less-than in there just to the left of this sentence. That's lame on slashdot software's part.
        So you proved that ALL programs have bugs?
        Didn't think so.

      • Just because it is a wise precautionary stance to be extremely skeptical of computer algorithmic voting security (or application security in general), and just because it is wise to demand transparency of the system so that it can be continually reviewed and critiqued (by both the competent and the incompetent), DOES NOT mean that no secure voting system (or application of whatever kind that should be secure, like banking) is possible.

        In fact, the system I designed [google.com] fails the same way paper fails: if nobody's watching, you can do whatever you want. I just narrowed the window to between poll open and poll close, and made it extremely difficult to bypass public observation via sleight-of-hand.

        It still needs refinement. This will work, but I need to define some of the specific throughout-the-day handling procedures and protective measures to prevent physical intervention. It's not good enough to just say "we need public observers"; we

  • by Seven Spirals ( 4924941 ) on Thursday September 06, 2018 @05:56PM (#57266484)
    Gimme a break. Use paper. Computers will be better tools for tabulating and processing the votes after they are cast, but it's tough to beat paper for a recount. Even paper has it's flaws, but the hand waving crypto-bullshit is pathetic "Oh but this counter signature will detect if the previous initialization vector was properly zeroed inside of the S-Box" *rolls eyes*. KISS baby. Things don't get more secure by making them more complex and I can't think of any way to make something more complex than to introduce computers. Computers are great at some things, ideal for some tasks: not for voting. They suck at that.
    • Things don't get more secure by making them more complex

      Soooo... Is HTTPS simpler than HTTP? :)

    • The PRI in Mexico rigged elections for 80 years using nothing but paper ballots.
      • The PRI in Mexico rigged elections for 80 years using nothing but paper ballots.

        Yes, but everybody knew. It stopped being an engineering problem and became a political problem.

    • Computers are great at some things, ideal for some tasks: not for voting. They suck at that.

      Excellent comments, I vote you insightful!

      Oh, wait...nevermind.

  • by Anonymous Coward

    The only way you can have some measure of accountability while keeping votes anonymous.

  • Make a simple mark on a paper ballot indicating your vote, fold it, put it in a box.

    done

    Now theoretically you could bribe people who do the counting, but you'd have to bribe a *LOT* of people to make any kind of difference because each individual ballot box with the folded ballots contains but a tiny fraction of the number of votes, and nobody ever counts the ballots from more than one or sometimes two different boxes.

  • Blockchains are perfect, right? WRONG. And also right. They are mathmatically flawless BUT if you outprocess the rest of the network, you can finalize a block with whatever the hell you want in it. You can form a block that says you own all bitcoins, all transactions put them in your wallet, and you're also the queen of England. The reason this "51% attack" doesn't happen it because that amount of processing power doesn't exist. That many ASICs don't exist on Earth. But let's set up a separate blockchain an
    • by Kaenneth ( 82978 )

      Even with a 51% attack, the Bitcoin blockchain is filled with digital signatures; noone but your own nodes would accept the blocks, and you would only be 'fooling' yourself.

      Electronic voting could only work if every citizen had their own private, secure, digital signature key. Which can't happen in the US because poor people can't afford them, and a certain party would never give anything for free, while the other would protect the poor.

    • Heres the thing that drives me nuts. Literally every single use case for the block chain re "contracts", can be done faster, vastly more securely, and with no concievable 51% style attack that doesn't involve "Solve the prime number prediction problem that probably is unsolveable" thing.

      Its called "Public Key Signing" and its been common since the 1970s. I got to a ballot box, create a vote. I use my Private key to sign it. The govt uses their private key to sign it. I have the govts public key and can veri

  • The report goes on to say that "Blockchains do not provide the anonymity often ascribed to them." It continues: "In the particular context of elections, voters need to be authorized as eligible to vote and as not having cast more than one ballot in the particular election.

    It's who casts the vote. Before we even worry about Blockchain, we need to ensure people casting the ballots are legally eligible to vote. Guaranteeing a vote was cast is no more important than guaranteeing who cast the vote was eligible to actually cast that vote.

  • Let me start out saying 100% electronic voting is going to be a disaster, triply so when done remotely and not at a secure voting machine. But what most people don't realize is we currently use unencrypted images of paper ballots in many states as backups. These are very insecure. Why not use paper ballots for the primary method, blockchain for the electronic backups? This ultimately seems far more secure than what we are doing now. We also could use open source machines and have audits at each polling
  • To all the people waving their hands and saying, "just count them thar ballots like we did back in granddaddy's time, dab gummit", I say please for the love of all that is sacred, volunteer to help run an election in your home town. NO ONE is going to count the millions of ballots cast in a major US election by hand unless they absolutely are forced to do so. All paper ballots are initially counted by machines. It is only when the totals are within a small margin (it's 1% in my state of Virginia) that a rec

You know you've landed gear-up when it takes full power to taxi.

Working...