Blockchain-Based Elections Would Be a Disaster For Democracy (arstechnica.com) 168
An anonymous reader quotes a report from Ars Technica: If you talk to experts on election security (I studied with several of them in graduate school) they'll tell you that we're nowhere close to being ready for online voting. "Mobile voting is a horrific idea," said election security expert Joe Hall when I asked him about a West Virginia experiment with blockchain-based mobile voting back in August. But on Tuesday, The New York Times published an opinion piece claiming the opposite. "Building a workable, scalable, and inclusive online voting system is now possible, thanks to blockchain technologies," writes Alex Tapscott, whom the Times describes as co-founder of the Blockchain Research Institute. Tapscott is wrong -- and dangerously so. Online voting would be a huge threat to the integrity of our elections -- and to public faith in election outcomes.
Tapscott focuses on the idea that blockchain technology would allow people to vote anonymously while still being able to verify that their vote was included in the final total. Even assuming this is mathematically possible -- and I think it probably is -- this idea ignores the many, many ways that foreign governments could compromise an online vote without breaking the core cryptographic algorithms. For example, foreign governments could hack into the computer systems that governments use to generate and distribute cryptographic credentials to voters. They could bribe election officials to supply them with copies of voters' credentials. They could hack into the PCs or smartphones voters use to cast their votes. They could send voters phishing emails to trick them into revealing their voting credentials -- or simply trick them into thinking they've cast a vote when they haven't.
Tapscott focuses on the idea that blockchain technology would allow people to vote anonymously while still being able to verify that their vote was included in the final total. Even assuming this is mathematically possible -- and I think it probably is -- this idea ignores the many, many ways that foreign governments could compromise an online vote without breaking the core cryptographic algorithms. For example, foreign governments could hack into the computer systems that governments use to generate and distribute cryptographic credentials to voters. They could bribe election officials to supply them with copies of voters' credentials. They could hack into the PCs or smartphones voters use to cast their votes. They could send voters phishing emails to trick them into revealing their voting credentials -- or simply trick them into thinking they've cast a vote when they haven't.
The elections of the future... (Score:2)
"Blockchain technology" means everything (Score:5, Insightful)
I like how "blockchain technology" now means everything. Certainly everything related to cryptography. Sure, you could do something like have everyone cryptographically sign their vote and then you could have it anonymously verifiable. What does that have to do with a block chain?
Re: (Score:1)
Blockchain only represents the chain-of-custody/anti-tamper tech.
It does not (as the article asserts) make it possible to forge or create ways to manipulate the vote unless they're in control of the entire blockchain from the start, which they likely are.
What would solve this is to bring in several countries (eg Canada, UK, Germany, Australia, New Zealand, Japan, etc) to develop a block chain witness system in which each counties elections are "monitored" by as many "kind" observers as possible, but they on
Re:"Blockchain technology" means everything (Score:5, Insightful)
A block chain doesn't have anything to do with making it anti-tamper either. You get exactly the same protection if you just publish your count list, as you're counting. It's more secure even, since it's not subject to the whims of the mining pool or whatever.
The hash trees that are what block chains really are provide fast consistency checking. That's it. Not verification.
Re: (Score:2)
"Blockchain only represents the chain-of-custody/anti-tamper tech."
That's my favourite claim from blockchain fans. There's nothing about a blockchain that makes it tamper resistant (although the things stored IN a blockchain may or may not be encrypted, and so tamper resistant). It makes it (relatively) easy to verify integrity. That's it. Blockchain gets its anti-tamper capability from having a whole bunch of different people having a copy of the data. That would work the same way with any kind of data
Electronic voting is stupid (Score:5, Insightful)
The sole purpose of voting is to convince the losers they lost a fair election, so the winner's can govern with a mandate.
to be convincing There are only three things about any voting system that are important
1. the secret ballot
2. THat everyone can see how it works and and thus see how it's secured
3. That there's a way to recount that is traceable to the voters own hand written ballot.
Anything else is dross. Crytposystems, proof your vote was counted, etc, all nice but not important if you lose any of the above 3.
All these online voting systems utterly destroy the secret ballot and the also harm the other two.
Sheer stupidity.
Re: (Score:3)
Spot on.
They are hammers in search of a nail.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Explain how the ledger secures anything if the ballots must remain anonymous. And the method has to be not complicate or no one will believe it.
Re: (Score:2)
Okay let's try running through the 3 possible scenarios of "who-has-the-key"
If the block chain is the vote then it has to be readable by the govt and by you. Therefore you can prove how you voted and sell your vote. This is not a secret ballot
If the block chain cannot be read by the govt then it's not the ballot that is being counted and so there is no added security or provability from the block chain.
if the block chain is simple a record that you voted but does not contain your vote then it is not the b
Re: (Score:2)
Re: (Score:2)
Just to be clear, I'm not arguing for "proof of voting". I'm arguing against destroying ballot secrecy.
If anyone, including you, can recover the ballot assigned to "you" it's secret anymore.
if you can write down a key, then you can later prove how you voted. that's not a secret ballot.
An additional important feature of ballot security is destroying the serial ordering of ballots. This is why, in many states, anytime a ballot box is opened the order of the ballots is not supposed to be recorded or a shuf
Re: (Score:2)
Re: (Score:2)
That's a deal killer in the US.
Most people don't have passports, and we don't want a "national ID".
Re: (Score:2)
1 .If the ballot is in the block chain who has the key to read it?
2. If machines are not on-line then the block chain isn't validated in real time. Plenty of time to change it.
3. If the machine is online you just bolted the worlds largest security hole onto a voting machine for no gain.
Re: (Score:3)
If I have the key, then can I use the block chain to prove how I voted? If so you just chucked the secret ballot.
Re: (Score:1)
Trump already has, but he's not for democracy either.
Re: (Score:3, Informative)
You would think that if there was more than a minuscule amount of voter/voting fraud happening, people would be slinging proof from the rooftops. The lack of proof leads credence to the fact that is not a large factor for anything, which means our current processes, while not that great are still reliable.
Postal voting seems much better to me in some cases. For instance, I had about 90 questions on my ballot (2 very long and double sided pages). If I wasn't able to remember or write down all the things I
Re:Same old ... Partisan BS (Score:3, Informative)
"A political party sending in 10000 extra postal votes under names that should not be voting any more?"
If someone is not at the address they are registered, the ballot will be returned. People are required to sign their name on the outside of the envelope the ballot is mailed in and it is matched to the signature on the voting roll. If there is a question, it can be challenged. Once the signature is verified, the ballot is removed from the envelope it was mailed in while still in its own inside privacy enve
Re: (Score:2)
Re: (Score:1)
let's embrace it instead.
Judging by the class of people that win all the time, the voters already have.
TLDR (Score:1)
Trump indicted in 5... 4... 3...
Obligatory XKCD (Score:4, Insightful)
Can we just have vote by mail in all 50 states already? It's 2018. I shouldn't have to go to the polls. If somebody's trying to force you to the polls it's because they don't want you to vote.
Coercion (Score:5, Informative)
The problem with mail-in voting is that it's possible to coerce people to vote a certain way. I'm not even talking about broad conspiracies to alter the vote en masse. For example, I wouldn't be surprised if many spouses said they were voting one way, for the sake of marital harmony, but in fact voted another.
Huh? (Score:4, Interesting)
Re: (Score:2)
I would argue that it is....
But more importantly, there ARE limits to what you discuss and share with anyone, even a spouse.
As an individual, you are allowed to have your private thoughts and opinions and actions like voting.
Re:Coercion (Score:5, Interesting)
You really think this strawman would make a statistical difference when compared with the sheer amount of participation tamper-evident mail-in voting would achieve?
Weigh it against "I have one day to vote, gotta take some unpaid time off work.. now gotta find my polling station.. different every year.. oh look it's 21 miles away.. wait they say they're out of ballots.. hmm, now they say there's a hyphen in my name in their DB that doesn't match my ID" type bs many states have to deal with.
The "problem" with mail in voting is it's not absolutely perfect. It is, however, the best option we have to have the highest possible turnout of eligible voters under the current systems. Which is why it's so strongly pushed back against in highly gerrymandered states.
It's just basic human behavior. If you want people to participate, you make it as easy as possible. Tamper evident mail-in with paper trails just also happen to be the most secure method we currently have.
Re: (Score:2)
I have one day to vote, gotta take some unpaid time off work.
In civilized countries, polling stations are open for 12-14 hours to make sure you don't have to choose between work and voting.
Re: (Score:3)
Re: (Score:2)
"Its illegal to show someone your ballot"
Wrong. See https://www.cnn.com/2018/11/02... [cnn.com]
Its illegal to take pictures of your ballot or polling places in some states.
Re: (Score:2)
I don't want to call your statement a lie but I tried to look up this "fact" that "We literally had thousands and thousands of Canadians sneak into Newfoundland, and vote to join". All I could find was this https://www.cbncompass.ca/opin... [cbncompass.ca] which doesn't really sound like much proof that the Newfoundland vote was "stolen".
I was unable to find any story about parliamentary records to support your claim (not saying they aren't out there just couldn't find them).
Anonymous voting? (Score:1)
Blockchain solves no current problems with voting. (Score:5, Insightful)
I suppose it's barely possible that my vote isn't being counted, but I would be VERY surprised if that were the case, other than trivial clerical errors. The problems we need to solve are things like "People are not database records", and "People don't listen" and "People who listen screw up all the time" and "Infrastructure is selected by committees of people, and people are terrible at their jobs". Basically we're way past the point where mere technical issues dominate the problem space, the big problems are social and political issues which aren't reasonable to blockchain your way out of.
Also, believe me, if you take someone who suspects that the system is rigged against them, introducing a digital voter ID and an explanation involving crypto math is NOT going to make them comfortable. I would have thought that would be self-evident from a few minutes paying attention to Facebook.
Re: (Score:2)
It seems trivial to use paper ballots, give the voter a receipt, and let them check online to see if the ballot was counted - not how they voted, but that the ballot was processed. Vote by mail only requires that the receipt be included in the ballot materials mailed to voters.
God this is simple. I get this sort of service with product rebates and even those sub-dollar class action settlements. The tech is straightforward, the cost reasonable, it's just that easy. Yes, it will require decommissioning some v
Re: (Score:3)
Missing the point. (Score:5, Insightful)
Besides: rigging a paper based election is possible but the number of people you need to involve scales linearly with the amount of votes you want to falsify, increasing chances of being caught. That's not the same for computer based voting; fraud is much easier to hide, and easier to carry out on a massive scale.
Re: (Score:2)
Even if not independently verifiable by laymen, if it at least started with a certain well-established standard for security [networkcomputing.com], it could leverage a verification process that's been in place for a while.
Re: (Score:2)
The point is that with pretty much any system that relies on computers to tally the votes, the results can not be independently verified end-to-end by laymen.
Wouldn't making to blockchain make it more verifiable? Even if I wanted to count ballots, I can't single handedly count every one in every state. The vast majority of people aren't doing anything to verify that the ballots were tallied correctly. But if everyone had a snapshot of the blockchain wallet at the time of the vote, and that verified with the current state of the blockchain, the layman could use their own device to verify that the vote is being properly tallied.
Re: (Score:2)
You don't want a single person counting all the votes. You want it to be a mass effort to reduce the impact of any single person deliberately miscounting.
Re: (Score:2)
I get that blockchain is supposed to make it impossible for someone to dupe the system such that all ten people in your example can see a fraud has been attempted, but I don't trust that the technology genuinely protects against attack.
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Why do we have to pander to deliberately dumbass "lay people" who won't put the effort in to figure out how anything really works.
So you aren't at the mercy of elected officials or experts with a vested interest when it comes down to the brass tacks of counting a close election. I'm pretty sure most "dumbass lay people" would recognize this, even though you didn't.
Re: (Score:3)
What you are forgetting is that the current paper process is an algorithm and a process, with various properties and guarantees (and weaknesses) at various points. We can replicate that as cryptographically gua
Re: (Score:2)
Re: (Score:3)
The guarantees you are looking for are simply not there. As soon as a black box is introduced, no-one can ever be sure that a vote that was cast has been counted correctly. It's as simple as that. Just because I press the button marked R and the machine tells me that it's recorded my vote as R doesn't mean it actually has, and there's no way for anyone to check this. Not least because it's a secret ballot, so any checking has to be done after the fact, without knowing what vote I cast in the first place. Cr
Re: (Score:2)
Only technical experts could validate this sort of thing, but each political side is free to appoint technical experts they trust. The work of the technical experts must be verified b
Verifiable votes are NOT anonymous (Score:2)
If I can verify my vote, someone can peel my skin with a carrot peeler until I verify it.
Re: (Score:2)
Unless you know that you're going to have to validate your vote to a third party. Then, it's "guilty until proven innocent". Better keep that slip of paper.
Re: Verifiable votes are NOT anonymous (Score:2)
Boss: vote for candidate A to keep your job
Me: I destroyed my paper
Though perhaps it's an acceptable puncture of anonymity since cell phone video recorders basically allow that much puncture anyway.
Re: (Score:2)
Hmmm, I wonder if I can cancel votes and revote here, I don't think so.
I believe when I hit the vote button, a physical piece of paper is punched that drops into a lock box.
This is certainly a point in favor of paper ballots (hand paper ballots, pretty sure they're paper in my state too)..
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
If I can verify my vote, someone can peel my skin with a carrot peeler until I verify it.
So you let someone verify your vote, and then go and inform the F.B.I.
Re: (Score:1)
Then everyone can audit it. If they can't handle the math themselves, they're free to appoint the nerds of their choice and their political persuasion to help them audit it.
The more fundamental problem with online voting (Score:5, Insightful)
There's a fundamental problem with online voting... and it would be a huge problem, even IF you could absolutely guarantee 100% security: it's a serious threat to secret ballots. Right now, in most places, if an ultra-frail person shows up to vote who needs assistance, they election officials will provide a poll worker to help them, but WON'T allow a family member or anyone else to accompany them, for that precise reason.
Right now, a husband and wife can easily cancel out each other's votes. If online voting is allowed, there's little to stop the spouse with more power in the relation ship (or who's less ambivalent about voting) from voting on the other's behalf after getting the spouse to log in.
There are other opportunities for coercion... say, an employer (or union, or any other group) who decides to "encourage voting" via the internet "right now" (in at least semi-public view, with at least some social pressure to vote the "right" way). Think: a politically-active church that, instead of marching its congregation off to early voting at a polling place nearby, passes around tablets after the second collection while encouraging people to vote the "right" way in front of their friends, neighbors, and family members.
Let's not forget the possibility of rounding up a bunch of poor people and offering to pay them $20 apiece if they come "vote online" and cast verified ballots for the "right" candidates.
THIS is why voting needs to occur in private, but in a public location where individual voters CAN'T be coerced by anyone.
The right to a secret, coercion-free ballot is absolutely fundamental. It's at least equal in importance with security, and is arguably part of "integrity". It's a fundamental problem with internet voting that simply CAN'T be solved.
Obviously, it's also a potential problem with absentee ballots sent by mail... the difference is, absentee ballots are an edge case, generally used by a relatively small number of voters. Yeah, there are some elections now held by mail only... but they're for local races that few people care about anyway. The more powerful the office, the greater the stakes.
Re: (Score:2)
Right now, a husband and wife can easily cancel out each other's votes. If online voting is allowed, there's little to stop the spouse with more power in the relation ship (or who's less ambivalent about voting) from voting on the other's behalf after getting the spouse to log in.
That's a little far-fetched.. in some abusive relationship where the abusive partner cares a lot about voting, they would just not let the other person go vote. How is making it easier for *everyone* going to materially change that situation? And in the parenthetical you mention, campaigning is going to happen anyway. If someone is ambivalent, the other person will try to convince them.
There are other opportunities for coercion... say, an employer (or union, or any other group) who decides to "encourage voting" via the internet "right now" (in at least semi-public view, with at least some social pressure to vote the "right" way). Think: a politically-active church that, instead of marching its congregation off to early voting at a polling place nearby, passes around tablets after the second collection while encouraging people to vote the "right" way in front of their friends, neighbors, and family members.
Technology has already made that possible. You can take a picture of your ballot with your phone. If the employer/church/wh
Re: (Score:3)
> You can take a picture of your ballot with your phone.
Actually, in Florida, you can't. You can take a picture of *a* ballot. You can even take a picture of THE ballot given to you. But the moment you photograph a ballot, it's considered 'spoiled' and has to be exchanged for a fresh one.
Re: (Score:2)
I'm curious how anybody would know? Where I vote (in NC) we have tables with privacy screens and nobody sees what you're doing. What's it like in Florida?
Re: (Score:2)
Technically, you could probably be really secretive about it without getting caught, but most people who try to do it don't try hiding it, so it's fairly easy for poll workers to catch them and inform them about the rule.
The intent isn't to enforce some draconian zero-tolerance rule or punish people... it's to give people who don't WANT to be forced to document their ballot an easy out, so they can tell anyone who tried to get them to provide proof of how they voted, "I tried, but the poll workers wouldn't
Re: (Score:3)
Re: (Score:2)
Total bullshit.
Re: (Score:2)
So, over 40 years, 1,177 cases. So, accidents driving to the polls probably causes more errors. Heck, fatal accidents probably cause more errors. Of those, ~1% (13) would have been stopped by voter ID. Out of billions of votes cast. So, we're really at the level of "put lighting rods near polling places" or, quite literally, "I better take out a loan cause I just bought the winning lottery ticket".
Meanwhile, 10% of the illegal votes were for duplicate voting (which voter ID won
Re: (Score:3)
Obviously, it's also a potential problem with absentee ballots sent by mail... the difference is, absentee ballots are an edge case, generally used by a relatively small number of voters.
Not an edge case any more. Oregon and Washington State are 100% vote by mail.
Re: (Score:1)
That is correct. But blockchain-based voting can still be useful and reduce voting costs.
Ideally, you would keep the requirement of showing up at the polls. You would verify your identity manually and be issued a private key on the spot with your smartphone, with a token to vote.
You would use that immediately in a terminal where you would cast that vote much like you scan a qr code and pay with a bitcoin address.
Later in the day, or the next day, you would verify your vote is included, in a similar way that
Re: (Score:2)
Ideally, you would keep the requirement of showing up at the polls.
Why? You register to vote without showing up somewhere.
Re: (Score:3)
THIS is why voting needs to occur in private, but in a public location where individual voters CAN'T be coerced by anyone.
I feel another aspect is just as important, the fact that your identity is truly separated from your vote. If it's one thing computers are really good at it's surreptitiously logging what you do. No matter how you do it in order to make sure only eligible voters vote and only once you have to issue some kind of token that's linked to your identity. Even if you could build a magic box that only gives totals that's no good if you can poll it after every vote, if you can verify it's your vote and they kept the
Re: (Score:2)
Could this problem be solved by using a private verification key and a dummy key that is recorded when you register to vote? With this verification key as the last step to submitting your ballot, if you enter the dummy key the system marks the vote as valid and submitted so if someone is coercing you they are satisfied. Then later on you can redo the ballot with your verification key and it will actually be recorded as your vote. I propose we call the dummy key the "safe word".
Re: (Score:2)
This might work, but it would ONLY be an effective mitigation if:
1. Internet voting ended at least a day before in-person voting (so somebody couldn't coerce you into voting online 10 minutes before the polls closed to negate the possibility that you might go out the next day, vote in person, and cancel out your coerced vote).
2. There's literally NO public paper trail that would allow anyone besides an elections department employee (or maybe certain others, like journalists bound by nondisclosure agreements
All Those Votes (Score:1)
Verification not casting (Score:1)
Blockchain could probably be an effective way to allow the electorate to verify that their results were tallied correctly. Imagine each vote is added to a closed blockchain that's merged internally. Once the results are tallied the chain used for the tally is moved from air-gapped systems to the public internet. Once that happens the results are essentially fixed. The voters could have been given their key in the chain to check that it exists.
Using any of this to actually cast the votes is a terrible idea.
You cannot replace paper voting (Score:3)
I've been programming computer for 40 years and I'll be hard pressed to follow what happens inside a "black box" voting machine, so imagine someone with no computer knowledge!
Voting is the one thing that Blockchain works for (Score:2)
What is blockchain useful for? Verifying that the log history hasn't been altered with. Voting is the one scenario where what you're worried about is a bad actor mis-tallying the votes; ie, modifying the "history" of the votes. With blockchain, when you vote a majority of the other voters have to sign off on what you voted for. Then, your client keeps an offline copy. Each voter can then check that against their voting wallet to see what the result of the election is. If a bad actor somehow pulls off a 51%
Re: (Score:2)
And yet we somehow do online banking and online shopping. While they're at it, they could hack into the PC's tallying the paper ballots. Significantly smaller target than 51% of the voters.
*Precisely* this kind of hack of PC's tallying votes is already suspected to be happening at a significant scale in the US. It isn't a situation that is made better by more use of computers, whereas it is a situation made better by more use of manual counting.
Re: (Score:2)
It isn't a situation that is made better by more use of computers, whereas it is a situation made better by more use of manual counting.
But every voter having a wallet for their precinct, is a way for every voter to be part of manual counting. Not just those who manually do the counting and then report in the tallies, and hope that the person they're talking to writes the tallies down correctly.
Re: (Score:2)
It's really not taking part in a manual count, though, is it? It's trusting that a screen is telling you something meaningful about the integrity of an election.
Some answers (Score:2)
You have the computer that generates credentials offline, physically inaccessible and tamper-resistant. Very basic airwall type stuff. You can't hack what you can't reach. Physically transfer votes to a tape drive bridging the gap.
Voters never transmit voting credentials. Why would you need to? It's a shared secret, or one half of a public/private key pair. Transmit a vote encrypted by the credential and it'll only decrypt if valid.
The other issues are more significant. You can't do anything about a PC, so
Re: (Score:2)
Too many people have to be able to access the raw information for any such card to be useful. It's also re-used. As Turing demonstrated, reusing a key isn't always good. You want certificates that are generated purely for one-off use.
Smartphone based Elections (Score:1)
Vote must be secret or not be accepted (Score:5, Insightful)
With the secret ballot, those politicians need various tricks to have their "clients" prove that they voted whom they had to vote. If they could instead have them vote by phone, comfortably in front of them or of one of their "representatives", their racket would be much easier, and this would further degrade the quality of the government.
The domestic threat? (Score:2)
many ways that foreign governments could compromise an online vote
I would look to the non-foreign possibilities first. The people most motivated to influence elections are the parties taking part. Either "officially" or some out-of-control breakaway factions.
They would also have greater access to all points of the voting process and be more able to leverage individuals who controlled it. We know from commercial and industrial hacking and espionage that most of the leaks come from within an organisation, yet most of the defences are outward-looking. It seems that those c
OMG more disaster. (Score:1)
I remember a company I once worked for. It was a voice verification technology. A mike picks up your voice and decides it's you.
One day we learned that the Defense Department was investing. We joked "Why to Guard the nuclear arsenal?" Answer "Yeah". Our reaction. "The world is doomed."
Every technical person left the company. Including the people responsible for the recognition science. This was a company that literally had 200% annual turnover.
A few years later, Bush v Gore. I'm listening to some g
Re: (Score:2)
You know what? I've been hearing about dead voting all my life.
What's wrong with that? Zombies are people too, you insensitive clod!
I do have some reservations about letting zombies be elected into high offices, but I'm afraid it's too late now.
Obligatory xkcd: (Score:2)
https://xkcd.com/2030/ [xkcd.com]
Whoever invents it must answer the support lines (Score:2)
The dangers of fad technologies (Score:2)
This is the problem when technologies reach popular fad status. Every idiot thinks that it is somehow a magic bullet that will fix all your woes, even the non-technical ones.
It happens over and over and over again without fail. Considering that this happens every few years, it now blows my mind that we keep falling for it considering that the last episode couldn't possibly have been so long ago that it faded from memory. And yet here we are.
Blockchain is a great technology. But FFS learn how it actually
when voting is anonomous... (Score:2)
we can buy your vote. No one will know, because you are anonymous. How many people would be willing to go vote , for whomever for $50?
I could see a whole black market for votes developing.
Only one thing will stop the insanity. (Score:2)
I want to see the headlines: "Unknown candidate 1337 h4x0r wins in a surprise write-in landslide."
That'll put the kibosh on this nonsense right quick.
My modest proposal: (Score:2)
A ballot is a blank sheet of paper.
You write on it the offices and the candidates you're voting for.
Spelling counts.
Estonia has blockchain based online voting (Score:1)