Are Blockchains the Answer for Secure Elections? Probably Not (scientificamerican.com)
35 points by digital55 on Aug 16, 2018 | 70 comments


We can probably spend the next decade trying to theoretically engineer our way to a method for secure and tamperproof electronic voting.

But how does that ensure that “normal” people (who don't have a solid grasp of blockchains and cryptography) can verify that the voting machines themselves actually are running the correct software without having to break out a chemistry set and a microscope to analyse the ICs?

Can the integrity of every machine ever be verified? And even if the system discards votes from machines not running the correct software, people then have their votes discarded because they used a hacked machine.

Paper ballots allow pretty much anyone to watch the ballots from the moment they are put in the box until they are counted, and then confirm that the ballots haven’t been tampered with.


Yeah pretty much my view. Paper ballots work. If you can't afford to have paper ballot elections, then your country has bigger issues.

I also question whether electronic voting would be cheaper, since if you want to avoid foreign tampering you would have to develop the machines independently and internally in your country. Hardly a cheap proposition.


I think you are kinda missing the point. The blockchain would define a secure protocol for voting, which you could independently verify. In such a distributed trustless system, you could even vote with your own device, provided you have the "keys"/"id" to submit your vote. See my other post in this thread for my opinion on this subject, if you want to further understand what I'm trying to say.


This is probably the first non-currency use of block chain that actually made me stop and reconsider the eye-roll I had locked and loaded.

I like the idea of votes essentially sitting in a public ledger. They can be independently tallied by anyone.

You walk into a voting booth and get ID'd. They hand you a random QR code token, pre-printed, not tied to your identity.

You place your vote. It can publicly write your state/county (maybe city) information and your vote, keyed by your QR token.

I can take my QR to any third party to verify my vote was correct and got tallied.


Interesting concept of separating your identity from the ID used to vote.

There is one problem though. With the QR code you would be able to show someone how you voted. Thus making it possible to coerce or buy votes.


Homomorphic encryption might be able to be used to demonstrate your vote has been tallied, but make it impossible to prove what you voted for. The problem with this being that you can't vote that your vote was tallied for what you wanted it to be. But that is also a problem with the counters. A malicious counter could "miscount" a vote as another vote.


Imagine it's voting day, you go to a polling location and sign in to verify that you are a real person and allowed to vote. They generate a private/public key for you on the spot and hand it to you without officially linking your name and key together on the record, so your vote can remain anonymous. (Or maybe you're even allowed to generate your own and let polling station just verify the public key) You vote for who you want, sign the vote with your private key and then keep your public key for your own personal records. Your vote is added to a master database and made publicly available for anyone to verify. You can give your public key to anyone you trust to validate your vote, or just look it up yourself to make sure nothing was altered.

Now how does running this mechanism through a P2P blockchain make this more efficient, or more resilient against corruption?


Your proposed system fails at one of the most essential properties of voting, repudiation. Voters must not be able to prove who they voted for, or they could be coerced to vote a certain way.


Oops. I posted about the same scheme before reading yours. Sorry.

One nice property of the Git-like Merkle-tree half of the blockchain I do understand is that it's stupid easy to say: at this time, this was the state of the world and nothing in the past changed. (Just like git commits, though more robust than sha1s.) It's harder to mess with than a giant DHT.

As for all the other bits of blockchain, I'm out of my depth.
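The Merkle-tree property the comment above describes can be shown concretely: publish one root hash for the ledger at a given moment, and any single record can later be checked against that root with a short inclusion proof, while any change to any record changes the root. The block below is an added example written for this page, not code from the thread or from any voting project; the ballot records are constructed sample data and the leaf/node domain separation bytes are a design choice of this example.

```python
import hashlib
from typing import List, Tuple


def _sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def leaf_hash(record: bytes) -> bytes:
    # Prefix leaves and internal nodes differently so a leaf can never be
    # reinterpreted as an internal node (second-preimage defence).
    return _sha256(b"\x00" + record)


def node_hash(left: bytes, right: bytes) -> bytes:
    return _sha256(b"\x01" + left + right)


def build_tree(records: List[bytes]) -> List[List[bytes]]:
    """Return every level of the tree: level 0 is the leaves, the last level is [root]."""
    if not records:
        raise ValueError("empty ledger")
    level = [leaf_hash(r) for r in records]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2 == 1:
            level = level + [level[-1]]  # duplicate the last node on odd-sized levels
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels


def root(records: List[bytes]) -> bytes:
    """The single hash that would be published as 'the state of the world' at this time."""
    return build_tree(records)[-1][0]


def inclusion_proof(records: List[bytes], index: int) -> List[Tuple[bytes, str]]:
    """Sibling hashes from the leaf up to the root, each tagged with the side it sits on."""
    proof = []
    i = index
    for level in build_tree(records)[:-1]:
        if len(level) % 2 == 1:
            level = level + [level[-1]]  # same padding rule as build_tree
        sibling = i ^ 1
        proof.append((level[sibling], "right" if sibling > i else "left"))
        i //= 2
    return proof


def verify_inclusion(record: bytes, proof: List[Tuple[bytes, str]], expected_root: bytes) -> bool:
    """Recompute the path to the root from the record alone; no access to the ledger needed."""
    h = leaf_hash(record)
    for sibling, side in proof:
        h = node_hash(h, sibling) if side == "right" else node_hash(sibling, h)
    return h == expected_root


# Constructed sample ledger: anonymous token -> choice, as in the QR-token idea above.
SAMPLE_LEDGER = [
    b"token=QR-0001;contest=mayor;choice=A",
    b"token=QR-0002;contest=mayor;choice=B",
    b"token=QR-0003;contest=mayor;choice=A",
    b"token=QR-0004;contest=mayor;choice=C",
    b"token=QR-0005;contest=mayor;choice=A",
]


def tamper_changes_root(records: List[bytes], index: int, new_record: bytes) -> bool:
    """True if editing one record after the root was published would be detected."""
    edited = list(records)
    edited[index] = new_record
    return root(edited) != root(records)


if __name__ == "__main__":
    r = root(SAMPLE_LEDGER)
    proof = inclusion_proof(SAMPLE_LEDGER, 3)
    print("root:", r.hex())
    print("record 3 included:", verify_inclusion(SAMPLE_LEDGER[3], proof, r))
    print("edit detected:", tamper_changes_root(SAMPLE_LEDGER, 1, b"token=QR-0002;contest=mayor;choice=A"))
```

A voter holding only their own record and the published root can run verify_inclusion without seeing anyone else's ballot; the open question the thread keeps returning to (whether the tree being checked is the one actually tallied) is not something the data structure itself answers.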


How do I know that the vote I'm verifying is the one that's used to count votes?


From the first paragraph:

With the U.S. heading into a pivotal midterm election, little progress has been made on ensuring the integrity of voting systems—a concern that retook the spotlight when the 2016 presidential election ushered Donald Trump into the White House amid allegations of foreign interference.

Most of the allegations at the center of the media feeding frenzy have nothing to do with tallying votes, but:

- influencing voters through platforms like Facebook

- airing the Democratic Party's dirty laundry regarding Sanders

- the unsubstantiated claim by a certain President that illegal aliens voted in droves

One notable exception is Reality Winner, who published classified materials that among other things linked Russia to an attempt to contact a voting machine company. She sits in prison today without bail awaiting a trial that has been years in the making. Few have even heard of her.

The pro-election automation drumbeat seems to have very little basis in fact, at least in the US.


There will be no trial: “In June 2018, it was announced that Winner would change her plea to guilty. In late June, she pleaded guilty to one count of felony transmission of national defense information. Winner's plea agreement with prosecutors calls for her to serve five years and three months behind bars plus three years of supervised release. She is yet to be sentenced.”

https://en.m.wikipedia.org/wiki/Reality_Winner


Other headlines I have read:

"What could blockchain do for music?"

"Blockchain - the future of healthcare?"

"De Beers turns to blockchain to guarantee diamond purity"

"Blockchain Technology Is Becoming Crucial For Space Exploration"

"The Blockchain Art Market is Here"

It is actually quite remarkable how much hype there is for this technology that hasn't really done anything useful besides cryptocurrency (and even then, we can argue about how useful that really is...). Seriously though, how on Earth did the hype get this far? This technology is actually not that interesting or new or proven to do anything. It's an interesting study of human psychology. Are there any other examples of technology with a worse hype to usefulness ratio? At least "machine learning" has actually done something useful in places.


If you build your own software that needs to be secure, it is hard and risky (for your career).

Maybe the blockchain is a way to outsource that responsibility, rightfully, because of the large community and money invested in making sure it's safe? Which manager won't like that?

And also great, managers have heard of it, because bitcoin is famous.

In addition, blockchain offers a new funding mechanism. Which founder wouldn't like that?

And VC's seem to like all those virtual coins.


Please explain, in detail.


The bitcoin ecosystem, a type of blockchain, manages tons of money, and does so in the public - open source, open ledger, everyone can try to either crack or improve it, etc.

And yet it works well. And everybody has heard of it.

So let's say I'm a manager at big corp X and need to implement a secure transactions system (for whatever). Is there a better way to cover my ass than using a blockchain? To cover my manager's ass than to choose bitcoin/blockchain? What is that way?

As for VC, this is one article: https://www.ccn.com/whats-behind-the-multi-billion-dollar-ve...

And I think it also helps us understand why some founders would like blockchain.

Also, a side note: it's extremely easy to make someone interested in the success of some crypto coin. This means many people now have the motive, and manipulating the media becomes a possibility, and maybe it's easier in the age of the internet.


> how on Earth did the hype get this far?

https://news.ycombinator.com/item?id=16900754

:)


Maybe it's worth asking what properties a blockchain would need in order to provide a secure election, and ask whether those are possible. I'd love to see results for blockchain-related election technology with similar sorts of implications to Arrow's Theorem or the CAP Theorem of distributed systems.

Anyone aware of progress here?


This feels a bit backwards to me - is the goal to describe and implement a "secure election", or to apply blockchain to X?


Indeed. Furthermore, "secure elections" are a solved problem. Have paper ballots, and scan them later. If you have any reason to suspect the scanners, then throw away the scanners and then proceed by hand.

There are statistical methods to count a small number by hand (+ corroborate with poll results) to ensure a degree of consistency. Chi-squared distributions and stuff (I'm not a mathematician, but I'm sure there's some statistical method to verify the results without counting everything by hand).

The main problem with blockchain is that it requires everyone to trust the blockchain. With humans counting by hand, you don't require any trust. As long as the ballots are properly stored, you can always recount the results.
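The "count a small number by hand" idea in the comment above is what election statisticians call a risk-limiting audit. The block below is an added example, not code from the thread; it implements the two-candidate BRAVO ballot-polling test (Lindeman, Stark and Yates, 2012) rather than the chi-squared test the commenter mentions, because BRAVO is the standard sequential procedure for this job: each hand-examined ballot multiplies a test statistic by the ratio of the reported winner's share to a 50/50 split, and the audit stops once the statistic reaches 1/risk_limit. The ballot population and the seed are constructed for the demo.

```python
import random
from typing import Iterable, List, Tuple


def bravo_ballot_polling(sample: Iterable[str], reported_winner_share: float,
                         risk_limit: float = 0.05) -> Tuple[bool, int]:
    """Two-candidate BRAVO test.

    sample: hand-interpreted ballots in the random order they were drawn:
            'w' = vote for the reported winner, 'l' = vote for the reported loser,
            'o' = other/invalid (contributes nothing).
    Returns (confirmed, ballots_examined). confirmed=True means the sample supports
    the reported outcome at the given risk limit; False means the audit did not stop,
    and the escalation path is a full hand count.
    """
    if not 0.5 < reported_winner_share < 1.0:
        raise ValueError("reported winner must have a strict majority of valid votes")
    threshold = 1.0 / risk_limit
    statistic = 1.0
    examined = 0
    for ballot in sample:
        examined += 1
        if ballot == "w":
            statistic *= reported_winner_share / 0.5        # > 1: evidence for the outcome
        elif ballot == "l":
            statistic *= (1.0 - reported_winner_share) / 0.5  # < 1: evidence against it
        if statistic >= threshold:
            return True, examined
    return False, examined


def draw_sample(population: List[str], size: int, seed: int) -> List[str]:
    """Uniform random sample without replacement; the seed would come from a public dice roll."""
    return random.Random(seed).sample(population, size)


def build_population(winner_votes: int, loser_votes: int, invalid: int = 0) -> List[str]:
    """Constructed stand-in for the physical ballots; a real audit samples from the boxes."""
    return ["w"] * winner_votes + ["l"] * loser_votes + ["o"] * invalid


if __name__ == "__main__":
    # Constructed election: reported 600 to 400 (winner share 0.6), 10 invalid ballots.
    ballots = build_population(600, 400, 10)
    sample = draw_sample(ballots, 100, seed=20180816)
    confirmed, examined = bravo_ballot_polling(sample, 0.6, risk_limit=0.05)
    print(f"confirmed={confirmed} after examining {examined} ballots")
```

For a reported 60/40 result, a sample that keeps agreeing with the reported winner stops after 17 ballots at a 5% risk limit (1.2^17 is the first power to exceed 20); a sample that mostly contradicts it never stops, which is the signal to abandon the scanners and count everything by hand, exactly the fallback the comment describes.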


You still require trust with the paper ballots, there are multiple threat models:

- System needs to ensure everyone votes only once

- Ensure each person meets the qualifications to vote

- Ensure ballots cannot be counterfeit or additional ballots inserted somehow

- Ensure votes are confidential throughout the process

- Ensure voters cannot prove their votes to others

- Ensure the people counting are trusted or the results checked / verified

- Ensure all ballots are actually counted

One significant negative with the paper ballot method is that voters cannot confirm the last point. I have no way of confirming that my ballot was actually counted and contributed to the final tally.



ThreeBallot was broken (and the fix unworkable).

https://en.wikipedia.org/wiki/ThreeBallot#Broken_Encryption


Thanks, didn't know that. What about the other variants?


To attack paper ballots you need people. Like thousands of people working with you to manipulate important elections directly at the source.

With electronic voting, you potentially need a single person with a computer on the other side of the globe exploiting a security flaw, that will inevitably be there. Whoever claims to write bug free software is a conman.

I also don't want to be able to verify my vote. If I can, that means that somebody else also can. Given how tech-illiterate the average human is, voting crypto keys will be littered all around the internet.


>I also don't want to be able to verify my vote. If I can, that means that somebody else also can. Given how tech-illiterate the average human is, voting crypto keys will be littered all around the internet.

Right, I should have been more clear. You typically do want voters to be able to prove that they voted and that their vote was counted, but you do not want voters to be able to prove the contents of their vote (who they voted for).


Pretty much all those points apply with electronic voting too.

With electronic voting I pretty much lose the ability to verify my vote wasn't changed. With paper I can achieve a high level of confidence that a significant number of votes didn't get changed as lots of people with opposing interests are watching each other.

With electronic voting:

- I can't read the code since it's likely closed source (and not many people can read code)

- Even if it's open source I can't verify that the code I verified is running the code I verified. A USB port is a security risk, any printout can be forged and finally I certainly wouldn't be allowed to inspect the machine's insides. And this is ignoring all the other code on the machine in stuff like the touch screen controller etc.

- So given that the code is a blackbox, I can't verify that my vote hasn't been changed silently, especially since the crypto token I'm given doesn't allow me to verify my vote.

Whereas with paper ballots, the average person is able to understand the risks and mitigate them, especially since you'll have people with opposing votes trying to catch the other side cheating.

Elections are too important and people are motivated to try and hack them, since the likelihood of getting caught hacking is much smaller than the massive effort you'd need to materially affect a paper ballot.


It doesn't scale to every voter, but in my country anyone can request to witness the opening of the local sealed boxes and the subsequent count.


>- Ensure voters cannot prove their votes to others

>- Ensure all ballots are actually counted

aren't these two contradictory?


I believe aeternus means proving the contents of the vote, not simply that they voted. In that case, no, they're not contradictory.


Calling "secure elections" a solved problem made me laugh.


Thanks for pointing that out. I laughed too. Shill obviously works for a problem.


I remember back in college listening to a guest lecturer talk about the problems with electronic voting. It was very interesting. I think the entire political world is still feeling the wrath of the 21st century. Hopefully we all make it out alive.


This removes the cryptography aspects, which is what keeps the system and results verifiable after the fact. Of course the votes can be counted and statistical estimations of accuracy can be used to attempt to detect fraud but that can also be performed AFTER each individual vote is recorded on a blockchain. In fact the only reason not to utilize blockchain technology in election processes is to ensure the results can be manipulated.


Can you clarify this a bit? What unique security assurances are offered by a blockchain that cannot be provided by other cryptographic methods?


What blockchain voting scheme(s) provide at least as much anonymity as paper ballots?


Paper ballots are fine for infrequent elections. But not for things a bit more ... liquid[1]

[1] https://en.m.wikipedia.org/wiki/Delegative_democracy


For tallying results, trust has to be placed in the people and/or machines tallying the results.

With a blockchain-based system, every voter would count everyone else's votes


How would you know every vote was registered in the blockchain?


Because it's a public, verifiable data structure. That's not to say it's perfect, it's subject to 51% attacks so yes votes could possibly be discarded in that case.


Yeah it's backwards. We need to first characterize how to implement a secure election, compile a criteria for that, then evaluate tech platforms against that.

Given that experts already know how to secure elections and that traditional tech solves the problem just fine, Blockchain would almost certainly lose.

Election tech experts like Verified Voting, Black Box Voting, and Ed Felten & co at Princeton already know how to secure elections, but for whatever reason that knowledge hasn't promulgated to all the local election officials in the country that make the decisions on how they're run and what tech they use. That's the real problem, not a lack of secure voting knowhow/tech.


I think "secure election" is one of the few uniquely viable use cases for blockchain. In my opinion, elections should be easily anonymized, verifiable, distributed, and resistant to bad actors. That seems like a slam dunk for the things blockchain claims to be good at.

What's unique about blockchain compared to paper ballots is, everyone has access to every ballot if every ballot was recorded on the blockchain, which is unfeasible with physical paper ballots. The slow speed of consensus is also less of an issue for elections than it is for financial transactions.

That being said, use of blockchain alone doesn't make an election secure.


Elections should also not allow someone to verify how they voted after the fact.

I'm not sure how blockchains allow for that.


I think a way around this is: everyone gets randomly generated keys every election, like how everyone gets randomly numbered paper ballots. Currently, you can check if your numbered ballot was counted after you voted, but you can't verify the ballot wasn't tampered with.

With keys, you can verify your vote was counted and not tampered with. If you don't want people to know how you voted, destroy your key.

I'll admit that this still has some of the same flaws as paper ballots: the government doesn't track which key/ballot is assigned to you, and issuing of keys/ballots is effectively centralized. But the advantage is that it's harder to forge or tamper with a ballot.


> With keys, you can verify your vote was counted and not tampered with. If you don't want people to know how you voted, destroy your key

If you can prove how you voted, this will be the subject of vote buying (or negative retaliation for failure to prove “correct” votes.) History has demonstrated that over and over again, which is why secret ballots for normal public elections and recorded votes in representative bodies where you want voters to be held accountable are norms.


Completely forgot about vote buying for a moment. Secret, but verifiable is a hard problem.


Someone could still force you (physically, blackmail, etc) to give them your key.


Sure, just like how you can just steal physical absentee ballots out of mailboxes and mail them in.

There's no such thing as perfect security. The problem of secure elections is how secure is secure enough?

How many keys/ballots can you feasibly steal before getting caught? Is that number significant enough to change an election? Historically, it hasn't been.


But it's a fundamental requirement of elections that nobody should be able to force/bribe someone else to vote for a specific candidate.


Or just pay you. A huge portion of the populace would vote "the correct way" for a remarkably tiny kickback. We saw rampant vote buying during the gilded age.


>Elections should also not allow someone to verify how they voted after the fact.

Why not? I'd like to know that my ballot was counted properly.

And that everyone whose vote was counted was a valid voter.

And that everyone whose vote was counted, was counted how they intended (but not the content).

You're right if you mean that some of those desirable properties might be irreconcilable, but that's not the same as saying I shouldn't be able to validate correct counting outright; that's exactly what allows votes to be changed after the fact.

IIRC, it is possible to use homomorphic encryption to get all of that and have an end-to-end auditable system that maintains differential privacy (impossibility of detecting a change in the outcome by removing one vote). But I don't know the details of such a system.
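The homomorphic-encryption idea in the comment above (and in the earlier remark that it can show a vote was tallied without letting anyone prove its content) can be demonstrated with an additively homomorphic scheme: each ballot is a list of encrypted 0/1 values, one per candidate; the ciphertexts are multiplied together to add the plaintexts, and only the final sums are ever decrypted. The block below is an added example written for this page, not code from the thread or from any voting system; it uses textbook Paillier with two small constructed primes (a real deployment uses primes of 1024 bits or more, and the candidate names and ballots are sample data).

```python
from math import gcd
import secrets
from typing import Dict, List, Tuple

# Constructed toy primes for the demo only; nowhere near a safe key size.
TOY_P, TOY_Q = 104723, 104729
CANDIDATES = ["A", "B", "C"]


def keygen(p: int = TOY_P, q: int = TOY_Q) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Paillier keys with g = n + 1: public (n, g), private (lambda, mu)."""
    n = p * q
    n2 = n * n
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)  # lcm(p - 1, q - 1)
    g = n + 1
    mu = pow((pow(g, lam, n2) - 1) // n, -1, n)    # inverse of L(g^lambda mod n^2)
    return (n, g), (lam, mu)


def encrypt(pub: Tuple[int, int], m: int) -> int:
    """Randomised encryption: the same plaintext gives a different ciphertext each time."""
    n, g = pub
    n2 = n * n
    while True:
        r = secrets.randbelow(n)
        if r > 0 and gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub: Tuple[int, int], priv: Tuple[int, int], c: int) -> int:
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    return (((pow(c, lam, n2) - 1) // n) * mu) % n


def add_encrypted(pub: Tuple[int, int], c1: int, c2: int) -> int:
    """Multiplying ciphertexts adds the hidden plaintexts: Enc(a) * Enc(b) = Enc(a + b)."""
    n, _ = pub
    return (c1 * c2) % (n * n)


def encrypt_ballot(pub: Tuple[int, int], choice: str, candidates: List[str] = CANDIDATES) -> List[int]:
    """One ciphertext per candidate: Enc(1) for the chosen one, Enc(0) for the rest."""
    return [encrypt(pub, 1 if cand == choice else 0) for cand in candidates]


def tally(pub: Tuple[int, int], priv: Tuple[int, int], ballots: List[List[int]],
          candidates: List[str] = CANDIDATES) -> Dict[str, int]:
    """Sum each column under encryption; only the per-candidate totals are decrypted."""
    totals = {}
    for col, cand in enumerate(candidates):
        acc = encrypt(pub, 0)
        for ballot in ballots:
            acc = add_encrypted(pub, acc, ballot[col])
        totals[cand] = decrypt(pub, priv, acc)
    return totals


if __name__ == "__main__":
    pub, priv = keygen()
    # Constructed sample electorate of five voters.
    cast = [encrypt_ballot(pub, ch) for ch in ["A", "B", "A", "A", "C"]]
    print(tally(pub, priv, cast))  # {'A': 3, 'B': 1, 'C': 1}
```

Note what this does and does not give: the published ciphertexts let anyone recompute the encrypted totals, and a voter who kept their ballot's ciphertexts can check they appear in the input, but nothing here stops a voter from encrypting 1000 instead of 1 or forces a ballot to come from an eligible voter; deployed schemes add zero-knowledge proofs that each ciphertext encrypts 0 or 1 and a separate eligibility/signature layer, and Paillier's malleability is exactly why those proofs are attached.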


Ideally, you'd want to be able to verify your vote was counted correctly, but not be able to determine whether a specific individual voted a certain way. It's so you can't feasibly sell your vote; it's one thing to say you voted a certain way, it's another to prove you actually did it.

It's also to protect the voter against retaliation; imagine if the government can discriminate based on how you voted. You can always destroy paper ballots; it's difficult to destroy public blockchain ledgers.


>Ideally, you'd want to be able to verify your vote was counted correctly, but not be able to determine whether a specific individual voted a certain way. It's so you can't feasibly sell your vote; it's one thing to say you voted a certain way, it's another to prove you actually did it.

Right -- my point was that the parent was equating the two, but that's throwing the baby out with the bathwater. It's great that you can't prove to others how you voted, but not if it allows a third party to overwrite your vote without your knowledge!


Because you open yourself to vote buying and voter intimidation attacks.

Imagine a sketchy untraceable site on tor that'll give $20 for every public key that voted "the correct" way.

During the gilded age, voter buying was a particularly bad problem, so we have a history of this attack in the united states.


Yes, I understand the concept of selling votes. That wasn't in dispute.

But in that case, your objection is to "being able to prove to others that you voted one way". Not to "being able to prove to yourself that you were counted as voting one way".

Equating the two makes it harder to evaluate what is and isn't possible with different schemes like e.g. homomorphic systems.


If you can prove to yourself, you can prove to others. They just ask for your key in exchange for the kickback.


That does not follow at all: there are deniable encryption schemes that can decrypt to one or another message depending on which key is used.

There are zero-knowledge proof systems that can convince exactly one person of a claim but not others (because the one person chose random challenges that others can't trust not to have been revealed in advance)

Be careful what assumptions you're depending on!
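The second point in the comment above, that an interactive proof convinces only the person who chose the challenge, can be shown with the simplest such protocol. The block below is an added example, not code from the thread: a Schnorr proof of knowledge of a discrete logarithm over a constructed toy group, together with a simulator that fabricates a perfectly valid-looking transcript without the secret by picking the challenge first. The group parameters (p = 2039, q = 1019, generator 4) are chosen for this demo only and offer no security.

```python
import secrets
from typing import Optional, Tuple

# Constructed toy group: p = 2q + 1 with q prime, G generates the order-q subgroup.
P, Q, G = 2039, 1019, 4


def keygen() -> Tuple[int, int]:
    """Secret x (think: the voter's private key) and public y = G^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def prover_commit() -> Tuple[int, int]:
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)


def verifier_challenge() -> int:
    """The verifier's own fresh randomness is what makes the proof convincing to them."""
    return secrets.randbelow(Q)


def prover_respond(x: int, r: int, c: int) -> int:
    return (r + c * x) % Q


def verify(y: int, t: int, c: int, s: int) -> bool:
    """Accept iff G^s == t * y^c (mod p)."""
    return pow(G, s, P) == (t * pow(y, c, P)) % P


def honest_transcript(x: int, c: Optional[int] = None) -> Tuple[int, int, int]:
    """Run the three-move protocol; c=None means the verifier picks it at random."""
    r, t = prover_commit()
    if c is None:
        c = verifier_challenge()
    return t, c, prover_respond(x, r, c)


def simulated_transcript(y: int) -> Tuple[int, int, int]:
    """Produced WITHOUT the secret: choose c and s first, then solve for t."""
    c = secrets.randbelow(Q)
    s = secrets.randbelow(Q)
    t = (pow(G, s, P) * pow(pow(y, c, P), -1, P)) % P
    return t, c, s


def third_party_can_distinguish(y: int, transcript: Tuple[int, int, int]) -> bool:
    """A transcript alone never tells a third party whether the prover knew x."""
    t, c, s = transcript
    return False if verify(y, t, c, s) else False  # valid or not, it proves nothing to them


if __name__ == "__main__":
    x, y = keygen()
    print("honest transcript verifies:   ", verify(y, *honest_transcript(x)))
    print("simulated transcript verifies:", verify(y, *simulated_transcript(y)))
```

The live verifier is convinced because the challenge was unpredictable to the prover; anyone shown the transcript afterwards cannot tell it from a simulated one, so it is worthless as a receipt for vote buying. This is the intuition behind designated-verifier proofs, which build the same escape hatch into the verification equation on purpose.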


The integrity of a paper ballot election is verifiable by anyone with a grade six level of education. A digital blockchain election is verifiable by a small percentage of the population, which consists of techno-wizards.

Paper ballots win, hands-down, in that respect.

Blockchains are better than opaque electronic voting machines, but not entirely better than paper.


People may downvote you but I have never seen an explanation that tackles exactly this point. For paper ballots you can easily take anybody that completed elementary school to get a correct result. For blockchain, electronic voting, etc, you need highly skilled people. How can you be sure that this single person per voting district isn't screwing everybody over?


There's also the fact that you can't verify that the verification done applies to each machine in the field.

If your crypto system has non-verifiability of who you voted for as a requirement. How do you prove that the code actually running on the machine didn't change the vote?

Especially seeing as actual machines have code other than the election software running on it, think touch screen controllers, etc..


It is pretty obvious that nothing electronic is more secure and transparent than paper. Blockchains show the only thing that potentially could provide a solution. At this point in time for a secure election, it must be paper. If you want electronic, it is either going to involve a blockchain, or something even more radically different than anything that has been done before. If it isn't either of these two things, then I guarantee that it is less secure than paper, regardless of any efficiency gain which is moot.


This is pretty much how all projects and headlines about blockchain are created. X could be: the music industry, healthcare, space, pornography, universities, protecting your art, tracking your bananas in Laos or buying your weed. Those are all real ones that I could remember off the top of my head btw. It's an utterly ridiculous field.


Excellent point, when you perform that thought experiment you end up with a set of technologies so close to a blockchain it actually makes sense to just use a blockchain.


> what properties a blockchain would need in order to provide a secure election

Actually being secure is one thing, but the public need to know that it's secure. They need to be able to see it. Understand it.

As soon as you start hand-waving and frothing about blockchain all people hear is "blah blah blah tech magic" and either trust it blindly or dismiss it.


Even if I trusted the software, I cannot trust the machines. How do I know that someone didn't insert extra code somewhere to flip my vote? Remember, if you hacked the software you can hack all the verification methods the voters have on voting day.

Then that's not even taking into account the fact that you can inject code into various bits of hardware like the touch screen.


> Maybe its worth asking what properties a blockchain would need in order to provide a secure election

Here's one: unhackable software at the endpoints. You don't really have a secure election if someone can hack your blockchain-based voting machine and spew votes all over your blockchain.


That's also ignoring the software in all the physical components of the voting terminal. How do you ensure your touchscreen controller hasn't been hacked?


Disclaimer: In no way do I claim to be an infosec engineer, security expert, elections expert or any kind of expert that is relevant for this discussion. My knowledge limits itself to distributed systems, cryptography and development in general as a software engineer and elections as a voter.

From the point of view of a voter, I can summarize what I care about in an election as follows:

- My vote is counted in the final tally ("verifiability")

- Every vote counted was cast by an eligible citizen, with no duplicates (validity & uniqueness)

- Every vote cast was properly counted into its correspondent candidate tally (integrity)

- The final count results from the sum of all the votes that meet the above requirements

Now, paper ballots do all of this pretty well. But I should stress the "pretty" part, as plenty of shenanigans can happen at a local level that put these properties at risk. The thinking goes that since voting, especially in the US, is pretty decentralized, the final tally ends up trending towards a true result. Also, records are kept so that if the results are put into question, they can be verified. However, that has not stopped elections from being rigged in many parts of the world. In fact, even in the US this has happened previously [1], albeit not public elections per se (but still politically-relevant ones).

Now, I'm not saying that the magical blockchain can fix all of this. Clearly, when it comes to validity, things can quickly get increasingly difficult to tackle. For instance, proving your citizenship provides a single point of failure vulnerable to government malfeasance if such is desired. If a government entity is responsible for issuing voting rights, they can simply make up a law or straight up strip you of your voting rights, therefore censoring you. I would tackle this by making voting an inalienable right, but clearly that is not the case in some countries (e.g. felony disenfranchisement in the US and other places). Another problem is the recovery of lost/stolen/phished voting "keys"/id (in a hypothetical blockchain environment). I would tackle this with a revoke/reissue mechanism, but again, the central entity that can revoke and reissue a key/id for you can be a point of failure. So clearly blockchain does not fix everything.

Now there are some things that I believe "the blockchain", or some system that is "cryptographically" secured and verifiable, can help with. Mainly, in ensuring the integrity and uniqueness of the vote and the final tally. I would love to be able to check, if I had the private key, that my vote counted towards a particular candidate/party, whilst retaining my voting privacy. In this particular use-case, there are concerns of stolen keys being used to look up voting histories, but I would much rather tackle this problem than simply disregard such a system altogether. Clearly, there is a level of trust that I have to have in the current top brass at my local institutions if I want to cast a vote to throw them out. I'm simply not comfortable with paper ballots in such instances, although I obviously prefer them to "voting machines" that have no devised threat model whatsoever.

I know cryptocurrencies have created a space that relishes in get-rich-quick stories, scams, buzzword parties and other sad sights, but I like to always choose the cautious path of not throwing the baby out with the bathwater. To extend the saying, we might need both the baby and the bathwater badly in the future...

[1] - http://www.sun-sentinel.com/local/broward/fl-sb-broward-elec...


Obligatory (recent) xkcd: https://xkcd.com/2030/


I like how this article does not fall for "Betteridge's law of headlines": Any headline that ends in a question mark can be answered by the word no. I appreciate the straight answer in the headline.

That being said, reading a headline obviously does not equate to reading a whole article.



