
Hearing on Cybersecurity of Voting Machines: Testimony of Prof. Matt Blaze [pdf] - warrenm
https://oversight.house.gov/wp-content/uploads/2017/11/Blaze-UPenn-Statement-Voting-Machines-11-29.pdf
======
jonny_eh
The choice quote:

    
    
        I offer three specific recommendations:
        
        • Paperless DRE voting machines should be immediately
          phased out from US elections in favor of systems, such
          as precinct-counted optical scan ballots, that leave a 
          direct artifact of the voter’s choice.
        • Statistical “risk limiting audits” should be used after
          every election to detect software failures and attacks.
        • Additional resources, infrastructure, and training
          should be made available to state and local voting
          officials to help them more effectively defend their
          systems against increasingly sophisticated adversaries.
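
An added illustration of the "risk limiting audit" recommendation quoted above, not part of the thread or of the testimony: a ballot-polling audit for the two-candidate case using the BRAVO sequential test, where hand-read paper ballots either confirm the machine-reported winner or force a full hand count. Candidate names, vote totals and the seed are constructed for the example.

```python
import random


def bravo_audit(reported, sampled_ballots, risk_limit=0.05):
    """Ballot-polling risk-limiting audit (BRAVO test), two-candidate case.

    reported        -- dict: candidate -> machine-reported vote count
    sampled_ballots -- paper ballots in the random order they were drawn,
                       each read by a human as a candidate name (or None)
    Returns (outcome, ballots_examined), where outcome is "confirmed" or
    "full hand count".
    """
    ranked = sorted(reported, key=reported.get, reverse=True)
    winner, loser = ranked[0], ranked[1]
    # Reported winner share among ballots cast for the winner or runner-up.
    share = reported[winner] / (reported[winner] + reported[loser])
    if share <= 0.5:
        return "full hand count", 0  # a reported tie cannot be audited by sampling
    ratio, examined = 1.0, 0
    for ballot in sampled_ballots:
        examined += 1
        if ballot == winner:
            ratio *= share / 0.5        # evidence for the reported outcome
        elif ballot == loser:
            ratio *= (1 - share) / 0.5  # evidence against it
        # Blank ballots and other candidates do not move the statistic.
        if ratio >= 1 / risk_limit:
            return "confirmed", examined
    # Sample exhausted without enough evidence: count every paper ballot.
    return "full hand count", examined


def draw_sample(ballot_box, size, seed):
    """Draw ballots with replacement. The seed stands in for the public
    random source (for example dice rolls) a real audit would use."""
    return random.Random(seed).choices(ballot_box, k=size)


if __name__ == "__main__":
    reported = {"A": 6000, "B": 4000}           # constructed machine totals
    honest_box = ["A"] * 6000 + ["B"] * 4000    # paper agrees with the machines
    altered_box = ["A"] * 4800 + ["B"] * 5200   # paper says B actually won
    for label, box in (("honest", honest_box), ("altered", altered_box)):
        print(label, bravo_audit(reported, draw_sample(box, 500, seed=2017)))
```

The risk limit is the largest chance that the audit confirms an outcome the paper ballots do not support; it says nothing about the machines themselves, which is why the paper record has to exist.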

------
klondike_
It's insane that anybody thought electronic voting machines were a good idea
when paper ballots have worked for hundreds of years.

Where paper ballots are transparent and accountable, electronic voting
machines have closed source and unaudited software. They go against the core
tenets of transparency and fairness that make democracy work.

~~~
LeifCarrotson
The core feature of a voting system is to determine who got more votes.

With paper, that's a laborious process, requiring physically adding up
millions of pieces of information. And many other things - like horses,
sailboats, and slavery existed for hundreds of years but have been phased out
for superior technology. An electronic voting machine or computer would, in
theory, be able to take votes and output a result without this effort.
Electronic voting machines are, at first pass, a good idea.

The presence or lack of transparency, accountability, and auditability are
implementation details, not principles of electronic voting machines. In the
absence of bad decision making and the presence of properly aligned
incentives, the issues current voting machines suffer from could be worked
around with a different implementation.

Before computers were an option, paper was not chosen because of these
properties it's now lauded to have.

~~~
monocasa
> With paper, that's a laborious process, requiring physically adding up
> millions of pieces of information.

I'd argue that this isn't a huge deal since the amount of labor available
scales essentially linearly with the amount of votes cast.

~~~
excalibur
Unless you follow Saudi Arabia's lead and start granting citizenship to
robots. Then you can't use them as labor for counting paper ballots, as that
would turn them into electronic voting machines.

~~~
cmurf
Mimic humans: some robots will be lower class, without citizenship, and they
can do the counting. Oh wait...

------
NatW
A bit oversimplified, but in France, voters are essentially given a printed
coupon book, with each candidate on a different coupon.

They just take their coupon/candidate of choice and deposit it into a box.

There are no pencils needed, no ambiguity. Ballots are hand-counted and totals
are reached rapidly. A far less-hackable alternative to what exists in the US
IMHO.

~~~
TheGRS
This was the system the US had for a long time. In fact the newspapers would
have coupons you could cut out and bring to the polls.

Problem back then was that people would literally beat you up on the way to
the poll if they disagreed with your choice. It was an entirely different
culture around voting, secret polls were not a thing.

I live in Oregon State and we are one of the few states that does all of our
voting entirely by mail. I think it is the best way to do things. No need to
go to the polls and you can do research while you fill out your ballot. We
have polling offices available if you forget to fill it out on time.

~~~
vertex-four
Surely voting by mail has the same problem - your family members, abusive
partner, employer, etc etc, could force you to vote a certain way?

~~~
TheGRS
Sure, polling places are still offered in that case. The benefit of voting
from home greatly outweighs the cons IMO.

I wasn't implying that voting coupons would still have the issue of people
bullying you, just why we don't use that system anymore. And honestly coupons
seem a little archaic to me, not to mention easy to manipulate.

~~~
walshemj
Postal voting does have problems like granny farming and stealing postal
ballots.

------
DannyB2
I don't have a problem with electronic voting if:

The electronic machine has a nice UI. Clear. Offered in multiple languages.
Maybe even show pictures of the candidates. Touch screen. It's all great.

It MUST produce a paper ballot that clearly shows what my vote is. I put it in
a cardboard sandwich for privacy. I drop the ballot from the cardboard into
ANOTHER machine that instantly counts my vote. A readout on the top of the
machine shows the total number of ballots counted today. I can see that number
increment as my ballot is scanned and dropped into a basket within the
machine's guts. That gives me a feeling of assurance that my vote was counted
and scanned. What the machine scans is the same exact thing on the ballot that
my eyeball scans. That way the "human readable" part of the ballot cannot
differ from the "machine readable" part of the ballot since they are one and
the same.

Now at various points during the day, the election officials could obtain the
number of votes to each candidate in order to update the press on how it is
going.

A statistical audit for anomalies can be done -- even on the paper ballots.

If needed, a laborious manual recount could be done using the paper ballots.

You get the reliability of paper ballots and recounts. And the convenience of
modern UIs and rapid counting.

~~~
Doxin
> It MUST produce a paper ballot that clearly shows what my vote is.

Congratulations, you've invented a very expensive pencil.

> ANOTHER machine that instantly counts my vote. A readout on the top of the
> machine shows the total number of ballots counted today.

Which can be hacked to _show_ you the correct count, but not _report_ the
correct count later on. At which points obviously the paper ballots can be
emptied out and verified, but then which part of this isn't paper voting
except with complex machines needlessly inserted?

Paper votes can be counted quickly by machine if so desired, but the counting
machines will have to be monitored and watched carefully to make sure they
tally correctly. Essentially they cannot be placed in a public area where just
anyone has access.

------
dundercoder
I worked at Three Mile Island inspecting a steam generator during a refueling
outage. A robot arm operated by a person ran a sensor down each pipe to
inspect its integrity. After completion a random set of pipes were chosen for
verification. If even one pipe in the verification set differed from its
original scan, the entire steam generator had to be reinspected.

We had a huge incentive to get it right. Counting ballots should be just as
verifiable and accurate.

------
wilkystyle
Tom Scott has a good video about this:
[https://youtube.com/watch?v=w3_0x6oaDmI](https://youtube.com/watch?v=w3_0x6oaDmI)

------
taoistextremist
Despite all the comments here denouncing electronic voting, I think it could
work _if done right_ and provide a better security than paper ballots. This,
however, would involve something like some blockchain voting proposals I've
seen floated around. Being able to provide a paper trail that's _extremely
hard_ to tamper with (as opposed to paper ballots which really aren't), along
with, depending on how it's implemented, allowing easier access to voting by
allowing remote options like internet or phone.

~~~
jstewartmobile
Votes may be secret, but there is an identity issue for one-man-one-vote, as
well as an authorization issue for minors and convicted felons.

How would you attack those with a blockchain?

~~~
wh1te_n0ise
There are entities in existence that issue identification (SSNs, Passports,
Drivers License) - why not just have them issue a hardware token once you've
proven your identity to them?

If someone steals the hardware token, you could get it revoked and have a new
one re-issued; just as you'd do if you lost your Passport or Drivers License.

The hardware token (as well as some form of biometric identification) could be
your assurance of one-man-one-vote. The hardware token would do all of the key
management needed to submit votes to the blockchain. The blockchain by itself
would not be the full solution - only part of it.

~~~
jstewartmobile
Sounds more like an administrative solution with a blockchain as a 3rd wheel.
If we're going full administrative, could just PGP it, and limit the franchise
to nerds.

~~~
wh1te_n0ise
I see voting systems as multiple components. You don't necessarily need to use
the government or the existing structure to issue the hardware tokens - I was
just proposing that as one potential idea as logistically it seems like it'd
be the easiest.

You could set up some decentralized system like the Certificate Authority
system that we have for the internet perhaps to verify & issue tokens. That
would be fairly difficult, however, as there would also have to be assurance
that a single person has not been issued multiple tokens. That would likely
require there to be a central registry somewhere.

You can't just "PGP it" in this scenario, as it needs to be one token per
voter - and that has to be provable. In a "PGP"-like system - while you can
receive higher assurance of identity through other people signing your public
key, it provides no assurance against tokens being associated with fake
identities, or people owning multiple tokens.

Regardless - identification is just one aspect of voting.

You also need some way to store the votes that have been cast (while
maintaining integrity, verifiability, confidentiality) as well as a way to
tally the votes (while maintaining integrity, verifiability, confidentiality).
That's the component that the blockchain would serve to fill.

~~~
jstewartmobile
PGP and limit to nerds was a joke. Using crypto to _simultaneously_ anonymize
and identify (which is being done at least indirectly to enforce one-vote-per-
person) sounds more like a contradiction than an engineering problem.

That being said, if there is a buck to be made, people will swallow all kinds
of mess to make it.

------
enitihas
One very important point in favor of paper based voting systems which often
comes up on HN is that attacks against paper based voting are inherently not
scalable, while electronic voting is prone to large scale attacks by a corrupt
government or a determined and resourceful adversary.

I used to be in favor of electronic voting, but after slowly learning more and
more about how difficult it is to create a secure system, I think voting is one
place where we are not yet ready to digitise (if we ever will be).

~~~
anigbrowl
_attacks against paper based voting are inherently not scalable_

Sure they are. Attacks against the counting are not, but you can easily attack
the voters in their heads by microtargeting of advertising, both electronic
and in more traditional forms like paper mailers or street displays. You can't
easily produce a particular outcome across a large population, but you don't
need to; all you have to do is throw the integrity of the election into
sufficient doubt that the political consensus breaks down and it's off to the
races. And that is very very easy to do, as we have seen over and over again.

~~~
enitihas
But all these attacks still remain possible with whatever electronic voting
system you choose. So I don't see how electronic voting offers us any help
here.

~~~
anigbrowl
I expanded on this in greater detail in one of my other comments and omitted
to mention it again here, sorry. In addition to forcing a close vote by
whatever means, you then attack the integrity of the ballot-counting process
at the local level. This is easy to do in a paper-based system because of
the information asymmetry that exists from voting precincts; you don't know
much about the integrity of the vote in any other precinct besides your own,
and likely not even in that unless you're really interested.

On the other hand, you know a lot about the general integrity of electronic
transactions because you probably use a credit or debit card frequently and in
many different places and contexts and it works predictably. So even though
that system isn't that secure, enough people believe in it through repetition
and general utility that it remains in place. Voting is infrequent and thus
easier to get up conspiracy theories about.

------
wyldfire
From [1] (also note that video of this testimony is there):

> BACKGROUND:

> In September 2016, prior to the 2016 elections, the IT Subcommittee held a
> hearing entitled “Cybersecurity of Voting Machines”.

> In January 2017, Department of Homeland Security (DHS) Secretary Jeh Johnson
> designated election infrastructure as “critical infrastructure” with the
> intent of offering assistance to state and local election officials. On
> September 22, 2017, DHS notified 21 states of Russian government hackers’
> attempt to breach state systems during the 2016 election. Two weeks later,
> DHS announced the creation of an election security task force to enhance
> coordination with state and local election officials.

> On September 8, 2017, the Commonwealth of Virginia’s election supervisors
> directed counties to end the use of touchscreen voting machines before
> November’s elections, citing the devices posed unacceptable digital risks.

[1] [https://oversight.house.gov/hearing/cybersecurity-voting-machines/](https://oversight.house.gov/hearing/cybersecurity-voting-machines/)

------
amenghra
CHVote is a fun read. The formal document is here:
[https://eprint.iacr.org/2017/325.pdf](https://eprint.iacr.org/2017/325.pdf)

There's a higher level concept document here:
[https://github.com/republique-et-canton-de-geneve/chvote-protocol-poc/blob/master/doc/Concept.md](https://github.com/republique-et-canton-de-geneve/chvote-protocol-poc/blob/master/doc/Concept.md)

------
ouid
Is it possible to remotely brick the most insecure voting machines before
election day?

------
umanwizard
Why the fuck do we need electronic voting.

I post this on every thread involving electronic voting and nobody has yet
successfully responded.

Paper is secure by default.

~~~
maerF0x0
Some electronic voting systems would allow the voter to confirm their vote was
counted and correct after the fact. Imagine if a webpage posted all the votes
(crypto secured of course) such that any voter could verify their vote. IMO
this would help end the corruption. If a statistically significant enough
people stand up after a vote and say "I didn't vote that!" then we can be made
aware of corruption.

~~~
Arkanosis
If you can verify your own vote after the fact, then you can be compelled to
prove what you've voted, thus making vote selling and vote under threat
possible.

Deniable voting — aka not being able to verify a single vote — is a feature of
paper-based voting, not a drawback.

~~~
jmgrosen
> If you can verify your own vote after the fact, then you can be compelled to
> prove what you've voted, thus making vote selling and vote under threat
> possible.

That's not the case. Imagine this system: upon receiving your ballot at the
polling place, you find n candidates, each with random numbers from 1 to n
associated with them. You pick candidate #i, submit that vote, and take home a
receipt saying you voted for candidate #i. Then proof is later posted that
your vote was counted for candidate #i (using some fancy crypto). Then you can
verify that your vote was indeed counted for the correct candidate, but no one
(not even you, were you to forget) can tell _who_ that candidate is.

For more information on these sorts of voting systems, see
[https://www.usvotefoundation.org/sites/default/files/E2EVIV_full_report.pdf](https://www.usvotefoundation.org/sites/default/files/E2EVIV_full_report.pdf).
It's intended as a review of remote voting systems, but a lot of it applies to
other types of systems as well.

~~~
TheGRS
That's pretty clever.

I've been reading this discussion off and on a lot today because I'm pretty
fascinated that so many people feel so strongly against electronic voting and
would rather have paper. On _Hacker News_ of all places. Yes there are ways to
manipulate any system, but being software developers we should all know that
there are ways to fix these things and make it better.

That's what we're all here for, not for regression to old systems that seem
great on paper (ha!), but for progression and new systems that work _better_.

~~~
Arkanosis
I'd argue that “being software developers we should all know that there” is
_no_ way “to fix these things” _reliably_.

I can understand non-technical people buying bullshit about so-called “secure”
software, but anyone having an idea of what software looks like should know
that there is no such thing and feel responsible for teaching people about it.

Plus, voting machines in use so far have been so blatantly insecure (eg.
requirement to use a well known insecure old version of Java-in-the-browser
for French people abroad at the French elections of 2012) that it's just
impossible to trust people currently working on these matters.

------
lordnacho
Someone must have mentioned this idea somewhere:

Use something like a cryptocoin. You go to a voting office, get approved as a
legit voter, and they send you a coin. You send it to some address for a
candidate. Everyone can see the result.

Pros/cons?

~~~
tonyztan
I commented this somewhere below, but it also applies here:

Would this allow you to prove to someone else how you voted in the election?
If so, that's not a desired property.

Currently there is no way for you to prove, to yourself or someone else, who
you voted for in an election because nobody gets to see your ballot and you
cannot take a photo. This makes vote buying and coercion much more difficult.
I'd like our voting system to keep this feature.

~~~
anigbrowl
_you cannot take a photo_

Obviously you can and people do even though they're not supposed to.

~~~
anigbrowl
Google 'ballot selfie photo' and prepare to be surprised at the fact that this
is not actually prohibited in many jurisdictions. Terrible idea? Sure.
Actually existing reality? Yes.

[http://www.king5.com/article/news/politics/ballot-selfies-states-where-theyre-legal/281-345708142](http://www.king5.com/article/news/politics/ballot-selfies-states-where-theyre-legal/281-345708142)

------
jrs95
Why do these make it to the front page like once a month? Do we really need to
say "we don't need electronic voting" this often?

~~~
provost
They don't. This post is a rare congressional testimony by a subject matter
expert, on a security & technology topic.

The rest of the posts you're alluding to are weak media articles by
non-experts.

~~~
retrohacker
"Subject matter expert". LOL. Hardly.

