
Darpa wants help cracking the election security problem - ga-vu
https://www.fifthdomain.com/dod/2019/08/05/darpa-wants-help-cracking-the-election-security-problem/
======
rectang
The article goes awry from the first sentence:

> If election security is an engineering problem,

It's not an engineering problem, it's a political problem. To the extent that
it's engineering, it's solved if we would only adopt the known good
approaches.

But we won't because there is political utility in having elections remain
murky and messy for parties who may benefit from manipulation of the vote
through disenfranchisement or other shenanigans.

------
m463
I think paper ballots should be collected at each polling location.

I also think paper ballot totals from each polling location should be
published publicly in a variety of forms, so that the totals can be added
independently.

~~~
tamrix
Paper ballots get counted publicly. Anyone that would like to witness it can
attend for any amount of time and call out miscounts. Totals are read out on
live TV.

~~~
Supermancho
Multiple counts that are corroborated is a common validation, iirc. That would
be tedious, to listen to or correlate.

24-13 .... 25-13

25-13 .... 25-14

26-13 .... 26-14

------
Beltiras
The most successful attacks on democracy are gerrymandering (US especially)
and misinformation (global problem, see Brexit though specifically). Don't get
me wrong, this sort of security is necessary but there's nothing wrong with
tossing out the machines and using real paper ballots with a pencil (thus
sidestepping the problem). You can even machine-read those for a machine count
(which can be verified since the paper ballots are still around to rescan with
different hardware/software for validation).

How do you engineer around the misinformation vector though? That's the hard
problem.

~~~
jethro_tell
Not only are paper ballots simple and effective, they can be mailed out 2
weeks ahead of time and people can vote with a laptop, at their leisure. Also,
you don't have to store them for three months at a time with proof of custody,
you can just scan them, or dump them once the election has been certified.

Voting machines sound great but that's solving a problem by doing things
the same with tech.

~~~
AnimalMuppet
Where I come from, the voting machines create a paper with the votes, which
the voter gets to review. That seems to have all the advantages of the paper
ballots, with the electronic advantage of rapid totals.

I _would_ like to see spot checks - pick a few precincts at random, and
compare the electronic totals to the paper.

~~~
jethro_tell
The paper ballots via mail handle infrastructure and are counted by machine
with spot checking. Also, you can go to the vote counting floor at any time
and be part of the process.

However you don't have to set up/store machines, and people can vote over a few
days which means better access to everyone.

------
lidHanteyk
Use the post office. Use paper ballots in the mail. Many security issues
vanish if polling places are no longer rich targets. In my state of residence,
my ballot is sent in the mail, and I get SMS notifications when it is sent to
me and when it is counted.

~~~
airstrike
You never know if it's counted correctly, though, so it sounds like the
auditing challenge remains

~~~
debatem1
We have a system where you can go and see a webpage say your vote was counted
after you mail in your ballot. What you can't do is tell if that webpage is
accurate.

This still feels like a tractable problem in the domain of pure crypto if you
divide it into a commitment scheme and a tabulation step.

------
phs318u
An excellent essay on Voting Security by Bruce Schneier, showing how hard this
problem is:
[https://www.schneier.com/essays/archives/2004/07/voting_secu...](https://www.schneier.com/essays/archives/2004/07/voting_security.html)

And more on the same topic:
[https://www.schneier.com/essays/elections/](https://www.schneier.com/essays/elections/)

------
toomanybeersies
Disenfranchisement (e.g. requiring voter ID) and gerrymandering are far more
significant issues for the democratic process in the USA than ballot security,
which is a relatively solved problem.

~~~
lucifirius
Most countries require a form of voter ID.

~~~
vasco
If you don't require voter ID in the US, how do you prevent duplicate votes?

~~~
thepaperone
You don't.

"BUT ITS NOT A HUGE PROBLEM"

It still happens, which is a problem nonetheless.

~~~
AnimalMuppet
There are two problems. One is duplicate votes, which may be an insignificant
problem. The second is public perception of the fairness and security of
elections. The first is a problem; how big a one I don't know. The second is a
problem, and a big one.

------
ModernMech
Step 1) Make sure the guy in charge of bringing election security bills to
vote on the Senate floor can't accept campaign donations from voting machine
companies [1].

Step 2) Bring election security bills to vote on Senate floor.

[1] [https://www.newsweek.com/mitch-mcconnell-robert-mueller-elec...](https://www.newsweek.com/mitch-mcconnell-robert-mueller-election-security-russia-1451361)

------
daenz
Both are important, but WRT elections, faith in security is as important as
actual physical security. I don't see how a black box of tech can convince a
layperson that voting is secure. We need more in the way of audit trails and
accountability.

~~~
m-p-3
The toughest part is ensuring anonymity and privacy while ensuring someone can
only vote once, ensure the vote is legitimate, and accounted for.

The only way I can see that is using a PKI-based ID to validate the ID of
someone, but then how do you ensure that person can vote anonymously and only
once?

------
Quequau
Back when we were all agonising over "Hanging Chads" in Bush v. Gore, Bruce
Schneier published a series of collaborative works featuring the back & forth
design of secure paper ballots + digital voting. So that was what? 2000?

Surely the problem then isn't technical, it's cultural and political.

------
josh_fyi
Israel has an old-school paper-based procedure, with cross-party observers
present at every step. This wastes a lot of paper, but is very hard to hack.
[https://www.timesofisrael.com/can-israels-election-count-be-...](https://www.timesofisrael.com/can-israels-election-count-be-tampered-with-an-official-explains-the-process/)

------
hardwaresofton
IMO it shouldn't be all or nothing, here's a system I think would be the best
of both worlds:

- Allow people to express voting intent & go through the candidates on the
ticket with a website/app (as strong as it can be), which spits out some
random ID/QR code

- Widen voting time period to _months_

- Support mail-in-ballots in more states

- Add a mandatory # of holidays per year (with proof of vote, notification of
which local/national election the person is voting in)

- Require people to confirm their vote in person, with the option to vote
with the QR their phone generated (and a confirmation screen afterwards for
them to review), with every vote required to take a certain amount of time in
the booth (to prevent timing people to figure out if they used their cell
phone or not).

This setup allows for a few things:

- Early consideration of candidates and their positions and the ability to
save _how_ you were going to vote once you're in the booth

- More signals of voting intent that could be used to detect fraud (in
addition to random sampling)

This scheme probably needs more thought to prevent election tampering, but I
think _adding_ a digital element as additive would be a benefit. If the
digital element detects voting intent that sharply diverges from voter rolls,
then a recount in whatever county is triggered.

------
ElijahLynn
* Open Voting Specification (includes paper trail)

* Ranked Choice Voting (or better)

* Individual Vote Verification API

------
sambroner
I had thought that this was a great opportunity for blockchain, if identity
could be solved reliably. That being said, identity is already being solved
through IDs, voting stations, home-delivered ballots, etc.

The auditability and reproducibility would be great features, while cost
and latency wouldn't be huge problems for voting.

There were even a few startups in the space (e.g. Votem), but none seem to
have made the jump to doing real elections. Votem did a few smaller voting
experiments like a vote for the Rock & Roll hall of fame, but never made its
way to state elections.

I hope that DARPA can not only inspire innovation, but also help startups
break into the difficult game of government contracting.

~~~
tsimionescu
You can't have an anonymous system that simultaneously allows meaningful
verification: if there is no way to tie me to my vote in the system, then
there is no way for me to prove that my vote was misrepresented to anyone but
myself. Even if there were, there is no way for me to prove that my claim
about my vote is correct. Even if many people come out claiming that their
votes are misrepresented, there is no way to know whether that is a sign of
errors/tampering with the system, or a concerted campaign to try to put the
election in doubt.

Any system which foregoes physical proof of voting as a base for the count,
relying instead on after-the-fact verification, is open to this problem. A
complex system, whether software or even mechanical, can never match this
level of confidence.

~~~
babyloneleven
There are crypto schemes that can solve those problems. Some work with paper
ballots as well.

[https://en.m.wikipedia.org/wiki/ThreeBallot](https://en.m.wikipedia.org/wiki/ThreeBallot)

------
yardstick
Given postal votes are a thing, and have been for many years (at least for
UK/AU/NZ), are there still such stringent requirements on making it
difficult/impossible to buy/coerce votes? Since both can be done using postal
votes already.

Does this then open up more digital options? Eg app based voting where your
vote is published along with everyone else's but in anonymised form, so
everyone can independently verify the totals. By anonymised I mean the app
displays a random “vote reference ID” that you could check in the final
published ledger to see your vote was included, and was recorded correctly.

------
karterk
India has been conducting elections via electronic voting machines for a while
now:
[https://en.wikipedia.org/wiki/Electronic_voting_in_India](https://en.wikipedia.org/wiki/Electronic_voting_in_India)

In India's case, the paper ballots actually caused a lot of rigging as booth
capturing was rampant. EVMs greatly helped tackle that.

A small sample of the votes are also verified using voter-verified paper audit
trail (VVPAT).

~~~
iyw
And there are rampant reports of election fraud. So your point?

------
thepaperone
DARPA, fund me.

1. go vote
2. check to see who hasn't left their house today via open source GPS
indicators
3. vote as them too because it's illegal for those at a voting station to ask
to verify your identification
4. ???
5. undetectable voter fraud

~~~
bb611
There's a high chance you'll go try to vote as someone who simply didn't
register. In California you could then register as that person and vote
provisionally, but polling officials will check your identification.

Alternatively you may attempt to impersonate someone using vote by mail. In
that case, there won't be a ballot to vote at the polling station, and even if
you are able to successfully register provisionally or convince polling
workers to give you a blank to fill out, election officials are already
looking for these kinds of duplicates.

------
dwobry
I know Ron Rivest has a lot of interest and work invested into securing voting
systems. I can't point you to a direct paper, but if you Google it I'm sure
you'll find more than enough.

------
shanxS
Has it been proved that elections have been tampered with in the past?

~~~
rectang
Yes — for instance last year in North Carolina's 9th congressional district.

[https://en.wikipedia.org/wiki/2018_North_Carolina%27s_9th_co...](https://en.wikipedia.org/wiki/2018_North_Carolina%27s_9th_congressional_district_election)

> _On February 21, the board unanimously voted to call a new election because
> of fraud by Republican operatives._

------
Dowwie
Those who are involved in the American election industry, from government to
vendors or consultants, have committed to a platform based on verified C. The
industry continues to refuse to adopt a memory safe language such as Rust.
Granted, the investment in a new toolset is costly. However, the benefits are
very compelling. In the meanwhile, industry will crutch its toolset decisions
with white hat hacking events, bug bounties, millions of dollars in contracts
supporting audits and testing, etc.

Path dependence is costly. In the case of elections, more than money is at
stake. Industry must move beyond verified C to Rust.

------
peg_leg
Paper ballots?

------
hedora
Ballot security is a solved problem (but, sadly, I think DARPA knows this,
which makes me wonder what’s really motivating this work):

Use paper ballots. Scan them at the polling place for fast electronic tally.

Audit a significantly significant random sample of the paper ballots after the
election, and do a full recount if any discrepancy is found.

Prosecute people that violate chain of custody for the ballot boxes. (Give
this power to a non-partisan authority.)

There are open problems around tampering with voter rolls; this is done both
by state governments and foreign powers. We still need a scheme to make this
more detectable (and to invalidate the election when it happens).

~~~
mc32
Occasionally we hear about “found” ballot boxes especially around recount
time. How do they get lost? Or what does it mean when they say they lost them
(and found them)? I’d imagine it’s more prevalent than we hear as it seems
rather odd if they only disappeared and reappeared in contested elections.

~~~
throwawayjava
Imagine a very large mostly volunteer-run event that only runs once a year or
so and where some fraction of the volunteers are running the event for the
first time.

At the end of the day all the important equipment gets packed up, shipped
somewhere, and unpacked.

But sometimes -- rarely, but sometimes -- some really important piece of
equipment gets left behind at the event site or unpacked incorrectly at its
new location.

I just described marathons, carnivals, and... voting.

~~~
mschuster91
In Germany, we also have paper based voting and yet, we do not have the issue
that _ballot boxes_ disappear. Everything and I mean literally everything is
accounted for and if the numbers do not match up (e.g. less boxes of ballot
boxes than before, or n(valid votes)+n(invalid votes)!=n(total votes)) there is
an immediate recount. No one leaves until shit is done, and if it gets too
late everything is packed up, sealed and boxes counted.

The horror stories of the US are a failure of their system, not of paper
voting.
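
------
Added example, not part of the original thread and not written by any commenter: a Python sketch of the two paper-ballot checks discussed in this last subthread, reconciling valid plus invalid votes against ballots cast, and hand-auditing a random sample of precincts against the scanner tally with any mismatch triggering a full recount. The precinct figures, the seed and the hash-based sample draw are constructed assumptions for illustration.

```python
import hashlib

# Constructed sample data: scanner tallies published on election night and
# hand counts of the retained paper ballots for the same precincts.
SCANNED = {
    "P01": {"A": 412, "B": 388, "invalid": 5, "cast": 805},
    "P02": {"A": 230, "B": 301, "invalid": 2, "cast": 533},
    "P03": {"A": 519, "B": 467, "invalid": 9, "cast": 995},
    "P04": {"A": 144, "B": 160, "invalid": 1, "cast": 306},  # one ballot short
}
PAPER = {
    "P01": {"A": 412, "B": 388, "invalid": 5},
    "P02": {"A": 230, "B": 301, "invalid": 2},
    "P03": {"A": 499, "B": 487, "invalid": 9},  # same sum, different split
    "P04": {"A": 144, "B": 160, "invalid": 1},
}

def unreconciled(tallies):
    """Precincts where valid + invalid votes do not equal ballots cast."""
    return sorted(
        p for p, t in tallies.items()
        if sum(n for c, n in t.items() if c != "cast") != t["cast"]
    )

def draw_sample(precincts, seed, k):
    """Rank precincts by SHA-256(seed:precinct) and keep the first k, so anyone
    holding the public seed can recompute the draw (illustrative method)."""
    def rank(p):
        return hashlib.sha256(f"{seed}:{p}".encode()).hexdigest()
    return sorted(precincts, key=rank)[:k]

def audit(scanned, paper, seed, k):
    """Compare scanner tallies with hand counts in the sampled precincts.
    Returns (sample, mismatched precincts, full recount needed)."""
    sample = draw_sample(scanned, seed, k)
    mismatched = sorted(
        p for p in sample
        if any(scanned[p][c] != n for c, n in paper[p].items())
    )
    return sample, mismatched, bool(mismatched)

if __name__ == "__main__":
    print("unreconciled:", unreconciled(SCANNED))
    # Assumption: the seed would be drawn in public after tallies are published.
    print("audit:", audit(SCANNED, PAPER, seed="constructed-public-seed", k=2))
```

The P03 figures add up to the number of ballots cast in both counts, so reconciliation alone passes there; only the comparison against the paper shows the difference, and only if P03 lands in the sample.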

