
Voting system to be used in West Virginia elections is vulnerable - grey-area
https://twitter.com/GossiTheDog/status/1026603800365330432
======
skywhopper
"'You take a photo of your photo ID and then they take a selfie of
themselves,' Kersey explained. 'Facial recognition software is then deployed
to compare the photo on the ID and the photo of the person who took the
picture.'"

So it sounds like they verify your identity based on two photos that you
provide? So if two photos provided by an unknown person match, then they
become a trusted person? Even if there's a separate step that matches that to
the DMV database or something... all you actually need is a photo of the
person you want to impersonate.

But pretending to be someone else for remote voting is already a weak point,
and one that would be expensive to exploit on a large enough scale to make a
difference. The much much bigger risk is that we have absolutely no way to
verify that the votes recorded are correct. This company's app sends the vote
to the company's server which stores it in this company's database. That's
three steps at which the votes can be easily changed.

The question to ask with any proposed voting system is: how can we verify that
the counts are accurate? The _only_ way to do that in anything close to a
trustworthy manner, is by having an established network of trusted agents (one
or more witnesses from each interested party organization at each physical
voting location) monitor a human-visible process for collecting paper ballots
which can be counted and recounted at will by multiple groups of interested
parties.

Any system where the votes are _ever_ hidden away from witnesses and
accessible, say, in a back room with an unlocked door leading to an empty
alleyway ... or on any computer system, is inherently insecure.

~~~
TazeTSchnitzel
> So it sounds like they verify your identity based on two photos that you
> provide? So if two photos provided by an unknown person match, then they
> become a trusted person? Even if there's a separate step that matches that
> to the DMV database or something... all you actually need is a photo of the
> person you want to impersonate.

I recently signed up for two different mobile banks (Monzo and bunq). Both of
them verified my identity by having me take a photo of my passport, but then
also recording a video of myself (with my face clearly visible) saying an
exact phrase they specified, in one case “My name is $legalname and I'd like
to open a Monzo account” and in the other a sequence of random numbers.

That seems way more secure.

~~~
TomMckenny
The problem isn't who opened the account, it's whether they authorized a
massive electronic transfer somewhere.

The problem with voting is not and has never been physical people
voting fraudulently. It is the alteration of the votes on a central machine.
(For example as an easily editable Excel file on at least one occasion)

The extra barriers to confirm the physical person standing at the booth are a
redirection of a serious problem with Putin into a little more voter
suppression.

~~~
rfreytag
There is no way to be sure that voting is private and uncoerced with remote
voting. Someone from a spouse to a precinct captain could be watching you vote
on your phone under some threat of penalty.

~~~
heavenlyblue
Nobody stops the interface from allowing the voters to vote as many times as
they want before the deadline. Only the last vote counts. If the vote is tied
to an ID then it’s definitely going to be unique.

------
3pt14159
If there is one thing I fail to understand it is the impulse to electronic-ify
our elections.

Why? Do we have a history of securing computers and keeping them secure over
time? No.

Are computerized elections understandable to laypersons? No. Worse; even if
the election was tallied faithfully by a computerized system, a demagogic
candidate can whip up fervour and call the election into question.

And without bug bounties there is no legal way for whitehats to pentest these
things. We're stuck with shitty scans and guessing at best. Even so, from what
I've seen I fail to see why we should trust these voting systems.

But the public doesn't care. They don't understand that code is just data and
it can alter itself. The voting machine industry has lobbyists. The paper
ballot industry doesn't exist.

~~~
darpa_escapee
> If there is one thing I fail to understand it is the impulse to
> electronic-ify our elections.

The part that gets me is that there is no organic, grassroots push from the
people who actually vote to implement electronic voting.

Usually when someone, or many people, advocate for a cause, they have
something to gain from it.

Who is advocating for electronic voting and what do they stand to gain?

~~~
rayiner
There’s always people complaining how backwards it is that we don’t have
electronic voting, how it suppresses the youth vote, etc.

~~~
jpfed
Interesting! I'd never heard the idea that the lack of electronic voting
suppresses the youth vote. Do you have a link for someone arguing that
position?

~~~
rayiner
[https://www.bbc.com/news/business-39955468](https://www.bbc.com/news/business-39955468)

> Online voting is a good way to engage with younger voters, busy workers, and
> even Estonians living abroad, Mr Koitmae says.

~~~
s73v3r_
There are several miles of difference between what they said and 'claiming
that not having it suppresses the youth vote.'

------
dangoor
As noted later in the thread, this is specifically for people who are overseas
at the time of the election and not broadly.

That said, this system seems like a bizarre choice given the apparent security
issues discussed in the thread.

------
pablobaz
€54 million spent in Ireland. End result:

"In 2012, KMK Metals Recycling paid €70,267 for 7,500 e-voting machines; 1,232
transport/storage trolleys; 2,142 hand trolleys and 4,787 metal tilt tables."

[https://en.wikipedia.org/wiki/Electronic_voting_in_Ireland](https://en.wikipedia.org/wiki/Electronic_voting_in_Ireland)

~~~
Freak_NL
Electronic voting has been tried in a bunch of countries, and subsequently
scrapped. We had these abominations in the Netherlands too, they turned out to
be insecure, and now we're back to pencil and paper.

And still, despite all the solid arguments against electronic voting and the
actual experience with those machines, a certain class of influential people
keeps bringing it up. Sometimes they're gadget-crazy policy makers who just
can't fathom why we're still using a pencil in 2018 (because it works, is
transparent, can be understood by any layperson, and instils trust). Sometimes
they're politicians who absolutely must have all the results of an
election the same night, and only computers can do that (despite exit polls
working pretty well, and there really is no rush).

Recently, some are arguing for electronic voting because it would mean people
with sight impairments can vote assisted by headphones rather than by a
trusted person (there are solutions for the classic paper ballot in the form of
a Braille-embossed mould that work pretty well in Germany, you don't need a
computer for this).

It's a constant battle to keep the public informed about the problems with,
and undesirability of, electronic voting after each assault in the media. Why
can't we keep this cornerstone of democracy a process powered by pencils,
paper, and people instead of opaque IT solutions?

See:
[https://en.wikipedia.org/wiki/Electronic_voting_by_country#N...](https://en.wikipedia.org/wiki/Electronic_voting_by_country#Netherlands)

~~~
Thlom
You don’t even need pencil, just different paper ballots. In most cases at
least.

------
DonHopkins
What the hell kind of a company name is "Voatz"? Can you buy Voatz with Flooz
and Beenz Bux?

[https://en.wikipedia.org/wiki/Flooz.com](https://en.wikipedia.org/wiki/Flooz.com)

[https://en.wikipedia.org/wiki/Beenz.com](https://en.wikipedia.org/wiki/Beenz.com)

~~~
pavel_lishin
I thought it was that Reddit alternative for fascists.

~~~
fake-name
They added a 'z'.

Considering their security practices and cluelessness, they also seem to be
mostly for fascists.

------
fabian2k
What exactly does the blockchain part of the voting app provide here? Are
there any details known about how this is supposed to work, especially how to
ensure that votes are actually anonymous in this case?

And using facial recognition to make sure the right person votes just sounds
like it'll end up either trivially exploitable or just cause many legitimate
people to be denied as their faces can't be matched.

What exactly is wrong with voting by mail? It's pretty easy to do, and it
ensures anonymity by wrapping two envelopes inside each other.

~~~
DonHopkins
> What exactly does the blockchain part of the voting app provide here?

It was essential for bilking investors out of $2.4 million.

[https://www.vanityfair.com/news/2018/08/smartphone-voting-is...](https://www.vanityfair.com/news/2018/08/smartphone-voting-is-coming-just-in-time-for-midterms-voatz)

> “A HORRIFICALLY BAD IDEA”: SMARTPHONE VOTING IS COMING, JUST IN TIME FOR THE
> MIDTERMS

> A Boston-based start-up promises to let West Virginians vote via app. Critics
> call it “the Theranos of voting.”

> Enter Voatz. With a name reminiscent of a plot device in Idiocracy, Voatz is
> a mobile election-voting-software start-up that wants to let you vote from
> your phone.

------
partiallypro
Everyone here that I've read so far is close to going fringe conspiracy
theorist on this issue. Electronic machines in the US are hard to hack en
masse, because they require you to take them apart...and most neighboring
jurisdictions don't even have matching processes or voting systems. You all
seem to say that paper ballots are safer and more transparent...but that's
just factually wrong. Where do you think the term "ballot stuffing" comes
from? There are videos of the Russian election just this past year of boxes
being stuffed with paper ballots. It happened in the 1800s in the US,
especially around the time when black Americans could begin voting.

The solution is simple and most places already do this, but each voting
machine prints a matching paper receipt that can be matched with an electronic
record. My jurisdiction already does this, it prints out of the back of the
machine when you're done, but my vote is also electronic.

Those of you insinuating that Republicans (generally this is what people are
hinting at) or Democrats are conspiring to rig elections via electronic voting
are acting insane. If either party wanted to rig the election they could do it
with paper or electronic ballots...and I highly doubt the vote tallies would
be so close or that both parties would have so many seats flip every 8-10
years in toss up areas.

~~~
Mangalor
Ballot stuffing is a diagnosable problem. Electronics obfuscate. It's the
principle that matters.

~~~
partiallypro
Not really? Because we don't pool the votes together into a mass pool, we can
see a county-by-county breakdown of votes, if the votes are off people are
going to notice in the electronic world. Not just that but as I said, you can
have both a paper and digital ballot for verification. You can also have
"check-in" numbers (which I believe most polling places do) to make sure the
number of check-ins match the vote tally.
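
Added example, not part of the thread or written by any commenter: one way to run the cross-checks discussed above (check-in counts against the vote tally, paper receipts against the electronic record, broken down per precinct). Precinct names, field names and all figures are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass
class PrecinctRecord:
    name: str
    check_ins: int        # voters signed in at the poll book
    electronic: Counter   # candidate -> votes in the machine's electronic record
    paper: Counter        # candidate -> votes hand-counted from the paper receipts


def reconcile(rec: PrecinctRecord) -> list[str]:
    """Return the discrepancies found in one precinct (empty list = consistent)."""
    issues = []
    e_total = sum(rec.electronic.values())
    p_total = sum(rec.paper.values())
    # Fewer votes than check-ins can be legitimate (a voter walks away);
    # more votes than check-ins never is.
    if e_total > rec.check_ins:
        issues.append(f"{rec.name}: {e_total} electronic votes > {rec.check_ins} check-ins")
    if e_total != p_total:
        issues.append(f"{rec.name}: electronic total {e_total} != paper total {p_total}")
    # Totals can agree while votes were moved between candidates, so the
    # paper count is compared per candidate, not only in aggregate.
    for cand in sorted(set(rec.electronic) | set(rec.paper)):
        e, p = rec.electronic[cand], rec.paper[cand]
        if e != p:
            issues.append(f"{rec.name}: candidate {cand}: electronic {e} != paper {p}")
    return issues


def audit(records: list[PrecinctRecord]) -> dict[str, list[str]]:
    """Map each inconsistent precinct to its discrepancies; clean ones are omitted."""
    findings = {r.name: reconcile(r) for r in records}
    return {name: issues for name, issues in findings.items() if issues}


# Constructed sample data, not real election figures.
RECORDS = [
    # Consistent on every check.
    PrecinctRecord("P-01", 500, Counter(A=260, B=240), Counter(A=260, B=240)),
    # Totals equal the check-ins, but 50 votes sit with a different candidate.
    PrecinctRecord("P-02", 400, Counter(A=250, B=150), Counter(A=200, B=200)),
    # More electronic votes than people who checked in.
    PrecinctRecord("P-03", 300, Counter(A=180, B=140), Counter(A=170, B=130)),
]

if __name__ == "__main__":
    for name, issues in audit(RECORDS).items():
        for line in issues:
            print(line)
```

In the constructed P-02 case the check-in count and both totals agree, so only the per-candidate comparison against the hand-counted paper exposes the difference.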

------
api
Wait it's called _what_?

Sounds very professional. Sounds like the system I want counting my votes.
Maybe they won out over v0tr.io and Votester?

~~~
deepspace
Voat.co was also already taken.

------
adamnemecek
I feel like all these solutions right now are very business driven. Is there a
legit open source alternative?

Voting is a legit hard problem but it influences you more than you realize.
The setup of the election basically determines the outcome of the election.

I think that the one thing that could improve democracy globally is an
internationally agreed upon open-source verified voting system.

None of these startups will last long enough to have an impact.

There are many problems, voter identity is definitely one. You need some sort
of public ledger (the blockchain isn't the worst idea, however proceed with
caution).

------
davidgerard
I wrote this up:

[https://davidgerard.co.uk/blockchain/2018/08/07/west-virgini...](https://davidgerard.co.uk/blockchain/2018/08/07/west-virginia-and-the-voatz-blockchain-voting-system-scaling-and-security-concerns/)

They're sloppy with security, and they're ludicrously unable to scale.

And they've put this out in an environment with state-backed hackers. It's
very blockchain.

------
rcpt
Never heard of Voatz before. AIUI
[https://en.m.wikipedia.org/wiki/Helios_Voting](https://en.m.wikipedia.org/wiki/Helios_Voting)
is the closest we have to working electronic voting.

~~~
waddlesworth
Helios works pretty well, and I believe is in actual use for some college
elections with people trying to break it.

I'm curious to see an implementation of a variant called 'BeleniosRF'[1],
which adds the requirement that voting be receipt-free (RF)

[1]:
[https://eprint.iacr.org/2015/629.pdf](https://eprint.iacr.org/2015/629.pdf)

------
Thespian2
Voting presents uniquely difficult challenges, you need integrity, strong
authentication, verifiability, _and_ anonymization.

As others have stated, this particular scheme's weakness to tampering lies at
the receiving end of the app's server.

There are other privacy problems with the "send a selfie" of the on-duty
soldiers I won't get into.

But ultimately, voting has unique constraints. The voter needs to be able to
verify their vote was counted correctly, outside observers need to be able to
verify totals, but _not_ identify individual votes, and the whole system needs
assurances only those who are supposed to vote, do so.

------
RIMR
They literally based their entire software off of IBM's "Marbles" program.

That's just a Blockchain PoC. The fact that they're trying to take the
simplest, most exploitable form of Blockchain and dressing it up as an
innovation already puts a bad taste in my mouth, but the fact that this
garbage software is now being used for a federal election is horrifying.

It also doesn't help that more than one of the leaders of this company are
Russian nationals...

------
komali2
> Note that the article is pretty clear: this is only for those people
> overseas, mostly troops stationed abroad. Still a terrible idea, but somewhat
> less terrible than statewide voting via mobile phone.

^Tweet in sub...chain (how the fuck do we describe twitter comments?)

It's horrible, but I almost hope somebody hacks these votes in the most
disruptive, obvious way. I think the country could use a good slap in the face
when it comes to both infosec and voting security.

------
ben_jones
What happens when we receive more votes than the population of West Virginia?
Will this information be hidden from the public until it doesn't matter
anymore?

------
crankylinuxuser
This sounds like someone/group needs to make very obvious invalidating
changes to this. Of course, you'd be tampering with federal systems... But
take your pick: secret plausible tampering vs 'Votey McVoteface' and 'Iluv
Dems' combined with 100m votes in a state with 8m people

------
ryanmarsh
I initially read that as "Voat to be used in West Virginia elections" and
became immediately alarmed. Always google your company name first folks.

------
shazzy
Obligatory why electronic voting is a bad idea:
[https://www.youtube.com/watch?v=w3_0x6oaDmI](https://www.youtube.com/watch?v=w3_0x6oaDmI)

~~~
rmetzler
Obligatory "I rigged an electronic vote" video:
[https://www.youtube.com/watch?v=DzBI33kOiKc](https://www.youtube.com/watch?v=DzBI33kOiKc)

------
microcolonel
Seems to me that voter IDs should be based on PKI, and the rolls should be
self-published under a per-voter key.

~~~
AlexCoventry
Not enough voters would handle their keys securely. Maybe if every voter was
given some kind of hardware which could sign their votes offline. That's a
big, risky, upfront expense, though.

~~~
tonysdg
Still wouldn't work probably -- think of how many times the average person
misplaces their _car keys_ in a given year. Now give them a piece of hardware,
that they're only going to use every 2 years (which is a stretch given
Americans' voting patterns, so realistically it's every 4 years if ever), and
tell them to (1) keep it safe and (2) remember where they put it.

------
kartan
An automated voting system is very efficient. You only need one person to
change all the votes...

A good thing about so many people involved in voting is that it is harder to
cheat. Even a state agent like Russia can influence elections only so much.
It was very effective because it just needed to change a few percentage points
to tip the balance.

The bi-partisan system, gerrymandering and sub-standard education make
democracy fragile. Automated voting systems are much more dangerous.

> "It's internet voting on people's horribly secured devices, over our
> horrible networks, to servers that are very difficult to secure without a
> physical paper record of the vote."

This is a good summary of a few of the problems.

~~~
woah
Someone else said the same thing and got downvoted to hell, but let’s be
clear: while it’s very obvious that Russia assisted the Trump campaign and
bought ads for Trump, there has never been any evidence or even suspicion that
they were involved in direct vote manipulation regardless of what clickbait
headlines may imply.

~~~
komali2
I'm curious if you consider a phishing attack a "hack."

More clear: is calling a company, pretending to be their IT, and getting their
root credentials, "hacking?"

~~~
squiggleblaz
I don't. It's fraud. A hack is technical. The fact that you get access to a
computer system isn't what makes a hack a hack.

In terms of democracy.

People can be misled whether by internal or external sources.

Democracy works slowly. The important thing is that they have another chance
to vote in a few years to vote in their interest.

Things that affect the effectiveness of a democracy include a limited
franchise (e.g. a test to ensure only "educated" voters are allowed,
restrictions on people who have previously been jailed, precinct voting[1]
with voting on a working day); ballot stuffing; gerrymandered districts and
excessive malapportionment; insufficient sensitivity to changes in public
opinion (e.g. not enough legislators); supermajority requirements (on ordinary
bills) and vetoes for small groups.

[1]: Since not everyone will be aware of what precinct voting is, it's a
system where you are allocated to a certain voting centre. So you live in
Ballotsville South: therefore, you're only allowed to vote at the Ballotsville
South Primary School.

Other jurisdictions permit people the freedom to select the voting centre
based on convenience. Every voting centre in some district will have a ballot
and a record for you. In some broader district they may not have a record for
you but they still allow you to vote by keeping your ballot inside a sealed
envelope: then they can confirm your entitlement and open your ballot or
destroy it as appropriate.

------
kimdotcom
It is only for overseas military from WV using mobile devices for voting on
foreign soil.

No cause for concern.

