
Show HN: VOTEism – Secure political opinion poll app - votes
https://docs.voteism.org/
======
arkadiyt
> We wondered what it would be like to conduct democratic elections online.
> While that is the far-far future, we set about building something that could
> get us a step closer towards that future.

There is unanimous agreement from the security community that we must not use
digital voting. It is a mistake, full stop. As an opinion app it doesn't
matter, but we must use paper ballots for our elections.

For anyone interested in learning more I recommend this short 20m Enigma
conference talk by Ben Adida (currently building open source voting
software/hardware at [https://voting.works](https://voting.works)):

[https://www.youtube.com/watch?v=dy0_8A9U8Rs](https://www.youtube.com/watch?v=dy0_8A9U8Rs)

~~~
bobmaxup
Unanimous? That seems extremely unlikely, no?

~~~
maccam94
It is fundamentally impossible to have secret ballots[1] in a digital system
along with provable integrity. Secret ballots are necessary to prevent vote
buying, intimidation, and coercion. If no one can prove which voter submitted
which ballot, nor what choices a voter indicated, the voter is free to choose
without risk of repercussions. The breakdown of any digital voting system is
always with verification.

With paper, the voter can see that their ballot is securely stored under the
supervision of the election operators, and they can see that representatives
from multiple parties watch the movement and counting of the ballots.

In contrast, with a digital system it is impossible to verify that your ballot
was delivered with the choices you intended without also being able to show
that proof to anyone else. It is important that the voter is unable to show
proof of their vote for the reasons mentioned above. Unlike a paper-based
process, you cannot directly observe the functioning of an electronic circuit,
the transmission of data over cables, or the storage of bytes in memory, and
neither can anyone else trying to verify the integrity of the process. You'll
never know if someone has replaced any of the hardware or software components
with malicious versions designed to fool voters and rig elections.

1:
[https://en.wikipedia.org/wiki/Secret_ballot](https://en.wikipedia.org/wiki/Secret_ballot)

~~~
ShorsHammer
I can prove the existence of X with zero-knowledge proofs without exposing X.
Obviously there's more from there for elections but the cryptographic
groundwork certainly exists.

~~~
jobigoud
But unlike the paper mechanism, neither the average person nor the experts, for
that matter, can verify the correct and uncompromised implementation of the
zero-knowledge algorithm. You trade off the understandability and
verifiability of the scheme.

------
ve55
Won't the results of this just be heavily biased via sampling by the fact that
only certain types of people want to download and vote using an open-source
public/private key voting simulation app?

~~~
sloka
Well, I think it's unfortunate that all opinion polls work that way. A small
sample size can skew results in one direction. The objective is to get to a
sample size as large as possible. I hope this goes in that direction.

~~~
advisedwang
No, most opinion polls don't work that way. Typically polls a) try and sample
at random rather than self-selection and b) ask demographic questions that
allows sampling to be adjusted to ensure it is representative.

------
XMPPwocky
Hi. I'm a malicious server.

When a client requests the public key from me, I give them a fake one: not the
one present on the air-gapped PC, but my own key. I then decrypt their vote,
inspect it, and re-encrypt it with the real key before sending it off to the
air-gapped server.

Does this work? How do you detect it? And what's your threat model?

~~~
votes
The encrypted data along with the signature of the encrypted vote is written
to the bigquery table (and not directly to the air-gapped server) which is
written to another temp folder (only the account that has access permissions
can write to this folder) before being downloaded and processed on air-gapped
server. The malicious server will not be directly able to write to the air-
gapped server.

~~~
XMPPwocky
"The encrypted data along with the signature of the encrypted vote is written
to the bigquery table (and not directly to the air-gapped server) which is
written to another temp folder (only the account that has access permissions
can write to this folder) before being downloaded and processed on air-gapped
server."

No, you _say_ it is. From the client's side, all I do is POST my encrypted
vote and signature (
[https://github.com/VOTEism/server/blob/d8d3752af99d7f4c25c0b...](https://github.com/VOTEism/server/blob/d8d3752af99d7f4c25c0b1d85963d294358e1697/README.md#88-save-user-vote)
), encrypted with a public key I just got from an HTTP request _to the same
server_, no? (
[https://github.com/VOTEism/server/blob/d8d3752af99d7f4c25c0b...](https://github.com/VOTEism/server/blob/d8d3752af99d7f4c25c0b1d85963d294358e1697/README.md#87-fetch-public-key)
). I can't tell what you're doing with it after that.

And there's what may be an even worse issue (not even requiring tampering with
the public key): the user's signature appears to go _outside of the encrypted
blob_. Now, I can't tell what the signature is actually _over_, but if it's,
say, just a candidate name or ID, then... without ever decrypting the
"encrypted vote", I can figure out who voted for what by just trying possible
values and seeing if I can validate their signature.

~~~
votes
Thanks for commenting. If you are concerned that our signature is over
candidate name or ID, we don't do that. We sign the encrypted vote and not the
plain text. We verify it on the air-gapped system.
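
The two issues raised above, together with the reply that the signature covers the ciphertext, as an added example. This is not code from the VOTEism repository and makes no claim about what its client actually does: it is a self-contained Go program in which the API server hands the client its own public key and re-encrypts under the real one, a pinned-fingerprint check rejects the substituted key, and a signature-guessing loop recovers a vote from a signature over the plaintext choice but finds nothing when the signature is over the ciphertext. It uses 2048-bit RSA-OAEP rather than the 4096-bit keys the post describes so it runs quickly; the candidate identifiers, the key-pinning mitigation and all three key pairs are assumptions constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// Scenario holds the three key pairs the thread talks about: the tallier (private
// half on the air-gapped system), one voter's signing key, and a key owned by a
// malicious API server. All three are constructed here for the example.
type Scenario struct{ Tallier, Voter, Server *rsa.PrivateKey }

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048) // 2048 keeps the demo fast; the post says 4096
	if err != nil {
		panic(err)
	}
	return k
}
func NewScenario() *Scenario { return &Scenario{mustKey(), mustKey(), mustKey()} }

// Fingerprint is SHA-256 over the PKIX DER encoding of a public key: the value a
// client would pin (assumed mitigation) instead of trusting a fetched key.
func Fingerprint(pub *rsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(pub) // cannot fail for an *rsa.PublicKey
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// EncryptVote is the client side: RSA-OAEP under whatever key it believes is the tallier's.
func EncryptVote(pub *rsa.PublicKey, vote string) []byte {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(vote), nil)
	if err != nil {
		panic(err)
	}
	return ct
}
func DecryptVote(priv *rsa.PrivateKey, ct []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, ct, nil)
	return string(pt), err
}

// RelayWithSubstitutedKey is the first attack: the server handed out its own public
// key, reads the vote, and re-encrypts it under the real tallier key. The air-gapped
// side then receives a perfectly valid ciphertext and sees nothing wrong.
func RelayWithSubstitutedKey(server *rsa.PrivateKey, tallierPub *rsa.PublicKey, ct []byte) (seen string, forwarded []byte, err error) {
	if seen, err = DecryptVote(server, ct); err != nil {
		return "", nil, err
	}
	return seen, EncryptVote(tallierPub, seen), nil
}

// ClientAcceptsKey defeats the substitution: refuse any key whose fingerprint is not the pinned one.
func ClientAcceptsKey(fetched *rsa.PublicKey, pinned string) bool {
	return Fingerprint(fetched) == pinned
}

// Sign is an RSA PKCS#1 v1.5 signature over SHA-256(msg) with the voter's key.
func Sign(voter *rsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, err := rsa.SignPKCS1v15(rand.Reader, voter, crypto.SHA256, h[:])
	if err != nil {
		panic(err)
	}
	return sig
}

// GuessSignedValue is the second attack: with the voter's public key and a signature,
// try every candidate and report the one that verifies. Over the plaintext choice this
// recovers the vote without touching the ciphertext; over the ciphertext nothing matches.
func GuessSignedValue(voterPub *rsa.PublicKey, sig []byte, candidates []string) (string, bool) {
	for _, c := range candidates {
		h := sha256.Sum256([]byte(c))
		if rsa.VerifyPKCS1v15(voterPub, crypto.SHA256, h[:], sig) == nil {
			return c, true
		}
	}
	return "", false
}

func main() {
	s := NewScenario()
	cands := []string{"candidate-A", "candidate-B"}       // assumed identifiers
	ct := EncryptVote(&s.Server.PublicKey, "candidate-B") // client trusted the fetched key
	seen, fwd, _ := RelayWithSubstitutedKey(s.Server, &s.Tallier.PublicKey, ct)
	tallied, _ := DecryptVote(s.Tallier, fwd)
	fmt.Printf("server saw %q, tallier decrypted %q\n", seen, tallied)
	fmt.Println("pinned client accepts substituted key:", ClientAcceptsKey(&s.Server.PublicKey, Fingerprint(&s.Tallier.PublicKey)))
	g, ok := GuessSignedValue(&s.Voter.PublicKey, Sign(s.Voter, []byte("candidate-B")), cands)
	fmt.Println("signature over plaintext leaks:", g, ok)
	_, ok = GuessSignedValue(&s.Voter.PublicKey, Sign(s.Voter, ct), cands)
	fmt.Println("signature over ciphertext leaks:", ok)
}
```

Run it with `go run`. The pin only helps if the fingerprint reaches the client by a path the API server does not control (baked into the app build or published out of band); a fingerprint served from the same endpoint as the key is no better than the key itself. Signing the ciphertext stops the guessing loop, but note that the server still learns which registered user submitted which ciphertext, so the secrecy of a vote then rests entirely on the private key never leaving the air-gapped system.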

------
vuldin
This reminds me of Democracy Earth. I like how Democracy Earth takes into
account the concept of liquid democracy, where people can vote through
nominating a trusted person they feel is more suited than they are to make
what they feel is the right decision. This representative vote is an option to
take on a vote-by-vote basis.

[https://democracy.earth/](https://democracy.earth/)

~~~
smt88
> _where people can vote through nominating a trusted person they feel is more
> suited than they are to make what they feel is the right decision_

So... a republic?

------
koolba
> [https://github.com/VOTEism/server/blob/d8d3752af99d7f4c25c0b...](https://github.com/VOTEism/server/blob/d8d3752af99d7f4c25c0b1d85963d294358e1697/voteism/src/main/java/com/voteism/JwtFilter.java#L50-L60)

Why fork threads only to immediately join on them? This is just sync code with
extra context switching and fatter stack traces.

> [https://github.com/VOTEism/server/blob/d8d3752af99d7f4c25c0b...](https://github.com/VOTEism/server/blob/d8d3752af99d7f4c25c0b1d85963d294358e1697/voteism/src/main/java/com/voteism/controllers/UserController.java#L149)

This creates a new thread pool for each login request. That's a terrible idea.
If anything create it once statically and re-use it. Or just perform your
actions in the calling thread as you're just issuing a .get() on the future
anyway. Again, it's needless complexity.

~~~
votes
Thanks for pointing out the issue with the thread pool; we will take a look.

------
alexmingoia
You might find it valuable to read “So you want to reform democracy?”
[https://medium.com/civic-tech-thoughts-from-joshdata/so-you-...](https://medium.com/civic-tech-thoughts-from-joshdata/so-you-want-to-reform-democracy-7f3b1ef10597)
by the founder of GovTrack. There is a lot of prior art in this area.

PlaceAVote was one of many startups that tried this, monetized by selling the
data to pollsters. They had quite a few users at one point.

[https://countable.us](https://countable.us) lets people vote and discuss real
bills and issues, I think also monetized by poll data and ads.

------
advisedwang
What is the goal of this project?

The focus on technical details is fine - if you are going to build an opinion
poll app it sounds like you're doing a fine job, but I don't really understand
what it gains for users, society or your company?

------
i_cannot_hack
What prevents normal users or malicious actors from voting multiple times?

If no such prevention is in place, are there any guarantees at all that the
collected statistics actually reflect real opinions?

~~~
votes
When we process the results on the air-gapped system our algorithm does make
sure that the user's vote is counted only once (no matter how many times the
user has voted). Please read the process at
[https://voteism.org](https://voteism.org)

~~~
i_cannot_hack
I've read both [https://docs.voteism.org/](https://docs.voteism.org/) and the
Github README, and found no mention of this algorithm that prevents multiple
votes from malicious actors. Except a brief mention of collecting "device id,
location, ip address, etc". Could you point me to the specific section where
it is explained?

Edit: After rereading your comment, I felt there might have been a
miscommunication. I'm sure your server discards multiple votes from the same
registered user. With "voting multiple times" I instead refer to a malicious
actor masquerading as multiple distinct users by registering multiple
accounts.

~~~
votes
When we process the data and aggregate the results on the air-gapped system we
do make sure that the user vote is not counted twice. Like you pointed out
this is one of the fundamental things that is super important and we were very
careful when we designed the app to address this issue. We did make sure that
a single individual's votes are not counted twice. It is a custom algorithm.
Also, we have taken precautions during registration too.

~~~
i_cannot_hack
And are those precautions during counting and registration open source as
well, or are they secret by necessity? I have not had time to read the
source code, if they are in there. If they are open source, could you still
briefly explain the gist of the precautions here? If they are secret, can you
offer any guarantees to the public that they cannot be circumvented in a way
that makes any collected statistics inherently faulty?

I'm sure you've made impressive work with this app, and it surely is beyond my
capabilities. But if you have created an app that presents itself as a
reliable and secure system but in reality is easily gamed by malicious actors,
it might actually hurt democracy instead of helping it. If the app gains any
form of notoriety or popularity, it could be fed malicious votes and then be
used to sow distrust towards the (real and valid) election results. In such a
scenario it would just harm the democratic process. I have yet to see any
indications that this is not a real possibility.

Being sure my vote is counted is only half the battle. I also need to be sure
that my vote was not drowned out by countless of fake votes. One thing is not
worth much without the other.

I would be more forgiving if it were more clearly presented as only a prototype or
proof-of-concept, but with a mission statement as grand as "VOTEism seeks to
fix opinion polls" I feel it deserves more in-depth questions.

~~~
votes
Thanks for all the questions raised here. Really appreciate it. To answer your
concerns/questions -

1. Registration part is open-source and we have taken precautions such that
the same user doesn't register twice from the same device using different SIMs
or a change of devices.
2. We have made sure that the registered device is a mobile number.
3. Restriction and verification of the user registration to where the poll is
being held. For example, currently the VOTEism app cannot be downloaded
outside of the US.
4. Counting part is not open-source by design, because it is processed
offline and it is a proprietary algorithm out of necessity for secrecy.
5. We want to make sure the counting of the votes happens offline to
eliminate the scope for manipulation.
6. Vote data is encrypted and validated with its signature to make sure it is
not tampered with.
7. We are also making sure that the keys are rotated periodically.
8. We can guarantee that the collected information statistics are accurate.

I hope we have answered your questions. Please feel free to raise your
concerns. If you want to take the conversation further you can email us at
hi@voteism.org

------
votes
Hi Everyone,

We are redoing the Show HN for VOTEism.

The first time we did a Show HN
([https://news.ycombinator.com/item?id=23430800](https://news.ycombinator.com/item?id=23430800)),
there was a very valid suggestion from the HN Community that we open source
the code. Accordingly we have published the code here:
[https://github.com/VOTEism](https://github.com/VOTEism).

A brief about VOTEism ... again :)

The Covid-19 situation forced many things to shift online. We wondered what it
would be like to conduct democratic elections online. While that is the far-far
future, we set about building something that could get us a step closer
towards that future.

VOTEism is a secure political opinion poll app to express your preference for
one electoral candidate or the other. VOTEism currently works for the 2020 USA
Presidential Election only. But we hope to take it to all countries where
democratic elections happen.

Current political opinion polls are riddled with low sample sizes, interviewer
biases, push poll tactics, self voting sock-puppets, and worst of all, the
lack of privacy. VOTEism seeks to change that.

Your vote is encrypted with a public key on your mobile device and is
decrypted with the private key on an air-gapped system. 4096-bit keys are
used. Anonymized and aggregated results are published on the VOTEism mobile
apps.

VOTEism is built, published and funded by a small and independent software
company (AskDesis INC.) based in the United States. We have no political,
governmental, corporate, or media affiliation. Please take time to read our
transparency policy here:
[https://docs.voteism.org/transparency](https://docs.voteism.org/transparency)

We hope you find VOTEism useful. Feel free to ask us anything.

Links: iOS: [https://ios.voteism.org](https://ios.voteism.org) Android:
[https://android.voteism.org](https://android.voteism.org) Docs:
[https://docs.voteism.org](https://docs.voteism.org) Source Code:
[https://github.com/VOTEism](https://github.com/VOTEism)

------
kaffeeringe
As far as I know Constanze Kurz of Germany's Chaos Computer Club wrote her
doctoral thesis about eVoting and proved that it's only possible if you abandon
the secret vote. If your voting system is a black box to most people, they have
to see the result. Not only their result but everyone's result, to be able to
prove it's correct and the sums are also correct.

------
indit
Is there any open source application alternative for opinion polling?

