
Votebook – A proposal for a blockchain-based electronic voting system [pdf] - mdb333
http://www.economist.com/sites/default/files/nyu.pdf
======
pedrocr
Paper elections are cheap, reliable and more importantly trustworthy even to
people that have no idea what a symmetric key, hash or blockchain even is. But
we had to go and screw up by creating extremely insecure voting machines and
then come up with crazy schemes like this one to fix them. Do people really
think all this complexity is a good thing? Paper elections are very well
understood but you can easily come up with various exploits to at least
disrupt an election under these systems. Once you give me all this shiny new
attack surface I can:

- Hack the voting machines to just turn on the "duress" mode for everyone, or
do it just in the precincts that tend to vote for my opponent

- Use my great new paper receipt to prove I have voted for candidate A and
collect my bribe, because if the paper receipt doesn't encode the candidate it's
useless. I don't care to verify if my vote was counted if I can't verify that
it was counted for my candidate

- Hack the voting machines to record candidates at random ignoring the key
presses, turning the election into disarray

- Selectively deny network access at polling places to create longer queues
at the sites where my opponent is stronger

I'm sure you can cause a riot or two pretty easily. The fact that paper is
dumb and paper elections use extremely simple technology, math and process is
a feature not a bug.

~~~
barnacs
Paper voting doesn't allow for much more citizen involvement than most
"democratic" countries have today. You can hold elections every few years,
maybe a referendum once or twice a year at most, but any more than that and it
becomes inconvenient, inefficient and not so cheap.

As a citizen, I want to be more involved. Even in a representative democracy,
I want to hold my representatives responsible for their actions. I want to be
able to recall them. I want to support some bills and oppose others. I want to
have votes in my local community about building a playground or whatever. I
may even want to propose policies and have other citizens vote or maybe even
crowdfund it.

While I do not support this specific proposal, I think we should move on from
paper elections.

~~~
badsock
Some context: Switzerland has votes on issues about four times a year, and
they managed to do this with paper, mostly via mail (if someone local knows
otherwise, please correct me).

Recently they tried out e-voting, with what I consider predictable results:

[http://www.swissinfo.ch/eng/voting-with-a-click_hacking-fears-jeopardise-e-voting-rollout/41635672](http://www.swissinfo.ch/eng/voting-with-a-click_hacking-fears-jeopardise-e-voting-rollout/41635672)

Also, I agree with ianstormtaylor in that I don't think that what you're
proposing would necessarily be good. You need a political system that you
trust will promote wise decision makers, and then you need to not micromanage
them. If the people who get elected can't be trusted to make good decisions on
a scale of several years, then the political system needs to be corrected, not
expanded.

~~~
noobermin
Switzerland has a population of 8.4M, about the population of NYC. US has
>300M and a land area two orders of magnitude larger than Switzerland.

~~~
pooper
> Switzerland has a population of 8.4M, about the population of NYC. US has
> >300M and a land area two orders of magnitude larger than Switzerland.

Can we start with the city? Bill de Blasio (bless his heart) won 282,344 votes
in the 2013 Democratic Primary. What's worse is Lhota won his primary with
just 32,236 votes.
[https://en.wikipedia.org/wiki/New_York_City_mayoral_election,_2013](https://en.wikipedia.org/wiki/New_York_City_mayoral_election,_2013)

I hate to agree with President Obama on this topic but I have to agree with
him. The first problem we need to tackle is not to fix the electoral process.
The first problem we need to tackle is getting people to actually care enough
to show up and show up in large enough numbers so we can effect change.

~~~
jackvalentine
Preferential voting and (and I realise this is pretty much impossible to get
implemented if not already so these days....) compulsory voting.

------
badsock
Looking at the "Voting Machine Security Specifications", it's a verified OS
image connecting to a VPN over the internet on election day.

This means that you have to trust the:

- VPN
- OS
- Network stack
- Display and input drivers (HW and SW)
- SSD controller
- CPU
- CPU's "Management Engine" or equivalent
- Mainboard chipset

To all be free of exploits and backdoors. You're trusting many, many thousands
of people, from hundreds of different companies in several different nations,
to not have put backdoors in, despite the fact that backdoors and exploits
have been discovered after the fact in essentially all of the listed
components.

I don't say this lightly: the authors are dangerous fools. They're fools to
think that this is secure enough for an election. And they're dangerous
because someone in power might believe them.

~~~
munin
You don't have to trust them that much, though. These are all COTS components
used in every other computerized system everywhere, so any backdoors the
authors want to slip in would have to impact only the voting system, and not
raise anyone else's attention.

That's pretty hard. How, for example, are you going to get a CPU bug to do
this for you?

I'm not saying it's impossible, but it's sort of like saying that we're fools
for using gas-powered engines for the military. Thousands of people design
them, so how do we know the designs haven't been sabotaged? You might be
right, but you're probably wrong.

~~~
cyphar
> so any backdoors the authors want to slip in would have to impact only the
> voting system, and not raise anyone else's attention.

Except that many of the backdoors are universal backdoors, meaning that they
can be remotely updated with new instructions.

~~~
munin
People still look for backdoors of that type, though.

Additionally, if you really made something that specific, that was only ever
discovered and used to hack an election, and the only people that could have
done it were the chip vendor... how do you think that will play out when it's
discovered? Or do you, as the attacker, bank on no one ever discovering this,
ever?

If you're an engineer working for one of these places, how much do you have to
get paid, or what do you have to be threatened with, to make this work out?

This seems much more like a novel written by Ian Fleming, not le Carré...

~~~
badsock
First, auditing the hundreds of millions of lines of code that it takes to
build an OS and userspace every election and midterm is completely
unrealistic. Especially given the degree of code obfuscation that is possible.

Second, at the silicon level there's billions of transistors in a CPU, silicon
in general is prohibitively expensive to audit, and you can do malicious
things by just putting in nigh-undetectable changes in dopant levels:

[https://www.schneier.com/blog/archives/2013/09/surreptitiously.html](https://www.schneier.com/blog/archives/2013/09/surreptitiously.html)

Third: you don't need to hide the hack forever. You just need to gain enough
power in the election that you can suppress any further investigation.

Given the parade of hacks that make the HN front page every week, at all
levels of government and industry, given that the well-funded and incredibly
paranoid US military inadvertently deployed backdoored chips, given that
existing voting machines have had demonstrable amateur-hour exploits in them:

[http://fortune.com/2016/11/04/voting-machine-hack-watch-video-cylance/](http://fortune.com/2016/11/04/voting-machine-hack-watch-video-cylance/)
[http://www.pcworld.com/article/135461/article.html](http://www.pcworld.com/article/135461/article.html)

is it really that difficult to believe that voting machines can be hacked?

------
graiz
I'm not sure about this specific approach. As other comments note, this is
somewhat complex. That said there may be a few gem ideas.

- Did my vote get counted? (can you prove it)

- Did it get counted correctly? (can you prove it)

- Can a vote be both traceable to the voter and anonymous publicly?

The parallel to blockchain is simple. I get a "vote coin" that I can spend at
the election. You can then see who has the most votes. The challenge to
overcome in any block-chain approach is how to prevent votes from being bought
and sold.

If done correctly you don't have to trust the hardware to trust the election.
If done correctly we could vote by phone.

~~~
wheelerwj
The biggest problem isn't buying and selling votes, it's distribution of the
votecoin.

If you can get votes into the hands of legitimate voters, the rest falls into
place.

~~~
graiz
That aspect wouldn't have to change from how it's done today. Go to your
polling location and show/prove residency for registration purposes.

~~~
wheelerwj
Then you don't need a blockchain.

As a proponent of blockchain-based voting, we're not hitting the 10x better
rule with this solution.

------
specialist
I wish the cryptophiles would study how real world elections work before
floating their ideas.

Votebook proposes using a blockchain as a tamper evident (immutable) audit
log. Because voters sign-in chronologically, recording votes in order removes
the secret ballot. Votebook's proposal is to group up multiple votes into
"blocks" and randomize the order within a block.

Randomizing the order of the votes in an audit log would simulate the secure
one-way hash of dropping your paper ballot into a ballot box.

Poll sites are "bursty". During rush hour, lots of voters, so blocks will span
small time windows. During midday, blocks will be large.

1 - How large must these blocks be to guard the secret ballot? Using some
differential privacy mojo might determine they have to be 100 votes. I'm
skeptical. It's a problem even today with poll sites and postal ballots.
Situations like small precincts or low turnout. In which case, Votebook is
adding complexity without any real world benefit.

2 - What happens with the vote data as blocks are being built? So now this
system has plaintext data in memory awaiting processing. Oops, power outage.
Oops, software bug.

3 - Votebook does not solve the problem of properly, accurately recording the
ballot as the voter cast it.

4 - Votebook will be crypto-based, necessitating further outsourcing our
elections to vendors.

5 - I would never be able to explain how Votebook works to my mother (Jane
average).

------
bobbygoodlatte
Not sure what this solves. I'm a huge proponent of Bitcoin/Blockchain, but how
is this a better solution than say, one centralized national database?

Blockchains are useful in situations where centralized trust can't be
established or would be less valuable. If you can't trust the government
that's running the election process, how would a blockchain solve that?

Too many blockchain proposals just boil down to building a slow, expensive to
maintain database.

~~~
colordrops
Trust in the government is not a given. They must earn trust through public
support, which is why propaganda and PR are such powerful government tools used
to change what the public supports. With a blockchain, you don't have to trust
the government at all, since it is public and very difficult to tamper with.
If they do not comply with the outcome in the blockchain, the public outcry
will cause severe upheaval. To not comply with less secure voting systems,
they can just tamper with it to change the outcome.

~~~
Taek
You can fix that in other ways. Governments are inherently centralized. If you
are voting, well that vote is meaningless without a government to enforce the
results.

There are cheaper ways to get transparency than a blockchain I think.

------
IncRnd
There are many weaknesses in this system.

The first clause of Design Considerations, "Although elegant and (thus far)
invincible," shows a lack of understanding of currently possible and prior
blockchain attacks.

This protocol allows voting any Voter ID multiple times. There is a
significant window of time until one of the blocks containing the Voter
ID/ballot ID Hash is added to the block chain. During this time, all Voter IDs
in the prospective block may be voted multiple times. This can occur by making
a copy of a physical voter ID and simply using it twice at relatively the same
time - just not on the same terminal. The exploitability chance increases as
the number of votes per block increases. The blockchain plus the union of all
unsent blocks for all terminals, not a local database, should be checked for
who has voted. This is compounded by not checking when the blocks are added to
the blockchain.

Another issue with the local database is that even if it is made to be a site
database, many jurisdictions with early voting allow voters to vote anywhere,
not just at their assigned voting location.

The selected candidates are not signed properly with a voter's key. There is
no assurance that a particular voter actually cast a vote for a specific
candidate and not, say, "Mickey Mouse." This is actually one of the purposes
of smart cards and similar. Beyond any protocol issues, this is the central
purpose of any voting system, to ensure that when votes are cast the voter id
is redacted but that that voter id's candidate selection can be validated!

The Central Admin should release the list of the machine's public keys _prior_
to the election not _after_.

There really are a lot of security issues with this security design.

That being said, this paper is the winner of a cyber challenge here:
[http://www.economist.com/whichmba/mba-case-studies/cyber-security-case-study-competition-2016](http://www.economist.com/whichmba/mba-case-studies/cyber-security-case-study-competition-2016)
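The double-voting window IncRnd describes above, as an added simulation that is not code from the paper or from anyone in this thread: the same Voter ID is presented at two terminals before either terminal has sent its block. A check against only the terminal's local database accepts both ballots; a check against the chain plus the union of every terminal's unsent block rejects the second; and rechecking as a block is appended catches what the local check let through. `Terminal`, `Chain`, and the SHA-256 voter tag are constructed stand-ins, not Votebook's actual data structures.

```python
import hashlib
from dataclasses import dataclass, field

def voter_tag(voter_id: str) -> str:
    # Stand-in for the paper's Voter ID/ballot ID hash (assumed: SHA-256 of the ID).
    return hashlib.sha256(voter_id.encode()).hexdigest()

@dataclass
class Terminal:
    name: str
    pending: list = field(default_factory=list)   # votes in the not-yet-sent block
    local_seen: set = field(default_factory=set)  # this terminal's local database

@dataclass
class Chain:
    blocks: list = field(default_factory=list)
    flagged: list = field(default_factory=list)   # duplicates caught at commit time

    def committed_tags(self) -> set:
        return {tag for block in self.blocks for tag, _ in block}

def cast_local(term, chain, terminals, voter_id, choice) -> bool:
    """Naive check: only this terminal's local database. True if accepted."""
    tag = voter_tag(voter_id)
    if tag in term.local_seen:
        return False
    term.local_seen.add(tag)
    term.pending.append((tag, choice))
    return True

def cast_global(term, chain, terminals, voter_id, choice) -> bool:
    """Check the chain plus the union of every terminal's unsent block."""
    tag = voter_tag(voter_id)
    seen = chain.committed_tags()
    for t in terminals:
        seen |= {p for p, _ in t.pending}
    if tag in seen:
        return False
    term.pending.append((tag, choice))
    return True

def commit(term, chain) -> None:
    """Append the terminal's block, rechecking against the chain as it is added."""
    already = chain.committed_tags()
    block, dup = [], []
    for tag, choice in term.pending:
        (dup if tag in already else block).append((tag, choice))
        already.add(tag)   # also catches a duplicate within the same block
    chain.blocks.append(block)
    chain.flagged.extend(dup)
    term.pending = []

def simulate(cast) -> tuple:
    """Same Voter ID at two terminals; returns (accepted, on chain, flagged)."""
    chain = Chain()
    terminals = [Terminal("A"), Terminal("B")]
    a, b = terminals
    accepted = int(cast(a, chain, terminals, "VOTER-0001", "Candidate X"))
    accepted += int(cast(b, chain, terminals, "VOTER-0001", "Candidate Y"))
    commit(a, chain)
    commit(b, chain)
    return accepted, sum(len(blk) for blk in chain.blocks), len(chain.flagged)
```

The window grows with the number of votes per block: the longer a terminal holds its block, the more voter tags exist only in memory and are invisible to a local-only check.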

~~~
Natanael_L
I've got an MPC based proposal;

[https://roamingaroundatrandom.wordpress.com/2014/06/16/an-mpc-based-privacy-preserving-flexible-cryptographic-voting-scheme/](https://roamingaroundatrandom.wordpress.com/2014/06/16/an-mpc-based-privacy-preserving-flexible-cryptographic-voting-scheme/)

------
Kec71
I think there is a more important problem to fix if we are talking about
democratic elections.

The programmer in the video says it all:
[https://www.youtube.com/watch?v=1thcO_olHas&sns=fb](https://www.youtube.com/watch?v=1thcO_olHas&sns=fb)

------
partycoder
How do you validate that each voter is real? What if the fraud moves to the
voter registration?

------
aminok
My blockchain-based voting proposal:

[https://bitcointalk.org/index.php?topic=413196.10](https://bitcointalk.org/index.php?topic=413196.10)

~~~
Natanael_L
Here's mine;

[https://roamingaroundatrandom.wordpress.com/2014/06/16/an-mpc-based-privacy-preserving-flexible-cryptographic-voting-scheme/](https://roamingaroundatrandom.wordpress.com/2014/06/16/an-mpc-based-privacy-preserving-flexible-cryptographic-voting-scheme/)

------
transfire
I call B.S. on the excuse that it is expensive... Drop a few bombs in the
Middle East (which we do routinely) and you've already spent more.

------
known
Cannot prevent
[https://en.wikipedia.org/wiki/Electoral_fraud](https://en.wikipedia.org/wiki/Electoral_fraud)
when voters succumb to
[https://en.wikipedia.org/wiki/Stockholm_syndrome](https://en.wikipedia.org/wiki/Stockholm_syndrome)

------
pm24601
Background: I run a voting precinct in California and have for many years.

Paper ballots are really the best for these reasons:

1) Fits human time frame. A large number of voters make up their mind
incrementally. They take the mail ballot and mark the offices/measures that
they know for certain on. Come election day they show up at the precinct with
almost everything filled out. They then sit down and decide for everything
else.

2) Does not require good eyesight. Older voters, younger voters, whatever - a
simple magnifier can easily be used. We have them at the polling place.

3) Voter can vote on issues nonsequentially. Voting machines present the
issues in the order they are on the ballot - not the order that the voter
wants.

4) Speed of voting: if a voter knows how they are going to vote they can fly
through a ballot in a couple of minutes. Voting on a voting machine takes a
minimum of 6. Add in all the back and forth on the screens and it is
frustrating for voters.

5) Ability to handle crushload of voters: If I have a lot of voters ready to
vote, I put them anywhere in the room I have a seat, flat surface and a pen.
With electronic voting machines I am limited to the number of machines.

6) Requires no training: everyone knows how to use a pen. Computer program...
not so much. And I am not talking about tech sophistication. Anytime anyone
uses a new program they have to slow down and make sure they understand what
is being asked and what are the choices.

7) Clarity of errors and error recovery: a voter knows if they marked a
ballot (with a pen - not the chad Florida ballots) incorrectly. Error
correction is easy.

8) No electricity is needed. Paper ballots always boot up correctly.

-----------

Only reason for electronic voting is for sight impaired voters. And of the
sight impaired voters, 100% seem to have solved the problem with mail in
ballots OR bringing someone with them to the polling place. (In the 6 years I
have run a precinct with upwards of ~2000 voters personally processed by me,
about 6 have actually voted electronically)

--------------

If you want to solve the real problem, based on my experience:

1) same day registration/automatic registration

2) easy voting at locations near transit.

3) easy access to mail-in ballots.

4) no electronic voting - much faster to process voters with paper.

5) allow people to vote out of precinct. (don't require people to get home -
make it easier for them to vote near where they work)

------
udshu
A real future voting system must work all the time, on tons of simultaneous
polls, be easily reachable by all world citizens via the internet and must use
p2p distributed technologies.

------
misterhtmlcss
I was thinking the same thing. Glad someone is doing this, because the hope is
obviously it'll massively increase the efforts anti-democratic individuals or
orgs need to invest to determine the outcome of an election, which isn't all
that high today.

~~~
ianstormtaylor
Do you have any evidence of it being easy to influence the outcome of the
election?

As far as I can tell there are a _ton_ more exploits to be had, from less
powerful (money, connections, etc.) people in an electronic system than in our
current paper system.

Right now the only individuals who have massive influence on an election are
the candidates themselves (and maybe some specific people on their team).

The next closest individuals are probably the extremely, extremely wealthy,
and there aren't that many of them, and they don't even have as much power as
you'd think.

------
ClayFerguson
I invented something like this myself that used a checksum based form of
ensuring data can't be tampered with. The key point is that anyone can look up
how it recorded THEIR vote without anyone else being able to. Uses a hash of
social security number for that (plus other personal identifiers). Websites
can be written to allow a simple form-based trivially simple gui that allows
anyone to look up how their vote was recorded. There needs to be a way for
people to post a 'protest' (saying vote was recorded wrong), and if there are
statistically enough disputes to change the outcome the election must be redone.
But regardless blockchain or something using my checksum approach is the only
solution. No paper chads or other technology will ever be trustworthy.

~~~
sanswork
Any system that allows someone to confirm their vote is a system that allows
people to be forced to vote for someone.

~~~
Natanael_L
Depends on how the verification is done. If it is verifiably derived from your
raw vote, then yes.

But if it's tied to the process of voting such that it doesn't reveal the
contents but confirms it was recorded right, then it can work.

See 3-ballot, and also my suggested scheme;

[https://roamingaroundatrandom.wordpress.com/2014/06/16/an-mpc-based-privacy-preserving-flexible-cryptographic-voting-scheme/](https://roamingaroundatrandom.wordpress.com/2014/06/16/an-mpc-based-privacy-preserving-flexible-cryptographic-voting-scheme/)

~~~
sanswork
That was an interesting read thank you.

