> The clients do not interact with the blockchain directly, so there is no blockchain verification code in the client.
So if all client requests are routed through the same centralized API endpoint before hitting the blockchain, nor validated after the fact, whats the point of the blockchain? Just some public "ledger" of what the server ultimately sends out?
Ideally, at a minimum, you would be given a token for your vote which you can then follow up and see it on the ledger. Even if you don't get to wait for 'confirmation', it's still a public signal that something is not right.
The honest answer is that I have no idea. In the version we reverse engineered, there's no proof of inclusion of any of the data in the blockchain in the client, and the receipt system was via a PDF. The vote selections (ballot?) are also never signed by the client.
It's also worth noting that, according to the ToB article, the backend blockchain is a permissioned hyperledger instance, which runs PBFT[1] rather than proof of work. PBFT is controllable with roughly 1/3 of the network, 100% of which has been controlled by the company.
Is there any technical/security benefit at all to private blockchains? Or even more generously, lightly-mined public blockchains? It seems that in either of those scenarios, you lose the decentralized validation and consensus brought about by a bunch of people incentivized to compete with one another to burn electricity.
To push this further, I was working on a research paper with Ron Rivest, Neha Narula (head of MIT's decentralized currency initiative), and Sunoo Park (a wonderful applied cryptographer) on whether blockchains in general could be helpful in casting and tallying.
But if everyone used a public blockchain, with proof of work + user-level signatures for each vote cast, wouldn't it be far more auditable than any current system? Ignoring implementation details, reaching a point where anyone could have a way to audit that their vote was counted (correctly) seems very useful. Using this sort of model, it theoretically wouldn't matter who completes the proof of work as long as the results are audited.
You don't need blockchain to enable voters to verify "that their vote has been counted correctly". Several cryptographic voting schemes already provide this feature (for example, Civitas and Floating Receipts).
My bet would be: marketing. Blockchain is hot, blockchain is sexy -- at least among people who aren't really technically inclined. (The technically inclined passed over the blockchain hype curve several years ago.)
There are tons of blockchain projects out there whose only real use for the blockchain is to be able to slap "now with blockchain!" on the sales materials.
> Trail of Bits engineers said Voatz' code was written intelligibly and free of many common security foibles, but added “it is clear that the Voatz codebase is the product of years of fast-paced development.” The summary goes on to list several technical flaws, such as a lack of test coverage and documentation, infrastructure provisioned manually without the aid of infrastructure-as-code tools, vestigial features that have yet to be deleted, and nonstandard cryptographic protocols.
That honestly sounds pretty good in terms of software quality, adding additional tests for proofs and ramping up ops are both addressable problems - especially if handled by a government sponsored team. But...
How confident are you that we could reach a well engineered and proofed electronic voting platform that also adheres to theoretical rules around vote security?
And which component of that, adherence to theoretical requirements and perfected development practices, do you see as a larger hurdle to overcome going forward?
> How confident are you that we could reach a well engineered and proofed electronic voting platform that also adheres to theoretical rules around vote security?
I don't think we can with the current commodity devices / ecosystem, even assuming that voting system software is well-written. Keeping electronic-only systems secure from nation-state level adversaries is hard.
I understand that current solutions to electronic voting are unsatisfactory, but I am fairly baffled by:
> It remains unclear if any electronic-only mobile or Internet voting system can practically overcome the stringent security requirements on election systems
Like, we can adequately secure banking software. With proper considerations and processes for the problem domain (i.e. user follow up / validation, alerts on suspicious vote changes) I don't see why securely implementing electronic voting is considered near-impossible, and has so few advocates.
To put this in short-hand: "We bank online, we buy all sorts of stuff online, why not vote?"
The biggest reason is that banking and other financial transactions have a very different threat model from voting.
In particular, voting requires a secret ballot. In addition to preventing an adversary from learning how you voted, a secret ballot requires you to be unable to prove how you voted, to prevent vote selling and coercion.
Hmm, I hadn't fully grokked the facet of the problem domain.
I guess you could give users a spoofing mode, that allowed them to fake any ballot / action. Or possibly, if there was a window of time in which they could change their ballot freely.
Maybe making such features both secure and accessible would be nearly impossible though.
Many bank transactions can be reversed, and the ones that can't can be covered by insurance or self-insurance. You can't practically speaking reverse a tainted election.
> Like, we can adequately secure banking software.
We really can't. Banking is riddled with fraud, and I say that as someone who works in banking and has designed online banking software. Even with continually ratcheting up security in banking software, use of MFA, encouraging customers to more-secure platforms (Android/iOS), fraud detection (various approaches on the back ends, edge, etc), fraud through online applications is many orders of magnitude higher than fraud in traditional voting systems.
It doesn't matter so much in banking because we can (and do) give customers their money back. We can't fix a broken election.
And that's before we get into the way online voting completely fucks election practises around vote buying, coercion, etc.
I wish people who think they understand computers and are clever would actually make the effort to learn something about either domain before saying stuff like this. It's very disappointing.
But we've developed processes that allow us to have a functional online banking system. Similar processes might be possible for voting - such as a confirmation and triage period like with ACH transactions, but a month long or something.
For vote buying, seems like all the software has to do is enable faking your vote to 3rd parties effectively. Hard, but seems doable.
Like, yes, it's a very hard problem. But we could stand to do more than scoff and write it off as impossible.
We can't secure banking, there are just a lot of undo processes, holds, and internal processes and cross-comms that make it so people don't lose all their money all at once and potential losses can generally be reversed, insured, bailed out, covered by someone else, or balanced out / hedged against. Even with that, fraud is rampant and heists worth billions do still occur digitally[1]. And these are financial systems that evolve constantly over centuries at this point. And the attackers still win sometimes.
The biggest thing the measures do is significantly decrease the known ROI on a target. For example, a credit card can be cancelled. Even if the bank doesn't notice and the person doesn't notice and you do get 100k off it, the fact attackers don't know that still reduces the value of the stolen credit card and therefore the incentive to steal them. Further the gain of 100k by an attacker may be split amongst cardholder, card issued, insurance, merchants, etc. so no one person actually loses 100k. These things all matter when building and securing new systems.
If you look at the cryptocurrency space in general, you can see what happens when you replace a credit card or swift with transactions that are similtaneously immutable, very valuable, and easily anonymous enough. The monetary value on anyone's Coinbase account, let alone all the Coinbase accounts, is so high that we've seen attacks[2] usually reserved for nation-state actors and by actual nation state actors[3], including sophisticated + targetted zero-days and bgp hijacks and all sorts of fun stuff. Not to mention the very high density of attacks that require lower effort and talent like sim swaps, phishing, spear-phishing, impersonation, typosquatting, on and on.
Regardless, if the potential gains to hack a bank are level 1, and crypto exchanges or private keys are a 10, then voting is 1,000,000.
The zero-sum nature of winning an election coupled with the potential gains from doing so are so large and so unfathomable that we have to assume that the lengths people will go to are unfathomably more than everything else we've ever tried to secure. Bc if you can gaurentee a win for a candidate or choose the candidate or change the candidate, you can do anything. You can own anything. You can control anything. You can make any amount of money. The limit is only your talents, abilities, moral compass, and appetite for risk.
To protect against a huge number of attackers, including nation state ones with essentially unlimited resources and the incentive to use those unlimited resources is…it's never been done. Again, back to Coinbase, they secure their crypto with...wait for it…paper. Generated and printed using randomly chosen, single-time, fully-airgapped machines. In a random location. In a Faraday cage.[4] That's how you secure billions when you don't have an undo button. With paper. While not even trusting the electricity flowing thru the cable.
As we saw in the 2016 election, Brexit, and lesser know elections across the globe, it takes very little to secure a win. With the right data (which is even more accessible today than it was in 2016) you only need to manipulate relatively small amount of voters. I'm too lazy to look it up but the numbers were insane when you looked at who was targeted by VoteLeave and Trump's campaign. They may have served 40m ads but it was only to like 40k people.
And that wasn't hacking anything. And those were huge-scale elections. And we still don't know who gained what from their outcomes, just that a lot of people spent a decent amount of money and a huge amount of effort to do so. And it wasn't selfless.
Small towns make gains more obvious. If small town mayor decides who gets the contract for building the new 10M town hall and if you can build it for 5M, you have 4.9M to spend on winning that contract. (Well 5M - resources to rig election - gain required for you to take the risk and put in the effort.) And, given the size of government contracts and their ongoing nature, the financial gains alone are massive. Military contractors: trillions and trillions.[5]
Even securing a single contract early on can ensure your success down the line. Maximus handles tons of Los Angeles welfare programs and now all sorts of programs around the globe. They have for 40+ years. They have billions in annual revenues from doing so. E.g. "In September 2012, the Illinois Department of Healthcare and Family Services awarded Maximus Health Services a two-year, $76.8 million contract to help the state with its Medicaid program. That same month, Maximus announced a $23.5 million contract with the State of Oklahoma."[6] Most of these contracts are decided not by the president but a random group of 5-7 officials at a meeting no one knows about where there is no competition and no real discussion.
Again, these are just a few very, very, very simple incentives people have to manipulate votes. Again, go look at 2016 Trump election or Brexit in depth to understand truly what is currently known about the number of people and the lengths they went to to get an election won. Without hacking. Check back in 40 years after more details emerge. We just don't even know yet.
The reason I have zero faith in any tech being successful in the nearish term with regards to voting is not that I think programmers suck or that politics is corrupt. It's that it's truly unprecedented on an incentives level and risk level. And, it's not just that the risk and potential loss for society or potential gain for attackers is so huge, it's also that we don't even know what it is, and even if we did, we wouldn't be able to comprehend it. How do you secure that when that's what you're up against?
The scope of what we do know about banking fraud, crypto fraud, and paper voting fraud is so great and we are always one step behind attacks and mitigate risk in millions of little ways because we can't fully reduce it. But you can't hedge against election fraud. There's no insurance. There's no undo button. There's no time travel.
And that means that, very unlike financial services, the amount you have to spend to secure an app of this nature is actually one resource more than the attackers are willing to spend to get their way in an election. Or one resource less than the amount lost if an attacker wins. But what even is the value of people, our future, our literal lives? Society, war, money, peace, contracts, the fed, interest rates, all the markets, all the debt, n95 masks, new buildings, old buildings, corruption, legitimacy? We can't know which of these attackers are going after therefore you have to protect against all. And there literally isn't enough resources in the world for that.
Zooming back down to simple: there isn't enough money to even secure an app for a single small town that has a single contract for $10M and will never have another contract and there is, impossibly, no other possible gain for rigging the election. I mean, there literally is enough money. But why spend $1M or $2M or $5M on that app? Why even spend a dollar? Why do so when it doesn't actually reduce all the other risks of election manipulation and corruption that are currently in practice while adding a whole new variety of known and unknown attack surfaces and exacerbates existing ones? You wouldn't. Period.
Why would a company try to build an app knowing this? Well, either they're optimistic and altruistic as fuck and don't know it. Or, second, they are taking advantage of you. Or, third and most terrifying, is the act of building a voting app itself is actually the way to rig the election.
Voatz, without a shadow of a doubt, is not the first. Perhaps the second. But the third? When you consider the timing of Voatz' fundraise, who they raised money from, the goddamn timing, the fact they didn't die when it was discovered they were using old ass php and plesk in 2018, and the fact the app is actually still this fucking completely worthless and insecure and hasn't improved, well, I can't say that it's not an attempt to rig an election but it's def not the US who's doing the rigging. They would go to far greater lengths.[7]
All of this doesn't undermine the fundamentals of the model I'm approaching the problem of online voting with. What is the potential upside, and is a system that reaps those benefits without compromising on security possible? I believe there are answers to most of these problems, providing you can restructure some aspects of voting.
It's not something I would advocate implementing in the nearish term, but I do think work can and should be done on it's fundamental problems.
One if the best/most frequent arguments against online voting is that there will be exploits and individual votes can and will be tampered with. So, lets take that in isolation for a second. Lets say I have to cast a vote a month in advance. I can change it for another month, but perhaps only in person. Is that enough fraud mitigation? What if that period is a year long? What if my political positions have been known by this app for years, and a dramatic shift in their distribution sends an alert prompting confirmation processes?
Essentially, is there some level of triage/verification process at which the online vote is considered acceptably secure? Well, if so, then can it be made compatible with a system that ensures ballot secrecy?
To flesh out my overall thinking of this problem domain – my kind of dream/ideal future of democracy is a system in which the positions of the electorate are "simply known". Right now we clumsily take a partial pulse every 2-4 years. But, if we had a system where voting (and polling) was "passive", then we could see the shift in sentiment way easier. Tampering would show in the data, or else have to be maintained for long periods of time. Essentially, the further we move from instantaneous votes, the better the process should get across the board.
To get a bit soap-boxy, if representation is a right as opposed to a privilege, then deepening and broadening it is an obligation of the state. More aggressively accessible in-person voting options would be good, but in the long run nothing will beat technologically-enabled democracy... if we can figure it out.
3. Paper-backed ballots (which are the official record of the vote) that are physically voter-verified (as a requirement for the above)
4. Paper ballots are anonymized after submission, so as to avoid coercion and vote selling
5. Usability improvements
An app may be a solution to some of #5 above, e.g. as a ballot marking device at the polls, but in order to be secure it should absolutely have #1 and #2. FWIW, voting.works will likely support these.
The solution to long lines and timing is a complicated policy issue, which may not be solvable with technology.
A moral hazard happens when an entity is somehow insured against something (e.g. health insurance), so is rationally more likely to behave in some "bad" way (e.g. driving recklessly).
I'm not seeing how this a moral hazard, do you just mean "immoral"?
"Insured" can be interpreted very broadly; moral hazard is whenever the negative outcomes of a risky decision are directed away from oneself. A CEO considering the option of a layoff is a moral hazard as she will make her board happy at the expense of her employees. Either way she has nothing to lose.
>"Insured" can be interpreted very broadly; moral hazard is whenever the negative outcomes of a risky decision are directed away from oneself.
Nope! That's called an externality. A moral hazard is a type of externality, but is very focused on a particular set of instances in the definition I provided.
My comment used the term in the exact manner described by the comment you're replying to, to describe a state of affairs whereby incentives are systemically perverse because risk is not properly allocated.
A recent review I looked through indicates that the term has been historically used for different purposes in economics, insurance and probability literature. If the language of externalities is easier to understand for you, feel free to mentally substitute it in.
I could have couched the comment in the language of externalities and made a similar point, but it would lose the rhetorical flourish of hinting that legislatures themselves discount risk associated with their actions (or lack thereof).
Sure, though, to be pedantic, a common example of moral hazard is the increased likelihood of driving recklessly in the presence of mandatory seat belts. See https://web.stanford.edu/~leinav/pubs/RESTAT2003.pdf
That’s not a moral hazard. The word doesn’t even appear in the paper. It’s just an example of somewhat efficiently choosing a different point on the risk/reward continuum when the payoffs change.
A moral hazard is choosing a selfish course of action with negative external effects.
This is absolute hogwash, there are other methods than a full hand recount if you have a paper trail, some of which only require counting a small number of the ballots by hand.
The best example of this is a Risk Limiting Audit (RLA). You only have to re-count a smaller number of ballots until the overwhelming probability is that the vote is confirmed, or that the vote is rejected. Depending on the disparity between the ballot options, this count can actually be very small.
During the mid aughts, the consensus of the Election Verification Network (EVN) crowd (academics, election administrators, feds) was that audits were no better than manual recounts and just as expensive.
I'll read the paper you linked, but know that it's contrary to the received wisdom, and I'm very skeptical of any claims that auditing elections are feasible or worthwhile. By audit, I mean anything short of a full manual recount.
--
Okay. I lightly read that paper.
First, it specifically says to only audit the VVPR, meaning the actual ballots, not the VVPAT, which is just what the computer says it recorded. So there might be some miscommunication. I assumed #bdamm was referring to the VVPAT.
Second, the meat of the paper is refinements for calculating the confidence that the official result is correct based on recounting a sample. All of the caveats with audits, not within the scope of this paper, remain the same.
Colorado successfully performed an RLA, and didn't have to recount every ballot. If you really want to read more, Free and Fair (IIRC, the same group bidding on the DARPA grant) has open source software and instructions on how to perform RLAs: https://github.com/FreeAndFair/ColoradoRLA
Can you elaborate? It seems each vote would be harder to tamper if blockchain is applied. (or some other techniques chaining data together to be verified)
What's the plan for pairing based curves now that the Extended Tower Number Field Sieve has made BN256 unusable for many applications[1]? Do you plan on integrating BLS curves any time soon?
The theory is that the cops would be the ones selecting the finger. This would be no different from LE trying to crack a password, and the system permanently locking them out. However, I am also Not A Lawyer.
http://www.mit.edu/~specter/blog/2020/dkim/