| 1 | BLOCKCHAINS ARE NOT SAFE FOR VOTING, CONCLUDES NAP REPORT \r |
| 2 | (NYTIMES.COM) \r |
| 3 | \r |
| 4 | Thursday September 06, 2018 @11:30PM (BeauHD)\r |
| 5 | from the ensuring-the-integrity-of-elections dept.\r |
| 6 | \r |
| 7 | o News link: https://politics.slashdot.org/story/18/09/06/2137245/blockchains-are-not-safe-for-voting-concludes-nap-report\r |
| 8 | o Source link: https://www.nytimes.com/aponline/2018/09/06/technology/ap-us-tec-election-security-reform-report.html\r |
| 9 | \r |
| 10 | \r |
| 11 | The National Academies Press has released a 156-page report,\r |
| 12 | called "Securing the Vote: Protecting American Democracy,"\r |
| 13 | concluding that blockchains are not safe for the U.S. election\r |
| 14 | system. "While the notion of using a blockchain as an\r |
| 15 | immutable ballot box may seem promising, blockchain technology\r |
| 16 | does little to solve the fundamental security issues of\r |
| 17 | elections, and indeed, blockchains introduce additional\r |
| 18 | security vulnerabilities," the report states. "In particular,\r |
| 19 | if malware on a voter's device alters a vote before it ever\r |
| 20 | reaches a blockchain, the immutability of the blockchain fails\r |
| 21 | to provide the desired integrity, and the voter may never know\r |
| 22 | of the alteration." The report goes on to say that\r |
| 23 | "Blockchains do not provide the anonymity often ascribed to\r |
| 24 | them." It continues: "In the particular context of elections,\r |
| 25 | voters need to be authorized as eligible to vote and as not\r |
| 26 | having cast more than one ballot in the particular election.\r |
| 27 | Blockchains do not offer means for providing the necessary\r |
| 28 | authorization. [...] If a blockchain is used, then cast\r |
| 29 | ballots must be encrypted or otherwise anonymized to prevent\r |
| 30 | coercion and vote-selling." The New York Times summarizes the\r |
| 31 | findings: The cautiously worded report calls for conducting\r |
| 32 | all federal, state and local elections on paper ballots by\r |
| 33 | 2020. Its other top recommendation would require nationwide\r |
| 34 | use of a specific form of routine postelection audit to ensure\r |
| 35 | votes have been accurately counted. The panel did not offer a\r |
| 36 | price tag for its recommended overhaul. New York University's\r |
| 37 | Brennan Center has estimated that replacing aging voting\r |
| 38 | machines over the next few years could cost well over $1\r |
| 39 | billion. The 156-page report [...] bemoans a rickety system\r |
| 40 | compromised by insecure voting equipment and software whose\r |
| 41 | vulnerabilities were exposed more than a decade ago and which\r |
| 42 | are too often managed by officials with little training in\r |
| 43 | cybersecurity. Among its specific recommendations was a\r |
| 44 | mainstay of election reformers: All elections should use\r |
| 45 | human-readable paper ballots by 2020. Such systems are\r |
| 46 | intended to assure voters that their vote was recorded\r |
| 47 | accurately. They also create a lasting record of "voter\r |
| 48 | intent" that can be used for reliable recounts, which may not\r |
| 49 | be possible in systems that record votes electronically. [...]\r |
| 50 | The panel also calls for all states to adopt a type of\r |
| 51 | post-election audit that employs statistical analysis of\r |
| 52 | ballots prior to results certification. Such "risk-limiting"\r |
| 53 | audits are designed to uncover miscounts and vote tampering.\r |
| 54 | Currently only three states mandate them.\r |
| 55 | \r |
| 56 | \r |
| 57 | ** \r |
| 58 | \r |
| 59 | ** Re:All security = an implementation. (Score:5, Insightful)\r |
| 60 | (by PopeRatzo ( 965947 ))\r |
| 61 | \r |
| 62 | \r |
| 63 | > To say blockchain is inherently unsafe is like saying\r |
| 64 | > software is inherently unsafe\r |
| 65 | Oh, you are so close to a breakthrough.\r |
| 66 | When it comes to voting, blockchain, like software, IS\r |
| 67 | inherently unsafe. If the main goal for voting security is\r |
| 68 | maintaining the people's confidence in an election, the only\r |
| 69 | system that will meet that standard is a system where people\r |
| 70 | are actually keeping an eye on one another. And I mean\r |
| 71 | physically watching one another. And that's the system we had\r |
| 72 | in place before the advent of voting machines and election\r |
| 73 | software. You had a room full of election judges from both\r |
| 74 | sides, and they sat side-by-side checking in voters as they\r |
| 75 | approached the voting booth and physically watched them put\r |
| 76 | the ballot in the box. When the votes were counted, there was\r |
| 77 | a whole bunch of people from both parties standing around\r |
| 78 | keeping a close eye. When the ballots were sent for storage,\r |
| 79 | one person from each party rode in the truck to drop them off\r |
| 80 | after sealing the container - together - and signing off.\r |
| 81 | It was trust, but verify. Was it possible to jigger with an\r |
| 82 | election like that? Of course. But you had a list of names of\r |
| 83 | people you could hold accountable at every step in the\r |
| 84 | process. Electronic voting will never, ever be trusted. That\r |
| 85 | is the effect of transparency.\r |
| 86 | \r |
| 87 | ** \r |
| 88 | \r |
| 89 | ** Re: (Score:1, Insightful)\r |
| 90 | (by Anonymous Coward)\r |
| 91 | \r |
| 92 | \r |
| 93 | > " If the main goal for voting security is maintaining\r |
| 94 | > the people's confidence in an election " - Well I don't\r |
| 95 | > agree with that starting point definition. I think\r |
| 96 | > security = security, not theater of.\r |
| 97 | Then you're bad at security. Security is theater.\r |
| 98 | There is no impregnable system. Security can only\r |
| 99 | increase the difficulty of entering a system, it cannot\r |
| 100 | stop a determined opponent. Is a CCTV system going to\r |
| 101 | stop someone from breaking into your store? No, but it\r |
| 102 | will make the person think twice about it, because they\r |
| 103 | are likely to be recorded, found, and caught. Is the\r |
| 104 | TSA likely to stop all bad guys from getting on planes?\r |
| 105 | No, but it alters how much they must prepare to get on\r |
| 106 | board the plane so hop\r |
| 107 | \r |
| 108 | ** Re: (Score:2)\r |
| 109 | (by Ocker3 ( 1232550 ))\r |
| 110 | \r |
| 111 | \r |
| 112 | Sadly, the TSA haven't shown themselves to be any\r |
| 113 | good at their job, repeatedly. It's hard to get good\r |
| 114 | help when the work is shite, the 'customers' range\r |
| 115 | from sullen to hating you, and the pay is peanuts.\r |
| 116 | \r |
| 117 | \r |
| 118 | \r |
| 119 | \r |
| 120 | ** Transparency is the key (Score:1)\r |
| 121 | (by victor_alarcon ( 5520418 ))\r |
| 122 | \r |
| 123 | \r |
| 124 | I thought that was the main selling point. Yes, I'm sure\r |
| 125 | someone can come up with some anonymity scheme but\r |
| 126 | transparency should be top priority. Apologies if the\r |
| 127 | point is too naive.\r |
| 128 | \r |
| 129 | \r |
| 130 | ** Re: (Score:1)\r |
| 131 | (by Anonymous Coward)\r |
| 132 | \r |
| 133 | \r |
| 134 | Paper votes aren't any better, just look at Russia's vote\r |
| 135 | stuffing. Literately. Someone comes up to the booth and\r |
| 136 | stuffs fake/coerced votes into the box.\r |
| 137 | Now the way most US, Canadian, and UK elections are run,\r |
| 138 | the paper vote is a two-step process.\r |
| 139 | A) You go to a scrutineer to check your name off a PAPER\r |
| 140 | list, they hand you a ballot with no identifying\r |
| 141 | information on it\r |
| 142 | B) You mark an X on the ballot, fold it in half or stick\r |
| 143 | it in a privacy envelope and then stick it in a cardboard\r |
| 144 | box with a hole on top.\r |
| 145 | Now\r |
| 146 | \r |
| 147 | ** Re: (Score:2)\r |
| 148 | (by PopeRatzo ( 965947 ))\r |
| 149 | \r |
| 150 | \r |
| 151 | > Paper votes aren't any better, just look at Russia's\r |
| 152 | > vote stuffing. Literately. Someone comes up to the\r |
| 153 | > booth and stuffs fake/coerced votes into the box.\r |
| 154 | That's right, because Russia doesn't have the same\r |
| 155 | safeguards built into their elections that we have. You\r |
| 156 | don't have election judges from both sides watching\r |
| 157 | every vote from the time it's cast to the time it's\r |
| 158 | counted to the time it's sent for storage. In the US,\r |
| 159 | there have to be two election judges on hand when\r |
| 160 | absentee ballots are opened.\r |
| 161 | People can sti\r |
| 162 | \r |
| 163 | \r |
| 164 | \r |
| 165 | ** Re: (Score:2)\r |
| 166 | (by Ocker3 ( 1232550 ))\r |
| 167 | \r |
| 168 | \r |
| 169 | I'd invite you to visit us in Australia, where we have the\r |
| 170 | Australian Electoral Commission (AEC), a non-partisan (not\r |
| 171 | bi-partisan) body of people who are collectively\r |
| 172 | considered the Platinum Standard of running elections\r |
| 173 | around the world. We actually send people to the USA to\r |
| 174 | train election staff. We don't have party reps in the\r |
| 175 | voting area until the polls close, then the parties can\r |
| 176 | send in scrutineers who check that the paper ballots are\r |
| 177 | being counted as per the regulations (when I did this I\r |
| 178 | actually not\r |
| 179 | \r |
| 180 | ** Re: (Score:2)\r |
| 181 | (by PopeRatzo ( 965947 ))\r |
| 182 | \r |
| 183 | \r |
| 184 | > I'd invite you to visit us in Australia,\r |
| 185 | I've spent a fair amount of time in Australia. Yes,\r |
| 186 | I've heard you guys do a good job with elections, but\r |
| 187 | I'm not coming back until you get rid of those spiders\r |
| 188 | that jump up and bite you on the eye. Oh, and drop\r |
| 189 | bears and yowgwai. I don't need that kind of stress,\r |
| 190 | thanks.\r |
| 191 | \r |
| 192 | \r |
| 193 | \r |
| 194 | \r |
| 195 | ** Re: (Score:2)\r |
| 196 | (by shellster_dude ( 1261444 ))\r |
| 197 | \r |
| 198 | \r |
| 199 | Blockchains are obviously a terrible solution to election\r |
| 200 | fraud. The only thing that prevents blockchain tampering is a\r |
| 201 | ton of neutral third party machines checking the transactions\r |
| 202 | (typically miners). We've already seen that this is a\r |
| 203 | non-trivial problem when there is plenty of incentive for\r |
| 204 | random people to fulfill that role (mining of crypto\r |
| 205 | currency). National elections have very little incentive for\r |
| 206 | people to invest thousands in hardware and electricity, and a\r |
| 207 | ton of incentive for nation states like\r |
| 208 | \r |
| 209 | \r |
| 210 | ** Oh the irony (Score:4, Insightful)\r |
| 211 | (by the_skywise ( 189793 ))\r |
| 212 | \r |
| 213 | \r |
| 214 | > All elections should use human-readable paper ballots by 2020.\r |
| 215 | > Such systems are intended to assure voters that their vote was\r |
| 216 | > recorded accurately. They also create a lasting record of "voter\r |
| 217 | > intent" that can be used for reliable recounts,\r |
| 218 | Now I agree with this and am happy to move back to paper ballots\r |
| 219 | - But the entire reason we moved away from paper ballots was\r |
| 220 | because of the 2000 elections where Florida used punch cards and\r |
| 221 | political officers kept trying to argue over "partial punches",\r |
| 222 | "dimpled chads" and "dangling chads" where they tried to\r |
| 223 | reassess what the voter's INTENT was.\r |
| 224 | And, of course, let's not forget magical disappearing and\r |
| 225 | appearing boxes of ballots.\r |
| 226 | Any system can be hacked but the electronic one is harder to\r |
| 227 | track hacking than the good ol' traditional methods with paper\r |
| 228 | ballots.\r |
| 229 | \r |
| 230 | ** Re: (Score:3)\r |
| 231 | (by Dare nMc ( 468959 ))\r |
| 232 | \r |
| 233 | \r |
| 234 | Their have been academic papers proposing electronic system\r |
| 235 | that would be safe, where you could verify that your vote was\r |
| 236 | counted (IE received at the server.)\r |
| 237 | In theory with open software, hardware, and multiple servers\r |
| 238 | (again all open source) we could have a very robust\r |
| 239 | electronic voting system. This would require a large project\r |
| 240 | likely done with universities, and it may even be similar to\r |
| 241 | some bitcoin concepts.\r |
| 242 | The technology side is very solvable, getting the project\r |
| 243 | started, past the politics, and accept\r |
| 244 | \r |
| 245 | \r |
| 246 | ** Key statement (Score:2, Insightful)\r |
| 247 | (by Anonymous Coward)\r |
| 248 | \r |
| 249 | \r |
| 250 | They key statement in the finding that most technology solutions\r |
| 251 | fail to solve is this:\r |
| 252 | "Such systems are intended to *assure* voters that their vote\r |
| 253 | was recorded accurately."\r |
| 254 | In the end, paper ballots may seem inefficient from a processing\r |
| 255 | perspective, but that inefficiency becomes inherently difficult\r |
| 256 | to tamper with and builds in systems for checks and recounts.\r |
| 257 | The argument here is that blockchain is vulnerable before the\r |
| 258 | data is stored in the blockchain, at the UI and the machine\r |
| 259 | level, and blockchain th\r |
| 260 | \r |
| 261 | ** Re: (Score:2)\r |
| 262 | (by presidenteloco ( 659168 ))\r |
| 263 | \r |
| 264 | \r |
| 265 | Blanket arguments against computer algorithms for secure\r |
| 266 | voting (or secure anything) are illogical, emotional, and\r |
| 267 | flawed.\r |
| 268 | People argue to the effect: Because many programs have been\r |
| 269 | found to have a security flaw in either A) the algorithm\r |
| 270 | mathematics and logical assumptions, or in B) the\r |
| 271 | implementation, therefore ALL programs must have some flaw in\r |
| 272 | A) or B) therefore there is no such thing is a secure\r |
| 273 | computer program. That is just bullshit. It's incorrect,\r |
| 274 | unsupported generalization from specific examples.\r |
| 275 | \r |
| 276 | ** Re: (Score:2)\r |
| 277 | (by presidenteloco ( 659168 ))\r |
| 278 | \r |
| 279 | \r |
| 280 | Ok, there's a stupid bug in slashdot apparently, not\r |
| 281 | including my less-than sign.\r |
| 282 | There. One bug.\r |
| 283 | What's up with that. Let me try again. Hmm. There was a\r |
| 284 | less-than in there just to the left of this sentence.\r |
| 285 | That's lame on slashdot software's part.\r |
| 286 | So you proved that ALL programs have bugs?\r |
| 287 | Didn't think so.\r |
| 288 | \r |
| 289 | \r |
| 290 | \r |
| 291 | ** Paper ballots are by far the most secure solution (Score:4,\r |
| 292 | Insightful)\r |
| 293 | (by Seven Spirals ( 4924941 ))\r |
| 294 | \r |
| 295 | \r |
| 296 | Gimme a break. Use paper. Computers will be better tools for\r |
| 297 | tabulating and processing the votes after they are cast, but\r |
| 298 | it's tough to beat paper for a recount. Even paper has it's\r |
| 299 | flaws, but the hand waving crypto-bullshit is pathetic "Oh but\r |
| 300 | this counter signature will detect if the previous\r |
| 301 | initialization vector was properly zeroed inside of the S-Box"\r |
| 302 | *rolls eyes*. KISS baby. Things don't get more secure by making\r |
| 303 | them more complex and I can't think of any way to make something\r |
| 304 | more complex than to introduce computers. Computers are great at\r |
| 305 | some things, ideal for some tasks: not for voting. They suck at\r |
| 306 | that.\r |
| 307 | \r |
| 308 | ** paper ballots (Score:1)\r |
| 309 | (by Anonymous Coward)\r |
| 310 | \r |
| 311 | \r |
| 312 | The only way you can have some measure of accountability while\r |
| 313 | keeping votes anonymous.\r |
| 314 | \r |
| 315 | ** Or, for heaven's sake, you can just use paper (Score:3)\r |
| 316 | (by mark-t ( 151149 ))\r |
| 317 | \r |
| 318 | \r |
| 319 | Make a simple mark on a paper ballot indicating your vote, fold\r |
| 320 | it, put it in a box.\r |
| 321 | done\r |
| 322 | Now theoretically you could bribe people who do the counting,\r |
| 323 | but you'd have to bribe a *LOT* of people to make any kind of\r |
| 324 | difference because each individual ballot box with the folded\r |
| 325 | ballots contains but a tiny fraction of the number of votes, and\r |
| 326 | nobody ever counts the ballots from more than one or sometimes\r |
| 327 | two different boxes.\r |
| 328 | \r |
| 329 | ** the real story (Score:2)\r |
| 330 | (by slashmydots ( 2189826 ))\r |
| 331 | \r |
| 332 | \r |
| 333 | Blockchains are perfect, right? WRONG. And also right. They are\r |
| 334 | mathmatically flawless BUT if you outprocess the rest of the\r |
| 335 | network, you can finalize a block with whatever the hell you\r |
| 336 | want in it. You can form a block that says you own all bitcoins,\r |
| 337 | all transactions put them in your wallet, and you're also the\r |
| 338 | queen of England. The reason this "51% attack" doesn't happen it\r |
| 339 | because that amount of processing power doesn't exist. That many\r |
| 340 | ASICs don't exist on Earth. But let's set up a separate\r |
| 341 | blockchain an\r |
| 342 | \r |
| 343 | ** Re: (Score:2)\r |
| 344 | (by Kaenneth ( 82978 ))\r |
| 345 | \r |
| 346 | \r |
| 347 | Even with a 51% attack, the Bitcoin blockchain is filled with\r |
| 348 | digital signatures; noone but your own nodes would accept the\r |
| 349 | blocks, and you would only be 'fooling' yourself.\r |
| 350 | Electronic voting could only work if every citizen had their\r |
| 351 | own private, secure, digital signature key. Which can't\r |
| 352 | happen in the US because poor people can't afford them, and a\r |
| 353 | certain party would never give anything for free, while the\r |
| 354 | other would protect the poor.\r |
| 355 | \r |
| 356 | \r |
| 357 | ** \r |
| 358 | \r |
| 359 | ** Re: (Score:2)\r |
| 360 | (by jwymanm ( 627857 ))\r |
| 361 | \r |
| 362 | \r |
| 363 | This was the dumbest comment in the article. Obviously\r |
| 364 | software methods exist to verify after the fact that what you\r |
| 365 | saved is what you expected.\r |
| 366 | \r |
| 367 | \r |
| 368 | ** It's not how the vote was recorded... (Score:2)\r |
| 369 | (by LynnwoodRooster ( 966895 ))\r |
| 370 | \r |
| 371 | \r |
| 372 | > The report goes on to say that "Blockchains do not provide the\r |
| 373 | > anonymity often ascribed to them." It continues: "In the\r |
| 374 | > particular context of elections, voters need to be authorized as\r |
| 375 | > eligible to vote and as not having cast more than one ballot in\r |
| 376 | > the particular election.\r |
| 377 | It's who casts the vote. Before we even worry about Blockchain,\r |
| 378 | we need to ensure people casting the ballots are legally\r |
| 379 | eligible to vote. Guaranteeing a vote was cast is no more\r |
| 380 | important than guaranteeing who cast the vote was eligible to\r |
| 381 | actually cast that vote.\r |
| 382 | \r |
| 383 | ** Paper ballots (Score:2)\r |
| 384 | (by burtosis ( 1124179 ))\r |
| 385 | \r |
| 386 | \r |
| 387 | Let me start out saying 100% electronic voting is going to be a\r |
| 388 | disaster, triply so when done remotely and not at a secure\r |
| 389 | voting machine. But what most people don't realize is we\r |
| 390 | currently use unencrypted images of paper ballots in many states\r |
| 391 | as backups. These are very insecure. Why not use paper ballots\r |
| 392 | for the primary method, blockchain for the electronic backups?\r |
| 393 | This ultimately seems far more secure than what we are doing\r |
| 394 | now. We also could use open source machines and have audits at\r |
| 395 | each polling\r |
| 396 | \r |
| 397 | \r |