Internet Voting


#21

Thanks for writing Trevin,

This is the design stage so these ideas are not fleshed out and haven’t even been discussed with anyone who might actually be capable of programming it. Right now all of these are ideas and I am fully aware that it may be impossible to accomplish some of it. I’ll have to wait until I get into the stage of working with a programmer to see what is possible and not. But I think the software would be tested in a sandbox environment first and then with a small community and then a city and then a state and so on. I think it might also be possible to make some sort of “seed” process to test the functionality while a vote is in progress. These seeds could even be made into some sort of publicly visible indicators.
To answer your question more specifically, I think we can give every voter a printable receipt after voting.

Gerrymandering is the intentional redrawing of districts with the purpose of benefitting one side or the other of a two party system. Part of this system is the creation of a publicly funded election system and THAT cuts off the need to be on a team right at the roots.

Removing the need for teams changes everything.

Encrypted yes. No idea how to do this yet. When we get a blockchain expert on our team maybe we can start to brainstorm ways to do this. Right now, it’s just a design goal - along with everything else in this plan.

You got me thinking about this and I wrote answers to this question twice. Then I erased them and started doing some research. Thankfully, you got me moving on this and I found a FANTASTIC solution.
Check out Slide #20 and #21 and let me know what you think. And thank you thank you thank you!


#22

I’m envisioning as the best initial real world implementation strategy for something like this, is to be done “alongside” traditional voting, much like absentee voting or early voting. There’s less sense of risk or disruption this way; it would be easier to swallow. It’s a voluntary pilot test.

Also I’m told in Seattle everyone gets mailed a ballot, and then they just mail it back. That of course helped with turnout. Indeed they get mailed an entire package that goes over every candidate and issue on the ballot. A system like this could do something like that, sending a notice via email or text message.


#23

Regarding the ability to vote, and verify your vote, without letting someone else vote for you: that’s what digital signing is for. This is the process:

  1. you generate the encryption key on your computer. this never leaves your computer
  2. you then generate the decryption key from that and share it globally.
  3. you then “sign” your vote by computing a checksum of the ballot, including things like timestamps, etc, encrypting that checksum, and then publishing the encrypted checksum along with the ballot.
  4. then anyone can decrypt that checksum with the public key and see that it matched the checksum of the ballot.

this doesn’t solve anonymization. first thought on that is:
request a key from a registry.
the registry then adds that key to unconfirmed valid keys
acknowledge receipt of the key by signing a transaction
the registry then signs the key as confirmed.
and signs your voter id as used.

mmmm… there are some weaknesses with that…


#24

Would the voter be able to transfer it from their computer if they want to? Like, if someone would pay them for it? Or if someone would harm them if they don’t?

Estonia uses internet voting, but they have those smart ID cards. They contain a private key that cannot be read or copied from the card. For decryption and signing, the data is sent into the card, and the card does the computation itself.

Follow My Vote uses blind signatures (they have their own high-level explanation of how it works here).

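The signing steps in post #23 (sign the ballot checksum with a key that never leaves the voter's computer; anyone checks it with the public key) and the blind signatures post #24 attributes to Follow My Vote, worked through as an added example. This is not code from the thread, from Openvote.world or from Follow My Vote; it is textbook RSA over Python's standard library, with the key pairs built from known Mersenne primes purely so the block runs offline (such primes are trivially factorable and are a demo assumption, never a real key). The ballot, the voter's key digest and the two key pairs are constructed here.

```python
import hashlib
import json
import math
import secrets

E = 65537  # public exponent shared by both demo keys


def demo_keypair(p: int, q: int) -> tuple[int, int, int]:
    """Textbook RSA key (n, e, d) from two primes supplied by the caller.
    Assumption for this demo only: Mersenne primes, so no prime generation is
    needed. A real deployment generates keys with a vetted library."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return n, E, d


VOTER = demo_keypair((1 << 521) - 1, (1 << 607) - 1)      # private part stays on the voter's machine
REGISTRY = demo_keypair((1 << 127) - 1, (1 << 1279) - 1)  # the registry's own, separate key


def public(key: tuple[int, int, int]) -> tuple[int, int]:
    """The (n, e) half that is shared globally (post #23, step 2)."""
    return key[0], key[1]


def ballot_digest(ballot: dict) -> int:
    """Step 3: a canonical SHA-256 'checksum' of the whole ballot, timestamp
    included, as an integer (256 bits, so it is always below either modulus)."""
    canonical = json.dumps(ballot, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(canonical).digest(), "big")


def sign(digest: int, key: tuple[int, int, int]) -> int:
    """'Encrypt' the checksum with the private exponent: the textbook signature."""
    n, _, d = key
    return pow(digest, d, n)


def verify(ballot: dict, signature: int, pub: tuple[int, int]) -> bool:
    """Step 4: anyone opens the signature with the public key and compares it
    with a freshly computed checksum of the published ballot."""
    n, e = pub
    return pow(signature, e, n) == ballot_digest(ballot)


# --- blind signature: the registry certifies a value it never sees ---

def blind(msg: int, pub: tuple[int, int]) -> tuple[int, int]:
    """Voter picks a random factor r coprime to n and hides msg as msg * r^e mod n."""
    n, e = pub
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return (msg * pow(r, e, n)) % n, r


def registry_sign(blinded: int, key: tuple[int, int, int]) -> int:
    """Registry signs the blinded value. Eligibility of the requesting voter is
    assumed to have been checked out of band; the registry learns nothing about msg."""
    n, _, d = key
    return pow(blinded, d, n)


def unblind(blind_sig: int, r: int, pub: tuple[int, int]) -> int:
    """Voter removes r: (msg * r^e)^d * r^-1 = msg^d mod n, a valid signature on msg."""
    n, _ = pub
    return (blind_sig * pow(r, -1, n)) % n


def demo() -> tuple[bool, bool, bool, bool]:
    # Constructed sample ballot, not a real election record.
    ballot = {"election": "demo-2020", "race": "council", "choice": "B",
              "timestamp": "2020-11-03T09:14:00Z"}
    sig = sign(ballot_digest(ballot), VOTER)
    ok = verify(ballot, sig, public(VOTER))
    ok_tampered = verify(dict(ballot, choice="A"), sig, public(VOTER))  # altered ballot fails

    # The voter's anonymous ballot key (here just a digest of a constructed public key)
    # is certified blind, so the registry cannot later link key to voter record.
    key_digest = int.from_bytes(hashlib.sha256(b"constructed voter ballot pubkey").digest(), "big")
    blinded, r = blind(key_digest, public(REGISTRY))
    registry_saw_key = blinded == key_digest
    cert = unblind(registry_sign(blinded, REGISTRY), r, public(REGISTRY))
    n, e = public(REGISTRY)
    key_certified = pow(cert, e, n) == key_digest
    return ok, ok_tampered, registry_saw_key, key_certified


if __name__ == "__main__":
    print(demo())
```

Note what the blind step does and does not buy: the registry can certify that a key belongs to some eligible voter without learning which key, but it is the registry's signature, not the voter's, and the later weaknesses the poster hints at (the registry marking a voter ID as used, the voter's machine or the download being compromised) are outside what this exchange protects.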

#25

HALLELUJAH! I think I figured out a way to solve the problem of Coercion.
Check out the presentation on slides #20 and #21. This is such a simple solution but I think it will work.

As for vote selling… we’re never going to stop that because it looks the same as giving the vote to a proxy or a trusted family member to vote for you. If this other person thinks the way you do, then this should be a benefit because the Proxy is most likely going to do some research and cast the votes with care - whereas the person who is willing to give their vote away, probably doesn’t care that much at all.


#26

Yes, after we get the development done the last thing we need is to cause an election disaster.

Carefully moving out into the public with testing alongside smaller regional elections and growing bigger each year - that’s the way to go.

Oregon has vote by mail.

Perhaps when we’re ready we can get on the Oregon Ballot, not as an issue, but just as a way to tell people what we are and to give them the opportunity to try our system concurrently with this election.

Working in slowly and getting people used to this system will prevent a disaster that could give us a bad name.

Two years from now will be the first chance.


#27

I didn’t understand your post when you said this. I think I came up with the same idea last night. Check out slides #20 and 21 in the Openvote.world presentation.

And yes having a numerical voter ID paired with a simple code word that you are certain to remember forever seems to solve several problems at once. It obviously allows for anonymization, but it also creates a way to defeat Coercion.

Let me know what you think.


#28

Just looking at the presentation right now (will wade through the comments later), and I get to Slide 8 and my immediate, visceral reaction is “HELL NO.”

I do not trust any form of voting that does not include a physical ballot, precisely because I work in the software industry.

Slide 9

  1. Free is good.
  2. Available anywhere: on one hand, that makes voting accessible, but it also means that it’s hacking accessible.
  3. Open source is good, but why should we trust that the open source software we’re looking at, that everyone has vetted as being good and trustworthy is what is being used?
  4. Doesn’t distributed simply mean that someone has direct, local access to the code? Besides, there is nothing so complex about any voting method (that voters would accept) that requires computers, let alone the level of processing that would make distributed computing anything but a waste of time.
  5. How do we know that what is being audited is what is actually happening?
  6. How is it possible to ensure that a ballot is both verifiable and what it claims to be?
  7. No Comment
  8. How is it possible to ensure that a ballot is both secret and verifiable?
  9. How many personal computers have adequate anti-virus protection that they can’t be hacked? How can we know that the 10-20% increase in voter turnout that one might see is because more voters are voting vs more voters’ compromised computers are voting?
  10. Increased ease of registration/re-registration also means increased ease of Man-in-the-Middle attacks.
  11. According to current projections, the entire concept of unhackable software will cease to be a thing in less than a decade thanks to Quantum Computing. Even if it takes 3 decades, adopting this now would mean that you’d have an entire generation thinking that “Internet Voting is just how things work” accepting it without thought when those with power/money/influence get ahold of computers that can trivially hack most anything.

Slide 11:

…trivial Man-In-The-Middle Attacks

…access points for Black Hats to compromise numerous voters.

Even if the software is Read Only, the computer itself could become a MitM agent, as we saw in Texas this election season, where voters cast “Party Line: Democrat” votes, and the confirmation page showed them voting for Ted Cruz.

Without a human-readable, physical ballot that the voters could confirm as theirs, there is no reason to trust the results.

If it’s not physical, what’s to stop a malicious program from changing the vote to the “right” vote after the voter confirms their intent?
If it’s not human readable, what’s to stop that malicious program from saying the vote was cast for A while actually casting a vote for B?

Slide 15

And here’s where the MitM attack happens: where do they get the ISO? How do they know that it’s the right ISO? If it’s OpenSource that means that all the APIs and Hooks etc would be available for anyone to see and emulate, doesn’t it? Who’s to stop a BlackHat from creating an OpenTheft ISO and publishing it?

Slide 20

Like “codeword”? 123456? [Voter’sMiddleName]? [A Go-To-Password that a hacker got from some breach or another]?

Cool stuff, but how could that go wrong?
What if a BlackHat registers to vote for you, before you do, and has a MitM that makes you believe you’ve registered? Then a voter will believe they voted, will be able to confirm their vote, but they will be confirming a vote that will never be counted because their “real” vote is the one cast by the BlackHat.

That’s the current state of affairs, isn’t it? So that isn’t changing anything.

Slide 31

which means that the vote could be hacked at any point right up to the close of the election. The more time you give between when the data is first visible to a Black Hat and the closing time of the election itself, the more time that BH has to figure out how to break in, the more time they have to make their modifications look natural.

That just means that any validation by the voter that occurs before the election is closed is meaningless; the vote for the targeted races could be changed after they validated things. I’m imagining someone coming out with a new ad a few days before the election’s closing date, and a virus choosing some plausible, random time after that ad’s release to change the vote as though it were influenced by the ad.

And yes, Blockchain is amazing technology… but you’ll note that most of my concerns about security aren’t problems with encryption, but with people. Someone (probably the CIA) dealt the Iranian Nuclear program a major setback not by hacking their encryption, but by leaving USB sticks lying around and hacking the users that could get inside the layer of encryption.

Current encryption protocols aren’t the weak point. Upgrading from 128bit to Blockchain encryption is analogous to upgrading from a hollow steel door to a solid steel door; a definite improvement to security, but largely irrelevant when there are windows that people open to get fresh air.

That introduces Game Theory into it, which is a horrible thing. People who think that their candidate has already lost won’t bother voting, nor will those who think that their candidate has it in the bag.
People who think that their vote won’t change the outcome might change their votes to better match their conscience (which means “change their vote” attacks would be less suspicious).

Slide 34

…are you trying to make this hackable? All a Black Hat would need at that point is data on who is eligible to vote and who isn’t registered to vote (both of which are public information), and IP spoofing tech (and possibly MAC address spoofing), and they can “recruit” enough perennial non-voters that the election goes precisely how the Black Hat wants it to.

And even if they needed more forms of authentication to register, that will A) effectively disenfranchise voters the same way that Voter ID laws do, and B) be easily surmountable, given the numerous data breaches lately (credit score companies, facebook, etc)

I am literally one in 3.3M people who voted for the President in my state. The idea that I have a voice is way less important than ensuring that every voice heard is actually the will of the person that voice properly belongs to.

You claim that I can trust the system, but why should I?

Why not? How does this achieve that (given that such a change requires a constitutional amendment)

Again, how? Nothing I saw in the presentation even mentions gerrymandering, let alone deals with it.

Now you’re just making things up.

You’re aware that basically every candidate with a chance of winning rejects public funding, right? Anyone who has a chance of winning can get more money if they reject public money. The Washington Post puts the amount of free money candidates turned down at a little less than $300M. The only candidate for president in 2016 who took public money was Martin O’Malley, whom I was not even aware had run.

Thus, practically speaking, the options that I see would be to jack up the amount of public money (available for every candidate? How will you keep that from bankrupting the nation?), or admit that it’s really only relevant for “also-ran” candidates.

Good. Neither Businesses nor Unions have any place in our political process.

…how does your proposed system make that happen, though?

Candidates advance based on merit, not money

How? Why is it money is relevant now, and how do you intend to eliminate that relevance?

Lowered influence for mass media news outlets.
Increased accountability for Lies.
Reduced time spent on re-election by seated politicians

How? I understand those are great goals, but …how does this achieve them?

For example, even if you got fundraising out of the equation (which I don’t believe possible), they would simply spend more time on other things that ensure their reelection (shaking hands, kissing babies).

Cardinal voting removes the spoiler effect

Spoilers still exist in both of the methods you explicitly called out (RCV is just bad, and STAR has spoilers in Condorcet Cycles)


#29

WOW! Ok, I’m overwhelmed.
I certainly appreciate your knowledge and the care you’ve taken to write all this.
Some of your points and questions are answered in later parts of the presentation so after reading it all, you might have a few of these answered.
For example: I’m seeing a comment on Man-in-the-middle attacks and I’m wondering if you read the part about how the software is a LIVE operating system that is limited to communicating over a VPN. Which to my understanding eliminates the possibility of the MIM attack.
I think many if not MOST of your comments are actually addressed in the presentation.

However… I think the most important thing I can say to you is that I value your help on this project and I invite you to become a real part of this. You obviously have an extremely high degree of knowledge on these topics and I really need people like you to dissect this plan and help rebuild it in a way that addresses each of the issues.

Your list here is what we need to post on the wall so we can start knocking down each one of these issues one at a time by modifying the presentation to address them all - or as many as possible.

So I hope you will read through the presentation a couple times to see how it all fits together, and then let me know what you think the weak points are, and if you have any suggestions on how to patch each hole.

Your input is GOLD! Thank you so much and I hope you’ll participate a LOT more.


#30

No, but yes. It’d be like Voter ID laws; simple enough for most people, but disenfranchising to everyone else.

Mathematically, it’s irrelevant. Provided you’re not doing some sort of reweighting, the only mathematical difference between a 0 to 10 scale and a -5 to +5 scale is what the final numbers are, not the relative numbers. All the results would be the same, except the averages would be off by 5 points, so instead of a candidate winning with an average score of 1.82 over the runner up’s 1.37, they would win with an average score of 6.82 over 6.37, or vice versa.

So obviously, the abuser would then force them to vote election night, and not let them leave.

That’s precisely why most localities only allow one person into the voting booth at a time, to ensure that doesn’t happen. Those sorts of laws, along with the prohibition on photographing ballots, are explicitly designed to protect the sanctity of the vote against coercion/sales, and cannot be enforced with at-home voting, either online or by mail.

I know people who have versions of Adobe and Windows that were pirated yet still pass validation. When working in software, you have to assume that the Bad Guys are better than you are.

Indeed, I know of people who discuss vote brokerage/auctioning agreements, where they, in a Swing State will cast a vote for (eg) Clinton or Trump depending on how many people would vote for their preferred candidate in a Safe state (thus effectively selling their Electoral-College-relevant vote for Popular votes).

Everything in that scenario would be completely voluntary, and could, in theory, result in a minor party breaking the 5% popular vote threshold that could make them relevant (via public funding that minor parties, independents aren’t eligible for)

That’s a nice idea, but gerrymandering has little to do with actual parties and everything to do with voter preference.

Let’s say, for argument, that parties no longer exist in any meaningful way. That doesn’t change the fact that a Latin@ candidate is going to want to keep IL-4 exactly how it is

So long as you have a method that suffers from Vote Splitting, so long as any stage of voting counts a ballot as being exclusively for one candidate and not any others, you’re still going to have a need for teams. This is because only one “side” can win, and a candidate-exclusive vote counting method doesn’t allow for you to support everyone on your “side,” and so you have to unify behind your “side’s” most likely winner.

That is the fundamental process behind Duverger’s Law: candidate exclusive voting leading to voters looking for “indicators of electability,” such as Party Endorsements, Media Endorsements, Incumbency, campaign funding/expenditures, etc.

All of Washington, in fact. But no, actually, it didn’t meaningfully change voter turnout. Neither did it meaningfully change anything in Oregon, for that matter.

Only if the software is what you think it is. I addressed that in my response to slide 15, specifically:

And here’s where the MitM attack happens: where do they get the ISO? How do they know that it’s the right ISO? If it’s OpenSource that means that all the APIs and Hooks etc would be available for anyone to see and emulate, doesn’t it? Who’s to stop a BlackHat from creating an OpenTheft ISO and publishing it?

Additionally, what’s to stop the BlackHat from swapping out the CD at a library? Get the True CD from the librarian, use it, return a false one (that was made to look like the true one). Everyone who uses that CD after the Black Hat won’t actually vote as they wanted to.

I’ll see if I have time. In the meantime, I hope you will read through my comment, because there are a few questions and concerns that haven’t been answered by the presentation nor the comments here.


#31

Ok this is one of your major arguments that is really difficult for me to defeat because it is a clear fact.
However, if you look at what Bernie did, where he raised money with small individual donations, I think this clearly shows that there are a LOT of people who are willing to send in some money. Of course they can’t out compete corporate money - YET!
But imagine if we set this system up so that…

  • ONLY individuals could contribute money to public elections.
  • Each person has a $500 cap.
  • Donations are tax deductible - as they are now.
  • This costs the Government nothing and only the people who can afford it will be paying.
  • Once enough people start to contribute from both sides, the amount of money will be significant although hopefully less than the totally obscene amounts being spent today.
  • Your donation does NOT go to your preferred candidate, but rather to support a system that is used by ALL candidates to show off who they are and what they believe in - ie a website, which can hold text, video, etc which tells your story to the public in a manner that is very open and equal for each candidate…
  • Voters cast their votes starting as far as 6 months in advance, and as each candidate starts getting votes they either rise up towards the top of the candidate list on the website, or they drop down.
  • This lessens the need for mudslinging and increases the desire to talk about issues in a meaningful way.
  • Voters can change their vote at any time right up to the closing date for that election, so candidates are constantly in motion either up or down on the list depending on their behavior, how many lies they tell, how articulate they are, etc… all the things politicians should be judged on.

Trump is a fine example of how the Media can move you up in importance if you do things that attract viewers and sell ads for them. That is just wrong! He got millions in free publicity every time he acted like a crazy buffoon! They actually rewarded him for that. This system would allow Voters to see that behavior and move their vote to somebody who looks a little less crazy.

The mass media corporations will not let this happen easily.

This is all just a dream right now of course. But I think it’s a worthy one and if enough bright people can put their heads together and flesh out a plan for this, I think it could work.

It would be hard to make something that can’t work better than what we’ve got now.

Would you like to help design this?


#32

I have only used TAILS. Which is an Open Source project that is thoroughly trusted around the globe.
If I understand correctly, there is a hashtag posted on the website and when you download the ISO you check to make sure your hashtag number is the same as that posted on the site.

But Granny is NOT going to validate a hashtag. We would have to make this an automatic feature of the software. Perhaps we could make it perform an automatic check-in every time the software boots up. Kinda like how Adobe or Windows authenticates itself every time you open the software. No authentication = the software locks up.

This HAS to be possible. White hat hackers, will need to be hired as consultants on this project all along the way as it is developed. Preferably starting right in the beginning. We need to get set out on the right track so we don’t spin our wheels on useless work that can be hacked.

If/when we have money, we could offer an ongoing reward for ANY hacker that can find holes in the system. As we progress, the reward can grow larger.


#33

I have to leave for today but I will read your comments.
Thank you for taking the time to write all this.


#34

So, you’re going to get Democrats to donate to a fund that Trump could use to campaign? You’re going to convince Republicans to donate to Hillary’s campaign?

So long as it is still legal for them to donate to a candidate (which can’t be eliminated without effectively repealing the 1st Amendment), who is going to put any money towards a system that doesn’t advance their ideas? Few enough people put their money where their mouth is, and you expect a system that puts their money where their mouth isn’t to be viable?

On the contrary, it increases it! They need to ensure that they will make that cutoff, which means they will do anything and everything they can to give themselves a relative advantage over their opponents. If someone can win exclusively on ideas, then they’ll do that. If anyone, and I do mean anyone can improve their relative position through mudslinging, they will.

And what do you propose we do about it? State controlled media? Censors?

And the Black Hat version would make spoofing those credentials an automatic feature of their software.

Good thought, but you seem to have missed the part where I know people who have pirated versions of the software that pass those checks. Cracks are already a thing. We’re talking Day 1 workarounds.

As I said earlier, you have to assume that anyone working against you is better than you are.

Does it? Why does it? What fundamental law of computer science makes that the case?


#35

“OpenSource that means that all the APIs and Hooks etc would be available for anyone to see and emulate, doesn’t it?”

Yes. But to be clear closed source also means that. Well, except it’s much easier for malicious hackers with decompilers and what not to see it. Open source improves security by leveling the playing field.


#36

Us computer nerds have developed a solution for MitM attacks. You know what it’s called? TSL (transaction layer security) what’s the most popular TSL implementation in the world? OpenSSL. That’s right, OPEN all. it’s opensource.

You need open source for security otherwise you can’t verify that the code is doing what’s advertised.

opensource and mitm prevention aren’t exclusive, they are codependent.


#37

the “hashtag” you refer to is called a checksum. basically it’s all the bytes in the program, added together. if one byte changes, the checksum changes. so it’s a quick way to verify that no byte has changed. it’s actually at least 4 bytes long.

but for things like this you usually do the validation and business rules and security checks and all that server side, not client side. so a malicious client couldn’t “hack the system”, so to speak. the server side code would just reject it as invalid

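The ISO check discussed in posts #32 and #37, as an added example that is not code from the thread or from the TAILS project: it contrasts an additive "all the bytes added together" checksum with the SHA-256 digest that projects such as TAILS publish beside their images, and shows the check Granny's software would run automatically against a value published out of band. The "ISO" bytes, the server name inside them and the published digest are all constructed here.

```python
import hashlib
import hmac


def byte_sum_checksum(data: bytes, width: int = 4) -> int:
    """Additive checksum: every byte summed, kept to `width` bytes."""
    return sum(data) % (1 << (8 * width))


def sha256_hex(data: bytes) -> str:
    """Cryptographic digest of the whole image, as published on a download page."""
    return hashlib.sha256(data).hexdigest()


def verify_download(data: bytes, published_hex: str) -> bool:
    """The automatic check: digest what was downloaded and compare it, in constant
    time, with the value obtained separately from the download itself."""
    return hmac.compare_digest(sha256_hex(data), published_hex.lower())


def forge_keeping_byte_sum(data: bytes, offset: int, replacement: bytes) -> bytes:
    """Overwrite bytes at `offset` and spread a compensating adjustment over other
    bytes so the additive checksum is unchanged. Shows that a byte sum catches
    accidental corruption but not a deliberate edit."""
    buf = bytearray(data)
    region = range(offset, offset + len(replacement))
    delta = sum(replacement) - sum(buf[region.start:region.stop])
    buf[region.start:region.stop] = replacement
    for j in range(len(buf)):
        if delta == 0:
            break
        if j in region:
            continue
        # Move this byte as far toward cancelling delta as its 0..255 range allows.
        step = max(-buf[j], min(255 - buf[j], -delta))
        buf[j] += step
        delta += step
    if delta != 0:
        raise ValueError("not enough headroom to compensate the checksum")
    return bytes(buf)


def demo() -> dict:
    # Constructed stand-in for a live image: a header naming the vote server, plus filler.
    original = b"OPENVOTE LIVE ISO 0.1\nvote_server=vote.example\n" + bytes(range(256)) * 8
    published = sha256_hex(original)  # what the project would post on its site
    off = original.index(b"vote.example")
    forged = forge_keeping_byte_sum(original, off, b"evil.example")  # the "OpenTheft" copy
    return {
        "original_verifies": verify_download(original, published),
        "byte_sum_matches": byte_sum_checksum(forged) == byte_sum_checksum(original),
        "sha256_matches": verify_download(forged, published),
    }


if __name__ == "__main__":
    print(demo())
```

The digest only helps if it comes from somewhere the attacker does not control: a hash served from the same page as a swapped ISO, or burned onto the swapped library CD, verifies the forgery just as happily. That is why published checksums are normally accompanied by a detached signature from the project's release key.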

#38

I just fact checked this.

Oregon actually does have significantly higher voter turnout.


#39

aka a “dongle” or a “hardware key”.

a chip or USB dongle yes would help with that, but there’s the problem of distribution. it’s a poll tax.

it made me think of blockchain wallets. maybe eventually your ID will be tied to your blockchain wallet, and then you could vote with that. pipe dreams though, and practicality issues abound.


#40

First, I’ll say that if it did defeat coercion, I think it would defeat vote-buying too. The seller could take the buyer’s money and then vote for whatever they want anyways.

I’m no pro, I haven’t done an exhaustive analysis, but I don’t think secret & fake codes would work either.

There are a few ways you could try to make this work:

  1. If a fake code is used, the ballot put on the blockchain will be for whoever the ballot was filled in for, but it will somehow be externally marked invalid (so people know not to include it in the authentication process).

  2. Encrypted votes include the code that was used (internally or externally, doesn’t matter). If the counting authority (who knows what each voter’s real code is) sees that a code is fake, it doesn’t count that vote.

  3. If a fake code is used, the ballot put on the blockchain will be a dummy ballot. It’s encrypted, so no one can tell that it’s a dummy just by looking at it. This would be sort of “valid” in that it would sort of go through the authentication process, but it wouldn’t affect the outcome of the election (it’d be like a null vote).

If you use #1, the buyer would instantly be able to tell that the code was fake due to the mark. If instead the mark is internal, then it’s functionally equivalent to #3.

If #2, then the election isn’t authenticatable by the voters. Only the authority knows which votes are real votes.

How could you try to achieve #3?

  1. The voting software does the encryption itself and sends a dummy ballot.

  2. The voting software does the encryption itself and sends a “real” ballot, but some authority recognizes that the code is fake and posts a dummy ballot.

  3. The voting software doesn’t do its own encryption, it sends the “unencrypted” ballot to some authority who would normally encrypt it, except they recognize that the code is fake and posts an encrypted dummy ballot.

If you try to use #1, then the buyer would just use different software that always sends a real ballot. Actually, this wouldn’t really work anyways because the device would not know whether the code is real or fake, it’d have to communicate with an authority to verify it, which could be read by the buyer.

If you try to use #2, then a buyer will be able to tell that the encryption from the device and the version posted on the blockchain are different, and would know the code was fake.

If you try to use #3, then you don’t have end-to-end verifiability because no voter would know if the encrypted ballot posted on the blockchain really reflects their intent. You could regain verifiability by allowing voter audits, but then buyers could tell if there’s a mismatch again.

Something you might think of, is how the buyer would know which vote on the blockchain is associated with the voter. If they can’t tell, they can’t check to see if there’s a mark or mismatch, right?

Unfortunately, it doesn’t matter. If the voter can know their encrypted ballot (necessary for end-to-end verifiability), then the buyer can just check if it appears in the blockchain at all. If it does, they’ve found their voter, and if you’re using validity marks, they can check for that. If it doesn’t appear on the blockchain, they know there’s a mismatch.