Paper elections are cheap, reliable and, more importantly, trustworthy even to people who have no idea what a symmetric key, hash or blockchain even is. But we had to go and screw up by creating extremely insecure voting machines and then come up with crazy schemes like this one to fix them. Do people really think all this complexity is a good thing? Paper elections are very well understood, but you can easily come up with various exploits to at least disrupt an election under these systems. Once you give me all this shiny new attack surface I can:<p>- Hack the voting machines to just turn on the "duress" mode for everyone, or do it just in the precincts that tend to vote for my opponent<p>- Use my great new paper receipt to prove I have voted for candidate A and collect my bribe, since if the paper receipt doesn't encode the candidate it's useless. I don't care to verify that my vote was counted if I can't verify that it was counted for my candidate<p>- Hack the voting machines to record candidates at random, ignoring the key presses, turning the election into disarray<p>- Selectively deny network access at polling places to create longer queues at the sites where my opponent is stronger<p>I'm sure you can cause a riot or two pretty easily. The fact that paper is dumb and paper elections use extremely simple technology, math and process is a feature, not a bug.
Looking at the "Voting Machine Security Specifications", it's a verified OS image connecting to a VPN over the internet on election day.<p>This means that you have to trust the:<p><pre><code> * VPN
* OS
* Network stack
* Display and input drivers (HW and SW)
* SSD controller
* CPU
* CPU's "Management Engine" or equivalent
* Mainboard chipset
</code></pre>
To all be free of exploits and backdoors. You're trusting many, many thousands of people, from hundreds of different companies in several different nations, to not have put backdoors in, despite the fact that backdoors and exploits have been discovered after the fact in essentially all of the listed components.<p>I don't say this lightly: the authors are dangerous fools. They're fools to think that this is secure enough for an election. And they're dangerous because someone in power might believe them.
I'm not sure about this specific approach. As other comments note, this is somewhat complex. That said, there may be a few gem ideas.<p>- Did my vote get counted? (can you prove it)<p>- Did it get counted correctly? (can you prove it)<p>- Can a vote be both traceable to the voter and anonymous publicly?<p>The parallel to blockchain is simple. I get a "vote coin" that I can spend at the election. You can then see who has the most votes. The challenge to overcome in any blockchain approach is how to prevent votes from being bought and sold.<p>If done correctly you don't have to trust the hardware to trust the election. If done correctly we could vote by phone.
I wish the cryptophiles would study how real world elections work before floating their ideas.<p>Votebook proposes using a blockchain as a tamper-evident (immutable) audit log. Because voters sign in chronologically, recording votes in order removes the secret ballot. Votebook's proposal is to group multiple votes into "blocks" and randomize the order within a block.<p>Randomizing the order of the votes in an audit log would simulate the secure one-way hash of dropping your paper ballot into a ballot box.<p>Poll sites are "bursty". During rush hour, lots of voters, so blocks will span small time windows. During midday, blocks will be large.<p>1 - How large must these blocks be to guard the secret ballot? Using some differential privacy mojo might determine they have to be 100 votes. I'm skeptical. It's a problem even today with poll sites and postal ballots. Situations like small precincts or low turnout. In which case, Votebook is adding complexity without any real world benefit.<p>2 - What happens with the vote data as blocks are being built? So now this system has plaintext data in memory awaiting processing. Oops, power outage. Oops, software bug.<p>3 - Votebook does not solve the problem of properly, accurately recording the ballot as the voter cast it.<p>4 - Votebook will be crypto-based, necessitating further outsourcing our elections to vendors.<p>5 - I would never be able to explain how Votebook works to my mother (Jane Average).
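Added illustration (editor's example, not code from the comment above or from the Votebook paper) of the block-shuffling idea and of point 1, the block-size question. Ballots are grouped in sign-in order, shuffled within each block and published; an observer who also holds the chronological sign-in log can narrow any published ballot to the voters in the same block, so the block is the anonymity set. The sign-in log below is constructed to mimic a bursty precinct (a rush-hour crowd, one voter an hour later, two at midday); voter IDs, choices and the two grouping policies (fixed block size vs. fixed time window) are assumptions made for the demonstration.

```python
"""
Votebook-style blocking: group ballots by sign-in order, shuffle within a
block, publish the block. The sign-in log is public and chronological, so
the block's voter list is the anonymity set for every ballot in it.
"""
import random

# Constructed sign-in log: (seconds since polls opened, voter_id, choice).
SIGN_INS = [
    (0, "V01", "A"), (20, "V02", "B"), (45, "V03", "A"), (60, "V04", "A"),
    (70, "V05", "B"), (90, "V06", "A"),        # rush: six voters in 90 s
    (3600, "V07", "B"),                       # one voter an hour later
    (7200, "V08", "A"), (7300, "V09", "B"),   # two voters at midday
]


def _publish(chunk, rng):
    """Turn a run of sign-ins into a published block: voter list (known
    from the sign-in log), time span, and ballots shuffled within the block."""
    ballots = [choice for (_, _, choice) in chunk]
    rng.shuffle(ballots)
    return {
        "voters": [vid for (_, vid, _) in chunk],
        "span": chunk[-1][0] - chunk[0][0],
        "ballots": ballots,
    }


def build_blocks_by_size(sign_ins, block_size, rng):
    """Fixed block size: consecutive sign-ins, block_size per block.
    Blocks span seconds during a rush and hours at midday; a trailing
    partial block can be tiny."""
    return [_publish(sign_ins[i:i + block_size], rng)
            for i in range(0, len(sign_ins), block_size)]


def build_blocks_by_window(sign_ins, window_s, rng):
    """Fixed time window: a new block starts when the window is exceeded.
    Quiet periods yield blocks with one or two voters."""
    blocks, chunk = [], []
    for rec in sign_ins:
        if chunk and rec[0] - chunk[0][0] > window_s:
            blocks.append(_publish(chunk, rng))
            chunk = []
        chunk.append(rec)
    if chunk:
        blocks.append(_publish(chunk, rng))
    return blocks


def anonymity_sets(blocks):
    """Per block: (number of voters a ballot can hide among, time span in s)."""
    return [(len(b["voters"]), b["span"]) for b in blocks]


def fully_linked(blocks):
    """Voters whose ballot the sign-in log recovers exactly: a block with a
    single voter, or a block whose ballots are all identical (small-precinct
    or low-turnout case), so shuffling hides nothing."""
    leaked = {}
    for b in blocks:
        if len(set(b["ballots"])) == 1:
            for vid in b["voters"]:
                leaked[vid] = b["ballots"][0]
    return leaked


if __name__ == "__main__":
    rng = random.Random(1)
    for label, blocks in (("size 3", build_blocks_by_size(SIGN_INS, 3, rng)),
                          ("size 4", build_blocks_by_size(SIGN_INS, 4, rng)),
                          ("120 s window", build_blocks_by_window(SIGN_INS, 120, rng))):
        print(label, anonymity_sets(blocks), "linked:", fully_linked(blocks))
```

With a block size of 3 nobody is linked here, but the midday block spans over an hour of plaintext buffering; with a block size of 4 the trailing block holds V09 alone; with a 120-second window V07 sits in a block by himself. Unanimous blocks leak regardless of size, which is the small-precinct problem the comment raises.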
Not sure what this solves. I'm a huge proponent of Bitcoin/Blockchain, but how is this a better solution than say, one centralized national database?<p>Blockchains are useful in situations where centralized trust can't be established or would be less valuable. If you can't trust the government that's running the election process, how would a blockchain solve that?<p>Too many blockchain proposals just boil down to building a slow, expensive to maintain database.
There are many weaknesses in this system.<p>The first clause of Design Considerations, "Although elegant and (thus far) invincible," shows a lack of understanding of currently possible and prior blockchain attacks.<p>This protocol allows voting any Voter ID multiple times. There is a significant window of time until one of the blocks containing the Voter ID/ballot ID hash is added to the blockchain. During this time, all Voter IDs in the prospective block may be voted multiple times. This can occur by making a copy of a physical voter ID and simply using it twice at roughly the same time - just not on the same terminal. The exploitability chance increases as the number of votes per block increases. The blockchain plus the union of all unsent blocks for all terminals, not a local database, should be checked for who has voted. This is compounded by not checking when the blocks are added to the blockchain.<p>Another issue with the local database is that even if it is made to be a site database, many jurisdictions with early voting allow voters to vote anywhere, not just at their assigned voting location.<p>The selected candidates are not signed properly with a voter's key. There is no assurance that a particular voter actually cast a vote for a specific candidate and not, say, "Mickey Mouse." This is actually one of the purposes of smart cards and similar.
Beyond any protocol issues, this is the central purpose of any voting system, to ensure that when votes are cast the voter id is redacted but that that voter id's candidate selection can be validated!<p>The Central Admin should release the list of the machine's public keys _prior_ to the election not _after_.<p>There really are a lot of security issues with this security design.<p>That being said, this paper is the winner of a cyber challenge here: <a href="http://www.economist.com/whichmba/mba-case-studies/cyber-security-case-study-competition-2016" rel="nofollow">http://www.economist.com/whichmba/mba-case-studies/cyber-sec...</a>
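Added simulation (editor's example, not code from the comment or from the Votebook paper) of the double-voting window described in the comment above. Each terminal keeps a local "has voted" database and buffers ballots into a pending block that reaches the shared chain only when the block fills. A cloned credential presented at a second terminal before either block is flushed passes the local check; the alternative check the comment proposes (chain plus the union of every terminal's unsent block) rejects it. Terminal names, the voter ID, the block size and the hash construction are assumptions made for the demonstration.

```python
"""
Two polling terminals sharing one chain. cast_local_check models the
protocol as described (per-terminal database only); cast_global_check
models the proposed fix (chain + all unsent blocks).
"""
import hashlib
from dataclasses import dataclass, field


def ballot_hash(voter_id: str, choice: str) -> str:
    """Stand-in for the Voter ID/ballot hash recorded in a block (assumed)."""
    return hashlib.sha256(f"{voter_id}|{choice}".encode()).hexdigest()


@dataclass
class Chain:
    blocks: list = field(default_factory=list)

    def voted_ids(self) -> set:
        return {vid for block in self.blocks for vid, _ in block}


@dataclass
class Terminal:
    name: str
    chain: Chain
    block_size: int
    local_db: set = field(default_factory=set)    # local "has voted" set
    pending: list = field(default_factory=list)   # unsent block

    def _record(self, voter_id: str, choice: str) -> None:
        self.local_db.add(voter_id)
        self.pending.append((voter_id, ballot_hash(voter_id, choice)))
        if len(self.pending) >= self.block_size:    # flush full block
            self.chain.blocks.append(self.pending)
            self.pending = []

    def cast_local_check(self, voter_id: str, choice: str) -> bool:
        """As described: only this terminal's database is consulted."""
        if voter_id in self.local_db:
            return False
        self._record(voter_id, choice)
        return True

    def cast_global_check(self, voter_id: str, choice: str, terminals) -> bool:
        """Proposed fix: chain plus every terminal's unsent block."""
        seen = self.chain.voted_ids()
        for t in terminals:
            seen |= {vid for vid, _ in t.pending}
        if voter_id in seen:
            return False
        self._record(voter_id, choice)
        return True


def votes_for(voter_id: str, chain: Chain, terminals) -> int:
    """Ballots carrying voter_id anywhere: on chain or still unsent."""
    n = sum(1 for block in chain.blocks for vid, _ in block if vid == voter_id)
    n += sum(1 for t in terminals for vid, _ in t.pending if vid == voter_id)
    return n


def scenario(use_global_check: bool, block_size: int = 50):
    """Legitimate card at terminal A, cloned card at terminal B in the same
    window, then a retry at A. Returns (accepted_A, accepted_B, retry_A, total)."""
    chain = Chain()
    a, b = Terminal("A", chain, block_size), Terminal("B", chain, block_size)
    terminals = [a, b]
    if use_global_check:
        cast = lambda t, v, c: t.cast_global_check(v, c, terminals)
    else:
        cast = lambda t, v, c: t.cast_local_check(v, c)
    first = cast(a, "V-0042", "A")       # constructed voter ID, real card
    second = cast(b, "V-0042", "A")      # cloned card, other terminal
    retry = cast(a, "V-0042", "A")       # same terminal: local DB catches it
    return first, second, retry, votes_for("V-0042", chain, terminals)


if __name__ == "__main__":
    print("local check :", scenario(False))   # clone accepted, 2 ballots
    print("global check:", scenario(True))    # clone rejected, 1 ballot
```

The larger the block, the longer a cloned credential stays usable, which is the "exploitability increases with votes per block" point; a global check closes the window but requires every terminal to see every other terminal's pending block, i.e. exactly the cross-site coordination the local database was meant to avoid.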
I think there is a more important problem to fix if we are talking about democratic elections.<p>The programmer in the video says it all:
<a href="https://www.youtube.com/watch?v=1thcO_olHas&sns=fb" rel="nofollow">https://www.youtube.com/watch?v=1thcO_olHas&sns=fb</a>
Background: I run a voting precinct in California and have for many years.<p>Paper ballots are really the best for these reasons:<p>1) Fits human time frame. A large number of voters make up their mind incrementally. They take the mail ballot and mark the offices/measures that they know for certain on. Come election day they show up at the precinct with almost everything filled out. They then sit down and decide for everything else.<p>2) Does not require good eyesight. Older voters, younger voters, whatever - a simple magnifier can easily be used. We have them at the polling place.<p>3) Voter can vote on issues nonsequentially. Voting machines present the issues in the order they are on the ballot - not the order that the voter wants.<p>4) Speed of voting: if a voter knows how they are going to vote they can fly through a ballot in a couple of minutes. Voting on a voting machine takes a minimum of 6. Add in all the back and forth on the screens and it is frustrating for voters.<p>5) Ability to handle a crush load of voters: If I have a lot of voters ready to vote, I put them anywhere in the room I have a seat, flat surface and a pen. With electronic voting machines I am limited to the number of machines.<p>6) Requires no training: everyone knows how to use a pen. Computer program... not so much. And I am not talking about tech sophistication. Anytime anyone uses a new program they have to slow down and make sure they understand what is being asked and what the choices are.<p>7) Clarity of errors and error recovery: a voter knows if they marked a ballot (with a pen - not the chad Florida ballots) incorrectly. Error correction is easy.<p>8) No electricity is needed. Paper ballots always boot up correctly.<p>-----------<p>The only reason for electronic voting is for sight-impaired voters. And of the sight-impaired voters, 100% seem to have solved the problem with mail-in ballots OR bringing someone with them to the polling place.
(In the 6 years I have run a precinct with upwards of ~2000 voters personally processed by me: about 6 have actually voted electronically)<p>--------------<p>If you want to solve the real problem, based on my experience:<p>1) same day registration/automatic registration<p>2) easy voting at locations near transit<p>3) easy access to mail-in ballots<p>4) no electronic voting - much faster to process voters with paper<p>5) allow people to vote out of precinct (don't require people to get home - make it easier for them to vote near where they work)
A real future voting system must work all the time, on tons of simultaneous polls, be easily reachable by all world citizens via the internet and must use p2p distributed technologies.
I was thinking the same thing. Glad someone is doing this, because the hope is obviously that it'll massively increase the effort anti-democratic individuals or orgs need to invest to determine the outcome of an election; which isn't all that high today.
I invented something like this myself that used a checksum-based form of ensuring data can't be tampered with. The key point is that anyone can look up how it recorded THEIR vote without anyone else being able to. It uses a hash of the social security number for that (plus other personal identifiers). Websites can be written to allow a simple form-based, trivially simple GUI that allows anyone to look up how their vote was recorded. There needs to be a way for people to post a 'protest' (saying the vote was recorded wrong), and if there are statistically enough disputes to change the outcome the election must be redone. But regardless, blockchain or something using my checksum approach is the only solution. No paper chads or other technology will ever be trustworthy.