
SoylentNews is people

posted by janrinok on Tuesday February 20 2018, @08:03AM
from the newer-is-not-necessarily-better dept.

The Intercept reports

The nation's secretaries of state gathered for a multi-day National Association of Secretaries of State (NASS) conference in Washington, D.C., this weekend, with cybersecurity on the mind.

Panels and lectures centered around the integrity of America's election process, with the federal probe into alleged Russian government attempts to penetrate voting systems a frequent topic of discussion.

[...] One way to allay concerns about the integrity of electronic voting machine infrastructure, however, is to simply not use it. Over the past year, a number of states are moving back towards the use of paper ballots or at least requiring a paper trail of votes cast.

For instance, Pennsylvania just moved to require all voting systems to keep a paper record of votes cast. Prior to last year's elections in Virginia, the commonwealth's board of elections voted to decertify paperless voting machines--voters statewide instead voted the old-fashioned way, with paper ballots.

[...] Oregon is one of two states in the country to require its residents to vote by mail, a system that was established via referendum in 1998. [Oregon Secretary of State Dennis] Richardson argued that this old-fashioned system offers some of the best defense there is against cyber interference.

"We're using paper and we're never involved with the Internet. The Internet is not involved at all until there's an announcement by each of our 36 counties to [the capital] Salem of what the results are and then that's done orally and through a confirmation e-mail and the county clerks in each of the counties are very careful to ensure that the numbers that actually are posted are the ones that they have," he said. "Oregon's in a pretty unique situation."

[...] In New Hampshire, the state uses a hybrid system that includes both paper ballots and machines that electronically count paper ballots with a paper trail.

Karen Ladd, the assistant secretary of state for New Hampshire, touted the merits of the system to The Intercept. "We do a lot of recounts, and you can only have a recount with a paper ballot. You can't do a recount with a machine!" she said.

America's paper ballot states may seem antiquated to some, but our neighbors to the north have used paper ballots for federal elections for their entire history. Thanks to an army of officials at 25,000 election stations, the integrity of Canada's elections is never in doubt.


  • (Score: 5, Insightful) by TheRaven on Tuesday February 20 2018, @10:13AM (17 children)

    by TheRaven (270) on Tuesday February 20 2018, @10:13AM (#640575) Journal
    I was with you until the second sentence:

    Until voting machines are running un-obfuscated open source program, paper seems the proven choice.

    Stalin (an authoritative source on election tampering, if ever there was one) said that it doesn't matter who casts the votes, only who counts them. For a fair election, you need at least half of the electorate to be able to audit the election - any smaller amount and the auditors can collude. Even in an unobfuscated open source program, that just means that the non-malicious bits are unobfuscated, the malicious parts are going to be hidden. I doubt that there are more than a few hundred people in the world that could do an audit of the code and guarantee that there are no bugs that affect the outcome (there are more that could audit the code and might find a bug, but proving the non-existence is a lot harder).

    In contrast, anyone can look at a box, check that there are no hidden compartments in it, watch the box as people put folded pieces of paper in it, watch the box as it's carried to the counting centre, and watch people take the pieces of paper out and count them. This guarantees that candidates will be able to find people able to monitor the election on their behalf.

    Unless your objective is to disenfranchise the majority without their noticing, computerised voting is not the correct solution.

    --
    sudo mod me up
  • (Score: 2) by Wootery on Tuesday February 20 2018, @11:54AM (11 children)

    by Wootery (2341) on Tuesday February 20 2018, @11:54AM (#640595)

    I doubt that there are more than a few hundred people in the world that could do an audit of the code and guarantee that there are no bugs that affect the outcome

    I'm against electronic voting generally, but I'll play Devil's advocate: how about a formally verified software system?

    There aren't many people who could, uh, 'verify' such a system, but there are enough of them scattered around the world (with differing political interests) that I figure you could do it and provide strong assurances.

    Providing assurances that you haven't secretly patched the code with backdoors before deployment, is another matter...

    • (Score: 4, Interesting) by VLM on Tuesday February 20 2018, @01:52PM (3 children)

      by VLM (445) on Tuesday February 20 2018, @01:52PM (#640625)

      Why does there have to be one system?

      Once you have scantron optical ballots not only can you write the tabulation software but theoretically you could write scanning software to use anything from the dedicated scantron testing machines we already have, to OCR style scanning of ballot pictures.

      For that matter we're about at the point of being able to take a pix of every vote cast and put the archive on the internet.

      Of course that puts us back in the situation of voting districts where 110% of the registered population voted for candidate X (mostly left wing doing this kind of stuff, which then politicizes discussion debate or actually fixing things into right vs left thus preventing repair)

      Of course the "real" problem is fourteen Russian PR people supposedly warped the election more than millions of illegal aliens. Or for political bias reasons, the legacy media provided trillions of dollars of free propaganda to the candidate that nonetheless lost, at least in part because most of the population hates the legacy media, which is kinda funny. Then there's the billions of dollars of legal bribes in the form of political contributions, vs the billions of dollars of pork barrel kickbacks in payment. I'm just saying WRT subversion of the will of the people, extremely obscure voting technical attacks are probably not the biggest problem we have nor is it a very hard problem to solve.

      • (Score: 3, Insightful) by Wootery on Tuesday February 20 2018, @03:41PM (2 children)

        by Wootery (2341) on Tuesday February 20 2018, @03:41PM (#640676)

        For that matter we're about at the point of being able to take a pix of every vote cast and put the archive on the internet.

        With proof of identity? If no, the idea is useless, if yes, that's a crime. I already said in another comment: one of the major design goals is to ensure people can't sell their vote by proving who they voted for. That's why it's illegal to record yourself placing your vote, and should remain so.

        • (Score: 0) by Anonymous Coward on Tuesday February 20 2018, @10:15PM

          by Anonymous Coward on Tuesday February 20 2018, @10:15PM (#640893)

          That's how Alabama's system works.
          ...and when Roy Moore got beaten there, the preservation|erasure of those images became an issue.

          it's illegal to record yourself placing your vote

          Depends on where you are.
          Want to take "ballot selfie"? Here's where it's legal, and not [usatoday.com]

          -- OriginalOwner_ [soylentnews.org]

        • (Score: 2) by VLM on Tuesday February 20 2018, @11:55PM

          by VLM (445) on Tuesday February 20 2018, @11:55PM (#640937)

          It would be trivial technologically to post process the images before posting to mask out everything except the scantron image windows (where you scribble a mark or not).

          That would make it impossible to write in the margin "VLM was here" thus selling my vote.

          The idea being you could re-examine poorly marked ballots.

    • (Score: 2) by TheRaven on Tuesday February 20 2018, @02:07PM (5 children)

      by TheRaven (270) on Tuesday February 20 2018, @02:07PM (#640632) Journal

      I'm against electronic voting generally, but I'll play Devil's advocate: how about a formally verified software system?

      It's a problem of trust. How many people have enough mathematics to follow a formal proof of correctness of a voting system? Let's say ten thousand. Now, to trust the election, every voter who is not one of these people has to trust at least one of these people. Unfortunately, the people in that group are all highly educated, with a strong bias towards current and retired university employees. If you are voting for a party that mostly represents working class voters with a maximum of high school education, do you trust verification carried out by a group whose interests may be diametrically opposed to yours? Are you willing to bet your country on the idea that foreign nationals with no vested interest in your wellbeing would rather point out the flaw than keep quiet while people like them run your country?

      --
      sudo mod me up
      • (Score: 2) by Wootery on Tuesday February 20 2018, @03:53PM (4 children)

        by Wootery (2341) on Tuesday February 20 2018, @03:53PM (#640689)

        I probably would, yes. The world's a big place, we're talking about an Open Source project, and it only takes one objector to kick up about a flaw.

        Compare: the Soviets' Cuban missile project. There were no leaks there and the USA only discovered the sites through U2 reconnaissance missions. Because the (doubtless numerous) people who knew of the project were all working on the same side, and would have taken on enormous risk exposing the project anyway (which, again, they were not motivated to do in the first place).

        That's not how crypto works, though. When a researcher finds a problem, they publicise it. It's adversarial scholarship in action. It would be the same here. Deliberate maliciousness in FOSS is pretty rare even in obscure projects (though I'm aware people have tried it with the kernel).

        It would certainly be a damn sight better than those amateur-hour Diebold trainwrecks.

        Again though, I'm still against electronic voting. Even with such a software system, you can't trust the final deployment. More compellingly still, there's just not enough reason to move away from paper ballot in the first place. Digital isn't always better.

        • (Score: 2) by TheRaven on Wednesday February 21 2018, @02:51PM (3 children)

          by TheRaven (270) on Wednesday February 21 2018, @02:51PM (#641168) Journal

          The world's a big place, we're talking about an Open Source project, and it only takes one objector to kick up about a flaw.

          But it also takes one objector to have the time and expertise to conduct a full review. How long did vulnerabilities like Heartbleed stay in OpenSSL, when companies had a big financial incentive to care that it was secure? If they find a flaw a year after the election, what do you do, re-run the whole thing?

          That's not how crypto works, though. When a researcher finds a problem, they publicise it

          And then, a decade later, something is declassified and you learn that the NSA and / or GCHQ knew about that vulnerability 20 years earlier and were using it for all of that time. If you're working for the FSB and you find a vulnerability in the US election code, do you publish it? My guess is that you either tamper with the election, or you wait for a year after the election and then leak evidence that you knew about the vulnerability and pretend that you tampered with the election and undermine trust in the process. And, actually, if you don't find a flaw, then leaking that you did and tampered with the election will have a similar effect - and how does the government then prove that there wasn't a flaw in the formal verification of the voting system in a way that the majority of the population would trust?

          --
          sudo mod me up
          • (Score: 2) by Wootery on Wednesday February 21 2018, @04:59PM (2 children)

            by Wootery (2341) on Wednesday February 21 2018, @04:59PM (#641232)

            But it also takes one objector to have the time and expertise to conduct a full review

            Indeed, I'm putting some faith in formal methods making this considerably easier. I presume it would be a good deal harder to conceal a malicious 'feature' in a formal spec (from which the imperative code is then refined) than in a typical ball-of-mud C codebase.

            To your second paragraph: all good points. I don't know formal methods well enough to know how much real help they'd be in all of this. Perhaps my point boils down to a "With a sufficiently approachable formal system..." pipe-dream.

            (Again though, the impossibility of trustable deployment renders our whole exercise insignificant.)

            • (Score: 2) by TheRaven on Wednesday February 21 2018, @06:39PM (1 child)

              by TheRaven (270) on Wednesday February 21 2018, @06:39PM (#641308) Journal

              Indeed, I'm putting some faith in formal methods making this considerably easier

              If anything, they make it harder. To check a formally verified program you need to understand both the problem domain and the mathematical tools. That dramatically reduces the set of people that can do it. You can machine check the proof, but you can't check that the proof is actually telling you anything useful. seL4 is a great example here: all of their proofs are probably fine, but it was about 6 hours between their initial public release and the first security vulnerability being found, because the security vulnerability wasn't as a result of a property that was checked.

              The problem with security proofs is that you need to define what security means before you can prove that a system has that property. You can't exhaustively enumerate security requirements, the next attack always comes from the thing that you didn't consider.

              --
              sudo mod me up
              • (Score: 2) by Wootery on Wednesday February 21 2018, @10:03PM

                by Wootery (2341) on Wednesday February 21 2018, @10:03PM (#641428)

                dramatically reduces the set of people that can do it

                True, but I still think it'd be harder to conceal a deliberate defect.

                You can machine check the proof, but you can't check that the proof is actually telling you anything useful.

                Sure you can - it tells you the program fulfils the formal spec. Of course you still have to worry about side-channel attacks and anything not covered by the formal spec, but it's not as if the assured properties are worthless.

                the security vulnerability wasn't as a result of a property that was checked

                Side-channel attacks can be an issue with formal systems, sure, such as Haskell programs leaking secrets by having more predictable timings than the equivalent C code. Oops, wasn't part of the formal model, and the type-safety didn't help.

                I missed the seL4 bug - what did they miss?

                You can't exhaustively enumerate security requirements, the next attack always comes from the thing that you didn't consider.

                I'm not sure how that would manifest with a voting system, but that might just be proof that I'm not that imaginative.

    • (Score: 2) by dry on Thursday February 22 2018, @03:55AM

      by dry (223) on Thursday February 22 2018, @03:55AM (#641610) Journal

      There's two issues here. Having a trustworthy election system and having the average person trust the election system. While an electronic voting system can probably be built to be trustworthy, how do you convince the average person it is trustworthy? It's just as important to convince the losers they lost fairly and as long as it appears to be a black box to most people, it's impossible to trust.
      I'm maybe smarter than most when it comes to this stuff and I wouldn't trust electronic voting for anything important no matter who reassured me that the code was formally verified, and I wouldn't trust myself to verify it either.
      Compare to how voting works here (Canada), I can watch most of the process, show up in the morning, examine the empty ballot boxes etc and watch the whole procedure till the counting is finished at the end of the day. I also see others doing the same and as they're from all political interests, I feel pretty confident that they'll watch carefully.
      There's still the flaw of absentee ballots but it is very few elections where they make a difference besides slightly changing the margin of victory by the odd individual seat changing. Here in BC last election, they did matter and I was happy to see the absentee votes not changing the outcome of the opposition winning the deciding seat.

  • (Score: 0) by Anonymous Coward on Tuesday February 20 2018, @03:35PM (1 child)

    by Anonymous Coward on Tuesday February 20 2018, @03:35PM (#640671)

    I was going to say something like this. Our local county has used electronic voting with no paper trail for a long time. I've complained since the first year they picked it, but got a "trust us" form letter back from the SoS about it. Now it's in the news again, and the officials are all "oh, but we don't connect them to the internet, so they can't be hacked" while completely ignoring insider threats.

    And then they wonder why turnout is always so low...

    • (Score: 2) by curunir_wolf on Tuesday February 20 2018, @08:16PM

      by curunir_wolf (4772) on Tuesday February 20 2018, @08:16PM (#640817)

      We used to have those in my city, until just last year (went back to optical scan paper ballots). They were Windows XP machines with MS Access databases and touch screens. Each precinct had several machines, which communicated over WiFi so that a master machine could tabulate the votes from all the machines.

      They finally got rid of them when a newspaper article came out describing how you could access the WiFi network from the parking lot, download the Access database, change a bunch of votes, and upload it back to the master. Oh, and they published the 5-character passwords, too, which had not changed since 2007.

      --
      I am a crackpot
  • (Score: 2) by jimtheowl on Tuesday February 20 2018, @10:22PM (1 child)

    by jimtheowl (5929) on Tuesday February 20 2018, @10:22PM (#640896)
    First, I want to stress that I am not for computerized voting machines. Granted, an open source program alone would not suffice to make computerized voting trustworthy. I do believe that it is an interesting problem to consider and am raising these points purely for the sake of discussion. I have no formal expertise in this matter.

    "Even in an unobfuscated open source program, that just means that the non-malicious bits are unobfuscated, the malicious parts are going to be hidden."

    I know that there is some very impressive code written to that effect, and even contests, but checks and balances can be added in at different levels. Take for example a completely different program written by a different entity and provide it with the same input. If it doesn't provide the same output there is a problem. It is not a mathematical proof, but is an added level of verification.

    Perhaps it is possible to build a system where the voter can check his own vote while remaining anonymous (using private/public key to vote and count?). Again, that alone isn't sufficient.

    I'm all for paper, line phones and networks, but what worries me is that at some point, enough people are going to want to vote with their phones because it is easier. It would be nice if a relatively good system could be designed before, even if that is not likely to happen.
    • (Score: 2) by dry on Thursday February 22 2018, @04:00AM

      by dry (223) on Thursday February 22 2018, @04:00AM (#641612) Journal

      Even a perfect system can't be trusted by the average person, which can lead to the loser screaming fraud and being believed by their base.
      Having everyone trust the results is actually more important than having trustworthy results.

  • (Score: 2) by frojack on Tuesday February 20 2018, @10:54PM

    by frojack (1554) on Tuesday February 20 2018, @10:54PM (#640916) Journal

    In contrast, anyone can look at a box, check that there are no hidden compartments in it, watch the box as people put folded pieces of paper in it, watch the box as it's carried to the counting centre, and watch people take the pieces of paper out and count them. This guarantees that candidates will be able to find people able to monitor the election on their behalf.

    Hmmm, seems to me you just devastated your own Stalin quote. Or was it the other way around?

    But on another point...

    If you have paper ballots, you don't really have to know how to read code to prove that the counting software is correct or incorrect.

    You just have to gather the Daughters of the American Revolution (unfortunately weaponized by the Democrats of late) and count the ballots with redundancy and observers. If it matches the machine total, fine. If not, the machine is wrong. Doesn't matter if the code is pretty or polluted. Long as it's right.

    Software should never be the depository of votes. Merely the counter of easily read paper ballots.

    --
    No, you are mistaken. I've always had this sig.
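
The checks discussed in jimtheowl's and frojack's comments above, as an added example that is not part of the original page or of any commenter's post: a tabulator whose only checked property is that the total is conserved can still pass that check while misattributing votes, whereas comparison with an independently written tabulator or with a hand count of the paper exposes it. The candidate names, ballot counts, hand-count figures and all function names are constructed for illustration.

```python
from collections import Counter
from itertools import groupby

# Constructed sample: one entry per paper ballot; None marks an undervote.
PAPER_BALLOTS = ["Alice"] * 412 + ["Bob"] * 389 + ["Carol"] * 57 + [None] * 9
# Constructed result of an observed, redundant hand count of the same paper.
HAND_COUNT = {"Alice": 412, "Bob": 389, "Carol": 57}


def tabulator_a(ballots):
    """First implementation: hash-map count of marked ballots."""
    return dict(Counter(b for b in ballots if b is not None))


def tabulator_b(ballots):
    """Independently written second implementation: sort, then count runs."""
    marked = sorted(b for b in ballots if b is not None)
    return {name: sum(1 for _ in run) for name, run in groupby(marked)}


def tabulator_defective(ballots):
    """Hypothetical defective tabulator: every 10th Alice ballot is credited
    to Bob. The total number of counted votes is unchanged."""
    tally, alice_seen = Counter(), 0
    for choice in ballots:
        if choice is None:
            continue
        if choice == "Alice":
            alice_seen += 1
            if alice_seen % 10 == 0:
                choice = "Bob"
        tally[choice] += 1
    return dict(tally)


def conserves_total(tally, ballots):
    """The only 'verified' property here: counted votes == marked ballots."""
    return sum(tally.values()) == sum(b is not None for b in ballots)


def discrepancies(tally_x, tally_y):
    """Per-candidate difference (x minus y); an empty dict means agreement."""
    names = sorted(set(tally_x) | set(tally_y))
    diff = {n: tally_x.get(n, 0) - tally_y.get(n, 0) for n in names}
    return {n: d for n, d in diff.items() if d != 0}


def winner(tally):
    """Candidate with the most votes in a tally."""
    return max(tally, key=tally.get)


if __name__ == "__main__":
    for label, tab in [("A", tabulator_a), ("B", tabulator_b),
                       ("defective", tabulator_defective)]:
        t = tab(PAPER_BALLOTS)
        print(label, t,
              "total conserved:", conserves_total(t, PAPER_BALLOTS),
              "vs hand count:", discrepancies(t, HAND_COUNT) or "match",
              "winner:", winner(t))
```

The defective tabulator satisfies the conservation property and still reports a different winner; only the comparison against the second implementation or the paper reveals the shift.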