
posted by Fnord666 on Tuesday May 07 2019, @12:39PM
from the primary-software dept.

Submitted via IRC for ErnestTBass

From checking in at a polling place on a tablet to registering to vote by smartphone to using an electronic voting machine to cast a ballot, computers have become an increasingly common part of voting in America.

But the underlying technology behind some of those processes is often a black box. Private companies, not state or local governments, develop and maintain most of the software and hardware that keep democracy chugging along. That has kept journalists, academics and even lawmakers from speaking with certainty about election security.

In an effort to improve confidence in elections, Microsoft announced Monday that it is releasing an open-source software development kit called ElectionGuard that will use encryption techniques to let voters know when their vote is counted. It will also allow election officials and third parties to verify election results to make sure there was no interference with the results.

"It's very much like the cybersecurity version of a tamper-proof bottle," said Tom Burt, Microsoft's vice president of customer security and trust, in an interview with NPR. "Tamper-proof bottles don't prevent any hack of the contents of the bottle, but it makes it harder, and it definitely reveals when the tampering has occurred."

Developed with the computer science company Galois, the kit will be available free of charge for election technology vendors to incorporate into their voting systems.

Source: https://www.npr.org/2019/05/06/720071488/ahead-of-2020-microsoft-unveils-tool-to-allow-voters-to-track-their-ballots

  • (Score: 2) by sshelton76 (7978) on Tuesday May 07 2019, @07:15PM (#840366)

    Thanks!
    Any thoughts on the design though?

  • (Score: 2) by All Your Lawn Are Belong To Us (6553) on Tuesday May 07 2019, @07:52PM (#840387) Journal

    Interesting proposal. The three questions I have would be:

    1) If the ballot is downloaded, how does the voting machine verify the signature of the correct ballot / what prevents my invading in the middle and feeding a false ballot (with, say reversed choices) to the station the voter is using? (And there isn't any reason the machine can't be preprogrammed with a table of legitimate signature hashes to recognize and crunch the ballot itself to verify it itself, just isn't quite spelled out that way).

    2) Similar concern with the uploaded consumption format - is it assured that it is crunching "All Your Lawn" as the candidate, or is it encoding "He Chose Number Two on Question 7"? (Or do I get a receipt that checks out that my ballot was counted, but that was corrupt by being presented with a fake ballot?)

    3) Any concerns with the format and write-in choices / would the reception format be flexible enough for that sort of transmission.

    I have a feeling that when you were speaking of consumable formatting this would be one that would solve questions 2/3, again just isn't quite explicitly stated that way.

    Otherwise, really interesting idea and very much agreed that the entirety of the system proper should be open enough that any skilled person can verify the authenticity of it. (And make it applicable to other polling/voting contexts than public elections).

    --
    This sig for rent.
    • (Score: 2) by sshelton76 (7978) on Tuesday May 07 2019, @08:27PM (#840405)

      Ohh these are great questions, thank you!

      I'll try to answer them as concisely as possible, feel free to ask for more details though.

      1) The machine would have a certificate installed that would contain the public key of authorized ballot issuers. So when it downloads the ballot, the ballot is just a collection of bytes and a signature. Using the public key it is possible to verify that the ballot is complete and untampered with. The gloss doesn't specify the particular encryption, but the overall patent is much longer and promulgates a process such as the one here: https://nacl.cr.yp.to/sign.html Because the ballot creator's public key is by definition public along with the ballot itself, you could also download the ballot to an app on your phone, examine it and practice voting while standing in line at the polls. You just couldn't submit the vote until you interacted with a machine authorized by the election authority. You could try, but it would be rejected automatically since part of the security model is based on pre-authorizing specific devices which have their own unique keys.

      2) In most blockchain scenarios your transaction id is a hash of the data. However, for transparency purposes, this system prints a receipt that uses an encoding that looks like... machineid.timestamp.selection1.selection2... Now it is important to note that most jurisdictions have an option for a write-in candidate. In order to preserve that option the selections are free-form unicode strings. If they do not match an existing option, the option is added to the blockchain counter for that selection upon receipt of the vote. Obviously we case-correct, where appropriate, on the client side, but it does leave a problem we have yet to address where one person might put in "Nunez" and someone else might put in "Nunnez" and someone else might put in "Nu~nez" (imagine that ~n is the Spanish letter after n called en-yeah and giving the sound of "nya"). Anyways, because of this disparity, it is possible candidate Nunez may wish to contest the results, but at least the results are recorded even if spread out a bit. It is because of this free-form ability that we do not simply select an offset in an array.

      3) See my answer to #2

      The complete transaction id includes machine id, timestamp and selection choices. But that is for the voter's receipt. The machine id and timestamp will by definition be unique and the voter can then check the blockchain at that point to see their particular vote and precisely how it counted.

      One other advantage of this approach is that it also accommodates locales where there are legal requirements that the ballot be in multiple languages. We have the ballot framework and options encoded in the original upload, but ballot creators can add language translation files later so long as they sign them. The language files would be available at ballothash.en and ballothash.es etc.
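The signature check behind answer 1 (and the signed translation files in the last paragraph), as an added example that is not code from the thread or from ElectionGuard: the ballot is treated as raw bytes plus a detached Ed25519 signature (the NaCl sign primitive the reply links), and the machine accepts it only if it verifies under the issuer key from its installed certificate. The key seeds, the JSON payload and the function names are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"fmt"
)

// SignedBallot is the downloaded artefact described in the reply:
// the ballot bytes plus a detached signature from the ballot issuer.
type SignedBallot struct {
	Payload   []byte // ballot definition as bytes (questions, choices)
	Signature []byte // Ed25519 signature over Payload
}

// issuerSeed is a constructed seed standing in for the issuer's private
// key material; a real issuer would keep this in an HSM, never in code.
var issuerSeed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)

// IssuerSign is what the ballot issuer (or a translation-file author
// using the same key) does before publishing.
func IssuerSign(priv ed25519.PrivateKey, payload []byte) SignedBallot {
	return SignedBallot{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// MachineAcceptsBallot is the check the voting machine or the voter's phone
// app runs with the trusted issuer public key from its certificate. Any
// changed byte in the payload, such as reversed choices, fails verification.
func MachineAcceptsBallot(trusted ed25519.PublicKey, b SignedBallot) bool {
	if len(trusted) != ed25519.PublicKeySize || len(b.Signature) != ed25519.SignatureSize {
		return false // malformed input is rejected, not panicked on
	}
	return ed25519.Verify(trusted, b.Payload, b.Signature)
}

// Demo returns whether each case is accepted: the genuine ballot, the same
// ballot with its choice order reversed in transit, and the genuine ballot
// checked against a key that is not the installed issuer key.
func Demo() (genuine, reversed, wrongKey bool) {
	priv := ed25519.NewKeyFromSeed(issuerSeed)
	pub := priv.Public().(ed25519.PublicKey)
	ballot := IssuerSign(priv, []byte(`{"q1":["Nunez","Smith"]}`))
	genuine = MachineAcceptsBallot(pub, ballot)
	swapped := SignedBallot{Payload: []byte(`{"q1":["Smith","Nunez"]}`), Signature: ballot.Signature}
	reversed = MachineAcceptsBallot(pub, swapped)
	other := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x99}, ed25519.SeedSize))
	wrongKey = MachineAcceptsBallot(other.Public().(ed25519.PublicKey), ballot)
	return
}

func main() {
	g, r, w := Demo()
	fmt.Printf("genuine=%v reversed=%v wrongKey=%v\n", g, r, w)
}
```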