
SoylentNews is people

posted by martyb on Friday June 03 2016, @09:01PM
from the K.I.S.S. dept.

Hey everyone! Sorry I've been quiet for so long.

The June 7th primary in California is rapidly approaching and I've been involved in a project to create an international standard for secure electronic voting. The design work is all done and our first application of the technology is to use it to detect and uncover fraud, specifically voting machine tampering. This project is happening in phases. The first phase happens June 7th. We will be conducting an audit of the primary, effectively a parallel election.

The main goal of phase one is actually to shake out the tech, make sure it's as bug free as possible and also that the blockchain that supports this tech can scale to meet the demands of a real election.

If you're interested in novel ways of using technology to help secure elections we could really use your help, because it's crunch time now.

First of all, if you live in California, we could use boots on the ground. Some of our volunteers and probably a sizable fraction of the voters will be technically illiterate. We need people on hand who can quickly troubleshoot the hardware, reboot devices and even just demonstrate the tech and walk people through the process if needs be. We've tried to make it as simple as possible. Literally, scan a QR code and press 1 button corresponding to your choice of candidate. But as simple as we've made it the process could still be confusing to some especially in the heat of the moment. If you're interested in helping out by being boots on the ground for us go here... https://www.democracycounts.org or here https://www.facebook.com/notes/election-justice-usa/independent-citizens-election-audit-to-be-conducted-in-select-precincts-in-calif/889795561147138 You can contact Dawn on facebook to be put directly into the volunteer pipeline.


Secondly, over the course of the weekend we will be conducting a "dry run" poll. The purpose of this is just to test the software on the widest range of devices possible. If you have an android or iOS phone, you just download the software and give it a try. Feedback on the install process, the UI, etc would all be very helpful. Details will be made available on our technical discussion page sometime in the next 24 to 48hrs. https://nxtforum.org/index.php?topic=11226.0;all

Thirdly, we are using the NXT blockchain for this. There is presently a lack of full nodes with open APIs. So even just downloading a full NXT node and running it for the duration of the primary (takes a few days to sync the blockchain), would be a huge help because it adds nodes to the network making it much harder to attack. You can download the software from here... https://nxt.org/ and if you want to you can get a recent blockchain snapshot (which speeds up the process of getting in sync with the network) from here... http://www.peerexplorer.com/#Download

Thank you everyone!


  • (Score: 3, Informative) by devlux on Saturday June 04 2016, @12:23AM

    by devlux (6151) on Saturday June 04 2016, @12:23AM (#354922)

    For voter authorization we use the same system that is in place now. Meaning that the voter is registered to vote ahead of time and signs a roll to check in when they get there.

    As for secrecy with crypto, it all depends on the distribution mechanism.

    Consider generating a large number of access codes upfront.
    Toss those codes into a hat.
    Have the voter sign a sign in sheet.
    Have the user pick one code out from the hat, use that code to authorize to the app (the app is on dedicated devices).
    Voter casts a vote and then goes home taking the chit with them.

    Once home they can view their vote on any block explorer and verify the vote was as intended.
    They can even write their own block explorer if they so choose.

    As an organization, you now know how many codes were used, because it will be right there on the blockchain.
    You can verify that only authorized voters used the codes because you have rolls with signatures.

    Furthermore you know how many codes were unused because they should still be sitting in the hat at the end of the day.
    What you don't know is who specifically used them.

    However the voter has their code and can use it to check that their own vote was recorded correctly. Which gives them assurances that their vote counted.

    Right now there are a lot of ways to adjust the outcome of an election to your liking. Probably the easiest way is to contact the voting machine over its wireless connection, log in and modify the DB on the device. Second easiest is to tamper with the DB at the state (or in this case the party) level, again adjusting votes so that you obtain the outcome desired.
    With existing voting tech there is no way to prove that this did or did not occur.

    We use the blockchain because it is public and prevents tampering with the results after the fact. It's like adding a tamper proof seal to the database of votes.

    By storing the actual votes on the blockchain this way, you have strong evidence if tampering were to occur and what amounts to a computationally intractable problem to modify these things in the first place.

  • (Score: 0) by Anonymous Coward on Saturday June 04 2016, @02:03AM

    by Anonymous Coward on Saturday June 04 2016, @02:03AM (#354970)

    They can also show that receipt to anyone else, who can then verify that they voted the 'right' way. You are back to non-anonymous voting.
    Any method that allows you to check your vote after the fact will make voting non-anonymous. If you can check it, so can someone else.

    • (Score: 2) by devlux on Saturday June 04 2016, @02:41AM

      by devlux (6151) on Saturday June 04 2016, @02:41AM (#354989)

      No because it's not a printed receipt, it's hand written at their own discretion. Something like a post it note.

      If they want to PROVE they voted a certain way they can pick any vote that goes the way they were being pressured to vote and still vote their own conscience in reality.

      Furthermore any third party that wants someone to prove they voted a certain way can have absolutely 0 assurances that what they pressured for is the event that occurred, because anyone can view the public ledger, pick a desired vote and claim it was theirs. There is no way for the third party to say one way or the other.

      We have the best of all possible worlds here.. The voter has an assurance that their vote counted whilst maintaining their choice of plausible deniability/claimability in the event of third party pressure.

      • (Score: 2) by jmorris on Saturday June 04 2016, @03:13AM

        by jmorris (4844) on Saturday June 04 2016, @03:13AM (#355000)

        That fails to prevent fraud at all. You have to be able to prove your vote wasn't counted or you will have trolls and nutters and everyone will just ignore complaints. Once you can prove it is when the secret ballot fails.

        • (Score: 2) by devlux on Saturday June 04 2016, @04:07AM

          by devlux (6151) on Saturday June 04 2016, @04:07AM (#355008)

          Again you say it fails, but you offer no support, just a provably false dichotomy.
          You appear to be very confused. You are mixing concepts freely that don't mix, so allow me to be a bit more precise in my explanation.

          #1 Fraud here means tampering either before or after the fact with the ballot count. This is the only type of fraud which we can assure against with a technical solution.
          The technical solution involves securing the entries in the database against tampering. We accomplish this by taking a hash of the vote and a nonce, signing the hash with a public key. Then we broadcast that vote to the internet. Once on the internet it is timestamped again and placed in a public ledger. This ledger, by way of being public is visible to the world in near real time. No way to backdate or post date it because there is a consensus network at play. We call a distributed timestamping ledger driven by consensus rules a blockchain. Because that's the right word for it. This isn't buzzword bingo, it's just we have a name for a particular collection of concepts that functions as shorthand for the collective concept.

          #2 Anonymity of the voter, while proving they had the right to vote. This is not a technical problem and there really is no technical solution. We do this the old fashioned way. The voter checks in and signs a paper roll. If they registered to vote they will be on the roll. If they are not registered to vote then they will not be on the roll and cannot vote. After they have signed in, they pick a number from a large group of random numbers. These numbers have ALL been authorized to vote ahead of time and the problem space is wide enough, that it is not plausible that there would be a collision. The voter now has a number. At this point, to the system the voter IS the number. There is no tie between the voter and the number other than the voter's possession of said number. They have written this number down. Once a vote is cast it is tied to that number forever, and the vote and the number are public at the time of casting. However there is no link between voter and number, ergo the voter remains anonymous, but we have verified their eligibility to vote.

          #3 Vote Selling / Claimability. The voter can at any time view the same public ledger on any block explorer and point at any vote and say "hey that's my number! see I voted the way you asked me to!" They can do this whether or not they actually voted for that option. Ergo there is plausible deniability and also plausible claimability. It can and does go both ways. We do this specifically because it completely negates the ability for a pressure group to actually yield a valid result from their tactics whatever they may be. The voter is the only one really who knows whether or not they are telling the truth or lying. Kind of like mailinator for voting. In other words we make it so you can prove the truth to yourself and at the same time anything you want to demonstrate to anyone trying to get you to prove whatever.

          Now you appear to claim that #3 will bring out trolls. We address that by standardizing on open hardware, using open source software and generally keeping the voting process secure. This is the part where we talk about turning this into an international standard for secure electronic voting. People can claim that there was a problem, and if there is a problem it can be quickly uncovered and corrected. In fact we proceed at all times under the assumption that there is a problem and constantly try to prove the claim through whatever factual basis we can. This is in the aggregate though. An individual making a claim would also find the tools to support their claim are widely available, but the burden of proof is on them to support their claims. In general the entire process including hardware, software and people processes would be subject to re-certification on a regular basis. Failure to re-certify would be grounds for immediately questioning the entire vote.

          So please, tell me how this fails?

          • (Score: 1) by ACE209 on Sunday June 05 2016, @12:13AM

            by ACE209 (4762) on Sunday June 05 2016, @12:13AM (#355320)

            The thing is, that you don't want something like this number that can be connected to a vote to exist at all.

            It is not a side effect, that you can't check your vote. This is by design.

            With your solution, someone still needs to take the time to find a number proving he voted the right way.
            This might leave holes for exploitation. Not having such a proof of vote is really the most elegant and far reaching solution here.

  • (Score: 2) by jmorris on Saturday June 04 2016, @02:10AM

    by jmorris (4844) on Saturday June 04 2016, @02:10AM (#354977)

    You are still sperging. You are obsessed with one aspect of election fraud and are correct that you solve it and like many techs, obsessed with applying the latest buzzwords to a problem whether it requires it or not. You are however willfully oblivious to the fact your solution breaks elections in other ways, ways that can't be repaired while retaining your fix for the problem you are interested in.

    If it is acceptable to discard the requirement for secret ballots there are much easier ways to eliminate election fraud while allowing Internet voting. But you can't do that because the secret ballot is an important protection against election shenanigans.

    If we don't care about keeping ballots secret you solve it like this:

    Issue a smartcard to every citizen. Voter registration then becomes a question of key exchange. You appear in person at your registrar of voters with your card and they add its public key to your voter ID info along with your email address and you import their public key. When the ballot is finalized they send you one with a uuid, signed with their private key and encrypted with your public key. You then send in a filled out ballot retaining that uuid and sign with your private key and encrypt with their public. In short it devolves to the standard public key crypto protocol. Both emails use return receipt notification hardened with public key crypto and just resend every few hours and warn after a day. But it ain't secret by any stretch of the imagination. Release a list of the UUID + hash of the keys. No wanking with blockchains required though.

    • (Score: 2) by devlux on Saturday June 04 2016, @02:31AM

      by devlux (6151) on Saturday June 04 2016, @02:31AM (#354984)

      How does this violate the secret ballot? In what ways does this break the election?
      I've read every single comment you've made and you provide no basis that has any validity when taken in context of the given solution.
      I realize you keep saying it breaks things, but do you realize you're not actually explaining how or in what way?

      In fact this method has secrecy at least as strict as any current systems, while introducing an inviolable accountability mechanism that ensures 1 voter equals 1 vote, that votes cannot be added before or after the fact and that the results are a true and accurate reflection of voter intent in near real time, on a public ledger.

      Please enlighten me. If we've missed something, right now is literally the time to address it.

      • (Score: 3, Insightful) by jmorris on Saturday June 04 2016, @03:33AM

        by jmorris (4844) on Saturday June 04 2016, @03:33AM (#355003)

        You are attempting a variation of the DRM problem. In short you are attempting to make water not wet.

        If you can prove your vote you can sell it. No way around that problem. You can make electronic votes secure and verifiable or secret, but not both.

        But you fail to even make them truly secure. Yes a blockchain can assure no votes can be added between two known ballots after the fact. But unless everybody releases their ballot receipts (and there goes secret) you have no way to know how many ballots are stuffed in between yours and mine, so long as they don't stuff more than they have dead and missing registered voters to cover with. And since you aren't addressing secure id of voters they can still send in flunkies to sign the book as dead voters, but that would currently be outside the scope of your current efforts.

        Of course you won't have serious problems with your tests, you are aiming at valid results and aren't attacking your own system. But in a real election the whole machinery is in enemy hands, or must be assumed to be for purposes of evaluating security.

        Meanwhile my low tech proposal solves every failure mode discussed so far, is simple enough that those without degrees in advanced math can understand and trust them and are cheap. Never make a simple problem complicated unless you are up to no good.

        • (Score: 1, Troll) by devlux on Saturday June 04 2016, @04:49AM

          by devlux (6151) on Saturday June 04 2016, @04:49AM (#355014)

          No we aren't trying to make water not wet.

          You mistake the ability of allowing the voter to be assured that their vote was part of the official count as inviolable proof that this voter is the person who voted this way.
          Only the voter knows that for sure and they have no proof of vote beyond a hand written number, they could just as easily have chosen any other random number since the information is made public in near real time.

          We certainly do have a method of establishing how many ballots were inserted between your vote and mine. First there is a roll that is completely offline which needs to correspond 1:1 with cast votes in overall count. If it does not, then what we have is proof of fraud. Secondly the blockchain itself is timestamped. The contents are public and known. Someone stuffing ballots is going to first need to have access to the id numbers which is not an impossible task, but it is a damned hard one. Then they will also need to cast ballots, and these ballots are all timestamped by a series of independent witness nodes. So we know the rate because we can see it.

          Think about what you're saying for a moment... I have attached to my home a watthour meter. Anyone standing in front of the meter can see the rate at which my house is drawing current. If that meter suddenly starts spinning faster, then you know for a fact that something is drawing more power. It might be MY air conditioner, or it might be that my neighbor has dropped a line between my house and his and is charging his tesla. But the fact is the meter is suddenly spinning faster and someone should investigate. There is no way to even know this with a paper ballot.

          As for dead people voting etc, that isn't a problem that can be solved with technology. In fact the only way to solve it that I'm aware of is to make sure that precincts are small enough that the election judges know all the folks by name. If Grandpa Jones has been dead for 10 years but suddenly shows up in the election rolls whether he votes or not, it really ought to be something the election judge is able to catch or he can't be doing his job properly. I realize that is not how things are done right now. But it is the way things were intended to be by our founding fathers and it's inarguably the right way of doing things. Anything else such as "real id", "voter id" etc, is just to compensate for the fact that folks have forgotten how to be neighborly anymore. The real solution is to get to know all the folks who live nearby, then volunteer in your local voting precinct.

          You state that we are somehow being "simple" and overly trusting.
          In fact we are assuming at all times that the system is in enemy hands. However we also recognize that the only thing we can do is use good solid technology to fix problems introduced by the use of weak and flimsy tech. The fact that technology is being used at all is a reflection of the will of the people. May as well make it the best tech we possibly can.

          All the other problems, are more or less down to the people.

          Which brings up an important point.

          Your low tech proposal actually introduces multiple points of failure and introduces untraceable absolute fraud.

          The primary one is that of ballots disappearing or being changed, ex post facto.
          Perhaps not in the original count, but if anyone disputes the results of the initial count and triggers a recount then there is ample opportunity for an enterprising individual to obtain any result that they desire, simply by hauling in a (p)re-stuffed ballot box.

          Secondly, your system can fail even in the original count because you are relying on people reading paper, if they cannot establish the marks on the paper then they could add a count to the wrong choice, or maybe discard what would otherwise be a legitimate vote.

          That's also assuming that all vote counters are good actors. If you have a bad actor then they can simply write down whatever option they wish on the tally, there is no way to say one way or the other.

          Ok so let's add multiple eyes. What's to stop the multiple eyes colluding? Or even worse what's to stop multiple opposed sets of eyes from deriving different information from the same ballot. Truthfully speaking people are deeply flawed, they see only what they want to see, no more, no less. This is a very mechanical task and by that virtue it is one best left up to machines.
          This is because you could have an entire table of people a mile long all doing hot potato and counting one ballot at a time. At some point, someone has to come along and certify the election results. There will never be complete agreement on a count with more than a small handful of counters, so who is the election certification person supposed to believe? Do we just do m of n, the greatest number of counters in agreement wins? What if all the counters in agreement are from the same political party? What if no one is in agreement, shall we just take an average?

          Your solution fails, because this is a complex problem and it's rare that there are simple solutions to complex problems especially when people are involved.

          With the technical solution, you don't need a degree in math. You just need to understand that there are types of cryptography which can be used to verify signatures and there are math functions that will generate a completely unique number if the source material differs by even a single byte of information.

          People do understand this intuitively.
          You can sign for a purchase with a PIN, and the box you bought has a tamper proof seal. You can choose to keep the receipt or discard it. Nothing difficult to understand there at all. Also unlike current solutions which are all closed, in our case if you happen to have the background knowledge, or trust someone who does have the necessary background, you can easily verify every stage of the process. Doing that is not possible in any current system.
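
An added example, not part of the thread and not Democracy Counts project code: the reconciliation devlux describes in the comments above (paper roll count against ledger count, codes left in the hat, per-vote hash, ledger timestamps) run over a constructed ledger. The record layout, SHA-256 over `code|choice|nonce`, and the rate threshold are assumptions; signatures and the NXT chain itself are left out.

```python
import hashlib
from collections import Counter

def digest(code, choice, nonce):
    # Assumed commitment format: SHA-256 over "code|choice|nonce".
    return hashlib.sha256(f"{code}|{choice}|{nonce}".encode()).hexdigest()

def rec(code, choice, nonce, ts):
    # One ledger entry as this example models it (hypothetical layout).
    return {"code": code, "choice": choice, "nonce": nonce, "ts": ts,
            "digest": digest(code, choice, nonce)}

def audit(issued, unused, roll_count, ledger, window=300, max_per_window=2):
    """Reconcile the offline records with the public ledger; return findings."""
    issued, unused = set(issued), set(unused)
    seen = Counter(r["code"] for r in ledger)
    findings = []
    # Roll signatures must correspond 1:1 with cast votes.
    if len(ledger) != roll_count:
        findings.append(("count_mismatch", roll_count, len(ledger)))
    # Votes under codes that were never generated.
    for code in sorted(set(seen) - issued):
        findings.append(("unknown_code", code))
    # Votes under codes that are still sitting in the hat.
    for code in sorted(set(seen) & unused):
        findings.append(("unused_code_voted", code))
    # One code, more than one vote.
    for code, n in sorted(seen.items()):
        if n > 1:
            findings.append(("duplicate_code", code, n))
    # Codes drawn from the hat with no vote on the ledger.
    for code in sorted(issued - unused - set(seen)):
        findings.append(("missing_vote", code))
    # Entry contents no longer match their recorded hash.
    for r in ledger:
        if r["digest"] != digest(r["code"], r["choice"], r["nonce"]):
            findings.append(("bad_digest", r["code"]))
    # The "meter spinning faster" check: votes per time window.
    buckets = Counter(r["ts"] // window for r in ledger)
    for b, n in sorted(buckets.items()):
        if n > max_per_window:
            findings.append(("rate_spike", b * window, n))
    return findings

def voter_check(ledger, code, intended):
    # What a voter does at home: exactly one entry, with the intended choice.
    mine = [r for r in ledger if r["code"] == code]
    return len(mine) == 1 and mine[0]["choice"] == intended

# Constructed sample data: six codes generated, two left in the hat,
# four signatures on the paper roll.
ISSUED = ["C01", "C02", "C03", "C04", "C05", "C06"]
UNUSED = ["C05", "C06"]
ROLL_COUNT = 4
CLEAN = [rec("C01", "A", "n1", 100), rec("C02", "B", "n2", 400),
         rec("C03", "A", "n3", 700), rec("C04", "B", "n4", 1000)]

def tampered_ledger():
    led = [dict(r) for r in CLEAN]
    led[1]["choice"] = "A"                    # entry altered, hash left as it was
    led += [rec("C05", "A", "n5", 1010),      # code that never left the hat
            rec("Z99", "A", "n6", 1020),      # code that was never generated
            rec("C01", "A", "n7", 1030)]      # second vote under a used code
    return led

if __name__ == "__main__":
    print("clean:", audit(ISSUED, UNUSED, ROLL_COUNT, CLEAN))
    for finding in audit(ISSUED, UNUSED, ROLL_COUNT, tampered_ledger()):
        print("tampered:", finding)
```

The count check carries weight only as far as the paper roll itself can be trusted, which is the forged sign-in point jmorris raises earlier in the thread.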

          • (Score: 2) by Scruffy Beard 2 on Saturday June 04 2016, @05:53AM

            by Scruffy Beard 2 (6030) on Saturday June 04 2016, @05:53AM (#355029)

            In a paper election, you prevent pre-stuffing by checking that the ballot box is empty before use.

            You prevent counting fraud by having two people count the ballots. Both partizan and non-partizan observers make sure things are counted correctly; and the ballots are not tampered with.

            You prevent post-stuffing by sealing the box and signing the seal.

            Yes, you seal the box after counting.

            • (Score: 2) by devlux on Saturday June 04 2016, @06:19AM

              by devlux (6151) on Saturday June 04 2016, @06:19AM (#355031)

              Come on, you guys were mostly all around to remember the joy that was the 2000 Presidential Election, weren't you?

              That system works ok until there is a recount, or a dispute as to what the marks on the paper actually mean, or someone cuts off your tamper proof seal, swaps the ballots inside with ballots for a friend, then sticks a new seal on, or the sealed ballot box disappears altogether.

              Any place you involve people in a mechanical process you introduce human fatigue and error unnecessarily.
              Adding more people to a mechanical process just increases the chance for human errors to occur.

              Show me a human who can count ballots more accurately than a well configured and maintained machine, let's not even worry about speed here, just accuracy.

              Vote counting is a mechanical process. If you're worried about the counting machine being tampered with, you build better locks around it and perhaps consider building a tamper proof counter.

              Yet if you can certify that cast ballots are authentic and counted correctly, then the only place left to munge the system is in allowing unauthorized voters to be voting and that's why we have to also push for voter registration rolls and smaller voting precincts.

              As an aside, if you're dead set on using dead trees for this. There is a paper based audit available doing the same thing we are (auditing the primary).
              It's in the facebook page I linked in the original article. So even if you want to be obstinate and not get involved in the Democracy Counts project, at least get involved in something. :)

              I need to make this my last post on soylent for a few days, arguing the points ain't getting the work done. I hope I've shown you that there is a right way to do something and if not I hope I've showed that you can at least do something.

              • (Score: 4, Informative) by Scruffy Beard 2 on Saturday June 04 2016, @06:36AM

                by Scruffy Beard 2 (6030) on Saturday June 04 2016, @06:36AM (#355032)

                Up in Canada we were flabbergasted that it took you guys a month to count ballots.

                We don't have as many different votes going on at the same time, so are able to use simple paper ballots marked with a pencil. Except for close races, all of the ballots are counted within about 3 hours.

                The voter is able to review the ballot and make sure it is properly marked (and free of stray marks). If there is a problem, they can request a new ballot.

                My impression of the 2000 election fiasco is that voters were not able to verify that their ballot was properly cast. They were not able to request a new ballot if they only dimpled the paper.

                Your electronic proposal has the same problem: the voter is not able to determine if the computer casts the correct vote. Sure they get a verification code; but the computer may have already broadcast that same code a minute ago, and instead broadcasts a different code. As far as I can tell, the only way to make sure the vote is cast correctly is a human-readable paper trail.

          • (Score: 2) by devlux on Saturday June 04 2016, @08:32AM

            by devlux (6151) on Saturday June 04 2016, @08:32AM (#355046)

            Question, why was my above comment modded troll?
            I'm genuinely curious as to what was said there that warranted that mod?
            I've never had a troll mod before and furthermore it's one of the least troll-like posts I've ever made.
            Would whomever made the mod please explain the thought process behind it?

            Thanks!

            • (Score: 1) by Scruffy Beard 2 on Saturday June 04 2016, @05:11PM

              by Scruffy Beard 2 (6030) on Saturday June 04 2016, @05:11PM (#355157)

              I did not mod that post a Troll, but have studied trolling theory after being accused of being a troll myself.

              Essentially, there is enough wrong with your post that somebody decided you were being deliberately obtuse.

              troll v.,n. To utter a posting on Usenet designed to attract predictable responses or flames. Derives from the phrase "trolling for newbies", which in turn comes from mainstream "trolling", a style of fishing in which one trails bait through a likely spot hoping for a bite.

              The well-constructed troll is a post that induces lots of newbies and flamers to make themselves look even more clueless than they already do, while subtly conveying to the more savvy and experienced that it is in fact a deliberate troll.

              If you don't fall for the joke, you get to be in on it.

              -Trolling the web: a guide [urban75.com]
              By Steve Spumante

              • (Score: 2) by devlux on Sunday June 05 2016, @12:41AM

                by devlux (6151) on Sunday June 05 2016, @12:41AM (#355338)

                Guess I just don't see anything wrong with the post. Care to clarify on what you see as being wrong or trollish so that I can watch out for it in the future?
                Thanks!

                • (Score: 1) by Scruffy Beard 2 on Sunday June 05 2016, @01:29AM

                  by Scruffy Beard 2 (6030) on Sunday June 05 2016, @01:29AM (#355361)

                  I already responded to the part I had specific knowledge in (because I have worked in a previous election).

                  You mostly ignored the central point of the post you were responding to (simply saying they were wrong because they have to write down the code manually).
                  I am not sure if you are familiar with the Talk the DRM analogy [craphound.com] was referring to. (Note: I was thinking the receipt could give out several dummy codes...but then how does the voter know which one is the correct one?)

                  Then you start building strawmen with dead people voting, and claiming that counting is hard.

                  I am not sure you understand how many people actually count the ballots in Canada. Ridings are broken up into polls of less than about 500 people. Each poll gets 2 (paid) people to watch the box all day and count the votes before sealing it. When I was counting, two ballots got stuck together, and we still finished counting in less than 2 hours. (We knew 1 ballot was not counted because they have serial numbers (that are torn off when the ballot is given out).)

                  It may be expensive to employ that many people, but that is the price of democracy.