Ask Slashdot: Why Haven't We Implemented Public Key Infrastructure Voting?
Long-time Slashdot reader t0qer has a question: why haven't we gone to an open source, Public Key Infrastructure-based voting system? "I'm fairly well versed in PKI technology, and quoting this site, it would take traditional computers 300 trillion years to break RSA-2048 for a single vote."
SSL.com has a pretty interesting piece on using Public Key Infrastructure in voting. There's also a GitHub project that leverages PKI and IBM blockchain technology...
It just seems like paper at this point has outlived its secureness. A closed sourced voting system doesn't really seem like the kind of thing Slashdot would really get behind.
SSL's article points out that the technology seems to exist already. Nearly half the population of Estonia already votes online, and four U.S. states (Arizona, Colorado, Missouri and North Dakota) already have web portals that allow for absentee voting. (And West Virginia has a mobile voting app that uses blockchain technology.) [L]uckily, the groundwork for securing the practice of remote, online voting is already there. We have been conducting many delicate transactions online for some time — the secure transfer of information has been a cornerstone for many industries that have successfully shifted online such as personal banking and investing, and those methods of securing and authenticating information can be employed in voting as well. For years, people have suggested that the use of blockchain technology could be used to secure elections and increase voter turnout.
Share your own thoughts in the comments. Why haven't we implemented Public Key Infrastructure voting?
Fraudbait (Score:4, Insightful)
Because a robust PKI-verified vote is a prerequisite for verifiable vote buying. The problem case is almost completely unlike e.g. online banking, which anyone "well-versed in PKI technology" should realize by themselves.
Re: (Score:3)
The anonymization of the ballot is often neglected in these schemes, I'll have to RTFA to see how it is dealt with there. Mail/absentee voting is also inferior in the area, but fortunately there is no evidence of significant abuse in major elections, yet.
But as to TFA the basic problem is the system needs to be explainable to the voters. The vote must not only be accurate, but also trusted. Paper systems have the same issues... for example there were a bunch of "poll observers" this time who skipped thei
Re: (Score:3)
Quite to the contrary, it very much isn't. Indeed, in a properly designed system, you can't even prove to others who you voted for [slashdot.org] - you can only prove it to yourself.
And re: trust, the ability to use any additional device to verify your votes - such as casting a vote on a computer but verifying it with your cell phone, or even at an registrar's office if you're paranoid - at any point up to or after the election - is certainly a voter conf
Re: (Score:3)
Citation needed. AFAIK, every such claim has been thoroughly debunked. Specifically, in every case, they were comparing the registered voter numbers from a previous election against the number of voters in the current election. It turns that out a lot of people (minorities in particular) saw what happened in 2016, and were bound and determined to register to vote so that it would not
Registrations as of 2020 deadline (Score:3)
As one example precinct 538 in Florida had more ballots counted than the number of people who registered to vote *this year*, as of the registration deadline in 2020.
The relevant election explained / speculated that some people could have moved to the precinct after they registered to vote.
It's theoretically possible that everyone who registered there voted there, nobody skipped voting or moved away, plus more voters moved to the precinct between the registration deadline on October 6 and the election four
Re: (Score:3)
Ps I'm not sure if my point was entirely clear.
The point isn't that there were funky smells coming from certain precincts, so it's probably fraud. Or even probably an error. That's not what I'm saying.
What I'm saying is that when there is a funky smell, a lot of people will *wonder* if the numbers are accurate. They'll reasonably *suspect* there may have been an error or a fraud. With physical ballots we can actually count them and see if the numbers are correct or not. Errors can be corrected. Suspicio
Re:Registrations as of 2020 deadline (Score:4, Interesting)
As one example precinct 538 in Florida had more ballots counted than the number of people who registered to vote *this year*, as of the registration deadline in 2020.
The relevant election explained / speculated that some people could have moved to the precinct after they registered to vote.
It's theoretically possible that everyone who registered there voted there, nobody skipped voting or moved away, plus more voters moved to the precinct between the registration deadline on October 6 and the election four weeks later. That is something that could happen, it's mathematically possible.
Precinct 538 had 754 people on the voter roll. 795 ballots cast. Precinct 538 covers a college, UCF, which as of 2017 had over 66k students enrolled. 754 people seems very small for a precinct that includes a college anyway.
Re: (Score:3)
No, sir/ma'am.
As one example precinct 538 in Florida had more ballots counted than the number of people who registered to vote *this year*, as of the registration deadline in 2020. (In October 2020).
The relevant election explained / speculated that some people could have moved to the precinct after they registered to vote. Which ... could be possible. Maybe everyone in the precinct voted, nobody moved out of the precinct, and some people moved in a couple weeks before the election. That's theoretically pos
Just allow voters to change their vote (Score:3)
It's not possible to verifiably buy that vote, without buying/borrowing the person's private key.
One way to prevent buying the person's private key might be to have the private key be actually two private keys, each encrypted with a password that the voter chooses when registering to vote. In the voting system, both keys appear to the voter to "work" at casting a vote, however one passw
Re: (Score:3)
Re:Fraudbait (Score:5, Interesting)
More to the point, if the person had bothered to read about Estonia's system before commenting, they'd know that you can change your vote any time you want, both with online voting, and also with showing up to vote in person, so "proving to someone who you voted for online" means nothing.
An alternative approach can be found in deniable encryption, where encrypted data can yield multiple different, plausible results depending on which key is used to encrypt it, and a person can create as many keys as they wish. Thus you can know that you're using your true key when viewing the results, but you can't prove it to another person.
Re:Fraudbait (Score:5, Insightful)
When at stake is an office that can issue full pardons, any penalty up to and including the death penalty is insufficient. Not to even mention that your ability to prove this beyond reasonable doubt is going to be near impossible in most cases where the perpetrator has planned the crime well. Considering the amount of money that goes into modern political campaigns, you can expect the best minds in the world to be planning such crimes should the secret vote go away.
Finally, in addition to vote buying, voter intimidation becomes possible.
In general, secret vote is absolutely and utterly critical for a functioning liberal democracy. Without it, the primary defence of voters against wide variety of tools of subversion is irreversibly stripped away.
Re:Fraudbait (Score:5, Insightful)
The last election in the US was the most secure in its history, and also had the highest participation ever. So security of the vote itself doesn't seem to be an issue.
What is an issue is gerrymandering and disenfranchising voters. PKI seems like it wouldn't solve either of those, in fact it might make the latter worse.
Re: (Score:3, Insightful)
>The last election in the US was the most secure in its history
Repeating a religious mantra doesn't make it less incorrect than it was before.
Re:Fraudbait (Score:5, Insightful)
You think that, but you fail to take into account that there are people on both sides that think that the opposing candidate is *literally* Satan, Hitler reincarnate, or someone else equally bad.
It's amazing the lengths some people will go to because they think they're saving civilization as we know it. They feel completely justified.
Re: (Score:3)
Yeah well it's much easier to go saving world on the internets than to sit down and fix one's own life.
^ this
Read a great analysis of conspiracy theory believers recently that made exactly this point, that people would rather believe in some global conspiracy Great Satan because that lets them absolve themselves of all responsibility for their own mistaken choices.
Because it's not necessary. (Score:5, Insightful)
& if there is no paper trail of your bank acco (Score:2)
Oh wait, that never happens.
Because data, when properly secured and validated, is secure and valid.
Re: Because it's not necessary. (Score:2)
You seem to be unbelievably ignorant of the history of voting fraud in these United States, mostly done by paper for well over a century.
Re: Because it's not necessary. (Score:5, Insightful)
* - Many systems include no paper trail, which means audits are severely hampered, but, if you need a paper trail to provide verifiability and traceability, perhaps you should just use paper
Re:Because it's not necessary. (Score:4, Informative)
Re: (Score:3)
clearly you are doing things wrong if people have to wait for hours just to vote.
Living in the UK, we have a paper ballot system, and it takes me about ten minutes to vote, with virtually no queues. I go to a checkin desk, and give my name and address. They cross me off a printed list, and give me a ballot paper. I go to a private booth, mark my choice, then drop the ballot through a slot in a box. This process has the great advantage that you do not need any technical qualifications to operate it, and to see how it works. I consider this of vital importance to democracy, where the peop
Re: (Score:3)
My thought is crypto systems and electronic methods should supplement rather than replace paper. For instance if you did have a robust PKI system in absentee ballots you could replace the ink signature w/ scanning a barcode and having your ID card generate an OTP for that ballot. It reduces the skill needed to check signatures and there is no gray area, either the 10 digit number is correct or it isn't.
Electronic terminals can increase accessibility (large text, braille terminals, many translations,) an
Re:Because it's not necessary. (Score:4, Funny)
I can't believe I'm on /. and reading people posting that we need to stick to paper, as opposed to something higher tech. Slashdot, I hardly knew ye.
Re:Because it's not necessary. (Score:5, Insightful)
Re: (Score:3)
While all you say is true: the US has a 17th-century third world voting system.
Does not really matter if it is on paper or electronically.
If it is electronically, they will still find a way to gerrymander it somehow.
As long as the US is not getting away from that absurd 2 party system - on all levels - it is bottom line not a single bit better than China or North Korea. Except for the fact that the US has twice as many corrupt politicians and the honest ones have it twice as hard.
300 trillion years to vote? (Score:3)
300 trillion years to vote? It was bad enough that it took an hour. And, the wounds in our democracy will take long enough to heal without adding Open Sores. And what happens when I lose my key?
the public don't get it (Score:3, Insightful)
Re: (Score:2)
Lack of (Score:4, Insightful)
Re:Lack of (Score:5, Insightful)
Most of all, if it can't be explained to the masses, no amount of theoretical technological robustness is going to convince people that it isn't just a way to hide more fraud.
Re: (Score:2)
Most of all, if it can't be explained to the masses, no amount of theoretical technological robustness is going to convince people that it isn't just a way to hide more fraud.
Hell, you can't even convince the IT security experts. The public is easier to convince than those who understand the technology.
Re: (Score:3)
Agree: obvious transparency is the key (so to speak). No black boxes or devices. The system must be obvious, understandable, and auditable to people without IT or math degrees, pretty much the only requirement is basic literacy and counting skills. So that hundreds of thousands of people across the country (involved in conducting the election but also in voting) can come to the same conclusion, know how they did it, and feel confident no one else tampered with it. Hard to beat hand-counted paper ballots.
So you get 1 month to vote online (Score:2)
That way, no one can force you to vote a certain way, and you can't prove to them you voted a certain way, unless they kidnap you for the month, in which case you have bigger problems than voting.
This is the functional equivalent of the Denmark system you mentioned.
So much more to it. (Score:2)
Signing a 'vote' is the easy part, it's all the other stuff behind it that is the hard part.
Maybe because it wouldn't matter that much? (Score:2)
I'll just leave this here [youtu.be]. We'd probably benefit more from ranked-choice voting/polling.
For the same reason the tax system is complicated (Score:3)
Those in power want things to be a mess so they can exploit all of the loop-holes.
Technology doesn't solve this problem. (Score:5, Informative)
Please explain to your parents how they should trust that their vote is secure with PKI. I'll wait...
Voting requires trust and anonymity. Having anonymous electronic bits that can be silently manipulated by dedicated actors makes it a solution that is impossible to trust. You cannot convince a large enough group of the population that it's trustworthy. Hell, we have people that are claiming that the paper ballots are being manipulated even with no evidence of it. All you need to do is put some doubt in people's minds and it will unravel quickly.
Everyone loves to use banks as examples of industries that can make a secure system. Except they're hacked regularly and people are constantly defrauded. Banks are able to keep trust by /not/ having anonymity. They're able to go in and fix transactions. If you slip up and give your credit card number to a phishing website they can revert all the transactions because they know who you are and what you did. Voting requires anonymity so it's not possible to fix situations where people are tricked or coerced into voting a certain way.
The answer seems bloody obvious (Score:4, Insightful)
It won't happen because most people can't understand the explanation regarding why it would be secure.
Not to mention that it's not really necessary. Paper ballots are pretty darn secure.
The instructions could be (Score:3)
But seriously, there would be a pool of 10s of thousands of comp sci grads and hundreds or thousands of cryptography and blockchain experts who could opine on the security of the system. A consensus opinion would quickly form, aided by a $1 million security bug bounty.
Bury it in the desert. Wear gloves. (Score:5, Insightful)
PKI is good for a lot of things, but sometimes it's best not to over think this.
1) The voting with PKI in the paper assumes there are national ID cards. The US doesn't have that or anything close to that.
2) Voting needs to work with the actual citizens of this country, some who don't have computers, most who don't have an ID card reader, etc
3) Voting needs to work ALL the time. Power outages shouldn't stop the polls, computer problems shouldn't stop the polls.
4) Voting needs to be verifiable by anyone easily.
Some of these schemes will work on the small scale, but paper and pen\pencil methods, while they seem archaic, actually do the job quite well. Adding computers into the mix as the one guarantor of the vote will just make things worse, as states that went to all computerized systems found out after they were all the rage in 2000. They're just too complex, assume a technical sophistication of everyone, cause too many issues on the day of, and people really freak out once they find out there is no good paper trail, so they've all been retired or are in the process of being retired.
Also this [xkcd.com]
Re: (Score:3, Informative)
1. The US does have national ID card now, it's called SecurID and is required (or passport) by every citizen to get on an airplane.
Democrats will just cry racism when talking about requiring an ID to vote, but where were they when they voted to require a national ID (SecurID)
to travel by airplane.
Ballots have one big advantage... (Score:5, Insightful)
You can have ballots without being able to identify who cast them, which is to say, people can vote without being targeted for their votes if the wrong people get access to the ballots.
Vote fraud is, by and large, very close to a complete non-issue in the US. There's a handful of people doing individual-scale vote fraud, probably, and they seem to get caught, and larger-scale things are vanishingly rare, because nearly everyone agrees that this would be bad, and they're on the lookout for it. So, yeah, we have definitely had some known cases, but... Chicago's big illicit voting problems were in the 1960s, and the reason that's still the go-to example is that it's one of the only ones we've had.
Vote suppression is at least as effective and much easier to get away with.
Any of the alternatives like ranked-choice or strict approval would produce better results, in general. And we might yet get there some day; ranked choice voting is actually very popular with people, but not as popular with political parties.
(You can, BTW, safely disregard the surreal conspiracy theories about how much fraud there is, or you can spend a bit of time reading careful writeups of them, but honestly, once you see the list of Minnesota cities presented as evidence of fraud in Michigan, you sort of know what the quality of work you're looking at is going to be.)
Bad... BAD security (Score:2)
300 trillion years to break RSA-2048 for a single vote."
If I give you a public key - it will take 300,000,000,000,000 years, if I give you 200,000,000 public keys it will take you 1.5M years. Now if I build a beowulf cluster of 10,000 of those standard computers, that gets you to 150 years. This starts getting into the range that I can create an ASIC to mount onto the PCI bus so that I can accelerate each computer by 1000; that gets us to about 8 weeks with today's technology to get each one...
Now convince me that my dad will be able to create, safely store, and r
It shouldn't record the ballot near public key (Score:3)
The actual ballot, once decrypted, should get re-wrapped in the voting system's own encryption, and sent by a completely separate data path to the vote recording blockchain, after going through a random mixer to decouple the time of arrival of the ballot from the time order that the "has voted" bit is associated with the public key.
The fact of that public key having voted can be stored on a separate blockchain.
Re: (Score:3)
If I give you a public key - it will take 300,000,000,000,000 years, if I give you 200,000,000 public keys it will take you 1.5M year.
No, it will take 300,000,000,000,000 times 200,000,000 years. Seriously? Such strong math problems?
I give you my public key - that identifies me as the voter. I send my ballot in, the election system identifies me, decrypts and authenticates my ballot.. now has my ID and vote pretty close to one place
That is not how public/private keys work. No one knows your private key, t
Because it's a shitty idea. (Score:3)
If a machine is involved in any way, it is possible, however difficult you make it, to screw around with it in a way that can't be proven. Every election that makes use of a machine should be considered invalid.
Where's the proposal? (Score:2)
Someone would have to propose an actual system, preserving the (notional) guarantees of the current system (at least anonymity and without property or tax qualifications), for us to be able to comment on why we hadn't actually implemented such a system.
Estonia still uses paper ballots, a lot of people still use them - we could certainly (as some localities have done) implement a similar partial e-voting system, but that wouldn't answer the premise behind the question. Also of course at a bare minimum you'd
Because that isn't the problem (Score:5, Informative)
Voting is a very difficult problem to solve digitally because of the nature of the parameters inherent in voting:
1. Voters need to be able to be identifiable as voters.
a. Entities who are not eligible to vote (e.g. Russia) need to be prevented from casting votes.
b. Entities who are eligible to vote need to be prevented from submitting duplicate votes.
i. This cannot use IP addresses or devices, as it is as possible for one device/IP to be used by multiple eligible voters as it is for a voter to have multiple devices.
2. Votes need to remain secret.
a. Voters may not be tied to their ballots, and must be assured that they are not.
b. Votes need to be secured in transit.
c. Votes need to be secured at rest.
3. Votes need to be verifiable.
a. Votes need to be verified as being submitted successfully.
b. Votes need to be capable of being subjected to a recount individually.
Now, I'm by no means an expert on how certificates and PKI and all of those things work. What I understand of it, though, is that PKI does nothing to solve Problem 1, can help to a certain extent in certain parts of problem 3, and can only be involved in #3 by subverting #2.
Estonia works because, according to TFA, the key is part of an ID card. Now you've taken a baseball bat to the hornet's nest of "Voter ID requirements" that is highly controversial. Moreover, TFA says that the private key on the ID card is being used for signing documents and verifying authenticity of documents other than ballots, meaning that one's private key is tied to a real world identity, meaning that ballots aren't secret anymore.
Browser-based methods of voting need to validate the end user somehow, and can't use devices or IPs to do it - one voter could have multiple devices, or a single device could be used by multiple voters. The "Digital Divide" that is heavily discussed in terms of education is now doubly exacerbated by being a barrier for low income voters, and you'd have to somehow validate the voter as a voter, not as a taxpayer or land owner, in a way that works on iOS and Android and Windows and OSX and Linux and isn't a hardware token or device ID or phone number or IP address.
The ultimate answer here, is that PKI doesn't solve most of the issues with election security. It helps in certain steps of the process, but those are the "easy" problems to solve. It's making sure that there is one vote per voter, no more and no less, in a way that also prevents votes and voters from being paired together while also allowing for independent audits and recounts.
Pretty much every technical solution involves a compromise. Hand out keys at the DMV? Great, you've just advocated for Voter ID laws. Allow self-generation of private keys, upload public keys, and sign a vote with a public key? Great! you've just ended the secret ballot. Use some variant of a Google Form? Great! You've just allowed foreign actors to vote. Use a state-issued CA to validate private keys? Great! You've got one hell of a single point of failure there.
Paper may well have its issues, but paper ballots seem to be the solution to all of these almost-conflicting requirements. The issues, for the most part, aren't technical.
Re: (Score:3)
You're right, the voting requirements are near-contradictory.
I'd go further to suggest they're flawed:
- Someone's vote going public means: {"my_name": "my_vote"}
However if someone has an ID known only to the state, it becomes: {"my_state_secret_id": "my_vote"}
Anyone unmasking vote-to-user info would be immediately criminal and therefore questionable regarding the facts they bring.
Being provided your ID would resolve #1 and it being "mostly" secret handles the revised #2.
If everyone's vote included a rec
Tom Scott said it best (Score:4)
https://www.youtube.com/watch?... [youtube.com] - "Why Electronic Voting is a BAD Idea"
https://www.youtube.com/watch?... [youtube.com] - "Why Electronic Voting Is Still A Bad Idea"
Comment removed (Score:3)
False (Score:2)
That 300 trillion years number is nonsensically false - it's for a 1 GHz desktop computer circa year 2000 without using a GNFS algorithm. Using GNFS, 1024 is doable today with about 1 month on just the top publicly known super computer. Think about it .. someone cracked 829-bit RSA earlier this year on some desktops. Given the reduction in cost of computing and the scaling of supercomputers .. we should be able to crack 2048 encryption within 10 to 20 years .. and even that's assuming no signification brea
obligatory XKCD (Score:2, Redundant)
would make it worse (Score:2)
Can we do the same for SSNs? (Score:2)
There is one problem you can't solve. (Score:5, Insightful)
Voting has several criteria to fulfill:
The first one is ridden with problems no computer can solve: How to determine if someone is eligible to vote? Voter suppression by making it more difficult for some people to vote than for others is a social problem. While electronic voting can solve each of the other requirements, it is not able to solve all of them at the same time. One big problem is to allow for both equality (fairness of the count) and secrecy (non-attributable vote). Your vote has to stay secret, so no one can prove how you voted. Otherwise your vote can not be kept free, because you individually can be made responsible for how you voted, either by paying you to vote a certain way or by forcing you to cast your vote in the desired way. But if your vote is secret, there is no way to prove that it got counted correctly. You simply have to trust the people who set up the computer that they do their job correctly, and that the software is bug free enough, as you can not watch the count (and in the current election, watching the count was one of the big issues in countering numerous claims of voting fraud). Yes, with Open Source, some people can check the integrity, but most people are not able to read and understand source code, and even for specialists, it is time consuming to individually read through very long computer listings and make sure, neither glitches nor intentionally obfuscated tampering slips through.
Paper ballots are the counter example. They are simple enough that everyone understands how they work by simply looking at them. And it's easy to have people watch the count and convince themselves that the count is fair. Additionally, you can have the whole voting process in public, from shipping empty ballots to the voting places to handing them out to the single voter, checking the eligibility of the voter and watching them put the ballot in the ballot box. You can hide the actual casting of the vote in the voting booth without tampering with the integrity of the whole voting process. You can effectively prevent things like ballot stuffing by keeping an eye on the ballot boxes from sealing the proven empty box to breaking the seal for counting and then counting the whole contents of the box.
Internet voting starts from internet-anything-else (Score:5, Informative)
Writing from Estonia.
I authored the first risk analysis of the Estonian internet voting system in 2003 (with others).
Our path to secure voting started from:
a) secure online identity - government-issued identity cards with two certificates (digital signature and TLS client authentication)
b) getting all your daily services online
c) getting the population used to using the ID cards
d) public education campaigns about cyber hygiene, especially using those cards
You cannot provide a _single_ secure service online. People won't know how to use it and the human component will fail.
You start from putting all your banking online (we believe we had the world's first Internet banking applications in the nineties), students accessing their schools online, parents accessing their children's records in the schools, all _other_ government services, utilities, everything.
Only then do you tackle voting.
A few other things to note:
- Our ID cards are not mandatory to use for anything, you can still do everything in person.
- The government pushes for transparency in digital communications. This really works. Any citizen can monitor the requests or queries that government agencies have made about them to any other agency; it is an online service, free of charge, and near-real time. This is possible by all agencies using a single, secure and auditable system to exchange data. Think "enterprise message bus" with authentication, authorization and signatures but on country level;
- We have a recent history of living in Soviet Union, so we have engineered the systems to proactively avoid any "big brother" scenarios;
- There are mechanisms to fight coercion, privacy and other voting-related risks;
- The voting implementation is completely public - from crypto protocols and security analysis to source code and deployment notes. Everybody is welcome to compile, run and test a copy of the system himself.
Do I recommend the same system to the US?
No, I don't and I cannot.
Estonia is small, we can agree on protocols and implement them on country level.
Re: (Score:3)
Estonia was lucky to establish government-based digital identities _before_ Facebook and Google appeared.
Now the global identity market is hijacked by a few US companies. All governments save China, India and Russia are thus in a stalemate. There is no incentive for establishing a national online identity when everyone can "log in with Facebook". But would you build voting on this?
Re: (Score:3)
The Estonian i-voting documents are available here:
https://www.valimised.ee/en/in... [valimised.ee]
Technical docs include principles, architecture, code, crypto and so on.
Organizational docs include procedures, auditing guidelines, audit reports, risk assessments etc.
Secrecy and anonymity are reached by a "double envelope" protocol using PKI and role separations.
There are two servers, say "outer" and "inner".
- the voter creates a "vote"
- encrypts the "vote" with the inner server's public key, creating an "inner envelope"
-
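A toy simulation of the double-envelope flow sketched above, which also illustrates the role separation and mixing idea from the "It shouldn't record the ballot near public key" post; this is an added example, not code from the Estonian system or its documents. It uses unpadded textbook RSA with short keys purely for illustration, and the outer envelope (the voter's signature over the inner envelope) plus the "latest ballot wins" re-vote rule are assumptions about how the cut-off description continues.

```python
import hashlib
import random
import secrets

def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probable-prime test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_keypair(bits: int = 256):
    """Textbook RSA keypair ((e, n), (d, n)); short primes keep the demo fast."""
    def prime():
        while True:
            p = secrets.randbits(bits) | (1 << (bits - 1)) | 1
            if is_probable_prime(p):
                return p
    e = 65537
    while True:
        p, q = prime(), prime()
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (e, p * q), (pow(e, -1, phi), p * q)

def rsa(key, m: int) -> int:
    """Raw RSA: no padding, so identical votes give identical ciphertexts.
    A real scheme must use randomised encryption so the inner server cannot see that."""
    exp, n = key
    return pow(m, exp, n)

def i2b(i: int) -> bytes:
    return i.to_bytes((i.bit_length() + 7) // 8, "big")

def sign(priv, data: bytes) -> int:
    return rsa(priv, int.from_bytes(hashlib.sha256(data).digest(), "big"))

def verify(pub, data: bytes, sig: int) -> bool:
    return rsa(pub, sig) == int.from_bytes(hashlib.sha256(data).digest(), "big")

def make_ballot(voter_id: str, voter_priv, inner_pub, choice: str) -> dict:
    """Voter side. Inner envelope: the choice encrypted to the inner server.
    Outer envelope (assumed continuation): that ciphertext signed by the voter."""
    inner = rsa(inner_pub, int.from_bytes(choice.encode(), "big"))
    return {"voter_id": voter_id, "inner": inner, "sig": sign(voter_priv, i2b(inner))}

def outer_server(ballots: list, registry: dict) -> list:
    """Role 1: verify the outer envelope against the voter roll, keep each
    voter's latest ballot, then strip identities and shuffle. Sees no votes."""
    latest = {}
    for b in ballots:  # processed in arrival order
        pub = registry.get(b["voter_id"])
        if pub is None or not verify(pub, i2b(b["inner"]), b["sig"]):
            continue  # unknown voter or forged signature: dropped
        latest[b["voter_id"]] = b["inner"]  # a re-vote replaces the earlier one
    anonymous = list(latest.values())
    random.shuffle(anonymous)  # mixing: decouple arrival order from voter
    return anonymous

def inner_server(envelopes: list, inner_priv) -> dict:
    """Role 2: decrypt and tally anonymous inner envelopes. Sees no identities."""
    tally = {}
    for c in envelopes:
        choice = i2b(rsa(inner_priv, c)).decode()
        tally[choice] = tally.get(choice, 0) + 1
    return tally

def run_election() -> dict:
    """Constructed scenario: three voters on the roll, one re-vote, one forged
    outer envelope and one ballot from someone not on the roll."""
    inner_pub, inner_priv = gen_keypair()
    keys = {v: gen_keypair() for v in ("alice", "bob", "carol")}
    registry = {v: pub for v, (pub, _) in keys.items()}
    ballots = [
        make_ballot("alice", keys["alice"][1], inner_pub, "A"),
        make_ballot("bob", keys["bob"][1], inner_pub, "B"),
        make_ballot("carol", keys["carol"][1], inner_pub, "A"),
        make_ballot("alice", keys["alice"][1], inner_pub, "B"),  # alice re-votes
        make_ballot("bob", keys["carol"][1], inner_pub, "A"),  # forged: wrong key
        make_ballot("mallory", gen_keypair()[1], inner_pub, "A"),  # not on roll
    ]
    return inner_server(outer_server(ballots, registry), inner_priv)  # A: 1, B: 2
```

Calling `run_election()` counts one vote for A and two for B: the forged and unregistered ballots are dropped at the outer server, and alice's second ballot replaces her first, while the inner server only ever receives shuffled ciphertexts with no voter identities attached.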
Some assumptions going on here (Score:3)
First, some States send cards or voter information packs to voters just before an election. Nothing stops them sending a chip or SIM card with that pack.
Second, it is assumed that PKI voting has to mean remote voting. Why? What's wrong with machines at polling station using your chip to digitally encrypt your vote to prevent editing afterwards?
Third, it is assumed that PKI voting can't use paper. What's wrong with the voting machine printing your ballot with the digital signature in ASCII armoured format, then keeping the signed encrypted ballot - or even just the signature with no ballot - for electronic transmission? That way, you can prove the number of ballots counted must equal the number of ballots cast.
Fourth, it's assumed PKI isn't anonymous. Why shouldn't it be? A machine can program a chip with a public key whilst keeping the private key in a tamper-resistant location. It can also send the chips out by FedEx. The only room anyone needs access to is the mail room; the server room can be physically secure. If the machine is A1+ on the Orange Book scale, with all the implied hardware requirements, neither election officials nor anyone else is going to have access to the private keys, and only the recipient has access to the public key.
Fifth, it's assumed that just because ballot stuffing is very rare that ballot omission is also very rare. West Virginia had a recent case where a candidate "collected" postal votes from elderly residents and threw away those not for him. South Carolina, in the 2000 election, saw votes being found after the fact stuffed behind furnishings. And in the most recent election, fake ballot collection boxes were put out. Wonder why those don't get mentioned much in the fake votes protests. Oh, it's because it's the same side that's claiming fake votes. The PKI system I've proposed in the past and outlined here would prevent this sort of fraud -- which we know does happen -- as well as the box stuffing (which we don't).
Yes, these are expenses. I'm not even going to claim they're that useful or solve any real or significant problem. (You'll notice I gave three examples for all of the districts in all of the States across 20 years. That's because I can't think of any others.) Not the point. The point is that the aforementioned objections are invalid assumptions. Can we focus the debate on the real objections, because there are many and we don't need to be side-tracked.
So, for those who like it in one place, here's the proposal I have for PKI voting.
1. Machine in a secured, shielded room, A1+, running a single piece of software written using formal methods, programs and tests chips in the same manner a credit card company or a SIM chip company would, containing the public key but no PII. These cards are sent to be delivered by FedEx to voters. Private keys are retained, public keys are not.
2. Machine voting at polling stations would print out a paper ballot containing the ASCII armoured digital signature of the vote. This ensures that a vote is attributable to having been cast by a voter, that the voter has cast one vote and that the vote is unmodified. The signature is kept by the machine. The count of signatures must match the count of paper ballots, proving no votes added or deleted. Encrypted copies of the votes may also be kept, so that the central machine can produce an electronic tally. Since the signatures are unattributable to individuals, they can be sent to any observers or the media, who can verify that the counts match up.
3. Postal ballots would be replaced by a robust, impact-resistant, tamper-resistant embedded computer but would functionally be no different. Where witnesses are needed, you'd need a counter-signed digital vote. Yes, there's the risk of intimidation, but there is with any postal ballot. It's not different here, except that as the vote is encrypted, you've reduced the risk of people destroying ballots because they're for the wrong person. You've not eliminated a threat, just reduced the scope a l
Public Trust Requires Public Understanding (Score:5, Insightful)
Most people can understand every aspect of paper voting and counting. Nobody can comprehend every aspect of voting involving computers because they're just too complex: Together the BIOS, OS, drivers, voting software, etc. will have millions of lines of code. Yes, there are ways to attempt to rig paper ballots but there are always going to be way more ways to rig electronic voting.
If you want to have computers help, program them to OCR the paper ballots so you can spit out a quick result. That way you still have the paper around for a manual recount if there are any suspicions.
It isn't about security - it's about trust (Score:3)
Having super-duper-secure cryptography isn't the point. The single most important requirement is having a system so simple and transparent that Joe Sixpack and Sally Soccermom can understand it, and will trust it.
Touting cryptographic algorithms does not meet that requirement. Having votes disappear into an electronic gizmo does not meet that requirement. Frankly, the only thing that does is paper-based ballots.
Too problematic, and doesn't solve anything... (Score:3)
The logistics of voter ID is considered problematic enough to cause disproportionate disenfranchisement of certain voter groups. Could you imagine trying to get people to go through the trouble of acquiring and maintaining the private key material/devices/whatever you are planning?
There's a reason even 2FA is not a mandatory thing in a lot of financial services businesses, where the stakes for an individual compromise are higher.
It's one of those things that sounds great to a technology person thinking about the theory of something, but in practice would be a nightmare to try to implement for every voting citizen.
It wouldn't even stop these cries of 'election fraud' happening currently. He's been prepping to call 'election fraud' no matter what for the last 4 years. If the signing was simply to submit ballots, but the ballot ownership was secret, he'd claim vote counters would open the envelopes, stack up the legitimate ballots, then shred them and replace with a count of favorable ballots. If you gave up on secret ballot (a terrible idea), then they'd *still* claim dead people are voting as an explanation. There's always a place to shout 'election fraud' if you don't care about actual evidence, no matter how far you take things. Heck, they might even claim 'hackers broke the encryption', which technical people would recognize as an outlandish claim, but the problem is that the average citizen can't evaluate the veracity of such a claim. They would be told to distrust the 'deep state' that's conspiring to tell you this system is secure so they can manipulate it as much as they want.
In short, this isn't a technology problem to solve.
Paper is required, whatever else accompanies it (Score:3)
It just seems like paper at this point has outlived its secureness.
Do NOT make the mistake of taking paper out of the process. Paper is compatible with electronic voting, and IMO is *required* for securely auditable voting. Without paper, numbers come crawling out of machines and they're very hard to contest without being a computing genius with the right access to the machine. Paper solves this. Here is how the process works:
Because technology cannot solve social problems (Score:3)
Because electronic voting can never be made secure and is never going to be trusted.
Because a larger issue than fiddling with voting systems is figuring out how to stop demagogues from undermining trust in democracy.
Here in Canada, we vote using paper ballots. In the entire history of the country, there has never been the slightest suspicion of material electoral fraud. Technology is not the problem and it won't be the solution.
Secret Ballot (Score:3)
> Luckily, the groundwork for securing the practice of remote, online voting is already there.
Voting from home and voting by mail all break "Secret Ballot", which is one of the core securities of voting.
If someone offers to pay you $100 for voting for his party, you could take that $100 & still vote for someone else at the booth because he has no way of verifying who you voted for at the booth. Because of SECRET BALLOT.
Likewise, if someone is threatening you.
But there is no secret ballot with voting from home or mail-in ballots.
Most countries have laws which insist on "Secret Ballot".
The right to hold elections by secret ballot is included in numerous treaties and international agreements that obligate their signatory states to do so.
https://en.wikipedia.org/wiki/... [wikipedia.org]
We need VETTED digital certificates 1st (Score:3)
Re: old tricks don't work on it (Score:4, Insightful)
The same old tricks are done with voting machines, ballot stuffing, dead voting early and often and etc.
Citation required. What "same old tricks"? Name one trick. Name one instance of ballot stuffing or dead people voting at all or anyone voting more than once. I'd like to read about it. Because I have worked on elections (ballot issue and counting) at local, state and federal level since the 90s and have never seen a single instance of fraud. Trump lost. Get over it.
Re: old tricks don't work on it (Score:4, Interesting)
Most "ballot stuffing" claims are caused by accidents. E.g., you voted online, forgot you did, and then voted again in person.
The solution there is to make the "voting in person" cancel the online vote if one exists.
Dead people voting, again, caused by people with the same name in the same voting area being mis-identified.
Like look at all the crap people had to do to stay registered, some people had to register multiple times because automated processes kept deleting them from voter rolls.
Now, the way to really solve that one requires combining the census, income taxes and voting into one system. When you file your taxes, you are automatically "registered to vote" and marked as "census resident of (voting area)" along with whatever info is needed to redraw district lines that year. Nothing you do will take you off the voting roll except moving and filing a new tax return.
However the missing piece of the puzzle here is having voting districts redrawn only by population density, not race/age/gender/political-affiliation/income (it should look like a grid within natural geographical barriers, nothing else.) As long as voting districts can be gerrymandered, nothing done to "Secure" the vote matters, because politicians can disenfranchise voters by drawing the voting districts to favor themselves only.
As far as doing public-key anything, it will eventually work, but it requires a top-down approach starting with the federal government, that everyone use the same voting hardware and software, and no usage of insecure hardware (e.g. no mobile phones running unsupported operating system versions.) As long as weak systems keep being used, it doesn't matter what is used to secure the vote if someone can get a rootkit on their device and "vote without voting". Android devices are notorious for this, and any device that can be sideloaded would be ineligible to vote from. This isn't like banking or playing MMO games, where you can have the account investigated from your own stupid actions. You only get to vote once, and if your device does it for you, then there is no undoing it.
Re: old tricks don't work on it (Score:4, Interesting)
Re: (Score:3)
Yeah, thank god that the regressive government hasn't added that extra "other" box to the Census form. That simple non-change right there saved the Republic!
You do know that someone else's gender is really none of your business, and doesn't affect you in any way, right?
Re: (Score:3)
This is not an exhaustive list; for example, it doesn't have the mayoral fraud from California or Texas that happened this year.
https://www.heritage.org/voter... [heritage.org]
There will always be people that try to game the system, and one has to assume that the higher up the ladder you get the more careful you will be about it.
Re: (Score:3)
Name one instance of ballot stuffing or dead people voting at all or anyone voting more than once. I'd like to read about it.
To be fair there are plenty of cases of the above in every voting system all over the world (including the USA). But to be clear, they are almost universally the result of a clerical error or so infinitesimally small as to be irrelevant for the outcome of the vote.
There's a reason why we talk about the past election in terms of "mass" fraud. Because absolutely everyone knows that finding single isolated cases of fraud is trivial.
The checks and balances we have in place against this largely eliminate the cha
Re: old tricks don't work on it (Score:4, Interesting)
Actually there are two documented fraud cases in PA, but they were Trump votes. The Lt Gov of Texas offered a $1 million reward for evidence of voter fraud. Well, he isn't paying out for some reason: https://www.newsweek.com/penns... [newsweek.com]
Re: old tricks don't work on it (Score:3, Interesting)
About 70 sources and growing, from both Democrats and Republicans. https://missliberty.com/voter-... [missliberty.com]
Re: old tricks don't work on it (Score:4, Insightful)
While the mainstream media may not be the most trusted sources out there, they are vastly more trustworthy than the fake news industry. The solution is to have some skepticism towards the news, not to embrace conspiracy theories like those links do. Yes, we know CNN is a bit biased but it has actual news; if it says a house is on fire you can pretty much accept that this happened. However things like Newsmax and OANN and Breitbart are outright houses of fiction with bias tattooed everywhere.
I.e., if you think NASA has some mistakes in their science then that is not a justifiable reason to run off and wholeheartedly accept flat earth theories.
Re: old tricks don't work on it (Score:5, Insightful)
I received multiple mail in ballots without requesting any. Waiting to find out which ballot was counted or if all.
Are you implying that you *sent* multiple ballots back? That's 1) a felony (at least in the US as far as I know), and 2) your problem, not the authorities' problem.
Re: old tricks don't work on it (Score:5, Informative)
More likely he received multiple requests to fill out a form to receive a mail in ballot. Almost any organization can send out ballot request forms and many do in hot states.
But the ballot form itself is sent by the election agencies. So if he got multiple ballot forms, not only should he send back just one, but as part of his civic duty, should also report it to the elections board in his county. They do take this kind of stuff seriously and this reporting is how we protect our elections.
But of course we know that guy is just posting a false story for his own amusement.
Re: (Score:3)
Re: old tricks don't work on it (Score:3)
Re: old tricks don't work on it (Score:5, Informative)
Said voters then cast a provisional ballot. Provisional ballots are then analyzed and a determination is made on which vote, if either, was valid, and whether there's any clear evidence of fraudulent intent. If there is reason to suspect the latter, it is referred to prosecution for further investigation.
A voter is disincentivized to try to do both a mail-in and in-person vote because of the risk that neither will be counted, versus the high unlikelihood that both would.
Re: (Score:3)
No. The whole point of the secret ballot is that votes can't be traced to individual voters. You can tell if a person had already voted, but you can't tell who they voted for; and thus you can't call back the vote of somebody who voted by mail if they later come in and said no, they didn't vote.
But if you go to vote in person and are told that you have already voted the mail in vote is most likely still sealed in an envelope with your name on it. You cast a provisional vote at the in person voting location and that provisional vote and the mail in vote are scrutinized to determine which one is actually to be counted. Once that determination is made then the mail in or provisional vote is unsealed and added to the rest of the votes for that election.
Note: since each state has their own rules for ho
Re: (Score:3, Insightful)
So, someone who has worked as an election official for a long time and not witnessed fraud first-hand, at least tells us that it is not very common.
Re: old tricks don't work on it (Score:5, Insightful)
Any idiot with an internet connection can google the subject and find numerous instances of voter fraud. That you claim there hasn't been any cases of voter fraud means you posted without making even the minimal effort to check. Which tells us you are even dumber than an idiot.
Yes, they can. The Heritage Foundation has a nice database of voter fraud. 1300 proven instances over 30 years. So, compared to the number of elections and votes cast, the problem is minuscule, especially on a national level (local elections are the only place where fraud can realistically be done on a scale that is both large enough to be effective and small enough to not be caught).
Fraud not alleged in court [Re: old tricks...] (Score:3)
Absence of proof does not mean proof of absence. Evidence will be presented to the courts, not the media.
But it turns out evidence is not being presented to the courts. The allegations of fraud are entirely in the media; the cases brought up in court are not mentioning fraud at all.
https://time.com/5914377/donal... [time.com] :
Pennsylvania
In a recent Pennsylvania federal case, Giuliani alleged “widespread, nationwide voter fraud” in his opening remarks. But under questioning from the judge, he retreated. “This is not a fraud case,” Giuliani later admitted. In the same case, Trump lawyer Lin
Re:old tricks don't work on it (Score:5, Informative)
So we'll have the current type of voting machine so this can continue, solutions to problem are not welcome.
You might want to keep up with current events.
The Trump campaign just parted ways today with one of their lead lawyers, Sidney Powell, who had been the primary drummer in the "voting machines are switching millions of votes" legal orchestra. Problem is, she (and they) have been unable to show even a single instance of this happening. It's so ridiculous that even Tucker Carlson felt compelled to call her on it a few days ago.
Re:old tricks don't work on it (Score:4, Insightful)
Problem is, she (and they) have been unable to show even a single instance of this happening.
In a recent YouTube video, LegalEagle talks about how several Trump lawyers and others make all sorts of claims of irregularity at podiums clustered with microphones; however, when in court they say none of these things. The reason is that they can get into big trouble under penalty of perjury.
Re:Every US national election has some problem vot (Score:5, Insightful)
If counting votes is so accurate, why do recounts come up with different numbers? And those few cases where there is a 2nd recount, those come up with a 3rd set of numbers.
Because ... humans and bits of paper that can stick together.
And the difference will be:
a) Unbiased, ie. it could just as easily go the other way.
b) Only be a couple of votes, not the thousands needed for Trump to win.
Re:old tricks don't work on it (Score:5, Informative)
Actually, she was never one of the Trump campaign's lawyers.
Oh? The man at the top seems to think otherwise [twitter.com].
There is always a tweet contradicting the ever changing reality within the fact-free Trump campaign.
Re:old tricks don't work on it (Score:4, Insightful)
To answer the question:
a) Can you imagine trying to manage keys and digital signatures for all the idiot voters?
b) Voting is supposed to be anonymous.
Re:old tricks don't work on it (Score:5, Insightful)
Voting is supposed to be anonymous.
This right here is the key issue.
It is EASY to make an election secure.
It is EASY to make votes secret.
The problem is that it is very difficult to do BOTH.
PKI makes elections secure but non-secret. So PKI doesn't fix the problem.
Re: (Score:3)
I voted by mail in New Jersey. There was a ballot that said who I wanted to vote for with no personal identification that went into an envelope with my name, address, and signature. Someone had to compare my illegible scrawl of a signature against an illegible scrawl on file and use that to determine if the ballot was actually mailed by me. With PKI in place, we can replace the hand signature on the envelope with a digital signature, which is much more easily verified consistently. Hand signature verifi
It's not that difficult (Score:3)
Re: (Score:3)
A. Most PKI systems of record are pretty good at allowing self-service for managing certificates. See: any publicly trusted CA's web site, Let's Encrypt, etc., to say nothing of hardware solutions such as YubiKey or the like.
B. The ballot itself can remain anonymous by only using the PKI to encapsulate the ballot for verification, exactly the same as the "security envelope" we use with shitty signature verification today. Think of it this way:
1. You complete your ballot
2. Your ballot is then encrypted with a
Re:Elementary, my dear EditorDavid (Score:4, Insightful)
Pretty much crammed all the evidence-free conspiracy theories into one post there, didn't you? Real shame that despite all this rampant fraud, and despite trucks pulling up loaded with ballots that all these folks saw...that no one managed to take even one photo or cell phone video. Shocking, really.
Re: (Score:2)
Obviously, the trucks were being driven by Bigfoot. We all know he has evolved a natural defense that hopelessly blurs all photos. Rumor has it Elvis learned the technique from Bigfoot while living in the woods shortly after faking his death using an alien DNA replication machine he won playing poker.
Re: (Score:3)
I flip a bit in a system and there's one million votes. Depending on the system, you may or may not have an audit trail, and since I'm probably sitting in some government buil
Re: (Score:3)
Electronic ballots don't have your address on them or your signature. In fact, since we have a right to secret ballots, it CAN'T have your address on it.
I know that in Georgia, you have to request each ballot prior to the election. The ballot goes into an inner envelope that has no personal information on it, then it goes into an outer envelope identifying you. On receipt, they check and discard the outer envelope, and retain the inner one still sealed until polls close on election day.
That has been the pro
Re: (Score:3)