24 votes

United States Postal Service (USPS) files patent for a blockchain-based voting system

59 comments

  1. [10]
    Micycle_the_Bichael

    Putting to the side all of the many years of documented criticisms from the CyberSec community on online voting and blockchain in voting, I’m really against this idea and online voting in general until America has wholly reformed the way it treats poor people. Online voting, intentional or not, is a poll tax in the US and will almost certainly continue the disenfranchisement of the poor, esp voters of color.

    17 votes
    1. [8]
      Adys

      Online voting, intentional or not, is a poll tax in the US and will almost certainly continue the disenfranchisement of the poor, esp voters of color.

      Why?

      Of all possible arguments against online voting, this one doesn't make sense. Of course, we're talking about adding online voting, not replacing one with the other; which means increasing accessibility, regardless of your skin color, background, language, etc.

      Increasing online accessibility means decreasing load in physical stations, which means a better experience at the latter.

      9 votes
      1. [3]
        vord

        In short: Access to internet is far from universal.

        About 10% of the USA doesn't have internet (33 million). 19% of them said the cost of owning a computer and getting internet service was a barrier.

        Further disenfranchising 6 million+ is no joke.

        And they'll use it as an excuse to close polling stations. They already do it without any excuse, how would that be different?

        5 votes
        1. Amarok

          I find it pretty hard to take this concern seriously when any library or net cafe or friend's house with a computer or a smart phone could do the voting. Sure, we close a few hundred polling places, and then make every internet-connected device that runs a web browser into a potential voting machine instead. That's going from hundreds to hundreds of millions of voting locations, and it's not like election day is a surprise. I wouldn't even mind keeping polling places running computers open for voting, but it seems rather redundant.

          8 votes
        2. Adys

          I addressed this concern in my reply.

          1 vote
      2. [4]
        Micycle_the_Bichael

        Much of the discourse I’ve read/seen people argue is the abolishment of paper voting and replacing with online voting. If it’s in addition to, then yeah I’m only against it for the CyberSec reasons.

        1. [3]
          Adys

          Indeed, it shouldn't be a replacement.

          2 votes
          1. [2]
            Amarok

            The classic mail in ballot should always exist, I think. It's versatile and can be relied upon in situations where the other system doesn't get it done for someone due to whatever reasons. Lack of or distaste for computer access is as good as any in my book. Plus it's never a bad idea to have a backup system just in case. I can think of a few things capable of taking down the internet, let's see if 2020 can muster a solar storm to round out the year. :)

            2 votes
            1. patience_limited

              Agreed, but not because blockchain cryptography is unsound in principle. It's every technology required to implement it, down to the chip design and the OSI layer protocols, which remains faulty with respect to security.

              New technologies should augment and enhance old ones, not supersede them by default; give me a verifiable paper record of the blockchain transaction, at least.

              The article is short on details, but looking at a more detailed report, it's clear that the USPS blockchain patent proposal described authenticating the mailed paper ballot as unique and independently verifying that it's been cast by a unique, but anonymous authorized voter. This isn't electronic voting, it's a security layer on paper voting. I like this idea in theory, but can see how messy it might become in practice.

              3 votes
    2. Eric_the_Cerise

      Frankly, the security concerns alone should be more than enough reason. Every time yet another financial institute is hacked, or worse, is just further evidence that we are not yet ready for online voting (or online finances, for that matter).

      Obligatory xkcd.

      https://xkcd.com/2030/

      9 votes
  2. [21]
    cmccabe

    Following President Donald Trump’s conclusion that mail-in voting would represent ballots all over the place and fraudulent ballots would be named after dogs and dead people, the patent that was filed back in February 2020 was made public on Thursday 13th August.

    I haven't read through the patent application itself, but it is great to see serious attempts at modernizing the voting system.

    8 votes
    1. [15]
      whbboyd

      great to see serious attempts at modernizing the voting system

      https://xkcd.com/2030/

      30 votes
      1. [14]
        cmccabe

        Well who am I to argue with xkcd. But jokes aside, saying "it's good because it has blockchain" is dumb, but seeing a problem and trying to develop technology to solve it is not dumb. It's just not easy, and it will definitely take many attempts. This is one of them.

        10 votes
        1. [11]
          vektor

          From what I recall about my CySec lectures, computerized voting is so much so considered impossible that I don't think a patent application can be taken seriously. Patents imply that something will come of this in the near future. I don't think that's plausible. Or at least, whatever comes of this shouldn't be touched with a 10ft pole until we have a shit ton of independent audits and hackers were able to pen test it at their leisure for a good while.

          Fundamentally, it boils down to the problem that you can't have all the basics of elections verifiably upheld at the same time. Everyone only votes once. Ok then, how do you make sure there is no way to tell who voted for whom? Things like that are in conflict all over the place.

          To me, with USPS election-related bad news recently, this smells like complete horseshit to me. Someone decided that googling "USPS election" should return a more positive result.

          Research, sure. But patenting means "the research is mostly done, we're about to throw this thing out there, no one copy us!" The research gap right now sits with very fundamental problems of how to make it tamper-proof and anonymous. (And relying on an even less clear memory of mine, I think there's some amount of proof that digital elections are a bad idea, period. But I doubt myself there, so you're forgiven if you do too.)

          16 votes
          1. [10]
            post_below

            Don't the same fundamental challenges exist for existing voting systems?

            Seems like they're all solvable. For example if you want to ensure that people don't vote twice then you log their voter ID. You don't have to link that to their vote if you want anonymity. The logged ID will stop them from trying again without knowing the logged vote.

            Hacking will always be a potential problem but you can limit the scale to negligible if the database is well insulated from the WAN. Open source would also help. You'd have no shortage of white hat hackers willing to put free hours into penetration testing something so fundamental to democracy.

            Why you'd need blockchain though, that's a mystery.

            1 vote
            1. [7]
              vord

              Don't the same fundamental challenges exist for existing voting systems?

              Nope. You pull 50 people in a room, and hand out 50 paper ballots. 50 ballots get collected, shuffled, and counted.

              You don't have to link that to their vote if you want anonymity.

              In this surveillance age, if it can be linked, it will. There's numerous articles about how these are massive problems with no known solution.

              Voting is one of those big cases where good old fashioned paper works best.

              8 votes
              1. [4]
                Amarok

                If by best you mean restricted access to voting machines, an overabundance of voting machines proven to be trivial to hack, and all crammed into a single workday so that it's more of a pain to vote than the majority of Americans will put up with. Most people don't vote, and it's no surprise why.

                I'd be a lot happier with universal mail in ballots if we're going paper only. I'm hoping a lot of states go that way, it's their decision after all, not the feds.

                2 votes
                1. [3]
                  vord

                  I was actually suggesting completely eliminating electronic voting machines for the same reason...they're not as good as paper.

                  How I would fix voting:

                  • National Holiday
                  • Mail-in ballots as an option for anybody.
                  • Use public schools as polling stations

                  Here's what the process could look like:

                  1. Polls open at 8 AM, close at 8 PM
                  2. Everybody gets in line, they sign in at building entrance, and are given a barcode sticker tied to their registration to identify themselves.
                  3. When 50 people are signed in, they are shuffled and split into two groups.
                  4. Group is escorted to classroom with 25 paper scantron ballots.
                  5. Voters get assigned a secret random number (1-25), puts it at top of ballot.
                  6. When voters are finished filling in, scantrons are shuffled, scanned and tallied by offline scantron machines, and sealed. Tally results are displayed on projector, and printed. Voters affix their stickers to that page, to be tallied by election officials.
                  7. Voters are escorted to the sign-out, where they can sign that their vote was accurate or inaccurate.
                  8. Rinse and repeat.

                  In my hometown of ~10,000, which is currently split to ~4 voting districts. The local elementary school teaches ~450 kids. With 12 hour voting window, Need to process less than 850 votes per hour. The entire population of my town could vote in 12 hours, giving a full 30 minutes for that process, with that single school. Add in the high school, and everybody could be processed in < 6.

                  Voting is only hard because it is designed to be so. It's not given the proper resources to be easy and accessible.

                  7 votes
                  1. Amarok

                    I'd vote for that. It's a big step up from where we are.

                    I still think the possibility exists for a digital system to outperform paper ballots in security, verification, and convenience, though. Not that I've seen a paper outlining a system that would do this effectively yet. I just can't see why it's some impossible problem when we've already solved all of the challenges it presents in different unrelated systems and industries that every one of us uses every single day without a second thought. If you think voting is somehow riskier or more difficult or more of a target than banking or health data or government data or the stock market you're not seeing clearly and you should have even stronger reservations there than you do about voting.

                    We just haven't solved all of those challenges in a single voting system yet. I know we're never going to get there at all unless it's a secured distributed network - the kind where you download the election image from the state to a USB key, then boot from that on whatever hardware and run the election platform, donating your compute resources to this live-for-a-day cloud and using it to vote. Each node that passes the tests to join and remain on the network should also double as a monitoring station so we can get millions of eyes on it and real time vote verification for anyone who wants it. That's the scope of doing it right.

                    I do not like electronic voting machines. I definitely prefer paper there since there's less chance of tampering or confusion, and those old school tick/lever machines are the best of the bunch. It is impossible to fuck up your vote on those things. We're still using them in most places in NY, they are decades old but they work very well.

                    4 votes
                  2. vektor

                    What's wrong with the conventional "come in, identify yourself, get handed a ballot, go to booth, fill ballot, cast ballot, leave"? No machines involved thus far. You can of course make ballots machine readable to hasten the counting process without preventing audits.

              2. [2]
                post_below

                Ok 50 people in a room, putting aside the electronic voting machines currently in use all over the world... Many places require ID in order to vote, there's the first point where logging or recording is possible. Then once you're in the room, hidden cameras are the next possibility. Also these days they're doing amazing things with radio waves to record what's happening in a room from outside.

                After the vote is cast there are numerous points in the chain of custody where tampering is possible.

                These things theoretically don't happen because they're illegal. They'd be illegal digitally too.

                To say that "if it can be linked it will" seems to skirt the issues. If you build a system specifically not to link certain data points then it absolutely cannot link those data points. There are all sorts of ways to accomplish this.

                So then what we'd be assuming is bad faith, that someone would secretly write the software to do something it's not supposed to. If we're concerned about that level of bad faith then the same concern about corruption applies to paper ballots.

                And we should definitely consider corruption in any solution. The point being that paper voting is not fundamentally safer, there are similar problems either way.

                Digital is dramatically cheaper in the long run though, and once you get it right, it keeps on being right until someone changes the code.

                1 vote
                1. vord

                  Yes, it is possible to do all those things. It's just a hell of a lot easier to do so when you're voting with an electronic machine with 0 paper trail.

                  That's what online voting is, except even less trustworthy. You're trusting that the system (if it's public at all) is being kept both secure and auditable.

                  The 50 people in the room is presuming you also tally the results with those same 50 people. I outlined a process of how that could work on a larger scale.

                  Corruption is easily solved: Large numbers of election officials, drawn by lot of the voting populace. It's good enough for juries.

                  1 vote
            2. [2]
              vektor

              Don't the same fundamental challenges exist for existing voting systems?

              Yes, in general they do. Voting machines with a paper trail that the user can check are at least auditable. But even then you don't know what the machine does. If it has its own logging, it might easily deanonymize your vote.

              Regarding the logging, I'm not sure how you want to log the ID independently of the cast vote. And even then, part of anonymous voting is to anonymize who voted, so you can't even do that.

              The much easier approach is to question the de facto security of paper elections. Because the CySec guys hold themselves to very high standards. If you can observe how paper elections fail at their goals, you can slightly slack in the same areas too. But that too doesn't solve the problem of trust. Everyone can understand paper elections and their auditing process from first principles. No one can for a proprietary system, and only few if it's FOSS.

              3 votes
              1. post_below

                An electronic system is also auditable. Whether it's logged on paper or electronically (which comes with a perk of being able to save a second set of logs offsite for free if you want), you have the same potential drawbacks (tampering).

                What's the downside of logging the ID separately? If the vote is anonymous you don't need an ID attached to it once you've verified the voter, two different buckets.

                You're right that there's a problem if you want to verify the legitimacy of the voter while still keeping whether they voted at all a secret. I don't think many people would mind a record that they voted but putting that aside, it's solvable. For example voters could verify themselves with a system that assigns them a single use ID independent of their voter ID. This gets stored for later verification when they vote, it is not attached to their voter ID at that point. This could easily happen invisibly in the background. These are the sorts of problems that software is good at solving.

                Of course you have to assume good faith, but that's what open source is for.

                Where trust is concerned, do people understand how the internals of voting machines work? Does it make a difference if they do or not? We live in a digital world, I suspect the percentage of people who wouldn't trust digital voting is relatively small. For them, paper voting can remain an option.

                As far as FOSS goes, don't underestimate the community's willingness to write blogs in plain English for mass media reporters to pick up and spin stories out of. It's easy to imagine an end result where voting feels more, rather than less, transparent.

                The point I'm making, from a software engineering perspective, is that there are no insurmountable barriers to digital voting. At least none that I can think of. I keep seeing "CySec guys say it's too hard" but all the examples of why that is don't seem to hold water.

                The biggest barrier I see is that governments are notoriously bad at software (or I should say they hire firms which are notoriously bad at software).

                I feel safe in predicting we'll arrive at digital voting eventually, just a question of how long it'll take. After all, paper has been on the way out for a while now.

                2 votes
        2. [2]
          whbboyd

          This is not a "serious attempt at modernizing the voting system". (It could well be an incompetent attempt made in earnest, though assuming good faith where the GOP is concerned would be a grievous error.) If it were, it would be talking about a Merkle tree-based voting system. The term "blockchain" is exclusively used by scammers or the still-oblivious victims of scammers; and the concept which it names predates it by thirty years, has been productively exploited for all that time, and has no meaningful applicability to online voting.

          12 votes
          1. Amarok

            Even I'm scratching my head wondering what value 'blockchain' brings to solving the problem. It doesn't seem like something that needs blockchain technology.

            1 vote
    2. teaearlgraycold

      How can you read that first clause and think this is a good idea? The same person is dismantling the USPS to block mail-in ballots. Trump's cronies told him he could stuff the blockchain better than you can the ballot box and he loved it.

      5 votes
    3. [4]
      moocow1452

      Would like someone in the know to determine how much of a hail Mary/experiment unintended for prime time this is. Usually some project involving "blockchain" is a venture capital grab, but a patent filed by the Post Office implies some sort of competency. Does the post office running it solve any of the trust issues that plague voting previously?

      4 votes
      1. [3]
        Litmus2336

        Blockchain is not fully anonymous, meaning it would be possible to determine who you voted for. IMO, even if perfectly implemented and tested (which I doubt it will be) that is already a disqualifier

        2 votes
        1. [2]
          vegai

          There are plenty of blockchain-implemented altcoins that provide anonymity, even if the main bitcoin design does not. Perhaps it would be possible for a voting system as well?

          2 votes
          1. Litmus2336

            As far as I understand, everybody participating in the chain gets an identifier. Now, theoretically you don't have to share that identifier, but I don't know of a method that doesn't use them. This means that it is theoretically possible to track votes back to people.

            4 votes
  3. [9]
    hook
    (edited )

    Online voting cannot be done in line with what we expect from voting in modern democratic systems.

    Roberto Di Cosmo studied this topic and wrote it much better than I ever could:

    A wealth of protocols for electronic voting have been proposed in the literature over the past years. What makes these protocols difficult to conceive and verify is one fundamental property, anonymity, which is of paramount importance in the real world, in particular when performing actual political elections. Historically, certain techniques have been used in actual elections to nullify anonymity and effectively coerce voters, by exploiting an evident weakness in many voting protocols; these techniques were used in traditional elections well before the notion of electronic voting was even proposed, yet, they still seem to be little known: as a consequence, we find recent proposals of voting protocols that can easily be attacked this way, like Rivest's ThreeBallot scheme, or clever attempts at formal definitions of privacy and anonymity properties that would not rule out such flawed protocols. In this paper, we describe one old technique, effectively used in Italy over twenty years ago, and show how the flaws or incompleteness in current protocols and formalization can be clearly exposed just through that simple idea. We also show how this very same simple attack can be effectively used today on US-style elections, regardless of the presence of a VVPB or VVPT. We hope that a wide circulation of this simple ideas will help design better protocols and formalization in the near future.

    As a lawyer who read it, I completely concur with his analysis of the problems.

    update: fixed typo. Sorry, on mobile. Seriously, read his research paper.

    7 votes
    1. [6]
      Amarok

      The brief look I took, anonymity seems his chief concern, and even I know how to solve that problem, I mentioned it in other replies. You solve that problem by separating the event of issuing a vote token from the government to a person from the event of actually cashing in that token to cast a vote.

      The government does not need to know which token is issued to which person. It only needs to know that it has issued a token (voter ID or other unique signature) to each eligible voter, and it needs to make sure that once issued that person cannot get a second token to double up on their vote. The token can come out of the system in a sealed envelope or via secure electronic delivery without any other human eyes ever seeing the code besides the voter it is issued to. That's one of the design challenges.

      This gets a little messy when you run it alongside other voting systems (like a mail in ballot) that involve voting without tokens. If someone wants to vote without using the distributed cloud system, you do it old school and just make sure that person can't get a digital token to use in the digital system. This would be part of the first step where tokens are issued. Voting becomes a two step process - get your ballot anytime or your token the week leading up to the election, and then on election day put it to use.

      You kill cheating dead by making sure that every node processes every vote. Counting and other critical decisions are made by network node consensus where the majority of the network agrees on the result - this prevents hostile clients from having any effect on the system, just like some cryptocurrencies do now. You'd have to launch a successful 51% attack to interfere with this process, and it would be obvious that it happened, so there's no way to cheat this system.

      People can and still will make trouble even here - selling their tokens, for instance. There's nothing that prevents anyone from selling their vote right now and I don't think that problem can be solved, so it's just one of those things we have been and still will be stuck with in any voting system.

      But, I haven't read all his stuff yet, maybe there's something I'm missing, so I'm going to enjoy digging into it when I've got the time. Thanks for sharing that, I'll read through it all later this evening and if something he brings up stumps me I'll make another reply. :)

      2 votes
      1. [2]
        j3n
        Link Parent

        The government does not need to know which token is issued to which person. It only needs to know that it has issued a token (voter ID or other unique signature) to each eligible voter, and it needs to make sure that once issued that person cannot get a second token to double up on their vote.

        What happens if a voter loses their token? Or if there is some kind of glitch that, for example, results in a voter being given an empty envelope?

        3 votes
        1. vektor
          Link Parent

          Or similarly, bullshit claims of the same designed to get 2 IDs.

          2 votes
      2. vektor
        Link Parent

        People can and still will make trouble even here - selling their tokens, for instance. There's nothing that prevents anyone from selling their vote right now and I don't think that problem can be solved, so it's just one of those things we have been and still will be stuck with in any voting system.

        There's a simple way of preventing sale of votes: No mail ballots. The problem with mail ballots is that they compromise anonymity a little bit - in the sense that the voter is required to enforce their anonymity. The moment anonymity is enforced centrally, I can sell my vote, promise to vote for a polished turd with a wig and then turn around and do the opposite. No one will buy that vote anyway, so problem solved.

        But completely aside from that: You have to trust that the issuing of a vote token is kept secret. If someone records who's who, it's all over. Anonymized voting is in large part to prevent the government (who is controlling the elections) from being dicks. So you can't record who's who, only who's already been issued. Sure, alright. The problem is now that you can't check your work anymore. Your delivery method must be absolutely secure or you can prevent people from voting by sabotaging their tokens - because you can't reissue tokens. Absent a literally perfect method of transmitting information to the intended person, Nope.

        And if you try non-anonymized tokens, you have to keep a log of who voted to prevent people voting multiple times. But that log can be used to retrace the votes. Or at least, I'm claiming it can, because just writing votes and tokens to two different files won't help.

        3 votes
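The issuing dilemma raised in this subthread (lost tokens, false loss claims, and a log of who got which token), as an added example that is not part of any comment or of the USPS patent. It is a toy Python model: `UnlinkedIssuer`, `LinkedIssuer` and `false_loss_claim` are hypothetical names, and the voter roll and choices are constructed.

```python
import secrets


class UnlinkedIssuer:
    """Records THAT a voter was issued a token, never WHICH token."""

    def __init__(self, roll):
        self.roll = set(roll)
        self.issued_to = set()     # voter names only
        self.valid_tokens = set()  # tokens only, no owner column
        self.spent = set()
        self.ledger = []           # public record of (token, choice)

    def issue(self, voter):
        if voter not in self.roll or voter in self.issued_to:
            return None            # a second first-time request is refused
        token = secrets.token_hex(16)
        self.issued_to.add(voter)
        self.valid_tokens.add(token)
        return token

    def reissue(self, voter):
        # Replacement for a token reported lost. The old token stays valid:
        # the issuer never learned which one belonged to this voter.
        if voter not in self.issued_to:
            return None
        token = secrets.token_hex(16)
        self.valid_tokens.add(token)
        return token

    def cast(self, token, choice):
        if token not in self.valid_tokens or token in self.spent:
            return False
        self.spent.add(token)
        self.ledger.append((token, choice))
        return True


class LinkedIssuer(UnlinkedIssuer):
    """Keeps a voter -> token log so a lost token can be revoked."""

    def __init__(self, roll):
        super().__init__(roll)
        self.owner_log = {}

    def issue(self, voter):
        token = super().issue(voter)
        if token:
            self.owner_log[voter] = token
        return token

    def reissue(self, voter):
        old = self.owner_log.get(voter)
        if old is None or old in self.spent:
            return None
        self.valid_tokens.discard(old)  # revocation needs the owner log
        token = secrets.token_hex(16)
        self.valid_tokens.add(token)
        self.owner_log[voter] = token
        return token

    def deanonymize(self):
        # Joining the owner log with the public ledger names every voter.
        by_token = dict(self.ledger)
        return {v: by_token[t] for v, t in self.owner_log.items() if t in by_token}


def false_loss_claim(issuer, voter):
    """Voter reports a token lost while still holding it; returns ballots counted."""
    tokens = (issuer.issue(voter), issuer.reissue(voter))
    return sum(1 for t in tokens if t and issuer.cast(t, "A"))
```

With the unlinked issuer the only way to keep the count at one is to refuse every reissue, which is the "you can't reissue tokens" outcome; with the linked issuer the count stays at one but `deanonymize()` recovers each voter's choice.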
      3. [2]
        hook
        Link Parent

        It has been a while since I read that research paper, but I have a vague recollection your solution was also taken into account in it.

        1 vote
        1. Amarok
          Link Parent

          You have to trust that the issuing of a vote token is kept secret. If someone records who's who, it's all over.

          Good, I'll look forward to seeing the flaws in it. Thanks again for the share.

    2. [2]
      patience_limited
      Link Parent

      You know, there's a great deal of focus on anonymity in voting, but it's likely that your political preferences have already been determined in great detail through the constant collection of personally identifiable data exhaust - purchase history, political contributions, religion, health status, ethnicity, gender, sexuality, location, etc.

      It's more than enough for a corrupt or authoritarian state entity to target you for retaliation, regardless of direct access to your voting history.

      1 vote
      1. hook
        Link Parent

        Oh, well, I guess then we're doomed and there is no reason fighting against anonymity and surveillance. (SCNR)

        But what you say, leans on two big assumptions: 1) a political system where the options are so few they can be quite transparent (e.g. bipartisan system in UK and USA), and 2) the government has access and means to process vast amounts of personal data of its citizens, either itself or through a company it can force to do so.

        Ad 1) when you have more viable options you can vote for, the results are less predictable, as more people tend to change which party they vote for during which election. And this is not an issue of the technical method of how to cast a vote, but the voting/political system in general.

        Ad 2) let's imagine Corruptania - very corrupt country, with a quasi-dictatorship in place, the economy (at least of the elite) is doing pretty well, yet they don't have their own Baidu, nor can they influence Google that much. Even if Corruptania's secret service were to gather info on their citizens, it would likely not be enough to deduce the conclusions needed to assess who you voted for.

        Also, it may not always be the (current, your own, or even any) government, who is interested in pushing into one or another direction.

        3 votes
  4. [19]
    Amarok
    (edited)
    Link

    Seems like they'd be generating the voter ID/vote token and then mailing it out to people, who would then take the unique code they get in the mail, register, and vote on a secured platform online. It seems better than sending paper ballots back in the mail. In this system there's no opportunity for someone to interfere with the vote being cast by intercepting it. You'd have to intercept the vote token on the way to the recipient before the vote is cast, and then somehow confirm you are that person to cast a vote in their name... and they'd probably notice because they never got their ballot/code in the mail.

    I'll be more interested when it's a working system rather than an outline. Frankly, it's an embarrassment we can't vote from our phones already. Polling booths and paper ballots are relics of the past. I don't buy the hogwash arguments that we have to have paper to secure it - tell it to the banks, who have moved well beyond paper and don't have these fictional security problems everyone always hypes up as the 'reason' we can't do online voting. I sure as hell don't trust a voting 'machine' that isn't dirt simple and fully open sourced. Digital vote machines strike me as a much more serious risk than paper ballots (mailed or in person) and a provably secure open digital system.

    I'll look forward to a more thorough analysis of this system from crypto and security experts - that patent is complicated and not well explained.

    4 votes
    1. [9]
      Omnicrola
      Link Parent

      Polling booths and paper ballots are relics of the past. I don't buy the hogwash arguments that we have to have paper to secure it - tell it to the banks, who have moved well beyond paper and don't have these fictional security problems everyone always hypes up as the 'reason' we can't do online voting.

      Just because something is old, slower, or inefficient, is not automatic justification for replacing it. IMO those are usually used as justifications, but I don't believe they are good reasons. This speaking as a software developer who loooves optimizing things.

      For me, the argument is not that paper ballots are more secure than a digital system. It's that paper ballots are more secure than any digital system we have right now. At the very least, paper ballots are the most trusted. Even if we can prove academically that a digital system is in fact secure, if the public doesn't trust it, it is de facto not useable.

      I sure as hell don't trust a voting 'machine' that isn't dirt simple and fully open sourced.

      100% agree. The problem I have with voting machines is that they're all currently made by for profit companies and are closed source. We will probably eventually get to a good digital solution, but first we're going to see a lot of fuckups on the scale of Equifax. But instead of the consequences being that some people get their identity stolen, we instead get elections with erroneous results that may not be discovered until long after people are sitting in office. And that's the scary part to me.

      13 votes
      1. Amarok
        Link Parent

        It's that paper ballots are more secure than any digital system we have right now.

        I agree with that - but the conversation should be about building secure digital voting online, not about reinventing yet another paper ballot system. I'd be happy to stick to paper until the online system is vetted and ready.

        3 votes
      2. [7]
        jackson
        Link Parent

        The great thing about paper-backed voting machines, however, is that poll workers randomly audit the counts of the counting machines, and if there is a discrepancy, count all the votes in a specified group of machines. Electronic-only systems have no such backup available.

        2 votes
        1. [6]
          Amarok
          Link Parent

          A distributed network should be able to outclass that handily by auditing all the votes at every step, and I'd like to send any that couldn't back to the drawing board. New codes for every election, never reuse anything. The database of vote responses should be open online for anyone to download or browse. If you kept your receipt and voter ID code, you can look up your own results in the database to verify they match. Randomized question order per voter solves the issue of someone else reading your vote if they get your ID. Without the receipt, they can't tell what the order of questions was or how you voted.

          3 votes
          1. [5]
            jackson
            Link Parent

            But allowing the lookup of a voter ID is a problem as well. You presently are not allowed to take a ballot from the voting booth because you could be coerced, bribed etc to vote a certain way. Since there's no way to verify, there is no leverage in that regard.

            also to note-- the Democrats tried an online system for some caucuses this year. It failed, horribly. I have very little faith in the ability of the US government to test the voter system at an appropriate scale.

            1 vote
            1. [4]
              Amarok
              Link Parent

              The only person who knows your voter ID is you unless you tell someone, and that's on you, no one else. Even if you do that, without your receipt/answer key, no one can tell how you voted even when looking directly at your vote ballot. You'd have to give up both your ID and your receipt to compromise your vote privacy. There is zero risk with having all of the voter ID numbers present in a single online database for the entire public to view when it's done this way.

              The government itself doesn't even know your voter ID - that gets generated and sent to you in a sealed envelope or through a secured network/connection with no human eyes involved until you see it yourself. IDs are never, ever reused, each is unique to a single person in a single election. All the state knows, and needs to know, is that one was issued to you.

              1 vote
              1. [3]
                whbboyd
                Link Parent

                The only person who knows your voter ID is you unless you tell someone…

                Therefore, you can be coerced to reveal your voter ID, therefore specific votes can be coerced or purchased.

                …and that's on you, no one else.

                I am categorically unwilling to blame someone for caving to threats on their life or health, or that of their loved ones, or lifechanging monetary payouts. Even if I didn't have a shred of empathy in my body, I'd recognize that people will cave to those things, and thus the integrity of elections will be compromised.

                Pseudonymity is actually insufficient for voting; the votes must be truly anonymous, such that it is impossible for any party (including the voter themselves) to link votes back to voters.

                4 votes
                1. [2]
                  Amarok
                  Link Parent

                  Therefore, you can be coerced to reveal your voter ID, therefore specific votes can be coerced or purchased.

                  Hardly a valid objection since you could always coerce anyone to give up that information in any system. If someone puts a gun to your head, you'll tell them how you voted or you'll turn over your vote token. I bet you'll also be calling the cops, and we'll put them in jail, because we've moved well beyond election systems into assault and election interference, both of which are felonies. This seems like an unrealistic standard.

                  Most people will burn the receipt and the voter ID after they've confirmed their vote, and that's security. Each person can personally audit their vote, which is a real strike against voter fraud. It's also a big boon if the election system moves beyond simple FPTP into something more elegant like Condorcet, as people will want to see how those more advanced systems used their votes in the pairwise election matchups.

                  1. whbboyd
                    Link Parent

                    Hardly a valid objection since you could always coerce anyone to give up that information in any system.

                    Not with a standard paper voting system. I enter, receive an unidentified paper ballot, vote on that ballot, submit it, leave. No evidence of how I voted exists outside the voting room. Nobody can coerce me to give up my vote, because if I lie about it, that is impossible to prove.

                    Most people will burn the receipt and the voter ID after they've confirmed their vote

                    Then our hypothetical vote coercer says "you'll take the receipt and id out of the building and show them to me, or I'll murder your spouse and children". You can try to address this by requiring people to submit and destroy their receipts to leave the building, but what when somebody loses theirs, or eats it? I guess you can lock them in until they starve, but I hope we can agree that's not an effective approach. And if someone can lose their receipt, they can (and thus can be coerced to) hide it on their person and smuggle it out of the facility.

                    Each person can personally audit their vote, which is a real strike against voter fraud.

                    In-person voter fraud is not a problem in the US, so much so that focusing on it has become a dog-whistle for people trying to distract from their voter suppression activities, which is a huge problem in the US.

                    3 votes
    2. [3]
      PendingKetchup
      Link Parent

      I sure as hell don't trust a voting 'machine' that isn't dirt simple and fully open sourced.

      How is a phone a good voting machine then?

      5 votes
      1. teaearlgraycold
        Link Parent

        Also, full open source doesn't mean that the software running on the machine is what they published.

        5 votes
      2. Amarok
        Link Parent

        I have a rant about the lack of open hardware to go along with that, I feel you.

        What you can do is make the network fully secured, and have all of the clients checking up on each other, including vetting their hardware and communication channels. Anything even a little bit fishy, and the network kicks you off, you can't vote until you find a better computer. Go to a library, for example. You have to assume the client is hostile, and we've got plenty of experience with that (and defeating it) already.

        3 votes
    3. [6]
      petrichor
      Link Parent

      tell it to the banks, who have moved well beyond paper and don't have these fictional security problems everyone always hypes up as the 'reason' we can't do online voting.

      I was under the impression that they did, and it was just massively more profitable to ignore it than fix the system?

      But I agree - I don't think there's anything that makes an online voting system fundamentally inferior to paper ballots. I do, however, find it unlikely that a secure, vetted, and open system would be able to make it through the United States' halls of bureaucracy.

      2 votes
      1. [3]
        Amarok
        Link Parent

        I share that skepticism. Not a chance in hell the people in power would ever entertain a wholesale replacement unless we'd had one hell of a bloodbath for incumbents. I think it more likely a couple states will get there first on their own, and we'll be looking at a hodgepodge of state systems before it gets federal. Someone's got to prove it works before it can go any further.

        2 votes
        1. [2]
          patience_limited
          Link Parent

          E-voting has been in use in Estonia since 2001, and it's gone through quite a few refinements in security and transparency since then. Still not wholly secure, or transparent, yet; only 25% of ballots are cast electronically as of the last election.

          1 vote
          1. Amarok
            Link Parent

            I'll take any real world examples I can get, thanks for the link. I'll be curious to see what methods for hacking it have been attempted.

            1 vote
      2. [2]
        patience_limited
        Link Parent

        Banks have the advantage that they don't need to anonymize transactions. In fact, they usually demand proof of identity and associate account identities with each transaction. They just verify the transaction ledger to establish that funds are available/delivered, and transactions aren't duplicated or otherwise tampered with.

        1 vote
        1. vektor
          Link Parent

          Also, banking has much lower stakes. Much like healthcare, election breaches carry with it info that can't just be bought away. You can always pay to make a victim of a financial crime whole. If the expected payouts there are smaller than the savings from going digital, they'll do it. They're banks ffs.

          But if everyone learns of a disability of mine? Or my political preferences? No amount of money will ever truly make me whole.

          5 votes