@jeroen @mattblaze In general voting by going to a specific place inside the town where you live is cumbersome. If we can get a good system to mostly get rid of that, that will likely increase voting turnout. Having elections with 40% turnout is much more dangerous to #democracy than IT security risks, of course unless these last ones are huge (which is possible)

@HcInfosec @jeroen Yes, and every technical expert who has seriously studied online voting has come to the same conclusion about the risks, because there are fundamental problems and requirements that preclude building an Internet voting system sufficient for civil elections.

It's not that scientists don't think Internet voting would be nice. Just as physicists don't think perpetual motion machines wouldn't be terrific. It's just that they understand fundamental reasons we can't make them.

@HcInfosec @jeroen You want an Internet voting system? You have two choices. One is to relax some of the basic requirements and civil rights associated with voting (at least in the US), such as the secret ballot. The other option is to have elections where we can never be sure who actually won, and that are vulnerable to disruption by anyone connected to the Internet.

Neither option seems great.

@mattblaze @HcInfosec @jeroen funny how Silicon Valley uses mail in paper ballots.
@HcInfosec @jeroen And these are because of FUNDAMENTAL properties of software-based systems and the requirements of voting. These are not things we can engineer our way out of with better technology or by working harder. We'd have to either change the requirements for democratic elections or accept potentially unbounded uncertainty in election outcomes, no matter what technical advances happen.
@mattblaze @HcInfosec @jeroen So what, exactly, is fundamentally wrong with, say, the Estonian voting system?
🤔
#Estonia #voting #elections

@kallekn @mattblaze @HcInfosec @jeroen Scale, primarily (In the most recent election, more than 50% voted electronically, and that meant 312,181 ballots electronically.).

That said, look at the two 2019 maps of Estonia voting breakdown on Wikipedia ( https://en.m.wikipedia.org/wiki/Electronic_voting_in_Estonia ) - those two images seem to indicate that voting electronically seems to heavily favour one party more than if the votes were done with paper ballots.

Electronic voting in Estonia - Wikipedia

@AT1ST @kallekn @mattblaze @jeroen No not scale, is it?
If I would state what most IT people state as reasons for not wanting #evoting it's probably:
1- how to make sure every vote is counted correctly. For that you need some kind of proof where you can after counting re-count and be sure all votes are counted correctly. In analog voting you have the paper trail: meaning you can count ballots by hand or machine and re-count also.
2- and you need to do this without knowledge who voted what (privacy)
3- and you need to verify everyone who votes is entitled to and only votes once

Voting electronically has the risk of:
A- software making mistakes or of course being manipulated
B- so you need a system with proof that counting was done right
C- and apparently in the papers all others will send us this is explained😎

I hope they can have the decency to explain in a few lines.

@HcInfosec @kallekn @mattblaze @jeroen I mean, there's also the possibility of random candidates suddenly getting 4096 more votes electronically than they actually got [ https://youtu.be/AaZ_RSt0KP8 ].

...And that's the best case scenario for why something went wrong with the count.

The Universe is Hostile to Computers


@AT1ST @kallekn @mattblaze @jeroen My first answer to all this was: you need to compare two systems. Analog voting systems have problems too, like we can see in the USA where they try to make it hard for people to vote.

My conclusion for now, not having read all papers of course, is that mail-in voting seems more secure in practice than #evoting

But of course I don't accept that #evoting can't be secure. I have posted a solution that might work.
I would say have an open-source challenge with a pretty big bounty between universities to design a system. (God I hope they didn't do that yet)

@AT1ST @kallekn @jeroen By the way, why can we have bank accounts we trust without paper trails, but not voting by using computers?
Don't bank account computers have the fundamental problems voting computers have?

@HcInfosec @kallekn @jeroen If banking goes awry, you mess with the people who had accounts with that bank.

If voting goes awry, you mess with the group of people who can prioritize whether to help the bank or the people who had accounts with that bank (See: FTX, SVB, the 2008 recession, etc.).

@AT1ST @kallekn @mattblaze @HcInfosec @jeroen I calculated 2023 parliament election results according to e-votes and paper ballots in #Estonia and it appears that they are as from different worlds. At the same time Estonian scientists contend that choice of voting method doesn't give preference to any of the political parties. I claim that this is not true and that Estonian #evoting is at least partly motivated by sort of "digital #gerrymandering". https://gafgaf.infoaed.ee/en/posts/great-divide-in-evoting/#two-separate-worlds
Digital divide in Estonian election results · 🐕 Üks Tartu krants

Despite near equal usage of e-voting and paper ballots in 2023, the results for different voting methods were as from different worlds. There is a huge popular demand to fix the problems with Internet voting, but very little agreement on what do they consist of.

@tramm @AT1ST @kallekn @mattblaze @jeroen That analysis does call for an explanation..
Is it known what age groups voted in what way? #hypothesis
@HcInfosec @tramm @kallekn @mattblaze @jeroen I mean, that would start to get into trouble with the whole "Anonymous vote casting" - if we could identify the demographics of e-voting (Beyond "Probably Millennial/Gen X/Zoomers because of a technical bias"), we'd be pretty much breaking the anonymity of how they voted by that disparity.
@HcInfosec @AT1ST @kallekn @mattblaze @jeroen The data about voting method, age group, geographical location, voting time, even IP addresses and basically everything which does not include the voter choice is available for research in anonymised form and AFAIK is provided to academic institutions on a case-by-case basis. I have never tried to get my hands on it, but you can find some basic statistics and summaries from the NEC page. https://www.valimised.ee/en/archive/statistics
Statistics | Elections in Estonia


@tramm @kallekn @mattblaze @HcInfosec @jeroen It's possible it's intentional gerrymandering - especially as the reform party presumably is more technically inclined -, but it's worth remembering that mail-in ballots also encourage voter turnout among Democrats in the U.S.

Though I do feel like the disparity in the Estonia paper/electronic voting setup is confusing to see given the % vote that is going e-voting. It just seems like it should be starting to normalize by now.

@specter @kallekn @mattblaze @HcInfosec @jeroen

and in addition, there's the minor detail that the US doesn't need one voting system, it needs at least... what, 51 systems, plus overseas territories? ... and they'd all be provided by different vendors with different requirements and security models and then there's the problem of voter ID, which is its own social policy issue...

Why don't we just use mail. Works, well-known, effective, built-in paper trail, leverages existing systems.

@kallekn @mattblaze @HcInfosec @jeroen

There was a bunch wrong when it was analyzed a decade ago. Given the defensive response from the Estonian gov't at the time I don't know how much has been addressed since
https://estoniaevoting.org/

Independent Report on E-voting in Estonia | A security analysis of Estonia's Internet voting system by international e-voting experts.

@kallekn @mattblaze @HcInfosec @jeroen I don't think anything is wrong with it, but if Wikipedia is right, voting is done using Estonian ID card. Which I think "breaks" the assumption in US voting that nobody can tell who you voted for. So that would be a difference in the voting requirements between Estonia and US.
@drizzy @kallekn @mattblaze @jeroen In the USA mail voting system you mail in your ballot and it contains your vote and your signature. So they also know what you voted.
The analog procedures must guarantee this information is not leaked. In theory the voting counting machine could fill a nice database with who voted what.
@drizzy @kallekn @mattblaze @jeroen I was wrong here since the signature is on the outside of the envelope apparently. That makes a difference
@HcInfosec @drizzy @kallekn @mattblaze @jeroen Yep. Typical system:
You fill out ballot.
Seal in special envelope, with tear-off tab on outside, with place for your name and signature.
Special envelope then goes in another envelope for mailing.
When ballot arrives at voting office, tab is torn off and filed as (a) proof that they received your ballot; (b) means to tell if the same voter votes twice.
Ballot itself, still sealed in envelope, goes in a box without tab, opened only for counting.
@HcInfosec @drizzy @kallekn @mattblaze @jeroen I know this stuff because I've been a US overseas voter for >30 years.
More recently I have had the option to send my completed ballot to the election office by FAX or (scanned) by e-mail. When I do this there is a separate sheet where I must sign twice: once in place of the envelope tab; the other as an acknowledgement that by sending my ballot that way, I am waiving my right to a secret ballot.

@HcInfosec @drizzy @kallekn @mattblaze @jeroen So I have the option of sending the ballot electronically but with privacy risk, or sending it more slowly but with better guarantee of privacy. Reasonable balance.

Oh, and if I send electronically, I must also mail the original, but it's then OK if it arrives some specified time after election day. I believe that is used if a recount is required--original paper still needed for that.

@HcInfosec @drizzy @kallekn @mattblaze @jeroen Details probably vary by state. Overseas US voters are guaranteed by federal law the right to vote for federal offices in the state and district where they were last eligible to vote (even if they never registered there), but the voting procedures are still handled by the state. Up to the state whether you're allowed to vote for state offices. Mine didn't but recently changed their mind and now allow it.
@kallekn @mattblaze @HcInfosec @jeroen I have elaborated on that very question in my preliminary observer report of 2023 elections in #Estonia and I contend that Estonian #evoting is not observable in any meaningful sense and because of that also the procedural aspect has substantially degraded in ~18 years of its existence. https://gafgaf.infoaed.ee/en/posts/perils-of-electronic-voting/
What's (still) wrong with Estonian e-voting? · 🐕 Üks Tartu krants

Estonia spouts official and binding electronic elections since 2005 and it has been a controversial yet an interesting journey. The building blocks of initial system have been replaced, but the lure of trusting operational security instead of democratic oversight is still very much there.

@mattblaze @HcInfosec @jeroen

The only possible way to have secure voting over the internet is when we develop the ability to transport people over IP, let them vote, and transport them back home again.

#transporter #StarTrek #impossible

@cazabon @mattblaze @jeroen As long as I get my own tcp session 🖖
@cazabon @mattblaze @HcInfosec @jeroen And I never understood why the Star Trek transporters can't have their transmissions recorded and duplicated or even modified. (See certain of George O Smith's Venus Equilateral stories for a fun take on that, though he decided not to allow living beings to be transmitted/duplicated.)

@mattblaze @jeroen I think one could minimize chances of votes becoming public and accept that a chance of your vote becoming public exists but is very small.
One could build several separate ledger counting systems and a non-public in between decentralised open-source system. The third system could be counting in max 5 votes per unit and then encrypt it.
You still keep the problem that some decentralized system holds the keys, but that is also true for voting now: you can simply add a few cans with voting papers too.
For me the biggest issue is: how do you reliably and in mass prove IDs or authentication

With eIDAS that problem is tackled

@HcInfosec @jeroen Well, I guess you're the expert.

I give up.

@mattblaze @jeroen Yes you are the only person who gets to decide what's right. Typing words in captions doesn't mean shit. Fundamentally is the kind of word used when rationality stops.
Many problems that seemed unsolvable have been solved nonetheless
@HcInfosec @jeroen I apologize for wasting your time.
@mattblaze @jeroen It's not that what you say is stupid, it's the tone. It's unacceptable so go away

@HcInfosec @mattblaze @jeroen

gutsy to reply to someone to tell them to go away in *their own thread...*

if you want links, perhaps you should start with matt's cv, it's full of them https://www.law.georgetown.edu/faculty/matt-blaze/

Matt Blaze

@mav @mattblaze @jeroen Yes, the childish man Matt blocked me. I have no respect for such bullies. He has time to yell but not to explain.
If you defend rudeness you are rude yourself.

@HcInfosec @mattblaze @jeroen

I'm not gonna say Matt isn't a dick, but he has been having this same conversation with thousands of uninformed people for years. It's tiresome *watching* it happen let alone being the target of so many people who seem to be angry at him for existing.

You jump in a thread with a guy who's been researching voting methods for decades and has had every damn discussion under the sun, you have nothing useful to contribute but you do want to yell at him because you think there should be a solution and he's just... what, being ignorant? Willfully deceptive? What's your end goal here? Do you want the right solution or the solution you want to be right?

If you were asking Schneier why we don't use MD5 anymore, would you be surprised if he mocks you for not even doing the most basic of research?

@mav @mattblaze @jeroen We will happily live on don't worry. I learned some things about mail voting which is nice. I forgive him for being not perfect, which nobody needs to be.
But I do have a nice cartoon for this situation 😎
@HcInfosec @mattblaze @jeroen This may be an unpopular opinion, but I'd urge you to read references such as that here:
https://nap.nationalacademies.org/catalog/25120/securing-the-vote-protecting-american-democracy
Matt tends to be short with nay-sayers because he's had to fend off so many rude attacks over the years, but he really has studied voting security in great detail. Whether you agree with him or not, it's worth engaging to understand what he says and why he says it.
Securing the Vote: Protecting American Democracy

@oclsc @mattblaze @jeroen Thanks, is there a shorter version? I did download it of course
@HcInfosec @mattblaze @jeroen Dunno. Matt knows a lot more than I do about this.
@mattblaze @HcInfosec @jeroen we already sacrifice secret ballots with mail in voting (anyone in your household could watch you vote and even force you to vote how they want). Seems like we decided the pros outweigh the cons on that one. So if we remove that one, online voting seems plausible.
@mattblaze @HcInfosec @jeroen also mail in voting is secure in practice but not in theory. Nobody has even once checked my ID either to apply for mail ballot or to vote. It’s based on signature verification of whatever I used to sign up. I haven’t signed my signature the same way twice in my entire life. It wouldn’t be too hard to outdo that in terms of authentication rigor.

@ssylvan @HcInfosec @jeroen Vote by mail represents a balancing of tradeoffs, because it involves unsupervised voting that could compromise ballot secrecy in individual cases. However, the protocols for processing ballots prevent wholesale compromise of ballot secrecy, in a way that electronic voting would not.

I discussed the protocols for mail-in ballots a bit here: https://www.mattblaze.org/papers/Emergencyvoting.pdf

Supervised voting at polling places is definitely more robust against individual coercion.

@mattblaze @ssylvan @HcInfosec @jeroen I think we do a pretty good job here in Colorado with mail ballots and same-day voter registration. I worked at the polls in 2020 and it was very smooth.
@mattblaze @HcInfosec @jeroen There are e-voting mechanisms where voters could verify their vote after the fact, so any changing of the vote would be detected. It does mean that anyone could force you to reveal your vote (at least before the election result is announced, since you'd presumably destroy your receipt at that point), but again we have that problem with mail-in votes already.

@mattblaze @ssylvan @HcInfosec @jeroen Reading that paper, it's like one of Trump's people looked at the first threat on your list--"possibly degraded postal delivery service"--and immediately went all out to create that threat.

Really appreciating vote by mail in WA. Would not like to live in a state that doesn't. I don't have time or inclination to stand in long lines over and over. Guess that's the point.

@ssylvan @mattblaze @jeroen That's clever. They have a signature database apparently.
Then they probably scan your ballot, and have a computer see what you voted for.
Notice, that computer at that moment knows and could log or communicate what you voted. So there is the same problem #evoting (e-voting or electronic voting) would have.
#democracy #voting

@HcInfosec @ssylvan @mattblaze @jeroen

Typically you sign the outside of a sealed envelope. That is checked before it is opened and the unsigned ballot sent to be counted. If it's not opened mechanically (by a machine without a scanner!) then there will be observers to make sure people who see the signatures also don't stop to read ballots. They don't have time for that, anyway.

Election officials take their jobs seriously. Anything you think up off the top of your head will already be addressed by standards and best practices.

@dveditz @ssylvan @mattblaze @jeroen Ah, that's indeed different. The signature is not on the ballot but on the envelope. Does open some attack surface of course.

@HcInfosec
One advantage of polarized politics is that each side worries the other will cheat, so there are all kinds of controls, procedures, observers, and audits to prevent everything that anyone has ever thought up.

That's why the real battle is over who votes, not how. The "how" gets argued over because it makes voting easier for the wrong people or harder for the right people, and the arguers disagree on who those are.

@dveditz Yes, the whole world knows in the #usa the #gop has gone fascist and tries to block poor and colored people to vote. It's a pretty sad and also dangerous situation.
@ssylvan I expect the difficulty of intercepting lots of mail undetected is doing more to secure the ballot than the signature in that case.

@mattblaze @HcInfosec @jeroen there are cryptographically secure ways for a person to vote, where that person can go and validate the vote was counted, and nobody can see what this person voted, even if they see the proof that the person voted.

Here is one description of it: https://www.microsoft.com/en-us/research/publication/end-end-verifiablity/

End-to-end verifiablity - Microsoft Research

This pamphlet describes end-to-end election verifiability (E2E-V) for a nontechnical audience: election officials, public policymakers, and anyone else interested in secure, transparent, evidence-based electronic elections. This work is part of the Overseas Vote Foundation’s End-to-End Verifiable Internet Voting: Specification and Feasibility Assessment Study (E2E VIV Project), funded by the Democracy Fund.

@gigantos @HcInfosec @jeroen Not quite. There are cryptographic techniques for verifying, after the election, that your vote was counted correctly, in ways that don't themselves reveal your vote. These systems do nothing to correct the problem if a software error or compromise caused your vote to be counted incorrectly, or to refute a claim that it was counted incorrectly.
@gigantos @HcInfosec @jeroen In other words, e2e verifiable voting (the technical term for these cryptographic systems) does not provide software independence.
@mattblaze @HcInfosec @jeroen but the voting machines used in the US do?