[mspecter]

Oh, hi.

I'm Mike Specter, lead author on the MIT report [1], and have been involved in other voting-related research projects [2,3].

LMK if you all have any questions!

1. https://internetpolicy.mit.edu/wp-content/uploads/2020/02/Se...

2. http://people.csail.mit.edu/rivest/pubs/PSNR20.pdf

3. https://www.belfercenter.org/sites/default/files/files/publi...

[dmix]

The article mentions:

> The clients do not interact with the blockchain directly, so there is no blockchain verification code in the client.

So if all client requests are routed through the same centralized API endpoint before hitting the blockchain, nor validated after the fact, whats the point of the blockchain? Just some public "ledger" of what the server ultimately sends out?

Ideally, at a minimum, you would be given a token for your vote which you can then follow up and see it on the ledger. Even if you don't get to wait for 'confirmation', it's still a public signal that something is not right.

[mspecter]

That's a wonderful question.

The honest answer is that I have no idea. In the version we reverse engineered, there's no proof of inclusion of any of the data in the blockchain in the client, and the receipt system was via a PDF. The vote selections (ballot?) are also never signed by the client.

It's also worth noting that, according to the ToB article, the backend blockchain is a permissioned hyperledger instance, which runs PBFT[1] rather than proof of work. PBFT is controllable with roughly 1/3 of the network, 100% of which has been controlled by the company.

[1]http://pmg.csail.mit.edu/papers/osdi99.pdf

[the_snooze]

Is there any technical/security benefit at all to private blockchains? Or even more generously, lightly-mined public blockchains? It seems that in either of those scenarios, you lose the decentralized validation and consensus brought about by a bunch of people incentivized to compete with one another to burn electricity.

[mspecter]

To push this further, I was working on a research paper with Ron Rivest, Neha Narula (head of MIT's decentralized currency initiative), and Sunoo Park (a wonderful applied cryptographer) on whether blockchains in general could be helpful in casting and tallying.

We're skeptical.

See: http://people.csail.mit.edu/rivest/pubs/PSNR20.pdf

[eyegor]

But if everyone used a public blockchain, with proof of work + user-level signatures for each vote cast, wouldn't it be far more auditable than any current system? Ignoring implementation details, reaching a point where anyone could have a way to audit that their vote was counted (correctly) seems very useful. Using this sort of model, it theoretically wouldn't matter who completes the proof of work as long as the results are audited.

[baobabKoodaa]

You don't need blockchain to enable voters to verify "that their vote has been counted correctly". Several cryptographic voting schemes already provide this feature (for example, Civitas and Floating Receipts).

[nordsieck]

> Is there any technical/security benefit at all to private blockchains?

It really depends on what you want out of your blockchain.

For example, the backend of git is essentially a blockchain. It's extremely useful, even for a solo developer.

[smacktoward]

> whats the point of the blockchain?

My bet would be: marketing. Blockchain is hot, blockchain is sexy -- at least among people who aren't really technically inclined. (The technically inclined passed over the blockchain hype curve several years ago.)

There are tons of blockchain projects out there whose only real use for the blockchain is to be able to slap "now with blockchain!" on the sales materials.

[rsynnott]

> whats the point of the blockchain

Er... the word 'blockchain', obviously. Catnip to a certain type of VC.

[munk-a]

Within the article this statement was made

> Trail of Bits engineers said Voatz' code was written intelligibly and free of many common security foibles, but added “it is clear that the Voatz codebase is the product of years of fast-paced development.” The summary goes on to list several technical flaws, such as a lack of test coverage and documentation, infrastructure provisioned manually without the aid of infrastructure-as-code tools, vestigial features that have yet to be deleted, and nonstandard cryptographic protocols.

That honestly sounds pretty good in terms of software quality, adding additional tests for proofs and ramping up ops are both addressable problems - especially if handled by a government sponsored team. But...

How confident are you that we could reach a well engineered and proofed electronic voting platform that also adheres to theoretical rules around vote security?

And which component of that, adherence to theoretical requirements and perfected development practices, do you see as a larger hurdle to overcome going forward?

[mspecter]

> How confident are you that we could reach a well engineered and proofed electronic voting platform that also adheres to theoretical rules around vote security?

I don't think we can with the current commodity devices / ecosystem, even assuming that voting system software is well-written. Keeping electronic-only systems secure from nation-state level adversaries is hard.

[micimize]

I understand that current solutions to electronic voting are unsatisfactory, but I am fairly baffled by:

> It remains unclear if any electronic-only mobile or Internet voting system can practically overcome the stringent security requirements on election systems

Like, we can adequately secure banking software. With proper considerations and processes for the problem domain (i.e. user follow up / validation, alerts on suspicious vote changes) I don't see why securely implementing electronic voting is considered near-impossible, and has so few advocates.

[mspecter]

To put this in short-hand: "We bank online, we buy all sorts of stuff online, why not vote?"

The biggest reason is that banking and other financial transactions have a very different threat model from voting.

In particular, voting requires a secret ballot. In addition to preventing an adversary from learning how you voted, a secret ballot requires you to be unable to prove how you voted, to prevent vote selling and coercion.

So, unlike financial transactions, how you do validation / remediation of failures is very unclear. Ben Adida has a blog post with further thoughts here (https://benlog.com/2007/03/02/on-voting-banking-and-bad-anal...).

[micimize]

Hmm, I hadn't fully grokked the facet of the problem domain. I guess you could give users a spoofing mode, that allowed them to fake any ballot / action. Or possibly, if there was a window of time in which they could change their ballot freely.

Maybe making such features both secure and accessible would be nearly impossible though.

[roywiggins]

Many bank transactions can be reversed, and the ones that can't can be covered by insurance or self-insurance. You can't practically speaking reverse a tainted election.

Anyway, I'll let Tom Scott take it: https://www.youtube.com/watch?v=LkH2r-sNjQs

[rodgerd]

> Like, we can adequately secure banking software.

We really can't. Banking is riddled with fraud, and I say that as someone who works in banking and has designed online banking software. Even with continually ratcheting up security in banking software, use of MFA, encouraging customers to more-secure platforms (Android/iOS), fraud detection (various approaches on the back ends, edge, etc), fraud through online applications is many orders of magnitude higher than fraud in traditional voting systems.

It doesn't matter so much in banking because we can (and do) give customers their money back. We can't fix a broken election.

And that's before we get into the way online voting completely fucks election practises around vote buying, coercion, etc.

I wish people who think they understand computers and are clever would actually make the effort to learn something about either domain before saying stuff like this. It's very disappointing.

[micimize]

But we've developed processes that allow us to have a functional online banking system. Similar processes might be possible for voting - such as a confirmation and triage period like with ACH transactions, but a month long or something.

For vote buying, seems like all the software has to do is enable faking your vote to 3rd parties effectively. Hard, but seems doable.

Like, yes, it's a very hard problem. But we could stand to do more than scoff and write it off as impossible.

[insomniasexx]

We can't secure banking, there are just a lot of undo processes, holds, and internal processes and cross-comms that make it so people don't lose all their money all at once and potential losses can generally be reversed, insured, bailed out, covered by someone else, or balanced out / hedged against. Even with that, fraud is rampant and heists worth billions do still occur digitally[1]. And these are financial systems that evolve constantly over centuries at this point. And the attackers still win sometimes.

The biggest thing the measures do is significantly decrease the known ROI on a target. For example, a credit card can be cancelled. Even if the bank doesn't notice and the person doesn't notice and you do get 100k off it, the fact attackers don't know that still reduces the value of the stolen credit card and therefore the incentive to steal them. Further the gain of 100k by an attacker may be split amongst cardholder, card issued, insurance, merchants, etc. so no one person actually loses 100k. These things all matter when building and securing new systems.

If you look at the cryptocurrency space in general, you can see what happens when you replace a credit card or swift with transactions that are similtaneously immutable, very valuable, and easily anonymous enough. The monetary value on anyone's Coinbase account, let alone all the Coinbase accounts, is so high that we've seen attacks[2] usually reserved for nation-state actors and by actual nation state actors[3], including sophisticated + targetted zero-days and bgp hijacks and all sorts of fun stuff. Not to mention the very high density of attacks that require lower effort and talent like sim swaps, phishing, spear-phishing, impersonation, typosquatting, on and on.

Regardless, if the potential gains to hack a bank are level 1, and crypto exchanges or private keys are a 10, then voting is 1,000,000.

The zero-sum nature of winning an election coupled with the potential gains from doing so are so large and so unfathomable that we have to assume that the lengths people will go to are unfathomably more than everything else we've ever tried to secure. Bc if you can gaurentee a win for a candidate or choose the candidate or change the candidate, you can do anything. You can own anything. You can control anything. You can make any amount of money. The limit is only your talents, abilities, moral compass, and appetite for risk.

To protect against a huge number of attackers, including nation state ones with essentially unlimited resources and the incentive to use those unlimited resources is…it's never been done. Again, back to Coinbase, they secure their crypto with...wait for it…paper. Generated and printed using randomly chosen, single-time, fully-airgapped machines. In a random location. In a Faraday cage.[4] That's how you secure billions when you don't have an undo button. With paper. While not even trusting the electricity flowing thru the cable.

As we saw in the 2016 election, Brexit, and lesser know elections across the globe, it takes very little to secure a win. With the right data (which is even more accessible today than it was in 2016) you only need to manipulate relatively small amount of voters. I'm too lazy to look it up but the numbers were insane when you looked at who was targeted by VoteLeave and Trump's campaign. They may have served 40m ads but it was only to like 40k people.

And that wasn't hacking anything. And those were huge-scale elections. And we still don't know who gained what from their outcomes, just that a lot of people spent a decent amount of money and a huge amount of effort to do so. And it wasn't selfless.

Small towns make gains more obvious. If small town mayor decides who gets the contract for building the new 10M town hall and if you can build it for 5M, you have 4.9M to spend on winning that contract. (Well 5M - resources to rig election - gain required for you to take the risk and put in the effort.) And, given the size of government contracts and their ongoing nature, the financial gains alone are massive. Military contractors: trillions and trillions.[5]

Even securing a single contract early on can ensure your success down the line. Maximus handles tons of Los Angeles welfare programs and now all sorts of programs around the globe. They have for 40+ years. They have billions in annual revenues from doing so. E.g. "In September 2012, the Illinois Department of Healthcare and Family Services awarded Maximus Health Services a two-year, $76.8 million contract to help the state with its Medicaid program. That same month, Maximus announced a $23.5 million contract with the State of Oklahoma."[6] Most of these contracts are decided not by the president but a random group of 5-7 officials at a meeting no one knows about where there is no competition and no real discussion.

Again, these are just a few very, very, very simple incentives people have to manipulate votes. Again, go look at 2016 Trump election or Brexit in depth to understand truly what is currently known about the number of people and the lengths they went to to get an election won. Without hacking. Check back in 40 years after more details emerge. We just don't even know yet.

The reason I have zero faith in any tech being successful in the nearish term with regards to voting is not that I think programmers suck or that politics is corrupt. It's that it's truly unprecedented on an incentives level and risk level. And, it's not just that the risk and potential loss for society or potential gain for attackers is so huge, it's also that we don't even know what it is, and even if we did, we wouldn't be able to comprehend it. How do you secure that when that's what you're up against?

The scope of what we do know about banking fraud, crypto fraud, and paper voting fraud is so great and we are always one step behind attacks and mitigate risk in millions of little ways because we can't fully reduce it. But you can't hedge against election fraud. There's no insurance. There's no undo button. There's no time travel.

And that means that, very unlike financial services, the amount you have to spend to secure an app of this nature is actually one resource more than the attackers are willing to spend to get their way in an election. Or one resource less than the amount lost if an attacker wins. But what even is the value of people, our future, our literal lives? Society, war, money, peace, contracts, the fed, interest rates, all the markets, all the debt, n95 masks, new buildings, old buildings, corruption, legitimacy? We can't know which of these attackers are going after therefore you have to protect against all. And there literally isn't enough resources in the world for that.

Zooming back down to simple: there isn't enough money to even secure an app for a single small town that has a single contract for $10M and will never have another contract and there is, impossibly, no other possible gain for rigging the election. I mean, there literally is enough money. But why spend $1M or $2M or $5M on that app? Why even spend a dollar? Why do so when it doesn't actually reduce all the other risks of election manipulation and corruption that are currently in practice while adding a whole new variety of known and unknown attack surfaces and exacerbates existing ones? You wouldn't. Period.

Why would a company try to build an app knowing this? Well, either they're optimistic and altruistic as fuck and don't know it. Or, second, they are taking advantage of you. Or, third and most terrifying, is the act of building a voting app itself is actually the way to rig the election.

Voatz, without a shadow of a doubt, is not the first. Perhaps the second. But the third? When you consider the timing of Voatz' fundraise, who they raised money from, the goddamn timing, the fact they didn't die when it was discovered they were using old ass php and plesk in 2018, and the fact the app is actually still this fucking completely worthless and insecure and hasn't improved, well, I can't say that it's not an attempt to rig an election but it's def not the US who's doing the rigging. They would go to far greater lengths.[7]

---

1: https://en.wikipedia.org/wiki/Bangladesh_Bank_robbery or great podcast on it for audio lovers https://www.stitcher.com/podcast/mugshot-podcast/mugshot

2: “Responding to Firefox 0-days in the wild” by Philip Martin https://link.medium.com/x8tNj2rc14

3: https://blog.chainalysis.com/reports/cryptocurrency-exchange...

4: https://www.wired.com/story/coinbase-physical-vault-to-secur...

5: https://247wallst.com/special-report/2019/02/21/20-companies...

6: https://en.wikipedia.org/wiki/Maximus_Inc.

7: https://archive.nytimes.com/www.nytimes.com/interactive/2013...

[micimize]

All of this doesn't undermine the fundamentals of the model I'm approaching the problem of online voting with. What is the potential upside, and is a system that reaps those benefits without compromising on security possible? I believe there are answers to most of these problems, providing you can restructure some aspects of voting.

It's not something I would advocate implementing in the nearish term, but I do think work can and should be done on it's fundamental problems.

One if the best/most frequent arguments against online voting is that there will be exploits and individual votes can and will be tampered with. So, lets take that in isolation for a second. Lets say I have to cast a vote a month in advance. I can change it for another month, but perhaps only in person. Is that enough fraud mitigation? What if that period is a year long? What if my political positions have been known by this app for years, and a dramatic shift in their distribution sends an alert prompting confirmation processes?

Essentially, is there some level of triage/verification process at which the online vote is considered acceptably secure? Well, if so, then can it be made compatible with a system that ensures ballot secrecy?

To flesh out my overall thinking of this problem domain – my kind of dream/ideal future of democracy is a system in which the positions of the electorate are "simply known". Right now we clumsily take a partial pulse every 2-4 years. But, if we had a system where voting (and polling) was "passive", then we could see the shift in sentiment way easier. Tampering would show in the data, or else have to be maintained for long periods of time. Essentially, the further we move from instantaneous votes, the better the process should get across the board.

To get a bit soap-boxy, if representation is a right as opposed to a privilege, then deepening and broadening it is an obligation of the state. More aggressively accessible in-person voting options would be good, but in the long run nothing will beat technologically-enabled democracy... if we can figure it out.