> We wondered what it would be like to conduct democratic elections online. While that is the far-far future, we set about building something that could get us a step closer towards that future.
There is unanimous agreement from the security community that we must not use digital voting. It is a mistake, full stop. As an opinion app it doesn't matter, but we must use paper ballots for our elections.
For anyone interested in learning more I recommend this short 20m Enigma conference talk by Ben Adida (currently building open source voting software/hardware at https://voting.works):
The security community is an expert community, and the people opinion isn't always aligned with expert's opinion, as the covid19 crisis showed it to us.
There is probably a place for a digital voting system, for example physically disabled people. It could also be used to let people vote on less important topics, where they would have otherwise no direct voice. For some important elections, we could have a majority of people voting on paper, but still have a digital voting system for specifically allowed people.
Some people already trust enough their phones to install a covid19 contact tracing app, without fully understanding all the layers of the technology.
At the end of the day, if enough people trust digital voting, it can happens, even if the system is not provable end to end.
While you are right and certainly most if not all prominent infosec people would be highly sceptical of any online voting I really don't think that's a reason to dissuade people from trying.
It's utterly absurd to say everyone should just give up and we will only use paper for the next 500 years. People should be attempting secure online voting and kneejerk pessimism or shutting down discussion on it is counter-productive.
In Germany, a election must be equal, secret and comprehensible. (Hope I translated correctly: gleich, geheim, nachvollziehbar). One of the three will always fail in online voting systems. The obvious is always the comprehensibility, because the majority won't understand the software. That can only be sold by losing the secret vote, because then a vote is reasonable for anybody.
It is fundamentally impossible to have secret ballots[1] in a digital system along with provable integrity. Secret ballots are necessary to prevent vote buying, intimidation, and coercion. If no one can prove which voter submitted which ballot, nor what choices a voter indicated, the voter is free to choose without risk of repercussions. The breakdown of any digital voting system is always with verification.
With paper, the voter can see that their ballot is securely stored under the supervision of the election operators, and they can see that representatives from multiple parties watch the movement and counting of the ballots.
In contrast, with a digital system it is impossible to verify that your ballot was delivered with the choices you intended without also being able to show that proof to anyone else. It is important that the voter is unable to show proof of their vote for the reasons mentioned above. Unlike a paper-based process, you cannot directly observe the functioning of an electronic circuit, the transmission of data over cables, or the storage of bytes in memory, and neither can anyone else trying to verify the integrity of the process. You'll never know if someone has replaced any of the hardware or software components with malicious versions designed to fool voters and rig elections.
I can prove the existence of X with zero-knowledge proofs without exposing X. Obviously there's more from there for elections but the cryptographic groundwork certainly exists.
But unlike the paper mechanism, the average person, nor the experts for that matter, can verify the correct and uncompromised implementation of the zero knowledge algorithm. You trade off the understandability and verifiability of the scheme.
I work in Switzerland on evoting issues and I disagree with that reply, so by definition opinion is not unanimous. End to end verifiable voting systems work. The devil is in the (operational details) but societies which wasn't evoting can have it if they read the research (or cheat and just take Switzerland's law).
Won't the results of this just be heavily biased via sampling by the fact that only certain types of people want to download and vote using an open-source public/private key voting simulation app?
Well, I think it's unfortunate that all opinion polls work that way. A small sample size can skew results in one direction. The objective is to get to a sample size as large as possible. I hope this goes in that direction.
No, most opinion polls don't work that way. Typically polls a) try and sample at random rather than self-selection and b) ask demographic questions that allows sampling to be adjusted to ensure it is representative.
When a client requests the public key from me, I give them a fake one- not the one present on the air-gapped PC, my own key. I then decrypt their vote, inspect it, and re-encrypt it with the real key before sending it off to the air-gapped server.
Does this work? How do you detect it? And what's your threat model?
The encrypted data along with the signature of the encrypted vote is written to the bigquery table (and not directly to the air-gapped server) which is written to another temp folder (only the account that has access permissions can write to this folder) before being downloaded and processed on air-gapped server. The malicious server will not be directly able to write to the air-gapped server.
"The encrypted data along with the signature of the encrypted vote is written to the bigquery table (and not directly to the air-gapped server) which is written to another temp folder (only the account that has access permissions can write to this folder) before being downloaded and processed on air-gapped server."
And there's what may be an even worse issue (not even requiring tampering with the public key) - the user's signature appears to go outside of the encrypted blob. Now, I can't tell what the signature is actually over - but if it's, say, just a candidate name or ID, then... without ever decrypting the "encrypted vote", I can figure out who voted for what by just trying possible values and seeing if I can validate their signature.
Thanks for commenting. If you are concerned that our signature is over candidate name or ID, we don't do that. We sign the encrypted vote and not the plain text. We verify it on the air-gapped system.
This reminds me of Democracy Earth. I like how Democracy Earth takes into account the concept of liquid democracy, where people can vote through nominating a trusted person they feel is more suited than they are to make what they feel is the right decision. This representative vote is an option to take on a vote-by-vote basis.
This creates a new thread pool for each login request. That's a terrible idea. If anything create it once statically and re-use it. Or just perform your actions in the calling thread as you're just issuing a .get() on the future anyway. Again, it's needless complexity.
The focus on technical details is fine - if you are going to build an opinion poll app it sounds like you're doing a fine job, but I don't really understand what it gains for users, society or your company?
When we process the results on the air-gapped system our algorithm does make sure that the user's vote is counted only once (no matter how many times the user has voted). Please read the process at https://voteism.org
I've read both https://docs.voteism.org/ and the Github README, and found no mention of this algorithm that prevents multiple votes from malicious actors. Except a brief mention of collecting "device id, location, ip address, etc". Could you point me to the specific section where it is explained?
Edit: After rereading your comment, I felt there might have been a miscommunication. I'm sure your server discards multiple votes from the same registered user. With "voting multiple times" I instead refer to a malicious actor masquerading as multiple distinct users by registering multiple accounts.
When we process the data and aggregate the results on the air-gapped system we do make sure that the user vote is not counted twice. Like you pointed out this is one of the fundamental things that is super important and we were very careful when we designed the app to address this issue. We did make sure that a single individual's votes are not counted twice. It is a custom algorithm. Also, we have taken precautions during registration too.
And are those precautions during counting and registration open source as well, or are they secret by necessity? I've had not had time to read the source code, if they are in there. If they are open source, could you still briefly explain the gist of the precautions here? If they are secret, can you offer any guarantees to the public that they cannot be circumvented in a way that makes any collected statistics inherently faulty?
I'm sure you've made impressive work with this app, and it surely is beyond my capabilities. But if you have created an app that presents itself as a reliable and secure system but in reality is easily gamed by malicious actors, it might actually hurt democracy instead of helping it. If the app gains any form of notoriety or popularity, it could be fed malicious votes and then be used to sow distrust towards the (real and valid) election results. In such a scenario it would just harm the democratic process. I have yet to see any indications that this is not a real possibility.
Being sure my vote is counted is only half the battle. I also need to be sure that my vote was not drowned out by countless of fake votes. One thing is not worth much without the other.
I would be more forgiving it was more clearly presented as only a prototype or proof-of-concept, but with a mission statement as grand as "VOTEism seeks to fix opinion polls" I feel it deserves more in-depth questions.
Thanks for all the questions raised here. Really appreciate it. To answer your concerns/questions -
1. Registration part is open-source and we have taken precautions such that same user doesn't register twice from the same device using different SIMs, change of devices.
2. We have made sure that the registered device is a mobile number
3. Restriction and verification of the user registration to where the poll is being held. For example, currently VOTEism app cannot be downloaded outside of US.
4. Counting part is not open-source by design, because it is processed offline and it is a proprietary algorithm out of necessity for secrecy.
5. We want to make sure the counting of the votes happens offline to eliminate the scope for manipulation
6. Vote data is encrypted and validated with it's signature to make sure it is not tampered with.
7. We are also making sure that the keys are rotated periodically.
8. We can guarantee that the collected information statistics are accurate.
I hope we have answered your questions. Please feel free to raise your concerns. If you want to take the conversation further you can email us at hi@voteism.org
The Covid-19 situation forced many things to shift online. We wondered what it would be like to conduct democratic elections online. While that is the far-far future, we set about building something that could get us a step closer towards that future.
VOTEism is a secure political opinion poll app to express your preference for one electoral candidate or the other. VOTEism currently works for the 2020 USA Presidential Election only. But we hope to take it to all countries where democratic elections happen.
Current political opinion polls are riddled with low sample sizes, interviewer biases, push poll tactics, self voting sock-puppets, and worst of all, the lack of privacy. VOTEism seeks to change that.
Your vote is encrypted with a public key on your mobile device and is decrypted with the private key on an air-gapped system. 4096 bit keys are used. Anonymized and aggregated results are published on the VOTEism mobile apps.
VOTEism is built, published and funded by a small and independent software company (AskDesis INC.) based in the United States. We have no political, governmental, corporate, or media affiliation. Please take time to read our transparency policy here: https://docs.voteism.org/transparency
We hope you find VOTEism useful. Feel free to ask us anything.
As far as I know Constanze Kurz of Germany's Chaos Computer Club wrote her doctor thesis about eVoting and proved that it's only possible if you abandon secret vote. If your voting system is a black box to most people, they have to see the result. Not only their result but everyone's result to be able to prove it's correct and the sums are also correct.
There is unanimous agreement from the security community that we must not use digital voting. It is a mistake, full stop. As an opinion app it doesn't matter, but we must use paper ballots for our elections.
For anyone interested in learning more I recommend this short 20m Enigma conference talk by Ben Adida (currently building open source voting software/hardware at https://voting.works):
https://www.youtube.com/watch?v=dy0_8A9U8Rs