This is crazy (and dangerous). West Virginia is allowing people to vote via a smart-phone app. Even crazier, the app uses blockchain—presumably because they have no idea what the security issues with voting actually are.
Warren • October 19, 2018 6:52 AM
Bruce!
This isn’t like you – give the full context:
“allowing hundreds of overseas residents and members of the military stationed abroad to cast their ballots remotely”
This isn’t a general internet voting option for WV residents
It’s still problematic, but starting with such a small group is a pretty good way to beta-test/proof-of-concept whether it’s actually effective or not
AlanS • October 19, 2018 6:54 AM
@Winter In the context of gerrymandering and voter suppression, one has got to figure “they” consider it a feature.
wiredog • October 19, 2018 7:51 AM
Obligatory XKCD: https://m.xkcd.com/2030/
RSaunders • October 19, 2018 7:58 AM
@parabarbarian: I believe you’re on the right track. Allowing overseas military members to vote electronically makes them think the state is trying to make their service easier. The downside is only that a small number of votes get botched. A small number of votes gets botched every time, people don’t follow the instructions or the chad doesn’t detach or something.
While voting ought to be precise down to the units digit, that would be too hard for the sort of folks who want a job at the local board of elections. It’s becoming almost like newspaper polls, ± a little is OK. Worst case is that it’s a tie, and then we’re flipping a coin or drawing lots or the like. It simply undermines the significance of voting.
Jack • October 19, 2018 8:56 AM
Who cares, according to leading conspiracy-theorists you already have a KGB-agent as POTUS?
fred • October 19, 2018 9:17 AM
Let anybody vote anyway they wish.
But for those of us who care, please give use a secure, auditable way to vote.
Peter Knoppers • October 19, 2018 9:30 AM
@fred: Are you just trolling, or do you really not care that fraudsters can swing the results of a race because lots of votes are not cast in a “secure, auditable way”.
I find this very disturbing.
Saul Tannenbaum • October 19, 2018 9:39 AM
Voatz has been floaiting around the Boston/Cambridge startup scene for awhile now, attracting support your basic buzzword bingo including blockchain.
When the West Virginia voting trial was announced, your HKS colleague, Juliette Kayyem, was associated with Voatz, giving it a security imprimatur. I can’t find anything about a current relationship but perhaps a conversation is in order.
Petre Peter • October 19, 2018 9:46 AM
@parabarbarian
The US election has been classified as critical infrastructure
Impossibly Stupid • October 19, 2018 9:50 AM
@parabarbarian
I have come to the realization that voting is not seen as important enough to secure.
You have it backwards. Those in power think voting is so important that they must keep it as insecure as possible. Secure things are accountable. Secure things follow logical rules with mathematical rigor. If you make a voting system secure, you make it very hard for the corrupt to rig an election.
@fred
Let anybody vote anyway they wish.
Terrible advice. History has shown time and time again that flawed voting systems seldom reflect the wishes of the voters themselves. It matters not one whit that your vote is secure if you still allow your opponent to cheat at will.
Jon (fD) • October 19, 2018 10:01 AM
@parabarbarian: There is such a system, inadequate as it may be, what with registration and ID cards.
There is, however, a problem. See, for me it’s trivial to scrape up fifty bucks, the required fistful of paperwork my parents bequeathed to me, and spend a day sitting around at the DMV.
To people who $50 means the difference between paying the rent or not, that four-hour shift they take means the difference between keeping their (often 2nd) job or not, and who don’t have, either through fire, theft, or just incompetent record-keeping on the part of their parents/guardians, that fistful of papers what may seem a harmless requirement to you is in fact a near-insurmountable obstacle to them.
I have no problem with such a system provided it is provided free of cost to every potential voter, free of both financial and opportunity cost.
The citizen living in a cardboard box under a bridge who hasn’t an address, any papers, or seen $50 in once place since the Carter Administration has just as much right to vote as I do.
If that citizen is prevented from voting by inability to carry the relevant papers (yours, please!) an injustice has been done.
Of course, this is a touch OT. People living in cardboard boxes don’t often have smartphones (although those living in their cars often DO!). Still, they deserve a vote as much as anyone else.
Jon (fD)
Jon (fD) • October 19, 2018 10:06 AM
PS – If you’re really worried about voter fraud, try looking in the state Houses and Senates, wherein you’ll find people voting, both more than once and in other people’s names, is practically standard practice.
A Texas House member was caught on video reaching around and pushing voting buttons at many desks other than her own. Some Senators apparently even bring sticks with them to the chamber to make it easier to push someone else’s button.
Start with that voter fraud, and then work on the rest.
J.
Faustus • October 19, 2018 10:12 AM
I think the blockchain is a great idea for non-malleable voting records. It is sort of amusing or concerning that Bruce, who really seems to dislike blockchain, in another post would suggest malleable DVDs as better. We have to be careful what we accept solely to satisfy our bias. We spend a lot of time looking for problems with the things we don’t like. Not so much time looking for problems in our own ideas!
The blockchain is like a paper record, although not as user friendly. Maybe some techphobic people would have trouble accessing their info, though it seems like almost everyone consumes at least one of social media, shopping or porn, so maybe interfaces could be made that are similar to these sites!!
Once a voter is authenticated, a simple system could allow her to create a unique identifier for her to track her vote. It would embed user provided data so the user knows she is not being pointed to some generic vote, but her actual one.
People could verify their vote against this immutable record using numerous open source applications that are unlikely all to be hacked. People could also write their own vote tallying systems.
I suppose that the anonymity aspect would be addressed by using one way functions to record who voted in a conceptually separate blockchain while obscuring the identities. Alternately we could expose who voted, just not connect that with a vote. I would prefer not to expose the voters so the mob of the day couldn’t harass people who can’t be bothered to choose between a tyrant from party A, a nanny state authoritarian from party B, and a bunch of others with no hope of winning.
Brandon • October 19, 2018 11:07 AM
While we can have the debate on how true this is (I think voting software can be secure given the right config), it seems relevant:
Weather • October 19, 2018 11:58 AM
Slightly off topic,but if ever vote had a computer to make a election vote,years down the line, maybe bills and individual laws,as the majority is well the majority not much in society will change, but the would be as close to full democracy
Genie • October 19, 2018 12:32 PM
West Virginia is in trouble. I had arrived there seeking safety from even worse trouble.
A crowd of coal miners gathered when they saw my out-of-state license plate at a gas station at a small town near the state border. “We’re felons,” they told me.
No trouble at first, not from them at any rate.
My clutch gave out near Charles Town, and I couldn’t really afford to get it fixed “right,” so a guy at the service station hooked up the clutch cable a little better and charged me $200 +$20 tip, to get me a few miles further down the road.
I tried to open a bank account at United Bank, but the account was arbitrarily closed some time later, and my deposits returned to their source, while I had outstanding checks, which consequently were not honored by the bank, even though in fact I did have sufficient funds on deposit there. Anyways, …
https://www.cnn.com/2018/08/14/politics/west-virginia-supreme-court-impeach-trnd/index.html
The entire Supreme Court of West Virginia was impeached, the whole sorry lot of them, but the impeachment trials were later botched, and those crooks are still sitting on the bench while the innocent ones have lost their “privilege” to possess firearms.
Genie • October 19, 2018 12:44 PM
Botched trial?
Those WV Supreme Court justices must have failed to recuse themselves from their own impeachment trials, or else the legislative House failed to make a motion to recuse the judges from their own trials when they passed the articles of impeachment.
Faustus • October 19, 2018 2:17 PM
@Genie
I’m happy the impeachment fell through. Impeaching the whole court screams of impropriety. The charges pretty much describe 99% of all government officials.
The Court was right to rule it violated the separation of powers: The impeachment is the poster child for violation of separation of powers.
I hope the idiotic idea some Democrats are floating about expanding the US Supreme Court and packing it likewise fails.
The country has to live with the result of these selfish tantrums.
As a public service announcement, I would like to advise people that they can get acquanted with their ballot by visiting https://www.vote411.org/ , operated by the League of Women Voters. I have about 20 things on my ballot, some of which needed checking out.
Don’t let Nov 6th be the first day you see what is on the ballot.
Timothy • October 20, 2018 12:23 AM
The U.S. Election Assistance Commission (EAC) has a blog post on West Virginia’s upcoming 2018 election “#Countdown18: Securing the Vote — West Virginia.” From the blog post:
When Secretary Warner came into office, he charged the Elections Division to find a solution to the problem [of extremely low military participation in elections]. Thanks to an investment by a generous philanthropic donor who shares the same concerns of military participation, West Virginia initiated a mobile voting application as a solution…
Dave Tackett, Chief Information Officer for the West Virginia Secretary of State’s Office, says, “We are not wedded to this app. At the end of the day, if something goes wrong, we will find another solution. We want to ensure that we are moving forward with something that warrants our full confidence. So far though, the tests look good.”
Voatz, West Virginia’s selected mobile phone voting app, has a FAQ page plus several blog posts on its West Virginia pilot program. From its official statement on the West Virginia pilot:
Has this been vetted by independent 3rd party auditors?
Yes. Following the first West Virginia pilot, multiple independent technology firms were engaged to vet the Voatz system. Reputable security companies was engaged to conduct penetration testing on the system and to inspect the source code of the Backend Systems and the Voatz smartphone application for both iOS and Android. A public HackerOne program has been engaged to continuously analyze and test the implementation of the blockchain network and the mobile applications.
The HackerOne Voatz bug bounty program appears to have been launched in August 2018, paying out $50 to $1,000 for low to critical vulnerabilities.
Genie • October 20, 2018 7:49 AM
“Vetted” by reputable security companies? And a gentleman’s bug bounty? The real vets say run for your life before they charge you with felony voting fraud for having an app like that on your phone or even visiting the company’s website. They’re not joking when they call these things “burner phones.”
Got your government issued I.D. on you when they arrest you for hacking the election? Ditch that phone and get off the property ASAP. It’s the party van.
Gerard van Vooren • October 20, 2018 12:20 PM
“West Virginia is allowing people to vote via a smart-phone app. Even crazier, the app uses blockchain — presumably because they have no idea what the security issues with voting actually are.”
And still they are keep on allowing this madness. This is yet again proof that the US is a monster that can’t be controlled.
In the words of Winston Churchill: “You can always count on Americans to do the right thing – after they’ve tried everything else.”
I just don’t believe they have tried everything yet.
Jon (fD) • October 21, 2018 5:24 AM
@Barfa – Still not flawless. I’m not sure any voting mechanism is.
In certain of Lyndon Johnson’s elections (back when it was all paper and counted by hand) as the Texas voting came to a close, it was a very close finish, and for Mr. Johnson to win certain outlying districts had to come in with fairly wacky vote distributions. Some calls were made, and they did.
Who transports the boxes of ballots to the counting place (and to the storage place) is important too.
J.
Timothy • October 21, 2018 11:59 AM
David Jefferson, whom the Politico article mentions, has a technologically savvy article assessing the security – or lack thereof – of the blockchain as a method to secure voting. His article “The Myth of “Secure” Blockchain Voting” unpacks a long list of threats that could be utilized to subvert the distributed database system. Some of the issues he reviews are the blockchain’s vulnerability to collusion based on the ownership of the distributed databases and the cyberthreats common to all Internet voting systems including authentication, malware, DoS attacks, penetration attacks, and non-auditability.
He suggests that rather than moving to Internet-based voting systems, all jurisdictions should move to paper ballot systems with routine manual audits. He details the improvements that have been made to support military and overseas voting, including the laws that mandate the availability of ballots 45 days in advance of Election Day and the fact that blank ballots must be available for electronic download.
Mr. Schneier’s The Guardian article from April included a link to DEF CON 25’s Voting Village about which he writes “By the end of the weekend, conference attendees had found ways to compromise every piece of test equipment: to load malicious software, compromise vote tallies and audit logs, or cause equipment to fail.”
DEF CON 26’s Voting Village Report from September 2018, co-authored by a half-a-dozen contributors including David Jefferson and Matt Blaze, offers that the event made “30 pieces of voting machines and other equipment available to its participants” however I didn’t see Voatz, West Virginia’s mobile voting app, listed as being presented for the event as we now quickly approach the 2018 mid-term elections.
Surprisingly West Virginia’s Division of Homeland Security and Emergency Management has an online safety guide for minors warning of the dangers of mobile apps, with let’s say location services enabled, so it is increasingly difficult to fathom the trust extended to a smart phone voting app for remote military personnel. Much earlier this year Mr. Schneier wrote about a fitness app that “could be used to locate secret military bases” which the military subsequently banned. Surely, Voatz must have offered assurances that GPS and other such identification data would be unaccessible.
Thoth • October 21, 2018 7:21 PM
@all
Blockchain is not the security problem and we should not quickly point fingers at it saying it is insecure until we can figure out why Blockchain is insecure. It is like saying RSA is insecure but not having drilled down to the whys and hows.
To be more exact, what is truely insecure is actually the practical implementations that gives implementations problems. This is like saying RSA is insecure under the circumatances that someone uses textbook RSA for encryption to provide context on what actually is insecure and the whys and hows.
Blockchain if properly implemented is a merkle hash tree and there is nothing wrong from an algorithm standpoint. The implementations like how the transactions and blocks are verified and mined and the consensus drawn on each block is the main deciding factor.
Assuming they use Bitcoin style like he Proof of Work then it can be problematic if the attackers hold 51% of mining power. This can be fixed by using a private blockchain where adding to the block uses miners that are approved and regulated in some sense.
The IOTA style of Tangle which is its own form of ‘blockchain’ is much more efficient as it does not need active mining or rewards of sorts. The reason is that the mining is done when someone wants to submit their transactions.
Let’s say in order to qualify for entry into an IOTA Tangle, your transaction has to verify previous two transactions thus the verification/mining is actually done by whoever trying to enter the Tangle Ledger. Error on the Tangle Ledger by using a branch that is verified to be clean.
The problem with Tangle and IOTA is the homebrew hashing algorithm but a modified variant with a SHA2 hash or SHA3 would solve the problem of problematic homebrew hash functions.
What I am more concerned is the use of smartphones for eWallets to store their blockchain keys and these were never the best idea for security unless they use the Ledger hardware wallet as the Ledger is by far the most robust hardware wallet up till now.
The reason why I am able to discern and refute claims on such accussations of Blockchains is down to the fact that as part of a security hardening effort by my client, I was contracted to build the backend for a particular exchange in a secure manner and that meant I had to write the backend transaction mechanisms FROM SCRATCH !!
Being forced to work with raw blockchain technologies from nothing in order to enhance its security, there was no easy way around and I had to handle the low levels of different types of blockchain ranging from Bitcoin, Ethereum and many more.
I wont dare say I am expert in all of them. I am no expert in any and in fact it is my contracted job that gave me a chance to peek into the mechanics of blockchain and its working gears and cogs. I invested much time and effort into it and drew a conclusion from my study of these blockchains from a practical hands-on style.
So before we throw in the towel and say blockchain is insecure, please go to Github, go to forums and ask about the codes. Do the codes yourself. Understand the underlying mechanics first. The whitepaper are good starters but the codes are the main essentials as the codes will evolve away from the specifications of a whitepaper or yellowpaper due to practical feasibility.
The best way to understand them is via trying them on their test network.
Hopefully the use of strong hardware wallets instead of simply smartphone wallets would be used in this voting.
Timothy • October 21, 2018 9:57 PM
@Thoth
Being forced to work with raw blockchain technologies from nothing in order to enhance its security, there was no easy way around and I had to handle the low levels of different types of blockchain ranging from Bitcoin, Ethereum and many more.
Voatz’s FAQ page says that it is built using the HyperLedger blockchain framework. Are you familiar with this?
Voatz also says that its distributed servers run open source blockchain software while its backend systems and iOS and Android smartphone apps run on proprietary source code and are not open for public inspection (less the pen-testing companies who reportedly inspected the source code). The FAQ has more details that might be assessable with someone who has worked with the technology at the level that you have.
The article “Meet the guy paying for West Virginia to run an election on blockchain” gives insight into Bradley Tusk the venture capitalist and political operative who paid $150,000 to cover the cost of West Virginia’s contract with Voatz. In additional to working for politicians such as NY Senator Chuck Schumer, IL Governor Rod Blagojevich, and former NY Mayor Mike Bloomberg, Tusk has lobbied for firms like Uber, reportedly earning $100m in Uber stock for his work. Tusk, the founder and CEO of Tusk Holdings, manages multiple business ventures including a VC-fund with a portfolio of startups, a casino-management firm, and a philanthropic foundation. His Tusk Montgomery Philanthropies (TMP) declares its two-fold mission to be solving hunger and mobile voting; its website has an extensive collection of articles published on Voatz’s West Virginia pilot. He says that he does not have any direct investment in Voatz though his fund does have a stake in Coinbase, a cryptocurrency exchange. Computer security experts in Freed’s article continue to ring the bell of alarm on the electronic-voting startup and review the many design decisions that may open the system to tampering. Benjamin Freed wrote a follow up article in September “Blockchain-enabled voting has started in West Virginia.”
Thoth • October 21, 2018 11:43 PM
@Timothy
Hyperledger is a bunch of Open Source blockchain technology funded by Linux Foundation and with many supporting institutions and institutional investors.
In fact the Monetary Authority of Singapore (central government authority on $$$ here) has started a Blockchain project called Project Ubin to create something similar to USD Tether by creating a SGD$ version of USD$ Tether back by the SG Govt via its MAS dept which authorizes minting of SGD currencies and all financial, assets, funds and banking issues.
So we have an experimental sandbox to peg our SGD$ to tokens with a SG Govt’s own Blockchain and it is based on Hyperledger project too which is pretty well regarded.
Sans • October 22, 2018 12:23 AM
Great comment from SANS.org
“Some portion of the generation that has never written a paper check will eventually vote the same way they pay and get paid. They will be hard to convince that voting by mail is safer than voting by mobile app. They will register by mobile app, obtain their ballot by mobile app, and cast it by mobile app. The “activists” might as well get over it.”
Clive Robinson • October 22, 2018 1:47 AM
@ Sans,
The “activists” might as well get over it.
SANS appears to be drinking the wrong kind of “Cool Aid”, why I don’t know, I guess it’s down to their political stance.
Those who comprise “Some portion of the generation that has never written a paper check” are in the vernacular of some “cruising for a bruising”.
Why? Because I’ve yet to see a secure App on a mobile device, nor am I ever likely to, that is the fundemental reality of the technology[1].
As communications end points there are two things that realy should concern you about supposadly smart mobile devices,
The first point is something few of the “Some portion of the generation” have ever thought about, but realy realy should. Because the implications are realy quite bad.
The second point should be obvious to anyone who can read. Not just the legislation and subsequent regulation and specifications but also the software and underlying hardware on which they are implemented.
That is most arguments or proofs of security are based on certain assumptions that are just not true, thus they fail.
For instance the news from the begining of this year about Spector and Meltdown which has shown all the talk about “secure enclaves” shows is basically nonsense[2], likewise signed driver code. The list goes on and on, with several good books telling you why if you care to read them.
But when you consider these two points alone –even without the inclusion of other fundemental issues of which there are several more– realy should tell you that what you see on your device screen is compleatly controled by others and there is nothing you can do about it…
[1] Something that SANS should be compleatly aware of but for some reason are pretending does not exist… Which does not exactly make them either trustworthy or reliable commentators.
[2] Though any longterm reader of this blog would have known that as attacks on memory via various techniques such as DMA or even software via RowHammer have been discussed at length fairly often.
Oliver Jones • October 22, 2018 5:41 AM
Electronic voting is going to come. It needs to come. “Turnout” needs to be much higher than it is if politicians are to understand that “the people have spoken.”
The turnout problem, of course, is the mindset that leads to the word “turnout.” We’ve successfully set expectations that everything can be done remotely … except voting.
But first the voting systems must be tested aggressively by white-hat system crackers. They must be subjected to more rigorous tests than banking systems are. Why? Bankers can use money to correct errors: somebody skimmed your debit card? OK, here’s your money back.
Clerks of elections cannot fix errors with money. Maybe the closest standard of integrity we have is HIPAA (health privacy). Election systems must give the citizenry confidence in their integrity.
The tests must include all sorts of attempts to cast fake votes, intercept or delete valid votes, lock voters out from the app, and so forth. The testers must be equipped with all kinds of security breach tools including lock picks and smooth talk.
One way to promote security might be to use open-source freely inspectable software. But it’s not nearly enough. Can you imagine a hand recount of a bunch of votes in a blockchain?
This WV experiment is limited to a certain number of voters, so if the election clerks are minimally competent there will be no way to stuff that eballot box. That substantially mitigates the risk (of the experiment).
Still, the secretary of state is relying on security by obscurity: he’s assuming that nobody cares about one little IT system. He forgets that his little IT system has a big fat target painted on it.
Thoth • October 22, 2018 6:02 AM
@Oliver Jones
“The testers must be equipped with all kinds of security breach tools including lock picks and smooth talk.”
Maybe the more accurate term is phishing and online scamming because if they are using blockchain, they will be decentralized and no actual voting machines available to be picked.
The likes of Facebook and social media alredy does a highly effective job at mass perception manipulation and the need of attacking the blockchain itself is less effective than spreading “Fake News” which is less problematic and less investment with huge returns due to it’s ability to reach out to more people across the globe.
The current rising trend these days are to attack the social media accounts and change people’s perception as one of the main highlights in recent times.
Cincinnatus__SPQR • October 23, 2018 6:44 AM
@ Timothy
Nice comments.
“…the trust extended to a smart phone voting app for remote military personnel.”
Of course, Mr. Schneier is right. It is completely nuts. I can picture military personnel not voting because they know it is unsecure.
The truth is that if something is easy to use, then people will use it–no matter how insecure or dangerous. Look at the list of politicians who have sent classified traffic over the internet or over cellular networks. Victoria Nuland comes to mind. It was easy, so they do it.
Timothy • October 23, 2018 1:03 PM
@ Cincinnatus__SPQR
Of course, Mr. Schneier is right. It is completely nuts. I can picture military personnel not voting because they know it is unsecure. The truth is that if something is easy to use, then people will use it–no matter how insecure or dangerous.
Sadly, for all those who are unaware, you are right. And this probably causes the people who have seen the fallout on the back-end to cringe.
Unfortunately without having the access or authority to see further into Voatz or the forces at play in West Virginia’s decision, there is only that gut feeling of insecurity.
To add to the discomfort (before hopefully the assurances) @Wesley Parish posted an article about smart phone apps that can track you even after you unistall them, and I just saw an article about apps that use excessive amounts of background data. I heard someone speak about the lack of access security researchers have to examine and debug voting software. And I remember Uber having a major snafu with law enforcement and a mobile app that deceived regulators (the funds used to pay for Voatz’s contract with the state were provided by a former Uber lobbyist). And on top of that, you have vetted security researchers throwing out warning after warning. I agree with you; easy certainly does not equate to safe. It’s tough not to feel and want more transparency for the people who are placing their trust in the system.
Impossibly Stupid • October 23, 2018 4:15 PM
@Cincinnatus__SPQR
I can picture military personnel not voting because they know it is unsecure.
Even better. The whole agenda for making it “easier” for the military to vote is that it is assumed they’ll predominantly vote conservative. The less voting they actually do, the easier it will be to exploit the system to have it support that outcome. People are less likely to notice their vote was stolen if they never tried to vote in the first place.
TRX • October 24, 2018 8:14 AM
I have come to the realization that voting is not seen as important enough to secure.
My county – in my state, each county has its own election commission – requires registration ahead of time, the poll worker matches my name and address against the registered voter list at my assigned polling place, and my name is crossed off before I’m allowed to vote. And this year marked the return of the requirement for “state-issued photo ID”, which a Federal court had previously blocked as “racist.” (a word that seems to mean, “because we said so, and we don’t have to explain to the likes of you.”
Of course, my vote was through a Diebold touch screen device, which means I might as well have just written it on a piece of paper and dropped it into the trash, as far as having any confidence that it was properly recorded. Our old system, still used by some neighboring counties, involved big cardboard ballots and felt-tip markers, and the ballots were counted at long tables, right out in the open for everyone to see, then tied in bundles in case a recount was necessary. Nobody has managed a credible explanation as to why we had to go to the Diebold machines. The usual “explanation” is that it is “faster”, which, since there was never any problem getting the votes counted before midnight before, translates to “because we said so…”
TRX • October 24, 2018 8:21 AM
See, for me it’s trivial to scrape up fifty bucks, the required fistful of paperwork my parents bequeathed to me, and spend a day sitting around at the DMV.
In my state, a state photo ID is $5. It’s done through the same DMV offices and takes the same thirty minutes to an hour as a regular driver’s license.
The profoundly poor probably have some equivalent ID already, from whatever assistance programs they might be on.
But if they don’t, the state Democratic or Republican Party will pay for your ID as a public service. And give you a ride to and from the polls, too. (The Libertarians and Greens are too cheap for that.)
TRX • October 24, 2018 8:26 AM
The HackerOne Voatz bug bounty program appears to have been launched in August 2018, paying out $50 to $1,000 for low to critical vulnerabilities.
Um. Doesn’t really sound like they actually want to know about any vulnerabilities, doesn’t it?
Of course, how secure can you be when you’re running on a spyphone which is backdoored all the way down to the CPU silicon?
Faustus • October 24, 2018 10:58 AM
The bitcoin blockchain has been secure since its inception. People might have their keys stolen, exchanges may screw up, but the blockchain has never been corrupted.
It is true that it is impossible to be totally secure. But banks run smart phone applications all the time and they have not collapsed. Amazon and Google run complex systems effectively and they are sufficiently secure for these companies to make a lot of money.
Paper ballots? Come on. They have been manipulated since the beginning of time. And can the ballots for the US President really be counted without involving software? Errors of significant magnitude will creep into any large scale manual system. This (and speed) is why people invented computer systems in the first place.
If we insure that 1) People vote at most once and nobody is voting in somebody else’s name 2) Votes are registered corrected and 3) Votes are tallied correctly, we have a secure system.
I don’t trust the W Va system because it’s not transparent. A non-open blockchain offers absolutely nothing.
But a publicly available blockchain answers all of these points. The blockchain is a fairly simple data structure. 100s or 1000s of people can create independent apps that people can use to verify that their vote is in the blockchain correctly and that people can use to independently tally the vote. Goal 1 will probably require some non-public tracking data so that the source of suspect votes can be tracked down and people can be caught who are fraudulently claiming their vote was stolen because they didn’t like the result.
If for some reason the system fails, an internet system enables immediate revotes, which are very difficult and expensive in large scale manual systems.
I don’t like any of the creepy software companies currently lurking around the election booth. Perhaps the core system should be written by NASA or some similar non-political arm of the government, or a small group of them. Encryption standards were put out to competition, why not a voting system? I am not suggesting that I am the person to actually do it, but I could create a team and write the whole system for less than a million dollars. You don’t want a big system. The bigger it is the more room for bugs. (Obviously the hosting/infrastructure costs would be a lot more than this.)
bttb • October 24, 2018 2:03 PM
From the New Yorker on Voatz, https://www.newyorker.com/tech/annals-of-technology/the-campaign-for-mobile-phone-voting-is-getting-a-midterm-test :
“…The retired Stanford computer-science professor David Dill has been writing about Internet voting since the turn of the century. He is the founder of the election-security organization Verified Voting, which is adamantly opposed to Internet, mobile-phone, and blockchain voting, advocating instead for systems that rely on easily auditable paper ballots. (Voatz is adding a paper-ballot option, but Dill is unconvinced that it is actually verifiable.) “I think it’s a horrible idea,” he said of the voting app. “My position is not that Internet voting is impossible in the sense that perpetual motion is impossible but that there’s a broad consensus among the best computer scientists that it’s not doable with current technology. If somebody comes out and says, ‘Yeah, I’ve got a secure Internet-voting system,’ they’ve got a high burden of proof.”
Researchers poking around the margins of earlier iterations of the Voatz system (which is proprietary and not open to public scrutiny) also found a number of problems with it. “The most basic issue is what happens to the votes before they go on the blockchain,” Dill said. “If the voter is entering a ballot on their smart phone in an app that’s written by Voatz, why should we trust this? Some random company gives us an app, we enter our votes into it, and that app claims to be delivering an encrypted copy of our ballot to be counted. We’re trusting not only the people who wrote the app but the people who implemented the operating system on the smartphone—first, to be honest, and, second, not to have any security holes that would allow a third party to have some malicious app that corrupts the votes…”
Timothy • October 26, 2018 1:13 PM
Voatz, the mobile app that West Virginia has elected to use for overseas military voting in the 2018 mid-term elections, has an odd term in their current Privacy Policy:
6. Site And Services Intended For Use Within The United States Only At This Time 1. Voatz provides its Sites and Services for the purpose of creating an enjoyable experience for users within the United States. The laws governing the collection and use of information within the United States may be different from the laws of your country. If you are not physically located within the United States, please do not use our Site or Services.
Huh?
Voatz’s Privacy Policy was linked to on both Google Play and the App Store, for Android and iOS mobile apps respectively.
On Google Play the app’s permissions/access are listed as follows:
Thomas Sewell • October 27, 2018 1:04 AM
I recently spoke to an American from Florida who was not a Republican. She knew the voting machines used in Florida could be compromised by an 11 year old in 10 minutes (literally: http://time.com/5366171/11-year-old-hacked-into-us-voting-system-10-minutes/ ) and she was also convinced any mailed in votes would be discarded.
@Winter, if that’s their conclusion (and yours) then you didn’t actually read the stories on this event. It was a fake setup designed to let the 11 year olds “hack” the contents of a web page by following the instructions of the organizers. It had nothing to do with voting machines, nor the counting of votes, just a web pages purporting to display unofficial totals.
Even if the web page used was an actual replica of the State’s architecture(it wasn’t, it was created for the literal script-kiddie event), all it would show is that someone can deface a web page, not affect the outcome of an election.
Reputationally, if you’re so very wrong on the basic information from a source you provided in your comment, it’s difficult to ever take anything you write in the future seriously.
Subscribe to comments on this entry
Sidebar photo of Bruce Schneier by Joe MacInnis.
Winter • October 19, 2018 6:46 AM
We must not discount the possibility that “they” think the security issues are a feature, not a bug.
I recently spoke to an American from Florida who was not a Republican. She knew the voting machines used in Florida could be compromised by an 11 year old in 10 minutes (literally: http://time.com/5366171/11-year-old-hacked-into-us-voting-system-10-minutes/ ) and she was also convinced any mailed in votes would be discarded.
I was not surprised to hear she would not make an effort to vote.
I can only imagine how the voters in West Virginia trust this voting system, but I do not think it will be much.
On the other hand, the prevailing way to subvert the paper ballots was to make voting a harrowing experience for anyone not in a well off neighborhood. If you make people wait for 4 hours and more to cast a vote, you give off a strong message:
https://www.pewtrusts.org/en/research-and-analysis/blogs/stateline/2018/02/15/voting-lines-are-shorter-but-mostly-for-whites
And
https://www.vox.com/policy-and-politics/2016/11/7/13545718/voter-suppression-early-voting-2016