Over-opinionated hyphen-abuser, lover of words, and magical-internet-money-community-management-busy-body.
Echo-chambers are, arguably, the worst thing to come out of our social-media-centric lives since that Auntie of yours who comments how grown-up you look now on every photo you post.
John Sebes, CTO of the OSET institute, is an incredibly educated man, passionate about fair and free election processes, an active member of the GBA, and, importantly for this conversation, believes « Any system which claims to be Blockchain voting, is neither blockchain, nor voting. »
« Hi John, what a great day to be debating blockchain (Bitcoin is blowing ATHs out of the water as we speak!). Starting on a nice easy opener then, when did you first take an interest in blockchain and cryptocurrency? »
« Well, I first discovered crypto, it was probably back in the 80’s when David Chaum came up with the first. Digicash was an interesting idea, but we were under the impression that Public key infrastructure was feasible at the time.
Not that it isn’t a great idea but — keeping private keys safely stored by memory? — not feasible for mere mortals. Blockchain, the other half of your question, merges two ideas: digital ledgers from Merkle hash trees, and cryptography. This was, around about, 1992? »
« Early doors then! So, in your recent blog post, Blockchain (heart) Breakers — great title by the way! — you start off by mentioning a large portion of those who advocate for blockchain based voting as a solution to current cyber security problems (with internet voting), aren’t aware what the problems actually are. Could you give us a quick overview of the issues as you see them in current systems? »
« There is a consensus amongst computer scientists and developers interested in elections, that it would be possible to build a digital voting scheme which would be suitable for the US, but only if the 6 hard problems of computer science were to be solved. A ledger only helps with 1 of these 6 — a digital ballot box.
Imagine a system in which someone at their computer — possibly running amuck with malware — ran the first gauntlet of fire, they overcame man in middle attacks and certification compromises, and the vote gets to it’s trusted end point.
That ballot is just a bundle of bits, open to tampering. How do you then take this when it lands on server, and make it tamperproof by those with admin access to the server? Basic problems. Rely on a single company/computer/system, and access is problematic. A distributed ledger needs to store multiple different copies of the ledger, so no one person can tamper.
After the conspiracy, it doesn’t matter whether or not it’s immutable — Data custodianship is required for any kind of transaction which has to be stored durably.
Now, you might think this applies to financial products, but they have this other nice property.
They are authenticated and easily reversed. Elections raise the stakes! The transaction isn’t permanently tied to a person, and if there is transaction fraud the vote can’t be reversed. It’s just too bad, you can’t take back!
And that’s the other reason it’s not widely used — it doesn’t solve all of these other problems.
Why take extra measures to secure the data after it arrives, if the data could have been whacked by malware on the user’s computer that sent the data ? »
« Honing the issue in upon military, overseas and voters with disabilities then, at present, the alternative to making it to the polls is email, and even still fax. Leaving blockchain out of it for just a moment, how do you rate this system? Is it fit for purpose as is, or does a more viable alternative need to be found? »
« What a totally horrible idea! ‘If you have a digital ballot, and need to return digitally because you couldn’t send it in time — then send it to us by email?’ It is parallel with paper, sure, but from security perspective, it’s full of warts.
For local election officials (LEOs) such as Amelia — if they are obligated to do this, maybe there is a better option. For these special voters, the law implies that it’s okay for the voter to be using systems that could infested with malware, that if a ballot is tampered, then too bad!
That’s the price of business.
It’s too bad in the case of the ballot going to the wrong place, of a social engineering attack.
Acceptable risk, because the alternative is they don’t vote at all. Law implicitly accepts the risks.
Given that email is acceptable. I’ve got no beef, per se, with people trying to provide better way for this special class. But it’s important to be honest. Just because a solution is better, it doesn’t mean it’s solved the hard problems. »
« Leading nicely into the more polarising side of the debate then, you say that any potential Blockchain based system introduces an entirely different set of risks to election processes (based on a DHS, FBI, et al report on internet voting). Could you outline the main risks for us? »
« In paper based remote voting, you have to trust people in transportation of your ballot — postman, ballot box officials etc. It’s a limited number of people and yes, some of whom have significant oversight. But it takes a conspiracy to tamper with ballots.
So there are some risks with paper based absentee voting, but if this come to fruition, you know who the perpetrators are. With digital remote voting you still have to trust everyone that could potentially touch that ballot, only this time, they aren’t government officials. Amazon Web Services employees, for example.
You’ve got no idea who they are, so the people risk is greatly expanded. It comes down to the digital attack surface. With paper, it’s just those people and their physical things.
With digital you have every company in the chain, so there are more weak points. Instead a handful of people, you have huge numbers of computers, each open to attack. The third I’ll give for now — and I could go on! — is that the additional harm of any malpractice extends to everyone in an election.
Now, the difference between retail and wholesale attacks is on the scale of comparing paper absentees voting and physical access tampering. I.e., Your ballot, along with thousands of others, can be tampered en mass if a storage box is corrupted.
At present, there is a small scale up on the harm with absentee attack. But with digital absentee voting, all the digital ballots can be attacked with one cyber attack, so everyone in this election suffers! One attack could literally change election results.
This is the primary reason why US government bodies are saying the risks are too great for general use by any voter.
As we said though, this doesn’t affect the conundrum of UOCAVA, as these are sufficiently low numbers to tolerate the risk. Let’s use the example of Alaska. Do you know much about what they were doing there? »
« Please, do tell… »
« Well, it’s by far the largest, most geographically dispersed State in the US, but, despite the size, there’s not a lot of people. I mean the place is so sparsely populated in places they don’t even get a regular mail service, you know? »
« Coming from the little old UK, the scale of things out there blows my mind to be honest! »
« I can imagine! So, Alaskan voters, for some it is hard to even partake in paper absentee voting. In response, they were trialling digital ballot return, and, better than email, they developed a Web Portal to upload files onto a server.
It was originally put in place partly for military, but, of course, for the very remote voters, they expanded this idea to provide absentee ballot digitally as a last resort.
What this means is, if they can’t even print, vote, and snail mail it back, they can just waive right to anonymity, and at least their vote will arrive! They were expecting around 5% — with a high water mark of ~9% — of the turn out to use this, which is already quite a large proportion of voting. When it came down to it, for Senator Lisa Murkowski, who was running as a write-in candidate, the margin of victory was much smaller than usual.
In fact, the margin was very close to percentage of digital ballots returned, although the true numbers of digital ballots wasn’t fully disclosed. So, shortly after this. what do you know, they back-peddled. ‘It’s great, but only for military from now!’ they said.
They realised it would only take a few hundred extra people using this option at every election until they reach double digits. Then we’re back to everyone getting mad at a service with only three guys running the server, and the inevitable outcries of ‘Couldn’t they change if they wanted to!?’ begin. »
« Can you see any viable ways to circumvent these issues using existing platforms such as Free TON? »
« Sure, if there is anyone trying to build ledger based tooling that is separate from crypto — the kind of ledger that makes sense for an election — then there is scope to have an impact on processes.
It wouldn’t be voting, but rather voter registration systems — the systems that nation state adversaries have conducted cyber attacks in past — so there is real scope for use there. In my conversations with Eugene, I’ve told him that you can’t seek to implement anything in the US if want to have positive impact.
They’re not going to have it in the US, no matter what. It (blockchain) doesn’t solve the gating problems, and if it doesn’t solve these big issues first, then secure data storage for ballots is moot. There is also the specific problem we have here of voters needing to be identified by LEOs directly.
And, well, seem as how we don’t have any form of large scale digital ID in this country, how do they do this? So, as I’ve said, until these bigger are solved, then to have a significant impact, why not go to Estonia? In Estonia they accept that malware and cyber attacks are a risk.
They accept the risk. It’s okay if malware changes the vote prior to count/being signed, they say, as this is the trade off. In the US it is not acceptable to put some voters at that risk, while others aren’t. The standards for disabled voters, has to be at parity with everyone else.
We can’t just say « don’t worry about malware » it’ll be okay, because their right to parity is protected. This said, as I mentioned, with military and overseas, we have some wiggle room, but that is just for this group. »
« Do you see any fruit being born of attempts to use blockchain to verify votes after the fact (as opposed to being used for the vote) such as the models being designed for Guatemalan elections by the Free TON community, or is this almost a Beta-Max type interim solution in your view? »
« In the US? Not at any scale. Sorry. If want to go on a big scale, go to voter registration. Looking at Guatemala, there are numerous NGOs (non-government organisations) trying to help with election verification. You have a system of volunteers, each helping to capture the information at the booths, and then making digital copies to be put onto internet.
So even here, you still need to believe the information from volunteers. The NGOs collecting the data, of course they need to store this information somewhere.
So sure, putting it on a public blockchain is a great idea! This brings trust. It can be watched by public in real time, aiding believability. It’s still a garbage-in garbage-out problem though. If you trusted the volunteers then, with a blockchain, you can be sure that, later on, nobody could mess with the report. Still, this has nothing to do with actual voting.
You can’t viably make it publicly accessible, as in, anyone can operate a node akin to a cryptocurrency blockchain. These chains are nothing like a private digital ledger that would be used by voters and election officials.
Going back to the question then, while I’ve been watching and am impressed by the work at Free TON, the tech which best fits (so far) in this field, in my opinion, is IOTA. It has really good open source ledger tech, very flexible, non-commercial. For anyone that wants to set up something public, this is the cheapest, easiest way to my minds eye.
Obviously, there are other sources though. With regards to transactions based on digital identity, some government organisations say that this actually become very useful in the case of vaccine passports.
You don’t have issues with ballot anonymity with this, the record needs to come from authority, but not forgeable. For this, blockchain is a sensible solution. »
« Garbage-in garbage-out, interesting analogy! I’m aware we’re running over time now, so alluding back to the title of the post then (assuming the Hackernoon editorial team don’t tweak it!), if you had to summarise this conversation for us, what are the 3 main reasons you see Blockchain based voting as a non-solution? »
« The internet does like X reasons why articles! Okay…
1) Blockchain doesn’t help with two most serious issues in American elections: Malware and the sad fact election official have no way to digitally identify voters. The legal requirement is that voter identification is done by the election officials, not a third party or Google, or an app which makes you take a selfie with your passport.
Blockchain doesn’t help with anything on the voters side.
We’ve got to figure out the digital ID problem, and address malware issues before thinking about applying blockchain technology to election!
2) Advocates of the technology cite Military and overseas usage, but this is a corner case. Those two issues above can be waived because of particular laws. So even in this limited use-case, blockchain won’t revolutionise anything there, because we already have options (stinky email, fax, web portals). All this has already been done, so, fine, stick it on a digital ledger if you must.
3) Maybe some day, we’ll be able to have everyone who is not military have a digital ledger which runs in background of a system without them even knowing they’re using blockchain. But not until those 6 main computer problems are solved, and we’ve still got 5 to go! You might not like to hear this, but blockchain won’t be the revolution, at least not for voting processes. The revolution will be a solution that solves trust issues, identity issues, issues of devices with malware.
A solution which answered these issues would be so revolutionary, they would completely reinvent the entire computer industry! This is why I say (to those claiming to have developed a working solution), ‘You don’t have a solution, you have a mitigating system.’
An actual solution: if they had that they wouldn’t be selling it to election officials, that’s for sure! They’d be selling it to the military and sleeping in a bank vault filled with gold coins! »
« Some very good points well made, I can only hope you’re wrong about the last one! John, it’s been great speaking to you, we should definitely do this again. Anything else you’d like to add? Anything to promote? »
« Nothing to shill today, Ben, but thank you for offering! I will add this though, I have a lot of respect in particular for those officials who are seeking a better solution for Military and overseas voters, and I definitely have a lot of respect for a tech vendor who says, ‘I’ve got something, it’s not a perfect solution, but it’s better than email.‘
The problem is, I don’t know anyone saying that. If I found that, with published source code, I would really respect that. But, for now, on a psychological level, we have baked it into the common assumption that computers are used to steal votes.
This is mind, I just don’t see a lot of value in a digital remote voting system that’s a black box. It’s just more Kraken food for those looking for ways to say votes are being stolen. »
Kraken food/Calamari… there’s a pun in there somewhere. I’ll leave that one to you though. I hope you’ve learned something from this conversation, and if not, I hope it was entertaining at least!
If you’d like to learn more about the potential blockchain and voting applications, there’s a wealth of information over on the GBA site, and you can also check out more of the work being done by Free TON in this area over on our new developed community site.
Until next time, when, I’ll be speaking to a genuine, bona-fide international-superstar-celebrity! You won’t want to miss it!
Create your free account to unlock your custom reading experience.
Traduction de l’article de Benjamin Bateman : Article Original