topic Re: Vote by (smart?) phone ... in Industry News

Vote by (smart?) phone ...

rslade — Mon, 09 Oct 2023 08:53:26 GMT

Electronic voting systems are weak on security. That is known.

Electronic ballots cast over the phone, or over the Internet, have been considered dangerously weak for some time. (A long, long time.)

And, we all know that portable devices have all kinds of security weaknesses.

So, in this climate, what do you think the smart thing is to do?

Of course. Build a smartphone app for voting. And have it used in West Virginia. (Remember, these are the guys who just impeached their entire Supreme Court.)

How do you register? Take a picture of your government ID, and a selfie style video of yourself. Face recognition will do the rest. (There's no weaknesses in face recognition, right?)

And it's protected by blockchain! So nobody has to worry about anything, right? (And nobody can extract data from a blockchain to find out how you voted, right?)

Re: Vote by (smart?) phone ...

CraginS — Thu, 09 Aug 2018 01:08:01 GMT

https://giphy.com/explore/facepalm

Re: Vote by (smart?) phone ...

CISOScott — Thu, 09 Aug 2018 14:53:44 GMT

Walk in voting is weak on security! When I voted in last year's presidential election, I was able to ask the volunteer if my mother-in-law was registered to vote. She paged through the voter roles right in front of me and I could clearly see who had voted and who hadn't (they removed a sticker and put it on another sheet when you came in to vote, so no sticker meant you had voted already.) She looked her up and couldn't find her but said well she can come in and fill out a provisional ballot.

My point being, there was no voter id required. I could easily game the system by asking about my "sick" neighbor (who I knew to be out of town or I knew never participated in voting) and see if they were on there. If so I just show up later in disguise and vote in their place. And what is to stop the "volunteers" from stuffing the ballot box at the end of the night? They just peel off a sticker, slap it on the other form and then fill out a ballot. Lather, Rinse, Repeat until you get 100% voter turnout for an area. Add into that provisional ballots and you have greater than a 100% turnout.

The election system needs a serious overhaul and voter id should be right up there. P.S. I have seen this at every voting system across 3 states. Not that I vote in multiple states in an election, I have just been voting long enough and moved around enough that I have voted in 3 states in my lifetime.

Re: Vote by (smart?) phone ...

Early_Adopter — Thu, 09 Aug 2018 15:51:41 GMT

I for one hold that voter turnout greater than 100% is wonderful evidence of the electorates overwhelming commitment to democracy!

If anyone has read any books in Alaistair Reynolds Revolution Space* Series he posits a political system called ‘Demarchy’, I assume a portmanteau of ‘Democratic Anarchy’.

Basically everyone in the Demarchy has to vote and you do it electronically and it realtime on much greater granularity than our current state of the art allows(Switzerland - IMHO it kind of works but is weird), and you get asked a lot of questions and are profiled(if it turns out you make good decisions then your vote gets added weight) - of course this needs to be electronic, and as such you’d assume that authentication would be secure, and profiling the individual over a the long term would provide better security that just walking into a polling booth or downloading and app.

Ultimately to have really secure elections our systems need multiple points of contact over time, and accountability and oversight are going to be as important as technology.

*It’s relatively hard SF, if compared to pop culture, though non of it as written before he current hype around Blockchain and AI. Data was also stored on ‘turbines’ which spun very quickly and failed spectacularly.

Re: Vote by (smart?) phone ...

CISOScott — Thu, 09 Aug 2018 16:10:16 GMT

If we weighted people's votes based off of their social media activity I can see some people going into the negative weighting.

Re: Vote by (smart?) phone ...

Early_Adopter — Thu, 09 Aug 2018 16:28:17 GMT

Pay me to not vote for you... or else!;)

Re: Vote by (smart?) phone ...

denbesten — Thu, 09 Aug 2018 16:59:29 GMT

@CISOScott wrote:
I could easily game the system by ...[voting for]... my "sick" neighbor.

Small risk in small-town America, where everyone knows everyone else. Bigger risk in big cities. Less detectable would be to steal absentee ballots from mailboxes, at the risk of violating 18 U.S. Code § 1708. Even less detectable would be to implement systems that don't require physical presence (either at the precinct or at your mailbox).

And what is to stop the "volunteers" from stuffing the ballot box at the end of the night?

Most (if not all) states require ballots boxes to remain in the presence of at least one Republican and at least one Democrat. Stuffing therefore requires cross-party collusion/conspiracy. I also believe that the two to three people you see at the check-in table must not be of a single party. So, for example, a Republican checks your name off the roster and a Democrat hands you your ballot.

The election system needs a serious overhaul and voter id should be right up there.

Most states have already implemented at least some form of Voter-ID. To prevent disenfranchisement (the opposite of voter fraud), Voter-ID needs to be coupled with a movement to "help people get IDs". Such a movement ought to be equally strong as "register to vote".

Re: Vote by (smart?) phone ...

rslade — Thu, 09 Aug 2018 17:13:31 GMT

> CISOScott (Contributor III) posted a new reply in Industry News on 08-09-2018

> Walk in voting is weak on security!

Doesn't have to be. I used to work as a Deputy Returning Officer or Poll Clerk in
elections. We got training. We use paper ballots and got the results in within an
hour of polls closing. (Less if we were using a counting machine. Which still had
a paper ballot trail.)

> When I voted in last year's presidential
> election, I was able to ask the volunteer if my mother-in-law was registered to
> vote. She paged through the voter roles right in front of me and I could clearly
> see who had voted and who hadn't (they removed a sticker and put it on another
> sheet when you came in to vote, so no sticker meant you had voted already.) She
> looked her up and couldn't find her but said well she can come in and fill out a
> provisional ballot.

One point being, that we didn't tell voters about other voters.

(We didn't have stickers. We drew a line through the entry when they'd voted.)

(Of course, back then, maybe stickers hadn't been invented yet ...)

> My point being, there was no voter id required. I could
> easily game the system by asking about my "sick" neighbor (who I knew to be out
> of town or I knew never participated in voting) and see if they were on there.
> If so I just show up later in disguise and vote in their place.

We also ask for ID. And check that the address matches the list.

> And what is to
> stop the "volunteers" from stuffing the ballot box at the end of the night? They
> just peel off a sticker, slap it on the other form and then fill out a ballot.
> Lather, Rinse, Repeat until you get 100% voter turnout for an area.

Ummmm, people called "scrutineers." I really hated the scrutineers, since they
weren't subject to the same restrictions as we were all day, but they do serve a valid
audit purpose.

> Add into
> that provisional ballots and you have greater than a 100% turnout. The
> election system needs a serious overhaul

Is your election system *really* that bad? (OK, yes, I've read the reports: yes, it
is.)

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
You are not my router! You are a Snort! - after P. D. Eastman
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade

Re: Vote by (smart?) phone ...

rslade — Thu, 09 Aug 2018 17:31:31 GMT

> Early_Adopter (Contributor III) posted a new reply in Industry News on

> and
> you get asked a lot of questions and are profiled(if it turns out you make good
> decisions then your vote gets added weight)

Kudos!

(Badges?)

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
I summon the vast power of CERTIFICATION! ... Well, this is
embarrassing; that's all I remember from the classes.
- Scott Adams, Dilbert
victoria.tc.ca/techrev/rms.htm http://www.infosecbc.org/links
http://blogs.securiteam.com/index.php/archives/author/p1/
http://twitter.com/rslade

Re: Vote by (smart?) phone ...

rslade — Thu, 09 Aug 2018 19:15:40 GMT

Re: Vote by (smart?) phone ...

Caute_cautim — Thu, 09 Aug 2018 20:03:25 GMT

Would you really trust a Blockchain system, which was released to the Open Source community, and then some start up then decides to invest and sell shares in it, without looking under the hood and all the other ecosystems required to ensure its assurance levels. Without standards, assurance controls, certification processes - there are many things that can go wrong. I think it is too early, good for resolving business issues - of which about 85% of the time is where the real issues reside. But the underlying infrastructure, has certainly been put together - lots of people are talking about it, including NIST, but until Governments put some legislation in place - would you trust it at this point time? What about private Blockchain systems - many Government Analysts and auditors would want access to such system for monitoring and investigation purposes legitimately.

Regards

Caute_cautim

Re: Vote by (smart?) phone ...

rslade — Thu, 16 Aug 2018 15:56:41 GMT

@rslade wrote:
And it's protected by blockchain! So nobody has to worry about anything, right? (And nobody can extract data from a blockchain to find out how you voted, right?)

And blockchain has now become a mainstream election platform ...

Repeat after me: blockchain is weak. Blockchain is poorly understood ...

Re: Vote by (smart?) phone ...

Caute_cautim — Thu, 16 Aug 2018 19:32:04 GMT

I agree, and I happen to work with an organisation who actually put it into the mainstream market. Even I don't believe it is ready, but this does not stop progress. No Sir, you cannot stop or slow down progress.

Regards

Caute_cautim

Re: Vote by (smart?) phone ...

Early_Adopter — Fri, 17 Aug 2018 03:24:36 GMT

I could imagine a lot of claims based security and ephemeral-ness going to an online voting system. Block chain, maybe a record resisting mutability that someone(a given secret key) had voted, and on the flip side in another similar chain with record that an entity(a given public key) had a vote - but recording that x had voted for y so that z could send the boys round for a cup of tea? Nah.

Just because you have digital you don't get away form the analogue, or you risk 'the great forgetting'.

As an aside you can already vote on the things that are most important to many people with your smafone:

https://www.nbc.com/americas-got-talent/exclusives/agt-app

Re: Vote by (smart?) phone ...

rslade — Fri, 17 Aug 2018 15:13:11 GMT

@Caute_cautim wrote:
Even I don't believe it is ready, but this does not stop progress. No Sir, you cannot stop or slow down progress.

As I mentioned:

"I have seen [progress] in an egg ... We call it going bad ..."
The Voyage of the Dawn Treader, C. S. Lewis

Re: Vote by (smart?) phone ...

Early_Adopter — Fri, 17 Aug 2018 16:52:26 GMT

Caspian”s egg analaogy(metaphor?) was just entropy(ok horrible simplification), I felt the egg was fertilised he would have speak of embryology. Being more pedantic he might have accurately reported that he saw the results of progress on the opening of his egg, unless he was an egg boffin, and that doesn’t leave much time for being a prince and whatnot.

The concept of progress Is however arguably overrated. I refactor the code and claim it’s progress, next minute QA tell me it’s a regression....

I’d say it’s more down to how quickly you can safely use the new tools, how close to the bleeding edge do you want to be, and it’s not a race against a concept but more about how you stay ahead of bad actors without going broke or having catastrophic consequences because you were too fast/slow.

Re: Vote by (smart?) phone ...

Early_Adopter — Sun, 26 Aug 2018 23:54:28 GMT

https://xkcd.com/2030/

Re: Vote by (smart?) phone ...

Caute_cautim — Mon, 27 Aug 2018 02:13:58 GMT

Very good indeed - but the nub of the issue is a human being developed it, and will implement it, and it is human beings were most of the fault lies.

Regards

Caute_cautim

Re: Vote by (smart?) phone ...

Early_Adopter — Mon, 27 Aug 2018 17:01:56 GMT

Assuming that’s directed at Randall’s cartoon, I’d say “Well, yes...” but then point out that we could apply this to any product of artifice. Even if we look to a future where everything meaningful(or at least insureable) comes from an algolrythm you could posit a creator species that might have made better initial systems, I’m minded of this video:

https://www.bbc.co.uk/programmes/p06hdznx

TL;DR I made a learner, I gave it some pointless, statistically unreliable data, and well it came out with some pretty spurious assumptions.

So notwithstanding a deep FMEA on our fleshy infrastructure by superior machine beings, yes people are involved, they are flawed(and in the balance I think highly likely to fail en mass* in the next certruary or so), but at the moment they are probably the best option that we have - and well, if democracy doesn’t make itself available on the most used platforms, then it will at some stage go out of fashion( I think reality shows might help out here in keeping the lights on).

Lots of devil in detail, Attack trees and adoption of technologies needed to do e-voting properly, but I don’t think it’s beyond to acheive reasonable results in this field.