Submitted by TheOfficialACM t3_yd7qp6 in IAmA

I am Dan S. Wallach, a professor in the Departments of Computer Science and Electrical and Computer Engineering and a Rice Scholar at the Baker Institute for Public Policy at Rice University in Houston, Texas. I am a co-author of the ACM TechBrief on Election Security and Risk-limiting Audits. I'm also a member of the Election Assistance Commission's Technical Guidelines Development Committee, so I help write the standards that voting machines in the U.S. will follow. I've done research on finding security flaws in existing voting systems and in designing better ones with sophisticated cryptography and other security features.

The mechanics of how elections work have evolved significantly over time. The U.S. has been transitioning away from insecure, paperless electronic voting systems, which became popular two decades ago, to newer systems involving paper ballots (either hand-marked or machine-marked), which are then tabulated electronically. What happens if the electronic tabulator has been hacked to produce fraudulent results? That's where Risk Limiting Audits (RLAs) can save the day, with an efficient random sampling process to compare the paper ballots to their electronic equivalents. Five U.S. states are requiring RLAs in this election and many more are piloting them. During this AMA, I'll be answering questions about RLAs, and more broadly, about security in our elections. Ask me anything!

More Info:

Read the TechBrief on Election Security: Risk-limiting Audits

https://dl.acm.org/doi/pdf/10.1145/3568005

ACM TechBriefs is a series of technical bulletins by ACM’s Technology Policy Council that present scientifically-grounded perspectives on the impact of specific developments or applications of technology. Read the issue to come prepared with questions!

Proof: https://imgur.com/a/oMvzaab.

EDIT: My allotted time is up. It was great talking to you all and answering these great questions. Before you go, grab an e-copy of the ACM TechBrief on Election Security (link above) and follow u/TheOfficialACM for more AMAs!

879

Comments


PaulSnow t1_itqqh5t wrote

Why don't we require all electronic voting to be done with open source hardware and software for true end to end auditability and transparency?

43

TheOfficialACM OP t1_itqusk8 wrote

The current business model of elections is that the vendors have no requirements for open source, but they do have the requirement that their systems are subject to certification and testing. The certification process requires the vendors to share their source code with the testing labs.

For what it's worth, there have been a number of attempts at doing an open source voting system that could be commercially viable in the U.S. market, but none of them have achieved significant market share to date, except perhaps the Los Angeles VSAP system, but the source code isn't actually open yet (article from 2018, but I don't think anything has changed since then).

(I do consulting with another open source vendor, VotingWorks.)

30

PaulSnow t1_itrgk17 wrote

Hence require open source. It isn't about being commercially viable, if not providing an open source product means it isn't commercially viable.

9

TheOfficialACM OP t1_itrlcw4 wrote

Here's a more concise way to put it: I would prefer if we did not have trade secrets in elections. Let the vendors copyright and/or patent their stuff, but the source code should be open to public inspection. This isn't about security, per se, as much as it's about transparency. If you want to get nerdier about it, it's also about publicly verifiable reproducible builds, which has ramifications for security and transparency.

15

PaulSnow t1_itrmgg9 wrote

In this case, transparency is security (more review) and verifiable reproducible builds is a given.

[in addition, ] Open source hardware is a critical component here.

Edit: *Added "in addition"

5

e_to_the_pi_i_plus_1 t1_itqseft wrote

Part of the issue is that elections are managed by municipalities. States have different rules and inside of states many counties have their own rules.

For a long time, hiding source code was thought to improve security. Voting machines are expected to last 10-20 years so it takes time to move to more modern notions of what makes something "secure."

19

dratsablive t1_itr5jh4 wrote

Not just time, but the motivation and funds to change.

6

PaulSnow t1_itrgzm2 wrote

Open source hardware and software is the only way to rid ourselves of accusations that are made about voting machines like we saw in 2020.

And it isn't an entirely baseless fear. We do know software is often compromised, and we even know hardware is often compromised.

The most secure software in the world is open source, and the best way to build forward with secure voting software with rich features is to ensure everyone can develop on a common base.

5

borktron t1_itslz64 wrote

While I'm generally in favor of well-understood and battle tested open-source hw/sw, it's not really a panacea. How do you know the build of the open-source software hasn't been tampered with? How do you know that the physical machines actually in use conform to the open-source specs and haven't been tampered with?

Of course, you can mitigate some of those risks by allowing stakeholders to inspect, verify hashes of builds, etc. But that's a lot of human-factor stuff on top that you're absolutely relying on.

So even in an open-source hw/sw world, RLAs are still critical.

2

TheUnweeber t1_itsw9xz wrote

Although open source isn't a panacea, couple it with trustless ledgers, and the more parties distrust each other, the more nodes they (and nonpartisans) will run. ..and that's nearly a panacea.

2

PaulSnow t1_itudneq wrote

This is exactly the point. Fewer truly independent code bases, increased distribution of knowledge of the code, more tools deployed for automated verification/validation of the code, etc.

Proprietary code usually ends up devolving to the point most of it is treated like a black box. This is because knowledge of the internal code is restricted. And then over time the institutional knowledge is lost as people quit the effort (nobody is immortal).

At least with open source, knowledge can be distributed over larger bodies of people, and more experts can exist for the entire ecosystem to leverage. For applications where no "secret code" or "secret sauce" is required and in fact is nothing but a danger, Open Source is the solution.

2

PaulSnow t1_ittge4u wrote

I am a big fan of RLAs. Basically we ran the election in 2020 in a way very few statistical tests could be run to compute a confidence level on the ballots.

However, software builds can be hashed and signed, and open source hardware can refuse to load unsigned builds. But how to evaluate the signature? This is where small cryptographic proofs from blockchains provide a distributed ledger.

The hardware and the software can be reviewed by everyone earning money in the voting game, and when disputes arise, there is no excuse to demand access to the voting machines because everyone has access by definition.

Open Source solves both pragmatic transparency issues, and political ones.

1

billy_teats t1_its8mb6 wrote

To be fair, open source software is increasingly becoming compromised. Some of the modern attacks would not stand against election systems, like someone taking over an old domain that didn’t get paid for so they can get someone’s custom email so they can reset the password to an account that owns a repo. Or someone making a pull request with a bug fix and also oh ya here’s a little call out to a C2 server.

−5

PaulSnow t1_ittguvh wrote

Not really. A tiny inactive project can run all those risks, sure. But voting software to be used in the US is going to be a big, active project. And many interest groups will be willing to pay for reviews of the source.

Every change sticks out like a sore thumb; hiding an exploit in a bug fix is more of a movie plot than a reality. Automated testing and source analysis will pick up any call out of the software with no human intervention.

1

Natanael_L t1_ittyuja wrote

The issue remains proving the hardware runs that software and that software only. No extra chips, no modified chips, not even tweaking semiconductor doping, and no exploits against the secure boot mechanism.

Even game consoles and the iPhone and sometimes HSMs fail at this.

1

PaulSnow t1_itucs77 wrote

If the hardware is modified, this can be detected. And deploying the hardware should be done with the consideration that the voting machines themselves are hostile. So keeping hardware off networks, using fixed communication channels, blockchain tech (which prevents processes from accepting data that isn't properly registered, does not go through fixed processes), etc. remains critical.

Proving security is impossible, but pragmatically it is possible. The unique requirements of voting software make it far easier to secure than any device that requires networking to be functional.

The most secure voting system is one that doesn't allow voting at all, preventing any exploit to capture or corrupt ballots. Since that isn't an option, we do the best we can. Which can be very good. None of the exploits discovered to date lack some process to address them.

1

Natanael_L t1_itufvgn wrote

In practice it's the paper copies that are the best security measure. It really isn't feasible to audit the hardware in full at scale.

1

PaulSnow t1_itwczyd wrote

Have we forgotten Florida already?

1

Natanael_L t1_itwew4c wrote

Do you think every voting machine in Florida can be xrayed?

1

PaulSnow t1_itydl6t wrote

Not sure what xraying voting machines is supposed to do.

1

Natanael_L t1_ityfenv wrote

How do you think hardware tampering is discovered?

1

PaulSnow t1_itziv5a wrote

Through testing, architecture, and audited manufacturing.

Auditable manufacturing processes at every level.

Altering chips requires massive changes in workflow and processes.

Certification of manufacturers (Not having your hardware manufactured in suspect countries like China).

Hardware design that separates keys and security from general computing. Embedded hardware testing and verification.

Hardware can be architected to be self checking, such that changes or alterations do not produce the same timing and values as the proper hardware.

https://www.securityweek.com/closer-look-intels-hardware-enabled-threat-detection-push

I can't find any reference for detecting hardware modifications with x-rays.

1

Natanael_L t1_itzm4n5 wrote

Did you not look at the link I provided above?

1

PaulSnow t1_iu0g3ko wrote

I don't remember a link talking about x-rays, and a review of the history didn't reveal a link from you I didn't read.

So what am I looking for?

1

Natanael_L t1_iu0m81m wrote

https://www.reddit.com/r/IAmA/comments/yd7qp6/i_am_the_coauthor_behind_acms_techbrief_on/ittyuja/

https://www.infona.pl/resource/bwmeta1.element.springer-147a2312-2fe6-3a08-9954-a904e950f9bb

> Instead of adding additional circuitry to the target design, we insert our hardware Trojans by changing the dopant polarity of existing transistors. Since the modified circuit appears legitimate on all wiring layers (including all metal and polysilicon), our family of Trojans is resistant to most detection techniques, including fine-grain optical inspection and checking against “golden chips”.

1

PaulSnow t1_iu23xnr wrote

Your first link is just your post, and it doesn't mention x-raying anything.

The second mentions optical inspection and checking against "golden chips", which isn't x-ray, and there is no reference to x-raying hardware here in the abstract. And I don't have a subscription to read the paper.

1

Natanael_L t1_iu2a0dm wrote

https://spectrum.ieee.org/chip-x-ray

And optical inspection is common - and less capable in detecting attacks like manipulated silicon doping

1

PaulSnow t1_iu2kxqj wrote

The article does not say they can detect doping. Their test was a flaw in an interconnect layer.

But great. You would do a statistical examination of batches of chips. Done. Their process is destructive.

1

billy_teats t1_ituh1hz wrote

> Hiding an exploit in a bug fix is a movie plot

Well this is taught up wrong

1

PaulSnow t1_itvxdnw wrote

The kind of exploit you describe (making a call out over the network hidden in a bug fix) is in fact very unlikely. This is pretty easy to find in code that is reviewed and tested as with most Open Source projects.

Especially applications like voting applications that have no networking functions.

1

TheUnweeber t1_itsvzfu wrote

..and, what about trustless ledgers? This is probably the safest direction to be heading.

1

lpd1234 t1_itttw1o wrote

Just use paper ballots FFS.

2

PaulSnow t1_itucynn wrote

Because we have never had issues with paper ballots. /s

0

lpd1234 t1_itwfqej wrote

Elections do not occur often enough in most societies to warrant an electronic ballot system. Many places that have tried have gone back to paper. It is not infallible, but it does represent something most people trust. Now, if you have segments of your society actively undercutting the legitimacy of elections, that might be something to pay more particular attention to.

1

PaulSnow t1_ityejte wrote

Fair and reliable voting is the goal. We know paper ballots don't solve all problems. Nor does electronic voting.

As to increasing doubt of our election security....

Both the left and the right are casting doubt on elections in the USA.

It's the level of conflict between the far left and the right that's at the bottom of this. Once you have demonized the other side past a certain point, how can they work together to have fair honest elections?

And if the other side is a literal threat to the future, what is a justifiable limit in what you will do to keep them from power?

At least we are not assassinating public figures at the rate we did in the 1960's yet. But how far away are we? Given the level of rhetoric we've heard since Trump got involved?

2

dr_noiiz t1_itqtjj4 wrote

How do you feel about the overall election security of the 2020 presidential race? Do you think there were any significant security gaps that heavily impacted the result?

12

TheOfficialACM OP t1_itqywpp wrote

To be absolutely clear, there is no evidence of any tampering with the 2020 presidential election. We have high confidence that the election outcome was correct.

Here's the crazy part: there's nothing inconsistent with the above statement and saying that there are a number of security weaknesses in our election systems that we need to improve. We'd love to see more states adopt risk-limiting audits (the topic of this post!), which would improve our confidence in their elections. Similarly, it's great that the older generation of paperless electronic voting systems are being replaced with newer machines that use paper ballots. This helps mitigate against the worst risks of malware or tampering with voting systems' software.

36

LostMyKarmaElSegundo t1_itrahdp wrote

What about the races that were so far off from the pre-election polling?

No one even thought to audit the Senate race in Maine, because it was a huge margin, but the polls had it much closer.

Wouldn't it make sense to do some sort of audit in those situations?

2

TheOfficialACM OP t1_itrcskm wrote

I'm not an expert in polling, but polls have margins of error, and pollsters often make corrections to their raw polling to compensate for demographic differences between their sampled population and what they anticipate the actual electorate might look like. So, for any given poll, there are a bunch of assumptions baked into the numbers, any of which might turn out to be false. In other words, when an election disagrees with a poll, that can be a surprise, but it's not an immediate red flag.

That said, many states have laws that allow for automatic recounts when the margin of victory is small enough (typically under 1%). And we recommend that every state adopt risk-limiting audits (the topic of this post!) for all their elections, as a required procedure.

In a high-margin race, a risk limiting audit requires a very small number of samples in order to provide convincing evidence of the correctness of the outcome, so RLAs would be a great thing to adopt.

12

rugratsallthrowedup t1_its4dzs wrote

People lie to pollsters

3

GalironRunner t1_itseims wrote

More than that, who's being asked, who's asking AND how something is asked can change a poll. You could write questions down and expect the same answers from anyone that reads it vs reading it to them as in that case the answer can change based on how you ask it and even based on where you put emphasis on different words which can change how someone interprets the question.

6

rugratsallthrowedup t1_ittnjyr wrote

I can also see a situation where the pollster calls, one person picks up the phone, the other resident asks who is calling and then proceeds to hang around, so the person on the phone changes their answers due to social pressure

3

Natanael_L t1_itshtck wrote

Also where they ask, they need to get a representative sample to make an accurate prediction

1

dr_noiiz t1_itrcxhm wrote

Thank you for the response :) I'll read up more on risk-limiting audits!

I'm glad to hear that a security expert such as yourself is not concerned with non-credible "evidence" and is more focused on eliminating vulnerabilities before they are exploited. I imagine you could talk at length about 2020 but I'll leave it at that!

1

TransposingJons t1_itqu348 wrote

Several years ago, when Dominion voting machines were first introduced into Georgia, NPR ran an article that associated them with large donations to the Republican party.

Why should we trust/not trust Dominion to deliver unadulterated voting results?

Am I crazy to think the Q-Anon morons might be right, but not for the correct reasons?

11

TheOfficialACM OP t1_itqxyji wrote

For starters, the modern Dominion equipment uses a printed paper ballot. This means that every voter can (and should!) take the time to read the paper ballot that the machine produces and, if something is wrong, they can "spoil" their ballot and do it again. This is an important defense against any hypothetical tampering or malware with the software inside the machines.

After that, you're not being asked to trust machines. You're being asked to trust process. Those paper ballots travel in ballot boxes that are suitably sealed. Election officials tabulate the paper ballots with election observers and the press watching what they do. Georgia also did a risk-limiting audit (the topic of this Reddit post!) during the 2020 election which confirmed the result in the presidential race. (More details: Carter Center report, Georgia SoS's page)

As you might imagine, there's a lot more to it than I can summarize in a few paragraphs, but you should have some comfort that the combination of certification & testing, plus the use of the right kinds of policies & procedures, are where we gain confidence in our election systems.

22

aleph32 t1_itqw806 wrote

Assuming the basic voting equipment is secure, how secure are the systems for agglomerating all those individual counts against, say, hacking or social engineering?

8

TheOfficialACM OP t1_itr96ni wrote

The purpose of a risk limiting audit (the topic of this thread!) is to efficiently determine if the tallying process gets the correct outcome. That's an important defense against hacking.

Social engineering / misinformation / disinformation is an important topic as well, but that's outside of the election system, in the sense that we can't fight misinformation by improving how our voting machines work. That said, fighting misinformation is a huge challenge that election officials now face. (Summary of the issues from the Brennan Center.)

13

Natanael_L t1_itsiy5o wrote

With paper ballots as a backup and protected from tampering, it's pretty hard to mess with a competent audit and not get caught.

1

Weak_Bus8157 t1_itqlj99 wrote

Do you have any national elections system besides US that might be worth your special consideration?

7

TheOfficialACM OP t1_itr167q wrote

U.S. elections are quite unusual relative to most other countries. Of particular note, we're often asked to vote on a huge number of contests. My ballot in Houston, Texas has I think 93 contests or propositions on it. This means that we require automation in order to get timely and accurate results. And therefore we must have computers around, but we need processes like risk limiting audits (the topic of this post!) to mitigate against the risks of malware or tampering with the computers.

Several countries are currently experimenting with Internet voting (Estonia, Switzerland, Canada, and more). This creates a variety of new risks that are harder to mitigate. What do you do to prevent malware on a voter's computer from tampering with their vote? What do you do to protect the servers against denial of service attacks? For contrast, consider that a paper ballot, whether marked by hand or by machine, once it gets into a ballot box, is beyond the reach of even the most sophisticated Internet attacker. There's nothing a foreign nation-state adversary can do over the Internet to modify ink on paper!

Of course, the real world is never quite so simple. I had the chance once to speak with Swiss officials about this, and they pointed out how 40% of Swiss nationals are physically outside the borders of Switzerland at any given time. And they might vote five times per year. Perhaps unsurprisingly, there's a strong demand for Internet voting, and an ongoing challenge to see if they can mitigate against those risks.

16

Natanael_L t1_itsim44 wrote

As a cryptography nerd, I think electronic remote voting for national elections is terrifying. Even the best possible technical solutions can be attacked with trivial workarounds if the users' devices can be compromised, or even substituted. Supply chain security for the hardware involved, handling issuing/registering keypairs and handling lost keypairs, etc. Coercion, targeted denial of service, etc.

Even without the actual election system being hacked, the processes around it can still be compromised. State of the art cryptography doesn't help when the keys are stolen and the inputs were replaced.

3

NoIHaveNotRedditYet t1_itr49ko wrote

Given the perceived vulnerabilities of electronic voting machines to remote bad actors, as well as the scalability for one bad actor to affect a large swath of machines, what are your thoughts on just reverting back to an entirely paper system? Is there a reason this would not be more secure?

6

TheOfficialACM OP t1_itreban wrote

The earlier generation of paperless electronic voting systems, adopted in the early 2000's, have been widely studied and have been found to have significant security flaws (examples: California "top to bottom" review in 2007, Ohio EVEREST 2007). (I was one of the co-authors on the California review.)

As a consequence, all the new voting machines involve paper in one form or another. The two most popular forms are ballot marking devices, which have some sort of computer interface and produce a printed ballot, and hand-marked paper ballots, which are typically scanned by a computer, often bolted to the top of the ballot box ("precinct count optical scanner").

The magic of a risk limiting audit (the topic of this thread!) is that it provides an efficient process where a post-election audit can prove, to a desired level of statistical confidence, that any errors in the electronic tabulation are small enough that they don't change the announced winner of a contest.

So, RLAs let us have the efficiency benefits of computers, while still having the security properties that we want from hand tallies, without requiring the slow (and error-prone) process of hand counting.

11
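An added example, not from the TechBrief or from anyone in this thread: the answers above say an RLA confirms the outcome "to a desired level of statistical confidence" and that a high-margin race needs very few samples. The sketch below uses the published BRAVO ballot-polling test for a two-candidate contest as one concrete RLA method (the thread does not name a method); the vote shares, seeds and ballot piles are constructed.

```python
import math
import random


def bravo_audit(draws, reported_winner_share, risk_limit=0.05):
    """Sequential BRAVO test for a two-candidate contest.

    draws: iterable of randomly sampled paper ballots, each 'W' (reported
    winner), 'L' (reported loser) or anything else (ignored, e.g. undervote).
    Returns (confirmed, ballots_examined).
    """
    if not 0.5 < reported_winner_share < 1:
        raise ValueError("reported winner must have a share in (0.5, 1)")
    # Work in log space: confirm once the likelihood ratio reaches 1/risk_limit.
    log_threshold = math.log(1 / risk_limit)
    step_w = math.log(reported_winner_share / 0.5)
    step_l = math.log((1 - reported_winner_share) / 0.5)
    log_t, examined = 0.0, 0
    for examined, ballot in enumerate(draws, start=1):
        if ballot == "W":
            log_t += step_w
        elif ballot == "L":
            log_t += step_l
        if log_t >= log_threshold:
            return True, examined
    # Sample exhausted without enough evidence: escalate (e.g. full hand count).
    return False, examined


def expected_sample_size(reported_winner_share, risk_limit=0.05):
    """Approximate average ballots needed when the reported share is correct
    (Wald's approximation, ignoring overshoot of the threshold)."""
    p = reported_winner_share
    drift = p * math.log(2 * p) + (1 - p) * math.log(2 * (1 - p))
    return math.log(1 / risk_limit) / drift


def simulate_audit(true_winner_share, reported_winner_share, rng,
                   risk_limit=0.05, max_draws=2000):
    """Sample with replacement from a constructed pile of paper ballots."""
    draws = ("W" if rng.random() < true_winner_share else "L"
             for _ in range(max_draws))
    return bravo_audit(draws, reported_winner_share, risk_limit)


def wrongful_confirmation_rate(true_winner_share, reported_winner_share,
                               trials, seed, risk_limit=0.05):
    """Fraction of audits that confirm a reported outcome the paper contradicts."""
    rng = random.Random(seed)
    confirmed = sum(
        simulate_audit(true_winner_share, reported_winner_share, rng, risk_limit)[0]
        for _ in range(trials))
    return confirmed / trials


if __name__ == "__main__":
    for share in (0.52, 0.55, 0.60, 0.70):
        print(f"reported winner share {share:.2f}: "
              f"about {expected_sample_size(share):.0f} ballots on average")
    # Tabulator reports 55% for the winner, but the paper says 48%.
    rate = wrongful_confirmation_rate(0.48, 0.55, trials=300, seed=7)
    print(f"wrong outcome confirmed in {rate:.1%} of audits (risk limit 5%)")
```

The `False` return is the escalation path: when the sample never produces enough evidence, the audit keeps drawing ballots or falls back to a full hand count.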

jilldoesthings t1_itqi0vq wrote

Are these RLAs new? Have we used them before?

5

TheOfficialACM OP t1_itqz3kk wrote

We summarize the adoption of RLAs in the article linked at the top. The idea is about a decade old and is growing in popularity among election officials.

9

e_to_the_pi_i_plus_1 t1_itqrz8i wrote

They have been used in Colorado for years, Rhode Island and Georgia in 2020. In addition, they have been used in counties in California, Indiana, and Illinois. Pilots have been done in at least 10 states.

6

redditorx13579 t1_itqn7j7 wrote

How important is physical security? Do you assume there is none for this situation?

3

TheOfficialACM OP t1_itqvcv5 wrote

Physical security (or, if you prefer, "chain of custody") is essential to all elections. Even if we're talking about hand-marked and hand-counted paper ballots, we still need to ensure that ballot boxes were sealed properly, transported properly, and guarded properly. Of course, when you add computers to the mix, physical security is even more important. This is an important reason for having post-election audits, like the RLAs we talk about in the linked article at the top of this post. An efficient post-election audit allows for discrepancies to be discovered before an election result is certified.

12

e_to_the_pi_i_plus_1 t1_itqsl3b wrote

Physical security remains crucially important for risk-limiting audits as it requires the set of ballots cast by voters not to be altered (reflecting the set of legitimate cast ballots).

3

PaulSnow t1_itqq9km wrote

What do you think of requiring blockchain based audit trails of all processes around elections, voting, tallies, challenges, and recounts?

3

TheOfficialACM OP t1_itqwe5v wrote

There's an entire academic discipline dedicated to the world of election integrity, and an important technique that's crossing the divide from academia to practice is called "end-to-end verifiable elections". Without getting lost in the technical details of how and why different encryption techniques are used, all of these voting systems generally include a concept called a "public bulletin board". If you squint at it, there isn't all that much difference between a public bulletin board and a blockchain. Both use cryptographic hash functions to build linear chains or tree-like structures.

The essential difference is that blockchains are "decentralized", which means that nobody is in charge. Instead, a series of unrelated parties reach a consensus as to what the blockchain means. In an election, however, all the parties are known in advance, and disputes are generally resolved through administrative processes or lawsuits. This means that public bulletin boards don't need consensus mechanisms. Instead, they're generally about publishing encrypted votes in such a way that a voter can verify that their vote was "counted as cast" (i.e., you get a strong proof that your vote was tabulated exactly as you cast it) as well as "cast as intended" (i.e., the machine didn't misinterpret your vote as you cast it). The exciting part of the cryptography is that we can achieve both of these properties without allowing you, the voter, to have enough evidence to be able to prove to anybody else how you voted (so, we don't enable bribery or coercion).

18

Bullboah t1_itqz0gc wrote

That’s interesting. How is verification that your vote correctly tabulated your choice achieved without giving you proof another person would recognize?

2

TheOfficialACM OP t1_itr7m60 wrote

There are a lot of variations on this, so I'm going to assume we're talking about how Microsoft's ElectionGuard project would work in the context of a ballot marking device. (I've written some of the code being used in ElectionGuard.)

Once the voter finishes specifying their vote, the machine computes an encrypted version of their vote. It's public key encryption, where the voting machine only knows the public key, so only the election official (or a group of election trustees working together, using a technique called threshold cryptography) can do the decryption.

The voting machine can also compute the hash of that encrypted ballot, and then hand it back to the voter, perhaps on a small receipt printer. Now here's the fun part: all the encrypted ballots for the entire election will be posted on some public web server somewhere. And you'll be able to use your receipt and figure out that a ballot matching your hash is right there where it's supposed to be. And now here's the crazy fun part: you can add all the encrypted ballots without first decrypting them. This is called an additive homomorphism. Every election observer can compute this same value, and compare it to the value that's ultimately decrypted by the election official, who provides a cryptographic proof that they did the decryption correctly. So, anybody can validate that their encrypted ballot is part of the big total and that the big total was decrypted correctly. But your receipt doesn't let you sell your vote, since it's the hash of an encrypted ballot, and that ballot is never individually decrypted. (This paragraph summarizes the "counted as cast" property.)

But wait, you ask, why should I believe that my ballot was correctly encrypted in the first place? Turns out, there are a number of independent ways to prove this.

  1. Your paper ballot, which is human readable, includes the hash of your ciphertext below it. A risk-limiting audit would, for each ballot being audited, recompute the encryption of the ballot, based on the human-readable text, and make sure that the hash matches.
  2. Ballots that are spoiled aren't tabulated. That means it's safe for the election official to decrypt those spoiled ballots. So we could create a process where regular voters and/or trained auditors are allowed to keep copies of spoiled ballots, and we'll check later on whether the human-readable text matches up with the ciphertext.

The cool trick here is that the machine doesn't know which ballots will be cast and which will be audited, so if it's going to cheat, it needs to cheat before it knows whether it might be caught. This is called a Benaloh challenge. Josh Benaloh is also, not coincidentally, one of the designers behind Microsoft's ElectionGuard.

14
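The "counted as cast" flow and the Benaloh challenge described in the answer above, as an added Python sketch that is not ElectionGuard's code. It uses exponential ElGamal, one scheme with the additive homomorphism the answer describes, over a toy 11-bit group (`P`, `Q`, `G` are assumptions chosen for readability), SHA-256 receipts, and a Chaum-Pedersen proof as one standard way to show the tally was decrypted correctly; per-ballot proofs that each ciphertext holds a valid vote are left out.

```python
import hashlib
import secrets

# Toy group, an assumption for readability: P = 2Q + 1 with Q prime, G of order Q.
# Real deployments use moduli thousands of bits long.
P, Q, G = 2039, 1019, 4


def keygen():
    """Election key pair; the voting machine only ever sees the public half."""
    secret = secrets.randbelow(Q - 1) + 1
    return secret, pow(G, secret, P)


def encrypt(public_key, vote, nonce=None):
    """Exponential ElGamal: (G^r, G^vote * K^r). Returns (ciphertext, nonce)."""
    r = secrets.randbelow(Q - 1) + 1 if nonce is None else nonce
    return (pow(G, r, P), pow(G, vote, P) * pow(public_key, r, P) % P), r


def receipt(ciphertext):
    """Hash of the encrypted ballot, the value printed for the voter."""
    return hashlib.sha256("{},{}".format(*ciphertext).encode()).hexdigest()


def encrypted_tally(board):
    """Multiply ciphertexts component-wise, which adds the hidden votes."""
    a, b = 1, 1
    for ca, cb in board:
        a, b = a * ca % P, b * cb % P
    return a, b


def _challenge(*values):
    """Fiat-Shamir challenge derived from the public proof transcript."""
    digest = hashlib.sha256(",".join(map(str, values)).encode()).digest()
    return int.from_bytes(digest, "big") % Q


def decrypt_with_proof(secret, ciphertext, max_tally):
    """Decrypt the tally and prove (Chaum-Pedersen) that the same secret
    exponent links the public key and the decryption share."""
    a, b = ciphertext
    public_key = pow(G, secret, P)
    share = pow(a, secret, P)
    g_to_tally = b * pow(share, -1, P) % P
    # The tally is small, so the discrete log is found by trying each count.
    tally = next((t for t in range(max_tally + 1) if pow(G, t, P) == g_to_tally), None)
    if tally is None:
        raise ValueError("tally outside expected range")
    w = secrets.randbelow(Q)
    commit_g, commit_a = pow(G, w, P), pow(a, w, P)
    c = _challenge(public_key, a, b, share, commit_g, commit_a)
    return tally, (share, commit_g, commit_a, (w + c * secret) % Q)


def verify_decryption(public_key, ciphertext, tally, proof):
    """What any observer runs: no secret key needed."""
    a, b = ciphertext
    share, commit_g, commit_a, response = proof
    c = _challenge(public_key, a, b, share, commit_g, commit_a)
    return (
        pow(G, response, P) == commit_g * pow(public_key, c, P) % P
        and pow(a, response, P) == commit_a * pow(share, c, P) % P
        and b == pow(G, tally, P) * share % P
    )


def check_spoiled(public_key, ciphertext, claimed_vote, revealed_nonce):
    """Benaloh challenge: a spoiled ballot's nonce is revealed, so anyone can
    re-encrypt the human-readable vote and compare."""
    return encrypt(public_key, claimed_vote, revealed_nonce)[0] == ciphertext


def run_election(votes):
    """Constructed yes/no contest: 1 = yes, 0 = no."""
    secret, public_key = keygen()
    board = [encrypt(public_key, v)[0] for v in votes]
    receipts = [receipt(c) for c in board]
    total = encrypted_tally(board)
    tally, proof = decrypt_with_proof(secret, total, len(votes))
    return {"public_key": public_key, "board": board, "receipts": receipts,
            "total": total, "tally": tally, "proof": proof}


if __name__ == "__main__":
    result = run_election([1, 0, 1, 1, 0, 1, 0])
    print("yes votes:", result["tally"])
    print("proof verifies:", verify_decryption(
        result["public_key"], result["total"], result["tally"], result["proof"]))
```

Only the product of all ciphertexts is ever decrypted, so a receipt lets a voter find their ballot on the board without revealing what it contains.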

Bullboah t1_itrgiin wrote

Very interesting, thanks for the thorough and informative response!

2

PaulSnow t1_itrjuks wrote

If the hash doesn't give feedback to the voter that the ballot is counted correctly, I think you need open source to ensure that is actually done correctly.

0

TheOfficialACM OP t1_itrmu5i wrote

The trick with these fancy e2e-verifiable schemes is that they're very good at providing the voter with evidence that everything worked perfectly, but if something goes wrong, and there are a lot of ways for things to go wrong, it's not necessarily easy to pinpoint the problem.

ElectionGuard happens to be open source, but that's not a requirement for security. In fact, the magic of e2e-verifiable schemes is that they create a much more interesting property called software independence, which means that we can verify a correct election outcome without being required to trust any of the software used by the election officials.

Risk limiting audits, by the way, are also a method of achieving software independence, without any cryptography at all.

7

PaulSnow t1_itrif3f wrote

My point really isn't about counting or verifying votes, but the monitoring of processes. Of course, being in the blockchain myself, I've focused on creating cryptographic proofs of sequences of events, and gathering all those proofs into summaries (block hashes if you will).

Allowing the logging of all the processes behind voting (the set up, poll, venue, setup, voting machine configurations, observers, workers, video, etc.) all to the blockchain, you end up with time sequences and actions that create responsibilities. Failures in process can't be hidden.

I feel actual voting and ballots don't gain much from the blockchain, though there are ways to use the blockchain for voting. The real gain is to audit the execution of the election.

Public blockchains are much more complex than your description, and do allow for selecting authorities in distributed locations that all contribute to a unified (cryptographically speaking) log of events.

2

TheOfficialACM OP t1_itrn7r6 wrote

A Reddit AMA is the wrong place to get into the finer points of blockchains, cryptocurrency, and/or public bulletin boards.

Suffice to say that one of the core features of most blockchains is consensus, while one of the core features of a public bulletin board is maintaining evidence. Those are emphatically not the same thing, even though many of the same cryptographic techniques (zero knowledge proofs, hash data structures, etc.) are used in both settings.

3

rodeler t1_itqyc3a wrote

Is there an inadvertent strength against systemic hacking since the US has so many different types of voting machines and laws?

3

TheOfficialACM OP t1_itr9kve wrote

Each of our states has its own rules and procedures, but there are only a small number of equipment vendors for the vast majority of votes cast. This means, in practice, that we can't depend on diversity as much of a security mechanism. Instead, we need better process and procedures (like risk limiting audits!) to help mitigate against some of the threats we face.

7

MarleyandtheWhalers t1_itr43pk wrote

Two questions: first, what reasonable questions about election security can or should be raised for elections with fully paper ballots? What about those without?

Second, are there any major real-world known cases of voting machine interference that have affected a democratic outcome, in the US or elsewhere?

Thank you for offering to answer our questions.

3

TheOfficialACM OP t1_itrt8ea wrote

Risk-limiting audits (the topic of this thread) are all about how to improve security with paper ballots. So a reasonable question for someplace that has paper ballots is "when are you going to do RLAs?"

Without paper ballots, we're back in the world of paperless electronic voting systems, which have been shown to have a variety of security vulnerabilities (discussed elsewhere in this Reddit). So a reasonable question for someplace that has paperless electronic voting systems is "when are you going to retire these machines and what's the plan to replace them?"

I'm not aware of any systematic voting machine election interference, at least in any U.S. election in anything resembling the modern era. If you go back far enough in time, you get plenty of well-documented messy elections. The story of "Landslide" Lyndon Johnson's victory in the 1948 Texas Senate Race is pretty amazing.

5

psibomber t1_itr4kyw wrote

What is being done to secure elections against vote trafficking/muling?

3

TheOfficialACM OP t1_itrgtvz wrote

It's difficult to find evidence of this sort of thing. The most persistent rumors generally involve some form of bundling of vote-by-mail ballots. In the Rio Grande Valley of Texas, for example, they're called "politiqueros" or "politiqueras". It's unclear whether the impact of these sorts of activities is sufficient to change election outcomes, but Texas and other states have chosen to make it harder to vote by mail, claiming it would reduce fraud. Of course, whenever you change a policy like this, you'll have unintended effects, like making it harder for legitimate voters who might prefer to vote without needlessly exposing themselves to the risks of COVID.

5

psibomber t1_itrlz87 wrote

Are there no attempts made to investigate the impact of vote trafficking?

4

PaulSnow t1_itrlnck wrote

Europe did several studies on postal ballots, and largely rejected them as insecure. I don't think the possibility with mail in ballots is in question.

You can require registration with an ID, but in the US maintaining voter rolls is hard.

All security limits how easy it is to do whatever it is you are securing. So you have a trade off of zero security and super simple voting, or massive security and very difficult voting. And everything in between. You have to choose.

In my opinion, postal ballots should be restricted to the smallest group possible. I don't mind an exception for the paranoid, but we don't need to break the system to accommodate the fringe cases.

3

DohRayMeme t1_itrvzys wrote

What would be required to carry out a ballot harvesting operation on the level claimed by 2000 Mules?

Setting aside the fact that their evidence doesn't match their assertion- what sort of evidence would exist if such a thing actually did happen? How effective would it be? Who would detect it?

2

indygoth t1_itr0622 wrote

Not technology-related, why do you think armed militia types are guarding ballot boxes?

1

TheOfficialACM OP t1_itr8ep6 wrote

This sounds like an attempt at voter intimidation, which can be a violation of federal and/or state laws. Here's the ACLU explainer.

19

CorrectPeanut5 t1_itrclve wrote

What states do voting the best? And what are the things they are doing to make it that way?

1

TheOfficialACM OP t1_itrf3uv wrote

It's not really that simple. I could tell you that Rhode Island is amazing (try the grilled pizza!), but they face very different needs, never mind operating at a very different scale, from California or Texas. Small town elections are often done with hand-counted ballots, which is fantastic, but that would never work in huge cities, where it's just too slow and too error-prone.

6

pcalvin t1_itsjzx3 wrote

No mention of Colorado here? I'm surprised. Our state does voting right.

1

fuzzycuffs t1_itrdmxd wrote

So a Republican and her goons go walking into a voting machine office. How can we put safeguards in place so that the machines themselves, i.e. their physical security, can be assured?

1

thingandstuff t1_itrm6ew wrote

> How can we put safeguards in place so that the machines themselves, i.e. their physical security, can be assured?

The most effective safeguard would probably be charging those people with the crimes they committed against the American people.

4

PaulSnow t1_itrkken wrote

Why do you think one party or the other is worse about honest elections?

Republicans have been pushing for more observers, more verifications, elimination of mail in ballots, laws against ballot harvesting, etc.

The Democrats are opposing election security. I'm not saying they are necessarily trying to steal elections, but they are not doing investigations into voter fraud, and opposing common sense election security so you can't catch voter fraud if it happens!

This guy is detailing some great ways to ensure nobody (including your Republican and her goons) can mess with the results. Something I applaud. But note none of his solutions work with mail-in ballots outside of a monitored polling station.

−7

kavono t1_itrwaf1 wrote

>Why do you think one party or the other is worse about honest elections?

Probably because the last Republican president has continued to deny that he lost an election, and even claimed the one he'd won was also fraudulently rigged against him via "millions of illegal immigrant votes", and the vast majority of that party continues to side with him.

>but they are not doing investigations into voter fraud

Many studies of voter fraud have been done and the end results have always been extremely minimal. The fact that Conservatives dislike hearing that fact doesn't mean voter fraud is rampant, specifically only when they don't win, and only when it comes to key states they lost. If they actually had full fledged concerns about inaccurate results they wouldn't only call for audits in states they didn't win. They also wouldn't have chanted to "stop the count" or "count the votes" in certain states entirely dependent on whether Donald Trump was winning at that moment.

6

DohRayMeme t1_itrxhhs wrote

I believe the reason the GOP is worse on honest elections is:

  • They deny the integrity of the 2020 vote with no evidence.
  • Without evidence of voter fraud, they seek to make voting more difficult.
  • They are intimidating people who drop votes at ballot boxes.
  • In Florida and Texas they are prosecuting ex-felons who have been told they were allowed to vote, instead of simply removing their ballots and reminding them that they can't. This tactic will reduce voting of people who may have had a criminal record in the past.
  • They are seating election deniers in positions of power in canvasser and secretary of state positions so they can attempt to "Prevent another 2020".
  • They support the attempt to invalidate legitimate electoral votes under pressure of a violent mob on January 6th.
  • They are leading the charge in Moore v. Harper, which will allow state legislatures to set the terms for elections without judicial review.

6

RexButz t1_itrkd2j wrote

Are the machines ever randomly subjected to a forensic level audit to ensure the machine operated as it should? Ultimately who is accountable for ensuring the machine operated as it should? Are there any consequences of a machine that didn’t operate as it should for the person or entity responsible for its operation? Are the machines connected to some kind of live operations center for real-time monitoring?

1

TheOfficialACM OP t1_itrnxry wrote

It's exceptionally difficult (read: expensive, time consuming) to do a forensic audit of the sort you're describing, and the adversary has an advantage in this game, because they could potentially engineer their malware to erase itself after the election is over.

The goal of RLAs and other kinds of election auditing procedures is to achieve a property called software independence, such that we can gain confidence in the correct outcomes of an election without requiring any confidence that the software is correct.

9

Oscaruit t1_ittahyi wrote

In my county we do L&A (logic and accuracy) testing. Both parties are involved; everything is signed off and documented. I know this isn't forensic level, but what more would one want? We complete a test deck using ballot markers, test all races in all precincts. Tabulate them and output a print that checks against the test deck produced. All of this is held in archives and reviewable by the public. Machines are zeroed and sealed and will not be touched until election day.

2

danegerously t1_itrpi0v wrote

What do you think? 2020 was the cleanest election in the history of the US…..mmmmmk those suitcases they pulled out after they told everyone to leave because voting would resume the next day and proceeded to frivolous scan document after document was completely normal and rational behavior. 81 million people voted for the big guy, he just doesn’t sell much merch.

−6

Nihilistic-Fishstick t1_itso4w5 wrote

It literally was the most observed, most audited, and most litigated election, ever.

Biden won. That's it.

2

Natanael_L t1_itsp1rh wrote

It's not a sports team. More people voted against former guy than for him because they wanted him out. End of story.

1

claymaker t1_itrxdgb wrote

What applications do you imagine for crypto tokens and DAOs in the future of voting?

1

dwallach t1_its5hmt wrote

See earlier threads about end-to-end verifiable elections. Many of the same cryptographic techniques are used, but voting is very different from moving money around on a blockchain.

2

Natanael_L t1_itskik8 wrote

It's not a good match for national elections. It may work for participants within an organization who understand the tech and issues at hand, but there are too many problems for national voting.

1

progressnerd t1_its0t9r wrote

How do you feel about the usefulness of Bayesian audits, as a simpler but perhaps imperfect, substitution for risk-limiting audits?

1

dwallach t1_its55bj wrote

For the purposes of this discussion, they're pretty much the same thing. Different equations, same end goal.

2

dorquelon t1_its8l1x wrote

It's been a few years since the NAS published "Securing the Vote: Protecting American Democracy" which does mention RLAs; has anything changed to make RLAs more immediately compelling? Do you have any other commentary on that document, and/or how it should be updated?

1

Brancher t1_itseovp wrote

Was the Cyber Ninjas audit a risk limiting audit? If not, why?

1

Natanael_L t1_itskm06 wrote

What they did was faff around and mess with numbers they didn't understand.

2

SScattered t1_itsipu1 wrote

As an electrical engineer and a programmer, I'd like to know what I should learn in computer science to increase my knowledge. I'm more into embedded systems and programming.

1

Natanael_L t1_itspfz7 wrote

It's really the audit part that's important. Statistics and such topics. On the CS side maybe cryptography, if you want to learn about that part of electronic voting. There's /r/crypto (I'm a mod there) and /r/cryptography where you can ask questions.

1

codefox22 t1_itsksf9 wrote

Which MODCOD is your favorite part of the standard?

1

pcalvin t1_itsl2ah wrote

Paper ballots seem to be the key first step to making any progress on this topic. How best can citizens influence the policy-makers to ensure that this minimum step on the road to transparency and auditability is implemented?

1

Star_Tropic t1_itsmpx7 wrote

A few elections ago I saw a post about a professor who every election would go around his section of the country to polling locations before election day to see if he could gain access to voting machines. He never broke into any rooms or snuck through security. Instead he would just walk into these locations through unlocked doors where no one was around to stop him. The machines were usually sitting in a dark room just waiting to be plugged in on election day. He never actually did anything but would just take a picture to show how easy it was.

Is this kind of early unfettered access to a voting machine a security issue?

1

Oscaruit t1_ittbd31 wrote

Sure the machines are sitting in minimally secured voting places. And usually they are already plugged in and charging. But they cannot be turned on without breaking seals and loading the election by entering passwords. And even if someone went in and ran up one or many votes overnight, when poll workers arrived they would notice the seals were broken and public/protected counts would be off. And in our case, there would be paper ballots in the bins of the tabulator. All red flags that would be immediately investigated. We would see it in the logs and it would be painfully obvious.

2

Natanael_L t1_itspouk wrote

It's not a good idea to leave them exposed, but ideally shouldn't be a huge risk. And with paper backups and audits that risk can be minimized.

1

digispin t1_itsybw5 wrote

Have you received any death threats or other kinds of threats?

1

kaizerdouken t1_itt2dj0 wrote

Why aren’t ballots traceable to an active member of society but are left blank with no unique identifier traceable back to someone?

1

bnyc t1_ittf0gu wrote

Because nobody except you should know who you voted for. You vote in private so that nobody has influence over your vote. If there was a chance spouses, employers, or friends could confirm how you cast your votes, your votes would be influenced.

2

bornonthetide t1_ittj80z wrote

Why were wifi networks found on so many machines that were intended to not have that feature on them?

Also don't you consider Dominion to be an ominous name for a voting machine? Also they have been used in countries we know are subject to fraud and their results seem suspicious. Also did you see the film 200 mules?

1

Natanael_L t1_ittz85o wrote

The mules film was debunked in full before it was published.

Why does the name matter?

The wifi thing is a process issue. Local staff messed up. And in other countries they don't even need to mess with machines. If you control the whole thing with no insight and no audits you can just lie about the result regardless how the vote happens.

With paper backups AND independent audits none of that is a problem because the real count can be verified by hand, it would be obvious if it differs from what the machine reports. In western countries there's enough insight into how the voting is run to detect attempts at manipulation.

1

bornonthetide t1_itv5oxd wrote

To people who have training in secret societies, we have learned they must announce their intentions, it can be sarcastic, hidden in plain sight or whatnot. Being true spiritual rule or not, it's some kind of spiritual rule to them.

I watched the film, Dinesh also has a spirituality that prevents him from telling an intentional lie.

1

Natanael_L t1_itv9owu wrote

The dude has fraud convictions. That's absolutely laughable.

1

bornonthetide t1_itvbzhj wrote

Are you referring to the time he was jailed over donating 10k to his friend's campaign? In the history of the United States, he is the only prosecution of campaign donation being over limit.

Like no arguing, just adult conversation, but when you hear that he's the only person to ever be punished for it, why doesn't that give you pause and wonder why the DNC would want to punish him in the form of a 2-tiered justice system?

1

Natanael_L t1_itvdk7h wrote

My response is to go ahead and prosecute more people over it. Don't let people get away with crime. The people whose prosecutions you're upset over all broke the law.

1

bornonthetide t1_itvzb35 wrote

Well, why was only person who made an anti Obama film the one who got in trouble? And campaign finance? You want people to all go to jail for campaign finance issues of 10k dollar donations? 5k over? That's what you want?

0

Natanael_L t1_itw7xsk wrote

Most people don't leave evidence but he did.

Nobody accidentally goes over the limit by that much.

1

bornonthetide t1_itw8pvv wrote

You're telling me that no one ever donates 10k by check? That's the only thing he did. You're delusional in this aspect, it's such a clear cut case of target behavior your comments are making me sick.

0

Natanael_L t1_itwf6fr wrote

You're really far down the rabbit hole. I told you everybody who breaks the law should face consequences and you falsely take it as proof that I somehow am the tribalistic hypocrite and not you yourself.

1

bornonthetide t1_itwg9cz wrote

My point is that there have been MILLIONS of donations over the limit, of those IRS audits happened to some of those... not one single one got in trouble. The justice system was weaponised in this case and I don't know how any reasonable person can't see that.

1

Natanael_L t1_itx3j26 wrote

If you think it's weaponized in every single instance where a criminal in the republican party gets caught then you need to reevaluate your life choices. Do you really think Republicans are overrepresented in prosecutions? They aren't.

1

bornonthetide t1_itx6dn4 wrote

I'm saying and only saying there's a million examples of this law being broken, and one example of someone being prosecuted for it. And the one guy that did it, made a movie that was counter Obama. Injustice of this nature should make all our blood boil.

1

Natanael_L t1_itx703j wrote

Didn't I already tell you I'm all for prosecuting the rest too?

1

gameartist3d t1_itqnk7k wrote

How come there isn't election security within the parties? What does it matter if our votes are properly counted if the candidates we get are neither one we wanted? Foreign powers are going straight to the source. What is being done to prevent corrupt politicians like Trump from running again?

0

TheMerovingian t1_itr2p1b wrote

Not to mention electoral college and gerrymandering. Or the fact that federal elections aren't federally regulated. States can do whatever the hell they want as long as in the end, their electors produce their handful of votes.

The electors aren't even required to vote according to the state's outcome!

4

dmanbiker t1_itrg0el wrote

People vote for the corrupt politicians.

To combat them, you have to get people to stop voting for them.

The current state of things has people wanting corrupt politicians, and the only way to change that is to talk to people and change their mind.

3

Weioo t1_itrkxvy wrote

How is it legal for Republicans to be doing what they are to take over the government? I.e. filling positions all over the country with trumpists (state level SOS) which is an obvious government power grab? Why is gerrymandering acceptable per court ruling some odd years ago? Fuck politics and the system, man, it's fucked at this point.

−1

danegerously t1_itrousa wrote

Why do people who were involved in Jan 6 arraignments and cases keep getting delayed? Why is Steve Bannon the only person to go to jail for contempt when so many others have refused to attend congressional hearings? Eric Holder, Bill Barr, Chad Wolf, Henry Kissinger, Lois Lerner were held in contempt yet no one else has gone to jail. It’s called a kangaroo court and the Biden administration reigns supremely over it. I’ve never seen an administration vehemently attack its political adversaries like Biden’s. And the outright lies while they protect the likes of Hunter Biden, Andrew Cuomo, Nancy “The Bull” Pelosi. And btw wth are you even talking about?

−4

Natanael_L t1_itspu8p wrote

You don't know what gerrymandering is? Go look it up.

1

Weioo t1_itrxl7o wrote

Honestly it was purely a rant because I'm so fed up with politics in this country going down the shitter. It only gets worse as time goes on, more attacks, more usage of blatant loopholes that our bullshit country continues to allow. Much like the way the gerrymandering case went a couple years back.... and corporate donations to politicians. It's all set up to fail hard. It's not a question of if, but when.

Edit: Why do you think the extreme right fought so hard to remove abortion federally, and continue to try at the state level in every state? That 'pro-life' bullshit is true, but only for the wealthy. They need little minions to take all the shitty, crappy jobs that nobody wants so they can be served/serviced. They worry about our population and want to force it to grow in recent years.

I could rant all day. Not arguing, just ranting, so tired of blatant bullshit.

0

jtmarshiii t1_itqlx76 wrote

Does somehow holding an AR15 75 feet from a ballot box give someone super powers to determine election fraud or do we have something already set up on both state and federal levels that already does this?

−2

danegerously t1_itrmqdi wrote

Was it Stalin who said “I care not who you vote for, I only care who writes the source code”? Or maybe it was Stallone?

−3

Frogtarius t1_itrg4ut wrote

How much money did you get from dominion?

−6