Microsoft announces electronic voting system

[Shpaget]

https://blogs.microsoft.com/on-the-issues/2019/05/06/protecting-democratic-elections-through-secure-verifiable-voting/

Let me just remind everybody that politics are not to be discussed here. This is about the technology.

Tom Scott has a list of things that are wrong with it:

I have to agree. There are too many possible attack points that can lead to large scale manipulation.

Yes, I know cryptography is complex and there are mechanisms that can be put in place, but there is always a possibility.

[Guest]

On the other hand, this could possibly make direct democracy an option at scales never seen before. Whether that's actually a good idea remains to be seen, but there are uses for that sort of things (referendums can be a handy tool, but they're currently expensive to set up). 

Of course, that's assuming it actually works. What with this being Microsoft...  Also, I sure hope they don't want to integrate it with the rest of their software, just to show you election ads of the party you last voted for. 

Edited May 8, 2019 by Guest

[IncongruousGoat]

*puts on computer security hat*

Okay, so having read the article, they're not trying to replace paper ballots; they're just trying to supplement paper ballots by making certain information about the election more widely available and verifiable. Let me emphasize: This is NOT an e-voting system. Some of their claims regarding security and behavior seem pretty straightforward to me (e.g. the stuff about homomorphic encryption), while others are less so (e.g. the stuff about an "open verifier"). We don't know very much about the actual implementation details yet, so I'm going to withhold judgment until they release the source code and I can actually work out what it is they've done.

[Cassel]

You know that by voting on paper you leave fingerprints on which you can be tracked down?

How can we be sure that our voice has been saved in the database?

Edited May 9, 2019 by Cassel

[DAL59]

[klesh]

Jerkbag manipulative humans will get ya coming and going.  Do you remember hanging chads?  Even physical votes can be manipulated if people are really into manipulating votes.   I'm going to back away before I lose faith in humanity for the day. 

[Guest]

By far the easiest (and most common) way of manipulating votes is manipulating people themselves. The human factor will always be the weakest link in any technological system, unless you're working with either a very unreliable technology, very exceptional humans, or both.

Edited May 9, 2019 by Guest

[IncongruousGoat]

Okay, so, perhaps I wasn't clear enough the first time around: THIS THING THAT MICROSOFT HAS MADE IS NOT AN E-VOTING SYSTEM. It is NOT, repeat, NOT intended to replace traditional ballots. Seriously. We can all stop running around like chickens with our heads cut off. E-voting is bad, but this isn't e-voting. This is something else (and something much more interesting, IMO).

@Shpaget You may want to change the thread title, because people here seem to be reading it without reading the article and panicking as a result.

[Shpaget]

I don't mind changing the title, but I disagree with you.

Yes, even the MS blog states

Quote

ElectionGuard is not intended to replace paper ballots but rather to supplement and improve systems that rely on them, and it is not designed to support internet voting.

 but it also says:

Quote

After people make their choices, their selections can be printed on a physical sheet of paper that they can review for accuracy and place in the ballot box as the official record of their vote.

 

And this here effectively makes it electronic voting system with optional paper backup.

It doesn't take much creative thinking to see that even with manually counted paper ballots, this opens a possibility for manipulation during data aggregation.

[Cassel]

8 hours ago, IncongruousGoat said:

Okay, so, perhaps I wasn't clear enough the first time around: THIS THING THAT MICROSOFT HAS MADE IS NOT AN E-VOTING SYSTEM. It is NOT, repeat, NOT intended to replace traditional ballots. Seriously. We can all stop running around like chickens with our heads cut off. E-voting is bad, but this isn't e-voting. This is something else (and something much more interesting, IMO).

@Shpaget You may want to change the thread title, because people here seem to be reading it without reading the article and panicking as a result.

Then what is it?

[Nivee~]

Mmhmm... we had elections in our country and in my state this year, about a few weeks ago...we used electronic voting machines in all the elections. Maybe I can provide a perspective?

In these elections we had to go to the designated poll booth, press a button in complete privacy and then print a VVPAT slip (Voter Verified Paper Audit Trail: which is a method to verify that our vote was registered correctly)

Before Electronic Voting Machines were used extensively, vote rigging was very common.

The video claims that Physical voting is immune to frauds, as every method has been tried against it. Well, picture this scenario:

You are voting in a poll booth, and suddenly goons come out of nowhere and threaten you to vote for a particular party. Or worse, they snatch your ballot papers and mark their preferred candidates and stuff the ballot box with the bogus votes. This practice was commonplace in my country when EVMs were not a thing. In those areas, ideally, re-voting would take place... But then again, would you stand up to a guy who has tons of goons and influence at his disposal and got them to beat up the police stationed at the voting booth.

If you try to button smash EVMs though, it will stop registering any input. The only way to tamper the votes is if you dismantle the CPU inside it, which is easily detected. Furthermore, all of these machines are isolated, meaning that they are not connected to a network for a hacker to 'hack' it.

Recently, claims have been made by several individuals and organizations within the country that EVMs can be tampered remotely with a 'bluetooth chip'.. The Election Commission of India allowed them access to EVMs used in 2014 General Elections, in hope that any security concerns that may arise could be solved, but no one came forward to demonstrate any tampering. I am not saying that it proves that the machines are tamper proof, but that there are still no tangible threats against the integrity of this system, yet.

I don't really agree with the 'voting from your phone' thingie. Not one bit.

I guess the problem is with the humans, the corruption lies within us. No matter what method we cook up, people will find a way to damage/ corrupt it. even if it's the 'Ultra Mega Block Chain Crypto Proto Deus ex Telepathy Voting System' from the 3000s

[Cassel]

2 hours ago, Nivee~ said:

Mmhmm... we had elections in our country and in my state this year, about a few weeks ago...we used electronic voting machines in all the elections. Maybe I can provide a perspective?

In these elections we had to go to the designated poll booth, press a button in complete privacy and then print a VVPAT slip (Voter Verified Paper Audit Trail: which is a method to verify that our vote was registered correctly)

How does the fact that you print a piece of paper verify the entry to the database in the central server?
The device on which you cast your voice can print an option that you have selected, but another voice may be added to the database.

Quote

Before Electronic Voting Machines were used extensively, vote rigging was very common.
 

Maybe, but in paper system to cheat 100 votes you need one man, you would need a lot of people to cheat for a million votes, so it's easy to detect such a fraud.
In the case of an electronic system, a scam for 10 million votes requires only one man.

Quote

The video claims that Physical voting is immune to frauds, as every method has been tried against it. Well, picture this scenario:

You are voting in a poll booth, and suddenly goons come out of nowhere and threaten you to vote for a particular party.

To do something like that on a national scale, you need thousands of people.

 

Edited May 10, 2019 by Cassel

[Nivee~]

43 minutes ago, Cassel said:

How does the fact that you print a piece of paper verify the entry to the database in the central server?
The device on which you cast your voice can print an option that you have selected, but another voice may be added to the database.

Well, for starters, the entire process is being overseen by a Central (Federal) authority unaffiliated to any political party, and has a lot of autonomy. The Election Commission of India is ruthlessly impartial(as it should be). The Database modification that you are mentioning would need a change in the vote registration software. And to change the results of the election, a large number of these machines will have to be tampered.

Moreover, at every polling booth, the Election Commission allows one agent from each party to test it and make sure that the vote is registered accordingly. And immediately after that, the EVM is disconnected from any form of outside electronic contact. It runs on batteries, even. The system is isolated, and remains so throughout the voting process.

43 minutes ago, Cassel said:

To do something like that on a national scale, you need thousands of people

Well, there are 1 million polling booths in 2019, with 1 million EVMs..... so to tamper them to change the result considerably, you would need an army too.

43 minutes ago, Cassel said:

Maybe, but in paper system to cheat 100 votes you need one man, you would need a lot of people to cheat for a million votes, so it's easy to detect such a fraud.
In the case of an electronic system, a scam for 10 million votes requires only one man.

There's this misconception going around that EVMs are connected via internet and it can be hacked movie-style by a computer geek with hitech gadgets. It can't, for the simple reason that it is NOT CONNECTED to any form of electronic network during the polling process. After polling is done in that booth, EVMs are physically sealed with lac, much like the ballot boxes used to be.

http://secharyana.gov.in/web/assets/Cform/STEP-BY-STEP new 2018.pdf

This document details the entire process of the EVM getting sealed post polling process.

Edited May 10, 2019 by Nivee~

[Kerbart]

4 hours ago, Nivee~ said:

Before Electronic Voting Machines were used extensively, vote rigging was very common.

Not were I grew up. At the end of election night, they ballot boxes would be emptied in public, counted, and tallied up in a publicly verifiable way. And usually citizens would hang around to view the process, because, you know, democracy.

Technological systems are black boxes. We can’t see what happens inside them. You have to rely on experts who assure us the machines are safe and cannot be rigged.

In my home country, those machines were “hard wired, impossible to tamper with.”

Hackers managed to get their hands on one, and that night, on national television, one of those hard-wired, impenetrable machines was shown playing chess.

Every system, including paper ballots, has vectors for fraud. But electronic systems, just like nuclear powerplants, rely on experts to ensure it’s safe, because we cannot verify it ourselves. And every time our trust in those experts gets eroded by news that the safeguards in the system don’t work.

It’s not like we need electronic voting, there are secure, simple paper ballot systems out there. Makes you wonder all the more what the motivation for electronic involvement in the voting system is.

[Nuke]

17 hours ago, klesh said:

Jerkbag manipulative humans will get ya coming and going.  Do you remember hanging chads?  Even physical votes can be manipulated if people are really into manipulating votes.   I'm going to back away before I lose faith in humanity for the day. 

things are easier if you never had it to begin with.

[steve_v]

1 minute ago, Kerbart said:

Technological systems are black boxes. We can’t see what happens inside them.

Proprietary closed-source technological systems are black-boxes that we can't see inside of. Open designs and open software are not.

I would be reasonably comfortable with an electronic-ballot system where I could review the code, provided that there are no rookie mistakes in the hardware layout. I would be extremely uncomfortable with an opaque proprietary system designed by Microshaft.

 

9 minutes ago, Kerbart said:

Hackers managed to get their hands on one, and that night, on national television, one of those hard-wired, impenetrable machines was shown playing chess.

This doesn't mean that all electronic voting is insecure and corruptible, it just shows that you hired the wrong crowd to design the system. Chess. that's both awesome and hilarious.

 

13 minutes ago, Kerbart said:

electronic systems, just like nuclear powerplants, rely on experts to ensure it’s safe

So does any system, to a certain extent. I'm sure one could screw up the security of a paper ballot just as well as an electronic one, given the requisite quantity and concentration of ineptitude.
 

[Nuke]

13 hours ago, Dragon01 said:

By far the easiest (and most common) way of manipulating votes is manipulating people themselves. The human factor will always be the weakest link in any technological system, unless you're working with either a very unreliable technology, very exceptional humans, or both.

think about it, you cant trust any news unless its boring, and even then maybe they made it boring on purpose to confuse us. i heard a phrase the other day: "post reality world". now that i heard this phrase everything makes sense again. reality simply does not exist. 

[Nuke]

5 hours ago, Nivee~ said:

Mmhmm... we had elections in our country and in my state this year, about a few weeks ago...we used electronic voting machines in all the elections. Maybe I can provide a perspective?

In these elections we had to go to the designated poll booth, press a button in complete privacy and then print a VVPAT slip (Voter Verified Paper Audit Trail: which is a method to verify that our vote was registered correctly)

Before Electronic Voting Machines were used extensively, vote rigging was very common.

The video claims that Physical voting is immune to frauds, as every method has been tried against it. Well, picture this scenario:

You are voting in a poll booth, and suddenly goons come out of nowhere and threaten you to vote for a particular party. Or worse, they snatch your ballot papers and mark their preferred candidates and stuff the ballot box with the bogus votes. This practice was commonplace in my country when EVMs were not a thing. In those areas, ideally, re-voting would take place... But then again, would you stand up to a guy who has tons of goons and influence at his disposal and got them to beat up the police stationed at the voting booth.

If you try to button smash EVMs though, it will stop registering any input. The only way to tamper the votes is if you dismantle the CPU inside it, which is easily detected. Furthermore, all of these machines are isolated, meaning that they are not connected to a network for a hacker to 'hack' it.

Recently, claims have been made by several individuals and organizations within the country that EVMs can be tampered remotely with a 'bluetooth chip'.. The Election Commission of India allowed them access to EVMs used in 2014 General Elections, in hope that any security concerns that may arise could be solved, but no one came forward to demonstrate any tampering. I am not saying that it proves that the machines are tamper proof, but that there are still no tangible threats against the integrity of this system, yet.

I don't really agree with the 'voting from your phone' thingie. Not one bit.

I guess the problem is with the humans, the corruption lies within us. No matter what method we cook up, people will find a way to damage/ corrupt it. even if it's the 'Ultra Mega Block Chain Crypto Proto Deus ex Telepathy Voting System' from the 3000s

if voting machines are to be used i would prefer them to:

be air gapped. they should contain no hardware for network transmission. nor should they have any external ports for common data storage devices. 

they should be cased in a faraday cage and fail to operate if not properly grounded. the machine would isolate its local power to avoid any possible feedback path through the power line to avoid exfiltration. the whole box would be armored and locked while the machine is in operation, nor should it operate if unlocked. 

they should use some kind of uncommon worm storage like a big rom module installed at setup time. the machine cannot run without the module installed, nor can it be removed until the end of the election day. 

voting data would be encrypted with multiple keys with each one being provided by a specific campaign. officials for each campaign represented on the ballot would need to deliver the key and enter it manually when the machine is in setup mode.

to set up the machine, a new module would be installed, the machine would enable all internal locking mechanisms, additional external locks would be added by the local election officers. the machine would immediately boot into setup mode. officials could input their keys, once all the keys are entered and verified the machine can be placed into voting mode and stays that way until the end of the election. if there is an error the machine would burn the roms and render it useless and you would need to start over with a new module. any attempts at tampering or power loss events will be logged to the rom. the machine should remain locked if the power is out, on reboot the module will be detected with a vote in progress and the machine either returns to vote mode or finalizes the rom if the vote duration has ended. when the module is finalized it will burn padding to all remaining space. the machine unlocks and the module can be recovered and sent to the voting office. 

the main security here are the officials. since the keys are only known by the officials (and the candidates) and are secret to that campaign. every campaign would be responsible for their officials to ensure they are trustworthy and incorruptible,and for keeping their keys secret, which is in the best interests of the campaign. the module cannot be read without all the encryption keys and is just a block of bricked silicon otherwise. the authentication process would be much like the setup procedure, all keys would need to be entered. once opened then you would review the audit data, then officials would have to agree that the machine was not tampered with and the vote is legit, only then will the final tabulation be computed. if the module was in question, a copy of the unencrypted audit data (no voting data, which would remain secret) would be sent off for a more thorough analysis. if that fails to please the officials then the whole election would need to be redone. 

Edited May 10, 2019 by Nuke

[magnemoe]

2 hours ago, Kerbart said:

Not were I grew up. At the end of election night, they ballot boxes would be emptied in public, counted, and tallied up in a publicly verifiable way. And usually citizens would hang around to view the process, because, you know, democracy.

Technological systems are black boxes. We can’t see what happens inside them. You have to rely on experts who assure us the machines are safe and cannot be rigged.

In my home country, those machines were “hard wired, impossible to tamper with.”

Hackers managed to get their hands on one, and that night, on national television, one of those hard-wired, impenetrable machines was shown playing chess.

Every system, including paper ballots, has vectors for fraud. But electronic systems, just like nuclear powerplants, rely on experts to ensure it’s safe, because we cannot verify it ourselves. And every time our trust in those experts gets eroded by news that the safeguards in the system don’t work.

It’s not like we need electronic voting, there are secure, simple paper ballot systems out there. Makes you wonder all the more what the motivation for electronic involvement in the voting system is.

This, its pretty simple to guard against cheating with paper ballots if process can be monitored and tracked. Two easy ways to cheat you can add votes, or you can loose votes, latest would be most useful in an part there most vote for the opposition. You can also try to do stuff to stop or limit number of people voting by various means but this is pretty obvious. 

As you say an voting machine is an black box and you can not control that is going on inside it. Software in it self is suspect as it can be hacked and this can be very hard to prove still system has to be so advanced you can not simply add an bunch of votes into it. 
And you need to make the vote private

[Cassel]

5 hours ago, Nivee~ said:

Well, for starters, the entire process is being overseen by a Central (Federal) authority unaffiliated to any political party, and has a lot of autonomy. The Election Commission of India is ruthlessly impartial(as it should be). The Database modification that you are mentioning would need a change in the vote registration software. And to change the results of the election, a large number of these machines will have to be tampered.

There are no people who have no views and are independent. Everyone works somewhere, wants his views to win voting or can be bribed or intimidated. You were worried about being able to intimidate millions of voting citizens, but you do not care about the fact that you can intimidate a handful of people watching over the correctness of voting? Who created it Central (Federal) authority?

Who makes updates on these machines? Does it happen in one central place? Who will read the results of the votes?

Quote

Moreover, at every polling booth, the Election Commission allows one agent from each party to test it and make sure that the vote is registered accordingly. And immediately after that, the EVM is disconnected from any form of outside electronic contact. It runs on batteries, even. The system is isolated, and remains so throughout the voting process.

I'm asking again. How do you know that what you get on the printed paper has been saved in the database? The fact whether data is sent to the server through the network, or whether it is copied manually from each machine does not change the fact that the machine has to collect data from the voting somewhere.

And you have no control over whether your voice has been saved or not. In the paper system, if you threw your vote, you can be sure that he is in the ballot box.
In my country we have transparent ballot boxes, so you can see how many voices there are in the ballot box and there are also cameras that you can monitor over the Internet during the voting and counting votes by the committee.

 

Quote

Well, there are 1 million polling booths in 2019, with 1 million EVMs..... so to tamper them to change the result considerably, you would need an army too.

So it is enough to intimidate people who work in copying and counting votes in the headquarters to which ballot boxes are transported. The fewer people take part in the electoral process, the easier it is to cheat and the electronic systems limit the number of people.

Quote

There's this misconception going around that EVMs are connected via internet and it can be hacked movie-style by a computer geek with hitech gadgets. It can't, for the simple reason that it is NOT CONNECTED to any form of electronic network during the polling process. After polling is done in that booth, EVMs are physically sealed with lac, much like the ballot boxes used to be.

http://secharyana.gov.in/web/assets/Cform/STEP-BY-STEP new 2018.pdf

This document details the entire process of the EVM getting sealed post polling process.

What if the employee operating the copying procces wants his candidate to win and falsify voices when copying to the server?
What if the owner of company had one employee mount a chip that changes the vote on the voting device?

Edited May 10, 2019 by Cassel

[Cassel]

3 hours ago, steve_v said:

Proprietary closed-source technological systems are black-boxes that we can't see inside of. Open designs and open software are not.

You can check the open source code, which was published by the manufacturer, but what is the certainty that the compiled application on the device was created from this code?

3 hours ago, steve_v said:

I would be reasonably comfortable with an electronic-ballot system where I could review the code, provided that there are no rookie mistakes in the hardware layout. I would be extremely uncomfortable with an opaque proprietary system designed by Microshaft.

Equipment is another problem. Each chip on the motherboard can add its instructions and change the option chosen by the voter before the data is saved on the device's storage.

 

[IncongruousGoat]

8 hours ago, Cassel said:

Then what is it?

22 hours ago, IncongruousGoat said:

*puts on computer security hat*

Okay, so having read the article, they're not trying to replace paper ballots; they're just trying to supplement paper ballots by making certain information about the election more widely available and verifiable. Let me emphasize: This is NOT an e-voting system. Some of their claims regarding security and behavior seem pretty straightforward to me (e.g. the stuff about homomorphic encryption), while others are less so (e.g. the stuff about an "open verifier"). We don't know very much about the actual implementation details yet, so I'm going to withhold judgment until they release the source code and I can actually work out what it is they've done.

To elaborate a little more: what this thing does is provide a system that, strictly in parallel with a paper ballot system, electronically records all the votes in a (nominally) secure fashion using the power of cryptography. It then (again, in parallel with the paper ballots, which throughout all this have remained completely unchanged) provides A: individual voters with a mechanism by which to check if their vote has been registered and counted correctly, and B: a mechanism by which arbitrary third parties may validate the election as a whole, both without violating voter privacy and without providing avenues by which to interfere with the vote. Let me once again note that none of the above in any way, shape, or form changes the process or procedure around paper ballots, and cannot be used to change any votes that were written down on said paper ballots.

At least, this is what Microsoft claims that their system does. As I said earlier, I'm going to hold off on either advocating for or against it until I know exactly what it does under the hood.

 

[steve_v]

12 minutes ago, Cassel said:

You can check the open source code, which was published by the manufacturer, but what is the certainty that the compiled application on the device was created from this code?

https://reproducible-builds.org

 

16 minutes ago, Cassel said:

Each chip on the motherboard can add its instructions and change the option chosen by the voter before the data is saved on the device's storage.

That is indeed a thorny issue, and the only real answer is extensive testing and a secure supply-chain. I am fairly sure that all governments already have something like that, the question is whether or not they can be trusted... If they can't, you're kinda screwed whatever ballot system you use.
 

[IncongruousGoat]

3 hours ago, steve_v said:

I would be reasonably comfortable with an electronic-ballot system where I could review the code, provided that there are no rookie mistakes in the hardware layout. I would be extremely uncomfortable with an opaque proprietary system designed by Microshaft.

No offense to the people in this thread, but I'm getting the feeling none of y'all have actually read the article. Quoting the literal first line (emphasis mine):

Quote

Today, at the Microsoft Build developer conference, CEO Satya Nadella announced ElectionGuard, a free open-source software development kit (SDK) from our Defending Democracy Program.

 

[steve_v]

3 minutes ago, IncongruousGoat said:

No offense to the people in this thread, but I'm getting the feeling none of y'all have actually read the article.

Touché, I was just replying to the post I quoted.

How about this then:

4 hours ago, steve_v said:

I would be extremely uncomfortable with an opaque proprietary system or one designed by Microshaft.

Better? It's closer to the truth anyway.

So the SDK is open-source, sure. It's also MIT licenced so there's no guarantee it will stay that way once it's in a finished product, which IMO largely defeats the point of open-source software.
I'd be pretty surprised if the manufacturer (Microsoft or otherwise) puts the complete source for the finished system on github, it'll be the reference code with some extra secret proprietary sauce or unobtainium component I'm sure.

Besides, this is Microsoft we're talking about here. I thoroughly expect some kind of treachery, probably the "It's open source, but we made it nearly impossible to get it compiled yourself, so just buy systems from our partners." kind.