Blockchain ❤️ Breakers
Here is the start of a sequel of sorts to KrakenBusters, which isn’t about Kraken, but actually about Blockchain.
It appears necessary to do some more debunking, but not about “The Big Lie” (aka election Kraken), but rather about the Blockchain — that overly hyped, open, highly distributed, public ledger.
Why the hype?
Before we get into debunking the hype, I think that it’s important to start with a story about why the hype persists — maybe not the only reason, but an important reason why “blockchain” and “voting” keep getting mashed together in ways that confuse a lot of people. You see, first, there is a set of technical problems needing to be solved to get beyond the hype, and they exist because of a conundrum that some local election officials (“LEOs”) face:
The Federal government says Internet voting is “too risky,” but several state legislatures have passed laws to go so far as to require Internet voting.
So, these LEOs need to do something, but it’s very unclear how to compare the options.
And many others want the cyber security problems of Internet voting to be fixed; in fact, they want it so much, that they’ve become convinced that “blockchain” solves the problem — without ever getting clear about what the problem actually is, or exactly what is meant by “blockchain,” so that it could be a genuine solution in this unique setting.
However, because the genuine solution hasn’t actually materialized, the “blockchain voting” ideas just keep being raised up as “the thing.”
To Be Specific: Too Risky
When I state “the Federal government says Internet voting is too risky,” I am referring to several pronouncements, but mostly specifically a May 2020 joint statement from several agencies: DHS/CISA, FBI, EAC, NIST, likely with input from others as well. The Wall Street Journal coverage is complete; “Entire elections can be compromised if online voting systems are hacked, U.S. says in blunt warning to states” (the full article is pay-walled). Meanwhile, CyberScoop’s Sean Lyngass offers a good summary, and of course, you can always read the whole 8-page report. This statement came after some other inter-agency statements about threats to election security including nation-state cyber-threats.
Key audiences for these “advisories” are information-sharing organizations that include Federal agencies, state election officials, and some local election officials including some large jurisdictions. (Note: that’s not the average public.) As far as Federal and state and local cooperation is concerned, these advisories are well heeded.
Personally and professionally, I agree that it would be foolhardy to allow anyone who wanted to, to use the Internet to return their marked ballot to their local election officials. The more people who do so, the more they create a tempting target to nation-state cyber-attackers seeking to hack an election.
Also, consider just the “doubt factor.” For a while, Alaska allowed general use of Internet ballot return, but rolled it back after usage crept into the double digits of percent of voters, while there were some contests with narrower margins. I imagine it grew a bit uncomfortable because of the:
- Potential for a contested election;
- Demands to produce the “digital ballots” for inspection; and
- Questions about how anybody could be sure that those ballots were the ones sent by the voter. What about hackers? Couldn’t the IT administrators gain access to the digital ballots stored on the server they operate?
To Be Specific: “Required for Some Voters”
However, it’s also important to remember that state legislatures write the election laws that states and LEOs must follow. And despite the warnings, over 30 states have required some form of electronic/digital return of absentee ballots, with eMail being the most common option. (Note: the National Conference of State Legislatures (NCSL) has an excellent breakdown.)
Usage is typically limited to military and overseas voters; these voters were specifically and originally addressed in a Federal law called “UOCAVA” (say, “U-O-kah-vah”), which required various accommodations, including digital delivery of blank ballots, but not digital return of completed (marked or cast) ballots.
If it sounds like a terrible idea to require LEOs to accept eMail from anyone claiming to be a UOCAVA voter, and open eMail attachments claiming to be ballots, then you understand some eMail security basics; great!
It’s also a terrible idea in terms of not protecting the anonymity of the ballot as an attachment to an eMail (and some other attachments) necessary to identify the voter. And yes, of course, the attachments themselves can be hacked en route. (Note: Kudos to Galois’ Joe Kiniry and team for whipping up a reference attack in, as I recall, a couple hours on a challenge.)
Fax isn’t much better; nowadays, fax is just another way to move an image over the Internet, because the Internet is now the backbone for telephony. Also, it’s very common for the recipient of a fax to be a computer that sends the contents to a recipient via eMail, since so few people have fax machines any more.
In addition to fax and eMail, other methods are allowed in various states, and all subject to the usual array of Internet security threats, and threats to privacy and anonymity. For example, both Colorado and Alaska have, at times, allowed digital ballot return by uploading files to a government file server through a web interface, where a file server needs to keep the ballot+affidavit pair actually together, and maybe put a few hurdles in the way of someone inspecting them to determine the identity of a voter and the contents of their ballot; or deleting the files or inserting spurious ones. 😮
So, these are not great alternatives for disadvantaged voters, who in some cases have to simply waive ballot privacy, and in any case have to accept the technical risks to their ballots being potentially accessible to skilled hackers anywhere on the planet. However, these alternatives are certainly better than nothing for a voter who is certain that physical ballot return will result in a late and uncounted absentee ballot.
Enter the Blockchain
And that’s where the “blockchain wonderfulness” enters the conversation, by a simple near reflexive knee-jerk thought of parallelism:
“The blockchain has transformed money, enabling us to use cryptocurrency to pay for stuff securely and anonymously — so it should fix the security problems of Internet voting!“
Well, not so much, as we’ll see later.
The problem with containing this particular “zombie” is that there are several “systems” or “schemes” for voting that claim to use something called a “blockchain” and which blockchain enthusiasts refer to as “blockchain voting systems” that really work… well, sort of.
After all … eMail voting “works” with some obvious and huge risks, while nevertheless actually following typical U.S. absentee voting practices. There are some systems that some call a “blockchain voting system” that lack the obvious risks, though not following absentee voting practices. Yet, these systems have different risks, as the DHS, FBI, et al Report explains in detail. And whether or not there is really a “blockchain” in there somewhere, there are real risks.
What’s a Local Election Official to do?
That’s a good question. I’ve heard several election officials from some 30 states lament that they don’t have much guidance from their own state or the federal government on how to meet their legally required duties to UOCAVA voters … with several options to compare and contrast.
They need some guidance on what the options are, their trade-offs, and how to pick a method of “digital ballot return” that fits their needs and abilities.
Presently, none exist, and the situation is severely muddied by blockchain enthusiasts making great claims, and computer scientists and cybersecurity professionals poking holes in those claims. In fact, there are a lot of questions.
Before we can get to some answers — or rather concrete guidance for LEOs to decide what to do — there needs to be some serious conceptual clean up of the phrase-term “blockchain voting.”
That will be the focus of the next installment, which will then get us to the point of teasing apart the confusing dialog (if that’s the right word) between blockchain-ers, computer scientists, and digital security folks.