security research, software archaeology, geek of all trades
510 stories

Three Paper Thursday: Vēnī, Vīdī, Vote-y – Election Security

1 Share

With the recent quadrennial instantiation of the US presidential election, discussions of election security have predictably resurged across much of the world. Indeed, news cycles in the US, UK, and EU abound with talking points surrounding the security of elections. In light of this context, we will use this week’s Three Paper Thursday to shed light on the technical challenges, solutions, and opportunities in designing secure election systems.

This post will focus on the technical security of election systems. That said, the topic of voter manipulation techniques such as disinformation campaigns, although out of scope here, is also an open area of research.

At first glance, voting may not seem like a challenging problem. If we are to consider a simple majority vote, surely a group of young schoolchildren could reach a consensus in minutes via hand-raising. Striving for more efficient vote tallying, though, perhaps we may opt to follow the IETF in consensus through humming. As we seek a solution that can scale to large numbers of voters, practical limitations will force us to select a multi-location, asynchronous process. Whether we choose in-person polling stations or mail-in voting, challenges quickly develop: how do we know a particular vote was counted, its contents kept secret, and the final tally correct?

National Academies of Sciences, Engineering, and Medicine (U.S.), Ed., Securing the vote: protecting American democracy, The National Academies Press (2018)

The first paper is particularly prominent due to its unified, no-nonsense, and thorough analysis. The report is specific to the United States, but its key themes apply generally. Written in response to accusations of international interference in the US 2016 presidential election, the National Academies provide 41 recommendations to strengthen the US election system.

These recommendations are extremely straightforward, and as such a reminder that adversaries most often penetrate large systems by targeting the “weakest link.” Among other things, the authors recommend creating standardized ballot data formats, regularly validating voter registration lists, evaluating the accessibility of ballot formats, ensuring access to absentee ballots, conducting appropriate audits, and providing adequate funding for elections.

It’s important to get the basics right. While there are many complex, stimulating proposals that utilize cutting-edge algorithms, cryptography, and distributed systems techniques to strengthen elections, many of these proposals are moot if the basic logistics are mishandled.

Some of these low-tech recommendations are, to the surprise of many passionate technologists, quite common among election security specialists. For example, requiring a paper ballot trail and avoiding internet voting based on current technology is also cited in our next paper.

Matthew Bernhard et al., Public Evidence from Secret Ballots, arXiv:1707.08619 (2017)

Governance aside, the second paper offers a comprehensive survey of the key technical challenges in election security and common tools used to solve them. The paper motivates the difficulty of election systems by attesting that all actors involved in an election are mutually distrustful, meaningful election results require evidence, and voters require ballot secrecy.

Ballot secrecy is more than a nicety; it is key to a properly functioning election system. Implemented correctly, ballot secrecy prevents voter coercion. If a voter’s ballot is not secret, or indeed if there is any way a voter can post-facto prove the casting a certain vote, malicious actors may pressure the voter to provide proof that they voted as directed. This can be insidiously difficult to prevent if not considered thoroughly.

Bernhard et al. discuss risk-limiting audits (RLAs) as an efficient yet powerful way to limit uncertainty in election results. By sampling and recounting a subset of votes, RLAs enable the use of statistical methods to increase confidence in a correct ballot count. Employed properly, RLAs can enable the high-probability validation of election tallies with effort inversely proportional to the expected margin. RLAs are now being used in real-world elections, and many RLA techniques exist in practice. 

Refreshingly, this paper establishes that blockchain-based voting is a bad idea. Blockchains inherently lack a central authority, so enforcing election rules would be a challenge. Furthermore, a computationally powerful adversary could control which votes get counted.

The paper also discusses high-level cryptographic tools that can be useful in elections. This leads us to our third and final paper.

Josh Benaloh, ElectionGuard Specification v0.95, Microsoft GitHub (2020)

Our final paper is slightly different from the others in this series; it’s a snapshot of a formal specification that is actively being developed, largely based on the author’s 1996 Yale doctoral thesis.

The specification describes ElectionGuard, a system being built by Microsoft to enable verifiable election results (disclaimer: the author of this post holds a Microsoft affiliation). It uses a combination of exponential ElGamal additively-homomorphic encryption, zero knowledge proofs, and Shamir’s secret sharing to conduct publicly-verifiable, secret-ballot elections.

When a voter casts a ballot, they are given a tracking code which can be used to verify the counting of the ballot’s votes via cryptographic proofs published with the final tally. Voters can achieve high confidence that their ballot represents a proper encryption of their desired votes by optionally spoiling an unlimited number of ballots triggering a decryption of the spoiled ballot at the time of voting. Encrypted ballots are homomorphically tallied in encrypted form by the election authorities, and the number of authorities that participate in tallying must meet the threshold set for the election to protect against malicious authorities.

The specification does not require that the system be used for exclusively internet-based or polling station-based elections; rather it is a framework for users to consume as they wish. Indeed, one of the draws to ElectionGuard is that it does not mandate a specific UI, ballot marking device, or even API. This flexibility allows election authorities to leverage the system in the manner that best fits their jurisdiction. The open source implementation can be found on GitHub.

There are many pieces of voting software available, but ElectionGuard is the new kid on the block that addresses many of the concerns raised in our earlier papers.

Key Themes

Designing secure election systems is difficult.

Often, election systems fall short on the basics; improper voting lists, postage issues, and poorly formatted ballots can disrupt elections as much as some adversaries. Ensuring that the foundational components of an election are handled well currently involves seemingly mundane but important things such as paper ballot trails, chains of custody, and voter ID verification.

High-tech election proposals are not new; indeed key insights into the use of cryptographic techniques in elections were being discussed in the academic literature well over two decades ago. That said, in recent years there has been an ostensibly increased investment in implementing cryptographic election systems, and although there remain many problems to be solved the future in this area looks promising.

Read the whole story
1 day ago
Pittsburgh, PA
Share this story

Thoughts on the Election of Joe Biden


Thoughts on the election of Joe Biden.

First, let’s admit it’s pretty amazing that Biden won. If you look historically at US Presidential elections all the forces were tilted toward a Trump win:

Trump had every advantage and still lost, which is amazing.

But now let’s pivot and focus on what made Trump’s rule possible and so terribly destructive.

Let’s start by unpacking the fact that at the peak of his power Trump controlled the executive branch of the US government, controlled the messaging on the countries largest cable network, and also controlled the algorithmic bias on the world’s largest social network.

Now as far as Fox News is concerned, the first step there is to re-introduce the Fairness Doctrine and applying it not only to broadcast media like radio and TV, but also to cable networks and social media algorithms.

The Facebook problem is also a problem of market concentration. If we had a dozen or a hundred different Facebooks all competing with one another then a single algorithmic change at a single company couldn’t be so effective.

Finally we need to address that fact that there was a large group of Americans that were primed for radicalization.

Let’s use the five whys to figure that out:

  1. Why is a large portion of the population upset? Dwindling job prospects and shrinking wages, let’s call this the gutting of middle class jobs.
  2. Why are good middle class jobs being gutted? Moving manufacturing out of the country and the weakening of worker power.
    1. Why are jobs being moved out of the country? Companies make higher profits when they seek out cheaper labor and lower tax burdens outside the US.
      1. Why are companies allowed to move production outside the country when it’s obviously a detriment to US citizens? Because market concentration creates larger companies and more billionaires that are able to exert more political power than average US citizens.
    2. Why is worker power being weakened? Because market concentration creates creates an unfair playing field where fewer and fewer companies are vying for the same number of jobs, so workers have less choice and thus less bargaining power.
  3. Why do we have market concentration? Because Robert Bork wrote a book The Antitrust Paradox that gave conservatives the veil of academic legitimacy to dismantle antitrust regulations, which they succeeded in doing during the Reagan administration.

Reagan. It’s always Reagan.

Anyway, the root of the problem is that market concentraction is incompatible with democracy, and the first part of a solution would be to abandon the “consumer welfare” interpretation of antitrust law and go back to the “increasing competition” interpretation.

The last point that needs addressing is the incredible power of the position of the President of the United States. I have no idea how to address that, but I can say that Nancy Pelosi’s utter failure to use the oversight power of the House on the Trump administration was appalling, and replacing Nancy as Speaker of the House would be a good first step.

Further reading

A great article by Zeynep Tufekci, America’s Next Authoritarian Will Be Much More Competent, on why we need to fix the system now.

I’ve been following the writing of Peter Turchin for years, so where we are, and what still lies ahead, hasn’t been a surprise to me. Welcome To The ‘Turbulent Twenties’ is a good introduction.

Do you realize Robert Bork was not only the architect of the destruction of antitrust law in the US, which led us to Trump and almost losing our democracy, but he was also a part of Nixon’s Saturday_Night_Massacre?

This guy is the Thomas Midgley Jr. of democracy. If you are unfamiliar with Thomas Midgley Jr. he invented both Leaded Gasoline and CFCs. From the Wikipedia entry:

Midgley’s legacy has been scarred by the negative environmental impact of leaded gasoline and Freon. Environmental historian J. R. McNeill opined that Midgley “had more impact on the atmosphere than any other single organism in Earth’s history”, and Bill Bryson remarked that Midgley possessed “an instinct for the regrettable that was almost uncanny”. Use of leaded gasoline, which he invented, released large quantities of lead into the atmosphere all over the world. High atmospheric lead levels have been linked with serious long-term health problems from childhood, including neurological impairment, and with increased levels of violence and criminality in cities. Time magazine included both leaded gasoline and CFCs on its list of “The 50 Worst Inventions”.

Read the whole story
18 days ago
Pittsburgh, PA
Share this story

‘A Large Portion of the Electorate Chose the Sociopath’


Tom Nichols, writing for The Atlantic:

Sadly, the voters who said in 2016 that they chose Trump because they thought he was “just like them” turned out to be right. Now, by picking him again, those voters are showing that they are just like him: angry, spoiled, racially resentful, aggrieved, and willing to die rather than ever admit that they were wrong.

Also: stupid.

Read the whole story
20 days ago
Anyone who has no hesitation in writing off 70 million people as "stupid" is part of the problem.

"Angry, spoiled, racially resentful, ..." is descriptively accurate, as I can attest from living in Pennsylvania, but it's also superficial and useless. There are reasons why Trump's supporters are the way they are, but the linked article doesn't even try to grapple with them. It is too busy saying things like "Trump would've defeated anyone to the left of Biden" and all I can say to that is congratulations, you are also part of the problem.
Pittsburgh, PA
20 days ago
“Think of how stupid the average person is, and realize half of them are stupider than that.” ― George Carlin
Share this story
1 public comment
20 days ago
Um, yeah, that's the average American summed up pretty well.

Your Data, Our Democracy

1 Share

Around the world, as elections become increasingly data-intensive, our personal data is becoming a political asset for campaigns to leverage in pursuit of electoral success and political power. This educational short film explains to voters some of the ways in which our personal data is being used and alludes to the larger democratic consequences of the ‘datafication’ of politics. What does the development of the ‘Influence Industry’ mean for our democracies, and what can we do about it? Watch the animation in English or Dutch to learn more:

If you want to dive deeper into the topic, check out our Voter’s Guide, which explains in accessible terms where political campaigns source personal data, what kinds of data they collect, and how they use it to target and persuade voters. The guide demystifies campaigning techniques like ‘digital listening’, ‘micro-targeting’ and ‘A/B testing’, and offers voters 7 essential tips to detox their personal data. The Voter’s Guide is also available in Dutch here!

Read the whole story
37 days ago
Pittsburgh, PA
Share this story

This is an Experiment about How We View History

1 Share
We’re going to show you some photos and ask you when each picture was taken.
Read the whole story
38 days ago
Pittsburgh, PA
Share this story

Bruce Springsteen or Stephen King?

1 Comment and 3 Shares

1. You take Mary out for a nice drive. Disaster ensues.

2. Bit by bit, this town is killing you.

3. Two remorseless killers careen across a desert state, leaving a trail of destruction in their wake.

4. You used to see Janey around, but she’s gone now.

5. Your clothes don’t fit you anymore. You feel like you’re shrinking.

6. An animal has been struck and killed on the highway. Its owner seems to think it might get back up again.

7. You leave the carnival with your arm around your girl and climb behind the wheel of your car. It feels like nothing could go wrong.

8. Wendy, let me in!

9. Mary listens to Roy Orbison.

10. Clarence Clemons makes a brief appearance.

11. A man tells you an unsettling story about an amusement park ride.

12. A young man is mortally wounded in a highway auto accident.

13. Vietnam was hell — but coming home ain’t all it’s cracked up to be either.

14. You walk the train tracks. Somewhere, a dead man waits for you.

15. You’re impulsively shopping for tchotchkes. This store has a pretty nice lamp for sale, but the proprietor has a strict policy against refunds.

16. There’s a chapel deep in those pine woods. You won’t be going there alone.

17. A whole generation of your town peaked in high school.

18. Your father was a deeply troubled man, but you’re trying to make good. You struggle to keep the dark memories at bay. Thank god for Mom.

19. Everything dies. But that doesn’t mean it can’t come back.

20. The children here are all quiet. Too quiet. They stand there, hand in hand, just watching you.

21. She’s got hair like fire, and you can’t stop thinking about her.

22. You’ve been contemplating that old Buick for over thirty years.

23. It’s been a long time since you once played together — long enough for you all to grow up and forget. But you’ll always be blood brothers.

24. Outside, the snow is coming down harder and harder. The wind moans. It doesn’t matter. The world is our enemy. We’re never leaving this place again. Right, honey?

25. There is a mansion at the edge of town that stares down upon the children at play. You stare back, but it refuses to yield its secrets.

26. You need Eddie to calm down.

27. You’re hell-bent on getting out of these handcuffs.

28. The prisoner welcomes his trip to the electric chair. Sometimes a man’s better off dead.

29. You hope fast cars will allow you to leave misery behind. You are sorely mistaken.

30. It’s unusually long and begins with the lyrics to “Jungleland.”

- - -

1-30: Both.


1. “The River”; Desperation
2. All of them.
3. “Nebraska”; The Stand
4. “Spirits in the Night”; Mr. Mercedes
5. “Streets of Philadelphia”; Thinner
6. “Reason to Believe”; Pet Sematary
7. “Born to Run”; The Dead Zone
8. “Born to Run”; The Shining
9. “Thunder Road”; “You Know They Got a Hell of a Band”
10. Too many to list; It
11. “4th of July, Asbury Park”; Riding the Bullet
12. “Wreck on the Highway”; Christine
13. “Born in the U.S.A.”; “Blind Willie,” “Why We’re in Vietnam” (Hearts in Atlantis)
14. “The Ghost of Tom Joad”; The Body
15. “You Can Look (But You’d Better Not Touch)”; Needful Things
16. “Ramrod”; “Jerusalem’s Lot” (Night Shift)
17. “Glory Days”; Carrie
18. “Adam Raised a Cain”; Dr. Sleep
19. “Atlantic City”; Pet Sematary
20. “Jungleland”; Children of the Corn
21. “Red Headed Woman”; It
22. “My Hometown”; From a Buick 8
23. “Blood Brothers”; It
24. “Cover Me”; The Shining
25. “Mansion on the Hill”; Salem’s Lot
26. “Meeting Across the River”; It
27. “Magic”; Gerald’s Game
28. “Johnny 99”; The Green Mile
29. “Darkness of the Edge of Town”; Misery
30. “Jungleland”; The Stand

Read the whole story
67 days ago
Pittsburgh, PA
Share this story
1 public comment
67 days ago
Washington, DC
Next Page of Stories