Is Votebook a really private blockchain voting system?
Elections are a very complex process. The basic assumptions are contradictory: Voters must be registered and cast only one vote, but votes must be kept private and cannot be linked to its voter by an external entity. Using conventional paper ballots and every candidate had at least one vote, there is no way for a citizen to be sure that his vote was really counted. A candidate can claim all his family voted for him, but there is no way to prove anything beyond your own vote that you obviously know. Frauds have taunted countries for ages without a good answer from the world´s IT department in developing a secure and anonymous digital voting system.
Wait, don´t I live in Brazil where the elections are completely electronic? Yes, Brazil has an electronic voting system, but it has never gone through extensive and open security tests. First, the code is not open source, so no researcher can freely study the program that runs in the voting machines. Even the machine hardware is not available to an open examination. The Superior Court of Elections is the branch of the government that defines the election process in Brazil, develops the code and defines the machine hardware specs. They recently promoted a public test that provided access to the voting machine and code to researchers for a brief time and under very restrictive rules. Even on a absolutely constrained environment, a group of researchers was able to recover the order of the votes, which is pretty serious for the elector privacy. Moreover, Brazil´s voting machines do not print paper ballots to allow manual recounting, so we have to trust on the digital results alone.
This problem let to a challenge promoted by Kaspersky Lab and The Economist magazine: Can blockchain technology really hold the key to secure digital elections?
The requirements seemed to cover all the voting system basics:
2- Voting under duress protection;
3- Partial results disclosure avoidance before all voting spaces are closed;
4- Correct counting of blank votes and abstainers;
5- Recounting possibility;
And a final important requirement:
6- Ability to check that your vote was really counted.
The winner was New York University with its Votebook proposal. As a blockchain enthusiast living in Brazil, I read the paper, which, spoiler alert, had very good insights but, in my opinion, falls short under severe security scrutiny.
How Votebook works
The NYC team proposed a system that relies on a “permissioned blockchain” using dedicated voting machines on designated poll locations. Remote voting was not permitted because of coercion, personal device compromise and denial of service risks. Good call, in my opinion. Prior election day, each voter must have a unique voter ID that can be a randomly generated number or a previous unique public identification ID like a driver´s license. Each voting machine must generate an asymmetric key set and send its public part to a central authority server that compiles a complete trusted public key table, appends signatures from all voting machines and loads the complete signed trusted public key list on each voting machine.
Once the pools open, the machines will connect to each other in a peer-to-peer network protected by a Virtual Private Network through the internet and start collecting the votes. Each voter must input his voter ID in the machine, write the choices and if he is under duress. A ballot ID is generated for the voter and printed to be taken out. A hash is generated from the concatenation of the ballot ID and the voter ID, I will call it interaction ID. The “voting under duress” is signaled generating a ballot ID that produces a character in a position of the interaction ID hash. A receipt is printed and deposited in a secure space containing interaction ID and the vote choices. This is the best design choice of the team: Paper audit. It is not clear, but it is important that this paper receipt can be verified by the voter thought a transparent window before being deposited without any possibility of manual intervention.
Behind the scenes, the machines aggregates the votes in a block composed of a set of data structures [interaction ID,votes], a standard blockchain hash of the previous block and a digital signature. These blocks are broadcast to the peer-to-peer blockchain network, and its signature is validated on arrival using the trusted public key table. This vote ledger allow partial results disclosure if permitted.
A second ledger is proposed on the same peer-to-peer network: A voter ledger. This blockchain propagates all the voter IDs that have already cast a vote and is intended to detect and discard any double-voting.
Votebook really improves the fraud resistance, but at an expensive cost
I understand the Votebook motivation. In the actual voting system, we cannot be 100% sure if our personal votes were really counted or if absent voter names were used to cast fraudulent votes. The NYC blockchain voting system permits all voters to check if his vote is in the public ledger that stores all votes.
But what bothers me is the cost of this feature. I live in Brazil and in every election we watch the news being flooded with voter bribery and coercion. Votes are exchanged to the most variable sort of things, from money to dentures, but today an elector can simply take the bribery and vote for the other candidate. Being able to check to whom you have voted for means that the briber will attach some strings to his offer, after all he wants to be sure if the voter fulfilled his part of the deal. Things will get even worse in case of threats instead of bribery. Everyone will vote for a violent candidate because he will knock on your door after the election to collect your ballot ID.
The last problem I see is the constant internet connection on every machine during election day. I do not have to explain how dangerous it is. The authors explain that “the machines will never touch the open web” because they only communicate through virtual private networks (VPNs) and firewalls will restrict communication. In my opinion, this is not the same as “never touch open web”. Any vulnerability on the firewall or VPN software will compromise everything, and the attackers incentives are high. My definition of “never touch open web” is an air gap. Without it, we cannot be sure that the machine is not leaking all ballot IDs.
In my opinion, Votebook is a step forward but it cannot be used in unsecure countries like Brazil. It improves the accountability of an election on expense of voter privacy. Using this system, voters can check if your vote was really counted, but opens a silent attack vector that discloses how every voter voted, task actually much more difficult using conventional paper ballots.
I really like the idea that a voter should be able to check that his vote was properly counted, but I can´t think in a way of doing it without destroying the voter privacy in a country where the state does not properly protect its citizens.