On Blockchain Voting

Blockchain voting is a spectacularly dumb idea for a whole bunch of reasons. I have generally quoted Matt Blaze:

Why is blockchain voting a dumb idea? Glad you asked.

For starters:

  • It doesn’t solve any problems civil elections actually have.
  • It’s basically incompatible with “software independence”, considered an essential property.
  • It can make ballot secrecy difficult or impossible.

I’ve also quoted this XKCD cartoon.

But now I have this excellent paper from MIT researchers:

“Going from Bad to Worse: From Internet Voting to Blockchain Voting”
Sunoo Park, Michael Specter, Neha Narula, and Ronald L. Rivest

Abstract: Voters are understandably concerned about election security. News reports of possible election interference by foreign powers, of unauthorized voting, of voter disenfranchisement, and of technological failures call into question the integrity of elections worldwide.This article examines the suggestions that “voting over the Internet” or “voting on the blockchain” would increase election security, and finds such claims to be wanting and misleading. While current election systems are far from perfect, Internet- and blockchain-based voting would greatly increase the risk of undetectable, nation-scale election failures.Online voting may seem appealing: voting from a computer or smart phone may seem convenient and accessible. However, studies have been inconclusive, showing that online voting may have little to no effect on turnout in practice, and it may even increase disenfranchisement. More importantly: given the current state of computer security, any turnout increase derived from with Internet- or blockchain-based voting would come at the cost of losing meaningful assurance that votes have been counted as they were cast, and not undetectably altered or discarded. This state of affairs will continue as long as standard tactics such as malware, zero days, and denial-of-service attacks continue to be effective.This article analyzes and systematizes prior research on the security risks of online and electronic voting, and show that not only do these risks persist in blockchain-based voting systems, but blockchains may introduce additional problems for voting systems. Finally, we suggest questions for critically assessing security risks of new voting system proposals.

You may have heard of Voatz, which uses blockchain for voting. It’s an insecure mess. And this is my general essay on blockchain. Short summary: it’s completely useless.

Tags: , , , ,

Posted on November 16, 2020 at 9:55 AM61 Comments

Comments

Matt November 16, 2020 11:38 AM

Hm, who should I trust more, a paper from MIT researchers including Ron Rivest, or some guy named “Chuck” who posted an uncited comment on a blog?

Terry November 16, 2020 11:45 AM

Chuck says “It’s very convenient to forget that banking/ecommerce works just fine.”

Translation: “It’s very convenient to forget about banking/ecommerce fraud.”

If banking and ecommerce worked the way evoting should work, and you did ALL of your banking and shopping online, you’d be broke, hungry and naked. Banking and ecommerce may be private, but they aren’t secret – and voting is.

If you’ve ever had to cancel a credit card because of a fraudulent transaction, or know anyone who has, raise your hand.

Banks and ecommerce sites expect fraud. In fact, they absorb the costs as part of doing business. If banks and ecommerce held you responsible for fraudulent transactions, you’d delete all your accounts today! Banking and ecommerce fraud costs billions every year. How much evoting fraud would be acceptable?

Bruce Schneier November 16, 2020 11:52 AM

@ chuck:

“It’s very convenient to forget that banking/ecommerce works just fine.”

This is an important point to address. The reason banking and commerce work just fine, even though fraud and theft is common, is because the system is not anonymous. It’s possible to audit the results, and undo transactions that are bad.

It’s the requirement for a secret ballot that makes all of that impossible for voting systems. If voting were not anonymous, it would be easy to secure. It would be easy to vote on the internet.

This is why comparisons to making and finance don’t make sense.

Kurt Seifried November 16, 2020 3:19 PM

I would go one further and simply say “Electronic voting” in general is a terrible idea where you need:

1) security
2) privacy
3) verifiability by regular humans

I would say that for systems where privacy is not a concern, e.g. you want transparency of who voted how, then electronic systems and blockchain are acceptable, as you can make the tradeoff of privacy, and more subtly of verifiability, it’s easy for people to confirm how they voted to others so everyone has confidence in the voting if privacy is not an issue (e.g. a Doodle poll for a meeting time, or stockholder voting on a board member).

SM November 16, 2020 3:26 PM

@Vesselin Bontchev
I like your Twitter posts, I never thought about auditing that your own vote was counted as a problem, but I see your point. However, don’t you have the same problem with mail votes?

For me the biggest problem is phantom votes. Once you see a vote on the system, how do you know that it was cast by an actual person.

SpaceLifeForm November 16, 2020 3:58 PM

@ Vess, SM

The only safe way must be hand marked ballots, hand counted.

I have entertained the electronic voting angle, in depth, for many years.

Including hashes so the voter can determine that their vote was counted, and properly counted.

Alas, there is always a Silicon Turtle.

Or, a corrupt person reporting results.

So, you need hand marked paper ballots, counted at least twice, by different groups.

QQ Anon November 16, 2020 4:03 PM

The existing classic forms of voting in the US (excluding any relatively newer electronic types) are arguably inefficient but they are largely NOT insecure.

There is a huge difference between those things.

Conflating efficiency and security means you are either:

1- accidentally wrong,
or, worse
2- intentionally wrong.

SpaceLifeForm November 16, 2020 4:09 PM

@ SM, Vess

Phantom votes.

That is not the problem I am seeing now.

I am seeing dropped votes.

And I am not referring to USPS.

Which is a separate problem that effected various states.

Clive Robinson November 16, 2020 4:47 PM

@ ALL,

Vote secrecy is a very thorny issue and is way more difficult than ensuring a correct count.

Remember even with paper ballots and locked boxes the secrecy of your vote, is not down to you but the good grace of the vote counters[1] and the effectiveness of the independent oversight.

The one many are aware of is the 1930’s elections in Germany where ballot papers had serial numbers written on them in milk[2]. Modern day techniques can do a much better job even passing the iodine vapour test[3] and more modern tests. Serial numbers can be embedded in the paper by way of aligning fibers or threads or overprinting the printing on the paper with chemical identifiers or just make the ink sufficiently thick that secondary dots of ink printed on top act like “brail” serial numbers.

But serial numbers are not required more modern finger print or even DNA test with “National ID” databases will unmask the majority of voters and other techniques will “fill in the blanks”.

So if somebody pulled a “Joe Stalin”[4] could take the ballot papers and remove the secrecy of the “booth and ballot box” long after the election is apparently over.

Moving to electronics might have the illusion of being made more secure, but the reality is they just make finding out who voted how, much easier to do, whilst making it very very difficult even for independent oversight to spot.

If you think otherwise consider ATM fraud, it’s not exactly difficult to rob people and they can not see how it’s being done.

Making accurate vote counts is way way easier than stopping voter secrecy from being lifted. In fact it’s sufficiently hard that more people are comming to the conclusion that from a practical viewpoint securing voter secrecy in electronic systems is effectively impossible.

[1] For the secrecy of a vote to happen there needs to be very clear independent oversight of the ballot papers and boxes at all stages untill the ballot papers are burned.

[2] Milk like many bodily fluids contain organic materials that change their properties with fairly mild raising of temprature (as low as around 42C 108F so held above a candle works fine). These changes can turn what is nearly invisable to a quite visable nut brown, thus for centuries bodily fluids have been used as “secret/invisable inks”.

[3] Many decades ago a scientist found that all secret inks they tested effected the paper, in effect changing the properties of the fibers. They found that iodine vapour which is very easy to make, attached it’s self to the damaged threads thus making what ever secret invisable ink was used visable. You can do similar with the more modern ESDA and “super glue vapour” tests.

[4] Effectively observing, it’s not who casts the votes, but who counts them determins the outcome…

Drone November 16, 2020 4:55 PM

Who cares HOW you vote when all the ballot counting (or non-counting) is witnessed by one side only, ballots are permitted to appear after the initial counting has stopped, mysterious ballots DO appear after the initial counting has stopped, and counting resumes.

Clive Robinson November 16, 2020 4:56 PM

@ SpaceLifeForm,

Alas, there is always a Silicon Turtle.

Yup even down amongst the electrons and their charges.

It’s what side channels are made from…

lurker November 16, 2020 5:56 PM

@Bruce

It’s the requirement for a secret ballot that makes all of that impossible for voting systems. If voting were not anonymous, it would be easy to secure.

We still need to catch people who vote twice (or more), and dead people voting. We’ve been doing that for years with paper registers and paper ballots, without violating the secrecy of the ballot.

Complaints that counting paper ballots is slow and inefficient suggest that excessive use of electronic devices has allowed people to forget how to count…

metaschima November 16, 2020 6:07 PM

I agree with Bruce. IMO, there is no way to vote securely on our current network infrastructure. Not only that but even if you purpose built an infrastructure that is vastly more secure, it will probably be less secure than our current system. So why bother trying? For the sake of convenience or because it’s a cool idea and adding buzzwords like “blockchain” or “quantum” make it even more cool?

MarkH November 16, 2020 7:37 PM

I can’t prove that there will never be an problem for which blockchain based on proof-of-work is a rational answer. Maybe someday, somebody will find such a problem.

But it seems awfully improbable.

==========================

If you think that “cryptocurrency” is a valid application, then you didn’t understand it very well …

A recent careful estimate of Bitcoin mining concluded that it burns electricity at almost 8 gigawatts. The total mining energy cost for 2020 will be at least 60 million megawatt hours. That’s enough to supply the electric needs (personal and industrial together) of 10 million persons in a fairly prosperous country, or more than 20 million at the global average of consumption.

All of that energy consumed for a contrived resource which, if it were a currency by the economic definition of that term (it ain’t) would make up 0.2% of the world’s money (defined as physical currency, plus immediately accessible money in accounts).

SpaceLifeForm November 16, 2020 11:12 PM

@ Drone, EvilKiru, Clive

It’s difficult to observe the counting inside the Ballot Scanners.

It’s even more difficult, if, as alleged, the ballots were not scanned.

2524 ballots, net gain of 778 for trump.

hXXps://www.northwestgeorgianews.com/rome/news/local/presidential-race-hand-count-completed-in-floyd-county-just-over-2-500-additional-early-votes/article_c1365ce2-2818-11eb-8656-6b7f49a93a04.html

Mr C November 17, 2020 2:47 AM

Internet voting is a hopeless problem since its security depends upon solving two other hopeless problems: endpoint security and key distribution.

Even if you had perfectly secure internet voting software, elections conducted over the internet would still be hopelessly insecure because the attacker could just distribute a virus to compromise a large number of windows/android/etc. devices and make the operating system alter their users’ votes as they were cast. This problem is likely unsolvable, since decades of effort on the endpoint security front have gotten us, well, windows 10/android/etc.

A secure communications channel is required to avoid a man-in-the-middle attacker changing votes en route to the counting authority. That, in turn requires either some way to securely preshare a symmetric key with each individual voter or some way for voters to verify the authenticity of an asymmetric key received over an insecure channel. The former is infeasible, since it requires a face-to-face with each individual voter. (Or a whole lot of trust in the postal service, which is a fraught topic right now…) The latter is an unsolved problem, on which decades of effort have given us the shambolic mess that is the TLS certificate authority system, with its huge failures like the CNNIC incident. Some may shout, “We can fix this with certificate pinning!” But you can’t; the pin is hardcoded into the voting program, which is distributed to voters over… TLS — and, damn, we’re right back where we started. Others may shout, “We can fix this with certificate transparency!” But they’re wrong too; certificate transparency doesn’t prevent attacks, it merely exposes them after the fact, and nation state attackers might be happy to burn a suborned certificate authority in exchange for throwing an election to a Trump-like candidate (again).

As for blockchain, it’s an (expensive) way for mutually distrustful nodes to agree upon a historical log, provided that, at all times, more than 50% of the computing power is collectively held by nodes with mutually conflicting interests when it comes to whether or how to rewrite the historical log. This might sort of maybe make sense if the voters themselves could run the nodes, but every blockchain voting proposal to date involves the voters submitting votes to a central server that then posts them to a blockchain, which is… just dumb. Even if you did have a system without the idiocy of a one-node blockchain, that wouldn’t solve either the endpoint security problem or the key distribution problem. Blockchain voting runs into an additional fatal problem in two-party elections: you’re always going to have at least 50% of the computing power in the hands of supporters of one side or the other.

Rj November 17, 2020 8:44 AM

“Complaints that counting paper ballots is slow and inefficient suggest that excessive use of electronic devices has allowed people to forget how to count…”

This is indeed true, or they never learned how to count in the first place.

Watch your cashier next time you go to a store. Most of them cannot figure change without looking at the cash register which does the arithmetic for them. To proove this, buy something that has some number of pennies in the total amount, then hand the cashier a single bill of a large enough denomination to cover that cost. After she takes the bill, reach into your pocket and hand her the coins to cover the pennies, so you are now expecting her to only give you bills back for change. Watch the expression on her face: Fear, dismay, confusion… She doesn’t know what to do. The cash register already told her what change to give you, pennies included. Now you’ve messed everything up, and she’s lost!

Tom Smith November 17, 2020 8:48 AM

Many people are concerned about hacking of internet voting, or other forms of fraud – and rightly so.

But the biggest concern with online voting isn’t that the election might be hacked, though of course that’s a possibility. No, the concern is that even if it ISN’T hacked, people will CLAIM it was hacked (or just plain “fixed”) – and there’s no convincing way to prove them wrong!

Sure, you can have all sorts of encryption and blockchains and whatever else you want – but if you think that propeller-head-talk like that is going to quiet claims that an election was hacked/fixed, you’re utterly delusional. There are millions of Americans who don’t believe we went to the moon, and probably tens of thousands who think the Earth is flat. Right now, in the middle of a pandemic that has killed well over a million people worldwide, there are millions of Americans who think it’s a Democrat hoax. Do you REALLY think these kinds of people are just going to calmly accept whatever the “so-called ‘experts’” say? These people make it a point of pride to DISBELIEVE anything that any “experts” say, ESPECIALLY if a partisan tells them that the experts are lying.

No matter who wins, the other side is going to claim that it was due to irregularities of some sort. And there’s nothing an egg-headed I.T. guy can say that will assuage their concerns – NOTHING!

And while actual hacking can be made as unlikely as you want (by adding enough layers of protections), CLAIMS that an election was hacked are VIRTUALLY GUARANTEED to occur – no matter how unlikely an ACTUAL hack might be.

Ironically, the more layers of complex mechanics you add to make it harder to hack the election, the LESS faith people will have in the resulting system – it will simply be too complex for them to understand, and so they’ll have no reason to disbelieve partisans who claim that the election was hacked.

So we’ll have a large portion of the electorate fully convinced that the election was stolen out from under them, and there’s NO WAY to prove them wrong – there’s no paper trail, nothing to recount, nothing you can say other than “Trust me, you lost fair and square”.

In these hyper-partisan times, that’s a recipe for civil unrest on a scale previously unimaginable.

Anders November 17, 2020 8:53 AM

How long Estonia already is using e-voting so far?
And only now they start slowly admitting that there
might be some problems that needs to be fixed.

news.err.ee/1159591/economics-affairs-ministry-looking-to-tighten-up-e-voting-security

In my humble opinion – e-voting is a perfect tool for power-hungry
politicians.

Clive Robinson November 17, 2020 12:04 PM

@ Rj,

To proove this, buy something that has some number of pennies in the total amount, then hand the cashier a single bill of a large enough denomination to cover that cost. After she takes the bill, reach into your pocket and hand her the coins to cover the pennies, so you are now expecting her to only give you bills back for change.

Just last week I handed over a 20note and 41 pennies for a 15.41 ring up.

The cashier took the note typed in 20-00 and pushed the coins back and started adding the wrong number of coins to them.

The cashier would not admit his error so I dug my heels in and called for the manager. The casher kind of lied to her, but the customer in the que behind me confirmed my story.

The manager took an executive dicision and told him to give me the 5note and put the coins in the till with a slightly barbed word at him that he needed it as his change was very low…

Which made it clear as to his general MO…

Funny thing is I’ve not seen him in there this week, to see if he is still doing it. I guess his shift pattern has been changed on him.

But I’ve talked to young cashers who have been surprised when I’ve given them the exact money before they start putting things through. It turns out that not many can count up, but nearly all could not “count down” to give change… The exception bring one lass who’s dad had a market stall.

The older cashiers often women from the eastern side of Europe, not only count down they also count up as stuff goes through, and catch “entry errors” faster than I do…

Which kind of suggests basic shopping and cash skills are “normal not exceptional” to them.

Clive Robinson November 17, 2020 12:37 PM

@ Tom Smith,

But the biggest concern with online voting isn’t that the election might be hacked, though of course that’s a possibility. No, the concern is that even if it ISN’T hacked, people will CLAIM it was hacked (or just plain “fixed”) – and there’s no convincing way to prove them wrong!

Because the use of “online voting” is a way to “fix” elections much like Gerrymandering.

My big concern is disenfranchisment, with the upper middle class and above having high bandwidth Internet modern fast computers and the latest OS’s it would be easy to set a “security bar” as banks and other online organidations do.

Thus if you are in the bottom 2/3rds of society with slow Internet, old OS’s, old computers or even no Internet or nothing at all, then guess what you don’t get to vote…

In the UK for instance many are required to make tax returns or suffer significant and rapidly rising fines… But you can only make returns online with a very very limited subset of what computers and OS’s etc there are. If you write to them asking that they supply the required equipment they get upset, you then request the correct details to have the cost deducted from your taxes they get upset. Oh you have to write and send it registered post because they can not be bothered to answer the phone in anything like a timely manner (I have an audio recording that is three and a quater hours of “on hold” message on one channel and the 50hz mains on the other[1] that I wired up a friends phone to record after they had suffered from it a couple of times).

The current political flavour of government in the UK has very deliberatly taken a number of actions to disenfranchise or criminalize the lower socio economic end of society (who generaly vote against them). To hit them with outlandishely large fines and criminal records, that they were going to use to force them out of work and “social housing” or homes if privately rented or owned.

[1] What is not that well known in the UK is that thr frrquency of the 50hz mains signal is closely monitored and recorded with a very accurate time stamp. Thus the 50hz signal when tied to thr audio recording is of evidentiary importance and fully admissable in court as the equivalent of a continuous watermark.

Jason November 17, 2020 4:20 PM

Interesting read thanks.

It doesn’t seem like internet voting is a good idea even if it could be done securely. Voting should require a little bit of difficulty to do. This isn’t a “what Star Trek Captain are you” poll, it is determining which people are given enormous law making powers. If you don’t think it is worth walking down to the polling station to cast the vote (or apply in advance for an absentee vote) then maybe you don’t care enough about the process to be voting in the first place.

Clive Robinson November 17, 2020 5:27 PM

@ Jason,

… then maybe you don’t care enough about the process to be voting in the first place.

What about the disenfranchised, who are not alowed the right to vote?

Those who would walk down many roads just to make their mark. But those in power have stolen not just their ability to have a say, but their right to say when they have been denied.

There is a lot to be said for “one man one vote” not “our people will vote but your people will not”

Much as I dislike the idea of central control of anything, a free and fair set of elections for all over a given age should be made from the center such that all States have to obay and not disenfranchise people.

Otherwise how does the US Government expect other countries to listen when the US Government calls for them to do something which the US Government freely alows to be denied to it’s own citizens?

Thus ending the hypocrisy one way or another should be of major importance, if the US wants to be credible in the eyes of the world…

JonKnowsNothing November 17, 2020 5:27 PM

@Rj, Clive

re: count up and count down

The problems mentioned above occurred when paying for a meal (pre-covid). The manager had to come sort out the exchange of funds. Not only could the person running the till not count up or count down, they didn’t know the numerical value of the coins.

While the USA still counts in yards and feet, our money had been decimal based since the time of our break away from King George. So it’s not a new new new monetary scheme.

It’s the reliance on debit-credit cards.

Tom Smith November 17, 2020 6:04 PM

@Clive Robinson,

Yes, internet access (and browser compatibility, etc) is another problem. I imagine that most people think of internet voting as merely an option (in which case it doesn’t hurt people who do not or cannot vote online) – but it’s certainly possible that off-line voting could become so rare that it ends up becoming burdensome for the voter (due to inconvenient polling places, limited hours, etc), resulting in off-line voters being effectively disenfranchised.

That's a Bingo! November 17, 2020 9:10 PM

Governments aren’t stupid and they have been well-informed that voting software can never be secure. They cannot credibly claim to not know it, though they will claim it anyway.

The thing to take away from all this is that governments are desperate for the ability to manipulate elections. These developments prove that they are not going to stop trying any time soon. Voting machines have been ridiculously insecure since the whistle blower at Diebold went public in 2005. That’s not actually secret, but it sure ain’t the news, either. You have to search out the info.

JonKnowsNothing November 17, 2020 10:41 PM

@All

There is an underlying theme that affects how we think about this and many other topics. It’s been honed over 20+ years of neoliberal+austerity management. The drive to the bottom, cheapest, fewest humans and highest mechanical devices has been the format for a long time now.

We are trying to solve problems without adding in people to do the work. We are trying to solve problems created by having too many machines between here-and-there. We are trying to solve a problem with artificial constraints such as “balanced budget” and “debt neutral” concepts that are the keystone of neoliberal economics.

If you back up about 20 paces and ask without these constraints imposed since Reagan and Thatcher period, what changed? We were able to count the votes just fine using simpler technology that required more people to do the work.

The main reason we have “small government and big contracting firms” is that you still need people to do the work. When you off-load the decision to AI systems you get one debacle after another (see RoboDebt Australia among others).

Humans need to be more involved. It does not need to cost more. It shifts people away from contract-zero-hours back to actual working hours. The only down cost is the .05% super-bonus the Contract Company CEOs bill the governments as part of their contract terms.

Perhaps a more human intensive approach would be worth consideration.

name.withheld.for.obvious.reasons November 18, 2020 2:16 AM

@ JonKnowsNothing

We are trying to solve problems…

I’m going to have to disagree, I believe we cycle through solutions after creating the problems. I will agree that we do a kind of two steps forward, one step back method of forward momentum. Just trying to put the emphasis on the cycle, you’ve already identified the procedural argy-bargy and I think we often produce a facile postulate. But if I know anything (pun intended), it is that there are a number of individuals that will provide additional externalities that often go unattended. Many of those individuals can be found here frequenting Bruce’s house of blog. (BHOB)

And you are certainly one of them, JonKnowsNothing.

Robin November 18, 2020 2:46 AM

@All on counting up/down

I have no doubt that we (yes, me included) have become habituated to machines doing work for us (I barely write anything these except a signature), and the increased use of debit/credit cards also reduces the need to handle cash and the associated sums.

But I want to put in a few words for those who work the tills.

1 They often do it over several hours at a time and doing the sums is fatiguing.

2 A single transaction for the customer is only one of several dozens, maybe hundreds for the cashier. It might be an agreeable mental arithmetic diversion for us but it’s part of the long daily drudge of the job for them.

3 Managing the till is their responsibility: if the cash doesn’t balance against the machine at the end of the shift the shortfall comes out of their wage. (I doubt if it works the other way). If you want to be sure of getting it right every time, time after time, you trust the machine.

4 There is already a moment where you need to concentrate on checking the coins that are given to you and/or picking the right coins out to give change. Doing the sums is a distraction; that’s what the till is for.

5 As a customer I despair when I see another customer rummaging through a purse, handbag or suchlike, muttering “I’m sure I’ve got the right change in here somewhere”, then spending (what seems like) an eternity trying to find the final 1c. Multiply that by a few dozen customers per shift and I’m surprised the cashiers can keep their cool.

6 Everybody makes mistakes, even me. I think I’m pretty sharp on mental arithmetic (like the rest of us here, I guess) but over a shift, and over weeks of doing the same work day in day out I would make mistakes. They would need to be sorted out with the customer who could get … impatient, at best .. it might get the store manager involved. All in all it screws up my work rate (which is undoubtedly closely scrutinised by management), will affect my reputation and could well affect any bonuses I might hope for each month.

7 For the customer, doing the sums is an important part of being at the till. For the cashier it’s only one of many things that must occupy their attention: checking out the items; checking the customers are not stealing stuff; keeping an eye on the display for exceptions; explaining that the special offer finished yesterday; checking prices that are not on the label; ensuring that any coupons are valid; following every damn-fool rule the management insist on; giving out yards of receipts and the vouchers for next week. And to keep sane, replying to the cashier just behind you when he/she asks if you watched the football last night, or did I know that the assistant under-manager was seen in a bar last week with the chief accountant?

I could go on but you get the picture. Behind that smile – or puzzled and hopeless expression – on the face of the cashier is the screaming thought “JUST GIVE ME THE NOTE AND TAKE THE CHANGE!”. Or even more often : “Please just use the card, contact free”.

There are some gentle lessons for security in all this rant, which I’m sure I don’t need to list.

Tm November 18, 2020 4:11 AM

It is a perennial source of frustration that the US just doesn’t seem to be capable of efficiently organizing the election and ballot counting process. It’s now two weeks and some states still haven’t finished counting. Does anybody have a plausible explanation for this? And please don’t say the US is a big country … the per capita time and effort shouldn’t be greater in the US than in Switzerland.

kucik November 18, 2020 6:00 AM

@Tom Smith:
In our country, the only possibility to vote is by person, you are checked against ID, against pre-prepared list. Every party can nominee person to observe and participate on ballots counting and boxes are secured.

I’d say there is low risk of manipulating with votes and there’ve never been proven fraud. Just minor counting mistakes.
Still there are people talking about frauds. There always will be, however you will try to prove them wrong. If you stuck focusing on this minority, you get nowhere.

Yes, according to paper above, risk of fraud in electronic voting is not marginal. And as we were taught, you have to consider likelihood and impact of each type of security risk.

If you consider any other way of voting than in-person in secured room, the biggest risk is always bribing/making pressure to voter. In voting by mail (paper mail) this cannot be eradicated yet this types of voting is OK by paper and accepted in many countries?

I’m not trying to question vulnerabilities of electronic/remote voting. I cannot. But we live on globalised world with many people working/living abroad so they have to travel enormous distances to be able to vote. It’s just hard to give up the idea, that voting could be accessible and convenient to anyone who want to vote.

Winter November 18, 2020 6:02 AM

@Tm
“Does anybody have a plausible explanation for this?”

Some Googling gave as reasons:
1 Waiting for all mail-in votes post marked on Nov 4th. USPS is not very fast

2 Recounts

3 Provisional votes counting. Difficult to understand for nin-USAians.

“It is a perennial source of frustration that the US just doesn’t seem to be capable of efficiently organizing the election and ballot counting process. ”

I suspect the USA has lost the ability to organise anything at all. There have been jokes about:

”Historians Still Unable To Determine How Americans Were Able To Build Hoover Dam”
(The Onion)

But I am afraid this is not really a joke. Just as it is questionable whether Americans could set a person on the moon again.

Tom Smith November 18, 2020 8:09 AM

@kucik

I’d say there is low risk of manipulating with votes and there’s never been proven fraud. Just minor counting mistakes.

Yes, but how do you KNOW there are only minor counting mistakes? Because you can count them! And why do people trust that process? Because they understand counting pieces of paper!

I don’t know what country you live in, but here in the US, literally everything is politicized into two opposing camps. We have political positions on whether we should wear masks to slow the spread of COVID, we have political positions on whether dumping CO2 into the atmosphere causes global warming – pretty much any subject you care to name, Republicans have one point of view and Democrats have another. And no one trusts anyone from the other party, and everyone listens almost exclusively to the news sources favored by their “tribe”. Conspiracy theories run wild, and people will take to the streets and riot before the facts are in. And when the facts do come in, people still won’t believe them – preferring instead to think that their original opinion is still correct, and that the “facts” have been whitewashed by the guilty. It’s really not a good environment at all, but it is what it is.

And in that environment, a scheme too complex for most people to follow, combined with partisans who are perfectly happy to make wild claims without evidence (and people willing – even eager – to believe those claims without evidence), is a recipe for disaster. Maybe it could work in some countries, maybe it could have worked in the US in the past – but not here, not now.

Vesselin Bontchev November 18, 2020 8:16 AM

@SM, You accounting for your vote being counted is not a problem. In fact, it’s one of the requirements – an electronic voting system must be able to prove to you that your vote has been accounted correctly. However, it must be impossible to prove how exactly you have voted (in order to prevent vote selling). These are two different things – the system must be able to prove that it has counted exactly the vote that you cast without knowing how exactly you have voted. Zero-knowledge proofs can help but they are very hard for the average person to understand (and thus to trust).

Voting by mail has a different problem, which I didn’t cover well enough in my cucumbers thread – coercion. How do you know that the husband hasn’t forced his wife to cast the kind of vote by mail that he (but not she) wants?

The only secure voting mechanism is in person, at the voting booth, with a pencil supplied by the organizers. Everything else has security problems, although some of them (e.g., in mail voting) are difficult to exploit at scale.

Clive Robinson November 18, 2020 8:21 AM

@ Robin,

But I want to put in a few words for those who work the tills.

All of what you describe was the case back five decades ago. The difference was that tills were mechanical decices in the main.

The 14year old girls working in Woolworths certainly could count up and count down without issue all day long, whilst chatting to the shoppers and the other girls.

When I had a Saturday job in a different store I was expected to likewise be able to count up and count down whilst being nice to customers.

All that has realy changed is needless technology dumbing people down to button pushing droids, which might account for why more and more stores are going for “self checkout” tills, where even the dumbest of customers can now be a checkout clerk as the skills required are now about as close to zero as you can get.

You see the same with cell phone usage, back in the 80’s people still knew how to organise a meetup on a Friday or Saturday night they knew when and where to meet but more importantly they knew what to do if they missed each other for some reason. These days they use their phones to be “talked in”…

As for credit and debit cards, again another dumbing down device but also a way for idiots to get into vast debt which banks etc exploit ruthlessly to vast profit. Also they are yet another “tracking device” exploited by others at the expense of the holder. I still use cash and will continue to do so, simply because I can think and plan ahead. ATMs make it way way easier than when I was young and you had to go to a real teller in a bank at lunch time to get out money if you were “Salaried” rather than “waged” and given a packet of cash on a Friday afternoon.

All of which also shows another dumbing down many people now “only live in the moment” they don’t plan or think ahead a skill other primates clearly have… Even animals that hunt plan what they do, otherwise they would starve very quickly.

The games kids used to play in school playgrounds used to teach the rudiments of these life skills many teens and young adults have apparently lost…

If you are not independent, then you are dependent, when you are dependent you are also beholdent, when you are beholdent at best you are a charity case, a slave or worst still a surf, tied to a usually thankless master. Does it matter if the master is a man or a machine? No once you are a slave, you will die a slave unless you take responsability for your future.

Something the Founding Fathers understood only to well.

kucik November 18, 2020 10:14 AM

@Tom Smith
I’m from Czech rep.

What I was trying to tell: Even though you can count the votes paper by paper, there are still people who don’t trust that and believe it’s rigged. It’s just about some people.

This polarization of opinions into two opposite camps is happening here too. Even though there is multiple political parties and view. Guess it’s just amplified by two parties system. But some people just need to see the world simplified to black and white. But i think we’re being bit too political.

Cassandra November 18, 2020 1:01 PM

@Clive Robinson, @Rj

My mother was, for a period, a cashier in a busy lunch restaurant, for workers in a financial district. She would add up the total of what was on people’s trays while they were in the queue approaching her, and have the correct change ready for the expected note before she stared ringing up their transaction (she pulled the change out while putting in the money from the previous transaction), If someone gave her the correct change (pennies), she would hand them straight back, together with the change she had already calculated in her head. Pipelining and look-ahead.
She was a farm-girl that left school at 14.

Anyone who stalled the queue by trying to pay in a non-standard manner soon learned not to from the opprobrium received from other queue members who did not appreciate being kept waiting. When things were busy, she simply rang up the totals: no-one objected.

I have noticed that people leap for their mobile phones to do the simplest arithmetic: on the other hand, I am no good at dealing with social networking software, which is possibly a more relevant modern skill. The only constant is change.

Cassie

Cassandra November 18, 2020 1:20 PM

It my be of interest to know that the voting system in the UK is quite possibly not anonymous. The link below is to the ‘Notes and Queries’ column of The Guardian where somebody asked “What happens to the voting slips used in British elections after they have been counted?”

hxxps://www.theguardian.com/notesandqueries/query/0,,-1051,00.html

It appears that votes are indeed traceable back to the voter.

Cassie

Clive Robinson November 18, 2020 3:54 PM

@ Cassandra,

It appears that votes are indeed traceable back to the voter.

Yup, I’ve been aware of it for many decades which is why I commented on it.

Also noting that serial numbers need not be visable or infact necessary.

What makes me smile is that it’s a “small world”. Back last century when I knew computer journalists, I shared a conversation of exactly this issue over a pint with a certain pipe smoking journalist who later knew Bruce through the Gaurdian…

As for the bit in the “notes” about the UK Official Secrets Acts (yes there have been two) is that you do not have to have signed it to be covered by it’s provisions, and more importantly the wording is sufficiently loose to be one of those “White Knight from Alice through the looking glass” type acts in that “It means what I says I means”.

Charles Dodgeson was an educated man and logic was his metier, it shows when you consider,

https://en.m.wikipedia.org/wiki/Haddocks%27_Eyes

Most experianced low level programers of any merit will know what’s happening with the naming the White Knight uses.

lurker November 18, 2020 4:51 PM

@Clive

… which might account for why more and more stores are going for “self checkout” tills, where even the dumbest of customers can now be a checkout clerk…

A human checkout clerk will never bark at me: “Unknown item in the bagging area!” A human clerk can see if I am offering cash or a card, and will not require me to make the selection on the machine. Which is why I choose a human when one is available, and they’re faster, even for a single item purchase.

Clive Robinson November 18, 2020 5:53 PM

@ Cassandra,

If someone gave her the correct change (pennies), she would hand them straight back

She would have met her match with me, because I have the “bad habbit” of giving the correct amount when ever I can, mainly because it speeds things up…

I have noticed that people leap for their mobile phones to do the simplest arithmetic

I used to be the proud owner of a Casio watch with inbuilt calculator, I hear they have come back into certain parts of life as a retro fashion accessory with certain types.

I only ever used the calculator function to “show it off” (much like I did my later GPS watch[1]). There is a picture of my at my desk taken for a company brochure. It’s an over the shoulder shot of me with my watch plainly visable but also holding my fathers slide rule in the hand the watch was on the wrist of. The photograph was mainly focused on the piece of equipment I was using, but my colleagues did pull my leg about “belt and braces” calculating.

on the other hand, I am no good at dealing with social networking software, which is possibly a more relevant modern skill.

Ahh the same here, though my avoidence of social networking/media is a very concious choice made almost from before it was known. Lets just say my hat was not always a glowing white, and getting to know other peoples BBS’s admin functions was rather too easy, even when they were “big boy” professional systems runing on expencive GEC or Prime mainframe computers.

Thus I knew from the “get go” that social media/networking was a significant liability.

Yes I did have personal Email at one point, but I dumped that several years back it had become way more trouble than it was worth. Some friends keep telling me I should install WhatsApp or Signal or Telegram or some other aledged secure messaging app. But as regular readers here know I’ve been saying for years they are in no way secure and would not recomend people make targets of themselves by installing them.

It looks like in the near future I’m going to have to “go through France” into Europe. I’ve dug out and got working an old “non smart” cell phone that does SMS and voice only. I got a raised eyebrow from one or two people, but rather than tell them the real reason I say “It does seven days on one charge” at which point both their eyebrows raise in surprise and they say something like “but I have to charge my iPhone twice a day”…

But the real point that people should consider, is that of “false security” even though I’ve been saying it for years EncroChat came as a surprise to most, and should have be a wake up call but apparently not…

If you think your phone is secure then you will be indiscret if not now in the near future when a little stress is involved. If however you know it’s plaintext open to all like a “post card that flashes neon bright” then you tend to be more carefull about what you say even when under stress.

You would think that 2013 and the Ed Snowden “collect it all” revelations would have made people more cautious about what they said, sent, and put on line, but nope they are spilling their guts faster than water goes down Angel Falls Venezuela[2] and in greater quantaties than Niagara… In other words a veritable torrent of PII falling into both Private and Government hands.

[1] As they say “Hey every boy should have a toy” 😉

[2] At a little under 2/3rds of a mile high the water kind of gets to terminal velocity as spray and drops but not in the main fall. It’s said that in warm weather a lot of the water just does not get down because it gets evaporated or misted away… Now that is one waterfall I would not mind standing under just for the heck of it… I doubt I ever will but UK lockdown is making my feet itch to be “out on foot where vehicals just can not go”.

Clive Robinson November 18, 2020 8:04 PM

@ lurker,

Which is why I choose a human when one is available

I will quite happily que up for a human even when a self checkout is available, not because humans are faster, but because I want them to have jobs.

I intensively dislike self checkout not just because of the reasons you mention but others as well.

I treat each time I have to use a self checkout as an experiment in how to break or game it some way. That is it’s me versus the software developers and sofar they are very much on the loosing side.

There is one self checkout from Nixdorf that is possible to cheat, because it has a faulty “debounce” routien.

The trick is to put through two items of the same weight quickly. That is you scan the first item and thump it in as you scan the second that you add quickly. The result it only registers one of the items on the bill but adds the weight of both items as excepted thus the unknown item alarm does not come up…

I suspect I’m not the only one to have discovered this, because of the sudden increased presence of over head CCTV above only those self checkouts in stotes with rows of mixed checkout systems…

In another self checkout the “coin counter” is again gameable. If you spin the coins in in the right way they get miscounted or the coin counter jams up / confused. You complain and in some stores they give you “inconveniance discount” as it takes them a while to sort it out…

There’s a couple of other tricks I’ve found but you get the idea that these systems have not been “alpha tested” properly for some reason…

ferritecore November 19, 2020 9:20 AM

To reinforce Clive’s comment,

Counting back change does not require doing sums. If you are doing sums to make change you are doing it the hard way and increasing the chances of error.

This skill was once taught in elementary school. Partly because you might need to do it. More importantly because so you could monitor the process of having change counted back to you.

Suppose that your total purchase was 16.27 and you offered a 20. Attach decimal currency symbol of your choice.

The clerk would start by saying the total “16.27”.
Then say “twenty-eight” adding .01 to the pile.
“twenty-nine” adding .01
“thirty” adding .01
“forty” adding .10
“fifty” adding .10
“seventy-five” adding .25
“seventeen” adding .25
“eighteen” adding 1.00
“nineteen” adding 1.00
“twenty” adding 1.00

The difficulty for the clerk is pretty much equivalent to the current system, where the register reports that the change should be 3.72 and the clerk counts up to that amount in the reverse order:
“one” adding 1.00
“two” adding 1.00
“three” adding 1.00
“twenty-five” adding .25
“fifty” adding .25
“sixty” adding .10
“seventy” adding .10
“seventy-one” adding .01
“seventy-two” adding .01

There is of course a security angle, given that intentional short-changing has been known to happen.

Drone November 19, 2020 1:24 PM

@EvilKiru said: “@Drone: both sides are allowed to observe vote counting in the US.”

FALSE: Take Philadelphia for example (or any large city in a Swing State). Republican election count witnesses were NOT allowed to approach within a meaningful proximity of persons opening and verifying ballots. Also, counting was allowed to continue at odd hours when the counting facility was officially CLOSED to any ballot observers! Just look at the counts from these corrupt cities: Overnight, mysteriously the ballot counts for one candidate skyrockets without explanation AND this happened while the counting facilities were supposedly closed. Imagine flipping a coin hundreds of thousands of times in in a relatively short time and having all the results turn up heads. Yeah, something is rigged.

This is what a valid count looks like (it can vary by state but this a typical example): At least TWO persons from different and significantly opposing political parties witness the opening and signature verification of a statistically significant number of randomly sampled ballots. This looks like two persons sitting side by side opening ballots, inspecting them and verifying voter signatures (yeah, the persons are socially-distanced and wearing masks). Next, the witnesses either agree that the ballot is good, or that the ballot is either contested or invalid. That outcome determines whether the ballot moves on to be machine counted, discarded, or set aside for a possible “cure” involving the supposed voter (additional signature and/or address verification are common reasons).

Is that what you saw in the Philadelphia count? NO! What you saw were witnesses separated from the counters by large distances and forced to stand behind fences. If you complained about this illegal treatment you were forceably EJECTED from the counting venue and sent right into the hands of vicious AntiFa/BLM goons. Counting was allowed to continue at odd hours when the counting facility was officially CLOSED to the public, much less any official observers. During odd hours vehicles were witnessed (under penalty of perjury) to be delivering large numbers of mysterious ballots.

This election is/was fraudulent in my opinion.

WmG November 20, 2020 1:23 AM

@Drone. You need to cite a source with a story like that.

It’s been my experience that both political parties have observers present, and that they get along and treat each other respectfully.

WmG November 20, 2020 1:30 AM

@Clive @Rj @Ferritecore

Back in the 70’s I would try to teach young cashiers how to count-up to make change. By the later part of the decade, not one could learn to do it. Probably the influence of calculators.

Clive Robinson November 20, 2020 5:11 AM

@ WmG, Ferrite core, Rj,

By the later part of the decade, not one could learn to do it.

As ny mother used to say of the students she taught,

“Couldn’t or Wouldn’t?”

Like what to watch out for when cooking (green-potato, kiddney beans, casava etc) we try to help people not poison themselves, and so they don’t cook anylonger and the wise words of “Granny” told to the very young do not happen.

Back cough cough years ago when I was a snorty nosed child, parents taught their under 5’s the basics of life. Including reading and basic math, but also other things like how to hold a knife for peeling and dicing vegetables. Even the basic use of tools like hammers and saws, as you got a little older, how to tell weeds from vegtables and how to dig and make concrete paths etc, even how to do simple decorating like painting and basic carpentry. By the time I was eight my parents trusted me to cook my own breakfast and tea as well as supper occasionally.

This was all considered normal, as in a year or two you’ld start learning a trade, so that you were actually worth paying by the time you were 14 and left school to bring home a wage to help put food on the table etc. By the time I was 14 with the help of my dad I’d self taught myself how to repair valve radios and TV’s and was earning my own pocket money and then some. I also knew the basics of carpentry (cabinate making we call it today) plumbing and building.

None of that was difficult as you learnt with mum and dad and elder siblings almost as a game, and it was thus fun not tedium.

Mike November 20, 2020 6:02 AM

This issue is not as clearcut as you think. Why not listen to an expert on blockchain based voting:

https://youtu.be/DZf-LE-LZAI

a lot of the problems in that paper can be addressed, the above video walks through it. please take a considered look

Anders November 20, 2020 6:41 AM

@Clive @Bruce @SpeceLifeForm @ALL

Changes ahead in Estonian e-voting!

hxxps://news.err.ee/1161488/it-minister-smartphone-camera-verification-would-cut-out-voter-fraud

Clive Robinson November 20, 2020 7:39 AM

@ Anders, Bruce, SpaceLifeForm, ALL,

Changes ahead in Estonian e-voting!

And not for the better realy.

I know the idea of a “mugshot” photo is appealing, but in all honesty such systems all morr or less fail.

Take cheques with your photo printed on them, did the cashier check it, “of course they did not”…

Even pasport officers are realy bad at checking passports, as I’ve mentioned before I traveled most of the way across Europe on a friends passport because a clark in a hotel gave us the wrong passports and we were to much in a hurry to check. It was a day or so later when back at home I realised the passport was my friends.

The simple fact is we are realy bad at connecting a 2D-Image to a 3D-Face, even with fairly good training.

WmG November 20, 2020 4:15 PM

@Clive
“ Couldn’t or Wouldn’t?”

Well, it’s always hard to know for sure.

But I’m pretty sure that it was couldn’t. They usually seemed anxious and a bit flustered.

Of course, the till would provide the answer. So, job performance did not depend on having the skill.

It was baffling to me, who learned how to make change when I was eight years old. But maybe anxiety was the problem. I don’t know what management told them about their responsibilities for the drawer.

Many ordinary high schools students now turn to a calculator to discover the mystery of 2 x 8 = ???

Clive Robinson November 21, 2020 1:58 AM

@ WmG,

But maybe anxiety was the problem.

Yes, and not just for the contents of the cash draw, but also for “making the numbers” of shoppers/items through.

The electronic till supposadly gives both an accurate and instant answer (but often does neither[1] which is why this applies to electronic voting as well).

So for the cashier the contents of the cash draw would be correct and most shoppers/items got through if there is sufficient of each coin and note in the cash draw and they behave like a pure automaton[2]. It obviously goes all to pot when there is not enough of any note or coin to “make change” the easy way. Thus a new shop floor process has to be made to ensure that does not happen. So a cost saving in one area becomes an expediture in another, which causes a “ratchet effect” that makes unwinding the changes harder than making them.

But the problem that still comes up, and at the end of the day –is what I call the “MBA issue”[3],– is when a customer not just totalls up on their way around but memorizes item price as they go. Especially when you get a 3 for the price of 2 or similar discount offer.

You would be surprised at how many Epos systems don’t give the discount unless the cashier runs them discount items all through together[1]. So if you the shopper have not lined them all up together in the same place on the conveyour and the cashier does not ring them through as a group you don’t get the discount.

This problem is kind of obvious when you get a 5 for 4 on a 25 pence item like cans of soft drinks and you also buy a packet of biscuits at 70 pence, you know it should be 1-70 but to have the till come up 1-95 you know you’ve not got the discount, and there can only be two reasons why. Firstly the discounts not been put in the Epos system and secondly the Epos system is “Not Fit For Purpose”(or more crudely NFU).

When you say to the cashier you’ve “rung it up wrongly” they kind of don’t listen to why and the old “The Machine Says” thinking kicks in for them and sometimes their managers as well.

Yes I’ve seen it several times, which must make me sound like “the shopper from hell” or what some call a “custard” or even “barnacle”. But at the end of the day I like seeing checkout staff and I don’t like “dim bulb” MBA’s. Saving the former and culling the latter I think is a service to society[4] 😉

[1] One of the reasons it happens is the programers not dealing with user “expectations” correctly which is generaly not the programmers fault. They in effect write the transaction as an item by item “calculator” not as a “database” of all items. Because those developing the specification have insuficient or no “Domain experience” and nine times out of ten neither do those purchasing the Epos systems know how to do a correct “Factory Acceptance Test”(FAT) the mistake gets through and customers get diddled[1b]. And as the problem works in the favor of the business they are often in no hurry to fix it unless the customers push them over a tipping point[1c], by ruining the shopper/item through put and wasting shop floor managers time as well as giving out those “we’re sorry you are not happy” discounts and all the auditing they involve.

[1b] Similar issues arise with voting systems and “straight ticket votes”.

[1c] Something many would say is why we are having this conversation about voting systems and electronic ones in particular.

[2] And if they do behave like a pure automaton then managment logic says “you don’t pay wages to a machine” so they get the old “Unit of work resource optimised” from Human Resources and their job is gone for good, replaced by one of those awful self checkout machines.

[3] The problem with MBA’s is they supposadly know everything about business… Not only do they not know everything about business they usually have absolutly no idea what any individual business actually does as they have “no experience” of it. A business is about “Value Added Processes” in the case of manufacturing you take “raw feed stock” apply a “process” to it and output a “finished product” customers will buy at some price point. Whilst an MBA in Marketing should be able to set the price point, they can not “optimize the manufacturing process” without sufficient experience, which they are very unlikely to get. The smarter MBA’s know this and take off their jackets roll up their sleeves and get in with those who actually work the process on the shop floor. The trouble is way to many MBA’s these days are not smart, they get fed “mantra” as part of their course and that’s what they regurgitate to the senior managers who mostly only talk “business” not “process” as well. It’s why I tell “team leaders” if they want to get promoted they have to not just learn to talk “business” but set “process issues” in “business speak” and then get a bit of paper that says they are an MBA as well so they can job swap their way up the senior managment greasy pole, if that’s what they want to do, or go out as a consultant or start up their own business.

[4] Actually it’s not a joking matter, but a very serious problem caused by certain business leaders and politicians, and it’s come back to bite with quite sharp teeth. Few understand before they do it, that you can not just “jump into a job” even if the job is just moving boxes around a warehouse, there is a lot you have to learn. That is what “Saturday jobs” are all about, you get the essential training that makes you employable at a time in life where if you muck it up nobody cares. If we loose those jobs then the result is they have to be taught elsewhere and that is a real problem as it follows you via your C.V. etc. It’s a problem you see in “fresh graduates” sufficient of the time to be a concern even to the most senior of business leaders. Unfortunatly in their mid to late twenties the graduates have already become “set in their ways” and less responsive to a “quiet word to the wise”, so “breaking them in” to basic employment skills is a lot lot harder than it should be.

Ruchir November 26, 2020 6:44 AM

Fascinating discussion…
I agree that there is no holy grail of voting security that electronic voting can fix. But we should use technology to make voting easier, less expensive and less disruptive to daily life.
One easy solution is to add vote-by-phone to the existing vote-by-ballot system.

-Voter registration should include the ability to register a mobile number (just like you do your postal address). Changing your registered mobile number should follow the same process as changing your postal address.
-Every registered voter that has a verified mobile number should be able to vote via an android or iOS app
-Folks who do not want to register a mobile number with their voter registration can always vote by regular paper ballot.
-Of course this requires the ability to check for double voting when scanning in a ballot (checking can be done before opening the ballot envelope for postal voting or at check-in at a polling booth)

I believe that over a generation, this will approach near 100% adoption and will allow the conduct of elections more cheaply, faster and with less irregularity than the system we have today.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.