US Postal Service Files Blockchain Voting Patent

The US Postal Service has filed a patent on a blockchain voting method:

Abstract: A voting system can use the security of blockchain and the mail to provide a reliable voting system. A registered voter receives a computer readable code in the mail and confirms identity and confirms correct ballot information in an election. The system separates voter identification and votes to ensure vote anonymity, and stores votes on a distributed ledger in a blockchain.

I wasn’t going to bother blogging this, but I’ve received enough emails about it that I should comment.

As is pretty much always the case, blockchain adds nothing. The security of this system has nothing to do with blockchain, and would be better off without it. For voting in particular, blockchain adds to the insecurity. Matt Blaze is most succinct on that point:

Why is blockchain voting a dumb idea?

Glad you asked.

For starters:

  • It doesn’t solve any problems civil elections actually have.
  • It’s basically incompatible with “software independence”, considered an essential property.
  • It can make ballot secrecy difficult or impossible.

Both Ben Adida and Matthew Green have written longer pieces on blockchain and voting.

News articles.
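As an added illustration, not code from the post or the patent: a small Python model of the abstract's design, where ballots carry a mailed code rather than a name and are stored in a hash-chained ledger. Chain validation passes, yet the registrar that issued the codes can re-link every ballot to a voter, and an operator holding the only copy can alter a ballot and re-hash the chain so it still validates; only a head hash recorded by an independent party detects the change. All names and sample data are hypothetical.

```python
"""Added model of the patent abstract's design (hypothetical names, not USPS code).
Ballots carry a mailed code instead of a name and sit in a hash chain. The model
shows why neither buys much alone: the registrar holding the code table can
re-link every ballot, and a chain kept by one writer can be rewritten yet validate.
"""
import hashlib
import json
import secrets

GENESIS = "0" * 64


def _digest(prev: str, ballot: dict) -> str:
    """Block hash over the previous hash and the ballot record."""
    blob = json.dumps({"prev": prev, "ballot": ballot}, sort_keys=True)
    return hashlib.sha256(blob.encode()).hexdigest()


class Ledger:
    """Append-only hash chain of ballots, as the abstract describes."""

    def __init__(self) -> None:
        self.blocks: list = []  # each block: {"prev", "ballot", "digest"}

    def append(self, ballot: dict) -> None:
        prev = self.head()
        self.blocks.append({"prev": prev, "ballot": ballot,
                            "digest": _digest(prev, ballot)})

    def head(self) -> str:
        """Tip hash: the one thing an independent auditor should record."""
        return self.blocks[-1]["digest"] if self.blocks else GENESIS

    def valid(self) -> bool:
        """Every block links to its predecessor and hashes correctly."""
        prev = GENESIS
        for b in self.blocks:
            if b["prev"] != prev or b["digest"] != _digest(prev, b["ballot"]):
                return False
            prev = b["digest"]
        return True

    def tally(self) -> dict:
        counts: dict = {}
        for b in self.blocks:
            counts[b["ballot"]["choice"]] = counts.get(b["ballot"]["choice"], 0) + 1
        return counts


class Registrar:
    """Mails each voter a code; ballots carry the code, not the name.
    The code-to-voter table still exists, so the separation is only nominal."""

    def __init__(self) -> None:
        self.issued: dict = {}  # code -> voter (constructed sample data)

    def mail_code(self, voter: str) -> str:
        code = secrets.token_hex(8)
        self.issued[code] = voter
        return code

    def relink(self, ledger: Ledger) -> dict:
        """Join the ledger to the issuance table: ballot secrecy is gone."""
        return {self.issued[b["ballot"]["code"]]: b["ballot"]["choice"]
                for b in ledger.blocks}


def run_election(votes: dict) -> tuple:
    """Constructed election: votes maps voter name -> choice."""
    reg, ledger = Registrar(), Ledger()
    for voter, choice in votes.items():
        ledger.append({"code": reg.mail_code(voter), "choice": choice})
    return reg, ledger


def rewrite_history(ledger: Ledger, index: int, new_choice: str) -> Ledger:
    """Sole-writer tampering: alter one ballot and re-seal every later block.
    valid() still passes; only a copy of the old head() reveals the change."""
    ledger.blocks[index]["ballot"]["choice"] = new_choice
    prev = GENESIS
    for b in ledger.blocks:
        b["prev"], b["digest"] = prev, _digest(prev, b["ballot"])
        prev = b["digest"]
    return ledger
```

The chain's integrity check is only as strong as the number of independently held copies of the head hash, which is Blaze's "software independence" point in miniature.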

Posted on August 28, 2020 at 6:40 AM • 33 Comments

Comments

Zerok Bitcoinder August 28, 2020 7:31 AM

Blockchains are the male super-models of security software, and security is a precious, precious commodity. But just because we have chiseled ledgers and stunning protocols, it doesn’t mean that we too can’t not get hacked in a freak proof of wallet accident.

Clive Robinson August 28, 2020 7:47 AM

@ Bruce,

As is pretty much always the case, blockchain adds nothing.

Whilst I agree it not only does not add anything to the postal voting process and is in all probability actually quite harmful, I think people need to take a step backwards.

The patent is not just for postal voting; it’s more generic. The main use of patents is to actually prevent competitors, not to make money by licencing etc. That is, it’s to establish or maintain a monopoly.

Thus when seen from this angle the USPO could use the patent to force other potential voting systems out of contention, and thus protect the USPO from rival mail carriers and other voting systems.

marmalade August 28, 2020 11:30 AM

“It can make ballot secrecy difficult or impossible.”

I do wish you people would be consistent. There is no privacy and little security on the Internet. Millennials and younger appear to be fine with that. Very soon we will have an avalanche of deep porn, deep fakes, deep revenge porn, deep delusion, and deep libel, with everyone being vulnerable to it, not just politicians. Why should voting history be any different?

Kronos August 28, 2020 12:56 PM

A local radio station runs an ad for a computer security product, of which they always tout “it has BANK GRADE encryption”. I always laugh about that because, as Schneier frequently points out, security is hard and most people/programmers/organizations don’t really know how to do it.

Erdem Memisyazici August 28, 2020 1:01 PM

My big fat decentralized block chain strikes again. It’s the new Windex I tell you, just put some blockchain on it.

Sherman Jay August 28, 2020 2:04 PM

@Bruce,
Thanks for blogging this. It is important even if it is a Huge Can of Worms and just one more in an endless chain (pun intended) of reasons why voting is so insecure. Hackable machines, machines with no audit capability, people collecting ballots to ‘help’ and then trash-canning them, States purging voter registrations often without any valid justification, etc, etc.

The right to vote used to be important. I think Pat Paulsen once said, “Vote! vote for the idiot of your choice, but vote!” Today we should replace the word ‘idiot’ with ‘corruption’.

@wiredog,
Thanks, xkcd Really Nailed It.

It’s really sad that some trolls have discovered (and pollute) Bruce’s gift to all of us.

WmG August 28, 2020 4:01 PM

@Sherman Jay. Yes it is sad that particularly ugly trolls seem to be acting up. Maybe a filter based on 3 or 4 letter text strings would prove valuable.
in re: @news @Gibbs.

@Wiredog, Thanks for xkcd.

1&1~=Umm August 28, 2020 5:18 PM

@WmG:

“Maybe a filter based on 3 or 4 letter text strings would prove valuable.”

Hmm, irony oh irony, wherefore art thou.

Fortuna August 30, 2020 10:05 PM

The reason “blockchain” keeps cropping up in every conversation remotely tech-oriented is because most people have only a vague idea of what it is.

Classic “buzzword” syndrome.

myliit August 31, 2020 4:08 AM

@morris, All, Voting Security Professionals ( or Experts)

“… USPS is not secure. Most countries ban mail-in ballots for a reason. You cannot secure a postal service. …”

A few things:

1) That sounds like our President’s position (propaganda?), more or less:

Except for the states, where he wants to get out the mail-in Republican vote.

2) Voter intimidation at polling sites may be planned for 2020

3) Does anybody know if the cited article has been peer reviewed? Does the article have any merit for the U. S. In 2020?

4) Currently I am leaning toward:

Early mail-in voting: mail early, and manage your own audit trail (follow-up) of your vote’s progress through the system. If it never gets back, vote with a provisional ballot, too.

myliit August 31, 2020 7:43 AM

@morris, All, Voting Security Professionals ( or Experts )

Our President might disparage, or create confusion about, mail-in voting, because foreign governments are Not known to be fiddling in that area of U. S. elections yet. [1]

I assume it might be easier for our President to get Russia, for example, to do certain things that three letter agencies might consider beyond the pale when used against U. S. voters.

If our President is counting on foreign election interference to help keep him in power, then obviously, he wouldn’t want Democratic voters to mail-in vote.

[1] https://www.schneier.com/blog/archives/2020/08/friday_squid_bl_743.html#c6816602

Anthony Pagano August 31, 2020 3:14 PM

I haven’t read the Postal Patent application but reading Ben Adida’s blog did prompt a few comments which may indicate that Adida gets this wrong. The blockchain may prove to be unworkable in practice like many electronic voting ideas, but it is hardly a dumb idea.

It’s not clear that any voting system we’ve had in my adult lifetime has ever guaranteed

  1. enforced secrecy,
  2. individual verifiability or
  3. global verifiability.

For the unwashed masses there has never been hope of 2 or 3.

With a blockchain made up of blocks containing votes each individual can, in principle, conduct his own automated recount (global verifiability). Assuming that I can obtain some randomly generated “public address” at the time that I vote linked to my vote, I can search the blockchain and confirm the vote I cast was correctly recorded (individual verifiability).

Since voting is a very public act “enforced secrecy” is practically impossible. When I go into a polling place I must identify myself and sign in—this is the very antithesis of privacy. What is more practically attainable is at least pseudonymity. That is, I want my vote to be included in the public count, I just don’t want my name associated with it. If a unique public address—available only to me at the time of my voting—is generated and included as a key with the record of my vote, I achieve both pseudonymity and individual verifiability.

The blockchain is also of value because “validating-nodes” must agree by consensus that each block containing a record of votes is validly recorded before it gets into the chain; this serves to prevent fraudulent blocks from getting in. And once a block is embedded into the chain the ability to alter its contents becomes increasingly difficult. It would take a consensus of nodes to hack the system.

There appears to be some evidence that local elections in particular in the hands of a few poll workers have been and will continue to be tampered with. And absentee ballots are so fraud prone that I would rather not vote than use one. Whether blockchain is unworkable in practice is far different from characterizing it as dumb.

WhiskersInMenlo September 1, 2020 9:15 AM

It adds one thing.
It adds the ability to disclose the identity of individuals and their voting history, either intentionally or via a hack.

“The system separates” is the key to understanding the flaw. It has all the data and nothing prevents the system from being changed.

Summary: it adds an attack surface.

As a patent it can be used to quash others from playing.

Vote on the record like the US Senate sure, proxy voting sure. The system can obscure details yet be altered for the equivalent of forensics after anonymity is stripped.

Because it is digital shenanigans can be invisible.

Mail in ballots also have risks but those can be managed at a human physical level.

Not only can your voting history be exposed but your unique digital signature private half is proof that you voted for the opposition and now you get a train ride and a jar of vanishing cream.

Bitcoin uses key pairs generated outside the system. A system that generates and delivers a key has the keys.

Anthony Pagano September 1, 2020 1:53 PM

Matthew Green’s criticism of blockchain voting systems is little better than Ben Adida’s. If the four criteria Green cites are the principal concern in voting systems then blockchain voting is, at least in principle, superior to what we have now. Green cites these criteria as essential for a voting system:

  1. votes accurately recorded,
  2. votes accurately counted,
  3. votes remain secret, and
  4. voting process must be easy to use for the non-technical.

I submit that none of the voting systems I’ve come across in the United States over the last 40 years meet any of these criteria. The only assurances we have of criteria 1-3 under current voting systems are blind faith in the honesty and integrity of poll workers. Sadly there appears to be some evidence over several decades that some (or many) polling station workers, Postal employees and others in the chain of custody of votes have intentionally tampered with votes and/or vote counts. Absentee ballots are worthless for guaranteeing criteria 1-3 for the same reasons. Finally, if you’ve stepped into some of these voting booths they seem to be purposely laid out in a confusing manner making criteria 4 problematic.

Green incorrectly assumes that the front-end of a blockchain voting system will necessarily be as complicated as Bitcoin wallets were 10 years ago. The newest Bitcoin wallets are increasingly shielding users from the complexities. Blockchain systems are in principle “trustless” so we don’t have to have blind faith in poll workers. And the votes stored in a blockchain are generally tamper-proof. The blockchain is plain text and public so that EVERYONE in principle can perform their own recount and verify that their vote was correctly recorded AND counted. The unwashed masses have had no hope of either of these criteria since 1776.

Since every polling place I’ve entered over 40 years required me to identify myself and sign-in there is NO privacy. The fact that there are witnesses that I’m voting at a particular place, time and voting booth eliminates the possibility of privacy. The minimum required is pseudonymity. That is, I want my vote accurately recorded and publicly counted, but I don’t want my identity associated with my vote. Assuming untrustworthy partisans working at polling places using commonly used voting systems we get neither privacy, pseudonymity nor accuracy of vote count.

Now to the leg-breaker movie scenario. One is likely to be able to shield the anonymity of one’s vote with greater likelihood on a trustless blockchain than that of a compromised polling location. Otherwise there is no solution to this scenario short of fighting or submitting. This problem is generally outside the scope of voting systems.

Anthony Pagano September 2, 2020 8:28 AM

Re: myliit’s comments of 09/02/2020

Schneier asserts in his article that blockchain adds nothing to a voting system and cites Ben Adida’s and Matthew Green’s comments in support. Both Green and Adida give 3-4 criteria that any acceptable voting system should have. Both assert incorrectly—and without substantive argument—that blockchain doesn’t meet them; however, they side-step the fact that current voting systems in the US have never met their criteria. I point out in my previous two comments that—in principle—blockchain meets all of their criteria.

Whether I can produce an historical record of fraud prone poll workers is largely irrelevant. Unlike current voting systems where I must have faith in the integrity of poll workers, blockchain systems—in principle—don’t require me to trust them. And a public, plain text, “voting” blockchain, in principle, is tamper-proof, allows everyone to verify their own vote, verify that their vote was correctly counted and that the overall vote count was correct.

Green and Adida push aside the technical issues, complexities and associated risks with any blockchain voting system—as do I. Attaching personal motives to me in an academic-like discussion about whether voting systems meet specific criteria hardly seems justified.

Anthony Pagano September 2, 2020 11:34 AM

Re: myliit’s “fwiw” comment

Your comment, again, is mostly off topic but worth a reply. As a senior I’ve both lived through and seen the reports of election fraud (since the JFK election) to know that they are not limited to movie plots. This is why something better than we have might be helpful. Whether that is blockchain or something else is worth study. So blockchain may be insecure or impractical in practice (a position disputed by 11 years of Bitcoin experience); it is not, as Schneier, Adida and Green claim, that it adds nothing.

Nonetheless it is well known by the unwashed elderly masses (including me) that absent the cash of the upper crust to influence elections all we have as individuals is our contact with our elected representatives and our vote. Since those age 65 and above consistently voted 70% of time (including myself) for well over 20 years your comment is wasted on me.

haigai September 4, 2020 4:56 PM

@Anthony Pagano

A block chain system is in fact impractical for election voting. You cited bitcoin as a counter example. However, it’s bitcoin that is exactly the example to prove my point. First, block chain can be manipulated and has been. If a malicious actor such as a nation state controls a majority or even select well placed nodes in the blockchain it is possible to manipulate integrity. Second, the infrastructure required for a resilient block chain environment is huge. For instance it’s estimated the infrastructure for bitcoin generates over 64 terawatt hours of electricity, which is more than many countries use. The costs associated with electrical consumption are very steep. Regarding the actual equipment, at least relative to bitcoin, there are many hundreds of thousands of specialized ASIC systems, or CPUs specially built to do one thing, which is crunching numbers of certain algorithms many times faster than any traditional CPU possibly could. One of the reasons bitcoin’s blockchain is relatively safe is because of the sheer number of nodes or devices in that network: hundreds of thousands spread around the world (mostly in China). The costs related are obviously enormous. I’m not suggesting block chain is a useless idea. I’m saying the costs are not worth the reward as it simply doesn’t solve any of the election concerns or other security/anonymity or integrity issues we have with the election voting system. Contrary to popular belief bitcoin can in fact be tracked to a user or account, and is NOT anonymous. While it’s certainly true that there is no perfect system, there are better solutions than a blockchain. The purpose of blockchain was for a decentralized network and ledger integrity. However, if the USPS or US GOV owns the blockchain network, that defeats its purpose.

In my opinion paper ballots and the ol’ fashioned way have been tested for thousands of years. It’s far from perfect. While I do agree with you that we could be improving our systems, I would argue that efforts would be better spent getting some standard for our elections across all 50 states. Currently each state may have completely different laws and processes, and this can cause serious issues to our presidential electoral process. Getting all states on the same page, using the same laws, rules, processes, systems would be a step in the right direction.

myliit September 4, 2020 6:59 PM

@haigai

“… Currently each state may have completely different [ election related ] laws and processes …”

Different laws and processes, however, may screw up fvcking wholesale with U.S. elections. Thus these inconsistencies may introduce friction for dastardly deed doers (DDDs) and Not Be a liability, but a feature for the U.S. election process.

haigai September 5, 2020 8:52 AM

@myliit

Thanks for accurately clarifying the election related laws and processes rather than general laws and processes lol, my mistake.

I see what you mean. Sort of like trying to build a trusted network from un-trusted devices. That is certainly something to think about. I would still stay away from computer systems for national elections simply because there are many more potential vectors of attack, which the triple D’s could potentially exploit, as it’s a complex computer system/network.

Anthony Pagano September 5, 2020 11:28 AM

@haigai comments dated 09/04/2020

I’m not arguing that Blockchain is the answer; however, claims that it “adds nothing” or has no merit—even in principle—indicate zero knowledge of blockchain. Second I’m not advocating a vote by smartphone blockchain system—that’s a disaster with no current hope of verifying eligibility.

Schneier cites Adida and Green as supporting his position of “adds nothing.” Unfortunately Adida’s and Green’s criteria for a workable voting system has NEVER been met by any voting system we’ve had since 1776. However, a theoretical blockchain system met ALL of their criteria. I pointed that out in my previous comments to which you offered no rebuttal.

I would be highly surprised if you can cite one example with Bitcoin, the most mature of such systems, that an external actor—or any actor for that matter—was able to alter the contents of a block and get that block into the accepted chain without being detected and corrected. EVERY participant in Bitcoin who makes a transaction can personally verify that his/her transaction was properly recorded and the transaction completed correctly. There is no hope of that with paper ballots or any electronic voting system I’ve heard of so far.

You are mistaken about Bitcoin, for example, having large numbers of non-mining nodes. The number of so-called “validating” nodes is relatively small and fluctuates. In Bitcoin it is the relatively small number of mining nodes which have the most responsibility. Yet in 11 years of continuous operation no nation state or anyone else has been able to control the network or MORE IMPORTANTLY alter the contents of the blocks without detection. Even individuals with nothing more than a Bitcoin “wallet” can verify that their transactions were properly recorded and acted upon.

In the case of a US voting system this is critical where voting fraud—in all types of systems—perpetrated by poll officials (and other bad actors with electronic voting systems) is apparent and growing. In the case of a theoretical blockchain system an open source voting protocol controls how the vote is collected, recorded, stored and counted. In principle there is no reason some voting Blockchain shouldn’t be open text such that anyone can verify their own vote and the total vote count. Bad actor poll officials would no longer be able, in principle, to throw local election results domino-ing to national ones.

As near as I can tell, like Green and Adida, all the criticisms you have of some blockchain system are more seriously flawed with what we have now.

haigai September 5, 2020 12:27 PM

@Anthony Pagano

I think people are giving absolute or binary answers for this particular upcoming presidential election, partially because of the misinformation/disinformation. It’s important to give a clear unambiguous solution and rationale. In which case I would tend to agree with Bruce’s logic.

However, block chain voting certainly has potential in lesser important votes or decisions that require user input with some combination of authentication, security, integrity, trust, speed, etc. for your submission. When it may not matter as much regarding satisfying the strong voting requirements such as those in the presidential election.

Regarding your other points, I was just reading an article about China holding roughly 50% of the nodes and 65% of the total hash power. Here is the story I read. https://www.financemagnates.com/cryptocurrency/news/does-china-control-bitcoin-and-ethereum/

It says “Is centralization a legitimate security concern?

But how much should Bitcoin users be concerned about the fact that so much of the network’s hash power is being produced in just one country?

There are, of course, geographical and geopolitical concerns: after all, reports emerged earlier this month that Chinese authorities have been shutting down Bitcoin mining farms to contain the spread of the Coronavirus.

Beyond that, though, over-centralization can lead to “51% Attacks”–which is to say that if a single entity or a coordinated group of entities have control of more than half of the hash power on a blockchain, they can use that hash power to erase and rewrite transactions on a blockchain, which can effectively destroy a network.” However, that hasn’t happened yet.

Because the block chain resides in a relatively complex network of computer systems, there are many unknown potential attacks that could be discovered. What about a compromised computer system, which can steal your account info and lock you out of your wallet and therefore make decisions on your behalf? What about a DDoS attack on the blockchain, which could make many people miss a deadline to vote? What about a zero-day worm that can spread through the block chain via a protocol vulnerability? While bitcoin’s blockchain is the most mature, you couldn’t use that particular iteration for voting because the way it is designed requires fees for transactions and miners to generate coins from the hash calculations to operate. In a voting system there is no use for any of that. The bitcoin block chain was designed to run indefinitely, whereas in an election we just need the system to work until a winner is picked. Then we can turn it off.

Another issue regarding a possible attack is, I don’t believe you need to “take over” 51% of nodes, you just need to control 51%. The difference being, you can simply plug in several datacenters with hundreds of thousands of VMs to accomplish that feat. Obviously that would be a nation state attack.

Bitcoin is NOT anonymous and can be traced back to an individual, which doesn’t work for the requirement of anonymous votes, which is required against voter intimidation (at least in the US election system).

Finally, you mentioned all of the voter fraud we are having problems with. I’m not aware of a voter fraud problem. In the news the President and a few others have stated that they think there will be fraud in the upcoming election. However, these are baseless claims. It’s simply not possible to submit fraudulent votes in a quantity large enough to alter the election in a meaningful way. There are safeguards in place to mitigate that.

haigai September 5, 2020 1:20 PM

To clarify a few technical details. It turns out you don’t need to control 51% of nodes to perform that attack. It is 51% of the total hash power. If China wanted to, in theory, they could take bitcoin down, as they control more than that. Because of the way the blockchain allows miners and other systems to connect to the network freely, that is a huge vulnerability. In theory any country or corporation or cooperative entities that could muster 51% of the hash power can simultaneously join and hammer the blockchain with the attack, taking the network down (at least according to the article). It would be easy for some bad actor to interfere in that case.

You made the point a few times regarding verifying your vote was correct, relative to the US Presidential election and the blockchain system you propose to use. This is not compatible with current required regulations. The way the bitcoin blockchain is set up, yes you can verify your vote, but you can also verify everyone else’s votes too, which is the part that’s incompatible. If you know someone’s wallet number, you can see how much bitcoin is in it 24/7.

Anthony Pagano September 5, 2020 4:26 PM

@haigai re:To clarify a few technical points

If a nation state brought down the Bitcoin network it would be known immediately, in real time around the world. A few things the nation state could not do: (1) it could not obliterate the blockchain as it existed at the time of the take down because it is distributed worldwide and (2) for the same reason it could not alter the contents of existing blocks. This is a considerable strength ignored by Schneier, Adida and Green.

While anyone can search and read the plain text blockchain anyone may NOT—willy-nilly—connect to the Bitcoin network and make transactions. One may only connect to the Bitcoin network if one is running the accepted software. There are also protections in place to blacklist those nodes or wallets which are not behaving according to the protocol. With a blockchain system one does not have to trust poll workers, one need only trust an open source protocol locked in the code which is agnostic to partisan politics.

Under current voting systems we have no idea when bad actor partisan poll workers have altered votes, thrown them out or simply altered the count. Since these compromised polling places also count national election votes it is hardly beyond the possibility that a state electoral vote could be swayed. Having watched the activities of recounts reported in the press I am skeptical that recounts are any more reliable than the initial count. This is NOT a problem with the blockchain.

It was Schneier who cited Ben Adida’s and Matthew Green’s comments as support for his “blockchain adds nothing” opinion. Adida and Green offered two related criteria for any voting system: “enforced secrecy” and “individual verifiability.” Neither of these is practically possible under current voting systems. Blockchain voting systems where you must enter a polling place don’t offer “enforced secrecy” but they can offer “pseudonymity.” This is not so in most common voting locations where votes are stored serially. Blockchain votes do not have to be stored serially but each vote can be associated with a unique “public address” provided only to the voter at the time of the vote. As one possibility a voter might get a QR code in the voting booth upon voting to capture with a smart phone. In principle that voter—and only that voter—can verify his vote. There is no hope of that with current voting systems. With a plain text blockchain vote everyone can verify the overall vote.

Still think Schneier is correct when he opines that blockchain “adds nothing?”
