Ben Adida (@benadida): Voting, software, leadership, privsec, kids. Exec Dir @voting_works, board @creativecommons, tweets my own. Past: @Clever, @Square, @Mozilla, Harvard, MIT. Jul. 19, 2020. 3 min read.

1/ In light of the voting question that will never die -- "if I can do X online, why can't I vote online" -- I'm reminded that most people don't have a good intuition for what makes things secure. So let's explore.

Security online depends predominantly on logging and auditing.

2/ This probably sounds weird and surprising, but hear me out. And there are exceptions that I'll get to. But truly, security depends predominantly on logging and auditing.

3/ Consider the Twitter hack from earlier this week. We found out about it because the attackers tweeted a Bitcoin scam visible to everyone. Twitter is, by definition, a public audit log. Those messages looked odd. We all saw them. That's why we all knew: Twitter was hacked.

3.5/ What would have happened if Twitter attackers had only used their access to read DMs and then possibly switched credentials back to the original user? Would victims have detected it?

Twitter has extensive logs of user actions, so maybe, but it would have been much harder.

4/ How is online banking secured? If you get phished and someone takes your money, you'll figure it out the next time you log in, because your money will be gone. There's an audit log of all transactions. It never goes away. That's how the bank can make you whole.

5/ Consider the advanced security measures that Google takes to secure high-value accounts. A lot comes down to extensive logging & analysis of user behavior: do you usually log in from Russia at 3am Eastern and search your email for "bank accounts"? Seems fishy, lock it down.

6/ Don't get me wrong, there are important security measures like encrypted connections, two-factor authentication, hardware tokens, and more that are critical.

But all of these, given enough attacker motivation, can be subverted. For most users, it's sadly not that hard.

7/ At the end of the day, the final safety net of security is extensive logging and detection of badness, either proactive or reactive. The devious acts leave a trace. That trace can be detected and, oftentimes, reverted to make users whole, sometimes even prevented altogether.

8/ (OK, exception: end-to-end encryption & other advanced crypto. In those cases, say Signal messaging, the final security safety net is crazy math running on end-user devices. Super cool, but only useful in very specific use cases. Particularly useful for private messaging.)

9/ So when you want a mental model for online security in everyday activities, it's extensive logging and analysis of those logs that provide the real security.

Stop thinking of locked down Fort Knox and unbreakable encryption. Start thinking of tedious accounting & logging.

10/ OK, still with me?

So now, voting. Why is voting online so impossibly hard?

11/ Because, in voting, by definition, we have to throw away a lot of logs. We can't record who votes for whom. We need a secret ballot. You can't log back in later to check that your vote was recorded properly, or you might be able to sell your vote.

12/ So that means if an attacker *does* break in and change your vote, it's going to be very difficult to detect this, because, by design, you shouldn't be able to come back later and check how you voted, and no one else should ever know how you voted.

13/ The safety net of online security is *gone* in the case of voting. Because of the secret ballot. So you end up having to trust some third parties, notably the servers, and hope they never got hacked. That's a no-go for public office (it's probably fine for student council.)

14/ Now, you might ask: ok, so if we can't log & analyze, can we sprinkle some of that crypto magic as an alternative safety net?

And yes, in fact, you can. See @heliosvoting, Microsoft ElectionVault, and all of the prior work on e2e-verifiable voting.

15/ Unfortunately, where Signal messaging has been able to reduce end user work to a very small amount, no one has yet figured out the equivalent for voting. A lot of end users would need to do a lot of complex work to secure the cryptography and the vote. Not practical.

16/ And that's why Internet voting is the equivalent of landing on the Sun when all we've done is land on the Moon.

Because security depends on logging. And voting, by design, throws away the logs.

Correction: ummm, Microsoft Election*Guard*, not Vault.
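
The kind of log analysis tweet 5 describes, as an added example (not code from the thread's author or from any provider): it builds a per-user baseline of login country and local hour from a constructed log, asks for step-up verification on an unusual login, and locks the session only when a sensitive search follows. The log format, the watch-list and the 3-hour tolerance are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data): timestamp, user, event, detail.
LOG = """\
2020-07-13T09:05:00-04:00 alice login country=US
2020-07-13T09:07:00-04:00 alice search q=lunch menu
2020-07-15T10:20:00-04:00 alice login country=US
2020-07-15T10:22:00-04:00 alice search q=bank accounts
2020-07-16T03:02:00-04:00 alice login country=RU
2020-07-16T03:03:00-04:00 alice search q=bank accounts
"""

SENSITIVE = ("bank account", "password reset", "wire transfer")  # assumed watch-list
LINE = re.compile(r"(\S+) (\S+) (login|search) (?:country|q)=(.*)")

def hour_gap(h, seen):
    """Smallest circular distance in hours between h and any hour seen before."""
    return min(min(abs(h - s), 24 - abs(h - s)) for s in seen)

def analyze(log_text):
    """Return [(timestamp, user, action, reasons)] for events that need action."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set()})
    suspect = {}   # user -> reasons their current login looked unusual
    findings = []
    for line in log_text.splitlines():
        m = LINE.fullmatch(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        ts, user, event, detail = m.groups()
        prof = baseline[user]
        if event == "login":
            hour = datetime.fromisoformat(ts).hour  # hour in the logged offset
            reasons = []
            if prof["countries"] and detail not in prof["countries"]:
                reasons.append("new country " + detail)
            if prof["hours"] and hour_gap(hour, prof["hours"]) > 3:
                reasons.append(f"unusual hour {hour:02d}:00")
            if reasons:  # unusual login: step-up check, keep it out of the baseline
                suspect[user] = reasons
                findings.append((ts, user, "challenge", list(reasons)))
            else:        # normal login: clear suspicion and learn from it
                suspect.pop(user, None)
                prof["countries"].add(detail)
                prof["hours"].add(hour)
        elif user in suspect and any(t in detail.lower() for t in SENSITIVE):
            findings.append((ts, user, "lock", suspect[user] + ["sensitive search: " + detail]))
    return findings
```

The same "bank accounts" search on 07-15 produces no finding because it follows a login that matches the baseline; only the combination of signals triggers the lock.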
