A new report by NASEM, the US national academies of sciences, concludes that blockchain is not suitable for online voting, The Verge reports.

As a reminder, many new blockchain projects propose online voting via blockchain as a way to suppress fraudulent votes and to count votes better and more accurately. The immutability of the blockchain enables automatic tallying, and with it real-time results, as well as identity verification that goes beyond simply inspecting personal documents and thereby prevents votes cast in the name of the dead or of emigrants.

The gist of the 156-page report can be summed up as follows: malware on the devices people use to vote can change their choice before it is recorded on the blockchain, so the blockchain's advantage of immutability and security is lost.

Unfortunately, as is often the case with people who are not experts in their field, the conclusion is correct only because the premise is wrong. The claim that a Tesla Model S is a bad boat is true, but that is because it is not a boat but a car.

Voting on the blockchain cannot and must not work by having users vote on their own through some app. Instead, their identity and vote are verified on the blockchain, while the voting itself takes place under conditions or in an environment outside their direct control.

Voting at polling stations

When voting at a polling station, we replace the current, impractical and highly corrupt paper system with a blockchain system. Here is how to secure it.

Based on the voter's biometric data (a combination of iris and fingerprint, for example), a private root key is generated, from which other Ethereum addresses are derived. The biometric data is encrypted, so it is not visible, while the hash obtained from its combination remains unique and permanently verifiable far into the future.

The private key is used to generate a public crypto identity (an Ethereum address), against which individual attributes are recorded, such as the validity period of the identity card, emigration status, age and so on. On entering the polling station, the voter logs in with their biometric data and possibly an additional PIN or password. This triple security factor is sufficient and far stronger than the current one. Authentication enables pressing the button that corresponds to the vote the voter wants to cast, and the screen shows the selected vote as soon as it is confirmed on the blockchain network. Since this is a blockchain, it can also be read by secondary and tertiary applications for which the government is not responsible, so a voter can easily enter the polling station with a smartphone and their own installed application, which additionally allows checking that the right vote really went through.

For another layer of security, the voter can have, say, 6 hours to cancel or change the vote, which requires the same set of authentication mechanisms as casting the first vote: biometric vectors and a password. It is true that the blockchain is immutable, but it is immutable when it is decided that it is immutable. Smart contracts on Ethereum behave just like ordinary programs in which whoever has access can change the data, if the smart contract is written that way. Ethereum tokens themselves are mutable programs, otherwise we could not send them to one another. It is therefore trivial to build in safety mechanisms that allow votes to be revoked when irregularities are detected.

An additional advantage of this system is that the root key can be used to generate derived identities based on the main one, without the link between the derived addresses and the main Ethereum address being publicly visible. For example, look at how the Ledger Nano S works: when you connect it to wallet-reading software such as MyEtherWallet, it shows you infinitely many addresses based on a single key generated on the device. There is no way to link those addresses, and yet they are all yours and you can use all of them with one key.

Such derivation of single-use addresses based on biometric factors would also make it very easy to take part in various prize draws, surveys, TV votes, reviews in various applications and more, without revealing the person's identity until that becomes necessary. In other words, this system could transparently, efficiently and cheaply replace the entire system of identity cards, OIB numbers, driving licences and more.

Voting at home

Since it is unrealistic to expect “civilians” to use such voting methods at home, that undertaking would be a little more complicated. One option is a state-attested device for reading biometric data. Such a device, the size of a bank token, could be connected to a mobile phone or computer and send the voting transaction on the user's behalf after authentication. The only way to abuse such a system is by kidnapping and coerced voting on the spot, or by bribery, and those vulnerabilities are present in the current system too.

Conclusion

Fear of new technology is not productive for society. Voting on the blockchain is not only secure but also the ideal evolution of the voting system. There are not many scenarios in which blockchain is useful, but public affairs such as voting are certainly among them. For that, however, we need experts who deal with something more concrete than theorizing about fears.

3 COMMENTS

  1. This is a very complex problem, more complex than it seems at first glance.
    For blockchain solution:

    – there is an indisputable connection between a person and a vote even if it’s hard/almost impossible to reveal the starting and ending point. Even more so, because it remains publicly written forever. This is a big no-no in voting systems. You might argue that your handwriting style may also be analyzed in the future but this is significantly harder and less possible to legitimately carry out than collect/steal person => privateKey mapping someday and analyze historical votes on a supercomputer (anonymity is even one of the reasons that paper votes with any kind of identifiable stuff get rejected, images, text, anything other than a circle/X)

    – who does guarantee that devices do not intercept biometric data/private keys/whatever and send them to 3rd party or record somewhere? For sure, the people won’t vote by manually signing transactions with pen and paper? There must be some kind of software layer in between. Who does guarantee that user is even connected to the right blockchain network? Man in the middle, DNS hijacking, fake blockchain, just a simulation of the real interface, there is even a blockchain hack scenario that’s improbable but is a possibility. If you think the solution for any of this and more is a digital one, then ask the same security/privacy questions for that proposed digital solution… and down the rabbit hole you go (which is pretty much non-existent with simple cardboard box and papers and room with mostly unrelated supervisory people). Any kind of hack in regard of blockchain voting would probably easily fool 99% of the people in comparison with current system where pretty much anyone understands pen and paper (voters, counters, supervisors) and anyone can easily spot malicious activity.

    – I don’t see how blockchain solves the problem of dead people voting. Especially if it’s allowed to vote from “home devices”. Who guarantees that issuer of the devices won’t generate millions of fake vote accounts and start voting. You shouldn’t be able to verify that, because if you could, there would be no real anonymity, so any case where someone regulates and verifies the real person blockchain vote validity, falls into water. What I think is the biggest misconception in practicality of blockchain is that blockchain guarantees the data that is written there is not modified, but, it does not guarantee that the data is correct. Every blockchain interface with the real world (where the information comes from) opens a possibility for malicious activity. It’s more dangerous than current system because at the moment you have a bunch of voting centers, vote counts are revealed in the end and vote counter of that region can confirm the numbers, multiple people supervise voting, counting etc. You must control a bunch of people to make some kind of effect. In comparison to hacking a piece of software/network that may or may not require significant resources and greatly affect the voting.

    – I also don’t see real time results as a positive side, maybe I’m wrong, but I think this could greatly affect the voting in unpredictable ways

    Maybe I’m just not educated enough in the field and may be plain wrong, but these are just some of my thoughts and concerns at the moment, especially after watching this https://www.youtube.com/watch?v=w3_0x6oaDmI and reading a few similar articles.

    • Thanks for the feedback.

      1. This is not a problem. Your approach is looking at it from the wrong angle. There is no concrete data stored in the blockchain about the users, and every time an interaction with the blockchain is made, it’s made from a different address (sub-identity). I’m working on such a system. In a nutshell, there are ways to permanently obscure and verify identities without having to write them on the blockchain.

      2. It is easier to hack people in voting centers than blockchain because when working with the blockchain you work with a system verifiable by everyone and all third party apps. Just in case, though, this is why the 6 hour cooldown is in place. Once the transaction appears on the network and the user can verify it, it’s all safe. Prior, during and after every voting process the system can be checked automatically by third party NGO software for full transparency without relying on trust towards supervisors. In absolutely every way this is much safer than anything that has been suggested so far. There is no DNS to hijack, there is no fake blockchain to submit a TX to because then all the apps scanning the real one would immediately notice. There is no way to fool a decentralized system without fooling the entire world, and at that point you’re not fooling anyone because your truth effectively becomes the real truth.

      3. Blockchain identities can have timestamps which require periodic renewal / regeneration of the identity. A dead person’s voting ability will simply expire. The data cannot not be correct, because the identity is generated from a triple combination of biometric data and a password. You cannot get a dead person’s biometrics for a scan, and even if you do, you probably deserve the extra vote it gives you, just for effort. It would be much harder to generate a dead person’s identity – especially since their identity hash is already bound to the event “death” on the blockchain – than to fake papers or bribe counters.

      4. Everything affects voting in unpredictable ways. From presidential yogurt statements to wars across the world. I don’t think transparency towards the accurate number of votes would be a net negative.

      The problem with articles and videos like the one you linked to is that these people are not exactly experts in their field so they can’t apply solutions that they don’t know exist. There are people who have been dealing with these problems full time for years now, considering each and every edge case, and it is not only possible but preferred to any current system in existence. Anyway, enough talk – stay tuned for a PoC soon 🙂

      • Hey, thanks for the response. I’m still not totally convinced, mostly because I don’t understand the complete mechanics of the described processes. But, I’d love to see a PoC that would prove me wrong. It would also make debating easier, commenting and analyzing the concrete solution rather than covering the theoretical implementations and outcomes etc. Good luck with the project!
