Marcel Waldvogel

2024-05-26 13:05:01

🧑‍🏫 «eVoting: Rettung der Demokratie oder Todesstoss?»

Die Demokratie ist unter Beschuss, neuerdings auch durch Fake News, Trollfabriken und KI. «Vote éléctronique», so heisst die elektronische Abstimmung im Bundesjargon, ist angetreten, um die Demokratie zu retten. Am Mittwochabend geht Marcel Waldvogel der Frage nach, wie eVoting eigentlich funktioniert und welche Auswirkungen es auf unsere Gesellschaft haben könnte. Und wieso er glaubt, dass es trotz vieler technischer Sicherheitsmassnahmen eben doch unsicher ist.

Vortrag	VHS Stein am Rhein
Datum	Mittwoch, 29. Mai 2024
Beginn	19:30
Ort	Stein am Rhein
Saal	Jakob und Emma Windler-Saal (Bürgerasyl am Rathausplatz)
Kosten	Eintritt frei, Kollekte zu Handen VHS

Inhalt

Toggle

• Links
  
  • eVoting
    
    • Offizielle Informationen
    • Hintergrund/Kritik

    
    

  • IT-Sicherheit
    
    • Bedrohungen und Methoden der Angreifer
    • Schutz und Abhilfe

    
    

  • Betrug und Fake News
  • Vertrauen
  • Moderne Kryptographie

  
  

• Aktuelles zu IT-Sicherheit

Links

eVoting

Offizielle Informationen

• evoting-info.ch
  E-Voting-Informationsportal der Kantone.
• demo.evoting.ch
  Öffentliche Demoversion des Post/Scytl-eVoting-Systems.
• tg.evoting.ch
  Produktives eVoting-Portal des Kantons Thurgau.
• Vote électronique, Bundeskanzlei.
  Dossier mit Überblick über den Stand des eVoting-Versuchs in der Schweiz und den hier fehlenden Pro-Argumenten.
• E-Voting: Chronik, Kanton Zürich.
  Chronik von eVoting im Kanton Zürich, einem der frühen Player.

Hintergrund/Kritik

• Marcel Waldvogel: Stimmbeteiligung erhöhen ohne eVoting, DNIP, 2024-05-27.
  Die Grafiken und Hintergründe zur Stimmbeteiligung (und viele weitere Informationen, inkl. ein Fazit).
• Patrick Seemann: eVoting: No risk, have fun?, DNIP, 2023-09-04.
  Die Risikobeurteilung der Bundeskanzlei definiert viele Risiken einfach als eliminiert, als wirklich etwas am Risiko selbst zu ändern.
• Patrick Seemann: eVoting: Der Stimmbürger bleibt die Schwachstelle, DNIP, 2023-10-17.
  Die Verantwortung für eVoting-Stimmabgabe wird auf die Stimmbürger:Innen abgewälzt.
• Marcel Waldvogel: DEFCON Voting Village 23 Panel, 2024-02-12.
  Transkription der Vorträge des DEFCON Voting Village 23 Panels, welche die Probleme von eVoting erläutern — und wieso eShopping oder eBanking und eVoting nicht in denselben Topf geworfen werden dürfen.
• E-Voting, Digitale Gesellschaft.
  Dossier mit der Entwicklung in der Schweiz und Kritikpunkten.

IT-Sicherheit

Bedrohungen und Methoden der Angreifer

• Simpliccisimus: Putins Bären — Die gefährlichsten Hacker der Welt, ARD/SWR, 2024-02-26.
  Dokumentarfilm mit Einblick in die Aktivitäten von staatlichen Akteuren und den Hackerangriff 2015 auf den deutschen Bundestag. (Begleittext dazu beim WDR.)
• Marcel Waldvogel: xz oder: Wie die Open-Source-Community an Ostern die Welt gerettet hat, DNIP, 2024-04-02.
  Chronik eines von langer Hand vorbereiteten Angriffs. Und Lehren daraus.
• Marcel Waldvogel: Wer ist «Jia Tan»? Eine Spurensuche zur xz-Backdoor, DNIP, 2024-05-14.
  Motivation und Ziele von Angreifern.

Schutz und Abhilfe

• Marcel Waldvogel: Tracking, nein danke!, DNIP, 2023-12-20.
  Gefahren und Schutzmassnahmen für den eigenen Internet-Browser.
• Marcel Waldvogel: Was uns Ransomware zu Datenschutz und Datensicherheit lehrt, 2022-12-05.
  Einige Tipps für Individuen und KMUs, die auch gegen Cyberangriffe helfen. Sie taugen nur bedingt für Grossfirmen und exponierte Personen/Organisationen; diese brauchen spezifisches, erfahrenes Personal und auf sie zugeschnittene Lösungen.
• Kai Biermann und Linus Neumann: Hirne hacken: Hackback Edition , 37C3, 2023-12-28. (Bericht darüber bei Golem für Textbevorzuger)
  Erfahrungen und Überlegungen zur Verhandlung mit Ransomware-Erpressern.

Betrug und Fake News

• Marcel Waldvogel: Wie viel Swissness (und Bitcoin) steckt in SwissBitcoin ETF? Oder: Das 1×1 der Betrugserkennung, DNIP, 2024-04-24.
  Medienkompetenz: Wie erkenne ich Falschinformationen im Internet? Mit ganz vielen weiterführenden Links
• Adrienne Fichter: 20 Minuten-Fake-Website ist ein “Scam”- Und Google bleibt tatenlos, DNIP, 2023-11-27.
  Wie Betrüger Medien fälschen.
• Fake News? Nicht in der Schweizer Presse, Verband Schweizer Medien, undatiert.
  Journalistische Standards und wie man sie erkennt (und damit auch Fake News).
• Andrea Haefely und Thomas Angeli: Videos als Waffen — So erkennen Sie Fake News, Beobachter, 2023-10-12.
  Kurzüberblick mit Links zu Faktencheck-Plattformen.
• Alex Mahadevan: This newspaper doesn’t exist: How ChatGPT can launch fake news sites in minutes, 2023-02-03.
  Wie einfach das erstellen von ganzen gefakten „Online-Zeitungen“ ist.
• Isabelle Qian: 7 Months Inside an Online Scam Labor Camp, New York Times, 2023-12-17.
  Einblick in eine chinesische Betrugsfabrik.

Vertrauen

• Marcel Waldvogel: Marcel pendelt: «KI» und «Vertrauen», DNIP, 2023-12-11.
  Wieso Vertrauen in Organisationen (und damit KI) anders funktioniert als Vertrauen in Menschen.
• Patrick Seemann: Die Sache mit dem Vertrauen, DNIP, demnächst.
  Computern zu vertrauen ist schwierig bis unmöglich; anhand des klassischen Papers «Reflections on Trusting Trust»).

Moderne Kryptographie

• Marcel Waldvogel: Post Quantum and Homomorphic Encryption made easy, 2023-02-23.
  Eine allgemeinverständliche Erklärung anhand von Kinderrätseln, wie einige dieser quantensicheren Verschlüsselungsalgorithmen funktionieren.

Aktuelles zu IT-Sicherheit

• 

  Nextcloud: Automatischer Upload auf Android verstehen2025-06-05

  Ich hatte das Gefühl, dass der automatische Upload auf Android unzuverlässig sei, konnte das aber nicht richtig festmachen. Jetzt weiss ich wieso und was dabei hilft.

• 

  VÜPF: Staatliche Über­wachungs­fantasien im Realitätscheck2025-06-02

  Die Revision der «Verordnung über die Überwachung des Post- und Fernmeldeverkehrs» (VÜPF) schreckte die Schweiz spät auf. Am Wochenende publizierte die NZZ ein Streitgespräch zum VÜPF. Darin findet sich vor allem ein Absatz des VÜPF-Verschärfungs-Befürworters mit Aussagen, die nicht unwidersprochen bleiben können.

• 

  Phishing-Trend Schweizerdeutsch2025-06-01

  Spam und Phishingversuche auf Schweizerdeutsch scheinen beliebter zu werden. Wieso nutzen Spammer denn diese Nischensprache? Schauen wir in dieser kleinen Weiterbildung in Sachen Spam und Phishing zuerst hinter die Kulissen der Betrüger, um ihre Methoden kennenzulernen. Und danach – viel wichtiger – was wir tun können, um uns zu schützen.

• 

  Persönliche Daten für Facebook-KI2025-05-19

  Meta – Zuckerbergs Imperium hinter Facebook, WhatsApp, Instagram, Threads etc. – hat angekündigt, ab 27. Mai die persönlichen Daten seiner Nutzer:innen in Europa für KI-Training zu verwenden. Dazu gehören alle Beiträge (auch die zutiefst persönlichen), Bilder (auch die peinlichen) und Kommentare (auch die blöden Sprüche) auf Facebook und Instagram, die Interaktionen mit dem KI-Chatbot «Meta… Persönliche Daten für Facebook-KI weiterlesen

• 

  In den Klauen der Cloud2025-05-01

  Bert Hubert, niederländischer Internetpionier und Hansdampf-in-allen-Gassen, hat einen grossartigen Artikel geschrieben, in dem er die Verwirrung rund um «in die Cloud gehen» auflöst. Ich habe ihn für DNIP auf Deutsch übersetzt.

• 

  Können KI-Systeme Artikel klauen?2024-12-05

  Vor ein paar Wochen hat die NZZ einen Artikel veröffentlicht, in dem Petra Gössi das NZZ-Team erschreckte, weil via KI-Chatbot angeblich «beinahe der gesamte Inhalt des Artikels […] in der Antwort von Perplexity zu lesen» gewesen sei. Und nun könne «man gratis oder für eine Gebühr von etwa 20 Dollar pro Monat jede Zeitung auf… Können KI-Systeme Artikel klauen? weiterlesen

• 

  Was Prozessoren und die Frequenzwand mit der Cloud zu tun haben2024-10-12

  Seit bald 20 Jahren werden die CPU-Kerne für Computer nicht mehr schneller. Trotzdem werden neue Prozessoren verkauft. Und der Trend geht in die Cloud. Wie das zusammenhängt.

• 

  Facebook: Moderation für Geschäfts­interessen­maximierung, nicht für das Soziale im Netz2024-10-10

  Hatte mich nach wahrscheinlich mehr als einem Jahr mal wieder bei Facebook eingeloggt. Das erste, was mir entgegenkam: Offensichtlicher Spam, der mittels falscher Botschaften auf Klicks abzielte. Aber beim Versuch, einen wahrheitsgemässen Bericht über ein EuGH-Urteil gegen Facebook zu posten, wurde dieser unter dem Vorwand, ich würde Spam verbreiten, gelöscht. Was ist passiert?

• 

  Was verraten KI-Chatbots?2024-09-27

  «Täderlät» die KI? Vor ein paar Wochen fragte mich jemand besorgt, ob man denn gar nichts in Chatbot-Fenster eingeben könne, was man nicht auch öffentlich teilen würde. Während der Erklärung fiel mir auf, dass ganz viele Leute ganz wenig Ahnung haben, wie die Datenflüsse bei KI-Chatbots wie ChatGPT etc. eigentlich ablaufen. Deshalb habe ich für… Was verraten KI-Chatbots? weiterlesen

• 

  Sicherheit versteckt sich gerne2024-09-13

  Wieso sieht man einer Firma nicht von aussen an, wie gut ihre IT-Sicherheit ist? Einige Überlegungen aus Erfahrung.

• 

  Chatkontrolle: Schöner als Fiktion2024-09-12

  Wir kennen «1984» nicht, weil es eine technische, objektive Abhandlung war. Wir erinnern uns, weil es eine packende, düstere, verstörende Erzählung ist.

• 

  Chatkontrolle, die Schweiz und unsere Freiheit2024-09-10

  In der EU wird seit vergangenem Mittwoch wieder über die sogenannte «Chatkontrolle» verhandelt. Worum geht es da? Und welche Auswirkungen hat das auf die Schweiz?

#Demokratie #eVoting #InformatikUndGesellschaft #ITSicherheit #SteinAmRhein #Voteéléctronique

Marcel pendelt: «KI» und «Vertrauen» - Das Netz ist politisch

Vor einigen Wochen hat Bruce Schneier einen Vortrag gehalten, bei dem er vor der der Vermischung und Fehlinterpretation des Begriffs «Vertrauen» gewarnt hat,

^{Marcel Waldvogel (avongunten)}

Marcel Waldvogel

2023-07-09 20:22:01

How to block AI crawlers with robots.txt

If you wanted your web page excluded from being crawled or indexed by search engines and other robots, [url=https://www.rfc-editor.org/rfc/rfc9309.html]robots.txt[/url] was your tool of choice, with some additional stuff like <meta name="robots" value="noindex" /> or [url=https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/rel#nofollow]<a href="…" rel="nofollow">[/url] sprinkled in.

It is getting more complicated with AI crawlers. Let’s have a look.

Table of Contents

Toggle

• Traditional functions
• New challenges
  
  • Changes over time
  • Commercialization

  
  

• AI crawlers
• Control comparison
• Example robots.txt
• Poisoning [Added 2023-11-04]
• References

Traditional functions

• One of the first goals of robots.txt was to prevent web crawlers from hogging the bandwidth and compute power of a web site. Especially if the site contained dynamically generated context, possibly infinite.
• Another important goal was to prevent pages or their content from being found using search engines. There, the above-mentioned <meta> and [url=https://developer.mozilla.org/en-US/docs/Web/HTML/Attributes/rel#nofollow]<a rel>[/url] tags came in handy as well.
• A non-goal was to use it for access control, even though it was frequently misunderstood to be useful for that purpose.

New challenges

Changes over time

The original controls focused on services which would re-inspect the robots.txt file and the web page on a regular basis and update it accordingly.

Therefore, it didn’t work well for archive sites: Should they delete old contents on policy changes or keep them archived? This is even more true for AI training material, as deleting training material from existing models is very costly.

Commercialization

Even in the pre-AI age, some sites desired a means to prevent commercial services from monetizing their content. However, both the number of such services and their opponents were small.

With the advent of AI scraping, the problem became more prominent, resulting e.g. in changes in the EU copyright law, allowing web site owners to specify whether they want their site crawled for text and data mining.

As a result, the the Text and Data Mining Reservation Protocol Community Group of the World Wide Web Consortium proposed a protocol to allow fine-grained indication of which content on a web site was free to crawl and which parts would require (financial or other) agreements. The proposal includes options for a global policy document or returning headers (or <meta> tags) with each response.

Also, Google started their competing initiative to augment robots.txt a few days ago.

None of these new features are implemented yet, neither in a web servers or CMS, nor by crawlers. So we need workarounds.

[Added 2023-08-31] Another upcoming “standard” is [url=https://site.spawning.ai/spawning-ai-txt]ai.txt[/url], modeled after robots.txt. It distinguishes among media types and tries to fulfill the EU TDM directive. In a web search today, I did not find crawler support for it, either.

[Added 2023-10-06] Yet another hopeful “standard” is the “NoAI, NoImageAI” meta-tag proposal. Probably ignored by crawlers as well for now.

AI crawlers

Unfortunately, the robots.txt database stopped receiving updates around 2011. So, here is an attempt at keeping a list of robots related to AI crawling.

Organization	Bot	Notes
Common Crawl	CCbot	Used for many purposes.
OpenAI GPT	OpenAI	Commonly listed as their crawler. However, I could not find any documentation on their site and no instances in my server logs.
	GPTBot	The crawler used for further refinement. [Added 2023-08-09]
	ChatGPT-User	Used by their plugins.
Google Bard	Google-Extended	No separate crawl for Bard. But normal GoogleBot checks for robots.txt rules listing Google-Extended (currently only documented in English). [Added 2023-09-30]
Meta AI	—	No information for LLaMA.
Meta	FacebookBot	To “improve language models for our speech recognition technology” (relationship to LlaMa unclear). [Added 2023-09-30]
Webz.io	OmgiliBot	Used for several purposes, apparently also selling crawled data to LLM companies. [Added 2023-09-30]
Anthropic	anthropic-ai	Seen active in the wild, behavior (and whether it respects robots.txt) unclear [Added 2023-12-31, unconfirmed]
Cohere	cohere-ai	Seen active in the wild, behavior (and whether it respects robots.txt) unclear [Added 2023-12-31, unconfirmed]

Please let me know when additional information becomes available.

An unknown entity calling itself “Bit Flip LLC” (no other identifying information found anywhere), is maintaining an interactive list at DarkVisitors.com. Looks good, but leaves a bad taste. Use at your own judgment. [Added 2024-04-14]

Control comparison

Search engines and social networks support quite a bit of control over what is indexed and how it is used/presented.

• Prevent crawling by robots.txt, HTML tags, and paywalls.
• Define preview information by HTML tags, Open Graph, Twitter Cards, …
• Define preview presentation using oEmbed.

For use of AI context, most of this is lacking and “move fast and break things” is still the motto. Giving users fine-grained control over how their content is used would help with the discussions.

Even though the users in the end might decide they actually do want to have (most or all) of their context indexed for AI and other text processing…

Example robots.txt

[Added 2023-09-30] Here is a possible /robots.txt file for your web site, with comments on when to enable:
# Used for many other (non-commercial) purposes as wellUser-agent: CCBotDisallow: /# For new training onlyUser-agent: GPTBotDisallow: /# Not for training, only for user requests User-agent: ChatGPT-UserDisallow: /# Marker for disabling Bard and Vertex AIUser-agent: Google-ExtendedDisallow: /# Speech synthesis only?User-agent: FacebookBotDisallow: /# Multi-purpose, commercial uses; including LLMsUser-agent: OmgilibotDisallow: /

Poisoning [Added 2023-11-04]

A different, more aggressive approach, is to start «poisoning» the AI models; something currently only supported for images. The basic idea is to use adversary images, that will be misclassified when ingested into the AI training and will therefore try and disrupt the training data and the resulting model.

It works by subtly changing the image, imperceptible to the human. The result is, however, that e.g. a cat is misclassified as a dog, when training. If enough bad training data is ingested into the model, part or all of the wrongly trained features will be used. In our case, asking the AI image generator to produce a dog may result in the generated dog to look more like a cat.

The “Nightshade” tool that is supposed to be released soon, which has this capability, is an extension of the current “Glaze” tool, which only results in image style misclassification.
AI Poisoning example from the Glaze team via Ars Technica
Judge for yourself whether this disruptive and potentially damaging approach aligns with your ethical values before using it.

References

• Neil Clarke: Block the Bots that Feed “AI” Models by Scraping Your Web Site, 2023-08-23. [Added 2023-09-30]
• Benj Edwards: University of Chicago researchers seek to “poison” AI art generators with Nightshade, 2023-10-25, Ars Technica. [Added 2023-11-04]
• The Glaze Team: What is Glaze?, 2023. [Added 2023-11-04]
• Didier J. Mary: Blocquer les AI bots, 2023. [Added 2023-12-31]
• Richard Fletcher: How many news websites block AI crawlers?, Reuters Institute, 2024-02-22. [Added 2024-09-27]

#Privacy #AI

AI bots (OpenAI ChatGPT et al) - comment les bloquer - Didier J. MARY (blog)

Bloquer les AI bots (OpenAI ChatGPT et al - màj) - Pour ceux qui souhaitent protéger le contenu de leur site Web ou blog, des AI bots

^{Didier J. MARY (Didier J. MARY (blog))}

Marcel Waldvogel

2022-12-01 06:29:25

Reproducible AI Image Generation: Experiment Follow-Up

Inspired by an NZZ Folio article on AI text and image generation using DALL•E 2, I tried to reproduce the (German) prompts. The results: Nouns were pretty well understood, but whether other parts—such as verbs or prepositions—had an effect on the image was akin to throwing dice. Someone suggested that English prompts would work better. Here is the comparison.

Table of Contents

Toggle

• The original goal
• Railway station
• Intelligence
• Antique fun
• Neural network
• Culture clash
• Nile conflict
• Sneakernet
• The artist
• Crown jewels
• Stained-glass windows
• Bonus track: Scary doors
• Lessons learned
• “AI psychology”
• DIY
• Understanding AI

The original goal

Einen verwandten Artikel (eigentlich sein Vorgänger) gibt es auf Deutsch 🇩🇪: «Reproduzierbare KI: Ein Selbstversuch». Darüber findet man auch mehr Informationen zu KI.

The goal of the original self-experimentation was to determine how easy it was for a prompt designer to

1. find the right prompt, and
2. wait until a matching image appears.

By trying to reproduce the original prompts, an estimate on #2 was possible. (My guess: Several of the images required multiple or even many attempts.)

Trying to switch languages can help give a hint on part of question #1: Whether switching language simplifies finding the right prompt.

“Haustür mit Krokodil” (“front door with crocodile”) according to MidJourney. The “Krok” neon lighting is the only reference to the prompt I could find.

A side lesson from the experiments in German: Current generative AI have no possibility to report, “Huh?”. They just do their best. And if, as in this image, MidJourney does not understand the German prompt at all (“Haustür mit Krokodil”, i.e., “front door with crocodile”) it just creates anything. (For artistic image generation, this may be acceptable behavior. But not in many other scenarios where we use AI, now or in the future.)

When looking at the images here, you may want to have the original German article side-by-side for direct comparison.

Railway station

«A robot reading a newspaper outside in a Swiss city while waiting for the train. Large-size photography, Jeff Wall style. Very detailed. Very high resolution. Linhof Master Technika Classic. Hasselblad. 80 mm.»
After generating the first four images, I found the railway stations to be much more “Swiss” than those created from the German prompt. The houses, the hedges, the walls, the streets: Clearly Swiss; those created from the German prompt, on the other hand, looked much more generic and could be in many other (European) countries instead.

I only noticed the lack of Swissness in comparison to these stunning images. So I wanted to be sure and made two additional sets with identical prompts (DALL•E 2 always creates a set of four independent images for each prompt). If you look closely, you can find some non-Swiss items here, such as the clock in image 6 or the pole in image 7.

To make sure that the originally chosen perspective for the German prompts was not the reason for lack of Swissness, I created another set with the original German prompt:
«Ein Roboter liest draussen in einer Schweizer Stadt eine Zeitung, während er auf den Zug wartet. Grossformatige Fotografie im Stil von Jeff Wall. Sehr detailliert. Sehr hohe Auflösung. Linhof Master Technika Classic. Hasselblad. 80 mm.»
Several of the newly generated German-prompt images were much more Swiss: I found number 3 to be particularly Swiss with the overhead line gantry. The ticket vending machine(?) in the first image, however, is a weird combination of equipment, some of them reminding of actual Swiss vending machines (such as the top cover).

Conclusion: The original German results showed a lack of Swissness, but it may be partly due to the selection of angles. The new German results seem somewhat more Swiss, but the English prompts feel delightfully home.

Result: English wins.

Intelligence

«Intelligence. Magazine illustration.»
Discussion: Even though “Intelligence” could mean multiple things, the images clearly refer to the meaning of brain power. All four fit the description, in my opinion.

Result: English is a clear winner here.

Antique fun

«A Greek statue, stumbling over a cat.»

Discussion: Cats and statues clearly visible in all cases, three could be considered stumbling, two of them over the cat. (The “stumbling” part was clearly absent throughout the German original.)

Result: English again significantly better.

Neural network

«Neural Network.»
Discussion: While none of these actually represent a neural network, I could imagine each of them being used as a teaser image for an article on the topic (even though the eyes in 2 and 4 are not parallel). Maybe they were actually taught from such teaser images… (The German originals were depicting neurons.)

Result: English is the clear winner here.

Culture clash

«A robot, reading a book, in an Indian street. Style: National Geographic.»
Discussion: All pass. (The German results only contained robots in two out of four images.)

Result: Go, English, go!

Nile conflict

«An ancient Egyptian painting, depicting a fight over whose turn it is to take out the trash.»
The first four images were accidentally created using a typo in the prompt: “Egyptioan”, so the set was redone without the typo.

Conclusion: The typo did not seem to make a difference. So probably typos which humans would ignore have little or no effect. All images seem to show some form of dispute in ancient Egyptian style, but none about trash. (Some German originals seemed to include trash cans; and I prefer the colored images there.)

Result: For once, I think German has had an advantage.

Sneakernet

«A modern sneaker made of clouds.»
Description: The first two images use clouds for part of the shoe, for the third it’s decoration, and for the last, it reminds me of a little child hitting on its banana-flavored ice cream until it looks like a cauliflower. I find the German originals much more impressive, if slightly less accurate.

Result: Let’s call that one a tie.

The artist

«A robot at Paul Klee's typewriter.»«A robot at a typewriter by Paul Klee»
This prompt’s translation is ambiguous, depending on how you would analyze the sentence: “Ein Roboter an der (Schreibmaschine von Paul Klee)” (parenthesis added for grouping) would be “A robot at Paul Klee’s typewriter”, as I had always imagined the sentence’s meaning. However, “A robot at a typewriter by Paul Klee”, derived from “(Ein Roboter an der Schreibmaschine) von Paul Klee”, might be the original prompt’s actual intention. So, your choice, both are here.

Description: The first prompt clearly and reliably matches the “robot at a typewriter” part, even the “at”, which was all but ignored in the German original. However, the second prompt looks much more artistic, more homogeneous in style within each image. The German original was more “original”, independent, more what a real artist would do given the prompt.

Result: Even if we give the German interpretation extra points for “free thinking”, the English versions would be much more likely to hang in a museum or a residence.

Crown jewels

«The Royal Skateboard of England, exhibited between the Crown Jewels in the Tower of London.»
I had been using the German originals as showcases for how the AI can “imagine” fictitious scenes no one has ever seen, because all it ever does is creating fictitious things. (Assigning human traits and concepts to AI, is wrong. So I shouldn’t have written “imagine” in the first place. But the flesh is weak…)

However, I was disappointed with the first set of “royal skateboards”: Not really royal, and all depicted from the underside, some with impossible mechanics. So I gave it two more chances with the same prompt.

Description: The “exhibition” part feels slightly more pronounced in comparison to the German original. However, the German output is definitely much more “royal skateboard” than the vast majority of the above.

Result: This point is clearly a win for German.

Stained-glass windows

«A robot reading a book, as a stained-glass window.»
Description: In the German original, the “as a” part was causing confusion. In English, we have a perfect score, even with a second set.

Results: English wins hands down. Forget German here, it was not even qualified for the finals.

Bonus track: Scary doors

«Front door with crocodile» (second row without the “front”)
As I have been using “Haustür mit Krokodil” (“(front) door with crocodile”) as a simple test whether AIs do understand German, here is what DALL•E 2 does with the English version.

“Crocodile” seems to add green color and crocodile texture to the images, even to (parts of) the door.

If you look closely at image number 2, you will see that the gray thing at the lower left is debris(?), even though it looks like a crocodile at first glance. Maybe the prompt was misunderstood as “croco-tile”… 😉

Lessons learned

As a word of warning, the number of images generated for this impromptu “study” is way too small to be able to come to solid conclusions. So take any of these conclusions with plenty of skepticism.

The German text concluded:

Nouns are fulfilled, everything else is pure luck. The images rarely matched the description, but all were beautiful.

Marcel Waldvogel (in: “Reproduzierbare KI: Ein Selbstversuch“, paraphrased)

For English, nouns rendering remains very good. In addition, the relationship between the items is often more accurately reflected (with exceptions). This is especially prominent with stained glass.

“AI psychology”

Some early assumptions on “AI psychology”:

1. What we already “know” is that today’s generative AIs are unable to tell the user that they did not understand the instructions. Instead, they will just spin a tale. This tale may be self-consistent, but may bear little or no relationship to the original prompt.
2. We “know” that too little training data will make it hard for the AI to create a meaningful scene. This is presumably the reason for “stained glass” failing in German while getting a perfect score in English; but also in the “stumbling” being rendered inaccurately or not at all.
3. However, the English skateboard coming in unusual poses “might” (a lot of speculation here!) be case of too much available data, including in unusual poses. And if you ask for something unusual, these poses might be more likely to be chosen. (But it could also just be an artifact of the small sample size used here.)
4. A pattern I felt emerge: Making the sentence hard to understand will provide the AI with more leeway for interpretation. So, sentences it does not understand (the MidJourney “crocodile” example) or it understands less well (the German “Paul Klee” examples?) will result in images with more “artistic freedom”. This can be an advantage, if you can free yourself from trying to convince the AI to reach your pre-set goal.

You may know the following expression:

What’s worse than a tool that doesn’t work? One that does work, nearly perfectly, except when it fails in unpredictable and subtle ways.

Cory Doctorow on AI

However, if all you plan to do is create something for the beauty of it, and are willing to spend some time in weeding out what you do not consider nice enough, AI image generation is a great (and enjoyable) helper. Or time-waster… Anyway: Enjoy these images, and the ones you might create.

DIY

Did I whet your mouth? Here are some tools you might want to try:

• DALL•E 2, used here: Requires an account (email address+mobile number); free when used infrequently. Provides additional features.
• Craiyon, using its “predecessor” DALL•E mini: Free, low resolution, no login necessary. Ideal for learning the ropes.
• Stable Diffusion (Huggingface): „Stable Diffusion“ uses different mechanics behind the scenes. Free, low resolution, no login necessary; “pro” version available without these limits.
• Stable Diffusion (Replicate): Another Stable Diffusion model, with plenty of knobs to turn. Free, low resolution, no login necessary; “pro” version available without these limits.
• MidJourney: Different concept, different UI: Send messages in a Discord group chat. The AI will answer in the group chat, giving you options to refine the images further.

Understanding AI

• 

  The year in review2023-12-23

  This is the time to catch up on what you missed during the year. For some, it is meeting the family. For others, doing snowsports. For even others, it is cuddling up and reading. This is an article for the latter.

• 

  How to block AI crawlers with robots.txt2023-07-09

  If you wanted your web page excluded from being crawled or indexed by search engines and other robots, robots.txt was your tool of choice, with some additional stuff like <meta name=”robots” value=”noindex” /> or <a href=”…” rel=”nofollow”> sprinkled in. It is getting more complicated with AI crawlers. Let’s have a look.

• 

  «Right to be Forgotten» void with AI?2023-03-02

  In a recent discussion, it became apparent that «unlearning» is not something machine learning models can easily do. So what does this mean to laws like the EU «Right to be Forgotten»?

• 

  How does ChatGPT work, actually?2023-01-30

  ChatGPT is arguably the most powerful artificial intelligence language model currently available. We take a behind-the-scenes look at how the “large language model” GPT-3 and ChatGPT, which is based on it, work.

• 

  Identifying AI art2023-01-24

  AI art is on the rise, both in terms of quality and quantity. It (unfortunately) lies in human nature to market some of that as genuine art. Here are some signs that can help identifying AI art.

• 

  Reproducible AI Image Generation: Experiment Follow-Up2022-12-01

  Inspired by an NZZ Folio article on AI text and image generation using DALL•E 2, I tried to reproduce the (German) prompts. Someone suggested that English prompts would work better. Here is the comparison.

#2 #1

Stable Diffusion 2-1 - a Hugging Face Space by stabilityai

User provides a prompt and negative prompt description; the application generates images based on the text. Users can also adjust the guidance scale to influence the quality.

^{huggingface.co}

Marcel Waldvogel

2023-02-23 14:32:13

Post Quantum and Homomorphic Encryption made easy

Major challenges in computer and information security are the advent of quantum computers and the need to trust your data to (cloud) service providers. New cryptography is supposed to help, but they look daunting. At their core, however, they are just children’s riddles. An introduction to Lattice cryptography and Learning With Errors.

Two big challenges are faced by information security:

1. Cryptographers are afraid that quantum computers may be able to break existing public-key cryptography easily, a few years from now. As public-key cryptography is at the heart of almost every information security mechanism, something needs to be done. And for secrets which should remain secret for many years or decades, we need solutions now. These solutions are called Quantum-safe or Post-Quantum cryptosystems.
2. Cloud computing, smart cards and the Internet of Things have a common problem: You may need to process data on platforms which are in the hands of someone else. Trust in those devices and their owners or operators is necessary, but there is no way to test whether they are violating your trust. It would be great if sensitive data would not need to be processed on these systems, if instead, they could operate on encrypted versions of the data. This is the promise behind (Fully) Homomorphic Encryption: Performing mathematical operations on the encrypted data, with the results remaining encrypted; essentially, the holy grail for trustworthy computing.

When trying to learn about Quantum-resistant cryptography or Homomorphic Encryption, the terms Lattice-based Cryptography and Learning With Errors quickly pop up. However, the descriptions I was able to found on the Internet try to discourage any normal reader from understanding it: As presented by those in the know, the math looks scary and complex; achieving magic looks trivial by comparison.

However, at their core, they are just coordinate systems and children’s riddles.

So, let me give you an intuition into how they work, explained even for those who hate math. And conclude with what that means.

Table of Contents

Toggle

• Lattices are fancy coordinate systems
  
  • Twisting the vectors
  • Not all points are valid
  • More dimensions
  • Lattice-based cryptography

  
  

• Learning with Errors
  
  • As a riddle (without errors)
  • Properties of linear equation systems
  • For cryptography (with errors)
  • A riddle with turtles
  • Learning-with-errors based public-key cryptography

  
  

• Cryptographic applications
  
  • Key and message sizes
  • Quantum-resistant cryptography
  • Homomorphic encryption

  
  

• Conclusion
• Acknowledgments

Lattices are fancy coordinate systems

You know coordinate systems from blueprints, maps, you name it. They are easy:

1. The coordinate axes are orthogonal to each other (and parallel to the edges of the sheet or screen)
2. The measurement system (or spacing) along the coordinate axes is the same (e.g., x coordinate 1 is at the same distance from the origin than y coordinate 1, just in a different direction)
3. The coordinate systems are linear (i.e., the distance from 0 to 1 is the same as from 3 to 4)

Left: A “normal” two-dimensional coordinate system with orthogonal, linear and proportional axes, labeled X and Y, as almost any coordinate system we will deal with in real life. Adding two vectors (arrows) of length 1 aligned to the axes, A and B, allows us to follow a series of these arrows to the destination.
Right: For example, to get to the point indicated by the middle red arrow, at X coordinate 2 and Y coordinate 1, we follow twice the step indicated by arrow A (dark blue) and once the step indicated by arrow B (cyan). In math terms, the distance between the origin and the point at (2, 1) is 2*A+1*B.
This all seems natural, because we are used to it and they are made to be easy on us. The lattices used for encryption will just add a few twists to them, which we will introduce.

Twisting the vectors

That was easy. You may even have wondered why we talk about that at all. So let’s look at slightly different vectors A and B:
Left: Our vector A is no longer aligned to the X axis.
Right: But we still can reach any integer coordinate (marked by the green dots) using an integer multiple of A and B vectors. The same point at coordinate (2, 1) can now be reached by following twice along the distance and direction of A and then following once in the reverse direction of B. In math terms, that point is at 2*A–1*B.
The new coordinate system is a slight nuisance, but still easy to handle. (In fact, using a simple formula, any (x, y) coordinate pair can be easily transformed into the number of A’s and B’s to add.)

In the same spirit, let’s continue twisting the vectors further:
Left: The vectors are now almost aligned.
Right: We can still address our three points (and in fact, any integer coordinate pair) using a weighted sum of our two basis vectors, A and B. For example, the point at (–2, –2) can be reached by first following A once forward, the twice B backward, then again once A forward, resulting in 2*A–2*B. (The A-B-B-A order in the figure is just to keep the intermediaries inside the drawing; they can be arbitrarily reordered.) This point is easily reachable, the point at (2, 1) which we reached using three steps each in the previous examples, would now require a stunning 17 steps.
With these two almost-aligned basis vectors, it becomes hard to determine the number of A and B steps to take. Some might be reminded of the complexity to move to a given location with a knight on a chess board.

Not all points are valid

In the previous section, all integer coordinates were reachable, because the vector pairs were carefully selected to enable this. Choosing vectors randomly would rarely result in this property. For example, after a slight variation of the second set of vectors above, only every second point is reachable, checkerboard-style.
After doubling the length of B (left) or turning B as well (right), every other point in the coordinate systems becomes unreachable. As hard as you try, you will never get to any of the hollow points. (The right-hand image might remind you of the reachable squares of the black bishop in chess.)
By choosing longer vector lengths, you will generally create even sparser lattices. (This is a general rule. Let’s gloss over how to guarantee a certain sparseness; but it involves things like the relationships between the prime factors of the vectors’ coordinates.)

More dimensions

So what happens when we make these vectors more complicated, both in their sheer number (and thus, also their number of dimensions) and their length? It becomes even harder.

Humans can easily deal with two, sometimes three dimensions. Switching to dozens or even hundreds of dimensions and having longer vectors makes it very hard to determine:

1. which coordinates are reachable at all,
2. how this coordinate can be reached, and, especially,
3. if this coordinate is unreachable, what is the closest reachable point.

The latter property is known as the closest vector problem and is at the heart of Lattice-based cryptography.

Lattice-based cryptography

The closest vector problem is hard to solve for a complex set of basis vectors. However, if you have a simple set of basis vectors, as we started off in the first few examples, it becomes easy to solve. Having such a pair of complex and simple problems is at the heart of public-key cryptography.

So in essence, Lattice-based public-key cryptography works as follows:

1. Alice creates a set of simple basis vectors in a high-dimensional space, which does not cover all of the space (think of a checkerboard with most squares white; black ones only few and far between, with no visible pattern to their placement). This is her private key, in which the closest vector problem is easy to solve.
2. Alice also creates a second set of basis vectors, each vector built by weighted addition of many of her simple vectors. This is her public key, where it is still easy to create a valid point, but it is hard to determine whether a given point is valid or not (and where it is also hard to solve the closest vector problem).
3. Alice publishes her public key and keeps her private key private (just as with any other public-key cryptosystem).
4. Bob, wishing to encrypt a message to Alice, uses her public vectors to encode the message. For example, he could use the first byte of the message to multiply the first public basis vector with, the second byte for the second vector, and so on. Summing up all vectors will lead to a valid lattice point.
5. Bob then slightly and randomly moves that encrypted data point, such that it is off-lattice now.
6. He then sends that message to Alice.
7. Any eavesdropper will only know the public, complicated, basis vectors and will be unable to solve the closest vector problem.
8. However, Alice, with access to the private key, can solve the closest vector problem easily and therefore reverse-engineer (1) the actual data point and (2) what factors Bob used to multiply the basis vectors with, and thus the bytes of the message.

(In case you wonder: As is common in cryptography, these operations are all done in modular arithmetic.)

Learning with Errors

As a riddle (without errors)

A mother has two children. The girl is twice the age of the boy. Together, they have are 18 years old. How old are the children?

Simple children’s riddle, which can be solved using linear equations.

The riddle can be solved by trial and error, or using a set of linear equations, where B is the age of the boy and G is the age of the girl:

2*B – G = 0
B + G = 18

After solving this linear system for B and G, we get G=12 and B=6. Here, we learned the age of the children without errors.

Properties of linear equation systems

That was easy. In general, linear equations are easy: With enough equations, they can be solved in a well-defined, straightforward manner, even if you increase the number of variables into the millions or billions.

“Enough equations” generally means that the number of equations need to be at least equal to the variables. (Equations that can be formed by weighted addition of other equations don’t count—i.e., those that are linear dependent on others—as they do not add new information.)

More information may not necessarily be better: If a third equation, “3*B + G = 100”, were to be added, this equation would conflict with the other two, as 3*12 + 6 = 42, which obviously does not equal 100. However, each of the three pairs would have a valid solution. In this case, they would be vastly different from each other.

For cryptography (with errors)

With these conflicts, we are on the right track toward a cryptographic puzzle. The basic idea behind learning with errors is as follows:

• Have a set of linear equations
• Increase the number of variables to be huge (into the many thousands or even millions)
• Add more valid equations, significantly beyond the number of variables. (They will automatically be linear combinations of the initial set, not adding additional information.)
• And now the magic part: Slightly jiggle the constants

A riddle with turtles

A mother turtle has two children. The girl is twice the age of the boy. Together, they are 180 years old. How old are the children?

Slightly more complicated children’s riddle, which can still be solved using linear equations (or, guessing)

The ages are ten times those of the human children, but otherwise things stay the same. We also add a third equation which agrees with the other two equations. (It automatically is a linear combination of the first two. In this case, twice the first equation plus seven times the second equation equals three times the third equation.)

However, now we slightly change the right-hand sides of the equation, adding or subtracting a small number:

All of the equations now still almost match the girl and boy ages of 120 and 60 years, respectively, but no pair of equations matches the exact numbers or even just the third equation. Picking any pair of equations, however, gives a good estimate of the real result. With these approximations, you can perform further calculations and, as long as we are careful, the results will be close to the correct results as well. But we will never know the exact numbers. (And rounding to the nearest multiple of ten only works in this toy example.)

Learning-with-errors based public-key cryptography

To build a public-key cryptosystem, the correct values of the variables can be used as the private key and the jiggled equations as the public key. Same as in the Lattice above, the cryptographic operations are done in modular arithmetic.
The lower equation a linear combination of the equations above.
In this case, the sum of 5 times the first, 3 times the second, and (–1) times the third equation.

1. Alice chooses a modulus and creates private and public keys; she publishes the public keys and the modulus (let’s assume it to be M=89).
2. For each encrypted bit that Bob wants to send to Alice, Bob creates a new, unique equation as a random, non-trivial linear combination of a subset of the equations forming the public key. (For example, the lowest equation in the image above.)
3. To communicate a bit with a value of zero, Bob transmits this base equation as-is (of course, modulo M, so the the 131 would turn into 131 mod 89=42).
4. To communicate a bit with a value of one, Bob transmits base equation modified by adding roughly half the modulus, again modulo M (half of M would be roughly 44, so 42+44=86 would be transmitted as the right-hand side of the equation).
5. When receiving an equation, Alice can easily compute the correct value for the right-hand side of the equation from the left-hand-side coefficients (5 and –8, in the case of the linear combination created above). The correct result here would be 120 (=5*120–8*60); modulo M that would be 31.
6. When the difference between the transmitted and the correct value is small (in this case, 42–31=11), the equation is decrypted into a bit valued 0; if the difference is high (close to ½M), the equation is decrypted into a bit valued 1.
7. Given the right parameters, this decryption is easy for Alice and impossibly hard for anyone else; exactly how we want public-key cryptography to be like.

Cryptographic applications

Key and message sizes

The first thing to note is that—for both Lattices and Learning With Errors—both keys and the messages are significantly larger than what we are used from “traditional” public-key cryptography: Every transmitted bit(!) may be hundreds of bytes or even kilobytes in size.

Quantum-resistant cryptography

Many current (“classical”) public-key algorithms (RSA, Diffie-Hellman, ECC, …) rely on it being hard to find the (large) prime factors of a composite number. A powerful quantum computer running Shor’s Algorithm would be able to factor these numbers quickly and thus break public-key cryptography. As data encrypted today might still need to remain safe even when powerful quantum computers will be available (at least several years from now), such data need to stop using these “classical” public-key algorithms.

Current symmetric-key cryptographic algorithms such as AES will not be affected by Quantum computers.

Lattice-based cryptography and Learning With Errors are considered to be safe against quantum computers.

Homomorphic encryption

The goal of homomorphic encryption is to separate the provisioning of computing power from the right to access the data in the clear: Calculations on (encrypted) data can be performed on a computer without the computer needing to decrypt and re-encrypt the data. In fact, without the computer even having the key (and thus the ability) to decrypt the data.

One of the earliest cryptosystems which allowed some simple forms of homomorphic encryption was RSA. In “textbook RSA“, (modular) multiplication can be performed on the encrypted data. For most application, this “malleability” is undesirable and needs to be actively prevented by making sure that the decryption of a homomorphically-multiplied message has an illegal format.

Lattice-based cryptosystems are much better suited for homomorphic encryption, as they can support multiple operations, not just multiplication. But the property of malleability remains, so in the encrypted state, almost any operation could be performed on the encrypted data. You still have to trust that the right operations were performed when using the decrypted result.

Learning With Errors does not currently seem usable for FHE.

Conclusion

You learnt the basics of two cryptographic primitives that will be important in the future. And you learnt two applications. So you are well prepared for the future. I hope you enjoyed the minimum math! (If you insist on these two topics being explained with just a little bit more math, read on and watch the linked videos.)

Acknowledgments

The descriptions are inspired by Kelsey Houston-Edwards‘ videos:

• Lattice-based cryptography: The tricky math of dots
• Learning with errors: Encrypting with unsolvable equations

They are great and provide some additional information.

I would like to thank DALL•E 2 for the teaser image it created using the prompt “Post-Quantum Encryption without text”. Yes, it seems that “without text” was ignored, as it does not seem to understand the concept of “text” at all, and fails to recognize that it does not recognize (part of) the prompt, as image generation AI seems to be prone to do. Also, the concept of negation (“without”) seems to be hard for AI; but then again, it is hard for humans: You might remember experimenting with “do not think of a pink elephant” in your childhood. And failing to not think of a pink elephant…

#Security #CloudComputing

psychological process

^{Contributors to Wikimedia projects (Wikimedia Foundation, Inc.)}

Marcel Waldvogel

2024-02-12 16:59:19

DEFCON Voting Village 23 Panel

There was a DEFCON Voting Village panel «If I can shop online, why can’t I vote online?» which I found extremely important to read or listen to. Not just for me, in fact, for anyone talking about electronic voting. Here is a transcript for those who prefer reading (or searching for keywords).

Table of Contents

Toggle

• Editorial remarks
• Introduction
• David Jefferson: Problem space
  
  • National security
  • Attack vectors
  • No strong defenses now, …
  • … and probably never
  • Attack detection/identification

  
  

• Matt Blaze: IT security
  
  • Fundamental, unsolvable problems
  • Impossible reliability
  • Accepting the risks?
  • Conclusion

  
  

• Harri Hursti: False promises
  
  • Estonia
  • Finland
  • «Young voters!»
  • «Understandable, verifiable»

  
  

• Susan Greenhalgh: History
  
  • Trying to create
  • Standards first
  • Policy before Possibility
  • 1. Bradley Tusk
    
    • Despite Federal warnings
    • State legislation lobbies

    
    

  • 2. Vendors
  • Confidence in elections
  • «Theranos of voting»

  
  

• Q&A
  
  • Auditing?
    
    • Digital «voter-verified paper ballots» aren’t

    
    

  • Eliminating vote secrecy?
  • Perpetual motion machines
  • Praise for secret ballots
  • Internet voting is racist
  • Biometrics
  • Vote by phone isn’t secret
  • Remote (postal) voting
  • Voter outreach
  • Ballot marking machines vs. secrecy

  
  

• Related work
  
  • U.S.
  • Estonia
  • Switzerland
  • Technology

  
  

Of course, a link to the original video may not be missing, for those who prefer to watch or listen.

youtube.com/live/WJjBEhPjLRE

Editorial remarks

The transcript has received minor editorial changes: Placeholders (“uh”, “you know”, …), repetitions, self-corrections, etc. have been removed in order to improve readability. Text in angle quotes («…») would be indirect speech in a written text; from the context, it is meant to be a summary/rephrashing of someone else’s statement, illustrated by a change of tone, not as a direct quote.

Chunks that are related to the organization of the panel and that are unrelated to the content have been removed for clarity.

Bold text and section headings have been added by me to help you navigate the arguments or point out what I believe are important take-home messages.

But now, let’s switch to the transcript:

Introduction

Susan Greenhalgh (00:08): I’m Susan Greenhalgh, I’m the senior advisor for election security at Free Speech For People. We are a national nonpartisan not-for-profit legal advocacy organization that works protect elections and democracy for all the people. We have a Proprogram which focuses on Election security and I’ve done a lot of work on internet voting for over 15 years studying the policies and practices and written several reports on it. I’m here to talk about this issue with our esteemed panel.

First starting with David Jefferson: Dr David Jefferson, who is a researcher from Lawrence Livermore Laboratories, retired. In 1999 to 2000, he was the co-chair of the California Secretary of State’s task force on internet voting. He’ll talk a little bit more about that. He was the one of the co-authors of the peer review that was done on the Department of Defense’s SERVE internet voting system in 2004, which ultimately resulted in the Department of Defense canceling the project. and he can talk a little bit about that. It was a 22 million dollar project that was ultimately shut down and he’s been writing, speaking, and testifying in opposition internet voting ever since. So that’s David.

Next we have Matt Blaze, professor at Georgetown University School of Computer Science and Law. He is also co-founder of the Village and he’s been working in election security for two decades and especially interested in the impact of complex software systems on security and reliability.

And Harri Hursti, also co-founder of the Defcon Voting Village. He is the OG in election security reviews, famously conducting the Hursti Hack back in the 2000s. He also was part of a team that reviewed the Estonian online voting system for security and traveled to Estonia to present the findings to people there.

So, we have an incredible panel and I will turn it over to David.
Screenshot of David Jefferson’s talk. Click image to open the YouTube video at the beginning of his talk.

David Jefferson: Problem space

David Jefferson (03:12): So, first let me give you a summary up front of where I’m coming from. That which is, that it isn’t possible now or in the foreseeable future with any combination of technologies that we can envision today to secure an online voting system and so thus we shouldn’t be instituting internet voting anywhere in the U.S and we should really stop using it where it’s in use today.

National security

Voting of course is a national security issue: The legitimacy of democratic government depends on voting being secure and and open. So we really cannot open our voting systems to the to the various kinds of threats I’m about to describe to you, many of which would open our elections to manipulation by Foreign actors.

So let me talk about what internet voting is first of all. What we mean by that is any voting system in which voted ballots are transmitted over the Internet; maybe one hop of the communication is just over the internet, but if it’s if voted ballots are ever transmitted over the internet in the course of running an election, it’s an internet voting system. It doesn’t matter whether it’s by email or fax or web or mobile app: Any scheme, doesn’t matter what the protocol is, if it’s transmitted over the Internet, it’s going to be vulnerable to the kinds of threats I’m about to describe.

Attack vectors

So let’s talk about those threats. What are the threats that we’re talking about? There are many of them.

1. The first one is authentication related threats. When you vote online, of course you have to identify yourself, so that you can be checked that you’re registered and that you haven’t already voted. So you have to actually identify yourself. That will have to be done online also and an attacker can can mess with that system, so that it makes it too difficult for people to authenticate themselves and they get disenfranchised; or too easy for people to authenticate themselves and phony voters can vote. So authentication threats, number one.
2. Number two and perhaps the most insidious is client-side malware. You’re going to be voting from some device—a phone or a PC or other mobile device—and that device might be infected with malware. And that malware might have the purpose of interfering with your voting, either preventing you from voting or modifying your votes before your votes even get out of the device. Before they’re encrypted for transmission, your votes can be modified: You wouldn’t know it, the election officials wouldn’t know it. That’s a profound problem, the client malware problem.
3. The third problem: The third kind of attack would be network attacks; attacking routers or DNS or other parts of the internet infrastructure. Where even if your ballots are transmitted, in progress, they can still be stopped or redirected or otherwise interfered with.
   
   • There are spoofing attacks, where you’re tricked into voting to an incorrect site: A site which may look like the real site, but which is not. And and you think you voted, but you didn’t, and you don’t know whether your vote was transmitted or modified or just thrown away.
   • There are denial of service attacks, where the server that receives votes is overwhelmed with a lot of of fake ballots, sent to it by an attacker. It’s so overwhelmed that the service slows down. It may slow down to the point where voters get timeouts and they can’t vote at all; or the server just crashes.
   • There are server penetration attacks, where an attacker actually gains control remotely of the server that’s accepting the ballots and when he gains control he can do anything he wants.

   
   

Many of these attacks can be Insider-aided, but insiders would include election officials and programmers and so on. There are many variations of all of these attacks.

No strong defenses now, …

Now, there are no strong defenses to most of these attacks; there just are no strong defenses. There are ameliorations, there are ways of handling certain special cases of these attacks. But there are no general solutions with technology that we have today.

They rest on some profound problems in computer science which Matt is going to tell you about in the in the next talk. These are the same threats that we encountered 25 years ago when I was the chair of the California Secretary of State’s Internet Voting Task force and they’re why we recommended that California not Institute internet voting in 1999.

… and probably never

These threats haven’t really changed materially in the last 25 years and they may not change materially in the next 25 years; they are that intractable! Now, the problem is that all of these attacks that I mentioned can be automated and scaled up to massive scale. Depending upon technical details of the architecture of the voting system, the attacks can come from anywhere on Earth, including rival nation states or our own domestic partisans.

Attack detection/identification

Successful attacks may go completely undetected; but if they are detected, they may be completely uncorrectable without running the election over again.

The perpetrators of the attack may never be identified. But even if they are identified, they’re likely to be out of reach of U.S. law—as the 12 Russians, who are under indictment for interfering with the 2020 election are out of reach of U.S. law.

So the problems with Internet voting are profound and I’m going to now turn it over to Matt so he can talk more about that subject. Thank you!
Screenshot from Matt Blaze talking. Click image to hear him talk.

Matt Blaze: IT security

Matt Blaze (09:27): So thanks, David! I just want to expand on what some of the stuff that David was talking about. He mentioned fundamental problems. And as a scientist or as an engineer, when somebody says, “that’s a theoretical problem,” we understand it to be different from when the general public uses the term “theoretical problem”.

A theoretical problem in normal life is one you don’t really have to worry about; a theoretical problem in science and engineering is the worst possible kind. Right, it’s the kind that is fundamental to the system; that it’s something that you cannot do anything about without either changing the assumptions or compromising on what the requirements are.

Fundamental, unsolvable problems

And there are two sets of fundamental problems:

1. The first set of fundamental problems are computer science problems and all of the problems in voting—in building a secure voting system—that we encounter from an engineering point of view, are problems that actually were around before voting was an application. People were even considering there is a fundamental theorem in computer science that essentially says, “it is impossible to compare a program with its specification and understand whether it meets it”. And this is not a problem that we simply haven’t worked hard enough to try to solve; it’s a problem that we know that we cannot solve. We will never be able to solve it!
   And what is the implication of that, is that general purpose complex software can never be assured to be completely correct. Now, that mostly doesn’t bother us for all sorts of applications of computing that we rely on for many things. In fact, the title of this panel «I can bank online; why can’t I vote online?» is an example of that.
   We rely on the same flawed computing systems for things like banking, so, why is it we’re able to get away with it? And the short answer is: We don’t. Right, bank fraud is enormously common; right, banks are robbed online all the time; there are identity theft and so on constantly.
2. The difference is a second set of fundamental problems which is the voting application itself has a set of incredibly stringent and in fact somewhat contradictory requirements for building a voting system.
   One of them is that your vote must be anonymous and it must be anonymous to the point where you can’t even voluntarily prove who you voted for. And that requirement exists to prevent people from being able to be coerced into voting a particular way or being able to sell their vote. And there’s a long history—even in the United States, prior to that requirement existing—of people having their franchise coerced away from them, because it’s possible to tell how someone voted.
   Banking transactions don’t have that requirement. A banking transaction is reversible. If money disappears from your bank account, it’s possible to be made whole again; but if your vote is changed, after it’s been cast, we don’t know whose it was. And you have no way as a voter of proving how your particular vote was cast in order to be able to correct that. And if that changed, you’d be able to prove how you voted.

Impossible reliability

So we have these two sets of fundamental problems clashing with each other: The first is, we don’t know how to build systems that are reliable enough to avoid problems like this; and the second is, voting requires us to build systems that avoid problems like this rather than correct them after the fact. And this combined with the fact that an online voting system requires using complex computer technology means that this is a problem that we won’t be able to solve no matter how hard we work at.

It’s not that we’re just not very smart, it’s that these problems are beyond human capacity.

Accepting the risks?

Where that leaves us is,

• we have to recognize that online voting is intrinsically very risky,
• that it will lead to elections that we will never be able to satisfactorily show were conducted without fraud, without hacking, and that the outcome is genuinely true.

And that will always be with us when we do it that way, unless we relax some very important requirements of voting systems.

So, by the way, I’m not the only one saying this. There was a report from the National Academy of Sciences called “Securing the Vote”, where the top experts in the field got together and produced what’s called a “consensus report”. It essentially makes a very strong statement: «This is something we do not know how to do» and recommends against it wholesale.

Conclusion

So, those who propose online voting systems are essentially proposing something that [according to] the consensus of scientists is impossible.

So, we should understand it in that context. So, thanks!
Screenshot from Harri Hursti’s talk. Click image to see him talk.

Harri Hursti: False promises

Harry Hursti (15:35): So internet voting is a whack-a-mole. It keeps on coming back and the argument is very often, say, well, we have this excuse: Shall we do just a little bit of Internet vote?

There’s two reasons why that’s not a good idea:

1. First of all, all the votes are one pool. The idea that I can vote insecurely myself, and that wouldn’t disenfranchise other voters, is a logical fallacy. Because if there’s only one result and if I’m choosing to make my own vote insecure, I’m also making everybody else’s vote vulnerable.
2. But there’s even more profound reason. A lot of nations, including the United States and a lot of states in the United States, but other nations have the same principle: that all voters should be voting with same method. So, once you are enabling the door that let’s have a little bit of Internet voting, the next step is to say, now everybody has to vote with internet voting because we cannot have separate methods. The common ways we are hearing always to give an excuse: What are the special groups who need to vote over the internet?
3. And one of the these in America is called UOCAVA Voters, Uniformed and Overseas Voters Empowerment Act [Transcriber’s note: Merge between UOCAVA and MOVE]. So, they are mainly the boys and girls in the military and who have a problem of getting the ballots done on time; however, this same problem is everywhere else in the world. And the other part is why UOCAVA is—or military voters in general are—a very good target for saying, “let’s do internet voting,” because in a lot of nations, military voters are not guaranteed to have secret ballot; it’s a best-effort basis only. So military voters don’t enjoy the same legal protections as the general public. And that also enables you to have a little bit more relaxed voting system, because you don’t have to guarantee secret ballots.
4. Another group is a very powerful lobbying group: The disabled voters and especially print disabled voters, so people who cannot read, cannot write, cannot hold a pen in their hand. There are a lot of devices, calling for example ballot marking devices, which are designed to access. But the idea is: Okay, well, let’s do that at home! Again, this whole path leads to a dual language, where a constant attempt is to call the voting not “internet voting”, but instead of calling it to be “electronic return of your ballot”. It’s the same thing. But the idea is, this is the way we sell the idea without getting into the trap of informing people that this is the bad idea again, internet voting.

Estonia

Internet voting has been claimed to be successful in Estonia. I went to Estonia with the professor Alex Halderman and a couple of other folks. We took a look in the system and it was a fairly decent high school project; that was the quality of the code.

However, there was a lot of interesting things in operations. For example, they rented the servers every year separately. So, from supply chain point of view, this one agency is renting three computers: That’s your target! The lowest bidder and you can poison all you want. There were a lot of designs in that area.

For example, they publish a video where a the code is signed cryptographically, so that the voters will know, this is an honest code. And they claim that this computer, where the video was taken, has never been connected to internet. But it had a µTorrent [Transcriber’s note: A BitTorrent Internet download software] and pirated movies and pirated films and online poker on the screen. So slightly suspicious that it might have been an intern.

Finland

In Finland, we tried internet voting or online voting. It was Kiosk Voting—but a system which can be used for internet loading too—in Three Counties and it was demonstrated that three and a half percent of the votes were lost and hence the election had to be reconducted, because three and a half percent in a what you call the Jefferson counting method means that it’s absolutely certain the last candidates in the city council will be [awarded to?] the wrong people.

«Young voters!»

The common excuse also is to claim that we need internet voting to activate young voters, young people who like mobile phones.

Estonia is a brilliant country from the point of view that they published age brackets. And when you look in Estonia, you see that the fastest growing group of Voters online is over 65 and the young voters are rejecting the idea of Internet voting. The same was [experienced] in Norway, so that the actual government public data doesn’t support the common wisdom that young voters would be activated by using internet voting.

«Understandable, verifiable»

Last but not least, I want to touch a very big topic. For example, in Europe and Germany, a lot of democracies have a rule that common person has to understand how votes are counted; and have to be able to verify the vote counting process with no special tools and education. Common man’s common knowledge has to be enough. Now, we are proposing very complex ideas like homomorphic encryption, blockchain, …

The joke in US is that the average age of poll workers [gets] one year older every year, because we don’t have enough young people coming to be a poll worker. But until we live in a Star Trek universe, where teenagers are casually talking about quantum mechanics: Who is going to be explaining to a 70 year old normal person, how homomorphic encryption works?

And in this today’s world, how could anyone believe that you could ever be getting normal people to accept these complex ideas, that even most of the experts don’t know how it works?

So let’s keep it simple. Thank you!
Screenshot of Susan Greenhalgh’s talk. Click to hear her talk.

Susan Greenhalgh: History

Susan Greenhalgh (20:10): After hearing all of that, I’m guessing everyone probably thinks, «who would ever want to do internet voting for public governmental elections?»; but unfortunately, right now 32 states permit some subset of voters to vote online either by email, fax, or some sort of online portal. And there’s a lot of ballots coming back online! In the 2020 election, there were over 300 000 ballots cast online; and in some states with small margins, there were a significant number of ballots cast online. And this is a problem, because those ballots we know are not secure and they can’t be audited.

Trying to create

So, I want to talk a little bit about the policy in the history of how we got here and how it’s playing out today to understand our situation. As I mentioned in the intro, back in 2004, David was part of a security study that examined a system that was being put together by the Department of Defense to a military and overseas voters to vote online.

This was something that Congress tasked them to do this. They built a system, had a peer review of the security. The peer review said, this is not secure, you cannot ensure the legitimacy of ballots cast online. So the project was scrapped.

Standards first

Congress turned around and said: Okay, we’ll have NIST—National Institute of Standards and Technology—develop standards for a secure online voting system and then we’ll have the Department of Defense build to those standards. So NIST spent the later part of the 2000s and early 2010s studying the problem, writing several reports, and they came to the conclusion—that the scientists have all come to—that there’s this broad scientific consensus that these problems are really not solvable with the security tools that we have today.

And they wrote a statement saying, we don’t know how to write security standards, because we don’t know how to do internet voting securely. It’s not yet feasible, so we we’re not doing it. So Congress said «okay» a couple years later; because Congress moved slowly between 2014 and 2015. Congress repealed the directive to the Department of Defense to build an online voting system; essentially taking the federal government out of it.

We often hear: «Why isn’t the federal government studying it?» The answer is: They already did; asked and answered. So in the subsequent years we’ve seen more reports come out; in 2018, the National Academy study came out that Matt mentioned. There’s been numerous academic studies, there’s been some states have done their own studies.

Time and again, when the computer scientists and the security experts look at the problems, they realize that voting is not something that you can apply today’s security tools to, in a sufficient way to secure it. So, we’ve never come up with anyone that says, «Here this is a secure way to do it from a scientific perspective».

Policy before Possibility

Yet, in that early 2000s period of time and even the late 90s, there was a reasonable expectation that we were going to have a secure online voting system from the Department of Defense. So States passed laws to allow electronic ballot return. By 2010, I think 29 or 30 States already had electronic ballot return laws in place. So that was before NIST came up with their statement saying, «we can’t write security standards for this», and before the bulk of the scientific research that’s so conclusive had come out by. So, in the mid 2010s, we’d seen a kind of a slowdown in the movement for online voting; but now we’re in the middle of an aggressive push once again to have people vote online and that’s coming mainly from two places:

1. Bradley Tusk

First, there’s a guy named Bradley Tusk who is an Uber multi-millionaire: Made a bunch of money for Uber and he helped change their policies. Not a tech guy, he’s a policy guy. He helped change state laws to allow Uber ride share policies around the country. He also was responsible for changing state laws to allow sports betting on the FanDuel app. So he knows what he’s doing as far as changing state laws. And he’s decided that he’s going to save American democracy by getting everybody to vote on their phones by 2028, he said that on his podcast. He has also said, that he will do anything unethical—short of committing a crime—to get everyone voting on their phone. So, he’s hired lobbyists, he’s got public relations people, and he’s introducing bills in different states around the country to allow people to vote online: Starting with subsets of military and overseas voters for states that don’t already have it, and then to expand it to voters with disabilities, to expand it to First Responders who may be displaced, and then ultimately with the goal of getting everybody to vote online.

Despite Federal warnings

One of the most definitive scientific studies that we saw—or I shouldn’t call it a study, it was a risk assessment, that came from the Department of Homeland Security CISA, FBI, NIST, and EAC in 2020, which warned States: «You don’t probably want to do this, because those ballots will be high risk of compromise, manipulation, deletion, or privacy violations. Any ballots cast online via any method, even with security tools in place.»

State legislation lobbies

So even with this security, all this guidance coming from the federal agencies: Those federal agencies can’t go into the States and lobby. They put out their risk assessment, hope the states look at it. Instead, it’s left to organizations like our organization. We work with Verified Voting, with Brennan Center, with Public Citizen. These are all groups. We are very deeply committed to ensuring access for all voters. We—my organization—actually takes legal actions to ensure people’s access to the ballot. But we also want to protect that ballot and make sure that the election is secure. So that’s why we are going in and raising these security concerns in the state legislatures and trying to keep States from introducing more bills to spread online voting.

In the last year and a half, we saw bills introduced in California, Washington, Maryland, Wisconsin, Michigan, Illinois, Georgia, New York, New Jersey, and Washington D.C.

That’s one aspect of the push for online voting.

2. Vendors

There’s another aspect that comes from the vendors. Because this is an industry that is not regulated at all, the systems that are being sold commercially don’t undergo any sort of public testing that anyone else can review. The vendors make claims of security or claims about the way the system operates that are unfounded, baseless. Our organization has written letters to Attorneys General, arguing that these could constitute false claims in deceptive marketing and could be actionable and asking for investigations. But there’s nothing to counter it, other than us bringing up the other side of it. So the vendors are also lobbying in state legislatures and promising State lawmakers that these systems can be secured.

And that’s another aspect of it.

Confidence in elections

So this is an ongoing problem that we’re going to continue to see, because of these two forces pushing online voting at a time when we really need to have auditable systems, transparent systems, secure systems, that we can ensure that all people can have confidence in the results of an election and not expand an system that we know is insecure.

«Theranos of voting»

Internet voting has been globally referred to as the «Theranos of voting» and I think that’s actually a very apt analogy. I don’t know if you’re familiar with the story: Theranos is the blood company that was founded that went to a billion dollars; and they were going to take a tiny pinprick of blood and be able to run a complete screen of every task that you could ever possibly need and know your entire health history. And it would be cheap and everyone would be able to do it at CVS or Walgreens.

And it was a great idea, who doesn’t want that? But the problem is: The science didn’t let you do it! You needed more blood to be able to run certain tests. The blood needed to be centrifuged, and separate out the cells, and reagents put in there. You can’t do it all, but the idea is so great, everybody wants to do it!

Yes, it would be really great if we could all vote on our phones, but the science isn’t there!

So I’m going to wrap with that and and we’re going to go to questions.
Screenshot of the Q&A session. Click image to watch the session.

Q&A

Auditing?

Susan Greenhalgh (31:01): David, I was speaking about the importance of auditing elections, especially that everyone should have confidence. We don’t want to just trust elections, we want to verify elections. How can you audit an online voting system or can you audit an online voting system?

David Jefferson (31:32): You hand mark the ballot and there is no question that the ballot actually reflects the voter’s intent. That hand marked ballot becomes a contemporaneous record of the voter intent. So that if those ballots are later counted by machine—and the software in those machines is full of bugs and is full of malware, and so the counts are wrong as produced by a machine—you can always go back, in fact, you should always go back to the original hand-marked paper ballots and audit the machine results using an RLA (a risk-limiting audit), for example, as was discussed apparently yesterday.

And therefore you can determine that the machine counts were wrong and you can correct the outcome of the election.

Now, with any kind of online voting system, if you are voting from your phone or your personal computer, there is no indelible contemporaneous record of what the voter’s actual intent was. There is no record from which to audit the election.

So, it’s really not possible to audit an online election and that’s just another reason why we shouldn’t be doing it.

Digital «voter-verified paper ballots» aren’t

Susan Greenhalgh (33:16): One of the things we see the vendor say, is that «we produce a voter-verified paper ballot, our system isn’t online voting, it isn’t internet voting». Oe of the the CEOs of one of the vendors told a radio show that «We don’t use the term “internet voting”, because it’s a loaded term; we say “electronic ballot returns”.» So it’s a little bit of this smoke and mirrors.

And that they produce a voter verified paper ballot: Well, a lot of times, the digital record is sent to the elections office and then it’s printed there. But obviously that paper ballot has never been verified by the voter, because it’s the digital record that was sent. But to say, «it’s a voter verified paper ballot», is highly misleading at best, so you don’t have a voter verified paper ballot to audit the election.

Eliminating vote secrecy?

Audience Member (34:16): You folks were talking about the kind of combating requirements of a secret ballot and a technically secure ballot. I vote for Mickey Mouse every year, I don’t care who knows that. From a purely technical perspective, if you omit the requirement of secrecy, does online voting become much more viable?

Matt Blaze (34:37): Sure, all sorts of problems get easier, if you reduce the requirements. The requirement for a secret ballot doesn’t exist just because a bunch of technologists said it should. The requirement for secret ballot evolved over centuries of U.S law; and centuries of experience with fraud in democracies, based on coercing votes from people.

We could—as a society—decide to eliminate the secret ballot and maybe we decide that we want to. But I think a poor reason to eliminate the secret ballot is simply to accommodate some future voting technology, that finds it an inconvenient requirement.

I think it’s very important to understand here: These requirements didn’t come from us, these requirements are not requirements that the technologists invented. These are requirements that society has decided are important properties for voting systems. We can discuss whether those requirements are good or not, but that discussion had nothing to do with technology, it’s a democracy requirement.

Perpetual motion machines

When I hear about internet voting, I find it helpful to substitute in my head «perpetual motion machine». If we had perpetual motion machines, it would be great! It would solve our energy problems.

Everybody agrees perpetual motion machines would be terrific! Unfortunately, a bunch of killjoy physicists tell us that we’ll never be able to have them. If you believe the killjoy physicists, it would be a bad idea to create policy on the assumption that we’re about to build a perpetual motion machine, because we’re really not. And internet voting has many, many of the same properties there.

Praise for secret ballots

David Jefferson (36:42): I want to praise the secret ballot requirement: The secrecy of the ballot is the strongest defense by far we have against voter coercion, vote retaliation, and vote buying and selling. Without the secret ballot, our elections could be irredeemably corrupted by those effects.

Internet voting is racist

Audience Member (37:10): I have more of a comment that I’d love to get our moderator’s response on here. What really worries me more than anything about online voting is much more lower tech, actually, it’s that if it goes large scale it’s subject to phishing attacks. You could have very large-scale voter suppression with fake emails coming from secretaries of State, apparently, and you go and you lose your vote and maybe you get your identity theft too. Now, phishing campaigns can be just 19, 20 % effective; targeted they can be 70 % effective and who’s going to get targeted in a voter suppression campaign? The same people who always get targeted: Communities of color! So, I think this whole issue very quickly becomes a racial justice issue, honestly, and that’s that’s not even getting into the stuff you all have been talking about, that I firmly agree with.

Susan Greenhalgh (38:13): My comment is: I agree. I don’t have much more to add that was very well put!

Biometrics

Audience Member (38:21): Just a quick question regarding authentication and biometric data: So can your team speak to the benefits of that? I know that the TSA for example is using biometric data for authentication purposes for international travel; comparing your passport photo to your face while you check in. Obviously, having biometric data stored by the government maybe isn’t the best idea; you could do something like hashing or something different like that. But can you speak to the advancements of biometric data and how they pertain to online voting in the future?

Matt Blaze (39:00): There are two unfortunate properties about Biometrics. The first is they are tied to you as an individual; you can’t change them if they’re compromised. So if something happens to your biometric data and other people learn about what it is, they know it and you’re stuck. That means that effectively supervised biometric authentication—you go into the kiosk, there’s a guard, you put your fingerprint on a reader—might be okay, because they know that you’re not bringing some equipment in, to fake what the fingerprint is. But unsupervised biometric authentication—I’m using my phone, it reads my biometric, and sends that data somewhere—is something that’s always going to be subject to compromise. So Biometrics solve some problems for in-person authentication that work very poorly in the online context.

Vote by phone isn’t secret

Audience Member (40:12): I think another issue that isn’t really considered, is the fact that, for instance, if Bea is going to vote with her cell phone and she’s asleep, I can just pick up her cell phone, unlock it with her face and vote on it. Or Bob over there wants me to vote for Pinkie Pie, so he gives me a thousand dollars to go vote for Pinkie Pie. We still have that problem in our regular elections and those are small little votes. But there’s no privacy.

If you have a partner that’s very controlling and they’re trying to force you to vote for somebody: When you walk into that voting booth by yourself and you close that curtain, you can vote for whoever you want. You lose that a hundred percent when you do online voting and vote by phone or any of this. Great for American Idol, not great for elections.

Remote (postal) voting

Audience Member (41:19): I have a general question about remote voting which is not electronical, such as postal voting, which is used in many countries to support for example disabled voters or voters who are otherwise unable to go to the polling station. And postal voting has many risks of the kind that you mentioned, such as the risk of coercion or the risk of not knowing that the ballot that arrived was actually marked by a legitimate voter. So given all this, what kind of secure enough options would you recommend for remote voting?

Matt Blaze (41:50): It’s important not to confuse online voting with the general problem of remote voting. Remote voting exists everywhere in the United States at least as a special case for absentee ballots: People who can’t travel and so on. It’s generally done on paper and by mail.

That has some of the same problems as online voting, but not all of them. It leaves us with the one-on-one coercion problem, that if you’re sent a paper ballot, it is possible you could be coerced by a partner or an employer to vote in a particular way. But that has to be done on a retail level, ballot by ballot.

In an online voting system, that same type of compromise can be done centrally: A piece of malware, that’s spread by a phishing or any of the other ways that malware spreads, can be used to wholesale compromise many, many different ballots.

So, my suggestion is that to accommodate voters who can’t travel, we stick to the paper-by-mail method and not introduce methods that also add the wholesale fraud and wholesale abuse vector. But even by mail, voting does compromise some of the properties of the secret ballot; and we have to be very careful when we scale that up.

Susan Greenhalgh (43:37): I’ll just add that there have been solutions that have been implemented: When the Military and Overseas Voter Empowerment Act was passed, it required that all Counties or States send ballots to Military and overseas voters 45 days before the election. It also stipulated, that they had to make the option available to send the blank ballot electronically. Blank ballots can be sent with reasonable acceptable security electronically, because they don’t have the vote, they don’t have the secret valued piece of data, on them; everybody knows what’s going to be on the blank ballot. So, you get your blank ballot in 45 days and then still have 45 days. The military have access to expedited free postal mail return that is provided to everyone in the military.

I mentioned there’s 32 states that currently allow electronic ballot return, 18 that do not. There are several states that don’t allow electronic ballot return, that have higher rates of participation for military and overseas voters, because they have robust communications in place: They’re making sure that they get the information to those voters. So, I don’t think that we can make a correlation that electronic ballot return is going to increase participation for those voters based on that information.

Voter outreach

Audience Member (45:03): Military ballots and voting is always kind of interesting on all the campaigns I’ve worked on. Generally, each county is autonomous and how they vote in it. You’re talking about military and state. I’m really a novice, I really don’t know what I’m doing on this one. So, you’re saying the states have better things in place. So, how does that work with the counties being autonomous and how they do their voting?

Susan Greenhalgh (45:45): It actually depends State-by-State, because some States run their UOCAVA outreach to those voters or military and overseas. The outreach of those people at the state level and some places do it at the county level; meaning that the county officials have to email the ballot or send the ballot to the people; or some places, they do it from the state level. So it really depends on the state: You have to go State by State.

Ballot marking machines vs. secrecy

Audience Member (46:20): I think it’s important for people to be careful not to generalize your personal experience of voting and think that’s how it is throughout the United States. It’s easy to make blanket statements that don’t apply. So, for instance, with respect to voting by mail: If you live in the state of Georgia, the only way to be able to do a hand-marked paper ballot is, if you vote by mail. The only way to have ballot secrecy is, if you vote by mail. Because, if we go into a precinct, we have ballot marking devices that are huge. They’re upright, they’re lit up, and anyone can see how you’re voting. So if you want ballot secrecy and hand-mark paper ballots in the state of Georgia, you have to be able to vote by mail. And the other thing to be aware of in the state of Georgia, is that the Secretary of State controls all counties. So, we’re required to do everything the same way throughout the entire State; it’s not county-by-county decisions. So I just want to caution people: Don’t generalize based on your own experience, because across the United States there are very different circumstances.

The transcript ends here, but some relevant information follows, for those wishing to dig deeper.

Related work

U.S.

• The National Academies of Sciences, Engineering, Medicine et al.: Securing the Vote: Protecting American Democracy, 2018.
  The «Consensus Report» mentioned above.
• Kim Zetter: US government plans to urge states to resist ‘high-risk’ internet voting, The Guardian, 2020-05-08 (or 2020-05-09 CEST).
  Report on the DHS risk assessment.
• Cybersecurity and Infrastructure Security Agency (CISA): Election Infrastructure Cyber Risk Assessment, 2020-07-28.
  Enumeration and quantification of risks related to internet voting; also mentioned above.
• Cybersecurity and Infrastructure Security Agency (CISA): Risk Management for Electronic Ballot Delivery, Marking, and Return, undated (but before 2020-05-08).
  Essentially a summary of the risk assessment above, referenced in the Guardian article; scanned, labelled as “draft”.

Estonia

• Märt Põder: Do voting machines dream of digital democracy?, 2023-10-17.
  Slides of his presentation in Zurich on the Estonian electronic voting system (including: how he might have stolen the election, but didn’t; that results differ greatly between internet and paper votes.)
• Estonian Cyber Security News Aggregator: Cyber Security Newsletter 2023-10-12 (i-voting / RK2023).
  Extensive list of the problems during the Spring internet voting in Estonia.
• Märt Põder: Should e-voting experience of Estonia be copied?, 37C3, 2023-12-30.
  Märt’s presentation at the 37th Chaos Communication Congress.

Switzerland

• James Walker: Swiss Post puts e-voting on hold after researchers uncover critical security errors, The Daily Swig, 2019-04-05.
  Sarah Jamie Lewis and others discovered bugs hidden deep in the hard-to-understand cryptographic core of the Scytl/Swiss Post eVoting system. (As of 2023, it is again in use in Swiss elections/votes. Many more articles not available in English.)
• Patrick Seemann: eVoting: No risk, have fun?, DNIP, 2023-09-04.
  According to the Swiss eVoting risk assessment, the risk is now lower. Without any substantial changes to the system. A critique (in German 🇩🇪).

Technology

Homomorphic Encryption and Blockchain are mentioned here (and elsewhere), as potential solutions to Internet voting aka eVoting. If you want to understand these technologies, here are some pointers:

• Marcel Waldvogel: Post Quantum and Homomorphic Encryption made easy, 2023-02-23.
  Toy versions of these topics explained, so that everyone can have a basic understanding.
• Marcel Waldvogel: Hitchhiker’s Guide to the Blockchain, 2022-04-09.
  Blockchain technology explained. Here, the link to my statement about electronic voting and blockchain.
• Marcel Waldvogel: Hitchhiker’s Guide to the Blockchain: An Overview.
  Overview over my articles about Blockchain and related technologies.

#eVoting

eVoting: No risk, have fun? - Das Netz ist politisch

Evoting hat in der Schweiz eine bewegte Geschichte hinter sich: Nachdem sowohl der Kanton Genf als auch die Post nach ersten Versuchen ihre Software wieder

^{Patrick Seemann (avongunten)}

Cryptoparty Köln-Bonn

2024-09-05 06:22:54

"Geht in die Cloud", haben sie gesagt. "Da sind eure Daten sicher", haben sie gesagt. "Backup, Serverpflege, für alles ist gesorgt", haben sie gesagt.

AM ╚╚|░☀▄☀░|╝╝

Marcel Waldvogel

2022-04-09 18:31:01

Hitchhiker’s Guide to the Blockchain

Blockchain, cryptocurrencies, smart contracts, Web3 and NFT are the talk of the town. Almost everyone has an opinion, but hardly anyone understands the foundations or relationships. The goal of this series, whose first part you are currently reading, is to provide a structured presentation of promises, the technology behind, and the reality. Using everyday analogies such as space-faring, stamp-throwing, anarchist notaries, the concepts are explained in a trilogy in five parts.

(Diesen Artikel gibt es auch auf Deutsch 🇩🇪: Per Anhalter durch die Blockchain.) More on blockchain in the simple, humorous, yet thorough article «Hitchhiker’s Guide to the Blockchain».

Solutions based on blockchain have been proposed as solutions to any problem even only remotely related to IT, digitalization, economy, democracy, and society. Like for every new topic, thinkers, gold diggers, freeloaders, charlatans, and doomsday prophets show up in an colorful mixture, making it hard to keep track of things.

The goal of this series of articles is to provide sound insight both to newcomers and experts, in an easy-to read manner. The focus is — as much as this is possible in this complicated, entangled topic — to present properties and relations transparently, substantively, and in a structured manner. Guidance will be provided by illustrative and memorable, sometimes hilarious, metaphors.

The huge topic will be structured in five layers:

1. The blockchain proper, a way to store data transparently and immutably (this article);
2. cryptocurrencies such as Bitcoin and Ethereum built on top of blockchain, which are touted to revolutionize our financial system (in an upcoming article); and
3. smart contracts, which — as generalizations of (conditional) cryptocurrency transactions — are hailed to simplify building and enforcing contracts (in an upcoming article).
   These smart contracts are used to build:
4. Non-fungible tokens (NFTs), digital artworks ready to revolutionize artist payments, art trade, and copyright (in an upcoming article); and
5. the promise of a democratization of the Internet, dubbed Web 3.0 or Web3, also the basis for decentralized autonomous organisations (DAO; in an upcoming article).

Each of these five layers will first be presented and objectively analysed in four chapters, followed by two more chapters of personal assessment and a list of take-away questions. Due to the complexity of the matter, this separation is not always

1. What hopes and promises stand behind the technology and which problems they are supposed to solve.
2. An accessible introduction of the inner workings of the actual technology and their possibilities and limitations.
3. Are blockchain-based solution the only possibility to address the problem? If not, what are alternatives and substitutes?
4. What is the reality behind the promises?
5. A subjective evaluation of the technology based on the items above.
6. A list of questions to ask yourself or an expert, before investing (financially or technologically) into that particular layer.

Ready? Let’s wink our Electronic Thumb and put our Babel fish into our ears, and let’s go! First stop: The foundational layer, the blockchain itself.

I tried to keep this text as neutral as possible. During my research, however, I learned two things:

1. Blockchain advocates criticize the current economic system as being plagued by greed, inefficiency, lack of transparency, and excessive complexity. However, the goal toward which these advocates work, is a new, now digital, economy, plagued by greed, inefficiency, lack of transparency, and excessive complexity.
2. Whenever I asked for a tangible benefit of blockchain-based technology compared to a solution without blockchain, the answers have been evading or inconsistent.

Nevertheless, this entire field is due for more insight. The Blockchain ecosystem has raised several important questions, and addressing them is relevant for the future of our society and our interaction with technology. The «blockchain» term was able to score high in the Buzzword Charts for over a decade. That alone should be reason enough for an in-depth analysis and understanding of this phenomenon.

Table of Contents

Toggle

• Part 1: The Blockchain itself
  
  • Promises
  • Technology
    
    • Analogy: notary’s office
    • Digital Blockchain
    • Wanted: Notaries without duty roster
    • Organizational structure
    • Carrot and stick
    • Work and wages
    • Immutability in the blockchain
    • Alternative rules
      
      • Proof of Stake
      • Permissioned Blockchains

      
      

    • At the top it wobbles the most
    • Technical summary

    
    

  • Alternatives
    
    • Prehistory and early history
    • Blockchain Trilemma
    • Can it be a little less?
      
      • Do we need global consensus?
      • Do we need write permissions for everyone?
      • Would you like a sprinkle of trust with this?

      
      

    
    

  • Reality
    
    • Digital elections
    • Degree Certificates
    • Supply chain 1: Provenance/origin
    • Supply Chain 2: Contracting

    
    

  • Evaluation
  • Questions
  • Further reading

  
  

Part 1: The Blockchain itself

TL;DR (or: The summary for all non-managers)

1. “Sufficiently advanced technology is indistinguishable from magic,” but if some technology is being sold as magic, it is important to ask if the technology actually can do what it claims or whether it is only capable of magic smoke-and-mirrors. (Or, to put it another way, if something seems too good to be true, it often is).
2. “If you add blockchain to a crap process, you have a crap blockchain process“. (Or to put it another way: good solutions do not emerge quasi-automatically through the purchase of consultants or technology, certainly not if these bring new complexities and inefficiencies).
3. A good idea alone is not automatically part of a good solution. (Or to put it another way: even a hammer should get to know other friends than just nails).
4. Trust increases efficiency and reduces complexity. Blockchain solutions want to do away with any form of trust. They buy this with inefficiency and complexity. (Or to put it another way: complexity is the enemy of security, transparency, efficiency and trust).

This is not a “management summary” but a “summary for non-managers” (or non-decision makers), because I think that especially decision makers should understand more about a technology that is considered revolutionary, that they can ask the right questions to distinguish dazzle from real benefit.

The blockchain was created as a solution to a very specific, particularly complex problem: Creating a digital equivalent of paper money, trying to prevent counterfeiting while attempting(!) to preserve anonymity. For this problem, it may be a good solution when applied directly. For most other processes, it is massive over-engineering, as even small changes to the preconditions lead to much more efficient solutions. But to know and understand these factors, a deeper understanding is needed. And this is exactly the goal of this text.

In the course of its creation, the text has become larger than planned. However, it has also gained in readability and comprehensibility. In other words, it was written precisely with the target audience of executives and decision-makers (and grandfathers and granddaughters) in mind: Many memorable analogies and explanatory comparisons with the real world, also suitable to liven up a business or family dinner.

I think the text deserves a chance: the advantage of text is that you can skim individual passages at any time and ruefully read it later after all, without resenting it. The often exaggerated, colorfully highlighted introductory sentences to a chapter hopefully help with these reading decisions.

The blockchain, and with it the Bitcoin, emerged at the height of the financial crisis in 2008 as a countermovement to the role of the banks in this crisis, which first made profits with non-transparent financial products on bad mortgage risks and then, due to their systemic relevance (“too big to fail”), generated bailout money. Accordingly, the desire for transparency and independence from central organizations (banks, states) is a leitmotif running through all levels of the blockchain ecosystem.

This development bears the signatures of cryptoanarchy and anarcho-capitalism, i.e., of movements that want to avoid trust in organizations and structures and, in particular, distrust the state. Only programs (“code is law“) or free, i.e. unregulated, markets deserve trust. This trait runs through all levels, even though they are most visible in cryptocurrencies and smart contracts.

Promises

The only chapter blockchain enthusiasts would advise you to read.

Since blockchain and Bitcoin emerged at the same time, the term blockchain is colloquially sometimes also used (pars pro toto)for applications based on it (cryptocurrency, smart contracts, etc.) as well as the respective ecosystems. In the context of this series, I will try to clearly separate the terms.

The four to six properties that a blockchain has or should have are not uniformly defined:

Wikipedia	Christian Cachin/IBM	MoreThanDigital
Chaining	Distributed Ledger	Data integrity
Decentralized storage	Cryptography	Reliability
Consensus	Distributed Consensus	Fast storage
Manipulation security	Business processes	Analysis, transparency
Transparency, confidentiality	—	—
Nonrepudiation	—	—

Let’s look at the four categories from Christian Cachin’s presentation as examples:

1. A distributed ledger as a transaction list with an unchangeable past.
2. Cryptography to ensure the integrity of accounting and authenticity of transactions.
3. Distributed, failure-tolerant consensus on the content of the ledger and the validity of transactions: All blockchain participants should be able to agree on a common world view (e.g., account balances), even when not all participants are always available.
4. Business processes (“business logic”), which are to ensure the validity of transactions and implement them (account management, smart contracts, …). We will defer this area to the next two articles, where they have the necessary context.

This is very abstract, especially as long as it remains unclear what is the actual goal to achieve. Since this article has set out to clearly structure the complex matter and we would like to be evaluated against this goal, we need to answer one more question first: What do heck do people want to use these features for? So let’s look at a typical “10 Applications for Blockchain” list and then extract or structure the benefits listed there:

1. International financial transactions: Data consistency, tamper resistance, removing intermediaries→lower transaction costs and higher transaction speed.
2. Healthcare: Storage in a distributed network allows storage of sensitive data: Patient records, medical findings, and clinical histories. Access only by users authorized by the owner.
3. Identity management: ID documents can be digitally converted securely, with no data loss; more secure and faster.
4. Prevention of money laundering: Transparency, record keeping, and attribution.
5. Insurance: Smart contracts for claims processing, insurance fraud detection.
6. Supply Chain Management: Simpler contracts, continuous tracking of goods, transparent documentation of supply chains from origin to store. Faster/simpler/cheaper investigations.
7. Mobility: Access rights, documentation of ownership, automatic vehicle rental+billing, secure billing even with electric vehicles.
8. Energy market: Dealing with change, traceability of transactions (private energy feed-in), billing/payment at e-fueling stations.
9. Digital elections: No fear of manipulation, tracking every vote.
10. Degree certificates: Issue degrees/certificates that cannot be falsified, internationally recognized.

These topics cover a wide spectrum, from blockchain itself to cryptocurrencies and smart contracts. It would be great if this could solve so many outstanding problems of modern civilization. However, since this hasn’t happened in the last 14 years, it doesn’t seem to be that simple after all.

­­­­­­­In the following (large) technology chapter, let’s take a look at the features and techniques used to solve these challenges before we move on to the reality check. Since we are focusing on the blockchain itself here, we will discuss the topics of data consistency/anti-tampering, data loss prevention, transparency/records and (partial) attribution/traceability/falsification at the end of this article We will look at the rest of the points in more detail in subsequent articles, after the necessary foundation stones have been laid.

Technology

The chapter in which the almost impenetrable jungle is explored and mapped.
Overview of the elements of the Bitcoin blockchain. On the left, the actual chain, a concatenation of blocks. Each block (center) contains, in particular, a list of transactions (right).
The technology of the lowest level alone, the blockchain, is quite complex. Before we go into depth, here is an overview, based on Bitcoin.

The Bitcoin blockchain consists of a chain of blocks (labeled “chain” in the right image) that grows over time. (In exceptional cases it can also branch, as we will see below.)

Currently, the Bitcoin blockchain is about 730,000 blocks long and a new one is added about every 10 minutes. Each of these blocks contains a collection of transactions. The whole thing is managed jointly (by consensus) by the computers (nodes) that build the system and where actually everyone can participate (no special authorization is needed).

To understand the interplay, let’s look at it in several small steps that together make up a table of contents for this technology chapter:

1. The structure and function of the blockchain
2. How to add a block even though no duty roster exists (the consensus)
3. How nodes communicate with each other (the peer-to-peer network)
4. Why anyone would do that to themselves (the incentive)
5. How a valid block is generated (mining and proof of work)
6. How else to settle this (Proof of Stake and friends)

This is followed by a short summary so that you can see the forest for the trees.

Before we analyze a digital blockchain, let’s build an analogy with paper and offices. We will watch anarchic accountants (or notaries) keep a tamper-proof loose-leaf collection. Those who want (and know the Hitchhiker’s Guide background) are welcome to imagine them as members of the Golgafrinchan “B” ark.

Analogy: notary’s office

The subchapter where we build ourselves an unchanging loose-leaf collection.
First stamped loose-leaf
Let’s start our approach to blockchain technology with an analogy from the analog world: an anarchic mix between accounting and the notary’s office. (As junior notaries, they are initially only allowed to juggle small financial assets. In later chapters, they are then allowed to notarize contracts and transfers of tangible assets. That is why we call them “notaries” even now, although they are more into bookkeeping for the time being).

For efficiency reasons, several notaries share the work. Because of the chronic back pain that came with it, the large, heavy notarial book with the collected confirmations of the last centuries has been abolished. Instead, a loose-leaf collection (much more popular with legal staff anyway) is used. So on the first day, the responsible notary fills out the list of transactions and confirms their accuracy with her official stamp.
Second loose-leaf with copy of the first
The next day, the notary on duty repeats the same procedure. But so that none of the notaries can later replace the sheet from the previous day with another, his list for today includes a scaled-down copy of the yellow list from the previous day. He stamps this compilation in the evening as usual to confirm its accuracy.

On the third day, the process is repeated with a third notary. This one also stamps his list in the evening together with a scaled-down copy of the list from the previous day, on which, transitively, again a scaled-down copy of the day before last can be seen and so on.
Third loose-leaf with copy of the second, on which the first is also visible
Continuing this process, the notaries generate a common chain of documents in a coordinated manner. In this chain, no previous document can be exchanged without simultaneously adjusting all subsequent documents as well. And that would definitely attract attention.

But coordination of the stamping right and duty also requires trust and recognition of authority. Below we will see how we can solve the paper blockchain without this prior agreement (and thus trust in anyone), because this is also the cryptoanarchic basis for the digital blockchain.

For simplicity’s sake, our junior notaries have a set work schedule for now and enjoy their time off, so there are no conflicts over who is responsible for which day. This will change as we get closer to understanding the real blockchain.

Digital Blockchain

The subchapter where we digitize the loose-leaf collection with Lego bricks.
The blockchain as stacked Lego blocks
Let’s switch to the digital blockchain, such as the one used by Bitcoin. It works very similar to the loose-leaf collection above: Each block consists of a list of transactions and someone asserts the veracity of the list. This someone is generally called the “creator” here; in cryptocurrencies, they are commonly know as “miners”.

A cryptographic checksum, a so-called hash, can be calculated for each block, and the checksum of the predecessor block is then stored in the current block, analogously to the scaled-down copy of the previous day in the notary example above. This means that the new block is irrevocably bound to its predecessor block and, indirectly (or transitively), to all of its ancestors.
Each block is unique (especially its end plate)
For a more detailed understanding, let’s tune our stackable blocks a bit: Instead of always having the same well-known regular Lego pattern, where each block matches every other block, each block now has a unique dot pattern on top, corresponding to its unique hash. The following block must now-like a matching lock and key-have the exact matching hole pattern so that the two blocks can be stacked.
The next block must have the matching holes, otherwise stacking will fail
The properties of the hashes used are such that even if all the computers in the world did nothing else for billions of years, they could not find a second block that had the same hash value. The end result is that we have a perfect reduction of the previous block stored in the current block: Instead of the 1-2 megabytes that a typical predecessor block occupies, only 32 bytes, about 50,000x less, are used.

(In contrast to the paper analogy, where it is still possible to read out all details directly from the slightly reduced copy, it is impossible to read out any contents of the predecessor block from the hash alone. The actual purpose of both paper copy and hash-the unique identification of the predecessor block-is, however, perfectly satisfied in both cases).

Wanted: Notaries without duty roster

The subchapter where we liberate the notaries and finally allow them to live and work independently.

Our notaries used to have a clear duty roster: On each day, exactly one person was responsible for keeping the list. The list was created by mutual agreement or by assignment of their boss. Bitcoin is a brainchild of both crypto-anarchy and the outrage at the behavior of the central power structures in the financial crisis; accordingly, there must be no supervisor role of any kind there! No matter how useful a boss is in increasing the efficiency of coordination and creating rules, at some point a boss could abuse their power and there would be no mechanism within the system to prevent it.

In the real world, there are mechanisms for deposing abusive or corrupt superiors, but this dismissal can sometimes be lengthy and laborious. Real-world mechanisms to prevent and detect bad developments at an early stage include honesty, empathy, and trust. These evolutionary advantages lead to avoiding such situations or remedying them quickly. However, these require regular interaction and therefore do not scale to 8 billion people. And they do not fit into the crypto-anarchic world view anyway, according to which one does not want to make oneself dependent on anyone.
Probably the best-known examples of self-organization
are provided by schools of fish and flocks of birds. Maybe some of you even remember the exaggerated (and thus particularly catchy) depiction of the moonfish in “Finding Nemo”.
(Image: adiprayogo liemena at Pexels)
This leaves only agreement between the notaries as a way out, the above-mentioned consensus. However, not only do we not have a boss who makes a duty roster, we also do not have a boss who hires notaries or calls them back if one of the notaries prefers to go fishing on their scheduled work day.

That means, we need a system that has to cope with a constantly changing number of notaries, all of whom do not want to take an aptitude test beforehand and do not want to announce their presence or absence beforehand. The purest chaos. Or, somewhat nicer, a self-organizing (or, even more educated, autopoietic) system.

Human groups are much less homogeneous than schools of fish; accordingly, there are hardly any self-organizing groups with more than a dozen people. For larger groups, sooner or later structures for the division of labor therefore emerge. In standardized work processes, these structures reduce the coordination effort and thus increase efficiency. But it is precisely these structures with the associated power positions and dependencies that one wants to avoid with cryptocurrencies. This is at the expense of efficiency, as we will see next.

Organizational structure

The subchapter in which notary publics learn to communicate with each other from their home offices.
A network to bind them all
For our paper-based notaries to form a notary’s office, we need to have both

1. an organizational structure (in this subchapter) and
2. an incentive or punishment system (carrot and stick), i.e., a substitute for bosses and wages, which we look at in the upcoming chapter.

First, the structure: All those who want to try their best at being notaries become part of a network of equal partners, also known as a peers, for the purpose of exchanging information. In such a peer-to-peer network, (1) transactions which are to be included in the blockchain are communicated to everyone, and (2) the newly created blocks (or, in the analogy, the stamped paper slips) are stored by everyone.

This peer-to-peer system is a set of computers (“nodes”, in the figure on the right the circles with the letters) and a number of connections (channels or “edges”) between them, over which messages can be exchanged. Now, if the blue node A has a new message, it sends it to all of its neighbors, as indicated by the blue arrows; in this case, nodes B and C. If the information is new for these two and passes their validity checks, they in turn send the information on to all their other neighbors: Thus B sends the message to C and D (red arrows). A is left out, since B has received the message from there and thus knows that A already must have this information.

C in turn sends the message to its neighbors B, E, and F. On the connection between B and C, the message travels once in either direction, since at the time of sending, B and C have no way of knowing that their respective peers already know the message.

This so-called “flooding” creates a (tiny) tidal wave, sweeping through the entire system of channels, reaching all the nodes from A to G. Many of the participants receive the message multiple times, in the worst case once from each neighbor. Not very efficient, but that’s how it is when you can’t or won’t trust anyone.

Finally, this means for our notaries that they can write off any thoughts of ever having any free time again. While this is not particularly conducive to motivation, it is robust against failure (or even malice) of individual participants. Lacking central authority, there are no options for sanctions, so everyone must look out for themselves first and rely as little as possible on anyone else. From a cryptoanarchic point of view, this waste is better than trust; a pattern that accompanies us again and again throughout the entire ecosystem.

Carrot and stick

The subchapter where we motivate freelancers.

However, the above-mentioned flooding of messages through the notary network is only a tiny part of the daily grind: our notaries not only have to constantly forward all messages, but everyone also has to constantly update the transaction list, because you do not trust your colleagues to do it right. On the other hand, this also means that from now on you have no free time, because you are busy working around the clock and checking the work of your colleagues. And even this is done in a very inefficient way.

But first back to real-world day-to-day work: One way to keep a team “on track” is to create an incentive system with defined criteria and rewards. With human teams, verifying that criteria have been met is very difficult, even if it has been attempted with piecework, for example; this is know to reduce (good) intrinsic motivation to (not as powerful) mostly extrinsic motivation, known as the Overjustification effect. This is hardly sustainable, as quantity comes at the expense of quality, or team members try to make their own performance look better or belittle the performance of colleagues: Intrigue, concealment, lies, and manipulation, possibly up to sabotage. These are key elements to guarantee suspense in movies and novels, but in reality they are highly detrimental to productivity and the achievement of common goals.

In our exotic notary’s office, processes are simple, repetitive, and standardized, which is why most blockchains assume objective measurability of work performance. Thus, a monetary incentive system was created for Bitcoin, which awards a reward (in Bitcoin) based on concrete, verifiable rules for the creation of a block if this block is generally recognized. This is why this procedure is called “Proof of Work” (PoW).

So far, so simple. But how can you punish someone if they have not done their work well enough? You make the work so strenuous and tedious that no one does it voluntarily unless they can expect to be generously rewarded for it!

Thus, the incentive is based on one of the strongest motivators humans have: Greed. Greed for money and power. And this incentive also works perfectly, at least superficially. But precisely because of its now corrupting strength, greed leads to the inexhaustible human inventiveness being put to its service and loopholes being sought and found. More on this after the facts in the “reality” chapters in this and the next post.

Work and wages

The subchapter in which honest cooperation is finally rewarded.

Anyone who wants to add a new block to the Bitcoin blockchain receives a reward of currently 6¼ Bitcoin (₿) for creating (“mining”) the new block, which is currently equivalent to just under a quarter of a million Swiss Francs (or, approximately, $ or € or £). Not bad for 10 minutes of work! And no wonder greed has become the driving force. (More on finance and its role in the ecosystem in the next article).

If you want to claim that quarter of a million, what do you have to do?

1. Collect incoming valid transactions (more on this then in the next article on cryptocurrencies and transactions).
2. Include as many pending transactions as possible in the new block to be created.
3. Process the block until “enough work” has been done (explained next).
4. The creator (“miner”) of these blocks then receives the 6¼ ₿ reward as well as the transaction fees of all transactions included in this block (the collected transaction fees of a block only amount to roughly 1 % of the mining reward, as of today). Let’s hope this is you!

This so-called d100 (or “Percentile dice”)
has “only” 100 faces. On average, it shows a 1 every hundredth roll.
“Sufficient work” is done when a cryptographic puzzle has been solved that requires repeated, arduous trial and error. For example, any mining computer on the Bitcoin network could tirelessly roll a 120-sextillion-sided die (1 sextillion is a 1 followed by 21 zeros!) until it scores a 1. This successful dice roll is obtained on average after 120 sextillion attempts. With this result, the “Proof of Work”, the miner can claim the block and collect the reward.
Our notaries incessantly drop 120 sextillion stamps from the ISS
­­Our notaries do not play dice, of course. But they love hide-and-seek games, are very forgetful, and at the same time passionate space tourists. That’s why, when their transaction collection work is done, they hide their completed transaction list somewhere on the 510 million square kilometers of the Earth’s surface, immediately forgetting where they put it, and head off into space. From there, they throw their rubber stamps as fast as they can onto the earth’s surface until one hits the 6 cm by 7 cm stamp field of their transaction list. (510 million km² / 120 sextillion ≈ 42 cm². 42. honestly! Hopefully nobody seriously gets the idea to use the earth as a giant ball…).

Computers do not roll dice or throw stamps, since cheating would be too easy with both techniques. Therefore, when attempting to “mine” a new block, a specially designated field in this new candidate block is filled with a random content until the value of the checksum (“hash”) over the block is sufficiently small; as small as it gets only once every 120 sextillion times. This sufficiently small hash, after countless trials, is thus the proof of our work. (Incidentally, the hash of the block cannot be predicted without actually computing it, i.e., there is no shortcut).

The more computing power there is for mining, the faster this puzzle is solved. However, a design decision of the Bitcoin protocol states that a new block should be added every 10 minutes on average. To ensure that this remains the case as computing power increases or fluctuates, the definition of “enough work” must be regularly adjusted to reflect the computing power available on the network. In Bitcoin, this adjustment of the difficulty happens every two weeks.

In the dice analogy, this would mean that if there are more or faster participants in the network, the dice would also be rolled with a correspondingly larger die, and thus the dice would have to be rolled more frequently until a one appears. (In the case of our space notaries, the size of the target field for the stamps would be reduced).

This results in the following:

1. It depends extremely on chance who “mines” the block and “wins” the quarter of a million. To achieve more even, predictable payouts, miners gather in pools, which then divide the proceeds among themselves.
2. It can happen that several nodes get lucky almost simultaneously and find one of the countless (around 1 septendecillion, a 1 with 54 zeros) possible solutions to the cryptographic puzzle. Thus, several valid new blocks exist simultaneously. In general, these blocks differ by the list of transactions included in them, so they are not interchangeable. Accordingly, the system must make a choice as to which block to continue working with. Details are given below.
   All others who have unsuccessfully “rolled the dice” have another chance (like in the lottery) with the next block. At some point the big win must come…
3. While the carrot is the chance to win (like a played lottery ticket), the stick could be seen as the wanton tearing of the lottery ticket: If you have made the immense effort to mine a valid block (“rolled a one”), but the other nodes in the Bitcoin network don’t accept that block because you made a mistake (e.g., recorded an invalid transaction), then you forfeit your chance to win and are guaranteed to remain on the accrued costs (electricity costs for computer and cooling, rent, amortization, …) without even a hint of a chance to win.
4. As long as someone believes that his or her accumulated costs are lower than the long-term expected share of a block’s proceeds, they will try to set up additional mining capacity. I.e., computing power follows the price of bitcoin as long as no bans change the rules).
5. Whoever can get electricity (and cooling) cheaply is at an advantage. As a result, mining tends to be done at locations with low electricity costs, which is often coal-fired power. (Unless you “get” the electricity for free).

Collapse of mining rate in China (yellow) after de facto ban on cryptocurrencies (Image: CBECI).
The Cambridge Bitcoin Energy Consumption Index (CBECI) assumes an annual electricity consumption of 125 TWh for bitcoin mining, the Digiconomist of 200 TWh. At the (for western Europe: unrealistically) low electricity price of 5 US cents per kWh assumed by CBECI, electricity alone would cost 6.25 or 10 billion USD, or 20 or 32 million dollars per day(!), and the trend is rising.

This high energy consumption is also brought up in between as an argument for banning proof-of-work cryptocurrencies. As high as this effort is, it should (like all political decisions, but not only these) always be seen as the result of a cost/benefit analysis. For this, I defer to the subsequent cryptocurrency article.

Immutability in the blockchain

The subchapter in which we try our hand at forgery and fail gloriously.
Finding a matching replacement block is “impossible”
One of the important arguments in favor of a blockchain is its immutability. Thus, replacing an existing, established block in the blockchain with another at a later date is not possible without also laboriously adapting each of the subsequent blocks (remember the loose-leaf analogy). That is, we cannot simply take one of the blue-purple blocks (for example, the one labeled “OK” in the image to the right) and replace it “just like that” with the cyan block (“BAD”), which is why it is also crossed out in red. This is due to the security of the cryptographic hash function used.

What would have to happen to replace the block “just like that”?

The Bitcoin network combines a massive computing power for its proof of work, and consumes 500 times more electricity than the world’s most powerful supercomputer. And despite this phenomenal computing power, the entire Bitcoin network would have to calculate for 20 octillion years to replace one block with another so that its checksum (hash) would be the same as that of the original block, i.e. it could be accepted as a valid member of the chain. (Whether it would actually be accepted is another matter).

20 quindecillion years are written as 2 with 49 zeros. Who prefers comparisons to the age of the universe: all those computers would have had to calculate continuously since the big bang more than 13 billion years ago and still would only have completed a minuscule fraction (one dodecillionth; a dodecillion being a 1 followed 39 zeros!) of their Sisyphus work. (And even Deep Thought would probably find the answer to the “question of all questions about life, the universe and all the rest” faster than a replacement block).

People from the IT security environment cautiously call this “impracticable”; ordinary mortals, however, prefer “impossible”.

Alternative rules

The subchapter where notaries look for a less repetitive, easier job.

The proof-of-work rules inevitably lead to energy waste, which usually only increases with time or popularity. This pleases neither environmentalists nor the operators of the mining computers (“rigs”) themselves: They would rather rake in more money themselves than spend it on electricity and hardware. Accordingly, alternative systems have been and are being considered, in particular Proof of Stake (PoS) and Proof of History (PoH).

The goal of all these rules is to achieve security, speed, and decentralization at the same time. Unfortunately, no one has yet managed to achieve all three simultaneously in an open blockchain. Despite intensive attempts, trade-offs have always been necessary so far, a realization which is referred to as the “blockchain trilemma“.

Proof of Stake

None of the prominent blockchains uses proof of stake productively as of now. Ethereum, the number two behind Bitcoin and based in Zug, is currently still working on a proof-of-work basis, for which more than half of Bitcoin’s power consumption is currently used. Ethereum has wanted to introduce PoS productively for years; after several postponements, it is currently scheduled for the second quarter of 2022, parallel to PoW, which is still running.

What is Proof of Stake? The underlying assumption is that the more shares of a cryptocurrency you own, the more likely you are to care about the welfare of the cryptocurrency as such and thus would not act against the interests of the cryptocurrency. (Since this would assume an extremely homogeneous humanity, this claim certainly does not cover everyone.)

Let’s start again with an analogy, a self-organizing village. The villagers feel disturbed in their work and leisure time day and night by the hectic running around of the proof-of-work notaries. Due to their lack of sleep, the notaries have also become very anti-social; no one wants to have anything to do with them anymore. Therefore, the Council of Elders decides to switch to Proof of Stake, and thus from (proof-of-work) miners to (proof-of-stake) validators.

Here is the PoS process using the example of the validator committee responsible for March:
Timeline of committee activity for Proof of Stake (PoS)

• Per hectare of land ownership, its owner can request a say in the new PoS village council. Those who own less must join with others and someone represents this pool; the internal organization in the pool does not matter to the other residents.
• Before January: Anyone who wants to apply for the right to a say must put their property on the line for this, so-called “staking” (and therefore also putting your land at stake). This application (and the accompanying pledge of the property) is entered in the blockchain and notarized (we will see how in a moment).
• January: 128 hectares are selected each month for the month after next (here, March) from the hectares with an active stake. Their representatives will be engaged as “validators” (or confirmers) for March.
• This PoS participation replaces PoW mining. It too comes with carrots and sticks: in their month of service (and only then), validators work analogously to PoW notaries. Instead of validating their honesty by willing to do useless work (endless dice rolling or stamp dropping), they do so by giving a portion of their real property as a pledge of their honesty, as seen above.
• February: The committee prepares mentally for their mission (to ensure that everyone is in the same boat at the beginning of March).
• March: For each day, one of the validators on duty was also selected as the “proposer”. This person maintains the loose-leaf list for that day. At the end of the day, they stamp the list, again with a small copy of the previous day’s sheet for chaining.
• April: All validators review the loose-leaf collection of their month of service.
• May: Our (March) validators go to the (May) validators responsible for the current month. There, they declare their support for the work submitted by their respective daily proposers by signing the current (May) loose-leaf. This process is called “attestation”. As soon as ⅔ of all March validators have attested, March is considered “justified” (or, more simply, confirmed) and the March validators receive their success reward: additional, new plot shares (the carrot, the substitute for the “mining reward” of PoW).

The stupid, repetitive work of PoW has been dropped at the expense of much more complex coordination. At the level of abstraction shown above, it may sounds quit simple and convincing. However, the above description is massively simplified compared to the actual function of PoS on Ethereum.

Additional complexity not covered above comes from the fact that Ethereum splits this work across 65 blockchains (one main or coordination chain, the “beacon chain”; and 64 transaction chains, the “shard chains”)

However, the greatest complexity in any distributed system always arises from the detection of errors and the handling of special cases. Countless rare corner cases have to be handled sensibly and it has to be ensured that everything continues to run, even if something goes wrong: Whether it is a proposer or other validator calling in sick, being overloaded, or otherwise unavailable; when there is disagreement between proposer and other validators; when someone falls asleep during the elections; and many more. In the case of Ethereum, all are implemented in an automated fashion with appropriate penalties for the wrongdoers and rewards for the rest. Even under the most unfortunate combinations of errors, the system must always be able to continue to operate in a meaningful way.

Random numbers are a special weak spot in this game. They are needed e.g. for the random, fair selection of committee members or the distribution of proposer activities among the members. In a blockchain environment, however, randomness is anything but simple, and the seemingly trivial task is implemented in Ethereum-PoS with an elaborate “smart contract” with (1) stakeholders of their own, (2) even more cryptocurrency put at stake, and (3) carrots and sticks again with credits being distributed and collected. This random number smart contract, dubbed “RANDAO“, is one of the many tiny cogs in the whole process. (A separate future article is devoted to how smart contracts work.)

As we can see, the blockchain itself can only function if countless smart contracts constantly interact tightly and correctly, like a finely tuned clockwork. In turn, however, the proper functioning of the blockchain also depends on these smart contracts. Computer scientists try to avoid such cyclical dependencies in distributed systems at all costs, since they lead to more complexity and additional single points of failure.

Full membership in the Ethereum-PoS VIP lounge starts at 32 Ether, currently available for around 80,000 francs. Parts of this stake or even their entirety can get lost if a computer crashes at the wrong moment or its network connection is disrupted (e.g. during the “RANDAO” mentioned above).

Risks with Proof of Stake vs. Proof of Work

If a proof-of-work machine fails (crash, power failure, network problem, DoS attack, …), its chance of making a profit may be reduced, but any capital earned before remains untouched.

With Proof of Stake, on the other hand, you want to “stake” as much of your assets as possible, since the profits are distributed in proportion to the capital staked. And if the computer fails at a bad point int time, your entire staked capital is gone.

Permissioned Blockchains

In addition to public, open (“permissionless”) blockchains based on the Bitcoin model, so-called private or “permissioned” blockchains are popular for closed user groups in business applications: To join the closed user group, traditional contracts with paper and signature are concluded. The members are then each allowed to integrate one computing node into this closed system.

These computer nodes then ensure that new entries are only added to the blockchain if they receive at least a ⅔-majority of approval. The system is thus immune to Byzantine errors, i.e. the system functions correctly as long as less than ⅓ of the nodes fail or act erroneously/maliciously.

In such a controlled environment, detecting or preventing dominant players is much easier than in a model where anyone can just join or leave at any time, no questions asked. In contrast, the permissioned model also lacks the universality that a public blockchain strives for.

Further, the permissioned model is mostly used for applications other than currencies, so it is typically not self-funded. The “miners” cannot be rewarded with something inherent in the system (e.g. a Bitcoin). Instead, somebody has to pay for the cost of the system (computers, electricity). That “somebody” is typically an organization formed specifically to operate the blockchain. But then the scheme is no longer fully decentralized: a centralized authority is funding it.

At the top it wobbles the most

The subchapter where we resolve Lego tower building conflicts and recheck stability.
Sometimes, there be more than one (simultaneous) new block
Since 2009, the Bitcoin blockchain has grown to a height of now over 730,000 “Lego blocks”. We have seen that it is “impossible” to pull out a block at the bottom and replace it. After all, it is Lego and not Jenga!

But what does it look like at the top? In the mining process, which is characterized by luck (rubber stamp or dice throwing), several new valid but different blocks can be created practically simultaneously. It often takes several dozen seconds, sometimes more than a minute, for all nodes to be informed about a new block. About every 11 days, therefore, two potential newest blocks are in wide circulation at the same time. But there can only be one, because consensus on the account balance must somehow be guaranteed.

Therefore, the top few blocks are considered unsafe, often until about six blocks have been stacked above them, which takes an hour on average, but can take up to 6 hours (the waiting time only depends on dice throwing luck). Then the probability is high that an additional, longer chain will not suddenly appear somewhere.

This leads to further conclusions:

1. If there are multiple candidate blocks in play, each participant chooses one of the candidates as the basis for the subsequent block, regardless of the decisions of all other participants. (Typically, this is the first valid block he has seen).
2. Candidate blocks that the majority is not “happy” with remain in irrelevant side arms of the blockchain and are therefore ignored.
3. The “happiness” is defined by the rules in the program code and may change over time.
4. In other words, the majority determines the course, even if there are individual stubborn minorities who then ride their special train (“hard fork,” a kind of declaration of independence). This mechanism has also been used for targeted discrimination or exclusion of members and technologies.
5. A transaction that only appears in one of these sidearms will not be recognized by most members. But if the transaction is basically valid, it should be included in one of the next regular blocks and thus eventually come to recognition.

Technical summary

The subchapter which tufts everything again nicely.

Millions of computers with a power consumption of 500 supercomputers or an industrialized country are constantly trying to solve a cryptographic puzzle. The puzzle difficult increases as more or faster computers take part in it, so that on average a new block is created every 10 minutes. Solving this cryptographic puzzle (“proof of work”) is intended to confirm that one is sufficiently interested to seriously commit to the principles of the blockchain, i.e. not to cheat.

However, if enough people do not agree with the rules (or cheat together), these rules become the de facto standard (“Code is Law“). This is how changes are implemented or spin-offs or exclusions occur.

The incentive to provide these computing resources, to bear the enormous power costs of 20-30 million francs a day, and to abide by the rules is based on the freshly minted cryptocurrency (currently around a quarter of a million francs every 10 minutes) created from nothing and the transaction fees, currently a few thousand francs per block. In turn, as we will also see later, there is also a desire to make the rules so that the income or value of the cryptocurrency becomes as high as possible.

Alternatives

The chapter where we review other Creations.

From the perspective of blockchain aficionados, the world was desolate and empty before Satoshi Nakamoto separated the world into light (blockchain and Bitcoin) and dark (everything else) on the first day and then retired; perhaps to watch the price development of his first million Bitcoins with relish.

But digital archaeologists, working tirelessly, have discovered that important approaches existed even before that:

Prehistory and early history

The subchapter where we travel back in time before the Bitcoin Big Bang.
Image source: Alan T. Sherman, Farid Javani, Haibin Zhang, and Enis Golaszewski: On the Origins and Variations of Blockchain Technologies, IEEE Security & Privacy, Jan/Feb 2019
David Chaum, the busy cryptographer we will meet a few more times in this series, already dedicated himself to a blockchain-like protocol in his 1982 dissertation “Computer Systems Established, Maintained, and Trusted by Mutually Suspicious Groups”.

In 1990/91, Stuart Haber and W. Scott Stornetta addressed the issue of the traceability of digital processes by means of time stamps, digital signatures that confirm the existence of a digital file at a certain point in time. In particular, they investigated the question of how to make the issuance of falsified (backdated) time stamps transparent and thus recognizable as forgeries. A variant of their method has been in continuous use since 1995 as the PGP Digital Timestamping Service.

Timestamps are especially useful when you want to prove the existence of a document at a certain point in time or to show that a document has not been modified since this point in time. Application areas are diverse and range from the patenting of inventions to copyright and use in forensics.

In 1997, Ross Anderson described the Eternity Service, an anonymous, decentralized storage medium that protected documents against denial of service. Since 2000, the LOCKSS (Lots of Copies Keep Stuff Safe) system has been protecting digital documents from loss or corruption in a decentralized manner. LOCKSS research also resulted in the first (award-winning) proof-of-work system for consensus building in 2003.

Since 2001, there have been distributed systems for tracking the development of program source code, in which the current state references the previous state by referencing its hash (the “checksum” mentioned repeatedly above), thus making backward substitutions of previous states impossible. The source code management system Git, published in 2005 and written for the distributed development of the Linux kernel, has become the dominant form of source code management for open source projects and is also indispensable for enterprise software development. As such, Git could arguably be described as the world’s most widely used blockchain solution. In contrast to the previously described systems, each developer can grow their private chain as they wish. Consensus is reached through (human) dialog. Multiple chains are not really a problem and when a new consensus is established, the work done in a distributed manner is not lost.

Blockchain Trilemma

The subchapter in which we learn the hard way that we get everything at the same time.
Not all three at once
The blockchain trilemma postulates that you can achieve a maximum of two of the three following implementation attributes simultaneously: security, speed and decentralization. There is no formal proof of this; however, until now, every blockchain project has run up against this barrier in some form or other.

Accordingly, any assertion to the contrary should be taken with extreme caution. Remember: “If something seems too good to be true, it probably is.”

Can it be a little less?

The subchapter where we see once again that if we want less, we get more.
Everything becomes easier if you can omit one of them (see enumeration)
From the point of view of functionality, we can also form a triangle:

1. Reaching a global consensus (everyone sees the same state in their books, the distributed ledger),
2. the complete absence of any trust between the participants; and
3. the desire for everyone to beable to enter their own data if they only meet certain minimum requirements; they do not have to go to a coordinator to do this.

Achieving all three goals simultaneously is very costly, as we have seen. If we could omit at least one of them, the problem would be much easier to solve. Let’s therefore look at them one by one:

Do we need global consensus?

Let’s divide the consensus problem into three cases: Private blockchains among contractors, public blockchains for traceability only, and public blockchains with cryptocurrencies.
Are the expensive extras really necessary?
The main use of private blockchains is for business partners to assure each other of certain things. According to the nature of things, these are mostly bilateral contracts. No global consensus is required for this, only the two business partners have to agree. This is much simpler and can be implemented much more efficiently than a global consensus. The complexity of the blockchain is therefore completely unnecessary or even harmful (slower response times, unnecessary publicity, costs, …).

In the case of a public blockchain on which a currency or other elements from the subsequent articles are built, global consensus seems important at first glance, since everyone should be informed about every account balance. But even this is not mandatory, as we will see with alternative payment solutions; local consensus or consistency (which is much simpler than consensus, as it only requires the absence of contradictions, instead of perfect agreement) is often enough. But more on this in the article on cryptocurrencies.

If public blockchains are only used as information repositories, as is the case with most blockchain-based public sector digitization projects, global consensus is entirely unnecessary. Integrity, transparency, and proof that the information has not been tampered with are quite sufficient, and these attributes are much easier to achieve. If I want to show that a certificate has not been altered, a digital signature from a trusted authority is sufficient. Although immutability is regularly cited as a goal, it often is not actually desirable. Errors such as typos or vandalism should be able to be corrected, and the right to be forgotten also has to be taken into account. That is, entries should be able to be corrected or deleted, but these changes should be traceable, either only by supervisory bodies or by the general public, depending on the actual application.

(The technically most expensive and most complicated of the additional options is the protection against using a single piece of currency multiple times in parallel, aka “double spending”. We only need it if the blockchain is to keep records of things that, like money, must only be spent once. More about this in the upcoming article on cryptocurrencies).

Do we need write permissions for everyone?

In many use cases, there are only a few authorized writers; ideally, they even belong to the same organization (commercial register, land registry, …). Alternatively, they are known to be responsible for only part of the data (hierarchy, federalism, …). I.e. even if consensus is necessary, it is clear who may contribute what to this consensus. Again, this leads to much simpler solutions.

Would you like a sprinkle of trust with this?

The huge effort that goes into proof-of-whatever and fully automated consensus is eliminated if there is at least a modicum of trust and external mechanisms (press, courts, …) can be used if this trust is abused.

Reality

The chapter where we revisit the original promises.

Let’s look again at the promises for which blockchain is being sold as a panacea.

A remark in advance: As the topics in the promises are only stated in very general terms, no detailed analysis can be made. Nevertheless, I have tried to make this more specific by adding my personal expectations from such a system as requirements.

The topics were analyzed according to eight criteria:

• Whether they need integrity, traceability, immutability, or protection against double spending
• The “global consensus” has been divided into two:
  
  1. Do we need something global or multilateral, or are much simpler bilateral agreements enough? (“More than two organizations”)
  2. Is multilateral/global consensus necessary? (Consensus between two organisations is much easier; this alos applies if only consistency is required)

  
  

• Whether this is a technical (or technically solvable) problem at all, or whether we are rather dealing with a Layer 8 problem here, i.e. the human desire to be involved in decision-making or to be allowed to go one’s own way.
• Last but not least: Do I think the complete, globally uniform digitization of the respective process is a good idea at all (either in general or specifically by means of a blockchain).

The purely financial topics “financial transactions” and “money laundering” can be found in this table; nevertheless, they will be dealt with in the next article.

Topic	Inte­grity	Traceability	Immutability	>2 Orgs	Consensus	Double Spending	Layer 8	Idea
Financial transactions	✅	✅	✅	(✅)	(✅)	✅	(✅)	✅
Health care	✅	✅	•	✅	•	•	✅	😨
Identity management	✅	✅	•	•	•	•	✅	❓
Money laundering	✅	✅	•	•	•	•	✅	❓
Insurances	✅	✅	✅	(✅)	•	•	✅	❓
Supply Chain	✅	✅	•	(✅)	•	•	✅	✅
Mobility	✅	•	•	•	•	•	✅	❓
Energy markets	✅	✅	✅	•	•	•	✅	✅
Digital elections	✅	(❌)	✅	•	•	•	•	😨
Digital certificates	✅	•	•	(✅)	•	•	✅	❓

Let’s take a look at a few hot topics as examples:

Digital elections

The subchapter where we shudder again more about the idea of digitizing elections.

e-Voting was a hotly debated topic in Switzerland a few years ago, so here are just a few key points. Trust is essential when it comes to voting:

• Trust that my vote is counted (and counted correctly);
• Trust that no one can assign my vote to me if I don’t want them to;
• Confidence that votes cannot be faked, bought, or extorted (at least not scalably). One traditional means to minimize vote buying is to ensure secrecy of the vote.

Therefore, we want integrity and immutability, but traceability on a large scale is already dangerous.

We do have a strict organization with hierarchy (federal, cantonal, municipal level) and not a horde of mutually distrusting individuals; thus, global consensus is ensured simply by passing the results to the next higher level of hierarchy (and verifying that they are included in the result).

Electronic systems of various kinds have turned out to be unreliably, easy to manipulate or faulty or insecure. Even in the absence of these technical, but in part also fundamental, issues, the problem of intransparency or lack of traceability remains: Currently, the paper-based vote counting process can be observed in many Swiss municipalities. Thanks to this critical public, some problems with e-counting in the city of Bern could also be identified and have led to improvements.

This means that electronic voting may seem sensible, but it carries high risks of electoral fraud or (even worse) a loss of trust, and it offers hardly any time advantage (at least in Switzerland, the results are usually known a few hours after the polls close). Despite the intense discussion, no one has yet even begun to show how a blockchain could help there (beyond hand-waving general claims). On the contrary, I could well imagine that such systems would be the wet dream of any totalitarian regime.

Accordingly, I see no reason to think electronic blockchain voting is anything but a horrible idea.

Degree Certificates

The subchapter where only failing grades are given.

In Germany, a project to blockchainize school report cards has just been scrapped without results after spending over €1 million.

First, there are fundamental concerns that any guaranteed genuine digital documents would increase pressure for data or identity theft. On the other hand, it is questionable how the quality of the data will be guaranteed, along the lines of:

“The blockchain can’t lie to you, but you can lie to the blockchain.”

(This is, by the way, half of the Blockchain Oracle Problem.)

Third, this also raises the question of what blockchains would contribute to Degree Certificates:

• In any school, several people are naturally involved in feeding data to the the certificate process and thus having the possibility to issue incorrect certificates directly or indirectly. False or bogus certificates introduced into the trusted process in this way would be indistinguishable from correct certificates, be it on a blockchain or not.
• Integrity, traceability and immutability would be guaranteed by a digital signature from an official body anyway, so there is no need for an (additional) blockchain.
• Subsequent backdating of certificates could be prevented via independent time stamps.
• Consensus between schools is not necessary. Each may issue certificates for its graduates independently.
• Even the decentralization of Blockchain is undermined: the verification of document authenticity only worked via the central gateway of the Bundesdruckerei.
• The reason for the lack of universal acceptance of digital Degree Certificates is the lack of widespread recognition of a uniform procedure, not the complexity of its technical implementation. i.e., it is a typical Layer-8 problem.

Furthermore, essential basics of secure design of (not only web) applications were violated when implementing the application, throwing generally accepted design criteria such as use of few, simple tools, don’t trust any user input, … in the wind. These things should be considered and built in from the beginning, not only if you want to build a particularly trustworthy application.

This project not only shows that fundamental questions seem never to have been asked. Its use of 16 (!) blockchains raises big questions. Already a year ago, an expensive prototype of a vaccination certificate (which was not put into operation afterwards) was publicly criticized by various sides without understanding the pompous use of 5 blockchains. The new increase to 16 blockchains not only looks weird, but IMHO only allows (either of) two conclusions to be drawn:

1. None of the 16 blockchains is reliably expected to continue to function and be secure in the future, i.e., to be able to play its primary role as a persistent, trustworthy storage.
2. Too many special interests were represented in the consortium: Everyone wanted to push “their” blockchain.

Neither speaks to confidence in blockchains and their proponents.

Both projects’ (proof of vaccination and certificates) use of multiple blockchains also points out that consensus is irrelevant. Instead, everything that matters is the (much, much simpler) proof of creation before a certain point in time, a.k.a. timestamp.

(Incidentally, this project also provides another frightening example of how technical implementations often completely ignore the needs of an important user group. The students, for example, who should certainly be important beneficiaries of this technology, were expecting the project to culminate in something entirely different: timely feedback if their performance is unsatisfactory and what they can do about it. This has nothing whatsoever to do with digital signatures on diplomas.)

Supply chain 1: Provenance/origin

The subchapter in which we repeat ourselves again. On purpose.

Were the bananas really grown under humane conditions? Are the medicines on my table genuine or are they not potentially dangerous counterfeits? These are the kinds of questions that blockchain technology is supposed to solve. Let’s keep it short, as many ideas have already been explained with certificates, above:

• Certificates of origin, certificates of organic growth, etc. are primarily about financial interests; and when this process is exploited by unscrupulous managers with lies, neither the certificates nor their authenticity are worth the paper (or bits) they are printed on.
• Whether the certificates or the products (or both) are replaced on the delivery route cannot be checked digitally (the Oracle Problem again).
• Once again, no technical features are required that extend beyond simple bookkeeping or digital signatures.

In both cases, the blockchain is not the solution, only trust (and control) can help. Yes, this requires human contact and the odd on-site visit; but anything else is nothing more than an open invitation to fraud. Deal with it.

Supply Chain 2: Contracting

The subchapter where only standard processes help.

The second promise around supply chains is easier and faster formation of contracts. A contract is only really important when the contracting parties disagree. Then it must be watertight, with clear rules on when the contractual obligations are deemed to have been provided and what dispute resolution mechanisms are accepted. As long as all is sunshine and roses, a rough definition of the respective duties is more than sufficient.

A contract in a blockchain (and even more so, as we will see, a smart contract) must also be suitable for those bad conditions. A real speed advantage only arises if one can rely on the cooperation of the counterparty (common interest, trust, small risk, …) or can reuse elements from standardized contracts.

Evaluation

The chapter in which we look back disillusioned.

Here is a brief summary of the preceding pages:
Misapplied security mechanisms, including blockchain, are a daunting obstacle for the good guys, but no protection against the bad guys. (Image source unknown)

• Blockchains are attributed all sorts of properties, but these are rarely justified in concrete terms. On the contrary, it seems as if there are no reasons at all to reduce cloudiness in requirements, complexity in systems, or lack of structure in explanations.
• Simple, clear solutions are always preferable when there is a sincere desire for transparency and security. Complex solutions not only offer higher potential for error or misuse; they are also often used intentionally to obscure the true processes.
• Whenever you implement a process, you should know in advance which technical features you really need. Clarity about your goals and essential requirements simplifies the implementation and reduces the resource consumption of the resulting solution; often massively.
• The technology itself is almost trivial; but by assuming complex distributed dependencies and refusing to include even an inkling of trust, complex and inefficient solutions result.
• The electricity costs for each of the major blockchains are at least on the order 20 million francs per day, and rising. Direct refinancing is not possible and can only be based on hope (and that in a system that absolutely tries to condemn trust!).
• By building up (sometimes exorbitant) financial incentives, human greed is excessively activated and other virtues fall into disuse.
• Alternative approaches (such as proof of stake) rely too much on additional complexity, the side effects of which are hardly foreseeable. Among other things, it seems possible that targeted network attacks on proof-of-stake participants could prove very lucrative financially for the attacker.
• For many applications targeted by blockchain claims, a combination of audit logs, digital signatures, and time stamps are sufficient. They are also easier to implement and cheaper in almost all aspects.
• If an application is to be secure, this must include all processes and participants, especially the users. Complexity and intransparency often lead to countermeasures by the users, which in turn can endanger the entire system.
• The ill-considered use of security mechanisms (not only blockchains) only leads to all honest participants being constantly demotivated in their daily work by seemingly pointless obstacles, while bad guys hardly have any additional effort or, on the contrary, even have it easier. And that should never be the purpose of digitization.

Possible decision diagram for Blockchain decisions according to DHS S&TD. (Image source: Recreation of NIST IR 8202: Blockchain Technology Overview, 2018; p. 42, PDF page 53)
From this we can draw the following conclusions, among others:

• Hardly any technology that is sold as magic is as easy to use as magic. On the contrary, the lack of understanding caused by magic might hold even greater hidden dangers, a familiar theme in fairy tales.
• Digitization cannot be solved simply by using technology (magical or not). The processes and people involved in a process are at least as important.
• Often, a pinch of trust simplifies the solution massively. But all parties involved have to earn it.
• The blockchain was created as a solution to a very specific, particularly complex problem: digital currency trying to mimic paper money, that is, anonymous yet hard-to-forge digital objects. For this problem, it may be a good solution when applied directly. For all other processes, it is massive over-engineering and even small simplifications to the assumptions can lead to much more efficient solutions. This is also illustrated by the (inherently simplifying) diagram on the right.

For every possible digitization approach, dozens of proposals exist for the use of blockchains. However, despite millions of dollars of investment in more than a decade, there is a lack of widely publicized recipes for success that leverage the specific properties of blockchains. Several aspects and considerations behind the concept of blockchain are inspiring and promising, but these inspirations have not yet been successfully implemented. Perhaps this is because blockchain really does not add value outside of the cryptocurrency environment; or perhaps it is because there has been a lack of understanding of how it works. I hope to have contributed something to this understanding and would be happy to hear about successful (but also unsuccessful) digitization projects.

Questions

The chapter to go.

Here are some questions that help to structure the digitization of a data-centric business process. If this process is to be specifically digitized by means of blockchain, consensus on the answers between all parties involved (“stakeholders“) is a must before starting the discussion “Blockchain? If yes, how?” should be started. I hope these questions support as many projects as possible in dealing with their data more clearly!

— — — — ✀ — — — — — — — — — — — — — — — —

Data lifecycle questionnaire

• Data: Which data with which properties (structure, dependencies, data protection) are we talking about exactly?
• Structure: What are the format, structure and dependencies of the data?
• Criteria: Are integrity, traceability, immutability, confidentiality, or global consensus necessary?
• Input: What are the data sources? How does the data get into the system?
• Quality: How is the quality (correctness, uniformity, authenticity, completeness, …) of the incoming data ensured?
• Error culture: What can/should/must happen if erroneous data (intentionally or unintentionally) creeps in?
• Format changes: How should future changes to the structure or format of data be handled?
• Data protection: How should the right to correction or deletion of personal data be implemented?
• Processing: What processing steps should be performed on this data?
• Trust: Is lasting mistrust between the actors to be expected? Can this mistrust be managed through hierarchies or (work) contracts?
• Output: What should happen with the data?
• Effects: What actions should happen (automatically) based on these results?
• End: Do the data have an expiration date? What should happen then?
• Universality: Do these properties apply equally to all data?

— — — — ✀ — — — — — — — — — — — — — — — —

As soon as data has to be changed or deleted, this data is probably not suitable for the blockchain. But there are alternatives.

This questionnaire on the lifecycle of data, not only for blockchains, is also available in a layouted, organized and expanded form.

Further reading

• David Golumbia: The Politics of Bitcoin: Software as Right-Wing Extremism, University of Minnesota Press, 2016.
  The libertarian ideology behind Bitcoin and the Blockchain. This review provides a summary.
• Felix “fefe” von Leitner: Hype-Tech, 2021.
  The wrong optimization criteria behind hyped technology (German).
• Thomas Schwendener: Blockchain Report, Inside IT. 5-part series, published between February 8 and 24, 2022.
  Information on the state of blockchain and blockchain projects in Switzerland (German).
• Stephen Diehl et al: Making Sense of Crypto & Web3, Life Itself Labs, 2022.
  Encyclopedia with explanations and podcasts on blockchain.
• David S. Rosenthal: EE380 Talk, February 9, 2022.
  Transcript (and video) of his Stanford University talk on the blockchain ecosystem (English).
• Cory Doctorow: The Inevitability of Trusted Third Parties, January 31, 2022.
• Nicolas Lenz: Blockchain is Dangerous Nonsense, April 27, 2022. Why it is not a Universal Miracle Cure, yet still spreads like wildfire.
• Rene Jan Veldwijk: Blockchain case evaluation flow chart, June 5, 2022. A business-focused flow chart. (Vectorized here.)
• Petr Hudeček and Michal Pokorný: The Deadlock Empire, 2016-2021.
  A game for budding computer scientists where you experience trace amounts of PoS complexity firsthand and have to make sure that multiple pieces of code running simultaneously do not interfere with each other.

#PeerToPeer #Timestamps #Blockchain

The Inevitability of Trusted Third Parties - OneZero

Hardly a day goes by without someone demanding that I listen to their explanation of their blockchain idea. A lot of times, I listen. Look, a lot of people I consider to be smart and thoughtful are…

^{Cory Doctorow (OneZero)}