Building a voting system everyone can trust @voting_works.
Past: Prod/Eng/Sec @Clever, @Square, @Mozilla, ..., Harvard, MIT.
Mastodon: @ben@adida.net
Oct 15, 2022 • 6 tweets • 2 min read
The last few years, and indeed the last few days, have seen cases of private emails publicly disclosed, where DKIM signatures for anti-spam are abused to allow for public verification that these private emails are authentic.
Fun fact: some colleagues and I wrote up a technique, 17 years ago, to practically achieve the same goals as DKIM while preventing this kind of privacy abuse.
Thanks Braden for engaging in this debate with thoughtfulness! I disagree with many points, but it's good to discuss these things respectfully and seek mutual understanding.
Of the points you made, I'm most sympathetic to the issue of modifying CVR records in secret fanning the flames of conspiracy theories.
To me, it doesn't rise to the level of making public disclosure the right option, but I agree it's a concern.
Oct 14, 2022 • 9 tweets • 2 min read
I'm really happy to see leading academic research groups analyzing voting systems, disclosing issues, and engaging with election administrators. Kudos to the whole team.
At the same time, I think this public report, 4 weeks before the election, is misguided. A few thoughts🧵
When disclosing a vuln, one has to weigh the benefits vs. the harms.
In my opinion, this vuln is not likely to be widely exploitable. Patching this vuln could have been achieved through private disclosure. And the harm done by public disclosure *now* could be meaningful.
Oct 12, 2022 • 12 tweets • 3 min read
So, a few thoughts on this announcement from @signalapp. High-level: I understand this decision, but I still think a better approach would be almost the opposite: doubling down on interop.
2/ the points raised by the Signal team are very legitimate. I've occasionally been confused about whether someone I'm talking with is over e2e or SMS. I think it would be a mistake to dismiss their concern.
Sep 4, 2022 • 13 tweets • 2 min read
1/ Spent a lovely two weeks in Portugal with family, half in Lisbon. Some thoughts, though I'm sure I won't be fully doing Lisbon or Portugal justice.
2/ almost everyone speaks English, most people quite well. I picked up zero Portuguese because it's just too easy to speak English. Not complaining! Just interesting.
Jun 13, 2022 • 13 tweets • 5 min read
1/ I just voted in the French legislative runoff elections… online.
A couple of weeks ago, for the first round, I detailed out the whole process:
In this thread, I want to show much more concretely why I worry about verifiability. 🧵
2/ Here I go picking a candidate, and confirming
May 31, 2022 • 26 tweets • 8 min read
1/ Fun fact: I’m a dual US/French citizen. This means I get to vote in French elections, too.
This year, France has Internet voting for citizens living abroad.
You know I couldn’t resist… 2/ Reminder: though I've built Helios Voting (heliosvoting.org), an end-to-end verifiable voting system made for small private groups, I’m not a fan of Internet voting for public elections:
1/ alright, say you want to add end-to-end encryption to Twitter DMs. Hypothetically, of course.
That's quite difficult. Not in the "must nerd harder" sense, more in the "tricky product tradeoff" sense.
2/ the central question is this: say you log into Twitter in a fresh browser, or on a brand new phone. Should you have access to your DMs? Because currently you do.
With end-to-end encryption, answering that question is tricky.
May 1, 2021 • 10 tweets • 2 min read
1/ I'm *still* not going to dunk on the Basecamp leadership team. I'm pretty sure the people leaving Basecamp are heartbroken. This is no time to gloat, no time to say I told you so.
I *am* going to do my best to reflect on what it means for me & any other leader.
2/ One of my colleagues put it best: as a founder, there comes a time when your organization becomes bigger than just you, bigger than just your dreams, bigger than just your vision. The org become a vessel for every team member's hopes and dreams.
This is not always obvious.
Apr 21, 2021 • 7 tweets • 2 min read
1/ thoughts on airtags, the physical trackers Apple released today to help you find personal items you might misplace.
Bottom line: Apple thought through many privacy scenarios, but not sure yet if they've thought through all. Possible I'm missing info, of course.
2/ the mind blowing part is: Apple is using deployed iPhones as transport network to relay airtag signals back to their owner.
It seems they're doing this responsibly, but wow, it's still a little weird to think my phone is being used to relay a signal for someone else's tag.
Apr 12, 2021 • 6 tweets • 2 min read
1/ I'm a fan of @doctorow, but in this thread on voting, he gets a few key things very, very wrong.
2/ most importantly, on hand counting votes. In the US, it's a bad idea. Not because of the number of people, but because of the complexity of ballots. We have dozens of questions on our ballots. It's not possible to count votes by hand without introducing error and bias.
Apr 6, 2021 • 11 tweets • 3 min read
1/ There continues to be an enormous gap in the public's understanding of voting security: Tim Cook tells @karaswisher he hopes Americans eventually vote on their iPhones.
We, election security experts, need to step up our communication game big time.
Of course it makes sense that people would want this! If we dismiss it out of hand, if we laugh it off, we're not going to successfully make our case.
It's not obvious that this is a bad idea!
Apr 3, 2021 • 19 tweets • 3 min read
1/ A few thoughts on Covid vaccine "passports." Starting with the use case, moving quickly to the tech and privacy.
2/ I'm not super optimistic that we'll hit herd immunity this year in the US. Too much vaccine hesitancy, not enough time to approve for and innoculate kids. So I suspect we'll still see small or medium outbreaks through end of this year.
Feb 7, 2021 • 16 tweets • 3 min read
1/ Saturday 🧵 on real-world security in voting machines.
Should voting machines be allowed to contain wifi hardware, later disabled in software?
At first glance, bad idea. Let's simply ban wifi hardware.
In practice, that would make machines less secure. Allow me to explain.
2/ Security is about threat models and tradeoffs. What this means in practice is more complex than it might seem. It means that "more security" on one specific aspect may lead to less security in the overall system.
Feb 5, 2021 • 6 tweets • 1 min read
1/ Thinking about the impact of the new strain (B117). Read this thread. It is significantly more transmissible than the previous strain, which means the measures we're used to can reduce classic infections, but they're *not yet good enough* in Denmark to stop growth.
2/ the difference between R < 1 and R > 1 is enormous. R<1, each day is better than the last. R>1, even a little, and each day is worse than the last.
Nov 22, 2020 • 13 tweets • 3 min read
1/ Why is Georgia counting votes for a third time? Let's talk about it.
npr.org/sections/biden…2/ most states have recount procedures that trigger below a certain margin of victory. Sometimes automatic, sometimes has to be requested by a candidate. In Georgia, threshold is 0.5% & recount needs to be requested by a candidate after certification. Wait, what's certification?
Nov 20, 2020 • 8 tweets • 3 min read
1/ The @voting_works team has been working around the clock for the last week to support the State of Georgia in running their first state-wide risk-limiting audit, which turned into a full hand-count.
1/ I spent a bit of time looking at the Canada COVID Alert app this evening. Bottom line: this app is pretty much the model for how to do this kind of tech.
2/ It's super clear about what data it collects and doesn't, and about how it works. This is not easy stuff to convey.
Jul 19, 2020 • 18 tweets • 3 min read
1/ In light of the voting question that will never die -- "if I can do X online, why can't I vote online" -- I'm reminded that most people don't have a good intuition for what makes things secure. So let's explore.
Security online depends predominantly on logging and auditing.
2/ This probably sounds weird and surprising, but hear me out. And there are exceptions that I'll get to. But truly, security depends predominantly on logging and auditing.
Jun 25, 2020 • 13 tweets • 2 min read
1/ a little story. When I was 18yo, summer 1995, I had the immense luck of working as an intern at Hearst Publishing in NYC. I was a rising sophomore, the web was just taking off, and that internship taught me so much, it dramatically kickstarted my career.
2/ the group VP was a guy who dressed like a banker and led the effort to create the first dynamic web site for Hearst. His office was on the 5th floor, top most floor of the Hearst building at the time, 57th and 8th (there's now a huge tower at that address.)
Apr 27, 2020 • 17 tweets • 4 min read
1/ Who's ready for another Apple/Google contact tracing thread? I know I am!
To me, the most interesting piece of the puzzle is how much trust we place in the phone operating system vs. the app, and the role of the phone's operating system in protecting your privacy *from apps*.
2/ Let's start with the most recent news: Germany has relented and is adopting the Apple/Google approach, the so-called "decentralized" approach, vs. the one Germany wanted (along with France).
