Create a risk analysis for permissions

Read the MRZ and save the contents as String

• Camera frame
• Reading String
• Check checksum
• Passport checksum
• Return result as HashMap to MainActivity
• Improved passport reading using full-res camera frames
• Continuous detection?
• Optimize detection speed
• • Create N threads where N is amount of cores on device. Then start new OCR with new frame in new thead if one is available about every 0.5 - 1 sec (about N/3 where 3 is avg detection time)
• Tests
• • Mrz validation
• • Tesseract OCR testing?
• • Camera and activity code?
• Remove all unneeded code - some shit like in setupcameraoutputs does tings related to orientation, which seems not needed?
• mrz.traineddata seems to cause crashes sometimes/on some devices?
• camera frame is upside down when rotated 270 degrees

Possible improvements to OCR

• adaptive thresholding (requires #opencv?) (mostly accuracy improvement when lighting is not uniform, maybe some performance)
• try load_freq_dawg=0 and load_system_dawg=0; theoretically prevents loading of the standard frequency dictionaries
• specify page segmentation mode as described here
• OpenCV 2.4.8 manipulation example in java here, howto add opencv lib here

TODO Before ready for develop merge:

• semaphore to protect device storage access
• finalize delays between thread starts and restarts, make them easily settable
• Fix behaviour on device rotation and sleep
• delete all commented out code + maybe some more useless code
• try to remove black bar in portrait mode
• handler tries to restart ocr scan thread after activity has finished
• correct thread handling

lots of parameters - bad documentation

How is the current voting process in the Netherlands shaped? What are the costs?

Process
https://www.rijksoverheid.nl/onderwerpen/verkiezingen
https://www.parlement.com/id/vhnnmt7iawxz/stemmen

• Municipalities send voting passes to voters home adress. These arrive at least 14 days before the election.
• With a voting pass and identification a person can vote in his own municipality at a voting booth
  • For voting in another municipality you need to request a "kiezerspas" at your local municipality. With the "kiezerspas" you can vote in the entire country.
  • For local elections you can only vote in your own municipality
• At the voting booth a person receives a "stembiljet" on which he can mark his vote and put it into a bin
• At the end of the election day, the bin is opened and the votes are counted by hand, the results are send to a main election office

Proxy voting
https://www.rijksoverheid.nl/onderwerpen/verkiezingen

• On your voting pass you can fill in a form to authorize someone else to vote on your behalf

• For proxy voting a copy of an identification card and the original voting pass are needed

• An authorized person can only cast the proxy-vote together with his own vote

• If you want someone from another municipality to vote for you, you need to fill in a form at your municipality.

• You and the person you want to authorize need to fill in this form and hand it in at the municipality

• The authorized person then receives a "volmachtsbewijs" with which he can vote for you, for which the normal proxy voting requirements apply

• You need to hand in the form 5 days before the election day, if you fail to do this you can get a "volmachtsbewijs" at your town hall before 12pm the day before the election.

Voting eligibility
https://www.parlement.com/id/vh8lnhrouwze/kiesrecht
Every dutch citizen of 18 years and older is eligible to vote for Dutch an European elections. With exception of people whose voting rights have been revoked by a judge. Excluding people from voting happens very rarely, 56 at the start of 2016. (https://www.kiesraad.nl/verkiezingen/inhoud/waterschappen/stemmen/uitsluiting-kiesrecht) (https://www.cbs.nl/nl-nl/nieuws/2017/07/bijna-13-miljoen-kiesgerechtigden-op-15-maart)

Non-Dutch residents of The Netherlands can vote for municipal elections if they contiguously stayed legally in the Netherlands for 5 years.

Dutch residents that are citizens of other EU-countries can vote for European elections. They need to register at their municipality first.

Facts

• 388 municipalities (https://www.cbs.nl/nl-nl/onze-diensten/methoden/classificaties/overig/gemeentelijke-indelingen/indeling%20per%20jaar/gemeentelijke-indeling-op-1-januari-2017)
• close to 13 million eligible voters (https://www.cbs.nl/nl-nl/nieuws/2017/07/bijna-13-miljoen-kiesgerechtigden-op-15-maart)

Costs
https://www.npo.nl/de-rekenkamer/06-09-2012/KRO_1556493 (sep 2012)
This program tries to estimate the costs of the 2012 parliament elections. They often do some assumptions, but this should give a reasonable estimate.

Total: 50 million euro (including campaign costs)
Total costs for municipalities: 24 million euro

Voting booths: 1,2 million euro
Voting passes, printing and distributing: 6.3 million euro
Labor costs civil servants: 9.8 million euro
Costs volunteers at voting booths (100 euro per volunteer): around 4 million euro
Pencils(12ct/pencil): around 14,400 euro
Bins to collect votes (125 euro): around 10,000 voting booths, so 1.250.000 euro, not really clear for how many years they are used.
Stemhok(275 euro)

Research what kind of parameters we can alter with MutliChain

Currently Multichain uses secp256k1, ePassports however use BRAINPOOLP320r1

• MultiChain verify and sign with brainpoolp320r1
• Split up hashes in 4 different parts

Fix some issues commented on commits

• Fix shady signature size
• Fix return true by checking signature encoding in interpreter.cpp
• Only sign/verify transactions in four parts, so mine should be signed in one go

A central authority issues blocks
Why a central authority?
Advantage:

• Mining blocks should be impossible for an individual
• Can decide who receives a vote
• Can freeze wallets (for individuals who died before the voting for example)

Disadvantage:
Authority is still in control?

Smart contracts creating own currency simple example, including freezing accounts

Fix the timeout in OCR scanning, sometimes a scan can take more than 10 seconds.
Also if this is fixed the threads can be closed when scanning is complete or user exits the activity.
Right now, when the stopScanning() is called, the current scanning task is completed and then the thread exits

When both issues are closed and the code is merged into develop, a coupling can be made between jMRTD and OCR so passport information does not need to be hard-coded.

Proposed solution to decoupling of users' keys and identity

What are currently used e-voting solutions, what are their characteristics?

Estonia voting

Bitcoin based

BitCongress

Ethereum based

Other

OpenVote
FollowMyVote

How can the blockchain technology be used to allow proxy voting?

When the entire voting system is digitized and people can vote from their homes, proxy-voting won't be necessary anymore and shouldn't be allowed. For now since we propose a full replacement of the paper voting pass, there should be a way to allow proxy-voting.

Currently a person can only cast two proxy-votes.
More details about current system
Issues

• How can you know if someone has freely approved of proxy-voting? (currently also an issue)
  Forcing someone to allow you to proxy-vote is illegal (obviously) see Artikel 4 and 8 of Kieswet
• Is there a way to deny a certain wallet from voting?
• Solution: revoking proxy-voting rights. (currently: blacklisting voting pass)
  You could freeze an account from using your tokens on Ethereum
• What if someone sends his token to another wallet and then dies. The token should be invalid, but this is very hard to do.

Sending voting tokens (or other implementations) to other wallets
Two options: via regular transactions or via smart contracts so there can be some kind of verification.

• Via smart contracts in order to limit amount of tokens someone can have
• Example Ethereum contract code has a function to allow someone else to spend tokens on your behalf https://ethereum.org/token
• To make it safer you could disable the proxy-voting function on election days, so people who were forced to give their vote have time to sent an alert to the authorities.

An app can make this process easier for users.
Pro:

• easy to use (not having to know your exact wallet string)
• verifiable if someone has indeed voted
• verifiable if the token has arrived at the proxy-voter

Con:

• App could be vulnerable to attacks so token can be sent to an attackers wallet
• If something goes wrong (e.g. wrong string) there is no way to reverse the process (but it is possible to invalidate the attackers wallet)
• Default contract could be modified?

Voting with someone elses wallet
You would need to get your hands on someone elses voting device.

• Hard to check if the device is not stolen

In case of voting with ID

• Current laws don't allow to use someone elses ID
• Hard to check if the ID is not recently stolen

You could make it possible to own multiple wallets, and transfer wallets between people.

problems
Combining two systems
What if you opted for the digital system but want to allow someone with a paper voting pass to vote for you?
Local elections
You shouldn't be able to send your token to someone who lives in another municipality when the election is local to municipalities.

• In the complete system a separate 'coin' has to be made for each municipality anyway because people can vote for entirely different parties

Smart contract platforms:

• Smart Oracle
• Tokens: Ethereum

Other interesting links:

• https://ethereum.gitbooks.io/frontier-guide/content/contract_coin.html
• https://blog.ethereum.org/2015/12/03/how-to-build-your-own-cryptocurrency/

How can blockchain technology be used to prevent a person from voting more than once?

Upon regisration, issue a single spendable token to registered voter, associated to their blockchan ID.
How can you verify identity without sacrificing anonymity?

• Issuing of token must be recorded by authority to prevent possibility of issuing multiple tokens to the same person.
• This token is than known to this authority ans linked to the person.
• • If the token can be used to verify the vote, it is no longer anonymous.

Bitcongress proof of tally system (section 5)

Access control system based on blockchain:
http://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=7163223

Biometric passport keypair
http://www.passport.go.kr/img/download/vol2.pdf

Signing data
https://github.com/andrew867/epassportviewer/blob/5425aef2300fc7f371f96c7d09ed0666e1cd8d28/pypassport-2.0/pypassport/iso7816.py

There is a black bar on the bottom of the screen in OCR mode (portrait) and to the right (landscape). This causes the preview of the camera to not be fully visible.

Explain choices and list pros and cons
Blockchain choice (eth, multichain)
Signing with passport, options and possible improvement if ICAO standard is changed so more can be signed.
State that we can ignore problems like gas cost and block times.

Find 4 more multichain alternatives.

4th generation YubiKey smartcards

YubiKey Neo contains a NFC chip, private keys can be stored securely

MiFare for SmartX might be used in epassports, so could be an option

Who runs nodes?
How can they be set-up?

• Multiple public keys associated with one account
• Enrollment procedure
• MRTD public key

What are the current trust issues with digital voting?
What is needed in order to get people to trust a digital voting solution?

http://wijvertrouwenstemcomputersniet.nl/Wij_vertrouwen_stemcomputers_niet

• non voter verifiable
• One central (hackable) machine
• closed source implementation
• non-transparent voting process

Sources:

• http://wijvertrouwenstemcomputersniet.nl/images/9/91/Es3b-en.pdf
  In-depth security analisys of Nedap/Groenendaal ES3B voting computers used until 2006

In order to be trustworthy a voting process must have the following:

• Easy vote verification, if the process is anything but trivial, people wont use it and that will be used as argument against the voting process
• People must be able to verify their vote, but must NOT be able to prove their vote after leaving the booth, as that opens up the possibility of selling your vote

Update research report so Tribler Multichain is called Trustchain per request of Pouwelse.

Ethereum

RootStock

Counterparty

• Build on blockchan
• open source

add a way to manually input the document number, date of birth, and expiry date in case OCR fails.

Located in sharelatex final report project.
https://www.sharelatex.com/project/591316c04419fd2825b2c98d

How can we check that a device (used as voting pass) is safe against malicious attacks that can influence the voting process.

Simple security tips/guidelines

Anti tampering app
Source

• Verifying app sign at runtime
• Verifying the installer
• Environment checks (check if debugger is running)

Anti tampering device
SafetyNet

Obfuscation
Good read

Options
Source

• ProGuard with maven plugin
• DexGuard, is better than ProGuard but costs $$$
• List of optimizers/obfuscators

Byte code encryption does not work:

To top it up, not so long ago a security engineer, frustrated by false claims of vendors whose tools implement bytecode encryption, has put together an article [3] showing how easily OpenJDK can be modified to defeat any byte code encryption scheme.

AOT compiler
Since Android 5.0 Google uses ART (Android RunTime), which uses an AOT compiler instead of a JIT compiler. But Android 7.0 has an JIT/AOT compiler, which uses profiling to determine which functions are “hot”

Packing

How do we write good code that is secure?

Static analysis tools:

• Find security bugs
• QARK

Penetration testing cheatsheet

• https://github.com/tanprathan/MobileApp-Pentest-Cheatsheet

Android Studio project

Make sure Travis works with the project

When the OCR activity is open on landscape mode, then the screen is locked, and then the screen is unlocked again while phone is held in portrait mode. The OCR activity crashes and won't start-up without restarting the entire app.

Communication between ePassport and Android device

Sign 8 byte array and retrieve public key from DG15

DigiD API info