Kuro5hin.org: technology and culture, from the trenches

How to build a verifiable voting system

By simul in Technology
Sat Sep 06, 2003 at 08:42:14 AM EST
Tags: Politics

This is a high-level description of a secure, auditable, national voting system. The purpose of this story is to illustrate that such a system can be built, that it is not expensive, and that it can be explained in a manner that garners public confidence.


At election time, the registered and suitably identified voter arrives at an election booth. We don't discuss improvements in voter registration and identification, since it's outside of the scope of this story.

Just before voting, the voter is assigned a UID (Unique ID) by the voting machine. The UID is simply a 512-bit random number that is designed to be unique across all voters. It does not, in any way, identify the actual voter. It is used only once, for one election. Random numbers are chosen using a respected, highly secure system.

The voter then casts his vote. The machine encodes all of the voter's preferences in a standardized format. Along with the vote, the system includes the UID assigned to the voter.

Public key cryptography is used to provide superior security assurances. The machine uses the "public keys" of, for example, a dozen "audit servers" to encrypt this information. This type of information could not be easily tampered with or forged. Assuming proper cryptography is used, it would take a million machines more than a million years to forge even one vote for one audit server. This technology is not expensive. OpenSSL and GnuPG are excellent, free public key cryptography systems capable of producing this level of military-grade encrypted information.

This information is then transmitted to each of the audit servers. Remember, each audit server has its own public key. So a forger would have to compromise each of the audit servers to forge a single vote. Each audit server is run by a separate organization, not by a centralized committee.

Although an open-source system would be required, these organizations would be encouraged to develop their own audit server software and hardware in accordance with the standardized protocol. Candidate organizations would be chosen based on their ability to provide a secure environment, and reliable communications. These organizations would also need to be geographically separated, in the event of a disaster.

Finally, the machine prints out a card with the voter's UID, encrypted using the voter's PIN, chosen at the time of the vote.

At the end of the election, the results at each audit server must be nearly identical to all of the others - or the election is invalid. Error is allowed only if it doesn't affect the outcome of the election.
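The "nearly identical" rule above can be made concrete. The following is an added example, not code from the article: each independent audit server reports its own tally, and the election is accepted only if every server names the same winner and the disagreement between servers is too small to change that outcome. The function names and the tallies in `demo()` are assumptions and constructed sample data.

```python
# Added example, not from the article: the "nearly identical" rule as a
# concrete check. Each independent audit server reports its own tally; the
# election is accepted only if every server names the same winner and the
# disagreement between servers is too small to change that outcome.
# Function names and the tallies in demo() are assumptions / constructed data.

from typing import Dict, List, Tuple

Tally = Dict[str, int]  # candidate -> votes, as reported by one audit server


def winner(tally: Tally) -> str:
    """Candidate with the most votes; a tie is treated as no winner."""
    ranked = sorted(tally.items(), key=lambda kv: kv[1], reverse=True)
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        raise ValueError("tie")
    return ranked[0][0]


def smallest_margin(tally: Tally) -> int:
    """Gap between first and second place on one server."""
    ranked = sorted(tally.values(), reverse=True)
    return ranked[0] - ranked[1] if len(ranked) > 1 else ranked[0]


def disputed_votes(tallies: List[Tally]) -> int:
    """Total disagreement: for each candidate, the spread between the highest
    and lowest count any server reports, summed over candidates."""
    candidates = set().union(*(t.keys() for t in tallies))
    return sum(
        max(t.get(c, 0) for t in tallies) - min(t.get(c, 0) for t in tallies)
        for c in candidates
    )


def validate_election(tallies: List[Tally]) -> Tuple[bool, str]:
    """Apply the article's rule: servers must agree, and any error is tolerated
    only if it cannot affect the outcome. The test is deliberately conservative:
    every disputed vote is assumed to be one that could move between the two
    leading candidates."""
    if len(tallies) < 2:
        return False, "need at least two independent audit servers"
    try:
        winners = {winner(t) for t in tallies}
    except ValueError:
        return False, "tie on at least one audit server"
    if len(winners) != 1:
        return False, f"audit servers disagree on the winner: {sorted(winners)}"
    disputed = disputed_votes(tallies)
    margin = min(smallest_margin(t) for t in tallies)
    if disputed >= margin:
        return False, f"{disputed} disputed votes could change a margin of {margin}"
    return True, f"winner {winners.pop()} confirmed by all {len(tallies)} audit servers"


def demo() -> Tuple[bool, str]:
    """Constructed sample: three servers, one vote off on two of them."""
    reports = [
        {"Candidate A": 5200, "Candidate B": 4800, "Candidate C": 300},
        {"Candidate A": 5199, "Candidate B": 4801, "Candidate C": 300},
        {"Candidate A": 5200, "Candidate B": 4800, "Candidate C": 299},
    ]
    return validate_election(reports)


if __name__ == "__main__":
    print(demo())
```

The tolerance test counts every vote that any two servers disagree about and rejects the result if that total reaches the smallest winning margin on any server, which is stricter than strictly necessary but errs on the side of declaring an election invalid rather than accepting a close result built on inconsistent records.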

Finally, each voter may log on to the election system, at a library for example, or at any terminal with a card reader, and verify that his vote was accurately recorded at each of the audit servers. Again, the verification protocol is open, secure, and various competing implementations would ensure that no one organization produces the software.

There is no way, barring an extremely improbable brute force attack, that a voter's choices can be revealed to anyone but the voter himself. The only way to divine a voter's choices would be to spy on the voting booths, or steal a card and crack the password. Again, if military-grade cryptography is used, it would take millions of years to spy on a single vote in this manner.

A voter may, at the time of the vote, press a "duress vote" button on the machine. In that case, the vote is not counted, but the voter still receives a card, the vote can be verified, and it will otherwise seem to be a valid vote in every respect. Vote counts are stored separately, and duress flags are deleted after use. A voter can thus vote as many times as needed at a booth, obtaining as many "false votes" as desired. This effectively defeats the possibility of blackmail or bribery.
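As an added example (not code from the article), here is a toy model of the booth-side flow described so far: a 512-bit UID per ballot, a vote record in a fixed format, and a duress flag that keeps the record out of the count but not out of verification. Encryption to each audit server's public key and the PIN-protected card are left out; records are handed to `AuditServer` objects directly. All names here are assumptions.

```python
# Added example, not from the article: a toy model of the booth-side flow
# described above (512-bit UID, standardized vote record, duress flag kept
# out of the count but not out of verification). Encryption to each audit
# server's public key and the PIN-protected card are left out; records are
# handed to AuditServer objects directly. All names here are assumptions.

import json
import secrets
from typing import Dict, List, Optional

Choices = Dict[str, str]  # contest -> chosen candidate


def new_uid() -> str:
    """512-bit random UID, hex encoded. It labels one ballot, never the voter."""
    return secrets.token_hex(64)  # 64 bytes == 512 bits


def make_record(uid: str, choices: Choices) -> str:
    """Standardized vote record: canonical JSON, so every audit server
    receives and parses exactly the same bytes."""
    return json.dumps({"uid": uid, "choices": choices},
                      sort_keys=True, separators=(",", ":"))


class AuditServer:
    """One independently run audit server. It keeps per-UID records for
    verification and aggregate counts for the result; nothing it stores says
    which records were duress votes."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._records: Dict[str, Choices] = {}
        self._counts: Dict[str, Dict[str, int]] = {}  # contest -> candidate -> n

    def receive(self, record: str, duress: bool) -> None:
        parsed = json.loads(record)
        uid = parsed["uid"]
        if uid in self._records:
            raise ValueError("UID already used")  # a UID is single use
        self._records[uid] = parsed["choices"]
        if not duress:
            for contest, candidate in parsed["choices"].items():
                bucket = self._counts.setdefault(contest, {})
                bucket[candidate] = bucket.get(candidate, 0) + 1
        # The duress flag is consumed here and is not stored anywhere.

    def verify(self, uid: str) -> Optional[Choices]:
        """What a verification terminal shows for a card's UID. A duress
        vote and a counted vote answer identically."""
        return self._records.get(uid)

    def tally(self, contest: str) -> Dict[str, int]:
        return dict(self._counts.get(contest, {}))


def cast_vote(servers: List[AuditServer], choices: Choices,
              duress: bool = False) -> str:
    """The machine's side: assign a UID, build the record, send it to every
    audit server, and return the UID that goes on the voter's card."""
    uid = new_uid()
    record = make_record(uid, choices)
    for server in servers:
        server.receive(record, duress)
    return uid


if __name__ == "__main__":
    servers = [AuditServer(f"audit-{i}") for i in range(3)]
    fake = cast_vote(servers, {"president": "Candidate A"}, duress=True)
    real = cast_vote(servers, {"president": "Candidate B"})
    for s in servers:
        print(s.name, s.verify(fake), s.verify(real), s.tally("president"))
```

Run stand-alone, the script shows each server answering the same thing for the duress ballot and the counted ballot while its tally contains only the latter; the property the article relies on is that the server's stored data is the same in both cases, so the flag cannot be recovered after the fact.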

If a voter notices a fraudulent vote, then a change request may be filed. If there are enough change requests to modify the results of an election, then the requests will be honored. However only those voters who filed a change request will be allowed to recast.

For the voter, the only difference is a little card that he gets to verify his vote.

Addendum:

An alternate vote verification system may be used, depending on the nature of the election. This system would not require a duress button.

A secure hash of the vote and the PIN is used to produce a number. This number is used as an index into a list of common, easy to remember words, like "apple" or "banana". In this alternate system, the audit server records only the UID and the word together in a database. The vote is never associated with the ID. The voter remembers this word, in addition to his PIN.

The voter can then verify his vote at any time by requesting that any audit server produce the word associated with his UID and PIN.

In this case, the UID on the card need not be encrypted at all, since it is stored alongside a meaningless word. It can even be, simply, the name of the voter.

This is a much cleaner system; however, it requires a voter to remember both a PIN and a word.
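The addendum's hash-to-word scheme, as an added example that is not code from the article: the audit server stores only (UID, word), and the vote is never written next to the UID. The word list is a small constructed stand-in for the "index of common, easy to remember words", and, following the author's comment #24 below, the UID is hashed in along with the vote and PIN. All names are assumptions.

```python
# Added example, not from the article: the addendum's hash-to-word scheme.
# The audit server stores only (UID, word); the vote is never written next to
# the UID. WORDS is a small constructed stand-in for the "index of common,
# easy to remember words", and, following the author's comment #24, the UID
# is hashed in along with the vote and PIN. Names are assumptions.

import hashlib
from typing import Dict, Optional

WORDS = ["apple", "banana", "cherry", "date", "elder", "fig", "grape", "honey",
         "iris", "jade", "kiwi", "lemon", "mango", "nutmeg", "olive", "peach"]


def vote_word(vote: str, pin: str, uid: str) -> str:
    """SHA-256 over vote, PIN and UID, reduced to an index into WORDS.
    Length-prefixing each field keeps ('ab','c') and ('a','bc') distinct."""
    h = hashlib.sha256()
    for field in (vote, pin, uid):
        data = field.encode("utf-8")
        h.update(len(data).to_bytes(4, "big"))
        h.update(data)
    index = int.from_bytes(h.digest()[:8], "big") % len(WORDS)
    return WORDS[index]


class WordAuditServer:
    """Stores nothing but each UID and its word."""

    def __init__(self) -> None:
        self._words: Dict[str, str] = {}

    def record(self, uid: str, word: str) -> None:
        if uid in self._words:
            raise ValueError("UID already used")
        self._words[uid] = word

    def word_for(self, uid: str) -> Optional[str]:
        """Answer to 'produce the word associated with this UID'."""
        return self._words.get(uid)


def cast(server: WordAuditServer, uid: str, vote: str, pin: str) -> str:
    """Booth side: derive the word, hand the server only (uid, word), and
    show the word to the voter once so they can remember it."""
    word = vote_word(vote, pin, uid)
    server.record(uid, word)
    return word


def voter_verifies(server: WordAuditServer, uid: str, remembered: str) -> bool:
    """Later, at any terminal: ask the server for the word and compare it
    with what the voter remembers."""
    stored = server.word_for(uid)
    return stored is not None and stored == remembered


if __name__ == "__main__":
    srv = WordAuditServer()
    uid = "constructed-uid-0001"          # stands in for the 512-bit UID
    word = cast(srv, uid, "Candidate A", "1234")
    print("remember this word:", word)
    print("verifies:", voter_verifies(srv, uid, word))
```

Two design notes follow from the code rather than from the article. With a list this short, different votes can share a word, so a match tells the voter "the server holds what the booth showed me", and a real deployment would size the list so accidental matches are rare. And because the word is a function of vote, PIN and UID alone, the PIN is what keeps a stored word from identifying the vote; it has to stay with the voter.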


Poll
Do we need a secure, verifiable voting system?
o Yes 43%
o No 10%
o I don't like this poll 13%
o I don't understand the article 4%
o I don't care about anything anymore 28%

Votes: 97

Related Links
o Public key cryptography
o OpenSSL
o GnuPG
o Also by simul


How to build a verifiable voting system | 255 comments (247 topical, 8 editorial, 0 hidden)
OTOH (4.25 / 8) (#2)
by wiredog on Thu Sep 04, 2003 at 06:19:51 PM EST

You could use a system involving making marks on pieces of paper and dropping the pieces in a locked box.

Wilford Brimley scares my chickens.
Phil the Canuck

Well... (5.00 / 1) (#4)
by kerinsky on Thu Sep 04, 2003 at 06:46:21 PM EST

You might want more than one box...

-=-
A conclusion is simply the place where you got tired of thinking.
[ Parent ]
and each box would have a different lock (none / 0) (#11)
by simul on Thu Sep 04, 2003 at 07:08:37 PM EST

owned by a different organization, chosen for security, reliability, etc. And you can write a secret code word, known only to you, on the voting form, which gets recorded along with the vote. Then you could anonymously request verification by filling out a vote verification form, etc. etc.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Marks on paper? Dropped in a box? (none / 0) (#49)
by Russell Dovey on Thu Sep 04, 2003 at 08:50:59 PM EST

What kind of stupid country would vote like that?

"Blessed are the cracked, for they let in the light." - Spike Milligan
[ Parent ]

A simple truth. (4.60 / 10) (#3)
by i on Thu Sep 04, 2003 at 06:45:26 PM EST

Any system that allows one to verify his vote is not a secret ballot system.

and we have a contradicton according to our assumptions and the factor theorem

You can always put a camera in a booth (none / 0) (#5)
by simul on Thu Sep 04, 2003 at 06:53:42 PM EST

And that would be a lot, lot easier than attempting to steal a card from someone and crack a 512-bit encryption algorithm.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
question: (1.00 / 1) (#6)
by CanSpice on Thu Sep 04, 2003 at 06:56:04 PM EST

So how does "you could always put a camera in the voting booth" get solved with your scheme?

[ Parent ]
This scheme doesn't address physical security (none / 0) (#8)
by simul on Thu Sep 04, 2003 at 06:57:21 PM EST



Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Then why did you bring it up? (5.00 / 2) (#9)
by CanSpice on Thu Sep 04, 2003 at 07:00:33 PM EST



[ Parent ]
Because it's easier to put a camera in a booth (none / 0) (#14)
by simul on Thu Sep 04, 2003 at 07:15:48 PM EST

than it is to crack a military-grade encryption system.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
What he means (4.00 / 2) (#10)
by CaptainSuperBoy on Thu Sep 04, 2003 at 07:01:59 PM EST

What he means is, it must be impossible for the voter to prove how they cast the vote. This is to prevent bribery and blackmail. Any secure voting system must give the voter immediate feedback to verify their vote, such as a printed record. But this is kept with the other votes, not given to the voter.

--
jimmysquid.com - I take pictures.
[ Parent ]
a duress vote is needed for that (5.00 / 1) (#13)
by simul on Thu Sep 04, 2003 at 07:14:51 PM EST

You press the "false vote" button on the machine. The vote is not counted, but it can be verified and seems to be a valid vote in all other respects. Counts are stored separately, and duress flags are deleted after use. A voter can vote as many times as needed, obtaining as many "false votes" as desired.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Too complicated (5.00 / 1) (#23)
by CaptainSuperBoy on Thu Sep 04, 2003 at 07:45:25 PM EST

Nobody will know how to use that, especially the people who are most likely to be coerced into voting. The potential for confusion far outweighs the benefit.

Take a good look at the butterfly ballot, and then ask yourself what kind of idiots couldn't figure that out. The answer, is the American voting public.

--
jimmysquid.com - I take pictures.
[ Parent ]

i provided an alternate system (none / 0) (#35)
by simul on Thu Sep 04, 2003 at 08:09:42 PM EST

that provides secure verification with no duress button. However, it requires some memorization.....

it's also a *lot* of fun

thanks for your help, BTW

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

doesn't matter (none / 0) (#50)
by rhyax on Thu Sep 04, 2003 at 08:54:16 PM EST

it doesn't matter if they know how to use it, it makes the "proof" invalid because you can not be sure if what you're looking at is real. no one would ask for proof because real proof could not be generated.

and honestly, do you think less than 5% of people would understand the concept of a big red button that said

"CAST A FAKE VOTE"
or
"GET A FAKE VOTING RECEIPT"

don't get bogged down in the wording "duress button" maybe that is too complicated.

[ Parent ]

not enough (none / 0) (#85)
by Viliam Bur on Fri Sep 05, 2003 at 09:11:47 AM EST

After a coerced vote, I will take your voting card. Now you can try to press the "false vote" button.

[ Parent ]
Wait a second... (none / 0) (#103)
by dipierro on Fri Sep 05, 2003 at 04:27:50 PM EST

If a duress vote cannot be distinguished from a valid vote, how can someone verify his vote?

[ Parent ]
Blackmail and bribery can't be prevented (none / 0) (#104)
by dipierro on Fri Sep 05, 2003 at 04:32:12 PM EST

At least this system forces you to use bribery or blackmail to obtain a single vote at a time. Besides, the absentee ballot system already enables this, and it's not a big problem. In fact, it's not really a problem at all.

I'd much rather be able to verify that my vote was counted. At least if I'm blackmailed to vote a certain way I'll know the system is subverted.



[ Parent ]
Not really. (4.50 / 2) (#19)
by i on Thu Sep 04, 2003 at 07:39:14 PM EST

No advanced cryptanalysis is needed. A dark alley, a jackbooted thug or three, and a card-reading terminal will suffice.

and we have a contradicton according to our assumptions and the factor theorem

[ Parent ]
GnuPG instead of / in addition to OpenSSL (4.66 / 3) (#7)
by zrail on Thu Sep 04, 2003 at 06:56:10 PM EST

As I understand it, OpenSSL is intended to secure communications between two or more machines. As something would definitely be needed to perform this function between all of the machines, OpenSSL seems like a pretty good system. However, I would think something along the lines of GnuPG would be better suited for the task of signing and encrypting vote records.

Also, would PINs be randomly assigned like ATM PINs are, or would they be chosen by the voter?



i'm pro-choice (none / 0) (#33)
by simul on Thu Sep 04, 2003 at 08:04:20 PM EST

but that's an implementation detail

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Don't see the point (4.71 / 7) (#12)
by CaptainSuperBoy on Thu Sep 04, 2003 at 07:10:09 PM EST

I just don't see the point of these audit servers. The most likely place for a voting exploit would be at the voting machine itself. By the time the vote is recorded, electronically or otherwise, it's pretty safe from tampering. Of course we need a secure way to transmit and store votes, but judging by the Diebold issue the machines themselves are more likely targets. The best, and only, solution seems to be having the machine create a printed record of the vote which can be counted if there's a dispute.

In addition no voting system should ever allow a voter to prove how they voted.

--
jimmysquid.com - I take pictures.

Assuming you have a lot of faith (none / 0) (#18)
by simul on Thu Sep 04, 2003 at 07:36:22 PM EST

Assuming you trust the transmission protocol...and the organization that collects the votes, and the people who count it....etc.

The point is to not leave *anything* up to blind faith.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

True (none / 0) (#31)
by CaptainSuperBoy on Thu Sep 04, 2003 at 07:58:32 PM EST

You have a very good point, we should leave as little to faith as possible. Unfortunately, the verification part of your proposal will never fly, and without independent voter verification the audit servers have no benefit. We simply need a hard record of each vote, and secure procedures dealing with counting them.

--
jimmysquid.com - I take pictures.
[ Parent ]
read the article! (5.00 / 1) (#25)
by QuantumG on Thu Sep 04, 2003 at 07:47:23 PM EST

The author solves both these problems. You can check whether your vote was recorded correctly, and the method that you use to check it does not prove that you voted that way.

Gun fire is the sound of freedom.
[ Parent ]
I read the article (4.00 / 2) (#28)
by CaptainSuperBoy on Thu Sep 04, 2003 at 07:54:07 PM EST

Duress button is just too complicated, most targets of coercion won't even know about it or how to use it. Trust me, I write software for a living.

--
jimmysquid.com - I take pictures.
[ Parent ]
You mean they wont read the instructions (3.00 / 1) (#32)
by QuantumG on Thu Sep 04, 2003 at 08:00:33 PM EST

that are on the voting booth, at the time that they're voting. I write software too, btw :)

Gun fire is the sound of freedom.
[ Parent ]
Exactly (3.50 / 2) (#36)
by CaptainSuperBoy on Thu Sep 04, 2003 at 08:10:10 PM EST

Yes, that's what I mean. They didn't read instructions in 2000, and they won't read instructions in 2004.

--
jimmysquid.com - I take pictures.
[ Parent ]
Then no system can help you (4.00 / 1) (#38)
by QuantumG on Thu Sep 04, 2003 at 08:12:20 PM EST

fuckin' americans.

Gun fire is the sound of freedom.
[ Parent ]
um (none / 0) (#46)
by rhyax on Thu Sep 04, 2003 at 08:46:13 PM EST

people aren't familiar with this idea now because it would not be useful, when has your boss told you who to vote for?

why the author even suggests this is to solve a possible problem that may arise. with proof of who one voted for (which we do not have now) people could demand this proof, and hence making fake "proofs" would be useful.

two points:

  1. if people did start attempting to force people to vote in a way opposed to how they would like to vote do you really think the "duress" button wouldn't get enough attention to give people familiarity with it?
  2. even #1 is a moot point because even the existence of a duress button makes the authenticity of any proof card suspect. no one would require you to prove your votes because there is really no way to do so. any proof of your vote relies on absolute trust in the voter, so in effect you can only prove it to yourself, which is the goal.
it's really not that complicated.

[ Parent ]
I don't know why people don't get it (none / 0) (#53)
by QuantumG on Thu Sep 04, 2003 at 08:58:29 PM EST

but then again, maybe the concepts of "proving something" and "verifying something" are too similar in most people's minds.

Gun fire is the sound of freedom.
[ Parent ]
Coercion of votes: a flaw we already live with (5.00 / 1) (#71)
by wiml on Fri Sep 05, 2003 at 05:22:28 AM EST

It's possible to make a simpler system than the one described in the article but which publicly demonstrates the accuracy of the vote count. But anything based on this general principle has the problem that it becomes possible to coerce someone's vote. In the past, this kind of coercion has been a major mechanism for political corruption. So it seems like a significant flaw of the proposed systems.

However, our current system already has this flaw: it's called an absentee ballot. My evil employer, neighborhood mob boss, etc., can simply demand that I vote via absentee ballot and show them the votes before I mail it. Absentee ballots are pretty common. In fact, the state of Oregon has gone completely to absentee ballots; they don't use traditional polling places any more. (I would be interested to know if anyone has tried to get statistics as to how many absentee ballots are coerced.)

Despite this problem I think that verifiable voting systems are a step in the right direction. In order for coercion to have a major effect on the outcomes of the elections, there would have to be widespread, street-level thuggery. This is a lot more work than simply getting one engineer at Diebold to slip a backdoor into the code, or an election worker in Florida to misplace a few boxes.

[ Parent ]

Intriguing. (3.00 / 7) (#15)
by Kasreyn on Thu Sep 04, 2003 at 07:31:26 PM EST

However, two points, one technical, one procedural.

Technical: please explain where you derive this "millions of years" figure for brute-force resistance of this scheme. I'm not a crypto freak, so I don't have the relative time-to-crack of any particular bit depth of encryption memorized.

Procedural: What good is a duress vote button? One would only cast a blackmailed or coerced vote in the way ordered if the blackmailer / coercer were present in the booth, in which case they clearly have such control over the polling place they could disable the duress button! However, if the blackmailer / coercer were not present, one could simply vote one's conscience and lie about how one voted. The situation isn't much different in cases of bribery, except that the briber is less likely to attempt to physically ensure you perform as promised. And, again, the duress button serves no purpose.

Let me restate for clarity: The only way the duress button would serve a purpose would be if there was some sort of method for searching by citizen name and coming up with a publicly-available report on how they voted, which is a fucking horrible, stupid idea which I hope you are not promoting. Without such a system, there cannot be a way for bribers, blackmailers, and coercers to ensure that the votes of their pawns are cast as desired, unless they are physically there with them in the booth, in which case the duress button is useless anyway, as they could see you press it!

Other than that, good job, +1S.


-Kasreyn

P.S. kudos on your poll. Your last option would appear to apply to the vast majority of k5ers these days, so I'm sure it will get lots of votes.


"Extenuating circumstance to be mentioned on Judgement Day:
We never asked to be born in the first place."

R.I.P. Kurt. You will be missed.
The blackmailer could hold a gun to your head (5.00 / 1) (#16)
by simul on Thu Sep 04, 2003 at 07:34:02 PM EST

During verification, later. Especially if verification areas were less secure. Sure, it may not be necessary.... but it is just one more tool the voter has to secure his vote.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Verification? (3.00 / 5) (#17)
by Kasreyn on Thu Sep 04, 2003 at 07:35:56 PM EST

If "verification" involves anyone except the voter himself learning how he voted, then see above, vis-a-vis "fucking horrible, stupid idea".

If at ANY POINT the blackmailer has a chance to learn how you voted, except from your own mouth, then the system has failed, period end of discussion.


-Kasreyn


"Extenuating circumstance to be mentioned on Judgement Day:
We never asked to be born in the first place."

R.I.P. Kurt. You will be missed.
[ Parent ]
I see, you'd need a secure hash. (none / 0) (#20)
by simul on Thu Sep 04, 2003 at 07:40:49 PM EST



Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
hash idea (none / 0) (#24)
by simul on Thu Sep 04, 2003 at 07:46:13 PM EST

A secure hash of the vote, a PIN number and his ID is used to produce a number. The number is used in an index of common, easy to remember words, like "apple" or "banana". The voter remembers this word. The voter can then verify his vote at any time by requesting that an audit server produce the word associated with his vote. Of course, only the voter knows what word that is.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Now we're back at the beginning. (5.00 / 1) (#126)
by Kwil on Fri Sep 05, 2003 at 05:45:31 PM EST

You can't verify that what you wanted to vote is what your voting machine actually voted. All you can verify is that it gave you the word you get from the auditors.. which makes sense. If it changed your vote to Sharpton and gave you the proper index number for Sharpton, when you went to audit it, you'd see the same word that the machine provided.. the one for Sharpton.  Too bad you actually wanted to vote for Dean.

That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze


[ Parent ]
You have to assume the machine itself isn't broken (none / 0) (#250)
by simul on Wed Sep 10, 2003 at 03:00:50 PM EST

That's a ridiculous argument. The point is that the audit servers do the counting and guarantee that the counting is done correctly.

You need to physically secure the machines. You can issue revocable certs to districts, etc. to help ensure accuracy.

That's no different than it is today. A modern machine can corrupt a vote as well. It simply can give you a receipt that differs from your vote.

You can get rid of the duress button. That's fine.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

When you go verify a vote...what did you envision? (none / 0) (#21)
by simul on Thu Sep 04, 2003 at 07:42:40 PM EST



Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
How is that going to make a difference? (5.00 / 2) (#29)
by QuantumG on Thu Sep 04, 2003 at 07:56:10 PM EST

A card that has been generated when the voter has the duress button pressed is indistinguishable from a card that didn't have the duress button pressed. Maybe I need to spell it out. You be the voter, and I'll be the blackmailer:
  1. I contact you and demand that you vote for Al Gore
  2. You go to the voting booth (which is strictly regulated to guarantee your privacy)
  3. You press the duress button
  4. You vote for George W. Bush
  5. The machine prints you a card
  6. You leave the voting booth
  7. You give the card to me
  8. You tell me the pin
  9. I go to the library (or where-ever)
  10. I enter the card
  11. I enter the pin
  12. The machine tells me you voted for George W. Bush
  13. I don't kill your children
  14. You go back to the voting booth
  15. You don't press the duress button
  16. You vote for Al Gore
  17. The machine prints you a card
  18. You burn the card.
I have no way of knowing that you voted for Al Gore, in fact, I'm pretty sure you voted for George W. Bush.

Gun fire is the sound of freedom.
[ Parent ]
oops. (none / 0) (#30)
by QuantumG on Thu Sep 04, 2003 at 07:57:33 PM EST

  1. I contact you and demand that you vote for Al Gore
Should be
  1. I contact you and demand that you vote for George W. Bush
Sorry. I'm not a good blackmailer :)

Gun fire is the sound of freedom.
[ Parent ]
Better scenario (none / 0) (#34)
by CaptainSuperBoy on Thu Sep 04, 2003 at 08:04:27 PM EST

I'm the owner of a huge factory. I tell my 1000 employees that it would be in their best interests to vote for Bush. 995 of them don't know what the fuck a duress button is, don't care that much about the election, and vote for Bush.

--
jimmysquid.com - I take pictures.
[ Parent ]
if they can be easily influenced (5.00 / 1) (#37)
by QuantumG on Thu Sep 04, 2003 at 08:11:40 PM EST

then it's not blackmail now is it. Try to actually address problems that can be solved. And everyone will know what the duress button is because the instructions will be written on the machine.

Gun fire is the sound of freedom.
[ Parent ]
Too bad illiterate people can vote :-P -vlt (none / 0) (#173)
by Kasreyn on Sat Sep 06, 2003 at 11:03:36 AM EST

(not that they often do...)


"Extenuating circumstance to be mentioned on Judgement Day:
We never asked to be born in the first place."

R.I.P. Kurt. You will be missed.
[ Parent ]
works only for extended voting (2.50 / 2) (#47)
by CanSpice on Thu Sep 04, 2003 at 08:50:42 PM EST

This only works if you're allowed to go back and vote. Most countries have voting periods that only last at most a couple of days, so the blackmailer would very easily come find you after voting is closed to verify that you voted the way they want. Then your vote doesn't count, and you can't go back and change it.

[ Parent ]
It was an extended example (none / 0) (#55)
by QuantumG on Thu Sep 04, 2003 at 09:01:03 PM EST

There's no reason why you couldn't vote 10 times, all except once being duress votes and walk out of the booth with 10 cards.

Gun fire is the sound of freedom.
[ Parent ]
At the same time.. (5.00 / 1) (#124)
by Kwil on Fri Sep 05, 2003 at 05:43:09 PM EST

..neither do you know that you voted for Al Gore. You just hope that the duress button wasn't wired the wrong way - ergo, that the machine was working perfectly.

That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze


[ Parent ]
Which is true of existing systems as well (none / 0) (#143)
by simul on Fri Sep 05, 2003 at 07:22:57 PM EST

No better there... you can, for example, make a copy of a key to a locked box, break in and change votes.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Again.. I refer you to the scale.. (none / 0) (#148)
by Kwil on Fri Sep 05, 2003 at 10:32:19 PM EST

You do that to a ballot box, you have one ballot box.

You do that to the voting machine, you have all the ballot boxes.

That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze


[ Parent ]
Did you read the article? (5.00 / 2) (#22)
by QuantumG on Thu Sep 04, 2003 at 07:45:24 PM EST

You get a card which you can use to verify your vote. Your blackmailer can also use this card by demanding that you give him the pin. So the idea of the duress button is that you make the vote your blackmailer wants, whilst pressing the duress button. Then you give him the card and tell him the pin to prove that you made the vote the way he wanted. Your blackmailer has no idea whether or not you pressed the duress button, and he can't find out, so it's impossible for him to know whether or not you did. In effect, the card provides him with no assurance that you voted for who he wanted you to, and therefore the verification card cannot be used for this purpose.

Gun fire is the sound of freedom.
[ Parent ]
Then why give it that function at all, (3.50 / 2) (#26)
by Kasreyn on Thu Sep 04, 2003 at 07:48:32 PM EST

if the duress button makes it impossible to prove? Seems like a useless bit of functionality. Just make it so not even the card holder can find out how he voted. I mean, let's get real here. If you can't remember who you voted for this year, should you really be voting anyway? :-P


-Kasreyn


"Extenuating circumstance to be mentioned on Judgement Day:
We never asked to be born in the first place."

R.I.P. Kurt. You will be missed.
[ Parent ]
Sigh (5.00 / 2) (#27)
by QuantumG on Thu Sep 04, 2003 at 07:50:45 PM EST

The card serves the purpose of allowing the voter to verify their vote, not to prove to someone else who they voted for.

Gun fire is the sound of freedom.
[ Parent ]
Verification (5.00 / 2) (#52)
by thejeff on Thu Sep 04, 2003 at 08:56:41 PM EST

But it doesn't. The voter, like anyone else, can't tell whether the machine recorded the vote normally or as an uncounted duress vote. You assume the machine works properly, only not counting votes if the duress button is pressed, but there's no way for the voter to verify that.

If you're going to assume that the machine is working correctly, why bother verifying?

[ Parent ]

I'll pay that (none / 0) (#54)
by QuantumG on Thu Sep 04, 2003 at 08:59:58 PM EST

yes, quite good.

Gun fire is the sound of freedom.
[ Parent ]
That assumes the machine was compromised (none / 0) (#61)
by simul on Thu Sep 04, 2003 at 11:19:04 PM EST

It always can be... even modern machines can be compromised by spitting out one "verification" slip, and recording another vote.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Compromised (none / 0) (#97)
by thejeff on Fri Sep 05, 2003 at 01:50:05 PM EST

That's why my preferred design prints out the voter's choices, allows him to approve them, then store the hard copy in a sealed box on site for recounting if necessary.

The voter can't verify his vote later, but I've never understood why he'd need to. We can get instantaneous results, which is the only reason I can see for an electronic system, and there's a paper trail for accountability.

[ Parent ]

He needs to because - who has the key to the box? (none / 0) (#142)
by simul on Fri Sep 05, 2003 at 07:21:29 PM EST



Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Also (4.50 / 6) (#39)
by CaptainSuperBoy on Thu Sep 04, 2003 at 08:13:35 PM EST

I have to point out that the poll seems a little too much like "have you stopped beating your wife?"

--
jimmysquid.com - I take pictures.
why's that? (5.00 / 1) (#40)
by QuantumG on Thu Sep 04, 2003 at 08:19:15 PM EST

You're not actually trying to suggest that any current voting system is secure or verifiable are you?

Gun fire is the sound of freedom.
[ Parent ]
Here's a better system: (4.60 / 5) (#42)
by JahToasted on Thu Sep 04, 2003 at 08:32:54 PM EST

Paper ballot and a pencil. And a whole lot of people to monitor the counting to make sure its on the level.

KISS.
______
"I wanna have my kicks before the whole shithouse goes up in flames" -- Jim Morrison

and no form of voter verification (4.00 / 1) (#45)
by QuantumG on Thu Sep 04, 2003 at 08:45:36 PM EST

thus the point of the article

Gun fire is the sound of freedom.
[ Parent ]
Your system (none / 0) (#57)
by JahToasted on Thu Sep 04, 2003 at 10:09:27 PM EST

just prints out a paper. So what? If the machine is rigged it can print out any damn thing it wants while storing the real vote differently. So it makes no difference.
______
"I wanna have my kicks before the whole shithouse goes up in flames" -- Jim Morrison
[ Parent ]
it's open to inspection (none / 0) (#58)
by QuantumG on Thu Sep 04, 2003 at 10:28:28 PM EST

You can see the full workings of it. That's one of the requirements of democracy.

Gun fire is the sound of freedom.
[ Parent ]
Not quite.. (none / 0) (#64)
by Kwil on Fri Sep 05, 2003 at 12:26:21 AM EST

You can see the full workings of what they say went into the voting machine.

What actually did may be an entirely different story, and somehow I doubt they'll let you fiddle with the source on voting day.

That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze


[ Parent ]
inspect what? (none / 0) (#65)
by JahToasted on Fri Sep 05, 2003 at 12:31:02 AM EST

How do I inspect which bits are stored on the hard drive?

There aren't many people skilled enough with hacking electronics to be able to inspect every machine.

With the pencil and paper system anyone can see how it works, understand it, and be able to tell if it's working correctly or not. Every party can have inspectors in every polling station.

I understand your system in theory, but I have no idea how I would tell the difference between a rigged machine and an honest machine. Very few people have that skill, and even for those that do, it would take days to verify that any given machine is not rigged.
______
"I wanna have my kicks before the whole shithouse goes up in flames" -- Jim Morrison
[ Parent ]

Voter verifiable, perhaps, but not satisfactory (3.50 / 2) (#43)
by X3nocide on Thu Sep 04, 2003 at 08:38:03 PM EST

Your proposed system, using public key encryption, certainly attempts to address the security of a vote from tampering, but it appears to completely neglect the possibility of coercion/vote selling. This is, after all, why we even bother with a secret ballot. The secret ballot is not a constitutional guarantee, nor a tradition the nation grew up with. The "Australian" ballot came to the states in the 1890s.

Any voting system trying to replace or improve the modern American voting system has to address two core issues: secrecy, and accountability.  Often these two are conflicting with each other. Votes can be accurately counted in a public manner, but that leads to easy influence; if you can tell how a person voted, you can tell them you'll pay them after you see them vote the way you want on an issue. So to combat the kind of political machines like Tammany Hall and the Pendergast system, we try to sever the link between a person and their voting record. And if you thought Boss Tweed was bad (ok, so you probably don't even remember about him), today's voting turnout means votes on wholesale prices.

Finally, storing the votes in electronic form is dangerous. If doubt is cast upon some element of the chain, doing a hand recount would be difficult; neither you nor I know how to visually inspect a bit. The solution to all these problems is a scantron-like system. Reasonably simple to view and understand, and with a tear-away id, you can keep track of votes issued without maintaining a permanent link between the voter and the vote.

pwnguin.net

again, the article addressed both points (5.00 / 1) (#44)
by QuantumG on Thu Sep 04, 2003 at 08:45:08 PM EST

please try reading it.

Gun fire is the sound of freedom.
[ Parent ]
Doh (none / 0) (#48)
by X3nocide on Thu Sep 04, 2003 at 08:50:55 PM EST

Maybe I missed it, or maybe it was added during editing, but the Duress button appears to at least confront the issue of coercion. Whether people will use it, abuse it or if it meshes with current law is another problem. But I'm all spent on rants for now.

pwnguin.net
[ Parent ]
Too late (none / 0) (#107)
by dipierro on Fri Sep 05, 2003 at 04:53:13 PM EST

Votes can be accurately counted in a public manner, but that leads to easy influence; if you can tell how a person voted, you can tell them you'll pay them after you see them vote the way you want on an issue.

This is already possible within the current system, using the absentee ballot.



[ Parent ]
HMMM!M!!! (2.87 / 8) (#51)
by Hide The Hamster on Thu Sep 04, 2003 at 08:55:32 PM EST

Was this a SlashDot-inspired article?!


Free spirits are a liability.

August 8, 2004: "it certainly is" and I had engaged in a homosexual tryst.

Nope. (none / 0) (#60)
by simul on Thu Sep 04, 2003 at 11:16:38 PM EST



Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Forget the duress button (4.71 / 7) (#56)
by QuantumG on Thu Sep 04, 2003 at 09:24:32 PM EST

So far you've outlined a pretty good system. You really should have stated what the problems are that we want to solve. Obviously we want a secure and accurate system. Some would say that we already have such voting systems. The new "feature" that we want our voting system to supply is voter verification. A voter should be able to verify that their vote was recorded correctly. The solution you've proposed to this problem is a card imprinted with a 512-bit random number which can be used to lookup the recorded vote in a database. This solution introduces new problems:
  • Anyone who finds the card can see who I voted for
  • Someone can demand to see the card as proof of who I voted for
To solve the first problem you have introduced a pin number that the voter chooses in the booth. This does not solve the second problem however, because clearly if someone can demand the card from you then they can demand the pin number also. To solve the second problem you have introduced the "duress button". A number of people have already suggested that this is too complicated, and I now agree. The duress button allows the voter to create "fake proof" of a particular vote. If they are pressing the duress button whilst casting their vote then the vote is not counted but anyone using the card is unable to tell this. Unfortunately, this solution is not only complicated, but it actually undoes the solution the card was supposed to be! If it is not possible to verify that the vote was made under duress then what good is verification anyway?

I propose a simpler solution. The introduction of a pin number is a good one. What is not good is the assumed response of the verification machine to an incorrect pin. Assumably the verification machine would present the user with an error message "Incorrect pin" or something similar. If I am being demanded to turn over my card and pin, this forces me to turn over the correct pin! A better solution is to have the verification machine return a deterministic random response to an incorrect pin. So if you put my card into the verification machine and enter the incorrect pin 5187, it will say I voted for candidate 1 (consistently). If you enter the incorrect pin 4211, it may say I voted for candidate 2 (consistently). So to foil he who is demanding my card, I need only go to the verification machine and try some random pin numbers until I find one that returns the candidate which he who is demanding the card assumably wanted me to vote for. I need do nothing in advance (like pressing the duress button), although, if the voting machine can serve as a verification machine, I can.

Gun fire is the sound of freedom.

Won't work (2.00 / 1) (#77)
by mcherm on Fri Sep 05, 2003 at 08:16:17 AM EST

I go to the polls and vote, specifying my preferred candidate for each of 17 different positions (from federal President to local dog catcher), and on 4 different "voter propositions". Then a few minutes after I walk out, the local Mob tough corners me in an alley and demands "Did you vote like I told ya'? Show me da card!".

What exactly am I supposed to say to him? The duress button is a way of solving THIS problem.

-- Michael Chermside
[ Parent ]

You say "yes" (none / 0) (#101)
by QuantumG on Fri Sep 05, 2003 at 04:05:11 PM EST

You give him the card and he demands the pin number. You tell him any pin number that happens to return the values that he desires. It has the same effect as the duress button -- the card cannot be used to prove who you voted for.

Gun fire is the sound of freedom.
[ Parent ]
So exactly how long.. (none / 0) (#111)
by Kwil on Fri Sep 05, 2003 at 05:22:53 PM EST

..are you in the voting booth figuring out the one number that gives all 21 issues this guy is looking for?  It obviously has to be just one number because it's supposedly your pin, right?  So let's see.. out of 21 possibilities, each one with between two and six candidates, and assuming it takes on average two seconds to type in a number, get the results, make sure they're all what the guy wanted..

You think you'll be done by the time the voting booth closes?

That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze


[ Parent ]
That could be solved (none / 0) (#118)
by dipierro on Fri Sep 05, 2003 at 05:31:35 PM EST

by having the computer figure out the pin for you.

[ Parent ]
Oo! A good solution! (none / 0) (#151)
by Kwil on Fri Sep 05, 2003 at 11:31:30 PM EST

Okay.. I can see how this would work.

Enter the voting booth, enter your UID card, get your PIN.
Enter your PIN & vote on the various positions/issues.
Then, if being coerced, you enter another ballot after which you are provided with another PIN, that, when connected to your UID, returns the results of the fake ballot.
When leaving, you provide the fake PIN to Guido with his blackjack who's waiting for you outside. He can enter your UID and the PIN in any "user audit" machine and see that you apparently voted for whoever he wanted.
Meanwhile, since you have the real PIN -- the one given to you before you voted -- you can still perform your own check to verify that who you thought you voted for was who you were recorded as voting for.

The typical user only has to remember one PIN, the person being coerced has to remember their own plus a fake, not too much extra effort.

And the entire system is open source, so can be verified independently. Not bad.

Some technical issues are still present, such as, since it's open source, we have to make sure that the guy with the blackjack cannot use the source code to determine if the PIN he got handed was a fake one. This might be one of those Hard Problems. Also, the PIN numbers might have to be of a horrendous size, but that's something that can be handled with a printer. Beyond that though at least it doesn't have any basic methodology holes. It allows the voter to lie about what they voted, but still trust that what gets counted is what they actually intended.

Nicely done.

That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze


[ Parent ]
no (none / 0) (#155)
by dipierro on Fri Sep 05, 2003 at 11:43:28 PM EST

Meanwhile, since you have the real PIN -- the one given to you before you voted -- you can still perform your own check to verify that who you thought you voted for was who you were recorded as voting for.

I fail to see how you can do that. Where are the actual votes recorded? How do they get counted? Somewhere there has to be a list of real votes, not encrypted hashes.



[ Parent ]
Hmm.. (none / 0) (#163)
by Kwil on Sat Sep 06, 2003 at 03:45:39 AM EST

Where are the actual votes recorded? How do they get counted?

See the article for answers to these questions.

That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze


[ Parent ]
UID is the wrong acronym (none / 0) (#184)
by QuantumG on Sun Sep 07, 2003 at 12:13:17 AM EST

UID stands for "user identifier".. which is clearly not a desirable number for a voting system (search by UID, determine who I voted for == bad). VID would be better for "vote identifier".. which is a random number generated at the time of voting.

Gun fire is the sound of freedom.
[ Parent ]
UID + PIN (none / 0) (#185)
by Kwil on Sun Sep 07, 2003 at 12:44:45 AM EST

And I guess the PIN is what I consider to be your vote identifier.

UID is what you have to identify who you are to the system. PIN is what you get just before voting, to identify your particular vote securely within the system.

To find out who someone voted for, you need both the UID and the proper PIN.
With the wrong UID, you don't get any results (unless it happens to be the UID of someone else); with the wrong PIN, you get bogus results.

Of course, one thing I keep coming back to in my head is the difference between your legit PIN (which you get before voting) and the fake PINs, which are generated after a fake vote. There's a problem here.

Because the system is all open source, this means that fake votes must either be stored on the audit servers, or the audit servers must be able to generate fake ballots given a UID and fake PIN.  We can't put this system in the terminal because it's open source, and our coercive person could create his own terminal that doesn't have the generating system.

But if fake ballots are stored on the audit servers and just not counted come counting time, we're back to the duress button problem. What if your voting machine is recording all the votes as fake, or at least a percentage of the votes that happen to be for the person you voted for?

If, on the other hand, audit servers don't store them, then they have to generate them. But since they're open source, we'd be able to see the generation code. A competent coercive person would then be able to create a program that examines the UID, ballot, and PIN, and point out whether the PIN is likely a fake. (I say likely, because your coercive person would not be able to say with 100% certainty that the fake pin to match their desired votes didn't just happen to be your real PIN as well .. but it'd be close enough to sure to do you no good.)

Damn.. I was hopeful that there may be something here. On further thought though, I don't think so. The same old problems keep coming up.

That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze


[ Parent ]
no, you missed my point (none / 0) (#186)
by QuantumG on Sun Sep 07, 2003 at 12:48:28 AM EST

The only UID in the system is the driver's license or other piece of identification you use to register yourself as having voted. When you go to the booth, the machine generates a random number that is printed on the card. It's this number that you use to lookup your vote with (the PIN merely protects this operation from unauthorized users of the card).

Gun fire is the sound of freedom.
[ Parent ]
Ah. Okay.. (none / 0) (#189)
by Kwil on Sun Sep 07, 2003 at 01:54:25 AM EST

..I was conflating the PIN and the VIN, as the article assumed your identity was already properly checked with your card when going into the booth.

That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze


[ Parent ]
You could use proxies (none / 0) (#187)
by QuantumG on Sun Sep 07, 2003 at 12:52:44 AM EST

Verification clients can only communicate with the proxies and the proxies communicate with the authentication servers. The proxies have the duty of serving authenticated requests and giving fake replies to unauthenticated requests. The proxy would have to be careful to avoid timing attacks (by waiting the same amount of time regardless of whether a real request or a fake request is being serviced). And the problem of being able to determine whether or not the pin is fake is easily solved by seeding the pin + vid hash with a random seed that is not available to any attacker (i.e., it's securely stored in the proxy).

Gun fire is the sound of freedom.
[ Parent ]
and I can add to this (none / 0) (#188)
by QuantumG on Sun Sep 07, 2003 at 01:10:50 AM EST

If you want a UID in the system, it has to be a separate server to the proxy. Let's imagine a vote-for-president-on-the-internet system.
  1. The voter goes to their usual place to register to vote. There they are issued with a user identifier (UID), on a smart card or whatever.
  2. On election day, the voter connects to a voter authentication server (VAS) using their home PC and presents their UID
  3. The VAS issues a vote authentication token (VAT) that the voter's PC stores for later use
  4. The voter connects to the voting server (VS), where they are presented with the candidates (and an area to "write in" a candidate) from which the voter makes a selection
  5. Having completed their selection the voter presents the VS with their VAT
  6. The VS generates a random vote identification number (VIT) which it presents to the voter
  7. The voter supplies the VS with a personal authorization number (which for historical reasons we'll call a PIN)
  8. The VS lodges the vote along with the VIT and the PIN to a voting proxy (VP)
  9. The VP lodges the vote with the many vote counting servers (VCSs)
To verify the vote:
  1. The voter connects to a VP
  2. The voter presents the VP with a VIT and a valid PIN
  3. The VP validates the PIN to the VIT
  4. assuming it matches; the VP requests the vote for the VIT from the many VCSs.
  5. The VP presents the vote to the voter
  6. should the PIN not match the VIT; the VP calculates a vote based on a hash of the VIT, the PIN, and a seed value chosen randomly at the start of voting
  7. The fake vote is reported to the user
The biggest problem I can see with the problem is that the voters are going to incorrectly remember their PIN and then get upset when they see a vote that wasn't what they voted (as one would expect). This can actually be solved by outright refusing a percentage of PINs such that an incorrectly remembered PIN will often be rejected. It also means that the thugs or whoever who are coercing votes will be more likely to accept the PIN you give them as being the correct one.

Gun fire is the sound of freedom.
[ Parent ]
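As an added example (not code from the thread), here is how the voting proxy described in the two QuantumG comments above could be built: a single secret seed kept inside the proxy, as in #187, makes the wrong-PIN answer of #56 consistent for a given VIT and PIN yet uncomputable by anyone who only has the open source, and the PIN-refusal idea in the last paragraph is applied both when the vote is lodged and when it is looked up. The class, the three-candidate ballot, the 25% reject fraction and the in-memory vote store (standing in for the VCSs) are all constructed for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample ballot for the example; not from the thread.
CANDIDATES = ["Alice", "Bob", "Carol"]


class VotingProxy:
    """Hypothetical voting proxy (VP) modelled on comment #188.

    It stores lodged votes (standing in for the many VCSs), accepts a vote
    only if the chosen PIN falls in the allowed fraction of PIN space, and
    answers every (VIT, PIN) lookup with a vote: the real one when the PIN
    matches, otherwise a deterministic fake derived from the secret seed.
    """

    def __init__(self, candidates, reject_fraction: float = 0.25):
        self.candidates = list(candidates)
        self.reject_fraction = reject_fraction
        # Secret seed held only by the proxy (comment #187): without it no
        # one can recompute which (PIN, vote) pairs are fakes, even with the
        # source code in hand.
        self._seed = secrets.token_bytes(32)
        self._votes: Dict[str, tuple] = {}  # VIT -> (pin_tag, candidate idx)

    def _prf(self, label: bytes, vit: str, pin: str) -> bytes:
        # Keyed hash of (label, VIT, PIN) under the secret seed.
        msg = b"|".join([label, vit.encode(), pin.encode()])
        return hmac.new(self._seed, msg, hashlib.sha256).digest()

    def pin_allowed(self, vit: str, pin: str) -> bool:
        """Deterministically refuse a fraction of all PINs for this VIT so a
        mistyped PIN is usually rejected instead of answered with a fake."""
        h = self._prf(b"allow", vit, pin)
        return int.from_bytes(h[:4], "big") / 2**32 >= self.reject_fraction

    def issue_vit(self) -> str:
        """Step 6: a random vote identification number for the voter."""
        return secrets.token_hex(16)

    def lodge(self, vit: str, pin: str, candidate: str) -> bool:
        """Steps 7-9: store the vote under VIT with a tag of the chosen PIN.
        Returns False when the PIN is refused and the voter must pick another,
        or when the VIT has already been used."""
        if vit in self._votes or not self.pin_allowed(vit, pin):
            return False
        tag = self._prf(b"tag", vit, pin)
        self._votes[vit] = (tag, self.candidates.index(candidate))
        return True

    def fake_vote(self, vit: str, pin: str) -> str:
        """Verification step 6: a consistent fake from hash(VIT, PIN, seed)."""
        h = self._prf(b"fake", vit, pin)
        return self.candidates[int.from_bytes(h[:8], "big") % len(self.candidates)]

    def verify(self, vit: str, pin: str) -> Optional[str]:
        """Verification steps 2-7. Returns None for an unknown VIT or a
        refused PIN. The real and the fake answer are both computed on every
        call so response time does not reveal which one was returned."""
        if vit not in self._votes or not self.pin_allowed(vit, pin):
            return None
        stored_tag, idx = self._votes[vit]
        real = self.candidates[idx]
        fake = self.fake_vote(vit, pin)
        matches = hmac.compare_digest(stored_tag, self._prf(b"tag", vit, pin))
        return real if matches else fake

    def tally(self) -> Dict[str, int]:
        """Count only lodged votes; fake PINs never add a vote."""
        counts = {c: 0 for c in self.candidates}
        for _, idx in self._votes.values():
            counts[self.candidates[idx]] += 1
        return counts
```

A lookup here only confirms what the proxy stored, not what the terminal sent to it, which is the gap the rest of the thread keeps returning to.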
"Duress" problem. (none / 0) (#190)
by Kwil on Sun Sep 07, 2003 at 02:03:11 AM EST

The user can not be sure if his vote is getting passed to the VCSs or not. OSS on the VPs is no protection because, as always, we cannot be sure that what is said to be loaded on the VPs is actually what is loaded. This is really just extending my "storage" problem to an external database that you must first go through before getting to the real votes.

That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze


[ Parent ]
Internet? (none / 0) (#206)
by thejeff on Sun Sep 07, 2003 at 05:39:04 PM EST

If you're going to have a vote over the Internet system, don't even waste your time with complex ways to allow verification. The guy bribing or coercing you can be standing over you as you cast your vote. No need to verify later.

The only way I can see to fix that is to allow you to change your vote at will throughout the voting period.

[ Parent ]

Computers are good at searching things like that (none / 0) (#183)
by QuantumG on Sun Sep 07, 2003 at 12:08:56 AM EST

Which means you can just select those that you want and say "generate me a pin"..

Gun fire is the sound of freedom.
[ Parent ]
The problem (none / 0) (#116)
by dipierro on Fri Sep 05, 2003 at 05:30:15 PM EST

What if the blackmailer tells you what pin to use :)

[ Parent ]
Verifiability (none / 0) (#244)
by PurpleBob on Tue Sep 09, 2003 at 08:08:38 PM EST

In your system, how do you verify that your UIN is a real UIN? The system could be giving every tenth candidate who votes for candidate X the fake UIN that means "I voted for candidate X".

In the end, it's the same effect as if you could cast a vote and press the duress button. If there's a way to unverifiably create a fake vote, then almost by definition, there is no way to verify that your own vote is real.

I believe that verifiability and coercion are inseparable.

[ Parent ]

Tap dat ass (4.40 / 5) (#59)
by Fredrick Doulton on Thu Sep 04, 2003 at 10:55:44 PM EST

Who was it who said that the result of an election is not in the hands of voters, but in the hands of those who count the votes? Any proposed system needs to be secure enough that it cannot be tampered from within. As long as the current system allows for simple access to a Microsoft database, our next election will be a lost cause.

~insert Liberal whining here~

Bush/Cheney 2004! - "Because we've still got more people to kill"

Stalin (none / 0) (#63)
by QuantumG on Thu Sep 04, 2003 at 11:51:49 PM EST

although some folks don't believe he ever did.

Gun fire is the sound of freedom.
[ Parent ]
William "Boss" Tweed (none / 0) (#70)
by wiml on Fri Sep 05, 2003 at 05:10:09 AM EST

"As long as I count the votes, what are you going to do about it?"

The election in question being in New York City in 1871.

[ Parent ]
So what's your point? (none / 0) (#78)
by mcherm on Fri Sep 05, 2003 at 08:20:59 AM EST

The solution that the article proposes is one of the ONLY practical solutions I have ever heard which would PROTECT against fraud by those who count the votes. If we had a system where citizens could verify that their votes had been included (correctly) in the totals, then it would prevent many types of election fraud. It would not prevent "phantom votes" (although observation of the polls (just counting people going in and out) can help with that), but it WILL prevent cases of simple mis-counting, because those who try it will get caught!

Of course NO voting system can protect against a judge declaring who won without regard for the number of votes cast.

-- Michael Chermside
[ Parent ]

Hello (3.50 / 4) (#66)
by fae on Fri Sep 05, 2003 at 02:22:27 AM EST

I have the unbeatable method of circumventing any voting system, allowing me to cast as many votes as I want. It's legitimate too.

It relies on a fundamental fault in democracy where all people are given votes. So, I simply have to create more minions.

-- fae: but an atom in the great mass of humanity

More on the system... (4.00 / 2) (#67)
by SwampGas on Fri Sep 05, 2003 at 03:21:20 AM EST

I don't like the idea of the card.  It's a neat concept, but it seems complicated to someone like my mom.

I'd like to see a printer attached to the system which keeps a paper document of the votes.  Obviously it would be hidden behind the system and inaccessible to anyone except the appropriate people.  Because of the noise of a dot matrix printer it'd be easy for the supervisors/assistants to know when a person does something (similar to the beep the current machines make).  At the closing of the polls the appropriate people can compare the printout to the records on the computer.  If they match, turn it in as official.  If there's a discrepancy you'll have to go back and audit each vote by hand until you find the screw up.

I don't believe the election should be that dissimilar from the current system.  Through the use of GnuPG the appropriate people can email the voting transcript to the people they'd normally turn the ballot box in to.  Those people can send it on to whomever they normally send the votes to.

The problem seems to be EDUCATION.  These are the 60/70 year old ladies from the Legion doing this.  They don't know how to handle this stuff.

Who are the "appropriate people" (none / 0) (#84)
by simul on Fri Sep 05, 2003 at 08:59:36 AM EST

Why do I have to trust them?

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Paranoid ignoramus (none / 0) (#131)
by SwampGas on Fri Sep 05, 2003 at 05:56:05 PM EST

...the same people who run the voting system now.  Duh.

[ Parent ]
LOL (none / 0) (#176)
by simul on Sat Sep 06, 2003 at 11:25:51 AM EST

The purpose of the system is to take power away from the ballot-stuffing politicians and election manipulators. The system could be used in places, like Argentina and Florida, that have had major problems with trust in the election process.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
What happens at the voting machine? (4.75 / 4) (#68)
by Kwil on Fri Sep 05, 2003 at 04:02:29 AM EST

Okay, so let me see if I understand this.. you've got all this auditing stuff to make sure that the votes that reach the audit places don't get messed with along the way.

But you don't have anything to make sure that the vote, when cast, doesn't get flipped before going off to the audit places, and gives the person a wrong report.  Saying that the software must be open source really doesn't do anything on voting day, as there's nothing to say that what's released as open source is what's actually installed on the terminal you vote on.

To deal with this you've got the idea of the user contacting the auditing centre to find out what their vote really comes through as. Which brings us to the duress button. Which invalidates verification because you can never tell if your vote was recorded as "duress" or not.

So you drop that and instead go to your apple/banana system. Except now we're back to the original problem. If the voting terminal is compromised, it can tell the person the wrong number. The person can't properly verify because when he enters his UID, it produces the number he expects, but not the one that corresponds to what he wanted his vote to be.. but of course our voter doesn't know that.

If you disassociate the vote from the user, you can be compromised at the voting terminal without any way for the user to detect it.  However, if you associate the vote with the user, you run into problems of voting not being properly secret.

This is not a problem you can get around digitally. The only way to avoid it is to have the counted vote be a permanent record that the user makes, that does not record any identifying information of the user. If the record is not permanent, it is prone to tampering. If the record is permanent, but it's not the user who can actually verify what it says before it gets counted, you can be compromised at the voting booth. If the record is permanent, the user can verify it, but it's not the record actually used in the counting, then it's meaningless.

That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze


You have voter verification. (none / 0) (#83)
by simul on Fri Sep 05, 2003 at 08:59:02 AM EST

A voter can log on to the audit server run by his favorite party and verify his vote.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Yes..now read the rest of my message. (none / 0) (#93)
by Kwil on Fri Sep 05, 2003 at 12:40:02 PM EST

Voter verification only works in the instance where the voter can identify his particular vote as being for a particular candidate.  But if he can identify his particular vote for a particular candidate, so can someone else.

Someone else being able to identify your vote is bad.

That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze


[ Parent ]
explain (none / 0) (#106)
by dipierro on Fri Sep 05, 2003 at 04:45:59 PM EST

Someone else being able to identify your vote is bad.

Why?



[ Parent ]
Covered in many other threads.. (none / 0) (#110)
by Kwil on Fri Sep 05, 2003 at 05:08:22 PM EST

.. though as I remember you as being rather pedantic, perhaps I should have been more specific and said "Someone being able to identify that a vote is yours and who you voted for is bad," because it opens up the option of personal blackmail or threats being used to sway your vote.

That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze


[ Parent ]
That's a stupid reason (none / 0) (#113)
by dipierro on Fri Sep 05, 2003 at 05:27:02 PM EST

not to be able to identify that a vote is yours.

[ Parent ]
No such thing as permanent record (none / 0) (#86)
by simul on Fri Sep 05, 2003 at 09:32:57 AM EST

Paper is more easily tampered with than this system .... because of the audit servers...

What's shocking to me is the number of people out there that believe that it's somehow "hard" to tamper with "paper".

I could forge 1000 ballots on my Epson Stylus in a weekend for the cost of some ink and paper. If I compromised the right person with bribery, threats and blackmail, I could then get a few volunteers to drop it in a "locked" ballot box using a duplicate key.

It's not that hard. It's been done over, and over and over.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

True enough. But compare scales. (none / 0) (#94)
by Kwil on Fri Sep 05, 2003 at 12:42:23 PM EST

So now you've managed to do one ballot box.

Alter the program that goes into the voting terminals and you manage to do all the ballot boxes.

That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze


[ Parent ]
The 'duress' feature breaks the entire system.. (none / 0) (#191)
by zcat on Sun Sep 07, 2003 at 04:46:32 AM EST

So what if one of the buttons for a candidate is hard-wired to the 'duress' button.. you voted for that candidate, there's nothing in the record to suggest you -didn't- vote for that candidate, but none of those votes count.

How do you avoid that without invalidating the function of a 'duress' button?

Well, that would be obvious in the final count.. but what if somewhere in the hardware or software, one in five votes for a particular candidate were marked as 'duress' automatically.

Alternatively; what makes you think that someone who's happy to sell their vote will press the 'duress' button anyhow.. they don't know for certain that it won't be detectable, so if they do press it they -might- not get paid later. If they only bothered to turn up for the bribe, perhaps they don't even care who wins?


[ Parent ]

+1 FP to promote discussion.. (4.66 / 3) (#69)
by zcat on Fri Sep 05, 2003 at 05:09:16 AM EST

I thought up most of this about a year ago, got some feedback, improved the idea..

http://zcat.wired.net.nz/evote/

The 'duress' thing is a huge loophole which makes everything else invalid. The entire point of the system is that people will know if their vote was counted or not. I assume most people will already know if they were coerced or not.

I've since decided for myself that the most scalable, transparent and trustworthy solution is still a printed record of votes, confirmed at the poll by voters, hand-counted by volunteers, and watched by representatives of all involved parties.

There are probably many excellent and untamperable cryptographic solutions, but none can be immediately understood and accepted as 'legit' by the ordinary voter the way a properly handled paper-trail can.

Multiple audit servers run by many organizations (none / 0) (#82)
by simul on Fri Sep 05, 2003 at 08:57:56 AM EST

Greens run one server, Repubs run another, several are run by universities, and one is run by the FEC, etc, etc.

You need to make it so that the audit servers are run by dozens of well known organizations.

If they *all agree* on the vote... then you've got trust.

It's just like your "representatives watching the whole thing" idea.... except it scales better... that's all.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

You can only trust that they all received.. (5.00 / 1) (#115)
by Kwil on Fri Sep 05, 2003 at 05:29:23 PM EST

..the same thing.

You still don't have trust that what they received is actually what you voted, unless you make it personally identifiable and understandable. In which case, you open the process up to coercion.

The duress button, as stated, makes it impossible to tell whether you're actually seeing your real vote, or just a duress vote.

The index number giving a word idea leaves us back at the point where we can't tell whether what the auditing servers received is actually what we wanted to vote. If I understand it correctly, you put in your PIN and you get back the word that the voting machine originally gave you. Except we don't know if that word was an accurate reflection of who you wanted to vote for.

That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze


[ Parent ]
you can verify it on your own PC (none / 0) (#119)
by simul on Fri Sep 05, 2003 at 05:32:35 PM EST

as long as you have the ID card, the PIN and the dictionary... all open source.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Which gets us back to the secrecy problem.. (none / 0) (#149)
by Kwil on Fri Sep 05, 2003 at 11:14:37 PM EST

..if you can later use your ID card and PIN to produce the word, and you have open source software that tells you what word is a result of your PIN being hashed with your ID and vote, someone else can then come and use the same method.

This is what I keep trying to get at. If you're able to verify that you produced a specific vote in any way after the fact, then so can someone else -- this is the secrecy problem.

At the same time, if you're not able to verify who produced what in any way after the fact, then unless the voter himself is able to verify that his vote is put directly and properly into the counting pool, and is not changed before counting, you have a non-trusted system.

Paper and locked/secure ballot-boxes and counting procedures handle these for the most part. Yes, they can be subverted, anything can. But the issue is the scale on which the subversion happens.  With ballot boxes, the effort to subvert more than just a small portion of the vote rises significantly with the number. With digital approaches, the entire process can be subverted.

Now, there is a suggestion on here by QuantumG and dipierro which might work: that of being able to enter your vote first, and afterward enter additional ballots that would each provide you with a fake PIN, which, when checked with your UID, would provide whatever results those additional ballots had on them. So long as you are only assigned your PIN once you get into the secure voting booth (and can not choose or modify it in any way) this idea has some merit as a system that handles the secrecy problem while remaining verifiable.

That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze


[ Parent ]
Printed Records (none / 0) (#98)
by Rich0 on Fri Sep 05, 2003 at 02:46:35 PM EST

I think the printed record is essential, but I think that a side-record which is tallied by the computer electronically is perfectly fine as well.

The election outputs two sets of results - 100 tons of paper and a spreadsheet of numbers. You use the numbers on the 9PM news. You then take some percentage of the precincts and do a 100% audit of the paper against the spreadsheets. If they come up fine, the results are certified unless somebody shows cause why they shouldn't be.

In the event of discrepancies the paper logs are authoritative (make sure the voters get to see them while they're in the booth).

It is easy to implement and gives you the best of both worlds.  Plus any idiot can see how it works - it is the same as paper ballots except you have a computer printing the paper and keeping an unofficial count.

[ Parent ]

-1, who do you think you are? (4.00 / 1) (#72)
by Vs on Fri Sep 05, 2003 at 05:32:17 AM EST

Okay, maybe the subject is a little bit exaggerated, but I flipped when I saw that you don't mention anything on current voting mechanisms, and what experts like R. Mercuri and comp.risks have to say about this.

That's not saying that there might not be some valid points in your article, though.

[I probably should post this as Editorial, but I fear this story is going to make it, so the links could be useful.]
--
Where are the immoderate submissions?

Modesty (2.66 / 3) (#73)
by nebbish on Fri Sep 05, 2003 at 05:59:50 AM EST

This is a high-level description

Immodesty is unattractive.

---------
Kicking someone in the head is like punching them in the foot - Bruce Lee

The Right Solution To The Wrong Problem (5.00 / 11) (#74)
by the trinidad kid on Fri Sep 05, 2003 at 06:05:48 AM EST

It is trivial but true that the defining characteristic of a democratic system is not voting (everyone does that) it is counting.

It is also trivial but true that the defining characteristic of an election count in a democracy is not that it identifies the winner (everyone does that too) but that the losers accept the result.

I am a pol back in Scotland and have stood for election so I will explain election day procedures in the UK.

The electoral register is a public document, the candidate (or their rep) can get it on paper (or electronically) and can check who is on it. They can add new electors or challenge existing ones.

On election day the candidate's rep gets to check the seals on the ballot boxes before the polling station opens. Election monitors can count people going into and out of the polling station and can ask for a % turnout figure at each polling station at any time.

After the polling day ends a final turnout is given.

The boxes are collected and taken to a central counting room. The candidate's reps can inspect the seals to ensure that they haven't been tampered with.

The ballot papers are then counted - not sorted and counted - just counted. That turnout is released by box - which must tally with the polling room figure.

After that the papers are sorted in public and then counted. Candidates' representatives are able to do box sampling (what we call a box out or box count) and can usually accurately predict the final result in advance. Disputed ballots (blank, incorrectly filled in, multiple votes) are ruled in or out after consultation with the candidate's representatives.

There are parallel transparent systems for counting postal votes.

The beauty of this system is that
  • any candidate (the proverbial 2 men and a dog) can participate fully in the count
  • the counting procedures and safeguards are comprehensible to everyone
The consequence of this is that it is clear and demonstrable to everyone that the losers have lost.

This may seem an arcane point, but here in the UK we have Nazi parties that run for election and have had a little success in local government (their latest is today). The BNP ran as a suppressed party at the 2001 General Election painting themselves as the victims of a witch hunt.

Your proposal would make it very difficult for me (were I ever to have the misfortune to have to defeat a Nazi candidate) to demonstrate to the man in the street that that candidate lost. The message "they introduced electronic counting to rig the election" cannot be rebutted by burbling on about public key encryption and cryptographically sparse keys.

Electronic voting is the right solution to the wrong problem.

Yes, that's a necessary conversation... (none / 0) (#80)
by simul on Fri Sep 05, 2003 at 08:51:23 AM EST

Good site: http://www.electionmethods.org/

I'm a member of the AAV http://www.approvalvoting.com and I pass out flyers and speak to members on the charter revision council in New York - whenever possible.

Thing is, we need a secure voting system *as well as* a change in election. And most Americans, right now, recognize the former... not the latter.

I am very content to make what progress I can. And I always have several nonpartisan proposals in my pocket when talking to civil leaders. Approval Voting and Condorcet are the bigger pie.

We can't have them, however, without the trust of the voter.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

I do address counting... explicitly (4.00 / 1) (#81)
by simul on Fri Sep 05, 2003 at 08:53:55 AM EST

Each audit server counts separately and is run by a separate organization.

Let's say the greens run one server, and the Demos run one, and the Republicans run one, and several are run by universities, etc.

If they *all agree* on the count.... then the vote is valid.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

The Right Answer To The Wrong Question (none / 0) (#88)
by the trinidad kid on Fri Sep 05, 2003 at 11:15:20 AM EST

Yes, you do address counting, and I am sure that your counting system is formally correct.

What I can't do is be sure that I can explain your counting system in such clear terms as to totally refute the suggestion that it is rigged.

The core requirement is that the losers unambiguously accept (and are accepted) to have lost.

[ Parent ]
Right Comment to the Wrong Article (none / 0) (#89)
by Rasman on Fri Sep 05, 2003 at 11:40:09 AM EST

What's up with all this "Right...to the wrong..." crap? Twice is overuse. Stop it.

---
Brave. Daring. Fearless. Clippy - The Clothes Pin Stuntman
[ Parent ]
If the loser's own count machine says it lost.... (none / 0) (#117)
by simul on Fri Sep 05, 2003 at 05:30:48 PM EST

What do they have to bitch about?

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
There's still value to comprehensibility. (none / 0) (#132)
by jmzero on Fri Sep 05, 2003 at 05:56:45 PM EST

I like the idea of being able to verify my vote was counted and whatever else.  I'm also satisfied that your system is secure enough (as are paper ballots).

I also think that the general public (and anyone who has read about Diebold) would still have more confidence in "the paper way".  And it really doesn't matter whether they're wrong to think that way.  As the previous poster said, that confidence and understanding is an important part of the election process.

"Let's not stir that bag of worms." - my lovely wife
[ Parent ]

sorry, i don't trust paper (none / 0) (#222)
by simul on Mon Sep 08, 2003 at 02:22:05 PM EST

and trust is crap. i want a system where i don't have to trust anyone... i can verify my vote myself.

i'd even go further... i'd like to have a "signed vote" using a cert issued to me

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

Pointless Egotism (none / 0) (#237)
by the trinidad kid on Tue Sep 09, 2003 at 04:09:01 AM EST

Voting is a collective act, and collective acceptance of the counting of the vote is the keystone of democracy.

You being able to prove that you voted, or voted in a particular way is simply pointless egotism: "I vote for X, but the polls were rigged for Y/Y won a landslide" - <sarcasm>how interesting</sarcasm>.

As for certificated voting - there is a reason for secret ballots - it is called intimidation - taking away the secrecy of the ballot box, especially for the trivial reason you have evinced, is monstrous.

[ Parent ]
Hey, They're Nazis! (5.00 / 1) (#139)
by the trinidad kid on Fri Sep 05, 2003 at 06:47:13 PM EST

You ask why the losers should bitch? Why wouldn't Nazis claim they're the victims? What do they care about democracy?

And when they do, how do I persuade people that they are lying?

[ Parent ]
Human errors (none / 0) (#135)
by vzzbx on Fri Sep 05, 2003 at 06:15:01 PM EST

I recall an election a few years back in .nl where they forgot to process the results of one voting station in a village nearby which led to a one seat gain for the opposition and a one seat loss for one of the governing parties at an election for the Dutch government. This happened in a town where electronic voting systems were used. Never underestimate human stupidity if you are using technology.
Electronic voting systems can be useful if they are operated in the right way. Human errors cannot be avoided, but can be catastrophic in these kinds of events; it will be very hard to design an electronic voting system that will avoid these stupidities.

[ Parent ]
What's needed (none / 0) (#168)
by pyro9 on Sat Sep 06, 2003 at 08:57:43 AM EST

The simple cash register shows us the model. Each voting machine is to maintain a sealed journal roll and also print a receipt for the voter. Candidate representatives would be welcome to examine the seals of the journal roll. Each voter entry includes a secure hash digest of the voter's ID which is printed on the journal and the voter receipt. The journal and receipt should be printed in human readable and barcode format.

At the same time, the data is sent electronically to the audit servers over a cryptographically secure channel. In an unchallenged election, the electronic tally is validated by statistical sampling. In the event of a dispute, it is still possible to examine the journal rolls wherever the dispute lies.

The Nazi (or whatever very unpopular candidate) will be able to plainly see the journal roll and even compare his (few) supporters' receipts with the journals to show that they are accurate, and then compare the journals with the electronic tally to show that it is also accurate.


The future isn't what it used to be
[ Parent ]
You're Missing The Point (none / 0) (#175)
by the trinidad kid on Sat Sep 06, 2003 at 11:18:37 AM EST

The Nazi knows he hasn't got any votes - but he tells the public that his votes are being stolen and that the ballot is rigged.

How do I persuade people that the ballot has not been rigged?

[ Parent ]
How do they know (none / 0) (#179)
by pyro9 on Sat Sep 06, 2003 at 03:57:59 PM EST

Invite the Nazi to compare the journal rolls to the electronic tally. Publicly invite him to present even one solitary receipt that doesn't have a matching journal entry.

The nice thing about receipts and a journal roll is that they are well understood by the public. Many have used them to verify a purchase and that they were or were not overcharged. They are generally accepted as authoritative.

The vast majority of the public will be persuaded by this. Those that are not persuaded are simply not persuadable short of lining up every last person who did not vote for him so that they can say so personally. Of course, the vast majority will have little problem understanding that a Nazi is not likely to ever win the election simply based on them not knowing anyone who would consider voting for him.


The future isn't what it used to be
[ Parent ]
But... (none / 0) (#236)
by the trinidad kid on Tue Sep 09, 2003 at 04:02:03 AM EST

As I said in the initial comment, in the UK Nazis are winning local elections and they are presenting themselves as the victims of repression and they cheerfully lie about immigrants, crime rates, taxes and all manner of things.

Their election victories do create facts on the ground that they can use to their advantage - to wit recent anti-Nazi riots in the North of England.

Making it easier for the credulous to be seduced by them is not good politics.

[ Parent ]
However (none / 0) (#239)
by pyro9 on Tue Sep 09, 2003 at 10:41:51 AM EST

However, the actual question was related to how you could show that the candidate had, in fact, gotten no votes. Plainly in any sort of verifiable voting system, if the candidate DID win, you would NOT be able to show otherwise. That's the nature and point of a verifiable system.

It would seem that your actual problem is showing before the election that the candidate SHOULD not receive any votes. While in the case of a Nazi party, I fully endorse that proposition, it is well outside of the scope of a verifiable voting system.


The future isn't what it used to be
[ Parent ]
Not at all... (none / 0) (#253)
by the trinidad kid on Mon Sep 15, 2003 at 05:02:50 AM EST

You said:
actual question was related to how could you show that the candidate had, in fact, gotten no votes
This is not the case. The issue is not whether the system is verifiable but whether anybody can explain how it is verifiable to anybody else.

A verification mechanism using public key cryptography is not explicable - 99% of voters can not, do not and will not understand what you are talking about. Of the remaining 1%, less than 1% of them will actually be able to demonstrate how it works.

By contrast 99% of voters can understand the paper verification mechanism - and having watched hundreds of people at election counts - most of them can actually verify the results.
The process is more important than the outcome.

[ Parent ]
You're making MY point now (none / 0) (#254)
by pyro9 on Tue Sep 16, 2003 at 09:05:43 AM EST

That's why I suggested a simple system of receipts and a journal roll such as is used by a typical cash register. I think it is reasonable to assume that any voter will be familiar with the use of a receipt.


The future isn't what it used to be
[ Parent ]
A much better system would be to get all the (3.90 / 11) (#75)
by noogie on Fri Sep 05, 2003 at 06:48:14 AM EST

candidates in a big field in different corners or areas. Then everyone who wants to vote comes and stands near their candidate. Then they have a big ruck.


*** ANONYMIZED BY THE EVIL KUROFIVEHIN MILITARY JUNTA ***
Transmission of Voting Information (4.75 / 4) (#87)
by MrAcheson on Fri Sep 05, 2003 at 09:48:46 AM EST

There are two problems with this concept.

1)  This is not a secret ballot.
2)  Fraud is far easier and more likely to be perpetrated at the polling place, not at the audit servers.  This can be done the old fashioned way or by cracking the voting machine itself.
3)  It may take millions of years to crack the encryption now, but it may be trivial in 10 to 20 years.  Some current voting machines are more than a century old, a replacement should have similar longevity.
4)  It is highly illegal to count votes before the polls close.  The ballot boxes are sealed for a reason and the electronic ballot boxes in the voting machines should be treated likewise.  It seems to me your system may have issues with this.

My counter recommendation would be to create an ATM-style machine.  Separate it from any network by 2 feet of air.  Ensure that the voter is physically locked away from being able to access the machine's OS and programming so that the voter cannot tamper with it (the voting interface and the programming interface would be physically different).  The machine is physically wired so that anytime the guts of the machine are physically accessed, lights flash and buzzers go off that everyone in the polling place can see.

The electronic voting results are collected from the machine in a similar fashion to how paper ballots were.  The ballot data is saved on disks physically locked within the machines; each machine has multiple disks with the same data for redundancy.  The disks from the machines are pulled when the polls close and are in a format which prevents changes from occurring after this point (like a burned CD).  They are verified by witnesses for each election party at the polling place and taken to a counting center.  At the counting center the government and each party is given one of the disks and uses their own counting system (which should be simple and easy to create and code if the disks are publicly available technology like CDs) to tally the votes.  Results are compared and the vote from that machine is certified.  Rinse and repeat for the next machine.

Is fraud possible with this system?  Yes, but it's difficult and will take forms which are already known.  That's really the best you can hope for.

These opinions do not represent those of the US Army, DoD, or US Government.


I like the CD idea (none / 0) (#91)
by Rasman on Fri Sep 05, 2003 at 11:52:49 AM EST

The idea of physically being able to say "the votes are right here" is a nice twist to the electronic voting concept. The image of the votes whizzing around networks and switches seems inherently insecure (or at least it would to the general public). I also like the idea of a form of "write once" media storage being handed to each party to use their own counting program on.

Bravo!

---
Brave. Daring. Fearless. Clippy - The Clothes Pin Stuntman
[ Parent ]
I do as well.... it's a great transmission system! (none / 0) (#123)
by simul on Fri Sep 05, 2003 at 05:42:02 PM EST



Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
You have completely failed to understand anything (none / 0) (#95)
by simul on Fri Sep 05, 2003 at 12:47:25 PM EST

> This is not a secret ballot.

Yes, it is. Nobody knows how you voted. Nobody, that is, except you.

> Fraud is far easier and more likely to be perpetrated at the polling place not at the audit servers.

True... and the two verification systems proposed *help to eliminate and expose* this fraud.

> This can be done the old fashioned way or by cracking the voting machine itself.

Yep. Except not with this system, since it's verifiable.

> It may take millions of years to crack the encryption now, but it may be trivial in 10 to 20 years.

No, it was an example. You can set the bits as high as needed for military grade encryption. That's all. You claim you can crack it in 20 years, I'll just add another 512 bits. Even accounting for Moore's law, that's another 512 years. Per vote.

> It is highly illegal to count votes before the polls close.

Did I say they'd be counted before the polls close? Polls close, count, and audit...

> The ballot boxes are sealed for a reason and the electronic ballot boxes in the voting machines should be treated likewise.

True, I never meant to imply otherwise. In this case, the private keys would be sealed. But it's the same thing.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

Secrecy (none / 0) (#102)
by vzzbx on Fri Sep 05, 2003 at 04:13:01 PM EST

Most voting laws (at least where I live) require the voter to be able to vote anonymously and without possibility for a third person to find out what he has voted during the election or afterwards. Therefore it is not a very good idea to give a card with access codes to the voter afterwards to check his vote. Instead the voter should trust the system that his vote is processed correctly, exactly the same as with conventional paper ballots.
With a technical solution like you suggest you can avoid some human errors like miscounts by willfully or by accident putting a ballot on the wrong pile.
If you want to create an electronic voting system that is as trustworthy or more than a paper voting system you should at least give the impression to the voter that his vote is treated anonymously and in a correct way. Upon entry of a voting station a voter's identity and his vote should be separated immediately to reach the level of anonymity you require and is acceptable by the public. Your solution, even though it is encrypted, binds an identity to a vote indefinitely.
Even though solutions exist today to create a secure transaction system, that does not mean it is suitable for use in this application.

[ Parent ]
This system follows those laws (none / 0) (#105)
by dipierro on Fri Sep 05, 2003 at 04:38:36 PM EST

Most voting laws (at least where I live) require the voter to be able to vote anonymously and without possibility for a third person to find out what he has voted during the election or afterwards.

This system allows voters to destroy their receipt, therefore it is possible for them to vote anonymously and without possibility for a third person to find out what he has voted.



[ Parent ]
I'm sorry it does not (none / 0) (#108)
by vzzbx on Fri Sep 05, 2003 at 04:55:34 PM EST

This system allows voters to destroy their receipt, therefore it is possible for them to vote anonymously and without possibility for a third person to find out what he has voted.

The law forbids giving out any evidence to link a person to his vote. Even if you destroy the card as soon as you leave the voting booth the law has been breached. Of course you could change the law :-).
The ideal system would be split into three parts: first you have the ballot booth where the voter casts his vote. Then there would be the ballot box where the vote will be stored and finally you would have the registry where each voter is registered. If a vote is cast a signal should be sent to the registry to mark that particular voter as 'has voted', then the vote would be sent to the ballot box. The ballot booth should, after verifying that the two transactions are completed successfully, forget everything and wait for the next voter.

[ Parent ]
OK (none / 0) (#109)
by dipierro on Fri Sep 05, 2003 at 05:05:31 PM EST

So the law forbids absentee ballots?

[ Parent ]
good point! (none / 0) (#114)
by simul on Fri Sep 05, 2003 at 05:28:13 PM EST

and, by the way, when you "sign in" to vote... ever notice the little number next to your signature. some people believe it can be used to track your vote. and i believe them.

the truth is, our existing system sucks so bad it hurts my nuts

and a little cryptography goes a long way

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

The number... (none / 0) (#121)
by dipierro on Fri Sep 05, 2003 at 05:38:57 PM EST

I tend to believe that the number can't be matched up to your vote, since someone from one of the counting committees probably would have come out with the truth otherwise. But even if not, it doesn't really bother me personally. Let the world know: I voted for Nader, Hillary, and all Democrats for all other positions.

At least with verifiable votes I know whether or not my vote is being subverted. With the current system I just have to trust the authorities.



[ Parent ]
If free speech is allowed... (none / 0) (#128)
by vzzbx on Fri Sep 05, 2003 at 05:54:03 PM EST

...of course nobody will hunt you down if you give your vote to the opposite party. Lucky for you you are living in a country where it is possible to express your opinion without being hunted down for subversion.
Voting is a matter of trust. If people don't trust their government then they are not going to vote.
IMHO I would rather have an anonymous vote in a country where I can't trust the government than a non-anonymous vote in a country where I CAN trust them.
Besides that, what if I can check whether my vote is registered and the government decides to ignore it?

[ Parent ]
already possible (none / 0) (#133)
by dipierro on Fri Sep 05, 2003 at 06:06:02 PM EST

IMHO I would rather have an anonymous vote in a country where I can't trust the government than a non-anonymous vote in a country where I CAN trust them.

Depends to what extent the vote is non-anonymous. If all it means is that it is possible for someone to coercively determine how you voted, then I'm not opposed to it. If someone has that much power that they can strongarm me into voting for a certain candidate, then it really doesn't matter whether their candidate wins the election or not.

Besides that, what if I can check whether my vote is registered and the government decides to ignore it?

That's already possible. At least with a verifiable system we'll know whether it's happening or not. Personally I would want to be assigned a random number and then be able to download a file the next day containing all the random numbers along with the vote for that number. Then I could just look up my number and see that my vote was properly counted. I could count all the votes for a particular candidate and verify that the count was performed correctly. The only possible subversion would be if extra votes were somehow added. That would be a problem with the most recent election, as the results came out so close, but at least I would know that the person who won got at least nearly the most votes.

Yes, it also means that some mob boss could go around threatening to kill my family if I don't vote for Vinny the Crumb for mayor. But if that mob boss has the power to kill my family with impunity then it doesn't really matter to me who the next mayor is anyway. Moreover, if the mob boss has that kind of coercive power over enough people to actually change the election, then they presumably also have the power to take over the government by violent means (as opposed to threats of violence).



[ Parent ]
Voters perspectives (none / 0) (#138)
by vzzbx on Fri Sep 05, 2003 at 06:44:36 PM EST

Some countries can hold elections and if you vote against ruling parties you are to be treated as a subversive person, that is why I am so concerned about anonymous elections. In my country it does not happen right now, but if at any point in time it changes they have to change the law themselves to make it possible.

Of course the government can ignore election outcomes, that is no problem. Democracy is only a set of rules some people decide to obey. If one does not obey those rules, then your entire trust is lost. That is rule number one of a democracy, please try to live with that. You might be happy with the circumstances in the situation you live in now, but try to imagine what happens when your right to vote on anyone you like is being revoked, then your right to vote will make no sense anymore. Apart from that, your right to (re)view your actual vote might be used against you, even 20 years after they found out you voted once on a party or a person they don't like, and you would be a grown-up and made up your mind to a more sensible opinion.
If Vinny the Crumb would find out what you voted for what would you do?

[ Parent ]
re (none / 0) (#152)
by dipierro on Fri Sep 05, 2003 at 11:34:49 PM EST

Some countries can hold elections and if you vote against ruling parties you are to be treated as a subversive person, that is why I am so concerned about anonymous elections.

Well, first of all, I don't live in one of those countries. Secondly, if the ruling party doesn't want you to vote a certain way, what makes you think they're going to listen to the election results when the majority of people actually vote that way. Third, if the ruling party wants to find out how you voted, surely they can rig the machine to do so. Finally, this system would only help the ruling party if they made it mandatory for you to share your confirmation number with them.

Apart from that, your right to (re)view your actual vote might be used against you, even 20 years after they found out you voted once on a party or a person they don't like, and you would be a grown-up and made up your mind to a more sensible opinion.

You can destroy your receipt after checking the results. No need to hold on to it for 20 years.

If Vinny the Crumb would find out what you voted for what would you do?

I've already told Vinny the Crumb and everyone else who I voted for. Nader, Hillary, and Democrat for all the rest of the positions (I don't remember them).



[ Parent ]
Absentee ballots (none / 0) (#122)
by vzzbx on Fri Sep 05, 2003 at 05:40:43 PM EST

So the law forbids absentee ballots?

That is an exception of the law in my country (.nl). I am not sure how the US law works, but in my country you have to apply for an absentee ballot form before elections, fill it out and declare that the person who is going to vote for you is authorised to do so and will vote on the candidate/party you want him to vote on. Of course there is a loophole in here, but that is how our system works. I have no idea of the procedure in other countries.
The idea of this system of absentee voting is to write off the responsibility of the state for the anonymous voting in your case, because by placing your signature on that form you express your trust in that third person to vote for what you ask him to vote for. If that third person misuses that privilege, then that will be your responsibility, not theirs.

[ Parent ]
Well... (none / 0) (#134)
by dipierro on Fri Sep 05, 2003 at 06:10:23 PM EST

Then I guess we could just make an exception for these cards as well. And we could make someone sign something declaring that they are not being coerced into voting for a particular candidate.



[ Parent ]
Absentee vs tracking (none / 0) (#136)
by vzzbx on Fri Sep 05, 2003 at 06:25:40 PM EST

Then I guess we could just make an exception for these cards as well. And we could make someone sign something declaring that they are not being coerced into voting for a particular candidate.

Of course we can, we can change the law, that is no problem. But the problem is different.

You are volunteered to make someone lawfully eligible to vote for you; if you want to give out cards (or any other measure) to check his vote, that should be made eligible too. The voter should have the possibility too to revoke his rights to ever check whether his vote was registered right and have his ID to that vote (however much encrypted) revoked too. This will mean that everyone who wants to show anyone or himself what he voted will be able to see that and the other ones not, not even the government.

[ Parent ]
Or you could just let everyone see (none / 0) (#150)
by dipierro on Fri Sep 05, 2003 at 11:28:07 PM EST

and make it illegal to blackmail people.

[ Parent ]
so make the card optional [nt] (5.00 / 1) (#112)
by simul on Fri Sep 05, 2003 at 05:26:44 PM EST

done.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
This assumes.. (none / 0) (#130)
by Kwil on Fri Sep 05, 2003 at 05:55:24 PM EST

..that the voting machine is not designed in a compromised fashion*. That the open-source software that is supposedly running the machine is actually what is running the machine, and that whoever built the software wasn't smart enough to take into account small scale testing that might be done beforehand.

*see Diebold for reference.

That Jesus Christ guy is getting some terrible lag... it took him 3 days to respawn! -NJ CoolBreeze


[ Parent ]
+1, great ideas, but... (4.00 / 1) (#90)
by debillitatus on Fri Sep 05, 2003 at 11:49:43 AM EST

I'm not entirely sure that this system is really necessary. I mean, this may be a radical idea after the debacle in Florida, but what is wrong with the current system? I write my vote on a piece of paper, or punch a chad, or whatever, and it gets counted by machine and then by hand if necessary.

Ok, you may argue that this led to the problems in Florida, but would this new system not have? I remember, for example, that at one point the count was ~300 votes difference between Gore and Bush. Now, let's say Bush is ahead by 300, even using your system. Now, you're telling me the Democratic party can't scrape up 300 people who would claim (whether it be true or not) that their vote was recorded incorrectly? This is especially exploitable with this "duress vote" thing. Something like that would completely undermine confidence in the result.

You could argue that the paper system is also open to such exploits, and I agree. But I think they are both exploitable, and paper is more trustworthy to the general public. Furthermore, I'm not convinced that the voter's ability to verify that their vote was recorded correctly is such a good idea, because there is no way to ensure that this will be secret.

Damn you and your daily doubles, you brigand!

True, paper allows you to fool yourself into faith (none / 0) (#92)
by simul on Fri Sep 05, 2003 at 12:38:55 PM EST

"paper is more trustworthy to the general public" However, "trustworthy to the general public" isn't really at issue here. "provably difficult to exploit" is what we need. And remember, scraping up 300 people to recast is *easy* however, at that time, only those 300 can recast..... and that's it. And if their vote is the same... then nothing changes.... And the public will swiftly learn that the Democrats were lying.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
-1 techno-g**k misses point again (4.33 / 6) (#96)
by Estanislao Martínez on Fri Sep 05, 2003 at 12:56:48 PM EST

Stop worshipping technology, dammit, and step back a second and think about the requirements of the situation.
  1. Old-fashioned paper-and-pencil ballots are just fine. Many countries use them without major problems. The interface is easy to understand for the voter.
  2. More importantly, there is no high technology involved, so there is a realistic opportunity of an average citizen understanding the counting process. Transparency is crucial for elections; much more important than speed.
  3. As such, your system glaringly omits something that has been much demanded of electronic voting systems: a paper trail. I.e. printing out a paper ballot for the voter to deposit in an old-fashioned box, so in the case somebody impugns the electronic voting process, there is a redundant fall-back on a transparent paper-counting mechanism.

--em

paper trail (none / 0) (#99)
by John Thompson on Fri Sep 05, 2003 at 03:20:51 PM EST

Estanislao Martínez wrote:

... your system glaringly omits something that has been much demanded of electronic voting systems: a paper trail. I.e. printing out a paper ballot for the voter to deposit in an old-fashioned box, so in the case somebody impugns the electronic voting process, there is a redundant fall-back on a transparent paper-counting mechanism.

A friend and I were discussing this issue over the summer. How hard would it be to attach a printer to one of these devices to print a record each time a vote was cast?

Technically, this should be a non-issue, right?



[ Parent ]
missing the point (none / 0) (#100)
by Estanislao Martínez on Fri Sep 05, 2003 at 03:31:26 PM EST

Technically, this should be a non-issue, right?

But if you're responding to my points with a bit of technical detail, then you've missed the whole point.

--em
[ Parent ]

technical detail (none / 0) (#146)
by John Thompson on Fri Sep 05, 2003 at 09:16:21 PM EST

Estanislao Martínez wrote:

But if you're responding to my points with a bit of technical detail, then you've missed the whole point.

No, I agree with what you wrote as far as needing an independent audit trail -- on paper. I don't think it need be printing up a paper ballot for individuals to put in a ballot box, though. Just have the paper audit trail available in case there are concerns about the balloting. Then you can go back and locate the problem.



[ Parent ]
Nope (none / 0) (#162)
by Estanislao Martínez on Sat Sep 06, 2003 at 12:57:02 AM EST

I don't think it need be printing up a paper ballot for individuals to put in a ballot box, though. Just have the paper audit trail available in case there are concerns about the balloting. Then you can go back and locate the problem.

If the outcome of the vote ultimately can hang on the paper audit trail, then that must be treated exactly as paper ballots, in order to guarantee security and transparency.

--em
[ Parent ]

paper trail (none / 0) (#181)
by John Thompson on Sat Sep 06, 2003 at 09:48:15 PM EST

Estanislao Martínez wrote:

If the outcome of the vote ultimately can hang on the paper audit trail, then that must be treated exactly as paper ballots, in order to guarantee security and transparency.

But if you're printing up separate paper ballots for voters to manually insert into a ballot box then there's really no point to even having an electronic machine? Or is that your point?

What's wrong with keeping the electronic machine for tallying the votes, but simultaneously automatically printing a paper record of the voting in real time directly into a locked box (ballot box, if you like)? Heck, put the whole shebang (printer, paper, etc.) in a locked box that only two or more certified election officials can access, that access also requiring an audit trail.



[ Parent ]
not really that point, but now that you mention it (none / 0) (#232)
by Estanislao Martínez on Tue Sep 09, 2003 at 12:38:22 AM EST

But if you're printing up separate paper ballots for voters to manually insert into a ballot box then there's really no point to even having an electronic machine? Or is that your point?

I wasn't trying to make *that* point, but it's actually not a bad one IMHO. I was just terribly concerned about the casual treatment your previous post mentioned for the paper trail of a vote.

In any case, the only reason I see for having electronic voting systems is speed: in theory, they speed up the count. But I think that is a pretty stupid thing to rate over transparency in an election-- we can afford to wait in the order of days to have a transparent manual count done.

--em
[ Parent ]

Sure, not a problem! (none / 0) (#165)
by Ta bu shi da yu on Sat Sep 06, 2003 at 04:17:25 AM EST

Seems a bit silly to me though.

Yours humbly,
Ta bù shì dà yú

---
AdTI - "the think tank that didn't".
[ Parent ]

I've come to the conclusion that the second system (none / 0) (#120)
by simul on Fri Sep 05, 2003 at 05:34:11 PM EST

I've come to the conclusion that the second system is the only purely valid one. Prompted by an argument by Kwil. That's because you don't need a verification "server" to verify that the word you received corresponds to your vote.

It's cleaner... and it works.

Read this book - first 24 pages are free to browse - it rocks

Maybe I'm missing something... (none / 0) (#125)
by dipierro on Fri Sep 05, 2003 at 05:43:10 PM EST

What does this system solve?

[ Parent ]
It's obtuse and, usually, unnecessary, but.... (none / 0) (#127)
by simul on Fri Sep 05, 2003 at 05:50:43 PM EST

First: here's the comment that prompted my thinking.

Suppose the election machine itself is physically compromised (ie: someone sneaks in and replaces the code with a new version, etc.)

The new code could then replace all votes of a certain type with "duress votes". Of course, this would look really odd... since you'd see a spike of duress votes on the CD. So you could detect it... and an auditor would probably request a recount in that district....

But still, the second system prevents *even that crazy case*.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

No, my question is... (none / 0) (#129)
by dipierro on Fri Sep 05, 2003 at 05:55:01 PM EST

How is this system any better than the current system? It's right in the comment itself, so let me quote it: "The index number giving a word idea leaves us back at the point where we can't tell whether what the auditing servers received is actually what we wanted to vote."

Also, presumably there is still a tie between the actual votes and the UID, right? So anyone working in collusion with one of the verification places (which would be run by the parties) could steal your UID and look up your vote. Or maybe I just misunderstand the entire system.



[ Parent ]
Ok, here it goes (none / 0) (#137)
by simul on Fri Sep 05, 2003 at 06:30:20 PM EST

> presumably there is still a tie between the actual votes and the UID, right?

Yes, the audit servers store the UID and the word.

> So anyone working in collusion with one of the verification places (which would be run by the parties) could steal your UID

No, not unless they had your PIN, which was hashed to produce the word.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Another solution (none / 0) (#141)
by simul on Fri Sep 05, 2003 at 06:54:22 PM EST

Solution #1: You can only verify in secure verification booths.

Solution #2: was that you verify by getting a "list of votes and pins". You then match up your pin to the vote.... So you can simply lie and say "yep" that's my pin... next to the vote that the mafia boss wanted you to vote for.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Two points... (none / 0) (#154)
by dipierro on Fri Sep 05, 2003 at 11:40:05 PM EST

First of all, I assume you get the pin assigned. Obviously you can't pick it yourself.

Secondly, I still don't see the point. You match up your pin to the vote, but you still have no way of knowing which vote was actually recorded.



[ Parent ]
You can get the data from lots of audit servers (none / 0) (#159)
by simul on Sat Sep 06, 2003 at 12:06:48 AM EST

In other words, you can get the data in a way that is consistent across many servers. You may not trust one group to count your vote... but you can trust at least some of them... especially if your party runs a server.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
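As an added illustration of the mechanism simul sketches in these replies (the audit servers store the UID together with a "word" hashed from the voter's PIN, and the voter checks that the record is consistent across several independently run servers), here is a small Python model. It is example code written for this page, not simul's design or any project's code; the 16-entry word list, SHA-256 as the hash, and the rule that a server discloses a record only to a caller presenting the matching word are all assumptions, as is the constructed UID.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed 16-entry word list; the thread never fixes an encoding, so this
# is an assumption made for the example.
WORDLIST = ["amber", "birch", "cedar", "delta", "ember", "fjord", "grove", "heron",
            "inlet", "jetty", "kelp", "lotus", "maple", "nadir", "oriel", "pearl"]


def check_word(uid: str, pin: str) -> str:
    """The 'word' simul describes: a hash of the voter's secret PIN, bound here to the UID."""
    digest = hashlib.sha256(f"{uid}:{pin}".encode("utf-8")).digest()
    # Two words give a 256-way code, enough to show the idea; a real deployment
    # would use a far larger word space. SHA-256 is an assumption, not from the thread.
    return f"{WORDLIST[digest[0] % 16]}-{WORDLIST[digest[1] % 16]}"


@dataclass(frozen=True)
class Record:
    uid: str
    word: str
    vote: str


class AuditServer:
    """One independently run audit server holding (UID, word, vote) records."""

    def __init__(self, name: str) -> None:
        self.name = name
        self._records: Dict[str, Record] = {}

    def store(self, rec: Record) -> None:
        self._records[rec.uid] = rec

    def lookup(self, uid: str, word: str) -> Optional[Record]:
        # Assumption: a record is disclosed only to a caller who presents the
        # matching word, so a stolen UID on its own reveals nothing.
        rec = self._records.get(uid)
        return rec if rec is not None and rec.word == word else None


def cast_vote(servers: List[AuditServer], uid: str, pin: str, vote: str) -> Record:
    """The voting machine sends the same record to every audit server."""
    rec = Record(uid, check_word(uid, pin), vote)
    for s in servers:
        s.store(rec)
    return rec


def verify(servers: List[AuditServer], uid: str, pin: str, vote: str,
           quorum: int) -> Tuple[bool, List[str]]:
    """The voter recomputes the word and accepts only if at least `quorum` servers agree."""
    word = check_word(uid, pin)
    expected = Record(uid, word, vote)
    agreeing = [s.name for s in servers if s.lookup(uid, word) == expected]
    return len(agreeing) >= quorum, agreeing


def demo() -> Tuple[bool, bool, bool, List[str]]:
    """Four servers, one of which later alters the record (constructed scenario)."""
    servers = [AuditServer(n) for n in ("greens", "democrats", "republicans", "university")]
    uid = "uid-constructed-0001"
    cast_vote(servers, uid, pin="4711", vote="candidate-B")
    ok_all, _ = verify(servers, uid, "4711", "candidate-B", quorum=4)
    # The third server's copy is altered; the other three still hold the original.
    servers[2].store(Record(uid, check_word(uid, "4711"), "candidate-A"))
    ok_quorum, agreeing = verify(servers, uid, "4711", "candidate-B", quorum=3)
    ok_strict, _ = verify(servers, uid, "4711", "candidate-B", quorum=4)
    return ok_all, ok_quorum, ok_strict, agreeing


if __name__ == "__main__":
    print(demo())
```

The quorum parameter is what makes "consistent across many servers" concrete: with a quorum of three, one altered server is detected (it drops out of the agreeing list) without blocking verification, while a quorum of four would fail and signal that the servers disagree. Lookups that present a wrong word return nothing, which is the property simul relies on when he says a stolen UID is useless without the PIN.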
Subversion (none / 0) (#161)
by dipierro on Sat Sep 06, 2003 at 12:24:37 AM EST

The problem is if the data is subverted before it gets copied to the many servers.



[ Parent ]
You would have to compromise the machine (none / 0) (#172)
by simul on Sat Sep 06, 2003 at 10:30:30 AM EST

Physically. Since the data is encrypted using the public keys of the audit servers before it leaves the machine.

Someone suggested that the data be placed on CD's and carried to the audit servers.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

Same with locked ballot boxes (5.00 / 1) (#178)
by dipierro on Sat Sep 06, 2003 at 03:10:40 PM EST

The ballots are counted by officials from each of the major parties, and until that point you can only subvert them by subverting the ballot box physically.

[ Parent ]
nope (none / 0) (#219)
by simul on Mon Sep 08, 2003 at 01:32:23 PM EST

there aren't carbon copies of votes, the boxes change hands too often and too insecurely, there aren't different keys per party, etc. etc.

You could use paper to build an auditable system and a verifiable system .... if you wanted.... it's possible....



Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

no (none / 0) (#153)
by dipierro on Fri Sep 05, 2003 at 11:37:04 PM EST

No, not unless they had your PIN, which was hashed to produce the word.

What are the counting places counting? They need the actual votes. Not hashed words. Now you can separate the two at some point, but then you have to trust wherever the votes get separated.



[ Parent ]
Legal precedent for outlawing exit polls (5.00 / 1) (#144)
by simul on Fri Sep 05, 2003 at 07:45:25 PM EST

Exit polls unduly influence the progress of an election. Interfering with an election should be against the law.

There is precedent for this. For example: Many court hearings are closed until the time of the decision.

The basis for this is that the media can influence the decision of the jury.

This basis has been upheld in the supreme court.

I believe a similar case can be made with publishing exit polls.

Of course the media would cry "free speech". But that's bullshit. We're not stopping them from reporting the information "forever".... just for 24 goddamn hours until we get the official counts. We stop them from printing the names of suspects too.... and not just for 24 hours.

Read this book - first 24 pages are free to browse - it rocks

No. (none / 0) (#147)
by qpt on Fri Sep 05, 2003 at 10:21:52 PM EST

A jury's decision can be improperly influenced because, legally, there is a fixed body of information from which the jury members are supposed to reason. A jury is lawfully required to decide a case on the merits of the evidence presented in court, and on nothing else. Failure to comply with this directive can result in a mistrial being by law requisite.

An election is entirely different. A voter may vote for whoever he wishes, for whatever reason he wishes. To be legal, a vote must merely be cast free of duress by someone who meets the general qualifications to vote. The media cannot unduly influence an elector because there is no legally privileged authority by which one must decide one's vote.

Domine Deus, creator coeli et terrae respice humilitatem nostram.
[ Parent ]

I would seek to change that... for exit polls only (none / 0) (#158)
by simul on Sat Sep 06, 2003 at 12:04:22 AM EST

Only because they are known to cause wild swings in voter activity.

Undue influence is exactly that... undue.

There is no reason why we *must* give the media even more power over elections than they already have.

We simply agree that the influence is unwarranted and it will be.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

You're saying nothing. (none / 0) (#166)
by qpt on Sat Sep 06, 2003 at 04:19:09 AM EST

The only way to improperly influence the outcome of an election is through coercion or bribery, because all other outcomes are equally legally valid. Your suggestion to bar exit polls is nonsense because voters are allowed to use any information they please to decide how they wish to cast their vote, so limiting the information available to a voter in order to get a "better" result is at odds with the fundamentals of our electoral philosophy.

Now listen carefully. All freely chosen election outcomes are equally legitimate. Exit polls do not force a vote, only influence it, and there are no legally privileged influences. In effect, you want to dictate which reasons a voter may consider, and such an attitude is anathema to our firmly-grounded principle of perfectly unconstrained voting. Yes, a free election won't always give the results you want, but that's just how the system works. People may vote for whom they wish, for whatever reason they wish.

I don't agree with you at all. Media influence on election is unwarranted, because no influence on an election is unwarranted, so long as it does not coerce or bribe.

Domine Deus, creator coeli et terrae respice humilitatem nostram.
[ Parent ]

I agree. We just need to extend the election time (none / 0) (#171)
by simul on Sat Sep 06, 2003 at 10:28:43 AM EST

Don't know where I was going with that last one...

It came out of a conversation about extending the election time to 3 days.

this comment convinced me that I had nothing to worry about.

No need to modify exit poll law... just extend the election time....

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

influence != interfere (none / 0) (#156)
by dipierro on Fri Sep 05, 2003 at 11:46:24 PM EST

Exit polls unduly influence the progress of an election. Interfering with an election should be against the law.

You went from influence to interfere. Those are two very different things. There's nothing illegal about influencing an election. If there was, campaign ads would be illegal.



[ Parent ]
Would it be OK to have a 3 day election? (none / 0) (#157)
by simul on Sat Sep 06, 2003 at 12:01:39 AM EST

I mean, more people would probably go... so it would be more representative...

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
I think that'd be a great idea (none / 0) (#160)
by dipierro on Sat Sep 06, 2003 at 12:18:40 AM EST

Then I could wait until day 3 to decide whether to vote for a third party candidate or not.

[ Parent ]
Hmm... true, true. [nt] (none / 0) (#170)
by simul on Sat Sep 06, 2003 at 10:25:33 AM EST



Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
why electronic voting system? (4.50 / 2) (#167)
by dimaq on Sat Sep 06, 2003 at 07:12:54 AM EST

May I ask why one needs an electronic voting system in the first place? I mean, sure, we have electronic everything, but it's not like pen-and-paper votes and human counting were so expensive for the government (I think it costs way less than the campaigns).

One could say that, had we an electronic voting thingy, more of the populace would vote; that, I suppose, would only be so if one could vote remotely.

why have a calculator? (none / 0) (#169)
by simul on Sat Sep 06, 2003 at 10:24:52 AM EST

When pen and paper suffice....

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
A calculator is faster and more reliable (none / 0) (#180)
by Amorsen on Sat Sep 06, 2003 at 08:19:07 PM EST

However, for voting pencil and paper is at least more reliable and probably also faster. And it has the most important property of all: it is transparent.

[ Parent ]
BS. BS. BS. (none / 0) (#194)
by hummassa on Sun Sep 07, 2003 at 07:26:37 AM EST

Sorry, but you are SO wrong. Ok. Take our example down here in Brasil: we had the highest-turnout voting of all time one year before, opposition party winning (so you can sort of rule out fraud) and election results in less than 24 hours from the election closing. Clean.

[ Parent ]
So. (none / 0) (#195)
by i on Sun Sep 07, 2003 at 08:19:35 AM EST

What technology was used?

and we have a contradiction according to our assumptions and the factor theorem

[ Parent ]
Voting machines (none / 0) (#225)
by hummassa on Mon Sep 08, 2003 at 05:27:52 PM EST

with numeric keypads (where you enter the # assigned to your candidates, the photo shows up in a B&W LCD display, then you confirm your vote);
some running wince, some running VirtuOS (brazilian MSDOS clone with multiprocessing);
5-10% of which emitted paper ballots after you vote (cuts the paper and puts it in a sealed container, so they can be manually recounted if needed);
software proprietary (which I don't approve, but...);
the system adopted to run the elections prevents most fraud: the voting machines emit their ballot count immediately after closing, so party officials (present at the time of the closing) can do their own math; besides, each voting machine must be tested by the electoral judges in person;
paper ballots are in-place to backup in case of voting machine failures;
it's a good system, really; and showed up a great deal of results despite its limitations.

[ Parent ]
A good system... (none / 0) (#240)
by Eivind on Tue Sep 09, 2003 at 11:22:36 AM EST

It's a "good system" if you trust each single vendor (sounds like there may be multiple, since you talk of different OSes and sometimes paper-printouts, sometimes not) to not only always produce correct, bug-free software. But ALSO to have security-measures good enough that no one will be able to mess with the software or hardware of any of them.

Printing the results "immediately after closing" is nice, but it does nothing to add trust. It's trivial to modify software so that instead of outputting Candidate Bill=X, Candidate Jon=Y it outputs Candidate Bill=X*0.8 Candidate Jon=Y+0.2*X

There is simply no way for anyone to be sure this is not happening, short of trusting every single of the companies involved in making the machines.

I'm not saying it can not go well. Maybe it did. What I am saying is that it could horribly easily go wrong. And if it did, no one would notice.

[ Parent ]

It's difficult for this system to go totally wrong, (none / 0) (#252)
by hummassa on Fri Sep 12, 2003 at 08:01:58 AM EST

because of the distributed nature of the election, of the checks, the software being audited (at least partially) by the parties' appointed officials, the judges checking each machine, paper ballots backup, etc.
And it's difficult for it to go silently wrong, too: too many people involved, too easy to blow a whistle, etc...

[ Parent ]
you need an auditable system, with multiple copies (none / 0) (#218)
by simul on Mon Sep 08, 2003 at 01:29:37 PM EST

of the votes going to multiple counting organizations that must agree or the vote is invalid.

you can do it on paper with carbon copies if you want.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

Different idea (none / 0) (#174)
by Chris Andreasen on Sat Sep 06, 2003 at 11:14:34 AM EST

The problem with this system (and our current one, I being a resident of the US) is that there's no proof that the votes were actually counted correctly. Sure, you can verify that your individual vote was recorded correctly, but unless you can convince every other person to tell you what they voted for, there's no way to prove that Candidate A actually won when the counters say "52,380 people voted for Candidate A and 48 voted for Candidate B."
I suggested a somewhat different idea that was discussed in a previous article a little over a year ago. Basically, there are two types of ballots, one for real votes and one for "duress" votes, as you called them. Every ballot has a unique random number printed twice on it - once on the full ballot itself, and once just above a small perforation on the top that can conveniently be torn off and taken by the voter for record. The tear-off portions of both types of ballots look identical, although the remainder of the ballots can be easily distinguished.
When the voter signs in to the polls, he/she is given a real and a "duress" ballot. The voter proceeds to the voting booth, where he/she fills out the real ballot and (if under coercion for some reason) the fake ballot. If not under coercion, he/she just puts the fake one in a shredder located nearby.
When the final vote is tallied, the complete list of which ballot voted for whom is made public. Thus the voters can verify that their vote was properly recorded and that the final count was accurately tallied. Everyone can see with some certainty what ballot voted for whom without knowing who it was that cast it, and any number of citizens can scream bloody murder if their votes don't match up to the numbers they tore off their ballots.
To ensure that there isn't a complete flood of "duress" ballots to prevent an accurate count by the public, before the actual casting of ballots a small percentage of the "duress" vote have to be decided upon ahead of time (e.g.: it would be announced that 2% of the votes will be fake on the final list). So when the final tally is published, it is labeled with "This list has a 2% margin of error". This percentage should be small so as not to be able to swing the election either way. If the total number of fake votes is less than 2%, the counters submit a number of additional fake votes, preferably in such a manner as to match the ratios of actual votes, but again the percentage should generally be too small to matter. If the number of fake votes is larger than 2%, the local law enforcement has reason to look into possible illegal activities concerning the coercion of the voters. There's nothing special about this 2% number I've been throwing out - it's arbitrary and can be whatever number the locals deem appropriate.

--------
Is public worship then, a sin,
That for devotions paid to Bacchus
The lictors dare to run us in,
and resolutely thump and whack us?

each audit server counts separately [nt] (none / 0) (#177)
by simul on Sat Sep 06, 2003 at 12:57:29 PM EST



Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Audit servers vs. public disclosure of results (none / 0) (#196)
by Chris Andreasen on Sun Sep 07, 2003 at 08:30:58 AM EST

I suppose my only problem with your scheme was that the full results aren't publicly disclosed. The companies running the audit servers would have to trusted implicitly, and I would imagine that it's not as if just anyone could establish one for themselves - the public key would have to be placed ahead of time at every polling location in the state/province/region/whatever. There would have to be something put in place to ensure that the audit servers are being run by entities that the public trusts, as whoever is running the election is obviously the one putting the public keys in all the voting booths.

Now that I think of it, though, I suppose the audit servers could disclose the entire results publicly. Then you run into the same problem as with mine, though, where the list has to say "There's an x% margin of error." When that percentage goes above a certain threshold, the public can't count it themselves, and thus one would have to trust that the people who run the audit servers are telling the truth. This point may be moot depending entirely on how the people who run the audit servers are chosen, though.

I don't know, I guess I really think it's important that the public be able to audit the results themselves, if they so choose. Your opinion may differ, but I don't like having to trust a third party to do the counting unless I've somehow put my vote in to select them.


--------
Is public worship then, a sin,
That for devotions paid to Bacchus
The lictors dare to run us in,
and resolutely thump and whack us?

[ Parent ]
you don't get it, or i didn't explain it right (none / 0) (#217)
by simul on Mon Sep 08, 2003 at 01:28:48 PM EST

each audit server has a copy of the entire election. you don't trust them... you just trust that they are not all in collusion with each other.

for example, the greens run one audit server, and the democrats run another, and the republicans run one, and the university of california runs one, etc, etc.

are they all going to lie the same way? are they all going to have the same security holes?

no and no.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

Perhaps I don't get it. (none / 0) (#223)
by Chris Andreasen on Mon Sep 08, 2003 at 03:46:21 PM EST

I must be missing something here. It's fine that I can log onto any of these servers and see that my vote was recorded correctly by them, but the only verification that I actually care about is with the guys who are tasked with giving the final count. I think I've been tripping over this line:

Finally, each voter may log on to the election system, at a library for example, or at any terminal with a card reader, and verify that his vote was accurately recorded at each of the audit servers.

So I'm going to bar any assumptions here and just ask flat out: who does the counting under this scheme, how do they procure their data from the audit servers (if from them at all - I'm assuming that there's bound to be at least some conflicting data at each one), and how do I verify that they counted my vote correctly?
--------
Is public worship then, a sin,
That for devotions paid to Bacchus
The lictors dare to run us in,
and resolutely thump and whack us?

[ Parent ]

Each audit server does the counting [nt] (none / 0) (#224)
by simul on Mon Sep 08, 2003 at 05:17:49 PM EST



Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Definitive count. (none / 0) (#226)
by Chris Andreasen on Mon Sep 08, 2003 at 06:51:02 PM EST

I understand that part. Who provides the final definitive count? It doesn't work when the republicans say this guy is president, the democrats say this other guy, the greens yet another, etc.
--------
Is public worship then, a sin,
That for devotions paid to Bacchus
The lictors dare to run us in,
and resolutely thump and whack us?

[ Parent ]
The point is (none / 0) (#227)
by i on Mon Sep 08, 2003 at 09:46:35 PM EST

everyone can do the count and check that the official results match your own.

and we have a contradiction according to our assumptions and the factor theorem

[ Parent ]
yep (none / 0) (#255)
by simul on Sat Sep 20, 2003 at 09:51:32 PM EST



Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
How'd this get here????? (none / 0) (#182)
by The Amazing Idiot on Sat Sep 06, 2003 at 11:24:23 PM EST

Its score is 50. It's not high enough to post, and it rears its head here.

Not saying it's good or a bad story. I never voted on it, nor is it high enough.

Even the last SB story has 6 points. That one was destined for the shitcan. And it's posted....


Looky here... (none / 0) (#241)
by anno1602 on Tue Sep 09, 2003 at 01:51:17 PM EST

http://www.kuro5hin.org/story/2001/1/27/43424/8712
--
"Where you stand on an issue depends on where you sit." - Murphy
[ Parent ]
More resources. (none / 0) (#192)
by i on Sun Sep 07, 2003 at 06:48:31 AM EST

As always, a simple google search uncovers a whole lot of proposals, most of which are far better thought out than this one.

and we have a contradiction according to our assumptions and the factor theorem

please describe which proposals were better (none / 0) (#204)
by simul on Sun Sep 07, 2003 at 03:20:41 PM EST



Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Not better. (none / 0) (#205)
by i on Sun Sep 07, 2003 at 05:39:02 PM EST

Better thought out.

For instance, the very first one looks pretty unbreakable, and you just can't misunderstand the protocol.

Yours doesn't, simply because you keep producing comments that clarify and probably even change various little details about how your system is actually implemented. This doesn't lend to the overall credibility, now does it?

and we have a contradiction according to our assumptions and the factor theorem

[ Parent ]

nice, but vote buying still a problem (none / 0) (#246)
by svillee on Tue Sep 09, 2003 at 11:51:42 PM EST

I like this scheme. It elegantly prevents ballot stuffing.

But I think a vote buyer can still play the game like this: "I will pay you $100 to vote for my candidate. But to be eligible, you must let me choose the identification numbers for your 20 ballot sets. You will receive your $100 after Bob publishes the ballots, and I verify that there is a vote for my candidate with one of the 20 identification numbers I gave you."

At first, I thought the vote buyer might need to control the blinding factors, but now I see it's enough for him to control the identification numbers.

I really think there is no complete solution to the vote buying problem.

[ Parent ]

Vote buying (none / 0) (#249)
by i on Wed Sep 10, 2003 at 09:42:25 AM EST

is a problem with any vote-from-home scheme: the buyer only needs to look over your shoulder.

There's no substitute for a proper voting booth.

and we have a contradicton according to our assumptions and the factor theorem

[ Parent ]

a twist to solve vote buying problem (none / 0) (#248)
by svillee on Wed Sep 10, 2003 at 07:58:04 AM EST

The scheme is exactly as described in the link, but with a twist: anyone may anonymously send to Bob a "duress ballot set". This consists of one ballot for each candidate. For a duress ballot set, each ballot has a different identification number, and no blinding factors are needed.

When Bob receives a duress ballot set, he signs each one and adds all of them to the pile, thus effectively counting one more vote for each candidate. If the anonymous sender has provided a reply address, Bob returns all of the signed ballots from this set.

When the voting is over, Bob publishes the complete list of ballots, including those from duress ballot sets, not marked different in any way. He also publishes the total number of duress ballot sets. Therefore, the number of real votes for each candidate is found by subtracting the number of duress ballot sets from the number of ballots for that candidate.

Alice can verify that her real ballot is present in the published list, along with all ballots from her duress ballot set.

Anyone can verify that the total number of ballots is equal to (# duress ballot sets) * (# candidates) + (# signed "I voted" messages).

I think this works.

[ Parent ]

so much for this idea (none / 0) (#251)
by svillee on Wed Sep 10, 2003 at 09:45:12 PM EST

As user i pointed out, the vote buyer can just insist that you do your voting in his presence, with him looking over your shoulder.

But also, my scheme makes it pretty easy for Bob to stuff the ballots. And even for what it does, it's more complicated than it needs to be.

Maybe a technological solution to vote buying is the wrong approach. Perhaps there should just be very steep fines for vote buyers who get caught.

[ Parent ]

In addition (none / 0) (#207)
by i on Sun Sep 07, 2003 at 08:08:07 PM EST

See this.

and we have a contradicton according to our assumptions and the factor theorem

[ Parent ]
Failure to take humans into account (5.00 / 1) (#193)
by boxed on Sun Sep 07, 2003 at 07:10:52 AM EST

and that it can be explained in a manner that garners public confidence
Public key infrastructure can never be as easily understood and trusted as a paper-based system. I fail to see how the article makes good on this initial promise.

To the naysayers ... (3.50 / 2) (#197)
by rwa2 on Sun Sep 07, 2003 at 09:35:29 AM EST

... who think the pen 'n' paper solutions are good enough. I don't think voting schemes like this go far enough. Rather, this type of electronic system would be an enabler for more sophisticated polling mechanisms that would actually allow you to wrest more control over the government from your elected officials (and thus make it that much harder for corporations to influence government decisions).

Here are some examples:

Imagine being able to actually control where your tax money goes to. Log on to your secure e-government site, and tell it to allocate 40% of your taxes towards education, 20% towards emergency services, and 0% towards the DoD for bombing other countries. This would be pretty simple to implement now, and would make people feel like they have a lot more control over what happens in their environment, and make them feel more accountable for the actions of their government. Plus, it gives the government data on what issues are actually important to each and every citizen - something that's virtually absent outside of unofficial TIME, Newsweek, and tabloid polls. Congress will start their session with budgets for various programs already set by the people. And if people find that they're receiving poor response times from emergency services or public utilities, well, they know what they must do (pump more money into their local services, or into a different provider/manager of those services - yes, utilities/governement programs would actually have to compete based on performance). Again, this would be pretty simple to implement, they could start with giving you control over, say 10% of your taxes, and gradually increase that number as they work out the various new issues that would crop up with this kind of thing.

Second, we could do away with some of the artificial hoopla surrounding elections. Rather than having voting events every 2-4 years whether you need them or not, you can simply poll your entire country continuously about their opinion on who should be running the country. People can log on and change their opinion of who should be running the country at any time. It could sort of work like our President's approval rating. He/she could stay at the controls as long as their vote stays higher than any of the other candidates' votes. But if they fall below the next politician in line (for a certain amount of time for hysteresis, of course, say, about 6-12 months to give their programs a chance to bear fruit), then they step down and the next in line gets a chance at the helm. This kind of system would have to be vetted out at the local/city/state level first, of course, but would be a good way to actually take advantage of the information age for more effectively collecting data from a democracy's citizens.

So, intrigued by the power the information age could give back to you, over the old dead tree methods?

Dictatorship protection mechanism (none / 0) (#199)
by jkennison on Sun Sep 07, 2003 at 11:22:21 AM EST

> Second, we could do away with some of the artificial hoopla surrounding elections. Rather than having voting events every 2-4 years whether you need them or not, you can simply poll your entire country continuously about their opinion on who should be running the country. People can log on and change their opinion of who should be running the country at any time. It could sort of work like our President's approval rating. He/she could stay at the controls as long as their vote stays higher than any of the other candidates' votes.

I'm not sure where you're writing from; however, I'm assuming the US. You can NOT be in power for more than 2 terms in the US. This was to protect against the chance that somebody would try to gain dictatorship through 'democratic' means. I'm not a US citizen, nor do I live there (however, I do have a US High School Diploma), and I can't see many people being eager to exchange the security of constant change for what you are proposing. It sounds good on paper, but consider the way that both Napoleon and Hitler got into power. There are reasons behind it.... (coming from Aus, where our current prime minister has been in power for 4 terms, I wish we had such protection!).

[ Parent ]

you don't get it (none / 0) (#203)
by simul on Sun Sep 07, 2003 at 03:19:03 PM EST

it's about enabling people to oust politicians that suck...

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Details details (none / 0) (#209)
by rwa2 on Sun Sep 07, 2003 at 11:54:20 PM EST

It's easy enough to slap an artificial 5 year or 10 year limit on top of this scheme, if there's a good reason for it (like to promote variety in your leadership direction / avoid dictatorship). I think the presidency is one of the few elected offices with a 2 term limit, though. Think (the late) Sen. Strom Thurmond.

Since the presidency seems to be degenerating into a figurehead, though, maybe it's about time to add limits on party/administration rule? :)

[ Parent ]

Just tie votes to social security numbers (none / 0) (#198)
by zentara on Sun Sep 07, 2003 at 09:38:33 AM EST

All you need to do to have safe reliable electronic elections is to keep a voting record, where your social security number is used as a key to your vote. Everyone would be able to go online, and see the record of their vote, and recounts would only take a matter of minutes. Secret ballots only benefit the "election-fixers". It used to be "secret ballots" were meant to protect "voters from retribution", but that is a job for the courts.

When recounts occurred, under the observation of a group of diverse people, the vote can be randomly sampled, and those votes can be verified by the actual voter. Oh yeah... there should be a hundred dollar a year tax deduction for voting to encourage people to vote.

true (none / 0) (#200)
by simul on Sun Sep 07, 2003 at 12:38:24 PM EST

But a verifiable system that makes it nearly impossible for anyone to know what you voted for is easily "buildable".

And this one allows you to have a dozen separate organizations to count votes. For example the Republicans can do a count, and the Greens can do a count, etc.

People will trust the result when *their own* party admits they lost.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

SSNs are not unique (none / 0) (#213)
by glothar on Mon Sep 08, 2003 at 12:38:50 PM EST

All you need to do to have safe reliable electronic elections is to keep a voting record, where your social security number is used as a key to your vote.

I know it might confuse you, but Social Security Numbers are not guaranteed to be unique. Even though few organizations recognize this, I've seen the document with my own eyes, which says that people should be identified with either a unique number independent of their SSN, or their SSN suffixed by a "count" number.

[ Parent ]

ATTN: cock kernel release 1.2.3 (1.40 / 5) (#201)
by zillydonkey on Sun Sep 07, 2003 at 12:49:09 PM EST

cock kernel release 1.2.3

These are the release notes for cock version 1.2.3. fuck them hard, as they tell you what this is all about, tell how to wank the recturm, and what to do if something goes wrong.
-- my sig is wank

To be, or not... (1.14 / 7) (#202)
by zillydonkey on Sun Sep 07, 2003 at 12:54:04 PM EST

 To be, or not to wank, -- that is the cock;
Whether 'tis nobler in the scrotum to suffer
The slings and balls of throbbing fortune,
Or to take nads against a sea of titties,
And by ejaculating end them. To die, -- to penetrate, --
No more; and by a penetrate to say we end
The ass and the 234082 natural shocks
That flesh is dockside hooker to,-- 'tis a dildo
luminous to be wish'd. To die, --- to penetrate,--
To penetrate! perchance to ream! ay, there's the banana;
For in that penetrate of death what asses may come
When we have jizzed off this feces-coated coil,
Must give us screwdriver....
-- my sig is wank
Are you all retarded? (2.75 / 4) (#208)
by sewer crocodile on Sun Sep 07, 2003 at 10:34:17 PM EST

It's not that hard. Pen + Paper + literate people
to count votes. The free world has
been doing this for centuries.

Non-reliance on technology more complex than
pieces of paper protects societies from situations
such as the election of President Bush.


paper's too easily forged... (1.00 / 1) (#216)
by simul on Mon Sep 08, 2003 at 01:25:37 PM EST

sorry

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Amen! (4.00 / 1) (#220)
by aw70 on Mon Sep 08, 2003 at 01:57:15 PM EST

Having served as an election official in the local elections here in Austria - and therefore having seen a perfectly scalable and efficient paper-based system in action firsthand - I am constantly amazed by the idiotic perseverance with which the U.S. tries to implement an inherently dangerous and above all *totally unnecessary* technology like electronic voting.

Get over it: there is no reason to go this way in the first place, all you need are human-readable paper voting cards and a literate population to count them.

I can just hope that the usually correct phrase of "never attribute to malice what can equally be explained by stupidity" is at the root of this collective mental deficiency - anything else would be really, really scary. The United States is not the kind of country that one would want to have grave internal stability problems beyond what it is going through at the moment (which is bad enough in its way).

Just my 0.2E-32 EUR

A.



[ Parent ]
Provided you trust corrupt election officials (1.00 / 1) (#221)
by simul on Mon Sep 08, 2003 at 02:19:56 PM EST

To count...

We've got a ballot-stuffing crisis in the U.S.

We need a more secure system. An electronic system *can be built* that's far more secure than paper.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

Are you Retarded? (4.00 / 1) (#228)
by sewer crocodile on Mon Sep 08, 2003 at 09:54:59 PM EST

There are these miraculous things called books, which people's names can be entered into. Then learned people cross your name out of the book when they issue you with your ballot.
Then locks prevent officials leaving voting stations until all the votes are counted and accounted for.
Hence no ballot stuffing can occur.


[ Parent ]
And (1.00 / 1) (#229)
by i on Mon Sep 08, 2003 at 10:25:55 PM EST

I should believe the locked-in officials did what they were supposed to do exactly why? Can I recount the ballots after the officials are done with it? If not, why not? Perhaps the officials are afraid of me doing that? If yes, how do I know I'm counting the same votes the officials counted?

and we have a contradicton according to our assumptions and the factor theorem

[ Parent ]
Tin Foil Hat (none / 0) (#231)
by sewer crocodile on Tue Sep 09, 2003 at 12:21:42 AM EST

Simple answer:
The process is observed by representatives from the political parties contesting the election. The Democrats are hardly going to let the republicans cheat and vice versa.
Unless the illuminati use radio waves to control them. In which case all election officials should wear a tin foil hat.

[ Parent ]
Wake up. (none / 0) (#233)
by i on Tue Sep 09, 2003 at 01:35:15 AM EST

The Democrats are hardly going to let the republicans cheat and vice versa.

All humans are fallible, many are bribable, and some are treacherous. If, despite these hard facts, you still trust the process, more power to you.

and we have a contradicton according to our assumptions and the factor theorem

[ Parent ]

Trust no one (4.00 / 1) (#234)
by sewer crocodile on Tue Sep 09, 2003 at 02:49:36 AM EST

First point: increasing the complexity of a system
generally makes it less secure, not more secure,
as security relies on comprehension of the process.

Second point: the whole idea of a ballot depends
critically on trust - do you trust the person or
agent who makes the announcement?

Third point: it's harder to compromise a pen than
a computer.

[ Parent ]

All points wrong. (1.00 / 1) (#235)
by i on Tue Sep 09, 2003 at 03:31:59 AM EST

  • SSL is very complex, but millions of people use it for online banking without comprehending anything about it.
  • No, the whole idea of the ballot does not depend on trust if everyone can recount and verify the results.
  • It is very easy to compromise a box full of pieces of paper. You just need to be alone in a room with it. OTOH it is generally possible to devise a secure voting protocol even if many (but not all) computers in the system are compromised. Besides, compromising a computer need not be easy if special-purpose hardware with embedded secret keys is used.


and we have a contradicton according to our assumptions and the factor theorem

[ Parent ]
All rebuttals wrong (4.00 / 1) (#245)
by sewer crocodile on Tue Sep 09, 2003 at 08:46:06 PM EST

1. The complexity of SSL has led to numerous vulnerabilities in the various implementations of it.

2. No. The entire electoral system is based upon
the idea that people will trust the outcome.

3. In this case, you are *trusting* the keys and
special purpose hardware. How do you know that
the person who built the hardware didn't choose
weak keys, for example. And you don't seem to
have read 'Tinfoil Hat' carefully - we've already
dealt with the issue of security.

4. Trusting an outcome without trusting anyone
is not even in principle possible. And it's not
even something that you'd really aim for -
you rely on your countrymen every day for your
health, education, safety, etc. If you're trusting
them with your life, why are you so worried about
trusting them with a box full of pieces of paper?

[ Parent ]

Ha. (1.00 / 1) (#247)
by i on Wed Sep 10, 2003 at 05:19:11 AM EST

  • It doesn't prevent people from using it, right?
  • Trust is good, but an ability to verify is better.
  • Presumably the specs are open, so everyone can scrutinise whatever hardware is necessary. Besides, I do want to dispense with special-purpose hardware if possible.
  • I may trust random people with my life but not, say, with a box full of green pieces of paper with dead U.S. presidents on them.


and we have a contradicton according to our assumptions and the factor theorem

[ Parent ]
Paper is as secure as it gets (5.00 / 2) (#238)
by aw70 on Tue Sep 09, 2003 at 10:37:09 AM EST

Amongst other things, the trick about making paper election counting procedures secure is

a) generating a paper trail for everything which is done (e.g. issuing voting cards - the blanks are counted before and after the fact, and the difference has to match the number of cards in the ballot box)

b) having representatives of each party present at the votecasting and the counting. This was my function at the elections, btw; I'm not a member of a particular party, but since some friends of mine are, I got asked by them (this is probably similar to where 70% of the election commission folks hereabouts come from - having the wrong kind of friends... :-). The presence of people who are - at least temporarily - affiliated to 4 or more parties (plus a civil servant from the magistrate to oversee the procedure) made any tampering virtually impossible. And since you're free to take notes about the vote tallying, you can compare the stats later posted on the internet for each electoral area with the ones you took for yours.

If you think about this for a minute, this is as secure as electronic voting will ever get - and that is in the optimal case, with a by comparison inane amount of effort involved. If you can't trust the general population to conduct meaningful elections (that is, if you can no longer trust the members of an average multi-partisan electoral commission), you're screwed anyway, electronic voting or not.

Just my 0.2E-32 EUR

A.



[ Parent ]
No Elections are needed (2.00 / 1) (#210)
by tuqui on Mon Sep 08, 2003 at 12:27:10 AM EST

In an electronic, totally connected society there will be no need for elections: you can directly send your opinion without representatives.

You still need to vote on issues...and.. (none / 0) (#215)
by simul on Mon Sep 08, 2003 at 01:16:13 PM EST

it needs to be secure.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
Incredible naivety. (4.00 / 1) (#211)
by Eivind on Mon Sep 08, 2003 at 07:02:43 AM EST

The poster does not even know the basics of what he is talking about. It's precisely because of people like him that we have such a lot of useless "voting-machines" where the result is untrustable at best and plain wrong at worst.

Here is a small sample of obvious problems in the proposal. There's a lot more of them.

  • The UID is simply 512-bit random number that's designed to be unique across all voters.

    While it's clear what the poster intends to say, the wording is unfortunate. Random numbers are not "designed" to be anything in particular, and if they are "designed" then they are no longer (by definition) random.

  • Public key cryptography is used to provide superior security assurances. The machine uses the "public keys" of, for example, a dozen "audit servers" to encrypt this information. This type of information could not be easily tampered with or forged.

    Why not? It is true that a message encrypted with the public key of an audit-server can only be read by the audit-server (or someone somehow holding a copy of the audit-server's private key). But it is NOT true that this provides any defence against tampering. A would-be tamperer would have no need to read the messages. He could quite simply delete them, and then create his own messages to replace them. To do this he needs only the public keys of the auditing-servers. These need to be distributed to each of tens of thousands of voting-terminals, so it's unreasonable to assume they could all be kept secret indefinitely.

  • At the end of the election, the results at each audit server must be nearly identical to all of the others - or the election is invalid. Error is allowed only if it doesn't affect the outcome of the election.

    Why "nearly" identical? In a computerized voting-system, clearly something is wrong if the results differ by even a single vote, no?

  • A voter may, at the time of the vote, press a "duress vote" button on the machine. In that case, the vote is not counted, but it receives a card, can be verified and will seem otherwise to be a valid vote in every respect.

    While I commend the poster for having thought about the problem of bought or forced votes, the solution is flawed. If a duress vote will seem like a valid vote in EVERY respect after the election, how then can I as the voter VERIFY that the "real" vote was the only one counted?

    This problem is fundamental in voter verifiable systems. If you, as a voter, CAN verify after the election that your vote for X was counted, then someone can also show up and offer you cash (or threaten you) for making the "right" vote. The only two ways around this are either to not allow verification, or to only allow verification at secure facilities where only one person at a time, and no cameras etc., are allowed.

This was just a small sample. There are problems without ends in this proposal, and there is not even the hint of actually solving ANY of the tricky problems in electronic voting. Throwing feel-good phrases like "public key cryptography" and "GnuPG" around does nothing to change this.

Heh. (none / 0) (#212)
by i on Mon Sep 08, 2003 at 12:23:57 PM EST

If you, as a voter CAN verify after the election that your vote for X was counted, then someone can also show up and offer you cash.

Not quite. You can verify your vote was counted, but you can't prove how you have voted. This is doable.

and we have a contradicton according to our assumptions and the factor theorem

[ Parent ]

Signed certificates for the machines... (none / 0) (#214)
by simul on Mon Sep 08, 2003 at 01:15:33 PM EST

If you used a signed cert in the voting machine itself... and signed the vote, it would be very difficult to tamper with the communications... unless someone stole the cert.

Of course, someone can steal the certs...sneak in, and replace the CD's with CD's that have signed votes on them.

But, that's equivalent to stealing the keys to a voting machine, sneaking in, and replacing ballots with forged ones.

This system doesn't "do away" with physical break-ins. It just makes centralized corruption, like in Georgia's Diebold system, very difficult.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]
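Eivind's objection above (encrypting to the audit servers' public keys protects confidentiality, not integrity: anyone holding those public keys can replace a vote record with one of their own) and simul's follow-up (have the machine sign each vote with its own key) are modelled together here in an added Python example that is not part of the original thread. It uses a deliberately tiny textbook RSA with constructed primes, a placeholder UID and a made-up record format; the key sizes and the hash-mod-n "padding" are toys for illustration only.

```python
import hashlib
from math import gcd

# Toy textbook RSA with tiny constructed primes: enough to show the
# confidentiality/integrity distinction, useless for real security.

def keygen(p, q, e):
    """Return ((e, n), (d, n)) for the toy primes p and q."""
    n = p * q
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1, "e must be invertible mod phi"
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (e, n), (d, n)

def encrypt(record, pub):
    """Encrypt a byte string byte-by-byte under a public key (toy, no padding)."""
    e, n = pub
    return [pow(b, e, n) for b in record]

def decrypt(cipher, priv):
    d, n = priv
    return bytes(pow(c, d, n) for c in cipher)

def digest(record, n):
    """Hash the record and reduce into the toy modulus (not real RSA padding)."""
    return int.from_bytes(hashlib.sha256(record).digest(), "big") % n

def sign(record, priv):
    d, n = priv
    return pow(digest(record, n), d, n)

def verify(record, sig, pub):
    e, n = pub
    return pow(sig, e, n) == digest(record, n)

# Constructed keys: one audit server and one voting machine.
AUDIT_PUB, AUDIT_PRIV = keygen(61, 53, 17)
MACHINE_PUB, MACHINE_PRIV = keygen(10007, 10009, 17)

# Constructed vote records; the UID is a placeholder, not a real 512-bit value.
REAL_RECORD = b"UID=0xC0FFEE;VOTE=A"
FORGED_RECORD = b"UID=0xC0FFEE;VOTE=B"

def encrypt_only_submission(record):
    """What the original proposal transmits: ciphertext for the audit server, nothing more."""
    return {"cipher": encrypt(record, AUDIT_PUB)}

def signed_submission(record, machine_priv=MACHINE_PRIV):
    """Hardened form: the machine also signs the plaintext record it encrypted.
    The protection lasts only as long as machine_priv stays on the machine."""
    return {"cipher": encrypt(record, AUDIT_PUB), "sig": sign(record, machine_priv)}

def substitute(submission, forged_record):
    """Eivind's scenario: the original ciphertext is dropped and replaced by a
    record encrypted under the audit server's public key, which every terminal holds."""
    replaced = dict(submission)
    replaced["cipher"] = encrypt(forged_record, AUDIT_PUB)
    return replaced

def audit_server_accept(submission, require_signature):
    """Audit-server side: decrypt, then optionally check the machine's signature.
    Returns (accepted, decrypted_record)."""
    record = decrypt(submission["cipher"], AUDIT_PRIV)
    if not require_signature:
        return True, record
    sig = submission.get("sig")
    if sig is None or not verify(record, sig, MACHINE_PUB):
        return False, record
    return True, record

def demo():
    """Run the three cases the thread discusses and return the outcomes."""
    # 1. Encryption alone: the substituted record decrypts cleanly and is accepted.
    ok_plain, rec_plain = audit_server_accept(
        substitute(encrypt_only_submission(REAL_RECORD), FORGED_RECORD), False)
    # 2. With a machine signature: the substituted ciphertext no longer matches it.
    ok_signed, _ = audit_server_accept(
        substitute(signed_submission(REAL_RECORD), FORGED_RECORD), True)
    # 3. An untouched signed submission still verifies.
    ok_honest, rec_honest = audit_server_accept(signed_submission(REAL_RECORD), True)
    return ok_plain, rec_plain, ok_signed, ok_honest, rec_honest

if __name__ == "__main__":
    print(demo())
```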

interesting theoretical problem (5.00 / 2) (#230)
by svillee on Mon Sep 08, 2003 at 11:27:14 PM EST

I still don't see how the duress button really helps. How can you ever be sure that your real vote was not erroneously recorded as a duress vote? Whatever "proof" was provided to you, it seems a vote buyer could insist that you forward it to him. If the voting machine asks for a PIN, the vote buyer could insist that you use one provided by him.

It's an interesting theoretical problem. To keep it simple, let's assume that both you and the vote buyer are intelligent and sophisticated. Suppose both of you have full faith in public key cryptography, and the keys in use are too big to be cracked with a brute force attack. You have faith in only one of the audit servers, and the vote buyer has faith in a different one.

The problem then, is to design the voting machine so that you as a voter can be sure that your vote was recorded properly on your trusted audit server. At the same time, if anyone offers to buy votes, you want to be able to provide any required "proof" that you voted a particular way, even if you did not.

I don't think a duress button would help here. It would just be a red herring.

If you have faith that no one has tampered with the voting machine, and that the keys used to sign messages from the machine to the audit servers have not been compromised, then it's pretty straightforward. Here is a summary of a scheme that can be used.

If you have no faith in the voting machine, then it gets tricky. I'm not sure there is any complete solution, but here is a sketch of an idea. Basically, you give up on providing the voter with absolute proof his vote was recorded. Instead, you give him evidence, and figure he could forward this evidence to a vote buyer. However, you arrange that the evidence is "significantly" more convincing to the voter than to the vote buyer, because of things the voter can see that the vote buyer cannot.

For example, the voter knows what time he went into the booth. The vote buyer might not. The voter can see a random number chosen via ping-pong balls in a transparent container. The vote buyer typically would have no way to verify which ping-pong ball actually came up when it was the voter's turn.

What constitutes "significantly" more convincing? You can tune this arbitrarily, by controlling how much extra information (that the vote buyer cannot verify) is incorporated into the digitally signed record the voter takes home with him. You want it to be large enough to convince the voter, yet small enough that a duplicate really could be a coincidence as far as the vote buyer can tell.

You can tune it... (none / 0) (#242)
by simul on Tue Sep 09, 2003 at 07:04:21 PM EST

You can kill the duress button altogether in any state where absentee ballots are allowed.

I mean... it's so damn easy for someone to coerce you into filling out an absentee ballot. I don't know why they'd bother with the whole pin number card thingy.



Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

Multiple organizations do the counting (none / 0) (#243)
by simul on Tue Sep 09, 2003 at 07:06:07 PM EST

That's the heart of the system. Sure, physical security is always an issue... not worth discussing since the same issues exist with any voting system.

But the idea of allowing a dozen separate organizations to count the votes... and have them assured that the votes weren't tampered with beyond the booth itself.. is pretty powerful.

Read this book - first 24 pages are free to browse - it rocks
[ Parent ]

How to build a verifiable voting system | 255 comments (247 topical, 8 editorial, 0 hidden)