Perry Metzger writes, on his cryptography list:

> By the way, I should mention that an important part of such a system
> is the principle that representatives from the candidates on each side
> get to oversee the entire process, assuring that the ballot boxes
> start empty and stay untampered with all day, and that no one tampers
> with the ballots as they're read. The inspectors also serve to assure
> that the clerks are properly checking who can and can't vote, and can
> do things like hand-recording the final counts from the readers,
> providing a check against the totals reported centrally.
>
> The adversarial method does wonders for assuring that tampering is
> difficult at all stages of a voting system.

On the contrary, the adversarial method is an extremely *weak* source of security in a voting system.

In the first place, it fails for primary elections where there are multiple candidates, all of one party, running for a position. It's not unusual to have a dozen candidates or even more in some rare cases (the California gubernatorial election, while not a primary, had hundreds of candidates running for one seat). It is impractical for each candidate to supply an army of representatives to supervise the voting process, nor can each polling place accommodate the number of people required.

In the second place, it fails for elections with more than two parties running. The casual reference above to representatives "on each side" betrays this error. Poorly funded third parties cannot provide representatives as easily as the Republicans and Democrats. We already know that the major parties fight to keep third party candidates off the ballots. Can we expect them to be vigilant in making sure that Libertarian and Green votes are counted?

In the third place, tampering has to be protected against in each and every voting precinct. Any voting station where the voting observers for one party are lax or incompetent could be identified in advance and targeted for fraud. Given that these observers are often elderly and have limited faculties, such frauds are all too easy to accomplish.

It's baffling that security experts today are clinging to the outmoded and insecure paper voting systems of the past, where evidence of fraud, error and incompetence is overwhelming. Cryptographic voting protocols have been in development for 20 years, and there are dozens of proposals in the literature with various characteristics in terms of scalability, security and privacy. The votehere.net scheme uses advanced cryptographic techniques including zero knowledge proofs and verifiable remixing, the same method that might be used in next generation anonymous remailers.

Given that so many jurisdictions are moving towards electronic voting machines, this is a perfect opportunity to introduce mathematical protections instead of relying so heavily on human beings. I would encourage observers on these lists to familiarize themselves with the cryptographic literature and the heavily technical protocol details at http://www.votehere.com/documents.html before passing judgement on these technologies.