Now, crypto happens to be something I know a little
about.... ( http://www.law.miami.edu/~froomkin/#crypto )

On Sun, 18 Jul 1999, Kent Crispin wrote:
 
> Peer review of the code doesn't do the job at all, unfortunately. 
> How do you know that the reviewed code is in fact the code being

I agree that in a perfect world the system should be resistant to this.  
As an interim issue, it seems fairly low on the list of priorities.  Are
you seriously suggesting that there is a real risk of this fraud?  

In any case, proving that the code offered to the referee is the same as
the running code is trivially easy: you compile it, and hash the two
programs, and bit-compare them, or compare hashes.  (Of course you have to
use the exact same compiler and OS).  Digitally sign every step for
long-run ease of comparison.

> used? How do you know that Joop doesn't go in and manually change the
> logs and the results?  Or an employee of his?
> 

This is also trivially easy to prevent: escrow copy of the ballots as they
come in (hold for a period of time, then destroy).

> A review of the system could build *some* confidence that a hacker
> couldn't break in and change things.  That is actually pretty far 
> down on my list of concerns, though.
> 
> The basic problem is this:  barring complex and totally unrealistic 
> cryptographic protocols, there is no way to do a secret ballot 
> election without a Trusted Third Party.  How do you find a TTP for
> the highly contentious international arena we are playing in?  

Easy.  Real easy.  Ethan Katsh, or Phil Agre, or some large law or
accounting firm that holds it pro bono.  So long as all they do is hold
the data, pending challenges, it won't cost them much.  

Or, every day hash the file of all ballots, and digitally sign and publish
the hashes.   Protects against all frauds other than those on a rolling,
real-time basis.  Protects against subsequent log alteration, doesn't
protect against ballot-stuffing however (but then that's supposed to be a
function of the underlying system, not the
protect-against-the-election-officer system).

> 
> Ideally the TTP should *actually* be trusted, and neutral to all
> concerned, but this is very tricky.  There was, for example, some
> discussion of the American Arbitration Association managing the
> election, and we were assured that the AAA is highly respected etc. 
> But the fact remains that the AAA is an unknown to most of the human
> race, and hence, on the face of it, not trusted.  In some circles,
> the word "American" automatically makes it suspect. 
> 

We can, however, settle for actually fair, and let them build the trust.
I bet we can find someone or a body with a reputation capital on a par
with, say, Esther Dyson (an American!).  Again, not a deity, but we are
all fallen are we not?

> To summarize a potentially lengthy argument, international secret
> ballots over the Internet are, IMO, quite problematic. 
> 

So, make it actually fair, answer reasonable critics, and that ought to be
enough.

> [An obvious counter-example is the share-holder elections that are
> being held via email these days.  However, there are substantive
> differences: shareholder elections involve a very large voting
> population, the issues are not important to most shareholders, and
> the large shareholders who care and are decisive votes, probably
> don't use the Internet for voting.]
> 

This is a ridiculous statement.  The issues are important, lots of money
changes hands, and if anything goes wrong, esp. fraud, the people running
it can go to jail.  So there's a very powerful incentive to make it not
just right, but provably right.  So this is a far more powerful example
than you admit.

A better statement would have been, that most of these elections use some
sort of paper (or at least external e.g. via broker) validation of the
voter, since elaborate systems exist to show who can sell the share,
piggybacking voting on it is less hard than a system where members don't
have to buy in.

> However, if you drop the secret ballot requirement, and go to the
> Internet equivalent of open roll call voting, such as is used in
> Congress or other deliberative bodies (and that people demand of
> ICANN), these problems are greatly reduced, and some are effectively
> eliminated. 
> 

True, but secret balloting problems while quite real are not as enormous
as you make it sound.

-- 
A. Michael Froomkin   |    Professor of Law    |   [EMAIL PROTECTED]
U. Miami School of Law, P.O. Box 248087, Coral Gables, FL 33124 USA
+1 (305) 284-4285  |  +1 (305) 284-6506 (fax)  |  http://www.law.tm
                    -->   It's hot here.   <-- 
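
The daily hash-and-publish scheme described in the message above, as an added example that is not part of the original e-mail: it shows later alteration of the ballot log being caught by the published hashes, and ballot-stuffing before publication passing the audit. The ballot line format, dates and function names are constructed for illustration, and the digital signature over each published hash is left out (assumed to be applied before publication).

```python
import hashlib

def daily_digests(ballots):
    """ballots: (day, line) pairs in arrival order.
    Returns {day: SHA-256 of the whole ballot file as it stood at end of day}."""
    running = hashlib.sha256()
    digests = {}
    for day, line in ballots:
        running.update(line.encode() + b"\n")
        # Overwritten until the last ballot of the day, so the stored value
        # covers every ballot received up to and including that day.
        digests[day] = running.copy().hexdigest()
    return digests

def audit(published, ballots):
    """Recompute the daily hashes from a ballot file and return the days
    whose hash no longer matches what was published."""
    recomputed = daily_digests(ballots)
    return sorted(d for d in published if recomputed.get(d) != published[d])

# Constructed sample ballot log (not real data).
LOG = [
    ("1999-07-16", "voter=001 choice=A"),
    ("1999-07-16", "voter=002 choice=B"),
    ("1999-07-17", "voter=003 choice=A"),
    ("1999-07-18", "voter=004 choice=B"),
]
PUBLISHED = daily_digests(LOG)  # the hashes published each evening

def alter_after_publication(index, new_line):
    """A ballot is changed after its day's hash was published."""
    altered = list(LOG)
    altered[index] = (altered[index][0], new_line)
    return audit(PUBLISHED, altered)

def stuff_before_publication():
    """An extra ballot is added before that day's hash is computed, so the
    published hash already covers it and the audit reports nothing."""
    stuffed = LOG + [("1999-07-18", "voter=999 choice=A")]
    return audit(daily_digests(stuffed), stuffed)

if __name__ == "__main__":
    print("unaltered log:", audit(PUBLISHED, LOG))
    print("altered day 1:", alter_after_publication(1, "voter=002 choice=A"))
    print("stuffed day 3:", stuff_before_publication())
```

Because each day's hash covers the whole file, changing one early ballot invalidates that day's hash and every later one.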
