RE: Electronic elections.
Peter Trei wrote:

I entirely agree. I don't truly trust voting machines either - I would like to see all elections decided by paper ballots stuffed in a box, after being marked in a way which is private, and publicly observable to be private. The ballots should be counted with representatives of all candidates present.

This has been the same when secret voting was introduced. The people did not have trust in the system. The public voting was much easier to control. But why do we trust in secret voting? Do you check every step from casting your vote to the final result? I personally don't.

With regard to Per Kangru's initial question. At university of Osnabrueck, they did have e-voting in their last student parliament elections (www.internetwahlen.de). Maybe that will help, you only need to read German :-)

Voting by mail is in Germany allowed as an exception. The constitutional court did allow this way in order to include old or whatever people. The reality is, that in some cities the percentage has been in the last national elections between 20 and 30 percent. This is not an exception. What to do?

I think the first step with elections via computer will be that these computers will be placed in public places (like it used to be). This will happen quite soon. It pretty much depends on the tool you can vote with how fast the last step can be reached: voting from home. If e.g. cell phones can be used, I guess it won't be very long.

Harald Neymanns
RE: Electronic elections.
From: "Trei, Peter" [EMAIL PROTECTED]
Date: Tue, 30 May 2000 09:33:33 -0400

There are a number of results in the crypto literature on receipt-free voting, most recently (that I'm aware of) one presented by Kazue Sako at last month's Eurocrypt 2000. Receipt-freeness means that voters cannot demonstrate to third parties how they voted, and thus addresses the bribery and coercion issue.

This is nonsense. If the person whose vote is being coerced has the coercer looking over their shoulder as they cast it, no receipt is needed to convince the coercer that their demand has been met.

My point (which I guess my example didn't adequately convey) was that even looking over the voter's shoulder the coercer may not be able to tell what the vote is, because it depends on a bit in the voter's head that s/he can undetectably lie about, and has no way to convince the coercer what it is.

A completely different tack is to allow voters to cast as many ballots as they like and count only the last one. This effectively defends against buying and forcing of votes because the voter can always vote again. (I gather that corporate proxy voting works this way.)

This is more workable, as it increases the work factor for the coercer: he/she/it has to ensure that the last vote cast was cast the way demanded. I don't regard it as sufficient however - the greater complexity opens the way for error.

I think it might work reasonably well in practice, because ensuring that the last vote cast was cast the way demanded seems infeasible on any significant scale. I agree though that the additional complexity could lead to error.

By the way, my parenthetical remark was intended to point out that multiple voting exists in practice, and not to imply that corporate proxy voting is immune to buying or forcing. Corporate elections lack some properties that political elections (allegedly) possess:

1. They are generally not secret ballot--it may be possible to verify how specific shares are voted, so changing a vote may be detectable.
2. They are not "one person, one vote", so it may be advantageous for a would-be coercer to single out a large shareholder and not only coerce his/her vote, but also prevent him/her from voting again.

Of course buying votes in corporate elections is trivial (by buying shares), and this is generally considered a Good Thing rather than a Bad Thing, at least by those who approve of the corporation as an institution.

Ray
Re: Electronic elections.
Date: Mon, 29 May 2000 07:52:24 -0400
From: Dan Geer [EMAIL PROTECTED]

There is no doubt whatsoever that the sanctity of a vote once cast can be absolutely preserved as it is moved from your house to the counting house. What cannot be done, now or ever, is to ensure the sanctity of the voting booth anywhere but in a physical and, yes, public location attended to by persons both known to each other and drawn from those strata of society who care enough to be present. There are no replacements for the voting booth as a moment of privacy wrapped in inefficient but proven isolation by unarguable witness, a place where we are equal as in no other. Move the dispatch of a vote to a remote browser and $100 bills, concurrent sex acts, a pistol to the head, wife-beating or any other combination of bribes and coercion is an undiscoverable concomitant of the otherwise "assured" integrity of the so-called vote.

There are a number of results in the crypto literature on receipt-free voting, most recently (that I'm aware of) one presented by Kazue Sako at last month's Eurocrypt 2000. Receipt-freeness means that voters cannot demonstrate to third parties how they voted, and thus addresses the bribery and coercion issue.

For an oversimplified example of how this might work, consider a yes/no referendum with an advance registration process during which a coin is flipped to select a random bit that will be xor'd with the vote. For example, voting could be with red and blue, and the coin flip determines which color means yes. Later, in the privacy of her browser, the voter casts her red/blue vote, and no observer can tell what it stands for. Coercion to vote either red or blue randomizes the vote. That's still a threat, but a less serious one. (I think Sako and Hirt's scheme may address this as well, but I'm not sure.) Additional tricks can be used to ensure correct tallying of the vote and to protect its anonymity (against an untrusted polling authority).

A completely different tack is to allow voters to cast as many ballots as they like and count only the last one. This effectively defends against buying and forcing of votes because the voter can always vote again. (I gather that corporate proxy voting works this way.)

Although internet voting may be hunky-dory from a cryptographer's perspective, there are some cogent (both technical and political) arguments against its feasibility at this time. Cf. the report of California's task force at http://www.ss.ca.gov/executive/ivote.

Sorry if I'm repeating stuff that's already been said--I just joined this discussion in the middle.

Ray
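
The two ideas in Ray's message above, combined in one tally routine, as an added example that is not part of the original thread or of any scheme cited in it: each voter's registration coin decides which colour means yes, and only the last ballot per voter is counted. The function names, the ballot-log layout and the sample voters are assumptions made for illustration.

```python
from collections import Counter

RED, BLUE = 0, 1          # the two colours a voter can cast, as bits
NO, YES = 0, 1            # what a decoded ballot can mean


def colour_for(intent, coin):
    """Colour a voter must cast to express `intent`, given her secret coin."""
    return intent ^ coin


def decode(colour, coin):
    """Meaning of a cast colour: the vote is the colour xor'd with the coin."""
    return colour ^ coin


def last_ballots(ballot_log):
    """Keep each voter's final ballot. Entries are (sequence, voter, colour)."""
    final = {}
    for _seq, voter, colour in sorted(ballot_log):
        final[voter] = colour          # a later ballot replaces an earlier one
    return final


def tally(ballot_log, coins):
    """Count YES/NO over final ballots; unregistered voters are ignored."""
    counts = Counter({YES: 0, NO: 0})
    for voter, colour in last_ballots(ballot_log).items():
        if voter in coins:
            counts[decode(colour, coins[voter])] += 1
    return counts


# Constructed sample data: four registered voters and their registration coins.
COINS = {"alice": 0, "bob": 1, "carol": 0, "dave": 1}

# Everyone is pressured to cast RED while being watched ...
COERCED_LOG = [(1, "alice", RED), (2, "bob", RED),
               (3, "carol", RED), (4, "dave", RED)]
# ... and carol, who wanted YES, votes again later in private.
FULL_LOG = COERCED_LOG + [(5, "carol", colour_for(YES, COINS["carol"]))]

if __name__ == "__main__":
    print("coerced RED only:    ", dict(tally(COERCED_LOG, COINS)))
    print("after carol re-votes:", dict(tally(FULL_LOG, COINS)))
```

The forced RED ballots split according to the coins rather than the coercer's wish, and the later ballot replaces the coerced one.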
RE: Electronic elections.
--
From: Ray Hirschfeld[SMTP:[EMAIL PROTECTED]]
Reply To: [EMAIL PROTECTED]
Sent: Tuesday, May 30, 2000 1:18 AM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: Electronic elections.

Date: Mon, 29 May 2000 07:52:24 -0400
From: Dan Geer [EMAIL PROTECTED]

There is no doubt whatsoever that the sanctity of a vote once cast can be absolutely preserved as it is moved from your house to the counting house. What cannot be done, now or ever, is to ensure the sanctity of the voting booth anywhere but in a physical and, yes, public location attended to by persons both known to each other and drawn from those strata of society who care enough to be present. There are no replacements for the voting booth as a moment of privacy wrapped in inefficient but proven isolation by unarguable witness, a place where we are equal as in no other. Move the dispatch of a vote to a remote browser and $100 bills, concurrent sex acts, a pistol to the head, wife-beating or any other combination of bribes and coercion is an undiscoverable concomitant of the otherwise "assured" integrity of the so-called vote.

There are a number of results in the crypto literature on receipt-free voting, most recently (that I'm aware of) one presented by Kazue Sako at last month's Eurocrypt 2000. Receipt-freeness means that voters cannot demonstrate to third parties how they voted, and thus addresses the bribery and coercion issue.

This is nonsense. If the person whose vote is being coerced has the coercer looking over their shoulder as they cast it, no receipt is needed to convince the coercer that their demand has been met. If a receipt *is* created - allowing a voter to determine that their vote was recorded as being for a certain candidate - the coercer can use that to ensure that their demands were followed.

[..]

A completely different tack is to allow voters to cast as many ballots as they like and count only the last one. This effectively defends against buying and forcing of votes because the voter can always vote again. (I gather that corporate proxy voting works this way.)

This is more workable, as it increases the work factor for the coercer: he/she/it has to ensure that the last vote cast was cast the way demanded. I don't regard it as sufficient however - the greater complexity opens the way for error.

Although internet voting may be hunky-dory from a cryptographer's perspective, there are some cogent (both technical and political) arguments against its feasibility at this time. Cf. the report of California's task force at http://www.ss.ca.gov/executive/ivote.

I entirely agree. I don't truly trust voting machines either - I would like to see all elections decided by paper ballots stuffed in a box, after being marked in a way which is private, and publicly observable to be private. The ballots should be counted with representatives of all candidates present.

Yes, this is more expensive, and slower. However, public confidence in the fairness of elections is more than worthy of the expense. Dan is right, and David is wrong.

Peter Trei

Ray
Re: Electronic elections.
I'm not sure I care for the elitist tone in Dan's posting either, but he raises some points that deserve serious consideration. Sure we have mail-in absentee ballots now, but the number of people who choose to vote that way is small and an absentee ballot split that varied markedly from the regular vote would certainly stand out.

Today's headlines include concerns over the fairness of Peru's election, just ended. Elections in the US have been free from major ballot tampering for so long that most of us have forgotten the reasons for the complex voting procedures we use. These were hard fought reforms when they were introduced. We should look at Internet voting from every angle, including historical lessons, before employing it to select our governmental leaders.

Of course Internet voting has many applications besides political elections. And I don't think anyone would seriously consider its use in political elections until access to the Internet is nearly universal. We have time. Let's err on the side of caution.

Arnold Reinhold

At 6:39 AM -0700 5/29/2000, David Honig wrote:

At 07:52 AM 5/29/00 -0400, Dan Geer wrote:

There is no doubt whatsoever that the sanctity of a vote once cast can be absolutely preserved as it is moved from your house to the counting house. What cannot be done, now or ever, is to ensure the sanctity of the voting booth anywhere but in a physical and, yes, public location attended to by persons both known to each other and drawn from those strata of society who care enough to be present.

So I typically elect to vote by mail. Is my vote worthless because of that?

There are no replacements for the voting booth as a moment of privacy wrapped in inefficient but proven isolation by unarguable witness, a place where we are equal as in no other.

'Sanctity'? 'Moment of privacy?' Sorry, no sacred cows allowed here, unless they're seeing eye cows, or nicely barbecued.

Move the dispatch of a vote to a remote browser and $100 bills

So standing in line with the masses like some Russian waiting for bread somehow immunizes against voter fraud?

Internet voting is anti-democracy and those who cannot bestir themselves to be present upon that day and place which is never a surprise to do that which is the single most precious gift of all the blood of all the liberators can, in a word, shut up.

Yeah right... real purty flame there, real Daughters of the American Revolution material, blood of the liberators and all, but how about a real argument? Or is your retro dogma supposed to be lapped up on the basis of your empty, inflammatory assertions?
RE: Electronic elections.
As a practical matter, requiring the voter to remember even one bit is unlikely to fly. If as always there are several races on the ballot, one bit is not enough, because the coercer can deduce the bit from the pattern of votes. No voter can be expected to remember several bits. The resulting uncertainty in the voter's mind, whether his/her vote had been recorded correctly, would be fatal.

The "last vote" idea begs the question of why the coercer cannot disable the voter's computer after the coerced vote, until the deadline has passed, by removing a component or, if it's a cellphone, simply borrowing it. Or by holding a "voting party" that continues until the deadline has passed.

Dan's point holds.

Barney Wolff

Date: Tue, 30 May 2000 17:06:06 +0200 (MET DST)
From: Ray Hirschfeld [EMAIL PROTECTED]

My point (which I guess my example didn't adequately convey) was that even looking over the voter's shoulder the coercer may not be able to tell what the vote is, because it depends on a bit in the voter's head that s/he can undetectably lie about, and has no way to convince the coercer what it is.
Re: Electronic elections.
I'm not sure I care for the elitist tone in Dan's posting either, but he raises some points that deserve serious consideration. Sure we have mail-in absentee ballots now, but the number of people who choose to vote that way is small and an absentee ballot split that varied markedly from the regular vote would certainly stand out.

Actually, speaking as someone who has won a real world election so close it was decided by absentee ballots, that last part isn't true. Absentee voters have different demographics from the overall voter population -- they tend to be older and sicker. The village election here is held in March, and most of the absentees are older residents who spend the winter in Florida and tend to be more conservative and more Republican than the rest of the voters. But it's certainly true that a result markedly at odds with the regular vote skewed by the predictable biases of the absentees would raise eyebrows.

Nonetheless, the absentee process is deliberately cumbersome and subject to public inspection to make it hard to spoof. Around here, you have to send in a paper application with a handwritten signature (unless you're on active duty in the military in which case you get the absentee ballot automatically), they send out the absentee ballot, you fill out the ballot, put it in nested envelopes, sign the outer envelope and mail it back. On the appointed day, the two commissioners, one from each party, open the envelopes, display the outer envelopes to everyone present who can challenge them if the signature looks wrong or otherwise doesn't look right, then they mechanically shuffle up the paper ballots and count them. The process is still subject to challenges similar to those for in-person voting, and I think that it's permissible to contact any voter with a questionable ballot and ask whether they sent one in.

For the original question, I'd suggest a procedure similar to the one the ACM uses. They make up a bunch of random numbers with check digits, print them out, shuffle them up, and mail one printed number to each registered voter. To vote, you have to enter your number. This provides reasonable real world security that each voter is a real voter, while each vote is anonymous. Sorry that this procedure doesn't include any whizzo crypto features.

Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47
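
A sketch of the mailed-number procedure John describes, as an added example that is not the ACM's actual system: the message does not say which check-digit scheme is used, so the Luhn algorithm is assumed here, and the token length, the function names and the BallotBox class are likewise hypothetical.

```python
import secrets

PAYLOAD_DIGITS = 12  # assumed length of the random part of each number

ACCEPTED = "accepted"
BAD_CHECK_DIGIT = "rejected: malformed or mistyped number"
ALREADY_USED = "rejected: number already used"
UNKNOWN = "rejected: number was never issued"


def luhn_check_digit(payload: str) -> int:
    """Luhn check digit for a string of decimal digits."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def make_token(payload: str) -> str:
    return payload + str(luhn_check_digit(payload))


def is_well_formed(token: str) -> bool:
    """True if the token is all ASCII digits and its check digit matches."""
    if len(token) < 2 or not (token.isascii() and token.isdigit()):
        return False
    return make_token(token[:-1]) == token


def issue_tokens(n: int) -> list:
    """Make n distinct random numbers with check digits, in shuffled order.

    No voter names are involved: numbers are matched to envelopes only by
    the shuffle, so the tallier never learns who holds which number.
    """
    payloads = set()
    while len(payloads) < n:
        payloads.add("".join(str(secrets.randbelow(10))
                             for _ in range(PAYLOAD_DIGITS)))
    tokens = [make_token(p) for p in payloads]
    secrets.SystemRandom().shuffle(tokens)
    return tokens


class BallotBox:
    """Accepts one vote per issued number and keeps only running counts."""

    def __init__(self, issued):
        self.unused = set(issued)
        self.spent = set()
        self.counts = {}

    def cast(self, token: str, choice: str) -> str:
        token = token.replace(" ", "").strip()
        if not is_well_formed(token):
            return BAD_CHECK_DIGIT      # typo caught before any lookup
        if token in self.spent:
            return ALREADY_USED
        if token not in self.unused:
            return UNKNOWN
        self.unused.remove(token)
        self.spent.add(token)           # the choice is not stored with it
        self.counts[choice] = self.counts.get(choice, 0) + 1
        return ACCEPTED


if __name__ == "__main__":
    numbers = issue_tokens(3)
    box = BallotBox(numbers)
    print(box.cast(numbers[0], "yes"), "|", box.cast(numbers[0], "no"))
    print(box.counts)
```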
RE: Electronic elections.
--
From: R. A. Hettinga[SMTP:[EMAIL PROTECTED]]

At 9:33 AM -0400 on 5/30/00, Trei, Peter wrote:

If the person whose vote is being coerced has the coercer looking over their shoulder as they cast it

Just for fun, think about the mathematics of this proposition?

If you're the person with an abusive spouse leaning over your shoulder, the mathematics are 100%. If you're the ward heeler who visits 50-100 households on election day, and checks that the residents vote "right" (otherwise the local political machine will make things difficult for them) the numbers are pretty good as well. If the WH is better funded, she can let it be known that there's a $50 bill awaiting each voter in the precinct who votes "right" from the PC in the heeler's office.

In the old days, you didn't fill out your own ballot - you got one from the party rep outside the polling place, and were observed dropping it in the box. At first color coding made it abundantly clear which ballot you were using; later after 'white' had been mandated for ballots, the parties explored the color space of off-white, white, pale gray, etc. Only when the election process required the same form to be used by all parties was this abuse eliminated...

The point has been made that paper ballots are also subject to stuffing, removal, tampering, etc. Perhaps, but in a system which pretends to fair elections, it can be made very tough. The one election whose process I observed carefully (rather than running in, voting, and leaving) was a British one around 1975 (the house I lived in was a polling station). Representatives from both major parties were there for the entire voting period. Having mutually suspicious observers of the public parts of the process greatly enhances security. After the period ended, the box was sealed (literally, with sealing wax seals by the observers), and they all transported it together to the counting station, where, once again, mutually suspicious observers from all parties watched and vetted the counting process.

I'm sure it was not totally immune to tampering, but the system seemed pretty resistant to it.

Peter Trei

:-).

Cheers,
RAH
Re: Electronic elections.
"Arnold G. Reinhold" wrote:

7. The voting process should be simple enough to be used by people with minimal education and should in no way discourage legitimate voting.

That gets a bit political. Some would argue voting should not be so simple (I had heard Isaac Asimov wanted voters to be able to pass some basic intelligence test, such as factoring a simple polynomial, in order to vote.*

8. (At least in the U.S.) The voting system should not require a national ID card or the equivalent.

That's a whole other issue. The registration process is a problem in and of itself. Actually, it is the generic bootstrapping problem in all security models, how do you prove someone's identity?

One notion that people seem to be missing in this discussion is that voting procedures in the US generally assume the existence of political parties and that the parties have both an interest and the means to supervise the elections. The primary security comes from allowing representatives of each party to observe every stage in the process.

Not true. Usually only the two major parties supervise elections, clearly not unbiased when minor parties are involved.

I also vote in Cambridge. The role of the "little old ladies" is to insure that no registered name is voted twice and to call out the name of each voter so that the poll watchers can verify their identity if they wish. I have never been asked for an ID of any sort.

Must be different polling stations.

The ballots are guarded throughout the process, making such a correlation difficult

Again a number of people are watching the polling place at all times

The boxes are guarded throughout the process.

Yes, yes. I'm not saying I can defeat the process at will. However the current system is very susceptible to force and or corruption. My point was that people hold electronic voting to a much higher standard than they do with physical elections. (Not that the higher standard is bad, I think it's great, now we just need to revisit the present system.
:-) Is this justified? Maybe. As you point out the strength of the system relies on the fact that it is so massively distributed, the cost benefit of compromising a polling station is not worthwhile (I'm assuming large elections, and not local ones, where maybe only 5 polling stations are used in the election). With computers, everything can be automated including attacks and corruption, possibly making the distribution effectively smaller. OTOH, it also means every computer can be a voting booth, and instead of 10,000 polling stations across the US (I'm guessing at this number), you can make 10,000,000.

--Mark

*There's another sticky issue of design. Here you can easily (ignoring, for the moment, FEC and state regulations and approvals) create one or more formats for ballots, and, indeed, the process in general. However, the very design/layout of the ballot affects voters. There are issues of roll-off (less voting for elections further down on the ballot), name ordering, information included on the ballot, and even how many steps are required in voting (letting voters block vote for a party counteracts the roll-off effect). Really, there are a lot of social issues in elections, too. Cryptography can provide solutions, but as to whether or not those solutions should be employed is a different matter.
Re: Electronic elections.
Along the same lines as this discussion, http://www.ivta.org was recently brought to my attention in/on the "cert-talk" ([EMAIL PROTECTED]) mailing list.

I appreciate that pointer (and others like it such as are appearing here and elsewhere) a great deal, especially in quotation:

"Encryption alone is not sufficient for an Internet voting process because voting is not an e-commerce transaction. Anonymity and integrity must be assured, and we must know that the results in an election have not been tampered with in any step of the process."

as it demonstrates in full that, as in all of engineering, the heavy lifting is in getting the problem statement right. The advocates of Internet voting do not, repeat, do not have the problem statement right.

There is no doubt whatsoever that the sanctity of a vote once cast can be absolutely preserved as it is moved from your house to the counting house. What cannot be done, now or ever, is to ensure the sanctity of the voting booth anywhere but in a physical and, yes, public location attended to by persons both known to each other and drawn from those strata of society who care enough to be present. There are no replacements for the voting booth as a moment of privacy wrapped in inefficient but proven isolation by unarguable witness, a place where we are equal as in no other. Move the dispatch of a vote to a remote browser and $100 bills, concurrent sex acts, a pistol to the head, wife-beating or any other combination of bribes and coercion is an undiscoverable concomitant of the otherwise "assured" integrity of the so-called vote.

Internet voting is anti-democracy and those who cannot bestir themselves to be present upon that day and place which is never a surprise to do that which is the single most precious gift of all the blood of all the liberators can, in a word, shut up.

Trust is for sissies,

--dan
Re: Electronic elections.
At 07:52 AM 5/29/00 -0400, Dan Geer wrote:

There is no doubt whatsoever that the sanctity of a vote once cast can be absolutely preserved as it is moved from your house to the counting house. What cannot be done, now or ever, is to ensure the sanctity of the voting booth anywhere but in a physical and, yes, public location attended to by persons both known to each other and drawn from those strata of society who care enough to be present.

So I typically elect to vote by mail. Is my vote worthless because of that?

There are no replacements for the voting booth as a moment of privacy wrapped in inefficient but proven isolation by unarguable witness, a place where we are equal as in no other.

'Sanctity'? 'Moment of privacy?' Sorry, no sacred cows allowed here, unless they're seeing eye cows, or nicely barbecued.

Move the dispatch of a vote to a remote browser and $100 bills

So standing in line with the masses like some Russian waiting for bread somehow immunizes against voter fraud?

Internet voting is anti-democracy and those who cannot bestir themselves to be present upon that day and place which is never a surprise to do that which is the single most precious gift of all the blood of all the liberators can, in a word, shut up.

Yeah right... real purty flame there, real Daughters of the American Revolution material, blood of the liberators and all, but how about a real argument? Or is your retro dogma supposed to be lapped up on the basis of your empty, inflammatory assertions?
Re: Electronic elections.
On Sat, 27 May 2000, Per Kangru wrote:

So I'm looking for a system that will give me the following:

* Ease of use for non computer experts.
* Secure, i.e. one vote per person.
* Anonymous voting, i.e. no connection between a certain vote and a certain person.
* Shall produce good statistics and be able to perform sanity checks of the data, i.e. if any cheating is undertaken it shall be easy to find out.
* Easy to administrate, shall be able to handle both parties and persons. (A vote can be cast both on a party and on a special person in that party)

Cryptographers are usually also concerned with the possibility that the server is corrupted. Your solution does not address that.

My own a little bit (i.e. more than one year) survey 'for dummies' on e-voting is available at http://www.cc.ioc.ee/training/unesco/onlinegov/security/vote.html.

Helger Lipmaa
http://www.tcm.hut.fi/~helger
Re: Electronic elections.
A few years back I implemented the scheme described in "A practical secret voting scheme for large scale elections", by Atsushi Fujioka, Tatsuaki Okamoto, and Kazuo Ohta (Proceedings AUSCRYPT '92, 1993, 244-251). The system is called E-Vox and can be found at http://theory.lcs.mit.edu/~cis/voting/voting.html

This summer (probably July or August) I'm planning on turning it into an Open Source project, since neither Ben Adida nor I are currently doing work at MIT.

The web page given above also has a list of other Electronic Voting projects. You should also check out Lorrie Cranor's web page http://www.research.att.com/~lorrie/voting/

--Mark