Re: Scientists question electronic voting
Ed, The whole idea of photographing paper ballots is a straw man. It is akin to saying that people will just run through red lights anyway so we shouldn't place them at intersections. I agree that we need to improve voting systems, but the current trend toward self-auditing devices is going backward rather than forward in this regard. In 2002 it was electronic ballots (on cartridges) that were misplaced (to the tune of over 100,000 votes) in Florida. Apparently you neglected to read the newspapers last fall. I didn't see any improvement in what was purchased over what they had before, unless you want to call tens of millions of extra dollars in expenditures an improvement. The salient requirement of Democratic elections is that the voters must be assured that their ballots are recorded and tabulated as cast. If the process is such that it can only be understood by a team of scientists with Ph.D.'s, the average citizen can have no confidence that their voice is being heard. I have never said that the paper balloting solution is a perfect one, but it provides assurances in a human- accessible format that is a considerable improvement over both the black-box systems and the chad-based ones. If you can devise a system that is equally user- friendly and has the same ability for independent auditing, then please do so. Rebecca Mercuri. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Scientists question electronic voting
In the US it is a felony (in most, perhaps all, states) to sell one's vote. One of the reason Internet voting is not having much appeal here is because it will make it much easier to do this (even simply by passing one's ID along). People here also don't like the idea of having biometric ID for election purposes because the folks who generally have been denied the right to vote in the past are the ones who are also the most wary about the government having their biometric information. Internet voting for sociological reasons alone (security and auditibility issues aside) is a really bad idea. (Yes, Ed, I know you disagree but your proposals do not solve the overwhelming sociological problems.) The question is really: how many more people will be disillusioned by the new technologies and will voter turnout decrease after it is no longer a novelty? There's something to be said for the community aspect of going to the polls. R. Mercuri. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Scientists question electronic voting
Barney Wolff wrote: > This is a perfect example of what I'm complaining about: You're holding > electronic voting to a much higher standard than you are paper ballots. If it's going to replace paper ballots, it needs to offer advantages that make up for its disadvantages, and if it gives us the opportunity to make a significantly better system, might as well try to do that too. The two main disadvantages of paper systems are slow speed and cost of counting. Problems with speed are really problems with lack of patience :-) But electronic systems have the major disadvantage that unless you have some kind of independently auditable record created at the time of voting, there's no way to tell that the system hasn't been set to cheat, whereas most of the easy ways to cheat paper and lever-machine systems are obvious, and can either be prevented by watching the materials at the right times, or audited by counting the holes and hanging chads and unused supplies afterwards. The primary complaint everybody had with Florida's paper ballot system was that the layout was confusing, making it hard to tell if you were voting for Gore or Buchanan, and any of you who've never seen a confusing layout on a computer interface can let me know At 12:39 PM 03/08/2003 -0800, Ed Gerck wrote: Bill Stewart wrote: > No, legal authorization is only required to do so _legally_. > We're talking about different threat models here, > since we're talking about stuffing ballot-boxes and bribing people - > what does it take to get the information without getting caught? > Can it be traced in real time, or after the fact, or both, > and how much is the voter's cooperation required? > How long is the data stored after the election? > (For instance, if the election isn't close enough to be contested > within N days, do they burn all the ballots?) The UK is still a sovereign nation and, thus, they can choose to have an election system where the ability to verify eligibility to vote after the election trumps the voter's right to privacy, fraud possibilities notwithstanding. The US and other countries have a different model for public elections, where voter privacy is absolute. Well, of course they can, if they want; they can also go back to strange women lying in ponds distributing swords for all I care... But the context of the discussion isn't whether the system will do the things it's supposed to when nobody's trying to cheat, and if they've got different rules, they've got different ways to cheat. > The two usual scenarios are > - Real-time: "Thank you for your receipt, here's your bottle of whiskey, > and the Democratic Party invites you to vote again this afternoon!" Not in the UK -- there is no Democratic party there ;-) What's the traditional bribe for a vote in the UK? - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Scientists question electronic voting
On Fri, Mar 07, 2003 at 02:55:19PM -0500, Barney Wolff wrote: > On Fri, Mar 07, 2003 at 12:45:41PM -0600, (Mr) Lyn R. Kennedy wrote: > > > > Seems there is still a problem unless each eligible voter brings a smart- > > card, warm finger, eyeball, etc. > > This is a perfect example of what I'm complaining about: You're holding > electronic voting to a much higher standard than you are paper ballots. If it's not a higher standard then it violates the "If it aint broke, don't fixit" rule. But I'm concerned about "KISS" and "the right tool for the job" more than anything. > Perfect is the enemy of better. We do have to take care that electronic > voting does not introduce new and catastrophic vulnerabilities. Other > than that, it merely has to be better (and no more expensive) than the > best existing systems. Unfortunately, there is a trend toward more complex systems as a solution to everything. Families of firefighters who died in the WTC collapse would probably have been happier if they had the old low-tech radios from 20 years ago rather than whiz-bang gadgetry that failed. There was no plan to fall back on since politicians believed the salesman who told them it wouldn't fail. And the proposed fix is more complexity rather than the right tools for the job. This is what happened in the Florida elections as well. "Upgrading" the voting systems was the problem, not the solution. More complex machines add to the number of failure modes. I'm in favor of using modern technology. But I don't want to move to electronic systems just to make some salesman happy. Modern technology and public-key cryptography seems to offer some real advantages to verifying eligibility, one-person-one-vote, and vote- whever-you-are but many such issues are not even addressed. Passed over in favor of making money for voting machine companies. -- - | 73,E-mail | [EMAIL PROTECTED] | | Lyn Kennedywebpage | http://home.earthlink.net/~lrkn | | K5QWB ICBM | 32.5 North 96.9 West| ---Livin' on an information dirt road a few miles off the superhighway--- - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Scientists question electronic voting
At 01:33 PM 03/07/2003 -0800, Ed Gerck wrote: David Howe wrote: > This may be the case in france - but in england, every vote slip has a > unique number which is recorded against the voter id number on the > original voter card. any given vote *can* be traced back to the voter > that used it. This is true in the UK, but legal authorization is required to do so. No, legal authorization is only required to do so _legally_. We're talking about different threat models here, since we're talking about stuffing ballot-boxes and bribing people - what does it take to get the information without getting caught? Can it be traced in real time, or after the fact, or both, and how much is the voter's cooperation required? How long is the data stored after the election? (For instance, if the election isn't close enough to be contested within N days, do they burn all the ballots?) The two usual scenarios are - Real-time: "Thank you for your receipt, here's your bottle of whiskey, and the Democratic Party invites you to vote again this afternoon!" - Later: "Mr. Smith, we've been auditing the ballots and we see that you voted for Emmanuel Goldstein. We're taking you in for therapy." - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Scientists question electronic voting
"(Mr) Lyn R. Kennedy" wrote: > On Thu, Mar 06, 2003 at 10:35:22PM -0500, Barney Wolff wrote: > > > > We certainly don't want an electronic system that is more > > vulnerable than existing systems, but sticking with known-to-be-terrible > > systems is not a sensible choice either. > > Paper ballots, folded, and dropped into a large transparent box, is not a > broken system. The broken system is the *entire* system -- from voter registration, to ballot presentation (butterfly?), ballot casting, ballot storage, tallying, auditing, and reporting. > It's voting machines, punch cards, etc that are broken. > I don't recall seeing news pictures of an election in any other western > democracy where they used machines. Brazil, 120 million voters, 100% electronic in 2002, close to 100% since the 90's, no paper copy (and it failed when tried). BTW, the 3 nations with largest number of voters are, respectively: - India - Brazil - US Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Scientists question electronic voting
David Howe wrote: > "Francois Grieu" <[EMAIL PROTECTED]> wrote: > > Then there is the problem that the printed receipt must not be usable > > to determine who voted for who, even knowing in which order the > > voters went to the machine. Therefore the printed receipts must be > > shuffled. Which brings us straight back to papers in a box, that we > > shake before opening. > This may be the case in france - but in england, every vote slip has a > unique number which is recorded against the voter id number on the > original voter card. any given vote *can* be traced back to the voter > that used it. This is true in the UK, but legal authorization is required to do so. In the US, OTOH, the paper voting systems today are done in such a way that the privacy of the vote is immune even to a court order to disclose it. Voters are not anonymous, as they must be identified and listed in the voter list at each poll place, but it is impossible (or, should be) to link a voter to a vote. This imposes, for example, limits on the time-stamp accuracy and other factors suhc as storage ordering that could help in linking a voter to a vote. Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Scientists question electronic voting
Anton Stiglic wrote: > - Original Message - > From: "Ed Gerck" <[EMAIL PROTECTED]> > > [...] > > "For example, using the proposed system a voter can easily, by using a > > small concealed camera or a cell phone with a camera, obtain a copy of > > that receipt and use it to get money for the vote, or keep the job. And > > no one would know or be able to trace it." > > But that brings up my point once again: These problems already exist > with current paper-ballot voting schemes, Maybe you missed some of my comments before, but these problems do not exist in current paper-ballot voting schemes. Why should e-voting make it worse? > what exactly are you trying to > achieve with an electronic voting scheme? My target is the same level of voter privacy and election integrity that a paper-ballot system has when ALL election clerks are honest and do not commit errors. Please see Proc. Financial Cryptography 2001, p. 257 and 258 of my article on "Voting System Requirements", Springer Verlag. > To you simply want to make > the counting of the votes more reliable, and maintain the security of all > other aspects, or improve absolutely everything? Of all aspects that need to be improved when moving to an electronic system, the most important is the suspicion or fear that thousands or even millions of electronic records could be altered with a keystroke, from a remote laptop or some untraceable source. This goes hand-in-hand with questions about the current "honor system" in voting systems, where vendors make the machines and also operate them during an election. It's the overall black box approach that needs to improved. The "trust me!" approach has had several documented problems in paper ballot systems and would present even more opportunities for fraud or even plain simple errors in an electronic system. The solution is to add multiple channels with at least some independence. The paper channel is actually hard to secure and expensive to store and process. Paper would also be a step backwards in terms of efficiency and there is nothing magical about a paper copy that would make it invulnerable to fraud/errors. Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Scientists question electronic voting
On Fri, Mar 07, 2003 at 12:45:41PM -0600, (Mr) Lyn R. Kennedy wrote: > > > > Paper ballots ... > > > Surely you jest - where else did the term ballot-stuffing come from? > > Perhaps you can elaborate on how ballot-stuffing is done without the > co-operation of most of the people overseeing a polling place. > > > > The key, imho, is >=2 independent means of counting the votes. Online, > > as each vote is cast, and a paper trail, for later reconciliation. > > It's hard for both to be skewed by the same amount, and differences > > will both raise suspicion and give an order of magnitude of the fraud. > > That seems to be the direction the experts are heading. > > What is to prevent the people overseeing a polling place from casting the > votes for the dead? They would be recorded properly both ways. > > Or they could void and re-vote for ordinary voters. > > Seems there is still a problem unless each eligible voter brings a smart- > card, warm finger, eyeball, etc. This is a perfect example of what I'm complaining about: You're holding electronic voting to a much higher standard than you are paper ballots. Perfect is the enemy of better. We do have to take care that electronic voting does not introduce new and catastrophic vulnerabilities. Other than that, it merely has to be better (and no more expensive) than the best existing systems. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Scientists question electronic voting
On Fri, Mar 07, 2003 at 02:22:23AM -0500, Barney Wolff wrote: > On Fri, Mar 07, 2003 at 12:50:44AM -0600, (Mr) Lyn R. Kennedy wrote: > > > > Paper ballots, folded, and dropped into a large transparent box, is not a > > broken system. It's voting machines, punch cards, etc that are broken. > > I don't recall seeing news pictures of an election in any other western > > democracy where they used machines. > > Surely you jest - where else did the term ballot-stuffing come from? Perhaps you can elaborate on how ballot-stuffing is done without the co-operation of most of the people overseeing a polling place. > The key, imho, is >=2 independent means of counting the votes. Online, > as each vote is cast, and a paper trail, for later reconciliation. > It's hard for both to be skewed by the same amount, and differences > will both raise suspicion and give an order of magnitude of the fraud. > That seems to be the direction the experts are heading. What is to prevent the people overseeing a polling place from casting the votes for the dead? They would be recorded properly both ways. Or they could void and re-vote for ordinary voters. Seems there is still a problem unless each eligible voter brings a smart- card, warm finger, eyeball, etc. -- - | 73,E-mail | [EMAIL PROTECTED] | | Lyn Kennedywebpage | http://home.earthlink.net/~lrkn | | K5QWB ICBM | 32.5 North 96.9 West| ---Livin' on an information dirt road a few miles off the superhighway--- - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Scientists question electronic voting
"Francois Grieu" <[EMAIL PROTECTED]> wrote: > Then there is the problem that the printed receipt must not be usable > to determine who voted for who, even knowing in which order the > voters went to the machine. Therefore the printed receipts must be > shuffled. Which brings us straight back to papers in a box, that we > shake before opening. This may be the case in france - but in england, every vote slip has a unique number which is recorded against the voter id number on the original voter card. any given vote *can* be traced back to the voter that used it. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Scientists question electronic voting
- Original Message - From: "Ed Gerck" <[EMAIL PROTECTED]> [...] > "For example, using the proposed system a voter can easily, by using a > small concealed camera or a cell phone with a camera, obtain a copy of > that receipt and use it to get money for the vote, or keep the job. And > no one would know or be able to trace it." But that brings up my point once again: These problems already exist with current paper-ballot voting schemes, what exactly are you trying to achieve with an electronic voting scheme? To you simply want to make the counting of the votes more reliable, and maintain the security of all other aspects, or improve absolutely everything? --Anton - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Scientists question electronic voting
On Fri, Mar 07, 2003 at 12:50:44AM -0600, (Mr) Lyn R. Kennedy wrote: > > Paper ballots, folded, and dropped into a large transparent box, is not a > broken system. It's voting machines, punch cards, etc that are broken. > I don't recall seeing news pictures of an election in any other western > democracy where they used machines. Surely you jest - where else did the term ballot-stuffing come from? The key, imho, is >=2 independent means of counting the votes. Online, as each vote is cast, and a paper trail, for later reconciliation. It's hard for both to be skewed by the same amount, and differences will both raise suspicion and give an order of magnitude of the fraud. That seems to be the direction the experts are heading. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Scientists question electronic voting
On Thu, Mar 06, 2003 at 10:35:22PM -0500, Barney Wolff wrote: > > We certainly don't want an electronic system that is more > vulnerable than existing systems, but sticking with known-to-be-terrible > systems is not a sensible choice either. Paper ballots, folded, and dropped into a large transparent box, is not a broken system. It's voting machines, punch cards, etc that are broken. I don't recall seeing news pictures of an election in any other western democracy where they used machines. And the Florida election was apparently affected more by eligible voters turned away from the polls than by votes sold. Maybe crypto, smart-cards, biometrics, etc would help authenticate voter eligibility and enforce one vote per live voter (zero per dead voter). -- - | 73,E-mail | [EMAIL PROTECTED] | | Lyn Kennedywebpage | http://home.earthlink.net/~lrkn | | K5QWB ICBM | 32.5 North 96.9 West| ---Livin' on an information dirt road a few miles off the superhighway--- - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Scientists question electronic voting
At 10:35 PM 3/6/03 -0500, Barney Wolff wrote: On Thu, Mar 06, 2003 at 08:38:42PM -0500, Dan Riley wrote: > > But this whole discussion is terribly last century--still pictures are > passe. What's the defense of any of these systems against cell phones > that transmit live video? A Faraday cage. Seriously, what current or historic voting system would defend against these risks? We certainly don't want an electronic system that is more vulnerable than existing systems, but sticking with known-to-be-terrible systems is not a sensible choice either. I think the real defense against vote-buying or vote-extortion schemes is external--detecting any such scheme that has much of an impact because it necessarily involves hundreds or thousands of people. This assumes that the authorities and media aren't totally corrupted, but so does any voting technology. With a lot of the more elaborate technological attacks, though, it's hard to see an attacker with current technology being able to afford them. Barney Wolff http://www.databus.com/bwresume.pdf --John Kelsey, [EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: multiple system - Re: Scientists question electronic voting
At 12:25 PM 3/6/03 -0800, Ed Gerck wrote: "Trei, Peter" wrote: > Ballot boxes are also subject to many forms of fraud. But a dual > system (electronic backed up by paper) is more resistant to > attack then either alone. The dual, and multiple, system can be done without paper ballot. There is nothing "magic" about paper as a record medium. I think one benefit of using paper ballots as the backup is that there are already pretty well-understood ways to deal with paper ballots. I like the idea of the election observers having at least one piece of the technology they really understand. I can send a link for a paper on this that was presented at the Tomales Bay conference on voting systems last year, using Shannon's Tenth Theorem as the theoretical background, introducing the idea of multiple "witnesses". If two witnesses are not 100% mutually dependent, the probability that both witnesses may fail at the same time is smaller than that of any single witness to fail. Is the relevant question here about probabilistic failures, or about conspiracies? Clearly, the size and cost of the conspiracy gets much bigger if there's a check value on the election results that is handled completely outside the voting machine. Cheers, Ed Gerck --John Kelsey, [EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Scientists question electronic voting
On Thu, Mar 06, 2003 at 10:35:22PM -0500, Barney Wolff wrote: | On Thu, Mar 06, 2003 at 08:38:42PM -0500, Dan Riley wrote: | > | > But this whole discussion is terribly last century--still pictures are | > passe. What's the defense of any of these systems against cell phones | > that transmit live video? | | A Faraday cage. | | Seriously, what current or historic voting system would defend against | these risks? We certainly don't want an electronic system that is more | vulnerable than existing systems, but sticking with known-to-be-terrible | systems is not a sensible choice either. Break the trust of the vote buyers and sellers by making confirmation hard. Pictures in the booth of party line ballots that you can draw over the screen would be very hard to distinguish from the real thing over a cell-phone quality video picture. Adam -- "It is seldom that liberty of any kind is lost all at once." -Hume - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
RE: Scientists question electronic voting
At 02:39 AM 3/6/03 +, Ian Brown wrote: Ed Gerck wrote: ... > For example, using the proposed system a voter can easily, by > using a small concealed camera or a cell phone with a camera, > obtain a copy of that receipt and use it to get money for the > vote, or keep the job. And no one would know or be able to trace it. As a voter could record what they did with pencil-and-paper or a mechanical voting machine. The big theoretical question is whether you could tell whether the vote-seller was faking it. A design goal ought to be to make plausible fake proofs of how you voted easy to generate, IMO. Why only sell your vote to one side, when you can sell it to both sides multiple times? In practice, if it's more trouble to generate fakes than to just vote and bring the proof to sell, then the individual vote seller will probably just vote as he's told. After all, most people eligible to vote don't bother most of the time; presumably, they just don't care that much who wins the next election. I assume most people who sell their votes aren't committed ideologues who are selling out their cause, but rather people who didn't much care either way. (But surely someone, somewhere has real data on this.) --John Kelsey, [EMAIL PROTECTED] - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Scientists question electronic voting
On Thu, Mar 06, 2003 at 08:38:42PM -0500, Dan Riley wrote: > > But this whole discussion is terribly last century--still pictures are > passe. What's the defense of any of these systems against cell phones > that transmit live video? A Faraday cage. Seriously, what current or historic voting system would defend against these risks? We certainly don't want an electronic system that is more vulnerable than existing systems, but sticking with known-to-be-terrible systems is not a sensible choice either. -- Barney Wolff http://www.databus.com/bwresume.pdf I'm available by contract or FT, in the NYC metro area or via the 'Net. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Scientists question electronic voting
Dan Riley wrote: > The vote can't be final until the voter confirms the paper receipt. > It's inevitable that some voters won't realize they voted the wrong > way until seeing the printed receipt, so that has to be allowed for. > Elementary human factors. This brings in two other factors I have against this idea: - a user should not be called upon to distrust the system that the user is trusting in the first place. - too many users may reject the paper receipt because they changed their minds, making it impossible to say whether the e-vote was wrong or correct based on the number of rejected e-votes. > But this whole discussion is terribly last century--still pictures are > passe. What's the defense of any of these systems against cell phones > that transmit live video? This was in my first message, and some subsequent ones too: "For example, using the proposed system a voter can easily, by using a small concealed camera or a cell phone with a camera, obtain a copy of that receipt and use it to get money for the vote, or keep the job. And no one would know or be able to trace it." Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Scientists question electronic voting
Ed Gerck <[EMAIL PROTECTED]> writes: > This is not possible for current paper ballots, for several reasons. For > example, if you take a picture of your punch card as a proof of how you > voted, what is to prevent you -- after the picture is taken -- to punch > another hole for the same race and invalidate your vote? [...] > On the other hand, photographing a paper receipt behind a glass, > which receipt is printed after your vote choices are final, is not > readily deniable because that receipt is printed only after you > confirm your choices. The vote can't be final until the voter confirms the paper receipt. It's inevitable that some voters won't realize they voted the wrong way until seeing the printed receipt, so that has to be allowed for. Elementary human factors. But this whole discussion is terribly last century--still pictures are passe. What's the defense of any of these systems against cell phones that transmit live video? -dan - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
multiple system - Re: Scientists question electronic voting
"Trei, Peter" wrote: > Ballot boxes are also subject to many forms of fraud. But a dual > system (electronic backed up by paper) is more resistant to > attack then either alone. The dual, and multiple, system can be done without paper ballot. There is nothing "magic" about paper as a record medium. I can send a link for a paper on this that was presented at the Tomales Bay conference on voting systems last year, using Shannon's Tenth Theorem as the theoretical background, introducing the idea of multiple "witnesses". If two witnesses are not 100% mutually dependent, the probability that both witnesses may fail at the same time is smaller than that of any single witness to fail. Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Scientists question electronic voting
David Howe wrote: > at Thursday, March 06, 2003 5:02 PM, Ed Gerck <[EMAIL PROTECTED]> was seen > to say: > > On the other hand, photographing a paper receipt behind a glass, which > > receipt is printed after your vote choices are final, is not readily > > deniable because that receipt is printed only after you confirm your > > choices. > as has been pointed out repeatedly - either you have some way to "bin" > the receipt and start over, or it is worthless (and merely confirms you > made a bad vote without giving you any opportunity to correct it) > That given, you could vote once for each party, take your photograph, > void the vote (and receipt) for each one, and then vote the way you > originally intended to :) No, as I commented before, voiding the vote in that proposal after the paper receipt is printed is a serious matter -- it means that either the machine made an error in recording the e-vote or (as it is oftentimes neglected) the machine made an error in printing the vote. The voter's final choice and legally binding confirmation is made before the printing. And that is where the problems reside (the problems that we were trying to solve in the first place), in that printed ballot. Plus the problem of the voter being able to photograph that final receipt and present it as direct proof of voting, as the voter leaves the poll place (with no chance for image processing) or by an immediate link by cell phone (ditto). Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Scientists question electronic voting
bear wrote: > Let's face it, if somebody can *see* their vote, they can record it. Not necessarily. Current paper ballots do not offer you a way to record *your* vote. You may even photograph your ballot but there is no way to prove that *that* was the ballot you did cast. In the past, we had ballots with different collors for each party ;-) so people could see if you were voting Republican or Democrat, but this is no longer the case. > and if someone can record it, then systems for counterfeiting such a > record already exist and are already widely dispersed. It's easier than one may think to have a reliable proof, if you can photograph the ballot that you *did* cast (as in that proposal for printing a paper receipt with your vote choices) -- just wait out of the poll place and demand the film right there, or wait out of the poll place, hear the voter's voice right then and get the image sent by the cell phone before the voter leaves the poll booth. Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
RE: Scientists question electronic voting
> Francois Grieu[SMTP:[EMAIL PROTECTED] > > Peter Trei wrote: > > > I'd prefer that the printed receipt be retained at the polling > > station, after the voter has had an opportunity to examine it. > > This serves two purposes: First, it prevents the vote selling > > described above, and second, if a recount is required, it allows > > the recount to be done on the basis of a trustworthy record, > > already certified by the voter as accurate. > > Then there is the problem that the printed receipt must not be usable > to determine who voted for who, even knowing in which order the > voters went to the machine. Therefore the printed receipts must be > shuffled. Which brings us straight back to papers in a box, that we > shake before opening. > > Every way I look at it, electronic voting has a hard time to match > the resilience to abuse of the traditional > bulletin-in-an-enveloppe-in-a-box. > >Francois Grieu > I absolutely agree. Here in the US, where voters often have to make over a dozen choices each time they vote, the value of automating the process is significant. But it *must* be done in a way which increases voter confidence in the result. Ballot boxes are also subject to many forms of fraud. But a dual system (electronic backed up by paper) is more resistant to attack then either alone. Peter - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
RE: Scientists question electronic voting
Peter Trei wrote: I'd prefer that the printed receipt be retained at the polling station, after the voter has had an opportunity to examine it. This serves two purposes: First, it prevents the vote selling described above, and second, if a recount is required, it allows the recount to be done on the basis of a trustworthy record, already certified by the voter as accurate. Then there is the problem that the printed receipt must not be usable to determine who voted for who, even knowing in which order the voters went to the machine. Therefore the printed receipts must be shuffled. Which brings us straight back to papers in a box, that we shake before opening. Every way I look at it, electronic voting has a hard time to match the resilience to abuse of the traditional bulletin-in-an-enveloppe-in-a-box. Francois Grieu - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Scientists question electronic voting
at Thursday, March 06, 2003 5:02 PM, Ed Gerck <[EMAIL PROTECTED]> was seen to say: > On the other hand, photographing a paper receipt behind a glass, which > receipt is printed after your vote choices are final, is not readily > deniable because that receipt is printed only after you confirm your > choices. as has been pointed out repeatedly - either you have some way to "bin" the receipt and start over, or it is worthless (and merely confirms you made a bad vote without giving you any opportunity to correct it) That given, you could vote once for each party, take your photograph, void the vote (and receipt) for each one, and then vote the way you originally intended to :) - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Scientists question electronic voting
Anton Stiglic wrote: > -Well the whole process can be filmed, not necessarily photographed... > It's difficult to counter the "attack". In you screen example, you can > photograph > the vote and then immediately photograph the "thank you", if the photographs > include the time in milliseconds, and the interval is short, you can be > confident > to some degree that the vote that was photographed was really the vote that > was casted. > You can have tamper resistant film/photograph devices and whatever you want, > have the frames digitally signed and timestamped, > but this is where I point out that you need to consider the value of the > vote to > estimate how far an extortionist would be willing to go. The electronic process can be made much harder to circumvent by allowing voters to cast any number of ballots but counting only the last ballot cast. Since a voter could always cast another vote after the one that was so carefully filmed, there would be no value for such film. BTW, a similar process happens in proxy voting for shareholders meeting, where voters can send their vote (called a "proxy") before the meeting but can also go to the meeting and vote any way they please -- trumping the original vote. Much work needs to be done, and tested, to protect the integrity of public elections. Even with all such precautions, if the choices made by a voter are disclosed (ie, not just the tally for all voters) then a voter can be identified by using an unlikely pattern -- and the Mafia has, reportedly, used this method in Italy to force (and enforce) voter choices in an otherwise private ballot. Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Scientists question electronic voting
- Original Message - From: "Ed Gerck" <[EMAIL PROTECTED]> [...] > This is not possible for current paper ballots, for several reasons. For > example, if you take a picture of your punch card as a proof of how you > voted, what is to prevent you -- after the picture is taken -- to punch > another hole for the same race and invalidate your vote? Or, to ask the > clerk for a second ballot, saying that you punched the wrong hole, > and vote for another candidate? The same happens for optical scan > cards. These "proofs" are easily deniable and, thus, have no value > to prove how the voter actually voted. > > Likewise, electronically, there is no way that a voter could prove how he > voted, even if the confirmation screen does list all the choices that the voter > has chosen, if that screen has two buttons: "go back", "confirm", and a > suitable logic. After the voter presses "confirm" the voter sees a "thank you" > screen without any choices present. The logic canbe set up in such a way > in terms of key presses and intermediate states that even photographing > the mouse cursor on a pressed "confirm" button does not prove that the voter > did not take the mouse out and, instead, pressed the "go back" button to > change his choices. Well the whole process can be filmed, not necessarily photographed... It's difficult to counter the "attack". In you screen example, you can photograph the vote and then immediately photograph the "thank you", if the photographs include the time in milliseconds, and the interval is short, you can be confident to some degree that the vote that was photographed was really the vote that was casted. You can have tamper resistant film/photograph devices and whatever you want, have the frames digitally signed and timestamped, but this is where I point out that you need to consider the value of the vote to estimate how far an extortionist would be willing to go. --Anton - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Scientists question electronic voting
Anton Stiglic wrote: > An extortionist could provide their own camera device to the voter, which > has > a built in clock that timestamps the photos and does some watermarking, or > something like that, which could complicate the counter-measures. But this > problem already exists with current non-electronic voting scheme. > It depends on the value attributed to a vote (would an extortionist be > willing to provide these custom devices?). This is not possible for current paper ballots, for several reasons. For example, if you take a picture of your punch card as a proof of how you voted, what is to prevent you -- after the picture is taken -- to punch another hole for the same race and invalidate your vote? Or, to ask the clerk for a second ballot, saying that you punched the wrong hole, and vote for another candidate? The same happens for optical scan cards. These "proofs" are easily deniable and, thus, have no value to prove how the voter actually voted. Likewise, electronically, there is no way that a voter could prove how he voted, even if the confirmation screen does list all the choices that the voter has chosen, if that screen has two buttons: "go back", "confirm", and a suitable logic. After the voter presses "confirm" the voter sees a "thank you" screen without any choices present. The logic canbe set up in such a way in terms of key presses and intermediate states that even photographing the mouse cursor on a pressed "confirm" button does not prove that the voter did not take the mouse out and, instead, pressed the "go back" button to change his choices. On the other hand, photographing a paper receipt behind a glass, which receipt is printed after your vote choices are final, is not readily deniable because that receipt is printed only after you confirm your choices. To deny that receipt the voter would have to say that the machine erred, which, if proved otherwise, could lead to criminal charges (e.g., the machine would be taken off the polls and, after the polls close the machine would be tallied; if the electronic tally would agree with the paper tally, the voter would be in trouble). Protection against providing voters a receipt, voluntary or not, is often overlooked by those who are not familiar with election issues. For example, the first press release by MIT/Caltech principals after Nov/2000 said that the solution would be to provide the voter with a receipt showing how they voted. Later on, MIT/Caltech reformed that view and have been doing an excellent job at what I see as a process of transforming elections from art to science, which is a good development after Nov/2000. Cheers, Ed Gerck - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Scientists question electronic voting
On Wed, 5 Mar 2003, Bill Frantz wrote: >The best counter to this problem is widely available systems to produce >fake photos of the vote, so the vote buyer can't know whether the votes he >sees in the photo are the real votes, or fake ones. blink, blink. you mean *MORE* widely available than photoshop/gimp/illustrator/etc? Let's face it, if somebody can *see* their vote, they can record it. and if someone can record it, then systems for counterfeiting such a record already exist and are already widely dispersed. If the republicans, democrats, greens, libertarians, natural law party, and communist party all offer you a bottle of beer for a record of your vote for them next year, there's no reason why you shouldn't go home without a six-pack. Bear - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Scientists question electronic voting
- Original Message - From: "Bill Frantz" <[EMAIL PROTECTED]> To: "Ed Gerck" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Thursday, March 06, 2003 2:14 AM Subject: Re: Scientists question electronic voting [..] > The best counter to this problem is widely available systems to produce > fake photos of the vote, so the vote buyer can't know whether the votes he > sees in the photo are the real votes, or fake ones. > > The easiest way to implement is to let people photograph the paper on the > sample/practice -- not for real voting -- machine that poll workers use to > teach voters how to use the real machines. An extortionist could provide their own camera device to the voter, which has a built in clock that timestamps the photos and does some watermarking, or something like that, which could complicate the counter-measures. But this problem already exists with current non-electronic voting scheme. It depends on the value attributed to a vote (would an extortionist be willing to provide these custom devices?). --Anton - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
RE: Scientists question electronic voting
Peter Trei wrote: > I'd prefer that the printed receipt be retained at the > polling station, after the voter has had an opportunity to > examine it. This serves two purposes: First, it prevents the > vote selling described above, and second, if a recount is > required, it allows the recount to be done on the basis of a > trustworthy record, already certified by the voter as accurate. Indeed, that's essential for both the reasons you state. Mercuri's design is for the voter to see the printed receipt behind a glass screen. They then press a "Yes" or "No" button to either vote and send the receipt to the trustworthy record, or void it and send the receipt to the bin. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
RE: Scientists question electronic voting
> Ian Brown[SMTP:[EMAIL PROTECTED] wrote: > > > Ed Gerck wrote: > > Printing a paper receipt that the voter can see is a proposal > > that addresses one of the major weaknesses of electronic > > voting. However, it creates problems that are even harder to > > solve than the silent subversion of e-records. > > > > For example, using the proposed system a voter can easily, by > > using a small concealed camera or a cell phone with a camera, > > obtain a copy of that receipt and use it to get money for the > > vote, or keep the job. And no one would know or be able to trace it. > > As a voter could record what they did with pencil-and-paper or a > mechanical voting machine. > > The partial defence in all three systems is that the voter should be > able to void the vote after photographing a "receipt" to hand over later > to the vote-buyer, and then cast a real vote. In the UK, for example, > you can obtain a new ballot paper from a polling station official in > exchange for a "spoiled" one. I believe Rebecca Mercuri has always > suggested that a voter should be able to confirm whether a receipt > printed by an electronic voting machine correctly records their intended > vote, and if not to void it. > I'd prefer that the printed receipt be retained at the polling station, after the voter has had an opportunity to examine it. This serves two purposes: First, it prevents the vote selling described above, and second, if a recount is required, it allows the recount to be done on the basis of a trustworthy record, already certified by the voter as accurate. This loses some of the economic benefits of all-electronic systems, since security still needs to be provided for the receipts for some period, but is far less prone to invisible abuse. Peter Trei - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
Re: Scientists question electronic voting
At 5:21 PM -0800 3/3/03, Ed Gerck wrote: >Henry Norr had an interesting article today at >http://sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2003/03/03/BU1227 >67.DTL&type=business > >Printing a paper receipt that the voter can see is a proposal that addresses >one of the major weaknesses of electronic voting. However, it creates >problems that are even harder to solve than the silent subversion of >e-records. > >For example, using the proposed system a voter can easily, by using a >small concealed camera or a cell phone with a camera, obtain a copy of >that receipt and use it to get money for the vote, or keep the job. And >no one would know or be able to trace it. The best counter to this problem is widely available systems to produce fake photos of the vote, so the vote buyer can't know whether the votes he sees in the photo are the real votes, or fake ones. The easiest way to implement is to let people photograph the paper on the sample/practice -- not for real voting -- machine that poll workers use to teach voters how to use the real machines. Cheers - Bill - Bill Frantz | Due process for all| Periwinkle -- Consulting (408)356-8506 | used to be the | 16345 Englewood Ave. [EMAIL PROTECTED] | American way. | Los Gatos, CA 95032, USA - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
RE: Scientists question electronic voting
Ed Gerck wrote: > Printing a paper receipt that the voter can see is a proposal > that addresses one of the major weaknesses of electronic > voting. However, it creates problems that are even harder to > solve than the silent subversion of e-records. > > For example, using the proposed system a voter can easily, by > using a small concealed camera or a cell phone with a camera, > obtain a copy of that receipt and use it to get money for the > vote, or keep the job. And no one would know or be able to trace it. As a voter could record what they did with pencil-and-paper or a mechanical voting machine. The partial defence in all three systems is that the voter should be able to void the vote after photographing a "receipt" to hand over later to the vote-buyer, and then cast a real vote. In the UK, for example, you can obtain a new ballot paper from a polling station official in exchange for a "spoiled" one. I believe Rebecca Mercuri has always suggested that a voter should be able to confirm whether a receipt printed by an electronic voting machine correctly records their intended vote, and if not to void it. - The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]