Re: voting
David Jablon wrote:
>> [...] Where is the privacy problem with Chaum receipts when Ed and others still have the freedom to refuse theirs or throw them away?

At 11:43 AM 4/16/04 -0700, Ed Gerck wrote:
> The privacy, coercion, intimidation, vote selling and election integrity problems begin with giving away a receipt that is linkable to a ballot.

These problems begin elsewhere. Whether a receipt would add any new problem depends on further analysis.

> It is not relevant to the security problem whether a voter may destroy his receipt, so that some receipts may disappear. What is relevant is that voters may HAVE to keep their receipt or... suffer retaliation... not get paid... lose their jobs... not get a promotion... etc. Also relevant is that voters may WANT to keep their receipts, for the same reasons.

These are all relevant issues, and the system needs to be considered as a whole.

The threat of coercion is present regardless of whether there's a system-provided receipt, linkable, anonymous, or none. For example, I might be told that after I vote I'll come face-to-face with a thug around the corner, who will ask who I voted for, and who has a knack for spotting liars. Or I may be told there's a secret camera in the booth. Or I may think I'm at risk in simply showing up to vote, due to my public party affiliation records, physical appearance, etc.

These issues must be addressed, and these concerns show that the integrity of receipt validation must be ensured to at least the same degree as the integrity of vote casting. But *absolute* voter privacy seems like an unobtainable goal, and it should not be used to trump other important goals, like accountability.

-- David
Re: voting
David Jablon wrote:
> ... *absolute* voter privacy seems like an unobtainable goal, and it should not be used to trump other important goals, like accountability.

But it IS assured today by paper ballots. Nothing less should be accepted in electronic systems, otherwise new, easy and silent fraud modes become possible. Coercion and vote selling are just the most obvious.

Ed Gerck
Re: voting
Yeoh Yiu wrote:
> Ed Gerck [EMAIL PROTECTED] writes:
>> The 'second law' also takes precedence: ballots are always secret, only vote totals are known and are known only after the election ends.
>
> You get totals per nation, per state, per county, per riding, per precinct, per polling station and maybe per ballot box.

The lowest possible totals are per race, per ballot box. The 'second law' allows you to have such totals -- which are the election results for that race in that ballot box.

For example, if there are two candidates (X and Y) in race A, two candidates (Z and W) in race B, and only one vote per candidate is allowed in each race, the election results for ballot box K might be:

Vote totals for race A in ballot box K:
  Votes for candidate X: 5
  Votes for candidate Y: 60
  Blank votes: 50

Vote totals for race B in ballot box K:
  Votes for candidate Z: 45
  Votes for candidate W: 50
  Blank votes: 20

Total ballots in ballot box K: 115

Because only the vote totals are known for each race, a voter cannot be identified by recognizing a pre-defined, unlikely voting pattern in each race of a ballot. This exemplifies one reason why we need the 'second law' -- to preserve unlinkability between ballots and voters.

> So there's a need to design the system to have more voters than ballot boxes to conform to your second law.

No. All you need is that there should be more than one voter per ballot box. This is a rather trivial requirement to meet.

Cheers,
Ed Gerck
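The following is an added example, not from Ed Gerck's post or from anyone else in the thread. It builds a ballot box with the totals given above (the individual ballots are constructed, since the post gives only totals) and compares what a coercer learns from whole-ballot images against what he learns from per-race totals, for a hypothetical demanded pattern. The last function records a caveat the totals-only regime still carries: a bound on how many ballots in the box can carry the pattern at all.

```python
"""
Added example (not from the thread): what a coercer learns from whole
ballots versus from the per-race totals the 'second law' allows.

He has told one voter "X in race A, blank in race B". With ballot images
he simply counts ballots carrying that pattern. With per-race totals he is
reduced to a feasible range computed from the marginals, which does not
tell him whether that voter complied. The individual ballots below are
constructed to reproduce the totals in the post; the post gives totals only.
"""
from collections import Counter
import random

RACES = {"A": ("X", "Y", ""), "B": ("Z", "W", "")}   # "" means blank

def make_box_k(seed=1):
    """115 constructed ballots with the post's totals:
    A: X=5, Y=60, blank=50;  B: Z=45, W=50, blank=20."""
    rng = random.Random(seed)
    col_a = ["X"] * 5 + ["Y"] * 60 + [""] * 50
    col_b = ["Z"] * 45 + ["W"] * 50 + [""] * 20
    rng.shuffle(col_a)
    rng.shuffle(col_b)
    return [{"A": a, "B": b} for a, b in zip(col_a, col_b)]

def per_race_totals(ballots):
    """All that leaves the box under the 'second law': one tally per race."""
    return {race: Counter(b[race] for b in ballots) for race in RACES}

def matching_ballots(ballots, pattern):
    """Coercer with ballot images: exact count of ballots carrying the pattern."""
    return sum(all(b[r] == c for r, c in pattern.items()) for b in ballots)

def feasible_range(totals, n_ballots, pattern):
    """Coercer with totals only: tightest (lo, hi) number of ballots that could
    carry the pattern, from the marginals alone (Frechet bounds)."""
    counts = [totals[r][c] for r, c in pattern.items()]
    hi = min(counts)
    lo = max(0, sum(counts) - (len(counts) - 1) * n_ballots)
    return lo, hi

def coercer_view(ballots, demanded):
    """Side by side: the two disclosure regimes for one demanded pattern."""
    totals = per_race_totals(ballots)
    return {"with_ballot_images": matching_ballots(ballots, demanded),
            "with_totals_only": feasible_range(totals, len(ballots), demanded)}

def certain_defectors(totals, n_ballots, demanded, coerced_voters):
    """Caveat: totals still bound how many ballots can carry the pattern, so a
    coercer controlling more voters than that bound in one box knows at least
    this many defected (a box-granularity leak, not a per-ballot link)."""
    _, hi = feasible_range(totals, n_ballots, demanded)
    return max(0, coerced_voters - hi)
```

With ballot images, adding one ballot that carries the demanded pattern raises the match count by exactly one, which is how the coercer checks a single voter. With totals only, the pattern "X in A, blank in B" is feasible for anywhere between 0 and 5 ballots whether or not that voter complied. The caveat function shows the residual leak of per-box totals: a coercer who controls 8 voters in a box where X received 5 votes knows at least 3 of them defected, which is an argument about how small a reporting unit may be, not about linking a ballot to a voter.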
Re: voting
Ed Gerck [EMAIL PROTECTED] writes:
> David Jablon wrote:
> The 'second law' also takes precedence: ballots are always secret, only vote totals are known and are known only after the election ends.
>
>> What I see in serious voting system research efforts are attempts to build systems that provide both accountability and privacy, with minimal tradeoffs.
>
> There is no tradeoff possible for voter privacy and ballot secrecy. Take away one of them and the voting process is no longer a valid measure. Serious voting system research efforts do not begin by denying the requirements.

You get totals per nation, per state, per county, per riding, per precinct, per polling station and maybe per ballot box.

So there's a need to design the system to have more voters than ballot boxes to conform to your second law.
RE: voting
Ed Gerck [SMTP:[EMAIL PROTECTED]]
> John Kelsey wrote:
>> At 11:05 AM 4/9/04 -0400, Trei, Peter wrote:
>>> 1. The use of receipts which a voter takes from the voting place to 'verify' that their vote was correctly included in the total opens the way for voter coercion.
>>
>> I think the VoteHere scheme and David Chaum's scheme both claim to solve this problem. The voting machine gives you a receipt that convinces you (based on other information you get) that your vote was counted as cast, but which doesn't leak any information at all about who you voted for to anyone else. Anyone can take that receipt, and prove to themselves that your vote was counted (if it was) or was not counted (if it wasn't).
>
> The flaw in *both* cases is that it reduces the level of privacy protection currently provided by paper ballots. Currently, voter privacy is absolute in the US and does not depend even on the will of the courts. For example, there is no way for a judge to assure that a voter under oath is telling the truth about how they voted, or not. This effectively protects the secrecy of the ballot and prevents coercion and intimidation in all cases.

I'd pretty much dropped this topic after it became clear that Mr. Leichter's only response to the problems that people pointed out in VoteHere's scheme (in particular, its vulnerability to vote coercion, and lack of recountability) was to attempt to redefine them as non-problems. However, since the topic has arisen again.

Ed's got a very good point. I always prefer security which relies for its integrity on the laws of nature, rather than on people behaving with integrity.

Peter Trei
Re: voting
I think Ed's criticism is off-target. Where is the privacy problem with Chaum receipts when Ed and others still have the freedom to refuse theirs or throw them away?

It seems a legitimate priority for a voting system to be designed to assure voters that the system is working. What I see in serious voting system research efforts are attempts to build systems that provide both accountability and privacy, with minimal tradeoffs.

If some kind of tradeoff between accountability and privacy is inevitable, in an extreme scenario, I'd still prefer the option to make the tradeoff for myself, rather than have the system automatically choose for me.

-- David

At 11:05 AM 4/9/04 -0400, Trei, Peter wrote:
>>> 1. The use of receipts which a voter takes from the voting place to 'verify' that their vote was correctly included in the total opens the way for voter coercion.

John Kelsey wrote:
>> I think the VoteHere scheme and David Chaum's scheme both claim to solve this problem. The voting machine gives you a receipt that convinces you (based on other information you get) that your vote was counted as cast, but which doesn't leak any information at all about who you voted for to anyone else. Anyone can take that receipt, and prove to themselves that your vote was counted (if it was) or was not counted (if it wasn't).

At 06:58 PM 4/15/04 -0700, Ed Gerck wrote:
> The flaw in *both* cases is that it reduces the level of privacy protection currently provided by paper ballots. Currently, voter privacy is absolute in the US and does not depend even on the will of the courts. For example, there is no way for a judge to assure that a voter under oath is telling the truth about how they voted, or not. This effectively protects the secrecy of the ballot and prevents coercion and intimidation in all cases.
Re: voting
David Jablon wrote:
> I think Ed's criticism is off-target. Where is the privacy problem with Chaum receipts when Ed and others still have the freedom to refuse theirs or throw them away?

The privacy, coercion, intimidation, vote selling and election integrity problems begin with giving away a receipt that is linkable to a ballot. It is not relevant to the security problem whether a voter may destroy his receipt, so that some receipts may disappear. What is relevant is that voters may HAVE to keep their receipt or... suffer retaliation... not get paid... lose their jobs... not get a promotion... etc. Also relevant is that voters may WANT to keep their receipts, for the same reasons.

> It seems a legitimate priority for a voting system to be designed to assure voters that the system is working.

As long as this does not go against the 'first law' for public voting systems: voters must not be linkable to ballots. The 'second law' also takes precedence: ballots are always secret, only vote totals are known and are known only after the election ends.

> What I see in serious voting system research efforts are attempts to build systems that provide both accountability and privacy, with minimal tradeoffs.

There is no tradeoff possible for voter privacy and ballot secrecy. Take away one of them and the voting process is no longer a valid measure. Serious voting system research efforts do not begin by denying the requirements.

> If some kind of tradeoff between accountability and privacy is inevitable,

There is no such principle.

> in an extreme scenario, I'd still prefer the option to make the tradeoff for myself, rather than have the system automatically choose for me.

You don't have this option when the public at large is considered, for a public election. You can do it in a private election for a club, for example, but even then only if the bylaws allow it.

Cheers,
Ed Gerck
RE: voting
| Currently, voter privacy is absolute in the US and does not depend even on the will of the courts. For example, there is no way for a judge to assure that a voter under oath is telling the truth about how they voted, or not. This effectively protects the secrecy of the ballot and prevents coercion and intimidation in all cases.
|
| I'd pretty much dropped this topic after it became clear that Mr. Leichter's only response to the problems that people pointed out in VoteHere's scheme (in particular, its vulnerability to vote coercion, and lack of recountability) was to attempt to redefine them as non-problems.

I did nothing of the sort. With respect to voter coercion, I did raise the question of how absolute a value it was. Since mathematics tends to provide clearcut yes/no answers, we tend to insist on them in the real world, too - but the real world is rarely so simple. I also pointed out that voter coercion could be dealt with within VoteHere's framework by trading it off against the vote verifiability which is the new feature they bring to the table (by only giving some fraction of voters a receipt).

I didn't mention recountability. VoteHere's method is equivalent to everyone else's here: Keep unalterable logs of data as close to the vote as possible. But

| However, since the topic has arisen again.
|
| Ed's got a very good point. I always prefer security which relies for its integrity on the laws of nature, rather than on people behaving with integrity.

This basically doesn't exist in systems today. Consider paper ballots: How do you guarantee that the ballots are adequately shuffled? If they aren't, anyone keeping track of the order that voters cast ballots might be able to come up with a reasonably accurate assignment of ballots to voters. This problem applies to many related systems.

Consider the "paper under glass" proposals for recounting: The obvious way to do that is to print onto a roll of paper and just wind it up on a roll after printing. But that's really bad, because it *guarantees* the ordering. Are those calling for such systems ensuring that the vendors who provide them actually cut apart the individual records? Even if they do that, how are they guaranteeing an adequate shuffle of those records? Just dropping them into a big box is terrible; certainly, those who vote very early or very late get very little privacy. Interestingly enough, proper shuffling of the votes is very much a central concern of systems like VoteHere's!

The only system that by the laws of nature avoids this kind of attack is the mechanical voting machine, which inherently only stores vote totals, not individual votes. But these are big, complicated machines. Why should you trust that the totals are kept correctly? How could you check? How many people in the world have the competence to examine the mechanical details of such a device? How does that compare to the number of programmers who can examine C code? Is there really all that much of a difference between the complexity/verifiability of such a machine, and of a programmed box where *all* the code, including the compilers and other tools, is publicly available? Yes, I know all about the attack in Dennis Ritchie's ACM paper. But this, too, can be defended against by checking the generated code - or pretty much prevented by using a compiler that was in existence before the software development began.

In any case, these days, the mechanical systems could be compromised by what is an analogous attack (of going to a different level of abstraction): Sure, that *looks* like a solid brass 50-tooth gear, but maybe there's a tiny motor embedded inside that makes it act in a very non-classical fashion under radio control.

-- Jerry
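An added example, not from Jerry Leichter's post: a small simulation of the ordering leak he describes, against an observer who wrote down the order in which voters went through the door. The "box drop" model (each ballot lands a random 0..d positions below the top of the pile) is an assumption made for the simulation, not a measurement of real ballot boxes; the names and parameters are mine.

```python
"""
Added example (not from the thread): how much the storage order of ballots
leaks about who cast them. Three storage models are compared:

  roll      - ballots kept in cast order (a printer roll wound up)
  box_drop  - constructed model of "dropping them into a big box": each
              ballot lands at a uniformly random depth 0..d below the top
  shuffle   - Fisher-Yates driven by a CSPRNG

For each storage position we ask how many voters could have produced the
ballot found there (its anonymity set); a set of size 1 is a linked ballot.
"""
import random
import secrets

def roll(n, rng=None):
    """Cast order == storage order. Every ballot is linkable."""
    return list(range(n))

def box_drop(n, d, rng=None):
    """Constructed model (assumption): ballot i slides into the pile at a
    random depth 0..d from the top; pile[-1] is the top."""
    rng = rng or random.Random()
    pile = []
    for i in range(n):
        depth = rng.randint(0, min(d, len(pile)))
        pile.insert(len(pile) - depth, i)
    return pile

def shuffle(n, rng=None):
    """Fisher-Yates; secrets.SystemRandom unless a seeded rng is supplied
    for repeatable simulation."""
    rng = rng or secrets.SystemRandom()
    order = list(range(n))
    for i in range(n - 1, 0, -1):
        j = rng.randrange(i + 1)
        order[i], order[j] = order[j], order[i]
    return order

def linked_by_position(order):
    """Fraction of ballots an observer links correctly by assuming
    storage position == cast position."""
    return sum(1 for pos, voter in enumerate(order) if pos == voter) / len(order)

def anonymity_sets(order_fn, n, trials, seed=0):
    """Monte Carlo: for each storage position, the set of cast indices that
    ever land there under the given storage model."""
    rng = random.Random(seed)
    sets = [set() for _ in range(n)]
    for _ in range(trials):
        for pos, voter in enumerate(order_fn(n, rng)):
            sets[pos].add(voter)
    return sets

def summarize(n=50, d=3, trials=300):
    """Anonymity-set sizes at the bottom, middle and top of the pile."""
    models = [("roll", roll), ("box_drop", lambda n, r: box_drop(n, d, r)),
              ("shuffle", shuffle)]
    out = {}
    for name, fn in models:
        sets = anonymity_sets(fn, n, trials)
        out[name] = (len(sets[0]), len(sets[n // 2]), len(sets[-1]))
    return out
```

Under the roll model every position has an anonymity set of one. Under the box-drop model the bottom ballot can only have come from the first d+1 voters, and the top from the last few, which is the "very early or very late" exposure in the post; ballots in the middle fare better but still only hide among a handful of neighbours. A proper shuffle makes every position's set the whole electorate of the box, which is what a mixnet's re-encryption shuffle does for encrypted ballots.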
RE: voting
At 11:05 AM 4/9/04 -0400, Trei, Peter wrote:
> ...
> 1. The use of receipts which a voter takes from the voting place to 'verify' that their vote was correctly included in the total opens the way for voter coercion.

I think the VoteHere scheme and David Chaum's scheme both claim to solve this problem. The voting machine gives you a receipt that convinces you (based on other information you get) that your vote was counted as cast, but which doesn't leak any information at all about who you voted for to anyone else. Anyone can take that receipt, and prove to themselves that your vote was counted (if it was) or was not counted (if it wasn't).

(This is based on attending a presentation of David's scheme at George Washington a few months ago, a conversation I had with a VoteHere guy, and some conversations and documents given to me by each. I haven't tried to verify the protocols or proofs, but I'm convinced that all this is possible, modulo various assumptions. There may be a dozen other people doing similar things, that I've simply not heard of.)

> ...
> 1. How does this system prevent voter coercion, while still allowing receipt based recounts? Or do you have some mechanism by which I can personally verify every vote which went into the total, to make sure they are correct?

The way I understood these schemes, you can see the initial encrypted ballots (they're published), and then there are several rounds of publicly verifiable shuffling and decryption by different TTPs. After the last round of shuffling and decryption, you have raw votes. So anyone can verify the count, assuming the set of initial encrypted ballots are legitimate. And anyone can produce a receipt that can be shown to be one of those encrypted ballots, if it was counted. That doesn't keep someone from stuffing the ballot box, but it does mean that anyone who throws away unfavorable votes is going to leave behind evidence, which can potentially call the whole vote into question.

The way I saw these schemes described, there was no recount capability, but the count was done in a completely public way. It seems to me that this kind of scheme has a lot of potential for disruption attacks, since one compromised voting machine can be used to call any election into question. But I could be missing something, as this is really not something I've spent a lot of time on.

> 2. On what basis do you think the average voter should trust this system, seeing as it's based on mechanisms he or she can't personally verify?

I see your point, but there's an awful lot of any voting system that isn't being closely observed by the voters, or that isn't really well-understood by most of them. It's not so clear to me that the average voter is going to walk away convinced that a voter-verified paper ballot, or a mark-sense ballot, or whatever other thing isn't going to somehow be subject to attack. Or that if they do walk away convinced, that this has much to do with whether they *should* walk away convinced.

> 3. What chain of events do I have to believe to trust that the code which is running in the machine is actually and correctly derived from the source code I've audited? I refer you to Ken Thompson's classic paper "Reflections on trusting trust", as well as the recent Diebold debacle with uncertified patches being loaded into the machine at the last moment.

Yep, this is a big issue. Which is why I think everyone with any sense agrees that we need some kind of independent audit trail, regardless of whether we're doing voting with computers, or with pens for punching out holes. There are a bunch of ways to do this, one obvious and pretty easy-to-field choice being voter-verified paper ballots.

> This last is an important point - there is no way you can eliminate the requirement of election officials to behave legitimately. Since that requirement can't be done away with by technology, adding technology only adds more places the system can be compromised.

Huh? Do you think the same is true of payment systems? Those also ultimately require some humans to play by the rules, but it sure seems like a well-designed payment system can remove a lot of the ambiguity about who has violated the rules, and can outright prevent other kinds of rule violations. And it seems to me that this is very similar to the situation with voting.

Touch screen voting (with the audio extensions) has at least one huge advantage over pen-and-paper schemes, because blind people can vote with them. The VoteHere and Chaum schemes provide other benefits (a lot of kinds of misbehavior by the authorities are prevented by the design, though of course, not *all* possible misbehavior), at various costs in system complexity, dependence on lots of interacting systems that might not be all that reliable, ability to recover from some low level of fraud, etc. Paper ballots printed behind glass provide a different set of tradeoffs. And you could
RE: voting
One area we are not addressing in voting security is absentee ballots. The use of absentee ballots is rising in US elections, and is even being advocated as a way for individuals to get a printed ballot in jurisdictions which use electronic-only voting machines. Political parties are encouraging their supporters to vote absentee. I believe that one election in Oregon was recently held entirely with absentee ballots.

For classic polling place elections, one strength of an electronic system which prints paper ballots is that there are two separate paths for the counts. The machine can keep its own totals and report them at the end of the election. These totals can then be compared with the totals generated for that precinct by counting the paper ballots. This redundancy seems to me to provide higher security than either system alone.

Cheers - Bill

Bill Frantz        | There's nothing so clear as a  | Periwinkle
(408)356-8506      | vague idea you haven't written | 16345 Englewood Ave
www.pwpconsult.com | down yet. -- Dean Tribble      | Los Gatos, CA 95032
Re: voting
John Kelsey wrote:
> At 11:05 AM 4/9/04 -0400, Trei, Peter wrote:
>> 1. The use of receipts which a voter takes from the voting place to 'verify' that their vote was correctly included in the total opens the way for voter coercion.
>
> I think the VoteHere scheme and David Chaum's scheme both claim to solve this problem. The voting machine gives you a receipt that convinces you (based on other information you get) that your vote was counted as cast, but which doesn't leak any information at all about who you voted for to anyone else. Anyone can take that receipt, and prove to themselves that your vote was counted (if it was) or was not counted (if it wasn't).

The flaw in *both* cases is that it reduces the level of privacy protection currently provided by paper ballots. Currently, voter privacy is absolute in the US and does not depend even on the will of the courts. For example, there is no way for a judge to assure that a voter under oath is telling the truth about how they voted, or not. This effectively protects the secrecy of the ballot and prevents coercion and intimidation in all cases.

Thus, while the assertion that "Only if all the trustees collude can the election be defrauded" may seem to be reasonable at first glance, it fails to protect the system in the case of a court order -- when all the trustees are ordered to disclose whatever they know and control. Also, the assertion that "All of this is possible while still maintaining voter secrecy and privacy essential to all public elections" is incorrect, for the same reason. Moreover, the assertion that "Vote receipts cannot be used for vote selling or to coerce your vote" is also incorrect, for the same reason. These shortcomings do not depend on any specific flaw of a shuffling process, a TTP, or any other component of either system. Rather, it is a design flaw.

A new election system should do no harm -- reducing the level of voter privacy and ballot secrecy should not be an acceptable trade-off for changing from paper to electronic records, or even electronic verification. Court challenges are a real scenario that election officials talk about and want to avoid. Without making voter privacy inherently safe from court orders, voter privacy and ballot secrecy are at the mercy of casuistic, political and corruption influences -- either real or potential. When the stakes are high, we need fail-safe procedures.

Now, you may ask, is there any realistic possibility of a court order for all trustees to reveal their keys? Yes, especially in a hot and contested election -- and not only Bush vs. Gore. Many local elections are very close and last year an election in California was decided by *one* vote. For example, the California Secretary of State asked this as an evaluation question, when they were testing voting systems for the 2000 Shadow Election Project. The question was whether and to what extent the voting system could be broken under court order, for example, if some unqualified voters were wrongly allowed to vote in a tight election and there would be a court order to seek out and disqualify their votes under best efforts.

Perhaps a trustee could be chosen who would be immune even from a US court order? Well, not for a US election, which is 100% under state and/or federal jurisdiction. But there are additional scenarios -- a bug, Trojan horse, worm and/or virus that infects the systems used by all trustees would also compromise voter secrecy and, thereby, election integrity.

Cheers,
Ed Gerck
RE: voting
At 11:05 AM 4/9/04 -0400, Trei, Peter wrote:
> ..
> 1. The use of receipts which a voter takes from the voting place to 'verify' that their vote was correctly included in the total opens the way for voter coercion.

I think the VoteHere scheme and David Chaum's scheme both claim to solve this problem. The voting machine gives you a receipt that convinces you (based on other information you get) that your vote was counted as cast, but which doesn't leak any information at all about who you voted for to anyone else. Anyone can take that receipt, and prove to themselves that your vote was counted (if it was) or was not counted (if it wasn't).

(This is based on attending a presentation of David's scheme at George Washington a few months ago, a conversation I had with a VoteHere guy, and some conversations and documents given to me by each. I haven't tried to verify the protocols or proofs, but I'm convinced that all this is possible, modulo various assumptions. There may be a dozen other people doing similar things, that I've simply not heard of.)

> ..
> 1. How does this system prevent voter coercion, while still allowing receipt based recounts? Or do you have some mechanism by which I can personally verify every vote which went into the total, to make sure they are correct?

The way I understood these schemes, you can see the initial encrypted ballots (they're published), and then there are several rounds of publicly verifiable shuffling and decryption by different TTPs. After the last round of shuffling and decryption, you have raw votes. So anyone can verify the count, assuming the set of initial encrypted ballots is legitimate. And anyone can produce a receipt that can be shown to be one of those encrypted ballots, if it was counted. That doesn't keep someone from stuffing the ballot box, but it does mean that anyone who throws away unfavorable votes is going to leave behind evidence, which can potentially call the whole vote into question.

The way I saw these schemes described, there was no recount capability, but the count was done in a completely public way. It seems to me that this kind of scheme has a lot of potential for disruption attacks, since one compromised voting machine can be used to call any election into question. But I could be missing something, as this is really not something I've spent a lot of time on.

> 2. On what basis do you think the average voter should trust this system, seeing as it's based on mechanisms he or she can't personally verify?

I see your point, but there's an awful lot of any voting system that isn't being closely observed by the voters, or that isn't really well-understood by most of them. It's not so clear to me that the average voter is going to walk away convinced that a voter-verified paper ballot, or a mark-sense ballot, or whatever other thing isn't going to somehow be subject to attack. Or that if they do walk away convinced, that this has much to do with whether they *should* walk away convinced.

> 3. What chain of events do I have to believe to trust that the code which is running in the machine is actually and correctly derived from the source code I've audited? I refer you to Ken Thompson's classic paper "Reflections on trusting trust", as well as the recent Diebold debacle with uncertified patches being loaded into the machine at the last moment.

Yep, this is a big issue. Which is why I think everyone with any sense agrees that we need some kind of independent audit trail, regardless of whether we're doing voting with computers, or with pens for punching out holes. There are a bunch of ways to do this, one obvious and pretty easy-to-field choice being voter-verified paper ballots.

> This last is an important point - there is no way you can eliminate the requirement of election officials to behave legitimately. Since that requirement can't be done away with by technology, adding technology only adds more places the system can be compromised.

Huh? Do you think the same is true of payment systems? Those also ultimately require some humans to play by the rules, but it sure seems like a well-designed payment system can remove a lot of the ambiguity about who has violated the rules, and can outright prevent other kinds of rule violations. And it seems to me that this is very similar to the situation with voting.

Touch screen voting (with the audio extensions) has at least one huge advantage over pen-and-paper schemes, because blind people can vote with them. The VoteHere and Chaum schemes provide other benefits (a lot of kinds of misbehavior by the authorities are prevented by the design, though of course, not *all* possible misbehavior), at various costs in system complexity, dependence on lots of interacting systems that might not be all that reliable, ability to recover from some low level of fraud, etc. Paper ballots printed behind glass provide a different set of tradeoffs. And you could design
Re: voting, KISS, etc. ( social bias)
Perry I agree with you on all *except* that you are prejudiced against folks who are not mobile, have immobile dependants, are busy or agoraphobes. In-person voting doesn't resist graveyard voting much better than lining up the meat. One could say that in-person voting rewards those too lazy or careless with their time to request absentee status.

Home voting is important to keep participation high. I believe 25% of the Calif governor votes were absentee. Participation is nominally a figure of merit for elections.

And the voter authentication is the weakest I know of: to register you submit a name, signature, and address. To vote, you submit same. Nothing prevents graveyard registration except the law.

Why is this relevant? Because you have to consider threat models. Spousal coercion vote buying is one, well-addressed in this thread. So are tech-implementation and social-trust issues. Snipers or bombers at polling places is another, ignored because we're all modern westerners. Rain and immobility have only been touched on because most of us can drive and walk.

Voting from home should be *encouraged* and it should use paper as the transport, not computers. (The paper being kept by the counters not the voters.) Which is how it should be at the in-person polls.

Again, keeping tech away is good, fighting coercion is good, but don't argue against absentee voting. In fact, absentee voting (vs. tech in the polling booth) is a good *example* of how to keep things simple and resistant to many (e.g. tech-enabled) attacks.

At 12:46 PM 4/9/04 -0400, Perry E. Metzger wrote:
> I'm especially scared about mechanisms that let people vote at home and such. Lots of people seem to think that the five minute trip to the polling place is what is preventing people from voting, and they want to let people vote from their computers.
>
> Let's ignore the question of whether it is important that the people who can't be bothered to spend ten minutes going to the polling place care enough about the election to be voting anyway. Let's also ignore the totally unimportant question of vote buying -- vote buying has happened plenty of times over the centuries without any need for the purchaser to verify that the vote was cast as promised. Tammany Hall did not need to watch people's votes to run a political machine.
>
> I'm much more concerned that we may be automating the graveyard vote, which is currently kept in check by the need to personally appear at polling places. I'm also concerned about the forms of fraud I haven't even considered yet because no one has invented them yet. Election security isn't just about assuring that votes are correctly counted.
RE: voting
| privacy wrote:
| [good points about weaknesses in adversarial system deleted]
|
| It's baffling that security experts today are clinging to the outmoded and insecure paper voting systems of the past, where evidence of fraud, error and incompetence is overwhelming. Cryptographic voting protocols have been in development for 20 years, and there are dozens of proposals in the literature with various characteristics in terms of scalability, security and privacy. The votehere.net scheme uses advanced cryptographic techniques including zero knowledge proofs and verifiable remixing, the same method that might be used in next generation anonymous remailers.
|
| Our anonymous correspondent has not addressed the issues I raised in my initial post on the 7th:
|
| 1. The use of receipts which a voter takes from the voting place to 'verify' that their vote was correctly included in the total opens the way for voter coercion.
|
| 2. The proposed fix - a blizzard of decoy receipts - makes recounts based on the receipts impossible.

The VoteHere system is really quite clever, and you're attacking it for not being the same as everything that went before. Current systems - whether paper, machine, or whatever - provide no inherent assurance that the vote you cast is the one that got counted. Ballot boxes can be lost, their contents can be replaced; machines can be rigged. We use procedural mechanisms to try to prevent such attacks. It's impossible to know how effective they are: We have no real way to measure the effectiveness, since there is no independent check on what they are controlling. There are regular allegations of all kinds of abuses, poll watchers or no. And there are plenty of suspect results.

| Answer this:
|
| 1. How does this system prevent voter coercion, while still allowing receipt based recounts?

a) Receipts in the VoteHere system are *not* used for recounts. No receipt that a user takes away can possibly be used for that - the chances of you being able to recover even half the receipts a day after the election are probably about nil. Receipts play exactly one role: They allow a voter who wishes to confirm that his vote actually was tallied.

b) We've raised prevention of voter coercion on some kind of pedestal. The fact is, I doubt it plays much of a real role. If someone wants to coerce voters, they'll use the kind of goons who collect on gambling debts to do it. The vast majority of people who they try to coerce will be too frightened to even think about trying to fool them - and if they do try, will lie so unconvincingly that they'll get beaten up anyway. Political parties that want to play games regularly bring busloads of people to polling places. They don't check how the people they bus in vote - they don't need to. They know who to pick.

However, if this really bothers you, a system like this lets you trade off non-coercion and checkability: When you enter the polling place, you draw a random ball - say, using one of those machines they use for lotteries. If the ball is red, you get a receipt; if it's blue, the receipt is retained in a sealed box (where it's useless to anyone except as some kind of cross-check of number of votes cast, etc.) No one but you gets to see the color of the ball. Now, even if you are being coerced and get a red ball, you can simply discard the receipt - the polling place should have a secure, private receptacle; or maybe you can even push a button on the machine that says "Pretend I got a blue ball" - and claim you got a blue ball. The fraction of red and blue balls is adjustable, depending on how you choose to value checkability vs. non-coercion.

| Or do you have some mechanism by which I can personally verify every vote which went into the total, to make sure they are correct?

In VoteHere's system, you can't possibly verify that every vote that went into the total was correctly handled. You can verify that the votes *that the system claims were recorded* are actually counted correctly. And you can verify that *your* vote was actually recorded as you cast it - something you can't do today. The point of the system is that any manipulation is likely to hit someone who chooses to verify their vote, sooner or later - and it only takes one such detected manipulation to start an inquiry. Whether in practice people want this enough to take the trouble ... we'll have to wait and see.

| 2. On what basis do you think the average voter should trust this system, seeing as it's based on mechanisms he or she can't personally verify?

On what basis should an average voter trust today's systems? How many people have any idea what safeguards are currently used? How many have any personal contact with the poll watchers on whom the system relies? Could *you* verify, in any meaningful sense, the proper handling of a vote you cast? Could you watch the machines/boxes/whatever being handled?
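The red/blue-ball proposal above trades checkability against coercion resistance, and the reply to question 1 argues that one detected manipulation is enough to start an inquiry. The Python model below, added here and not part of the original message, quantifies that trade: the probability that tampering with a given number of recorded ballots is caught, as a function of what fraction of voters take a receipt home and what fraction of those actually compare it against the published ballots. The receipt rates, check rates and ballot counts are constructed assumptions, not figures from the thread.

```python
"""Detection model for receipt-based vote verification (added example).

A fraction `receipt_rate` of voters draw a "red ball" and take a receipt
home, a fraction `check_rate` of those compare it against the published
list of recorded ballots, and someone alters `altered` recorded ballots.
The ball colour is private to the voter, so the alterations land on a
random subset of ballots and each one is caught independently.
All rates and sizes below are constructed assumptions.
"""
import random
from typing import Optional


def check_probability(receipt_rate: float, check_rate: float) -> float:
    """Chance that a randomly chosen ballot belongs to a voter who both
    holds a receipt (red ball) and actually verifies it."""
    for r in (receipt_rate, check_rate):
        if not 0.0 <= r <= 1.0:
            raise ValueError("rates must lie in [0, 1]")
    return receipt_rate * check_rate


def detection_probability(altered: int, receipt_rate: float,
                          check_rate: float) -> float:
    """P(at least one of `altered` tampered ballots is noticed).

    The tampering escapes only if none of the altered ballots belongs to a
    checking voter, so P(detect) = 1 - (1 - p)^altered.
    """
    if altered < 0:
        raise ValueError("altered must be non-negative")
    p = check_probability(receipt_rate, check_rate)
    return 1.0 - (1.0 - p) ** altered


def required_receipt_rate(altered: int, check_rate: float,
                          target: float) -> Optional[float]:
    """Smallest receipt rate that detects `altered` tampered ballots with
    probability at least `target`; None if even a receipt for every voter
    (rate 1.0) falls short at this check rate."""
    if altered <= 0 or not 0.0 < target < 1.0 or not 0.0 < check_rate <= 1.0:
        raise ValueError("need altered > 0, 0 < target < 1, 0 < check_rate <= 1")
    # Invert 1 - (1 - p)^altered = target for the per-ballot probability p.
    per_ballot = 1.0 - (1.0 - target) ** (1.0 / altered)
    rate = per_ballot / check_rate
    return rate if rate <= 1.0 else None


def simulate_detection(n_ballots: int, altered: int, receipt_rate: float,
                       check_rate: float, trials: int = 2000,
                       seed: int = 1) -> float:
    """Monte Carlo cross-check of detection_probability().

    Each trial draws ball colours and checking behaviour per voter, then
    alters `altered` distinct ballots chosen without knowing who holds a
    receipt. Returns the fraction of trials in which a checker was hit.
    """
    rng = random.Random(seed)
    detected = 0
    for _ in range(trials):
        # Voter i is a silent witness if she drew red AND checks later.
        witnesses = [rng.random() < receipt_rate and rng.random() < check_rate
                     for _ in range(n_ballots)]
        tampered = rng.sample(range(n_ballots), altered)
        if any(witnesses[i] for i in tampered):
            detected += 1
    return detected / trials


def main() -> None:
    check_rate = 0.2  # constructed: one receipt holder in five verifies
    print(f"Detection probability at check rate {check_rate:.0%}")
    print("altered  receipt 10%  receipt 50%  receipt 100%")
    for altered in (1, 10, 100, 1000):
        row = [detection_probability(altered, r, check_rate) for r in (0.1, 0.5, 1.0)]
        print(f"{altered:7d}  " + "  ".join(f"{p:11.4f}" for p in row))
    need = required_receipt_rate(100, check_rate, 0.99)
    print("\nReceipt rate needed to catch 100 alterations 99% of the time: "
          + ("unattainable" if need is None else f"{need:.3f}"))
    print(f"Monte Carlo, 10 alterations at 50% receipts: "
          f"{simulate_detection(200, 10, 0.5, check_rate):.3f} "
          f"vs closed form {detection_probability(10, 0.5, check_rate):.3f}")


if __name__ == "__main__":
    main()
```

The table makes the trade concrete: a single altered ballot is almost never caught, while altering enough ballots to swing any but the closest contest is caught with near certainty even when only a minority of voters take and check a receipt.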
RE: voting
privacy wrote:
> [good points about weaknesses in adversarial system deleted]
>
> It's baffling that security experts today are clinging to the outmoded and insecure paper voting systems of the past, where evidence of fraud, error and incompetence is overwhelming. Cryptographic voting protocols have been in development for 20 years, and there are dozens of proposals in the literature with various characteristics in terms of scalability, security and privacy. The votehere.net scheme uses advanced cryptographic techniques including zero knowledge proofs and verifiable remixing, the same method that might be used in next generation anonymous remailers.

Our anonymous correspondent has not addressed the issues I raised in my initial post on the 7th:

1. The use of receipts which a voter takes from the voting place to 'verify' that their vote was correctly included in the total opens the way for voter coercion.

2. The proposed fix - a blizzard of decoy receipts - makes recounts based on the receipts impossible.

> Given that so many jurisdictions are moving towards electronic voting machines, this is a perfect opportunity to introduce mathematical protections instead of relying so heavily on human beings. I would encourage observers on these lists to familiarize themselves with the cryptographic literature and the heavily technical protocol details at http://www.votehere.com/documents.html before passing judgement on these technologies.

Asking the readers of this list to 'familiarize themselves with the cryptographic literature', is, in many cases, a little like telling Tiger Woods that he needs to familiarize himself with the rules of golf. We know the 'advanced cryptographic techniques' you refer to. We also know their limitations - what they can and cannot do. This is not the appropriate forum to try to say "trust me".

Answer this:

1. How does this system prevent voter coercion, while still allowing receipt based recounts? Or do you have some mechanism by which I can personally verify every vote which went into the total, to make sure they are correct?

2. On what basis do you think the average voter should trust this system, seeing as it's based on mechanisms he or she can't personally verify?

3. What chain of events do I have to believe to trust that the code which is running in the machine is actually and correctly derived from the source code I've audited? I refer you to Ken Thompson's classic paper "Reflections on trusting trust", as well as the recent Diebold debacle with uncertified patches being loaded into the machine at the last moment.

This last is an important point - there is no way you can eliminate the requirement of election officials to behave legitimately. Since that requirement can't be done away with by technology, adding technology only adds more places the system can be compromised.

Based on the tone of this letter, I'd hazard a guess that 'privacy' has a vested interest in VoteHere. If this is true, it's a little odd that they are willing to expose their source code, but not their name. We don't bite, unless the victim deserves it :-) Opening your source is an admirable first step - why not step out of the shadows so we can help you make your system better?

I fear a system which does not have a backup mechanism that the average voter can understand. While it's true that non-electronic systems are subject to compromise, so are electronic ones, regardless of their use of ZK proofs, or 'advanced cryptographic techniques'.

I do think electronic voting machines are coming, and a good thing. But they should be promoted on the basis that they are easier to use, and fairer in presentation, than are manual methods. Promoting them on the basis that they are more secure, and less subject to vote tampering is simply false.

Peter Trei
Cryptoengineer
RSA Security

Disclaimer: The above represents my personal opinions only.
RE: voting
privacy wrote: [good points about weaknesses in adversarial system deleted] It's baffling that security experts today are clinging to the outmoded and insecure paper voting systems of the past, where evidence of fraud, error and incompetence is overwhelming. Cryptographic voting protocols have been in development for 20 years, and there are dozens of proposals in the literature with various characteristics in terms of scalability, security and privacy. The votehere.net scheme uses advanced cryptographic techniques including zero knowledge proofs and verifiable remixing, the same method that might be used in next generation anonymous remailers. Our anonymous corrospondent has not addressed the issues I raised in my initial post on the 7th: 1. The use of receipts which a voter takes from the voting place to 'verify' that their vote was correctly included in the total opens the way for voter coercion. 2. The proposed fix - a blizzard of decoy receipts - makes recounts based on the receipts impossible. Given that so many jurisdictions are moving towards electronic voting machines, this is a perfect opportunity to introduce mathematical protections instead of relying so heavily on human beings. I would encourage observers on these lists to familiarize themselves with the cryptographic literature and the heavily technical protocol details at http://www.votehere.com/documents.html before passing judgement on these technologies. Asking the readers of this list to 'familiarize themselves with the cryptographic literature', is, in many cases, a little like telling Tiger Woods that he needs to familiarize himself with the rules of golf. We know the 'advanced cryptographic techniques' you refer to. We also know what their limitations - what they can and cannot do. This is not the appropriate forum to try to say trust me. Answer this: 1. How does this system prevent voter coercion, while still allowing receipt based recounts? 
Or do you have some mechanism by which I can personally verify every vote which went into the total, to make sure they are correct? 2. On what basis do you think the average voter should trust this system, seeing as it's based on mechanisms he or she cant personally verify? 3. What chain of events do I have to beleive to trust that the code which is running in the machine is actually and correctly derived from the source code I've audited? I refer you to Ken Thompsons classic paper Reflections on trusting trust, as well as the recent Diebold debacle with uncertified patches being loaded into the machine at the last moment. This last is an important point - there is no way you can eliminate the requirement of election officials to behave legitimately. Since that requirement can't be done away with by technology, adding technology only adds more places the system can be compromised. Based on the tone of this letter, I'd hazard a guess that 'privacy' has a vested interest in VoteHere. If this true, it's a little odd that they are willing to expose their source code, but not their name. We don't bite, unless the victim deserves it :-) Opening your source is an admirable first step - why not step out of the shadows so we can help you make your system better? I fear a system which does not have a backup mechanism that the average voter can understand. While it's true that non-electronic systems are subject to compromise, so are electronic ones, regardless of their use of ZK proofs, or 'advanced cryptographic techniques. I do think electronic voting machines are coming, and a good thing. But they should be promoted on the basis that they are easier to use, and fairer in presentation, then are manual methods. Promoting them on the basis that they are more secure, and less subject to vote tampering is simply false. Peter Trei Cryptoengineer RSA Security Disclaimer: The above represents my personal opinions only.
Re: voting, KISS, etc. ( social bias)
Perry I agree with you on all *except* that you are prejudiced against folks who are not mobile, have immobile dependants, are busy or agoraphobes. In-person voting doesn't resist graveyard voting much better than lining up the meat. One could say that in-person voting rewards those too lazy or careless with their time to request absentee status. Home voting is important to keep participation high. I believe 25% of the Calif governor votes were absentee. Participation is nominally a figure of merit for elections. And the voter authentication is the weakest I know of: to register you submit a name, signature, and address. To vote, you submit same. Nothing prevents graveyard registration except the law. Why is this relevent? Because you have to consider threat models. Spousal coercion vote buying is one, well-addressed in this thread. So are tech-implementation and social-trust issues. Snipers or bombers at polling places is another, ignored because we're all modern westerners. Rain and immobility have only been touched on because most of us can drive and walk. Voting from home should be *encouraged* and it should use paper as the transport, not computers. (The paper being kept by the counters not the voters.) Which is how it should be at the in-person polls. Again, keeping tech away is good, fighting coercion is good, but don't argue against absentee voting. In fact, absentee voting (vs. tech in the polling booth) is a good *example* of how to keep things simple and resistant to many (eg tech-enabled) attacks. At 12:46 PM 4/9/04 -0400, Perry E. Metzger wrote: I'm especially scared about mechanisms that let people vote at home and such. Lots of people seem to think that the five minute trip to the polling place is what is preventing people from voting, and they want to let people vote from their computers. 
Lets ignore the question of whether it is important that the people who can't be bothered to spend ten minutes going to the polling place care enough about the election to be voting anyway. Lets also ignore the totally unimportant question of vote buying -- vote buying has happened plenty of times over the centuries without any need for the purchaser to verify that the vote was cast as promised. Tammany Hall did not need to watch people's votes to run a political machine. I'm much more concerned that we may be automating the graveyard vote, which is currently kept in check by the need to personally appear at polling places. I'm also concerned about the forms of fraud I haven't even considered yet because no one has invented them yet. Election security isn't just about assuring that votes are correctly counted.
RE: voting
| privacy wrote:
| [good points about weaknesses in adversarial system deleted]
|
| It's baffling that security experts today are clinging to the outmoded
| and insecure paper voting systems of the past, where evidence of fraud,
| error and incompetence is overwhelming. Cryptographic voting protocols
| have been in development for 20 years, and there are dozens of proposals
| in the literature with various characteristics in terms of scalability,
| security and privacy. The votehere.net scheme uses advanced cryptographic
| techniques including zero knowledge proofs and verifiable remixing,
| the same method that might be used in next generation anonymous remailers.
|
| Our anonymous correspondent has not addressed the issues I raised in my
| initial post on the 7th:
|
| 1. The use of receipts which a voter takes from the voting place to 'verify'
| that their vote was correctly included in the total opens the way for voter
| coercion.
|
| 2. The proposed fix - a blizzard of decoy receipts - makes recounts based
| on the receipts impossible.

The VoteHere system is really quite clever, and you're attacking it for not being the same as everything that went before.

Current systems - whether paper, machine, or whatever - provide no inherent assurance that the vote you cast is the one that got counted. Ballot boxes can be lost, their contents can be replaced; machines can be rigged. We use procedural mechanisms to try to prevent such attacks. It's impossible to know how effective they are: We have no real way to measure the effectiveness, since there is no independent check on what they are controlling. There are regular allegations of all kinds of abuses, poll watchers or no. And there are plenty of suspect results.

| Answer this:
|
| 1. How does this system prevent voter coercion, while still allowing receipt
| based recounts?

a) Receipts in the VoteHere system are *not* used for recounts. No receipt that a user takes away can possibly be used for that - the chances of you being able to recover even half the receipts a day after the election are probably about nil. Receipts play exactly one role: They allow a voter who wishes to confirm that his vote actually was tallied.

b) We've raised prevention of voter coercion on some kind of pedestal. The fact is, I doubt it plays much of a real role. If someone wants to coerce voters, they'll use the kind of goons who collect on gambling debts to do it. The vast majority of people who they try to coerce will be too frightened to even think about trying to fool them - and if they do try, will lie so unconvincingly that they'll get beaten up anyway. Political parties that want to play games regularly bring busloads of people to polling places. They don't check how the people they bus in vote - they don't need to. They know who to pick.

However, if this really bothers you, a system like this lets you trade off non-coercion and checkability: When you enter the polling place, you draw a random ball - say, using one of those machines they use for lotteries. If the ball is red, you get a receipt; if it's blue, the receipt is retained in a sealed box (where it's useless to anyone except as some kind of cross-check of number of votes cast, etc.) No one but you gets to see the color of the ball. Now, even if you are being coerced and get a red ball, you can simply discard the receipt - the polling place should have a secure, private receptacle; or maybe you can even push a button on the machine that says "Pretend I got a blue ball" - and claim you got a blue ball. The fraction of red and blue balls is adjustable, depending on how you choose to value checkability vs. non-coercion.

| Or do you have some mechanism by which I can
| personally verify every vote which went into the total, to make sure they
| are correct?

In VoteHere's system, you can't possibly verify that every vote that went into the total was correctly handled. You can verify that the votes *that the system claims were recorded* are actually counted correctly. And you can verify that *your* vote was actually recorded as you cast it - something you can't do today. The point of the system is that any manipulation is likely to hit someone who chooses to verify their vote, sooner or later - and it only takes one such detected manipulation to start an inquiry. Whether in practice people want this enough to take the trouble ... we'll have to wait and see.

| 2. On what basis do you think the average voter should trust this system,
| seeing as it's based on mechanisms he or she can't personally verify?

On what basis should an average voter trust today's systems? How many people have any idea what safeguards are currently used? How many have any personal contact with the poll watchers on whom the system relies? Could *you* verify, in any meaningful sense, the proper handling of a vote you cast? Could you watch the machines/boxes/whatever being handled?
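The red-ball/blue-ball trade-off and the "it only takes one detected manipulation" argument in the post above can be put in numbers. The following is an added illustration written for this page; it is not VoteHere's code and does not describe their protocol. It assumes a simple model with three parameters: the fraction of voters who draw a red ball and take a receipt, the fraction of receipt holders who actually check it, and the number of recorded ballots an attacker silently alters without knowing which voters will verify. A coerced voter who discards the receipt and claims "blue" simply never verifies, indistinguishable from an honest blue-ball voter, so coercion lowers coverage slightly but does not break the check.

```python
import random

# Added illustration of the optional-receipt trade-off; not VoteHere's code.
# Assumed parameters:
#   p_receipt : fraction of voters who draw a red ball and take a receipt
#   p_verify  : fraction of receipt holders who actually check their receipt
#   altered   : number of recorded ballots an attacker silently changes
# Model: each voter independently ends up a "verifier" with probability
# q = p_receipt * p_verify, and the attacker cannot tell verifiers apart.


def flips_to_overturn(margin):
    """Smallest number of ballots that must be moved from winner to loser
    for the loser to end up ahead (each flip changes the margin by two)."""
    if margin < 0:
        raise ValueError("margin must be the winner's non-negative lead")
    return margin // 2 + 1


def detection_probability(altered, p_receipt, p_verify):
    """Probability that at least one altered ballot belongs to a verifier,
    i.e. that the manipulation is noticed by someone who checks."""
    q = p_receipt * p_verify
    return 1.0 - (1.0 - q) ** altered


def min_receipt_fraction(target, altered, p_verify):
    """Red-ball fraction needed so that `altered` changes are caught with
    probability >= target. Returns None when no fraction <= 1 suffices,
    which is the case for very small manipulations (e.g. a razor-thin margin)."""
    q = 1.0 - (1.0 - target) ** (1.0 / altered)
    p_receipt = q / p_verify
    return p_receipt if p_receipt <= 1.0 else None


def simulate(n_voters, altered, p_receipt, p_verify, trials=200, seed=1):
    """Monte Carlo check of the closed form on a constructed electorate.
    Returns the empirical fraction of trials in which the tampering was caught."""
    rng = random.Random(seed)  # fixed seed so the result is reproducible
    detected = 0
    for _ in range(trials):
        # Voters who drew red, kept the receipt and actually verify it.
        verifiers = {
            i for i in range(n_voters)
            if rng.random() < p_receipt and rng.random() < p_verify
        }
        # Attacker alters `altered` distinct ballots, blind to who verifies.
        targets = rng.sample(range(n_voters), altered)
        if any(t in verifiers for t in targets):
            detected += 1
    return detected / trials


if __name__ == "__main__":
    # Constructed scenario: 10,000 voters, half draw red, one in ten checks.
    for margin in (11, 101, 1001):
        k = flips_to_overturn(margin)
        print(f"margin {margin:5d}: {k:4d} flips needed, "
              f"P(detect) = {detection_probability(k, 0.5, 0.1):.3f}, "
              f"red fraction for 99%: {min_receipt_fraction(0.99, k, 0.1)}")
    print("simulated detection rate:", simulate(10_000, 100, 0.5, 0.1))
```

The numbers make the author's point concrete: with half the voters holding receipts and one in ten checking, altering a hundred ballots is caught over 99% of the time, while a handful of flips (enough to overturn a margin of eleven) cannot be reliably caught by any receipt fraction at that verification rate. Tuning the red-ball fraction is exactly the knob the post describes, and the table shows what each setting buys.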
Re: voting
Perry Metzger writes, on his cryptography list:

By the way, I should mention that an important part of such a system is the principle that representatives from the candidates on each side get to oversee the entire process, assuring that the ballot boxes start empty and stay untampered with all day, and that no one tampers with the ballots as they're read. The inspectors also serve to assure that the clerks are properly checking who can and can't vote, and can do things like hand-recording the final counts from the readers, providing a check against the totals reported centrally. The adversarial method does wonders for assuring that tampering is difficult at all stages of a voting system.

On the contrary, the adversarial method is an extremely *weak* source of security in a voting system.

In the first place, it fails for primary elections where there are multiple candidates, all of one party, running for a position. It's not unusual to have a dozen candidates or even more in some rare cases (the California gubernatorial election, while not a primary, had hundreds of candidates running for one seat). It is impractical for each candidate to supply an army of representatives to supervise the voting process, nor can each polling place accommodate the number of people required.

In the second place, it fails for elections with more than two parties running. The casual reference above to "representatives on each side" betrays this error. Poorly funded third parties cannot provide representatives as easily as the Republicans and Democrats. We already know that the major parties fight to keep third party candidates off the ballots. Can we expect them to be vigilant in making sure that Libertarian and Green votes are counted?

In the third place, tampering has to be protected against in each and every voting precinct. Any voting station where the voting observers for one party are lax or incompetent could be identified in advance and targeted for fraud. Given that these observers are often elderly and have limited faculties, such frauds are all too easy to accomplish.

It's baffling that security experts today are clinging to the outmoded and insecure paper voting systems of the past, where evidence of fraud, error and incompetence is overwhelming. Cryptographic voting protocols have been in development for 20 years, and there are dozens of proposals in the literature with various characteristics in terms of scalability, security and privacy. The votehere.net scheme uses advanced cryptographic techniques including zero knowledge proofs and verifiable remixing, the same method that might be used in next generation anonymous remailers.

Given that so many jurisdictions are moving towards electronic voting machines, this is a perfect opportunity to introduce mathematical protections instead of relying so heavily on human beings. I would encourage observers on these lists to familiarize themselves with the cryptographic literature and the heavily technical protocol details at http://www.votehere.com/documents.html before passing judgement on these technologies.
Re: voting
At 11:16 PM 4/8/04 +0200, privacy.at Anonymous Remailer wrote:

In the second place, it fails for elections with more than two parties running. The casual reference above to "representatives on each side" betrays this error. Poorly funded third parties cannot provide representatives as easily as the Republicans and Democrats. We already know that the major parties fight to keep third party candidates off the ballots. Can we expect them to be vigilant in making sure that Libertarian and Green votes are counted?

Your points about the weaknesses of adversarial observers are stimulating, valid points, but the Reps and Dems *can* count on those votes *not* being moved into their de facto adversary's (Dems, Reps, respectively) bin. And in practice the fringe votes usually don't matter. (I vote Lib..)

It's not uncommon for elections to be upheld *even when votes are known lost* if the margins are sufficient. (It happened in California last election, human error plus tech.) Ultimately the adversarial parties are the ones who have to check the whole process, including any tech that gets used. And that process is open to the Libs, etc.

As to your other point, the clever protocols, Perry and other KISS advocates have a very strong (albeit social) point. Joe Sixpack can understand *and test* levers or Hollerith cards or their optical counterparts. Good luck getting him to understand number theory. It would be better in many estimations to have even coercible voting than to have "Trust Me" apply to electing a government. (Not that the govt will avoid using that phrase once elected :-)