On Sun, Dec 19, 2010 at 12:53:37AM +0530, Pranesh Prakash wrote:

> Most of the problems discussed are very design-dependent.  The e-voting

The most damning objections are meta-level, and not design-dependent.

> machines used in India, for instance, aren't touch-screen based.

Not relevant.

> Favouring particular candidates in advance (at the factory stage) is

Not relevant.

> difficult because the order of the candidates isn't pre-determined, and

Not relevant. 

> there is no certainty which EVM will end up where.  Malicious changes in
> the software can affect thousands, true, but the corrupt politician

If you can change the vote with little probability of detection
there is every incentive to do so. And where there's a lot of will,
there's always a way. Never invite the devil in, no matter what.

> wouldn't know in advance whether the insider she's contacted will do
> something that favours her or not—there is simply no way of telling.

Not relevant.
 
> > Paper is self-documenting. It creates its own documentation trail.
> 
> A paper-based audit trail can be combined with electronic voting.

See, there's the problem with the electronic voting already. A paper
based model defaults to a trail, and in the electronic version it's
an optional feature, and can easily be omitted, since we *know* the
systems are secure. We know how? The experts told the authorities.

Feeling safer already?
 
> > Paper is offline, so it can't be scrambled. Paper is distributed
> > over multiple independent physically securable compartments.
> 
> They might be multiple and independent compartments, but they aren't secure.

Securable doesn't mean secure. People intuitively understand
securability and tampering with physical facilities. 
 
> > People understand sealed urns, counting, locks, guards.
> 
> People beat up guards, stuff ballot boxes.

Beating up is tamper-evidence, and should result in vote
declared invalid and rescheduled. If representatives from
several parties as well as local neutral observers are present,
manipulation of the sealed urn is very evident. Yes, you can
bribe, intimidate, but this all involves manipulating people,
not computers. Computers are trivial to manipulate. People less
so. If you bamboozle a lot of people, there will be stink.
 
> > Paper can be trusted to be fully inspectable to uninstrumented humans. 
> 
> Yes, but how useful is that if there isn't much to inspect?

Then you know what you're doing wrong already! So fix it.
 
> > Paper can be counted independently by mutually distrusting observers. 
> 
> The voting process can be observed (and is) by mutually distrusting
> observers even with e-voting. The seals are inspected by mutually

Nope. You're looking at a display. Displays lie. Everything that
can lie, can be made to. There's certainly enough incentive to,
given the stakes. 

> distrusting observers.  The difference is that counting isn't involved
> and the process is much faster.

Fast is irrelevant, because it's not about convenience, and in
Germany local votes are available within hours after the offices
close. It's a scaling issue. The more warm bodies involved, the better.

The existing systems are good enough. Don't fix what isn't broken.
Never change a running system.
 
> > Paper is physical, and is subject to the usual safety protocols. 
> 
> Which have been demonstrated to be failures.  Most of the cracks
> demonstrated in http://indiaevm.org/evm_tr2010-jul29.pdf are either not
> specific to e-voting (and are worse with paper ballots), or are close to
> impossible to realistically carry out as they require physical access to
> the inner workings of the machine *after* the commencement of voting.

If you trust computers, you know neither computers, nor people.

> Only one of the attacks was (if I recall correctly) even remotely
> possible. (Disclaimer: I read the report in April, not the apparently
> revised version of July 2010.  So I don't know whether they've come up
> with new attacks.)

Absence of known attacks doesn't prove the system is secure.
Paper-based methods offer passive security, in principle.
 
> > People understand protocols and processes for physical objects.
> 
> And the hundreds of millions have successfully voted with EVMs in India.

Completely irrelevant. In fact, you illustrate what's wrong with
voting computers in principle. You always get people who don't understand
the problem space yet are perceived as experts, and are vocal about 
the issue. These people are very convincing, without realizing
what they're doing.

Never offer people enough rope to hang themselves. They will.
 
> > It is possible to combine electronical and paper-based methods,
> > to combine the advantages (e.g. by allowing voter receipts which 
> > cannot be used as proof to third parties, but can be used to
> > validate a fishy result after the fact). No such option for
> > electrons.
> 
> Not quite clear about this point.  Could you elaborate on it?

I shouldn't have mentioned it, because it assumes the existence
of electronic voting systems, which *can* *facultatively* produce 
pigmented dead tree which can be verified by following protocol P 
which is obvious to experts, but nobody else. Protocols are extremely
sensitive to each step. Something apparently trivial invalidates
the whole chain. And nobody notices, but the experts. And who's
an expert? 

> >> in "developed" countries (though the infamous Hanging Chads of Florida
> > 
> > Paper isn't fool-proof. However, hanging chads is one of the cases
> > where the problem is discovered by inspection and is understood by
> > anyone. Many established paper-based methods are easy, and fool-proof.
> > Don't fix what isn't broken.
> 
> Show me a system that is fool-proof and I will show you a fool who can
> outwit that system.

Ok, I've started with it, but we're at trading pithy aphorisms stage.
Let's just agree to disagree. I've spent enough brain cycles on
the problem space to realize that it can't be done. Not because
of systems, but because of people. You can change systems, but
you can't change people.
 
> >> could be used to argue against that), but in many developed countries
> >> where problems like ballot-stuff, booth-capturing, etc., are rampant,
> > 
> > You cannot fix systemic problems with hardware. You need to get
> > as many people from the opposition monitoring the collection, counting
> > and reporting up the chain. 
> 
> Booth-capturing happens by all parties.  However, because of the limits

I don't really know what booth-capturing is.

> to the number of votes that can be cast per minute on an EVM, the
> benefits of booth-capturing are diminished vastly.  Thus, in this case,
> a little bit of technology helps vastly.  The alternative proposals I've

Technology is a capability amplifier. In this case, a nontransparent
capability amplifier. This is unconditionally evil, and needs to be rejected.
No compromise possible. Just a simple NO.

Anyone voting enthusiastic yes is either a fool, or a knave. Or both.

> heard (from people like Arun Mehta who believe paper ballots are better
> and distrust EVMs) involve (what I believe are) extremely complicated
> processes.

Anything complicated doesn't work.
 
> [snip]
> > make the ballot boxes out of transparent plastic, without a lid so can
> > only be cut open. I would have long-distance video of the ballots going
> > into the box, and along the slit through which the ballots enter I would
> > have an array of LEDs facing an array of photodiodes, feeding
> > information to a chip that time stamps it. Nobody would be able to fake
> > the long-distance video and the information the chip provides in a
> > manner that agrees. 
> [/snip]
> 
> >> the cracks against EVMs *might* (depending on the design of the EVM) be
> > 
> > How do you even know an attack has occurred? People don't understand
> > cryptographic protocols, and attacks against such, which are completely
> > transparent to nonexperts. It is not obvious to a nonexpert who
> > is an expert and not, so why not eliminate that problem right
> > from the start.
> 
> I support an open audit of the software.  Security by obscurity is no

Completely irrelevant.

> answer.  And then additional processes need to be introduced.  Not to

Introduced by whom, validated by whom?

> ensure that attacks can't occur.  Nothing can ensure that.  But to
> ensure that 0) a very simple machine is used; 1) silent attacks (at the

Paper and pencil and urns are about the simplest machine there is.

> factory stage, etc.) are meaningless (by introducing variables that

Again, you're barking up a completely different tree, and insisting
you've covered the entire forest.

> can't be known that far in advance); 2) corrupt officials at any one
> level (whether at the top, or the bottom) in the hierarchy can't
> independently influence the performance of the machine; 3) having
> machine-level safeguards (limits on votes per minute, etc.) which can be
> physically checked easily enough by independent/multi-party observers;
> 4) have redundant verifiability built-in (paper trail), just in case.

Give that list to a random guy in Andhra Pradesh and see what he
makes from that list. 
 
> >> more difficult to carry out than against paper ballots.
> > 
> > The more I know about computers, the less I trust computers.
> > Don't allow electronic voting machines, if you don't want your
> > votes to be stolen, even without anyone being the wiser. 
> > 
> > Just don't.
> 
> I am highly distrustful of EVMs in the US, Germany, Netherlands, as they

I'm highly distrustful of computers, period, because I'm reasonably
informed in the various types of perversions and compromises, and in
fact have to deal with these a couple times per year.

Even the known manipulations of noncritical systems executed by
nonexperts are scary as hell. Targeted attacks by experts... you'll
never know what hit you.

> have well-demonstrated failures.  I find the paper on the failures of
> the Indian EVMs to be very weak.  Ed Felten, Bruce Schneier, etc., who
> featured it, don't analyse it in detail.  My conclusion is that the
> Indian EVMs are much better designed than other EVMs and are better
> suited to Indian elections than paper ballots.

Please realize that you're part of the problem. Because of people with
attitudes like yours (no slight intended, I used to be like that)
it is imperative to not allow electronic voting systems.

Just don't do it. Deal with the devil you know. 

-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
