Electronic Voting: The Other Side of the Story

_randy_64 writes "We've all read about the perils of online voting. But in an article in MIT's Tech Review, noted technologist Simson Garfinkel looks at the other side of the story and comes away thinking that e-voting might not be so bad, if done properly. He mentions several ways that traditional ballot voting is just as 'hackable' as the electronic version."

Why not use digital cash-like protocols?

[astrashe]

I don't understand why a cryptographic protocol using a blind signature can't be used to make an auditable voting system.

To me it seems like it could be a special case of the digital cash problem that guys like David Chaum worked on. You give everyone a single vote that they can cast -- a blob of data with a blinded digital signature. Then you let them spend them (vote) however they want.

You could even let candidates set up their own sites to collect their own votes. So someone could give Dean or Bush their vote, and then Dean or Bush could turn them into the election commision. It wouldn't be necessary to do that -- a central site makes more sense -- but wouldn't it be secure enough to let the candidates collect their own votes, with a realtime online election commision protecting against double voting?

If DigiCash is secure (and although it's been dead for a long time, I think it was considered secure), it seems like this should be secure.

The article is right when it points out that we have a lot of election fraud now -- it ought to be possible to improve things substantially.

Re:Why not use digital cash-like protocols?

[randyest]

Wait! Let's not dive into the good ideas just yet. First, someone needs to point out that the article author is a little confused on several key issues.

Got a hotel with perfectly good door locks and metal keys? Rip them out and replace them with computerized locks and swipe-cards.

There is nothing "perfectly good" about a lock whose keying needs to be changed every few days for liability and safety purposes. On-staff locksmitch or programmable locks? Hmmm.

These computer professionals say that accurately counted free elections are the bedrock of democracy. Voting, they claim, is too important to be done on a computer. The irony is delicious--it's sort of like group of doctors arguing for the return of leeches because the President of the United States is too important to be treated by modern medicine.

Oh boy. Even if this analogy were suitable (it isn't, obviously), there is still no irony here.

Because the voting is done on a large touch screen, they can use big fonts that are easier for the elderly to read.

Eh? How, exactly, is it easier to print big fonts on a screen than a piece of paper? I think the cost of paper varies less strongly with size than, say CRT and LCD technology.

They can even confirm the voter's choices on a second screen--which means that there would be no more elderly Jewish voters in Palm Beach accidentally casting their ballots for Pat Buchanan.

Oyve. Wow, two screens. Well, that sure represents carved-in-stone untemperable data to me. Regardless of the fact that the data could still be sitting in memory, not recorded permanently, and still quite subject to fraud or incompetence.

The [trojan or back-door] logic could be so well hidden that not even a careful review of the machine's source code would find it. This isn't as far-fetched as it might sound: Unauthorized features called "Easter eggs" are routinely hidden in commercial software, even software shipped by Microsoft.

(Emphasis mine). Bullshit! Careful review of source code finds as much as it wants to. And the example of "Easter eggs" in MS software is inappropriate since MS doesn't release source code.

paper is a fundamentally bad way of making and keeping accurate records. Paper is bulky and heavy. It can be hard to read something recorded on paper, no matter whether the marks were made by hand with pen-and-ink or by a computerized printer. Paper rips and gets jammed in machines. Paper dust gets everywhere. Eliminating paper, Selker explained to me, has the potential for dramatically improving elections.

WTF? And computers are less buggy than paper?!?! Help me.

"But what about all of the ways that you can hack the voting machines?" I asked him. Selker laughed. Politicians, he told me, have been hacking elections in America for more than 200 years.

Hahah, haha. Good pun. Now, seriously, what about all the ways that you can hack the voting machines?

thousands of Democrats, many of them minorities, showed up at voting places and discovered that they were no longer registered. Why? Because it's illegal for convicted felons to vote unless that right is specifically restored. Florida had recently purged the voting roles against a computerized database of convicted felons; tens of thousands of people were removed, some apparently in error.

Oh no, the felons couldn't vote. Whatever shall we do? Jeebus, I think I know the case in question, and the "some apparently in error" were 2 people with repeatedly rejected appeals. Not pending appeals mind you, flat-out rejections for appeal -- though apparently the felons claimed that was unfair. this is not the sort of election hacking that worries me.

Other techniques for stealing an election, Selker told me, are stationing tow trucks outside the polls to intimidate voters; setting up po

Re:Why not use digital cash-like protocols?

If the vote is trackable through the system today, but only by the originating party, then fraud would be rapidly exposed. If the voter's ballot is a key countersigned by the party receiving the vote upon voting, then anonynimity is protected, and all votes are provable in both directions.

This might not be a good idea. The basis for non-trackability of the vote is rooted in the need to remove incentive to buy votes. If somebody pays me to vote properly then he/she certainly wants the proof that I did vote as agreed. If the my votes happens to be trackable by me, then I can prove that I have cast my vote properly and claim the agreed sum of the money. If there is no such trackability, I can not prove or disprove that I have voted as agreed, so incentive is gone: cheaters know very well they too can be cheated, so they alwasy want solid proof.

Not all things are as simple as they seem. The way we vote today has developed through the last couple of centuries, and each piece neatly fits in the greater picture. There is always possbility of "hacking" the voting process, but in the long run it's hard to revolutionize something that has evolved through time to become what we know today as the act of casting a ballot. IMHO revolution in case of voting system isn't Good Thing.

Anonymous Cowards Unite

Redundancy, anyone?

[Empiric]

He mentions several ways that traditional ballot voting is just as 'hackable' as the electronic version.

Though, naturally, the distinction between manual ballot stuffing and computer ballot-stuffing (and the like) has similar differences as between bank robbery and embezzlement... the former usually leaves a lot more physical signature and is usually more easily traceable as to the "who's" and "how's".

update nationalvotes set candidatechosen = "Bush" where name like "%e%" ... could be hard to detect or trace, if there was a security lapse.

As an idea, how about having in effect two buttons for a given candidate, each of which hooks up to a completely different network run by a different company, then comparing the results between the two? It seems like this could go a long way to verifying accuracy and providing a traceback method for voting fraud.

Just a thought.

voting customs make voting insecure

[commrade]

The mechanism of voting must be ethically secure from all forms of fraud. Currently, there is no standard voting mechanism. Paper voting machines, long the standard, are cumbersome and inefficient. Electronic voting mechanisms are prone to fraud from outside interestes or from internal corruption.

To solve the problem of voting fraud at a mechanical level, many would seek to improve the mechanism. These voting machines are, at their core, computers. From touchscreens to punchcards to beans in a hat, voting machines are all computational devices. There are limits to the security/infallibility of any secret voting machine. The mechanism can be tampered with at too many levels. Any mechanism installed to monitor another anti-fraud mechanism could be tampered with as well.

The only solution that comes to mind is public voting. Public voting would be the case that you let your vote be associated with you. No more voting anonymously. This may seem like a great loss of freedom, but consider the increased power it gives the public. Votes could be counted and recounted by several independant parties after and during the vote. Being responsible and accountable for the vote that you make might seem like a liablity, but it may be a small price to pay for equal and accurate representation.

Why must it always include the internet?

[lordvdr]

Who says "the solution" has to include the internet in some or any form?
Put a kiosk in every grocery store, have it dial-up to a central server push/pull whatever it needs to. for practical purposes, you could have it do this every 30 min to save phone lines or something.
Alternately, have the kiosk connected to internet, but "hide" all IPs, this isn't a security through obscurity issue, this is because every stupid script-kiddie would DOS any "central" or even semi-central server.

And just as a side note, at least in Texas, stop w/ this bullshit about having to go to a specific location to vote. I have to drive half way across town to vote in "my district". Put the voter registration on the server as well, when I scan my barcoded AND (wtf?) magstriped DL through it, mark me voted. You can know what to pull up based on my voter registration.

Re:Paper ballot problems

[Brandybuck]

Well here in California some ballots were found floating is SF bay, and a ballot box left too long in the trunk of a pollworker's car. I don't have the facts, but I read it in several different local newspapers. No, I don't have sources, since I through out newspapers more than a week old.

But simple logic should tell you that after a few recounts in Dade county involving manual handling, the odds of unpunched chads becoming loose or even falling out, are not insignificant.

I also have experience on the latter. I spent a few months working for a major printing press that had the contract for the upcoming state primary elections for several states. All the ballots were punch-style. Loose chads were all over the floor at the end of the shift. Just sliding a ballot sheet over another would guarantee a chad dropping out. Fortunately there were a lot of QA procedures in place. Overall the damaged ballots would be an insignificant factor in an election. But when the 2000 Florida race was so close, that factor could make a whole bunch of people get their panties in a twist.