A Secure and Verifiable Voting System
meese writes "The cryptographer David Chaum, through discussion with top cryptographers such as Ron Rivest, has designed a secure and verifiable voting system. One of the goals of his design is that anyone can verify that votes were tabulated correctly. It's good to see real security/crypto people working on this problem. They also have a press release."
And about time, too. Too many rainy-day stories about e-voting.
Will there be people involved at any point? If so then it's not secure, however it may be verifiable.
"Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
Open source + Paper trail = secure voting.
How much longer till they figure this out?
Damn! Now there's no way I can become the president!
...would be as secure as an ATM and as verifiable as a blue screen. Anyone around here know any company that could deliver on such elusive goals? I'll keep dreaming till it happens.
I dunno, to me this still seems like another case of "if it ain't broke, don't fix it". Sure, it's nice to move to digital and save a few trees in doing so. But those dead trees leave a paper trail. And if people are incapable of punching out a hole next to who they vote for and making sure there's no hanging chads, do we really care about their votes that much?
I am a viral sig. Please copy me and help me spread. Thank you.
It clearly shows nonyAmous woCard voted.
but didn't work in 2000 did it?
Sounds like a good idea to me - similar to public-key cryptography applied to the voting process, but with the decoding possible from two places...
Simon
Physicists get Hadrons!
...is an awesome mathematician/cryptographer. I'm working on a project (on SourceForge, but it's not nearly far enough along for me to announce anything on /. yet) based on his digital cash system, and some other things he's done. Yes, I know it's patented, but it's really meant as a proof-of-concept type deal.
I just hope that if Chaum starts a company for his e-voting solution, it fares better than Digicash. IIRC, he wouldn't sell to M$ for $100M or to Visa for $40M, but ended up bankrupting Digicash and having to leave it. I'm not sure if I've got all the details right, so anyone's welcome to correct me.
I claim first use of "Error No. 0B" - or "No. 0B error." It'll be the new ID 10T!
Hmmm... Do you subscribe to the "Vote Early, Vote Often" theory? :)
I vote on Tuesday, personally...
There's so little difference between politics and jihad lately...
Require everyone to vote by law, no exceptions. Then assign everyone one .. wait for it a voting smartcard and bam hit the polls vote and see ... wait for it a real system of choices as the number won't be a lackluster 20 to 30% turnout and we may actually see some of these stupid laws not passed as your elected officials will do much more to keep those he/she represents happy
I vote (ha! get it?) that we just stick with paper and pen until we have more chance to discuss and develop alternatives. Just voting is key to any democracy, so tread lightly!
Visit the best Liberal Blog: DU
Now that you have a decent electronic voting system, you can start developing decent electronic candidates.
After all, if the choices are
1) Skynet takes over by force
2) Skynet takes over by vote
I, for one, prefer the vote method. Besides, could it really do any worse than the current leaders ?
Seriously, though, we might want to turn the running of day-to-day things over to an artificial intelligence someday in the future, because it would be less prone to stupid mistakes and corruption than humans, and because it would free us to think about the overall picture.
I wonder if, in time, we humans will form some kind of aristocracy, ruling over hordes of intelligent (but willess) machines...
I, for one, welcome our new artificial intelligence underlings.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
It's too bad this won't get any support, as it doesn't make politicians any profit. Maybe if they could promise Bush Ohio's vote, or line some pockets with green, they'll get some government backing. I think there should be a law against a politician having invested interest into the means by which they are elected.
Everyone is entitled to their own opinion. It's just that yours is stupid.
How in the world do you expect the penny ante politicians to get elected with an honest, secure system? More importantly, how is Bu$h supposed to get re-elected with a fair, impartial, secure and verifiable voting system? Fortunately, here in the good ol' US of A, we're free to choose a more politically useful system. ;)
You must be the change you wish to see in the world - Gandhi
The fancy printing seems a little complicated, and if you were to take the 'unreadable' copy and identify the individual 'pixels' printed on the paper, then holding up a patterned transparency which blocked the obfuscating elements of the image would reveal the real vote.
What if instead, the voter was given a printout of the MD5 of a combination of (digesting all of) everyone they voted for and their (the voter's) social security number? It would be nonsense to anyone looking at it, but if they needed to verify their vote, they could specify all of their choices and their ssn again, and get the same MD5.
The key is that it is an expensive operation to find an individual's SSN, then combine that with every permutation of who could be voted for, and match that with a printed MD5. You have reasonable privacy, and the ability to verify the vote. What more do we need?
The problem of being able to verify information and keep it private has long been solved by cryptographic one way hashes.
What do you think?
Celebrate Excellence!
Most lay people assume the voting system is secure simply by virtue of it being computerized.
I haven't looked at the spec for this yet, but I have to believe that this cannot be the answer, simply because most people won't be able to understand how this system is any different than the (electronic) one it replaces.
More than anything else, voters have to be able to trust that their vote is being counted. And there will always be talk of powerful interests being given backdoors or being able to skew the results using exotic technologies like quantum cryptanalysis.
The only sure way of a) having a legitimate election where b) everyone can know their vote was counted is by c) publishing all the votes.
Publish the votes. No batteries (cryptographic or otherwise) required.
Is this truly the only Earth I can live on?
prove they have an authentic receipt
audit the records
would also help quite a bit.
Now, even that still doesn't handle stuff like people voting twice. We'll still need to worry about stuff like folks using false/invalid ID and voting(which is pretty rare I would suspect, but give them time).
The fogies in Fla missed voting correctly by about a 1/4 inch. You just missed voting correctly by 24 hours.
You know what?
patent pending
patent pending
patent pending
Like, hey, who the hell does this Rivest guy think he is, and what (apart from this stupid "Ph.D" stuff in "Computer Science" or "Mathematics" or "Cryptography", such a small title he has) makes him think he's any smarter than Penelope Bonsall, who's got a way cooler title "Director of the Office of Election Administration at the Federal Election Commission".
Rivest's system is clearly unworkable. Where's the wining and dining of sales reps? Where's the backroom deals involving hookers and cocaine? Where's the vendor-lock-in? Where are the service contracts and extra government departments required to oversee them? Oh, sure, Rivest can lay the smack down on "where's the beef" when it comes to building a secure and verifiable electronic voting system, but where's the pork?
Don't get me wrong... the ability to verify that your vote is tabulated (which this system claims to do) is a good thing. But I keep reading endless articles about how just adding a "paper trail" to any voting system makes it magically all better, without addressing any of the security issues.
The mechanical lever machines many of us use don't generate a paper trail either, and you don't see anyone all up in arms about that. Besides, how many people will really hold on to their paper ballot (slashdotters not included), on the off chance that voting irregularities are discovered.
I'm not trying to troll here, but I really don't see that the paper trail is all that important. Instead, there should be a push to developing and certifying an open source voting system that can be trusted. If that includes a verifiable paper trail, all the better.
Beauty is in the eye of the beerholder.
I like the idea of being able to verify that my vote counted, but how will everyone being able to verify their vote stop dead people from voting?
Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
shouldn't it be \. so the slash leans to the left like most of the readers?
With YRO posts about Voting and politics you think someone would come up with a politics website for slashdot readers. (No, not the EFF)
Move to New Hampshire, the free state, and set this up. I know, voting procedures and libertarianism are two different topics. But they are related in the sense that they are both progressive attempts to reform government. Perhaps it would be easier to advocate such a project in a free New Hampshire (should the Free State project succeed) than elsewhere. Just a random thought.
--Lawrence Lessig for Congress!
We'll know that this is a real and secure voting method just as soon as all the incumbents and lobbyists come out and blast it as "dangerous" and find some way to connect it to terrorism.
From the press release:
Once the logistics of getting every registered US voter into a single large room have been sorted out, we believe our system offers a foolproof system for counting votes.
How are they going to see the guys in the back? They didn't address that issue.. binoculars perhaps? I think leaving it up to the states is a much better idea.
So they decided not to use Microsoft?
The original generic sig.
Game Over!!
Insert Coin
stop supporting microsoft with pirating their software!!!!!
Here's what we need...
A touch screen voting booth that lets voters select the candidates they want.
After the voter casts their vote the booth prints out a ballot that's a machine readable scantron sheet.
The voter checks to make sure that the candidates they selected are recorded on the ballot and feeds it into a scantron reader. It's this machine that actually records the voter's vote.
This way not only do we get the benefit of a machine count but a paper trail to boot.
It appears from a quick read that the guy behind this has patented about every form of limited traceability and other feature one could think of. If any of this proposal is patented it should be ruled out instantly.
If all the "trustees" co-operated, it seems information could leak. In today's age of FBI power, one must assume that all "trustees" are breakable.
I'm also a fan of simpler systems that are slightly more user understandable.
AOL News is doing a follow-up article
Click Here to see it
Tee hee
I like your idea, but neither the system in the article nor the system above you mentioned would work in a real life voting scenario. Given all the press surrounding e-voting and messed up votes, it's apparent that voting machine operators can't compute their way out of a paper bag. Yeah, you might say votes got messed up because someone hacked the boxes...that might very well be true, but a large amount of votes are lost or tainted simply because of OPERATOR ERROR.
Now someone is proposing a solution that sounds unworkable. Cryptographic keys? MD5 sums? C'mon, this is voting we are talking about. People are going to be leery about voting using devices they can't take the time to understand and therefore aren't going to vote!
here's my solution:
Touchscreen voting is fine, but have the vote be transferred from a computer screen to a punch-card ballot. machine accuracy will eliminate hanging chads. all the software will be open-source, auditable, etc. if counted by hand, great, if counted by optical scanner, make sure the software is open source and the votes are tallied in a way that leaves no room for tampering. this is all common sense. no need for complicated solutions.
people should understand any new voting technology instantly. public education campaigns will leave many people in the dark and those people will probably be poor people and one party or the other will claim that group as an important portion of their electoral base, all heck will break loose, etc.
How do you know it's the same? No one reloaded it while your back was turned?
Yay me!
Even if there is an open audit of the source and a paper trail, most of the candidates will still request a recount of the ballots by hand. Call me a bit old-fashioned, but I still believe that the best way to hold an election is to do it on paper rather than on a computer. Even the most secure open-source OS can have security holes....
"shouldn't it be \. so the slash leans to the left like most of the readers?
With YRO posts about Voting and politics you think someone would come up with a politics website for slashdot readers. "
Look! Someone did!
(It's just a joke, mods, chill out ;) )
-- "Government is the great fiction through which everybody endeavors to live at the expense of everybody else."
With this system how are they supposed to fix elections? This will never work.
in a workshop held here in Brazil (Alfred Menezes and Darrel Hankerson were the other lecturers). Folks, the system is perfect. There's nothing to complain about it -- laymen can check that their votes were counted through so-called `visual cryptography' (an idea of Adi Shamir IIRC), while everything else you'd expect from a secure and reliable voting system is provided. One can only hope that this is deployed somewhere, but I'm not holding my breath.
Read the paper, it's really jawdropping. Cryptography at its finest.
Join the NFSNET. Our prime goal is making little numbers out of big ones. http://www.nfsnet.org/
I wrote this before the evote thread came out and posted it to the spam thread... and lo and behold it appeared here.
I pressed the button for the democrat, like 55% of all voters did, and somehow the republican won. But computers can't make mistakes and people who irresponsibly suggest that they could are just luddites!
1. Paper Ballot
2. Pen or pencil
3. Assistance for the statistically insignificant minority physically unable to use aforementioned.
4. Monitoring of ballot transportation and counting by anyone who cares to do so.
Any problems with that? Sure. But the system as a whole compares favorably to pretty much every other proposal and *their* inherent drawbacks.
The only thing I would add is perhaps giving each ballot a number, then later publishing the results on-line (i.e., ballot number such-and-such registered the following votes ... ).
Not very sexy, but there you go.
Folks can still vote multiple times if they get more than multiple registration cards. Dead people can still vote. Illegal aliens can still vote (i.e. someone can get a driver's license with Mexican ID - and then get a voter registration card).
The main thing the Chaum proposal handles is fraud by a few people via voting machines. Fraud by election officials using lower tech mechanisms would be more difficult-but still possible.
They say this is encrypted with a one time pad, and is therefore secure. Where does their OTP come from?
They're using public key encryption. But, one concern with PKE is that if you are trying to communicate one of two messages (Republican or Democrat) then you're only going to get one of two results. I suppose they could add some randomness to the encrypted names, but that might cause problems further down the road.
After several transformations, it looks like they want to get something that's human-readable, for the final vote tally. That will be subject to being mis-read, just like anything else. Perhaps more-so.
They give you a receipt with a bar-code. Supposedly this can be used to prove you voted, but not who you voted for. So you can confirm your vote was counted, but not that it was counted correctly. What happens if someone disputes how their vote was tallied?
The point of the two-receipt system is that it's easily verifiable in the booth, but impossible to verify outside. That means that any random voter can look and, instead of a long number to verify, they just see the text of who they voted for.
The single receipt cannot be decoded as you suggest -- each pixel is utterly random. There will be no pattern to detect, within the limits of pseudorandom numbers.
That works because the two receipts basically perform an XOR. Each pixel is either
XO or OX
OX XO
Call the first '1' and the second '0'. Then 0^0 = partially clear, and 1^1 = partially clear. 0^1 or 1^0 = fully black. When you're printing a pixel, then, you completely, utterly randomly select 1 or 0 for one receipt. You then print either the same, or the opposite, on the other. There is no pattern whatsoever from pixel to pixel, and once half the receipt is destroyed, it is quite impossible to read the other half.
The problem with the system you propose, by the way, is that anyone who had your SSN and MD5 hash could relatively quickly determine the choices you made just by trying all the combinations. If I was buying votes, I could tell you what choices to make, and then demand my money back if I couldn't reproduce your MD5.
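The two-sheet XOR scheme described in the comment above, as an added example that is not part of the original post and not code from Chaum's design. It follows the comment's simplified description; the sample image and all function names are constructed for illustration.

```python
import secrets

# The two 2x2 sub-pixel patterns drawn in the comment (1 = ink, 0 = clear).
PATTERNS = {
    1: ((1, 0), (0, 1)),  # "XO / OX"
    0: ((0, 1), (1, 0)),  # "OX / XO"
}

# Constructed sample image standing in for the printed name of a choice.
SAMPLE_VOTE = [
    "#..#.###",
    "#..#.#..",
    ".##..###",
]


def to_bits(rows):
    """Turn '#'/'.' art into rows of 1/0 message pixels (1 = dark)."""
    return [[1 if ch == "#" else 0 for ch in row] for row in rows]


def split_receipt(message):
    """Return (top, bottom): top is fresh randomness, bottom = top XOR message."""
    top = [[secrets.randbits(1) for _ in row] for row in message]
    bottom = [[t ^ m for t, m in zip(t_row, m_row)]
              for t_row, m_row in zip(top, message)]
    return top, bottom


def ink_count(bit_a, bit_b):
    """Number of inked sub-pixels (2 or 4) when two printed pixels are stacked."""
    pa, pb = PATTERNS[bit_a], PATTERNS[bit_b]
    return sum(pa[r][c] | pb[r][c] for r in range(2) for c in range(2))


def overlay(top, bottom):
    """Read the stacked sheets: fully black (4 inked) = 1, half clear = 0."""
    return [[1 if ink_count(t, b) == 4 else 0 for t, b in zip(t_row, b_row)]
            for t_row, b_row in zip(top, bottom)]


def layer_explaining(kept, claimed):
    """Build the missing sheet that would make `kept` display `claimed`.

    Such a sheet exists for every claimed image of the same size, which is
    why the sheet the voter keeps says nothing about the vote on its own.
    """
    return [[k ^ c for k, c in zip(k_row, c_row)]
            for k_row, c_row in zip(kept, claimed)]


def render(layer):
    """ASCII print-out of one sheet, two text lines per pixel row."""
    lines = []
    for row in layer:
        for sub in range(2):
            lines.append("".join(
                "".join("X" if v else "O" for v in PATTERNS[bit][sub])
                for bit in row))
    return "\n".join(lines)


if __name__ == "__main__":
    message = to_bits(SAMPLE_VOTE)
    top, bottom = split_receipt(message)
    print("sheet the voter keeps:\n" + render(top))
    print("stacked sheets show the vote:", overlay(top, bottom) == message)

    # The same kept sheet is equally consistent with the inverted image.
    inverted = [[1 - m for m in row] for row in message]
    fake_bottom = layer_explaining(top, inverted)
    print("kept sheet also fits another image:",
          overlay(top, fake_bottom) == inverted)
```

Every pixel on a single sheet carries exactly two inked sub-pixels whichever bit it encodes, so sheet density reveals nothing either.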
I'm not a dumb guy, but this system is WAAAY too complex. That will prevent it from ever being adopted, as people would much rather have a fallible system they understand than an infallible system they don't understand.
And, it's just way too much work to actually count the votes. Unless I'm reading it wrong, he's talking about having a video of each transformation step of each ballot, and then ensuring the security of the voting process by auditing half of the videos for each step of transformation process. With about 100 million votes per presidential election, that seems rather expensive.
Especially when there are much easier solutions: Have the machine print a ballot, put the printed ballot in a box. When the polls close, count the ballots. Let's remember that the problem we're trying to fix is the inability to read what a ballot says. That's it. So, fix THAT problem, and leave everything else that works alone.
paintball
Oh big media can't instantly report the winner, that's right.
Somehow that's a bad thing.
Scantron type cards would deal with that and the ballot is human readable.
We don't need expensive, complicated machine voting when cheaper technology exists.
Just because you can do a thing doesn't mean you must.
I still say paper ballots are more tamper resistant.
If you don't like what I write don't be a CS and mod it down. Refute it.
Yea I can't spell. So what is your point?
Incidentally, most of the alternative suggestions offered by slashdotters seem to compromise the secrecy of the ballot. Secrecy might not seem important to the average slashdotter, but it is important if your family will disappear when you get caught voting for the opposition.
Something tells me that we won't ever see this in real life. It'll turn out to be just another "perfect world" scenario that'll turn up in some optimist's futuristic fiction. Living in Iowa, I have had the (mis)fortune of meeting virtually every presidential candidate since I started voting. In the political arena, the citizens of my state have some power, too bad most of them are elderly farmers who rarely watch anything besides the local news. It will take a state who sees that Open Source and Verifiable are the ONLY way to go. I'd love to see this happen in Iowa, but with all our youth leaving, that might be hard. Thankfully, I live in Iowa City (see previous link). All you fellow Iowans out there! Call your state representative! Let's show the country how great electronic voting can be!
but if they needed to verify their vote, they could specify all of their choices and their ssn again, and get the same MD5.
They do *not* want you to be able to verify how you voted, because then you might be *forced* to verify it. What they're trying to do is give you a receipt that you have delivered a valid vote, and that this vote can be verified as having been counted, without revealing which candidate the vote was for.
The reason for this is simple - with manual counting, you need to involve a lot of people around the country to reasonably affect the vote. With an electronic count, who's to know if you simply replaced the final numbers?
Unfortunately, it's more difficult to show that your vote is a subset of a group (the total votes) than it is to make a 1-to-1 mapping. It sounds quite smart from the brief read-through I made, but yes, I wouldn't make any hasty decisions.
Kjella
Live today, because you never know what tomorrow brings
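The MD5 receipt proposed earlier in the thread, worked through as an added example to show why a receipt the voter can recompute is also one a third party can check (not code from any poster or from Chaum's design). The ballot, the placeholder SSN, the field encoding and the optional nonce are all assumptions made for illustration.

```python
import hashlib
from itertools import product

# Constructed ballot: race -> options. Not taken from the page.
RACES = {
    "President": ["Candidate A", "Candidate B", "Candidate C"],
    "Senator": ["Candidate D", "Candidate E"],
    "Measure 1": ["Yes", "No"],
}
SAMPLE_SSN = "000-00-0000"  # constructed placeholder, not a valid SSN


def receipt(choices, ssn, nonce=""):
    """Assumed encoding: MD5 over the choices, the SSN and an optional nonce."""
    data = "|".join(choices) + "|" + ssn + "|" + nonce
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ballot_space(races):
    """How many distinct complete ballots exist for this set of races."""
    size = 1
    for options in races.values():
        size *= len(options)
    return size


def ballots_matching(receipt_hex, ssn, races, nonce=""):
    """Every complete ballot that reproduces the receipt for this voter."""
    return [combo for combo in product(*races.values())
            if receipt(combo, ssn, nonce) == receipt_hex]


if __name__ == "__main__":
    vote = ("Candidate B", "Candidate D", "No")

    # Plain proposal: the SSN is the only secret, and the search space is
    # just the number of possible ballots.
    printed = receipt(vote, SAMPLE_SSN)
    print("possible ballots:", ballot_space(RACES))
    print("ballots matching the receipt:",
          ballots_matching(printed, SAMPLE_SSN, RACES))

    # Adding a per-voter random nonce stops a stranger from enumerating,
    # but the voter still holds everything needed to recompute the hash,
    # so the receipt remains a proof of how they voted once they hand the
    # nonce over. That is the property the thread says the design avoids.
    nonce = "constructed-nonce-value"
    salted = receipt(vote, SAMPLE_SSN, nonce)
    print("without the nonce:", ballots_matching(salted, SAMPLE_SSN, RACES))
    print("with the nonce:   ",
          ballots_matching(salted, SAMPLE_SSN, RACES, nonce))
```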
It may be mathematically provable, but it lacks the "common sense" aspect that would allow the adoption of such a system. It tends to be better to use technology "under the hood" where it works as one would expect, but is resilient to attacks on the inside. I described a system I believe would work in the last story on voting machines.
Javascript + Nintendo DSi = DSiCade
David Chaum looks like Jon Lord from Deep Purple
Hey, buttbreath! How about warning people that you're linking to a pdf!
I hate Adobe; their shit takes soooo long to load and display.
In a secure legitimate election?
Carol Mosely Brown?..Kucinich?...Edwards?
He is popular there is a war on and the opposition is?
"The President in particular is very much a figurehead - he wields no real power whatsoever. He is apparently chosen by the government, but the qualities he is required to display are not those of leadership but those of finely judged outrage... Very very few people realize that the President and the Government have virtually no power at all, and of these few people only six know whence ultimate political power is wielded. Most of the others secretly believe that the ultimate decision-making process is handled by a computer. They couldn't be more wrong."
Actually I was thinking of moving to Iraq. I hear it's going to be this great, secure, free country any day now.
presumably, they will be doing the voting.
I tried to read the article and hopefully I am mistaken but would appreciate some comment on this.
It seems that you are deprived of the ability to reproduce your vote outside the booth by separating the information into two pieces either of which is illegible/useless by itself. However, with the cellular phones taking digital pictures nowadays, could you not essentially take both of them with you if you want?
If this is true then further security is needed to ensure that although you choose one of the two equally valid pieces, you cannot reach the other one at all. This, btw, can be done cryptographically.
ato
Let's have equal time for these partisan conspiracy theories on /.
Oh, sorry.
Look, I'm not a very smart guy. Actually, I'm socially backward, and I spent a lot of my youth drunk. For myself, I would rather be relaxing on my Texas ranch. However, my father told me to help his oil and weapons buddies get rich.
There's no way I'm going to be elected again without Diebold's and my brother's help, and maybe the Supreme Court's help. So, please, let Diebold be bold. Hehee.
-- G. W. Bush
I Tivo Monday night football, personally.
Is that it takes too long to count them all. With a computerized system, it can be quick and accurate. Eliminate the volunteer ballot counters and you eliminate the human error. 10,000 ballots must begin to look the same after a while.
After all, computers do not lie, unless you have the Pentium chip FP bug.
I don't think it would be that difficult to actually increase voter turnout, but people have to actually want to increase turnout. Politicians don't want to do that because then voters are far less predictable. The 30% of people who actually do vote fall into nice categories that are convenient for pollsters and campaigners. If politicians know they only need to convince upper middle class 60+ year olds, their jobs are easier.
"Automate a mess and you get a really fast mess".
The whole "voting systems" thing is just soooooo wrong and silly.
The issue is what people want. Address that, THEN work on how to record what it is they want. Sound IT projects start with objectives, not technologies.
Let me suggest that Americans modernise the voting system before automating it. As it stands a candidate with 30% of the vote (that is, NOT wanted by 70% of voters) can win because all the others get less than 30%.
You need optional preferential voting - so that someone can vote "1" (first preference) for the most preferred candidate (say, Nader) and if that preferred candidate doesn't get over 50%, that voter's votes are added to the candidate designated "2" (second preference - perhaps Al Gore in this example).
Different outcome because most people did not want Bush (on other occasions perhaps most people didn't want Clinton).
Hey, there could even be multiple candidates from the same party - let the PEOPLE choose not the party machines (and don't tell me that Primaries do that - pah!)
My personal tweak is to have an option called "none of the above" (NOTA). If candidate NOTA wins you have another election with none of the first bunch of turkeys allowed to stand.
Why punish Germany? Have him go to France instead!
Why spend all this time, money, and effort on such a small problem? Yes, all mechanical systems are going to have some error rate, but that error rate can be (and generally IS) minuscule. The only time error has the potential to change the outcome of a vote, even under the most poorly designed systems, is when the actual vote is extremely close. What's more, this mechanical error is essentially RANDOM, in other words, it's not likely to be biased towards one side or the other. Somehow to talk about this changing the "will of the people" strikes me as an extremely hollow complaint.
Do NOT confuse mechanical error with HUMAN error on the part of the voters (as in the case of Florida in 2000 "voting" for multiple candidates). It is very possible to design a mechanical system to make these sorts of HUMAN errors extremely rare (which are generally pretty exceptional in the first place); electronic voting generally provides no better assurances that this cannot happen. Even where HUMAN error occurs, unless you believe certain groups of voters are innately dumber or more naive than other groups, this error can largely be made irrelevant by ensuring consistency in voting methods across all counties at far less cost and trouble than these electronic systems.
It's too early to really comment on this particular system, but as a general rule it comes out for me like this:
a) Face random error (0.3%) that comes with mechanical voting systems, without very little possibility for widespread fraud.
b) Face no random error but accept the potential for massive fraud because of the very electronic nature of it. In other words, a small group of people who are smart or powerful enough could potentially alter the votes enough to put a candidate who is otherwise unelectable (e.g., some wacko on the far left or far right). These problems are unique to electronic voting. The integrity of the mechanical voting as a whole can be verified and audited by someone with modest intelligence. Either the lever swings and punches a HOLE or it does NOT--they are not complicated devices. All this at the cost of billions of dollars! WHY?
No group is apt to benefit or be hurt statistically by spending the money on this (fixing the other problems is a different argument). So why bother, particularly when it increases the risks of some fringe group rising to power?
It publicly debuts in beta next month! And it's open source and voter verifiable. It's on SourceForge right now if you want to look. See EVM2003 or open voting. By the way they still need more developers, testers and documentation writers. Also they need financial backers to package finished systems with tech support for the end users.
Some drink at the fountain of knowledge. Others just gargle.
The problem is that if laymen can check that their votes were counted after the fact, it is possible to sell your vote and let a 3rd party check on this as well. Any design where you keep the receipt is flawed.
Laymen can check that their votes were counted correctly after the fact. However they can not check what their vote actually was, so a third party can't verify that the layman voted the way they wished.
This is accomplished by printing two receipts which combined form an image of the voter's vote, but separated are random as in a one time pad encryption scheme. The voter is required to surrender one of these receipts for destruction, retaining an almost random sheet, which is uninterpretable without the possession of a large number of private keys.
The voting machine can only forge one of the sheets (either internally or externally) and still record a recordable vote. The chance of it being detected is 50% either way, so to forge a mere 32 votes, the machine would have a 1 in 2^32, or one in 4 billion chance of going undetected.
Similarly every trustee who holds private keys for the interpretation of votes has only a 50% chance of tampering with one vote, and having it be undetected by the other trustees, and has only a one in 4 billion chance of getting away with tampering with 32 votes. Similarly a collusion of all but one of the trustees has only a 50% chance of being undetected tampering with one vote, and has only a one in 4 billion chance of being undetected in tampering with 32 votes.
As soon as you think you've mastered the alphabet, they go and add all these extra little letters.
-- A proud patriot who doesn't vote.
Instead of trying to computerize the normal voting process, why not try to find a way people can vote on issues from local govt. to presidential elections from their own house (or public libraries)?
Of course a few things will have to be kept in mind, like preventing multiple voting, verifying if a person voted or not, and not storing who voted for whom. If this cannot be done, has someone actually PROVED that this cannot be done online?
The proposal allows a VOTER to verify that their vote was properly cast and recorded.
There is no protection for a candidate.
With physical ballots, a candidate can ask for a recount of those ballots.
As far as I can see, under this proposed system, you either accept the word of the computer, or you try and round up the anonymous (out-of-district or out of state) voters and ask them to please check their ballots.
Snowball I can vote with impunity. Indeed I can add as many votes to the machine record as I want - I can have the machine churning out thousands of votes per hour, shred both copies, and just make sure the legitimate votes are also included in the tally.
The proposal addresses completeness (all votes are recorded), accuracy (the votes are correctly recorded, or can be verified as having been so) BUT only by the voter - NOT the candidate who has to trust the machine or hope a voter picks up a fault.
Validity (only proper votes are cast) is not addressed. Unless I'm missing something.
Recycle PCs and build a wireless community network www.hillsborough.org.nz
After all, if the choices are
1) Skynet takes over by force
2) Skynet takes over by vote
I, for one, prefer the vote method. Besides, could it really do any worse than the current leaders ?
Don't blame me, I voted for HAL-9000!
Cheers,
IT
Power corrupts. PowerPoint corrupts absolutely.
If anybody is interested in an unbiased (though incomplete) overview of this area, here is a congressional report on the topic
http://www.epic.org/privacy/voting/crsreport.pdf
They will also be candidates. Now we're doomed!
Infuriate left and right
I would trust that Diebold vote-counting machine
if (a) it was open-source, (b) the software wasn't updated after certification,
and (c) it isn't attached to any network (write CD's or something to get the tallies out midstream).
The counting task is simple, and very amenable to computerization.
The shipping of a verifiable paper trail for purposes of a recount is what the suggested method adds.
Actually, I think recounts should be standard procedure: send the tallies from the precincts to satisfy the news hounds, then re-do the entire tally AGAIN the next day and verify that the results are identical.
As it happens I discussed Chaum's system just today on the Voting-Project mailing list. I guess I might as well quote myself:
Buy Text Processing in Python
Damn, I really like the idea of mandatory recounts. You could even mandate separate computers and even a completely different software package be used for the recount. Wouldn't that give confidence to the populace? Great idea.
can only be obtained iff either no one is able to access it or it is removed from the hands of machines. ALL other security methods may be compromised, and even these are not fool proof. They are just more fool proof.
Yes, a Secure and Verifiable Voting System, I've got one. It's called VOTING ON A FRIGGIN' PIECE OF PAPER!
If it ain't broke, don't fix it!
The system as a whole allows
- each voter to verify that their vote was "cast as intended" (i.e., what's got into the ballot box hasn't been corrupted on the way); and
- anyone at all to verify that the tally was "counted as cast", i.e., is an accurate sum of what's in the ballot box
All, naturally, without violating the voter's privacy. This means that, apart from denial-of-service problems, it doesn't really matter what software is on the machine in the polling place -- if the voter was able to confirm that their ballot was "cast as intended", then by definition the machine did the right thing.
That's it. Macrocomputers.
People can use the old punch-cards most places already have. After the polls close, the cards can be submitted to the mainframe operator for overnight batch-processing. The elections officials can pick up their printed results in the morning.
Best part is, there's only a need for about five of these mainframes in the whole world!
We just had our municipal election in Toronto.
You get this big piece of paper with all of your choices, and a big arrow next to each name, like this:
- -> David Miller
You fill in the gap in the arrow and then put your paper inside a cardboard cover so nobody can see your choice.
The election volunteers put your cardboard cover onto this fax-like machine that sits atop a large box. The machine takes the paper, reads your vote and drops the paper into the box.
It's straightforward, it's electronically counted and there's a full paper trail. The equipment is simple and reliable, and if there's a dispute the paper records can be counted right there.
The US Army: promoting democracy through unquestioned obedience
Ah. I see you are the finest breed of American; one who cherishes the finest values of this country, such as respect and tolerance for all opinions. Truly, what a fine American you are!
I've talked to David Dill about this. He considers cryptographic solutions to be too complex for the real world. I tend to agree.
Printers are more practical. If you have two printers, and the voting machine chooses one of them randomly, the receipt can be displayed to the voter behind a window, then wound onto a takeup roll, without compromising voting anonymity. With receipts on a roll, a recount is possible either manually or with a suitable scanner.
If you're willing to accept a sequential vote log (which has some privacy implications), just videotaping the touch screen images would give a good log. Put a VGA splitter on the line to the touch screen panel, run the output through a VGA->NTSC converter, and pipe the output into a recorder. Preferably an analog VCR, one too dumb to do anything to the video. This can be recounted by hand (slowly), or by computer means (checkable by viewing the tape). Also, because you get to see all the user interaction, you can find out if voters seem to be having problems.
The video solution gets rid of the paper handling problem. People are comfortable with VCR technology.
You yanks are crazy when it comes to voting! Why do you need to have a machine count the votes? Why can't you standardise the way you vote across the country?
Here in Australia we all vote the same way - *everyone* has to go to a polling place and line up. You have your name marked off the roll then you take your ballot papers into a booth and write your preferences for candidates in boxes that are clearly alongside each candidate's name, with candidates listed vertically so you don't get confused as to what box belongs to which candidate.
You then fold the ballot paper in half so that no-one can see your vote and place it in the appropriate sealed ballot box on your way out of the place. There are independent observers for every step apart from when you're actually inside the booth voting.
No-one but you gets to see your vote. There are no issues with invalid votes and hanging chads. If you don't want to vote then you donkey it. (Don't fill in the ballot paper or scribble your manifesto on it or tell the PM to bugger-off or something.)
At the close of polling the ballot boxes are taken to the counting place, where multiple people count the votes whilst under observation. If everything matches and nobody is upset about anything then the votes are added to the tally.
So except for in the case of a close election (where they have to wait for postal votes to come in) we know who the winners are by the end of the night.
There's no machines to break-down or be tampered with. It's that simple. The only reason for doing it without paper is that it's faster and possibly cheaper. Democracies aren't the most efficient or cheapest ways to run a country, but bloody hell - I wouldn't have it any other way!
For anyone who is interested in this stuff, there will be a conference on voting transparency at Swarthmore College on December 6th (called Choosing Clarity). See http://clarity.sccs.swarthmore.edu/ for more information. The symposium is free of charge and it is open to anyone who wishes to attend.
It's clear that many people have either not read the paper or have misunderstood the proposal. Here's my attempt at a brief description of how and why the scheme works.
VOTING
(1) The voter makes a choice at the voting machine.
(2) The voting machine prints out a partial receipt showing the voter's choice and the voter verifies that the partial receipt is correct.
(3) The voter makes a choice as to whether to keep the top part or the bottom part of the receipt.
(4) The voting machine completes the print-out of the receipt by adding a serial number (used for verification purposes) to the bottom.
(5) The voter tears the top part from the bottom part, keeps the part they picked in step (3), and gives the other part to an official who destroys it in the presence of the voter.
Only the non-destroyed part of a receipt is stored digitally. This information is used for verification and counting and is made public on the web.
The top and bottom parts of the receipt are printed on transparent plastic; individually they show just random dots, but when superimposed they reveal an image showing the voter's choice.
A one-time pad is used to construct the parts of the receipt (the counting process has the other copy of the OTP.)
The random choice by the voter as to which part to keep means that a compromised voting machine can always be spotted.
VERIFICATION
Possession of one part of a receipt is sufficient to prove the legitimacy of the receipt, but not to identify the voter's choice (only the counting process, with the OTP, can reconstruct the original ballot.)
After voting, a copy of the non-destroyed part of each voter's receipt is published on the web. A voter can verify that their receipt and the one on the web are the same (and hence that their vote will be counted.)
COUNTING
A pipeline of independent trustees processes the digital receipt-parts, with the final stage of the pipeline producing the original, readable complete receipts, from which the tally can be made.
(In essence, the OTP used to construct the original, complete receipts is itself encrypted and distributed among the pipeline stages.)
Each receipt part at each stage of the pipeline has a 50% chance of being audited. Provided there is not complete collusion between the pipeline stages, corruption is exponentially likely to be detected. The auditing procedure never reveals enough information to work back to a particular voter, hence anonymity and integrity are both assured.
Full details are, of course, available in the paper...
Like going to Church on a Thursday or getting laid on a Monday...
There's so little difference between politics and jihad lately...
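A simplified model of the receipt described in the comment above, added here as an illustration and not taken from Chaum's paper or from any poster. It assumes the two layers can be modelled as a one-time pad and ballot XOR pad (byte strings instead of printed dots), and that a machine altering a vote must falsify one layer before the voter picks which to keep; all function names are hypothetical.

```python
import random
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR; stands in for superimposing two transparent layers."""
    if len(a) != len(b):
        raise ValueError("layers must be the same size")
    return bytes(x ^ y for x, y in zip(a, b))


def split_receipt(ballot: bytes) -> tuple[bytes, bytes]:
    """Return (top, bottom): top is a fresh one-time pad, bottom is ballot XOR pad."""
    pad = secrets.token_bytes(len(ballot))
    return pad, xor(ballot, pad)


def superimpose(top: bytes, bottom: bytes) -> bytes:
    """What the voter sees in the booth when both layers are still together."""
    return xor(top, bottom)


def complement_for(kept_layer: bytes, claimed_ballot: bytes) -> bytes:
    """The destroyed layer that would make kept_layer display claimed_ballot.

    Such a layer exists for every ballot of the same length, which is why
    the kept half alone says nothing about the vote.
    """
    return xor(kept_layer, claimed_ballot)


def undetected_probability(tampered_ballots: int) -> float:
    """Chance that every tampered ballot escapes its voter's 50/50 check."""
    if tampered_ballots < 0:
        raise ValueError("count must be non-negative")
    return 0.5 ** tampered_ballots


def simulate_tampering(tampered_ballots: int, trials: int, seed: int = 0) -> float:
    """Fraction of simulated elections in which no tampering was noticed.

    Assumption: the machine falsifies exactly one layer per tampered ballot
    and must pick it before the voter's choice in step (3).
    """
    rng = random.Random(seed)  # seeded so the run is reproducible
    undetected = 0
    for _ in range(trials):
        caught = False
        for _ in range(tampered_ballots):
            falsified_layer = rng.randrange(2)  # machine's earlier commitment
            kept_layer = rng.randrange(2)       # voter's later choice
            if falsified_layer == kept_layer:
                caught = True
        if not caught:
            undetected += 1
    return undetected / trials


if __name__ == "__main__":
    ballot = b"CANDIDATE B"  # constructed sample ballot
    top, bottom = split_receipt(ballot)
    print("superimposed:", superimpose(top, bottom))
    # The same kept layer is consistent with a different ballot as well.
    alt = complement_for(top, b"CANDIDATE A")
    print("alternate reading:", superimpose(top, alt))
    for k in (1, 10, 36):
        print(k, "tampered ballots ->", undetected_probability(k))
    print("simulated, k=1:", simulate_tampering(1, 20000))
```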
That article had lots of detail about the mechanics of the printing system but very little description of overall architecture.
The gist is that the voter's choices are printed out in a visually readable form on two surfaces laminated together. The printing is done in such a way that one half can't be read without the other and one of the two sides has to be left at the polling place.
I didn't understand the part about being able to scan the one you take with you to verify it was valid and later verify that it had been counted. What exactly are you taking away? Is it equivalent to a signature/digest for the vote, or is it an encrypted form of the actual vote, or simply a form of the vote that is only readable by machines? How do you know the system recorded the same vote it displayed to you?
The only paper in this system is taken with the voter so what gets stored electronically in the voting system? Is it the same data as what the voter took with them? Is it Encrypted? Signed? Both? How can you make it so people can see that their vote has been entered without letting anyone ever find out what that vote was?
Why can't we just print out a ballot with an MD5 hash of the choices in a tear-off section at the bottom? Have a machine read the ballot we printed out and display the MD5 to us. We check the MD5 against the part we tore off to know that the vote was generated and scanned properly. We can then take the MD5 with us and can check for that MD5 in the results when they are tallied. Add a secret key into the mix before the MD5 and you can't figure out what was voted for from the MD5 you take away.
What is the difference between a simple MD5 based system and this one?
set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
The proposed system addresses your concerns, and others that you are blissfully unaware of.
1. The receipt does not allow anyone to determine how you voted. To figure that out, you'd need every single private key used by the election "trustees".
2. You can verify that your vote was not tampered with, and that it was included in the tally as you cast it.
Your suggestion requires that we blindly trust the counting and transmission and final tallying of the votes, and that no one can tamper with or substitute sealed ballots. In addition, there would be no traces of tampering if it occurred, and there are no means for anyone to verify the correctness of the voting process without a manual recount. In other words, it isn't any more secure than the systems in use today.
If you read (and understand) the article, you'll realize that the complexity is worth it -- it guarantees that any single altered vote will have at least a 50% chance of being detected. Tamper with more than a few dozen, and you're more likely to win the lottery than to get away with it undetected.
If the system lives up to its claims then this is unprecedented, and far better than any voting system we have had to date.
Just a quick idea, critique at will:
How about they get say 3 or 4 different companies to each make a voting machine completely independently of each other. Each machine does the same thing in terms of the initial input and the final output, but the coding between these two points would be different because they are each made independently. Kind of like the three or more computers which I believe control the Airbus to help ensure that if one of the machines goes wrong the remaining two computers outvote it.
When Grandma and Grandpa get presented with the choice of layer, they're not going to understand what it's about, and many of the electoral officials I've met, after being asked for the third time will end up responding with "just press 1" which will destroy that random element, so errors could then occur on the 2nd layer, with a much higher likelihood of going undetected.
Also, given that as far as most people are concerned, the choice is completely meaningless, is there really a 50% chance of both being picked? Or would people be more likely to just go with the first option they're presented? Anyone know the statistics for this?
Did you read the article? This method covers every one of the issues you raise and solves them using the most innovative math/technology I have ever seen.
The receipt is readable until you leave the booth. It is verifiable later. You can make your receipt readable when the official data is posted on a web site after the polls close. You can verify that YOUR votes were included in the final count. It does all this while preserving your privacy.
It is an amazing tour de force in cryptology. Everyone should read this paper.
Rob:-]
you would see these issues addressed and solved.
I agree with what you said except for the part about the "pseudorandom numbers". They said that they use a truly random one-time-pad. This is totally, provably unbreakable.
We already know our votes are not all being counted. Remember Florida in the last presidential election?
If, as you say, most lay people assume the computerized voting system is secure then they will think this one is too. The difference is that this one WILL actually be secure. Isn't that better?
One way around this system for somebody who wants to buy or coerce somebody's vote is to tell them to photograph the ballot before they separate the layers.
Careful examination of the punch card devices shows obvious opportunities for fraud. What if somebody decided to alter the pins that correspond to disfavored candidates to make a clean punch unlikely?
Open Source alone is an inadequate solution. What if the software run on the voting machines or tabulation systems is not what we all signed off on?
Many, many ways have been found by clever, determined, or connected people to commit electoral fraud in the past. Only vigilance will prevent the new technologies from being used for fraud in the future.
An independent paper trail gives us something to be vigilant with.
Tech Public Policy stuff
Seriously, the answer is careful cleaning of voting lists before the election. That's why you have to keep voting to stay registered, if you miss x general elections in a row, you get dumped off the rolls. Secondary checks... if you get 100% or better turnout at a precinct, something is wrong.
Before automatic purging of the rolls, there have been historic examples of 130% turnouts. Read Dirty Politics by Bruce Felknor for that story.
Tech Public Policy stuff
All it takes is a simple file. If the edges of the pin are rounded a bit, the probability of a clean punch will drop dramatically. A careful examination of the "voting machine" will turn up other possibilities. Find some information on the internals and if you have any mechanical aptitude, you'll find some.
Any system is probably breakable given time, lots of clever, determined, and/or connected people will be working on the problem. That in itself is reason enough to shitcan the mechanical systems.
Tech Public Policy stuff
Nachi worm infected Diebold ATMs
Tech Public Policy stuff
Lisa: "OK, Aaron A. Aaronson voted for...Bob. Aaron L. Aaronson voted for...Bob. Arthur B. Ablabab voted for...Bob."
some time later...
Bart: "Oh my God...the dead have risen and they're voting Republican."
"'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
- JRR Tolkien.
The real question: can this stand up to the reality-warping effects of Florida on voting?
I suggest that someone put that PDF describing the technique on a web server in Florida, and see how much the proposal alters..
The problem of exclusion
The problem of exclusion in an electronic election is significant, as it is in a paper election. The exclusion problem is assuring that only individuals with the right to vote vote, and that they do so only once. In paper elections this is typically implemented through a roster and ballot system.
In a roster and ballot system a precinct or polling place keeps a roster either of the individuals who have the privilege of voting there, or of the ones who did. In the first case it works like this:
When the voter entered the polling place, her right to vote was represented by her name appearing on the roster. She then traded her right to vote for a ballot, which now represents her right to vote. When she submits the ballot she relinquishes her right to vote in exchange for the act of voting. Since her ballot, while she possesses it, is the representation of her right to vote it is absolutely essential that it be replaceable in case of defect or error - a huge problem with every voting machine I've read descriptions of.
In the second case like this:
He relinquished his right to vote by having his name added to the roster. The ballot then represented his right to vote. It is therefore important that the ballot be exchangeable. In this case he can even exchange it for his original voting right, by surrendering it to election officials in exchange for removal of his name from the roster; he could then go to another polling place and vote there.
This presents the first opportunity for fraud. A voter could visit multiple polling places, or even the same polling place multiple times, and vote multiple times - each time having his identification added to the roster. This is discouraged using criminal law - the rosters are checked for duplicates and the offender is investigated / prosecuted. It is impossible to remove the offender's vote from an election with secret ballots because there is no way to know how he voted. The smart ballot stuffer would lie to the authorities when caught, doubling his impact on the election by voting x times for proposition a and -x times for proposition b.
The best way to address this problem is through a computerized analogy of the roster and ballot system.
If she doesn't like what happens, she tries again. The final election system will remove all overlapping ballots cast before the final one. If she gets fed up with the machine or polling place she can leave and go elsewhere to vote, taking her ballot with her, or she can surrender her ballot, canceling all her attempts to vote, in exchange for removal from the already-voted-voters list.
Every piece of equipment produces a paper trail. No piece of equipment makes any record that could be used to correlate the signed in voter with the ballot.
Problems with exclusion
So don't just sit there posting comments on this site, let your representatives know about this. Email them the urls for the paper and press release. (And email the media to keep those politicians honest).
Finally, A verifiably correct "electronic" voting system.
This seems to rely on voters later checking their vote to ensure it is on record as correct, some percentage anyway. My choice would be to have election judges auditing the results. This solution provides that.
This also seems expensive with all the printers required. And with all that peeling and tearing, that sounds like a "help desk nightmare".
Initial report by Miami Herald
http://www.cnn.com/2001/ALLPOLITICS/02/26/miami.herald.recount/
There's a Washington Post report on the final results, but I can't find a complete text. I have been able to find that a complete recount would have given the state (and therefore the election) to Bush. People need to face these facts and stop carping about a "stolen" election.
I read the paper briefly, and it sounds good (closer re-examination required of course). Suppose this method is independently verified by a LOT of experts and blessed as "good". We now risk the press and the public taking away the message that "electronic voting systems are fine" according to experts. It is important that they understand only THIS KIND of electronic system is OK if that's the case. It is also only OK if all the verification methods are in place, along with the public posting of the required data etc...
Moreover, imagine some scandal occurs whereby all the keys are made public. Perhaps the Voting Trustee's Union doesn't like their benefits package, and so threatens to reveal all the keys. With this scheme, every voter's privacy in every vote could be held ransomed indefinitely.
Patrick Doyle
I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
Here in Washington state the fact is that the law would prevent this system from ever being used in Washington before it was used for 2 years in another state. Other states have similar laws.
If you look into the Help America Vote Act (HAVA), the media presents the case that HAVA requires upgrades. When in fact the bill states entirely different requirements, many systems in place do not need to be upgraded to comply with the act.
Read TITLE III--UNIFORM AND NONDISCRIMINATORY ELECTION TECHNOLOGY AND ADMINISTRATION REQUIREMENTS, of the act for a lot more info. But here's a few key excerpts:
HAVA states:
(A) Except as provided in subparagraph (B), the voting system (including any lever voting system, optical scanning voting system, or direct recording electronic system) shall--(i) permit the voter to verify (in a private and independent manner) the votes selected by the voter on the ballot before the ballot is cast and counted.
Then later it states:
Manual audit capacity.-- (i) The voting system shall produce a permanent paper record with a manual audit capacity for such system.... (iii) The paper record produced under subparagraph (A) shall be available as an official record for any recount conducted with respect to any election in which the system is used.
So when the media says that Diebold machines are being purchased to comply with the act, isn't that blatantly false? These machines do not comply with the act, and to purchase and install them in fact violates these requirements.
There was fairly obvious reason to force the elimination of lever-actuated mechanical voting machines.
If you want a simple technology that's hard to break without leaving obvious traces, try ink on paper, either by manual count or optical scan.
Tech Public Policy stuff
A verifier outside the polling place...can immediately check...
2. was it made by an authorized voting station
You are absolutely right - it cannot be done within the bounds of their assumptions (or at all in my view). They assume that the voting machine is compromisable, and must contain naught but information that, were it available to the public, would not be usable in performing election fraud. However if you possessed a voting machine (which they assume is possible - as their security system is not allowed to depend on the security of the voting machine) you could produce a receipt for an unposted ballot.
Of course the officials won't post the ballot unless it was made by an authorized voting station. But how do the officials know, and more importantly, how does the public know that you didn't forge the receipt?
The only way I can think of to do this is through the system of issuing ballots - a ballot is issued to the voter, and its number is recorded on the receipt and on the list of issued ballots, and with the ballot image at the beginning of the tally process (not at any other step - as it would invalidate secrecy against coercion). Point 2 could then be validated based on whether or not that ballot number was issued. We then place the responsibility of overseeing the voting system back in the hands of the voter - They validate that their vote was included correctly, and that the ballot they were issued worked, by having it counted correctly. Of course, this only displaces the problem one step further - to the issuing of ballots. However at this step the issues and "paperwork" involved are much more closely related to the individual voters and making these problems, hopefully, easier to rectify. See sibling to your post for more ramblings on ballots.
They shouldn't have claimed Point 2. It belongs in a discussion of excluding invalid voting, which their system (and any technical system) cannot rectify. A very large claim which I will support shortly.
Cedric's Theorem of Election Fraud
Or of the necessity for notaries
Let c (a constituent) and e (an election system) be parties to a dispute arbitrated by a (an arbitrator). a cannot decide the truth of statements made by either c or e without choosing to trust one part over the other.
Proof: This problem is so small we can discuss all possible cases.
If any party makes any non-unanimous claim, it cannot be trusted because it cannot be trusted over the counter claim of the opposing party. If any party makes a claim claiming the non-unanimous authority of the other party, it cannot be trusted because it cannot be trusted over the counter claim of the other party against the authority.
Tell it to the sailors of the USS Cole, who, after being bombed by terrorists, had Al Gore's people trying to have their absentee ballots thrown out because the military postal system is not required to use postmarks.
Florida had problems with 16,000 ballots in 1996 in the same counties that had problems with 24,000 ballots in 2000. What do you think the Democrat-controlled election boards of those troubled counties did to fix the problem in the four years between 1996 and 2000? (answer: Nothing). They knew they had significant problems counting ballots and chose to ignore those problems for years, until forced to face the issue by a contentious election and national attention being focused on their negligence.
On top of that, the recounts being requested by the Gore campaign were against the law. The recounts that were specified by Florida law had already been conducted within the time allocated by the law. Gore's lawsuit basically attempted to ignore the written election law because he did not like the results of the counts and recounts that were conducted according to the law. Attempting to ignore election law would be a pretty good definition of "subverting democracy" to any reasonable person.