Slashdot Mirror


A Secure and Verifiable Voting System

meese writes "The cryptographer David Chaum, through discussion with top cryptographers such as Ron Rivest, has designed a secure and verifiable voting system. One of the goals of his design is that anyone can verify that votes were tabulated correctly. It's good to see real security/crypto people working on this problem. They also have a press release."

54 of 346 comments

  1. One question.... by Kenja · · Score: 2, Insightful

    Will there be people involved at any point? If so then it's not secure, however it may be verifiable.

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:One question.... by gumbi+west · · Score: 2, Informative
      You may care to read the article, but they actually appear to have found a secure and verifiable way of voting. In fact, the best objection to it would be that it is either too verifiable (i.e. you can decrypt its result after voting to a third party) or not verifiable (i.e. try to verify a 1024 bit encrypted key).

      The only way I can think of to keep the vote you made readable would be to take into the booth a bogus second layer and then hand it to the poll worker to shred--leaving your vote intact and readable.

      As far as not verifiable, you have to be able to tell if this random hash you have in your hands is the one on the screen--how would you do that? It's not like you can print it, all .pdf viewers are different and even if they weren't only a very few printers have the precision to print exactly to scale to the precision that would be required... Consider that even printing machines have errors on the scale that they would require.

    2. Re:One question.... by mOdQuArK! · · Score: 2, Interesting
      After the election, you can go to a webpage and type in that number and it will tell you how that person voted. That allows the voter to verify the results.

      (sigh) Classic mistake naively implementing a "voting verification" system. You don't want a voter to be able to prove how they voted. If you do that, historically it has been proven that voters will be encouraged (either through positive - money, gifts, etc - or negative - intimidation, beatings, etc - feedback) to vote particular ways, instead of their conscience. Every voter has to have plausible deniability.

      That's why real voting systems try to only verify that each ballot was from a unique voter, and that the reported counts of the election can be reconstructed from the individual ballots.

    3. Re:One question.... by egarland · · Score: 3, Insightful

      Someone please mod this down as overrated!!!

      You can build secure systems on top of insecure components. See any encrypted internet protocol for an example.

      --
      set softtabstop=4 shiftwidth=4 expandtab nocp worlddomination
    4. Re:One question.... by gumbi+west · · Score: 2, Informative

      Actually, I was asking about how you would verify that the random hash piece of paper you took home from the election is the same as what is on the screen. I imagine a vote would look very complex (if you look at how complex even a simple character looked in the paper when it was encrypted). You may note that this paper does not propose a humanly readable vote, just a human readable id number. That way you can't prove who you voted for, but you can (if you try hard) verify your vote.

  2. Combination.. by 403Forbidden · · Score: 2, Insightful

    Open source + Paper trail = secure voting.

    How much longer till they figure this out?

    1. Re:Combination.. by Anonymous Coward · · Score: 3, Funny

      Closed source + Paper green = secure voting.

      They've figured out already.

    2. Re:Combination.. by Anonymous Coward · · Score: 5, Interesting

      It's not as simple as that. To prevent vote-selling, it can't be possible for someone to walk out the door with proof that they voted for a certain person. The press release gets further into these details, describing a convoluted two-piece receipt system.

    3. Re:Combination.. by cjgross · · Score: 5, Insightful

      In order to be verifiable, you need the paper output. If the voting machines would generate a unique paper output from each machine as a backup, votes could be recounted and audited. Each paper ballot could be encrypted and stored in 2D electronic barcode. It would be easy to scan and verify and data could not be altered without invalidating the crc's. Electronic voting will never be stand alone until we have a valid way to audit the results. cjg

      --
      "It is a miracle that curiosity survives formal education."
    4. Re:Combination.. by Anonymous Coward · · Score: 5, Insightful

      Me again from VoteHere, open source is fine if it is all you have, but it is far better to have an auditable data trail. Remember, that computers like the ones in most voting machines are "general purpose computing devices" so it is difficult to know exactly what code is running on them. Opening the source will help you be sure that there somewhere exists good software that if you ran it in the voting machines would lead to an accurate election, but it does not give any confidence that the machine actually was running that software, and only that software. Paper makes for a fine audit trail if you have nothing better, but ask anyone who voted in Chicago in the last century how well it does by itself to prevent election fraud. It is far better to extend the auditable portion of the data all the way through the election process to tabulation so that anyone could verify that the final count did in fact match the populace's intent.

    5. Re:Combination.. by Jeremiah+Cornelius · · Score: 2, Insightful
      You really don't understand what happened here, do you?

      A proprietary back-door hidden in object code and protected by DMCA is the alternative to the proposal of open source voting technology. Die Die Die -bold and ESS have demonstrated this in actuality.

      Hiding algorithms does not improve cryptography - and revealing them does not weaken it.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    6. Re:Combination.. by kilgore_47 · · Score: 4, Insightful

      bigpat wrote: Having some sort of receipt just misses the point and seems overly complicated. But mostly it doesn't properly address privacy concerns and vote buying or coercion... if you have a receipt and the votes that correspond to that receipt are publicly released and you were told to vote a certain way by your union or boss, then you can be coerced to show your receipt to someone

      You didn't read it right. You can't print out your throwaway half and see who you voted for. You can print out (from the website) a copy of the half you took with you, to confirm that your vote wasn't tampered with between you placing it and it getting to the central database or wherever. This sentence (from the article) confused me for a moment too, and I think you misunderstood it: "You would then be able to check for yourself that it has been posted correctly by, for instance, printing it out and overlaying the two and seeing that they are the same." They mean you can print out your half, not the other half that would reveal who you voted for.

      The whole point of these fancy receipts is that nobody can use your receipt to see who you voted for. They can only use your receipt to confirm your vote is on the site (and as such, that you voted).

      (Mods should really mod the parent comment down as it's spreading a total misunderstanding of the concept).

      --
      ___
      The way to see by faith is to shut the eye of reason. --Ben Franklin
    7. Re:Combination.. by The+Raven · · Score: 4, Informative

      You did not read the paper very carefully. The receipt can be proven to have the proper 'signature' (think public key cryptography), and it can be proven to have been tallied. But it CANNOT be proven to correspond to a specific vote, thus it cannot be used for coercion. The paper makes that explicitly clear in the first couple pages of the report.

      --
      "I will trust Google to 'do no evil' until the founders no longer run it." Hello Alphabet.
    8. Re:Combination.. by cfradenburg · · Score: 4, Insightful

      While the barcode is a good idea, in my opinion the main advantage to having a paper printout is so that the voter can visually verify that their vote is correct. Due to the fact that the main issue here is votes getting recorded correctly confirmation on the screen isn't enough. A barcode isn't good enough for that unless it's easy to read (have a sheet with what each code matches for example.) While we're at it, why do electronic voting at all if they need to be verified with counting? If the paper is just there in case someone disputes the results that's one thing but if it will be counted to verify anyway it's not worth doing electronic voting. The other issue with a printout is voter privacy. This isn't as large with the groups I hang out with but to others it may be a very big deal. This means that every page or section of a page that records a vote on paper must be hidden before the next voter enters. Not something that's hard but it needs to be considered.

  3. David Chaum... by Stile+65 · · Score: 4, Informative

    ...is an awesome mathematician/cryptographer. I'm working on a project (on SourceForge, but it's not nearly far enough along for me to announce anything on /. yet) based on his digital cash system, and some other things he's done. Yes, I know it's patented, but it's really meant as a proof-of-concept type deal.

    I just hope that if Chaum starts a company for his e-voting solution, it fares better than Digicash. IIRC, he wouldn't sell to M$ for $100M or to Visa for $40M, but ended up bankrupting Digicash and having to leave it. I'm not sure if I've got all the details right, so anyone's welcome to correct me.

    --
    I claim first use of "Error No. 0B" - or "No. 0B error." It'll be the new ID 10T!
  4. Re:How about by Hank+Reardon · · Score: 2, Funny
    ...get your fat ass away from monday night football for 30 minutes, drive down to the polling location, and vote.

    Hmmm... Do you subscribe to the "Vote Early, Vote Often" theory? :)

    I vote on Tuesday, personally...

    --
    There's so little difference between politics and jihad lately...
  5. I'm sure he put lots of thought into it, by blueberry(4*atan(1)) · · Score: 3, Insightful
    and it may be a good system. However, it is more complex than the current checkbox or hole punch system. The more complexity, the more difficult it is to fully consider all the possible vulnerabilities.

    I vote (ha! get it?) that we just stick with paper and pen until we have more chance to discuss and develop alternatives. Just voting is key to any democracy, so tread lightly!

    1. Re:I'm sure he put lots of thought into it, by Dastardly · · Score: 2, Insightful

      Am I missing anything?

      Yep. Independent verification that your vote is valid and was counted.

      In terms of voting and counting votes it isn't as complicated as it sounds.

      1) Vote on a computer.
      2) Computer prints receipt.
      3) Select top or bottom from the computer screen.
      4) Computer prints validation code.
      5) Take receipt.
      6) Give half that says "Give to poll personnel" to poll personnel for shredding.
      7) Encrypted voting data transferred to counting location where keys are used to decrypt and count results.
      8) Celebrate your candidate winning.

      The complicated stuff comes in with the verification that your vote is valid and counted. That is the posting of the image of your receipt on the website. If it is identical to the part you kept your vote was counted correctly, if it was not, your vote was not counted.

      Third parties can verify your vote was valid as you exit by checking the digital signature. So, a hacked polling place can be identified as well.

      I may miss some subtleties by simplifying, but while the implementation seems complicated, the practice is a lot less complicated.

      In thinking about it, the computer could still tally votes as each voter removes their receipt. You then still post the receipt images on the web, but only perform the full recount of the encrypted data if there is a complaint.

    2. Re:I'm sure he put lots of thought into it, by ralphbecket · · Score: 3, Interesting

      I never cease to be amazed at what is considered insightful on this forum.

      The *process* is very simple and completely automatic.

      The *reason* it works is *slightly* more complex, but is considerably easier to understand than, say, public key cryptography. This is not rocket science.

      Properties of the system:

      - it allows each voter to verify that their vote has been recorded;

      - it does not allow a voter, or anybody else involved, to prove which way they voted (i.e. voter anonymity is preserved throughout);

      - it includes an (automatic) auditing scheme that provides statistical near certainty (in the absence of *complete* collusion by the authorities) of detecting fifty or more instances of ballot rigging.

      It's elegant and simple and very easy to verify. Evidently, alas, the paper does not make this clear to everyone...

  6. Good, now step two by ultranova · · Score: 2, Funny

    Now that you have a decent electronic voting system, you can start developing decent electronic candidates.

    After all, if the choices are

    1) Skynet takes over by force
    2) Skynet takes over by vote

    I, for one, prefer the vote method. Besides, could it really do any worse than the current leaders ?

    Seriously, though, we might want to turn the running of day-to-day things over to an artificial intelligence someday in the future, because it would be less prone to stupid mistakes and corruption than humans, and because it would free us to think about the overall picture.

    I wonder if, in time, we humans will form some kind of aristocracy, ruling over hordes of intelligent (but willess) machines...

    I, for one, welcome our new artificial intelligence underlings.

    --

    Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

  7. Too bad.. by xchino · · Score: 3, Insightful

    It's too bad this won't get any support, as it doesn't make politicians any profit. Maybe if they could promise Bush Ohio's vote, or line some pockets with green, they'll get some government backing. I think there should be a law against a politician having invested interest into the means by which they are elected.

    --
    Everyone is entitled to their own opinion. It's just that yours is stupid.
  8. Not acceptable by Marcus+Erroneous · · Score: 4, Insightful

    How in the world do you expect the penny ante politicians to get elected with an honest, secure system? More importantly, how is Bu$h supposed to get re-elected with a fair, impartial, secure and verifiable voting system? Fortunately, here in the good ol' US of A, we're free to choose a more politically useful system. ;)

    --
    You must be the change you wish to see in the world - Gandhi
  9. Misses the point completely by corebreech · · Score: 3, Interesting

    Most lay people assume the voting system is secure simply by virtue of it being computerized.

    I haven't looked at the spec for this yet, but I have to believe that this cannot be the answer, simply because most people won't be able to understand how this system is any different than the (electronic) one it replaces.

    More than anything else, voters have to be able to trust that their vote is being counted. And there will always be talk of powerful interests being given backdoors or being able to skew the results using exotic technologies like quantum cryptanalysis.

    The only sure way of a) having a legitimate election where b) everyone can know their vote was counted is by c) publishing all the votes.

    Publish the votes. No batteries (cryptographic or otherwise) required.

  10. Re:Combination..--not quite by randall_burns · · Score: 2, Interesting
    There are still quite a few low tech means of committing vote fraud. IMHO open source and a paper trail are decent steps-but hard encryption so that anyone with a receipt can:

    prove they have an authentic receipt

    audit the records

    would also help quite a bit.


    Now, even that still doesn't handle stuff like people voting twice. We'll still need to worry about stuff like folks using false/invalid ID and voting (which is pretty rare I would suspect, but give them time).

  11. Re:How about by switcha · · Score: 5, Funny
    You get your fat ass away from monday night football for 30 minutes, drive down to the polling location, and vote.

    The fogies in Fla missed voting correctly by about a 1/4 inch. You just missed voting correctly by 24 hours.

    --
    You know what? ... A little club soda *did* get that out!
  12. Designed by Cryptographers, not Committees! by Tackhead · · Score: 5, Funny
    So a couple of noted cryptographers have come up with a secure, verifiable, electronic voting system and put the design out in the open for anyone to use. Like that was a challenge.

    Like, hey, who the hell does this Rivest guy think he is, and what (apart from this stupid "Ph.D" stuff in "Computer Science" or "Mathematics" or "Cryptography", such a small title he has) makes him think he's any smarter than Penelope Bonsall, who's got a way cooler title "Director of the Office of Election Administration at the Federal Election Commission".

    "The computer scientists are saying, 'The machinery you vote on is inaccurate and could be threatened; therefore, don't go. Your vote doesn't mean anything.'

    Penelope Bonsall, Director of the Office of Election Administration at the Federal Election Commission, A Very Important Person Who's Smarter And Better Than Those Goofy Computer Scientists Because She Has A Bigger Title And Burns Through More Taxpayer Dollars In A Week Than That Rivest Dude Probably Generated In His Entire Working Career!

    Rivest's system is clearly unworkable. Where's the wining and dining of sales reps? Where's the backroom deals involving hookers and cocaine? Where's the vendor-lock-in? Where are the service contracts and extra government departments required to oversee them? Oh, sure, Rivest can lay the smack down on "where's the beef" when it comes to building a secure and verifiable electronic voting system, but where's the pork?

  13. but still by rock_climbing_guy · · Score: 3, Interesting

    I like the idea of being able to verify that my vote counted, but how will everyone being able to verify their vote stop dead people from voting?

    --
    Wh47 d1d j00 541, 31337 15n't t3h r0xor5 ne m0r3???
  14. Re:This doesn't seem quite bulletproof enough... by harangutan · · Score: 3, Insightful

    What if instead, the voter was given a printout of the MD5 of a combination of (digesting all of) everyone they voted for and their (the voter's) social security number?

    Not a chance. First of all the SSN, even if it were as difficult to obtain as you suppose (hint: it's not), this wouldn't be of help in vote-selling, as the voter would cheerfully surrender his SSN if he wanted to get paid.

    As for the rest, you're radically overestimating the number of permutations an election can typically have -- a dozen yes or no decisions and one or two candidates each for a handful of offices could be permuted by any cheap desktop PC in very short order.

  15. How we'll REALLY know . . . by CleverNickName · · Score: 4, Insightful

    We'll know that this is a real and secure voting method just as soon as all the incumbents and lobbyists come out and blast it as "dangerous" and find some way to connect it to terrorism.

  16. Re:Is a paper trail really that important? by Anonymous Coward · · Score: 2, Insightful

    A paper trail does make it magically more secure. This isn't referring to you keeping paper, it is referring to a piece of paper with the vote on it being stored somewhere.

    Those machines with levers? They make paper trails.

    Without this, the votes are ONLY digital. As such, any unauthorized access can, en-masse, change the only record of the votes. Paper cannot be changed nearly so easily, and especially not so secretly. It allows a recount if the machine count seems unreasonable.

    It is genuinely an incredible increase in election reliability, especially for something so simple.

  17. US democracy struggle by Spellbinder · · Score: 2, Funny

    Game Over!!
    Insert Coin

    --


    stop supporting microsoft with pirating their software!!!!!
  18. Too complicated... by jjh37997 · · Score: 4, Insightful

    Here's what we need...

    A touch screen voting booth that lets voters select the candidates they want.

    After the voter casts their vote the booth prints out a ballot that's a machine readable scantron sheet.

    The voter checks to make sure that the candidates they selected are recorded on the ballot and feeds it into a scantron reader. It's this machine that actually records the voter's vote.

    This way not only do we get the benefit of a machine count but a paper trail to boot.

    1. Re:Too complicated... by waynemcdougall · · Score: 2, Interesting
      Double counting is the answer.

      Touchscreen records your ballot, prints it out for you to check, AND KEEPS COUNT ITSELF.

      You feed your paper ballot into a scanning machine that keeps count. And post your paper ballot in a ballot box.

      The touchscreen ballot generator and the scanner are produced by two entirely separate companies. Public specifications on the interface.

      Now if the two machines disagree about the ballot count you do a paper recount (and find out which vendor stuffed up, and don't use them again).

      --
      Recycle PCs and build a wireless community network www.hillsborough.org.nz
    2. Re:Too complicated... by gumbi+west · · Score: 2, Insightful

      Only a few need to check to make sure that this vote was tallied correctly.

    3. Re:Too complicated... by waynemcdougall · · Score: 2, Interesting
      Paper recounts are not unreliable. That was not the problem in the last election in the United States.

      Paper recounts can be slow and tedious (relatively speaking) but will be done under independent scrutineers AND observers from all parties with a vested interest in the best outcome for themselves (which cancels out, meaning everyone is watching to make sure no one else cheats). Often paper recounts are done twice (to verify the answer) - with actual paper ballots you can count them as often as required. In practice if you've got two machine tallies that agree (or disagree) and then do a paper recount and it agrees (or agrees with one or all three disagree) you can look at which is closest and whether it makes a difference to the result. So someone picks up two ballots by mistake leaving you with a 1 vote error (in total and for one candidate). We'd expect a 1 vote discrepancy from the machines. Since the votes are physically placed in piles according to the votes cast, it is easy to flick through and check that all the votes in one pile belong to the same candidate. If 1 vote makes a difference we can count again.

      The problem in America was two-fold:

      a) some of the ballots were illegally laid out according to Florida state law (the butterfly ballot). This may have led some people to cast their vote for someone other than they intended. It's worth noting that all parties saw and approved the ballots before the election, and the same ballot layout was used in previous elections.

      b) the physical ballots in some places are made by a paper punch - in some cases the square of paper for a candidate hadn't been fully removed. In other cases an indentation had been made (weak wrists? or an elderly and infirm voter? changed their mind? or too many pieces of cardboard jammed in behind the punch?) And during each recount more and more cardboard pieces would fall out. :-(

      Neither of these is an issue with touch screens and computer printed ballots.

      I'm just saying separate the voting machine from the counting machine - have them check on each other - and keep a printed record you can go back to if the machines disagree (or someone doesn't trust both machines)

      --
      Recycle PCs and build a wireless community network www.hillsborough.org.nz
  19. Re:Excellent by E.S+Taog · · Score: 2, Funny

    Hey, this is the only website in America that's not afraid to tell the truth, that everything is just fine.

  20. paper trail by mehtars · · Score: 2, Insightful

    Even if there is an open audit of the source and a paper trail, most of the candidates will still request a recount of the ballots by hand. Call me a bit old-fashioned, but I still believe that the best way to hold an election is to do it on paper rather than on a computer. Even the most secure open-source OS can have security holes....

  21. It will never work! by SQLz · · Score: 2, Funny

    With this system how are they supposed to fix elections? This will never work.

  22. I've attended a David Chaum lecture by acidblood · · Score: 4, Informative

    in a workshop held here in Brazil (Alfred Menezes and Darrel Hankerson were the other lecturers). Folks, the system is perfect. There's nothing to complain about it -- laymen can check that their votes were counted through so-called `visual cryptography' (an idea of Adi Shamir IIRC), while everything else you'd expect from a secure and reliable voting system is provided. One can only hope that this is deployed somewhere, but I'm not holding my breath.

    Read the paper, it's really jawdropping. Cryptography at its finest.

    --

    Join the NFSNET. Our prime goal is making little numbers out of big ones. http://www.nfsnet.org/

  23. Still Lots of room for Fraud by randall_burns · · Score: 2, Informative
    This is a step forward, but:

    Folks can still vote multiple times if they get more than multiple registration cards. Dead people can still vote. Illegal aliens can still vote (i.e. someone can get a driver's license with Mexican ID-and then get a voter registration card).


    The main thing the Chaum proposal handles is fraud by a few people via voting machines. Fraud by election officials using lower tech mechanisms would be more difficult-but still possible.

  24. not decryptable -- it's an XOR by Heisenbug · · Score: 3, Informative

    The point of the two-receipt system is that it's easily verifiable in the booth, but impossible to verify outside. That means that any random voter can look and, instead of a long number to verify, they just see the text of who they voted for.

    The single receipt cannot be decoded as you suggest -- each pixel is utterly random. There will be no pattern to detect, within the limits of pseudorandom numbers.

    That works because the two receipts basically perform an XOR. Each pixel is either

    XO  or  OX
    OX      XO

    Call the first '1' and the second '0'. Then 0^0 = partially clear, and 1^1 = partially clear. 0^1 or 1^0 = fully black. When you're printing a pixel, then, you completely, utterly randomly select 1 or 0 for one receipt. You then print either the same, or the opposite, on the other. There is no pattern whatsoever from pixel to pixel, and once half the receipt is destroyed, it is quite impossible to read the other half.

    The problem with the system you propose, by the way, is that anyone who had your SSN and MD5 hash could relatively quickly determine the choices you made just by trying all the combinations. If I was buying votes, I could tell you what choices to make, and then demand my money back if I couldn't reproduce your MD5.
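The two-layer pixel scheme described in the comment above, as an added Python example (not code from the thread or from Chaum's paper). It models only the XOR-of-two-sheets idea as the comment states it; the sample bitmaps and all function names are constructed for illustration.

```python
import secrets

# 2x2 subpixel patterns from the comment above: 1 = ink ("X"), 0 = clear ("O").
PATTERN = {
    1: ((1, 0), (0, 1)),  # XO over OX, the pattern the comment calls '1'
    0: ((0, 1), (1, 0)),  # OX over XO, the pattern the comment calls '0'
}

# Constructed 5x5 sample bitmaps (1 = black pixel); any binary image works.
GLYPH_A = [
    [0, 1, 1, 1, 0],
    [1, 0, 0, 0, 1],
    [1, 1, 1, 1, 1],
    [1, 0, 0, 0, 1],
    [1, 0, 0, 0, 1],
]
GLYPH_B = [
    [1, 1, 1, 1, 0],
    [1, 0, 0, 0, 1],
    [1, 1, 1, 1, 0],
    [1, 0, 0, 0, 1],
    [1, 1, 1, 1, 0],
]


def split(image):
    """Split a binary image into two layers of pattern bits.

    Layer A is chosen uniformly at random per pixel; layer B repeats A's bit
    for a white pixel and flips it for a black one (B = A XOR image).
    """
    layer_a = [[secrets.randbits(1) for _ in row] for row in image]
    layer_b = [[a ^ px for a, px in zip(arow, irow)]
               for arow, irow in zip(layer_a, image)]
    return layer_a, layer_b


def render(layer):
    """Expand each pattern bit into its 2x2 block of ink/clear subpixels."""
    sheet = []
    for row in layer:
        top, bottom = [], []
        for bit in row:
            top.extend(PATTERN[bit][0])
            bottom.extend(PATTERN[bit][1])
        sheet.extend([top, bottom])
    return sheet


def overlay(sheet_a, sheet_b):
    """Stack two printed sheets: ink on either one blocks the light (OR)."""
    return [[x | y for x, y in zip(ra, rb)] for ra, rb in zip(sheet_a, sheet_b)]


def ink_per_cell(sheet):
    """Count inked subpixels in every 2x2 cell of a rendered sheet."""
    return [
        [sheet[r][c] + sheet[r][c + 1] + sheet[r + 1][c] + sheet[r + 1][c + 1]
         for c in range(0, len(sheet[r]), 2)]
        for r in range(0, len(sheet), 2)
    ]


def read_overlay(stacked):
    """What the eye sees: 4 inked subpixels = black, 2 = partially clear."""
    return [[1 if n == 4 else 0 for n in row] for row in ink_per_cell(stacked)]


def forge_partner(kept_layer, claimed_image):
    """Build a partner layer that makes kept_layer display any chosen image.

    Because such a partner exists for every image, a single kept layer is
    consistent with every possible ballot and so reveals none of them.
    """
    return [[k ^ px for k, px in zip(krow, irow)]
            for krow, irow in zip(kept_layer, claimed_image)]


if __name__ == "__main__":
    a, b = split(GLYPH_A)
    for row in overlay(render(a), render(b)):
        print("".join("X" if v else "." for v in row))
    print("kept layer alone, ink per cell:", ink_per_cell(render(b))[0])
    fake = forge_partner(b, GLYPH_B)
    print("same kept layer, other partner shows B:",
          read_overlay(overlay(render(fake), render(b))) == GLYPH_B)
```

Every cell of a single sheet carries exactly two inked subpixels regardless of the image, which is why the kept half looks like uniform noise once the other half is shredded.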

  25. Printing Technology by femto · · Score: 2, Insightful
    One would have to make sure the printing technology was 'perfect'. What if there was some residual image of the 'red' layer superimposed on the 'white' layer (for example, heat leaking between the two layers of a thermal printer)? Then it would be possible to 'reverse engineer' a receipt and the ballot may no longer be secret.

    Incidentally, most of the alternative suggestions offered by slashdotters seem to compromise the secrecy of the ballot. Secrecy might not seem important to the average slashdotter, but it is important if your family will disappear when you get caught voting for the opposition.

  26. Which is exactly what they *don't* want to achieve by Kjella · · Score: 2, Insightful

    but if they needed to verify their vote, they could specify all of their choices and their ssn again, and get the same MD5.

    They do *not* want you to be able to verify how you voted, because then you might be *forced* to verify it. What they're trying to do is give you a receipt that you have delivered a valid vote, and that this vote can be verified as having been counted, without revealing for which candidate the vote was for.

    The reason for this is simple - with manual counting, you need to involve a lot of people around the country to reasonably affect the vote. With an electronic count, who's to know if you simply replaced the final numbers?

    Unfortunately, it's more difficult to show that your vote is a subset of a group (the total votes) than it is to make a 1-to-1 mapping. It sounds quite smart from the brief read-through I made, but yes, I wouldn't make any hasty decisions.

    Kjella

    --
    Live today, because you never know what tomorrow brings
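Why the MD5-of-choices-plus-SSN receipt discussed in this comment (and in the earlier replies by harangutan and Heisenbug) works as proof of how someone voted, as an added Python example that is not from the thread. The ballot, the string encoding fed to MD5 and the placeholder SSN are all constructed assumptions, since the proposal never specifies them.

```python
import hashlib
from itertools import product

# Constructed ballot, sized like the one described in the thread:
# a dozen yes/no decisions and a handful of offices with one or two candidates.
CONTESTS = [(f"measure-{i}", ["yes", "no"]) for i in range(1, 13)] + [
    ("governor", ["cand-a", "cand-b"]),
    ("senator", ["cand-c", "cand-d"]),
    ("mayor", ["cand-e", "cand-f"]),
    ("sheriff", ["cand-g"]),
    ("clerk", ["cand-h"]),
]

# Placeholder value (not a valid SSN), standing in for the voter's number.
SAMPLE_SSN = "000-00-0000"


def receipt(ssn, choices):
    """Receipt as proposed: MD5 over the voter's SSN and every choice.

    ASSUMPTION: the proposal gives no encoding, so this one
    (ssn|contest=choice|...) is made up for the example.
    """
    parts = [ssn] + [f"{name}={choice}"
                     for (name, _), choice in zip(CONTESTS, choices)]
    return hashlib.md5("|".join(parts).encode()).hexdigest()


def ballot_space():
    """Number of distinct complete ballots a voter could cast."""
    total = 1
    for _, options in CONTESTS:
        total *= len(options)
    return total


def recover_choices(ssn, target):
    """Re-derive the ballot behind a receipt by hashing every possible ballot.

    Returns (choices, ballots_tried); choices is None if nothing matched.
    """
    tried = 0
    for combo in product(*(options for _, options in CONTESTS)):
        tried += 1
        if receipt(ssn, combo) == target:
            return combo, tried
    return None, tried


if __name__ == "__main__":
    # The voter's actual (secret) ballot, constructed for the demo.
    secret = tuple(options[-1] for _, options in CONTESTS)
    slip = receipt(SAMPLE_SSN, secret)
    found, tried = recover_choices(SAMPLE_SSN, slip)
    print("possible ballots:", ballot_space())
    print("receipt:", slip)
    print("recovered after", tried, "hashes:", found == secret)
```

The hash is deterministic and the set of possible ballots is tiny, so the slip commits the voter to exactly one ballot that a third party holding the SSN can reconstruct, which is the property the two-layer receipt is designed to avoid.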
  27. Re:Nice idea by PurpleBob · · Score: 2, Interesting

    You misunderstand what he meant by "checking".

    Your ballot can be checked to ensure that it is a valid vote. The pixelating XOR stuff he did is to ensure that, while your vote can be checked for validity, it cannot be checked to see who you voted for, except by the board of trustees, who have the other half of the vote and have no information about who you are.

    --
    Win dain a lotica, en vai tu ri silota
  28. Re:Is this really necessary? by Total_Wimp · · Score: 2, Informative

    Well, it is broke. Lots of recent elections have proved this, including the last presidential election. The hanging chads were not even close to the only issue either.

    That said, there are many things that truly weren't broke about the last system that need to be preserved.

    1. Your receipt should not include a way to find out how you voted. If your vote doesn't stay completely in the voting booth then some people will try to coerce your vote because they will be able to ask you to "prove" how you voted. Picture your boss asking everyone to print out their receipts on line and show him that you voted for his pet project. This is very important and the old system preserved this confidentiality.

    2. You should be able to easily, visually verify how you voted and THE EXACT SAME verification paper should be used to tabulate the vote. In other words, you should be able to look at a paper receipt listing all your choices with a big check mark next to them and that receipt goes straight in the ballot box which then electronically tabulates from the paper, just like the old system.

    Folks, this is ridiculously simple. Vote on screen, print the vote, put the printout in a privacy envelope. Take the vote to the ballot box. The ballot box sucks in the vote, tabulates and encrypts it on the spot, then electronically sends it to the polling database. You take a receipt stub out with you and you can check online that it was valid, and you can track it to its final storage place much like the FedEx tracking system, but you can't find out details of the vote online. If there is impropriety, the ballots have already been neatly stacked by the ballot boxes (they work kind of like ATMs do with your deposit) so they can be reread at high speed by recount machines and everyone could check online to be sure their vote was recounted. In special circumstances the votes could be visually recounted and, yes, you could check online to make sure your ballot got the visual recount as well.

    The important point here is that no one can do any funny business with the paper because it's in that secure box and no one can coerce you to vote their way. But most importantly, if the computer is messed up, fixes could be made and a second, third or fourth vote can take place from the original ballots almost as rapidly as what happened with the first ones. Finally, it's very simple for any non-technical person to understand, so regular people will have faith in the process. And don't we all need faith for the system to truly work?

    TW

  29. yes by commodoresloat · · Score: 3, Funny

    presumably, they will be doing the voting.

  30. a flaw? by agurkan · · Score: 2, Interesting

    I tried to read the article and hopefully I am mistaken but would appreciate some comment on this.
    It seems that you are deprived of the ability to reproduce your vote outside the booth by separating the information into two pieces either of which is illegible/useless by itself. However, with the cellular phones taking digital pictures nowadays, could you not essentially take both of them with you if you want?
    If this is true then further security is needed to ensure that although you choose one of the two equally valid pieces, you cannot reach the other one at all. This, btw, can be done cryptographically.

    --
    ato
  31. Re:The absolute fix by Dunark · · Score: 2

    That won't fix anything. The reason we're in such bad shape today is all the couch potatoes that get rousted from their television-induced stupor just long enough to vote the way the television tells them to. Forcing more of them to go do the same thing will just increase the influence the paid ads have over the election outcome.

    My idea is to conceal the polling places, so that only people who are willing to go to some effort can find them.

  32. openvoting.org is a super nova of sunshine by goombah99 · · Score: 2, Interesting
    Openvoting.org doesn't just have a "design", they have the whole system including the hardware and screen shots. Even the ballot design. Most importantly it's not just a mathematical showpiece, it actually conforms to the bizarre voting system laws common in states.

    It publicly debuts in beta next month! And it's open source and voter verifiable. It's on SourceForge right now if you want to look. See EVM2003 or open voting. By the way, they still need more developers, testers and documentation writers. Also they need financial backers to package finished systems with tech support for the end users.

    --
    Some drink at the fountain of knowledge. Others just gargle.
  33. RTFA by CedgeS · · Score: 2, Interesting

    The problem is that if laymen can check that their votes were counted after the fact, it is possible to sell your vote and let a 3rd party check on this as well. Any design where you keep the receipt is flawed.

    Laymen can check that their votes were counted correctly after the fact. However they can not check what their vote actually was, so a third party can't verify that the layman voted the way they wished.

    This is accomplished by printing two receipts which combined form an image of the voter's vote, but separated are random as in a one time pad encryption scheme. The voter is required to surrender one of these receipts for destruction, retaining an almost random sheet, which is uninterpretable without the possession of a large number of private keys.

    The voting machine can only forge one of the sheets (either internally or externally) and still record a recordable vote. The chance of it being detected is 50% either way, so to forge a mere 32 votes, the machine would have a 1 in 2^32, or one in 4 billion chance of going undetected.

    Similarly every trustee who holds private keys for the interpretation of votes has only a 50% chance of tampering with one vote, and having it be undetected by the other trustees, and has only a one in 4 billion chance of getting away with tampering with 32 votes. Similarly a collusion of all but one of the trustees has only a 50% chance of being undetected tampering with one vote, and has only a one in 4 billion chance of being undetected in tampering with 32 votes.
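
Added example, not part of the thread and not Chaum's actual construction: a simplified Python model of the two-layer receipt described in comment 33, using a plain XOR split in place of the printed visual-cryptography layers and assuming, as the comment does, that each forged ballot is caught with probability 1/2. All function names and the sample ballots are constructed for illustration.

```python
import random
import secrets
from fractions import Fraction

def split_ballot(bits):
    """Split ballot pixels into two layers; each layer alone is uniformly random."""
    pad = [secrets.randbelow(2) for _ in bits]
    return pad, [b ^ p for b, p in zip(bits, pad)]

def overlay(layer_a, layer_b):
    """Stacking both layers (modelled here as XOR) reveals the ballot image."""
    return [a ^ b for a, b in zip(layer_a, layer_b)]

def layer_explaining(kept_layer, claimed_ballot):
    """The destroyed layer that would make kept_layer decode to claimed_ballot.

    One exists for every ballot, so the kept layer proves nothing to a coercer.
    """
    return overlay(kept_layer, claimed_ballot)

def undetected_probability(forged_votes):
    """Exact chance that all forgeries survive a 1/2 check each (comment's model)."""
    return Fraction(1, 2) ** forged_votes

def simulate_escape_rate(forged_votes, trials, seed=0):
    """Monte Carlo version: the machine forges one layer per ballot, the voter
    keeps a layer at random, and the forgery is caught when the two coincide."""
    rng = random.Random(seed)
    escaped = 0
    for _ in range(trials):
        if all(rng.randrange(2) != rng.randrange(2) for _ in range(forged_votes)):
            escaped += 1
    return escaped / trials

if __name__ == "__main__":
    vote_a = [1, 0, 0, 0, 1, 0, 0, 0]   # constructed 8-pixel "ballot image"
    vote_b = [0, 0, 0, 1, 0, 0, 0, 1]   # a different constructed ballot
    kept, shredded = split_ballot(vote_a)
    assert overlay(kept, shredded) == vote_a
    fake = layer_explaining(kept, vote_b)
    assert overlay(kept, fake) == vote_b  # same receipt, different "proof"
    print("escape chance for 32 forgeries:", undetected_probability(32))
    print("simulated escape rate for 3 forgeries:", simulate_escape_rate(3, 20000))
```

The deniability check is the part that answers the vote-selling objection: once the second layer is shredded, the retained layer is consistent with every possible ballot.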

  34. Mathematicians don't think EVILLY enough by waynemcdougall · · Score: 3, Interesting
    Mod parent up.

    The proposal allows a VOTER to verify that their vote was properly cast and recorded.

    There is no protection for a candidate.

    With physical ballots, a candidate can ask for a recount of those ballots.

    As far as I can see, under this proposed system, you either accept the word of the computer, or you try and round up the anonymous (out-of-district or out of state) voters and ask them to please check their ballots.

    Snowball I can vote with impunity. Indeed I can add as many votes to the machine record as I want - I can have the machine churning out thousands of votes per hour, shred both copies, and just make sure the legitimate votes are also included in the tally.

    The proposal addresses completeness (all votes are recorded), accuracy (the votes are correctly recorded, or can be verified as having been so) BUT only by the voter - NOT the candidate who has to trust the machine or hope a voter picks up a fault.

    Validity (only proper votes are cast) is not addressed. Unless I'm missing something.

    --
    Recycle PCs and build a wireless community network www.hillsborough.org.nz
    1. Re:Mathematicians don't think EVILLY enough by randall_burns · · Score: 2, Interesting
      I think you are right - mathematicians are trusting folks. I'm not an especially good mathematician. However, I have substantial experience dealing with fraud detection systems. I did an early database implementation for what became the world's most popular credit card fraud detection system. I've also worked on an investigation that put the CEO of a major corporation in prison.


      Much fraud is pretty low tech but involves manipulating lots of people. Basically many security mechanisms come down to the word of some combination of people - if those people can be compromised, the security is compromised.


      In the credit card world, it became pretty obvious that lots of license departments and law enforcement agencies were pretty much infiltrated. Stuff like voter registration cards? Well, it all comes down to paper. You might handle this to some extent by cameras in the polling places - but then there are still the mail-in ballots.


      The thing is that winner take all elections tend to encourage fraud - particularly in close elections. It is hard to vary results wildly from the polls these days (say more than 5%). This is all an excellent argument for proportional representation at least in the house. Condorcet voting offers another option for races where you are electing a single guy (the idea is to pick the least bad candidate in series of 2 way races that are simulated from candidate rankings).


      What folks miss: there is pretty substantial evidence that Kennedy, Johnson and Nixon all engaged in substantial fraud. Between that and corporate influence - the US political system is pretty sick.

    2. Re:Mathematicians don't think EVILLY enough by ralphbecket · · Score: 2, Insightful

      Yes, there is protection for the candidate.

      The auditing process provides statistical guarantees that (in the absence of complete collusion by the polling agents) (a) every ballot is counted, (b) no extra ballots have been inserted, and (c) no ballot has been tampered with.

      Furthermore, all of this information is provided on the web. Each voter can check that their vote was recorded and anybody at all can check the final tally (the plaintext electronic ballot papers are also published, but they cannot be traced back to individual voters.)

      It's a great system. It's just a shame that the paper doesn't explain it simply enough (for the Slashdot crowd to understand, at any rate :-)

  35. Oh god, it gets worse... by A+nonymous+Coward · · Score: 2, Interesting

    They will also be candidates. Now we're doomed!