Slashdot Mirror


OSS Election Systems Desired, but Not Ready

An anonymous reader writes "Even though many American voters are ready for open source systems at the polls, Newsforge (a Slashdot sister site) has an interesting story about why open source may not be ready for the polls. From the article: 'The only open source e-voting effort that Rubin [an e-voting expert] noted was the Open Voting Consortium (OVC). "I don't agree with everything they are doing, but they are all about transparency and open source," Rubin said. OVC President and CEO Alan Dechert says it would take a large investment of time and money to provide an alternative to traditional e-voting systems vendors, but he says an effort known as Open Voting Solutions (OVS) is looking to do just that.'"

2 of 182 comments

  1. The disabled, the confused, and the stupid by Beryllium Sphere(tm) · Score: 3, Interesting

    A blind citizen given a paper ballot has to get someone to help, raising problems of confidentiality and trust.

    A computer UI can, in principle, be made easier to follow than a crowded piece of paper. Googling for "butterfly ballot" will get you an example that turned out to be important. A computerized ballot can do validity checking and spare the counting system from having to divine "voter intent" from a double-voted or unreadable ballot.

    Those are the only real advantages I've ever seen mentioned.

  2. I agree. by jd · Score: 3, Interesting
    There are only a few criteria:


    • You must be able to prove that every valid vote was counted exactly once - no more, no less
    • You must also be able to prove that fake ballots cannot be injected into the system
    • You must finally be able to prove that valid votes cannot be deducted from the system for the required length of time


    These are a bit trickier than just building a machine that can add 1 to a column, but not THAT much harder.


    I would ascribe every digital ballot paper with a hash value that uniquely identifies that paper and would be hard to forge, e.g., have each ballot paper marked with a serial number, then digitally signed by the electoral authorities.


    Each voter's voting card would have a totally random public encryption key on it, plus a number. On going to the voting machine, the card would first tick the person off on the list of people who had voted. After casting the votes, the machine would encrypt the ballot paper with the encryption key, then it would append the number to the end. The electronic ballot paper would then, after a random delay, be sent back to the central repository via an SSL connection. The machine would keep no tallies and no records whatsoever. Nor would the local office. It would all be central. (The local office could count votes cast, though, as it would be useful to compare against votes decoded.)


    The central system would use the number to select a relatively small set of private keys. It would try each key in turn until it found the key that unlocked that ballot paper. That private key would then be deleted. The unlocked ballot paper would be placed into a secure database. The number of valid votes identified would be counted and publicly published in real-time.


    Just to be absolutely certain what is meant here, the database must be write-only from the central system and must be in a tamper-proof environment. Once all ballots are uploaded, it will then perform the count and download the results, ALL of the decrypted ballots and ALL of the encrypted ballots.


    That way, anyone can perform a recount and although it would be a monumental task to validate the votes, it could be done. This system is pseudo-anonymous, not truly anonymous, using a VERY large base to make anonymity effective. The upshot is that if a random sample of voter cards were gathered (anonymously!), it would be possible to show that each of those cards matches to exactly one encrypted vote and one decrypted vote.


    This shouldn't be necessary, as most of the avenues for fraud have already been eliminated. The effort to fraudulently enter a vote in this system would be extraordinary, as it would require breaking the ballot paper generation system, the encryption key system AND the decryption system, in order to be transparent. Failure to break all of these would result in the votes being rejected by the unbroken component.


    I don't think an actual voting system need be this complex, but that's not the point. The point here is that it is possible to imagine a system that is (a) Open Source and (b) so damn-near impervious that it would be cheaper to just buy the person who'd been elected than rig so much as a single vote.


    Has this been done? Probably not. Could it be done? Sure. Give me a couple of weeks, a few smart-cards, readers, kiosks and a tamper-proof computer case. There should be no difficulty in writing a system that would be close to iron-clad for the next 50-100 years, with so close to zero chance of tampering that it's just not going to happen.


    If an OSS election system group has the hardware and would like to play with this scheme, I'd be happy to write it for them.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
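
Added example, not part of jd's comment or any voting project's code: a standard-library Python sketch of the central check described in comment 2, where the card number selects a small set of keys, each is tried in turn, and the key that unlocks a ballot is deleted. HMAC-SHA256 stands in for the authority's digital signature and a symmetric SHAKE-256/HMAC seal stands in for the card's public/private key pair; all function and class names are hypothetical.

```python
import hashlib, hmac, secrets

AUTHORITY_KEY = secrets.token_bytes(32)  # constructed; stand-in for the authority's signing key

def issue_ballot(serial):
    # HMAC stands in for the authority's digital signature over the serial number
    return serial, hmac.new(AUTHORITY_KEY, serial.encode(), hashlib.sha256).hexdigest()

def seal(key, plaintext):
    # Stand-in for encrypting to the card's public key: SHAKE-256 keystream plus HMAC tag
    nonce = secrets.token_bytes(16)
    stream = hashlib.shake_256(key + nonce).digest(len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        return None  # this key does not open the ballot
    stream = hashlib.shake_256(key + nonce).digest(len(body))
    return bytes(a ^ b for a, b in zip(body, stream))

def cast(card, ballot, choice):
    # Voting machine: encrypt the signed ballot with the card key, append the card number
    (key, number), (serial, signature) = card, ballot
    return seal(key, f"{serial}|{signature}|{choice}".encode()), number

class Central:
    def __init__(self):
        self.buckets = {}     # card number -> unused keys sharing that number
        self.serials = set()  # ballot serials already counted
        self.accepted = []    # decrypted choices, append-only
    def issue_card(self, number):
        key = secrets.token_bytes(32)
        self.buckets.setdefault(number, []).append(key)
        return key, number
    def receive(self, blob, number):
        for key in self.buckets.get(number, []):
            plain = unseal(key, blob)
            if plain is None: continue
            serial, signature, choice = plain.decode().split("|", 2)
            genuine = issue_ballot(serial)[1].encode()
            if serial in self.serials or not hmac.compare_digest(signature.encode(), genuine):
                return "rejected: forged or reused ballot paper"
            self.buckets[number].remove(key)  # the key is deleted once it has unlocked a ballot
            self.serials.add(serial)
            self.accepted.append(choice)
            return "counted"
        return "rejected: no unused key opens this ballot"
```

A replayed ballot fails because its key is already gone, and a ballot whose serial was not signed by the authority fails even when sealed with a valid card.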