Verifiable Elections Via Cryptography
An anonymous reader writes, "Cryptographer David Chaum and his research team have invented a new voting protocol which allows voters to verify that their vote has been correctly cast and counted. This is enabled using a surprisingly low-tech technique of cryptographic secret sharing. The secret — your marked ballot — is split into two halves using a hole punch." You take half home and can verify later via a Web interface how your particular ballot was counted.
I'll sell my vote for $500, you can even verify it with this hole thingy.
One goal of the modern election regime is to prevent vote-buying and similar kinds of fraud. One of the best safeguards to prevent it is by making it impossible to prove to anyone which way you voted after you leave the poll; that way, if someone tries to buy your vote, you can take his money, vote your conscience, and he'll never know the difference. With this method, the vote-buyer could collect cryptographic stubs for verification before disbursing payment. That's why so many states have restrictions on who can cast absentee ballots: so you can't prove to the vote-buyer which way your vote was cast.
This is exactly the kind of thing that is necessary for a verifiable and secure system; the toughest part will be winning over the public, though.
There should be a moderation category "Dumbest Comment EVER"
Usually it is desirable that the voter cannot prove what he voted for to prevent that voters could sell their votes. If a voter can verify that his vote was counted as a vote for one particular party, then he can prove to the buyer that the vote was successfully bought.
What I have to ask is how do you verify that the database and actual count tally? A receipt is nice and fine, and a database is nice (assuming you are not connected to your number in any way other than the receipt, e.g. it's just the nth number person you happen to be, polling at that time) but how can you really be certain that the official count has anything to do with the database contents? This always bugs me about electronic voting - there's no obvious pile disparity between votes for each candidate. You can't observe the numeracy of the thing. Also, this won't stop other dirty tricks like voter caging etc. Thoughts?
Scientists point out problems, engineers fix them
Okay, I've watched the video and read the article.
I still don't understand it. Why does their video have two different types of hand writing on it? Is the voter supposed to write in all the options when s/he votes?
What's to stop someone from getting a copy of the form and threatening you unless you vote the way they want you to? Unless every form is different (is this the part why the hand writing is different?), any attempt to match the vote online can be used to verify that you voted the way you were told to.
I always thought that a major point of a secret ballot was to ensure that no-one would ever be able to give proof that they (or anyone else) voted a certain way. The whole 'secret' part of the secret ballot was implemented for a reason - to make vote buying and selling impossible. Otherwise we're right on the way back to giving undue influence to employers, union leaders, whomever your bogeyman of choice may be, etc. Show me your voting card on the way in to work, or to get needed supplies from the food bank, or to receive your 'free' voucher for a happy meal...
Yet again we're introducing yet another fatal flaw into the voting process through this headlong rush into electronic voting. Paper, pencils, and marking an 'X' are an elegant and well tested solution. Reducing (unnecessary) complexity can rarely turn out ill...
-srw
I will sell my vote for $100. Let's just be more direct with this political corruption :D
Verifying a single vote was never the problem. Verifying the vote is. In the US, at least.
Hello,
Your post advocates a change to the electronic voting system....
You suggest:
[ ] An open source system
[ ] Going back to paper ballots
[ ] A paper trail
[X] A receipt that a voter can take home
[ ] A poll test
This won't work because:
[ ] It will be hacked
[X] Someone with sufficient funding can buy votes
[X] Voters won't take the time to do this
[X] Costs too much
[ ] It benefits Republicans
[ ] No way to verify code on the disk is code that was open sourced
You are:
[X] an ivory tower elitist who doesn't understand the problem at hand
[ ] a criminal mastermind
[ ] Stupid
What is the proof of responsibility and how valid is it?
Unless the voter is expected to write in the various options (that's stupid), or the ballot forms are randomly generated (that's expensive), it would be easy for anyone who voted to check whether your receipt matched his/hers.
Unfortunately, from the video, I cannot tell which approach they are advocating.
They explain that it's impossible to determine how somebody voted without the other half of the ballot.
http://punchscan.org/demos/election/
http://video.google.com/videoplay?docid=-7236791207107726851&q=hacking+democracy
I'll sell my vote for $500, you can even verify it with this hole thingy.
The slideshow is a little opaque, but the concept is you can't. The only way you can tell how the voter voted is by having both pieces of paper. (Look closer at the paper being shredded. While there is a mark on it, it was the piece of paper the voter kept that indicated whether that mark was for A or B.)
Their website has a .pdf on it that explains how it works better than I can...particularly because I'm still trying to wrap my head around it.
That's retarded. If it can be done, someone will do it.
Trust me, you are far better off with a system where "they" can't know that you didn't vote against them. They may still break your legs anyhow, but they'll never know how you voted.
BTW, I think breaking your legs is against the law too. Lots of things are against the law.
Laws solve no problems. Laws only provide the means to legally punish offenders, if they are caught.
This issue is a bit more complicated than you think.
Many people here have pointed out the uselessness of this method, not to add the
social pressures it may cause in communities or groups where things have a
to happen a certain way if you know what I mean...
To add to that I can see no place where cryptography is used other than possibly
trying to determine the probability that on any particular ballot card Party A
was on the right or the left, that's just simple probability theory nothing else.
Arash Partow's Philosophy: Be a person who knows what they don't know, and not a person who doesn't know.
Like counting people barred from voting as part of the population in redistricting calculations isn't cheating? Or imposing burdensome ID requirements? Or barring people from voting on the basis of *similar* names to those of felons? Or changing the distribution of voting booths to make your supporters able to vote faster than your opponents' supporters? Or how about confusing ballots? When it comes to elections, the appearance of impropriety is improper itself. Or what about approving voting machines which fail to meet basic security standards? Are any of these actions ever part of an ideal election?
Inventions have long since reached their limit, and I see no hope for further development. -- Frontinus, 1st cent. AD
If you can show how you specifically voted outside the voting booth, then you can sell your vote or (arguably) worse can have your vote coerced away from you.
You want to see how you voted, then print a paper ballot from the machine that shows---IN PLAIN TEXT---what your vote was. Place that paper in the ballot box. The paper is anonymous. You don't carry home a receipt. If the vote needs to be recounted by hand any volunteer with an 85 or higher I.Q. can be employed to do a manual recount based on the plain text version to compare against the ballot box's count of bar codes. If they don't agree, something went awry.
This is simple stuff. We don't need encryption, web 2.0 interfaces, juggling monkeys, or moon rock sculptures! We need 3 things:
1) a way for the computer to count fast (barcode or some such)
2) a way for the voter to see what he's voted for (plain text on the same bar coded ballot)
3) a way to do a manual recount for verification (see "plain text" comment above)
Tom Caudron
http://tom.digitalelite.com/
-Tom
...that it is almost certain that American voting authorities would have no interest whatsoever in adopting measures to ensure the integrity of the electronic voting process.
Electronic voting has fairly demonstrably been adopted for the express purpose of more easily committing fraud.
Anyone who is interested in ensuring genuinely honest voting should, in my opinion, advocate a return to non-electronic paper voting, with the vote counting being performed in a completely open, monitored, and transparent manner.
Remember, the ballots are numbered. So the printing process has to run off X variations where X is the sum of every candidate running for every office listed on that ballot.
And the ballots cannot be numbered sequentially. Or it would just be a matter of checking what version of the ballot was in that sequence. This can be done with friends and family who are already going to vote the way you do. Just stagger their voting throughout the day.
This system also depends upon a computer to remember which windows were associated with which letters on which ballot number. Any failure in that and these ballots cannot be hand-counted or verified in any other fashion.
This is stupid. Rather than go through all of that, why not just focus on getting the basics done and done right? Leave "verified" voting until after we've managed to identify who can vote and that their votes are actually counted.
(S)he is right, this is complete snakeoil, and the discussion thus far is inane.
I agree. If your vote was counted wrong, there isn't anything that can be done about it. If you believed your vote was counted wrong and it could be changed if in error, there would be the problem of folks claiming their vote was counted wrong to tie up the process of acting on the election results. For example, if vote verification was implemented today in California, and people had the ability to contest the election, Proposition 85 (which would require parental notification 48 hours prior to performing an abortion on a minor) would never be resolved. If the proposition didn't pass, extreme right-to-lifers would contend that their votes were miscounted just to tie up the system. If it passed, the extreme pro-choicers would contend that their vote was miscounted. To avoid this possible debaucle (sp?), challenging votes cannot be allowed, thus, what is the point of verifiable voting?
Of course, I could be missing something - please enlighten me if so.
I mean really... it's too easy to be adopted... and you would be able to have recounts... no go from the gitgo
It looks like they addressed the sticky problem of having a husband/boss/union demanding you vote a certain way then verifying it. Check it out before freaking out over this scenario.
However they solved the wrong problem. The problem is not that a solution like this did not exist, the problem is that the government does not want it. We cannot even get Diebold to print out a paper trail or get their software certified legally (they sneak around and use uncertified patches at the last minute).
The real problem is this stupid obsession we have over knowing the results of the election NOW. We want to go to bed knowing who won (although that did not go so well in 2000), and damn everything else. If we could just wait a day or so and let paper ballots be counted we would not have these issues. Sure paper ballots could be miscounted but there are more eyeballs, and it would certainly be harder to pull off a massive fraud like what would be trivial with today's Diebold machines. But (1) we want results now, and we want computers involved because we KNOW those cannot be wrong and (2) the government seems to like this idea of unverifiable votes.
Finkployd
So, we have a vote that is logged somewhere that is matched to a ballot. Then we have the server logs that will connect the ballot (with vote) to an IP address. That IP address will be attached to an account at the ISP.
Basically, if you check your vote, your vote can be determined... trivially. Or at least that vote from that household. Which is "good enough" for profiling purposes.
One of the whole points of crypto has just been circumvented. Nice job guys.
I love it, the appearance of impropriety is improper itself.
How about the willful manipulation of the appearance of impropriety is a severe attack on our democracy, and should be viewed as seditious.
Really, all this stuff is in the noise, and is a complete distraction. Consider how much more variation there is due to the weather or the press incorrectly calling the election for Gore.
The real wackos think someone might actually rig the voting machines. As if a political party would have so much stake in one election/candidate they would be willing to risk destruction of the entire party. Jeez.
Ed Barbar, President and General Manager, Furnit USA
Of course, this doesn't prevent traditional vote-tampering methods from working, like
- TV commercials scaring voters about the other parties, or
- politicians making bogus promises, or
- dead people voting (as long as people with their names show up to vote), or
- election departments not providing enough voting machines or ballots at heavily-one-party-dominated precincts, or
- election officials invalidating registrations of people in the wrong party, or
- police harassing motorists in black areas on the way to the polls, etc.
But at least it's better than Diebold.
Bill Stewart
So they punch your card and after you vote 5 times you get a bonus vote? Sweet, I hope they make me a moderator.
Good lord! How is it that 70% of people have completely missed the point?
This system DOES NOT allow ANYONE to see WHOM you voted for.
That's right. NO ONE short of the people in charge can see who you voted for. Your boss can't make you prove it, nor can your spouse, or whoever else.
All the ballot half you keep records is that you voted A, B, B, A. All you can verify online is that your vote was recorded as A, B, B, A. Because the ballot choices are randomized, no one can tell who A was for your particular ballot. Ahh, but I already hear the tin-foil brigade saying: "But the people in charge can check!!" Really, how? The ID # of your ballot isn't recorded next to your name in the voter rolls, I suppose someone who had access to all the decryption keys could fingerprint each and every ballot, but anyone who can get ahold of any of the paper ballots can do that now. It is no less secure than any traditional method of voting, and superior in a vast number of ways. As long as a few percent of people check that their votes match what they recorded, elections will be a lot closer to tamper-proof.
How did so many people fail to figure all that out?
My rantings, only longer and with better spelling..
The problem was never "I need to be able to verify my ballot while others can't". That is a very easy thing to do.
The problem is "I need to be able to have faith my ballot was counted properly, while being unable to prove to anyone (or have proven by anyone) that I voted a particular way".
You have solved nothing.
-- 'The' Lord and Master Bitman On High, Master Of All
I guess this will be the first study of how many people really don't RTFA.
For the love of god, this is simply snake oil, I don't know why some asshat is modding the insightful posts down. You cannot verify your vote using this method.
Mod him up.
The machine doesn't keep the "printed" ballot configuration. Instead, it randomly generates an equivalent imaginary ballot such that if you know which side you voted for, your vote will be counted the same on your printed ballot. The trick to protect secrecy is that they allow election officials to check only one side for any given ballot. Don't know if that could be enforced, however.
I once had a signature.
By the way, in their terminology, a "side" is the box that you color your vote, painting through the top and bottom sheets.
I once had a signature.
Imagine for just a moment, that the elections in 2000 and 2004 had been just as they were; but with verifiable voting in place. Yes, all those things you mentioned are reasons we should not allow the process to get tied up in what would surely be an exercise in poor sportsmanship.
What we had were polls that were drastically different for the first time in our country's history. Were votes changed with bogus electronic voting machines, as some say? Were pollsters lied to en masse by voters, claiming to support Gore/Kerry but secretly voting for Bush?
There are a growing number of people who feel there is enough evidence to conduct an investigation even without verified voting. If we had had verified voting, one way or another, we would not be having this discussion today -- either we'd have a solid answer supporting the Bush presidency, or we'd be having a revolution. That is your safeguard against abuse -- if the discrepancy isn't worth a revolution, then it has no value.
~Rebecca
Cryptography is all about probability, really. When you use hash functions like MD5 and SHA-1, you're counting on the low probability of collision. When you encrypt something, you're counting on the ciphertext being in a way that your probability of guessing the nature of plaintext is the same no matter how you guess it. A ciphertext that simply looks like random noise isn't enough.
I once had a signature.
Exactly the problem. The very reason that votes are typically retained by the people who conduct elections and copies are not sent home is to avoid vote-selling and worse, intimidation. As a basic upshot consider the problems of a few decently-armed thugs going house-to-house and pointing guns to people's heads to confirm that they voted the right way. Given enough terrified individuals you can easily manipulate a local election if not a national one. If a sufficient number of thugs can be rounded up (and historically they have) then this crypto protocol can be an invitation to abuse. Some people might argue that this would be eliminated by making it secret but as long as the vote can be verified then more than one person can verify it.
Electronic voting has fairly demonstrably been adopted for the express purpose of more easily committing fraud.
First, I agree with you that voting needs to be open and verifiable. That's probably the only thing 91% of the electorate agrees on.
But I'm not sure electronic voting fraud on a national scale would be all that easy. Not all the voting machines are made by one company and the voting process can be quite different place to place. Though I'm sure cheating here and there has occurred, fraud on a massive scale takes people cooperating. The more people involved, the more the potential one of them will get cold feet or attack of conscience and squeal. I'm not sure there are a lot of people willing to risk trading their country club membership for federal prison to help Karl Rove.
Besides another potential problem with counting on people to cheat in elections is what happens if they decide to cheat on you?
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
This is the same ancient idea, with the same ancient problems...
It allows for extortion and buying of votes (others can verify who you really voted for).
There's no guarantee that the machine verifying your receipt is accurately reflecting how your vote was really counted, as opposed to counting all votes in reverse.
It does nothing to stop dead (or phantom) people from voting. They aren't going to complain...
You must be new here...
"..."
The problem with this method, if you read through the PDFs, is that it rests on the secrecy of the final form of the ballot. If this is perfectly secret, it is indeed impossible for the voter's receipt to prove how they voted. However, if the form of the ballot is NOT secret (i.e. someone votes, looks at the ballot and reports that to someone outside the polling station) then it's entirely possible to recover how the person with the receipt voted. The problem with this whole method is that the "secret", i.e. the structure of the ballot, must necessarily be public. The potential solution to this is to make random variants of the ballots (like tests where there are multiple copies with the same sets of questions and answers, but in different order), but then the vote is not necessarily recoverable and this reduces the transparency of problems like the infamous Florida butterfly debacle. Then again, at least the votes would have been more evenly distributed among non-Democratic candidates...
Basically, this whole system does not seem terribly impressive.
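The disagreement in this thread (a receipt such as "A, B, B, A" reveals nothing because the ballot is randomized, versus a receipt revealing the vote once the ballot layout is known) can be checked by enumeration. The following is an added example, not code from the posters or from the Punchscan project; it assumes a simplified one-contest, two-candidate ballot with a top sheet (letter printed next to each candidate) and a bottom sheet (letters visible through two holes), and all function names are hypothetical.

```python
from collections import defaultdict
from itertools import product

# Simplified model (assumption): one contest, two candidates, letters A and B.
# top    = letter printed next to candidate 0 and candidate 1 on the top sheet
# bottom = letter visible through the left hole and the right hole
ORDERS = [("A", "B"), ("B", "A")]


def layouts(randomize_letters=True):
    """Every equally likely ballot layout as a (top, bottom) pair."""
    tops = ORDERS if randomize_letters else [("A", "B")]  # fixed = publicly known
    return list(product(tops, ORDERS))


def cast(layout, choice):
    """Mark the hole showing the chosen candidate's letter; return both sheets.

    The dauber marks both sheets at once, so each sheet records which hole
    position (0 = left, 1 = right) was marked, plus its own printing.
    """
    top, bottom = layout
    hole = bottom.index(top[choice])
    return ("top", top, hole), ("bottom", bottom, hole)


def consistent_votes(sheet, randomize_letters=True):
    """For each possible receipt, count the votes per candidate that produce it."""
    table = defaultdict(lambda: [0, 0])
    for layout in layouts(randomize_letters):
        for choice in (0, 1):
            top_sheet, bottom_sheet = cast(layout, choice)
            receipt = top_sheet if sheet == "top" else bottom_sheet
            table[receipt][choice] += 1
    return dict(table)


def leaks(sheet, randomize_letters=True):
    """True if some receipt is more consistent with one candidate than the other."""
    counts = consistent_votes(sheet, randomize_letters).values()
    return any(c0 != c1 for c0, c1 in counts)


def recover_vote(top_sheet, bottom_sheet):
    """With BOTH sheets the vote is determined (why one sheet is shredded)."""
    _, top, hole_top = top_sheet
    _, bottom, hole_bottom = bottom_sheet
    if hole_top != hole_bottom:
        raise ValueError("sheets do not belong to the same marked ballot")
    return top.index(bottom[hole_top])


if __name__ == "__main__":
    for sheet in ("top", "bottom"):
        print(sheet, "sheet, letters randomized per ballot: leaks =",
              leaks(sheet))
        print(sheet, "sheet, letter assignment fixed/known:  leaks =",
              leaks(sheet, randomize_letters=False))
```

In this model a kept sheet is uninformative only while both the letter assignment and the hole order are random per ballot; it does not model the election authority's tables or the audit.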
>No, I disagree that that system works (again, I haven't RTFA
It's auditable, unlike certain other systems that have actually made it to the field. Machines that cheat can be detected.
The real problem is the one shown by the discussion in this thread. Even career computer people (both the posters and the moderators) can't understand what the security properties are. Understanding how the security properties are met requires some crypto knowledge which is not common among the electorate.
It looks like this system cannot meet the human interface requirement of being understandable enough, to enough people, to have the credibility to make people accept its results.
Shamir's three-ballot system, in contrast, includes no crypto and anyone with a high school education should be able to understand it, but I shudder at the thought of explaining it well enough to reach the bottom decile of the electorate.
Fascinating... the liberals have been fixing the vote so that they themselves lose the elections? No doubt it's all part of their devious strategy to avoid responsibility for the Iraq debacle by keeping themselves out of power. Those wily bastards! They won't get away with it this time, though, the GOP has their number for sure!
And don't even get me started about the press losing elections... those sorry saps blow it every time, usually by forgetting to declare their candidacy.
I don't care if it's 90,000 hectares. That lake was not my doing.
Definitely. I've just gone and watched the demo, and read a bit about it. Good on these people for coming up with a system where it's (apparently) impossible to prove to anyone else who you voted for, yet still allows for someone to be able to verify their vote to some extent. That said, I still think that trying to solve this is really trying to fix the wrong problem.
The only reason receipts are wanted right now is because some voters have a lot of doubt about whether their vote was counted correctly. The problem could be solved much better by fixing the cause rather than trying to treat the symptoms. Letting people have receipts won't actually improve the validity of the election, anyway, it'll only help people feel better about themselves. It certainly doesn't mean that a reliable recount can take place, because the vast majority of people will never check their vote, keep their receipt, or bother to return it on request. At best it'll indicate that there's been a problem with the election, but it's not as if we don't already know that, and it hasn't taken voter-only-verifiable receipts to figure it out.
Trying to do something this complex on the scale of a national election, or even small elections that involve a typical cross-section of the general public, is asking for trouble. An election is trusted because it's kept simple, and the people who vote can see and have a reasonable understanding of how it actually works. People can understand the concept of writing a vote on a piece of paper, dropping it in a secure box, having trusted people empty the box and count the votes, and allowing other trusted people to observe the process at all stages.
Tying the whole thing into computers, digitized logic hidden inside electronic machines, abstract metaphor (such as dragging and dropping virtual objects), and abstract automated counting methods, reduces the number of people who can understand the entire process, let alone any of the process, by orders of magnitude. It just opens up more possibilities for misunderstanding, confusion and concerned citizens who no longer trust the process.
Perhaps this system can be used for other things, but I really hope we don't resort to using it in large scale elections. There are so many other very basic things that need fixing first, and I'm skeptical whether anything like this will be beneficial once the root causes of the problems have been dealt with.
No.
True, the system doesn't allow people to sell their vote, but it doesn't allow people to actually verify their vote either. As I mentioned in a previous post:
Basically, the method you describe only lets me verify that the ballot was thrown into some machine with the left side marked or the right side marked. It then counts the vote as being for Al Gore or George Bush based on some machine which matches my ballot (left or right side), with the machine's knowledge of whether left or right means Al Gore or George Bush. But how do I know that the cheating doesn't happen at this stage? It would be very easy for the machine to count all votes as being for George Bush regardless of what the bottom half of the ballot says (because the bottom half of the ballot has been destroyed).
This is just a more complicated voting system with the same problems (lack of verifiability).
It claims to get around this by some auditing process. But we can already have auditing (probably the simplest being hand count the paper ballots and allow the candidates to have people look over their shoulders). Or use open source voting machines. So this process is silly -- the actual verification happens at the auditing stage done by the candidates which is already possible.
Deconstruct the State
You're right. However, this system has a more basic issue: A generalized variant of the "Stroop" effect as we call it in psychology. People expect consistency. This system relies on randomization of both "letter" assignment (A. or B. to choice 1 or 2) and randomization of side (A or B is on left or right). This is a clusterfuck in the making. People expect the first choice to correspond to the leftmost option, and that the first choice will be choice A. Always. Furthermore, on a ballot, people expect item to item consistency. If Democrats are first, they need to be first the whole way down. I know it takes just a little attention and control to flexibly and correctly deal with a randomized ballot, but people will unquestionably botch this badly. It will make 2000's "butterfly" ballot look trivial in comparison. It's an ingenious system Chaum has devised...but it needs to really be thought about how to present this to allow people's "automatic" mapping between option and response to be the expected ones.
I looked at the ballot for this year's elections, and guess what? There was no one I wanted to vote for. No one. Frequently, the two candidates in a race are competing to see who can screw me over the worse: Candidate A says he wants to revoke my U.S. citizenship, for example, and Candidate B says he wants to throw me in jail for life (in both cases, for thought crimes).
Why would I want to vote for either one?
My ballot will be nearly blank this year - and even the one person I'm voting for, I'll have to hold my nose while I do it.
The two parties in the US have collaborated to deprive the people of any real choice. Surely there is a reason why voter turnout rarely exceeds 50% - everyone knows that they are not going to get any real representation, whatever choice they make.
I like the idea of "absolute representation", where each person gets their own personal representative, and that representative serves both as an ombudsman, and casts a number of votes in Congress equal to the number of persons they are representing. Besides the obvious question of whether we could actually get this enacted, the question comes up, how could the voter and the representative verify their connection, while keeping this information sufficiently confidential?
Also, if we could do this, we should also return the election of senators to the respective state governments, in order to regain the system of balances that has long been lost.
I'm tired of not having any representation in government.
Well, if they handed you the exact ballot to vote, shouldn't the results come out the other side the same? If people voted exactly the same down the entire ballot their outside keys should match...doesn't matter how it is scrambled, unless they do some scrambling via your specific key.
I posted this on Slashdot a couple of months ago... How different is the concept?
http://it.slashdot.org/comments.pl?sid=192817&cid=15828335
No sig. Move along - nothing to see here.
Election fraud is not limited to "rigging the voting machines"; in fact, the most likely fraud scenarios take place after the votes have been cast. It sounds like you're assuming that election fraud would have to be coordinated by an entire political party, but that's unlikely for obvious reasons.
I don't see much of an opportunity for tampering with vote totals once the votes hit the state-level, but do you know how many opportunities (and how easy it is) to tamper with vote totals before they reach the state-level? Do you realize that the same people who have those opportunities also have an opinion, one way or the other, on how the election should turn out? Would you blindly trust each and every one of those people (the ones who voted differently than you) to fill out & submit your absentee ballot? Didn't think so - and that's why people like you scare the shit out of me.
I would explain in greater detail, but since you've obviously chosen to ignore anything outside the pretty picture painted for you by the media, I would just be wasting (more of) my time.
In some ways, I wish I lived in your utopian dreamworld where people and events are always just how the media portrays them. Then I wouldn't have to worry about what's really going on, simply dismissing alternative points of view as coming from "wackos".
How did so many people fail to figure all that out?
How is it that you've been a Slashdot member since at least July and you're still asking questions like this?
Bad assumptions. 1) Ballot Choices in all states are NOT Randomized. Some use National, State, Local and within that alphabetical order, some incumbents first, etc. so for someone to know your vote from the A,B,B, A receipt they just have to know the order. Many states also print up Sample Ballots which could also be used to check up on someone based on the choices on the receipt. 2) Someone else posted that Ohio does associate your ballot number with your name so your secrecy is gone already that way.
I would think some form of PKI could be used to ensure the security and anonymity of your ballot. I don't want to post the idea here until I'm more sure it'll work (and also if it DOES work so no one steals it!!)
It only seems suitable for first past the post voting. How about those of us with instant runoffs?
Classical Liberalism: All your base are belong to you.
My district has roughly 650,000 voters in it.
Let's assume we have the best turnout in a non-Presidential election in the past 40 years: 54%. That's highly unlikely - no one's really contesting in my district (our guy's an old time shoo-in) - but who knows? People might show up.
54% of 650,000 = 350,000, give or take a few.
How long would it take to count 350,000 votes for something?
Let's assume a person can count 1 vote every 3 seconds. Count it out loud. "1. 2. 3." It's pretty slow, actually, but let's be fair: some of our more civic-minded people are also some of our eldest, and they're a bit slow.
So 1 vote every 3 seconds, that's 20 votes a minute, which is 1200 votes an hour.
350,000 / 1200 = 291 man hours.
In 8 hour shifts, that's 37 people. And considering my district is spread out over 30 towns, that's roughly 1 person per city - 2 for some of the larger ones. Find 37 more people and you've even got redundancy.
And that's if you want it done in one day.
How about the Presidential election? 2004 was considered a banner year for turnout. Number of voters? 122,294,978. We'll round it down to 120 million. Again, 1200 votes an hour: that's 100,000 man hours.
8 hour shifts, that's 12,500 people. Again, that's in 8 hours, reading 1 vote every 3 seconds. If you got it down to 1 vote every 2.5 seconds (and trust me, when things are repetitive, it's easy to speed through), suddenly you only need 10,417 people.
You've just laid off 2,100 poll workers in half a second.
There is no reason at all for a backlash against paper balloting. It is quick enough. In fact that should be the motto for all paper balloting:
PAPER Balloting: It's Quick Enough.(TM)
I vote for ABBA every time, is it such a crime for others to know about it?
You make a good point, and I agree with your point that there is a purpose to verifiable voting, but I don't think it should be left to the individual. For example, if I recall correctly, the Gore/Bush vote in Florida was done on voting cards, and the vote by vote recount proved Bush won, even though the votes of many overseas servicepeople (who vote Republican more than Democrat) weren't counted due to missing postmarks. The punch-card votes allowed the votes to be verified. A few overzealous (sp?) people came out and said that they didn't understand the ballot, and thus the punch cards weren't valid, either, causing some court hassles, but in the end not affecting the outcome. To me, this recount and vote verification proved that the system could work, but was too slow, and if left to individuals, was too likely to be abused by those individuals with extreme views.
In my opinion, if we are to use an independently verifiable electronic voting system, it should be an independent auditor (or two or three) that does the verification, not individuals, so that extremists on either side cannot affect the outcome. Additionally, a machine readable paper trail that is verifiable as one votes would be ideal. In the Bush/Gore example, this would have provided a quicker answer to the question of the vote count, and would have probably decreased (but not eliminated*) the skepticism about his victory.
* - there will always be those with extra-thick tin foil hats who think all elections are/will be rigged. No technology will change their paranoia.
This method is vulnerable at the part when you log onto the web site. How can you know the government won't read the information it sends you as you access it?
The point is not to have a theoretically bulletproof system, but one which can be understood and checked by _everyone_.
Let's take a look at the "pen and paper" vote. The one who votes marks boxes on his paper, then folds it and puts it into a box. Then, after all people have voted, they take out those pieces of paper and count them. Then they compare that to how many people have voted. Then they count how many people have marked a certain box, etc....
This is a process I could send anybody there to watch. It _has_ to be public, and it has to be understood by the public. And furthermore it is efficient enough. Despite the complex systems, Germany has official results the day after the election. It takes about an hour to count all the votes, so we are not talking about _that_ much work here.
BTW, there is another serious flaw in the US elections. It's not on a public holiday, so only people who can afford to take a day off can vote.
Great, I know my vote was recorded as A, B, B, A (I hope that wasn't a Freudian slip referring to the music group Abba), but how do I know that when my ballot is counted as A, B, B, A, that the order of the selections used to match up my ballot to my selections wasn't switched?
Anytime that you can separate the selection from the question and choices of answers, you introduce a means of switching the voter's desired selections for somebody else's selections. A big black "X" on a paper ballot next to the voter's selection is foolproof.
I don't give two shits about being able to carry out of the polling place proof of my vote; I want to verify my vote WHEN I CAST IT, by a means that CANNOT be misinterpreted.
Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
Uh, why do you think they want to remove the requirement to have a photo ID?
Ed Barbar, President and General Manager, Furnit USA
You are of course correct in principle, but not necessarily for this method. It seems to allow the ballots to be mixed so that picking the first choice on one is not the same as the first choice on another. The vote-buyer will never know how you voted. (Watch the flash movie at the link.) However, this presents a problem just as bad as you describe... the non-secret ballot. The vote counting people now know how you voted. Well, they would if they tracked the ID number that you keep. That's unacceptable.
Ah, if a poll worker knows what you vote then a vote buyer can too. They can buy the poll worker.
Falcon
Should there be a Law?
http://www.youtube.com/watch?v=TtPiGIqSljE&mode=related&search=
the you tube that still works
http://www.captainsquartersblog.com/mt/archives/cat_silence_of_the_cheese.php
3 1.shtml
Talks about Wisconsin Democrat voter fraud
http://www.newsmax.com/archives/ic/2004/10/19/853
Talks about using crack to register voters.
Ed Barbar, President and General Manager, Furnit USA
While you are at it, count the votes in the container without moving it. Do it in full view of anyone who wants to stay and witness the counting. Those vote totals then become an entry in a big spreadsheet that anyone can see and verify. The individual votes stay private, but the voting precinct totals are now public knowledge. You don't need encryption or tamperproof transport of ballots. Everything is transparent and witnessed.
Bah!
Great, so now about 100 people in a district that went for the opposition create some forged receipts. They claim election fraud and manage to get the entire district's votes invalidated due to "rampant irregularities", swinging the election results and electing their candidate.
People scream paper trail, but don't forget how easily documents are forged. They would have to be cryptographically secure, with a timestamp and possibly the voter's registration number encrypted on the receipt. Only the central election authority would have access to the private key that would be used to validate any claims of miscounts. Of course, you still have to trust the software. Basically the same technology that makes digitally signed contracts work.
This "new" voting system sounds remarkably similar to a system proposed by Ronald Rivest (of RSA fame).
The problem with either system is it requires you to trust a computer.
In the case of Rivest's work, you must trust a computer to do certain logical computations. (Engineers and professors can do them in their head, but 90+% of the public in a given country do not have that skill.)
In the case of Chaum's system, which I believe to be an inferior version of Rivest's work, you must trust that the A and B the computer showed you are the same A and B actually used to tally your vote. It deals with the case of a false scan, but it DOES NOTHING TO SOLVE THE CASE OF DELIBERATE MANIPULATION.
Both systems add practically unverifiable processes to a system that previously didn't have them. (Assuming you were using paper ballots.) As an electrical engineer, believe me that PAPER is the way to go.
Life is too short to proofread.
I'm not sure why you think Punchcard doesn't allow you to do that, but I suggest you read the following thesis:
http://ben.adida.net/research/phd-thesis.pdf
Afterwards, you may have some relevant opinions. Until then, please pretend that the cryptographers designing this thing consulted with a five-year-old before publishing their results.
---
http://tinyurl.com/yfauow, same URL but clickable and valid (the parent has a space inserted into it).
horribly broken, if not obsolete. Unfortunately democracy having many problems as populations become very large and economies become very complex and interdependent, this would partly explain the horrible choices of political leaders in the U.S.
You have many fold problems:
1) People too ignorant to vote, voting
2) People too crazy to vote, voting
3) Too many people voting (redundant voting, think of all people who vote the same way for the same reasons)
4) The fact that all people's votes of equal value is a flawed concept to begin with.
5) Those with extreme power and money can hide their fraudulent actions from public scrutiny almost with impunity, hence the paranoia. How would you know if votes are counted (correctly and that the votes themselves are those of valid people) outside your local district if you cannot check yourself? How can everyone check on everyone else? It's not an easy problem to solve.
Lastly, you have the problem of "democratic theater", government actors lying to the public about problems instead of facing the seriousness of their problems, but it's not easy as "it's their fault" it's as much a side effect of mass ignorance of populations as well.
Note to xquark: Read The Fucking Article next time.
"I clearly don't see how this new 'automobile' thing could ever help anyone! I've been riding cattle for the last ten years, I know what I'm talking about, and from your brief transportation of this new 'automobile' concept I don't see what's so useful about it. Sure doesn't sound like the wave of the future you claim it to be at all! No, of course I don't want to learn about it! It's obviously useless, why would I want to learn about it!"
That's what you sound like right now. Don't lecture others about things you don't know about. The guy who's publishing this report did the research. He had a whole team do research and figuring. For months. You just pulled some stupid assumption out of your ass. I guess that would explain why he's leading a team at Princeton and you're not.
There seems to be one thing missing from the whole thing: write-ins. How do you write in a vote for a candidate that's not on the ballot? A common way of having "elections" in a dictatorship without seriously jeopardizing anything is to disqualify anyone who poses a serious threat to unseating the government in power (see, for instance, Iran). The ability to write in a vote dilutes this power.
Vote for me and I'll give you a tax break.
Indirect pay off already happens.
Democracy Now! - uncensored, anti-establishment news
July '01 maybe ;) It just blew my mind. I would have thought that with everyone 'round here bitching about electronic voting people would have jumped on this like it was the greatest idea since sliced bread.
I guess I was just shocked, that's all.
And for the record it's a pretty good idea.
My rantings, only longer and with better spelling..
What's worse than listening to a bunch of self-righteous people yammer on about a subject they obviously know nothing about? Not much.
If you examine the process (go to 'learn more' and view the videos), you'll see that it's impossible for anyone to know who you voted for but you (and even then, it's up to memory, all you can verify is that they counted the hole you punched correctly, you can't actually have it display what that punched hole meant in terms of who you voted for.)
Don't have the time to watch a video on it? Too busy? Fine. But don't act like you know something about it.
The first? haha. YOU must be new here :)
:P
I guess I just expected slashdot to be all over this like it was the holy writ of God/Buddha/Whatever else. It's a pretty good idea. I don't know why people are faulting it for:
a) not solving every single problem. Hell it solves a few, let it slide. *nix wasn't perfect instantly. or
b) not understanding a very simple concept because they didn't RTFA.
I guess I was expecting far more positive comments. Silly me, I must have missed the part of 'TA' that said it came from Microsoft
My rantings, only longer and with better spelling..
There is NO WAY to hand count these ballots.
The relationship of part A to part B must be kept on a computer. There's no way to count them otherwise. They don't have a complete vote on either part. The computer has to have been programmed with what letters correspond to which candidate on which ballots. And since having that information PUBLICLY AVAILABLE would invalidate the entire rest of the process
Which brings us back to the issue of whether we trust computers without a paper trail in our elections.
Since I do not trust computers without a paper trail, why would I trust some scheme that depends upon computers without a paper trail? And a bunch of "ink cover paper" is not a paper trail.
PAPER ballots could be validated using encryption. Then ballots could not just be printed and stuffed. It would also be cheaper than having special ballots, normal paper could be used.
Money should have something like this in it for fast validation. Public key encryption would work.
Counts should be done by hand; if ballot stuffing happens like in Mexico you have something to fall back on.
Democracy Now! - uncensored, anti-establishment news
The entire system depends upon computer voting systems without a verifiable paper trail. I thought that this issue was settled already, but apparently it is not.
... and you can verify that the machine counted your vote marked in the 4th window on the ballot.
In this scheme, your ballot has a part A and a part B. Neither of the parts has a human readable vote on it.
A computer is required and it must have been programmed with the relationship of your particular ballot's part A and part B. That means that on your ballot, the computer knows that selections A, B, C and D relate to John, Paul, George and Ringo, respectively.
Now, this relationship information CANNOT BE MADE PUBLIC because if it was, your vote receipt would be able to be used by anyone to confirm how you voted.
Since the information in the system CANNOT BE MADE PUBLIC, we are right back to the current Diebold situation. All it takes is a minor change in the programming that CANNOT BE MADE PUBLIC and the votes are going to another party. And this is, by design, UNVERIFIABLE by the public.
So, you vote this way, you follow all the instructions
It's up to whoever programmed the computer to decide who your vote will count towards. And, by design, you'll never be able to validate that.
I assume that the order is consistent within ballots, but randomized between voters.
The reason you don't want to do this is that with a system like this, buying and selling votes becomes possible. Up till now this practice is rendered useless as the person buying votes can never be sure of what his money actually gets him (this is not to say that some people won't try it anyway).
Your points are based on problems with the current voting system in some states. This is suggesting a NEW voting system. So yes, order would have to be randomized. This is a change that would have to be made. I don't see the problem..
BTW, there is another serious flaw in the US elections. It's not on a public holiday, so only people who can afford to take a day off can vote.
While elections are on a workday, by law all employers have to give workers time to vote.
Falcon
Should there be a Law?
Exactly. Voter-verifiable voting is not the issue. Ideally, you want to be able to verify your vote but not prove your verified result to a third party. This is a very difficult problem, and I don't know of any solutions.
If you want to keep your vote secret there is no way to verify the vote. If you can verify the vote then someone can verify with you to make sure you voted the way they said to vote.
Falcon
Should there be a Law?
For voters to trust the system, they need to be able to verify with their own eyes that the system is reasonably secure. Paper ballots and locked boxes work. People understand physical security.
Don't obfuscate the issue. Secure voting needs a voter verified papertrail and random auditing. The rest of the process will always be a black box to most people because 99% of the voting population don't understand computers, let alone cryptography.
What really annoys me is that Diebold already know this. Banks DEMAND paper-trail audits from their ATM machines, voters need to demand paper-trail audits from their voting machines too.
It's pretty clear that both incidents were poor individual decisions, as opposed to an order that came down from the Democratic party (e.g., "Kerry just called, he wants us to slash the tires on a couple GOP vans. Let's move."). The guilty parties were subject to due process of law and received the appropriate punishments, so the system worked. Are you trying to say that those two incidents are indicative of general Democrat behavior?
Remember when the CEO of Diebold wrote a fund raising letter promising to "deliver Ohio to Bush"? That seems a little bit more important than those 20-30 votes (that were never actually cast) referenced in the two articles you linked.
That's like an NFL referee, right before the SuperBowl, sending a letter to one of the team fan clubs saying, "we promise to deliver a victory for your team".
You still don't understand the system, and have gotten bogged down with just one feature of it. This system also can be audited in such a way that it verifies that votes in total were not switched and actually counted as intended. Being able to verify your vote with your receipt is just one part of that system. It verifies that there was not an interpretation error, which other systems DON'T give you. Your big black X is far from foolproof. If it is read by a human he can easily make a mistake and put it in the wrong pile, either deliberately or by mistake. You would never know. If it is read by a machine, then the machine can make a mistake reading it. If it is a punch card, it could have been misread. If it is a mark sense card it could have been misscanned, etc.
If the mistakes above were innocent, well that is inevitable, and you would not know. But if they were fraudulent, you still would not know. The punchscan is better because you can see the interpretation of your marks at the polling place, which locks them in, which is far better than placing a ballot into a scanner and having no idea whether or not it was scanned correctly. Then you can once again verify that your ballot was interpreted correctly and properly included in the final tally at home. If a few people have receipts which show errors, then that is tolerable, due to the fact that nothing (even your magic black X) is perfect. They most likely didn't verify the marks at the polling place in the first place. But if there is fraud there will be a LOT of people with mismatched receipts. That is what keeps things honest. Many people won't check, however, the interesting thing is that if people start declaring fraud, more people will check their receipts and more people will audit the election results.
Your issue with the switching of the interpretation AFTER the ballot has been cast has been addressed by this system also. It involves cryptography (cryptological "commitments") and auditing before and after the election. Auditing that you can actually choose to do if you want to (e.g. even if you don't trust other people's auditing software you could actually write your own, because the whole process is completely open).
There are multiple levels of detail at the site, which you obviously have not read, but that is not surprising, given that this is Slashdot after all. There are details that you can get which I won't try to go into here, but in an attempt to simply explain the system of commitments and auditing they offer the following analogy at the website. Note that in the below quote, consider the "table where all rows are sealed" as the state of the random ballots BEFORE they have been cast. The "switch" they are talking about is the same issue that you are talking about. It might not completely satisfy you, but at least you may understand that they have addressed your issue, and if you really care to understand it in depth, the details are there if you look deep enough:
1) HOW DOES ONE CORRECT ERRORS? Just dealing with people who don't remember correctly thinking it or they messed up would be a nightmare.
;-)
2) Letting you see what you voted doesn't say what was actually counted in the county tabulator software.
Exit polls point out problems in a similar fashion and have similar problems. (They were made illegal here because they worked in pointing out problems... but have been ignored when they mattered.)
3) Statistical Sampling
Non-expert polling will result in more upset people: "friends & neighbors didn't match the results"
Do whatever 'secure' thing you want, but give me root on the tabulator
3) Hand recounts are not possible
4) Ballot stuffing is still possible (easy enough to fix that)
5) Still trusting the hardware, OS, libraries, compiler, sysadmin, vendor, support people to be honest. Where there is will($$$) there is a way comes to mind...
6) Loss of tables destroys an election (many backups...)
7) Leaking of the obscure tables would break it.
Democracy Now! - uncensored, anti-establishment news
Head of (Household, Gang, Union, Department whatever organisation legal or not)
"Ok, now that you've voted, show me that you voted the way I told you to."
Yes there are ways around this, but they do need to be implemented so that a person cannot be forced to prove that they voted in a given way.
D
http://davesboat.blogspot.com/
I remember one of my computer science professors telling us in college about what I believe was a journal article from the 1970's discussing electronic voting. The way you do it is a two stage process. People vote on the machine. It then prints out a paper ballot that has machine readable code and human readable type indicating your vote, all on the same ballot. You do not get to touch the ballot. It prints up behind a glass screen. There is a red button and a green button. If you approve your printed ballot, you press the green button and you see your ballot drop into the sealed ballot box, and your vote is tallied in the machine. If you disapprove you press the red button and see your ballot get shredded and your vote is not tallied in the machine, at which point you have the opportunity to restart the process. The first official count is recorded and tallied by the machines you vote on. In the event of a recount, you have the choice of scanning your printed paper ballots by machine, human recount, or a combination. Because the ballot boxes are only needed in the event of a recount they can remain sealed until such a count.
This solution has been available for more than 30 years. If anyone is making electronic voting machines that do not allow a human verifiable recount, the only possible reason is that they want to leave the possibility of fixing an election open. Which is not to say this technique isn't open to tampering, but it is no more open than paper ballot systems, unlike the contemporary electronic voting solutions.
Replying to myself. I know. Sin!
:)
An addendum to my first post for everyone who says: yes but they could still hack the software etc..
True, but that is just as possible with paper ballots (you don't think they count those by HAND do you? They've been feeding 'em through a scanner for years now..), punch ballots, and far MORE likely with fully electronic voting. Like I said, with good software (i.e. posts what was actually tabulated for your vote, not what your vote was scanned in at, although still easily hackable) at least it would be a new take on the same process. It also opens up the process more. Heck maybe it could even be done with OSS!
My rantings, only longer and with better spelling..
yes, YOU voted the democrats... but 99% of the rest voted the republicans
very special simpsons reference: edgar neubauer
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
How do you verify that the computer readable code matches the human readable type? How do you know that the machine actually tallies your vote properly? This scheme assumes that fraud can be detected without actually giving a reasonable procedure for doing so.
I don't get it. If nobody can prove who you voted for from either sheet, how can you ever know your vote was counted _correctly_? Sure, you can check that your vote has been included in the count...but what if it were counted as a vote for the wrong candidate? I find that a much bigger problem than other people being able to know whom you voted for.
Please correct me if I got my facts wrong.
You missed the point. That's just electronic vote counting - that's easy. This is voter-verifiable vote counting - you can verify after the fact that your vote was counted the way you voted it. Doing this, without revealing to anybody else how you voted, is tricky - but it's possible.
Just because you can verify your vote was counted correctly, says nothing about the anonymous abstainers (who typically outnumber voters by 3:1) in whose name votes may have been falsely cast by the cheating party but who by definition aren't going to check anything.
Receipts, if they are given and if they show for whom the holder voted, must be readily forgeable. Unless a person can with 100% plausibility pretend that they voted for a different candidate than for whom they really voted, a receipt provides an opportunity for voter coercion. (Even abstainers should be given a receipt, since an abstention is a valid vote. Compulsory voting only makes people vote along the wrong lines; a savvy party could win an election on compelled votes alone, by fielding a candidate with the right charismatic qualities.) Of course, this reduces a receipt to mere proof of having been entitled to vote; but with Universal Franchise, such proof is redundant anyway; since the holder -- by virtue of their existence -- is entitled to vote.
Voting receipts are a smokescreen. They mask the symptoms of a problem without addressing its root cause. As long as any technology is used in the process of an election which is beyond the comprehension of a school-leaver with passing grades, and as long as there are any secrets -- beside who voted for whom -- anywhere in the process, there will be unfair elections.
Je fume. Tu fumes. Nous fûmes!
I still don't understand why manual, scrutinised counting of paper ballots at the polling place is impractical.
That's why I said one possible recount you could do is a combination machine/human recount. Just pick a random sampling of ballots and verify the machine code matches the voter verified text. Once you've convinced yourself it's statistically unlikely that the machine code isn't matching the text, you can save time by scanning. That is one of many forms of auditing possible with this system.
I didn't miss the point. I just didn't bother pointing out again what others have already: it doesn't add anything. The technique in the article doesn't make me feel any more secure that my vote made it to the candidate I chose, and without that I just don't care. Introducing a layer of abstraction just moves the problem of verification. It doesn't alleviate it. What does it mean to me that I get my pattern of choices back without any verifiable connection to what those choices actually mean? I think the hope is it would confuse people enough that they would think it actually means something.
I would much rather talk about something that adds meaningful recounts to electronic voting, yet still opens the door to the efficiency benefits, and does in fact include a voter-verified step to back up the results produced.
I don't vote. It only encourages them.
And the more times I vote, the more stubs I have to verify the tally system, thus ensuring even more the integrity of the system.
I am anarch of all I survey.
It's incredible how many people would flunk computer security 101. One of the most fundamental rules is that you can not trust a compromised machine, ever. Unless there's some non-electronic evidence of how you cast your vote (not just that you cast a vote), the computer could claim anything happened. Clearly we can't let the voter take the vote home, nor can we let anyone else know what happened in there. It can only be solved in one way, by installing a printer in every voting machine and let the voter verify that the physical ballot matches the vote.
Clearly there's a few more things you need to do, like ensuring that you don't give your id to the voting machine, one vote per voter, that these paper ballots are concealed before next voter and possibly the order physically randomized so the order can't be matched to the people entering the cubicle, but I'm leaving out the details. Most of these are solved by getting a vote token rather than a ballot anyway. But if you do not have a paper trail, you have already lost since there's no possible way to prove that a vote ended up with the right candidate.
The next question is, how would you like to make sure the electronic count matches the paper count, without actually doing hand counts. My suggestion: On each vote, print voting machine id, a random vote id and poll option with a digital signature (remember, these have no connection to any voter). These IDs are essentially public. So you have a list of 100 million lines like "Machine 2342343 - Vote 325432432 - Option 5 - Signature 4534643642523423423523632653252". Then after the election, pick any sample you want to validate and bring in an OCR machine. Checking a few thousand votes should be statistically enough to ensure no tampering has taken place.
These votes can't be forged, can't be duped, can't be miscounted unless you had the original voting machine, someone on the inside to fix the electronic vote and someone on the outside to replace the paper votes. In that case, you're pretty much screwed under the current system as well. No one aggregating the data would be able to fiddle with the numbers either. Basically, you have 100 million electronic votes that you can verify against 100 million little pieces of paper, which are true because they've been verified by each voter personally. You can't trust a computer who'll say 2+2=5 if it has been programmed to.
What are the sources of error? Well, there's printer jams but beyond that, I don't see any. These should all be reported upstream anyway, and you couldn't get away with much even if you put in a "if ( vote_we_don't_like ) then jam printer" in the code. Even that you could probably stop if the vote was not officially counted until the physical print was accepted. You could still have the physical ballots disappear, but that's no different than today. Plus you'd have no "doubtful" votes, either it is a vote or it isn't (unless someone accepts an almost unreadable print, I guess). Hell, even the people that claim they didn't understand what they were voting for would have a hard time complaining if it was printed in bold on their vote.
Live today, because you never know what tomorrow brings
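The audit proposed in the comment above (per-vote signed lines, then a random sample checked against the paper slips), sketched as an added example that is not part of the original post. HMAC-SHA256 with constructed per-machine keys stands in for the digital signature (a real deployment would need a public-key signature so auditors hold no secret); the record layout, keys and function names are assumptions.

```python
import hashlib
import hmac
import random

# Constructed demo keys; assumption: every voting machine holds its own key.
MACHINE_KEYS = {2342343: b"constructed-key-A", 2342344: b"constructed-key-B"}


def tag(machine_id, vote_id, option):
    """HMAC-SHA256 over the record line; a stand-in for a real signature."""
    line = f"Machine {machine_id} - Vote {vote_id} - Option {option}"
    key = MACHINE_KEYS[machine_id]
    return hmac.new(key, line.encode(), hashlib.sha256).hexdigest()


def cast(machine_id, vote_id, option):
    """One vote record: what is printed on paper and stored electronically."""
    return {"option": option, "sig": tag(machine_id, vote_id, option)}


def tag_ok(key, rec):
    """Recompute the tag for (machine, vote, option) and compare in constant time."""
    machine_id, vote_id = key
    return hmac.compare_digest(rec["sig"], tag(machine_id, vote_id, rec["option"]))


def audit(paper, electronic, sample_size, rng=None):
    """Compare a random sample of record IDs across paper and electronic stores.

    Sampling from the union of IDs also covers records present on one side only.
    Returns a list of (key, reason) for every sampled discrepancy.
    """
    rng = rng or random.Random()
    keys = sorted(set(paper) | set(electronic))
    problems = []
    for key in rng.sample(keys, min(sample_size, len(keys))):
        p, e = paper.get(key), electronic.get(key)
        if p is None:
            problems.append((key, "electronic record has no paper slip"))
        elif e is None:
            problems.append((key, "paper slip missing from electronic count"))
        elif not tag_ok(key, p):
            problems.append((key, "paper slip fails verification"))
        elif not tag_ok(key, e):
            problems.append((key, "electronic record fails verification"))
        elif p["option"] != e["option"]:
            problems.append((key, "option differs between paper and count"))
    return problems


def detection_probability(total, altered, sample_size):
    """Chance that a sample drawn without replacement hits >= 1 altered vote."""
    miss = 1.0
    for i in range(min(sample_size, total)):
        miss *= (total - altered - i) / (total - i)
    return 1.0 - miss


def build_demo():
    """Constructed election: 200 votes on two machines, then three tamperings."""
    rng = random.Random(7)
    paper = {}
    for n in range(200):
        machine_id = 2342343 if n % 2 == 0 else 2342344
        paper[(machine_id, n)] = cast(machine_id, n, rng.randint(1, 5))
    electronic = {k: dict(v) for k, v in paper.items()}
    # 1) Option changed but old tag kept: the tag check fails.
    electronic[(2342343, 0)]["option"] = electronic[(2342343, 0)]["option"] % 5 + 1
    # 2) Compromised machine re-tags the changed vote: only the paper slip exposes it.
    changed = electronic[(2342344, 1)]["option"] % 5 + 1
    electronic[(2342344, 1)] = cast(2342344, 1, changed)
    # 3) Stuffed electronic vote with no paper slip behind it.
    electronic[(2342343, 9999)] = cast(2342343, 9999, 5)
    return paper, electronic


if __name__ == "__main__":
    paper, electronic = build_demo()
    for key, reason in audit(paper, electronic, sample_size=len(electronic)):
        print(key, reason)
    # 100 million votes, 0.1% altered, 3000 sampled
    print(round(detection_probability(100_000_000, 100_000, 3000), 4))
```

With 0.1% of 100 million votes altered, a 3000-vote sample catches at least one about 95% of the time; the sample size needed grows as the altered fraction shrinks.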
Is this a trivial extension to the protocol, or something that just isn't possible? Multiple party elections aren't that unusual!
...which is exactly why it'll never be used. Takes all the fun out of a national election if you can't fake it anymore, doesn't it?
Assorted stuff I do sometimes: Lemuria.org
It's easy, let's go all the way to internet democracy and use data replication to ensure verifiability.
You add PGP signatures to votes, P2P servers to disseminate them, and electoral lists to calculate results.
It's so easy and straightforward, that you could rely on a general consensus in order to obtain results, and everybody can participate in it!
Of course there is one problem with it: votes can technically be bought.
But you get quite some advantages, you can vote from anywhere, anytime, on anything! Direct democracy at last.
The project I'm working on, aimed at just that => http://leparlement.org/security
I'm kind of lazy, not an American and haven't looked but before but how long did it take to count votes in the states before the electronic voting took place. Granted that electronic voting may take less time in some cases, but a lot of people seem to be either afraid of it or untrusting of it. The point that I'm leading into is the election of George Bush Jr. in his first term. I remember Canada (which does have a lower population than the US) having their results in their Prime minister election long before the Americans had their President decided (excluding absentee ballots). If I recall this had to do with a bung up of Florida which I believe was using electronic voting in some regions at the time. I can't recall now but were some of the slow downs because of the electronic voting or were they just with manual recounting of the votes themselves?
Yes it could be done, but change is difficult! And changing something like ballot order would require an act of the State Legislature which is not a given. They are going to come up with all types of reasons not to randomize. So, it's not a technical problem, it's a political problem.
Whilst from a cryptographic point of view this is rather interesting, I have a couple of serious doubts as to how well this kind of system might work in practice:
1. What happens if candidates claim the system is flawed? You can't conduct a recount in a crypto system such as this (and get a different answer) so in effect if someone manages to contest the election, it's now void.
2. The audit is based on a statistical sampling of the ballots (IIRC checking the link between the candidate list and the voting receipt is correct) -- in no way is the actual counting audited. This means that the outcome of an election is based on someone pushing a button and a *machine* spewing out a total.
You simply cannot conduct a manual recount (you go and try to decrypt these numbers by hand!). In a perfect world the counting algorithm is ideal and doesn't make mistakes and is provable, in the real world the algorithm doing the counting might not be the same as the one in the perfect world... And the best you can do is get an expert to review the counting software, hardly an open and accountable process where anyone can volunteer...
Not only is it quick enough. If you hired temp workers to do it, the cost compared to what you pay in taxes would be absolutely irrelevant. 3 seconds of labor at what hourly rate?
One problem with adding more accountability and verifiability is you reduce the anonymity. Just because your name isn't on the half of the ballot you carry home doesn't mean someone couldn't figure out it was yours if they took it from you. The problem with this is that it invites employers to demand of their employees, "Vote for X, and bring me your receipt, or you're fired." If you can use your ticket to verify your vote, so can someone else.
I swear, the more technology people try to think about voting the worse their ideas.
" You take half home and can verify later via a Web interface how your particular ballot was counted. "
All this verifies is how the vote was cast. Not how it was counted. Besides that, how does this benefit anybody? Ok, so you know you voted for A, even though B won. So what? What good is it.
As long as the votes are stored in a computer, they can be easily manipulated at various points in the chain. Sure digital data can be very secure. In banking we make sure everything adds up correctly. But that's because if it's not, you are going to get a phone call from one of the two people involved in the transaction. "Why is there $600 less in my checking account?"
But there's no way to get that kind of verification with voting, because the net result of your one vote is nothing. It's when it is taken in aggregate. So what are you expecting? 300,000 people show up at the election offices with their ballot stubs proving they voted for A? Doubt it.
Call me a luddite, but paper is the answer. The only reason technology comes up is because we can count ballots faster, but you know what? I don't give a shit about speed. I care about being able to monitor the whole process.
So, if the people running the election can be given a copy of your receipt, because they're in cahoots with the union bosses who forced you to hand over your receipt, then your vote can be revealed.
Also, there is another way the anonymity of the vote can be compromised: If the people in charge "accidentally" reveal both halves of one of the mapping tables. That would effectively reveal all of the votes. Anyone who can find out your ballot number can find out how you voted.
This is a very clever system, and I think it could be highly secure, but very careful oversight of the election officials is required. I haven't yet had time to read the paper to see if Chaum's team has addressed mechanisms for ensuring the oversight requirements. There may be a way to ensure that any malfeasance by the officials could be detected by any of several mutually antagonistic oversight parties (i.e. the candidates) without giving those oversight parties any ability to alter or compromise the votes. If so, and if the system can be extended to more complex ballots (which I see Chaum claims it can), then it is a truly perfect system.
If not, then I still think this may be the best system yet proposed, but it requires careful analysis to determine exactly what sort of oversight is required, and how we can ensure that it is performed correctly.
The advantage of traditional, anonymous paper ballots is that the oversight requirements are well-understood, very easy to implement and provide the overseeing parties with no opportunity to modify the ballots cast or the counting process.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Why all this focus on the technology of voting, when voting is completely flawed before you ever enter the voting booth. With bans on political advertising, restricting ballots to only two parties, and limits on fundraising that only affect third parties, the vote is illegit even if ballots are counted with 100% accuracy.
If I am not allowed to vote for the party or candidate that I want, and am forced to vote for only one of two virtually identical political parties, does it really matter if the vote is 100% accurate? If Cuba determines that 98.554% of people vote for Castro, as opposed to 100%, does it really matter when it is a one party system? The U.S. system is only marginally better, in that it has two virtually identical parties instead of one party.
I know people are caught up in the Republican-Democrat sports rivalry mentality, but who really cares if one of those parties steals the election from the other party? It is not like people could choose a candidate in a fair election anyway!
They still fail to account for the fact that the only thing that does the counting is the computer. Computers are programmed by humans. Humans with an interest in committing fraud.
The only way to check that the computer did not change the order of YOUR ballot AFTER you voted is by publishing the database and checking the actually USED ballots instead of the unused ones.
The database can match your ballot-id to your vote so that can not be published.
Computers can not be trusted. Any voting scheme that has a step that is only done in the computer is therefore flawed until a way is invented that allows us to verify the software that is actually running on the computer, while it is running.
Paper ballots CAN be counted by hand. They can be counted by an automatic counting machine, but they still CAN be counted by hand... As a check...
Is organizing elections really a responsibility of the state? Why not just average the outcomes of randomly selected opinion polls?
I don't understand how 'verifying' your vote online can do anything useful. Look at it this way: We have 1,000,000 people who cast their votes 50/50 for Bob and Dick. They all check them online and they all are correct. What's to stop me from tallying the votes wrong and reporting something like 57/43? The technology is not the issue here. The issue is that private companies with monied interests are secretly going about building these systems. You cannot observe, analyze or audit the software, hardware, practices or workings independently--legally or practically. Elections have been rigged for a long time in various ways (see the re-election rates for a shocker), but now it's out in the open for all to see. Unless these secret systems and practices become open and able to be examined, expect the voter turnout to become meaningless whereupon elections will be quietly abolished. They will become nothing more than the 99% of the vote charades that Saddam was getting with a western 51/49 twist. I don't know how to release the death-grip that corporations have on congress, but I do know that if nothing is done, people will be forced to start caring.
"You're everywhere. You're omnivorous."
Not sure about that, but I still have mod points that should have expired a while ago: You have moderator access and 2 points (expire on 2006-10-27).
-IOVAR Web Dev Platform
First, SERIOUSLY read the FAQ. Please.
Next, you can prove to YOURSELF that your vote was cast as intended and recorded as cast. You can prove to yourself and anyone else that your vote was (or wasn't) counted as recorded. You ABSOLUTELY CANNOT prove to anyone else the VALUE of your vote (i.e: who you voted for.)
Third, yes we know that the people at the top don't want a verifiable system. This has to come from the bottom up. Fortunately, it is largely local governments who are responsible for the purchase and use of voting equipment. Since this technology is out here, you should DEMAND it from your government. You should NOT accept unverifiable elections anymore.
Feel free to ask me questions, by the way.
It is you who don't get it. Yes, you can randomize choices and verify that you voted A, B, B, A. Now, do you remember what exactly A, B, B, A was on your ballot? No. If you can look it up - anybody can. If you can't look it up - what's the point of verifying that it is A, B, B, A in the first place?
I'm replying to myself to explain what I think is an interesting bit of math related to this. Chaum's paper assumes that 50% of the ballot commitments will be verified, which is a lot of work and requires that double the number of required ballots be printed. That's fine for expository purposes, but in practice you don't need to verify nearly that many.
To see how many you do need to verify (and therefore how many extras you need to print), we have to make some assumptions.
First, we have to estimate how many bad ballots are required to change an election result, because we don't really care if there are a tiny number of bad ballots that don't actually result in a change in the outcome. Express this number as a ratio and call it b. So if modifying 0.1% of the ballots could change a race, b=0.001.
Second, we have to pick a desired level of confidence in the results. This basically boils down to an estimate of the crook's risk tolerance. If you think an official would be okay with a 50/50 chance -- 50% of the time he throws the election, 50% of the time he goes to prison without affecting the election, then a 50% confidence is fine. Just to be conservative, I'd pick a 99% confidence level, meaning the crook has a 1% chance of succeeding and a 99% chance of being caught, though in practice a 10% confidence level is probably good enough, assuming you pick suitably risk-averse people as officials. Whatever it is, call the desired confidence c. So I'd pick c=0.99, implying I consider (1-c)=1% of the closest elections being wrong as acceptable.
Call the number of ballots verified n. What are the odds that none of the bad ballots are detected in n verifications? Restated, what is the probability that all of the n ballots are good? The probability that a selected ballot is good is (1-b), so the probability that all n are good is (1-b)^n.
So, what we want is to find a value of n such that:
(1 - b)^n <= 1 - c
In words, we want to find n such that probability of a bad ballot slipping through unnoticed is less than or equal to our "acceptable" election failure rate.
Solving for n:
(1 - b)^n <= 1 - c
n ln (1 - b) <= ln (1 - c)
n >= (ln (1 - c))/(ln (1 - b))
One small discrepancy in this calculation is that b is the percentage of ballots to be cast (not verified) which are bad, and these inequalities assume that b is the percentage of printed ballots (which includes verified and castable ballots). That's not too hard to correct for, but gets much messier. I'm not sure there's a closed-form solution.
So, plug in some numbers. Assume that one million ballots are cast, and it's considered possible that the closest race will be decided by, say, 100 votes, or 0.01% of the ballots. Using my choice of c=.99:
n >= ln (1-0.99) / ln (1-0.0001) = ln 0.01 / ln 0.9999 = 46,049.4
So, for such an election, we really only need to print 1,046,050 ballots and the candidates only need to randomly verify 46,050 of them. A 10% confidence level would require only 1,054 to be verified. Well, due to the discrepancy noted above, you need slightly higher numbers, but not much.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
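The sample-size calculation from the comment above, as an added example that is not part of the original post. It goes one step beyond the comment by also solving the "discrepancy" case exactly: `cast + audited` ballots are printed, the audit set is drawn uniformly without replacement, and cheating needs a fixed number of bad ballots. The function names and that audit model are assumptions of this sketch.

```python
import math


def audits_needed_formula(b: float, c: float) -> int:
    """The comment's bound: smallest integer n with (1 - b)^n <= 1 - c."""
    if not (0.0 < b < 1.0 and 0.0 < c < 1.0):
        raise ValueError("b and c must lie strictly between 0 and 1")
    # ln(1 - b) is negative, so dividing flips the inequality to n >= ...
    return math.ceil(math.log(1.0 - c) / math.log(1.0 - b))


def miss_probability(cast: int, bad: int, audited: int) -> float:
    """Chance that a random audit of `audited` ballots contains no bad one.

    Assumed model: T = cast + audited ballots are printed, `bad` of them are
    bad, and the audit set is drawn without replacement. The chance is
    C(T - bad, audited) / C(T, audited), which simplifies to
    prod_{i < bad} (cast - i) / (cast + audited - i).
    """
    if cast < 1 or bad < 0 or audited < 0:
        raise ValueError("cast must be >= 1; bad and audited must be >= 0")
    if bad > cast:
        # More bad ballots than unaudited ones: at least one is always audited.
        return 0.0 if audited > 0 else 1.0
    # Sum logs instead of multiplying to stay accurate for large `bad`.
    log_p = sum(
        math.log(cast - i) - math.log(cast + audited - i) for i in range(bad)
    )
    return math.exp(log_p)


def audits_needed_exact(cast: int, bad: int, c: float) -> int:
    """Smallest audit size whose miss probability is at most 1 - c."""
    if bad < 1 or not (0.0 < c < 1.0):
        raise ValueError("need bad >= 1 and 0 < c < 1")
    target = 1.0 - c
    # miss_probability falls as the audit grows, so bracket, then bisect.
    lo, hi = 0, 1  # invariant: miss(lo) > target
    while miss_probability(cast, bad, hi) > target:
        lo, hi = hi, hi * 2
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if miss_probability(cast, bad, mid) <= target:
            hi = mid
        else:
            lo = mid
    return hi


if __name__ == "__main__":
    cast, bad = 1_000_000, 100  # the comment's numbers: b = 0.01% of ballots
    b = bad / cast
    for c in (0.99, 0.10):
        n_formula = audits_needed_formula(b, c)
        n_exact = audits_needed_exact(cast, bad, c)
        print(
            f"c={c:.2f}: formula n={n_formula:,}, exact n={n_exact:,}, "
            f"print {cast + n_exact:,} ballots, "
            f"miss chance {miss_probability(cast, bad, n_exact):.5f}"
        )
```

The exact figure comes out above the formula's because the bad ballots are a smaller fraction of the printed pool than of the cast ballots, so each audited ballot is slightly less likely to hit one.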
Governments don't have GDP's countries do. The Government doesn't produce 11 trillion dollars in product. Gee "Gross Domestic Product" doesn't say anything about government
Finally a system that is reassuring! Surely other parts of the world will try this method?
As long as the votes are stored in a computer, they can be easily manipulated at various points in the chain. Sure digital data can be very secure. In banking we make sure everything adds up correctly. But that's because if it's not, you are going to get a phone call from one of the two people involved in the transaction. "Why is there $600 less in my checking account?"
Actually, they can't be modified without invalidating the commitments generated *before* the election. As far as I can tell the commitments are secure HMACs (keyed hashes) of the initial data tables before the election to ensure that the permutation for the top and bottom ballot pieces are not changed afterward. The only place where data manipulation can occur is at the point where the voter chooses P3 in the system. If this value is recorded incorrectly, it must be detected by the voter looking the vote up online. The key insight is that with each additional voter checking his or her result online, the probability of being able to change a vote undetected drops exponentially, eventually becoming zero if more voters check their vote than n-k, where n is the total number of voters and k is the number of modified votes.
http://theory.csail.mit.edu/~rivest/Rivest-TheThreeBallotVotingSystem.pdf
Rivest, the R of RSA, came out with this a couple months ago. I think he covered pretty much all the attacks on an election. I need to think about this punchscan thing some more, but it feels like it's missing something.
Start Running Better Polls
I've written up a simplified FAQ to address the first questions everyone has about this scheme (I work on cryptographic voting, but not on PunchScan specifically.)
http://benlog.com/articles/2006/11/06/the-punchscan-faq-revisited/
I haven't RTFA, does it include security against fraudulent claim of fraud?
Say in a close race one candidate lost by a small margin. Some of his supporters can easily alter their receipts to claim that the election is rigged. This is not just a possibility, it is bound to happen.
My Mailclad scheme that uses unbreakable random numbers already does this, but THIS was the very reason many critics have shot it down.
Apparently one of the requirements critics have said is that you should not be able to show or prove who you voted for.
The argument goes that an employer or union or organization, might demand to see who you voted for, and pressure people to vote one way or another.
Yes I know, the Mailclad algorithm hasn't been open to the public.
Anyhow at this point I have decided to opensource and publish everything for the MailClad scheme on the site soon.
It had become very apparent, that Voting machine companies are not interested in low cost, hacker proof schemes.
So any hope for adoption is going to be by opening it on sourceforge.
John
I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso
Do you have a cite for that? I had never heard that before. And is this a federal law, or state?
Glad you asked. I thought it was a federal law so I googled. While I didn't find a reference to a federal law that required employers to give time off to employees so they can vote, I did find this that states that 30 states have such laws:
The good news is that while there are many things that could go wrong that is out of our control this Election Day, this is a problem that ordinary citizens can fix. Thirty states have laws giving workers the right to take time off to vote. For example, Illinois voters are entitled to two hours leave, Minnesota voters can take election morning off to vote, and Ohio voters cannot be fired or penalized for taking a reasonable amount of time off to vote. But to take time off to vote, many states require voters to notify their employers in advance. West Virginia requires three days notice in writing, California requires two days notice and voters in Illinois and Wisconsin must apply for leave at some point before Election Day.
Falcon
Should there be a Law?
Hmm... an ink-and-paper system that employs destroying one copy of the ballot and assuring me that my copy doesn't prove a thing?
The guys at Enron would have loved this approach.
Aside from the high-school-quality demonstration, (nice handwriting... NOT) the guys have a point; a system based on forensic-reliable data (ink on paper) that can be machine-readable and provides a "receipt" to the voter for verification at a later time.
The idea of splitting the form, where only the two "layers" of the ballot together provide an indication of the actual vote, is a quality idea. Encrypted links for ballot-to-voter data? Brilliant. It's already out there and its name is PGP. It's already open-source and it's well established. (the "serial number" is also a no-brainer, use my SSN) None of that addresses the issue of how our votes are physically counted.
Despite the elegance of the concept and the seemingly extensive explanations in the FAQ, it's apparent they didn't think this through. The evidence is right there in the first question.
So... does "briefly" mean the-following-statement-shall-employ-brevity, or does it modify the "yes!" answer? To wit, did they just tell us that we DO have to trust in a black-box system, but only for a brief moment? I think the Diebold study at Princeton proved to all of us that it doesn't take that long for our collective trust to be betrayed.
Also from the FAQ...
Is that so? If the one half of the ballot, the "key" that can indicate the vote, is destroyed, how can the results be re-tallied? As I see it, any "deliberate cheating" would taint the count, the ballot's "shredded half" already eliminates any possibility of a re-count, and a re-vote (or concession/state-arbitration) is eminently necessary. This answer is bogus.
While we're at it, where is the demonstration of this "transparent" software and hardware? I can tell you this, if any part of the system relies on electronic storage to present ballot items or candidates to the voter, it is susceptible to fraud. (my emphasis)
In this context, the definition of "transparent" would have to be thus:
An apparatus that, in its full and complete capacity...
Add to this the idea that each "receipt" will consist of forensic marking, indicating the individual ballot choices, and encrypted to the individual voter by a unique geometric shape. (the cut-out on the top "layer" of the ballot) If you're wondering which shapes to use... I suggest a 4x4 square grid with specific patterns cut-out... think "Tetris". Consider the variations in those shapes, multiplied by the number of items and candidates on any particular ballot, and you have a sufficiently encrypted system.
If we want to take this to the next level, (i.e., to address the potential for corruption within the various Election Committees) we would take a page from our god-fearing Founding Fathers. A sort of "tribunal" of authenticity.
Voting machines would NOT come from just one maker. The "core" of the voting machine would include components from no-less-than three technology ma
This post © Copyrite Duggeek, all rights reversed.
and
Notice the difference between these two. They are both individual decisions, but one was just a poor choice of words (Diebold's comments). Yet, and ironically, you give more credence to the Diebold comment when nothing was actually done.
Regarding the big thing that is happening is the liberalization of voting rules.
From the opinion piece:
Ed Barbar, President and General Manager, Furnit USA
Officials there purged tens of thousands of eligible voters from the rolls, neglected to process registration cards generated by Democratic voter drives, shortchanged Democratic precincts when they allocated voting machines and illegally derailed a recount that could have given Kerry the presidency.
Oh, and the situation with the Diebold CEO wasn't a poor choice of words in the sense that he mis-worded his statement. Even Diebold went on record saying, "our CEO lets his personal beliefs influence his business decisions", and apologized.
So given all of those facts, how can you possibly rule out any wrongdoing? What you do know that nobody else does? And where do you get enough nerve to suggest that two attempts to influence no more than 30 or 40 votes is a bigger problem than the 350,000 voters who were denied in Ohio? And I'm the "wacko"?
Choosing to turn a blind eye to certain facts and/or events doesn't mean they didn't happen. Notice how I fully acknowledge the two incidents you mentioned - be a man and do the same.
If by consistent within ballot you mean, for example, Republican is always the third choice listed (let's say), then that degrades the security of the ballot. If someone knows the position of even one Republican candidate on your ballot, then they can deduce the remainder of the ballot (at least as far as Republicans are concerned--so they know, by looking at your receipt, when you did or did not vote Republican).
But, it remains the case that even with an internally consistent ballot you will have selections such as...
Choice List:
Democrat Candidate
Libertarian Candidate
Republican Candidate
Socialist Candidate
Response List:
Libertarian Republican Democrat Socialist
By nature of the design, there must be a disconnect between the ordering of the choices and the ordering of the responses. This is one of the obscuring factors. Even if this odd mapping is kept consistent within ballot, it is inherently effortful and non-intuitive and certainly will produce errors. So, the system can guarantee votes were "counted-as-cast" but votes are a lot less likely to be "cast-as-intended."
The voters of Ohio delivered Ohio to George Bush. What an amazingly sore loser you are.
Ed Barbar, President and General Manager, Furnit USA
Like I said, I wish I lived in the fantasy world you call 'reality'.. but then again, does a caged animal have a good life, assuming it's never experienced life outside the cage? Nope (but the animal doesn't know that).
Have fun in your cage.
One would assume that if ballots are randomized, they do not know "the position of even one Republican candidate." What you're saying here is, if they know something about the order of the ballot, they can deduce the order of the ballot. Wow, nice insight. The whole point is that the order is randomized. If it's randomized between ballots, I don't see how they could know anything about the vote on that particular ballot. All they would see, if the person votes consistently for the same party, is, "A A A A", or "B B B B". They still have no idea what that means, and thus can't see whether they voted Republican or Democrat or whatever. All they know is that the person voted for the same party in each section.
So... maybe I just don't understand your point.
Cryptography is not one of my fields of study, nor is computer engineering. Now, you take John Q. Public who can do email and some web surfing, and try to explain cryptography and electronic auditing and hacking, etc. Chances are they won't understand this whole process either.
And that, my friend, is where the problem lies. The process of casting and tabulating votes MUST be as transparent as possible. Your point about auditing software:
Tell that to the auto mechanic at the corner service station. "Hey Jack, you want to make sure your vote was counted right? Go take some classes at the community college before the next election!"
It should not take a math degree or experience in cryptography to be able to verify the vote. For the love of all that is good, we're simply counting votes here, it's a very easy process to do with a minimum of overhead. Excruciatingly important that it is done correctly, but so incredibly easy to do at the same time. I, or any member of the public, should be able to watch the counting process and not have any question whatsoever about the choice made on each and every ballot.
You make a true statement. That is why there are observers who watch the counting taking place, one from each party to prevent this sort of thing. Each observer is there to prevent these mistakes. You have, in essence, three people counting one ballot. A representative from each party cannot watch a machine count the votes, hell NOBODY can watch the machine count the votes. It's all bits inside a sealed box.
Like I said, I read the site, and couldn't figure it out. Maybe if I read it again and studied it, I might grasp it. But for counting votes, is this much complexity really needed?
Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
What a wonderful election! Two more years and we won't have to deal with ANY Republicans with any sort of power.. can't wait. Unless, of course, they rig the election again..
So the bottom half would be the same for everybody, a completely empty sheet, maybe with some markers on them for lining up the sheets.
It would just become very important to destroy the correct half, or everybody could see your vote. And you know people are going to mess that up
You want to list the candidates on the wall, with numbers, then on the ballot link the number to another number, and list those last ones in the holes?
That's a mistake waiting to happen, lots of people are not very good with numbers. If you don't bring in that second set of numbers, one of the two halves will be the same for everybody. If you print the numbers next to the holes all bottom halves would be the same, if you print the numbers in the holes, the top-halfs would be the same.
So the bottom half would be the same for everybody, a completely empty sheet
No, the bottom half would have numbers (or letters, or whatever symbols you like), shifted.
It would just become very important to destroy the correct half, or everybody could see your vote.
Doh! You're absolutely right. Scratch that idea, it was stupid.
You want to list the candidates on the wall, with numbers, then on the ballot link the number to another number, and list those last ones in the holes?
No, I didn't mean to add a second set of numbers that the voter would have to care about.
Still, my suggestion wouldn't work. The approach defined by the paper is the right one... each ballot with a list of candidates' names and a number by each, then a corresponding number in the hole (on the bottom sheet). And perhaps letters would be better. A two-letter code would be enough for all 275 candidates, and might be easier for people than numbers.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
What, the Dems didn't rig this election with their press buddies? Come on, they don't actually stand for anything.
Ed Barbar, President and General Manager, Furnit USA
News flash: if the press misreports the result of an election, it doesn't actually change the result. It just means that people are misinformed for a short period of time.
The press isn't capable of "rigging" an election unless they use the same method the Republicans use.