Slashdot Mirror
Verifiable Elections Via Cryptography
An anonymous reader writes, "Cryptographer David Chaum and his research team have invented a new voting protocol which allows voters to verify that their vote has been correctly cast and counted. This is enabled using a surprisingly low-tech technique of cryptographic secret sharing. The secret — your marked ballot — is split into two halves using a hole punch" You take half home and can verify later via a Web interface how your particular ballot was counted.
All employees are required to vote for the boss' favourite party, bring receipts on Monday or find a new job.
How we know is more important than what we know.
This is exactly the kind of thing that is necessary for a verifiable and secure system, the toughest part will be winning-over the public though.
There should be a moderation category "Dumbest Comment EVER"
$500? Sorry bud, if you want to keep your job, you will vote the way that the company tells you to.
Exactly. Voter-verifiable voting is not the issue. Ideally, you want to be able to verify your vote but not prove your verified result to a third party. This is a very difficult problem, and I don't know of any solutions.
I am TheRaven on Soylent News
Ill bring my lawyer instead, i think ill looking into expensive homes with beutyful senery.
Okay, I've watched the video and read the article.
I still don't understand it. Why does their video have two different types of hand writing on it? Is the voter supposed to write in all the options when s/he votes?
What's to stop someone from getting a copy of the form and threatening you unless you vote the way they want you to? Unless every form is different (is this the part why the hand writing is different?), any attempt to match the vote online can be used to verify that you voted the way you were told to.
It would be interesting to come up with a receipt system that could be used to prove that you voted for whoever you wanted to prove you voted for. For instance, a square card, rotate it 90 degrees and you voted Democratic instead of Republican, or flip it upside down and rotate 180 for third party. As long as you remember which way was up, you'd be able to figure out who you voted for.
Of course, using such a system where the machine gives candidate A 100000 votes and candidate B -5000 votes doesn't help much, since they'll claim you've rotated your vote 90 degrees and cast an imaginary ballot.
If I have been able to see further than others, it is because I bought a pair of binoculars.
You are of course correct in principle, but not necessarily for this method. It seems to allow the ballots to be mixed so that picking the first choice on one is not the same as the first choice on another. The vote-buyer will never know how you voted. (Watch the flash movie at the link.) However, this presents a problem just as bad as you describe... the non-secret ballot. The vote counting people now know how you voted. Well, they would if they tracked the ID number that you keep. That's unacceptable.
--
dman123 forever!
Filtering out the -1s and 0s since 1999.
The solution is to physically see your physical vote dropping into a one-way tamper-proof container.
What's worse:
Votes that may be bought, but if the buyer is successful enough to sway an election, it's completely obvious to all parties involved?
Or, votes that may be electronically flipped, without anyone even knowing it happened?
Actually, I'd like to be able to verify my vote. And if it's made into federal law that it's illegal to force anyone to show their vote, I think 99% of people would be safe. That margin of error is much better than what we have now. I don't get why people, when looking to upgrade from a severely flawed system, think that only an upgrade that is 100% perfect would suffice.
Actualy if we all went and RTFA first, we would see that they have solved the problem. You can't prove how you voted to someone who didn't see the other half of the ballot you voted with.
I will sell my vote for $100. Lets just me more direct with this political corruption :D
Verifying a single vote was never the problem. Verifying the vote is. In the US, at least.
Yeah, I haven't RTFA but it sure sounds like snakeoil. You can't have a scheme which allows each individual to verify their vote and do so in a way which doesn't allow them to prove how they voted (and thus sell their vote).
But one could imagine more robust schemes which allow voters to verify the total tally of the vote without allowing any individual to prove how they voted. But I seem to remember that it has actually been proven that even this is impossible. Or perhaps it is just believed to be inpossilbe (to have a voting scheme which is both verifyable and secure from vote selling). Anyone have a reference or know more?
Deconstruct the State
By the way, why are so few posts getting modded up the last couple of days? In the article about melting arctic ice only 7 out of 250 posts got modded above the noise of the +2 posts and only 2 got modded to +4 or 5.
Unless the voter is expected to write in the various options (that's stupid), or the ballot forms are randomly generated (that's expensive), it would be easy for anyone who voted to check whether your receipt matched his/her's.
Unfortunately, from the video, I cannot tell which approach they are advocating.
Funny yes. But he has a good point. The point of not being able to verify your ballot after submission is to prevent vote-mongering. Besides which, what do I do if I discover I voted wrong? Nothing. What if mine was counted wrong? (don't know how that works, more privacy invasion I imagine) I suppose I could call and ask for a recount (2000 anyone?) but, they can't even verify that mine was the one counted wrong. Verify with extremely high assurance that all votes were counted properly Really pointless and dangerous if you ask me.
It looks like the receipt cannot be used to prove which candidates were selected. The only thing that is verified is that the vote was not changed after the vote is submitted, sort of like a fingerprint of the ballot instead of a simple copy, but I haven't read the details yet. http://punchscan.org/faq-general.php#1
Here's how it works:
Top sheet of paper says, "Do you want A. The Simpleton B. The Communist", but on the next ballot they are reversed, e.g. "Do you want B. The Simpleton A. The Communist"
The bottom sheet just has the options "A or B" you mark one and keep the bottom half that just shows you voted for 'B'. No one is going to pay you/beat you up for voting for an arbitrary letter.
You can then go home and lookup your ID number and it will show you the bottom half, again confirming that you voted for 'B'. But, only you (and the machine) know who 'B' was.
http://video.google.com/videoplay?docid=-723679120 7107726851&q=hacking+democracy
How about a hash on the selections in combination with a passphrase.
Sorta PGP/GPG signed and encrypted.
You are being MICROattacked, from various angles, in a SOFT manner.
From the article. In the middle of the only fucking paragraph on the page:
Wrong, your employer could visit the site. Don't say "you could have the page disappear after one visit," because then your boss will say you can't check the site.
I'll sell my vote for $500, you can even verify it with this hole thingy.
.pdf on it that explains how it works better than I can...particularly because I'm still trying to wrap my head around it.
The slideshow is a little opaque, but the concept is you can't. The only way you can tell how the voter voted is by having both pieces of paper. (Look closer at the paper being shredded. While there is a mark on it, it was the piece of paper the voter kept that indicated whether that mark was for A or B.)
Their website has a
Buy Steampunk Clothing Online!
Says on my Social Security Card that the card is not to be used for ID purposes, yet I am forced to show it to register a car in Ohio.
(No, additional ID will not suffice according to the Batavia, Ohio BMV)
Just because something is illegal does not stop it from being abused on a large level.
Or are you not from the USA? That might explain you missing the last 6 years here.
There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order- Ed Howdershelt Via Tass
I dunno about Leftpondia, but us UKians have had unsecret "secret" ballots for decades. Every ballot paper has a serial code written on it, and when you turn up to vote, they write that serial code beside your name in a ledger and hand you your ballot paper. There have been reports by vote counters, going back 60 years now, of Special Branch officers (our secret political police AND the people who look into electoral fraud) removing the boxes of left wing candidates for further examination. They then have 6 months to match the names with the ballot papers and hand the data to MI5 or whoever, before the ballots are destroyed.
Strangely enough, the Nazi party used to hold referenda with the same tactic. However, the Nazis were circumspect enough to put THEIR serial numbers in invisible ink (who'd have thought the Gestapo were more subtle than the British police force?), and the consequences of voting wrong were more severe (i.e. being hauled off to concentration camps instead of mysteriously "losing" your government job).
If you're talking about a vote in the US elections, you have severely overpriced it.
No no, what is better:
Vote, and get stuck with a bad government for four years, or
Get paid to vote, and get stuck with a bad government for four years
Virtual Betting on Facebook for non-geeks.
You can have a system where a person can verify their vote, but not prove to a third party that they voted a particular way. Consider... each ballot has a sequential number on it. The voter remembers (or writes down) this number when they vote. Later they can look up their ballot and see that it was tallied correctly.
Since the valid ballot numbers are known you could just sift through for a ballot and claim it is yours if you want to collect your voting selling payment, but then the vote buyers would know that and it would be no proof at all.
The problem is, that if your vote was not tallied correctly then you have no way of proving that either. You can claim ballot 3939 should have voted for candidate XYZ, but then anyone could do that. That limits its usefulness as fraud countermeasure.
A nice side effect, anyone can check the count by just checking all the ballots and adding them up for themselves.
The more I think about this, the better I like it. It allows "the people" to audit the election for accuracy. Anyone can get together a body of voters and check for problems.
On the other hand. People are dicks and I'm sure some of them would pick opposition ballots, claim them as their own and claim they were misread.
It is also so simple that anyone with a scantron type system could do it and there would not be room for massive profits so no one will lobby the local election offices and it would never be deployed.
I appear to have a case of election grumpiness already.
2. Don't paper receipts and online checking facilitate vote selling or coercion of voters?
No. Whichever of the two sheets of a Punchscan ballot form--top or bottom-the voter keeps as a receipt, it does not reveal the votes: the top sheet does not reveal what letters were visible through the holes in it; and the bottom sheet does not reveal which letter was next to which candidate name on the top sheet. What is displayed online is just a copy of the receipt the voter keeps. Thus, short of illegally making a photograph in the booth, there is no way for voters to convince others of who they voted for.
http://punchscan.org/faq-general.php#1
That's retarded. If it can be done, someone will do it.
Trust me, you are far better off with a system where "they" can't know that you didn't vote against them. They may still break your legs anyhow, but they'll never know how you voted.
BTW, I think breaking your legs is against the law too. Lots of things are against the law.
Laws solve no problems. Laws only provide the means to legally punish offenders, if they are caught.
This issue is a bit more complicated than you think.
But then you can't verify that your vote was counted for the correct candidate, making the entire idea pointless. You can't have a secret ballot with verification, its just not possible.
I still have more fans than freaks. WTF is wrong with you people?
Many people here have pointed out the uselessness of this method, not to add the
social pressures it may cause in communities or groups where things have a
to happen a certain way if you know what I mean...
To add to that I can see no place where cryptography is used other than possibly
trying to determine the probability that on any particular ballot card Party A
was on the right or the left, thats just simple probability theory nothing else.
Arash Partow's Philosophy: Be a person who knows what they don't know, and not a person who doesn't know.
I'll post without reading the article, reading the FAQ, or viewing the sample video; you can even verify it by my stupid comment.
RTFA.
...and the person that reverse engineers/has access to and leaks the random number generator/sequence.
I'm not sure whether that's an acceptable risk or not. I've been an election judge, I'm not sure I would trust the system not to have leaks...I certainly had enough access that I could have take such a sequence had it been used. Whomever has access to the ballots before the voters use them, can write down the mapping.
Tharkban (It is a signature after all)
Maybe you should RTFA. The receipt can't be used to prove your vote to a third party.
Like counting people barred from voting as part of the population in redistricting calculations isn't cheating? Or imposing burdensome ID requirements? Or barring people from voting on the basis of *similar* names to those of felons? Or changing the distribution of voting booths to make your supporters able to vote faster then your opponents supporters? Or how about confusing ballots? When it comes to elections, the appearance of impropriety is improper itself. Or what about approving voting machines which fail to meet basic security standards? Are any of these actions ever part of an ideal election?
Inventions have long since reached their limit, and I see no hope for further development.-- Frontinus, 1st cent. AD
You just KNOW Unions will be doing this.
Probably some churches too.
Finkployd
$500? Sorry bud, if you want to keep your job, you will vote the way that the company tells you to.
Can you say "unlawful termination?" I knew you could.
All it takes is one employee willing to fork over the $250 to file a court case, and they get to own the small business they work for. Governments and publicly traded businesses already have pretty strong employment rules against that, leaving only the "small business" as a bastion of that kind of stupidity.
Is that warning an actual federal law or is just toothless fingerwagging?
Oftentimes, we underestimate the power of a well-enforced law. Our postal service is so secure relative to other countries because the laws passed on postal fraud ensure anyone tampering with our mail gets a stiff penalty, and even postal carriers get pounded by it making it effective. And I have seen postal services in other first world countries (Germany, Italy, England, Spain) where the level of reliability doesn't even compare because the penalties/enforcement is laughable.
OTOH, if you are talking about creating a braindead law to enforce problems that inherently can't be solved by laws, like spam, I agree.
Remember, the ballots are numbered. So the printing process has to run off X variations where X is the sum of every candidate running for every office listed on that ballot.
And the ballots cannot be numbered sequentially. Or it would just be a matter of checking what version of the ballot was in that sequence. This can be done with friends and family who are already going to vote the way you do. Just stagger their voting throughout the day.
This system also depends upon a computer to remember which windows were associated with which letters on which ballot number. Any failure in that and these ballots cannot be hand-counted or verified in any other fashion.
This is stupid. Rather than go through all of that, why not just focus on getting the basics done and done right? Leave "verified" voting until after we've managed to identify who can vote and that their votes are actually counted.
I agree. If your vote was counted wrong, there isn't anything that can be done about it. If you believed your vote was counted wrong and it could be changed if in error, there would be the problem of folks claiming their vote was counted wrong to tie up the process of acting on the election results. For example, if vote verification was implemented today in California, and people had the ability to contest the election, Proposition 85 (which would require parental notification 48 hours prior to performing an abortion on a minor) would never be resolved. If the proposition didn't pass, extreme right-to-lifers would contend that their votes were miscounted just to tie up the system. If it passed, the extreme pro-choicers would contend that their vote was miscounted. To avoid this possible debaucle (sp?), challenging votes cannot be allowed, thus, what is the point of verifiable voting?
Of course, I could be missing something - please enlighten me if so.
The hole thingy only says if your vote was counted or not as you voted.
So, just a yes or no answer.
You'd ask the webserver to send you a text and you do some computation with your portion of it. Then, your computer tells you yes or no.
i don't think that's the major problem you would face. it would be more like an unwritten, never formulated "law" where you have to vote X or you could find yourself passed over for promotions, given the shit jobs and all that to make YOU quit, no unlawful termination business, and virtually impossible to prove
I mean really... its too easy to be adopted... and you would able to have recounts... no go from the gitgo
And how can you ensure that cheating doesnt occur using current methods?
If its done by a machine its safer as there is less handling by humans and there is a paper (or source code) trail.
It looks like they addressed the sticky problem of having a husband/boss/union demanding you vote a certain way then verifying it. Check it out before freaking out over this scenario.
However they solved the wrong problem. The problem is not that a solution like this did not exist, the problem is that the government does not want it. We cannot even get Diebold to print out a paper trail or get their software certified legally (they sneak around and use uncertified patches at the last minute).
The real problem is this stupid obsession we have over knowing the results of the election NOW. We want to go to bed knowing who won (although that did not go so well in 2000), and damn everything else. If we could just wait a day or so and let paper ballots be counted we would not have these issues. Sure paper ballots could be miscounted but there are more eyeballs, and it would certainly be harder to pull off a massive fraud like what would be trivial with today's Diebold machines. But (1) we want results now, and we want computers involved because we KNOW those cannot be wrong and (2) the government seems to like this idea of unverifiable votes.
Finkployd
Interestingly, paper voting trails on DRE machines can cause a similar issues.
Here in Ohio, when the voters credentials are verified, the voter is issued an authority to vote slip which has a number (first one of the day is 1001, next one is 1002, et cetera.) The number on the slip is written in the pollbook.
The pollworker would put the authority to vote slip in an envelope stuck to the side of a machine. That was ok, because even though we knew John Smith was issued slip #1055, and that he voted on machine #2, the older machines just printed up a receipt with total votes cast.
The new machines, in contrast, have a complete auditing paper trail. *Hopefully* pollworkers will not associate each authority to vote slip with the machine the ballot was cast on, because then you'd know exactly who voted when. (I'm told we just insert the authority to vote slip in one or two envelopes that are not associated with a machine.) However, I think the paper verification does print a time stamp at the beginning of the vote session, which would imply that if you examined the pollbooks and the machine rolls from the 3 or 4 machines in the precinct, you probably could figure out how someone voted. (If there is no time stamp, I guess it's more or less impossible to figure out how someone voted except within a range of voters.)
So, we have a vote that is logged somewhere that is matched to a ballot. Then we have the server logs that will connect the ballot (with vote) to an IP address. That IP address will be attached to an account at the ISP.
Basically, if you check your vote, your vote can be determined... trivially. Or at least that vote from that house-hold. Which is "good enough" for profiling purposes.
One of the whole points of crypto has just been circumvented. Nice job guys.
How is that any different from absentee voting? Bring the ballot the day before the election or find a new job. That way the boss can even verify it beforehand. Then take it from you and mail it so you can't change anything? I don't hear about it happening too much though...
I love it, the appearance of impropriety is improper itself.
How about the willful manipulation of the appearance of impropriety is a severe attack on our democracy, and should be viewed as seditious.
Really, all this stuff is in the noise, and is a complete distraction. Consider how much more variation there is due to the weather or the press incorrectly calling the election for Gore.
The real wackos think someone might actually rig the voting machines. As if a political party would have so much stake in one election/candidate they would be willing to risk destruction of the entire party. Jeez.
Ed Barbar, President and General Manager, Furnit USA
I'm posting this all the way up here because it seems like most people have missed the entire point..
You can't verify what candidate you voted for, only which letters you picked. I'll say again, all you can verify is that when you voted, you chose: A, B, B, A, that the vote was recorded as: A, B, B, A.
As long as the letters are shuffled randomly (sounds like they are) then there is no way to prove which candidate you voted for, because since they are random no one can prove that A was bush or gore on your specific ballot.
Is everyone so logic-impaired around here?
My rantings, only longer and with better spelling..
Okay, so you check whether your choice was correctly entered. You voted B and lo, the website shows you that you voted for B. You know that B corresponds to Coke -- vote verified. Phew.
But wait, what have you really verified? Only you know what B corresponded to... for all we know, thanks to a bug in the software (malicious or otherwise), the computed tally counted your vote B as a vote for Pepsi. We have to trust that the computer actually tallied the vote properly. We have to trust that the computer correctly recorded the ballot's mapping from letter-choice to candidate.
Electronic voting is an answer in search of a problem. Why not have regular paper ballots and let a scanner scan the ballot as it enters the ballot box -- use machine vision to count the ballot (or mark it as questionable). The computer can give us a preliminary count and if necessary (or to audit) we can always fall back to recounting each and every paper ballot. I guess the problem is that it's not as sexy as touch screens.
Yeah, like one person's vote is worth $500. Or like an employer could get away with demanding to see your receipt lest you be fired.
No system can ever be perfect. You have to weigh out the possible downsides with the advantages. I'd rather know that my vote counted rather than worry about the unlikeliness of a receipt system being abused by a few people who sell their votes.
Vote verification can be performed only in your local library computer. Need to show ID to get to the terminal. And you can verify the vote of only the name mentioned in the ID. But would people go through the hazzle to verify? But some will do. And the threat of verification would remove the incentive to try to hack the elections.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
I should be due for some mod points but I havent gotten any for awhile.
Maybe mod points arent being handed out?
Of course, this doesn't prevent traditional vote-tampering methods from working, like
- TV commercials scaring voters about the other parties, or
- politicians making bogus promises, or
- dead people voting (as long as people with their names show up to vote), or
- election departments not providing enough voting machines or ballots at heavily-one-party-dominated precincts, or
- election officials invalidating registrations of people in the wrong party, or
- police harassing motorists in black areas on the way to the polls, etc.
But at least it's better than Diebold.Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
I'm living in germany, they are pretty stiff. Never heard of a lost letter or package.
If you open a letter not addressed to you, you will get up to 5 years prison time and/or cash penalty.
Heres the original law text. from http://dejure.org/gesetze/StGB/206.html
How exactly do they know what you voted for then? They can't require that you show them the receipts.
Good lord! How is it that 70% of people have completely missed the point?
This system DOES NOT allow ANYONE to see WHOM you voted for.
That's right. NO ONE short of the people in charge can see who you voted for. You boss can't make you prove it, nor can your spouse, or whoever else.
All the ballot half you keep records is that you voted A, B, B, A. All you can verify online is that your vote was recorded as A, B, B, A. Because the ballot choices are randomized, no one can tell who A was for your particular ballot. Ahh, but I already hear the tin-foil brigade saying: "But the people in charge can check!!" Really, how? The ID # of your ballot isn't recorded next to your name in the voter rolls, I suppose someone who had access to all the decryption keys could fingerprint each and every ballot, but anyone who can get ahold of any of the paper ballots can do that now. Is it no less secure than any traditional method of voting, and superior in a vast number of ways. As long as a few percent of people check that their votes match what they recorded, elections will be a lot closer to tamper-proof.
How did so many people fail to figure all that out?
My rantings, only longer and with better spelling..
Yeah... This is one reason why we have a SECRET BALLOT. Its hard to sell your vote if you haven't got a receipt.
A Good Troll is better than a Bad Human.
They could really easily fix this. The machine could give you 2 codes, one gives you your vote and the other one gives you the exact opposite vote.
Copyright infringement is "piracy" in the same way DRM is "consumer rape"
If you had read the paper (it isn't complicated) you would know that
- you can only verify that the mark you made was the mark that was recorded, you cannot verify which option you marked
- the auditors (normally the candidates) randomly sample the ballots before and after the election in such a way that they can verify statistically that counting proceeded fairly without violating voter anonymity. The chance of k miscounted votes going undetected is 1/2^k, so just thirty miscounted votes will have less than one in a billion chance of going unnoticed.
What on Earth does this system have to do with touch screens?
I guess this will be the first study of how many people really don't RTFA.
RTFA? I dont know, but it might work.
emt 377 emt 4
Incorrect, there's an audit of that. Watch the overview, esp. the 2nd part of introduction and "security."
But wait, what have you really verified? Only you know what B corresponded to... for all we know, thanks to a bug in the software (malicious or otherwise), the computed tally counted your vote B as a vote for Pepsi. We have to trust that the computer actually tallied the vote properly. We have to trust that the computer correctly recorded the ballot's mapping from letter-choice to candidate.
Exactly. This system is useless for identifying fraud.
HOWEVER, if there were a scanning mistake, rather than a bug in the software or something malicious, it would detect it.
Electronic voting is an answer in search of a problem.
I don't know if this is totally true. To say that something is in search of a problem usually implies that the problem that it supposedly solves doesn't actually exist. There is a problem. Electronic voting is one solution to the problem; your proposal is another. Either, if done well, is better than what we have now.
Personally, I think that either a fully-electronic system (with a VVPT that is randomly audited each election) or one in which there is a machine similar to current DREs but whose sole purpose is to produce ballots readable by the actual counter, then have the counter separate, is the best way. (Essentially the second option is the same as your proposal with the caveat that the "regular paper ballots" aren't hand-produced. (Preferably aren't even ever touched by the voter, though this may be hard to de well.)
The use of an electronic machine to produce ballots (with a backup method if they should fail) has a couple advantages. One, it carries the biggest benefit of current DREs, which is that it's a good solution to allow blind people to vote. Two, there's much less possibility for "questionable" ballots. It adds complexity, but I think it's very possible that the benefits are worth it. (At least to have a couple per precinct for the disabled vote.)
Going with the separate ballot-producer and counter though, as opposed to just a DRE with VVPT, I think has much less advantage than adding the ballot-producer or going with either of these schemes over current systems. The only advantage I see is that if the ballot-counter fails, but the ballot-producer works, the election can continue uninterrupted. With just a DRE, the method of voting has to change. (To provisional ballots or another backup.)
It's because Slashdot is dying.
And now, a PSA from David Lynch.
Mod him up.
But how do I know that the cheating doesn't happen at this stage?
As far as I can tell from the technical paper the election authority creates twice as many ballots than needed, and then half of them are randomly selected for auditing prior to the election. With security and other auditing controls, once the ballots and the machinery pass the auditing test, all you need to do is ensure that the counting machines and other half of ballots are not tampered with prior to the election.
The machine doesn't keep the "printed" ballot configuration. Instead, it randomly generates an equivalent imaginary ballot such that if you know which side you voted for, your vote will be counted the same on your printed ballot. The trick to protect secrecy is that they allow election official to check only one side for any given ballot. Don't know if that could be enforced, however.
I once had a signature.
Why the hell was this modded "Troll"? It's a very good point.
Presumably, one could gain some benefit from a system such as the on proposed -- without creating this particular problem -- by allowing the cryptographic stub to used merely for confirmation that _a vote had been counted_, but not whom it was cast for.
In the UK, tampering with the mail is a serious crime. This is only a comparatively recent law. Originally mail carried by the Royal Mail was regarded at the property of the monarch and so tampering with it was regarded as treason. I very much doubt that the USA has stricter laws than that...
I am TheRaven on Soylent News
Go read their faq. This system is better and simpler. It even allows potentially for ballots to be reconstructed from the receipts if the polling place was blown of the face of the earth.
By the way, in their terminology, a "side" is the box that you color your vote, painting through the top and bottom sheets.
I once had a signature.
Why is (was) the above reply marked Score 1: Troll? It is absolutely right. Another basis for fraud I was thinking of was voting one way, counterfeiting the voter receipts to appear to go the other way, and charging electoral fraud after the fact. Too bad the designers of this system didn't have fraud in mind when they designed it.
You're right of course, but there IS one thing that this would detect, which is scanning errors. It wouldn't detect the computer counting "left" as "Zaphod Beeblebrox" when it should have said "Yooden Vranx" (let's stay away from real politics), but it would detect the computer counting "left" as "right".
If the counting software could be otherwise verified correct, that would give a higher assurance that votes are counted correctly than is presently possible.
Imagine for just a moment, that the elections in 2000 and 2004 had been just as they were; but with verifiable voting in place. Yes, all those things you mentioned are reasons we should not allow the process to get tied up in what would surely be an exercise in poor sportsmanship.
What we had were polls that were drastically different for the first time in our countries history. Were votes changed with bogus electronic voting machines, as some say? Were pollsters lied to en masse by voters, claiming to support Gore/Kerry but secretly voting for Bush?
There are a growing number of people who feel there is enough evidence to conduct an investigation even without verified voting. If we had had verified voting, one way or another, we would not be having this discussion today -- either we'd have a solid answer supporting the Bush presidency, or we'd be having a revolution. That is your safeguard against abuse -- if the discrepancy isn't worth a revolution, then it has no value.
~Rebecca
Cryptography is all about probability, really. When you use hash functions like MD5 and SHA-1, you're counting on the low probability of collision. When you encrypt something, you're counting on the ciphertext being in a way that your probability of guessing the nature of plaintext is the same no matter how you guess it. A ciphertext that simply looks like random noise isn't enough.
I once had a signature.
Exactly the problem. The very reason that votes are typically retained by the people who conduct elections and copies are not sent home is to avoid vote-selling and worse, intimidation. As a basic upshot consider the problems of a few decently-armed thugs going house-to-house and pointing guns to people's heads to confirm that they voted the right way. Given enough terrified individuals you can easily manipulate a local election if not a national one. If a sufficient number of thugs can be rounded up (and historicaly they have) then this crypto protocol can be an invidation to abuse. Some people might argue that this would be eliminated by making it secret but as long as the vote can be verified then more than one person can verify it.
Electronic voting has fairly demonstrably been adopted for the express purpose of more easily committing fraud.
First, I agree with you that voting needs to be open and verifiable. That's probably the only thing 91% of the electorate agrees on.
But I'm not sure electronic voting fraud on a national scale would be all that easy. Not all the voting machines are made by one company and the voting process can be quite different place to place. Though I'm sure cheating here and there has occurred, fraud on a massive scale takes people cooperating. The more people involved, the more the potential one of them will get cold feet or attack of conscience and squeal. I'm not sure there are a lot of people willing to risk trading their country club membership for federal prison to help Karl Rove.
Besides another potential problem with counting on people to cheat in elections is what happens if they decide to cheat on you?
That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
This is the same ancient idea, with the same ancient problems...
It allows for extortion and buying of votes (others can verify who you really voted for).
There's no guarantee that the machine verifying your reciept, is acurately reflecting how your vote was really counted, as opposed to counting all votes in reverse.
It does nothing to stop dead (or phantom) people from voting. They aren't going to complain...
Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
I think you're right. I don't see this problem listed in the Bugs list so I'm going to submit a bug report.
RTFA
Believe me, it can be done. Before this, I didn't believe it was possible (besides some external enforcement, like "verify your vote in this room after we check your ID with 100% accuracy"), and I nearly posted a comment about it, but then I decided to look at the actual method. And actually, to some extent, it works.
It CAN'T be used to prove that you voted a certain way. (At least to non-Vulcans or other telepaths. Or people with polygraph machines.) It also can't be used to verify that your vote was associated with a particular candidate, but it CAN be used to verify that the machine read your ballot correctly in a totally non-traceable way.
You were saying what about "bring receit or find another job" ?
By reading this signature you agree to not disagree with the post you just read.
You must be new here...
"..."
It is none of their fucking business who i vote for. If they ask me to volunteer i will fucking sue them right back to the fucking hole they crawled out of. It would be in civil court, you could easily win if they asked to see your ballot. God, I'm cynical but even you pissed me off.
You mad
Perhaps you're not familiar with how this industry works. Allow me to help:
1) a way for the computer to count fast (barcode or some such)
This is where juggling monkeys can be used with moon rock sculptures to quickly count the ballots.
2) a way for the voter to see what he's voted for (plain text on the same bar coded ballot)
A web 2.0 interface to interpret the moon rock sculptures would give a clean user interface while still remaining functional.
3) a way to do a manual recount for verification (see "plain text" comment above
All you need is a geologist to look at the moon rock sculptures and a manual recount would be easy.
You possibly also forgot:
4) a way of ensuring that the votes can't be intercepted and altered.
Here comes the encryption..
No, there can be an audit (of the software for example), but that can (and should) happen already. Basically, if the candidates are allowed to look over the shoulder of the ballot counters, then that is an audit. But this can happen already (its what happens in many elections outside the states where the ballots are counted manually, and there are scrutineers). So how is this different?
The solution is manual open counts or opensource machines. Not some scheme like this...
Deconstruct the State
Hmm, the reports I'm thinking about go back to the 1940s right through to the 1970s at the very least - your article talks about the practice since the RIPA in 1983, so perhaps that law streamlined the process of mass political spying so that Special Branch didn't need to get involved. (That might partly account for the 3 million subversives that MI5 was keeping tabs on by 1991).
The problem with this method, if you read through the PDFs, is that it rests on the secrecy of the final form of the ballot. If this is perfectly secret, it is indeed impossible for the voters receipt to prove how they voted. However, if the form of the ballot is NOT secret (i.e. someone votes, looks at the ballot and reports that to someone outside the polling station) then it's entirely possible to recover how the person with the receipt voted. The problem with this whole method is that the "secret", i.e. the structure of the ballot, must necessarily be public. The potential solution to this is to make random variants of the ballots(like tests where there are multiple copies with the same sets of questions and answers, but in different oder), but then the vote is not necessarily recoverable and this reduces the transparency of problems like the infamous florida butterfly debacle. Then again, at least the votes would have been more evenly distributed among non-Democratic candidates...
Basically, this whole system does not seem terribly impressive.
>No, I disagree that that system works (again, I haven't RTFA
It's auditable, unlike certain other systems that have actually made it to the field. Machines that cheat can be detected.
The real problem is the one shown by the discussion in this thread. Even career computer people (both the posters and the moderators) can't understand what the security properties are. Understanding how the security properties are met requires some crypto knowledge which is not common among the electorate.
It looks like this system cannot meet the human interface requirement of being understandable enough, to enough people, to have the credibility to make people accept its results.
Shamir's three-ballot system, in contrast, includes no crypto and anyone with a high school education should be able to understand it, but I shudder at the thought of explaining it well enough to reach the bottom decile of the electorate.
Fascinating... the liberals have been fixing the vote so that they themselves lose the elections? No doubt it's all part of their devious strategy to avoid responsibility for the Iraq debacle by keeping themselves out of power. Those wily bastards! They won't get away with it this time, though, the GOP has their number for sure!
And don't even get me started about the press losing elections... those sorry saps blow it every time, usually by forgetting to declare their candidacy.
I don't care if it's 90,000 hectares. That lake was not my doing.
Well for one thing there is the time factor. In Ohio there is only a 30 day window to request and return an absentee ballot. With a receipt you can check your Union workers voting history for lifetimes.
Are we perfect? No. But where I should move when I renounce my U.S. citizenship, North Korea, Libya, China, or Iran?
Definitely. I've just gone and watched the demo, and read a bit about it. Good on these people for coming up with a system where it's (apparently) impossible to prove to anyone else who you voted for, yet still allows for someone to be able to verify their vote to some extent. That said, I still think that trying to solve this is really trying to fix the wrong problem.
The only reason receipts are wanted right now is because some voters have a lot of doubt about whether their vote was counted correctly. The problem could be solved much better by fixing the cause rather than trying to treat the symptoms. Letting people have receipts won't actually improve the validity of the election, anyway, it'll only help people feel better about themselves. It certainly doesn't mean that a reliable recount can take place, because the vast majority of people will never check their vote, keep their receipt, or bother to return it on request. At best it'll indicate that there's been a problem with the election, but it's not as if we don't already know that, and it hasn't taken voter-only-verifiable receipts to figure it out.
Trying to do something this complex on the scale of a national election, or even small elections that involve a typical cross-section of the general public, is asking for trouble. An election is trusted because it's kept simple, and the people who vote can see and have a reasonable understanding of how it actually works. People can understand the concept of writing a vote on a piece of paper, dropping it in a secure box, having trusted people empty the box and count the votes, and allowing other trusted people to observe the process at all stages.
Tying the whole thing into computers, digitized logic hidden inside electronic machines, abstract metaphor (such as dragging and dropping virtual objects), and abstract automated counting methods, reduces the number of people who can understand the entire process, let alone any of the process, by orders of magnitude. It just opens up more possibilities for misunderstanding, confusion and concerned citizens who no longer trust the process.
Perhaps this system can be used for other things, but I really hope we don't resort to using it in large scale elections. There are so many other very basic things that need fixing first, and I'm skeptical whether anything like this will be beneficial once the root causes of the problems have been dealt with.
No.
True, the system doesn't allow people to sell their vote, but it doesn't allow people to actually verify their vote either. As I mentioned in a previous post:
Basically, the method you describe only lets me verify that the ballot was thrown into some machine with the left side marked or the right side marked. It then counts the vote as being for Al Gore or George Bush based on some machine which matches my ballot (left or right side), with the machine's knowledge of whether left or right means Al Gore or George Bush. But how do I know that the cheating doesn't happen at this stage? It would be very easy for the machine to count all votes as being for George Bush regardless of what the bottom half of the ballot says (because the bottom half of the ballot has been destroyed).
This is just a more complicated voting system with the same problems (lack of verifyability).
It claims to get around this by some auditing process. But we can already have auditing (probably the simplest being hand count the paper ballots and allow the candidates to have people look over their shoulders). Or use open source voting machines. So this process is silly -- the actual verification happens at the auditing stage done by the candidates which is already possible.
Deconstruct the State
You're right. However, this system has a more basic issue: A generalized variant of the "Stroop" effect as we call it in psychology. People excpect consistency. This system relies on randomization of both "letter" assignment (A. or B. to choice 1 or 2) and randomization of side (A or B is on left or right). This is a clusterfuck in the making. People expect the first choice to correspond to the leftmost option, and that the first choice will be choice A. Always. Furthermore, on a ballot, people expect item to item consistency. If Democrats are first, they need to be first the whole way down. I know it takes just a little attention and control to flexibly and correctly deal with a randomized ballot, but people will unquestionably botch this badly. It will make 2000's "butterfly" ballot look trivial in comparison. It's an ingenious system Chaum has devised...but it needs to really be thought about how to present this to allow people's "automatic" mapping between option and response to be the expected ones.
Next time RTFA before you post your comment. Then you wont end up looking so stupid. That goes for the parent and grandparent as well.
that is, unless they vote too and see the same ballot.
Of course, you can have variations, but that almost makes the whole system flawed- what if (deliberately or otherwise) the information on which ballots are associated with which keys is lost or confused? Suddenly, you have so much ink covered paper...
I looked at the ballot for this year's elections, and guess what? There was no one I wanted to vote for. No one. Frequently, the two candidates in a race are competing to see who can screw me over the worse: Candidate A says he wants to revoke my U.S. citizenship, for example, and Candidate B says he wants to throw me in jail for life (in both cases, for thought crimes).
Why would I want to vote for either one?
My ballot will be nearly blank this year - and even the one person I'm voting for, I'll have to hold my nose while I do it.
The two parties in the US have collaborated to deprive the people of any real choice. Surely there is a reason why voter turnout rarely exceeds 50% - everyone knows that they are not going to get any real representation, whatever choice they make.
I like the idea of "absolute representation", where each person gets their own personal representative, and that representative serves both as an ombudsman, and casts a number of votes in Congress equal to the number of persons they are representing. Besides the obvious question of whether we could actually get this enacted, the question comes up, how could the voter and the representative verify their connection, while keeping this information sufficiently confidential?
Also, if we could do this, we should also return the election of senators to the respective state governments, in order to regain the system of balances that has long been lost.
I'm tired of not having any representation in government.
You really have a thing for 70's Swedish pop bands don't you.
Well, if they handed you the exact ballot to vote, shouldn't the results come out the other side the same? If people voted exactly the same down the entire ballot their outside keys should match...doesn't matter how it is scrambled, unless they do some scrambling via your specific key.
I posted this on Slashdot a couple of months ago... How different is the concept?
= 15828335
http://it.slashdot.org/comments.pl?sid=192817&cid
No sig. Move along - nothing to see here.
I'd say this problem is pretty easily fixed by having a sanity check on the database. As long as the count for B goes up by 1 after you click "vote for B", it's done and verified. All the better if you can go back later and double check the reading and verify the integrity of your vote and the database.
Great idea. In the process, you completely nullify what the system purpotedly did in the first place, since you can't verify your real vote any better than (any of the) fake one(s).
Election fraud is not limited to "rigging the voting machines"; in fact, the most likely fraud scenarios take place after the votes have been cast. It sounds like you're assuming that election fraud would have to be coordinated by an entire political party, but that's unlikely for obvious reasons.
I don't see much of an opportunity for tampering with vote totals once the votes hit the state-level, but do you know how many opportunities (and how easy it is) to tamper with vote totals before they reach the state-level? Do you realize that the same people who have those opportunities also have an opinion, one way or the other, on how the election should turn out? Would you blindly trust each and every one of those people (the ones who voted differently than you) to fill out & submit your absentee ballot? Didn't think so - and that's why people like you scare the shit out of me.
I would explain in greater detail, but since you've obviously chosen to ignore anything outside the pretty picture painted for you by the media, I would just be wasting (more of) my time.
In some ways, I wish I lived in your utopian dreamworld where people and events are always just how the media portrays them. Then I wouldn't have to worry about what's really going on, simply dismissing alternative points of view as coming from "wackos".
How did so many people fail to figure all that out?
How is it that you've been a Slashdot member since at least July and you're still asking questions like this?
Mod points are being handed out, I just got some last Friday. I get some about every 10 days. I think there is some formula based on posting frequency, karma level and scoring of posts but I can't prove it.
If it's done solely by machine then nobody is able to check that the machine counted correctly... you just have to trust the people who created the machine to be honest (and competent!). That isn't acceptable. The safest way to count ballots is to have a Democrat and a Republican (and a representative from any other interested party) sit down at a table together, in public, and have them tally up the vote out loud... and preferrably have their counting session videotaped for posterity also. That way if anyone tries to cheat, they will be caught out by the others immediately.
Of course that's a very tedious way to do things, so it probably is only worth doing that during recounts of suspect elections... which means there must be a paper trail no matter what mechanism is used for the initial count. Paper ballots are an excellent implementation of that. If you want to use a machine to place marks on those paper ballots, fine. If you want to hand-mark them with a pen, that's good too.
I don't care if it's 90,000 hectares. That lake was not my doing.
Funny how in a government with a GDP of $11,000,000,000,000 it takes programmers working for free to make a system that is actually secure in order to maintain democracy..
Shame is the only thing I feel right now.
MABASPLOOM!
Since I can revoke my absentee ballot, you'd have to keep me from getting to the elections office to revoke my ballot and re-vote.
Of course that's possible, but so is terrorizing people who would likely vote against your desires as well...
Awesome furniture, accessories and cabinetry in Santa Rosa, CA: http://humanity-home.com/
I don't think it's necessarily impossible... it would be a form of zero-knowledge proof. As defined by Wikipedia:
In cryptography, a zero-knowledge proof or zero-knowledge protocol is an interactive method for one party to prove to another that a (usually mathematical) statement is true, without revealing anything other than the veracity of the statement.
Whether it's doable in practice or simple enough for non-computer people to understand/accept is debatable, but perhaps this guy has a viable solution. (I don't know, I can't watch flash files on the computer I'm on)
I don't care if it's 90,000 hectares. That lake was not my doing.
Bad assumptions. 1) Ballot Choices in all states are NOT Randomized. Some use National, State, Local and within that alphabetical order, some incumbents first, etc. so for someone to know your vote from the A,B,B, A receipt they just have to know the order. Many states also print up Sample Ballots which could also be used to check up on someone based on the choices on the receipt. 2) Someone else posted that Ohio does associate your ballot number with your name so your secrecy is gone already that way.
I would think some form of PKI could be used to insure the security and anononimity of your ballot. I don't want to post the idea here until I'm more sure it'll work (and also if it DOES work so no one steals it!!)
It only seems suitable for first past the post voting. How about those of us with instant runoffs?
Classical Liberalism: All your base are belong to you.
Of course not. You don't get to go back and change your vote after the election. It's your responsibility to double-check your ballot before turning it in.
What if mine was counted wrong? (don't know how that works, more privacy invasion I imagine) I suppose I could call and ask for a recount (2000 anyone?)
If, say 5,000 people all find that their votes haven't been registered correctly, they could report it to the elections board, or if that doesn't work, to the news media. At that point an investigation could be started, possibly leading to a nullification of the election if necessary.
but, they can't even verify that mine was the one counted wrong.
Sure they can... show them your receipt, then they can look it up that receipt on their web site just the same way you did. They won't be able to tell who you voted for, but they will be able to tell that the votes you punched in didn't match your vote as they tallied it.
Really pointless and dangerous if you ask me
Try keeping an open mind for a while. Or better yet, reading the article.
I don't care if it's 90,000 hectares. That lake was not my doing.
My district has roughly 650,000 voters in it.
Let's assume we have the best turnout in a non-Presidential election in the past 40 years: 54%. That's highly unlikely - no one's really contesting in my district (our guy's an old time shoo-in) - but who knows? People might show up.
54% of 650,000 = 350,000, give or take a few.
How long would it take to count 350,000 votes for something?
Let's assume a person can count 1 vote every 3 seconds. Count it out loud. "1. 2. 3." It's pretty slow, actually, but let's be fair: some of our more civic-minded people are also some of our eldest, and they're a bit slow.
So 1 vote every 3 seconds, that's 20 votes a minute, which is 1200 votes an hour.
350,000 / 1200 = 291 man hours.
In 8 hour shifts, that's 37 people. And considering my district is spread out over 30 towns, that's roughly 1 person per city - 2 for some of the larger ones. Find 37 more people and you've even got redundancy.
And that's if you want it done in one day.
How about the Presidential election? 2004 was considered a banner year for turnout. Number of voters? 122,294,978. We'll round it down to 120 million. Again, 1200 votes an hour: that's 100,000 man hours.
8 hour shifts, that's 12,500 people. Again, that's in 8 hours, reading 1 vote every 3 seconds. If you got it down to 1 vote every 2.5 seconds (and trust me, when things are repetitive, it's easy to speed through), suddenly you only need 10,417 people.
You've just laid off 2,100 poll workers in half a second.
There is no reason at all for a backlash against paper balloting. It is quick enough. In fact that should be the motto for all paper balloting:
PAPER Balloting: It's Quick Enough.(TM)
You make a good point, and I agree with your point that there is a purpose to verifiable voting, but I don't think it should be left to the individual. For example, if I recall correctly, the Gore/Bush vote in Florida was done on voting cards, and the vote by vote recount proved Bush won, even though the votes of many overseas servicepeople (who vote Republican more than Democrat) weren't counted due to missing postmarks. The punch-card votes allowed the votes to be verified. A few overzealous (sp?) people came out and said that they didn't understand the ballot, and thus the punch cards weren't valid, either, causing some court hassles, but in the end not affecting the outcome. To me, this recount and vote verification proved that the system could work, but was too slow, and if left to individuals, was too likely to be abused by those individuals with extreme views.
In my opinion, if we are to use an independently verifiable electronic voting system, it should be an independent auditor (or two or three) that does the verification, not idividuals, so that extremists on either side cannot affect the outcome. Additionally, a machine readable paper trail that is verifiable as one votes would be ideal. In the Bush/Gore example, this would have provided a quicker answer to the question of the vote count, and would have probably decreased (but not eliminated*) the skepticism about his victory.
* - there will always be those with extra-thick tin foil hats who think all elections are/will be rigged. No technology will change their paranoia.
So, when you check your vote, it tells you right or left, but it doesn't tell you which candidate that was. It would seem the computers could still be programmed to count the votes however you like, and still spit out the correct answers to right or left. By design, there is no way to correlate right and left to particular candidates. So, even if you had ALL of the data and could count all the votes yourself, but without knowing what each R or L represents, you have no way of verifying the results.
Si vis pacem, para bellum
The only thing more annoying than a Libertarian is an (un|mis)informed Libertarian
How about elections where there is more than one office up?
Will your system generate 2^n codes?
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
Simpler? How do you get simpler than putting a big black "X" next to your selection on a ballot and dropping it in a locked box? Lining up holes, encrypted receipts, there is NO NEED to make things this complicated.
Remember: KISS
Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
The point is not to have a theoretically bulletproof system, but one which can be understood and checked by _everyone_.
Lets take a look at the "pen and paper" vote. The one who votes marks boxes on his paper, then folds it and puts it into a box. Then, after all people have voted. They take out those pieces of paper and count them. Then they compare that to how many people have voted. Then they count how many people have market a certain box, etc....
This is a process I could send anybody there to watch. It _has_ to be public, and it has to be understood by the public. And furthermore it is efficient enought. Despite the complex systems, Germany has official results the day after the election. It takes about an hour to count all the votes, so we are not talking about _that_ much work here.
BTW, there is another serious flaw in the US elections. It's not on a public holiday, so only people who can afford to take a day off can vote.
There is a video on the website that explains how this works.
So why do this again if the voter can't verify it?
The voter CAN verify it, at least in part. The voter CAN'T prove it to anyone who isn't Vulcan (and thus able to do a mind meld). As a voter, you can remember "Zaphod Beeblebrox" was the second candidate listed, I voted for Zaphod Beeblebrox, look at the site and see that it recorded that you voted for the second candidate. But if someone else asks "which spot was Zaphod Beeblebrox, you didn't vote for him, did you?" you can say "no, Zaphod was the first candidate listed; I voted for the second."
See now?
This doesn't get you anything in precincts that use DRE equipment, but it would in places that have and use physical ballots. In those locations, there's the potential that they are scanned incorrectly. This provides a mechanism for you to verify that your vote was scanned correctly.
Give me 1, a single example, of a XXXX-proof anything. Outside of 1-time pads http://en.wikipedia.org/wiki/One_time_pads , given enough time and power, everything is crackable. The real issue is how much time and power (read $$ & cycles) can/will someone throw at a system to break it. If the break-cost is high enough, the implementation-cost is low enough, and the time between implementation and use is short enough, it would be very difficult to defraud the electorate. That's all we can ask for.
DNA, the splice of life.
I take it you don't bother to read the article before posting?
Need a Python, C++, Unix, Linux develop
So, the only way someone can break the law by selling their vote is to break the law by sneaking a camera phone into the booth?
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
Great, I know my vote was recorded as A, B, B, A (I hope that wasn't a Freudian slip referring to the music group Abba), but how do I know that when my ballot is counted as A, B, B, A, that the order of the selections used to match up my ballot to my selections wasn't switched?
Anytime that you can separate the selection from the question and choices of answers, you introduce a means of switching the voter's desired selections for somebody else's selections. A big black "X" on a paper ballot next to the voter's selection is foolproof.
I don't give two shits about being able to carry out of the polling place proof of my vote; I want to verify my vote WHEN I CAST IT, by a means that CANNOT be misinterpreted.
Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
The site doesn't tell you what each option meant. It just provides a way for you to verify that your vote for "A" was recorded as a vote for "A." "A" could have been anything.
Uh, why do you think they want to remove the requirement to have a photo ID?
Ed Barbar, President and General Manager, Furnit USA
You are of course correct in principle, but not necessarily for this method. It seems to allow the ballots to be mixed so that picking the first choice on one is not the same as the first choice on another. The vote-buyer will never know how you voted. (Watch the flash movie at the link.) However, this presents a problem just as bad as you describe... the non-secret ballot. The vote counting people now know how you voted. Well, they would if they tracked the ID number that you keep. That's unacceptable.
Ah, if a poll worker knows what you vote then a vote buyer can too. They can buy the poll worker.
FalconShould there be a Law?
http://www.youtube.com/watch?v=TtPiGIqSljE&mode=re lated&search=
the you tube that still works
http://www.captainsquartersblog.com/mt/archives/ca t_silence_of_the_cheese.php
3 1.shtml
Talks about Wisconsin Democrat voter fraud
http://www.newsmax.com/archives/ic/2004/10/19/853
Talks about using crack to register voters.
Ed Barbar, President and General Manager, Furnit USA
While you are at it, count the votes in the container without moving it. Do it in full view of anyone who wants to stay and witness the counting. Those vote totals then become an entry in a big spreadsheet that anyone can see and verify. The individual votes stay private, but the voting precinct totals are now public knowledge. You don't need encryption or tamperproof transport of ballots. Everything is transparent and witnessed.
Bah!
No, it is impossible. If a person can verify his vote, it means he can verify it to another person as well. The only way to prevent that is to withhold some key piece of info from the person you're verifying to, which means it isn't a true verification. FOr example, you can verify that someone voted for, but not who. Or you can verify that he voted for the 3rd person, but not who the 3rd person was (which means you aren't really verifying that the vote is going for the right person, since you can't verify the 3rd person is the person you wanted). Its one or the other.
I still have more fans than freaks. WTF is wrong with you people?
Nah, see, what's really scary is the people who modded me up to +4 without reading the article. That's democracy.
How we know is more important than what we know.
Great, so now about 100 people in a district that went for the opposition create some forged receipts. They claim election fraud and manage to get the entire district's votes invalidated due to "rampant irregularities", swinging the election results and electing their candidate.
People scream paper trail, but don't forget how easily documents are forged. They would have to be cryptographically secure, with a timestamp and possibly the voter's registration number encrypted on the receipt. Only the central election authority would have access to the private key that would be used to validate any claims of miscounts. Of course, you still have to trust the software. Basically the same technology that makes digitally signed contracts work.
I cracked a one-time pad last week, it took me 4 days to write the program to do it and the program runs on the ciphertext in about 3 seconds (it's blindingly inefficient). It recovers the key size in one pass using 2-tuple analysis (which passes the ciphertext, then passes the 2-tuple list, then passes the ciphertext again to count distances between the most common 2-tuple, then passes that list to normalize it...), then splits the ciphertext up such that each chunk is aligned to a byte of the key, does some frequency analysis (which passes the ciphertext once per byte in the key), and recovers the key for each (which passes the results once). Then it strings all the byte keys together to form the original key, and decrypts the text (final pass on the ciphertext). Theoretically I only need a few kilobytes of ciphertext to perform the analysis; it stops after finding 100 copies of the proper 2-tuple in the second pass, but otherwise needs to be taught to behave.
One time pads are nice, but only when used with an already strong algorithm. I can't break a one-time-pad AES; then again, I can't really break AES either. Now, a one-time pad Caeser Cipher I don't NEED to write a program to crack; I can do that in my head in 5 minutes.
Support my political activism on Patreon.
This "new" voting system sounds remarkably similar to a system proposed by Ronald Rivest (of RSA fame).
The problem with either system is it requres you to trust a computer.
In the case of Rivest's work, you must trust a computer to do certain logical computations. (Engineers and professors can do them in their head, but 90+% of the public in a given country do not have that skill.)
In the case of Chaum's system, which I believe to be an inferior version of Rivest's work, you must trust that the A and B the computer showed you are the same A and B actually used to tally your vote. It deals with the case of a false scan, but it DOES NOTHING TO SOLVE THE CASE OF DELIBERATE MANIPULATION.
Both systems add practically unverifyable processes to a system that previously didn't have them. (Assuming you were using paper ballots.) As an electrical engineer, believe me that PAPER is the way to go.
Life is too short to proofread.
You can have a small mock election where you vote 1,000 times recording what you choose manually and compare with the machine's result.
There is no reason why the machine wouldnt output the correct answer.
Wouldnt that constitute as checking that the machine counts correctly?
It also can't be used to verify that your vote was associated with a particular candidate
Which makes it useless for PRACITCAL purposes.
What do I give a shit that my vote gets counted if I have no assurance of who it was counted for?
This system CREATES a step in the system where it is possible to rig an election. Sure the numbers add up to the correct total, but that's not the point of an election.
Look at Ronald Rivest's work on this subject. It makes much more sense.
Life is too short to proofread.
err, isn't the first rule of onetime pads to have enough key to not reuse it? And if you DO run out of OTP, you have to find an out of band transmission method to generate more?
This comment is guaranteed*
*not guaranteed
Actually I just read TFA and this doesn't prevent anyone from making it LOOK as though all these votes are being tallied correctly and still have inaccurate information come out the other end.
Sure you've cast your ballot, you've verified it online. What's to say it's been TALLIED that way?
Independent tallies, you say? What's to say they're not getting the tampered tally, so that their results match up to the official (corrupted) version? This might make it more compli^H^H^H^H^H^Hof a pain in the ass to steal and election, but in the end it's still all smoke and mirrors, folks.
CAn'T CompreHend SARcaSm?
I'm not sure why you think Punchcard doesn't allow you to do that, but I suggest you read the following thesis:
http://ben.adida.net/research/phd-thesis.pdf
Afterwards, you may have some relevant opinions. Until then, please pretend that the cryptographers designing this thing consulted with a five-year-old before publishing their results.
---
You don't even need to remember that. You just need to see that the choices you marked are the same as those reported on the site. If there's a discrepancy you'll know your vote was misrecorded or tampered with since it's not possible to make different marks on your "keep" sheet and your "turn in" sheet.
If someone looks at the machine and matches the B you voted for with the candidate B was under your ballot ID, then tracks your ip address/timestamp, you lose privacy. But who cares - it's a lot of work, and lots of voters are willing to sacrifice privacy to ensure the system is working, and all it would need is like 1% of the voters doing the anonimity sacrificing spot checking, the rest could just simply not check. What your boss wouldn't be allowed to do by law is force you to go check your vote make sure it was done right. Then if you feel you have anything to fear, you don't check it. By the way, most likely your boss knows you enough and your thoughtprocesses that he can guess with 99% certainty who you voted for anyway. It's just how it is, man.
they will be able to tell that the votes you punched in didn't match your vote as they tallied it.
No they can't.
The can verify that the election authority had the ABILITY to count their vote properly, but they cannot prove that it was actually counted correctly, only that it was counted.
Ronald Rivest has actually developed a system which is superior in this respect.
Life is too short to proofread.
If you can't find your id in the database, you caught the voting process redhanded. However the vulnerability is getting a lot of extra junk votes into the database by unscrupulous people, that tilts the balance, how do you catch that? There also needs to be a certified counter at the door counting how many people went through the door, with watchdog volunteers certifying it, then the final results at any voting site database better match the number of people walking through the front door, within very tight margins. After the election is over, the databases are made public, you and professors at all kinds of universities download the databases, and do their own counts, or, you can give a copy of the database to your neighbour who checks his own vote in it, without anyone knowing which ID he's gonna look at, and he can do his own counting with his computer. You basically need 3 things - your receipt, the full database, and the total count verifying that there are no extra votes inserted into the database.
Of course no system like this stops open vote buying promises such as - if you vote on me, if I get elected I'll give you a taxcut, and send you a check, pretty much how Bush sent everyone a taxcut check when he first got elected, a check that voters liked a lot, but with shortsighted paybacks like that a leader can drive a country deeply into debt and could be bad leadership in the longrun. People are vulnerable to such selfishness, but if that's how the voters are, and that's what they want, bad leadership and bad decisions, then the idea democracy, that people know what they want and get it good and hard too, is working great!
You should also be allowed to go to any voting site within driving distance when it's about voting for president and not local issues, so that your boss couldn't look up the district you live in and say 1 person in that district voted democrat, everyone else republican, and chances are you were not that person, you live in a very republican neighbourhood. Local elections should be voted for on separate occasions, and issues with global reach should make it possible to you to drive to Texas from Minnesota and cast your vote for president from there. I know that's not how it works, you have to stay withing Minnesota, but at least you should be allowed to drive anywhere within your district, and then when your boss looks up the voting booth database in your district, you could say you voted somewhere else. Strangers showing up at all kinds of districts would also make sure elections there aren't rigged.
Which makes it useless for PRACITCAL purposes.
No it doesn't not for elections that are conducted on anything but DREs.
In any system where there are physical ballots, there are three steps:
1. Produce a ballot
2. Scan the ballots and determine who and what the voter voted for
3. Add 1 to the totals of each of the things and people the voter voted for
This system splits step 2 into two substeps:
2a. Determine which ovals are marked
2b. Determine who those ovals correspond to
This system "ensures" that step (2a) is done correctly. Outside of DREs, this is the only way that I've seen to ensure this that doesn't appear to compromise voter secrecy. It's certainly not the case that (2a) is satisfied with our current system... see Florida, 2000 and trying to figure out voter intent based upon the number of chad corners that were severed.
I'm not sure how big of a problem (2a) is in relation to other systems, and DREs eliminate it as a problem essentially entirely, so I don't know if the Punchscan system is worth the complexity or not. I'm also still not fully convinced of its secrecy. But, if it does what it appears to, it DOES HELP.
Vote for me and I'll give you a tax break.
Indirect pay off already happens.
Democracy Now! - uncensored, anti-establishment news
July '01 maybe ;) It just blew my mind. I would have thought that with everyone 'round here bitching about electronic voting people would have jumped on this like it was the greatest idea since sliced bread.
I guess I was just shocked, that's all.
And for the record it's a pretty good idea.
My rantings, only longer and with better spelling..
Umm.. How embarrassing.. My apologies.
A Good Troll is better than a Bad Human.
The first? haha. YOU must be new here :)
:P
I guess I just expected slashdot to be all over this like it was the holy writ of God/Budda/Whatever else. It's a pretty good idea. I don't know why people are faulting it for:
a) not solving every single problem. Hell it solves a few, let it slide. *nix wasn't perfect instantly. or
b) not understanding a very simple concept because they didn't RTFA.
I guess I was expecting far more positive comments. Silly me, I must have missed the part of 'TA' that said it came from Microsoft
My rantings, only longer and with better spelling..
Well, the point I was trying to make was that figuring out who you voted for requires use of your memory as to who was on which side of the ballot. Though in retrospect this is sorta stupid, because remembering who you voted for is probably easier anyway...
There is NO WAY to hand count these ballots.
The relationship of part A to part B must be kept on a computer. There's no way to count them otherwise. They don't have a complete vote on either part. The computer has to have been programmed with what letters correspond to which candidate on which ballots. And since having that information PUBLICLY AVAILABLE would invalidate the entire rest of the process
Which brings us back to the issue of whether we trust computers without a paper trail in our elections.
Since I do not trust computers without a paper trail, why would I trust some scheme that depends upon computers without a paper trail? And a bunch of "ink cover paper" is not a paper trail.
PAPER ballots could be validated using encryption. Then ballots could not just be printed and stuffed. It would also be cheaper than having special ballots, normal paper could be used.
Money should have something like this in it for fast validation. Public key encryption would work.
Counts should be done by hand; if ballot stuffing happens like in Mexico you have something to fall back on.
Democracy Now! - uncensored, anti-establishment news
The entire system depends upon computer voting systems without a verifiable paper trail. I thought that this issue was settled already, but apparently it is not.
... and you can verify that the machine counted your vote marked in the 4th window on the ballot.
In this scheme, your ballot has a part A and a part B. Neither of the parts has a human readable vote on it.
A computer is required and it must have been programmed with the relationship of your particular ballot's part A and part B. That means that on your ballot, the computer knows that selections A, B, C and D relate to John, Paul, George and Ringo, respectively.
Now, this relationship information CANNOT BE MADE PUBLIC because if it was, your vote receipt would be able to be used by anyone to confirm how you voted.
Since the information in the system CANNOT BE MADE PUBLIC, we are right back to the current Diebold situation. All it takes is a minor change in the programming that CANNOT BE MADE PUBLIC and the votes are going to another party. And this is, by design, UNVERIFIABLE by the public.
So, you vote this way, you follow all the instructions
It's up the whomever programmed the computer to decide who your vote will count towards. And, by design, you'll never be able to validate that.
I assume that the order is consistant within ballots, but randomized between voters.
The reason you don't want to do this is that with a system like this, buying and selling votes becomes possible. up till now this practise is rendered useless as the person buying votes can never be sure of what his money actually gets him (this is not to sat that some people wont try it anyway).
Your points are based on problems with the current voting system in some states. This is suggestion a NEW voting system. So yes, order would have to be randomized. This is a change that would have to be made. I don't see the problem..
BTW, there is another serious flaw in the US elections. It's not on a public holiday, so only people who can afford to take a day off can vote.
While elections on on a workday, by law all employers have to give workers tyme to vote.
FalconShould there be a Law?
Exactly. Voter-verifiable voting is not the issue. Ideally, you want to be able to verify your vote but not prove your verified result to a third party. This is a very difficult problem, and I don't know of any solutions.
If you want to keep your vote secret there is no way to verifiy the vote. If you can verify the vote then someone can verify with you to make sure you voted the way they said to vote.
FalconShould there be a Law?
The receipt does not reveal for whom you voted.
It only allows you to verify that your vote was counted in the final tally.
Right. I was just trying to quell any "but not everyone can remember all their choices" objections.
Where the majority of internet users go = Where to find the most morons.
Not to say slashdot is moron-free, but at least they're not deified celebrities as on digg.
kartune85 : Incapable of reason, observation or learning. A kind of dim, drab, flightless parrot.
For voters to trust the system, they need to be able to verify with their own eyes that the system is reasonably secure. Paper ballots and locked boxes work. People understand physical security.
Don't obfuscate the issue. Secure voting needs a voter verified papertrail and random auditing. The rest of the process will always be a black box to most people because 99% of the voting population don't understand computers, let alone cryptography.
What really annoys me is that Diebold already know this. Banks DEMAND paper-trail audits from their ATM machines, voters need to demand paper-trail audits from their voting machines too.
455fe10422ca29c4933f95052b792ab2
Well, except that that is the exact problem with other voting systems too. Once your ballot is in the box, who knows what they do with it?
I'm glad you brought this up.
With paper ballots, everyone who can see the box, knows what they do with it. It is easy to get people who can see and are willing to do so.
With electronic ballots, nobody really knows what's going on inside. It's a black box and essentially impossible to verify.
To give you an example, for about $1 million I could design a keyboard driver chip that behaves just like a normal keyboard driver except under very special circumstances. The only way to catch this is to have someone involved in the production confess or to depackage the chip and examine it under an electron microscope. How often do you think that is going to happen?
Life is too short to proofread.
It's pretty clear that both incidents were poor individual decisions, as opposed to an order that came down from the Democratic party (e.g., "Kerry just called, he wants us to slash the tires on a couple GOP vans. Let's move."). The guilty parties were subject to due process of law and received the appropriate punishments, so the system worked. Are you trying to say that those two incidents are indicative of general Democrat behavior?
Remember when the CEO of Diebold wrote a fund raising letter promising to "deliver Ohio to Bush"? That seems a little bit more important than those 20-30 votes (that were never actually cast) referenced in the two articles you linked.
That's like an NFL referee, right before the SuperBowl, sending a letter to one of the team fan clubs saying, "we promise to deliver a victory for your team".
You still don't understand the system, and have gotten bogged down with just one feature of it. This system also can be audited in such a way that it verifies that votes in total were not switched and actually counted as intended. Being able to verify your vote with your receipt is just one part of that system. It verifies that there was not an interpretation error, which other systems DON'T give you. Your big black X is far from foolproof. If it is read by a human he can easily make a mistake and put it in the wrong pile, either deliberately or by mistake. You would never know. If it is read by a machine, then the machine can make a mistake reading it. If it is a punch card, it could have been misread. If it is a mark sense card it could have been misscanned, etc.
If the mistakes above were innocent, well that is inevitable, and you would not know. But if they were fraudulent, you still would not know. The punchscan is better because you can see the interpretation of your marks at the polling place, which locks them in, which is far better than placing a ballot into a scanner and having no idea whether or not it was scanned correctly. Then you can once again verify that your ballot was interpreted correctly and properly included in the final tally at home. If a few people have receipts which show errors, then that is tolerable, due to the fact that nothing (even your magic black X) is perfect. They most likely didn't verify the marks at the polling place in the first place. But if there is fraud there will be a LOT of people with mismatched receipts. That is what keeps things honest. Many people won't check, however, the interesting thing is that if people start declaring fraud, more people will check their receipts and more people will audit the election results.
Your issue with the switching of the interpretation AFTER the ballot has been cast has been addressed by this system also. It involves cryptography (cryptological "commitments") and auditing before and after the election. Auditing that you can actually choose to do if you want to (e.g. even if you don't trust other peoples auditing software you could actually write your own, because the whole process is completely open).
There are multiple levels of detail at the site, which you obviously have not read, but that is not surprising, given that this is Slashdot after all. There are details that you can get which I won't try to go into here, but in an attempt to simply explain the system of commitments and auditing they offer the following analogy at the website. Note that in the below quote, consider the "table where all rows are sealed" as the state of the random ballots BEFORE they have been cast. The "switch" they are talking about is the same issue that you are talking about. It might not completely satisfy you, but at least you may understand that they have addressed your issue, and if you really care to understand it in depth, the details are there if you look deep enough:
The site doesn't tell you what each option meant. It just provides a way for you to verify that your vote for "A" was recorded as a vote for "A." "A" could have been anything.
That's right, "A" coud be anyone so you can't verifiy your vote counted the way you wanted. Sure you can see the reciept online but you can't see who the vote is for, therefore you can't verify your vote.
FalconShould there be a Law?
Same here, except that I got two highly probable results, both of which were equally likely: "VIOLENCE INHERENT IN THE SYSADMIN" or "ELECTRIC SHAMPOOS IN OUR BATHROOM".
Hmm...
Yah, I know, I was replying to someone who was claiming they could sell their receipt. If you can sell your receipt then you can be forced to give it up unwillingly.
How we know is more important than what we know.
No it doesn't not for elections that are conducted on anything but DREs.
... be in random order". Rivest's solution is vastly superior to this one IMO, but both rely on "black boxes".
This is a dodge of the issue. If this system WORKS, then it does so as described in TFA.
If the system has vulnerabilities, additional measures NOT OUTLINED ON THEIR WEBSITE might fix them, but that's not exactly the discussion we're having.
My own suggested additional measure would be to throw all the electronic voting equipment off a bridge and go buy some pens and paper.
You really aren't thinking about this right. You need to consider the situation where the people in power have millions of dollars at their disposal and the ability to modify documents and equipment at their leisure.
The solution to this is lots of humans watching and counting, not a bunch of unverifyable black boxes.
To put it simply, I can add another step:
4) Switch 5,000 votes to another canidate before generating the final printout.
The creators of this system believe it is resistant to this, but there is entirely too much handwaving such as "it is necessary that the intermediary state of the ballots
Life is too short to proofread.
1) HOW DOES ONE CORRECT ERRORS? Just dealing with people who don't remember correctly thinking it or they messed up would be a nightmare.
;-)
2) Letting you see what you voted doesn't say what was actually counted in the county tabulator software.
Exit polls point out problems in a similar fashion and have similar problems. (They were made illegal here because they worked in pointing out problems... but have been ignored when they mattered.)
3) Statistical Sampling
Non-expert polling will result in more upset people: "friends & neighbors didn't match the results"
Do whatever 'secure' thing you want, but give me root on the tabulator
3) Hand recounts are not possible
4) Ballot stuffing is still possible (easy enough to fix that)
5) Still trusting the hardware, OS, libraries, compiler, sysadmin, vendor, support people to be honest. Where there is will($$$) there is a way comes to mind...
6) Loss of tables destroys an election (many backups...)
7) Leaking of the obscure tables would break it.
Democracy Now! - uncensored, anti-establishment news
The recipts don't show who you voted for. They can not be used to determine who you voted for. And, if vote buying was something wanted, then they'd already be doing it. Just get the absentee vote forms, fill them out for your employees, have them sign them, then send them in for the employees. Vote buying is extremely easy today. So why the panic over a system that makes it no easier?
Learn to love Alaska
Head of (Household, Gang, Union, Department whatever organisation legal or not)
"Ok, now that you've voted, show me that you voted the way I told you too."
Yes there are ways around this, but they do need to be implemented so that a person cannot be forced to prove that they voted in a given way.
D
http://davesboat.blogspot.com/
http://davesboat.blogspot.com/
I remember one of my computer science professors telling us in college about what I believe was a journal article from the 1970's discussing electronic voting. The way you do it is a two stage process. People vote on the machine. It then prints out a paper ballot that has machine readable code and human readable type indicating your vote, all on the same ballot. You do not get to touch the ballot. It prints up behind a glass screen. There is a red button and a green button. If you approve your printed ballot, you press the green button and you see your ballot drop into the sealed ballot box, and your vote is tallied in the machine. If you disapprove you press the red button and see your ballot get shredded and your vote is not tallied in the machine, at which point you have the opportunity to restart the process. The first official count is recorded and tallied by the machines you vote on. In the event of a recount, you have the choice of scanning your printed paper ballots by machine, human recount, or a combination. Because the ballot boxes are only needed in the event of a recount they can remain sealed until such a count.
This solution has been available for more than 30 years. If anyone is making electronic voting machines that do not allow a human verifiable recount, the only possible reason is that they want to leave the possibility of fixing an election open. Which is not to say this technique isn't open to tampering, but it is no more open than paper ballot systems, unlike the contemporary electronic voting solutions.
Replying to myself. I know. Sin!
:)
An addendum to my first post for everyone who says: yes but they could still hack the software etc..
True, but that is just as possible with paper ballots (you don't think they count those by HAND do you? They've been feeding 'em through a scanner for years now..), punch ballots, and far MORE likely with fully electronic voting. Like I said, with good software (i.e. posts what was actually tabulated for your vote, not what your vote was scanned in at, although still easily hackable) at least it would be a new take on the same process. It also opens up the process more. Heck maybe it could even be done with OSS!
My rantings, only longer and with better spelling..
From TFA :
Welcome Slashdot! Pretty please, read the FAQ! And NO, the receipt DOES NOT allow you to prove to ANYONE how you voted.
And yet, strangely, I don't understand what prevents anyone to do so...
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
Yep, Australia has a similar leagal history for the mail, treason was the most serious charge for intefering with it. When I went for my drivers license (late 70's), the postal service were the only people legally permitted to speed, a phone call from Australia to the UK cost roughly one adult-hours-pay per minute. Everything changed when the telegram died.
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
yes, YOU voted the democrats... but 99% of the rest voted the republicans
very special simpsons reference: edgar neubauer
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
I don't get it. If nobody can prove who you voted for from either sheet, how can you ever know your vote was counted _correctly_? Sure, you can check that your vote has been included in the count...but what if it were counted as a vote for the wrong candidate? I find that a much bigger problem than other people being able to know whom you voted for.
Please correct me if I got my facts wrong.
You missed the point. That's just electronic vote counting - that's easy. This is voter-verifiable vote counting - you can verify after the fact that your vote was counted the way you voted it. Doing this, without revealing to anybody else how you voted, is tricky - but it's possible.
Just because you can verify your vote was counted correctly, says nothing about the anonymous abstainers (who typically outnumber voters by 3:1) in whose name votes may have been falsely cast by the cheating party but who by definition aren't going to check anything.
Receipts, if they are given and if they show for whom the holder voted, must be readily forgeable. Unless a person can with 100% plausibility pretend that they voted for a different candidate than for whom they really voted, a receipt provides an opportunity for voter coercion. (Even abstainers should be given a receipt, since an abstention is a valid vote. Compulsory voting only makes people vote along the wrong lines; a savvy party could win an election on compelled votes alone, by fielding a candidate with the right charismatic qualities.) Of course, this reduces a receipt to mere proof of having been entitled to vote; but with Universal Franchise, such proof is redundant anyway; since the holder -- by virtue of their existence -- is entitled to vote.
Voting receipts are a smokescreen. They mask the symptoms of a problem without addressing its root cause. As long as any technology is used in the process of an election which is beyond the comprehension of a school-leaver with passing grades, and as long as there are any secrets -- beside who voted for whom -- anywhere in the process, there will be unfair elections.
Je fume. Tu fumes. Nous fûmes!
I still don't understand why manual, scrutinised counting of paper ballots at the polling place is impractical.
That's why I send one possible recount you could do is a combination machine/human recount. Just pick a random sampling of ballots and verify the machine code matches the voter verified text. Once you've convinced yourself it statistically unlikely that the machine code isn't matching the text, you can save time by scanning. That is one of many forms of auditing possible with this system.
I didn't miss the point. I just didn't bother pointing out again what others have already: it doesn't add anything. The technique in the article doesn't make me feel any more secure that my vote made it to the candidate I chose, and without that I just don't care. Introducing a layer of abstraction just moves the problem of verification. It doesn't alleviate it. What does it mean to me that I get my pattern of choices back without any verifiable connection to what those choices actually mean. I think the hope is it would confuse people enough that they would think it actually means something.
I would much rather talk about something that adds meaningful recounts to electronic voting, yet still opens the door to the efficiency benefits, and does in fact include a voter-verified step to back up the results produced.
Most of them were below "see" level :)
Yes I read/watched it right after posting. It's not like we're actually using this system now, or have any guarantee of using it in the future. So the question of which scenario you should complain louder about (potential vote buying or no paper trail) is still valid. I also don't see how this system helps. Your receipt doesn't show who you voted for. The vote you can look up doesn't show who you voted for. So you're still relying on the "Election Authority" to maintain the same connection between the cards throughout the election.
And the more times I vote, the more stubs I have to verify the tally system, thus ensuring even more the integrity of the system.
I am anarch of all I survey.
You know what it was on your ballot. Of course they could make the machine register a vote for someone else and still make the front-end display the same result but I think that'd be harder to hide since you'd have to tamper with both the voting machine and the central system for displaying the results.
Justice is the sheep getting arrested while an impartial judge declares the vote void.
It's incredible how many people would flunk computer security 101. One of the most fundamental rules is that you can not trust a compromised machine, ever. Unless there's some non-electronic evidence of how you cast your vote (not just that you cast a vote), the computer could claim anything happened. Clearly we can't let the voter take the vote home, nor can we let anyone else know what happened in there. It can only be solved in one way, by installing a printer in every voting machine and let the voter verify that the physical ballot matches the vote.
Clearly there's a few more things you need to do, like ensuring that you don't give your id to the voting machine, one vote per voter, that these paper ballot are concealed before next voter and possibly the order physically randomized so the order can't be matched to the people entering the cubicle, but I'm leaving out the details. Most of these are solved by getting a vote token rather than a ballot anyway. But if you do not have a paper trail, you have already lost since there's no possible way to prove that a vote ended up with the right candidate.
The next question is, how would you like to mske sure the electronic count matches the paper count, without actually doing hand counts. My suggestion: On each vote, print voting machine id, a random vote id and poll option with a digital signature (remember, these have no connection to any voter). These IDs are essentially public. So you have a list of 100 million lines like "Machine 2342343 - Vote 325432432 - Option 5 - Signature 4534643642523423423523632653252". Then after the election, pick any sample you want to validate and bring in an OCR machine. Checking a few thousand votes should be statistically enough to ensure no tampering has taken place.
These votes can't be forged, can't be duped, can't be miscounted unless you had the original voting machine, someone on the inside to fix he electronic vote and someone on the outside to replace the paper votes. In that case, you're pretty much screwed under the current system as well. Noone aggregating the data would be able to fiddle with the numbers either. Basicly, you have 100 million electronic votes that you can verify against 100 million little pieces of paper, which are true because they've been verified by each voter personally. You can't trust a computer who'll say 2+2=5 if it has been programmed to.
What are the sources of error? Well, there's printer jams but beyond that, I don't see any. These should all be reported upstream anyway, and you couldn't get away with much even if you put in a "if ( vote_we_don't_like ) then jam printer" in rhe code. Even that you could probably stop if the vote was not officially counted until the physical print was accepted. You could still have the physical ballots disappear, but that's no different than today. Plus you'd have no "doubtful" votes, either it is a vote or it isn't (unless someone lets accepts an almost unreadable print, I guess). Hell, even the people that claim they didn't understand what they were voting for would have a hard trouble complaining if it was printed in bold on their vote.
Live today, because you never know what tomorrow brings
Mod parent up
Is this a trivial extension to the protocol, or something that just isn't possible? Multiple party elections aren't that unusual!
...which is exactly why it'll never be used. Takes all the fun out of a national election if you can't fake it anymore, doesn't it?
Assorted stuff I do sometimes: Lemuria.org
It's easy, let's go all the way to internet democracy and use data replication to ensure verifiability.
You add PGP signatures to votes, P2P servers to disseminate them, and electoral lists to calculate results.
It's so easy and straightforward, that you could rely on a general consensus in order to obtain results, and everybody can participate in it!
Of course there is one problem with it: votes can technically be bought.
But you get quite some advantages, you can vote from anywhere, anytime, on anything! Direct democracy at last.
The project I'm working on, aimed at just that => http://leparlement.org/security
I'm kind of lazy, not an American and haven't looked but before but how long did it take to count votes in the states before the electronic voting took place. Granted that electronic voting may take less time in some cases, but alot of people seem to be either afraid of it or untrusting of it. The point that I'm leading into is the election of George Bush Jr. in his first term. I remember Canada(which does have a lower population than the US) having their results in their Prime minister election long before the Americans had their President decided(excluding absentee ballots). If I recall this had to do with a bung up of Florida which I believe was using electronic voting in some regions at the time. I can't recall now but were some of the slow downs because of the electronic voting or were they just with manual recounting of the votes themselves?
You realize you're full of it, right? A one time pad is a random string equal in length to the cleartext. Thus, a ciphertext of length N can decode to any message of length N with equal likelihood. Well, there *is* a bias, but the bias is of the form "sensible decodings are more likely than unsensible decodings." But the semantic meaning of the decoded message could be anything. Your decoder should do no better than a high quality random number generator driving a statistical model of your cleartext in a manner similar to Mark V. Chaney.
Program Intellivision!
Except the "Have faith" part, which seems to be the intended point of this method.
I am not saying this introduces new problems, but it doesnt actually solve the problem it intends to. The sheet need only lie about which hole means which letter (a problem which exists for all modern voting machines) to thwart this system. Given that this system would likely still be implemented using electronic voting machines (for ease of tallying), nothing has changed.
-- 'The' Lord and Master Bitman On High, Master Of All
references please
Yes it could be done, but change is difficult! And changing something like ballot order would require an act of the State Legislature which is not a given. They are going to come up with all types of reasons not to randomize. So, it's not a technical problem, it's a political problem.
No but it certainly don't give everyone the chance to know who've you voted for. And if your boss force you to tell him, well he does not have any rights.
Of Code And Men
Whilst from a cryptographic point of view this is rather interesting, I have a couple of serious doubts as to how well this kind of system might work in practice:
1. What happens if candidates claim the system is flawed? You can't conduct a recount in a crypto system such as this (and get a different answer) so in effect if someone manages to contest the election, it's now void.
2. The audit is based on a statistical sampling of the ballots (IIRC checking the link between the candidate list and the voting receipt is correct) -- in no way is the actual counting audited. This means that the outcome of an election is based on someone pushing a button and a *machine* spewing out a total.
You simply cannot conduct a manual recount (you go and try to decrypt these numbers by hand!). In a perfect world the counting algorithm is ideal and doesn't make mistakes and is provable, in the real world the algorithm doing the counting might not be the same as the one in the perfect world... And the best you can do is get an expert to review the counting software, hardly an open and accountable process where anyone can volunteer...
Not only is it quick enough. If you hired temp workers to do it, the cost compared to what you pay in taxes would be absolutely irrelevant. 3 seconds of labor at what hourly rate?
One problem with adding more accountability and verifiability is you reduce the anonymity. Just because your name isn't on the half of the ballot you carry home doesn't mean someone couldn't figure out it was yours if they took it from you. The problem with this is that it invites employers to demand of their employees, "Vote for X, and bring me your receipt, or you're fired." If you can use your ticket to verify your vote, so can someone else.
Secure, but prohibitively expensive, extraordinarily labor intensive to recount, harder to actually cast a ballot, and requires *secrecy* in an office that traditionally has had open records.
This is an accident waiting for a place to happen. It'd make Florida in 2000 look like a walk in the park, a day at the beach.
I swear, the more technology people try to think about voting the worse their ideas.
" You take half home and can verify later via a Web interface how your particular ballot was counted. "
All this verifies is how the vote was cast. Not how it was counted. Besides that, how does this benefit anybody? Ok, so you know you voted for A, even though B won. So what? What good is it.
As long as the votes are stored in a computer, they can be easily manipulated at various points in the chain. Sure digital data can be very secure. In banking we make sure everything adds up correctly. But that's because if it's not, you are going to get a phone call from one of the two people involved in the transaction. "Why is there $600 less in my checking account?"
But there's no way to get that kind of verification with voting, because the net result of your one vote is nothing. It's when it is taken in aggregate. So what are you expecting? 300,000 people show up at the election offices with their ballot stubs proving they voted for A? Doubt it.
Call me a luddite, but paper is the answer. The only reason technology comes up is because we can count ballots faster, but you know what? I don't give a shit about speed. I care about being able to monitor the whole process.
So, if the people running the election can be given a copy of your receipt, because they're in cahoots with the union bosses who forced you to hand over your receipt, then your vote can be revealed.
Also, there is another way the anonymity of the vote can be compromised: If the people in charge "accidentally" reveal both halves of one of the mapping tables. That would effectively reveal all of the votes. Anyone who can find out your ballot number can find out how you voted.
This is a very clever system, and I think it could be highly secure, but very careful oversight of the election officials is required. I haven't yet had time to read the paper to see if Chaum's team has addressed mechanisms for ensuring the oversight requirements. There may be a way to ensure that any malfeasance by the officials could be detected by any of several mutually antagonistic oversight parties (i.e. the candidates) without giving those oversight parties any ability to alter or compromise the votes. If so, and if the system can be extended to more complex ballots (which I see Chaum claims it can), then it is a truly perfect system.
If not, then I still think this may be the best system yet proposed, but it requires careful analysis to determine exactly what sort of oversight is required, and how we can ensure that it is performed correctly.
The advantage of traditional, anonymous paper ballots is that the oversight requirements are well-understood, very easy to implement and provide the overseeing parties with no opportunity to modify the ballots cast or the counting process.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Why all this focus on the technology of voting, when voting is completly flawed before you ever enter the voting booth. With bans on political advertising, restricting ballots to only two parties, and limits on fundraising that only effect third parties, the vote is illegit even if ballots are counted with 100% accuracy.
If I am not allowed to vote for the party or candidate that I want, and am forced to vote for only one of two virtually identitcal political parties, does it really matter if the vote is 100% accurate? If Cuba determines that 98.554% of people vote for Castro, as opposed to 100%, does it really matter when it is a one party system? The U.S. system is only marginally better, in that it has two virtually identical parties instead of one party.
I know people are caught up in the Republican-Democrat sports rivalry mentality, but who really cares if one of those parties steals the election from the other party? It is not like people could choose a candidate in a fair election anyway!
They still fail to account for the fact that the only thing that does the counting is the computer. Computers are programmed by humans. Humans with an interest in commiting fraud.
The only way to check that the computer did not change the order of YOUR ballot AFTER you voted is by publishing the database and checking the actually USED ballots instead of the unused ones.
The database can match your ballot-id to your vote so that can not be published.
Computers can not be trusted. Any voting scheme that has a step that is only done in the computer is therefore flawed untill a way is invented that allows us to verify the software that is actually running on the computer, while it is running.
Paper ballots CAN be counted by hand. They can be counted by an automatic counting machine, but the still CAN be counted by hand... As a check...
>short of illegally making a photograph in the booth,
I couldn't see the video, but it seams the whole plan relies on every both at the same voting site be identical (one scanning machine, multiple boths with keys.)
So if you boss/wife/mom voted at the same location, all they have to do is hold your card up to theirs, and they know if you voted the same.
now they could just as simply allow you to have practice cards inside the booth, so you could make up a ballot to show your boss, etc and the real one you submitted. Although could be a bit much to allow you to submit a fake ballot to be checked online also...
but also it seams quite easy to alter a single booth, to swing a bunch of votes, unless they had another master key visible to all, which then defeats the whole anonymity.
IE if your a republican, you send the democrats to a altered both, where the template causes your vote to be switched...
No, the ID number at the top determines the ordering of the questions. Everyone gets a unique ID number with a specific ordering of questions based on that ID (kept secret).
It's not wasting time, I'm educating myself.
Bullshit! The "key size" in a one time pad is the size of the whole message. That gives you absolutely nothing to work with.
Is organizing elections really a responsibility of the state? Why not just average the outcomes of randomly selected opinion polls?
as opposed to allowing election fraud to take place, easily?
MABASPLOOM!
I don't understand how 'verifying' your vote online can do anything useful. Look at it this way: We have 1,000,000 people who cast their votes 50/50 for Bob and Dick. They all check them online and they all are correct. What's to stop me from tallying the votes wrong and reporting something like 57/43? The technology is not the issue here. The issue is that private companies with monied interests are secretly going about building these systems. You cannot observe, analyze or audit the software, hardware, practices or workings independently--legally or practically. Elections have been rigged for a long time in various ways(see the re-election rates for a shocker), but now it's out in the open for all to see. Unless these secret systems and practices become open and able to be examined, expect the voter turnout to become meaningless whereupon elections will be quietly abolished. They will become nothing more than the 99% of the vote charades that Saddam was getting with a western 51/49 twist. I don't know how to release the death-grip that corporations have on congress, but I do know that if nothing is done, people will be forced to start caring.
"You're everywhere. You're omnivorous."
The way the system works is that half of all votes ARE switched. Half of all people (on average) who vote for candidate A check the left box, the other half check the right box. Which box the candidate appears in is random.
"Because Science" is one step from "Because old book". Try "Because of my experiment testing my falsifiable assertion".
Not sure about that, but I still have mod points that should have expired a while ago: You have moderator access and 2 points (expire on 2006-10-27).
-IOVAR Web Dev Platform
First, SERIOUSLY read the FAQ. Please.
Next, you can prove to YOURSELF that your vote was cast as intended and recorded as cast. You can prove to yourself and anyone else that your vote was (or wasn't) counted as recorded. You ABSOLUTELY CANNOT prove to anyone else the VALUE of your vote (i.e: who you voted for.)
Third, yes we know that the people at the top don't want a verifiable system. This has to come from the bottom up. Fortunately, it is largely local governments who are responsible for the purchase and use of voting equipment. Since this technology is out here, you should DEMAND it from your government. You should NOT accept unverifiable elections anymore.
Feel free to ask me questions, by the way.
They might be holding back on mod points, I've seen some complaints that there were too many +5 posts and asking for a +6 or similar.
:)
I used to get mod points a lot more frequently (up to the point that I couldn't use them, since I wanted to actually reply some times). Maybe I was meta-modded down
There are three kinds of lies: lies, damned lies, and statistics.
I love it when people talk loudly about things they don't understand. There are a number of information-theoretic secure constructs in cryptography that are unbreakable no matter how much computational might you bring to bear on the problem. One simple example is Shamir secret sharing (and the many variants) where you essentially have a system of equations with fewer equations than unknowns, thus like one time pads, every assignment is equally likely to be the correct solution to the problem.
-30-
I'm replying to myself to explain what I think is an interesting bit of math related to this. Chaum's paper assumes that 50% of the ballot commitments will be verified, which is a lot of work and requires that double the number of required ballots be printed. That's fine for expository purposes, but in practice you don't need to verify nearly that many.
To see how many you do need to verify (and therefore how many extras you need to print), we have to make some assumptions.
First, we have to estimate how many bad ballots are required to change an election result, because we don't really care if there are a tiny number of bad ballots that don't actually result in a change in the outcome. Express this number as a ratio and call it b. So if modifying 0.1% of the ballots could change a race, b=0.001.
Second, we have to pick a desired level of confidence in the results. This basically boils down to an estimate of the crook's risk tolerance. If you think an official would be okay with a 50/50 chance -- 50% of the time he throws the election, 50% of the time he goes to prison without affecting the election, then a 50% confidence is fine. Just to be conservative, I'd pick a 99% confidence level, meaning the crook has a 1% chance of succeeding and a 99% chance of being caught, though in practice a 10% confidence level is probably good enough, assuming you pick suitably risk-averse people as officials. Whatever it is, call the desired confidence c. So I'd pick c=0.99, implying I consider (1-c)=1% of the closest elections being wrong as acceptable.
Call the number of ballots verified n. What are the odds that none of the bad ballots are detected in n verifications? Restated, what is the probability that all of the n ballots are good? The probability that a selected ballot is good is (1-b), so the probability that all n are good is (1-b)^n.
So, what we want is to find a value of n such that:
(1 - b)^n <= 1 - c
In words, we want to find n such that probability of a bad ballot slipping through unnoticed is less than or equal to our "acceptable" election failure rate.
Solving for n:
(1 - b)^n <= 1 - c
n ln (1 - b) <= ln (1 - c)
n >= (ln (1 - c))/(ln (1 - b))
One small discrepancy in this calculation is that b is the percentage of ballots to be cast (not verified) which are bad, and these inequalities assume that b is the percentage of printed ballots (which includes verified and castable ballots). That's not too hard to correct for, but gets much messier. I'm not sure there's a closed-form solution.
So, plug in some numbers. Assume that one million ballots are cast, and it's considered possible that the closest race will be decided by, say, 100 votes, or 0.01% of the ballots. Using my choice of c=.99:
n >= ln (1-0.99) / ln (1-0.0001) = ln 0.01 / ln 0.9999 = 46,049.4
So, for such an election, we really only need to print 1,046,050 ballots and the candidates only need to randomly verify 46,050 of them. A 10% confidence level would require only 1,054 to be verified. Well, due to the discrepancy noted above, you need slightly higher numbers, but not much.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Finally a system that is reasuring! Surely other parts of the world will try this method?
As long as the votes are stored in a computer, they can be easily manipulated at various points in the chain. Sure digital data can be very secure. In banking we make sure everything adds up correctly. But that's because if it's not, you are going to get a phone call from one of the two people involved in the transaction. "Why is there $600 less in my checking account?"
Actually, they can't be modified without invalidating the commitments generated *before* the election. As far as I can tell the commitments are secure HMACs (keyed hashes) of the initial data tables before the election to ensure that the permutation for the top and bottom ballot pieces are not changed afterward. The only place where data manipulation can occur is at the point where the voter chooses P3 in the system. If this value is recorded incorrectly, it must be detected by the voter looking the vote up online. The key insight is that with each additional voter checking his or her result online, the probability of being able to change a vote undetected drops exponentially, eventually becoming zero if more voters check their vote than n-k, where n is the total number of voters and k is the number of modified votes.
In public key cryptography, the asymmetric algorithm is slow and bulky (RSA, ElGamal); so it is not used on the message. Instead, a unique, random AES key is generated and used as a one-time pad to encrypt the message with. (Further, AES is applied in an intelligent way; ECB just goes block by block, but AES uses a method that uses the previous block to encode the current block and then encrypts the result. Because of this, the statistical properties are hidden).
Support my political activism on Patreon.
Hmm. The Wikipedia article I read a couple years back said it was a key used only once to encrypt a message.. although it was a lot shorter than the current one too.
Support my political activism on Patreon.
http://theory.csail.mit.edu/~rivest/Rivest-TheThre eBallotVotingSystem.pdf
Rivest, the R of RSA, came out with this a couple months ago. I think he covered pretty much all the attacks on an election. I need to think about this punchscan thing some more, but it feels like it's missing something.
Start Running Better Polls
My Mailclad scheme that uses unbreakable random numbers ready does this, but THIS was a very reason many critics have shot it down.
Apparently one of the requirments critics have said is that you should not be able to show or prove who you voted for.
The argument goes that an employier or union or organization, might demand to see who you voted for, and pressure people to vote one way or another.
Yes I know, the Mailclad aglorythem hasn't been open to the public.
Anyhow at this point I have decided to opensource and publish everything for the MailClad scheme on the site soon.
It had become very apparent, that Voting machine companies are not interesting in low cost, hacker proof schemes.
So any hope for adoption is going to be by opening it on sourceforge.
John
I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso
Nope. It wouldn't catch the case where the machine was programmed to work correctly on every day except election day.
Such behavior could definitely happen in the case of deliberate fraud, but it could also happen accidentally... I know I have released programs with bugs where the bug's symptoms only showed up after a certain date.
It also wouldn't catch bugs that happen only once in every 10,000 tries, or bugs that occur in other situations that your test didn't cover. (e.g. bugs that occur only when the election is held in a county whose name is more than 20 characters long)
I don't care if it's 90,000 hectares. That lake was not my doing.
Do you have a cite for that? I had never heard that before. And is this a federal law, or state?
Glad you asked. I thought it was a federal law so I googled. While I didn't find a reference to a federal law that required employers to give tyme off to employees so they can vote, I did find this that states that 30 states have such laws:
The good news is that while there are many things that could go wrong that is out of our control this Election Day, this is a problem that ordinary citizens can fix. Thirty states have laws giving workers the right to take time off to vote. For example, Illinois voters are entitled to two hours leave, Minnesota voters can take election morning off to vote, and Ohio voters cannot be fired or penalized for taking a reasonable amount of time off to vote. But to take time off to vote, many states require voters to notify their employers in advance. West Virginia requires three days notice in writing, California requires two days notice and voters in Illinois and Wisconsin must apply for leave at some point before Election Day.
FalconShould there be a Law?
Hmm... an ink-and-paper system that employs destroying one copy of the ballot and assuring me that my copy doesn't prove a thing?
The guys at Enron would have loved this approach.
Aside from the high-school-quality demonstration, (nice handwriting... NOT) the guys have a point; a system based on forensic-reliable data (ink on paper) that can be machine-readable and provides a "receipt" to the voter for verification at a later time.
The idea of splitting the form, where only the two "layers" of the ballot together provide an indication of the actual vote, is a quality idea. Encrypted links for ballot-to-voter data? Brilliant. It's already out there and it's name is PGP. It's already open-source and it's well established. (the "serial number" is also a no-brainer, use my SSN) None of that addresses the issue of how our votes are physically counted.
Despite the elegance of the concept and the seemingly extensive explanations in the FAQ, it's apparent they didn't think this through. The evidence is right there in the first question.
So... does "briefly" mean the-following-statement-shall-employ-brevity, or does it modify the "yes!" answer? To wit, did they just tell us that we DO have to trust in a black-box system, but only for a brief moment? I think the Diebold study at Princeton proved to all of us that it doesn't take that long for our collective trust to be betrayed.
Also from the FAQ...
Is that so? If the one half of the ballot, the "key" that can indicate the vote, is destroyed, how can the results be re-tallied? As I see it, any "deliberate cheating" would taint the count, the ballot's "shredded half" already eliminates any possibility of a re-count, and a re-vote (or concession/state-arbitration) is eminently necessary. This answer is bogus.
While we're at it, where is the demonstration of this "transparent" software and hardware? I can tell you this, if any part of the system relies on electronic storage to present ballot items or candidates to the voter, it is succeptible to fraud. (my emphasis)
In this context, the definition of "transparent" would have to be thus:
An apparatus that, in its full and complete capacity...
Add to this the idea that each "receipt" will consist of forensic marking, indicating the individual ballot choices, and encrypted to the individual voter by a unique geometric shape. (the cut-out on the top "layer" of the ballot) If you're wondering which shapes to use... I suggest a 4x4 square grid with specific patterns cut-out... think "Tetris". Consider the variations in those shapes, multiplied by the number of items and candidates on any particular ballot, and you have a sufficiently encrypted system.
If we want to take this to the next level, (i.e., to address the potential for corruption within the various Election Committees) we would take a page from our god-fearing Founding Fathers. A sort of "tribunal" of authenticity.
Voting machines would NOT come from just one maker. The "core" of the voting machine would include components from no-less-than three technology ma
This post © Copyrite Duggeek, all rights reversed.
Dude, you're *seriously* misunderstanding the idea of a one time pad. A one time pad is not generated algorithmically (e.g. generate a pad of binary nonsense by flipping a fair coin) and is thus not breakable because the number of possible values it is limited only by the number of bits in the stream. What you're describing is a particular class of stream cipher. It is breakable because the number of possible values is limited by the number of bits in the key used to generate the stream. A real OTP cipher cannot be broken simply because any ciphertext of length N can map to any plaintext of length N with equal probability. This is not true for the schemes you described.
An interesting anagram of "BANACH TARSKI" is "BANACH TARSKI BANACH TARSKI"
Thats why you audit the source code.
Its not like the source is overly complex either. It just records which candidate was voted for.
Well I'm remembering various Guardian articles, so I can't draw any citations up at will. "Inside BOSS" by Gordon Winter, an ex South African Intelligence officer, does make the claim that MI5 did use this tactic to find out the name of every Communist voter.
They can't see from your receipt who you voted for though. All you can lookup is whether the left or the right box was counted in the tallying. If your box asks you which one was the candidate you were supposed to vote for you can lie and tell him it's the one you colored.
In other words, RTFA.
and
Notice the difference between these two. They are both individual decisions, but one was just a poor choice of words (Diebold's comments). Yet, and ironically, you give more credence to the Diebold comment when nothing was actually done.
Regarding the big thing that is happening is the liberalization of voting rules.
From the opinion piece:
Ed Barbar, President and General Manager, Furnit USA
Officials there purged tens of thousands of eligible voters from the rolls, neglected to process registration cards generated by Democratic voter drives, shortchanged Democratic precincts when they allocated voting machines and illegally derailed a recount that could have given Kerry the presidency.
Oh, and the situation with the Diebold CEO wasn't a poor choice of words in the sense that he mis-worded his statement. Even Diebold went on record saying, "our CEO lets his personal beliefs influence his business decisions", and apologized.
So given all of those facts, how can you possibly rule out any wrongdoing? What you do know that nobody else does? And where do you get enough nerve to suggest that two attempts to influence no more than 30 or 40 votes is a bigger problem than the 350,000 voters who were denied in Ohio? And I'm the "wacko"?
Choosing to turn a blind eye to certain facts and/or events doesn't mean they didn't happen. Notice how I fully acknowledge the two incidents you mentioned - be a man and do the same.
If by consistent within ballot you mean, for example, Republican is always the third choice listed (let's say), then that degrades the security of the ballot. If someone knows the position of even one Republican candidate on your ballot, then they can deduce the remainder of the ballot (at least as far as Republicans are concerned--so they know, by looking at your receipt, when you did or did not vote Republican).
But, it remains the case that even with an internally consistent ballot you will have selections such as...
Choice List:
Democrat Candidate
Libertarian Candidate
Republican Candidate
Socialist Candidate
Response List:
Libertarian Republican Democrat Socialist
By nature of the design, there must be a disconnect between the ordering of the choices and the ordering of the responses. This is one of the obscuring factors. Even if this odd mapping is kept consistent within ballot, it is inherently effortful and non-intuitive and certainly will produce errors. So, the system can guarantee votes were "counted-as-cast" but votes are a lot less likely to be "cast-as-intended."
The voters of Ohio delivered Ohio to George Bush. What an amazingly sore loser you are.
Ed Barbar, President and General Manager, Furnit USA
Like I said, I wish I lived in the fantasy world you call 'reality'.. but then again, does a caged animal have a good life, assuming it's never experienced life outside the cage? Nope (but the animal doesn't know that).
Have fun in your cage.
Auditing the source code doesn't guarantee anything, because there is no way for you to know whether the machines at the polling centers are running the same program you audited, and running it correctly.
It would be very easy to show the auditors one version of the source code but actually install a different version. Hashcode checks and the like don't help either, because they can easily be faked. And even if you do get the expected object code loaded in to the machine, there's no guarantee that the compiler wasn't hacked to add back-doors to the generated object code, and no guarantee that the hardware itself doesn't have back doors, bugs, or other "special hidden features" in it.
I don't care if it's 90,000 hectares. That lake was not my doing.
One would assume that if ballots are randomized, they do not know "the position of even one Republican candidate." What you're saying here is, if they know something about the order of the ballot, they can deduce the order of the ballot. Wow, nice insight. The whole point is that the order is randomized. If it's randomized between ballots, I don't see how they could know anything about the vote on that particular ballot. All they would see, if the person votes consistantly for the same party, is, "A A A A", or "B B B B". They still have no idea what that means, and thus can't see whether they voted Republican or Democrat or whatever. All they know is that the person voted for the same party in each section.
So... maybe I just don't understand your point.
The problem is "I need to be able to have faith my ballot was counted properly, while being unable to prove to anyone (or have proven by anyone) that I voted a particular way".
You have solved nothing.
You have read nothing. If you actually read the material on the site you would realize that the protocol for counting the full result totals are also much more reliably done with this system, because the total counts become public information, rather than becoming proprietary counts held hostage in hackable memory cards, or suspicious central tabulators.
Let me aquaint you with a little friend of mine. He's called Mr. MD5. ;)
Cryptography is not one of my fields of study, nor is computer engineering. Now, you take John Q. Public who can do email and some web surfing, and try to explain cryptography and electronic auditing and hacking, etc. Chances are they won't understand this whole process either.
And that, my friend, is where the problem lies. The process of casting and tabulating votes MUST be as transparent as possible. Your point about auditing software:
Tell that to the auto mechanic at the corner service station. "Hey Jack, you want to make sure your vote was counted right? Go take some classes at the community college before the next election!"
It should not take a math degree or experience in cryptography to be able to verify the vote. For the love of all that is good, we're simply counting votes here, it's a very easy process to do with a minimum of overhead. Excruciatingly important that it is done correctly, but so incredibly easy to do at the same time. I, or any member of the public, should be able to watch the counting process and not have any question whatsoever about the choice made on each and every ballot.
You make a true statement. That is why there are observers who watch the counting taking place, one from each party to prevent this sort of thing. Each observer is there to prevent these mistakes. You have, in essence, three people counting one ballot. A representative from each party cannot watch a machine count the votes, hell NOBODY can watch the machine count the votes. It's all bits inside a sealed box.
Like I said, I read the site, and couldn't figure it out. Maybe if I read it again and studied it, I might grasp it. But for counting votes, is this much complexity really needed?
Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
And what exactly is going to be running Mr. MD5? Are you going to trust the very voting machine you are trying to test, to run an honest MD5 hash for you, and honestly tell you whether it has been compromised? How would you know whether the machine is actually running the MD5 algorithm, and not simply printing out the "correct" result values that you expected to see?
It's like asking a compulsive liar if they are telling the truth... of course they are going to say yes, but that doesn't mean that they are honest, it only means that they are willing to lie about their honesty also.
I don't care if it's 90,000 hectares. That lake was not my doing.
What a wonderful election! Two more years and we won't have to deal with ANY Republicans with any sort of power.. can't wait. Unless, of course, they rig the election again..
So the bottom half would be the same for everybody, a completely empty sheet, maybe with some markers on them for lining up the sheets.
It would just become very important to destroy the correct half, or everybody could see your vote. And you know people are going to mess that up
You want to list the candidates on the wall, with numbers, then on the ballot link the number to another number, and list those last ones in the holes?
That's a mistake waiting to happen, lots of people are not very good with numbers. If you don't bring in that second set of numbers, one of the two halves will be the same for everybody. If you print the numbers next to the holes all bottom halves would be the same, if you print the numbers in the holes, the top-halfs would be the same.
So the bottom half would be the same for everybody, a completely empty sheet
No, the bottom half would have numbers (or letters, or whatever symbols you like), shifted.
It would just become very important to destroy the correct half, or everybody could see your vote.
Doh! You're absolutely right. Scratch that idea, it was stupid.
You want to list the candidates on the wall, with numbers, then on the ballot link the number to another number, and list those last ones in the holes?
No, I didn't mean to add a second set of numbers that the voter would have to care about.
Still, my suggestion wouldn't work. The approach defined by the paper is the right one... each ballot with a list of candidates' names and a number by each, then a corresponding number in the hole (on the bottom sheet). And perhaps letters would be better. A two-letter code would be enough for all 275 candidates, and might be easier for people than numbers.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
What, the Dems didn't rig this election with their press buddies? Come on, they dont' actually stand for anything.
Ed Barbar, President and General Manager, Furnit USA
News flash: if the press misreports the result of an election, it doesn't actually change the result. It just means that people are misinformed for a short period of time.
The press isn't capable of "rigging" an election unless they use the same method the Republicans use.