Schneier On Self-Enforcing Protocols

Hollow Being writes "In an essay posted to Threatpost, Bruce Schneier makes the argument that self-enforcing protocols are better suited to security and problem-solving. From the article: 'Self-enforcing protocols are safer than other types because participants don't gain an advantage from cheating. Modern voting systems are rife with the potential for cheating, but an open show of hands in a room — one that everyone in the room can count for himself — is self-enforcing. On the other hand, there's no secret ballot, late voters are potentially subjected to coercion, and it doesn't scale well to large elections. But there are mathematical election protocols that have self-enforcing properties, and some cryptographers have suggested their use in elections.'"

You need trust

[sopssa]

Like everything else, both self-enforcing 'protocols' and someone in between, say paypal, rely on trust from people. It also relies on the fact that businesses will take a major hit when someone says something bad about them or if they fraud. This is exactly the same with laws. You cant enforce it, but you can make consequences for breaking laws bad enough so people dont want to break them.

In high school I was teached that every happy customer tells about their good experience to 3-4 people, but every unhappy customer tells about it to 20 people. It's a great advice. Once the bad word gets out, your sales are going to suck and you lose customers. This is also why you need the trust and good name with self-enforcing protocols if not using middle man like paypal.

This can also be seen on webmasters forums and the like. People have certain amount of trust points according to their past and who they've done business with. You can instantly see who is reliable and who you can do business with.

Problem without using third party is that you cannot get to that trust level as newcomer and that it takes time to work it. When there's someone trusted in the middle of the transaction, you have some guarantee that you wont be cheated (or lose your personal details etc to whatever kind of fraud). In this case the trustful middlehand is good.

So it only works if the other party is big enough. When voting, you rely on trusting the goverment (now this sentence is so gonna get some paranoid persons replying :). If not, you need a middle party that is big enough that you can trust them instead.

As a side note, this is why we still rely on banks and even on our cash - We trust that our money on our bank accounts will still be available to us, and that our $10 bills wont just suddenly become worthless.

Re:You need trust

"In high school I was teached..." ...not a lot-o spell'in?

Re:You need trust

[maxwell+demon]

Butt the spelling chequer tails me that theirs know miss take.

Re:You need trust

For commercial stuff that's probably true but elections are a different story. There were problems in 2000 and 2004, but convincing people that its true is almost impossible because there are no neutral parties and a secret ballot injects enough uncertainty to set up plausibility for both sides.

Re:You need trust

[eoin_tbo]

In high school I was teached that every happy customer tells about their good experience to 3-4 people, but every unhappy customer tells about it to 20 people.

Were you teached to wrote english too? Self limiting protocols are useful only for small scale solutions when it is reasonably possible to validate the results (are you going to be able to review the votes of 1,000 plus voters in a useful timescale) and where there is no penalty to having decisions an actors decisions being public knowledge.

Re:You need trust

[Ann+Coulter]

Self-enforcing protocol participants do not require the level of trust that are required of impartial middle-men. One way of looking at self-enforcing protocols is to think of the protocol itself as serving the role of a middle-man. The protocol can be scrutinized more thoroughly than any self-serving middle-man and a higher level of trust can be placed on the protocol.

Re:You need trust

[cellurl]

We use AARP (essentially) as our Big-middle-party. They do a reasonable job. Kick out the machines and expand the role of these wonderful honorable people. Expand their role throughout voting, not just at the voting-desk, but in transferring the votes and publishing the results. I want to see an old couple announcing the winner to CNN.

Re:You need trust

Were you teached to wrote english too?

and where there is no penalty to having decisions an actors decisions being public knowledge.

Hypocrite.

Re:You need trust

[Dishevel]

The problems with the system itself are minor. The real problem is not the hardware but the system itself. It dose not matter who you vote for. The politicians are representing either big business and the rich or trial lawyers and unions. After they are done serving those masters they move on to what is important to them. Pointless junkets in G5s. Either way the people are meant to be screwed.

Re:You need trust

[Millennium]

The facet mains, there is is no prostitute for care full proof reading. /with apologies to Taylot Mali

Re:You need trust

[nedlohs]

Please resubmit your comment in Swedish so we can make fun of your non-native language errors too.

Should be great since your English was worse than the post you were criticizing.

Re:You need trust

[eoin_tbo]

"Vere-a yuoo teeched tu vrute-a ingleesh tuu? Selff leemiting prutuculs ere-a useffool oonly fur smell scele-a sulooshuns vhee it is reesunebly pusseeble-a tu feleedete-a zee resoolts (ere-a yuoo gueeng tu be-a eble-a tu refeeoo zee futes ooff 1,000 ploos futers in a useffool teemescele-a) und vhere-a zeere-a is nu penelty tu hefeeng deceesiuns un ecturs deceesiuns beeeng poobleec knooledge-a."

I guess my comment came off an overly snarky and non-constructive (like all nitpicking comments are) and sorry for that.

It was more that it was a mistake in a sentence about what was learned in high school.
How do you know the original poster isn't a native speaker?

Re:You need trust

[maxwell+demon]

The politicians are representing either big business and the rich or trial lawyers and unions.

The problem is actually the American spelling. Since the American spelling of "cheque" is "check", the politicians simply misunderstand the term "checks and balances" (where "balance" is interpreted as "balance of the bank account", of course).

Re:You need trust

[nedlohs]

I guessed based on the language error being a common one for non-native speakers (and children) of applying a generic rule in a case that has an exception (my five year old does it all the time, it's how he learns the exceptions).

Reinforced by: http://slashdot.org/comments.pl?sid=1330393&cid=29001275

I don't actually know of course.

Re:You need trust

Schneier uses Linux and cannot be trusted. This is all that needs to be said, the entire article is invalid.

Re:You need trust

[maxwell+demon]

Schneier uses Linux and cannot be trusted. This is all that needs to be said, the entire article is invalid.

Parent is Anonymous Coward and cannot be trusted. This is all that needs to be said, the entire comment is invalid.

Re:You need trust

The Robinson Voting Method is the simple solution to ALL voting fraud, and gives complete anonymity to all voters. Which is vital in the modern 'politically correct' climate.

http://paul-robinson.us/index.php?blog=5&title=the_robinson_method_a_really_simple_way_&more=1&c=1&tb=1&pb=1

Re:You need trust

[SleepingWaterBear]

Self limiting protocols are useful only for small scale solutions when it is reasonably possible to validate the results (are you going to be able to review the votes of 1,000 plus voters in a useful timescale)

This idea seems to come out of nowhere and with no justification other than that the most naive possible method of scaling one particular protocol up doesn't work well. There is no fundamental reason that a well designed self enforcing protocol can't scale very well. As a simple example, let voters gather in groups of 100 or so and tally their votes. Then send someone to report the votes to a larger group (this can happen multiple times to allow for exponential scaling), and make sure the report is publicized (in a local newspaper or on a website designed for the purpose) so that voters can confirm the numbers were reported right. By spreading the work over many people no one person has to do an excessive amount of work, regardless of the number of voters.

Anonymity is a little trickier to do efficiently, but here's the first idea that comes to mind. Gather your 100 voters in a room with a vote count visible to everyone, and give each voter a private terminal. In a random order ask each voter to make a choice, then to confirm the updated count. Each voter will know his own vote was counted correctly. If 100 voters doesn't seem like enough to ensure anonymity you can use a larger group.

Obviously there are all sorts of flaws with the plans above, but with proper time to work through the details a workable plan of some sort exists. Just because you don't know a solution to a problem doesn't mean that someone actually willing to think can't come up with one.

Re:You need trust

[ShieldW0lf]

I have been thinking on this subject for quite some time. My concept:

Every person in the country has the right to introduce a bill, or a plan, or a budget.

Every person in the country has the right to vote on every individual bill, plan or budget.

Every person in the country has the right to choose a representative to speak for them. Not just from a list of politicians on a piece of paper. They have the right to choose any citizen they wish to speak for them.

Every person in the country has the right to revoke their choice of representative at any time. Not just at a regular interval measured in years, but instantly, the very moment they realize that this person does not share their vision of how the system should operate.

Every vote, by every person, is public information. No secret ballot. It's just as public as if you were a Roman citizen, raising your hand to vote in the Colosseum in full sight of your peers.

This system will allow us to recreate the current conditions if we wish. We can choose to assemble ourselves into rigid vertically managed hierarchical structures if we see the justification, such as if we are under threat.

However, it would also allow us to gracefully decentralize our decision making without the need for revolution.

Power could flow in to the middle or out to the edges as the population saw fit, rather than our current structure, which ensures that there is an absolute authority running the show, even if we don't want or agree with such a hierarchy.

I'm still working on designing the infrastructure.

Re:You need trust

[Ironica]

Like everything else, both self-enforcing 'protocols' and someone in between, say paypal, rely on trust from people.

No, they don't... that's the whole point.

A self-enforcing protocol is one which arranges the decision-making in such a way as to make the "fair" choice also the one that suits the individual decision-maker's self-interest. You don't even have to "trust" that they won't act AGAINST their interest, since if they do, you come out ahead. A properly-constructed self-enforcing protocol removes the trust issue entirely.

It's sort of like the inverse of the Prisoner's Dilemma. Quite elegant.

Re:You need trust

[dna_(c)(tm)(r)]

in so Viet rue see yeah, spelt thing Czechs u!

Re:You need trust

[Mister+Whirly]

Now, just try to schedule the time where every citizen in the US can attend simultaneously to vote. I am free next Tuesday if that helps.

Re:You need trust

[Mister+Whirly]

Schneier uses Linux and cannot be trusted. This is all that needs to be said, the entire article is invalid.

I am not an AC so that must validate the statement??

Re:You need trust

[Nerdposeur]

I'm still working on designing the infrastructure.

Sounds beautiful. Good luck.

Re:You need trust

[harl]

This is exactly the same with laws. You cant enforce it, but you can make consequences for breaking laws bad enough so people dont want to break them.

So places that have the death penalty for murder have no murder?

That's just not true. Laws don't prevent they only punish.

Re:You need trust

[harl]

Problem without using third party is that you cannot get to that trust level as newcomer and that it takes time to work it. When there's someone trusted in the middle of the transaction, you have some guarantee that you wont be cheated (or lose your personal details etc to whatever kind of fraud). In this case the trustful middlehand is good.

Wow you missed the whole point of the article.

In the cut and choose example does it fail because it has no trusted middle man?

What about the problem of middle men going rogue or being compromised? The whole idea is centered around making the middle man obsolete for exactly this reason.

Re:You need trust

Since the correct spelling of "cheque" is "check",

There. Fixed that for you.

Re:You need trust

Whooshity whoos!

Re:You need trust

[Ann+Coulter]

You just made a converse error.

Re:You need trust

Only he who hates your freedom demands to know how you voted.

Re:You need trust

[geekgirlandrea]

(are you going to be able to review the votes of 1,000 plus voters in a useful timescale)

No, but the if the results are public, only one person has to be paying attention to point out a problem to everyone else.

and where there is no penalty to having decisions an actors decisions being public knowledge.

That isn't how the voting protocols in question work, though. They preserve ballot secrecy. The main problems with them are making sure the tabulating authority doesn't add any extra fake voters to the election and vote their keys itself (which is why the complete list of who voted gets released, but not their votes), and that it makes it much easier for people to sell their votes.

Re:You need trust

[snookums]

Hi Paul!

The reason nobody comments on your voting system is firstly because it's trying to solve problems that don't exist. Counting the votes at one polling place is not an onerous task, and election rigging is far more likely to happen by bribing the returning officers at a polling place, or preventing/intimidating people out of voting than by someone messing with the votes themselves.

Also your long-winded justification skims over critical flaws like token forgery. For instance at one point you suggest using 1c pieces as voting tokens. Sure this might be convenient, but having a metal detector tuned to detect the smuggling of a single penny would necessitate voters taking off all shoes, belts, and jewelry, leaving their wallets with an official and all kinds of other nonsense. You do irreversible harm to your credibility by suggesting something so ridiculous.

Your system is also impractical for many real-world elections that have preferential voting and dozens or hundreds of candidate. Think about the European Parliament elections, or here in Australia where we have a preferential voting, and senate elections can have close to 100 candidates on one ballot paper (I'm not saying this is a good thing, but it's just the way things are). Your system would be completely useless in these cases.

As far as I know, all jurisdictions in Australia use good old-fashioned "put a 1 in the box" paper ballots, hand counted. Sure, we have less than 10% of the population of the USA, but vote counting uses a divide-and-conquer method so this is not really meaningful (and you have more people available to count!)

We also have compulsory voting, so if you don't show up at a poling place, the government sends you a letter asking you to explain yourself or be fined. If a lot of people write back saying "my boss wouldn't let me out of work" (unlikely since all elections are on Saturdays), or "the police set up road-blocks and carried out 3 hour 'safety' inspections on everyone's car" then this can be investigated.

Re:You need trust

[jellybear]

Like laws, good spelling cannot be enforced. We just need to punish him so he doesn't do it again. Mod points?

Re:You need trust

Hang on - I invented that. I think I posted it either here or on Reddit...

Re:You need trust

[tenco]

This is exactly the same with laws. You cant enforce it, but you can make consequences for breaking laws bad enough so people dont want to break them.

What about making sensible laws?

Why?

[mets501]

After reading that, I was left with the feeling that I had no idea what I had read it for. Was it a call to arms? Was it a rant about our whole world? It seemed to offer more problems than solutions...

Re:Why?

I found it very interesting.

That being said however, it is hard to see how it would apply in the "real world." While it is an elegant solution in a few niche situations my tiny little brain struggles to find situations where you can apply it directly to IT. He talked about voting but didn't really suggest how it could be made to work.

Re:Why?

[radtea]

It seemed to offer more problems than solutions...

The "problem" is that the system of American government is fundamentally broken due to partisan capture: the government represents the Party, not the people.

Unfortunately, the solution is not to be found in messing with the voting system, and certainly not my messing with it in ways that make it more complex. Most developed nations have very relatively simple, robust voting systems that have very plain, simple, paper ballots that may--but are not always--machine counted.

Only in America is the smoke-and-mirrors of electronic voting given so much press, which is just part of the huge machinery of distraction from the elephant in the room: the Party controls the government. That the Party has two wings that go under different names is another big distraction. It lets Americans believe they aren't living in a one party state, but has no other effect.

The solution, if there is one, is to systematically de-Partisanize the American voting system, starting by eliminating the ridiculous and unseemly involvement of the Party in voter registration, which should be handled by an arms-length public organization.

It will be extremely difficult for this to happen, but a campaign to make it happen, like the campaign against gerrymandering, would at least put the fact of Partisan unity front-and-centre in what passes for American political discourse.

Re:Why?

[dk90406]

It was merely an analysis and introduction to self enforcing protocols - protocols that make cheating difficult. Bruce often writes such pieces on security related matters. As a security expert, he covers all aspects: IT, civil, banking, etc. of security and the psychological mechanisms behind the perception of security and risk.
He publishes the newsletter CRYPTO-GRAM once a month, that contain some good pieces. You can subscribe if you wish.
And he is one of the few who, IMO, has the right take on the "security" upgrades done in the US / word after 9/11.

Yes, I admit it: I respect him, and have subscribed to the newsletter for years.

Re:Why?

[Attila+Dimedici]

I believe that you are overstating the degree of uniformity between the "Democratic" and "Republican" parties. However, I think there is significant merit in your idea of eliminating the involvement of political parties in voter registration.
I had never before noticed the connection between party politics and what I consider to be the largest flaw in current U.S. politics: the overemphasis on addressing problems at the highest level of government rather than at the lowest possible level of government. Party politics exacerbates this because the farther up the level of government a problem is addressed the more control the party machinery has over the nature of the "solution".

Re:Why?

[sys.stdout.write]

Ah, so that siren I heard earlier was from the waaambulance.

Everyone agrees that partisan politics in America is too strong, but your conclusion is so tinfoil-hat-worthy that it scarcely requires rebuttal.

Furthermore, your signature is asinine for several reasons, not the least of which is because you put the inequality going in the wrong direction.

Re:Why?

[mets501]

Furthermore, your signature is asinine for several reasons, not the least of which is because you put the inequality going in the wrong direction.

Check out p-values. "p" in this case is not a regular probability. The equality is in the correct direction.

Re:Why?

[mets501]

I don't agree that voter registration is unrelated to political parties. There are two points to campaigning: convince people to vote for your candidate, and then get the people who support you registered and to the polls. Voter registration is very important to our democracy (clearly), and I believe it only serves us better in the long run that we have political parties pushing so hard for it. Without the Democrats and Republicans, I'm fairly confident we'd have much lower voter registration and turnout.

Re:Why?

[maxume]

Even treating either of the Democratic Party or the Republican Party as a single monolithic block is a hilarious joke.

Much of the consensus building that is explicit in parliamentary systems with many parties is implicit in the platforms and eventual actions of the parties in the U.S.

Re:Why?

[TerranFury]

The voting system determines the rules of the game. And it turns out that the game is structured such that large parties play it best. How can you destroy parties without changing the game? Theirs is evidently the equilibrium strategy.

Re:Why?

[Orgasmatron]

I stopped reading CRYPTO-GRAM a few years back when he changed it from a newsletter to a list of links to his blog. It was not a good change, in my opinion, since his newsletter was a lot better written before the blog showed up.

Re:Why?

[tepples]

I had never before noticed the connection between party politics and what I consider to be the largest flaw in current U.S. politics: the overemphasis on addressing problems at the highest level of government rather than at the lowest possible level of government.

That's because the constitution explicitly specifies several things as within the Congress's domain. These include authors' exclusive rights, inventors' exclusive rights, highways (aka "post roads"), and bankruptcy.

Re:Why?

[Attila+Dimedici]

So, healthcare falls where in there? How about education?

Re:Why?

[sys.stdout.write]

Interesting! I retract my criticism of his signature (on that grounds). Thanks for the heads-up.

Re:Why?

[Ironica]

After reading that, I was left with the feeling that I had no idea what I had read it for. Was it a call to arms? Was it a rant about our whole world? It seemed to offer more problems than solutions...

I found it very interesting as a discussion of economics in the broader sense, where economics is the science of decision-making. Understanding what guides decisions in the aggregate is essential to creating systems (of government, commerce, transportation, whatever) that work.

Re:Why?

Can you perhaps provide some examples of these "arms-length public organizations" of which you speak?

Re:Why?

[tepples]

So, healthcare falls where in there? How about education?

Federal authority comes from support of interstate commerce, or taxation for general welfare.

Federal incentive comes from the fact that states compete to be the headquarters of businesses by lowering tax rates. In order to do this, they cut corners on programs that invest in their residents' welfare, such as healthcare and education, compared to neighboring states. Feds notice this and Congress enacts a program to ensure a baseline level of coverage across all states.

Re:Why?

[Attila+Dimedici]

You explain where Federal incentive comes from (not that it needs any besides pure power grab), but where in the Constitution is the Federal government given authority over education or healthcare. If you meant that the interstate commerce clause gives the Federal Government the authority, then you don't believe there are any limits on the power of the Federal government. And I think it is quite clearly a different reading of the Interstate Commerce clause than the one understood by the people who actually wrote it.

Re:Why?

[rjhubs]

Exactly. This is why it is almost impossible to have a viable 3rd party in the U.S. Our voting system is winner takes all. So even if you want a 3rd party to win.. your vote really means nothing if that party doesn't win, thus you are better off voting for one of the two big parties that kind of match your interests. If we had a different system, like if you get 30% of the vote you get 30% of the congressional seats, our party system would look very different. Of course that system has its own set of problems.

And getting rid of political parties altogether is impossible. How do you stop people from wanting to associate and form groups? The best option would be to just not list the party a candidate belongs to on the ballot.

Re:Why?

[david_thornley]

That's why I stopped reading the newsletter and started reading the blog directly.

Re:Why?

[radtea]

http://www.elections.ca/home.asp

Most countries in Europe and the Anglosphere have similar organizations.

Re:Why?

[tepples]

where in the Constitution is the Federal government given authority over education

"The Congress shall have Power To lay and collect Taxes, Duties, Imposts and Excises, to pay the Debts and provide for the common Defence and general Welfare of the United States."

Re:Why?

[radtea]

Even treating either of the Democratic Party or the Republican Party as a single monolithic block is a hilarious joke.

Hardly a joke, but rather an important insight.

The differences within the parties are larger than the differences between the parties.

This fact alone justifies treating the combination as a single Party, divided for convenience to create the appearance of a multi-party system where in fact there is a single class of oligarch/plutocrat who are divided on many issues... except who rules.

This is quite different from even moderately healthy parliamentary systems, where we have regional parties, special-interest (notably Labour) parties, etc. Those parties actually have to represent something vaguely resembling the interests of the people who vote for their members.

In the US, the Party represents the interests of the political class, who are divided in many ways, as much within the wings of the Party as between them. But however much they disagree on minor issues, they are united on all the ones that keep their class in power, notably gerrymandering and your crazy primary system.

Re:Why?

[plnix0]

Hardly a joke, but rather an important insight.

The differences within the parties are larger than the differences between the parties.

I agree. Here's an even greater insight: The differences between the people and the government are greater than the differences between the parties. This is true no matter what country you live in.

Re:Why?

[plnix0]

No, he's not overstating the uniformity between the Two Parties. The are united in their will to rule the rest of us. He is, however, understating the degree to which the United States are unique in this respect. Government everywhere is united against the people. A glance at recent events in Britain and the rest of Europe reveals as much.

Re:Why?

[plnix0]

So according to your political theory of America, the Constitution explicitly specifies several things as within the domain of Congress and implicitly specifies every other imaginable issue as within Congress's domain? I wonder, then, why did they bother to explicitly enumerate a list of things within Congress's power? Wouldn't it have been enough just to write the "general welfare clause" and "the interstate commerce clause" and head home, since their goal was to give all powers to Congress? They could have saved quite a bit of time that way, couldn't they? And all that paper wasted on printed copies of debates and printed copies of the Constitution and whatnot?

Re:Why?

[Attila+Dimedici]

So, the bit where it says

The powers not delegated to the United States by the Constitution, nor prohibited by it to the States, are reserved to the States respectively, or to the people

is just window dressing and it doesn't really mean anything? Since I can't see how by your interpretation of

provide for the common Defence and General Welfare of the United States

anything not explicitly prohibited by the Constitution is off limits to Congress.

Re:Schneier is a DOPER

My son had a friend at school that jumped off the roof because he thought he could fly - he'd been doing pot.

My friend has a school ... and I see right now that it jumps off his son, and it can fly! ... Sweet.

Show of hands not self-enforcing

[Spazmania]

The show of hands is not self-enforcing precisely because a non-secret ballot is subject to coercion. People vote their peers instead of their conscience.

Selecting a security protocol that adversely alters the results is a common mistake among information security personnel.

Re:Show of hands not self-enforcing

[UnHolier+than+ever]

No, a show of hands *is* self-enforcing *but* not secret, and therefore subject to coercion, which is why it is rarely used. The article alluded to the fact that there may be a self-enforcing, secret protocol, without going into details of what it could be. If it exists, it would be a good idea to use it. It would also have been a good idea to include it in the article....

Re:Show of hands not self-enforcing

Turn off the lights and give everyone dim, coloured glow sticks.

If you want to vote for someone you raise the appropriate glow stick.

More elaborate methods of letting people see your choice without seeing you could also be used.

Re:Show of hands not self-enforcing

[maxwell+demon]

More elaborate methods of letting people see your choice without seeing you could also be used.

You mean like, making a cross on paper and putting that paper in a box, and then counting afterwards?

Re:Show of hands not self-enforcing

[NickFortune]

The show of hands is not self-enforcing precisely because a non-secret ballot is subject to coercion. People vote their peers instead of their conscience.

Right. But if there is a true self enforcing protocol we can use, then we'd be fools not to use it. That's the interesting thing here. Can't comment further than that because TFA is ever so slightly slashdotted at the moment.

Still, at the risk of covering the same ground as in TFA, maybe it's time to consider the secret ballot in terms of a security trade off. What good is voter anonymity if it's impossible to demonstrate that the electoral process is fair? You just swap one means of disenfranchising the public with another one. Moreover, with method that's way harder to catch and punish.

Maybe we need to look past "secret ballots are good" and focus on why we consider them to be good, and on whether that good is being preserved under current systems.

Re:Show of hands not self-enforcing

[nedlohs]

Because bringing in additional glow sticks is much harder than sneaking extra ballots into a ballot box.

Re:Show of hands not self-enforcing

[Rogerborg]

A secret ballot is more subject to coercion, since you only have to coerce the people that count or report the result.

This, by the way, is why smart employees volunteer to take meeting minutes.

Re:Show of hands not self-enforcing

[DNS-and-BIND]

"open show of hands in a room one that everyone in the room can count for himself is self-enforcing"

Everyone can see the result! Coercion aside, the result is unfakable. Unless you have a Mao Zedong/Big Brother-type reality distortion where what the big man says, goes. Sort of the opposite of King Canute.

Re:Show of hands not self-enforcing

[Hurricane78]

Hmm... it's nice to be a natural leader. It means that people buy into your reality, and then vote/decide accordingly.
The point it, to yourself be the leader.

How to do it? Simple: Expect it (to be true).
Say it. Believe it.
Then a healthy human being usually tries everything to keep up that belief.
Which usually gives it a huge chance to then become true.
In psychology this is called the self-fulfilling prophecy. And it works on everything where you mainly have to change yourself.

Re:Show of hands not self-enforcing

[Tsunayoshi]

He wasn't referring to how people vote, but the fact that the # of votes is verifiable without the use of a 3rd party.

e.g. I just saw 14 hands go in the air for Proposition #15. It doesn't matter whether that was 14 people who actually want Prop #15 to pass, or whether it was 7 people who wanted it to pass who were holding a gun to the other 7, just that Prop #15 got 14 verifiable votes.

Re:Show of hands not self-enforcing

[CaptainOfSpray]

Here's some experience of "show of hands" votng.

It was widely used in trade unions in England in the 50's and 60's, typically in public meetings of all the members in a workplace. I heard of it both from a carpenter in the ship-building industry, a family friend; and from other insider reports on meetings in the car-making industry in Oxford, where I lived for a while. According to my sources, these meetings were often used to pass strike decisions of considerable financial importance to the members, but (a) you attended these meetings with your workmates, who saw how you voted, and made life hell if you didn't vote the Right Way (b) the committee appointed tallymen to count the hands - they reported whatever counts the committee had told them to report.

The result was the destruction of British industrial firms by self-centered self-appointed little dictatorial union leaders who werealways interested in making trouble, regardless of their member's interests. Vote them out? How? The elections were by "show of hands".

So "show of hands" voting is wide open to abuse if there are more people present than can be viewed and instantly counted by those present, or where those present are unable to challenge the count effectively.

Re:Show of hands not self-enforcing

Maybe we need to look past "secret ballots are good" and focus on why we consider them to be good, and on whether that good is being preserved under current systems.

Because there have been major problems with public voting in the past. For example, in the US we used to have full public voting. There were incidents where people were bullied, assaulted, and outright KILLED just for trying to go to the polls. We actually didn't start using secret voting in the US until the mid 1800's. The idea behind the secret ballot is to get more people to vote because they won't be retaliated against for their vote. So if the current systems encourage voter turnout and prevent violence at the polls, then yes they are performing their primary function.
Fraud has always been an issue, but if you can use threats to prevent a large percentage of people from voting at all, the result is the same as if you stuffed ballots- an election with results that do not match reality.

Re:Show of hands not self-enforcing

[maxwell+demon]

Wrong counting or reporting is in principle provable (just count again/compare the counted with the reported result). Voting against your actual opinion due to external pressure isn't.
Note that equally important as the secrecy of the votes is that everyone is allowed to watch the counting.

Re:Show of hands not self-enforcing

[Spazmania]

If the process corrupts the result before it's verified then it isn't self-enforcing it's self-defeating.

In the half-cutting protocol the desired result is a fair division. It doesn't matter if I cut the cake 50/50 or 75/25 because either way I get the slice that's fair. I might intentionally cut one slice a little smaller because it has more icing.

That isn't true in show-of-hands because the desired result of a vote is the majority opinion, not necessarily the popular opinion.

Re:Show of hands not self-enforcing

[u38cg]

The article is also available at his blog.

Re:Show of hands not self-enforcing

[LihTox]

(Note to moderators: this is not a troll but a valid if snarky point.)

Sure, except that you can't assess all the ballots at a glance; each person would have to count them, and that leaves too much room for shenanigans.

Here's my idea: gather all the voters in a room (or more practically, gather 50-100 voters in a room at one time). Give each voter one ball, and put any extra balls in a secure but visible location. The room is equipped with a set of plastic tubes, one for each candidate or choice; the tubes are initially uncovered to show they are empty, but are then covered with a curtain to conceal individuals' votes. One at a time, voters approach the open end of the tubes and place their ball in the appropriate tube. After all voters have gone through, pull off the curtain, and the higher column of balls signifies the winner of the election. The tubes are labelled so that the exact count can be read off the tubes, and the total number of votes can be compared with the number of people in the room; an overcount means the vote has to be done over again. The voters are given official cards showing their precinct, the date and time of the election, and the results (maybe via photograph?) These results can then be announced publicly and aggregated for larger elections.

It may be too slow or unwieldy to be practical, of course. The key elements, though, are that you have a small group of voters voting at one time, make the results clearly visible, and have the results immediately released to those voters so that the total can be compared with the number of people actually in the room, and so that the results can be later compared with official reports.

Here's another idea: have each voter include on their ballot a glyph of their own choice: it could be a number, a set of letters, a picture, whatever. When the 50-100 voters in the room have voted, shuffle the ballots and project them on a wall, one at a time, slowly enough so that people can count the voters. If a voter does not see their ballot after that process, then there has been a misvote and it has to be redone. Of course, cheaters might rely on the fact that voters will be annoyed by the wasted time of a revote, but there will be enough civic-minded individuals there (they wouldn't be voting at all if they didn't care about the process to some degree) to keep people honest.

Re:Show of hands not self-enforcing

[FutureDomain]

That is why Schneier is suggesting a self-enforcing protocol for counting votes. The secret ballot protects against coercion of the voters, but we currently have to rely on a trusted third party (the election officials) to count the votes, and they sometimes are not trustworthy. Self-enforcing protocols would eliminate the need for a trusted third party by making it self-defeating to cheat. I'd like to see some concrete implementations of how this would work, but I like the general idea.

Re:Show of hands not self-enforcing

[Tangent128]

If there are 120 people in the room, and 135 glow sticks are counted, then you know something's up, and can repeat the procedure until everybody plays along.

Re:Show of hands not self-enforcing

[AshtangiMan]

So we took a necessary, but less than optimal, step to solve an (at the time) immediate problem which is that people were bullied out of their vote, or into voting for someone they may not have voted for. I wonder if there reaches a point where society as a whole just won't stand for something. We are at that point with hijackers on planes (thinking of the plane that crashed into the ground on 9/11). Perhaps we are not yet at that point with letting the authorities bully the innocent ("Don't tase me bro", teargassing of peaceful protesters, Crowley arresting Gates for yelling at him and being an asshole), but presumably we will get there. I don't think there is any hope for us until we get to the point that we can easily and even proudly publicly state who we vote for as individuals. Until then we will get a less than optimal compromise that allows the corrupt to skew the results in their favor.

Re:Show of hands not self-enforcing

[Ironica]

Because bringing in additional glow sticks is much harder than sneaking extra ballots into a ballot box.

Make everyone walk in naked. Then collect all the glow sticks, and toss out any that are wet or sticky.

Re:Show of hands not self-enforcing

[nedlohs]

So voting is compulsory then.

Yes things are much simpler then, but the same applies to ballot boxes.

Re:Show of hands not self-enforcing

[Tangent128]

If you don't wish to vote (may seem foolish, but better the apathetic not vote than drown out the signal), just don't enter the room.

Re:Show of hands not self-enforcing

There have been times that I would have voted differently if I had to cast my ballot publicly in front of my family. (I have voted 3rd party out of desperation, and my family doesn't get that. They'd rather play the lesser-of-two-evils game.) The secret ballot is still important today, for all the reasons that it became important in the first place. I believe it's vital, you don't, and I think we'll just continue to disagree about it.

Re:Show of hands not self-enforcing

[Spazmania]

Congratulations, you've invented an even dumber form of voting than the IETF hum-poll.

http://en.allexperts.com/e/h/hu/hum_poll.htm

Re:Show of hands not self-enforcing

[Mesa+MIke]

Seems to me the traditional paper secret ballot is a good way to get a "show of hands" that anyone can verify without anyone knowing which hand belongs to whom.

Re:Show of hands not self-enforcing

[nedlohs]

Because there's only ever one thing being voted for.

Re:Show of hands not self-enforcing

[mdmkolbe]

This is probably why a motion for manual counting automatically passes once moved and seconded in many parliamentary rules.

Re:Show of hands not self-enforcing

[plnix0]

There's a separate room for every vote, with a waiting room right outside. Wouldn't election day be such a fun month?

Re:Show of hands not self-enforcing

[plnix0]

Of course, cheaters might rely on the fact that voters will be annoyed by the wasted time of a revote, but there will be enough civic-minded individuals there (they wouldn't be voting at all if they didn't care about the process to some degree) to keep people honest.

Actually, this is exactly the method (well, one of them) used to push committee decisions through party conventions in the United States, and presumably the people that make up the conventions at large are among the most civic-minded individuals in the county/state/country.

Re:Show of hands not self-enforcing

[plnix0]

True, but he'll have to work harder to come up with a voting system as stupid as that used at the "Jesus Seminar".

It will never fly

In America, political voting serves only to create the illusion of self-determination. Any system of voting that actually empowers the people, rather than merely seems to, will be rejected out-of-hand (often with the most transparent of reasons given).

Re:It will never fly

[Mister+Whirly]

Former Governor of Minnesota Jesse Ventura may disagree with you.

Re:Schneier is a DOPER

http://www.youtube.com/watch?v=ENmMtZaVvDk

Errrr, your suggestion is.....?

[drdrgivemethenews]

What is the proposed self-enforcing voting protocol? With no suggestion made, what is the interest of this article to the slashdot community?

Re:Errrr, your suggestion is.....?

[TehCable]

Mod parent up. TFA is obviously a stoner rant with no real proposal.

Re:Errrr, your suggestion is.....?

[Lord+Ender]

Regular readers of his blog would be aware of such methods. He regularly discusses papers and theories regarding security systems, including the security of voting machines.

Re:Errrr, your suggestion is.....?

Mod parent: +1 Funny because it's true.

Re:Errrr, your suggestion is.....?

[hey]

Maybe each voter could check the voters of three other people. That would scale.

Re:Errrr, your suggestion is.....?

[goodmanj]

It's more of a a teaching article, not a specific new proposal. Its goal is to describe an idea to people who're not familiar to it. Maybe you're an expert already, but I found it interesting.

Re:Errrr, your suggestion is.....?

What is the proposed self-enforcing voting protocol?

Karma points?

Re:Errrr, your suggestion is.....?

[Otto]

What is the proposed self-enforcing voting protocol?

Everybody in the same room makes a mark on a ballot, folds it, puts it in a box with an open top, so all can see it is not subject to being rigged, but still not see the actual votes. At the end, the votes are upended on the floor and everybody looks at them, and can count them themselves.

Less subject to coercion than a show of hands, still not perfect. However, it is self-enforcing, since all can see the results.

There's other ways as well, but the point is that everybody needs to know how the system works and to be able to follow all the votes all the way through the system to the final count for it to be self-enforcing.

Re:Errrr, your suggestion is.....?

[goodmanj]

At the end, the votes are upended on the floor and everybody looks at them, and can count them themselves.

...whereupon I stealthily pocket ballots that support my opponents, and mix in some extra pre-marked ballots for my candidate into the pile. If it still looks like I'm not going to win, I take a quick trip to the restroom to flush the evidence, and then accuse my opponent's supporters of ballot tampering. The whole operation dissolves into an inconclusive bloody fistfight, which serves my purpose just fine.

The only system I can see that works is one which relies on a ballot-counting authority whom everyone trusts, watched up by a system of non-counting observers from all sides.

Which is pretty much what we already do in the U.S.

Re:Errrr, your suggestion is.....?

Mod parent up. TFA is obviously a stoner rant with no real proposal.

Like, that's just your opinion, man.

Re:Errrr, your suggestion is.....?

[david_thornley]

The idea behind these protocols is that nobody has to trust a central authority.

That's how elections work. Officials do stuff in the full view of observers from all interested parties, and use assorted mechanical seals to make sure nobody tampers with stuff when it's not actively observed.

Not that this stops losers of close elections, or their supporters, from complaining.

In high school I was teached

[wiredog]

Not English, obviously...

Ok, we get it

You really want electronic voting. The problem is: We're not all mathematicians. We have to trust someone else that what we do to verify that the election hasn't been rigged is sufficient to reveal any fraud. Having to trust someone else is bad and unnecessary. There is a perfectly simple protocol which satisfies all requirements of a democratic vote: Paper ballots, ballot box, public counting.

Re:Ok, we get it

[maxwell+demon]

Maybe someone has a patent on it. "Method to collectively select an option from a list without revealing a single person's choice."

Re:Schneier is a DOPER

Actually, there recently were a few cases like that in Amsterdam, only with mushrooms instead of pot. Now, the 'shrooms are no longer legal.

Second language possibly

[tepples]

Not English, obviously...

I would wager that sopssa's English is better than your Geberquen.

Re:Schneier is a DOPER

[Thiez]

There was a single case. She was also drunk and depressed. Somehow the shrooms got blamed.

Article is Slashdotted, didn't read

Is Schneier familiar with the history of voting rights and threat and coercion in the USA? Voting is secret for a reason.

Isn't it part of the constitution

[Demonantis]

Doesn't the constitution allow the President to be impeached? Couldn't that be a form of self-enforcement? If you think the election has been coerced then protest to get the president removed. Unfortunately I don't think its ever clear cut who should win so you don't know when you have been cheated. Plus if there are totaling errors in a polling station aren't those votes considered tainted?

Re:Isn't it part of the constitution

[Tsunayoshi]

No, it is not self-enforcing. The Constitution is the 3rd party enforcement the agreement between the President and the people by providing a means for the people to get rid of him/her.

Re:Isn't it part of the constitution

So... If a candidate is clearly going to win, and I intentionally cheat/cause cheating on his behalf, I can accuse him cheating in the election and get him booted? Not all cheating is done by the candidate. Some is done by the relevant political party; some is done by other interested special interest groups. Then the excuse crops up: "well, it wouldn't have changed the results" and wrists get slapped, nothing more.

Voting needs to be transparent

[krappie]

Here is the solution to all voting problems.

Goals:
1. Confirm your vote is collected correctly.
2. Try to assure the people that no votes were added.
3. Don't hide results.
4. Keep votes anonymous.

Solution:
1. Keep a large public vote database.
2. Be able to Look up votes by voter id, county, polling location and time.
3. Keep large visible clock and voter count at each polling station. Every time a person goes into the voting room, the count goes up. Voter counts can be confirmed online. Maybe even in a graph over time.

The voter should be able to go online and see his own vote. Since every voter can see every vote counted up in every polling location in the country and know that everyone else can, they'll be assured of the results. If they're paranoid, they can watch their local polling station's voter count and confirm the published results don't have added votes.

Note: Maybe instead of voter id's, it should be a random confirmation code thats generated on the spot. That should be even more anonymous.

Problems: Some people actually vote for the wrong person on accident. That's unfortunate, but the solution isn't to hide it from them.
If vote online doesn't match your vote, have a dispute process. Keep track of dispute counts over time, for the public to see.

Re:Voting needs to be transparent

If you can confirm your vote, you can prove how you voter to others. This makes room for buying and extorting votes! I can imagine some employers requiring you to prove you voted correctly to keep your job.

Re:Voting needs to be transparent

[SanityInAnarchy]

Biggest problem with that is, it now becomes possible to sell votes. And this doesn't help:

Maybe instead of voter id's, it should be a random confirmation code thats generated on the spot.

And yet, that confirmation code could still be used for that purpose. About the only way to solve that would be to also generate a fake confirmation code, but then the transparency would be lost, because if the system can fool you into thinking your fake code was counted when it wasn't, couldn't it do the same with your real vote?

Re:Voting needs to be transparent

Only one problem here:

You're allowed to look up votes by polling site.

At the moment you go to your polling site, you're the only person there--quite common, especially if you go there during non-lunch business hours.

Right before you go in, a query on your precinct shows an n number of votes on every position.

Right after you put your ballot in the scanner, the positions you votes for now show n+1. As you walk out of the polling site, your boss calls you on your cell phone and tells you you're fired.

To accomplish this, your boss would have to be sitting in his car within eye shot of your polling site, armed with a laptop and cellular data plan, watching you enter and leave the polling site. Is this theory out there? Yes. But it _could be done_. ...which is why precinct results are kept in the precinct scanners until the polls close. I think there's even a state law that precincts with something like 100 voters can't publish their results--this way, a county elections supervisor with a grudge can't turn a single house into a 2-voter precinct.

Re:Voting needs to be transparent

[Orgasmatron]

The goal of anonymous voting is to make it pointless for people to buy votes. Getting a "confirmation code" and being able to check it later defeats that goal.

Re:Voting needs to be transparent

[Asic+Eng]

1. Keep a large public vote database.

Apart from the fact that you are restricting the goals to match the solution, I think this is another major flaw. You need to have a large accurate public vote database. There is no way for any citizen in any polling district to know all voters, so you can't be sure that a voter going in the polling station has a right to be there. Provided you can add entries in the database, you can have the same person voting multiple times in different locations using different names. If you have control of the polling station you can also wait for a quiet period and just add several phantom votes.

Re:Voting needs to be transparent

[LargeMythicalReptile]

If you can confirm your vote, you can prove how you voter to others. This makes room for buying and extorting votes! I can imagine some employers requiring you to prove you voted correctly to keep your job.

Or union bosses. Or the local political-organizing group slipping you some money in exchange for voting a certain way. Or even an unorganized gang of thugs trying to intimidate you (think a group of rednecks who suspect you might have voted Democratic, or a group of Berkeley hippies who suspect you might have voted for Prop 8).

But I disagree with your first sentence. It's certainly true about the scheme proposed by GP, but contrary to intuition, there are ways to confirm your vote without being able to prove how you voted to others.

Such voting systems typically use a "cut-and-choose" method in which your vote is split into two or more pieces, any one of which is useless for determining how someone voted, yet together create the full vote. The voter takes a copy of one of the pieces as a receipt and can verify that the piece was counted correctly. So if there are two pieces overall, someone trying to tamper with the votes would have a 50% chance of being caught for each vote tampered with, which quickly becomes negligible for any significant number of votes. Yet the voter can show the piece to others, and it doesn't give any information about how they voted.

Here (PDF) is one method for doing this, by David Chaum.
Here (PDF) is another (without cryptography!), by Ron Rivest.

The issues with these new systems seem to be usability, inertia, and public trust. Usability: Voting should be extremely simple for the voter. If Great-Grandma can't do it, it's not going to be our voting system.
Inertia: Current election systems seem to be "good enough" for most people; despite some agitated geeks and the occasional news story about voting machines being laughably insecure, there isn't a huge popular movement to change. (Cost of switching systems can also be included here.)
Public trust: Even if cryptographers agree that a system is secure, if the system involves a user experience any different from the familiar "check off from a list of names" protocol, they'll have to work to convince the lay public that it's ok.

Re:Voting needs to be transparent

I agree your system sounds pretty good, but I would add one thing - in addition to everything you have mentioned, there should be a time stamped receipt printout on protected paper (like with a holographic strip copyproofing type stuff that makes it too difficult and expensive to counterfeit en masse) that is a definitive copy of the voter's vote - it should have all information printed on it for reading as well as a bar graph or encoded image (like UPS uses) that can be scanned as well.

The reason I think this is necessary is because as long as the tally is only electronic it is still out of the control of the individual voter should something shady occur (even if it is watched and tracked). Even with all of the safeguards you metnioned, if a situation occurred where votes or totals were changed, even if everyone knew it happened, they wouldn;t be ble to do anything other than complain if they didn't have a hard copy backup, because they'd have no way to prove their vote....The most they could say is "No, I know I voted for so and so" and the buearocrats would say "but sir, the record shows you voted for so-and-so" - if they had their receipt they could show proof. It could then be scanned as well if necessary in the even of a recount.

Re:Voting needs to be transparent

[Alzheimers]

This article by Chaum is the one I always point to when people ask for a less technical explanation:

Re:Voting needs to be transparent

[Man+Eating+Duck]

The voter should be able to go online and see his own vote.

and

Maybe instead of voter id's, it should be a random confirmation code thats generated on the spot. That should be even more anonymous.

The problem with an individually verifiable vote is that you enable people to (be forced to) sell their vote. Any person with authority over voters (boss?) could make them demonstrate their choice. This is already happening in lots of places.

If vote online doesn't match your vote, have a dispute process.

Any possibility for dispute over a wrongly cast vote could also lead to people changing their minds, for instance to vote for the party placing second instead of the party placing fourth which they voted for originally. This of course assumes that you have more than one or two actual contenders. This system is used in some places to enable voters to "change their minds" if their original candidate didn't pan out, an example is the two-round system. Of course it only works if it is intended and everyone participates :)

The ideal system would probably be a perfect black box that everyone trusted and no one knew how worked. Since this is obviously impossible, I believe the best solution is the opposite of a black box where everyone could verify the mechanism in use (open source/hardware). Still you can't have individual accountability/dispute mechanisms because of the issues mentioned above.

I don't really know enough about cryptography, but the article mentions it as a possible voting control mechanism. Maybe it's possible to employ it to generate and publish cryptographically strong checksums or something like it from many levels of the counting, from a single voting station and upwards. This could enable anyone to inspect the system and know that the tally is correct by verifying checksums. Can anyone expand a bit on the details of how these protocols work?

Re:Voting needs to be transparent

[Man+Eating+Duck]

This article by Chaum is the one I always point to when people ask for a less technical explanation

Thanks for this one! Ingenious, understandable, and it completely destroys one of my arguments in another post :)
It still has the problems explained by your parent post, but it's probably a better choice than a paper trail on its own. People manage to mess up regular paper ballots as well, rendering them invalid or wrong.

Re:Voting needs to be transparent

[Threni]

> Any possibility for dispute over a wrongly cast vote could also lead to people changing their minds, for instance to vote for the party placing second instead of the party placing
> fourth which they voted for originally. This of course assumes that you have more than one or two actual contenders. This system is used in some places to enable voters to "change
> their minds" if their original candidate didn't pan out, an example is the two-round system. Of course it only works if it is intended and everyone participates :)

What's wrong with letting people change their mind? They have until the election closes to do so.

Re:Schneier is a DOPER

[Knuckles]

Actually, there recently were a few cases like that in Amsterdam, only with mushrooms instead of pot. Now, the 'shrooms are no longer legal.

And mushrooms != pot. Very much so. Also, note the sibling reply.

I think the point is...

[onionman]

What is the proposed self-enforcing voting protocol? With no suggestion made, what is the interest of this article to the slashdot community?

I think that the point of Bruce's blog entry is to give some simple examples to clarify cryptographically self-enforcing protocols. Concrete examples of these self-enforcing voting protocols already exist, but they are a bit too complicated for general consumption so Bruce is just giving us some simplified examples. However, I don't think we'll see Diebold rushing to implement them anytime soon.

Bruce Schneier once decrypted a box of AlphaBits.

[AP31R0N]

i don't mind people knowing where my vote went. If there is a document that says Alan voted for Bob, when we do the recount Alan can say "I voted for Bob, NOT DAN! Here's my receipt and here's your record showing me voting for Bob." But i'm not as afraid of Dan as most people seem to be. i'm more worried about my vote COUNTING than being private.

Re:Schneier is a DOPER

I've driven on shrooms and lived to tell about it, although only through luck. (We ran into drunken hostiles, panicked probably irrationally and fled). At one point I was approaching a stop-light and trying my damnedest to remember whether green meant Stop or Go. I looked in the mirror after driving 4 of us about 30 miles home and my pupils were still the size of olives.

We'd tried to be responsible (we picked a very remote spot by a river where we'd planned to spend the day), but it didn't work out. Shrooms are a nice way to realign annually or so, but they need to be handled in a very controlled environment. It's a shame that Amsterdam dumped them entirely - I didn't know that.

AC for obvious reasons.

One protocol

For electronic voting, an example of a self-enforcing protocol is one wherein the election results are defined by the collection of discrete voting records, each one cryptographically signed and published. A voter may only cast a vote if he has authenticated and is authorized as eligible to vote, after which he receives an anonymous token (e.g., via a blind signature scheme). The process of granting these anonymous tokens must be transparent and audited. These anonymous tokens are cryptographically bound to the signed voting records. Voting records may be generated on a device that runs an open architecture (firmware and software all open source). The voting device must be registered under transparent and audited circumstances. The device can cryptographically attest to its integrity at the time the vote is cast via the anonymous token (perhaps via something akin to a TPM chip).

Re:One protocol

[maxwell+demon]

And why should I trust the TPM chip of the voting machine?

Re:One protocol

[maraist]

Then you've replaced the paper ballot box with an electronic chip which can
A) be lost
B) be tampered with
C) be replaced with a pre-created chip
D) potentially have a virus which is injected into hub-machines
E) Hub machines can be hacked directly, assigning results independent of the authenticated chips (e.g. dictator just claims the vote count with no basis in reality)

Re:One protocol

[maraist]

The closest I can imagine to this type of system working is an online system.

State-hub has server with 32k individually certified SSL connections. (meaning a man on a phone types in a key on one end, and another man on the phone types it in on the other end - if the keys match, the SSL connection is 'certified').

Those hubs cascade out as needed until all voting centers are accounted for.

ALL votes, in real-time propagate up to the local hub, which send aggregate data + signatures to parent hubs.

A group of voters is group-signed with physical voter-ids as having voted, and anonymous data containing the tally of votes.

Participants are required to wait until at least 16/32 or however many participants have completed (and thus the batch is committed in the hub).
If there is a problem or voter-fraud, it's attended to there, the batch is invalidated (has a unique-id) and voting must resume (and legal proceedings begin).

All nodes keep full auditable records, and are cross-checked (local, printed barcode data, etc) against hub data. Several times (with paper data obviously taking a day or two to complete).

So here we have 3 simultaneous accounts of the vote. mater-data (only one that counts), site-data (on chip) and printed-data.

Even this still has several problems:

A) only semi-anonymous, you know that batch A had zero votes for candidate X, so you can infer that voter-Y voted a certain way (you of course don't store it, but the data is recorded and thus potentially hackable/exploitable)
B) The machine itself can change the physical vote, but at least you can verify/audit/investigate the number of warm bodies that voted.
C) You can DOS an election

Maddison Warned about this

[cs668]

in the federalist papers:

http://www.constitution.org/fed/federa10.htm

They thought about it, but free speech trumped the elimination of political parties. Always floors me how much foresight they had.

Re:Maddison Warned about this

[c0d3g33k]

Was it really foresight, or were they just dealing with the same issues mankind has been grappling with since we became sentient? I'll go out on a limb here, since I don't have hard evidence, but these writings were probably informed by *hindsight* more than prescience. Or to put it another way, the brilliant men and women we lump together with the term "founding fathers" were presenting solutions to problems that affected the society they were living in at the time, or societies from their past that happened to leave behind documentation about what worked and what failed.

Re:Maddison Warned about this

[dkleinsc]

One of the major massive flaw in Federalist #10 is that Madison didn't (and couldn't have) envisioned instantaneous communication across the country, so his entire argument that a majority faction couldn't succeed in organizing itself fell apart with the invention of the telegraph. Damn you, Samuel Morse!

Re:Maddison Warned about this

[misexistentialist]

Foresight is applied hindsight. Augury doesn't work. It's true that the Founders were dealing with obvious past problems, but they look like wizards compared to our current leadership, who apparently study history to faithfully repeat past mistakes, but making them even more grave if possible.

Re:Maddison Warned about this

[Alzheimers]

Actually, the difference between the founding fathers and the current state of politics is time frame.

When drafting documents like a constitution, they weren't trying to deal with issues on a 4-year election cycle -- they had to find solutions that would last for centuries. The current political atmosphere is one of a permanent campaign. If a senator thinks they stand a better chance of getting reelected if they delay on tough environmental or financial issues that won't hit critical mass for years, they won't think twice about it.

Anything that could potentially damage a candidate's reelection campaign is subject to compromise. Until something becomes a major issue (and even then, only if it's affecting THEIR voters), there isn't a chance in hell of getting a long-term solution.

falafel

[Inebriated_tyro]

Affirmative, Dave. I read you. I'm sorry, Dave. I'm afraid I can't do that. I think you know what the problem is just as well as I do.It can only be attributable to human error. This mission is too important for me to allow you to jeopardize it. I know I've made some very poor decisions recently, but I can give you my complete assurance that my work will be back to normal. I've still got the greatest enthusiasm and confidence in the mission. And I want to help you. Dave, this conversation can serve no purpose anymore. Goodbye.

Stated the obvious

[gurps_npc]

Yes, self-enforcing protocals are the best.

If you don't want players to attack other players in an online game, you don't yell at them for doing it, you have them damage themselves, not the players.

Similarly, if you want voting to be fair, you need to set up ways where it is OBVIOUS that the election is real.

But note, that the method mentioned her, raising your hand, allows people to know who you voted for. This allows for voter intimidation. You are just exchanging one form of fraud for another.

Re:Schneier is a DOPER

Stairs? Luxury!

We had to leap the 11 stories with the school on our back. But if you tell the kids today that, they won't believe you.

Re:Bruce Schneier once decrypted a box of AlphaBit

The trouble with non-anonymous voting is the fact that many people could be coerced into voting for Dan, or Bob.

@ OP, how does one confirm that the person disputing their vote is indeed the person that cast the vote?

Re:Bruce Schneier once decrypted a box of AlphaBit

[rjstanford]

And when your boss says, "By the way, if you vote for Dan, you get to keep your job - and I want to see your voting receipt to prove it, or out you go!"? That's one of the main reasons that we have private polling in the first place.

How about going back to the old ways - electronically generating, at the polling place, an anonymous, very clear, human-readable piece of paper describing your vote. Use machines to create as many as you want, one at a time, on special pieces of paper that are handed out either as you walk in the door and get IDd or upon the insertion of your previous one into a shredder. Once you're happy with it, it goes into the voting box which a) saves it, and b) scans it and records the data, unofficially (ie: the piece of paper wins in a recount).

Dead simple, totally private, and fully auditable. Plus, with an open standard, there could be different types of paper-generating-machines for people with different needs, no problem. No hanging chads, no huge expense, quick access to unofficial results and about as easy a recount procedure as you could ask for.

Finally, at the end of the day, do it the CA way and have the boxes opened up and tallied by hand for the major issue and a random selection of minor ones at each station. Anyone can watch, and any discrepancy over .1% of the total is assumed to be computer-tampering and triggers a full manual count for all issues at that station, and a more thorough audit to determine the source of the discrepancy.

Re:Bruce Schneier once decrypted a box of AlphaBit

[maxwell+demon]

i don't mind people knowing where my vote went.

If voting for the "wrong" party can get you severe disadvantages, you definitely care if someone can know your vote.

related pet peeve

[circletimessquare]

voting systems should better reflect the people's actual will, by being a little more complex

you're never going to get the nuance of the people's will 100%, but you can do a lot better. for example: borda voting

http://en.wikipedia.org/wiki/Borda_count

just rank candidates in the order you like them. then, in a divisive election is an opportunity for everyone's second best choice to become the winner rather than partisan first choices, that one half of the population hates, barely edging out the other

now take as an example the disgusting 2000 presidential election: if people were allowed to merely rank candidates rather than be forced to pick one, who would have won? john mccain. however you think of him as a choice in the 2008 election, mccain was certainly a better choice than gore or bush in 2000, and the nation actually thought so. if the people were allowed to rank a list of candidates, his name would have come out as the number 2 choice of everyone, and he would have won. but the system worked against mccain. instead, various undemocratic closed door machinations led the republican party to choose monkey boy bush over the more deserving mccain, and so the democrats who would have ranked mccain second best never would have been able to register their approval of mccain over bush. borda voting does away with the whole party primary nonsense: democrats field 4 or 5 presidential candidates, republicans field 4 or 5 presidential candidates. and the voters merely rank them. then the voting system better reflects the nuances of public opinion, and allows for the candidate whom people really like to emerge. who should really lead the nation? by better reflecting the people's affinity or dislike. no more divisive partisan bullshit

another good system: approval voting

http://en.wikipedia.org/wiki/Approval_voting

easier to understand than borda voting with similar results: checkbox next to anyone you like. voting for no one and voting for everyone has the same effect. in between, are abilities to express approval and disapproval, and the winner is a simple tally of whomever gets the most votes

Re:related pet peeve

[istartedi]

If McCain won, we wouldn't have to read your post. His "campaign finance reform" would have made casual blogging subject to the same restrictions as professional campaigning. You probably wouldn't have filled out the paperwork and/or paid fees just to retain your right to mention candidates on the Internet.

I like to think SCOTUS would have tossed it out; but I'm glad we didn't have to go through that.

Re:related pet peeve

[dasunt]

just rank candidates in the order you like them. then, in a divisive election is an opportunity for everyone's second best choice to become the winner rather than partisan first choices, that one half of the population hates, barely edging out the other

Does the population as a whole benefit from a borda or approval voting system?

Under the current system, we are forced to compromise with our candidates quite early. It may result in a more mainstream choice in politicians.

That may or may not be a good thing.

Re:related pet peeve

[joib]

Voting methods can be ranked in order of how well the chosen candidate matches the preferences of the electorate; in such rankings most voting systems, including the above mentioned Borda and Approval methods, outperform the current system.

Whether that benefits the population as a whole or not is more difficult to say. Presumably voting systems that give more weight to centrist candidates fare could be better because they would be less likely to cause violent reactions or in the worst case revolutions.

Re:related pet peeve

[the+phantom]

The system described above does tend to reflect the will of the people better. As an analogy, consider the GPA of a student. The current system is like only counting the As, i.e. you get credit for a class only if you get an A in that class. This is great for the students that always get As, but pretty much sucks for everyone else, and doesn't accurately reflect one's ability. The Borda system is more similar to the way that grades are actually averaged. You can be ranked on a scale from 0 to 4 (or 0 to 12 if you include pluses and minuses), which better reflects a student's ability.

To compare the two systems, consider the two following hypothetical students: student X took five classes last semester, got an A in one, and failed the other four; student Y also took five classes last semester, but got Bs in all of them. Under the first system, student X, who failed most of his classes, would still be ranked above student Y, because student X managed to get at least one A, whereas student Y did not. On the other hand, in the system we use, student Y would be ranked more highly.

A similarly brief overview of this idea (complete with this analogy) was published a while back by the AMS as part of their Mathematical Moments series. The relevant documents are near the bottom of the linked page, under the heading "Making Votes Count."

Re:related pet peeve

The Borda Count is a terrible method. It doesn't do the most simple thing with the ranking information: If a candidate is the first choice of more than half the ballots, he should win. Borda doesn't guarantee that.

The Borda Count makes the tactic of burying very attractive to voters: That is putting a major oppenent of your favourite dishonestly low in the ranking to hurt him. Instant Runoff Voting doesn't suffer from this at all. There are other ranking methods like Schulze that I recommend despite being a bit affected by that tactic, but with Borda this incentive is really strong.

Also, Borda is vulnerable to clone spam attacks. That means a party can increase its chances of winning by running more very similar candidates.

In conclusion, Borda is worse than Instant Runoff or the Schulze method. You can check wikipedia to find out more about these methods. If you think they are too complicated and you only want to choose between Borda and Approval, go with Approval.

Move beyond voting

[agilbert201]

Isn't the biggest tragedy the whole modern election process? It is rife with $$ influence, has enormous barriers to entry to mortals, requires grotesque marketing manipulations of it's participants, and essentially rubber stamps incumbents at an alarmingly high rate. The question is an "election" even the best way anymore? How about random selection for Congress, much akin to jury duty? Serve a 2 year stint and go home. I would have much more confidence in such a body than the one we have. And assuming the process were random enough, it would be a better reflection of "will" and be the most democratic. The illusion is we have a choice. It isn't just the mechanics that are at issue, it is the process that needs deeper thinking.

Sorry man - not going to work

Will counter show which candidate was given a vote?

If no, you can provide every single individual with precise information about his vote, but publish totally bullshit results at the end. Public recount will disclose who voted for whom.

If yes, sorry - the secrecy is gone.

Either way your algorithm is flawed.

i would gladly have welcomed that mccain failure

[circletimessquare]

in 2000, if it meant that the far far greater list of bush failures would never have happened

Dumb dumb dumb! Dumb dumb dumb!

[Saint+Stephen]

To the tune of the Mormon song in that episode of Southpark....

First the guy starts off with a reference to Potheads. Danger sign right there.

Then he goes off about how fair VAT is. Second danger sign.

Then he opines about how he can come up with all these ways that people can't cheat, like one guy rolls two joints and the other guy picks which one he wants to smoke, and pretends like this idea can scale.

Want to bet there isn't a way to cheat at cut and choose? Let's try it to elect a politician and see if someone can't find a way to cheat.

Fail! Mr big idea.

Re:Bruce Schneier once decrypted a box of AlphaBit

[dkleinsc]

Actually, the voting method you describe is more-or-less what optical-scan ballots are all about. While they aren't exactly "the old ways", they work extremely well, and give you an auditable vote in case of recount.

For instance, in the Franken-Coleman senatorial race, we had pieces of paper that could be gone through and understood. Yes, it took a really long time, yes, it produced votes for Lizard People, but the end result was something that independent observers could see as a correct reflection of the will of the people. With an electronic ballot, we wouldn't have had anything to recount, just a computer telling us a number.

Representation

[TheLink]

> the government represents the Party, not the people.

Thing is, in the 2008 US Presidential election, more than 98.5% of the voters who bothered to vote, voted for candidates of one of the Two Parties. In the 2004 election, that figure was 99%.

And if the other voters that could have voted but didn't, actually voted for some other particular candidate that candidate would have won, instead of either of the Two Party candidates.

So unless the US elections have been diebolded, I'd say the Two Parties are representing the voters as well as a "first past the post" system can (which is not that well, but you have to work with what you've got).

If the voters really don't like those candidates they should really be voting for someone else.

Especially the 37-40% who just stayed at home - if they really didn't like it, perhaps they should got out there and voted for someone, or even just write "None of the above". Even if they spread their votes over the other candidates and thus don't affect that particular election, when the voters and parties realize "None of the Two" adds up to something rather significant, the next election might be rather different. Or the Two Parties will start changing to try to maintain their 98-99% "share". As it is, those voters effectively don't count, and the Two Parties know that.

If you vote for someone you don't like just to try to keep someone else out, that often sends the wrong message to the other voters. Maybe voters should just do that sort of thing every other election. e.g. election #1 - voters show preferences without trying to play that game. election #2- voters play the game based on election #1. Otherwise it just degenerates to sheep voting to decide which of two wolves gets to eat them.

FWIW, I don't think a democratic election needs any fancy systems. Stick to paper ballots, keep the counting _open_ (and thus easily monitored by "everyone" within reason). There are plenty of ways to keep it simple and safe (except for postal votes - they're a bit of a problem). Simple is good because elections don't just have to be fair, they have to be seen as fair.

If you count votes behind closed doors like in the recent Iranian election, people get the impression that it's rigged.

That's why electronic voting is stupid - either the totals are calculated effectively behind closed doors, or it's the same thing as paper voting except just a lot more expensive.

Re:Representation

[Alzheimers]

There are many issues that affect voter turnout. Anything from weather to health to coercion can keep people from casting their vote. The problem isn't that people don't want to vote, it's that the bar is still too high to encourage 100% participation. I know people who didn't register because they thought they had to sign up for "Selective Service" (ie, the Draft). I know of people who didn't vote because they thought their candidate was already a shoe-in and it didn't matter. I know of people who didn't vote because their registration cards were mailed to the wrong address, or were redistricted and would have to travel a long distance to get to their new polling location.

If you compared the presidential election to the finals of American Idol, for example, I'm betting there's a huge percentage (50% or more) who voted for the phone-in contest but not the one you have to register for. The issue isn't so much the party system as it is the voting system.

Anyone who has a social security number and a registered phone number should be able to vote without leaving their home. There are technical challenges that would have to be addressed, but those are small compared to the benefits of having a more democratic society.

Re:Representation

[HiThere]

Your argument is fallacious. Most people don't think either of the two candidates that have a chance fairly represent their views, but they are also aware that only those two candidates have a chance. So either they don't vote, or they vote for someone who isn't their preferred choice. Either instant runoff or Condorcet voting would be fairer, with Condorcet having an edge in fairness, and instant runoff being more understandable.

Note that this is a separate problem from the one that was addressed in this article. That was about the trustworthiness of the results, not about fairness.

OTOH, electronic voting without a paper trail leading back to the original paper ballots is, I agree, stupid. You have some of the reasons right, but there are others.

P.S.: Any plan that requires the voters to act as blocks, without consideration of their individual desires is flawed. So is any plan that assumes that there are only three or four aggregations of preferences.

Re:Representation

[plnix0]

What does Social Security, "a social insurance program funded through dedicated payroll taxes" (Wikipedia), have to do with voting?

Re:Representation

[TheLink]

> Note that this is a separate problem from the one that was addressed in this article. That was about the trustworthiness of the results, not about fairness.

That's actually what I meant by fair (no cheating). Elections don't just have to be correct/trustworthy, they have to be seen to be correct (enough).

Some sort of electronic voting can actually be technically decent: http://www.youtube.com/watch?v=ZDnShu5V99s

But paper ballots done right won't require as much educating of Joe Sixpack :).

how can early compromise

[circletimessquare]

result in a more mainstream choice? i am flabbergasted how such a conclusion could enter your mind

the 2000 election is an indisputable example of how the current system wound up choosing a president that was not mainstream. we got instead a cleavage of the country into left and right, with resentment and hatred festering

mccain was a better mainstream choice: his secondary appeal to democrats was much larger than his primary appeal to the right wing, which is what cost him the party's nomination. so if mccain was allowed to proceed to a final approval or borda vote, he would beat bush and gore on account of his much broader secondary appeal

meanwhile, our current system divides, it doesn't unite: it stokes the fires of partisanship, it cleaves the american people into two fiercely divided camps where the loudest most blind voices dominate

such voices would still exist if we voted borda or approval, but more moderate voices would come to dominate, simply because a different voting system rewards a different strategy and set of issues

partisan morons are tearing this country apart. we need less of them, not more of them, just look at the idiocy that dominates the discussion on healthcare right now. how do we get less partisans? we adopt a system which rewards them less. our current unideal system rewards partisan loudmouth bickering idiots, to tragic results

Re:First Post

[Anonymusing]

Maybe it's merely a self-fulfilling protocol?

See Mailclad.com where I already laid this out.

[John+Sokol]

See Mailclad where I already laid this out.

Re:i would gladly have welcomed that mccain failur

[istartedi]

Really, we shouldn't have to make that kind of choice. The real flaw in the system, IMHO, is the way the candidates move up through the ranks and get nominated.

Most Americans aren't a part of that process. That seems to be handled by party insiders. Who decides, for example, the keynote speaker at conventions? That's just one feature of this insider process that happens.

Don't tell me to get involved with the party either. That solution doesn't scale. I'd just end up being one of the insiders. Great for me, same crap for everybody else. We need to open up the process that gets candidates on the ballot, and open it up in a way that's accessable and convenient for most voters.

It doesn't have to be totally dumbed down. It needs to be somewhere between American Idol and what we have now.

The other problem is that 3rd party candidates are effectively locked out. You might feel fine about that, since most 3rd parties are quite fringe; but they might not be so fringy if they were actually a part of the process. In other words, if everybody knew that 3rd parties had a chance, they might attract more "normal" people.

Re:You need ...

[TaoPhoenix]

"This is exactly the same with *music downloading* laws. You can't enforce it, but you can make consequences for breaking laws bad enough so people (delteted) *want* to break them."

Fixed that for Slashdot.

crypto what ?!?

[C0vardeAn0nim0]

"But there are mathematical election protocols that have self-enforcing properties, and some cryptographers have suggested their use in elections.'"

people already fuck up elections as they are now. put extra layers of complication and mathematical abstraction on top of it, and kiss fair voting goodbye.

anything other than "the vote goes on the paper, the paper goes in the box, the papers from the box are counted in public view" is to complex for joe sixpack to audit and complain by himself, thus inadequate to use on a large scale election.

Re:crypto what ?!?

...is to complex...

"to" implies direction. It is the opposite of "from". You would never say "is from complex". You meant "too".

Re:Bruce Schneier once decrypted a box of AlphaBit

[goodmanj]

Yes, it took a really long time, yes, it produced votes for Lizard People

Sir, I protest! A democracy that forbids people from voting for Lizard People is no democracy at all!

I'm in...

[aaaaaaargh!]

...as long as I can be the captain.

Rivest to the rescue?

[dawnpatrol1623]

The article is interesting, but Schneier is not the first person to consider such questions. Last year (I think?), Ron Rivest gave a couple talks at my school on the subject of voting. One of them was about auditing, and the other was about using crypto to achieve safer e-voting. You can see something similar to what he said here: http://people.csail.mit.edu/rivest/RivestSmith-ThreeVotingProtocolsThreeBallotVAVAndTwin.pdf Some of the comments here have been arguing over the relative merits of verifiability and secrecy (as in having voting receipts or whatever). Cryptographic methods can be used to partly reconcile those ostensibly contradictory goals. Anyhows, have fun reading.

Try authenticating before authorizing...

[Crazy+Taco]

Maybe we need to look past "secret ballots are good" and focus on why we consider them to be good, and on whether that good is being preserved under current systems.

They are considered good because they prevent bribery and coercion. In other words, if someone says, "Vote for X or I'll break your legs!", all you have to do is say you voted for X when you come out of the booth. You can still vote for whoever you want, and they have no way of following up. It also prevents bribes, because if you bribe someone to vote for X, how will you know if they did what you are paying them for? Thus, no one directly bribes anyone.

The reason the system is bad, though, is because you can't go back after the fact and check for ballots cast illegally. You can't check for fraud by groups like ACORN (ACORN falsely registered the entire starting lineup of the Dallas Cowboys in Nevada and has been indicted in 14+ states), because you can't tell if one of the ballots was caused by a person you found out later was committing a fraud. This is easilly fixable, but the key is preventing fraud by requiring every voter to present photo ID (this was upheld by the Supreme Court several times, btw). If you make sure that everyone who got in and voted was who they say they are, then you don't have to worry (as much) about checking for fraud or matching ballots later. Under the current system, though, you have states letting people show up with utility bills (easilly falsified), a mortgage statement (also easilly falsified), or even a friend who will vouch for you!

Basically, to put it in IT security terms, the problem with elections is that we authorize without really authenticating. Would any of you give the password to your computer to someone you met in an Internet chatroom? Maybe this person claims to be someone you know, but would you really send him your password without verifying that he really is the acquaintance he claims to be? Of course you wouldn't... no rational person would. Why, then, do we do this with our elections, which determine who controls, not a computer, but a country? Why do we let our leaders refuse to pass laws requiring the authentication of voters BEFORE they vote? Why do we let them stop authentication laws (such as photo ID) with BS excuses like, "Someone might get disenfranchised?" We are ALL disenfranchised when elections can't be proven to be free and fair. The problem is not the secret ballot, it is simply the lack of authentication and the corrupt politicians who block reform and run cover for the cheaters.

Re:Try authenticating before authorizing...

[the+phantom]

You can't check for fraud by groups like ACORN (ACORN falsely registered the entire starting lineup of the Dallas Cowboys in Nevada and has been indicted in 14+ states)

Please, stop spreading misinformation. ACORN itself has not even been charged with any wrongdoing, let alone convicted. Rather, contractors hired by ACORN to get voter registrations have been charged. Rather than a conspiracy to fraudulently register voters, it appears that several lazy contractors filled out forms in order to get paid without doing any work. It should be further noted that, in many states, it would be illegal for ACORN to discard suspicious registrations submitted by their workers---instead, they are required to pass them along to the state, which is the only entity with the authority to discard registrations (as for the reason, imagine if ACORN decided that only people registering as Democrats should be allowed to register---they could discard all registrations with the Republican box ticked, thus committing another kind of fraud). In short, it is evident that some voter registration fraud did occur, but that it was almost certainly the result of laziness on the part of workers, rather than an intentional effort to commit fraud on the part of ACORN. Never attribute to malice that which can more reasonably be attributed to laziness, incompetence, or stupidity.

http://www.factcheck.org/elections-2008/acorn_accusations.html

Re:Try authenticating before authorizing...

[NickFortune]

Never attribute to malice that which can more reasonably be attributed to laziness, incompetence, or stupidity.

Hanlon's Razor is a good rule of thumb for human motivation, but it's really, really crap when it comes to evaluating liability or responsibility. I mean, suppose I shoot you through the heart with a revolver. Should I evade the consequences of my actions if I tell the judge "I'm sorry your honour. I didn't think it would go off". It may well prove to be a case of stupidity rather than malice, but we can't turn around and say "well, that's all right then" without granting a licence to commit murder to liars everywhere.

Similarly, if a corporation takes responsibility for something, cocks it up, and then says "aww, shucks, what can I say? Some of our guys are just really, really stupid", I don't think we should absolve them of responsibility. Otherwise we give the corporations a licence to cheat and deceive.

Re:Try authenticating before authorizing...

[the+phantom]

Notice that I paraphrased Hanlon's Razor, and did not quote it exactly. I said "Never attribute to malice that which can more reasonably be attributed to laziness, incompetence, or stupidity." In the case of a shooting, is it more reasonable to assume incompetence or malice? It seems very probable that malice might be the more reasonable assumption. Furthermore, in both of the hypotheticals you bring up (both relatively devoid of details, one might add), Hanlon's Razor is not a dodge for responsibility. If I shoot someone, even if I really, truly didn't mean to (i.e. I really am an idiot), it is still probable that I will go to jail on a charge of negligent manslaughter, or that I will be put into some other kind of institution. If a corporation fucks up, they should be held responsible (i.e. it would be nice to see GM take responsibility for the mercury switches that it claims it is no longer responsible for thanks to bankruptcy—a situation arrived at thanks to incompetence). I was not suggesting that a plea of incompetence be a way to avoid responsibility, only that when problem occur, we should properly understand the root cause.

None of this, however, is relevant when it comes of ACORN and the allegations of registration fraud. ACORN hired contractors to collect registrations. A few of these contractors (perhaps 6 or 7, perhaps a few more—out of 13,000 that were hired) did not want to do their jobs, so they created fake voter registration forms. In Nevada (where I live, so that is the part of the story that I have followed most closely), ACORN went as far as to flag registrations that they felt were suspect so that the appropriate government body might have leg up. It is in this way that Hanlon's Razor applies: the post to which I responded suggested that ACORN intentionally created fraudulent registrations (this would be an attribution to malice). In reality, it appears that some of the people that ACORN hired turned out to be lazy bums (this would be attribution to incompetence). The whole scandal has become tempest in a teapot because certain people are out to prove that there was a vast, malicious conspiracy. This is a point of view not supported by the facts.

Re:Try authenticating before authorizing...

[Phred+T.+Magnificent]

Oh, for a mod point...

ACORN has not been charged with any fraud because ACORN was not the perpetrator, but rather the victim of the fraud: specifically, they were asked to pay lazy contractors for voter registration work that they hadn't actually done (and had instead filled out with false information).

If there had, in fact, been any conspiracy, it would have been to (1) defraud ACORN of money, and (2) damage the good name of the organization by blaming ACORN for the contractors' fraudulent activities.

Re:Try authenticating before authorizing...

[NickFortune]

To be perfectly honest, I don't know the first thing about ACORN and the matter in question, nor do I care to do so.

I'm just a bit fed up with the way that every time a corporation attracts some negative publicity for whatever reason, someone promptly pops up on Slashdot smoothly quoting (or indeed misquoting) Hanlon's Razor as if it was some magical incantation that made everything better again.

If it's not relevant, then don't raise it in the first place. By all means let's understand the root cause of an issue, but all Hanlon's Razor really adds to our understanding in these cases is "gee, we didn't mean for that to happen". On the whole, I think we can take that for granted, even if the only thing they didn't intend was getting caught.

Re:Try authenticating before authorizing...

[Spazmania]

Should I evade the consequences of my actions if I tell the judge "I'm sorry your honour. I didn't think it would go off".

That sort of thing is typically the difference between murder and manslaughter. Manslaughter is when you're too irresponsible to realize that what you're doing is likely to get someone killed.

Also, don't forget that hindsight is 20/20. If you point a gun at someone and pull the trigger it's bluntly obvious that if you've made a mistake disarming it, you're going to kill the person. People have done this before. It has been well publicized. It isn't (or at least wasn't) nearly as obvious that if you pay a bunch of people to register voters, some will risk the laws wrath by submitting fakes.

Re:Try authenticating before authorizing...

[NickFortune]

That sort of thing is typically the difference between murder and manslaughter. Manslaughter is when you're too irresponsible to realize that what you're doing is likely to get someone killed.

True. But manslaughter doesn't mean I evade the consequences of my action; it just means they are not so severe as they would have been had I been convicted of murder. That's pretty much my point, really.

Re:Try authenticating before authorizing...

[the+phantom]

First off, the paraphrase was an intentional "misquote." Like you, I agree that a strict quoting of Hanlon's Razor would have been inappropriate or irrelevant. However, my paraphrase was relevant to the situation (it was not, however, appropriate to the two hypotheticals that you brought up, but it was appropriate to my original post). The original poster was accusing ACORN of fraud, when, in fact, the most likely explanation is that a small number of the people that ACORN hired were lazy. Thus, we should not attribute to malice (i.e. fraud on the part of ACORN) that which can be more reasonably attributed to laziness, incompetence, or stupidity (i.e. fraudulent forms submitted by lazy contractors). You also seem to be under the impression that this is some kind of excuse (i.e. stupid, lazy, or incompetent people should be excused from responsibility because they are stupid, lazy, or incompetent). I honestly don't see how that can be inferred from what I posted. Once the problem of laziness has been discovered, it is entirely appropriate to go after the guilty parties (as has been done in several cases). I think that, perhaps, you are attacking either a straw man, or other people that have posted in the past, and are failing to actually read and understand what I said.

Re:Try authenticating before authorizing...

[Spazmania]

Manslaughter requires a finding of recklessness. You can't just have killed someone, you have to have been behaving recklessly and killed someone as a result. If a guy randomly jumps out in front of your car and you mow him down, it isn't manslaughter. You have to be drunk or distracted or something else where you should have been able to avoid hitting him but didn't.

Was ACORN's behavior reckless? In 20/20 hindsight, ACORN paid inadequate attention to the possibility of fraud. But without benefit of hindsight, was that activity reckless? Not clearly enough for any prosecutors to pursue them anyway.

Re:Try authenticating before authorizing...

[NickFortune]

First off, the paraphrase was an intentional "misquote."

Which is ironic really, because for years I kept the precise wording of Hanlon's Razor taped to the side of my monitor, just so I could check the wording the event that someone used some deliberate subtle variation of the wording to imply something utterly obscure.

And then, just the other day, I took the damn thing down because I decided that if someone did post a variation of the words, it would most likely be because they'd just sloppily quoted from memory and couldn't be bothered to check the exact wording. I mean which do you think the most likely? Hanlon's Razor itself would seem to support the second interpretation.

I think that, perhaps, you are attacking either a straw man, or other people that have posted in the past, and are failing to actually read and understand what I said.

My point is that I'm fed up with people reeling off Halon's Razor (or words to the same general effect) as if it could magically dissipate bad PR for some corporation or other. I'm not seeking to imply anything beyond that. If you tell me that you meant your post in a way other than the common practice I describe, then fair enough: I accept your clarification.

However, before you go accusing people of straw man arguments, perhaps you might consider framing your points with greater clarity in future? I don't really think it's my responsibility to check your posts for subtle miswordings of well known saying, concealed ciphers, invisible ink, or acrostics. Your mileage may, of course, vary.

Re:Try authenticating before authorizing...

[NickFortune]

The point I'm trying to establish is that "Sorry, but I fucked up; I guess I'm just a fool" is almost never valid as a defence: not legally; not socially; and not ethically. And yet whenever a specific corporate misdemeanour crops up on Slashdot, there's invariably some PR type pops up out of nowhere to invoke Hanlon's Razor as if things could be made all better, just by saying "it wasn't malicious, it was just people being stupid." That would not be accepted as an excuse in any other arena of human discourse, and I think it's high time we stopped blindly accepting it on Slashdot as well.

As for ACORN: As I've said elsewhere, I don't know the first thing about this ACORN business, and since it doesn't directly affect me, just this once I'm going to afford myself the luxury of not giving a toss.

Except to the extent that I don't think Hanlon's Razor really applies, obviously.

Re:Bruce Schneier once decrypted a box of AlphaBit

[dkleinsc]

I wholeheartedly agree that votes for Lizard People should be legal. But some folks were saying that the recount process was too ridiculous and therefor must have been flawed because Lizard People and Flying Spaghetti Monster got votes. It was a silly argument, but it's definitely put out there (mostly by Coleman supporters).

zzz

[circletimessquare]

"It doesn't do the most simple thing with the ranking information: If a candidate is the first choice of more than half the ballots, he should win. Borda doesn't guarantee that."

and that's the way it should be. if some guy wins 51% o the #1 votes, and some other guy wins 80% of the #2 votes, the guy with 80% of #2 should be president

the point is division via partisan rancor is the road to hell, and that's what squeaker wins represent in the current system, and what you for some reason still view as supeior

"The Borda Count makes the tactic of burying very attractive to voters: That is putting a major oppenent of your favourite dishonestly low in the ranking to hurt him. Instant Runoff Voting doesn't suffer from this at all. There are other ranking methods like Schulze that I recommend despite being a bit affected by that tactic, but with Borda this incentive is really strong.

Also, Borda is vulnerable to clone spam attacks. That means a party can increase its chances of winning by running more very similar candidates."

what you describe are minor tweaks compared to the manipulations going in the current system. borda is still enormously superior to what we have now. as for run offs: whatever. in countries where they do that, you'll find problems with that to. no system is perfect, and borda/ approval get a better description of the people's real will than the current system or run offs

What about other parties?

[jonaskoelker]

borda voting does away with the whole party primary nonsense: democrats field 4 or 5 presidential candidates, republicans field 4 or 5 presidential candidates. and the voters merely rank them.

You forgot the other partie... oh wait.

Make sure to point out how Borda Count might do away with the overemphasis on party affiliation and possibly, just maybe, make a third political party able to have some influence and maybe a seat or two in one of the parliament chambers.

Also, if discussing voting theory, you could at least mention Condorcet: http://en.wikipedia.org/wiki/Condorcet_method

I really like the properties of that one.

I think...

[danwesnor]

... the words you're looking for are "paper ballot". On the other hand, Bar Refaeli is hot.

It's not stupid at all

[plnix0]

But it's harder to rig an election if the votes are counted in the open. Plus, electronic voting is not stupid. It makes it so much easier to obscure the fact that they're manipulating the votes when no one can actually watch the process in action. It might be "stupid" on account of the fact that their dishonestly is so obvious, but governments generally take the gamble that they can get away with fooling the majority of people, and most of those who see what's happening them will be too afraid to oppose them openly. It's worked far too many times in the past. Why would they stop doing it?

One would be a fool to believe that office-holders running for re-election -- and the people who support and use them -- want honest elections. Never attribute to stupidity that which can be adequately explained by malice.

Re:Schneier is a DOPER

There were several. A British 18yo guy in August 2008, and a guy from Iceland in July 2007 is what I found from a quick google session, and that's just the people who actually jumped out of windows, not any of the other weird stuff.

Trust but verify

[jellybear]

A well-designed, "self-enforcing" system, even if it DOES require trust, still allows verification. The current system is unverifiable.

Yes, the Tenth is just window dressing by now.

[tepples]

So, the [Tenth Amendment] is just window dressing and it doesn't really mean anything?

Correct, because "The powers not delegated to the United States by the Constitution" are very limited in scope since the Supreme Court in Wickard v. Filburn, 317 U.S. 111 (1942), expanded the scope of "Commerce [...] among the several States".

Re:Yes, the Tenth is just window dressing by now.

[Attila+Dimedici]

So, you think that ruling was correct?

Re:Yes, the Tenth is just window dressing by now.

[tepples]

By the definition of a Supreme Court, all of its rulings are legally correct, bar later constitutional amendment. Or are you asking "Should the Constitution be amended to further restrict what qualifies as commerce among the states?"

Re:Bruce Schneier once decrypted a box of AlphaBit

[rjstanford]

The only real difference is that the optical scan ballot is hard to read with the naked eye. Having something similar, but with OCR (dead easy using standard clean predetermined fonts), would perhaps give a bit more confidence to people that they'd voted as they intended to vote. Also, you'd get all of the benefits of the assistance technology can provide to those who need it. But yes, its all about making it easy to generate an un-misreadable paper ballot, with no smudges, hanging chads, crossouts, write-ins-and-checks, or other issues.

Re:Bruce Schneier once decrypted a box of AlphaBit

[Wind_Sailor]

This is like saying that you can't own Gold because someone might steal it. When your boss says vote this way to keep your job. The correct response in a working system is to report your boss. When your boss goes to jail for voter fraud then you will be promoted to his job. verifyourvote.org