Maryland Town Tests New Cryptographic Voting System

ceswiedler writes "In Tuesday's election voters in Takoma Park, MD used a new cryptographic voting system designed by David Chaum with researchers from several universities including MIT and the University of Maryland. Voters use a special ink to mark their ballots, which reveals three-digit codes which they can later check against a website to verify their vote was tallied. Additionally, anyone can download election data from a Subversion repository and verify the overall accuracy of the results without seeing the actual choices of any individual voter."

first vote!

457

Very interesting stuff.

All that really matters after reading TFA:

Chaum says he hasn’t decided on a cost yet for jurisdictions who will license it after the initial adopter but says he can easily sell it for half the cost of current optical-scan voting systems, which run about $6,000 apiece.

Very good stuff. I would just avoid using the word "subversion" when talking about it. You know, because of its double meaning

Re:Very interesting stuff.

Ya, they should be using git anyway. Like gitmo is where you go if you tamper with the votes.

Re:Very interesting stuff.

[ScentCone]

avoid using the word "subversion"

I can see you've never been to Takoma Park, MD.

Cost of printing?

[dgatwood]

Maybe I'm missing something, but for this to be truly secure against the problem of being able to see who somebody else voted for, you would have to have a distinct set of three-digit codes for every ballot, or at least such a large number of distinct ballots that no person could practically conspire with a few other people to figure out that XWP in the third field means Hillary Clinton. Wouldn't printing each ballot individually result in a tremendous cost compared with traditional ballot printing? I'm just trying to understand how this could be feasible on a large scale....

Re:Cost of printing?

[Fry-kun]

Each ballot has a unique ID number to start off with, so they have that system in place already.
They just need to add printing a unique cryptographic IDs with special ink to the process - might not even require a 3rd reprint

Re:Cost of printing?

[Areyoukiddingme]

The printing of ballots in most jurisdictions already falls under the category of "custom" printing. Ballots are unique every election (despite an enormous preponderance of re-elected incumbents). Ballots can vary from precinct to precinct to the extent that, in theory, no two precincts are alike, because of differing jurisdictions (different counties, different cities, different municipalities of various flavors). That combined with the relatively low number of copies made for any particular precinct means that the cost of printing each one uniquely isn't different. The printing won't be done by high-speed high-volume expensive-setup full-color color-separated presses anyway. It'll be done by laser printer or thermal printer or such.

Re:Cost of printing?

[jd]

It depends on what the three digit code represents. It's too short to be a hash and since the ballot isn't printed by a computer, it can't be any form of error-correction or tamper-proofing code. And although there's not going to be 1000 candidates in a given district, there's probably going to be in the hundreds in some cases, so there's a limit to the number of codes that could equal an individual.

Personally, I'd have gone for a 5 or 6 digit code. I'd also have the ballot papers printed by an electronic voting machine, so that the codes could contain error-correcting information and thus prevent alterations to the ballot.

Re:Cost of printing?

[sustik]

As I understand, the 3 digit code you need to remember in order to verify later. Maybe they worried that more than 3 digits will be difficult to remember. It may not be preferred if people would need to write the number down.

So how long...

[fuzzyfuzzyfungus]

Before one of the current election systems players sues them for being all mean and competitive, after the fashion of TDS?

Re:So how long...

[jd]

I doubt they'd sue. Not effective. Much better to bribe the elected officials. Proven technique and all that.

Chaum's system is very cool

[swillden]

It does what many people would have said is impossible: It allows voters to verify that their votes were cast and counted correctly, but does not provide them with any way to prove to anyone who they voted for. An audit trail, without opening the door to coercion. This is a major improvement over traditional voting technologies.

Re:Chaum's system is very cool

[CannonballHead]

but does not provide them with any way to prove to anyone who they voted for.

But can I check to make sure not just that my vote "was counted" but that my vote was for the right person?

Re:Chaum's system is very cool

[zn0k]

"But voters can't be sure just by looking at their ballot image that the system interpreted the codes accurately to apply the vote to the correct candidate. That's where independent auditors come in."

TFA to the rescue.

Re:Chaum's system is very cool

[CannonballHead]

I read it. Just ... lightly... hehe...

Re:Chaum's system is very cool

[gd2shoe]

but does not provide them with any way to prove to anyone who they voted for.

But can I check to make sure not just that my vote "was counted" but that my vote was for the right person?

You can verify that your vote was received correctly. This still doesn't tell you that your vote winds up in the final tally. There's an important distinction there.

Re:Chaum's system is very cool

[nacturation]

but does not provide them with any way to prove to anyone who they voted for.

But can I check to make sure not just that my vote "was counted" but that my vote was for the right person?

Yes:

Voters make their selections on a paper ballot using special pens with ink designed by Chaum. When a voter fills in an oval on the ballot, the ink in the pen, which is similar to the yellow ink in highlighter pens, reacts with invisible ink in the oval and turns most of the oval black. At the same time, a unique three-letter code pre-printed on the ballot inside each oval is revealed to the voter.

After making their choices, voters use a form to write down the serial number that is printed on their ballot as well as the three-digit codes inside the ovals they’ve chosen. The codes are generated cryptographically and are different on every ballot to prevent someone from deciphering the voter’s choices and engaging in vote-buying.

So that's the "verify that it was recorded correctly" part. For the "verify it went to the right candidate part":

Voters can also see, based on the three-letter codes, that the system seems to have recorded their selections accurately. But voters can’t be sure just by looking at their ballot image that the system interpreted the codes accurately to apply the vote to the correct candidate. That’s where independent auditors come in.

Scantegrity uses a process called “zero knowledge” that allows skilled, independent auditors to verify that the codes result in votes going to the right candidates, without actually revealing an individual voter’s selections.

I don't know how it works exactly, but I assume it's similar to a public/private keypair given that they describe it as a cryptographic mechanism. The interesting thing is that anyone can audit the election results to demonstrate that votes were counted accurately: https://scantegrity.org/svn/data/takoma-nov3-2009/PUBLIC/PUBLIC/

Re:Chaum's system is very cool

[Judinous]

How exactly do we verify that the choices we didn't pick on the form don't have the same set of verification characters as the candidate we did choose? It appears as though we can only see the code for a candidate if we reveal it with the invisible ink; checking the others would ruin the form. I think that these verification characters should be readily visible with or without the invisible ink applied. Otherwise, it would still be possible to fudge with the system and change the vote count while passing all of the verification tests.

Perhaps this is somehow handled by the "independent auditors", but TFA is light on details in that area. Since they don't have access to the voting machines and their source code, nor the actual forms themselves, I don't see how they could verify this, though.

Re:Chaum's system is very cool

[dgatwood]

But the practical implementation could provide a way to prove that they voted for someone. My cynical suspicion is that by the second or third election, they'll use mass-produced ballots ballots that only have three or four different sets of codes on them to reduce the cost of ballot printing. And no one will be the wiser except for the people exploiting it. Where this system fails is in proving that the codes are truly unique. The only way you can guarantee that is if instead of using fixed printed codes, you provide the person with an electronically-generated cryptographic hash of the vote data with a random number that the voter cannot obtain.

Re:Chaum's system is very cool

[arose]

It does what many people would have said is impossible: It allows voters to verify that their votes were cast and counted correctly, but does not provide them with any way to prove to anyone who they voted for.

No, apparently it's only "skilled auditors" who can verify things. And voters can prove who they voted for to anyone who has access to the ballots post election.

Re:Chaum's system is very cool

[commodore64_love]

Who the heck cares? My State already has this "check your vote online" deal, and I didn't even bother to look it up when I got home. I don't honestly believe that if my choice McCain had won, anything would be any better. So what's it matter whether my vote was counted or not.

I have this novel idea that we should follow the KISS principle. Take a piece of paper. Circle your guy. Toss it into a box. Count the ballots by hand. Keep. It. Simple.

Re:Chaum's system is very cool

[swillden]

How exactly do we verify that the choices we didn't pick on the form don't have the same set of verification characters as the candidate we did choose?

That's handled by pre-election auditing. There's more information on how at http://scantegrity.org./

Or, go straight to the research paper at http://www.scantegrity.org/papers/ScantegrityII-EVT.pdf

Re:Chaum's system is very cool

[swillden]

But the practical implementation could provide a way to prove that they voted for someone. My cynical suspicion is that by the second or third election, they'll use mass-produced ballots ballots that only have three or four different sets of codes on them to reduce the cost of ballot printing.

See section 4.9 of the paper (actually, read the whole thing). Auditing is done both by candidates and by independent auditors.

Re:Chaum's system is very cool

[gd2shoe]

I don't honestly believe that if my choice McCain had won, anything would be any better. So what's it matter whether my vote was counted or not.

This is a major problem, but it is a separate issue. We can't have a healthy democracy without solving both of them. You can't tell me which needs to be solved first.

Re:Chaum's system is very cool

[bill_mcgonigle]

I have this novel idea that we should follow the KISS principle. Take a piece of paper. Circle your guy. Toss it into a box. Count the ballots by hand. Keep. It. Simple.

That's how my town does it - each volunteer counts 100-200 ballots. It's not a hard ratio to achieve in any way. On average, each citizen would only have to volunteer once per hundred elections, not bad.

It is, however, second best. There's no stopping an organized gang from switching out the ballot box like Chaum's system does.

Still, on a cost/benefit basis there's alot going to KISS.

Now, can I start a flamewar about our system being inferior to Condorcet methods, please?
 

Re:Chaum's system is very cool

[VGPowerlord]

Just as long as the auditors don't decide that Death isn't doing his job, try to stop people from believing in Santa Claus, or try to destroy the world by trapping time...

Re:Chaum's system is very cool

[gd2shoe]

Now, can I start a flamewar about our system being inferior to Condorcet methods, please?

You have my vote. ;)

Just about anything is better than first-past-the-post. I'm partial to the Condorcet Principle, but every time I bring it up, I either get blank stares, or get slapped with Arrows Theorem.

Re:Chaum's system is very cool

[girlintraining]

yeah, one problem: the moment you enter that code, you are giving up personal information that can be tracked to you, individually. Don't forget, an IP address is traceable. Private citizens may not know how you vote, but data correlation means the voting authority may.

Re:Chaum's system is very cool

[Mystic+Pixel]

I don't know how it works exactly, but I assume it's similar to a public/private keypair given that they describe it as a cryptographic mechanism.

Given the author of the Python files in the SVN repo, this might not be a bad guess:

# post_election_audit.py
# Ronald L. Rivest
# October 4, 2009
#
# This Python program is for use with the Scantegrity II election system.
# See www.scantegrity.org for information on Scantegrity II.

Re:Chaum's system is very cool

[jd]

It is cool. I proposed something similar, albeit electronic voting, in the past on Slashdot but I'm thinking their approach has many advantages - not least that it reduces the number of attack vectors.

A three digit code is probably adequate, but I'd have probably opted for a longer value. It depends on how the code is used and what it represents. I'm assuming it represents a given candidate, as you're unlikely to have more than 1000 candidates for a given district but will likely have more than 1000 voters in a given voting station.

Regardless, a larger code would allow for easier detection of ballot-stuffing or ballot-concealing, so long as it wasn't too much larger. I presume 3 digits was picked as a compromise value.

Re:Chaum's system is very cool

[jd]

I'm going to argue that for electing Senators, they'd do better by doubling the size of the Senate and allowing both first- and second-place candidates a seat with voting power equal to their percentage in the election.

(That way, a person who wins 50.1% of the vote has 50.1% of a vote. Proportional representation that's proportional.)

It's not KISS, it would be a bugbear to administer, but it would stop a lot of the razor-edge fiascos we've seen in past elections. Winning an extra few votes wouldn't win you enough extra voting power to be worth a damn, as opposed to the current system of winner-takes-all. That would all but eliminate the court challenge except in gross situations.

It would also get people what they actually wanted, which (hopefully) would rapidly teach them to stop wanting stupid things.

Re:Chaum's system is very cool

[bill_mcgonigle]

Arrows Theorem.

thanks for the pointer. If the Wikipedia article is correct, the big problem seems to be his requirement that any sub-set of elections should turn out the same as the whole election if considered separately. I'm not sure that's a sensible expectation in a real election.

Re:Chaum's system is very cool

[bill_mcgonigle]

Interesting! Walter E. Williams has calculated that the US Congress should be up to about 3500 people by now, proportional to historical judgement about how many people a legislator can represent (this has anti-corruption themes behind it).

Re:Chaum's system is very cool

[BitZtream]

Of course with a little help from your local ISP, they can see who is viewing what ballots, tie that to an IP and an IP to a home or in some cases a specific user.

They haven't really done what others said was impossible, but the process requires enough different organizations to be involved in the fraud to be an improvement over the existing methods since they added another layer to the process.

You want to have it so no one holds all the data so correlations can't be made without everyone being in on it, while at the same time allowing verification to be possible. It is a non-trivial task and I don't think a magic bullet will pop up.

Much like computing however, there is rarely a major breakthrough, its almost always incremental based on previous experience and innovations.

Re:Chaum's system is very cool

[dgatwood]

Similarly, our current paper ballots are audited by candidates and by independent auditors. There's still fraud. :-) There are many attacks I can see on this scheme:

First, to be secure, this assumes that the auditor can remember every code from previous ballots to verify that are unique. Yet the instructions seem to indicate that the auditor sees only one ballot at a time instead of half a dozen ballots.

Even if they see multiple ballots, it's not a given that patterns will be detected. If you repeat the codes every 101 ballots, that would reduce the odds of detection to near zero without making it very hard at all to find out who someone voted for, so long as you have 101 blank ballots and know the voter's ballot number and codes. Or if there's a pattern, you might only need to be able to see one ballot and know the pattern.

Second, this ignores the possibility of an intelligent adversary colluding with an election official. It is trivial to generate a sequence of codes that are cryptographically trivially derived from one another that are mathematically related. For example, take a known starting pattern and shift each letter by... say (n *k) mod 26 where n is a different number for each letter of each candidate's code (but a known number) and k is the ballot number. Slide all of the codes down by 1 every 100 ballots, but keep the shift distances attached to the candidate and letter position. Doing this would result in a pattern that would appear random to all but the most cryptographically brilliant observers, but votes could still be trivially verified by anyone who knows the particular shift/mod scheme. All they would have to have is a particular person's three-letter codes, knowledge of the scheme, and access to a single ballot (any ballot) to provide a reference point for comparison.

Third, the problem of disenfranchised voters can result in mass voter fraud just like incorrectly recorded votes, and it's unlikely you'll be able to do anything about it when it happens. How do you cause mass disenfranchisement of votes with this system? Print up one fake ballot that has the same code numbers as another fake ballot. Introduce both, and flag them for auditing. BAM. That district's votes get tossed out. You've just eliminated a district that always votes heavily for one party, and have thrown the vote to the other party.

I could probably go on, but you get the idea. This is a cool idea, but ultimately electronic voting can provide much better protections against vote fraud than paper voting, assuming you do it correctly (with mandatory paper trail, separate manufacturers for a vote verifying machine than the vote taking machine, paper tokens from the verifier machine with cryptographic hashes of the vote using a UUID generated instantaneously at vote time keyed off the voting machine/time of day/PRNG, and so on. And still none of that guarantees that your vote really got counted, but the ability to total up the numbers in multiple places at least makes it very hard to inject or discard votes without going through the disenfranchisement process.

*sigh*

Re:Chaum's system is very cool

[dgatwood]

Actually, I realized that it would have to shift every 25 ballots. Otherwise, it would repeat every 26th ballot; for all values of n, (n * 26) MOD 26 = 0. Oops. Still, if you have 300 candidates/ballot measure checkboxes, that gives you, if my sleepy math is right, about 7500 ballots before you repeat at all. That would be good enough for many smaller districts.

Shift the shift numbers backwards by three slots every thousand and you've ensured that the repeat occurs about 21 ballot slots away, likely on a different page, making it even less likely to be detected, and you won't get a repeat on the same page until you've gone through tens of thousands of ballots if you pick the numbers right. That's enough for large districts.

Add something like swapping the nth set of shift numbers with the n+kth set after every hundred ballots, where k is the hundreds place of the ballot number, then repeat for all values of n (e.g. if the 100s place is a 3, you swap sets 1 and 4, 2 and 5, etc.) and you've just raised the level of apparent randomness high enough that for any reasonable district size, you aren't going to detect it by a human looking for duplication, period. (Within a district, the probability of the same three characters being in the same spot is, I believe, lower than the odds of it occurring by chance, so it is trivially detectable by broad statistical analysis, of course.) Yet with such a scheme, determining who someone voted for is still computationally within the realm of possibility using a mere programmable calculator.

With a scheme like this, we are asked to trust that the ballots were printed legitimately by a printing machine that we can neither examine nor validate based on the contents of the ballots themselves. It's a cool idea, but I just don't have that much faith in our elected officials.... :-) We have to assume adversaries have much better access to the inner workings of the voting system than we do, so if we want to protect people from being coerced into voting a particular way, we have to design a voting system that takes that into account....

Re:Chaum's system is very cool

[swillden]

First, to be secure, this assumes that the auditor can remember every code from previous ballots to verify that are unique. Yet the instructions seem to indicate that the auditor sees only one ballot at a time instead of half a dozen ballots.

You should read section 4.3 of the paper. I think most of your concerns about it are addressed there.

For this part, the auditor is comparing the ballot with the relevant row of table Q, which specifies what the codes are -- but not which candidates they correspond to. And by examining table Q as a whole, the auditor can verify overall uniqueness. As long as the ballots to be audited are selected at random, the scheme is secure.

This is a cool idea, but ultimately electronic voting can provide much better protections against vote fraud than paper voting, assuming you do it correctly (with mandatory paper trail, separate manufacturers for a vote verifying machine than the vote taking machine, paper tokens from the verifier machine with cryptographic hashes of the vote using a UUID generated instantaneously at vote time keyed off the voting machine/time of day/PRNG, and so on. And still none of that guarantees that your vote really got counted, but the ability to total up the numbers in multiple places at least makes it very hard to inject or discard votes without going through the disenfranchisement process.

This system provides all of the benefits you describe. The only difference is that the crypto work in ballot preparation is done in advance, rather than at the time of voting, which allows several additional verifications of the process to be done, AND allows you to verify (statistically) that your vote got got counted. More precisely, it provides an assurance that any systematic exclusion or alteration of ballots will be detected with very high probability.

This system also allows ANYONE to perform that statistical verification that the aggregation was done correctly.

If you haven't read the research papers that underly the system, I recommend that you do. They're from some serious security researchers, including the likes of David Chaum and Ron Rivest. If you can find significant holes in their scheme, they'd be glad to hear it.

Re:Chaum's system is very cool

[swillden]

Actually, I realized that it would have to shift every 25 ballots. Otherwise, it would repeat every 26th ballot; for all values of n, (n * 26) MOD 26 = 0. Oops. Still, if you have 300 candidates/ballot measure checkboxes, that gives you, if my sleepy math is right, about 7500 ballots before you repeat at all. That would be good enough for many smaller districts.

Any such pattern would be pretty easy to detect by examining table Q. Also, part of proper oversight of a Scantegrity II election would be verification that the PRNG used to generate the codes is cryptographically sound and properly employed.

Re:Chaum's system is very cool

[swillden]

Of course with a little help from your local ISP, they can see who is viewing what ballots, tie that to an IP and an IP to a home or in some cases a specific user.

True. There are some protections against this loss of anonymity, though.

First, only voters who choose to verify have any risk, and of those only the ones who choose to verify from a location that can be connected to them. Since only a tiny percentage of voters need to verify in order to statistically exclude the possibility of ballot loss or alteration, you only need a small number of people willing to take the "risk".

Second, it's only possible to match voter with ballot if you have possession of the physical ballots. The system is designed so that no one needs access to the full set of ballots after they've been scanned. Verification of the integrity of both counting and collection can be done without access to the ballots. Some verification of cast ballots needs to be done, but that requires only small sample (at most a couple thousand randomly-chosen ballots).

You want to have it so no one holds all the data so correlations can't be made without everyone being in on it, while at the same time allowing verification to be possible. It is a non-trivial task and I don't think a magic bullet will pop up.

Agreed, the ideal is probably information-theoretically impossible. However, as a practical matter, successfully defrauding a Scantegrity II election with any degree of real oversight in place would be impossible. Well, to be precise, it would be very, very unlikely. With probabilistic verification methods, there's always a chance of failure, but that chance can be made arbitrarily small.

Much like computing however, there is rarely a major breakthrough, its almost always incremental based on previous experience and innovations.

I think from the perspective of real-world, in-use voting systems this IS a breakthrough. Of course, the approach itself was developed incrementally, starting with some secure but completely impractical approaches, gradually refined (Punchscan, Scantegrity I) into something usable. And there's no doubt that further refinements will be applied.

But from a real-world perspective, this system (and it's immediate ancestors) is the first one that provides a way to mathematically prove (with probability p) that ballots were not discarded or altered, yet retaining an extremely high degree of anonymity.

Re:Chaum's system is very cool

[swillden]

A three digit code is probably adequate, but I'd have probably opted for a longer value. It depends on how the code is used and what it represents. I'm assuming it represents a given candidate, as you're unlikely to have more than 1000 candidates for a given district but will likely have more than 1000 voters in a given voting station.

The three-digit code doesn't represent a given candidate, except on a given part of a given ballot.

Suppose that the ballot had only one race (any more complex ballot can be decomposed into a set of such simple ballots, so this assumption doesn't limit generality). Each slot in that ballot, corresponding to a candidate, has a three-letter code, which is only revealed to the voter when he or she selects that candidate. That same set of three letter codes, but WITHOUT any association between code and candidate, is a row in table "Q".

After the election, you can look up your ballot on-line and it will show you all of the three-letter codes that were on your ballot. You verify that the one you revealed is in the list.

But what if it isn't? That's when you come forward to say there's a problem. There are two basic possibilities: either you are wrong or the system is wrong. Either possibility could come about through either error or malice. If you made a mistake, or invented a code, the probability that your erroneous or invented code is in the list for your ballot is determined by the code length. The three-letter codes were chosen because they make that possibility sufficiently small that few voter errors will go undetected. A statistical model is used to decide when those that do (called "plausible discrepancies") are numerous enough to indicate a likelihood of system error/fraud.

Re:Chaum's system is very cool

[dgatwood]

But again, if we have problems with ballot stuffing in corrupt districts, it would be just as easy for someone to swap out the real ballots with fake ones printed elsewhere before voters cast their votes. Unless the ballots are physically printed on-the-fly, there's not sufficient protection from that sort of attack.

Re:Chaum's system is very cool

[dgatwood]

Okay, so you have a table with a list of what the valid options would be for a given ballot without giving the order. This still leaves open to the possibility that someone could substitute fake ballots that put those options in an order that is determinable mathematically from the ballot number. What checks are put in place for proving that the order has not been manipulated (beyond the usual physical security on ballots, which has been insufficient at preventing ballot stuffing for years)?

Re:Chaum's system is very cool

[clone53421]

Okay, do it from the library. Sheesh, you're paranoid... I bet you'd check for cameras in the library, too. :p

Re:Chaum's system is very cool

[swillden]

That's why voters should also audit the ballots at random. Read the paper for a description of how this is done.

Re:Chaum's system is very cool

[swillden]

If the fake ballots don't have the codes in the order specified in the S-pointer column of the Q table, then the votes would in fact get redirected to different candidates. However, those ballots would be identified as fake by any of the ballot audits, whether the audits done pre-election, post-election by voters, or post-election by poll workers.

Re:Chaum's system is very cool

[dgatwood]

You either have the order of the codes or you don't. If you do, then anyone with access to that table can determine who someone voted for. If you don't, then the ballots can't be audited. So is this basically assuming that the Q table will never get leaked? *confused*

Re:Chaum's system is very cool

[gd2shoe]

IIA addresses the "spoiler candidate" issue. You cannot add one or more candidates to change the outcome. (This is opposite the way the criteria is phrased, but it's equivalent.) Thus, the election method itself cannot encourage or dissuade a candidate from running.

It also strikes me as essential to remove any and all incentive for strategic voting. The most effective tactic for a voter to deal with a spoiler candidate is, after all, the bluntest form of strategic voting: ignoring their true preference and voting for the lesser of two evils. It also allows the Condorcet Principle for the second, third, etc runners up (important in some races).

But, as the article points out, you're not alone in your conclusion. And yes, I'm still in favor of Condorcet methods, dispite Arrow's Theorum.

Re:Chaum's system is very cool

[bill_mcgonigle]

IIA addresses the "spoiler candidate" issue. You cannot add one or more candidates to change the outcome. (This is opposite the way the criteria is phrased, but it's equivalent.)

Do they change the election if they don't get votes? I'm not sure I understand - if the number of candidates changes (each being different from each other in some way) then that ought to change the voting preferences of the electorate since the relative appeal will change for some people.

Thus, the election method itself cannot encourage or dissuade a candidate from running.

So, if I think that a more representative voting system would encourage more 'good' candidates and fewer 'poor' candidates, then that violates the IIA principle?

Re:Chaum's system is very cool

[swillden]

So is this basically assuming that the Q table will never get leaked? *confused*

Very good question. It took me some time to dig into it to figure out the answer.

The answer is yes. The system assumes that the full contents of the tables will never get leaked. Table P is never revealed at all and table Q is partially revealed according to a specific scheme. Access to the full contents of Q, R and S allows the reconstruction of P. Access to P reveals the structure of all ballots.

Improper access to the contents of the tables, plus access to a voter's verification codes reveals who that voter voted for.

The authors' solution to this is in assumption 5 of section 5.2.1: "Election officials use a special trusted computer workstation (as described in [14]) to enforce the privacy of the tables of confirmation codes."

The secure diskless workstation mentioned in [14] is adequate for a university election, but in my opinion it's insufficiently secure for an important election. However, I think that an adequate machine can be built, and I build high-security cryptographic key management systems for a living. The same techniques and approach used to protect the master cryptographic keys that protect hundreds of billions of dollars should be sufficient.

My recommendation would be to use something like an IBM 4764 cryptographic coprocessor -- or any other programmable FIPS 140-2 level 4 certified device. Use it to generate P, and program it to output P for external storage (because P is likely too large for internal storage) only in encrypted form. Likewise with Q. The selective revelation of Q should be done by the secure device, with an external input providing the "coin flips".

The source code for the device should be open source and published, and the binary should also be published. The 4764 already includes a very clever and very secure mechanism for incrementally loading verified software, starting with a dead simple boot loader which is trivial to verify and produces hashes of each further loading stage. Loading should be done under oversight by all interested parties.

If generation of P is done by a deterministic PRNG, then you can have P generated in parallel by multiple identical devices, one under the control of each major party and perhaps a watchdog group or two as well, and all can verify that the encrypted version of P is identical. The way to do that is to start with one device and then use a secure clone operation to replicate the master key and the PRNG seed from one device to another.

Even though the devices are highly, highly resistant to penetration (millions must be spent in multiple serious attempts to penetrate a device in order for it to achieve level 4 certification), all parties operating such a device must allow oversight from any other interested parties. This is also necessary to ensure that no unauthorized clones are created -- though the software should make use of the device's hardware "security ratchet" to ensure that once put into the "generate P" mode, the cloning functionality is disabled.

After the partial revelation of Q (done in parallel), all of the devices should be breached, in public, under oversight, which will cause them to destroy their master keys. The devices should probably also be publicly destroyed.

The final potential weakness is pre-tampering with the devices. If the device could be subverted even before the first software is loaded, then all of the security disappears. Manufacturers of such devices take great pains in the manufacturing process to be able to prove that they produce reliable devices, but those measures are insufficient for something like a major election.

I think another iteration of the cut-and-choose style verification Chaum is so fond of is the solution. Or in this case perhaps it should be called 'choose and cut'. The election officials should de

Re:Interesting, but...

I know the Florida ballot count debacle wasn't all that long ago, but are we that concerned about votes not being counted?

If we were concerned about people's votes not being counted would we be testing a Cryptic New Voting System? ... Oops sorry, Freudian misread.

I think I know what the 3 letter code is...

[ickeicke]

... obviously it is DRE (700), serial number 34491.

Let's hope that this new system prevents premature revelation of election results...

Re:Interesting, but...

[noundi]

but are we that concerned about votes not being counted?

I was about to write a long reply about how democracy depends on the fact that bla bla bla... and how you cannot trust people, especially what in politics and bla bla bla... but you asked a simple question so I'll give you a simple answer:
 
  Yes.

What's a digit?

[CannonballHead]

The image in wired.com shows a two letter code "JX" appearing in the oval. The article mentions "three digit" codes. Nice.

Re:What's a digit?

[icebike]

Specimens need not be perfect renditions is my guess.

Question?

[__aagmrb7289]

I like where they are going with several of these things, but why go with paper and magic markers? Why not use the same exact concept, only put it on a computer, print out a receipt with the codes and serial number, and go from there? It seems like a no brainer. Not only does it reduce overhead in terms of manpower, but it also reduces the amount of paper wasted, the cost of these "special markers", etc.

Re:Question?

[icebike]

The objection to receipts is that receipts that show voting choices can be used for Vote buying.

If we stick to codes, vote buying is not so easy.
You'd need a crib sheet as well.

But all you know is that your vote entered this machine, not that it was tallied by Deep Thought at election central.

 

The Real question...

[gd2shoe]

Ok, so this system proves that your vote reached the tally server, but how does it prove that your vote is actually in the total?

I'm serious. Just because your vote wasn't lost, doesn't mean it was counted. This helps guard against grievous mistakes, not against wholesale fraud.

Re:The Real question...

[noundi]

Ok, so this system proves that your vote reached the tally server, but how does it prove that your vote is actually in the total?

I'm serious. Just because your vote wasn't lost, doesn't mean it was counted. This helps guard against grievous mistakes, not against wholesale fraud.

I'm confused, are you replying to me? I only answered his question if we are concerned about votes not being counted. I never said nor did I imply that this was the right or the wrong way to do it.
 
But to answer your question, the only way to make sure of this is if the software that is in use is completely open source. That way anybody who's interested may view the source and follow the the procedure, from submission to results.

Re:The Real question...

[gd2shoe]

I know the Florida ballot count debacle wasn't all that long ago, but are we that concerned about votes not being counted?

(Implying issues about votes being lost accidentally)

.. and how you cannot trust people, especially what in politics and...

(I interpreted this as votes being lost intentionally; inline with my post)

I was pointing something out. It was both on-topic (closely related to your "simple answer"), and highly visible (near the top of the thread).

This is Slashdot. A reply doesn't need to be a direct response to be on topic. There'd be very little discussion if there were. Maybe I should have shoehorned my response, rephrasing it to more closely match the wording and context of your post. I thought that would have been superfluous. Two posts later, and it probably would have been cleaner if I did.

Re:The Real question...

[Runaway1956]

I dunno. But, at least this appears to be a step in the right direction. Open government - wow.

There's supposed to be some independent monitoring scheme, which is good. I suppose that in and of itself, this isn't enough to keep things honest. But the concept of allowing a citizen to look into the workings of the ballot system any further than the booth is good. Given some time, some interest, and some ingenuity, we could be looking much further inside the system.

Open source. Open government. Transparency. Gotta love it. Maryland never was high on my list of favorite states, but they've just moved up a couple notches. They've left Florida sucking dust, anyway. ;^)

Re:The Real question...

[jhol13]

You can get, say, 100 friends, download the subversion repo and check that all your votes are counted in your copy of the repo.

Therefore official count very likely has all votes, and without grand scale fraud definitely your vote. I'd say more likely than in paper ballot.

Similarly *I assume* the repository can be checked that there are not (many) extra votes.

Re:The Real question...

Ok, so this system proves that your vote reached the tally server, but how does it prove that your vote is actually in the total?

I'm serious. Just because your vote wasn't lost, doesn't mean it was counted. This helps guard against grievous mistakes, not against wholesale fraud.

This is covered in their paper:

http://www.scantegrity.org/papers/ScantegrityII-EVT.pdf

It can be done via independent auditors, and the code is available so you can do it yourself if you want.

Re:The Real question...

[Runaway1956]

Let's just say that we have different standards.

East coast is out of the question, except for maybe Maine and Vermont. The only place I'd want to live on the west coast might be in the Cascade mountains. Texas is a bit warm for me, but I can tolerate it. Moving north from Texas, the further north I get, the happier I am. I prefer mountains, but low hills work alright. The more trees there are, the more beautiful the land is. I wouldn't last to long in Colorado, thanks to the huge influx of liberal city boys and girls. Montana and Wyoming are about as good as it gets, unless you cross the 49th parallel, into God's Country. Man was not meant to live in densities over 20 people per square mile. Optimum density is about 2 people per 10 square miles. A guy can drive into town and socialize a couple times a month, buy supplies, then beat it back to the home spread. Now, THAT is LIFE!!! If a guy can put up a few hundred pounds of venison, elk, beef, and pork, some vegetables in the root cellar, and a couple truck loads of beer, he's pretty much got it made for the winter. Ten to twenty cord of wood, depending on how cold the winter gets. And, a fast internet link - COME ON AT&T!! I'm STILL WAITING FOR THOSE LAST MILES!!!!

Re:The Real question...

[cmiller173]

http://www.usnews.com/money/personal-finance/real-estate/articles/2009/06/08/best-places-to-live-2009.html

Re:The Real question...

[BitZtream]

And this is different from existing methods how?

In reality, since the the data is available and public information, someone could create an entirely seperate website, with the tallies based on the information in svn. People could check their votes there.

Then if the secondary website notices discrepancies reported by users checking their own votes or in the totals, the fraud is reveled.

Its much harder to commit fraud in the view of the public. It can be done I'm sure, just harder.

Re:The Real question...

[mlts]

DRM isn't the right term here. DRM is for locking away content. Instead, what is needed is trusted computing. This is a double edge sword, on one hand, it can be used for making closed appliances like consoles. On the other hand, it can ensure that the contents of a stolen laptop are not accessible even to an intruder who manages to briefly gain access to install a bogus MBR.

For a voting machine, the best way would be to have an open source OS [1], a TPM, and a boot path that would not allow decryption of the root filesystem or any other filesystem containing data if the kernel, MBR, BIOS, or boot sector has been modified. Of course someone can attack the TPM chip, but this requires access to a chip fab and James Bond style tech, not just someone with a USB flash drive and a screwdriver.

Maybe Infineon and the Trusted Computing Group could work on a specification designed with open source operating systems in mind so transparency is maintained as well as security.

[1]: OSS operating system of choice. This could be Linux, BSD, or any other operating system with the source code available for study and runnable in a VM.

Re:The Real question...

[HamburglerJones]

Would this prove anything? It seems like the candidate / party that people voted for might be correlated with their willingness to verify their votes on this third-party website. How could you be certain that the people checking were truly representative of the voting electorate? If I got all my friends who voted for Kodos to check on my website, and you got all your friends who voted for Kang to check on your website, and Ross Perot set up his own website, couldn't we all claim that our candidate actually won? It still wouldn't prove that any fraud had taken place.

Re:The Real question...

[dkleinsc]

Oh and Hawaii is out because the culture is less American than many other countries.

How can a part of America be "less American"? Yes, it's culturally different than, say, Florida, but it is part of the United States, and thus by definition Hawaiian culture is American culture.

Or in the immortal words of Dan Quayle: "Hawaii has always been a very pivotal role in the Pacific. It is in the Pacific. It is a part of the United States that is an island that is right here."

Re:The Real question...

[WaywardGeek]

Ok, so this system proves that your vote reached the tally server, but how does it prove that your vote is actually in the total?

Good question. They use "zero knowledge" proofs:

"Scantegrity uses a process called “zero knowledge” that allows skilled, independent auditors to verify that the codes result in votes going to the right candidates, without actually revealing an individual voter’s selections."

It's super-cool stuff every slashdot geek needs to know. So, this allows us to insure our vote was counted without enabling us to sell our votes. Very cool! However, it still not fool-proof. A friend of a friend of mine has gotten so worked up over an election that she went to the polls early, and often, and voted for her whole extended family. Without requiring photo-IDs, it's really easy to do. Every show up to a poll and see your name has already been crossed off?

Re:The Real question...

[mea37]

Being able to see your own code doesn't prove anything. Presumably, though, that's what the subversion repository is for.

Now I don't know what exactly they put in the repository, or how it's meant to be used. But let's take a simple example of something one might do: Post all of the codes that were counted, and which vote they represent.

Now, I can download the repository, confirm that the number of codes attributed to "Yes" is greater than the number of codes attributed to "No", that the list contains my code, and that my code is attributed correctly to either "Yes" or "No" (or whatever the voting choices were). So can anybody else. To not count someone's vote, you have to hope they don't download the data and check.

Fraud-proof? Nope. In a close race I might be able to stuff the ballot box with codes/votes that weren't on anybody's ballot. Not intractable, just shows that the above is an over-simplification.

Re:The Real question...

[jtgd]

If all the votes are public, you can tally them yourself and see if they match the official total.

Re:The Real question...

[b0bby]

Maryland has the Bay, which is awesome. But we also have (in the DC area) the 2nd worst traffic in the nation. Overall, I think it's a pretty good place to be.
Takoma Park, it should be noted, is not really representative of Maryland as a whole - it's generally marching to the beat of its own drummer, for both good and bad (mostly good, imo).

Re:The Real question...

[clone53421]

A friend of a friend of mine has gotten so worked up over an election that she went to the polls early, and often, and voted for her whole extended family.

If I found out that someone did that, I'd report them.

Re:The Real question...

[gd2shoe]

The codes are made public. What the votes represent (who was voted for) are not.

Re:The Real question...

[gd2shoe]

Being able to see your own code doesn't prove anything...

Sure it does. They cannot record the correct code unless your ballot has been processed. It doesn't mean that your vote was actually counted, though.

Now I don't know what exactly they put in the repository, or how it's meant to be used. But let's take a simple example of something one might do: Post all of the codes that were counted, and which vote they represent.

Nope, can't do that. Not with this ballot anyway. If you reveal which codes link to which candidates, you can prove how you've voted. That's exactly the type of problem they're trying to avoid.

... confirm that the number of codes attributed to "Yes" is greater than the number of codes attributed to "No", that the list contains my code,...

If you cannot link the codes to votes, you cannot directly verify the election. This is the first I've read about a zero-knowledge proof. I'm still trying to find details of how this is supposed to work in this system. I hope I don't have to resort to reading source code (the hardest way I can think to learn an algorithm). The few zero-knowledge proofs I'm familiar with simply wouldn't work, and it's a large field. I'm not going to be happy with it until somebody at least attempts an overview of this specific system and how it addresses voting issues.

... and that my code is attributed correctly to either "Yes" or "No" ...

Can't be done, as explained above. On the other hand, I've read previously that they would let you intentionally void your ballot by filling in multiple bubbles to prove that each candidate on the ballot has a unique code. A replacement ballot would then be supplied. This is a crucial step to proving that your vote was actually read.

Fraud-proof? Nope. In a close race I might be able to stuff the ballot box with codes/votes that weren't on anybody's ballot...

Very true. There have been elections recently with >100% voter turn-out in select areas. Makes you wonder...

Re:The Real question...

[mea37]

"'Being able to see your own code doesn't prove anything...'

Sure it does. They cannot record the correct code unless your ballot has been processed. It doesn't mean that your vote was actually counted, though."

I'm not in the mood for literalists this morning. If you insist, I suppsoe I could've phrased that "...doens't prove anything useful".

You'rr using a very loose definition of "processed". It proves that someone looked at the ballot long enoguh to copy the code onto a web site.

"Nope, can't do that. Not with this ballot anyway. If you reveal which codes link to which candidates, you can prove how you've voted. That's exactly the type of problem they're trying to avoid."

No, you can't prove who you voted for, because you can't prove what code showed up on your ballot. "Oh, sure, I voted for your candidate; my code was 375. No, no, of course I didn't just look up a random code for your candidate on the list after the election; trust me and pay up!"

Think about it - no matter what, I'm going to know my code and I'm going to know what vote my code means. What's necessary is for one of those facts to be unknown to anyone but me. You're assuming that has to be the 2nd one, but it doens't.

Re:The Real question...

[gd2shoe]

You're not in a mood for literalists, and yet you still replied without carefully reading what I wrote.

... Post all of the codes that were counted, and which vote they represent.

Nope, can't do that. Not with this ballot anyway...

The ballot that you're imagining is different from the one they're proposing. You can't read all the codes on your ballot. You can only read the codes for the candidates and measures that you voted for. If those last two sentences didn't cause you to rethink your statement, then reread them. That's how this ballot is designed to work (for better or worse). You can log in after the election and view the codes associated with your specific ballot. The codes are too short to be a unique identifier unless they're combined with the ballot number.

We can discus what's possible all day long. We started out by discussing this specific system. If you'd like to talk about a different system that also uses codes on the ballot, then please describe it to me so that we can have a rational discussion about the merits and flaws of that system.

Re:The Real question...

[gd2shoe]

If I found out that someone did that, I'd report them.

I would too. But if it really is a "friend of a friend", he may only be able to urge someone else to report them. Based on context, it is possible (even if unlikely) that she was reported.

Re:The Real question...

[gd2shoe]

As I've now written elsewhere in this thread: this article is the first I've seen to mention that zero-knowledge proofs may be involved with this system. There are many, many types of zero-knowledge proofs, and I don't see an obvious choice here. Until I can find an overview of the process used by this system, I won't be happy with it.

Hand waving is fine in general publications only as long as the details are readily accessible. I haven't found anything that discusses the algorithm and believe it is not easily obtained on the Internet. And no, reading source code does not count as "readily accessible". (It counts as barely accessible; it usually counts as obfuscated.) If I have to resort to reading source code to understand their claim, I'm going to scream.

Re:The Real question...

[clone53421]

Yeah. After posting that, I wondered if maybe somebody did report it, and wondered if I implied that I thought no one had. Which I did think, until right after I posted...

Re:The Real question...

[gd2shoe]

You can get, say, 100 friends, download the subversion repo and check that all your votes are counted in your copy of the repo.

You can check to see if the codes match. That's irrelevant. Every code can match in the entire repository. How does that confirm that those actual votes are in the official tally? It's that disconnect that I was pointing to.

Re:The Real question...

[gd2shoe]

No problem.

Re:The Real question...

[clone53421]

Heh. I just noticed how amusingly appropriate your sig is.

And mine, for that matter.

Transparency fail.

[arose]

On Tuesday voters in Takoma Park, Maryland, got to try out a new, transparent voting system that lets voters go online to verify that their ballots got counted in the final tally.

Scantegrity uses a process called “zero knowledge” that allows skilled, independent auditors to verify that the codes result in votes going to the right candidates, without actually revealing an individual voter’s selections.

Transparency fail.

Re:Transparency fail.

[DriedClexler]

Scantegrity uses a process called "zero knowledge" that allows skilled, independent auditors ...

Looks to me like yet another example of how mainstream reporters lack basic knowledge of the topics they're reporting on. Based on the description of the system, it sounds like the process is actually called a zero-knowledge proof, which allows you to verify certain properties of data without actually seeing the data. And the whole point of ZKPs is that you don't need skill or a specially-designated auditor set to verify the data.

Looks like "Kim Zetter" was in over her head and couldn't even keep track of what the term "zero knowledge" refers to.

Web Logs?

[icebike]

Quoting TFA

"When polls close, voters can go to the election office website, type in their ballot serial number and see a rendition of a ballot, showing the three-digit codes for their votes. This way voters can be assured that their ballot was included in the final tally."

One would hope there are no web logs kept, because simply checking your ballot would reveal your identity, and someone is sure to wrangle a subpoena for that.

Re:Web Logs?

[swillden]

One would hope there are no web logs kept, because simply checking your ballot would reveal your identity, and someone is sure to wrangle a subpoena for that.

Reveal your identity and.... what? The ballot you check on-line just has some random letters on it that should match what you wrote down in the voting booth. It says nothing about who you voted for. So if someone identifies you from the web log, all they've verified is that (a) you voted and (b) you verified your ballot.

Re:Web Logs?

[arose]

And if they have access to the actual ballots, who you voted for. A non-transparent system with a way to match voters with their votes that has been "verified to be secure by the brightest minds at MIT". Every dictators wet dream.

Re:Web Logs?

[icebike]

Clearly you understand the SOMEONE knows exactly which candidate those letters on your specific ballot refer to?

Re:Web Logs?

[icebike]

That is not at all what it says.

The info displayed on line does not indicate a candidate by name.

But the whole system wouldn't work at all if there was not a linkage between your three letters and the Candidate's name SOMEWHERE.

That SOMEWHERE happens to be in the hands of the SAME people who would have the web logs showing IP address of the person looking up ballot number 2879193274.

Re:Web Logs?

[swillden]

But the whole system wouldn't work at all if there was not a linkage between your three letters and the Candidate's name SOMEWHERE.

Incorrect. Those letters have nothing to do with your vote selection, they're just an integrity check.

Again, read the paper.

Re:Web Logs?

[arose]

There's nothing to connect the information displayed with the physical ballot. The linkage to vote selection cannot be made.

Except the 'ballot's unique ID number' of course. Have you read the paper?

Re:Web Logs?

[arose]

No, the system is carefully design to ensure that NO ONE knows who those letters refer to.

Read the paper.

Just because table P isn't published doesn't mean that it doesn't exist and can't be accessed.

Re:Web Logs?

[arose]

Incorrect. Those letters have nothing to do with your vote selection, they're just an integrity check.

Table P.

Again, read the paper.

Again, transparency fail.

Re:Web Logs?

[jcochran]

And if they have access to the actual ballots, who you voted for. A non-transparent system with a way to match voters with their votes that has been "verified to be secure by the brightest minds at MIT". Every dictators wet dream.

So? Seems to me that the proper countermeasure if you want to verify your vote and keep someone who has access to your ballot from determining who your voted for is quite simple:

Go home. Select N random serial numbers. I am assuming the ballot serial numbers are not random, but well known. Add your ballot serial number to the list. Shuffle the list. Request the read out from all the serial numbers you have. And N doesn't have to be very large. I'm thinking somewhere between 10 and 20 would work.

Re:Web Logs?

[RoFLKOPTr]

But the whole system wouldn't work at all if there was not a linkage between your three letters and the Candidate's name SOMEWHERE.

Incorrect. Those letters have nothing to do with your vote selection, they're just an integrity check.

Again, read the paper.

Read what he's saying. I have ballot 24664971 in my hand. I download apache.log and find the IP address of the person who accessed votecheck.net/check?ballot=24664971 and I trace that back to you. I now know who you voted for. It has nothing to do with the three-digit numbers.

Now, in my opinion, that's not a big deal, but I thought I'd explain it to you anyway.

Re:Web Logs?

[arose]

Go home. Select N random serial numbers. I am assuming the ballot serial numbers are not random, but well known. Add your ballot serial number to the list. Shuffle the list. Request the read out from all the serial numbers you have. And N doesn't have to be very large. I'm thinking somewhere between 10 and 20 would work.

Really depends on ballot distribution. Looking up a vote from a location you didn't vote at will do nothing to increase anonymity.

Re:Web Logs?

[swillden]

You are correct. I hadn't fully read the paper, but was basing my understanding on previous incarnations of the system.

Scantegrity II assumes that the physical ballots are stored security after scanning and not made available to anyone trying to link voters to ballots.

I wouldn't consider this a fatal flaw in the system, though. If ballots are handled properly, there is no risk to voter anonymity, and the system is designed so that the paper ballots are not needed to verify the integrity of the election, so there's no reason for them not to be locked away. Even if they're not locked away, any voter who wishes to ensure his or her anonymity can simply not take the receipt.

Re:Web Logs?

[swillden]

You are correct. If someone has access to both the physical ballots (which no one should; the system is designed so that no such access is needed for normal verification), and to the web logs, and can link the web logs to individual identities, then that person can find out how voters who verified their votes voted.

Not keeping web logs is a good idea. Securing the ballots is a good idea.

Re:Web Logs?

[icebike]

Finally!!!

So now that you understand the issue, and the fact that ALL elements needed to identify you AND your vote are in the hands of the voting authority will you go back and re-read the paper http://www.scantegrity.org/papers/ScantegrityII-EVT.pdf with a more critical eye?

Re:Web Logs?

[BasilBrush]

That only applies if the web server requires one to input one's specific ballot ID. If on the other hand all ballot numbers and codes recorded are displayed on the same (long) web page, or say 100 at a time are, then there's no way from the logs for you to know which ballot ID the individual was checking.

From skimming the paper I can's see which of the two solutions is intended. But since the solution it to the problem you suggest was so simple it occurred to me in 30 seconds, I suggest that the system designer has worked it out too.

Re:Web Logs?

[BasilBrush]

Even simpler. Have the system display ranges of ballot numbers and codes, not just single ones. If I have serial number 12345 and I click on a link to examine papers 12300-12399, the eavesdropper doesn't know which of the 100 ballots displayed I checked.

Re:Web Logs?

[swillden]

:-)

Actually, I hadn't finished this version of the paper. I was basing my comments on previous iterations, which were slightly different.

That said, if the Scantegrity II sytem is begin operated as designed, it is not the case that the voting authority has the paper ballots. After scanning, they should be locked away, since they're not needed for counting or integrity verification. They're only needed to handle disputes, and even then the voting authority doesn't need to actually handle the ballots.

In the case that ballots are not locked away as they should be AND web logs are kept AND voters can be identified from the logs, then those voters who verified their votes could lose the anonymity of their votes.

Re:Web Logs?

[Cal27]

But what if the eavesdropper has installed eye tracking software on my webcam and analyzes which code I look at? Clearly the system is flawed and will not be anonymous enough.

Re:Web Logs?

[arose]

That essentially requires two voting authorities, one to handle the printing of ballots and online 'verification' and another to handle the counting and storage of ballots after the vote. Besides the administrative problems there is also potential collusion. In short the whole thing has too many audits and secrets. A good pen and paper voting system only has one secret (your vote) and independent observers all throughout the relevant parts, as opposed to pre and post auditing.

Re:Web Logs?

[dch24]

I like that suggestion, but I have a better one: since the voting authority already has all the data, why post it online? The voting authority should be able to post the entire vote log as many printed pages on a bulletin board (behind glass). Then monitor the room where the vote log is posted so that no one takes pictures (either to "scrape" the voting log and try to crack it, or to identify those who are counting their vote). No security cameras visible either, since the voting authority doesn't need to photograph people either.

Now people can come and verify their vote and there is no log at all. Even if they are identified, their actions in the room do not pinpoint a single ballot.

It has one other benefit: people who don't want to / can't access the internet can still verify their vote. (Vote fraud also can't be done by DoSing the vote verification server.)

Re:Web Logs?

[Onymous+Coward]

;)

Nice. Now that I'm laughing at the curmudgeons who are rationalizing objections to match their ornery feelings about computer voting I'm made to think that we should be careful in mocking them. All critiques should be welcomed! Only the attitude of "mumble mumble... there's still something wrong with it I bet" should be ruthlessly denigrated.

Re:Web Logs?

[Sky+Cry]

Maybe you made a typo when looking up the number.
Also you can look up 50 different numbers.

Re:Web Logs?

[SLi]

So it's, after all, not that much different from a voting system where your name is printed on the ballot. Sure, the authorities can decide to keep that secret too. However any voting system that needs to rely on that is much worse than the plain old paper system.

And the old system is verified just as well. The verification comes from the ballot handling and counting being done together by a group of diverse people, at least one person for each candidate, so they don't have the motivation to collude to commit fraud.

Another hyped e-voting system that is no good.

Re:Web Logs?

[SLi]

So the tyrant can just come one day and unlock it and see who voted whom. No problem at all?

Re:Web Logs?

[marcansoft]

It's also worth noting that Table P can be derived from the other tables if given in full (with all the entries revealed).

Re:Web Logs?

[noidentity]

How would knowing your identity reveal anything? All you see are the codes that were on your ballow next to the choices you made. Each ballot has different codes.

Re:Web Logs?

[gfreeman]

You can't always trace an IP back to a person. Where I live, for a couple of bucks I can buy 30 minutes of internet time from an internet cafe, no-one takes my name or ID of any description, there's no personal logon required, and a court order is required to get access to any CCTV that may or may not be present in the cafe ... probably not, and even then I bet it's VHS over-recorded every couple of days (why would an independent internet cafe invest thousands in a networked video surveillance system? Their margins are small enough as it is).

Re:Web Logs?

[swillden]

A good reason for not keeping logs -- and if you're really concerned about it, for not verifying your vote. The system doesn't need *everyone* to verify, just a small percentage.

Re:Web Logs?

[swillden]

So it's, after all, not that much different from a voting system where your name is printed on the ballot.

That's quite a stretch.

• If logs aren't kept, you can't be linked to your ballot.
• If ballots are secured, you can't be linked to your ballot.
• If you choose not to verify, you can't be linked to your ballot.
• If you choose to verify from a public Internet connection, you can't be linked to your ballot.

If any ONE of the above hold, then you're anonymous, and two of the four are entirely within your control. Oh, and better make sure you wear gloves when you vote so that you don't leave fingerprints on the ballot.

And the old system is verified just as well. The verification comes from the ballot handling and counting being done together by a group of diverse people, at least one person for each candidate, so they don't have the motivation to collude to commit fraud.

But that verification has been shown not to do a good job of preventing ballots from getting lost or ignored. This system closes that hole while maintaining the other advantages of a paper ballot system.

Another hyped e-voting system that is no good.

This is not an e-voting scheme. There is no requirement for any computerization at all; the whole thing can be done manually. It's more convenient to process the results electronically, but it's not necessary, and doing so in no way compromises the integrity of the result. In the words of the authors, it's a mathematical voting system, not an electronic voting system.

Re:Web Logs?

[clone53421]

checking your ballot would reveal your identity, and someone is sure to wrangle a subpoena for that.

No chance in hell. It's illegal to force someone to disclose their vote, and there's no way a court is going to grant a subpoena that breaks the law.

Re:Web Logs?

[clone53421]

I download apache.log and find the IP address of the person who accessed votecheck.net/check?ballot=24664971 and I trace that back to you.

Good luck with that if I do it from the library or the nearest open WiFi.

Re:Web Logs?

[RoFLKOPTr]

Wow, people just don't get it. A few people have replied to my post saying "I can go to an internet cafe" and "Good luck with that if I do it from the library" as though I'm threatening people or something. I don't care if you go to a library. If I have one ballot, I likely have an entire box of ballots. I can identify people and use that information for whatever crazy purposes I want.

But also, as I said, it's not really a big deal if I find out who someone voted for. Does it really matter? What am I gonna do with that?

Re:Web Logs?

[clone53421]

My point wasn't that you're SOL if I check my ballot from the library. It was that I'm safe from whatever nefarious intent you had, because even if you can identify a bunch of other people, you can't identify me.

But also, as I said, it's not really a big deal if I find out who someone voted for. Does it really matter? What am I gonna do with that?

Fire them, let's say... of course the pink slip can't say "voted for the wrong person", but there are plenty of other excuses to fire someone.

Great on paper - but in real life?

[fremen]

This system assumes three things:

• Everyone participates - voters have to validate their vote afterward to make sure it's still correct.
• Everyone is perfect - people who incorrectly cast their vote will always suspect fraud, calling the entire election into question.
• Everyone is sane - individual voters do not lie about about their vote to game the system, cast doubt on the election, etc.

Re:Great on paper - but in real life?

[CannonballHead]

With perfect, sane, always-participating people, who needs a government? ;)

Re:Great on paper - but in real life?

[swillden]

This system assumes three things:

• Everyone participates - voters have to validate their vote afterward to make sure it's still correct.

Per TFA, only about 5% of participants have to validate their vote afterward to assure the election's integrity to within normal margins. Also, exit polls in the Maryland town showed that about 30% of voters copied down their validation info. If a third of them bother to go online to check their ballots, that will be double the required participation.

Everyone is perfect - people who incorrectly cast their vote will always suspect fraud, calling the entire election into question.

Individuals will always have suspicions, but unless there is a widespread pattern of "errors", rational voters will be able to have greater confidence than they do in any other system. Unlike any other system, this one actually provide a way where lost or altered ballots have a chance of being discovered.

Everyone is sane - individual voters do not lie about about their vote to game the system, cast doubt on the election, etc.

Again, isolated cases will occur, but that happens regardless. In the absence of significant numbers of reports from generally honest and reliable people, then we'll have more confidence in the accuracy of the vote than any other system can provide.

Basically, your objections boil down to "Nothing is perfect". Well, duh. But it doesn't have to be perfect, it just has to be better. And it is.

Re:Great on paper - but in real life?

[rm999]

The system doesn't assume "everyone" does anything. Statistically, only a small sample is necessary.
FTFA: "People who don't want to do it or don't care can completely ignore it," Chaum said. "We only need 3 to 5 percent of people to verify their votes [to make it effective], depending on how close the contest is. If it becomes close, then you need a larger percentage to get the same level of confidence."

Re:Great on paper - but in real life?

[Strilanc]

Not everyone has to verify their vote. An attacker will have to throw away a large number of ballots in order to sway an election. If each voter has a 5% probability of checking their vote and only 100 votes are thrown away, the probability that the attacker is at least detected is greater than 99%.

There's also no need for perfection. The number of reports will be higher when the election is attacked. Apply basic statistics to figure out how likely it is the election was stolen instead of just people making mistakes.

Re:Great on paper - but in real life?

[BasilBrush]

I don't. At least not when it's Diebold computers.

Re:Great on paper - but in real life?

This system assumes three things:

• Everyone participates - voters have to validate their vote afterward to make sure it's still correct.
• Everyone is perfect - people who incorrectly cast their vote will always suspect fraud, calling the entire election into question.
• Everyone is sane - individual voters do not lie about about their vote to game the system, cast doubt on the election, etc.

I voted the parent post down as a troll, but instead the Slashcode modded it up as "funny"...what the hell? I demand this site be taken down until the parent post is rated -1 Troll as it has been voted.

Re:Great on paper - but in real life?

Everyone is sane - individual voters do not lie about about their vote to game the system, cast doubt on the election, etc.

Again, isolated cases will occur, but that happens regardless. In the absence of significant numbers of reports from generally honest and reliable people, then we'll have more confidence in the accuracy of the vote than any other system can provide.

Interesting. I hadn't thought about this before reading this comment, but to effectively lie about which vote you cast, you'd have to know the code ("secret") hidden behind one of the alternative selections. You'd have to find a way to figure it out without spoiling the ballot by marking both the alternative (lie) selection and your real (affects election results) selection, which would make the ballot invalid.

It might be possible (technologically). I'm not sure what you'd gain from such an exercise though. You would need to conspire secretly with a number of people to do this on a large enough scale to be newsworthy, and all you'd gain is another election and possibly a different voting system.

Re:Great on paper - but in real life?

[fremen]

What defines a "widespread pattern of errors?" In small elections or close elections, changing a small fraction of votes could affect the outcome.

Re:Great on paper - but in real life?

[swillden]

What defines a "widespread pattern of errors?" In small elections or close elections, changing a small fraction of votes could affect the outcome.

The use of the three-letter codes allows most errors (whether deliberate or accidental) to be weeded out because the odds of accidentally providing a valid code are small. The remaining complaints are called "plausible discrepancies" and the paper explains how to calculate an appropriate trigger threshold, based on the number of plausible discrepancies vs the total discrepancies, the number of candidates, the size of the code space and the degree of certainty required (which is dependent on the closeness of the race). If the trigger threshold is exceeded, then there is evidence of systemic failure and an investigation is required.

Re:Great on paper - but in real life?

[KraftDinner]

As well, anyone who says the system is rigged will be asked to produce their code and then one can actually check to see if they're lying.

Re:Great on paper - but in real life?

[clone53421]

What you meant to say was "Government employees".

Re:Great on paper - but in real life?

[clone53421]

If each voter has a 5% probability of checking their vote and only 100 votes are thrown away, the probability that the attacker is at least detected is greater than 99%.

Wow. I had to do the math on that, just to make myself believe it, and you're dead-on correct.

95% chance of not verifying your vote ^ 100 people = 0.59% chance of all 100 people not verifying their vote.

I.e. a 99.41% chance of detecting the fraud.

Re:Interesting, but...

[icebike]

I'm far more concerned about phantom votes being counted than real votes not being counted.

There is a long history of not counting write in candidates and absentee votes when the total number of such ballots does not exceed margin the winner holds.

Many people just start whining when you tell them this and insist every vote be counted, but it is irrational emotionalism unswayed by 3rd grade math skills.

Re:Interesting, but...

[NoYob]

but are we that concerned about votes not being counted?

I was about to write a long reply about how democracy depends on the fact that bla bla bla... and how you cannot trust people, especially what in politics and bla bla bla... but you asked a simple question so I'll give you a simple answer: Yes.

To most people it's only "Yes" if the election doesn't go their way.

Approval voting

[tepples]

It appears as though we can only see the code for a candidate if we reveal it with the invisible ink; checking the others would ruin the form.

Lobby your legislators to switch your jurisdiction to approval voting. This system allows voters to sort candidates into two bins: desirable and undesirable. Once your jurisdiction uses approval voting, you can mark two candidates that you'd be happy with (e.g. a Democrat and a Green, or a Libertarian and a Conservative), and both votes will be counted.

Adaptable to a ranked voting system?

[John+Whitley]

A quick surfing of the Scantegrity Wikipedia article and the links above didn't definitively answer an interesting (to me) question: can it be applied to a ranked voting system such as IRV or Condorcet?

The offhand solution would be to use Scantegrity's technology with a matrix of bubbles for ranks vs. candidates. Anyone familiar with this work know whether this has been addressed? I skimmed through the IEEE article as well, and found no mention of any ranked voting systems.

Re:Interesting, but...

[swillden]

I'm far more concerned about phantom votes being counted than real votes not being counted.

Both are real issues. There are plenty of examples of ballot boxes getting "lost", so those are real problems. Dead people voting, multiple votes, systematic exclusion of voters (not losing their ballots, but preventing them from voting), all of these things are problems.

This system doesn't solve all of those other problems, but it does solve the problem of votes getting lost, altered or counted incorrectly. And it does it in a mathematically-provable fashion.

See the paper.

Why didn't they just use Punchscan???

[Bourdain]

Seemingly very easy to implement...
http://www.punchscan.org/

Re:Why didn't they just use Punchscan???

[pavon]

Scantegrity is the successor to Punchscan, developed by the same people (David Chaum et al). The only detailed analyses that I can find about their differences are behind journal paywalls like this one at the IEEE.

Exploit....

[reverendbeer]

...on fulldisclosure in 3...2...1...

Re:Interesting, but...

[calmofthestorm]

I'd trust it a lot more if I could log on online and verify my vote. I have heard one reason against it: Suppose you work for a company that enjoys putting [illegal, but still] pressure on employees to vote for the Baby Eating party because it supports their economic policy. They could then demand that employees tell them their numbers so they can check that they didn't vote for the Cute Animal Hugging party instead.

There are ways to mitigate this, and it isn't a huge concern, buth worth mentioning.

What are the options?

[AHuxley]

Have paper and select who you like, drop into a sealed box.
Election workers keep eyes open. At the end of the day reps of all the people involved stand around in a open room and count.
Takes time, expensive, but hard to fake.
If you cannot make it, postal or an election worker comes to you.
As for digital, open source, simple and all parties can see the unit, code.
On the day you press and its collected at a central point.
Instant and the press love it.
The problem with the above is no room for profit or stuffing.
Your part of the world has to have been so corrupt, at war or new to democracy to get it working.
In the US you are told its so open free and fair and transparent every day.
Is it? Why are AMT sellers making the closed source units? With cable pundits and talking heads screaming at you "they are used in banks, its fine", dont mind the party political rants by the owner.
Enigma, cryptoAG ect all gave perfect service on the day.
In Capitalist West a nice man owns the IP to your vote.
In Soviet Russia a nice gov owns the IP to your vote.
In both parts of the world, you have a right to vote.
As Stalin said "It's not the people who vote that count. It's the people who count the votes."
The end count is the elephant in the room, not just the cute open source, optical-scan $x,000 input device.

Re:What are the options?

[Onymous+Coward]

http://openvotingconsortium.org/

Please support.

Re:What are the options?

[BitZtream]

Open source voting software isn't really going to help.

You can see the open source software is safe.

You can't see what the binaries or even hardware on the system is doing. You can't verify that its running the code you see. You can't even copy it off the system and be sure you're looking at what was running rather than a copy put there just in case you try to copy it off.

Re:What are the options?

[sapphire+wyvern]

In Australia, vote counting is a public process which can be attended by anyone (I think). In practice, the major parties send scrutineers, and I imagine independents tend to keep an eye on things as well. Mutual suspicion, a spread of power amongst interested parties so that no-one can dominate the proceedings, and a panopticon process are the best way to handle such things.

Of course, we use old school paper voting. We have two systems: instant run-off preferential voting for House of Representatives (equivalent to the British House of Commons) electorates, and a much more complicated preferential system for the Senate electorates. Our Senate is like the American Senate except that it strictly serves as a review board for legislation, and Australian senators are much less powerful than American senators. That's the federal system; state parliaments are similar, but some have dispensed with the upper house entirely.

Funnily enough, despite the fact that we have far more complex vote counting systems than Americans (first past the post is beyond sucky), we get results the night of the election without needing to resort to black box electrickery.

Re:Interesting, but...

[vilhuber]

Not sure I'm reading you properly, but this system allows you to verify your vote was COUNTED, nothing more. You can't show or prove to anyone HOW you voted, just that you did and that your vote is in the tally AS CAST.

This is huge. I've been waiting for chaum's election stuff to actually be used for quite some time now. I'm hugely excited.

Re:Interesting, but...

[4181]

... putting [illegal, but still] pressure on employees to vote for ...

... it isn't a huge concern, but worth mentioning.

I'd say it is a huge concern. Besides voter intimidation (be it by employer, spouse, or local thug -- ever read Rohinton Mistry's "A Fine Balance"?) it also raises problems with vote buying. A secret ballot is "sine qua non for a functioning democracy." While a voter is permitted to reveal his or her choice, the system must not be allowed to verify it to anyone else, allowing the voter to lie and thus making voter intimidation and vote buying less effective.

Some "get out the vote" campaigns can be seen as a form of intimidation, and while they are always targeted at favorable populations, they run the risk of alienating the voter if they go too far, and the voter must be allowed to secretly either spoil the ballot or vote for an opposing candidate. Unless this system offers a none-of-the-above option (with corresponding code) for each office or measure, this system degrades a voter's ability to anonymously spoil his or her ballot.

There are ways to mitigate this, ...

Do you have any concrete suggestions?

creepy

[goga_russian]

so they are saying that my forum captcha and craigslist copy and paste is more secure then the vote verification thing?

It's Takoma Park, folks

[R2.0]

This is the place they like to call the "Berkeley of the East". It's so liberal it's almost a parody. I think the MD Democratic Party keeps it around as a pure strain in a petri dish so that they can pretend they are also liberal.

It also means that if Takoma Park thinks it's a good idea, everyone else in MD will think it's a joke and ignore it.

Re:It's Takoma Park, folks

[Alkivar]

Having spent my teenage years there, I can verify everything this poster says is true. Takoma Park is a joke to the rest of the state, and results will sadly be ignored by state government.

Re:Interesting, but...

[calmofthestorm]

I have a few concrete suggestions but none are complete fixes. For example, you have many more voter-verification numbers than actual votes, distributed uniformly, so it's easy for any employee to find a number that corresponds to any vote and claim it was his. Problem: What if the company gets the same number from two employees. This isn't an issue for integrity because while everyone knows there are loads of fake votes in the numbers, he can still look up his own number.

Have the system only give you a lookup number with probability 0.5/0.1/whatever, so each employee can reasonably claim he didn't get one. Problem: Some companies have a statistically significant number of employees. Even if they don't know which ones to punish, they can just take it out on the group.

Give the user a secret code that can be used to change the number on the site after viewing it. Problem: Security risk, trust issues, too complicated for most people to use.

Have strict laws against voter intimidation. Problem: We do already; it still happens.

I personally believe that with all the crooked electric voting we've had in the past ten years, accountability is more important than anonymity. But the fact is: There's no system that's COMPLETELY immune to government tampering. One some level you have to trust the government. But there are different levels of trust, and making it as hard as you can to mess with is a good idea. And I'm not convinced we need to give up anonymity to obtain greater accountability.

Then again, I've never been personally threatened regarding my vote. It sounds really scary, I hope I never am.

Re:Interesting, but...

[harryjohnston]

If you take a photo of your ballot, what prevents you from proving who you voted for?

Re:The Real answer...

[gd2shoe]

"I've always said there was something fundamentally wrong with the universe."

Re:Interesting, but...

[Mr2001]

Not sure I'm reading you properly, but this system allows you to verify your vote was COUNTED, nothing more. You can't show or prove to anyone HOW you voted, just that you did and that your vote is in the tally AS CAST.

Er, unless I'm missing something, it's still possible to prove to someone how you voted. You just need to take a picture of your ballot, showing that the code "JX" is in the bubble next to "John Smith" -- this is pretty easy if you're voting absentee, or if you aren't frisked and metal-detected on your way into the voting booth. When the local thug comes around to verify your vote, you show him the picture and your ballot ID, and then he goes online to make sure that your ballot ID and your "JX" vote are in the system.

Is voter verification really desirable?

[wfstanle]

I have real doubts about allowing voters to check how they voted AFTER they leave the polling place. By allowing a voter a way to verify how he voted you open the door to all sorts of abuses. A voter could sell his vote and the buyer could have a way to check he indeed did vote the way the buyer wanted. Another abuse is employers threatening his employees with firing if he did not vote the way the employer wanted.

The problems might be overcome if the voter would have to visit the election clerks office and prove his identity and was also alone when he viewed the way he voted.

This allows vote buying!

[xant]

I don't see a single thing in this system that would prevent vote buying. You get a receipt with your choices on it, encoded in some form, yes? You can then go to a website, and enter codes, to see who you voted for, yes? True, only the individual voter (or someone possessing the receipt) can do this.. but that doesn't matter a damn to a vote buyer. Why? Because, as this system's designers seem to have forgotten, the voter is complicit in vote buying. The voter gets money for turning over his receipt and secret knowledge, whatever that may be, to the person who wants a verified vote for his candidate.

Re:This allows vote buying!

[dch24]

There is no way to connect your codes on your receipt (two letters each) with the name of the candidate. Every ballot uses different codes.

The website only shows you: serial number 1234567 voted for these codes: two-letters two-letters two-letters, etc.

Re:This allows vote buying!

[tmassa99]

You can then go to a website, and enter codes, to see who you voted for, yes?

No!

Re:This allows vote buying!

[BitZtream]

Uhm, nothing prevents vote buying now, its just hard to verify.

Re:This allows vote buying!

[RAMMS+EIN]

It's right in your post:

``The voter gets money for turning over his receipt and secret knowledge, whatever that may be, to the person who wants a verified vote for his candidate.''

The key is in the words I've emphasized. You can show your sponsor the codes you wrote down. Your sponsor can then go to the website and see that there indeed exists a ballot that matches these codes. You get paid, you're both happy. Only you have the secret knowledge that these codes mean you voted for Bob, not Alice as you told your sponsor.

Re:This allows vote buying!

[Attila+Dimedici]

No, this system does not allow vote buying, it does not verify that your vote was counted the way you voted, only that your vote was counted. Of course that is part of the problem, how do I know that the system recorded my vote the way I entered it? Second, how does a non computer programmer know that the system actually does what is claimed? Finally, how does even a computer programmer know that the software that does this is actually installed on the voting machine he/she votes on (and not some software that mimics it).

Re:This allows vote buying!

[xant]

Ohh. Then you're right, it's just another false verification scheme.

Re:This allows vote buying!

[2obvious4u]

Why does vote buying matter? Look at the NYC mayoral race $157.27 per vote for Bloomberg, $13.12 per vote for Thompson. They did it in advertising.

We already buy and sell votes. I don't think it would really matter if you could buy or sell a vote. If the issues matter in an election they couldn't pay you enough to change your vote. If the issues don't matter then why not sell your vote. You couldn't have paid me enough money to vote for Barack Obama (I voted Ron Paul - McCain is as bad or worse). As for city elections for something like school board, I'd so sell my vote because it really doesn't matter to me. But for any office where they have the option to tax or make something illegal you couldn't buy my vote (well in a way you do by your policies...) The entire system is based on buying and selling votes. You think that Barack's promises of health care for all weren't vote buying? Or not taxing anyone making less than $250,000 a year. That was so vote buying. A direct check from the candidate would be a much more efficient method.

The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.

- not Tocqueville or Tytler so we'll say unknown.

Re:Interesting, but...

[dch24]

Your proposed vote buying system is interesting and I might consider subscribing to your newspaper.

But it doesn't scale, imho. Everybody voting absentee in a district? Red flag. Digital camera in the booth too often? (Some people are savvy enough to turn off the sounds, and some people are savvy enough to hide their camera. But most people are not.) Red flag. Game over.

Besides, buying people off is expensive. Much easier to move corrupt ops to a district that isn't as secure as this one. Remember, you only have to be more secure than the next state! Vote early, vote often!

Re:Interesting, but...

Er, unless I'm missing something, it's still possible to prove to someone how you voted. You just need to take a picture of your ballot, showing that the code "JX" is in the bubble next to "John Smith" -- this is pretty easy if you're voting absentee, or if you aren't frisked and metal-detected on your way into the voting booth. When the local thug comes around to verify your vote, you show him the picture and your ballot ID, and then he goes online to make sure that your ballot ID and your "JX" vote are in the system.

I believe there is a fundamental choice here. Either you can

a) have the design flaw be your vote is discovered

or

b) have the design flaw be a stolen election

Either way, I guess we must contend with thugs. Thugs in "a)" system have to go after voters individually and run afoul of numerous laws in front of innumerable witnesses. In the "b)" system, you target a few polling places with few witnesses, possibly none if done over a network.

On another note, I may favor anonymous speech ;), but I have mixed feelings about anonymous exercise of political power. That is what voting is. Our legislatures are not allowed to hide their votes (except for near-unanimous voice votes).

first the machines, then the system

[Onymous+Coward]

Hear hear!

I believe FPTP is killing our political system by making it a constantly devolving lesser-of-two-evils non-choice.

Getting a well-working computerized voting system is a first step to implementing something more sensible than First Past The Post.

1. implement computerized voting
2. switch to a Condorcet or preference voting system from FPTP, thus truly enfranchising the electorate
3. ...
4. Profit?

Re:first the machines, then the system

[amplt1337]

Antiprofit, unfortunately, for those doing 1) and 2) -- because the entrenched politicians who're doing quite well by the current system would have to be the ones to make the change.

That said, I absolutely want this to happen.

Re:Interesting, but...

[Mr2001]

But it doesn't scale, imho. Everybody voting absentee in a district? Red flag.

In the state where I live, 37 of the 39 counties have nothing but absentee voting. You can go to the election office to drop off your ballot, but everyone gets a ballot weeks in advance.

On the other hand, that means we've already conceded the battle against this sort of voter intimidation/bribery. The thug can just watch you fill out the ballot. Hasn't been a problem in practice, though... yet.

Digital camera in the booth too often? (Some people are savvy enough to turn off the sounds, and some people are savvy enough to hide their camera. But most people are not.) Red flag. Game over.

I don't know about your camera, but mine is cleverly hidden inside my cell phone. Doesn't take much savvy to get one of those, and before long, almost everyone will have a 3+ megapixel camera in their pocket -- if we're not there already.

Re:Interesting, but...

[Zerth]

I don't know about your camera, but mine is cleverly hidden inside my cell phone. Doesn't take much savvy to get one of those, and before long, almost everyone will have a 3+ megapixel camera in their pocket -- if we're not there already.

And not long after that, every phone will have photoshop on it.

No more verification for mister vote buyer.

And if you suggest cheapo film cameras, what stops me from taking a picture of my phone's screen while badly out of focus? Besides a beating, anyway...

It completely misses the point

[Casandro]

It completely misses the point. The point is not that a system is "impossible" to manipulate. The point is that _every_ voter has the ability to check the vote.

Just compare it with the pen and paper based system. Everybody can understand it. You have a box which must be empty when they start voting. And people come in, get a piece of paper each, fill it out in private fold it and throw it into the box. At the same time his name gets crossed out on a list. Now everybody can check this fairly easily.

Now let's look at whatever machine-based system you've got. You've got this machine, either mechanical or electronical. You usually cannot look inside of it. You cannot tell if the levers are labelled correctly or if the firmware is really what it's supposed to be. Even if you have sourcecode that's completely unusable for the 90% of people who cannot read code. Relying on others is not an option as the others could be against you. Just imagine a party forming beeing against computers, which programmer would help them?

Re:Interesting, but...

[Anthem.uxp]

In a two party system that is. In a fictitious country with five equally strong parties it'll be "Yes" to at about 80% of the people.

Combining new tech and old tech

[twomi]

How about combining new tech and old tech for a new solution: instead of using pen and paper you use voting machine, which prints your vote on a paper (ballot card), and also stores the vote in some database. You then drop the ballot card for voting box (same as you do now). Electronic votes are used for result approximation and for press and news etc (you can use simpler scheme than in TFA), and the paper votes are still the official result and are counted and verified by hand. Obviously this does not cut down costs, but gives you the security of a current pen and paper system, yet delivering speedy results and other benefits electronic systems have.

Useless

[justinlee37]

Speedy results don't help us when we can't act on them and have to wait for the hand count to be completed.

Re:Interesting, but...

[TheLink]

Why are you all so worried about voter intimidation?

Countries where voter intimidation is a significant problem are normally so screwed that you'd be glad you're actually getting paid to vote however they want, rather than them just announcing the results (before the elections even ;) ). And if you can't report them to the cops or election officials and still live unharmed, they and their cop friends could escort you to the voting booth and force you to vote the way they want on whatever fancy system there is. So what's the big deal?

The big problem with insecure electronic voting systems is that millions of votes could get tampered with, without a trace. The other big problem is even if there isn't tampering how do you convince the loser and enough of his supporters that he lost fair and square?

At least with this system the losing team can prove to themselves that yes their votes were counted and too bad they really lost, try again next time.

With some crypto voting systems though, the voters could forget or "forget" how they voted and so they may think their votes were tampered with. I don't know whether this could happen with this particular voting system.

Re:Interesting, but...

[jonbryce]

Election frauds are usually due to additional votes being counted which shouldn't be counted. This isn't going to stop that.

The proof I'm a genius is gone

[Spinlock_1977]

With the exception of the 'magic ink', I proposed this exact mechanism on Slashdot about 18 months ago. I'd provide a link to the post, but it was a comment on someone else's thread, and apparently they get purged after a time. Ain't that ducky? I've finally proven to my own satisfaction that I'm far smarter than everyone keeps telling me, and the proof is gone. Maryland, if you're looking for someone with a huge ego to help out with that/my system, drop me a line.

Re:The proof I'm a genius is gone

[clone53421]

Do you mean this comment?

FWIW, your suggestion didn't include randomizing the codes and using different ones on each ballot. If the codes are the same on all the ballots, you lose the anonymity of your vote – someone could force you to reveal your ballot number, check the codes on the website, and tell from the codes who you voted for.

With random codes, you know which candidate that code went to, but there's no way for the goons to know.

Re:Interesting, but...

[gfreeman]

In a two party system that is. In most countries outside the US where a two-party state is not the norm it'll be "Yes" to at about 80% of the people.

Fixed that for you.

The Problem Is...

[sycodon]

I believe one of the benefits of and primary arguments for a secret vote is that one may vote their conscious without fear of reprisal or other repercussions. The paper ballot fulfills this perfectly.

The system described here has a double edged sword. If the voter can log on to verify their vote, then someone else can force them to log on a prove they voted "correctly".

A simple solution would be to enable a voter to only confirm their vote was tallied correctly at the registrar's office, after providing picture ID, allowing only the voter to view the confirmation, and not providing any kind of receipt.

CVS?

[scorp1us]

Why not use CVS instead of subversion? then you could have your CVS Voting System? And all the bearded admins would be happy. You want your admins to be happy.

Re:Interesting, but...

[clone53421]

Do you have any concrete suggestions?

Concrete boots?

Oh wait... you meant to eliminate worker intimidation. Never mind.

Re:Interesting, but...

[Josh04]

You misread "cryptic" as "cryptographic" and this is a sign of sexual frustration?

Re:Interesting, but...

[mea37]

Absolutely.

The interesting thing about the Florida debacle isn't that it was a unique breakdown in our voting system. Quite the opposite - the interesting thing is that it goes on all the time but usually nobody notices.

Florida's count wasn't the worst in the 2000 election, even. It just happened that, in the order results were tallied and reported, Florida's was perceived to be the one screw-up that was deciding the election. Gore chose to make political hay over it, and while it didn't work out, it threw a spotlight on one instance of a problem that is ever-present in any large-scale vote, and that should have as much attention as is required to correct.

For the record - I don't know or care who the "legitimate" winner of the FL vote was. I am not a Bush supporter, but I do think Gore was in the wrong in that you can't pick and choose where to set more stringent counting standards, especially after the vote has been taken. And that's the point - what we should want are better counting standards everywhere, in every election.

Re:Interesting, but...

[Mr2001]

Won't work.

3) Thug looks at your picture and verification code.
4) Thug goes online and sees that your ballot wasn't entered.
5) Broken legs!

Re:Interesting, but...

[Mr2001]

Why are you all so worried about voter intimidation?

I don't think voter intimidation is a realistic problem in America. Voter bribery, on the other hand, might be. Look at how many apathetic voters there are, even here on Slashdot ("Democrats and Republicans are the saaaaaame, man! Why even bother?"). How many of them would be willing to sell their votes? They're not using those votes anyway!

Re:Interesting, but...

[clone53421]

"Excuse me, sir, but I accidentally the whole ballot. Can I have another one?"

They'll just void the first ballot and give you another.

Piss them off by doing it too many times, though, and I'm not sure what they'll do.

Re:Interesting, but...

[harryjohnston]

But then the website will show that the ballot you photographed wasn't counted.

Very Cool

[Zotdogg]

I sure this new system is not where electronic voting needs to be in the end but the fact that people are working on making these systems better truly puts my mind at ease.

Re:Interesting, but...

[clone53421]

So don't photograph the ballot.

If you don't, you have no way, after you vote, of proving who you voted for.

The point is that you can't be forced, after voting, to prove who you voted for. If you wanted to prove it from the get-go, of course you could photograph the ballot.

There are still plenty of ways of fooling the snoops, though.

Say you "forget" to reveal the code before taking the picture. Then you void the ballot and cast a new one. "Correct" votes, but no code to verify them. But hey, it was an honest mistake.

If you think that won't satisfy them, just digitally edit the photo to show the code off the second ballot (the one you did cast). There's no way of proving that the ballot corresponding to the code didn't have those choices selected. Or just edit the choices so it looks like you voted for someone you didn't. Save the original JPEG metadata and no-one's the wiser.

Re:Interesting, but...

[harryjohnston]

Say you "forget" to reveal the code before taking the picture. Then you void the ballot and cast a new one. "Correct" votes, but no code to verify them. But hey, it was an honest mistake.

Won't stop the bad guys killing you. Or refusing to pay.

If you think that won't satisfy them, just digitally edit the photo to show the code off the second ballot (the one you did cast).

Granted, I didn't think of that. However, this wouldn't work if you were required to send the photo while actually at the ballot box.

UMBC, not University of Maryland

[Arathon]

We're kinda touchy about this. ;)

Slashdot has run stories about this system before, too, and it's awesome. But yeah, this was developed largely at the University of Maryland, Baltimore County.

Re:Interesting, but...

[TheLink]

I don't see what's so wrong with voter bribery.

Politicians already promise to bribe voters with their own money and many dumb voters keep falling for that (they don't bother to use their brains to see whether it's good or bad in the long term or not).

This is just shortcutting the process, and you can ask for the money upfront.

The Freemarket fanatics should be fine with it- willing buyer, willing seller.

As you said, they're not using those votes anyway or care very much about "alternatives". So they might as well sell them. This happens in many 3rd world countries.

If voters really bothered they could work out a system so that they could trade or swap their votes with other voters. I wonder if that would make gerrymandering less predictable ;).

Re:Interesting, but...

[Mr2001]

Politicians already promise to bribe voters with their own money and many dumb voters keep falling for that (they don't bother to use their brains to see whether it's good or bad in the long term or not).

This is just shortcutting the process, and you can ask for the money upfront.

You're assuming it's the politicians who would be doing the bribing -- rather than, say, the RIAA bribing people to vote for a candidate who will support their latest DMCA sequel.

Re:Interesting, but...

[clone53421]

Granted, I didn't think of that. However, this wouldn't work if you were required to send the photo while actually at the ballot box.

Just wait... someday cameras will have Photoshop built-in! ;D

Re:Interesting, but...

[clone53421]

Digital wizardry to the rescue...

I still prefer...

[simonfunk]

I still prefer this: http://sifter.org/~simon/journal/20081009.html (if I don't say so myself...)