An Anonymous, Verifiable E-Voting Tech
Kilrah_il writes "After the recent news items about the obstacles facing E-voting systems, many of us feel it is not yet time for this technology. A recent TED talk by David Bismark unveiled a proposal for a new E-voting technology that is both anonymous and verifiable. I am not a cryptography expert, but it does seem interesting and possibly doable."
And how much better is it than marking a circle with a pen and having someone scan the ballot into a machine? Most of the issues with e-voting have been that people are too dumb to see what they are doing.
Better voting systems still won't fix the root issue: the people who get elected into power are corrupted by that power.
Metagovernment isn't perfect, and it will take a long time to get up and running, but... how does it compare to what we have now, where votes are sold to the highest bidder, idiots are in charge, and our participation is limited to 30 seconds in a booth every two years?
Here in Indiana... also known as "flyover country" to you sophisticated Coasties, we are just so primitive and backwards. All we have here are paper ballots that are easy to fill in and are then automatically optically scanned to register the vote electronically while still having a full paper record of the ballots. I wish we could be more sophisticated and have exotic electronic systems that employ security experts to both verify them and crack into them at the same time.. think of all the taxpayer money we could spend!
I read the article - all zero words of it - so perhaps the multimedia component of it addressed this concern, but I find it hard to imagine how:
If I can verify that my vote was counted, and can prove how I voted if there was a fraud to force a recount/etc, how does the system make it impossible for me to prove to my boss/spouse/friends/church/etc how I voted?
The problem with receipts is that if you can prove how you voted, then you can punish people for not voting the right way. All an abusive husband has to do is tell his wife to show up with a receipt showing the correct votes or she'll be beaten. You can make the receipt private, but an abusive husband/wife/parent/boss/etc. will just tell people to turn them over or they'll be punished.
The effects of this kind of thing can be very subtle. People will change their voting patterns even if they think they MIGHT be asked to show that receipt. Maybe everybody in their union or church or whatever voluntarily posts their receipts as a show of solidarity, and who wants to then be the one person who doesn't join in?
If a voting system is well-designed it should not be possible for anybody to prove how they voted. Other controls should be used to ensure all votes are counted.
Given the recent corruption at all government levels, I don't feel I can entirely trust manual systems, let alone e-voting. I might warm up to the idea a little bit more if basic things, such as - gasp - an audit trail, are added to the e-voting. I never understood how an electronic voting machine would not include auditing facilities.
How do you get over the idiocracy, though? There's always going to be someone who protests the system purely because they do not understand how it works. And as recent elections have proved, you need not be right to be heard by many; all you need to be is loud.
You must NOT be able to prove your vote was counted correctly for a specific candidate. That leads to bribes/threats (i.e., your boss can ask to see the proof; if you want to assume that's illegal, think of all the other people who may "ask" to see it or offer something if you volunteer).
There are ways to do this and meet your requirements, but there is more to it than the 3 you listed.
A fragile democracy is one where, among other things, no one trusts the current paper-ballot voting system, because it is highly manipulated and corrupted. Many countries fall into this category. Iran is a notable recent case.
They could use a well-principled Internet voting system administered by a UN agency. You could run the election for a month to prevent voter intimidation. You could have the computer, rather than the dictator's cronies, count the votes. There would be no more 10% to 20% discrepancies in the claimed voting results.
Please tell me - do we get ANYTHING out of e-voting apart from a time saving between closing the polling stations and declaring the result?
For elections regarding terms of more than 4 years - forget it. The potential lack of trust in e-voting (as opposed to regular paper voting), because conspiracy theorists will immediately claim any election was stolen, which is a lot harder to do if there are actual people counting the votes publicly...
Just think about how much time is still being wasted discussing whether Obama is a Muslim, or whether he is a natural-born US citizen -- think about how much time will be wasted afterwards in endless discussions brought by conspiracy theorists of the 'losing side' in ANY poll....
It's not worth it.
http://www.pretavoter.com/faq.php
Besides, it's not that hard to create a paper ballot system that is secret and fair, but uses computers to speed the creation and counting.
Step 1. Have a printer kiosk that lets you select who you vote for electronically. It also shows 3 colors/icons/etc. You select a color/icon when you vote.
Step 2. The kiosk then prints out TWO identical bar-coded paper receipts that have nothing but numbers on them.
Step 3. Take bar coded paper receipt to second machine, called a reader.
Step 4. Feed one (either one) into the reader. That reader displays who you voted for; you can confirm or deny. Assuming you confirm, it keeps the one receipt and you keep your own. If you deny, it spits out the bad receipt, and you are legally required to shred both before you try again.
Step 5. To confirm your vote, you log on to a database, look for your receipt number and enter the color/icon you remembered. If you enter the wrong one, it displays a false vote without revealing that you entered the wrong color/icon.
Net result is that you and only you know who you voted for, and you can verify that your vote was counted.
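The five steps above describe a verification interface with a built-in decoy: the receipt number alone reveals nothing, and only the colour the voter remembers unlocks the real answer. The following is an added model of that design, written here for illustration; it is not code from the commenter or from any real voting product. Candidate names, colours and the `Kiosk` class are constructed for the example.

```python
import hashlib
import secrets
from typing import Dict, List, Tuple

# Constructed sample data for the walk-through (not from the original post).
CANDIDATES: List[str] = ["Alice", "Bob", "Carol"]
COLORS: Tuple[str, ...] = ("red", "green", "blue")  # the three icons the kiosk offers


class Kiosk:
    """Models steps 1-2 and 4-5: records the vote plus the voter's chosen colour
    and hands out a receipt number that carries nothing else."""

    def __init__(self) -> None:
        # receipt number -> (candidate, colour); only the election database sees this
        self._records: Dict[str, Tuple[str, str]] = {}

    def cast(self, candidate: str, color: str) -> str:
        """Step 1-2: record the choice and return the opaque receipt number."""
        if candidate not in CANDIDATES or color not in COLORS:
            raise ValueError("unknown candidate or colour")
        receipt = secrets.token_hex(8)  # what the barcode would encode
        self._records[receipt] = (candidate, color)
        return receipt

    def read_back(self, receipt: str) -> str:
        """Step 4: the reader shows who the receipt decodes to, for the voter to confirm."""
        return self._records[receipt][0]

    def tally(self) -> Dict[str, int]:
        counts = {c: 0 for c in CANDIDATES}
        for candidate, _ in self._records.values():
            counts[candidate] += 1
        return counts

    def lookup(self, receipt: str, color: str) -> str:
        """Step 5: the right colour shows the true vote. A wrong colour shows a decoy
        that is deterministic in (receipt, colour), so repeated queries agree and the
        interface never signals that the colour was wrong."""
        candidate, true_color = self._records[receipt]
        if color == true_color:
            return candidate
        digest = hashlib.sha256(f"{receipt}:{color}".encode()).digest()
        return CANDIDATES[digest[0] % len(CANDIDATES)]


def coercer_view(kiosk: Kiosk, receipt: str) -> List[str]:
    """What someone holding only the receipt number can learn: one answer per
    colour, with nothing marking which answer is the real one."""
    return [kiosk.lookup(receipt, c) for c in COLORS]
```

The deniability rests on two properties worth checking in any implementation of this idea: the wrong-colour answer must be computed the same way every time (a coercer who queries twice and sees different answers learns the colour was wrong), and the error path must look identical to the success path in timing and wording. Even then, a voter pressed for their colour can name a wrong one and the coercer has no way to tell, which is exactly the protection the commenter is after.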
I'm assuming that not everyone is as obsessed with the "paper trail" as some fanatics are (really, data is data whether it's on a paper or stored digitally, if your vote is anonymous it can still be tampered with).
Why not a basic e-ID system (we have several here in Sweden although the most popular is simply called BankID) which is used to login to the voting website/voting machine. When logged in you get to create a new username and password for the actual voting. Your real identity gets marked as "has an id" and the new account is completely disconnected from your regular identity, you can now use the new username+password to cast your vote. This system even opens up the possibility to change your vote before the end of the election period.
For all I know this could be the solution suggested in this video; I just couldn't be bothered watching a video right now. Does anyone have a good transcript?
I like all of the ideas he mentioned, from the uniqueness of each ballot, to the tear off receipt, to the shredding of the plaintext ballot "key". These are great for maintaining anonymity, but what about ballot stuffing? How do you prevent someone that's been dead for a couple months from "voting"? My polling place didn't ask for ID, just my name, I imagine that probably happens quite a bit...
If you're removing the candidate list from the side you keep, that means that the barcode somehow has your specific ordering of candidates stored. While this may be encrypted, the computer has a way of knowing for that specific ballot, what each option is for, which means that someone, somewhere, has access to that key to be able to determine how to get the per ballot candidate ordering.
That key will be much easier to get access to than people think, and once you do, you've compromised the secrecy of the entire election. Walk into your local election clerk's office and see if they're the type of person who could safely store and maintain a vital electronic key.
md5 hashes and cookies?
Just askin...
Fundamental flaw: you still have to trust that the computer program is what it claims to be when it matches the ballots with the receipts.
Election fraud risk (in a mature democracy) is measured by the minimum number of people who are required to act in a corrupt way in order to get away with a mutation of the result. Paper ballots with scrutineers from opposing parties require a massive degree of conspiracy in order to affect enough polling stations to swing the result. As soon as you trust a computer with the audit trail, you need only one corrupt person: a programmer who installs one program on the machines while providing a different version of the program to auditors. Even if you could trust that the auditors get an untampered version of the machine to dismantle and are able to do so perfectly, you are still trusting that small audit team to be honest and never be replaced with a front group.
Does it run Windows and save its votes in an Access database? Ideas are great, but even the best ideas are defeated by typical commercial implementations. Nobody in government cares enough about voting processes to allocate the money needed for anything better than lowest-bid development.
The problem isn't necessarily the voting machines, it is the choices of the candidates.
Why are we always forced to choose from the lesser of two evils under a broken electoral system in a broken government?
We need multiple candidates on a multiple choice ballot ranking your first, second and third choices using a secure system. This is needed due to recent voting scandals that arose at the very last minute.
My license has one of those complex bar codes on the back. Why not produce a receipt encoded with this value, then allow the voter, in votes that are contested by the candidates, to return to a polling place and swipe the results to see that their vote was accepted? If it's like my voting place, no one but the voter is allowed at the booth except under very special circumstances. This of course would require making sure that the poll watchers only permit the owner of the strip to use it.
Even with such a system you can engineer abuses. I find that many stamping their feet over e-voting are those who stand a better chance of manipulating results if a paper system is used. Regardless of system employed, we also need a simple means to ensure people are who they say they are and they only vote once per election.
Still, it's good to see many people concerned with the privacy of their vote. Just remember your friends in union shops, as some in Congress want to take away the secret ballot in union votes just for the purpose of intimidation.
When we use media, we capture the voter intent perfectly. There is a chain of trust between the voter intent, and the record of the vote, because that record only passes through the voter.
Making a mark on a piece of paper, voting by mail like we do in Oregon, is cost effective, and verifiable, and trustworthy. Recounts are possible too.
I know my intent was correctly recorded, and if there is an issue with the counting, we can all go into a room and visibly verify every vote, getting a correct tally.
With a machine, it's a vote by proxy. We fail to record the voter intent, because the electronics only record what the machine thought the intent was, not the intent itself.
Because of this, no electronic system makes sense. I like counting them electronically, with scanners and such. We can audit that, verify, recount.
I don't like a touch screen, because we fail to actually capture the intent, only the machine record of what it thought the intent was.
Transparency ensures that a voter can prove his vote, thus sell it!
Wouldn't it be nice if people WERE encouraged to post their vote-receipts to prove that they've voted? Not if it shows who their chosen candidate was, of course, but just a token to demonstrate that they've taken part in the electoral process and thus bucked the trend of political apathy.
Seems to me that harnessing that peer-pressure to encourage people to take an active interest would be very beneficial to the democratic process.
As long as we can trust it, of course...
So this brilliant system allows me to go online and verify that I voted for "option number 3". Which could be anything, since I cannot verify what my candidate list order was. So to manipulate the votes the counters simply rearrange the candidate listings of all voters to make Sarah Palin the president, and there is no way of proving it, since no one other than the counters has access to the candidate list orders.
There is no way to make it verifiable that you voted X while making it impossible to prove you voted X. We simply can't have it both ways. I would sooner trust that the counting of the votes was done correctly than trust that every single American didn't sell their vote to the highest bidder.
What is the point of detaching and shredding the list of candidates part of the form in his method? Surely the 2D barcode must have this information of what box is what candidate. Just means counting by hand would now be impossible as one would have to decode the 2D barcode. I guess it's so the ballot worker doing the scanning doesn't see it. But the scanner is a computer and can decode the barcode by definition.
Removing the candidate list seems like a dangerous complication to the system. The system can verify that a ballot was collected, but there is no possibility to correct a ballot that was miscounted.
Once removed, voters cannot verify for themselves who they marked their ballot for. On the counting side, it allows for fraud simply by changing the correspondences.
Also, if someone cracks the servers, they could replace or delete every ballot in the country, causing detectable but widespread chaos as every ballot would have to be rescanned.
This sounds a lot like the punchscan voting system. I am at work and not able to see the video right now, but I googled bismark and found this article, which has some details.
Punchscan and its variants do allow you to prove to yourself (with a 50% probability) that your vote was counted as you intended. That might not sound like much comfort (only 50%?), but if the election authority tries to change 2 votes, their probability of getting away with it falls to 1/4, then to 1/8 with 3 votes, and so on. So stealing more than one or two votes becomes infeasible pretty quickly.
However, I do believe that in all such schemes the possibility of large-scale vote buying becomes a real threat that has to be managed carefully, since the election authority has the keys that allow all the ballots to be decoded. So if the Election Authority shares the keys with, say, the autoworkers union, or with GM, then those orgs would be in a position to decrypt the votes and thus coerce their voters. Of course, large-scale intimidation of that type would be hard to hide from investigators. For this and other reasons, I think the threat of large-scale vote buying is manageable, and well worth the accuracy and accountability these systems provide.
The 2 key ideas that make these schemes work are "cryptographic commitment" and the "cut and choose" protocol. If you are interested, I've written up a detailed explanation of these concepts, and how punchscan-like systems work, here.
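The two ideas named in that post, a hash commitment and a cut-and-choose audit, can be shown end to end in a small simulation. The block below is an added example written for this thread, not the commenter's write-up and not the real Punchscan or Prêt à Voter protocol (both add ballot decoding and mixing that are left out here). It models only the audit step: the authority commits to the candidate ordering on each half of a ballot, the voter picks one half at random to open and audit, and casts the other. The `Authority` class, candidate names and the cheating strategy (commit to a rotated ordering on one half) are constructed for the example.

```python
import hashlib
import os
import random
from typing import Dict, List, Tuple

# Constructed sample data; not from the original post.
CANDIDATES: List[str] = ["Alice", "Bob", "Carol"]


def commit(ballot_id: int, half: int, ordering: List[str], nonce: bytes) -> str:
    """Hash commitment to the candidate ordering on one half of a ballot.
    The random nonce hides the ordering until it is opened; SHA-256 makes the
    commitment binding, so the authority cannot later open it to a different ordering."""
    msg = f"{ballot_id}:{half}:" + ",".join(ordering)
    return hashlib.sha256(msg.encode() + nonce).hexdigest()


class Authority:
    """Prints two-half ballots and publishes one commitment per half on a bulletin board.
    With cheat=True it picks one half per ballot and commits to a rotated ordering while
    printing the original, so a vote cast on that half would decode to the wrong candidate."""

    def __init__(self, cheat: bool, seed: int) -> None:
        self.cheat = cheat
        self.rng = random.Random(seed)
        self.board: Dict[Tuple[int, int], str] = {}  # (ballot, half) -> commitment
        self._openings: Dict[Tuple[int, int], Tuple[List[str], bytes]] = {}

    def print_ballot(self, ballot_id: int) -> List[List[str]]:
        """Returns the two orderings the voter actually sees on paper."""
        bad_half = self.rng.randrange(2) if self.cheat else -1
        printed: List[List[str]] = []
        for half in (0, 1):
            order = CANDIDATES[:]
            self.rng.shuffle(order)
            committed = order[1:] + order[:1] if half == bad_half else order
            nonce = os.urandom(16)
            self.board[(ballot_id, half)] = commit(ballot_id, half, committed, nonce)
            self._openings[(ballot_id, half)] = (committed, nonce)
            printed.append(order)
        return printed

    def open(self, ballot_id: int, half: int) -> Tuple[List[str], bytes]:
        """Reveal the committed ordering and nonce for one half (the audit response)."""
        return self._openings[(ballot_id, half)]


def audit_half(auth: Authority, ballot_id: int, printed: List[List[str]], half: int) -> bool:
    """The voter's 'choose' step. Passes only if the opened value re-hashes to the
    published commitment AND the opened ordering is exactly what was printed."""
    committed, nonce = auth.open(ballot_id, half)
    hash_ok = commit(ballot_id, half, committed, nonce) == auth.board[(ballot_id, half)]
    return hash_ok and committed == printed[half]


def run_audits(cheat: bool, n_ballots: int, seed: int) -> bool:
    """Each voter audits one half chosen at random and casts the other.
    Returns True if any audit failed, i.e. the tampering was detected."""
    auth = Authority(cheat, seed)
    voter_rng = random.Random(f"voter-{seed}")  # independent of the authority's choices
    for bid in range(n_ballots):
        printed = auth.print_ballot(bid)
        if not audit_half(auth, bid, printed, voter_rng.randrange(2)):
            return True
    return False


def detection_probability(k: int) -> float:
    """Chance that tampering with k ballots is caught when each audit is a fair coin flip."""
    return 1.0 - 0.5 ** k


def estimate_detection(k: int, trials: int, seed: int = 0) -> float:
    """Monte Carlo check of detection_probability(k) against the simulated protocol."""
    caught = sum(run_audits(True, k, seed + t) for t in range(trials))
    return caught / trials
```

The binding property is what makes the audit meaningful: once the commitment is on the public board, the authority cannot answer the audit with the printed ordering unless that is what it committed to, and it cannot know in advance which half will be opened. The per-ballot detection chance is therefore 1/2, and an attacker altering k ballots survives with probability 2^-k, which is the 1/4, 1/8 progression in the post.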
I think the method presented in the video is fundamentally flawed. The presenter claims that, given just your receipt, no one can determine how you voted. But that's obviously false -- SOMEONE, somewhere, must have the cryptographic key that can correlate an 'X' in the third box down on your individual ballot as a vote for John Smith. Otherwise there's no way for your vote to be counted.
The presenter goes on to claim that third-parties (news media, international observers, etc.) can take the scanned ballots and count them independently. To do so, they must have access to the crypto key, just like the official ballot-counters. Now you have potentially many people with access to the key. The key will undoubtedly be leaked. Once it's out there, anyone with physical access to my receipt can see how I voted.
Chelloveck
Over the years I've heard of various ways in which the democratic process can be improved. I saw this TED talk last night and it certainly looks interesting; if it can make the proceedings so much more transparent, let's set up a trial somewhere and see how it goes. Personally, I'd like to see it combined with instant-runoff voting, a system that has seen only limited implementation despite its advantages. Yet I wonder if I will ever encounter these concepts in practice.
I find it disappointing that, all over the world, older democracies seem to be deeply conservative about their voting processes, resisting change even when the flaws in their systems are obvious and better solutions are available. We are quick to criticize the voting processes of emerging democracies, but resist doing anything when the problems are closer to home.
Poor voting practices at home also have a knock-on effect: why, for example, should the Afghans improve their voting system when we can't be bothered to improve ours? By saying one thing and doing another, we send the message that it's really not that important to be so respectful of the voting process. In such cases, we have no right to be so proud of our democracies.
http://en.wikipedia.org/wiki/End-to-end_auditable_voting_systems I think the system described in the TED talk is the Prêt à Voter system.
I found a link to David Bismark's home page here. He is explaining how Pret a Voter works. This is related to the punchscan system, although it works by randomizing the order of the candidate list instead of introducing an indirection symbol like punchscan does.
Odd that the wired article would not give credit where it is due and mention Pret-a-Voter.
BTW, everyone, this is not an electronic voting system; even though it uses computers in various ways, it is an optical-scan paper ballot system.
Another epic fail. When will academics learn that e-voting simply makes fraud easier and less detectable, no matter how good the math is?
When will academics learn that a voting system the average voter can't understand is a system the average voter can't trust?
The primary requirement for voting is that it convinces the losers they lost fairly. Technology impedes that objective, and cryptography that no one understands denies it entirely. Transparent observation that people with high school educations can appreciate. Things that decentralize rather than centralize control are valuable too, since it makes cheating a retail operation, not a wholesale operation. Cryptography centralizes things. Someone controls the keys.
All other desired features pale in comparison to transparency and anonymity. Don't lard them on.
I recently went to a thesis conference upon this very subject (e-vote protocols).
Not that I really understood the entire speech, but I do remember the conclusion being that such mechanisms will never be absolutely secure.
Got a link for the few French-reading, IT-security-understanding guys interested.
Perhaps the most important element in maintaining relevant citizenship and participatory democracy; however, apparently not important enough to summon people to count votes (like jury duty) or even have "officials" manually count all votes with observation, oversight, and verification. I love techno gadgetry and innovative doodads - but when it comes to voting on what our government does and how it acts I go Luddite. I mean paper and pencil on a form simple - not even "scantron" bubbles. Illiterate or otherwise unable to cast a ballot with paper and pencil? Issue your votes to two election officials or come up with some better idea. Every vote ought to be manually counted in the presence of officials with double verification. People volunteer for this kind of thing - hell, even if it costs thousands of dollars for the full day of counting (likely less, done by precinct) it seems like a small price to pay to keep the potential for corruption out of our political institutions (or this area of them at least). Even computer scanned bubble ballots could be (relatively) easily manipulated in the posted results. Simply keep the margin out of the range that triggers manual recounts and there are not legal grounds for reviewing the archival hardcopies. Why risk it?
I'd just like to point out that "recount" is a procedure designed to correct for inaccuracies in human-counted elections.
The concept of recount does not make sense for a computer-counted vote. A recount would get the same result every time, or something is REALLY wrong.
The equivalent of "recount" (purpose-wise) for a computerized election is:
Code and process review + security (privacy & integrity) analysis + random ballot receipt audit
Maybe this is covered in the video, but it's a small miracle that I can get a connection out here at all...
But the reality is that most people's systems are compromised already. If we have online voting, the same guys that set up botnets with thousands of systems will have a field day stealing votes.
I don't see how you can do voting online as long as so many clients are hopelessly compromised.
Voting systems need to be understandable by the voter. This means KEEP IT SIMPLE, STUPID. A computer expert should not be involved.
A counting machine based on PAPER can be physically verified and observed by anybody who can COUNT including the interested parties so all are confident of the result. Even a closed corrupt count could come to light if the paper record is preserved. A counting machine can be ignored during a recount; if there is nothing to count then there is no recount and even less deterrent since one can't validate the results. One can't even know if the machine is hacked while a counting machine can be compared against a paper count.
You have to be ignorant OR foolish to think that ANY computer system is better than a paper one under the same conditions. A totally open computer system can be hacked and all traces removed - you do realize that Linux still gets patched for security holes, right? A hacked compiler or linker can produce bad programs despite clean code. Foreign-made hardware components are also suspect (doesn't the NSA have a chip fab plant of their own?). It would take multiple experts just to verify a machine at 1 point in time; even then they could easily miss a clever attack or a serious security hole. That is barring any tampering after 100% verification (which would only be in theory, because you can't get to 100%, just like you can't ever be 100% sure a program is bug free).
The hanging chad problem was over hyped but it is a great example of a solution for a non-problem that complicated the paper system thereby creating a security flaw. It should be obvious that a simple system everybody could see was flawed took so long to be killed off was a problem and now we have people asking about a much much much more complex system and one which only a specialized few could identify flaws?? It defies reason.
Of course, it's a somewhat moot issue since the system favors 2 parties which are for sale, so any games between the zealots are just a distraction from the larger gaming of the public by the powerful.
1. In order for democracy to be stable and people to maintain trust in their government, they must be able to see that their votes do count. Electronic voting unavoidably violates this very important principle, because it makes the mechanism of voting completely opaque to almost everybody. A person can see a piece of paper, and people can watch all the pieces go into a box, and verify the box was empty beforehand, and confirm the number of ballots equals the number of voters, and count every piece of paper in front of all interested citizens. A person cannot see electronic impulses or magnetic encodings, nor observe counting or validation algorithms in action (much less raw disk drivers, magnetic heads, error-correction algorithms, and so on). This means the machinery of democracy is enclosed in a black box.
This is opposite the principles of democracy, and it has nothing to do with procedure, nor with particular algorithms, it has to do with the entire idea of sticking the mechanisms of voting inside an unobservable space. Even with the best possible such system, the whole thing relies on the faith of the people that what is going on is in fact what they have been told. It takes voting disputes out of the realm of opening up locked boxes on camera in front of people from different parties, something all can watch and understand, and puts it in the realm of whether you believe the claims of a few reputed experts against the word of others who claim to also be experts. And even if you think you are one of those elite, stop and think about whether A) you have the means to prove whether there were forged microprocessors in the voting computer, or even that the software actually running was the software whose source code you might have examined; and B) the public trust in democracy being based on faith in the word of a few elite is ever a good idea.
2. A voting system which can be tampered with is bad for democracy. But a voting system where tampering across all districts can be centralized is horrible. To alter the outcome of a paper ballot election over a whole state, people would have to physically visit potentially hundreds or thousands of voting locations. That is a very risky action, and the greater the geographical extent of tampering, the greater the chances of detection. An electronic election, on the other hand, has multiple centralized attack points. Changing the source code, the processor supply, the central vote database (depending on how the system works), building in hidden back doors, all of these are actions that could be done by a single person in a single place. It is much better to risk more small-scale fraud, none of which can get very widespread without being likely to be detected, than to design things in such a way as to allow the entire system to be compromised all at once in a single incident that may or may not be detected.
Computers are wonderful tools. And we computer people use them like hammers, which is to say that we make everything look like a nail. But the beauty of some imaginably potential unbreakable, verifiable, cryptographically strong, instantly tallied system blinds us to the fact that the whole notion of hiding democracy inside computers is a bad idea in the first place. Computerizing voting is like using a microwave oven to warm up your baby. It is simply a tool that is incompatible with the task, regardless of whatever efficiency it may gain and effort it may save.
Voting needs to give you a receipt. That receipt would have a hash encoded number that you could then compare to a publicly available vote count and verify that your vote was counted correctly. As simple as a .gov website with SSL that allows me to either download the entire data count or to enter a hash key and see the resulting voting.
It seems ridiculously simple to me. You can verify your own vote and tally all the votes yourself to ensure that the totals are accurate.
The absolute must of an e-voting machine is a hard copy version that can be later verified. Essentially I would have thought that the voter enters their vote, the machine electronically records the vote and the paper vote is verified by the voter before being lodged along with the electronic version. Voters don't need receipts; in fact that can cause problems with coercion. A voter must go in with nothing and come out with nothing but be assured that their vote is recorded correctly. You can never fully trust an electronic e-voting system without a hard copy verification system. But at the end of the day the e-voting system just allows the votes to be tallied quickly; the hard copy would still need to be counted to provide a check and balance. I was thinking the other day that we already have a distributed system that people trust to record vital transactions, the banking ATM system. Why not turn ATMs into voting booths by giving all voters an anonymous voting "bank card"?
Seriously; what they need to do if they want to stop voter fraud and corruption (which they don't - it's how they get into office, but this is if they did) is just make the machines extremely simple, single-purpose hardware. What's it take to record a value (say 0 for GOP, 1 for Dem, 2 for Libertarian, etc.) and send it in to be counted? Not much; barely anything. Hell, I could probably build one keeping the price in the double digits with parts from RadioShack (though maybe I'm overestimating my abilities).
Reminds me of these xkcds a bit: http://xkcd.com/801/ http://xkcd.com/463/
That system does not directly record voter intent.
When we make a physical record, we do record voter intent, because the chain of trust from the intent of the voter, through to the actual vote record is intact.
With a machine --any machine, it's not. There is absolutely no way for the voter to know their vote intent is reflected in the record of their vote. It is a vote by proxy.
With traditional paper ballots, the vote is unencrypted but there is no easy way to track a ballot back to a voter. With this system, your ballot is linked to your ID. Your vote is encrypted but must be decryptable for the counting machine, and thus for government. Fail.
This looks a lot like a system proposed by Ben Adida in 2006 called Scratch & Vote.
http://www.youtube.com/watch?v=ZDnShu5V99s