Your Amnesty International link seem to be to the 2003 report. It would probably also be a good idea to provide the links the US reports as well, since you are (presumably) doing a comparison. A good summary is that you don't want to be in the wrong group in either country:
It's also worth remembering, whenever Iran is being discussed, that the present government is a fairly direct outcome of Operation Ajax, in which the US and Britian overthrew the original (and very progressive) Iranian democratic government and installed a very brutal dictator (the Shah) because Iran planned to nationalize its oil (which was the result of, amongst other things, them being denied the right to even audit British Petroleum's books).
The problem with paper ballots is that checking for fraud is a mass effort, and even then there is no guarantee that ballots have not been added or removed. It requires trust in those running the election. The aforementioned scheme does not have this problem as any individual can verify the results themselves.
Further, the system also does not seem overly complex to me. Joe Average comes in. The system says your vote number is XYZ. He touches his vote choices on the screen. It prints him a receipt. It then offers to print him out any number of additional bogus receipts (which, of course, he will not require as everyone knows receipts can claim anything). He leaves.
Only a very small percentage of the population had to go home and check the totals and their votes keeps the system honest. If anything funny is happening to very many votes at all, the probability of it effecting the vote of someone who checks becomes very large. As they have the receipt to prove tampering occurred, their complaining will trigger a snowball of checking.
(Personally, paper ballots are also fine by me, as long as everybody who wants to is allowed to observe the proceedings. My interest in electronic voting is only in ways it can offer more security than paper ballots and the sort of inevitable its coming feeling.)
I've been thinking about the electronic voting machine problem for a while now (and posted about it twice before -- thanks for the feedback). Now, unless I've missed something, I believe there is a simple electronic scheme that protects anonymity (avoids coercion) and makes it impossible to rig the election through bad software.
To do this, the voting machines would be required to print each voter an official receipt tagged with a random number indicating their vote. At the end of the election, all the votes (a large table consisting of random number and vote tuples) could be posted so anyone who wanted could verify the tally and their vote. Vote injection would be avoided by permitting anyone (e.g., a representative from each party) to come out and count the turnout at each station on voting night.
The coercion problem introduced by the receipts is that a third party insists a voter shows them their receipt to verify they voted as instructed. This can be avoided by providing an option for voters to print as many additional fake receipts as desired, as well as providing them with the ability to secretly dispose of any of their receipts.
Valid fake receipts would actually be duplicate receipts for existing votes. This would make them indistinguishable from an actual vote, as they are an actual vote, just not that voters vote. This is easily accomplished by having the user indicate which additional votes they require receipts for, querying the database of existing votes for a random match, and then printing duplicate receipts.
The secret disposal of receipts could be accomplished by simply including a receipt disposal box in each booth. To avoid any attempts to alter votes who's receipts have been disposed of (this attack is already complicated by the fact that each vote could have had several receipts printed for it) the disposal boxes would have to be publicly disposed of in a secure manner immediately after the booths close (e.g., burnt in front of anyone who wishes to watch).
Finally, requiring the machines to display and print (on the receipt) the voters random number before they enter their vote avoids the possibility of bad software actually printing a duplicate receipt for the voter's actual vote and secretively casting an alternative ballot for the actual vote. The randome number generation, although not strictly necessary, can be further strengthened by requiring it to be a combination of machine and voter.
The machine would first displays and print its random number, and then the voter would enter another (non-trivial) number to multiply it by. This way, neither the machine nor the user (unless the former can do long division of very large numbers in their head) would be able to determine the final random number. Both numbers would be printed on the receipt so the machine could not cheat on the multiplication. This does not interfear with the coercing avoidance scheme as duplicate receipts for any existing vote and user's random number can be produced via long division.
I would love to hear some feedback, particularly any realistic attack vectors I've failed to account for. Thanks!
Slashdot Mirror
Your Amnesty International link seem to be to the 2003 report. It would probably also be a good idea to provide the links the US reports as well, since you are (presumably) doing a comparison. A good summary is that you don't want to be in the wrong group in either country:
Iran:
amnesty international
human rights watch
US:
amnesty international
human rights watch
It's also worth remembering, whenever Iran is being discussed, that the present government is a fairly direct outcome of Operation Ajax, in which the US and Britian overthrew the original (and very progressive) Iranian democratic government and installed a very brutal dictator (the Shah) because Iran planned to nationalize its oil (which was the result of, amongst other things, them being denied the right to even audit British Petroleum's books).
The problem with paper ballots is that checking for fraud is a mass effort, and even then there is no guarantee that ballots have not been added or removed. It requires trust in those running the election. The aforementioned scheme does not have this problem as any individual can verify the results themselves.
Further, the system also does not seem overly complex to me. Joe Average comes in. The system says your vote number is XYZ. He touches his vote choices on the screen. It prints him a receipt. It then offers to print him out any number of additional bogus receipts (which, of course, he will not require as everyone knows receipts can claim anything). He leaves.
Only a very small percentage of the population had to go home and check the totals and their votes keeps the system honest. If anything funny is happening to very many votes at all, the probability of it effecting the vote of someone who checks becomes very large. As they have the receipt to prove tampering occurred, their complaining will trigger a snowball of checking.
(Personally, paper ballots are also fine by me, as long as everybody who wants to is allowed to observe the proceedings. My interest in electronic voting is only in ways it can offer more security than paper ballots and the sort of inevitable its coming feeling.)
I've been thinking about the electronic voting machine problem for a while now (and posted about it twice before -- thanks for the feedback). Now, unless I've missed something, I believe there is a simple electronic scheme that protects anonymity (avoids coercion) and makes it impossible to rig the election through bad software.
To do this, the voting machines would be required to print each voter an official receipt tagged with a random number indicating their vote. At the end of the election, all the votes (a large table consisting of random number and vote tuples) could be posted so anyone who wanted could verify the tally and their vote. Vote injection would be avoided by permitting anyone (e.g., a representative from each party) to come out and count the turnout at each station on voting night.
The coercion problem introduced by the receipts is that a third party insists a voter shows them their receipt to verify they voted as instructed. This can be avoided by providing an option for voters to print as many additional fake receipts as desired, as well as providing them with the ability to secretly dispose of any of their receipts.
Valid fake receipts would actually be duplicate receipts for existing votes. This would make them indistinguishable from an actual vote, as they are an actual vote, just not that voters vote. This is easily accomplished by having the user indicate which additional votes they require receipts for, querying the database of existing votes for a random match, and then printing duplicate receipts.
The secret disposal of receipts could be accomplished by simply including a receipt disposal box in each booth. To avoid any attempts to alter votes who's receipts have been disposed of (this attack is already complicated by the fact that each vote could have had several receipts printed for it) the disposal boxes would have to be publicly disposed of in a secure manner immediately after the booths close (e.g., burnt in front of anyone who wishes to watch).
Finally, requiring the machines to display and print (on the receipt) the voters random number before they enter their vote avoids the possibility of bad software actually printing a duplicate receipt for the voter's actual vote and secretively casting an alternative ballot for the actual vote. The randome number generation, although not strictly necessary, can be further strengthened by requiring it to be a combination of machine and voter.
The machine would first displays and print its random number, and then the voter would enter another (non-trivial) number to multiply it by. This way, neither the machine nor the user (unless the former can do long division of very large numbers in their head) would be able to determine the final random number. Both numbers would be printed on the receipt so the machine could not cheat on the multiplication. This does not interfear with the coercing avoidance scheme as duplicate receipts for any existing vote and user's random number can be produced via long division.
I would love to hear some feedback, particularly any realistic attack vectors I've failed to account for. Thanks!