Physical reality is that if you can run fiber, you can run as much fiber as you want. Further, once you have a bunch of fiber, you can ship basically as much data as you want. Now, when it comes to existing cross-oceanic links, that may not apply so much, but there's certainly no excuse for Australian ISPs to not be able to ship an arbitrary amount of data around the continent on backbone fibers.
At least, it's how it happens here in Brasil. Even the most obscure candidates show up in every ballot, and we don't have to vote J.F. Kerry to stop Bush from winning, as we hold runoffs.
Hold runoffs, as in "go back to the polls if there wasn't a majority winner the first time"? Unless you have one runoff per candidate (drop the worst one each time) that system still requires strategic voting and still has a spoiler effect. It's just a bit more complicated than in a "plurality wins" system. The key idea is that you still have to vote for your favorite candidate among the top few, so that they make the runoff.
After looking at voting systems a bit, only Condorcet methods and range voting schemes seem to solve the spoiler problem in a fixed number of trips to the polls. Among those, I think that Approval voting does the best due to its simplicity - "vote for any number" is something that pretty much anyone should be able to figure out.
Given that, I wonder if a system of explicit runoffs where each round dropped the bottom half of the candidates would be good enough...
If there are "detailed technical, legal and ethical reasons why ISP-level filtering won't work", well then it can't be implemented can it.
ISP-level filtering won't work. That in no way implies that the government can't mandate some sort of horrible kludge that breaks everything (without successfully filtering).
Different attacks have different difficulties and different impacts.
If the best attack available is to corrupt every election volunteer at each polling place, then the system is pretty solid. In the worst case, a voter suspecting fraud can simply volunteer personally.
In contrast, if all you have to do is corrupt one or two voting machines (as is typical of DRE voting systems) then the system is useless. Other electronic systems allow for different attacks with different impacts, but those attacks all have the unacceptable properties that they can be executed before election day and they can't be detected by a non-expert observer (and usually not even by an expert observer).
As for the horror stories you mention from Chicago, that's a different class of problem. The best the voting system can do is detect fraud; once that's happened it's up to the courts and the rule of law. If the rule of law isn't working, you have bigger problems than voting fraud.
Because no one cares who voted for whom, I've not seen the paranoid actions you describe. And even if it is done that way, it would take a conspiracy to get timestamps into and out of the computer voting of no smaller a scale than getting all the "guards" to be in on the vote ordering. Again, nothing there that can't already be done as easily or more easily with paper methods.
The "guards" are anyone who volunteers to observe the election. You can't get all of them in on a fraud attempt unless you exclude people who volunteer, which is an obvious fraud attempt itself.
With an all-paper system it is sufficient to secure the polling location, the ballot box, and the counting location on election day. With any electronic components, you would have to ensure that those components haven't been tampered with *ever*, which is impossible in practice.
Are you talking about the current system where people are recorded when they enter in a large voter roll, then vote, and votes are placed in order received in a box?
A voter roll where voting times are not recorded? A box which is carefully guarded by multiple volunteers until it's opened and dumped out, destroying the order? Yes. That's the system I'm talking about. The "destroy the order" step is part of the procedure -
If I wanted to record the vote of any one person I'm buying a vote off of, I could and have photographic proof. That's easy and not expensive. The electronic system you complain about is no more or less "anonymous" than the current system.
What are you going to do, rig every voting booth at their polling place with hidden cameras? That's certainly harder than rigging voting machines beforehand would be.
If vote buying happened now, I'd be concerned. It doesn't happen (there are easier ways to cheat) and it isn't any easier with electronic voting.
Vote buying and (more importantly) vote coercion have happened numerous times in the past. The secret ballot is an essential part of a democratic voting system not for when everyone is playing nice, but for those times when people are playing dirty - just like all the other security properties of such a system.
The system is physically secured, the same way that a box full of ballots being moved around is secured. Meaning the system offers the same security as the previous paper-based system, only it's easier to use.
That's absolutely false.
A traditional ballot box needs to be secured from just before the first ballot is put in it until it's dumped out on the counting table - so all day on election day. Further, the security required is straightforward and any non-expert can do it. You check to make sure it's a legit ballot box, it starts empty, and no one messes with it during the day.
An electronic system requires constant security - 24/7/365 - because there's no straightforward way to check if "it's a legit electronic voting device" or "it's empty". And there is no practical way to get security on the same level as a ballot box at a polling place every single day for a pile of electronics.
Even if all the machine is doing is replacing the pencil, there's still at least one issue left: What's to say that the machine isn't remembering the votes with timestamps, allowing the votes to be matched with voters, thus compromising the secret ballot?
Also, a paper trail deters gaming the system because it becomes only a matter of time before someone does a random audit and the cheaters get caught.
If elections occurred every day and going 10 elections before catching anyone was good enough, that'd be great. As it is, a single election is worth billions of dollars. Attackers will sure as hell take even a 50% chance of "getting caught" if winning an election would guarantee their company a major government contract, especially if they can claim that the attack was a mistake and no-one will understand the situation well enough to actually punish them for voting fraud.
Look at what happened with the 2004 Ohio recount if you want to see how statistical sampling gets gamed in practice.
If Wikipedia is correct, this system has the basic problems of any DRE voting system:
- There is no guarantee that the voting machines have the "secure" chips in them.
- There is no guarantee that the software in the "secure" chips doesn't have cracks built in.
- There is no guarantee that a machine that's being used is an "official" machine.
- The votes are stored in solid state memory, and every instruction executed on the chip could change the vote count arbitrarily and unobserved.
The Wikipedia article makes it sound like the main perceived benefit to the Indian system is tamper resistance ("if the voting system is high tech, people won't be able to figure out how to attack it"). Security through obscurity is great if there's no attacker, but as soon as someone attacks this system all it will do is make it harder to detect the attack.
The town I live in has voted with paper and pencil, a ballot box with a crank, and a public hand counting of ballots for decades (at least). This system works very well, and scales with n*log n volunteers (with a tree of intermediate tabulation locations).
This system has a key security property: Voting, collection, and counting are all observable by a non-expert. I have seen no electronic system described that has this property. The only properties it doesn't have compared to a "perfect" electronic system are: zero counting time (which is not a requirement for a fair democratic voting system) and perfect counting accuracy (which is irrelevant if there are larger sources of error in a system).
Because the machine count would not match the collected paper ballots.
If you're going to count the paper ballots, there's no need to have an electronic count.
Only a small number of districts need a hand count to check this, as long as which districts was unknown before the election. This would make it far too risky to tamper with the software in the optical scan machine.
Statistical sampling works great in theory, but it's far too easy to game in practice. Minor modifications to make the process "more convenient" can completely remove the intended statistical properties - see the Ohio 2004 recount.
Yea, I guess that one isn't entirely clear. What I meant is that each individual participant in the system is a potential attacker, so the system really wants to have the properties that:
- If all but one poll worker at a location attempt an attack, the attack is caught by the one trustworthy one.
- If all poll workers at a location are untrustworthy, they can affect, at most, that one location.
I thought that at least a few countries had fairly simple systems with voter-verifiable paper trails...was I mistaken?
Just adding a VVPT is insufficient to provide the properties necessary for a democratic voting system. If there is some specific system you have in mind, post a link so I can take a look. Every system I've looked at so far has had major problems.
while providing the paper trail the old systems do.
Whoever started this "paper trail" meme was well intentioned, but foolish. A paper trail that is never consulted is exactly the same as no paper trail. Even statistical sampling - an excellent solution theoretically - turns out to not work in practice, as demonstrated by the Ohio 2004 recount debacle.
That way you can verify the vote totals if there are any questions, and you get the advantages of the machines.
There will always be questions, and the votes will rarely be recounted. See the Ohio 2004 recount for an example.
If the paper ballots are "better" than an electronic count, they should always be used so there can be no argument about when to use them.
Everyone from security experts to laymen could understand how the system works and help to improve it.
Every programmer at least. Normally, I would think that was fine, but in the case of a democratic voting system *every* voter needs to be able to understand the system.
Elections should be based on the popular vote, not the outdated electoral college system and electronic voting is really the only way to make it happen.
Completely unrelated issue. The current tallying system produces vote totals at the state level. The "popular vote" could be calculated using an advanced mathematical technique called "adding". Some organizations, like TV news stations, already do this.
The problem with electronic voting systems isn't with casting votes, and the legitimate complaints against paper systems aren't with summing totals above the county level. The relevant argument here is about vote submission and tallying - which electronic systems do quickly, but not in a manner that can be trusted to produce valid results.
Open source vs. proprietary code isn't relevant here either. The problem is with observability of vote collection and counting procedures - and "we still can't watch it, but we're hoping that every single machine is running some code that is known to be good" isn't good enough.
Dear non-expert, thank you for trying to design a secure voting system. Your proposal fails one or more of the basic requirements necessary for practical democratic voting:
[X] It assumes that every voter can operate a computer.
[ ] It assumes that every voter is a computer security expert.
[ ] It assumes that every voter is a mathematician.
[X] It doesn't preserve the secret ballot, allowing coercion and buying of votes.
[ ] It assumes that government is trustworthy.
[ ] It assumes that the volunteer poll workers are trustworthy.
[ ] It assumes that the creation of tamper-proof hardware is possible.
[ ] It ignores the massive monetary value of a stolen election.
Therefore, I suggest the following:
[ ] You should revise your proposal, it looks pretty solid.
[X] You should probably leave secure protocol design to experts.
[ ] You are clearly trying to set things up so you can commit election fraud.
Or, more accurately, several countries spent a bunch of money, ignored the problems, and declared victory. Sort of like Bush and "Mission Accomplished".
As far as I know - and I've been paying pretty careful attention - there are no designs for electronic ballot submission or ballot tallying that meet the requirements for a democratic election with voters who are not experts in mathematics and/or computer security.
fell in love with Python because it felt like "Perl done right"
If it just had lexical closures and the ability to declare and statically check variable names, I'd totally agree with you. As it is, it's basically just like PHP - Perl with useful features *removed*.
Unfortunately there aren't a lot of options. Perl isn't all that great because while it's awesome at the usability and text processing part it's not so good from a structured design point of view. It's difficult to design complicated software in Perl. Plus Perl is basically dead since they decided to start that idiotic Perl 6 project that will never be finished (and even if it is I'm sure it will suck).
Can you *please* stop spreading this anti-Perl FUD?
Perl5 is neither the unmaintainable mess that Perl4 was, nor is it "dead" because Perl6 is being worked on. Considering the important things about a HLL (maturity, library quantity and quality, expressiveness), Perl5 continues to be one of the best options out there.
Statistical checking isn't good enough. That's what the policy was in Ohio in the 2004 presidential election, and they managed to screw it up by ignoring the meaning of "random". An arbitrary voter *must* be able to personally understand that the voting process was executed correctly (to produce a correct result) - and they must be able to understand fraud claims (so they can tell that they're serious).
I've got a pretty solid college-level mathematics background, and it would take me a couple hours with a couple textbooks to verify that a proposed voting procedure involving statistical sampling was correct. In the event of a mathematically obscure fraud claim against that system, I could only form a useful opinion if I had a detailed description of the supposed fraud *and* had gone to the hours of effort to understand the procedure.
Someone without a math background would have no hope - at best, they'd have the word of someone they trusted that the system was secure, and if fraud was claimed they would have to take the word of an expert that that fraud was/wasn't important. Compare "there were more ballots in the ballot box than there were voters in precinct #12" to "Professor Smith claims that the random number generation procedure used for the statistical sampling of votes in Ohio was biased".
Or the opposite, if you remember that Android supports neither native Linux applications nor J2ME applications.
Or just by not using any software.
How do they count the votes? By hand?
What makes you think it's foolproof. If it decided to count every 3rd McCain vote for Obama, how would you know?