Bottom line is, if you want the best democracy, you have to firmly trust the people, and that means a single human counter, and that's that. No recounts, no challenges, no nothing.
So... you want to solve the problem of people exploiting the system to cheat by just designating a single cheater? I fail to see how that helps anything.
Dispute resolution procedures open up the election to judges again, don't they?
That's one possible dispute resolution procedure. It's not the one I'd suggest.
There's a reason I said "procedure" and not "arbitrator" - I meant it in the sense of "algorithm", a set of steps that can be followed to produce a single deterministic result. Now, you're absolutely right that it's impossible to get a group of people who are all acting in bad faith to come to a consensus on anything. What is possible is to build a procedure such that an overwhelming majority acting in good faith can recognize a couple of douchebags acting in bad faith and ignore them. That's the best we can do with democracy - and in practice, people arguing in a room generally *can* come to a consensus because no one will actually "wait forever" and refuse to agree.
If they confirm it then either A.) it's real or B.) they'd prefer that you think it's real rather than continuing your investigation - most likely because the reality makes them look significantly worse.
You're still a bit better off if they had to fabricate a charge than if you were really guilty of something as easy and obvious to demonstrate as software piracy. Looking at it from another angle, this is one of the reasons why it's socially detrimental to have poorly enforced laws against common activities (whether it be piracy, drug possession, low speed limits, whatever) - it gives abusive authorities the ability to selectively enforce those laws against people they don't like for some reason.
the candidate with the fewest votes is removed, and his/her votes removed from the pool, causing anyone who chose that person as their first choice to now elevate their second choice to first position, and run the numbers over and over until someone has 50+1.
This is "Instant Runoff Voting", which isn't a Condorcet method. This doesn't solve the "spoiler effect" from the first-past-the-post system. It doesn't show up quite as quickly, but it still shows up and favors a two-party system. See the discussion here: http://minguo.info/election_methods/irv/
It basically points towards collective ownership, because capital accumulation is required for large projects. If you get rid of corporations (which I agree that we should), the state is the only other entity that can take their place.
Not really, people can still organize in groups and pool their wealth to accomplish things. They just don't get to hide behind corporations in the process - every check that gets written would have an actual person's name in the "from" and "to" fields.
So I'm not really sure that your 'hybrid' system is very hybrid. It sounds like a good socialist model to me.
It still has money. It still allows people to accrue wealth and buy and sell in a market. People even still work for each other. It's more socialist than many models, but it still retains many of the useful properties of free market capitalism.
My general point is that once you start saying "Let's choose a good system without considering the current situation", there are more than just a couple of possible answers.
Yes. Do you have the mathematical background or experience with secure systems, six months from your BS, to make these claims?
Yea. I have the mathematical background to understand basic cryptographic protocols (I'll admit that I'm just taking the properties of most cryptographic primitives as a given), I even have some professional experience building secure systems. What are your amazing credentials?
But to hand-wave at problems with the "anything could happen" defense like you do is amateurish science and engineering at best.
I'm not sure where I used an "anything can happen" defense. What I said is that electronic-ballot systems tend to add a whole crowd of trusted parties (like device manufacturers), and that one of the basic properties of voting is that no participant can trust any other participant. With paper ballots, any participant can audit their entire local election if they choose - with no special background required to understand what's happening. Most electronic-ballot proposals don't even let a cryptographer or electrical engineer watch an election and know it was legitimate.
Besides, my main issue is trying to suggest silly things like, apparently, the absence of write-once, tamper-proof protocols and storage.
I'm not arguing that these things don't exist. I'm arguing that their existence isn't sufficient to give us acceptable electronic-ballot voting systems. Every one of these techniques or devices prevents one specific attack and introduces one attack (secretly replace the secure component with the insecure version). At absolute best you'll force the attackers to resort to stealing voting machines and hard-modding them - which still isn't a system as secure as paper ballots.
The back up for optical scan is to hand count the votes.
This only matters if a hand count actually occurs. If an automatic count occurs and there's *any question* of a full hand count not also occurring, all the problems of automatic counting apply.
Have separate machines that sort and count. Sort first (based on symbol), then like money-counting machines, count the sorted ballots in front of a large number of witnesses (some of whom are undisclosed election officials).
This is probably the only way to do mechanized counting cleanly.
Submit the results to the total electronically (everyone interested gets to see the number submitted), and at the same time, print the totals onto a piece of paper in front of the witnesses and put it into a sealed box with a unique serial carved into the box. Send/carry the sealed box (guarded by local and federal law enforcement) to the place that collects results. Witnesses should be encouraged to accompany. If that box gets lost, the witnesses can verify the correct number was sent, and the serial of the location gets changed. Otherwise, just match up the box and the sent number. If there's a difference, poll the witnesses. Obviously under oath and signature.
Publishing all the totals so that people can verify the number they saw at their local polling station and redo the full tally by hand to check it is a bit cleaner.
Avoiding ninja-magician vote counters is much easier than avoiding buggy / malicious software. And by "much easier than" I mean "actually possible, unlike".
A proper counting procedure can avoid most of these problems. You don't just have one guy count all the ballots while some other people watch, you have three people from different parties sit down and each count each ballot while keeping separate tallies.
If things are really as bad as you say, then none of this matters for you because there is no democracy where you live.
But... in the places where there is democracy this method works great. The town where I live is a good example. If you want to pretend to have democracy where you live, you should follow the system described - any other system is so blatantly not democracy that your pretense won't be credible.
It also then prints a 2D barcode, which I suppose is for easy scanning, though of course there's no way to tell if the barcode matches the votes.
This didn't bother you? They went to all that effort to print a paper ballot with your vote on it, and then they made the actual "vote" part unreadable... and you "found this satisfying"?
Remember the big fuss about election fraud in the 2004 elections?
Those complaints weren't about DRE voting machines, they were about optical scan vote counting systems.
Now, unlike DRE systems, it's *possible* to have a legitimate election with optical scan counting machines. The basic principle is that the partisan and independent observers need to observe the validity of a statistically-useful sample of the ballot counts. The mathematical requirements are non-trivial, and all of the participants need to understand them for the process to be valid. That didn't happen in Ohio in 2004.
Note how the observer requirement differs from a hand-counted election. With a hand count, *any* observer can personally understand that the count was performed correctly and the election was legitimate. With a statistically checked optical scan count, only someone with a college-level math background can be sure about the count, and then only if they were paying close attention to the details.
Requiring that people be statisticians to audit an election pretty strongly misses the point of democracy even if they're actually there and everything gets run correctly. In practice, the election officials in the United States can't even accomplish that. Seems to me that the proposal to require hand counts everywhere is pretty reasonable.
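The sample-size arithmetic behind a "statistically-useful sample", as an added illustration that is not part of the original comments. The precinct count, margin and per-precinct cap are constructed assumptions, and the model assumes audited precincts are drawn uniformly at random only after the machine totals are published.

```python
from fractions import Fraction
from math import comb


def min_corrupt_batches(margin_votes, max_switched_per_batch):
    """Fewest batches (precincts) that must be miscounted to erase the margin.

    Assumption: at most `max_switched_per_batch` votes can be switched in one
    batch without the totals looking implausible. Switching one vote from the
    winner to the loser moves the margin by 2.
    """
    per_batch_shift = 2 * max_switched_per_batch
    return -(-margin_votes // per_batch_shift)  # integer ceiling


def detection_probability(total_batches, corrupt_batches, sample_size):
    """Chance that a hand count of `sample_size` randomly drawn batches
    includes at least one miscounted batch (hypergeometric, no replacement)."""
    if not 0 <= sample_size <= total_batches:
        raise ValueError("sample size must be between 0 and total_batches")
    if not 0 <= corrupt_batches <= total_batches:
        raise ValueError("corrupt batch count out of range")
    clean = total_batches - corrupt_batches
    # P(every sampled batch is clean) = C(clean, n) / C(total, n)
    miss = Fraction(comb(clean, sample_size), comb(total_batches, sample_size))
    return 1 - miss


def required_sample(total_batches, corrupt_batches, confidence):
    """Smallest random sample that reaches the requested detection chance."""
    if corrupt_batches <= 0:
        raise ValueError("nothing to detect when no batch is miscounted")
    for n in range(total_batches + 1):
        if detection_probability(total_batches, corrupt_batches, n) >= confidence:
            return n
    return total_batches


def audit_table(total_batches, margin_votes, max_switched_per_batch, fractions):
    """Detection chance for several sampling fractions of one contest."""
    k = min_corrupt_batches(margin_votes, max_switched_per_batch)
    rows = []
    for f in fractions:
        n = int(total_batches * f)
        rows.append((n, float(detection_probability(total_batches, k, n))))
    return k, rows


if __name__ == "__main__":
    # Constructed contest: 400 precincts, 6000-vote margin, and an assumed
    # cap of 150 switched votes per precinct.
    k, rows = audit_table(400, 6000, 150, [0.01, 0.03, 0.05, 0.10, 0.25])
    print(f"precincts that must be miscounted to erase the margin: {k}")
    for n, p in rows:
        print(f"hand-count {n:3d} random precincts -> detection chance {p:.3f}")
    need = required_sample(400, k, Fraction(95, 100))
    print(f"random precincts needed for 95% detection: {need}")
    # The calculation only holds for a random draw. If the people running
    # the count pick which precincts get recounted, it guarantees nothing.
```

A narrower margin means fewer precincts need to be wrong, so the required sample grows toward a full hand count.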
In the initial count, you avoid having to do a manual count of every ballot (as it's done electronically), but we still have the option to do this if there is question as to the validity of the electronic count.
There's no reason to ever trust an electronic count, so its validity should always be questioned.
Given that, it should be pretty obvious that it makes more sense to just count the damn paper ballots to begin with. Otherwise you'll get into messes like Ohio 2004, except even sketchier.
Does this voting protocol have the property that a layman can watch what happens on election day and personally understand that the vote was legitimate?
But in addition to that, also include a copy of all the votes in bar code, along with a secure checksum.
Absolutely not. If you can't see the basic problem with this, you haven't understood the requirements for the system you're designing - I suggest you think about the problem a bit more.
When making decisions, there are frequently tradeoffs.
If people can't even be bothered to spend the time counting the votes for that many public officials, maybe we could do with less of them. That's certainly a much more legitimate option than throwing away the ability to trust election results at all.
We hand-count our votes in the Massachusetts town I live in. The volunteers usually get the job done in about 5 hours.
You don't have a handful of people count the votes for the whole county, you have the polling station volunteers stay up until 10 or 11pm that night (or come back the next day) and count the votes.
This is democracy. If half a percent of the population needs to spend two days every couple years making it happen, so be it.
Count them as many times as needed, either by machine or hand.
Remember the accusations of voting fraud in the 2004 election? They were all against automatic vote counting machines rather than DRE machines. In Ohio - one of the few places where presidential candidates insisted on a recount - a statistically-meaningless sample was fraudulently recounted and then all the ballots were destroyed. This isn't a conspiracy theory, it's a matter of public record - google it if you want evidence.
Now that doesn't mean that automatic ballot counting machines can't be a legitimate part of a democratic election, but it does strongly imply that simply having paper ballots isn't good enough on its own. The rules and procedures must be such that observers can verify that the votes have been counted legitimately - and if statistical methods are used to simplify things, they need to be understood and properly used by the election officials involved.
IRV is innately flawed, and the fix for it (any of the Condorcet methods) is too complicated to quickly explain - which is an unacceptable property for a voting system to be used in a democratic society. On the other hand, "first past the post" is also unacceptable.
The only acceptable answer that I've discovered is Approval Voting. It fixes the basic problems with first-past-the-post and IRV while being conceptually simpler than any of the ranked voting systems.
If you're not convinced because Approval Voting seems "odd", think about how it would work in a real election and consider what effect the strategies that people would suggest and use would have on election outcomes. I'd expect the results to be as good as could be expected from a voting system to elect a single person.
But even if it wasn't, it wouldn't make electronic-ballot voting systems trustworthy. Making it so that some of the people who could have hacked the voting system would lose their "IT license" if they were found out changes absolutely nothing - it was already a felony to tamper with an election to begin with.
With a standard paper-ballot voting procedure there are no trusted personnel who can tamper with votes. Not the voting officials, not the party observers, not even the country judge. The failure case for that is that if every election official and observer at a given counting location is corrupt, that one count will be wrong (and no other count will be affected).
We wouldn't let a judge, or an army general, or the Pope, or *anyone* spend alone time with a single box of paper ballots. What makes you think that trusting "Guild Programmers" with the code that will count *every* vote is somehow even slightly more acceptable than it would be with random programmers?
There is a procedure for a paper-ballot election that can be followed to produce a reasonably trustworthy election. Any person can observe and verify that all the necessary steps were followed for a given voting place and ballot box - and if they do so they will personally have seen with their own eyes that those ballots were produced and counted properly and the result is valid.
There is no such procedure for an electronic-ballot election that is even vaguely practical. In order for an observer to have the same level of trust in the result they would need to be an electrical engineer who hand built every voting machine from simple chips (nothing so complicated it can't be exhaustively tested - definitely no microprocessors), physically watch the machines until the vote occurred, and then perform the vote tallying procedure by hand themselves.
I guess a person could do that. Hell, I could probably do that. But designing a vote so that only one person can possibly trust it sort of misses the point of voting at all.
What I'm trying to say is that no-one can audit an electronic-ballot election. It was implied that only some people, experts in the field, can see if a voting event is legitimate - and as someone in the general vicinity of that category I'm calling BS - honestly auditing an electronic-ballot election is impossible with any reasonable amount of effort.
First, there are cryptographic means of preventing data from being tampered with tracelessly.
Cryptography is neat, but it's not magic dust that you can sprinkle on things and make them secure. There are specific algorithms and protocols that have specific properties, and not a single one of those properties is "you can know what a given electronic device does by looking at it". Unfortunately, that property is absolutely essential for any of the electronic-ballot systems I've seen to be trustworthy at all.
Just because a problem seems difficult and complicated to you doesn't justify trying to claim that there's no solution.
And just because you know of ways to exert massive engineering effort to solve small pieces of a problem doesn't mean that it will be possible to solve the entire problem at once in the real world. Voting systems require a set of security properties, and no complete electronic voting system that I've looked at can satisfy them.
There are cryptographic voting protocols that would allow a group of mathematicians to sit down with pencils and paper and have an election with no mutual trust. The minute you try to implement those protocols in hardware or software, you get into an utter mess of trusted parties which utterly wreck all of the interesting security properties of the protocols for a voting system.
I've actually taken the time to sit down and understand the cryptographic protocols that apply to this problem, what properties they have, and why the cryptographic algorithms involved ensure those properties. Have you?
We can. We, computer-savvy people who understand computers and who can test, probe and verify the mechanisms behind the machines. Joe Average cannot.
Can we? I'm about six months short of my bachelor's degree in CS, and I couldn't examine a computer voting machine and determine that it was trustworthy in any reasonable amount of time. With a properly marked paper ballot, anyone can tell you what it says and any attempt to change it requires at least a couple of seconds alone with it. With a flash memory card, who knows? A person can't say *anything* about what's stored on it without putting it in a reader, and any reader device can trivially and tracelessly change the data in milliseconds.
So not only is your point absolutely correct - it's understated. We absolutely do need a system where "everyone can read" the ballots, and any sort of electronic ballot system is a system where *no-one* can read them. Obviously Joe Average can't, but even the engineers who built the thing can't read the ballots directly.
The simplest answer is this: The party volunteers don't get to leave until they agree on the counts.
But if that's too simple for you, any number of dispute resolution procedures will work fine.
Does this voting protocol have the property that a layman can watch what happens on election day and personally understand that the vote was legitimate?
If not, it's not acceptable for a democracy.
You're doing it wrong.
Your idea is stupid.