Slashdot Mirror


User: JoelKatz

JoelKatz's activity in the archive.

Comments · 715

  1. Re:You haven't thought much about it, have you? on Paper Trails Don't Ensure Accurate E-Voting Totals · · Score: 1

    "What I don't understand is this: how can you stop the voting machine from adding fake votes?
    Let's say I voted and asked for no coercion receipts. And then, automatically, the machine creates a fake coercion entry, but rather than adding 1 to each candidate, adds n votes to candidate-who-happens-to-be-a-friend-of-machine-creator and zero to the others (and also creates one coercion entry). In this case I will check with my only receipt and it will be ok (my vote will be validated). But I cannot check that no other vote has been done in my name..."

    In order for the machine to add 10 votes to a candidate, it has to actually generate 10 votes and pass them on (each vote is an individual object, not just an incremented counter). At each hourly audit, the following check is done:

    1) The number of votes is counted for each candidate, for no candidate, and coercion votes.

    2) The number of coercion votes is multiplied by the number of candidates and subtracted from the number of votes for each candidate or for no candidate.

    3) This number is compared to the number of voters for that hour.

    Any extra votes injected into the system will thus be caught within an hour. It will be known which polling place and which hour they were injected.

    In other words, for each coercion vote generated, a vote is generated for each candidate. In the final tally, the number of coercion votes is subtracted from the count for each candidate. This total must equal the number of real votes cast.

    If you opt not to cast any vote at all, you will be given an "I chose not to vote (in this race)" receipt. You may keep that receipt to make sure your vote appears in the final tally. This is counted as a vote, so the machine cannot put in votes for voters who choose not to vote in a particular race.

    If you are worried about people being pressured not to vote, you can include an "I chose not to vote" receipt in the coercion system and adjust the totaling process to compensate.

    Again, I am not arguing that any of these systems are practical or that they are the best or that we should switch to them immediately. What I am arguing is that these systems prove that cryptographic voting systems can do many things that it is commonly believed are impossible. For example, they can allow a voter to convince himself that his individual vote is properly reflected in the final tally without allowing him to prove how he voted. Some have argued that this is impossible.

    Note that I never said this system could prevent extra votes from being injected. And the paper ballot systems we are comparing it to don't prevent that. So that really doesn't matter. This system isn't intended to show that we can prevent extra votes from being injected. It is only intended to show that cryptographic systems can provide the same assurances a paper drop system provides.

    Also, someone at the polling place can drop in extra votes in such a system. Or simply let in 50 of their friends to vote multiple times. These systems aren't aimed at that vulnerability.

    Obviously, an actual practical system would have to address all vulnerabilities.

  2. Re:What do you expect ? on Paper Trails Don't Ensure Accurate E-Voting Totals · · Score: 1

    ""Okay I get the idea that you can "vote" evenly across the field -- this of course makes checking for other types of voter fraud -- too many votes, very difficult if not impossible, because now the number of votes cast is almost meaningless.""

    Not at all. The total number of "real" votes still must equal the number of voters. The total number of real votes is just a bit more difficult to count.

    One way to do it is to create a "vote for no candidate" for any voter who does not select a candidate in a particular race. For a coercion vote, you also generate a "no candidate" vote. Then the total number of votes for each candidate, plus the no candidate votes, minus the number of coercion votes multiplied by the number of candidates plus one must equal the number of voters.

    Now doing this for the election as a whole wouldn't be particularly useful, because it almost certainly would be off by something and you would not know what. But doing it by polling place is of much more value. You can actually investigate any discrepancies.

    This can be done hourly at each polling place.

    "Additionally, the percent of the vote will be much closer. But assuming you are not worried about old fashion fraud --> the dead voting, this would work."

    That's, of course, still a big problem. None of the proposed voting systems do anything about the basic problem of who you allow into the voting booth.

    "But it also requires an electorate that validates its own votes."

    Or political parties or civics groups that do it for them. The higher the percentage of validated votes, the better.

    "There is also the worry about someone with access to the voting hardware intentionally undermining the integrity of the vote. With full access to the voting machine (in particular whatever "keys" it is using to sign the votes), I could easily generate fake voting slips that would not be on the official register."

    That's why each voting area would have its own key. I would use a hierarchical PKI scheme. That way, if there was fraud, you would know at what level it occurred and could isolate the pool of potentially impacted votes.

    There are quite a few other techniques, varying from the simple to the complex, designed to mitigate exactly this type of fraud. Honestly, it's not as difficult as you might think.

    One way is to keep a real-time log of votes cast with a system at the polling place designed by a different company and physically sealed. It could report by telephone to a master center hourly.

    "I could then invalidate/call into question the results of polls that are not favorable to my candidate."

    Well, you can always do that. The question is what evidence can you muster that the results are unfair and what evidence is there that they are fair.

  3. Re:Wow, that is one clueless lawyer on City Fights Blogger On Display of Public Information · · Score: 1

    I'm not sure it's clear to anyone reading this just how funny your observation is.

    Let's assume she's right and that communication did contain privileged information. The attorney-client privilege exists solely for the benefit of the client and covers information the client shares with their attorney.

    That is, she is saying that she sent Google information that the City shared with her in confidence.

  4. Re:Wow, that is one clueless lawyer on City Fights Blogger On Display of Public Information · · Score: 1

    He actually had a fourth strike. He missed the obvious slam dunk argument. The pay stubs are not subject to copyright because they contain no significant expressive or creative content. Every bit of content in them is purely functional.

    Maybe they had a colorful background image of a beautiful young woman running through the grass towards a gazebo with a unicorn in it?

    It is totally obvious here that the city was trying to suppress factual information. You can't do that with copyright.

  5. Re:You haven't thought much about it, have you? on Paper Trails Don't Ensure Accurate E-Voting Totals · · Score: 1

    "How is this any different from no paper trail at all? If you can't prove the paper receipt is for a real vote, how is it useful in any way?"

    Because if it happens to be for a real vote, and that real vote is not counted, you can prove that the vote wasn't counted. So if you choose to keep the receipt for your real vote, which you always can, you will know if your vote is not counted and can prove that someone's vote was not counted.

    Perhaps you missed that for every vote that's not "real", a vote is generated for each candidate and a special "coercion" vote is generated. These votes are mixed in with the real votes and can be verified the same way. In the end, each candidate's vote is tallied and from that tally, the number of coercion votes is subtracted.

    You can't tamper with coercion votes for three reasons:

    1) Someone might have kept all the receipts. So if you tamper with any coercion votes, you risk detection.

    2) The total number of candidate votes, minus the number of coercion votes multiplied by the number of candidates must equal the total number of voters. So you cannot add or remove votes without detection.

    3) You can dual path the votes. One way would be to let voters scan their receipts inside the polling place into a system that feeds the receipts to independent auditors from multiple parties each free to use their own software. You could even do this wirelessly.

    Note that votes would be cryptographically signed by polling place. So if a key or polling place was compromised, you could at least isolate the potentially compromised pool of votes.

    Note also that I'm not advocating that we actually do this. I'm saying this proves that it's possible for a voter to know that their vote was counted without being able to prove how they voted. I'm responding to the argument that that's impossible. It's not.

    I'm saying that people who say that the laws of the universe require that we trust that voting systems are properly implemented because there's simply no way to design a system that's inherently nearly tamper-proof are wrong. Such systems *can* be designed. (Though they are not quite practical yet, that may change very soon.)

  6. Re:You totally misunderstand where it's insecure on Paper Trails Don't Ensure Accurate E-Voting Totals · · Score: 1

    My whole point is that you don't have to trust the people who make the system, and because you don't have to, you shouldn't. First it seems that you don't agree with this, but then you say this:

    "In summary, I totally agree that a hypothetically secure system could be fairly secure against a random attacker, and that what we actually have looks like it was written with monkeys and typewriters by comparison, giving us banana democracy at best. The current system isn't just hackable, it's SO hackable it's almost definitely been done - and we KNOW that they waved their magic wand and threw out results after obvious problems in a bunch of different areas; Diebold techs basically said some vote counts that even their machines didn't say, and that's who got elected."

    Now that's where I 100% agree with you. The proofs that we can have systems that are secure all make us wonder why we don't have systems that are secure. And as I see that, there are only a few possible reasons and I'm not happy with any of them:

    1) The voting machine manufacturers really don't care if the machines are secure. They'll sell anyway, so why bother doing it right?

    2) The voting machine manufacturers want their machines to be insecure because they benefit from vote tampering.

    3) The voting machine manufacturers are really trying their best to make these systems secure, but they're just too incompetent to do it.

    None of these should be tolerated.

    By showing that secure, trustable cryptographic schemes can be generated, people seem to think I'm arguing that therefore we should accept any scheme that comes along. Quite the reverse, because we can have secure schemes where you don't have to trust the manufacturers, we should reject insecure schemes.

    And damn it, we need someone in the decision process who is smart enough to be able to tell the difference.

  7. Re:What do you expect ? on Paper Trails Don't Ensure Accurate E-Voting Totals · · Score: 1

    ""I don't dispute that, as I understand it the main goal of your scheme is to allow the voter to verify to him/herself that their vote was counted correctly,""

    Correct.

    ""but as another poster said this is a "red herring". The problem with voter verification after the fact is: if a voter can "prove" to themselves their vote was correctly counted after the fact then it is no longer a secret ballot, ie: the voter can be coerced/forced to "prove" how they voted, it's common knowledge Saddam obtained his famous 99% results using this particular technique in an unusually systematic and ruthless manner.""

    For the last goddamn time, NO, this is not true. This is true if and only if the receipts contain both who was voted for and who cast the vote. Nobody is suggesting the receipts contain both of these pieces of information.

    Please read any of my 500 other comments where I explain in detail why a voter cannot prove how they voted in this system.

  8. Re:What do you expect ? on Paper Trails Don't Ensure Accurate E-Voting Totals · · Score: 1

    ""And I can be coerced into recording my voter id to prove my vote later""

    No, that's physically impossible. You could simply push the coercion button (which casts one vote for each candidate and one 'coercion' vote and does not count as your vote - these are canceled out in the final tally), take the coercion vote for the appropriate candidate, and write down that voter id. Nobody could prove that that id was not yours.

    ""or choose to record it, to sell my vote. Either way, there is no anonymity.""

    How would anyone know that was in fact your id? There is anonymity because it is impossible to map an id to a voter.

    Because these schemes would not work, there would be no point in anyone even attempting these things. You can cast your vote for any candidate and still walk out with any number of vote receipts for any candidate.

    The basic idea is this, say there are 4 candidates. We make 5 tallies, one for each candidate's votes and one for each coercion vote. We subtract the coercion tally from each candidate's final tally.

    Suppose you want to vote for candidate 1 but walk out with 2 receipts for candidate 3 and 1 receipt for candidate 4. Just vote for candidate 1, push the coercion button twice, and keep the appropriate receipts. Nobody can tell from those receipts how you voted. You would have cast 2 votes for candidate 1, 1 for every other candidate, and 1 coercion vote. In the final tally, the net effect would just be your one real vote for candidate 1.

    Some people might push the coercion button and keep all their receipts, so you can't tamper with coercion votes. You can't add extra votes because the total number of candidate votes minus the total number of coercion votes multiplied by the number of candidates must equal the number of real votes cast.

    Do you get that you can cast a vote for any candidate and still walk out with any number of vote receipts (or none) for any and all candidates?

  9. Re:READ. THE. ARTICLE. on Theo de Raadt On Relicensing BSD Code · · Score: 1

    ""The BSD license (which some of the files in question are exclusively licensed under, before anybody brings out the "dual license" answer) has, as part of its terms, a requirement to reproduce the license notice in a source distribution of a derived work. Removing the license notice, thus, violates the license.""

    I agree. If Theo had accused them of a notice violation he would be right. But that's not what Theo said. RTFA. He accuses them of affecting recipients' substantive rights to the original work, which is impossible.

    ""Even if there wasn't that clause, if you deliberately change the license notice of the work, you are certainly misrepresenting the license that you and your recipients have to that code. That is, at the very least, sketchy.""

    If that were true, there could be no dual-licensed works. Any time you removed one license, you would be misrepresenting the rights recipients have to those elements in the work that are in the original. (Since the recipients still get both licenses from the original author and you cannot stop that.)

  10. Re:mod parent up on Paper Trails Don't Ensure Accurate E-Voting Totals · · Score: 1

    "Assured how? At the end of the day, all you have is a piece of paper with a number on it. You are still just taking the election officials at their word that your number means something about the election."

    You are assured because if the ID on your piece of paper does not appear on the list of votes for the candidate on your piece of paper, you have cryptographic proof that that ID cast a vote for that candidate. When the results come out, you can check if your ID (although only you know it's yours) appears on the list of votes for your candidate. If it does not, you can prove that that vote was not counted (though you cannot prove it was your vote, you can prove it was validly cast but not counted).

  11. Re:The problem is like this on Paper Trails Don't Ensure Accurate E-Voting Totals · · Score: 1

    "Does it much matter whose ticket it is? If the ticket proves that somebody voted for Mr. Millionaire, and tickets are impractical to forge, then Mr. Millionaire will pay the $100 bribe in return for any ticket that indicates a vote for him. Perhaps a few people will try to swap tickets with someone else in order to vote for who they want and still get the $100 bribe, but many people would just do the easy thing and vote for Mr. Millionaire, take the ticket they are issued, and collect their $100. Enough people to swing the election to Mr. Millionaire, anyway."

    No, that won't work. All that will happen is everybody will push the coercion button and Mr. Millionaire will pay $100 for votes that aren't real. He won't be able to tell which is which.

    Remember, the coercion button doesn't count as your vote and casts one vote for every candidate as well as one "coercion" vote. When the final tally is made, the number of coercion votes is subtracted from the number of votes cast.

    So since he will wind up paying for votes that will be canceled out by coercion votes, and can't tell real votes from coercion votes, he simply wouldn't offer the money.

    "Okay, but doesn't that defeat the purpose? If I have receipts showing I voted for all five candidates, how can I prove to myself which one my vote was actually counted for?"

    That wasn't your vote, that was you pushing the coercion button. Pushing the coercion button is an option you may do after your vote or all by itself if you prefer not to vote. If you vote for all five candidates by pushing the coercion button, the net effect is zero (you cast a +1 and -1 vote for everyone). This does not count as your vote.

    If you vote for candidate X then push the coercion button and there are 5 candidates, you will cast two votes for X, one vote for every other candidate, and one coercion vote (a -1 for every candidate). It will sum to one vote for X, as it should. You can walk out with a fully valid ticket for a vote for any candidate you choose, or all of them.

    If someone demands you produce a second vote ticket for X, simply push the coercion button twice. Keep two X tickets and one for everyone else.

    The point is, you cannot cast more than one effective vote, you can vote for anyone you choose, and you can walk out with as many tickets for any candidates as you would like. You can prove that any votes whose tickets you retain are properly counted.
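
The coercion-button arithmetic from the comments above (one vote per candidate plus one "coercion" vote per press, subtracted in the final tally, with the total checked against the number of voters), worked through in Python. This is an added example, not part of the original comments: the class and function names are hypothetical, receipt IDs are plain random strings, and the per-polling-place signatures are left out.

```python
import secrets
from collections import Counter
from dataclasses import dataclass

COERCION = "COERCION"   # marker vote emitted once per press of the coercion button
NO_VOTE = "NO_VOTE"     # "I chose not to vote (in this race)" receipt


@dataclass(frozen=True)
class Vote:
    receipt_id: str  # random ID; carries nothing that identifies the voter
    choice: str      # a candidate name, NO_VOTE, or COERCION


class PollingPlace:
    def __init__(self, candidates):
        self.candidates = list(candidates)
        self.votes = []   # every vote is an individual object, not a counter
        self.voters = 0   # head count kept independently of the vote list

    def _emit(self, choice):
        vote = Vote(secrets.token_hex(8), choice)
        self.votes.append(vote)
        return vote

    def session(self, choice=None, coercion_presses=0):
        """One voter: one real vote (or NO_VOTE), then optional coercion presses.

        Returns every receipt handed to the voter, real vote first.
        """
        self.voters += 1
        receipts = [self._emit(choice if choice is not None else NO_VOTE)]
        for _ in range(coercion_presses):
            receipts += [self._emit(c) for c in self.candidates]
            receipts.append(self._emit(COERCION))
        return receipts


def net_tally(votes, candidates):
    """Per-candidate count with the coercion count subtracted from each."""
    counts = Counter(v.choice for v in votes)
    return {c: counts[c] - counts[COERCION] for c in candidates}


def audit_discrepancy(votes, candidates, voters):
    """Candidate votes + no-vote receipts - coercion votes * number of candidates,
    compared with the head count. 0 means the list matches the voters."""
    counts = Counter(v.choice for v in votes)
    real = (sum(counts[c] for c in candidates) + counts[NO_VOTE]
            - counts[COERCION] * len(candidates))
    return real - voters


def receipt_counted(receipt, published):
    """A voter (or a group scanning receipts) looks a receipt up in the list."""
    return receipt in published


def demo():
    # Constructed scenario: five candidates, three voters in one audit period.
    place = PollingPlace(["A", "B", "C", "D", "E"])
    kept = place.session("A", coercion_presses=1)  # votes A, presses button once
    place.session("B")
    place.session(None)                            # chooses not to vote
    clean = list(place.votes)

    # Ten extra votes for C appended to the published list.
    injected = clean + [Vote(secrets.token_hex(8), "C") for _ in range(10)]
    # The first voter's real vote dropped from the published list.
    suppressed = [v for v in clean if v != kept[0]]

    def check(votes):
        return audit_discrepancy(votes, place.candidates, place.voters)

    return {
        "receipts_held": Counter(v.choice for v in kept),
        "tally": net_tally(clean, place.candidates),
        "clean": check(clean),
        "injected": check(injected),
        "suppressed": check(suppressed),
        "kept_receipt_found": receipt_counted(kept[0], suppressed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The first voter leaves with two A receipts and one for every other candidate, yet the net tally credits A with one vote; the appended and dropped votes show up as nonzero discrepancies for that polling place and period.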

  12. Re:You haven't thought much about it, have you? on Paper Trails Don't Ensure Accurate E-Voting Totals · · Score: 1

    I don't understand how you could so seriously misunderstand what I'm saying. Where are you getting this "no vote for this serial number" concept from? I'll try it again:

    You vote for the candidate you want. You get a receipt. It doesn't say who you are, but it says who you voted for. You may keep this receipt to prove that your vote was counted. You may throw it away.

    If you are coerced, you may push the coercion button as many times as you like. Each time a set of votes will be created, one for each candidate and one "for the coercion button". You will get receipts for all of these votes and they will all be counted. You may keep or throw out any of these receipts.

    When the final vote tally is made, the count of coercion votes is subtracted from the count for each candidate. So all the votes but your one real vote cancel out.

    There is no combination of receipts that you can keep in this scheme that proves you voted for any particular candidate. You can walk out of that room with *any* combination of vote receipts for any of the candidates.

    Some people who are not coerced might push the coercion button anyway and keep *all* their receipts. So if you methodically suppress any votes, you stand a good chance of getting caught. There are simple ways to increase this chance to essentially certainty.

    For example, you can pass all the receipts through a bar code reader that reports them to a separate system made by another company. It can be as simple as a bar code reader going into a logger.

    (I'm not suggesting that this is a practical scheme. It just proves that it's possible to issue such receipts and still not have a voter able to prove how he voted. All I'm trying to do in the thread is rebut misconceptions about what's possible in a cryptographic voting system.)

    I think I've responded with more comments here than all my other /. comments combined. So I'll stop. This isn't the place to hold a back-and-forth debate. I hope I've stated my views clearly enough for them to come through.

  13. Re:It's about the SCALE of the fraud and TRUST in on Paper Trails Don't Ensure Accurate E-Voting Totals · · Score: 1

    My apologies. I thought you were the same person who made that original argument. A second after I submitted I realized you weren't. In any event, most of my argument still stands.

    When someone makes an incorrect argument, if I think that argument is incorrect, I'll say so. I will do this even if the argument argues for something I agree with. I believe that you should kill with legal blows.

    If someone said, "because two plus two is four, you shouldn't torture innocent children", I might reply that this argument makes no sense and that's not a reason you shouldn't torture innocent children. You'd be right there to argue that I'm missing/avoiding all the other arguments why you shouldn't torture innocent children, and you would be right. However, your comment would also be irrelevant unless I said you should torture innocent children. So long as I stuck to rebutting his comment, your comment is unjustified.

    Why should I address arguments people haven't made when they *are* making bad arguments? There's no point in addressing arguments that are *correct* other than to say "me too". In any event, for just this reason, I did add "me toos" to many of my comments in this thread, where I make it clear that I'm rebutting invalid arguments even though they sometimes argue for things I agree with (for other reasons entirely).

    There's a very specific reason why I bother. We won't get good voting systems if we don't understand what's possible, what we really want, and how to judge voting systems. Bad arguments muddy this pool. So I make it a point to refute them even when I agree with the position they're arguing for.

    We all win when it's a clean fight. That way, the best voting system runs.

    Here's another "me too" just in case you missed the other three:
    Right now the best voting system is probably the "paper vote drop" system discussed elsewhere. The only problem with that system is if the machine drops a ballot with the wrong vote even if you didn't ask it to. The only thing you can do is go to a poll worker and say, "Hey! I voted for X and it dropped a vote for Y even though I pressed X and then when it printed Y I pushed cancel." It's not clear what a poll worker should do in that case. Otherwise, it's an excellent system -- easy to understand and hard to screw up, and that's important.

  14. Re:It's about the SCALE of the fraud and TRUST in on Paper Trails Don't Ensure Accurate E-Voting Totals · · Score: 1

    Let's go back to your point that I was responding to. You said:

    "Any hypothetical electronic system, no matter how secure, is vulnerable to basically _universal_, unauditable fraud by a tiny number of conspirators in the right place - as low as 1. Any kind of cryptographic system can be defeated by the guy who actually controls where the actually-compiled source code - and the COMPILER source code - came from. Even in an OSS system, it's awfully hard to prove that's really the source that's being compiled and that it's being done by a fair compiler."

    I responded to this because it was wrong. I showed that it was wrong. I am not "missing (avoiding)" the point you are only now making.

    I fully understand and agree with your new point. I never said otherwise.

    I'm being honest and admitting that your completely new argument is right. Now, will you be as honest as me and admit that your original argument (the one I quoted above) is wrong?

    Do you see the difference between these two arguments:

    1) We should use cryptographic voting scheme X because it's the best.

    2) Hypothetical cryptographic voting scheme X has property Y, proving that it is possible for that type of voting system to have that property.

    I am making an argument of type 2. You are now responding as if it was an argument of type 1.

  15. Re:The problem is like this on Paper Trails Don't Ensure Accurate E-Voting Totals · · Score: 1

    "Some of those aren't even easy to legislate against. E.g., how would you legislate against parents demanding to see their 21 year old son's ticket?"

    Did you read anything I wrote? That's simply *IMPOSSIBLE*. The tickets don't say whose they are, so there's no way their son can prove which ticket is his.

    If it makes you happy, imagine there's a button on the machine that says "coercion" on it. When you press it, it generates one vote for each candidate and one "I created a vote for each candidate" vote. You are given a receipt for every single one of those votes, all indistinguishable from a regular receipt.

    You can discard every one of those receipts except the one for the "right" candidate, so you have that to show. You then vote for the candidate you really want to win, and throw that receipt away along with the others.

    Some of the people who do this will not be coerced and will actually keep all the vote receipts. So the machine had better not suppress any of those votes.

    All of the schemes proposed make it impossible for any voter to prove who they voted for.

    "Also remember that it's not enough to hold on to it for 5 minutes. You must hold on to it all the way to the recounts, at least. If you just prove before leaving that the machine still has your vote, then there's nothing to say someone can't flip the votes in the database later."

    If they do that, and you did keep the receipt, they are totally screwed. That would be an extremely dangerous thing to do. If civics groups collect receipts outside of voting areas (or just scan them into their database) they can check en masse in the final results. Anyone doing that would likely get caught.

    "The problem is this: any proof of how you voted, can be used for electoral fraud by itself."

    I agree. That's why nobody is suggesting a receipt that identifies both the voter and the vote.

  16. Re:What do you expect ? on Paper Trails Don't Ensure Accurate E-Voting Totals · · Score: 1

    ""Remember that the voter can be coerced into cooperation.""

    If that's true then there's nothing you can do. If you coerce the voter into cooperating, simply coerce him into voting for the candidate of your choice, and you're done.

    However, I don't think the voter can be coerced into cooperation unless it's possible for the voter to prove how he voted. None of the systems discussed make this possible. So I would argue that the voter cannot be coerced into cooperation in any of these systems.

    ""So it becomes "prove us that you voted Bush or you'll be fired!", doesn't change a damn thing for the outcome. You could make it so that the voter can give a false "secret" that shows a vote he didn't make but how is he going to prove to a regulator that he gave a correct secret? Will the verification interface contain false records a voter can peruse to give a false secret? Then how can he be sure it's his real secret that got counted instead of the machine tagging his false secret as his vote?""

    There are many ways. One easy to understand way is to immediately generate one false vote for each candidate and provide the voter all the receipts. You mix all these false votes in with the real votes and also produce one "I added a false vote for everyone" vote, for which you also give the voter a receipt. He may keep or throw out any of these receipts he pleases.

    Of course, the net result is that he can't prove he voted for Bush no matter how hard he tries. So everyone gets fired.

    I'm not suggesting we actually do this. I'm saying that this proves that the problem can be solved.

  17. Re:It's about the SCALE of the fraud and TRUST in on Paper Trails Don't Ensure Accurate E-Voting Totals · · Score: 1

    "Any hypothetical electronic system, no matter how secure, is vulnerable to basically _universal_, unauditable fraud by a tiny number of conspirators in the right place - as low as 1. Any kind of cryptographic system can be defeated by the guy who actually controls where the actually-compiled source code - and the COMPILER source code - came from. Even in an OSS system, it's awfully hard to prove that's really the source that's being compiled and that it's being done by a fair compiler."

    That is simply not true. I presented a hypothetical electronic system in the comments (admittedly not a practical one, but you said hypothetical too) where it is essentially mathematically impossible for the machine to produce incorrect votes without being detected almost immediately.

    If it added extra votes, the tallies wouldn't match. This would be caught by those supervising the machine locally.

    If it suppressed valid votes, the receipts wouldn't appear in the aggregates. This would be caught by those supervising the machine locally.

    If the aggregates didn't match what was in the final vote results, this would be caught by anyone who verified a vote receipt against the final results. Local officials could definitely keep a copy of the aggregates they verified, so they can check them against what was finally submitted.

    I suppose you have to trust things like laptops to actually keep the numbers on. Ideally, you'd have an open standard and you'd use spreadsheets, voting machines, and verifying machines made by different manufacturers. Poll monitors from each party could use their own hardware and software to store and track information. You'd need a huge conspiracy to tamper with all of this.

    There are actually ways to eliminate even that, but they get very complicated. One way is if you think you can rely on hardware tokens to not be backdoored, but these are validated by government agencies and very simple.

    I do agree that you have to trust something, somewhere. But I think you can solve that. For example, you have to generate master keys, but you can do that at a ceremony attended by both parties using crypto hardware that prohibits key extraction.

    Again, we don't quite know how to do all of this practically yet. But I think it's a huge mistake to say no *hypothetical* system can do this.

    Of course, I think we would all agree that the vast majority (all?) of currently available electronic voting machines that don't provide paper audit trails produce electronic counts that should not be trusted and that are much too easy to tamper with on a massive scale. But this is largely because they don't use or misuse cryptographic principles. It's not due to any inherent flaw in electronic voting (except perhaps that complexity is necessary and complexity can lead to mistakes.)

    If you want to argue that nobody, not even any organization, is smart enough to make sure any such system is as secure as it's supposed to be, that might be true for quite some time.
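The checks this comment relies on (extra votes break the count, suppressed or altered votes leave a receipt unmatched, and the final results must equal what was verified locally), as an added Python example that is not part of the original comment. The data layout, the function names and the declared `fictitious_sets` count are assumptions, and all sample votes are constructed.

```python
import hashlib
from collections import Counter

CANDIDATES = ("A", "B")  # constructed two-candidate race

def digest(votes):
    """Order-independent fingerprint of a vote list, kept by local officials."""
    lines = sorted(f"{vid}:{choice}" for vid, choice in votes)
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()

def audit(published, checked_in, receipts, fictitious_sets=0, final=None):
    """Run the checks; return a list of (finding, detail). Empty list = clean.

    published       -- (vote_id, choice) pairs the machine passed on locally
    checked_in      -- voter count kept by poll workers, not by the machine
    receipts        -- (vote_id, choice) receipts voters showed to monitors
    fictitious_sets -- assumed declared count of balanced sets (one per candidate)
    final           -- the list as it appears in the final results, if known
    """
    findings = []
    # Extra or suppressed votes: real votes must equal voters who checked in.
    real = len(published) - fictitious_sets * len(CANDIDATES)
    if real != checked_in:
        findings.append(("count_mismatch", real - checked_in))
    # A receipt must appear in the published list with the same choice.
    recorded = {}
    for vid, choice in published:
        recorded.setdefault(vid, set()).add(choice)
    bad = sorted(vid for vid, choice in receipts
                 if recorded.get(vid) != {choice})
    if bad:
        findings.append(("receipt_not_matched", bad))
    # The final results must be the list that was verified locally.
    if final is not None and digest(final) != digest(published):
        findings.append(("final_differs_from_local", None))
    return findings

def net_tally(published, fictitious_sets=0):
    """Per-candidate count after subtracting the balanced fictitious votes."""
    counts = Counter(choice for _, choice in published)
    return {c: counts[c] - fictitious_sets for c in CANDIDATES}

# Constructed data: three voters, random-looking vote IDs.
HONEST = [("7f3a", "A"), ("c210", "B"), ("9be4", "A")]
RECEIPTS = [("7f3a", "A"), ("9be4", "A")]
STUFFED = HONEST + [("0001", "B"), ("0002", "B")]        # extra votes added
FLIPPED = [("7f3a", "A"), ("c210", "B"), ("9be4", "B")]  # recorded != receipt
DROPPED = HONEST[:2]                                     # valid vote suppressed

if __name__ == "__main__":
    for name, votes in [("honest", HONEST), ("stuffed", STUFFED),
                        ("flipped", FLIPPED), ("dropped", DROPPED)]:
        print(name, audit(votes, 3, RECEIPTS))
```

The count check only works because `checked_in` comes from the poll workers rather than from the machine being audited.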

  18. Re:What do you expect ? on Paper Trails Don't Ensure Accurate E-Voting Totals · · Score: 1

    "As a degree qualified developer with 20yrs commercial experience it is my considered (and privately researched) opinion that there is no "safe" way for a machine to count votes, the human counting system is by far the most fault tolerant system."

    Can they at least use calculators? Can they enter the votes into a spreadsheet? I think we've reached the point where humans are going to have to use machines to count the votes.

    In any event, the schemes I've discussed don't really use machines to count the votes. (The output produced by the machines is not a count but a list of individual votes. Those individual votes can then be counted any way you want.)

  19. Re:Paper Trails Ranked By Value on Paper Trails Don't Ensure Accurate E-Voting Totals · · Score: 2, Interesting

    "Are you suggesting handing out fictitious receipts or random receipts of other people's votes?"

    No. I'm not suggesting doing anything. Just proving what's possible.

    You can only hand out fictitious receipts if you create the same number of such receipts for each candidate and then subtract them later. This is possible, though it seems kind of inelegant.

    Handing out other people's votes, why not? (So long as the voter can't be identified, of course.) That a vote was cast for a particular candidate is a matter of public record.

    "The problem is that, either way, if I'm receiving a bribe to vote a certain way then I want a receipt that says how I voted. If I can't control how my fake receipt reads, I might as well vote as instructed and only ask for a single, accurate, receipt. If I can control how my fake receipt reads, I can cheat the bad guy by requesting a receipt that contains a given vote, but that means that either I get a fictitious receipt or someone else's. The former is easy to defeat, since the bad guy just has to check the published results and see if the receipt he was given appears on it."

    The fictitious results could be included and not identified as fictitious. This is a bit tricky as you need a verified system to make sure the same number of fictitious votes are created for each candidate. Ideally, it would also make it as hard as possible to know which votes were fictitious. It's possible, but not particularly practical.

    "The latter means that early voters have fewer receipts to choose between (heck, the first voter won't be able to get *any* other receipts), which makes it easier for the bad guy to tell he's being cheated, so it's safer to only ask for the single receipt."

    I agree. Any practical system would have to solve this. It's clearly possible to solve it, though not clear that there's an elegant solution for it that we can all be happy with.

    Again, we don't know what voting system is best yet. One of the reasons is that people have incorrect assumptions about what they want in a voting system. I'm trying to break those assumptions.

    For example, one incorrect assumption is "you can't let a voter prove his vote was counted without making it possible for a voter to prove how he voted". The scheme I discuss above proves this assumption is true. Hopefully this will result in people fixing their requirements so instead of saying "no voter receipts are acceptable" they will correctly read "it should be as difficult as possible for a person to prove to anyone else that they voted a particular way".

    I'm trying to do only two things:

    1) Get people to refine their requirements so they say what they actually want, not what they assume is possible. (Because many things might be possible that they can't think of. We need to know the requirements so innovations can be made and applied.)

    2) Prove that it's possible to have cryptographic verifications that go beyond what a "drop a ballot in a box" system can provide.

  20. Re:What do you expect ? on Paper Trails Don't Ensure Accurate E-Voting Totals · · Score: 1

    I think you completely missed the point. The point is not to actually implement the voting system as described. The point is to show that you can have a system where a voter can prove that his vote wasn't counted or was miscounted if it in fact is without him being able to prove who he voted for. The point is to show that you can have voting receipts without it being possible to pressure people to vote a particular way.

    The point is to prove that cryptographic systems can make specific types of vote rigging much more difficult in ways that just a paper trail cannot. The point is to get people to re-examine their assumptions and realize that when they say "voting receipts are bad" they mean "a voter should not be able to prove how they voted".

    The point is to get people to understand what they actually *want* in a voting system so they have some kind of chance of *getting* what they want. The point is to clear up the misconception that cryptographic systems can't be used to validate the actual tally.

    "If you do away completely with any tangible ballot, like a paper ballot, please tell me how the voter is to determine by himself that what is displayed on the screen corresponds to the real vote, which is a tiny electric charge deep down in the machine. Until you've solved that issue, all the rest is moot."

    There are any number of ways you could do this. Remember, I'm not advocating a particular scheme, just proving what is possible. One way is a paper voting receipt with the vote ID, who was voted for, and cryptographic signature. Another way is by giving the voter a vote tracking device made by another manufacturer that he can plug into the voting machine and that he can use to verify his vote's cryptographic signature. There are many other ways. I'm not advocating one particular way, just proving what's possible.

    "No, with a 100% paper based election you never have to reveal whom you intend to vote for. It's only when you have an electronic machine that you have to show what you did, and thus reveal who you intended to vote for, to prove they're not working right."

    Nonsense. You simply have to prove that *SOME* *VOTER* did something.

    In any event, this is true of *every* voting system known. Consider the traditional paper scheme. You vote for Al Gore. It prints out "George W. Bush". You push "cancel". It drops the vote in the box. Now what?

    Again, I'm saying cryptographic schemes can provide the same assurances the "drop paper in a box" system can. Not that it can get you into the polls if armed KKK protestors won't let you in.

    "Again, good for you if you can read barcodes but I (and >99% of the population) can't. So I would have no way to know if the barcode says 'Candidate X' or 'Candidate Y', so if the barcode is the authoritative piece of information the receipt means nothing to me. And if the barcode is not authoritative then there's no point for it being there in the first place."

    There are numerous obvious solutions to this. First, if the barcode doesn't match the text, you have absolute proof of that with the piece of paper. Everyone would know this was happening immediately. The point is to be able to know if the system is being tampered with, and you would know this.

    Another solution is a barcode reader outside the polling place. Any church group, civics group, or whatever can provide them. If a voter wants to verify any receipt, they can do that right there.

  21. Re:What do you expect ? on Paper Trails Don't Ensure Accurate E-Voting Totals · · Score: 1

    "There is one significant problem, if there is a tally somewhere with votes tied to voters, anonymity is lost. It is either possible to verify my vote to my voter id -- or -- it is possible for a malicious hack to the machine to count my vote to the wrong candidate and give me incorrect verification."

    There is nowhere a tally with votes tied to voters. There is a tally with votes tied to vote IDs, but each vote ID is randomly generated just as the ballot is cast. Nobody is with you in the voting booth.

  22. Re:What do you expect ? on Paper Trails Don't Ensure Accurate E-Voting Totals · · Score: 1

    "So, assuming what you say above is right for a minute, I would say, just print a paper ballot along with the paper receipt providing cryptographic proof that the voter ID you were shown in step 1 voted for the candidate you chose. And you optional receipts... no optional ballots..."

    Sure, you could ask me to do that, but you would have no way of knowing whether I complied or not. You don't know what voter ID I was shown in step 1 since you're not allowed into the voting booth with me.

  23. Re:What do you expect ? on Paper Trails Don't Ensure Accurate E-Voting Totals · · Score: 2, Interesting

    'There's a lot of resistance to any idea that would allow a voter to prove who he voted for since that could be used to blackmail people into voting a certain way (e.g. "anyone who didn't vote for Bush gets fired!").'

    Right, that's why nobody's suggesting that. None of the proposed schemes make it possible to determine who a voter voted for without that voter's cooperation. With that voter's cooperation, he can simply tell you. None of them make it possible for a voter to *prove* that he voted a particular way.

    A common mistake is to assume that "voting receipt" must make it possible to prove how any given voter voted. This is true if and only if the receipt contains two items of information:
    1) Who voted.
    2) How they voted.

    Nobody is suggesting any kind of receipt that contains both of these pieces of information. The scheme I proposed above contains how the vote was cast but as for the "who voted" part, it contains only an identifier that is randomly chosen by the voting machine and that cannot be provably associated with any particular voter.

    (And note that that proposed scheme above was not intended to be a practical scheme. It was just intended to prove specific points. For example, it proves that you can provide receipts that allow a voter to prove to themselves and those with whom they cooperate that their vote was counted but not be coerced into voting a particular way. It proves that a cryptographic scheme can provide certain types of assurances that many think such scheme cannot provide. And so on. It's not suggested as an actual practical scheme.)

  24. Re:They're full of shit... on Paper Trails Don't Ensure Accurate E-Voting Totals · · Score: 1

    "And if you decide to always trust, say, the paper total over the electronic total when they diverge, what is the real value of the electronic total?"

    The idea is that 90% of the time, you trust the electronic total. But if the election is really close or some results are suspicious, you can fall back on the paper total (which you don't bother to create otherwise).

    If you ever do discover a discrepancy between the two totals, you investigate it carefully. You also audit some percentage of the electronic totals by computing paper totals. If you catch a discrepancy, you investigate.

    Generally, you will know if results are suspicious. Generally, the vast majority of results will not be suspicious.

    The point of the paper is so that if there's any question about any subset of the votes, they can be validated. The purpose of the machine total is to save money and provide quicker results that are almost always going to be correct. The harm of a bogus initial result is much less if it can be shown to be bogus soon after.

    By the way, while I am a firm believer that cryptographic voting systems can eventually provide the same assurances paper trails can and then some, I do agree that of all the current proposed and available voting schemes, this one is probably the best.

    It has no known flaws. It is cheap and simple to implement. It makes vote-tampering significantly harder than all other systems currently in use.

  25. Re:What do you expect ? on Paper Trails Don't Ensure Accurate E-Voting Totals · · Score: 2, Insightful

    "1) Good luck finding a writing instrument, how many times have you gone to the post office, bank, etc. where you need a pen to fill out a form and could actually find a pen? :) Besides you are giving them a printout why not print it on there."

    This is not really essential. It's just to protect against a tampered voting machine that basically doesn't record your vote at all. Even paper trails have this same limitation -- if a voter doesn't *look* at the paper, it does no good.

    "3) How would that printout prove anything on how your vote is recorded, if you really wanted to mess up the machine you would display the correct results and record the wrong. If I wanted to add votes the old ways are still the best ways; get the dead to vote."

    If the machine displays the correct results but records it wrong, it has to do one of two things:
    1) Provide correct cryptographic proof, in which case the voting machine will have to turn in two votes for every one that goes in. A paper printer can do this too and it would be just as easy to detect.
    2) Provide incorrect cryptographic proof, in which case the first poll monitor to get an invalid receipt would immediately know that this is happening.

    There may be better ways to handle this. I don't recall in detail.

    "4) The giving of extra papers does nothing, except cause a whole bunch of extra receipts to be floating around. If I was forcing/bribing someone to vote my way I would just use early or mail voting and not worry about it; what states do not provide mail in absentee voting for any reason?"

    This doesn't affect the choice of in-person voting methods, so it's not an objection or advantage of either system. I do agree that mail in voting and internet voting present problems that are much harder to solve than these.

    "5) If you cannot verify what the vote was for what are you adding? Again if I am changing votes in the software I would print out everything as correct and record the vote the way I want it to be."

    Then there would be two votes going out for every one going in. The machine would have to do one of two things:
    1) Not pass on the votes it printed receipts for. In which case the first poll monitor to see a receipt not in the pass on list would know this was going on.
    2) Pass on both votes, in which case the first poll monitor to check the counts would see this.

    "6) The problem here is you are giving outside people access to the list of voters, even though it is just a random ID assigned to that person."

    How is giving outside people a list of random numbers harmful?

    "How would you keep that bar code reader up to date with the latest people who voted, wireless, rotating the readers in/out, have them connected to a network? That is a whole bunch of technology that someone would need to setup and manage. Also the main place you would want to check is after all the votes have been turned into the central location. You would be better off with systems like the blood banks use where you can call a number, enter a private key and get the results."

    You can certainly output the votes wirelessly or use other kinds of ways to make the voting information either publicly available or available to monitors from various agencies. This is already done in most current voting systems. I agree that the type of voting system I'm discussing is not easy to implement.

    Maybe you're missing the point. I'm not saying "here's the best voting system ever, let's use this". I'm saying: Here's a voting system that demonstrates a lot of things that people may not realize. For example, it shows that a cryptographic voting system can provide the same assurances a paper trail does. Here's a system that provides voter receipts so voters can be sure their votes are counted but doesn't make it possible to tell how any particular person voted.

    So I am saying, your assumptions about voting are broken. If you want to be able to judge voting systems competently, the first thing you have to do is figure out w