[ale] OT and long: Re: [ale] Is there any way to stop this travesty? -- NO, of course not!

Joseph A. Knapka jknapka at earthlink.net
Sat Aug 24 01:37:41 EDT 2002


mainwizard at vei.net wrote:
> 
> ----- Original Message -----
> From: Joseph A. Knapka
> Sent: 8/23/2002 2:49:06 PM
> To: tis3 at cdc.gov
> Cc: ale at ale.org
> Subject: Re: [ale] Is there any way to stop this travesty? -- NO, of  course not!
> 
> > "SanMillan, Todd" wrote:
> > >
> > > The deeper problem with electronic voting is the lack of an audit trail.
> > > See RISKS LIST http://catless.ncl.ac.uk/Risks/21.12.html#subj1.1 for an
> > > intro.  These are all closed source systems that are "self-auditing".
> > > Meaning that once the election results are reported, there is no possibility
> > > of a recount to verify results.  If there are systemic problems, how can you
> > > rely on the system to find and report errors?
> >
> > Gosh, I hope I'm misundertanding what you're saying here.
> >
> > Why would anyone, even a politician, ever -consider- the use
> > of a voting system that didn't permit external
> > auditing of election results? Not only can't you rely on the
> > system to find and report errors, you can't rely on it not to
> > -intentionally introduce- errors in order to push an agenda.
> > Any electronic voting system would have to, at minimum, allow
> > a voter to verify that their vote was recorded properly (without,
> > of course, allowing anyone else to do so), at any time after
> > the vote was cast, IMO.
> >
> > There would still be room for the processing firm to manipulate
> > the results, however, since nothing short of a complete manual
> > count could verify the electronic results, unless further
> > measures were taken to ensure the integrity of the data. I'm
> > not sure what those measures would be, though. The very fact
> > that no one other than the voter should be permitted to
> > find out the mapping between votes and voters places pretty
> > strong limits on how much verification can be done. (Of course,
> > this sort of game can be played with paper ballots as well,
> > but it would be a great deal more effort, and therefore harder
> > to conceal.)
> >
> > -- Joe
> >
> 
> You could combat this by having two machines. The first machine uses a computer to print a paper ballot with the choices selected and then use the standard reader machine to count the ballots. In the case of a dispute, you have a paper ballot to hand count, while ensuring that the choices were properly selected. (circles filled in vice name being circled).

But how do you gaurantee that the paper ballots match what the
voter selected, short of hand-verifying at every stage?
When the voter punches the ballot directly, altering the
count requires complete replacement of a physical
ballot, which is not a particularly easy thing to do (though
I'm sure it has been done). Changing the count with any
electronic scheme is merely a matter of diddling some code,
unless very stringent precautions are taken. I believe that
Bruce Schneier elucidates some secure voting protocols in
"Applied Cryptography", but I'm not sure whether they address
this concern or not...

OK, here it is (Applied Cryptography, 1st ed. p 105):

"Computerized voting will never be used for general elections unless
there
is a protocol that both prevents cheating and maintains individual
privacy. The ideal protocol has, at the very least, these
five characteristics:

1. Only authorized votoers can vote.

2. No one can vote more than once.

3. No one can determine for whom anyone [else] voted.

4. No one can change anyone else's vote without
being discovered.

5. All voters can make sure that their vote has been
taken into account in the final tabulation."

He then discusses a number of voting schemes that
fail on at least one of the five requirements,
and how and why they fail. Finally, he details
a number of schemes that -do- fulfill
the five requirements, and describes in detail
the reasons that the attacks that worked on the
simpler protocols fail to subvert the "good"
ones. He specifically addresses the problem of
subversion by the tabulation authority. The
basic idea is that each voter is assigned a
cryptographically-secure random ID on a per-vote
basis (not a persistent ID like an SSN). The vote
is anonymous, but associated with the voter ID in
a way that is known to the voter but not to the
tabulation authority. Each individual voter can
then verify that his vote was counted correctly
in the final, published tabulation (by ensuring
that his published voter ID matches his published
vote), and furthermore can verify that the
tabulation authority has tabulated all votes
correctly (by tabulating the published votes).
A voter cannot, however, discover how
another voter voted. There is also a provision
to prevent the tabulation authority from
stuffing the ballot box - basically, the list
of voters for the vote is published before the
vote occurs, so provided every voter verifies
his vote, foul play will be immediately
detected. Of course, that's assuming a lot,
but the tabulation authority would be taking
a big risk in changing any votes, since even
if people don't verify their votes, they
*could* do so.

Based on this account, I'm willing to believe
that anonymous, non-subvertible, secure electronic
voting -can- be done.

Cheers,

-- Joe
  "I'd rather chew my leg off than maintain Java code, which
   sucks, 'cause I have a lot of Java code to maintain and
   the leg surgery is starting to get expensive." - Me

---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.






More information about the Ale mailing list