Re: voting

[David Jablon]

David Jablon wrote:
 [...] Where is the privacy problem with
 Chaum receipts when Ed and others still have the freedom to refuse
 theirs or throw them away?

At 11:43 AM 4/16/04 -0700, Ed Gerck wrote:
The privacy, coercion, intimidation, vote selling and election integrity
problems begin with giving away a receipt that is linkable to a ballot. 

These problems begin elsewhere.  Whether a receipt would add any
new problem depends on further analysis.

It is not relevant to the security problem whether a voter may destroy 
his receipt, so that some receipts may disappear. What is relevant is 
that voters may HAVE to keep their receipt or... suffer retaliation...
not get paid... lose their jobs... not get a promotion... etc. Also
relevant is that voters may WANT to keep their receipts, for the same
reasons.

These are all relevant issues, and the system needs to be considered
as a whole.

The threat of coercion is present regardless of whether there's a
system-provided receipt, linkable, anonymous, or none. For example,
I might be told that after I vote I'll come face-to-face with a thug around
the corner, who will ask who I voted for, and who has a knack for
spotting liars. Or I may be told there's a secret camera in the booth.
Or I may think I'm at risk in simply showing up to vote, due to my public
party affiliation records, physical appearance, etc.

These issues must be addressed, and these concerns show that the
integrity of receipt validation must be ensured to at least the same
degree as the integrity of vote casting.  But *absolute* voter privacy
seems like an unobtainable goal, and it should not be used to trump
other important goals, like accountability.

-- David

Re: voting

[Ed Gerck]

David Jablon wrote:

 ... *absolute* voter privacy
 seems like an unobtainable goal, and it should not be used to trump
 other important goals, like accountability.

But it IS assured today by paper ballots. Nothing less should be
accepted in electronic systems, otherwise new, easy and silent
fraud modes become possible. Coercion and vote selling are just
the most obvious.

Ed Gerck

Re: voting

[Ed Gerck]

Yeoh Yiu wrote:
 
 Ed Gerck [EMAIL PROTECTED] writes:
 
  The 'second law' also takes precedence: ballots are always secret, only
  vote totals are known and are known only after the election ends.
 
 You get totals per nation, per state, per county, per riding,
 per precinct, per polling stion and maybe per ballot box.

The lowest possible totals are per race, per ballot box. The 
'second law' allows you to have such totals -- which are 
the election results for that race in that ballot box. For 
example, if there are two candidates (X and Y) in race A ,
two candidates (Z and W) in race B, and only one vote per 
candidate is allowed in each race, the election results for 
ballot box K might be:

Vote totals for race A in ballot box K:
  Votes for candidate X:  5
  Votes for candidate Y: 60
  Blank votes:   50

Vote totals for race B in ballot box K:
  Votes for candidate Z: 45
  Votes for candidate W: 50
  Blank votes:   20

Total ballots in ballot box K:  115

Because only the vote totals are known for each race, a 
voter cannot be identified by recognizing a pre-defined, 
unlikely voting pattern in each race of a ballot. This 
exemplifies one reason why we need the 'second law' -- to 
preserve unlinkability between ballots and voters.

 So there's a need to design the system to have more voters
 than ballot boxes to conform to your second law.

No. All you need is that there should be more than one voter
per ballot box. This is a rather trivial requirement to meet.

Cheers,
Ed Gerck

Re: voting

[Yeoh Yiu]

Ed Gerck [EMAIL PROTECTED] writes:

 David Jablon wrote:
  

 The 'second law' also takes precedence: ballots are always secret, only
 vote totals are known and are known only after the election ends.
 
  What I see in serious
  voting system research efforts are attempts to build systems that
  provide both accountability and privacy, with minimal tradeoffs.
 
 There is no tradeoff prossible for voter privacy and ballot secrecy.
 Take away one of them and the voting process is no longer a valid
 measure. Serious voting system research efforts do not begin by
 denying the requirements.

You get totals per nation, per state, per county, per riding,
per precinct, per polling stion and maybe per ballot box.
So there's a need to design the system to have more voters
than ballot boxes to conform to your second law.

RE: voting

[Trei, Peter]

 Ed Gerck[SMTP:[EMAIL PROTECTED]
 
 John Kelsey wrote:
  
  At 11:05 AM 4/9/04 -0400, Trei, Peter wrote:
  
  1. The use of receipts which a voter takes from the voting place to
 'verify'
  that their vote was correctly included in the total opens the way for
 voter
  coercion.
  
  I think the VoteHere scheme and David Chaum's scheme both claim to solve
  this problem.  The voting machine gives you a receipt that convinces you
  (based on other information you get) that your vote was counted as cast,
  but which doesn't leak any information at all about who you voted for to
  anyone else.  Anyone can take that receipt, and prove to themselves that
  your vote was counted (if it was) or was not counted (if it wasn't). 
 
 The flaw in *both* cases is that it reduces the level of privacy
 protection
 currently provided by paper ballots.
 
 Currently, voter privacy is absolute in the US and does not depend
 even on the will of the courts. For example,  there is no way for a
 judge to assure that a voter under oath is telling the truth about how
 they voted, or not. This effectively protects the secrecy of the ballot
 and prevents coercion and intimidation in all cases.
 
 
I'd pretty much dropped this topic after it became clear that Mr. Leichter's
only response to the problems that people pointed out in VoteHere's
scheme (in particular, its vulnerability to vote coercion, and lack of
recountability) was to attempt to redefine them as non-problems. 
However, since the topic has arisen again.

Ed's got a very good point. I always prefer security which relies for
its integrity on the laws of nature, rather than on people behaving
with integrity.

Peter Trei

Re: voting

[Ed Gerck]

David Jablon wrote:
 
 I think Ed's criticism is off-target.  Where is the privacy problem with
 Chaum receipts when Ed and others still have the freedom to refuse
 theirs or throw them away?

The privacy, coercion, intimidation, vote selling and election integrity
problems begin with giving away a receipt that is linkable to a ballot. 

It is not relevant to the security problem whether a voter may destroy 
his receipt, so that some receipts may disappear. What is relevant is 
that voters may HAVE to keep their receipt or... suffer retaliation...
not get paid... lose their jobs... not get a promotion... etc. Also
relevant is that voters may WANT to keep their receipts, for the same
reasons.

 It seems a legitimate priority for a voting system to be designed to
 assure voters that the system is working. 

As long as this does not go against the 'first law' for public voting 
systems: voters must not be linkable to ballots.

The 'second law' also takes precedence: ballots are always secret, only
vote totals are known and are known only after the election ends.

 What I see in serious
 voting system research efforts are attempts to build systems that
 provide both accountability and privacy, with minimal tradeoffs.

There is no tradeoff prossible for voter privacy and ballot secrecy.
Take away one of them and the voting process is no longer a valid
measure. Serious voting system research efforts do not begin by
denying the requirements.

 If some kind of tradeoff between accountability and privacy is inevitable,

There is no such principle.

 in an extreme scenario, I'd still prefer the option to make the tradeoff for
 myself, rather than have the system automatically choose for me.

You don't have this option when the public at large is considered, for
a public election. You can do it in a private election for a club,
for example, but even then only if the bylaws allow it.

Cheers,
Ed Gerck

Re: voting

[David Jablon]

I think Ed's criticism is off-target.  Where is the privacy problem with
Chaum receipts when Ed and others still have the freedom to refuse
theirs or throw them away?

It seems a legitimate priority for a voting system to be designed to
assure voters that the system is working.  What I see in serious
voting system research efforts are attempts to build systems that
provide both accountability and privacy, with minimal tradeoffs.

If some kind of tradeoff between accountability and privacy is inevitable,
in an extreme scenario, I'd still prefer the option to make the tradeoff for
myself, rather than have the system automatically choose for me.

-- David


 At 11:05 AM 4/9/04 -0400, Trei, Peter wrote:
 
 1. The use of receipts which a voter takes from the voting place to 'verify'
 that their vote was correctly included in the total opens the way for voter
 coercion.

John Kelsey wrote:
 I think the VoteHere scheme and David Chaum's scheme both claim to solve
 this problem.  The voting machine gives you a receipt that convinces you
 (based on other information you get) that your vote was counted as cast,
 but which doesn't leak any information at all about who you voted for to
 anyone else.  Anyone can take that receipt, and prove to themselves that
 your vote was counted (if it was) or was not counted (if it wasn't). 

At 06:58 PM 4/15/04 -0700, Ed Gerck wrote:
The flaw in *both* cases is that it reduces the level of privacy protection
currently provided by paper ballots.

Currently, voter privacy is absolute in the US and does not depend
even on the will of the courts. For example,  there is no way for a
judge to assure that a voter under oath is telling the truth about how
they voted, or not. This effectively protects the secrecy of the ballot
and prevents coercion and intimidation in all cases.

RE: voting

[Jerrold Leichter]

|  Currently, voter privacy is absolute in the US and does not depend
|  even on the will of the courts. For example,  there is no way for a
|  judge to assure that a voter under oath is telling the truth about how
|  they voted, or not. This effectively protects the secrecy of the ballot
|  and prevents coercion and intimidation in all cases.
| 
| 
| I'd pretty much dropped this topic after it became clear that Mr. Leichter's
| only response to the problems that people pointed out in VoteHere's
| scheme (in particular, its vulnerability to vote coercion, and lack of
| recountability) was to attempt to redefine them as non-problems.
I did nothing of the sort.  With respect to voter coercion, I did raise the
question of how absolute a value it was.  Since mathematics tends to provide
clearcut yes/no answers, we tend to insist on them in the real world, too -
but the real world is rarely so simple.

I also pointed out that voter coercion could be dealt with within VoteHere's
framework by trading it off against the vote verifiability which is the new
feature they bring to the table (by only giving some fraction of voters a
receipt).

I didn't mention recountability.  VoteHere's method is equivalent to everyone
else's here:  Keep unalterable logs of data as close to the vote as possible.
But

| However, since the topic has arisen again.
|
| Ed's got a very good point. I always prefer security which relies for
| its integrity on the laws of nature, rather than on people behaving
| with integrity.
This basically doesn't exist in systems today.  Consider paper ballots: How do
you guarantee that the ballots are adequately shuffled?  If they aren't,
anyone keeping track of the order that voters cast ballots might be able to
come up with a reasonably accurate assignment of ballots to voters. This
problem applies to many related systems.  Consider the paper under glass
proposals for recounting:  The obvious way to do that is is to print onto a
roll of paper and just wind it up on a roll after printing.  But that's really
bad, because it *guarantees* the ordering.  Are those calling for such systems
ensuring that the vendors who provide them actually cut apart the individual
records?  Even if they do that, how are they guaranteeing an adequate shuffle
of those records?  Just dropping them into a big box is terrible; certainly,
those who vote very early or very late get very little privacy.

Interestingly enough, proper shuffling of the votes is very much a central
concern of systems like VoteHere's!

The only system that by the laws of nature avoids this kind of attack is
the mechanical voting machine, which inherently only stores vote totals, not
individual votes.  But these are big, complicated machines.  Why should you
trust that the totals are kept correctly?  How could you check?  How many
people in the world have the competence to examine the mechanical details of
such a device?  How does that compare to the number of programmers who can
examine C code?  Is there really all that much of a difference between the
complexity/verifiability of such a machine, and of a programmed box where
*all* the code, including the compilers and other tools, is publically
available?  Yes, I know all about the attack in Dennis Ritchie's ACM paper.
But this, too, can be defended against by checking the generated code - or
pretty much prevented by using a compiler that was in existence before the
software development began.  In any case, these days, the mechanical systems
could be compromised by what is an analogous attack (of going to a different
level of abstraction):  Sure, that *looks* like a solid brass 50-tooth gear,
but maybe there's a tiny motor embedded inside that makes it act in a very
non-classical fashion under radio control
-- Jerry

RE: voting

[John Kelsey]

At 11:05 AM 4/9/04 -0400, Trei, Peter wrote:
..
1. The use of receipts which a voter takes from the voting place to 'verify'
that their vote was correctly included in the total opens the way for voter
coercion.
I think the VoteHere scheme and David Chaum's scheme both claim to solve 
this problem.  The voting machine gives you a receipt that convinces you 
(based on other information you get) that your vote was counted as cast, 
but which doesn't leak any information at all about who you voted for to 
anyone else.  Anyone can take that receipt, and prove to themselves that 
your vote was counted (if it was) or was not counted (if it wasn't).  (This 
is based on attending a presentation of David's scheme at George Washington 
a few months ago, a conversation I had with a VoteHere guy, and some 
conversations and documents given to me by each.  I haven't tried to verify 
the protocols or proofs, but I'm convinced that all this is possible, 
modulo various assumptions.  There may be a dozen other people doing 
similar things, that I've simply not heard of.)

..
1. How does this system prevent voter coercion, while still allowing receipt
based recounts? Or do you have some mechanism by which I can
personally verify every vote which went into the total, to make sure they
are correct?
The way I understood these schemes, you can see the initial encrypted 
ballots (they're published), and then there are several rounds of 
publically verifiable shuffling and decryption by different TTPs.  After 
the last round of shuffling and decryption, you have raw votes.  So anyone 
can verify the count, assuming the set of initial encrypted ballots are 
legitimate.  And anyone can produce a receipt that can be shown to be one 
of those encrypted ballots, if it was counted.  That doesn't keep someone 
from stuffing the ballot box, but it does mean that anyone who throws away 
unfavorable votes is going to leave behind evidence, which can potentially 
call the whole vote into question.  The way I saw these schemes described, 
there was no recount capability, but the count was done in a completely 
public way.

It seems to me that this kind of scheme has a lot of potential for 
disruption attacks, since one compromised voting machine can be used to 
call any election into question.  But I could be missing something, as this 
is really not something I've spent a lot of time on

2. On what basis do you think the average voter should trust this system,
seeing as it's based on mechanisms he or she cant personally verify?
I see your point, but there's an awful lot of any voting system that isn't 
being closely observed by the voters, or that isn't really well-understood 
by most of them.  It's not so clear to me that the average voter is going 
to walk away convinced that a voter-verified paper ballot, or a mark-sense 
ballot, or whatever other thing isn't going to somehow be subject to 
attack.  Or that if they do walk away convinced, that this has much to do 
with whether they *should* walk away convinced.

3. What chain of events do I have to beleive to trust that the code which
is running in the machine is actually and correctly derived from the
source code I've audited? I refer you to Ken Thompsons classic paper
Reflections on trusting trust, as well as the recent Diebold debacle
with uncertified patches being loaded into the machine at the
last moment.
Yep, this is a big issue.  Which is why I think everyone with any sense 
agrees that we need some kind of independent audit trail, regardless of 
whether we're doing voting with computers, or with pens for punching out 
holes.  There are a bunch of ways to do this, one obvious and pretty 
easy-to-field choice being voter-verified paper ballots.

This last is an important point - there is no way you can eliminate the
requirement of election officials to behave legitimately. Since that
requirement can't be done away with by technology, adding technology
only adds more places the system can be compromised.
Huh?  Do you think the same is true of payment systems?  Those also 
ultimately require some humans to play by the rules, but it sure seems like 
a well-designed payment system can remove a lot of the ambiguity about who 
has violated the rules, and can outright prevent other kinds of rule 
violations.  And it seems to me that this is very similar to the situation 
with voting.

Touch screen voting (with the audio extensions) has at least one huge 
advantage over pen-and-paper schemes, because blind people can vote with 
them.  The VoteHere and Chaum schemes provide other benefits (a lot of 
kinds of misbehavior by the authorities are prevented by the design, though 
of course, not *all* possible misbehavior), at various costs in system 
complexity, dependence on lots of interacting systems that might not be all 
that reliable, ability to recover from some low level of fraud, etc.  Paper 
ballots printed behind glass provide a different set of tradeoffs.  And you 
could design 

RE: voting

[Bill Frantz]

One area we are not addressing in voting security is absentee ballots.  The
use of absentee ballots is rising in US elections, and is even being
advocated as a way for individuals to get a printed ballot in jurisdictions
which use electronic-only voting machines.  Political parties are
encouraging their supporters to vote absentee.  I believe that one election
in Oregon was recently held entirely with absentee ballots.

For classic polling place elections, one strength of an electronic system
which prints paper ballots is that there are two separate paths for the
counts.  The machine can keep its own totals and report them at the end of
the election.  These totals can then be compared with the totals generated
for that precinct by counting the paper ballots.  This redundancy seems to
me to provide higher security than either system alone.

Cheers - Bill


-
Bill Frantz| There's nothing so clear as a | Periwinkle
(408)356-8506  | vague idea you haven't written | 16345 Englewood Ave
www.pwpconsult.com | down yet. -- Dean Tribble | Los Gatos, CA 95032

Re: voting

[Ed Gerck]

John Kelsey wrote:
 
 At 11:05 AM 4/9/04 -0400, Trei, Peter wrote:
 
 1. The use of receipts which a voter takes from the voting place to 'verify'
 that their vote was correctly included in the total opens the way for voter
 coercion.
 
 I think the VoteHere scheme and David Chaum's scheme both claim to solve
 this problem.  The voting machine gives you a receipt that convinces you
 (based on other information you get) that your vote was counted as cast,
 but which doesn't leak any information at all about who you voted for to
 anyone else.  Anyone can take that receipt, and prove to themselves that
 your vote was counted (if it was) or was not counted (if it wasn't). 

The flaw in *both* cases is that it reduces the level of privacy protection
currently provided by paper ballots.

Currently, voter privacy is absolute in the US and does not depend
even on the will of the courts. For example,  there is no way for a
judge to assure that a voter under oath is telling the truth about how
they voted, or not. This effectively protects the secrecy of the ballot
and prevents coercion and intimidation in all cases.

Thus, while the assertion that Only if all the trustees collude can
the election be defrauded may seem to be reasonable at first glance, it
fails to protect the system in the case of a court order -- when all the
trustees are ordered to disclose whatever they know and control.

Also, the assertion that All of this is possible while still m
aintaining voter secrecy and privacy essential to all public elections 
is incorrect, for the same reason.

Moreover, the assertion that Vote receipts cannot be used for vote 
selling or to coerce your vote is also incorrect, for the same reason.

These shortcomings do not depend on any specific flaw of a shuffling
process, a TTP, or any other component of either system. Rather, it is 
a design flaw. A new election system should do no harm -- reducing the 
level of voter privacy and ballot secrecy should not be an acceptable 
trade-off for changing from paper to electronic records, or even
electronic verification.

Court challenges are a real scenario that election officials talk about 
and want to avoid. Without making voter privacy inherently safe from court
orders, voter privacy and ballot secrecy are at the mercy of casuistic, 
political and corruption influences -- either real or potential. When the 
stakes are high, we need fail-safe procedures.

Now, you may ask, is there any realistic possibility of a court order 
for all trustees to reveal their keys?

Yes, especially in a hot and contested election -- and not only Bush vs.
Gore. Many local elections are very close and last year an election
in California was decided by *one* vote. 

For example, the California Secretary of State asked this as an 
evaluation question, when they were testing voting systems for the 2000 
Shadow Election Project.

The question was whether and to what extent the voting system could be 
broken under court order  – for example, if some unqualified voters 
were wrongly allowed to vote in a tight election and there would be a 
court order to seek out and disqualify their votes under best efforts.

Perhaps a trustee could be chosen who would be immune even from a US
court order?

Well, not for a US election, which is 100% under state and/or federal 
jurisdiction.

But there are additional scenarios -- a bug, Trojan horse, worm and/or 
virus that infects the systems used by all trustees would also 
compromise voter secrecy and, thereby, election integrity.

Cheers,
Ed Gerck

Re: voting, KISS, etc. ( social bias)

[Major Variola (ret)]

Perry I agree with you on all *except* that you are prejudiced
against folks who are not mobile, have immobile dependants, are busy
or agoraphobes.

In-person voting doesn't resist graveyard voting much better than
lining up the meat.
One could say that in-person voting rewards those too lazy or careless
with their time
to request absentee status.

Home voting is important to keep participation high.  I believe 25%
of the Calif governor votes were absentee.   Participation is nominally
a figure of merit for elections.

And the voter authentication is the weakest I know of: to register you
submit a name, signature, and address.  To vote, you submit
same.  Nothing prevents graveyard registration except the law.

Why is this relevent?  Because you have to consider threat models.
Spousal coercion  vote buying is one, well-addressed in this thread.
So are tech-implementation and social-trust issues.

Snipers or bombers at polling places is another, ignored because
we're all modern westerners.  Rain and immobility have only been
touched on because most of us can drive and walk.

Voting from home should be *encouraged* and it should use
paper as the transport, not computers.  (The paper being kept
by the counters not the voters.)  Which is how it should
be at the in-person polls.

Again, keeping tech away is good, fighting coercion is good, but
don't argue against absentee voting.  In fact, absentee voting
(vs. tech in the polling booth) is a good *example* of how to
keep things simple and resistant to many (eg tech-enabled) attacks.

At 12:46 PM 4/9/04 -0400, Perry E. Metzger wrote:

I'm especially scared about mechanisms that let people vote at home
and such. Lots of people seem to think that the five minute trip to
the polling place is what is preventing people from voting, and they
want to let people vote from their computers. Lets ignore the question
of whether it is important that the people who can't be bothered to
spend ten minutes going to the polling place care enough about the
election to be voting anyway. Lets also ignore the totally unimportant
question of vote buying -- vote buying has happened plenty of times
over the centuries without any need for the purchaser to verify that
the vote was cast as promised. Tammany Hall did not need to watch
people's votes to run a political machine.

I'm much more concerned that we may be automating the graveyard
vote, which is currently kept in check by the need to personally
appear at polling places. I'm also concerned about the forms of fraud
I haven't even considered yet because no one has invented them yet.
Election security isn't just about assuring that votes are correctly
counted.

RE: voting

[Jerrold Leichter]

|   privacy wrote:
|   [good points about weaknesses in adversarial system deleted]
|
|  It's baffling that security experts today are clinging to the outmoded
|  and insecure paper voting systems of the past, where evidence of fraud,
|  error and incompetence is overwhelming.  Cryptographic voting protocols
|  have been in development for 20 years, and there are dozens of proposals
|  in the literature with various characteristics in terms of scalability,
|  security and privacy.  The votehere.net scheme uses advanced cryptographic
|  techniques including zero knowledge proofs and verifiable remixing,
|  the same method that might be used in next generation anonymous remailers.
| 
| Our anonymous corrospondent has not addressed the issues I raised in my
| initial post on the 7th:
|
| 1. The use of receipts which a voter takes from the voting place to 'verify'
| that their vote was correctly included in the total opens the way for voter
| coercion.
|
| 2. The proposed fix - a blizzard of decoy receipts - makes recounts based
| on the receipts impossible.
The VoteHere system is really quite clever, and you're attacking it for not
being the same as everything that went before.

Current systems - whether paper, machine, or whatever - provide no inherent
assurance that the vote you cast is the one that got counted.  Ballot boxes
can be lost, their contents can be replaced; machines can be rigged.  We
use procedural mechanisms to try to prevent such attacks.  It's impossible to
know how effective they are:  We have no real way to measure the effectiveness,
since there is no independent check on what they are controlling.  There are
regular allegations of all kinds of abuses, poll watchers or no.  And there
are plenty of suspect results.

| Answer this:
|
| 1. How does this system prevent voter coercion, while still allowing receipt
| based recounts?
a)  Receipts in the VoteHere system are *not* used for recounts.  No receipt
that a user takes away can possibly be used for that - the chances of you being
able to recover even half the receipts a day after the election are probably
about nil.  Receipts play exactly one role:  They allow a voter who wishes to
to confirm that his vote actually was tallied.

b)  We've raised prevention of voter coercion on some kind of pedestal.
The fact is, I doubt it plays much of a real role.  If someone wants to coerce
voters, they'll use the kind of goons who collect on gambling debts to do it.
The vast majority of people who they try to coerce will be too frightened to
even think about trying to fool them - and if they do try, will lie so
unconvincingly that they'll get beaten up anyway.  Political parties that want
to play games regularly bring busloads of people to polling places.  They
don't check how the people they bus in vote - they don't need to.  They know
who to pick.

However, if this really bothers you, a system like this lets you trade off
non-coercion and checkability:  When you enter the polling place, you draw a
random ball - say, using one of those machines they use for lotteries.  If the
ball is red, you get a receipt; if it's blue, the receipt is retained in a
sealed box (where it's useless to anyone except as some kind of cross-check of
number of votes cast, etc.)  No one but you gets to see the color of the ball.
Now, even if you are being coerced and get a red ball, you can simply discard
the receipt - the polling place should have a secure, private receptacle; or
maybe you can even push a button on the machine that says Pretend I got a
blue ball - and claim you got a blue ball.  The fraction of red and blue
balls is adjustable, depending on how you choose to value checkability vs.
non-coercion.

| Or do you have some mechanism by which I can
| personally verify every vote which went into the total, to make sure they
| are correct?
In VoteHere's system, you can't possibly verify that every vote that went into
the total was correctly handled.  You can verify that the votes *that the
system claims were recorded* are actually counted correctly.  And you can
verify that *your* vote was actually recorded as you cast it - something you
can't do today.  The point of the system is that any manipulation is likely to
hit someone who chooses to verify their vote, sooner or later - and it only
takes one such detected manipulation to start an inquiry.

Whether in practice people want this enough to take the trouble ... we'll have
to wait and see.

| 2. On what basis do you think the average voter should trust this system,
| seeing as it's based on mechanisms he or she cant personally verify?
On what basis should an average voter trust today's systems?  How many people
have any idea what safeguards are currently used?  How many have any personal
contact with the poll watchers on whom the system relies?  Could *you* verify,
in any meaningful sense, the proper handling of a vote you cast?  Could you
watch the machines/boxes/whatever being handled?  

RE: voting

[Trei, Peter]

privacy wrote:
[good points about weaknesses in adversarial system deleted]

 It's baffling that security experts today are clinging to the outmoded
 and insecure paper voting systems of the past, where evidence of fraud,
 error and incompetence is overwhelming.  Cryptographic voting protocols
 have been in development for 20 years, and there are dozens of proposals
 in the literature with various characteristics in terms of scalability,
 security and privacy.  The votehere.net scheme uses advanced cryptographic
 techniques including zero knowledge proofs and verifiable remixing,
 the same method that might be used in next generation anonymous remailers.
 
Our anonymous corrospondent has not addressed the issues I raised in my 
initial post on the 7th:

1. The use of receipts which a voter takes from the voting place to 'verify'
that
their vote was correctly included in the total opens the way for voter
coercion.

2. The proposed fix - a blizzard of decoy receipts - makes recounts based
on the receipts impossible.

 Given that so many jurisdictions are moving towards electronic voting
 machines, this is a perfect opportunity to introduce mathematical
 protections instead of relying so heavily on human beings.  I would
 encourage observers on these lists to familiarize themselves with the
 cryptographic literature and the heavily technical protocol details
 at http://www.votehere.com/documents.html before passing judgement on
 these technologies.
 
Asking the readers of this list to 'familiarize themselves with the
cryptographic
literature', is, in many cases,  a little like telling Tiger Woods that he 
needs to familiarize himself with the rules of golf. We know the 'advanced 
cryptographic techniques' you refer to. We also know what their limitations
- 
what they can and cannot do. This is not the appropriate forum to try to say

trust me.

Answer this:

1. How does this system prevent voter coercion, while still allowing receipt
based recounts? Or do you have some mechanism by which I can
personally verify every vote which went into the total, to make sure they
are correct?

2. On what basis do you think the average voter should trust this system,
seeing as it's based on mechanisms he or she cant personally verify?

3. What chain of events do I have to beleive to trust that the code which
is running in the machine is actually and correctly derived from the 
source code I've audited? I refer you to Ken Thompsons classic paper 
Reflections on trusting trust, as well as the recent Diebold debacle
with uncertified patches being loaded into the machine at the 
last moment.

This last is an important point - there is no way you can eliminate the
requirement of election officials to behave legitimately. Since that
requirement can't be done away with by technology, adding technology
only adds more places the system can be compromised.

Based on the tone of this letter, I'd hazard a guess that 'privacy' has a
vested interest in VoteHere. If this true, it's a little odd that they are
willing to expose their source code, but not their name. We don't
bite, unless the victim deserves it :-) Opening your source is an
admirable first step - why not step out of the shadows so we can
help you make your system better?

I fear a system which does not have a backup mechanism that the
average voter can understand. While it's true that non-electronic
systems are subject to compromise, so are electronic ones, 
regardless of their use of ZK proofs, or 'advanced cryptographic
techniques.

I do think electronic voting machines are coming, and a good
thing. But they should be promoted on the basis that they 
are easier to use, and fairer in presentation, then are manual
methods. Promoting them on the basis that they are more
secure, and less subject to vote tampering is simply false.

Peter Trei
Cryptoengineer
RSA Security

Disclaimer: The above represents my personal opinions only.

Re: voting

[Major Variola (ret)]

At 11:16 PM 4/8/04 +0200, privacy.at Anonymous Remailer wrote:
In the second place, it fails for elections with more than two parties
running.  The casual reference above to representatives on each
side betrays this error.  Poorly funded third parties cannot provide
representatives as easily as the Republicans and Democrats.  We already

know that the major parties fight to keep third party candidates off
the ballots.  Can we expect them to be vigilant in making sure that
Libertarian and Green votes are counted?

Your points about the weaknesses of adversarial observers are
stimulating,
valid points, but the Reps and Dems *can* count on those votes *not*
being moved
into their de facto adversary's (Dems, Reps, respectively) bin.  And
in practice the fringe votes usually don't matter.  (I vote Lib..)
Its not uncommon for elections to be upheld *even when votes are known
lost* if the margins are sufficient. (It happened in California last
election, human error plus tech.)

Ultimately the adversarial parties are the ones who have to check the
whole process, including any tech that gets used.  And that process
is open to the Libs, etc.

As to your other point, the clever protocols, Perry and other
KISS advocates have a very strong (albeit social) point.  Joe
Sixpack can understand *and test* levers or Hollerith cards
or their optical counterparts.  Good luck getting him to understand
number theory.  It would be better in many estimations to have
even coercible voting than to have Trust Me apply to electing a
government.
(Not that the govt will avoid using that phrase once elected :-)

Re: voting

[privacy.at Anonymous Remailer]

Perry Metzger writes, on his cryptography list:

 By the way, I should mention that an important part of such a system
 is the principle that representatives from the candidates on each side
 get to oversee the entire process, assuring that the ballot boxes
 start empty and stay untampered with all day, and that no one tampers
 with the ballots as they're read. The inspectors also serve to assure
 that the clerks are properly checking who can and can't vote, and can
 do things like hand-recording the final counts from the readers,
 providing a check against the totals reported centrally.

 The adversarial method does wonders for assuring that tampering is
 difficult at all stages of a voting system.

On the contrary, the adversarial method is an extremely *weak* source
of security in a voting system.

In the first place, it fails for primary elections where there are
multiple candidates, all of one party, running for a position.  It's not
unusual to have a dozen candidates or even more in some rare cases (the
California gubernatorial election, while not a primary, had hundreds of
candidates running for one seat).  It is impractical for each candidate
to supply an army of representatives to supervise the voting process,
nor can each polling place accommodate the number of people required.

In the second place, it fails for elections with more than two parties
running.  The casual reference above to representatives on each
side betrays this error.  Poorly funded third parties cannot provide
representatives as easily as the Republicans and Democrats.  We already
know that the major parties fight to keep third party candidates off
the ballots.  Can we expect them to be vigilant in making sure that
Libertarian and Green votes are counted?

In the third place, tampering has to be protected against in each and
every voting precinct.  Any voting station where the voting observers
for one party are lax or incompetent could be identified in advance and
targeted for fraud.  Given that these observers are often elderly and
have limited faculties, such frauds are all too easy to accomplish.

It's baffling that security experts today are clinging to the outmoded
and insecure paper voting systems of the past, where evidence of fraud,
error and incompetence is overwhelming.  Cryptographic voting protocols
have been in development for 20 years, and there are dozens of proposals
in the literature with various characteristics in terms of scalability,
security and privacy.  The votehere.net scheme uses advanced cryptographic
techniques including zero knowledge proofs and verifiable remixing,
the same method that might be used in next generation anonymous remailers.

Given that so many jurisdictions are moving towards electronic voting
machines, this is a perfect opportunity to introduce mathematical
protections instead of relying so heavily on human beings.  I would
encourage observers on these lists to familiarize themselves with the
cryptographic literature and the heavily technical protocol details
at http://www.votehere.com/documents.html before passing judgement on
these technologies.