At 12:39 PM -0400 5/30/2000, Mark A. Herschberg wrote:
>...
>Applied Cryptography by Bruce Schneier lists 6 requirements of voting
>(1996, p. 125):
>
>1) Only authorized voters can vote.
>2) No one can vote more than once.
>3) No one can determine for whom anyone else voted.
>4) No one can dispute anyone else's vote.
>5) No one can change anyone else's vote without being discovered.
>6) Every voter can make sure that his vote has been taken into account
>in the final tabulation.

I would add:

7. The voting process should be simple enough to be used by people 
with minimal education and should in no way discourage legitimate 
voting.

8. (At least in the U.S.) The voting system should not require a 
national ID card or the equivalent.

>
>Very few of these are upheld with any serious security measures.

One notion that people seem to be missing in this discussion is that 
voting procedures in the US generally assume the existence of 
political parties and that the parties have both an interest and the 
means to supervise the elections. The primary security comes from 
allowing representatives of each party to observe every stage in the 
process.

>
>- (2) Where I currently vote (Cambridge, MA), the little old ladies can
>barely figure out who I am.  They also don't require photo IDs.  I could
>have easily taken my roommate's ID and voted for him, too.  (Granted,
>this isn't easy to duplicate, because it depends on who's working the
>voting booth.)

I also vote in Cambridge. The role of the "little old ladies" is to 
insure that no registered name is voted twice and to call out the 
name of each voter so that the poll watchers can verify their 
identity if they wish.  I have never been asked for an ID of any sort.

>
>- (3) Also at my current polling station is a box into which voting
>forms are fed.  The fed forms maintain their order, hence, if you know
>the order of people voting, you can look up their votes.

The ballots are guarded throughout the process, making such a 
correlation difficult.  They are now counted electronically but a few 
years back, when they were counted on paper, the process took place 
in a school gym where anyone could watch. (The actual voting process 
used in Cambridge is regrettably far too complex to explain on a 
cryptography list.)

>- (3) The booths themselves are insecure (someone could install a hidden
>video camera).  (And the computer could record keystrokes.)  This problem
>can be solved by voting from your home.

Again a number of people are watching the polling place at all times, 
including representatives of the political parties if they wish. 
There are 8-12 booths at each of about 45 polling places. This would 
not be so easy to do on a mass scale.

>- (5/6) After you walk out of the polling station, you really have no
>way of knowing if your vote got counted.  It's completely based on trust
>of the system.

You get to see your ballot fed into the ballot box. The boxes are 
guarded throughout the process. The paper ballots are kept and can be 
counted manually if there is a challenge. Ballot boxes are designed 
to be tamper resistant (Not, I suspect, to FIPS 140 tho).

I trusted the older manual process more than I do the present 
electronic voting. I would be even more distrustful of Internet 
voting until I was satisfied that the design was valid, was 
implemented correctly and only validated software was being used. I 
think that is a tall order.


BTW, someone in this thread mentioned Internet voting for corporate 
elections. Proxy Services Inc., which just about every public 
corporation in the US uses, currently allows Internet voting at 
www.proxyvote.com. If you get a paper ballot, you just have to enter 
its control number and proxyvote.com brings up a facsimile of your 
ballot. If you receive voting information by e-mail you also need a 
PIN number. You can request e-mail confirmation if you want. The 
proxyvote.com link is SSL protected.

Arnold Reinhold
