On 02/26/2013 03:49 PM, Joseph Lorenzo Hall wrote:
> (most of the statements I make below can be cited... holler if you want
> some reading.)
> 
> On Tue Feb 26 08:15:54 2013, Ruben Bloemgarten wrote:
>> Irrespective of zombies et al. Voting requires the following basic
>> elements :
>> 1. verifiability when casting the vote, i.e. the voter can see that the
>> vote that is cast will be the vote that is counted. This is not possible
>> without a paper trail which is also a valid vote.
> 
> This is a very complex topic, one that I've worked on for many years and
> was the central theme of my PhD thesis. I think it's important to
> recognize that there are cryptographic voting systems that do verifiable
> paperless voting. With out-of-band secret sharing, it gets most of the
> way to what one would want to see... of course, the client-side malware
> problem and the general problem of unsupervised voting (people voting
> outside of an official location with policies that make sure only one
> person enters the booth, etc.).

I mean verifiable by the voter. Using their eyes. Without a PhD in
cryptography, preferably. "One man. One vote." not "One educated man."
> 
> As a member of the board of directors of the Verified Voting Foundation,
> I should say that currently a paper trail backed by robust
> "risk-limiting audits" is the state-of-the-art for governmental elections.
> 
>> 2. Counting control. Each step of the electoral process has to be
>> transparent for it to be valid. This means that *anyone* is allowed to
>> observe the counting of the votes, *and* is able to understand that
>> counting process. A printout of a result is not sufficient. Don't forget
>> that casting the vote is the least important of the process, counting
>> the votes is.
> 
> This is somewhat of a strawman... there is no way that one individual
> can observe all the steps in an election as complicated as the ones we
> regularly run in the U.S. (the U.S. is very strange compared to most
> other countries in terms of the massive requirements we place on the
> voting process... I would argue for very good public policy reasons).
> This is why the academic literature on these kinds of topics
> increasingly uses cryptographic auditing mechanisms to ensure that once
> a valid ballot enters the system, it can be tracked. (And, believe it or
> not, RFID-based inventory controls can do a lot.)
Not really a strawman. I'm not suggesting that any single individual
will be able to observe every step from each voting office, but that all
steps are legally allowed to be and can practically be observed by a
citizen (a layman), ensuring the likelihood of a significant number of
the vote counting being observed, for instance by the cat-lady from a
few houses down the street. This is the case for the voting legislation
that I do know (the Dutch one), I have no idea what the details of U.S.
electoral law are.

> 
>> 3. Anonymity. There can not be any moment that a vote can be backtracked
>> to the person voting. Again, this can not be based on "trusting a
>> system". In many voting laws this anonymity has to be guaranteed, a
>> guarantee that even with paper ballots is problematic, but is
>> practically impossible in the case of electronic voting.
> 
> I wouldn't agree that it's practically impossible... fancy primitives
> like mix-nets and interactive zero-knowledge proofs have been put to
> good use to come up with some basic assurances of secrecy.
How important is understanding how a person's secrecy is guaranteed to
the person counting on that secrecy? With practically I do mean
practical, I'm sure that it's technically possible to reach a similar
level of secrecy of a paper ballot, but to achieve both actual secrecy
and a common understanding of how that secrecy is guaranteed I would say
is, more likely than not, practically impossible.

> As I think
> you imply, there are fundamental limits... e.g., there are a number of
> small precincts in CA that I'm familiar with where all the cast ballots
> are virtually identical (this is just to underline that there are
> fundamental practical limits on ballot secrecy). 
Yes, quite. It would even be possible to do a massive fingerprint query
of the paper ballots, so there are many scenarios, some more obscure
than others that would break the secrecy of the ballot.
> And, as Josh Benaloh
> from MSR highlighted recently, this can be extended in steps to
> construct pretty interesting ballot secrecy violations (as one example,
> if I vote for candidate B and I see that all other ballots were counted
> for candidate A, I know everyone else's vote with certainty while they
> don't necessarily have the same level of certainty about others' ballots).

> 
>> When we are discussing voting in its function of the backbone of a
>> democratic system, i.e. the moment when we temporarily delegate our
>> individual power to a representative, deciding who will wield the
>> monopoly on violence, there can be no aspect of this process that is
>> based on trust. If ever there was a system which has distrust at its
>> core, it is voting.
> 
> The popular refrain in the field, I believe from Rice's Dan Wallach is:
> "the purpose of voting is to convince the loser they lost."
> 
>> The only way to have any form of electronic voting be reliable is when
>> it is seconded by a re-countable paper copy, which means the choice is
>> between one big central printer distributing paper ballots or lots of
>> little ones printing the ballot on the fly. This excludes online
>> voting completely and makes the entire concept a little silly really.
> 
> I would say paper is necessary (at the moment) but not sufficient...
> meaningful audits are key. And no state in the U.S. is currently doing
> them in a robust manner.
That is a different issue, but I don't see how the absence of meaningful
audits leads to paper being insufficient.
> CA is the only state that has a pilot program
> to study and test practical implementation of "risk limiting audits";
> the idea being that an audit must test the hypothesis "hand-counting all
> ballots will not find enough error to change the outcome of the race."
Why? What's the objection to simply recounting all the votes? Why would
you want a mechanism that prohibits a recount for any reason?
> This is a formalized notion that many of us have worked on for a number
> of years... and, frankly, it's the biggest development in elections *for
> the entire world* in many decades. Here is a great Ars post on this that
> profiles UC Berkeley's Philip Stark, who is the leading mind here:
> 
> http://arstechnica.com/tech-policy/2012/07/saving-american-elections-with-10-sided-dice-one-stats-profs-quest/
> 
>> Apart from a child-like enthusiasm for anything with buttons and shiny
>> lights, can anyone here explain to me what the intended benefits of
>> electronic voting over paper voting would be ?
> 
> Experts in voting distinguish between "electronic voting" --
> computer-mediated vote casting -- and "internet voting" -- adding in
> public networks to the equation.
I would consider the difference moot, but sure.
> Electronic voting is no panacea, but
> most experts would agree (that may not matter to you, I'm not sure) that
> some of the real gains of computer interactivity with voting interfaces
> and the unique pressures of U.S. elections are such that we won't go
> back to completely paper-based elections.
Always wonderful when experts agree that there are gains, can you point
me to what those gains are exactly? Or more interestingly, what do you
think those gains are? I really for the life of me can not think of any.
Also, trust in expert opinions should not be required for an electoral
process.

> Sure, there are some very
> small jurisdictions that do all-paper in the U.S., but they're outliers.
You're not making the argument "everybody does it" are you?

I don't know the statistics for the U.S., but off-hand I know that after
much discussion electronic voting was never implemented in Ireland and
ditched in The Netherlands after 2007.

http://www.environ.ie/en/LocalGovernment/Voting/News/MainBody,20056,en.htm

http://wijvertrouwenstemcomputersniet.nl/English
> 
>> Please note that all of the above only applies to political elections,
>> electronic voting is perfectly fine when voting for the X-factor.
> 
> I would also raise labor union elections... they're different but
> subject to some seriously heavy regulation in the U.S. due to past abuse.
Good point.
> 
> best, Joe
> 
>>
>>
>>
>> On 02/26/2013 01:35 PM, Rich Kulawiec wrote:
>>>
>>> It won't work.  Until the bot/zombie is solved, online voting is
>>> a non-starter, since any election worthy of being stolen can be.
>>> It doesn't matter what you do on the server side: you can construct as
>>> elaborate and clever and secure an infrastructure as you wish...because
>>> on the client side, there is no way to ensure that what the user sees
>>> is what's actually happening.  (After all: it's not *their* computer
>>> any more.  Its new owners can, if they wish, cause a vote for candidate
>>> A to be sent as a vote for candidate B, and they can prevent the user
>>> from knowing that's happened.)
>>>
>>> And given that (a) we're now about a decade into the zombie problem
>>> (b) no significant effort against them has ever been attempted,
>>> let alone completed [1] and (c) the problem is already epidemic and
>>> continues to get worse [2] [3], there is no reason whatsoever to think
>>> it will be mitigated, let alone solved, in the foreseeable future.
>>>
>>> This doesn't just apply to your proposal: it applies to *all* of
>>> them.  Unless you can propose and execute a viable plan for solving
>>> the zombie problem, then whatever you design/build can be undercut
>>> whenever someone chooses to make the effort.  (And provided they're
>>> not foolishly heavy-handed about it, it's unlikely you would be able
>>> to detect this. [4])
>>>
>>> ---rsk
>>>
>>> [1] Botnet "takedowns" are unimportant and irrelevant; their only
>>> purpose is to provide a forum for the spokesliars at Microsoft et al.
>>> to trumpet their prowess while a gullible press and public overlook
>>> that they *created* this problem.  Merely removing C&C networks does
>>> nothing to remediate the individual members of the botnets, which are
>>> still compromised, still vulnerable, and likely to be conscripted into
>>> other botnets before the day is out.
>>>
>>> [2] We're now seeing portable devices zombie'd: phones, tablets, etc.
>>>
>>> [3] Estimates of zombie population vary, of course, but clearly, any
>>> estimate under 100M should be laughed out of the room.  Vint Cerf gave
>>> an estimate of 150M just about six years ago, and based on my own work
>>> as well as that of others in the anti-spam/abuse area, I thought that
>>> was on the high side at the time...but it's most certainly not now.
>>> I think the number's probably in the 200-300M range at this point.
>>> See: http://arstechnica.com/news.ars/post/20070125-8707.html for
>>> Cerf's comments.
>>>
>>> [4] See Schneier's insightful and chilling piece on this here:
>>>
>>>     https://www.schneier.com/crypto-gram-0404.html#4
>>>
>>> That piece should be absolutely mandatory reading for anyone even
>>> considering voting systems.  It not only provides a method for
>>> estimating attacker budgets, but it correctly points out that attackers
>>> quite often could tip the balance of an election by manipulating a
>>> rather small number of votes -- with a corresponding reduction in the
>>> probability that the manipulation will be detected.
>>>
>>> Note that Schneier wrote that in 2004.  If you repeat his analysis
>>> with numbers from the 2012 election cycle you'll end up with *much*
>>> larger attacker budgets.  For example, Schneier says that in 2002,
>>> Congressional candidates raised over 500M.  But
>>>
>>>     https://www.opensecrets.org/news/2012/10/2012-election-spending-will-reach-6.html
>>>
>>> says that in 2012, they spent about $1.82B.
>>>
>>> --
>>> Too many emails? Unsubscribe, change to digest, or change password by 
>>> emailing moderator at compa...@stanford.edu or changing your settings at 
>>> https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>>