Re: Firm invites experts to punch holes in ballot software
On Wed, Apr 07, 2004 at 03:42:47PM -0400, Ian Grigg wrote:
> Trei, Peter wrote:
> > Frankly, the whole online-verification step seems like an unnecessary complication.
>
> It seems to me that the requirement for after-the-vote verification (to prove your vote was counted) clashes rather directly with the requirement to protect voters from coercion (I can't prove I voted in a particular way) or other incentives-based attacks. You can have one, or the other, but not both, right?

Suppose individual ballots weren't usable to verify a vote, but instead confirming data was distributed across 2-3 future ballot receipts such that all of them were needed to reconstruct another ballot's vote. It would then be possible to verify an election with reasonable confidence if a large number of ballot receipts were collected, but individual ballot receipts would be worthless.
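One way to realise the "confirming data spread over 2-3 future receipts" idea above, written as an added example for this page (it is not code from the message or from any voting product): each ballot's confirmation code is split by n-of-n XOR secret sharing and the pieces are printed on the next three receipts, with filler receipts emitted when the poll closes so the last ballots also get three carriers. Assumed: fixed-length confirmation codes, three shares per ballot, and the constructed sample codes used below. The last function measures the collection cost that the reply below objects to: if each receipt is collected independently with probability p, a ballot can be reconstructed only with probability p^3, so verification needs nearly complete collection.

```python
"""n-of-n XOR sharing of a ballot's confirmation data across later receipts.
Added example: a toy model of the idea in the message, not a real voting protocol."""
import os
import random
from functools import reduce

SHARES_PER_BALLOT = 3   # assumption: each ballot's data is spread over the next 3 receipts


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_xor(secret: bytes, n: int) -> list:
    """n-of-n XOR sharing: n-1 uniformly random shares plus one that makes the XOR of all
    n equal the secret. Any n-1 of them are uniformly random and say nothing about it."""
    shares = [os.urandom(len(secret)) for _ in range(n - 1)]
    shares.append(reduce(xor_bytes, shares, secret))
    return shares


def combine_xor(shares: list) -> bytes:
    return reduce(xor_bytes, shares)


def issue_receipts(votes: list, n: int = SHARES_PER_BALLOT) -> list:
    """Ballot i's confirmation data is split and the pieces printed on receipts i+1 .. i+n.
    The final n receipts are filler receipts printed at poll close (assumption) so that
    every ballot has n later receipts to land on. Receipt i itself carries nothing about vote i."""
    receipts = [{"id": r, "shares": {}} for r in range(len(votes) + n)]
    for i, vote in enumerate(votes):
        for k, share in enumerate(split_xor(vote, n), start=1):
            receipts[i + k]["shares"][i] = share
    return receipts


def reconstruct(receipts: list, ballot: int, n: int = SHARES_PER_BALLOT):
    """Return the ballot's confirmation data only if all n carrier receipts were collected."""
    shares = [r["shares"][ballot] for r in receipts if ballot in r["shares"]]
    return combine_xor(shares) if len(shares) == n else None


def verifiable_fraction(votes: list, keep_prob: float, seed: int = 0,
                        n: int = SHARES_PER_BALLOT) -> float:
    """Collect each receipt independently with probability keep_prob and report the fraction
    of ballots that can still be reconstructed. The expectation is keep_prob**n, which is
    why the scheme only works if almost every receipt is gathered."""
    rng = random.Random(seed)
    collected = [r for r in issue_receipts(votes, n) if rng.random() < keep_prob]
    ok = sum(reconstruct(collected, i, n) == v for i, v in enumerate(votes))
    return ok / len(votes)


if __name__ == "__main__":
    sample = [f"CODE-{i:04d}".encode() for i in range(1000)]   # constructed confirmation codes
    for p in (1.0, 0.95, 0.9, 0.5):
        print(f"collect {p:.0%} of receipts -> {verifiable_fraction(sample, p):.3f} of ballots verifiable")
```

Codes must all have the same length, since the XOR is taken byte for byte; a real scheme would pad or hash them first.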
Re: Firm invites experts to punch holes in ballot software
Brian McGroarty wrote:
> On Wed, Apr 07, 2004 at 03:42:47PM -0400, Ian Grigg wrote:
> > It seems to me that the requirement for after-the-vote verification (to prove your vote was counted) clashes rather directly with the requirement to protect voters from coercion (I can't prove I voted in a particular way) or other incentives-based attacks. You can have one, or the other, but not both, right?
>
> Suppose individual ballots weren't usable to verify a vote, but instead confirming data was distributed across 2-3 future ballot receipts such that all of them were needed to reconstruct another ballot's vote. It would then be possible to verify an election with reasonable confidence if a large number of ballot receipts were collected, but individual ballot receipts would be worthless.

If I'm happy to pervert the electoral process, then I'm quite happy to do it in busloads. In fact, this is a common approach: buses are paid for by a party candidate, the 1st stop is the polling booth, the 2nd stop is the party booth. In the west, this is done with old people's homes, so I hear.

Now, one could say that we'd distribute the verifiability over a random set of pollees, but that would make the verification impractically expensive.

iang

- The Cryptography Mailing List Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]
See-Through Voting Software
http://www.wired.com/news/print/0,1294,62983,00.html

Wired News
See-Through Voting Software
By Kim Zetter
02:00 AM Apr. 08, 2004 PT

VoteHere, an electronic voting systems company, released its source code this week in a bid to let others examine how the machines work and help people gain confidence in the e-voting process.

In addition, the Bellevue, Washington, company revealed a novel alternative to paper trails to verify the accuracy of the vote count: Voters would get an encrypted code on a receipt that corresponds to their vote, and at the end of the election voters could check through the Internet to see that their vote was tallied correctly.

Other voting-system makers have resisted calls for scrutiny of the inner workings of their machines. In contrast, VoteHere released its source code on its website this week after spending the past few months submitting details of its machines to conferences and journals to solicit feedback from security experts.

"We went into this business to make voting better," said VoteHere founder and chief executive Jim Adler. "We're doing everything we can to move the ball in that direction."

VoteHere doesn't manufacture voting machines. Instead, the company patented a technology called VoteHere Technology inside, or VHTi, that it hopes to license to voting-machine manufacturers. It can even be integrated into current electronic touch-screen voting machines, adding auditing capability to help verify that the machines record votes accurately.

So far, only one of dozens of voting companies has partnered with VoteHere. Sequoia Voting Systems of Oakland, California, will install the software in its touch-screen machines, though Sequoia hasn't said by when. The Sequoia system would need to undergo federal and state certification testing once the VoteHere software is installed.

Activists have criticized paperless electronic touch-screen voting machines because they don't produce an audit trail that voters can use to verify that the machines counted votes correctly and that the results weren't altered. Some have called for machines to produce a voter-verified paper trail.

But Adler said, "The call to go back to paper ballots has drowned out any other solution." He said the VoteHere method ensures the accuracy of the machines in a way that is more secure than a simple paper receipt.

Here's how it works: Next to each candidate's name on the ballot, a random code appears that changes for each voter. After making their selections, voters receive a printed receipt containing their unique codes, along with encrypted information that assures that the codes match the correct candidates. Once the voters verify their votes, they cast their ballots on the machine.

After the election, voting codes appear on the county website so voters can see that the codes on their receipts translated to a counted vote. While the county tallies the votes, the public can tally them independently as well.

Adler said nonpartisan watchdog groups and computer scientists also could verify the results independently in this way to ensure that no votes were lost or changed.

"Since all of the ballots are published, there's an entire election transcript," he said. "So the voters can do their bit to verify their own vote and then anyone can verify the backend. I think that's what's important. This verifies that the count was right."

Adler said that with so much transparency and with so many people monitoring the results, somebody is bound to catch any anomalies.

"If someone comes through your yard, there is a dog barking to tell you it's happening. We're trying to make sure that there is a dog barking if someone touches those ballots," he said.

Some critics pointed out that the VoteHere procedure might be too complicated for some voters. But Adler said not all voters would have to check their votes at the end of the election to ensure the vote count was correct. It would take only a small percentage to verify the election.

In December, a hacker broke into VoteHere's internal computer network and copied its source code. Adler said his company's decision to release the source code didn't have anything to do with the hack. VoteHere had been planning to release the code before the break-in, but was waiting to obtain sufficient feedback.

"We felt the source code was finally at a sufficient state of maturity to release it," Adler said.

Josh Benaloh, a cryptographer and researcher with Microsoft, has examined VoteHere's research papers and methodology. He said the VoteHere paper receipt is a nicety but not a necessity. What matters is the cryptography and the public counting afterward.

"If you use cryptography and use it properly, you can build an electronic system that is much safer than a paper system and has a much higher level of integrity," Benaloh said. "You can follow your vote right through to the end and make sure that your vote is counted. No other system does this."

He also said allowing
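The receipt-and-code procedure the article describes, reduced to a runnable toy. This is an added example written for this page, not VoteHere's VHTi code: it models a fresh random code per candidate on every ballot, a receipt carrying the chosen code plus a hash commitment to that ballot's code table, the published list of (ballot id, code) pairs that a voter checks against, and an auditor's recount from the commitment openings. The candidate names, six-digit codes and SHA-256 commitments are assumptions. Note the limitation the toy makes visible: the openings reveal each ballot's choice, so here they must stay with the trustees; the real scheme replaces that step with verifiable shuffling (the "verifiable remixing" mentioned later in this thread) so that the backend can be checked publicly without linking a receipt to a candidate.

```python
"""Toy model of a code-voting receipt scheme (added example, not VoteHere's VHTi code).
Assumptions: three candidates, six-digit per-ballot codes, SHA-256 hash commitments."""
import hashlib
import json
import secrets
from collections import Counter

CANDIDATES = ["Alice", "Bob", "Carol"]   # constructed sample ballot


def commit(ballot_id: int, codes: dict, nonce: str) -> str:
    """Hash commitment to one ballot's code table; the nonce stops it being brute-forced."""
    payload = json.dumps({"id": ballot_id, "codes": codes, "nonce": nonce}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


def make_ballot(ballot_id: int) -> dict:
    """Fresh random code per candidate for this ballot only, so a code on a receipt
    says nothing about the candidate without the (secret) table."""
    while True:
        codes = {c: f"{secrets.randbelow(10**6):06d}" for c in CANDIDATES}
        if len(set(codes.values())) == len(CANDIDATES):   # codes on one ballot must be distinct
            break
    nonce = secrets.token_hex(16)
    return {"id": ballot_id, "codes": codes, "nonce": nonce,
            "commitment": commit(ballot_id, codes, nonce)}


def cast(ballot: dict, choice: str):
    """The machine records (ballot id, chosen code) and prints a receipt with the same
    code and the commitment. No candidate name appears on the receipt."""
    code = ballot["codes"][choice]
    receipt = {"id": ballot["id"], "code": code, "commitment": ballot["commitment"]}
    return (ballot["id"], code), receipt


def voter_check(receipt: dict, bulletin: set) -> bool:
    """The voter's own check after the election: is my (id, code) pair on the published list?"""
    return (receipt["id"], receipt["code"]) in bulletin


def audit(bulletin: set, openings: list, receipts: list):
    """Auditor holding the openings: every receipt's commitment must reopen to the trustees'
    table, and the tally is read off the tables. Returns None on any mismatch or on a code
    no table ever issued. The openings reveal each ballot's choice, so in this toy they
    stay with the trustees rather than being published."""
    tables = {o["id"]: o for o in openings}
    for r in receipts:
        o = tables[r["id"]]
        if commit(o["id"], o["codes"], o["nonce"]) != r["commitment"]:
            return None
    tally = Counter()
    for ballot_id, code in bulletin:
        by_code = {v: k for k, v in tables[ballot_id]["codes"].items()}
        if code not in by_code:
            return None   # forged entry on the published list
        tally[by_code[code]] += 1
    return dict(tally)


def run_election(choices: list):
    """Constructed election with one ballot per choice. Returns the published list,
    the receipts voters took home and the trustees' openings."""
    ballots = [make_ballot(i) for i in range(len(choices))]
    records, receipts = zip(*(cast(b, c) for b, c in zip(ballots, choices)))
    openings = [{"id": b["id"], "codes": b["codes"], "nonce": b["nonce"]} for b in ballots]
    return set(records), list(receipts), openings


if __name__ == "__main__":
    bulletin, receipts, openings = run_election(["Alice", "Bob", "Alice", "Carol"])
    print("receipt 0 (no candidate on it):", receipts[0])
    print("all voters find their code:", all(voter_check(r, bulletin) for r in receipts))
    print("audited tally:", audit(bulletin, openings, receipts))
```

Two things the toy shows directly: a dropped ballot is caught by exactly one person, the voter whose pair vanished from the list, which is why the article's "only a small percentage" of checkers matters; and a receipt alone is worthless to a coercer, but receipt plus opening is not, which is the gap the real protocol's shuffle has to close.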
Re: voting
a counterpoint...

Perry E. Metzger wrote:
> I'm a believer in the KISS principle. :-)

that's one S too many. For true believers, KIS is enough.

> A ballot that is both machine and human readable and is constructed by machine seems ideal. You enter your votes, a card drops down, you verify it and drop it in a slot. Ideally, the cards would be marked with something like OCR-B so that the correspondence between machine marking and human marking is trivial.

If the real vote (the thing that gets counted) is machine-read from the OCR-B, and the voter is verifying the human-readable OCR-B text on the ballot, then how can one say the vote is really verified? You end up trusting the machines after all, both for scanning as well as for tallying. In addition, the paper ballots could also be falsified and the totals would be wrong even if someone would have us believe that their machines are infallible.

> You can't have hanging chads or mismarks on optical cards because a machine marks it for you. You can always do a recount, just by running the cards through the reader again.

Machines are not 100% efficient when counting paper ballots. There are misreads, rejections, jamming, etc. The usual procedure is to feed the ballots twice in the machine, for verification. What happens if the result differs? Since you don't know which paper ballots were misread, you MUST end up having to count them ALL manually. Florida law, for example, unequivocally requires a manual recount in a close election -- even if no one complains. This is the same scenario, btw, as the November 2000 election.

> You can prevent ballot stuffing by having representatives of several parties physically present during the handling of the ballot boxes -- just like now.

Just like now, ballot boxes are lost, some ballots are not counted, some ballots can be changed. For 200 years, fraud has been endemic in paper ballots in the US. This is exactly one of the reasons that is driving this society to develop better solutions. Better solutions, IMO, should include independent representations of the ballot data, witnesses of the ballot as cast by the voter. When these witnesses exist, they must all be audited for consistency. This can be done efficiently with a proper random sampling. Further, as it is already legal today in the U.S., I think that voters should be able to cast their ballots at a poll precinct as well as at home, at work, and abroad.

Moreover, election systems need to eliminate all physical connections between production system (the election) and development (the vendor). This is a lesson from the banking sector. Vendors must not be allowed to operate their machines during an election, as is routinely done today in the US. This current (bad) practice also contains a conflict of interest, as the vendor has an interest in selling a machine that is hard to operate.

> You can verify that the counting mechanisms are working right by manually counting if needed.

There are at least three problems with this statement.

Manually counting? If someone even suggests that a city like Los Angeles (1.9M voters) is going to HAND COUNT all of its ballots, they won't go very far. It is humanly impossible to do this without mistakes creeping in, in addition to time and costs.

Working right? Contrary to banking, a ballot (ie, a transaction in bank terms) must not be linkable to whoever did it. A voter should not be able to prove, not even to himself, how he voted. Nonetheless, voters are not anonymous (they have to be well-identified). Compare this with working right in banking: if there is a debit of $10,000.00 in our account, how would you feel if no one (not even you) could prove that the debit is not yours?

Counting mechanisms? There is no way to know with current paper ballots if they are in fact counted right from an auditing viewpoint, which depends whether what is counted is what was cast by a voter or just stuffed in, or changed.

> Complicated systems are the bane of security. Systems like this are simple to understand, simple to audit, simple to guard.

Simple to defraud too, as has been done here for 200 years.

Cheers,
Ed Gerck
Re: voting
At 8:24 AM -0400 4/8/04, Perry E. Metzger wrote:
> Trei, Peter [EMAIL PROTECTED] writes:
> > I think Perry has hit it on the head, with the one exception that the voter should never have the receipt in his hand - that opens the way for serial voting fraud. The receipt should be exposed to the voter behind glass, and when he/she presses the 'accept' button, it visibly drops into the sealed, opaque ballot box.
>
> Seems fine by me, except I'd make the ballot box only lightly frosted -- enough that you can't read the contents, but light enough that poll inspectors can visually assure themselves that the contents aren't mysteriously altered during the course of the day.

I can see one potential problem with having the machine produce the receipts. Let's say the system is well designed and completely fair. There will be a certain percentage of voters who will complain that the receipt recorded the wrong vote because they in fact inadvertently pressed the wrong button. Over time, that percentage and its variance will become well known. Call that rate r. A party with the ability to make surreptitious changes to the voting software can then have it occasionally record a vote and print a receipt contrary to what the voter chose, as long as the number of such bogus votes is small enough relative to r and its variance to escape notice. They can then determine what fraction, f, of voters who get wrong receipts report them. They can then increase the fraction of bogus votes by 1/f. Over the course of several elections they can slowly grow the fraction of bogus votes, claiming that voters are getting sloppy. Since major elections are often decided by less than one percent of the vote, this attack can be significant.

We have a system now in Cambridge, Massachusetts where we are given a paper mark sense ballot and fill in little ovals, like those on standardized tests. We then carry our ballot to a machine that sucks it in and reads it. The totals are reported after the polls close, but the mark sense ballots are saved inside the machine (which I assume is inspected before the voting starts and then locked) and can easily be recounted at any time. This system seems ideal to me.

> By the way, I should mention that an important part of such a system is the principle that representatives from the candidates on each side get to oversee the entire process, assuring that the ballot boxes start empty and stay untampered with all day, and that no one tampers with the ballots as they're read. The inspectors also serve to assure that the clerks are properly checking who can and can't vote, and can do things like hand-recording the final counts from the readers, providing a check against the totals reported centrally. The adversarial method does wonders for assuring that tampering is difficult at all stages of a voting system.

An important thing to remember is that these poll watchers, along with the workers running the voting for the election authorities, are often retired people who have very little computer skills. It is much easier for them to understand and safeguard systems based on paper and mechanical locks.

Arnold Reinhold
Re: voting
Having a paper ballot printed by machine (and checked by the voter) before being dropped in a box may permit some additional cross-checks:

* Put serial numbers or something like them, on each ballot, so that missing or added ballots can be detected.

* Put check digits on each ballot, so that alterations can be detected. In order to avoid a big key management problem, perhaps each machine could generate its own key-pair, and print the public half on each ballot. Perhaps the check digits could be chained through the whole sequence of ballots so that adversaries have to modify the whole tail sequence to change one. Perhaps at the end of the sequence, the machine could generate a known set of void ballots, making changing the tail after the fact impossible.

* Print a receipt for the actual voter that can be used by the voter to check that her vote was actually recorded. Ideally, the receipt should also be able to confirm that the actual intended votes were recorded. It should not be possible to compute the votes from the receipt. It should not be possible for an inquiry about a vote from the receipt holder to tie the identity of the voter to the votes.

This last item would help my degree of confidence - I'd like to be able to independently confirm, myself, that my vote was accurately recorded.

Naturally, the sequence information must not be traceable to an individual - this is usually the case in manual sign-in systems that match voters to registration books. I would be skeptical about automated sign-in.

-Larry
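The serial-number, chained check-digit and void-ballot ideas from the first two bullets above, as one runnable model. This is an added example, not code from the message or from any real voting machine. Assumptions: HMAC-SHA256 under a per-machine key stands in for the per-machine key pair Larry proposes (a real deployment would sign and print the public half so that the verifier holds no secret; here the verifier must be given the machine key), each ballot's authenticator covers the hash of the previous ballot so the chain is tamper-evident, three VOID ballots close the chain at poll close, and the candidate names are constructed sample data.

```python
"""Serial-numbered, hash-chained, machine-authenticated ballots with a VOID terminator.
Added example modelling the proposal in the message; HMAC stands in for a signature."""
import hashlib
import hmac
import secrets

GENESIS = "0" * 64   # the "previous hash" printed on a machine's first ballot


class BallotPrinter:
    """One voting machine. Each printed ballot carries its serial, the hash of the previous
    ballot and an authenticator under the machine's key (assumption: HMAC-SHA256 here,
    a per-machine signature with the public key printed on the ballot in a real design)."""

    def __init__(self, machine_id: str, key=None):
        self.machine_id = machine_id
        self.key = key or secrets.token_bytes(32)
        self.serial = 0
        self.prev = GENESIS
        self.ballots = []

    def _emit(self, contents: str) -> dict:
        self.serial += 1
        body = f"{self.machine_id}|{self.serial}|{self.prev}|{contents}"
        tag = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        ballot = {"machine": self.machine_id, "serial": self.serial, "prev": self.prev,
                  "contents": contents, "tag": tag}
        self.prev = hashlib.sha256((body + "|" + tag).encode()).hexdigest()
        self.ballots.append(ballot)
        return ballot

    def print_ballot(self, contents: str) -> dict:
        return self._emit(contents)

    def close_polls(self, n_void: int = 3) -> list:
        """Terminate the chain with known VOID ballots, so the tail can be neither
        extended with late ballots nor silently truncated after the fact."""
        return [self._emit("VOID") for _ in range(n_void)]


def verify_chain(ballots: list, key: bytes, machine_id: str, n_void: int = 3):
    """Re-walk the chain from GENESIS. Returns (ok, reason); reports the first problem found:
    a serial gap (missing/added ballot), a chain break (reordering), a bad authenticator
    (altered contents) or a missing VOID tail (truncation)."""
    prev, expected_serial = GENESIS, 1
    for b in ballots:
        if b["machine"] != machine_id or b["serial"] != expected_serial:
            return False, f"serial gap or foreign ballot at serial {b['serial']}"
        if b["prev"] != prev:
            return False, f"chain break before serial {b['serial']}"
        body = f"{machine_id}|{b['serial']}|{b['prev']}|{b['contents']}"
        tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, b["tag"]):
            return False, f"altered contents or tag at serial {b['serial']}"
        prev = hashlib.sha256((body + "|" + tag).encode()).hexdigest()
        expected_serial += 1
    tail = [b["contents"] for b in ballots[-n_void:]]
    if len(ballots) < n_void or tail != ["VOID"] * n_void:
        return False, "chain not closed with VOID ballots (tail missing?)"
    return True, "ok"


if __name__ == "__main__":
    m = BallotPrinter("M-01")
    for choice in ["Alice", "Bob", "Alice"]:      # constructed sample votes
        m.print_ballot(choice)
    m.close_polls()
    print(verify_chain(m.ballots, m.key, "M-01"))
    print(verify_chain(m.ballots[:-1], m.key, "M-01"))   # one ballot removed from the tail
```

What the chain does not give you is worth stating: it proves the stack of paper is the stack the machine printed, not that the machine printed what the voter chose. That is the separate receipt question in the third bullet, and it is also why the serial must never be linked to the sign-in record.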
Re: voting
At 11:16 PM 4/8/04 +0200, privacy.at Anonymous Remailer wrote:
> In the second place, it fails for elections with more than two parties running. The casual reference above to representatives on each side betrays this error. Poorly funded third parties cannot provide representatives as easily as the Republicans and Democrats. We already know that the major parties fight to keep third party candidates off the ballots. Can we expect them to be vigilant in making sure that Libertarian and Green votes are counted?

Your points about the weaknesses of adversarial observers are stimulating, valid points, but the Reps and Dems *can* count on those votes *not* being moved into their de facto adversary's (Dems, Reps, respectively) bin. And in practice the fringe votes usually don't matter. (I vote Lib..) It's not uncommon for elections to be upheld *even when votes are known lost* if the margins are sufficient. (It happened in California last election, human error plus tech.)

Ultimately the adversarial parties are the ones who have to check the whole process, including any tech that gets used. And that process is open to the Libs, etc.

As to your other point, the clever protocols, Perry and other KISS advocates have a very strong (albeit social) point. Joe Sixpack can understand *and test* levers or Hollerith cards or their optical counterparts. Good luck getting him to understand number theory. It would be better in many estimations to have even coercible voting than to have Trust Me apply to electing a government. (Not that the govt will avoid using that phrase once elected :-)
eCompute ECC2-109 Project has PROBABLE solution
http://www.ecompute.org/ecc2/

There has been a PROBABLE solution generated as of 1425 hrs GMT, April 8, 2004. Until Certicom has confirmed this, it will be treated as a PROBABLE solution and the DP collection will continue. The two people who have submitted the DP values have been emailed. Until Certicom formally accepts this, please do not stop your clients. Remember, this is only a PROBABLE solution and we are not done yet!

The ECC2-109 Team

--
Anne Lynn Wheeler - http://www.garlic.com/~lynn/
RE: voting
privacy wrote:
> [good points about weaknesses in adversarial system deleted]
>
> It's baffling that security experts today are clinging to the outmoded and insecure paper voting systems of the past, where evidence of fraud, error and incompetence is overwhelming. Cryptographic voting protocols have been in development for 20 years, and there are dozens of proposals in the literature with various characteristics in terms of scalability, security and privacy. The votehere.net scheme uses advanced cryptographic techniques including zero knowledge proofs and verifiable remixing, the same method that might be used in next generation anonymous remailers.

Our anonymous correspondent has not addressed the issues I raised in my initial post on the 7th:

1. The use of receipts which a voter takes from the voting place to 'verify' that their vote was correctly included in the total opens the way for voter coercion.

2. The proposed fix - a blizzard of decoy receipts - makes recounts based on the receipts impossible.

> Given that so many jurisdictions are moving towards electronic voting machines, this is a perfect opportunity to introduce mathematical protections instead of relying so heavily on human beings. I would encourage observers on these lists to familiarize themselves with the cryptographic literature and the heavily technical protocol details at http://www.votehere.com/documents.html before passing judgement on these technologies.

Asking the readers of this list to 'familiarize themselves with the cryptographic literature' is, in many cases, a little like telling Tiger Woods that he needs to familiarize himself with the rules of golf. We know the 'advanced cryptographic techniques' you refer to. We also know their limitations - what they can and cannot do. This is not the appropriate forum to try to say trust me.

Answer this:

1. How does this system prevent voter coercion, while still allowing receipt based recounts? Or do you have some mechanism by which I can personally verify every vote which went into the total, to make sure they are correct?

2. On what basis do you think the average voter should trust this system, seeing as it's based on mechanisms he or she can't personally verify?

3. What chain of events do I have to believe to trust that the code which is running in the machine is actually and correctly derived from the source code I've audited? I refer you to Ken Thompson's classic paper Reflections on trusting trust, as well as the recent Diebold debacle with uncertified patches being loaded into the machine at the last moment.

This last is an important point - there is no way you can eliminate the requirement of election officials to behave legitimately. Since that requirement can't be done away with by technology, adding technology only adds more places the system can be compromised.

Based on the tone of this letter, I'd hazard a guess that 'privacy' has a vested interest in VoteHere. If this is true, it's a little odd that they are willing to expose their source code, but not their name. We don't bite, unless the victim deserves it :-) Opening your source is an admirable first step - why not step out of the shadows so we can help you make your system better?

I fear a system which does not have a backup mechanism that the average voter can understand. While it's true that non-electronic systems are subject to compromise, so are electronic ones, regardless of their use of ZK proofs, or 'advanced cryptographic techniques'.

I do think electronic voting machines are coming, and a good thing. But they should be promoted on the basis that they are easier to use, and fairer in presentation, than are manual methods. Promoting them on the basis that they are more secure, and less subject to vote tampering is simply false.

Peter Trei
Cryptoengineer
RSA Security

Disclaimer: The above represents my personal opinions only.
voting, KISS, etc.
I think that those that advocate cryptographic protocols to ensure voting security miss the point entirely. They start with the assumption that something is broken about the current voting system. I contend it is just fine.

For example, it takes a long time to count pieces of papers compared with bits. However, there is no actual need for speed in reporting election results. This is not a stock exchange -- another election will not be held the next day, and the number of elections being held will not rise 8% per quarter. If it takes a day or even several days to get an accurate count, no one will be hurt. The desires of television networks to report the results in ten minutes are not connected to the need for a democracy to have widespread confidence in the election results. Speed is not a requirement. As it is, however, automated counts of paper ballots are plenty fast enough already.

It also is seemingly behind the times to use paper and such to hold an election when computers are available -- but the goal is not to seem modern -- it is to hold a fair election with accurately reported results that can be easily audited both before, during and after the fact.

It seems to some to be easier to vote using an electronic screen. Perhaps, perhaps not. My mother would not find an electronic screen easier at all, but let's ignore that issue. Whether or not the vote is entered on a screen, the fact that paper ballots can be counted both mechanically (for speed) and by hand (as an audit measure), where purely electronic systems lack any mechanism for after-the-fact audit or recount, leads one to conclude that old fashioned paper seems like a good idea, and if it is not to be marked by hand, then at least let it be marked by the computer entry device.

It is also seemingly better to have a system where a complex cryptographic protocol secures the results -- but the truth is that it is more important that a system be obvious, simple and secure even to relatively uneducated members of society, and the marginal security produced by such systems over one in which physical paper ballots are generated is not obvious or significant.

(The marginal security issue is significant. Consider that simple mechanisms can render the amount of fraud possible in the old fashioned system significantly smaller than the number of miscast votes caused by voter mistakes, but that no technology can eliminate voter mistakes. Then ask why a fully electronic fraudless system understandable to a minuscule fraction of the population but where miscast votes continue to occur -- and possibly to be inaccurately perceived as evidence of fraud -- would be superior.)

To those that don't understand the "understandable to even those who are not especially educated" problem, consider for a moment that many people will not care what your claims are about the safety of the system if they think fraud occurred, even if you hand them a mathematical proof of the system. I suspect, by the way, that they'll be right, because the proofs don't cover all the mechanisms by which fraud can occur, including graveyard voting.

We tamper with the current system at our peril. Most security mechanisms evolve over time to adjust to the threats that happen in the real world. The protocols embedded in modern election laws, like having poll watchers from opposing sides, etc., come from hundreds of years of experience with voting fraud. Over centuries, lots of tricks were tried, and the system evolved to cope with them. Simple measures like counting the number of people voting and making sure the number of ballots cast essentially corresponds, physically guarding ballot boxes and having members of opposing parties watch them, etc., serve very well and work just fine.

Someone mentioned that in some elections it is impractical for the people running to have representatives at all polling places. It is, in fact, not necessary for them to -- the threat of their doing so and having enough poll watchers from enough organizations in a reasonably random assortment of polling places is enough to prevent significant fraud.

I'm especially scared about mechanisms that let people vote at home and such. Lots of people seem to think that the five minute trip to the polling place is what is preventing people from voting, and they want to let people vote from their computers. Let's ignore the question of whether it is important that the people who can't be bothered to spend ten minutes going to the polling place care enough about the election to be voting anyway. Let's also ignore the totally unimportant question of vote buying -- vote buying has happened plenty of times over the centuries without any need for the purchaser to verify that the vote was cast as promised. Tammany Hall did not need to watch people's votes to run a political machine. I'm much more concerned that we may be automating the graveyard vote, which is currently kept in check by the need to personally appear at polling
Re: voting, KISS, etc.
On Fri, Apr 09, 2004 at 12:46:47PM -0400, Perry E. Metzger wrote:
> I think that those that advocate cryptographic protocols to ensure voting security miss the point entirely.
[...]
> I'm a technophile. I've loved technology all my life. I'm also a security professional, and I love a good cryptographic algorithm. Please keep technology as far away as possible from the voting booth -- it will make everyone a lot safer.

Hear, hear!

As the supposed experts, how do we get the idea out of people's heads that making everything electronic and automated is somehow intrinsically better, regardless of the actual risks and benefits of doing so?

--
- Adam - http://www.adamfields.com
RE: voting
| privacy wrote:
| [good points about weaknesses in adversarial system deleted]
|
| It's baffling that security experts today are clinging to the outmoded
| and insecure paper voting systems of the past, where evidence of fraud,
| error and incompetence is overwhelming. Cryptographic voting protocols
| have been in development for 20 years, and there are dozens of proposals
| in the literature with various characteristics in terms of scalability,
| security and privacy. The votehere.net scheme uses advanced cryptographic
| techniques including zero knowledge proofs and verifiable remixing,
| the same method that might be used in next generation anonymous remailers.
|
| Our anonymous correspondent has not addressed the issues I raised in my
| initial post on the 7th:
|
| 1. The use of receipts which a voter takes from the voting place to 'verify'
| that their vote was correctly included in the total opens the way for voter
| coercion.
|
| 2. The proposed fix - a blizzard of decoy receipts - makes recounts based
| on the receipts impossible.

The VoteHere system is really quite clever, and you're attacking it for not being the same as everything that went before.

Current systems - whether paper, machine, or whatever - provide no inherent assurance that the vote you cast is the one that got counted. Ballot boxes can be lost, their contents can be replaced; machines can be rigged. We use procedural mechanisms to try to prevent such attacks. It's impossible to know how effective they are: We have no real way to measure the effectiveness, since there is no independent check on what they are controlling. There are regular allegations of all kinds of abuses, poll watchers or no. And there are plenty of suspect results.

| Answer this:
|
| 1. How does this system prevent voter coercion, while still allowing receipt
| based recounts?

a) Receipts in the VoteHere system are *not* used for recounts. No receipt that a user takes away can possibly be used for that - the chances of you being able to recover even half the receipts a day after the election are probably about nil. Receipts play exactly one role: They allow a voter who wishes to confirm that his vote actually was tallied.

b) We've raised prevention of voter coercion on some kind of pedestal. The fact is, I doubt it plays much of a real role. If someone wants to coerce voters, they'll use the kind of goons who collect on gambling debts to do it. The vast majority of people who they try to coerce will be too frightened to even think about trying to fool them - and if they do try, will lie so unconvincingly that they'll get beaten up anyway. Political parties that want to play games regularly bring busloads of people to polling places. They don't check how the people they bus in vote - they don't need to. They know who to pick.

However, if this really bothers you, a system like this lets you trade off non-coercion and checkability: When you enter the polling place, you draw a random ball - say, using one of those machines they use for lotteries. If the ball is red, you get a receipt; if it's blue, the receipt is retained in a sealed box (where it's useless to anyone except as some kind of cross-check of number of votes cast, etc.) No one but you gets to see the color of the ball. Now, even if you are being coerced and get a red ball, you can simply discard the receipt - the polling place should have a secure, private receptacle; or maybe you can even push a button on the machine that says Pretend I got a blue ball - and claim you got a blue ball. The fraction of red and blue balls is adjustable, depending on how you choose to value checkability vs. non-coercion.

| Or do you have some mechanism by which I can
| personally verify every vote which went into the total, to make sure they
| are correct?

In VoteHere's system, you can't possibly verify that every vote that went into the total was correctly handled. You can verify that the votes *that the system claims were recorded* are actually counted correctly. And you can verify that *your* vote was actually recorded as you cast it - something you can't do today. The point of the system is that any manipulation is likely to hit someone who chooses to verify their vote, sooner or later - and it only takes one such detected manipulation to start an inquiry. Whether in practice people want this enough to take the trouble ... we'll have to wait and see.

| 2. On what basis do you think the average voter should trust this system,
| seeing as it's based on mechanisms he or she can't personally verify?

On what basis should an average voter trust today's systems? How many people have any idea what safeguards are currently used? How many have any personal contact with the poll watchers on whom the system relies? Could *you* verify, in any meaningful sense, the proper handling of a vote you cast? Could you watch the machines/boxes/whatever being handled?
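The detection arithmetic behind two claims in this thread, as an added example (not code from any message): Arnold Reinhold's point earlier that an attacker can hide wrong receipts inside the normal "I pressed the wrong button" complaint rate and grow the budget election by election, and the claim just above that any manipulation is likely to land on someone who checks, with the red/blue ball draw setting what fraction of voters hold a receipt at all. Assumed: a complaint rate is treated as anomalous once it exceeds the known baseline by k standard deviations, each voter's decision to check is independent, and every parameter value below is constructed for illustration.

```python
"""Detection arithmetic for receipt-based verification (added example, not from the thread).
Assumptions: complaints count as detected once the observed rate exceeds the baseline r by
k standard deviations; checks are independent draws; all numbers below are constructed."""
import math


def _floor(x: float) -> int:
    return math.floor(round(x, 9))   # guard against 399.9999999 from float arithmetic


def undetected_budget(r: float, sigma: float, f: float, n: int, k: float = 2.0) -> int:
    """Largest number of bogus receipts among n ballots whose complaints keep the observed
    complaint rate at or below r + k*sigma, when a fraction f of wronged voters report.
    Each report costs the attacker 1/f bogus votes of cover, hence the division by f."""
    return _floor(k * sigma * n / f)


def grow_attack(r: float, sigma: float, f: float, n: int, elections: int,
                k: float = 2.0) -> list:
    """Reinhold's slow-growth variant: if officials re-baseline on last election's observed
    complaint rate ("voters are getting sloppy"), the budget grows linearly every election."""
    budgets, baseline = [], r
    for _ in range(elections):
        allowed = baseline + k * sigma                 # tolerated complaint rate this election
        bogus = _floor((allowed - r) * n / f)          # bogus votes whose reports fill that slack
        budgets.append(bogus)
        baseline = r + f * bogus / n                   # becomes next election's "normal"
    return budgets


def detection_prob(altered: int, receipt_fraction: float, check_fraction: float) -> float:
    """Probability that at least one of `altered` manipulated ballots belongs to a voter who
    both holds a receipt (drew a red ball) and bothered to check it."""
    p = receipt_fraction * check_fraction
    return 1.0 - (1.0 - p) ** altered


def min_altered_to_detect(target: float, receipt_fraction: float, check_fraction: float) -> int:
    """Smallest number of manipulated ballots at which detection_prob reaches `target`:
    how few alterations a modest checking rate tolerates before someone notices."""
    p = receipt_fraction * check_fraction
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


if __name__ == "__main__":
    # Constructed scenario: 100,000 ballots, 0.5% baseline complaint rate with sigma 0.1%,
    # half of wronged voters report; receipts for half the voters, 10% of whom check.
    print("one-election budget:", undetected_budget(0.005, 0.001, 0.5, 100_000))
    print("over three elections:", grow_attack(0.005, 0.001, 0.5, 100_000, 3))
    print("P(detect 50 altered):", round(detection_prob(50, 0.5, 0.1), 3))
    print("alterations for 99% detection:", min_altered_to_detect(0.99, 0.5, 0.1))
```

The two halves pull in opposite directions, which is the real content of the disagreement: detection_prob says a handful of checkers make a large manipulation almost certain to be noticed by somebody, while undetected_budget says that a noticed wrong receipt is only a detection if officials treat it as one rather than as the usual voter error. "It only takes one detected manipulation to start an inquiry" holds only when a single complaint is investigated rather than absorbed into r.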
Re: voting
Perry E. Metzger wrote:
> Complicated systems are the bane of security. Systems like this are simple to understand, simple to audit, simple to guard.

I fully agree, but there is a wide variety of voting schemes out there, of varying complexity. In a ballot with only very few options, your proposal makes sense. But in some cases, the complete description of a vote doesn't necessarily fit onto an A4 paper sheet. Our own municipal elections are so complicated that you fill in your votes at home and bring the paperwork to the election office. In the U.S., some of the simple votes are linked to dozens of plebiscites, and you'll have a hard time printing that onto a small piece of paper, too.

But I can't see why computerized voting is so important. Here in Germany, the pencil-and-paper method is doing just fine. Volunteers do the counting, so there is no monetary incentive to automate this process. It means that we have to wait a few hours (or even days, in case of the municipal elections) before preliminary official results are available, but this doesn't seem to be a significant problem, IMHO.

However, I'm sure our own paper-based voting system would fall apart if subjected to the same scrutiny as Diebold's voting machines. It's just a different kind of insecurity.

--
Current mail filters: many dial-up/DSL/cable modem hosts, and the following domains: postino.it, tiscali.co.uk, tiscali.cz, tiscali.it, voila.fr.