voting, KISS, etc.

2004-04-09 Thread Perry E. Metzger

I think that those that advocate cryptographic protocols to ensure
voting security miss the point entirely.

They start with the assumption that something is broken about the
current voting system. I contend it is just fine.

For example, it takes a long time to count pieces of papers compared
with bits. However, there is no actual need for speed in reporting
election results. This is not a stock exchange -- another election
will not be held the next day, and the number of elections being held
will not rise 8% per quarter. If it takes a day or even several days
to get an accurate count, no one will be hurt. The desires of
television networks to report the results in ten minutes is not
connected to the need for a democracy to have widespread confidence in
the election results. Speed is not a requirement. As it is, however,
automated counts of paper ballots are plenty fast enough already.

It also is seemingly behind the times to use paper and such to hold
an election when computers are available -- but the goal is not to seem
modern -- it is to hold a fair election with accurately reported
results that can be easily audited both before, during and after the

It seems to some to be easier to vote using an electronic
screen. Perhaps, perhaps not. My mother would not find an electronic
screen easier at all, but lets ignore that issue. Whether or not the
vote is entered on a screen, the fact that paper ballots can be
counted both mechanically (for speed) and by hand (as an audit
measure), where purely electronic systems lack any mechanism for
after-the-fact audit or recount, leads one to conclude that old
fashioned paper seems like a good idea, and if it is not to be marked
by hand, then at least let it be marked by the computer entry device.

It is also seemingly better to have a system where a complex
cryptographic protocol secures the results -- but the truth is that
it is more important that a system be obvious, simple and secure even
to relatively uneducated members of society, and the marginal security
produced by such systems over one in which physical paper ballots are
generated is not obvious or significant.

(The marginal security issue is significant. Consider that simple
mechanisms can render the amount of fraud possible in the old
fashioned system significantly smaller than the number of miscast
votes caused by voter mistakes, but that no technology can eliminate
voter mistakes. Then ask why a fully electronic fraudless system
understandable to a miniscule fraction of the population but where
miscast votes continue to occur -- and possibly to be inaccurately
perceived as evidence of fraud -- would be superior.)

To those that don't understand the understandable to even those who
are not especially educated problem, consider for moment that many
people will not care what your claims are about the safety of the
system if they think fraud occurred, even if you hand them a
mathematical proof of the system. I suspect, by the way, that they'll
be right, because the proofs don't cover all the mechanisms by which
fraud can occur, including graveyard voting.

We tamper with the current system at our peril. Most security
mechanisms evolve over time to adjust to the threats that happen in
the real world.  The protocols embedded in modern election laws,
like having poll watchers from opposing sides, etc., come from
hundreds of years of experience with voting fraud. Over centuries,
lots of tricks were tried, and the system evolved to cope with
them. Simple measures like counting the number of people voting and
making sure the number of ballots cast essentially corresponds,
physically guarding ballot boxes and having members of opposing
parties watch them, etc., serve very well and work just fine.

Someone mentioned that in some elections it is impractical for the
people running to have representatives at all polling places. It is,
in fact, not necessary for them to -- the threat of their doing so and
having enough poll watchers from enough organizations in a reasonably
random assortment of polling places is enough to prevent significant

I'm especially scared about mechanisms that let people vote at home
and such. Lots of people seem to think that the five minute trip to
the polling place is what is preventing people from voting, and they
want to let people vote from their computers. Lets ignore the question
of whether it is important that the people who can't be bothered to
spend ten minutes going to the polling place care enough about the
election to be voting anyway. Lets also ignore the totally unimportant
question of vote buying -- vote buying has happened plenty of times
over the centuries without any need for the purchaser to verify that
the vote was cast as promised. Tammany Hall did not need to watch
people's votes to run a political machine.

I'm much more concerned that we may be automating the graveyard
vote, which is currently kept in check by the need to personally
appear at polling 

Re: voting, KISS, etc.

2004-04-09 Thread Adam Fields
On Fri, Apr 09, 2004 at 12:46:47PM -0400, Perry E. Metzger wrote:
 I think that those that advocate cryptographic protocols to ensure
 voting security miss the point entirely.
 I'm a technophile. I've loved technology all my life. I'm also a
 security professional, and I love a good cryptographic
 algorithm. Please keep technology as far away as possible from the
 voting booth -- it will make everyone a lot safer.

Hear, hear!

As the supposed experts, how do we get the idea out of people's heads
that making everything electronic and automated is somehow
intrinsically better, regardless of the actual risks and benefits of
doing so?

- Adam


The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]