On Nov 25, 2003, at 11:21 AM, Trei, Peter wrote:
Tim May [mailto:timcmay@got.net] wrote:
On Nov 25, 2003, at 9:56 AM, Sunder wrote:
Um, last I checked, phone cameras have really shitty resolution, usually less than 320x200. Even so, you'd need MUCH higher resolution, say 3-5Mpixels to be able to read text on a printout in a picture.
Add focus and aiming issues, and this just won't work unless you carry a good camera into the booth with you.
1. Vinnie the Votebuyer knows the _layout_ of the ballot. He only needs to see that the correct box is punched/marked. Or that the screen version has been checked.
I realize you big city types (yes, Tim, Corralitos is big compared to my little burg) have full scale voting booths with curtains (I used the big mechanical machines when I lived in Manhattan), but out here in the sticks, the 'voting booth' is a little standing desk affair with 18 inch privacy shields on 3 sides. If someone tried to take a photo of their ballot in one of those it would be instantly obvious.
All I want is a system which is not more easily screwed around with than paper ballots. Have some imagination - you could, for example, set things up so the voter, and only the voter, can see the screen and/or paper receipt while voting, but still make it impossible to use a camera without being detected.
But how could a restriction on gargoyling oneself be constitutional? If Alice wishes to record her surroundings, including the ballot and/or touchscreen she just voted with, this is her business. (I fully support vote buying and selling, needless to say. Simple right to make a contract.)
I wasn't endorsing the practicality of people trying to use digital cameras of any sort in any kind of voting booth, just addressing the claim that cellphone cameras don't have enough resolution. Even 320 x 240 has more than enough resolution to show which boxes have been checked, or to mostly give a usable image with a printed receipt.
As for creating tamper-resistant and unforgeable and nonrepudiable voting systems, this is a hard problem. For ontological reasons (who controls machine code, etc.).
I start with the canonical model of a very hard to manipulate system: blackballing (voting with black or white stones or balls). Given ontological limits on containers (hard to teleport stones into or out of a container), given ontological limits on number of stones one can hold, and so on (I'll leave it open for readers to ponder the process of blackball voting), this is a fairly robust system.
(One can imagine schemes whereby the container is on a scale, showing the weight. This detects double voting for a candidate. One lets each person approach the container, reach into his pocket, and then place one stone into the container (which he of course cannot see into, nor can he remove any stone). If the scale increments by the correct amount, e.g., 3.6 grams, then one is fairly sure no double voting has occurred. And if the voter kept his fist clenched, he has strong assurance that no one else saw whether he was depositing a black stone or a white stone into the container. Then if the stones are counted in front of witnesses, 675 black stones vs. 431 white stones is a fairly robust and trusted outcome.
Details would include ensuring that one person voted only once (usual trick: indelible dye on arm when stones issued, witnesses present, etc. Attacks would include the Ruling Party depositing extra stones, etc. And consolidating the distributed results has the usual weaknesses.)
Things get much more problematic as soon as this is electronified, computerized, as the normal "ontological" constraints evaporate. Stones can vanish, teleport, be miscounted, suddenly appear, etc.
Designing a system which is both robust (all the crypto buzzwords about nonforgeability, satisfaction of is-a-person or one-person constraints, visibility, etc.) and which is also comprehensible to people who are, frankly, unable to correctly punch a paper ballot for Al Gore, is a challenge. I'm not sure either Joe Sixpack in Bakersfield or Irma Yenta in Palm Beach want to spend time learning about "all-or-nothing-disclosure" and "vote commitment protocols."
I know about David Chaum's system. He has gotten interested in this problem. I am not interested in this problem. Moreover, I think working on electronic voting only encourages the political process (though implementing wide computer voting and then having more of the "winning totals posted before polls close" exposures of shenanigans might be useful in undermining support for the concept of democracy, which would be a good thing.)
I don't say it's not a security problem worth thinking about. It reminds me a lot of the capabilities stuff, including Granovetter diagrams and boundaries. Probably a nice category theory outlook on voting lurking here (e.g., voting as a pushout in an appropriate category, or something whacky like that).
Electronic voting of the type being pushed now is going to cause some major loss of faith in the system when some scandals emerge (and when even analyzing the protocols and talking about what one has learned results in a "cyst and decease" order from Diebold and that ilk).