Re: voting

15 Apr 2004

      John Kelsey wrote:
...
At 11:05 AM 4/9/04 -0400, Trei, Peter wrote:
....
...
1. The use of receipts which a voter takes from the voting place to 'verify'
that their vote was correctly included in the total opens the way for voter
coercion.
I think the VoteHere scheme and David Chaum's scheme both claim to solve
this problem.  The voting machine gives you a receipt that convinces you
(based on other information you get) that your vote was counted as cast,
but which doesn't leak any information at all about who you voted for to
anyone else.  Anyone can take that receipt, and prove to themselves that
your vote was counted (if it was) or was not counted (if it wasn't).
The flaw in *both* cases is that it reduces the level of privacy protection
currently provided by paper ballots.

Currently, voter privacy is absolute in the US and does not depend
even on the will of the courts. For example,  there is no way for a
judge to assure that a voter under oath is telling the truth about how
they voted, or not. This effectively protects the secrecy of the ballot
and prevents coercion and intimidation in all cases.

Thus, while the assertion that "Only if all the trustees collude can
the election be defrauded" may seem to be reasonable at first glance, it
fails to protect the system in the case of a court order -- when all the
trustees are ordered to disclose whatever they know and control.

Also, the assertion that "All of this is possible while still m
aintaining voter secrecy and privacy essential to all public elections" 
is incorrect, for the same reason.

Moreover, the assertion that "Vote receipts cannot be used for vote 
selling or to coerce your vote" is also incorrect, for the same reason.

These shortcomings do not depend on any specific flaw of a shuffling
process, a TTP, or any other component of either system. Rather, it is 
a design flaw. A new election system should do "no harm" -- reducing the 
level of voter privacy and ballot secrecy should not be an acceptable 
trade-off for changing from paper to electronic records, or even
electronic verification.

Court challenges are a real scenario that election officials talk about 
and want to avoid. Without making voter privacy inherently safe from court
orders, voter privacy and ballot secrecy are at the mercy of casuistic, 
political and corruption influences -- either real or potential. When the 
stakes are high, we need fail-safe procedures.

Now, you may ask, is there any realistic possibility of a court order 
for all trustees to reveal their keys?

Yes, especially in a hot and contested election -- and not only Bush vs.
Gore. Many local elections are very close and last year an election
in California was decided by *one* vote. 

For example, the California Secretary of State asked this as an 
evaluation question, when they were testing voting systems for the 2000 
Shadow Election Project.

The question was whether and to what extent the voting system could be 
broken under court order   for example, if some unqualified voters 
were wrongly allowed to vote in a tight election and there would be a 
court order to seek out and disqualify their votes under best efforts.

Perhaps a trustee could be chosen who would be immune even from a US
court order?

Well, not for a US election, which is 100% under state and/or federal 
jurisdiction.

But there are additional scenarios -- a bug, Trojan horse, worm and/or 
virus that infects the systems used by all trustees would also 
compromise voter secrecy and, thereby, election integrity.

Cheers,
Ed Gerck