| "privacy" wrote: | [good points about weaknesses in adversarial system deleted] | | > It's baffling that security experts today are clinging to the outmoded | > and insecure paper voting systems of the past, where evidence of fraud, | > error and incompetence is overwhelming. Cryptographic voting protocols | > have been in development for 20 years, and there are dozens of proposals | > in the literature with various characteristics in terms of scalability, | > security and privacy. The votehere.net scheme uses advanced cryptographic | > techniques including zero knowledge proofs and verifiable remixing, | > the same method that might be used in next generation anonymous remailers. | > | Our anonymous corrospondent has not addressed the issues I raised in my | initial post on the 7th: | | 1. The use of receipts which a voter takes from the voting place to 'verify' | that their vote was correctly included in the total opens the way for voter | coercion. | | 2. The proposed fix - a blizzard of decoy receipts - makes recounts based | on the receipts impossible. The VoteHere system is really quite clever, and you're attacking it for not being the same as everything that went before. Current systems - whether paper, machine, or whatever - provide no inherent assurance that the vote you cast is the one that got counted. Ballot boxes can be lost, their contents can be replaced; machines can be rigged. We use procedural mechanisms to try to prevent such attacks. It's impossible to know how effective they are: We have no real way to measure the effectiveness, since there is no independent check on what they are controlling. There are regular allegations of all kinds of abuses, poll watchers or no. And there are plenty of suspect results. | Answer this: | | 1. How does this system prevent voter coercion, while still allowing receipt | based recounts? a) Receipts in the VoteHere system are *not* used for recounts. No receipt that a user takes away can possibly be used for that - the chances of you being able to recover even half the receipts a day after the election are probably about nil. Receipts play exactly one role: They allow a voter who wishes to to confirm that his vote actually was tallied. b) We've raised "prevention of voter coercion" on some kind of pedestal. The fact is, I doubt it plays much of a real role. If someone wants to coerce voters, they'll use the kind of goons who collect on gambling debts to do it. The vast majority of people who they try to coerce will be too frightened to even think about trying to fool them - and if they do try, will lie so unconvincingly that they'll get beaten up anyway. Political parties that want to play games regularly bring busloads of people to polling places. They don't check how the people they bus in vote - they don't need to. They know who to pick. However, if this really bothers you, a system like this lets you trade off non-coercion and checkability: When you enter the polling place, you draw a random ball - say, using one of those machines they use for lotteries. If the ball is red, you get a receipt; if it's blue, the receipt is retained in a sealed box (where it's useless to anyone except as some kind of cross-check of number of votes cast, etc.) No one but you gets to see the color of the ball. Now, even if you are being coerced and get a red ball, you can simply discard the receipt - the polling place should have a secure, private receptacle; or maybe you can even push a button on the machine that says "Pretend I got a blue ball" - and claim you got a blue ball. The fraction of red and blue balls is adjustable, depending on how you choose to value checkability vs. non-coercion. | Or do you have some mechanism by which I can | personally verify every vote which went into the total, to make sure they | are correct? In VoteHere's system, you can't possibly verify that every vote that went into the total was correctly handled. You can verify that the votes *that the system claims were recorded* are actually counted correctly. And you can verify that *your* vote was actually recorded as you cast it - something you can't do today. The point of the system is that any manipulation is likely to hit someone who chooses to verify their vote, sooner or later - and it only takes one such detected manipulation to start an inquiry. Whether in practice people want this enough to take the trouble ... we'll have to wait and see. | 2. On what basis do you think the average voter should trust this system, | seeing as it's based on mechanisms he or she cant personally verify? On what basis should an average voter trust today's systems? How many people have any idea what safeguards are currently used? How many have any personal contact with the poll watchers on whom the system relies? Could *you* verify, in any meaningful sense, the proper handling of a vote you cast? Could you watch the machines/boxes/whatever being handled? Unless you're in with the local politicians, don't bet on it. | 3. What chain of events do I have to beleive to trust that the code which | is running in the machine is actually and correctly derived from the | source code I've audited? I refer you to Ken Thompsons classic paper | "Reflections on trusting trust", as well as the recent Diebold debacle | with uncertified patches being loaded into the machine at the | last moment. Actually, it makes no difference at all. The algorithms are public, and all the data that goes into the calculations are published after the election. Anyone can implement the algorithms themselves and re-run all the calculations. There are conceivable attacks on the various random number generators, which could be used to reveal information that the system is supposed to keep secret - but I don't think they can be used to change the election results. This is one place where the system could use some kind of "hardening", but it seems very amenable to procedural fixes - e.g., each major party contributes a "randomization module" that it trusts, and the results are combined. Each randomization module is also allowed to say "I want this result checked", at random every k votes or so, *after* the combiner has produced its value. When any randomization module says that, all the inputs and the combiners output are printed, then not used. These values are published after the election, and a bad combiner will quickly reveal itself. -- Jerry