I think that those that advocate cryptographic protocols to ensure voting security miss the point entirely. They start with the assumption that something is "broken" about the current voting system. I contend it is just fine.

For example, it takes a long time to count pieces of paper compared with bits. However, there is no actual need for speed in reporting election results. This is not a stock exchange -- another election will not be held the next day, and the number of elections being held will not rise 8% per quarter. If it takes a day or even several days to get an accurate count, no one will be hurt. The desire of television networks to report the results in ten minutes is not connected to the need for a democracy to have widespread confidence in the election results. Speed is not a requirement. As it is, however, automated counts of paper ballots are plenty fast enough already.

It also is seemingly "behind the times" to use paper and such to hold an election when computers are available -- but the goal is not to seem "modern" -- it is to hold a fair election with accurately reported results that can be easily audited before, during and after the fact.

It seems to some to be "easier" to vote using an electronic screen. Perhaps, perhaps not. My mother would not find an electronic screen "easier" at all, but let's ignore that issue. Whether or not the vote is entered on a screen, the fact that paper ballots can be counted both mechanically (for speed) and by hand (as an audit measure), where purely electronic systems lack any mechanism for after-the-fact audit or recount, leads one to conclude that old-fashioned paper seems like a good idea, and if it is not to be marked by hand, then at least let it be marked by the computer entry device.

It is also seemingly "better" to have a system where a complex cryptographic protocol "secures" the results -- but the truth is that it is more important that a system be obvious, simple and secure even to relatively uneducated members of society, and the marginal security produced by such systems over one in which physical paper ballots are generated is not obvious or significant. (The marginal security issue is significant. Consider that simple mechanisms can render the amount of fraud possible in the "old-fashioned" system significantly smaller than the number of miscast votes caused by voter mistakes, but that no technology can eliminate voter mistakes. Then ask why a fully electronic "fraudless" system understandable to a minuscule fraction of the population but where miscast votes continue to occur -- and possibly to be inaccurately perceived as evidence of fraud -- would be superior.)

To those that don't understand the "understandable to even those who are not especially educated" problem, consider for a moment that many people will not care what your claims are about the safety of the system if they think fraud occurred, even if you hand them a mathematical proof of the system. I suspect, by the way, that they'll be right, because the proofs don't cover all the mechanisms by which fraud can occur, including "graveyard" voting.

We tamper with the current system at our peril. Most security mechanisms evolve over time to adjust to the threats that happen in the real world. The "protocols" embedded in modern election laws, like having poll watchers from opposing sides, etc., come from hundreds of years of experience with voting fraud. Over centuries, lots of tricks were tried, and the system evolved to cope with them.

Simple measures like counting the number of people voting and making sure the number of ballots cast essentially corresponds, physically guarding ballot boxes and having members of opposing parties watch them, etc., serve very well and work just fine. Someone mentioned that in some elections it is impractical for the people running to have representatives at all polling places. It is, in fact, not necessary for them to -- the threat of their doing so and having enough poll watchers from enough organizations in a reasonably random assortment of polling places is enough to prevent significant fraud.

I'm especially scared about mechanisms that let people "vote at home" and such. Lots of people seem to think that the five minute trip to the polling place is what is preventing people from voting, and they want to let people vote from their computers. Let's ignore the question of whether it is important that the people who can't be bothered to spend ten minutes going to the polling place care enough about the election to be voting anyway. Let's also ignore the totally unimportant question of vote buying -- vote buying has happened plenty of times over the centuries without any need for the purchaser to verify that the vote was cast as promised. Tammany Hall did not need to watch people's votes to run a political machine. I'm much more concerned that we may be automating the "graveyard" vote, which is currently kept in check by the need to personally appear at polling places. I'm also concerned about the forms of fraud I haven't even considered yet because no one has invented them yet. Election security isn't just about assuring that votes are correctly counted.

I'm a technophile. I've loved technology all my life. I'm also a security professional, and I love a good cryptographic algorithm. Please keep technology as far away as possible from the voting booth -- it will make everyone a lot safer.

--
Perry E. Metzger		perry@piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com

--- end forwarded text

--
-----------------
R. A. Hettinga <mailto: rah@ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to experience."
-- Edward Gibbon, 'Decline and Fall of the Roman Empire'