At 11:05 AM 4/9/04 -0400, Trei, Peter wrote: ...

1. The use of receipts which a voter takes from the voting place to 'verify' that their vote was correctly included in the total opens the way for voter coercion.

I think the VoteHere scheme and David Chaum's scheme both claim to solve this problem. The voting machine gives you a receipt that convinces you (based on other information you get) that your vote was counted as cast, but which doesn't leak any information at all about who you voted for to anyone else. Anyone can take that receipt, and prove to themselves that your vote was counted (if it was) or was not counted (if it wasn't). (This is based on attending a presentation of David's scheme at George Washington a few months ago, a conversation I had with a VoteHere guy, and some conversations and documents given to me by each. I haven't tried to verify the protocols or proofs, but I'm convinced that all this is possible, modulo various assumptions. There may be a dozen other people doing similar things, that I've simply not heard of.) ...

1. How does this system prevent voter coercion, while still allowing receipt based recounts? Or do you have some mechanism by which I can personally verify every vote which went into the total, to make sure they are correct?

The way I understood these schemes, you can see the initial encrypted ballots (they're published), and then there are several rounds of publically verifiable shuffling and decryption by different TTPs. After the last round of shuffling and decryption, you have raw votes. So anyone can verify the count, assuming the set of initial encrypted ballots are legitimate. And anyone can produce a receipt that can be shown to be one of those encrypted ballots, if it was counted. That doesn't keep someone from stuffing the ballot box, but it does mean that anyone who throws away unfavorable votes is going to leave behind evidence, which can potentially call the whole vote into question. The way I saw these schemes described, there was no recount capability, but the count was done in a completely public way. It seems to me that this kind of scheme has a lot of potential for disruption attacks, since one compromised voting machine can be used to call any election into question. But I could be missing something, as this is really not something I've spent a lot of time on....

2. On what basis do you think the average voter should trust this system, seeing as it's based on mechanisms he or she cant personally verify?

I see your point, but there's an awful lot of any voting system that isn't being closely observed by the voters, or that isn't really well-understood by most of them. It's not so clear to me that the average voter is going to walk away convinced that a voter-verified paper ballot, or a mark-sense ballot, or whatever other thing isn't going to somehow be subject to attack. Or that if they do walk away convinced, that this has much to do with whether they *should* walk away convinced.

3. What chain of events do I have to beleive to trust that the code which is running in the machine is actually and correctly derived from the source code I've audited? I refer you to Ken Thompsons classic paper "Reflections on trusting trust", as well as the recent Diebold debacle with uncertified patches being loaded into the machine at the last moment.

Yep, this is a big issue. Which is why I think everyone with any sense agrees that we need some kind of independent audit trail, regardless of whether we're doing voting with computers, or with pens for punching out holes. There are a bunch of ways to do this, one obvious and pretty easy-to-field choice being voter-verified paper ballots.

This last is an important point - there is no way you can eliminate the requirement of election officials to behave legitimately. Since that requirement can't be done away with by technology, adding technology only adds more places the system can be compromised.

Huh? Do you think the same is true of payment systems? Those also ultimately require some humans to play by the rules, but it sure seems like a well-designed payment system can remove a lot of the ambiguity about who has violated the rules, and can outright prevent other kinds of rule violations. And it seems to me that this is very similar to the situation with voting. Touch screen voting (with the audio extensions) has at least one huge advantage over pen-and-paper schemes, because blind people can vote with them. The VoteHere and Chaum schemes provide other benefits (a lot of kinds of misbehavior by the authorities are prevented by the design, though of course, not *all* possible misbehavior), at various costs in system complexity, dependence on lots of interacting systems that might not be all that reliable, ability to recover from some low level of fraud, etc. Paper ballots printed behind glass provide a different set of tradeoffs. And you could design twenty other sets of tradeoffs. I'm not at all convinced that the way we optimize for best security is to minimize technology. I agree that it's easy to get carried away by the elegance of your mathematics, or by the really spiffy blinking lights on the computer, and forget the essentials. But technology and math aren't somehow inherently bad things to introduce to voting systems. It just has to be done in a way that makes sense, right? ...

I do think electronic voting machines are coming, and a good thing. But they should be promoted on the basis that they are easier to use, and fairer in presentation, then are manual methods. Promoting them on the basis that they are more secure, and less subject to vote tampering is simply false.

Less subject to vote tampering than the old machines with mechanical counters and levers? That's not too hard. Less subject to vote tampering than paper ballots marked by hand, that may be a little more of a challenge. I think it's more fair to say that the attacks and threats will be different, and that the risk of a class break (work out the details of the attack once, then change votes all over the country) is seriously scary. But it's sure not clear to me that adding computers to the mix must decrease security, or even must leave it unchanged.

Peter Trei

--John Kelsey, kelsey.j@ix.netcom.com, who is definitely speaking only for himself. PGP: FA48 3237 9AD5 30AC EEDD BBC8 2A80 6948 4CAA F259