voting

[privacy.at Anonymous Remailer]

Perry Metzger writes, on his cryptography list:

> By the way, I should mention that an important part of such a system
> is the principle that representatives from the candidates on each side
> get to oversee the entire process, assuring that the ballot boxes
> start empty and stay untampered with all day, and that no one tampers
> with the ballots as they're read. The inspectors also serve to assure
> that the clerks are properly checking who can and can't vote, and can
> do things like hand-recording the final counts from the readers,
> providing a check against the totals reported centrally.
>
> The adversarial method does wonders for assuring that tampering is
> difficult at all stages of a voting system.

On the contrary, the adversarial method is an extremely *weak* source
of security in a voting system.

In the first place, it fails for primary elections where there are
multiple candidates, all of one party, running for a position.  It's not
unusual to have a dozen candidates or even more in some rare cases (the
California gubernatorial election, while not a primary, had hundreds of
candidates running for one seat).  It is impractical for each candidate
to supply an army of representatives to supervise the voting process,
nor can each polling place accommodate the number of people required.

In the second place, it fails for elections with more than two parties
running.  The casual reference above to representatives "on each
side" betrays this error.  Poorly funded third parties cannot provide
representatives as easily as the Republicans and Democrats.  We already
know that the major parties fight to keep third party candidates off
the ballots.  Can we expect them to be vigilant in making sure that
Libertarian and Green votes are counted?

In the third place, tampering has to be protected against in each and
every voting precinct.  Any voting station where the voting observers
for one party are lax or incompetent could be identified in advance and
targeted for fraud.  Given that these observers are often elderly and
have limited faculties, such frauds are all too easy to accomplish.

It's baffling that security experts today are clinging to the outmoded
and insecure paper voting systems of the past, where evidence of fraud,
error and incompetence is overwhelming.  Cryptographic voting protocols
have been in development for 20 years, and there are dozens of proposals
in the literature with various characteristics in terms of scalability,
security and privacy.  The votehere.net scheme uses advanced cryptographic
techniques including zero knowledge proofs and verifiable remixing,
the same method that might be used in next generation anonymous remailers.

Given that so many jurisdictions are moving towards electronic voting
machines, this is a perfect opportunity to introduce mathematical
protections instead of relying so heavily on human beings.  I would
encourage observers on these lists to familiarize themselves with the
cryptographic literature and the heavily technical protocol details
at http://www.votehere.com/documents.html before passing judgement on
these technologies.