From: Hal Finney (hal@finney.org)
Date: Fri May 16 2003 - 15:31:15 MDT
I applaud Lee Crocker for coming up with an original proposal for
electronic voting. However I will offer some criticisms.
> At the polling place, each voter goes through the touch-screen
> hand-holding menu options of the voting software. When he's done,
> a simple paper receipt is printed that shows an overview of his
> votes, which he is asked to read and confirm by placing it through
> a reader and pressing a confirmation button. On that receipt is
> also printed a large random number unique to each voter. The
> reader processes the vote and sends it to a central server. If
> the user made a mistake, he just discards the receipt without
> submitting it and starts over. The voter retains this receipt.
I see two problems here. The lesser one is that no paper is left at
the polling place. I understand that you have other mechanisms to
address this. Nevertheless the traditional systems have the advantage
that a stack of paper ballots is there to be counted, and re-counted
if necessary. Your system relies on a more distributed and abstract
mechanism for auditing.
The greater problem is that this system facilitates selling votes.
After the election, an official receipt showing a certain vote will
probably be able to be turned in for cash in many jurisdictions.
We could address the first problem by building a Xerox machine into the
vote scanner so that either the voter or the precinct gets a copy of
the vote and the other gets the original. (Or wait - is there really
a difference between the copy and the original? That's something we
should definitely spend many, many hours debating!)
For the second problem, maybe you could somehow make the receipts be
easily forgeable, but allow forgeries to be distinguished from true
receipts only by the voting office. There could be a secret checksum
algorithm embedded in the serial number, or some such.
> After election day, each precinct publishes two lists (on the
> net, on paper, whatever): one is nothing but a list of names of
> everyone who voted. This is already public information (when you
> go in to vote today, your name is checked off on the registration
> list). This way, everyone who voted can verify that his name
> appears on the list, and that names of people who he knows didn't
> vote (or who are dead, etc.) do not appear.
This is a good idea in any case, and as you say it is already done
at least implicitly, and no doubt explicitly in some jurisdictions.
You can probably walk into the voting office and look in some big ledger
to find the list of all the people who voted, and then see if any of them
look bogus. Putting that data on the net would facilitate this process.
There may be some privacy concerns, though.
> The second list is the same number of entries, each of which is a
> plaintext list of votes cast, along with a random number index made
> by hashing together the random number printed on the voter stub
> with info such as the voter's name, address, birthdate, etc., and
> the votes themselves (a one-way hash). Each voter can then run a
> program (with a published algorithm) to hash the random number on
> his receipt with the information he knows, and then go to the list,
> find that index, and verify that the published votes match.
Here it may be getting a little too complex. Many voters won't have
the ability to run these algorithms, especially the elderly, who vote
in large numbers. I don't see why you can't just use the same receipt
numbers that are already on the ballot, though.
There may also be a privacy concern here. Especially in smaller towns,
distinctive votes on certain issues may give people a good idea of
who certain ballots belong to. This would then reveal the content of
their other votes. Maybe the same thing happens in principle under the
present system; in some areas people may be able to inspect the votes,
which would reveal the same sorts of correlations. But your proposal
requires all this to be put on the net and be widely available, making
the privacy impact worse. (However it would be a mother lode for data
miners intent on learning how political issues relate to each other.)
In any case, this auditing procedure looks reliable in theory. But I'm
not sure that we could confidently say that it is as good as the present
system. Some elections are very close, and even a fraction of a percent
will swing the results. If it were possible to get away with a small
amount of "virtual ballot stuffing" then people would lose confidence
in the system.
Of course, paper ballot box stuffing happens, too. But in that case
we use well-understood principles of physical security and auditing to
make it difficult for one or just a few people to get away with it.
All handling of the ballots is done under the watchful eyes of
representatives of the political parties, as well as disinterested
observers. You're going to need either a good conspiracy, or some clever
security hacking, to get fake ballots into the box.
Unfortunately, it's not clear that we can expect this level of security
in the computer world. While we can no doubt do better than just running
this software on Windows on an Internet-connected computer, it still may
be possible that people can get access to it somehow, and make changes
without being caught.
The point is that given the lack of deterrence to such attempts,
we need a very strong degree of reliability in the auditing process.
And I don't see that your proposal provides that. It depends on people
checking their own recorded vote, but how many people will do so?
Few enough even vote. Probably most voters will have lost their
receipts by the time this information is published a few days later.
And if they do get motivated and check the results the first few times,
over the years, they are likely to become careless. I'd guess that only
a small percentage would make the effort in a typical election.
Having said that, your system could still have a good chance of catching
at least some kinds of fraud. Suppose the hackers can't alter the voting
rolls. Then they can't add more votes to the list, or the number of votes
won't equal the number of voters. So they have to change or delete some
votes and hope that those voters don't happen to check their results.
Maybe they'll change half a percent of the votes in order to sway a
close election. Then 99.5% of the votes are fine. At first I thought
this meant that 99.5% of the people would have to check their votes in
order to have a good chance of catching the fraud.
But that's not so. 1 voter has a 0.5% chance of being one of the victims,
so that is his chance of catching it. 2 voters increase the chance to 1%
that one of their votes has been altered. The chances of catching the
fraud increase almost linearly with the number of voters, up through the
50% level or so. That means that if only 200 or so voters check their
ballots, they will detect the stuffing with a high degree of likelihood.
And in a typical election, such numbers would represent a very small
percentage of the voters.
So your system does work very well to catch altered or deleted votes, if
there are enough to swing any but the most hairs-breadth-close elections,
even if only a few percent of the voters audit their results. The harder
type of fraud to catch would be added votes, which means putting fake
names onto the voter rolls. I'm not sure how the vulnerability of your
approach to this problem would compare with how things are done today.
Hal
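As an added illustration (not part of the original thread), the following Python models the two mechanisms discussed above: the published hash index that lets a voter verify the recorded ballot, and the detection argument in the last paragraphs. The electorate, vote strings, field layout and SHA-256 are constructed assumptions; the proposal only says "a one-way hash" of the stub number, voter info and votes.

```python
import hashlib
import random

YES, NO = "Prop A: yes; Mayor: Smith", "Prop A: no; Mayor: Jones"
# Constructed electorate; "receipt" is the large random number printed on the stub.
ELECTORATE = [{"name": f"Voter {i}", "birthdate": "1970-01-01",
               "receipt": random.Random(i).getrandbits(64),
               "votes": YES if i % 2 else NO} for i in range(10_000)]

def ballot_index(b) -> str:
    """One-way hash of stub number, voter's own info and the votes (the published index)."""
    material = f'{b["receipt"]}|{b["name"]}|{b["birthdate"]}|{b["votes"]}'.encode()
    return hashlib.sha256(material).hexdigest()

def publish(ballots) -> dict:
    """The precinct's second list: index -> plaintext votes cast."""
    return {ballot_index(b): b["votes"] for b in ballots}

def voter_verifies(published, b) -> bool:
    """Voter recomputes the index from the receipt and looks it up; because the votes
    are hashed into the index, an altered or deleted ballot simply does not match."""
    return published.get(ballot_index(b)) == b["votes"]

def tamper(published, ballots, fraction, rng) -> dict:
    """Overwrite the published votes of a fraction of ballots; the count is unchanged."""
    tampered = dict(published)
    for b in rng.sample(ballots, int(len(ballots) * fraction)):
        tampered[ballot_index(b)] = NO if b["votes"] == YES else YES
    return tampered

def detection_probability(fraction_altered, auditors) -> float:
    """Closed form of the argument in the message: each auditor is a victim with
    probability f, independently, so P(at least one notices) = 1 - (1 - f)^n."""
    return 1 - (1 - fraction_altered) ** auditors

def simulate_detection(fraction_altered, auditors, trials=200, seed=1) -> float:
    """Fraction of trials in which a random sample of auditors catches the tampering."""
    rng = random.Random(seed)
    published = publish(ELECTORATE)
    caught = 0
    for _ in range(trials):
        tampered = tamper(published, ELECTORATE, fraction_altered, rng)
        if any(not voter_verifies(tampered, b) for b in rng.sample(ELECTORATE, auditors)):
            caught += 1
    return caught / trials
```

For the 0.5% alteration and 200 auditors discussed above, both the closed form and the simulation come out near 63%, and the curve flattens as more auditors check.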
This archive was generated by hypermail 2.1.5 : Fri May 16 2003 - 15:44:44 MDT