Electronic voting conceptual question



  • Can you think of any way for an electronic voting system to make it possible for a person to verify that his vote counted and was not changed, and yet prevent a person from selling his vote?

    Here are the reasons for those two conflicting requirements:

    If you vote with a paper ballot, you fill out the ballot and you can look at it yourself and see that you filled it out correctly.  If you didn't fill it out correctly, you have no one to blame but yourself.  When you vote on a computer, the computer says, "thank you" and that's all you get.  I don't have the same confidence in that as I do in a piece of paper.  If someone wants to tamper with the paper ballots, he has to secretly dispose of the paper.  If you get caught burning ballots or putting them into a dumpster, you are in big trouble.  It's possible, but there is risk involved.  With votes stored in a database, all you have to do is, "update tblBallots set Vote = 1", wipe your prints off the keyboard, and you're home free.  Very little risk.

    One way to make that electronic-vote-changing-scheme absolutely impossible is to give each voter a receipt with 1: a random number, 2: a record of who they voted for, and 3: a cryptographic signature (to prevent the voter changing it himself for whatever reason).  After the election, you publish the complete list of receipts.  Now anybody who wants to count the votes themselves can do so, but the receipts are still anonymous.  A person can check the published list and know with confidence that his vote counted.

    This doesn't prevent adding votes to the database.  That is prevented by having each person sign a roster on entering a voting place.  At the end of the day, the number of votes in the database for a given voting place must match the number of signatures.  At most, you could add a dozen or so votes to each polling place.  Not enough to throw the election.

    But here is the problem.  The prospect of vote buying is very real.  Or worse, not even buying votes - imagine armed gunmen standing outside a polling place saying, "you'd better show us your receipt and you'd better have voted for the guy we like."

    So the question is, is there any way that you can think of to let a person know that his vote counted, but prohibit him from selling that information or being coerced into providing it?  At first, these seem like mutually exclusive requirements, but maybe there is a solution in public key cryptography and the design of the system.  Splitting the receipt into two parts is also a good idea.  The other half of the receipt is kept by the polling place.



  • Your question reminds me of those great debates in my under-grad years. (That's not an insult; that means it's fun!)

    I don't see how you could ensure that someone could not sell their vote. How could you ever say "Hah! Caught you! You voted for A, but I know you would have really voted for B unless you were bribed!"? The only real way to prevent it is to catch the money (or whatever) changing hands.

    imagine armed gunmen standing outside a polling place saying, "you'd better show us your receipt and you'd better have voted for the guy we like."

    At the point this becomes a problem, those guys outside the polling place will be able to know who you voted for before you go into the booth!



  • @R.Flowers said:

    I don't see how you could ensure that someone could not sell their vote. How could you ever say "Hah! Caught you! You voted for A, but I know you would have really voted for B unless you were bribed!"?


    Catching vote-sellers isn't the point. So long as nobody can prove who they voted for, buying a vote is a waste of your time. Someone offers $20 to each person who votes for candidate A. Someone else offers $20 to each person who votes for candidate B. I can make $40 on election day because I can lie! As a result, nobody is stupid enough to actually pay money for a vote.

    The point is to maintain that ability to lie. I should be able to walk out of the polling place and say whatever I want to say, and nobody should be able to prove me wrong.

    @R.Flowers said:

    imagine armed gunmen standing outside a polling place saying, "you'd better show us your receipt and you'd better have voted for the guy we like."

    At the point this becomes a problem, those guys outside the polling place will be able to know who you voted for before you go into the booth!

    Well, imagine something like Iraq. You live in a neighborhood controlled by some thug who wants to get elected. You can (and to protect your family you do) promise to vote for the thug. You go to the polling place (protected by US troops) and happily vote for somebody else. After the election, you commiserate with the thug, "gee, I don't know how you lost, I totally voted for you!"




  • Sure.  Print the votes to a paper receipt, show the user the receipt through a glass window.  If the user accepts the receipt, drop it (visibly) into a ballot box; otherwise drop it (visibly) into a shredder and allow the user to correct his vote.

    The receipt must carry no identifying information, just the vote and any information that would be on any other paper ballot.  The receipt must also not be given to the user to keep, merely shown to the user and kept for recounts.

    The voting machines can then keep an electronic total as well as a paper total which can be recounted if there are problems with or suspicions about the electronic total.

    Anything else is untrustable.

    (I'm in Canada, where we don't hold with letting computers decide our elections.  Somehow, we never take more than a day to get the counts over with, even with hand-counted paper ballots.  We also don't have problems with people getting confused about our ballots.  But that's a flamewar for another thread.)



  • No.



    The only reliable way in this case is a non-technical solution.



    To be able to prove that the vote was not changed, it must be non-repudiatable in the cryptographic sense. This requires a proof of identity (a secret key), which is compromisable.



    You could choose not to keep the secret key, but in that case, verifying votes during a recount is impossible.



  • If I vote electronically on your question, how can I be sure my vote is counted?



  • @tofu said:


    Catching vote-sellers isn't the point. So long as nobody can prove who they voted for, buying a vote is a waste of your time. Someone offers $20 to each person who votes for candidate A. Someone else offers $20 to each person who votes for candidate B. I can make $40 on election day because I can lie! As a result, nobody is stupid enough to actually pay money for a vote.

    The point is to maintain that ability to lie. I should be able to walk out of the polling place and say whatever I want to say, and nobody should be able to prove me wrong.

    Yeah, sorry. I kind of realized after I posted that I had missed your point. [:$]



  • @devdas said:

    The only reliable way in this case is a non-technical solution.


    Well, the reason people want to get away from non-technical solutions is that
    1: they aren't scalable. 

    2: they have their own unique ways of cheating.  For example

    2.a: several districts regularly get many more votes than registered voters in that district.  Quite obviously, what is happening is that the workers at those polls are giving voters multiple ballots, knowing that voters are going to vote the right way.

    2.b: hand counts are ridiculous.  A vote is a boolean.  There is no room for interpretation.  In the famous 2000 Florida fiasco, the people doing the hand counts were obviously casting votes, "oh, well this person really intended to vote for my guy, so I'll just count it that way."

    I don't know that these methods of cheating are necessarily worse than a poorly designed electronic system, but what I do know is that a well-designed electronic system is definitely better.



  • @tofu said:

    @devdas said:
    The only reliable way in this case is a non-technical solution.


    Well, the reason people want to get away from non-technical solutions is that
    1: they aren't scalable.


    Oddly enough, non-technical solutions have been used for a long time and have been proven to be very scalable.  More people - get more counters in.  Most countries seem to manage this pretty well, to be honest.

    @tofu said:
    2.b: hand counts are ridiculous.  A vote is a boolean.  There is no room for interpretation.  In the famous 2000 Florida fiasco, the people doing the hand counts were obviously casting votes, "oh, well this person really intended to vote for my guy, so I'll just count it that way."


    In the infamous 2000 Florida fiasco, the need for massive recounts and all sorts of "recounting oddities" was, I believe, due to the infamous "hanging chads" and "pregnant chads" - i.e. a failure of a technological solution that would be better replaced with the age-old "marking a cross in a box using a pen" technique.

    At least with a fully manual system, there is an easy way to determine which way someone intended to vote.  Or if they have spoiled their ballot.  With the system used in Florida, people had to make a judgement call on whether a particular card was deliberately spoiled, had been interfered with, or was simply fouled up by machinery.  That could well be seen as "casting votes" but it's not a problem with hand-counting, rather a problem with the technological solution used.

    @tofu said:
    I don't know that these methods of cheating are necessarily worse than a poorly designed electronic system, but what I do know is that a well-designed electronic system is definitely better.


    Point out a well-designed electronic system then.  Y'know, one that is hackproof, fraudproof and trustworthy.

    Simon



  • @tufty said:

    Point out a well-designed electronic system then.  Y'know, one that is hackproof, fraudproof and trustworthy.


    uh well, MIT has a group working on it



  • @tofu said:

    A vote is a boolean.  There is no room for interpretation.


    I must disagree. There are many voting systems and a vote may be: boolean, enum, integer or a fraction.



  • @nonDev said:

    @tofu said:
    A vote is a boolean.  There is no room for interpretation.


    I must disagree. There are many voting systems and a vote may be: boolean, enum, integer or a fraction.


    Can I just make an observation.  This is why people don't like talking to geeks.  We come off as so goddamned arrogant. 

    Do you think that I am talking about a voting system that is anything other than yes/no votes?  You know good and well that the existing system is one of yes/no votes.  You know that a replacement system must be yes/no votes.  You know that my comment re: boolean was to contrast a vote vs. an interpretation of a vote.

    Yet you come along and bring up alternate voting systems, as if you're adding something to the conversation.  hint: you're not.



  • @tofu said:


    Do you think that I am talking about a voting system that is anything other than yes/no votes?  You know good and well that the existing system is one of yes/no votes.  You know that a replacement system must be yes/no votes.  You know that my comment re: boolean was to contrast a vote vs. an interpretation of a vote.


    Eh? Most of the world's voting is done in one of two styles: a mutually-exclusive one-of-many (radio button in the UI paradigm, usually for first-past-the-post systems); or a preference ranking ("least despicable" to "most likely to appoint himself president for life", for proportional representation systems or automated multi-round elimination). You might see yes/no for plebiscites and referenda, but not for elections, in general. So to an innocent, non-geek bystander, a Boolean would be the least likely analogue for his/her vote, even if the data representation of the recorded votes used a set of Boolean values. One doesn't imagine oneself recording four Nos and a Yes when choosing among five candidates, one merely selects one from the list of five. At least that's what you'd get from the stakeholders when doing your requirements gathering.



  • @tofu said:

    This is why people don't like talking to geeks.  We come off as so goddamned arrogant. 

    Oops - I'm sorry. I did not intend my observation to sound arrogant. I found the original question interesting and I did not think your followup statement was true (or had any bearing on the original question). I'm a lawyer by profession and I found myself in IT by accident (which may explain why I'm so hung up on voting systems). I do however still stand on my position that votes are data and the result of voting is the interpretation of that data by using the rules of the particular voting system in use.
    As to your original question - the only way I see it, your system must enable the voting party to check his vote in such a way that only the voting party may correctly interpret the information.
    Let's say the system generates a code for "yes" and "no" that is unique to every voting party and shows it to the voting party before his vote is made. Afterwards the voter may access his voting information publicly. Instead of getting "tofu voted yes", you get "tofu voted 90ivx". Only you know what 90ivx means and can check your vote any time. Other voters have no clue what 90ivx means and must accept that it means whatever you tell them it means.
    Sure - you cannot be sure 90ivx means what he was told it means in the voting booth, but this is true for any representation of your vote.



  • @tofu said:

    So the question is, is there any way that you can think of to let a person know that his vote counted, but prohibit him from selling that information or being coerced into providing it?  At first, these seem like mutually exclusive requirements, but maybe there is a solution in public key cryptography and the design of the system.  Splitting the receipt into two parts is also a good idea.  The other half of the receipt is kept by the polling place.

    The common theme in "Applied Cryptography" on electronic voting, and verifiability, is there being an id number on each vote. This id number cannot be automatically correlated to any one person, except by that person handing it out. The way I understand it, it's more or less supposed to be a "these ids voted this" that is publicly available afterwards.

    Perhaps it could be defeated by providing them with a valid ID number of a random earlier voter (after a sufficient number has already voted, etc) to tell the goons?



  • You can't really let someone check after they vote when goons are involved - The goons will force you to check, and then they'll see who you voted for.  Even if you give people the ID of a random earlier voter, that vote might not have voted for the goons, and then the voters would be stuck.

    You'd have to give people two numbers - one for the goons and one for your real vote - but that wouldn't work either, because the goons could make you check for both numbers.

    You can't really let people check after they leave the voting booth - so you have to let them check beforehand.



  • Here's a paper that tackles that very issue.

    Secret-Ballot Receipts: True Voter-Verifiable Elections



  • I know this an old thread but I wanted to offer an idea to do this.

    give the person a receipt with 2 (or however many) numbers on it like, 15432 & 15433.   tell them that such and such one is such and such candidate (make the order random).  then just publish the list of which numbers counted.   that way the person knows which number is going to show up and can say whatever he wants about which candidate is which number.

    also the electronic voting machines generate paper ballot receipts.



  • @devdas said:

    No.



    The only reliable way in this case is a non-technical solution.



    To be able to prove that the vote was not changed, it must be non-repudiatable in the cryptographic sense. This requires a proof of identity (a secret key), which is compromisable.



    You could choose not to keep the secret key, but in that case, verifying votes during a recount is impossible.


    The accuracy rates of the current paper ballot/optical machine count are absolutely horrendous.

    If we had a really brilliant electronic solution I think accuracy above 3 or 4 9's would be quite likely (not counting cheating by other means). The problem is that governments are rushing out to buy electronic voting booths without having anybody in the government who actually understands the technology. And these booths are running voting software written by some small firm in Ohio with 25 developers, nowhere near the amount of security as befits our national electoral process, and completely closed-source code. (PS, it runs on G.D. Windows!)

    Frankly, we should have the Pentagon hire a small group of classified developers to develop in-house, publish the source code publicly and review every stage of design and implementation with well-known experts. Every hobbyist in the world should be able to download the source code.

    Of course, the real problem I see is how do we know that that source code ends up in production? At one time I played with the idea of forcing election workers to compile the code on the morning of the election (a major WTF in itself, most election workers are 80% brain-dead), but how do you know the compiler itself wasn't compromised? Or any other part of the system? It seems to me like these things need to run on embedded systems with a minimum of firmware, and the ability to compute a cryptographic hash of their own memory.

    Anyway, this problem rapidly gets complicated, but I have to imagine there are security experts out there who could design a system that really is improbably difficult to cheat.



  • I would be bothered with the idea of a legitimate voting system during this day and age, as there's always gonna be someone paid to rig these elections anyhow, whether they're in the loop or not.



  • @tofu said:

    @devdas said:
    The only reliable way in this case is a non-technical solution.


    Well, the reason people want to get away from non-technical solutions is that
    1: they aren't scalable. 

    Is that why all of Europe (~700 million people) or countries like India (1 billion people) use good ol' paper ballots and don't have an issue with that?

    You see, the thing is how you think about it.  Counting 100 million ballots at once is a lot of work.

    Having 100,000 people count 1,000 ballots each is a lot less work, and it's how people do it: they highly parallelize the ballot-counting, add some redundancy (2 or 3 people counting the same ballots), do it publicly (so that the counting can be performed under public scrutiny and verified), and it Just Works.

    Ballots are usually counted within hours of the vote closing, and large-scale tampering becomes much harder to do (still possible though, in France we've had dead people voting in some places... ~ scary ~)



  • @Hitsuji said:

    I would be bothered with the idea of a legitimate voting system during this day and age, as there's always gonna be someone paid to rig these elections anyhow, whether they're in the loop or not.



    This video seems kind of....  well...  maybe not the most legit thing I've ever seen.


  • Here's an idea.

    Show the candidates on the screen with a random number next to each one.

    13552 Liberal Wacko

    43424 Right Wing Nutjob

    09033 Waste your vote on the libertarian Party

    24233 Waste your vote on the Green Party

    92399 All these guys are A-holes, refrain from voting.

     

    Then show a confirmation screen with the translations, but don't print it.



    Oh, in case you didn't get my implication. The random number for each candidate would be reset for each voter.

    @jfuex said:

    Here's an idea.

    Show the candidates on the screen with a random number next to each one.

    13552 Liberal Wacko

    43424 Right Wing Nutjob

    09033 Waste your vote on the libertarian Party

    24233 Waste your vote on the Green Party

    92399 All these guys are A-holes, refrain from voting.

     

    Then show a confirmation screen with the translations, but don't print it.
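    As an added illustration (my own Python model, not code from the thread or any project), here is the scheme nonDev, the anonymous "15432 & 15433" poster and jfuex converge on: fresh random candidate codes per voter shown only on screen, a receipt carrying just the chosen code, and a published list of the codes that counted, checked against the roster count from the original question. The authority key and the HMAC tag are constructed stand-ins for a real signature; the candidate names and voters are constructed sample data.

```python
import hashlib
import hmac
import random
from collections import Counter

# Constructed demo: per-voter random candidate codes shown only on screen, a printed
# receipt carrying just the chosen code, and a published list of codes that counted.
# AUTHORITY_KEY and the HMAC tag are stand-ins for the authority's signature.
CANDIDATES = ["Alice", "Bob", "Carol"]
AUTHORITY_KEY = b"constructed-demo-key"

def tag(data: str) -> str:
    """Authority 'signature' (HMAC stand-in) so a voter cannot alter a receipt."""
    return hmac.new(AUTHORITY_KEY, data.encode(), hashlib.sha256).hexdigest()[:16]

def issue_codes(rng: random.Random) -> dict:
    """Fresh, distinct 5-digit code per candidate, regenerated for every voter."""
    codes = rng.sample(range(100000), len(CANDIDATES))
    return {cand: f"{c:05d}" for cand, c in zip(CANDIDATES, codes)}

class Election:
    def __init__(self):
        self.records = []  # (code, candidate): kept by the machine, never printed
        self.roster = 0    # signatures on the polling-place roster

    def cast(self, codes: dict, choice: str) -> dict:
        """Voter signs the roster and picks a candidate; the receipt shows only the code."""
        code = codes[choice]
        self.roster += 1
        self.records.append((code, choice))
        return {"code": code, "tag": tag(code)}

    def publish(self) -> dict:
        """Bulletin: sorted codes that counted (no code->candidate map) plus the tally."""
        counted = sorted(code for code, _ in self.records)
        tally = dict(Counter(cand for _, cand in self.records))
        body = ",".join(counted) + "|" + repr(sorted(tally.items()))
        return {"counted": counted, "tally": tally, "tag": tag(body)}

def voter_check(receipt: dict, bulletin: dict) -> bool:
    """Receipt is authentic and its code is on the list => this vote counted."""
    authentic = hmac.compare_digest(receipt["tag"], tag(receipt["code"]))
    return authentic and receipt["code"] in bulletin["counted"]

def roster_check(election: Election, bulletin: dict) -> bool:
    """Codes counted must equal roster signatures, so votes cannot be added."""
    return len(bulletin["counted"]) == election.roster == sum(bulletin["tally"].values())

def coercer_learns(receipt: dict, bulletin: dict) -> set:
    """What anyone outside the booth can deduce from a receipt: only that it counted.
    Every candidate stays consistent with it, so the voter may claim any mapping."""
    return set(CANDIDATES) if receipt["code"] in bulletin["counted"] else set()

def run_demo(seed: int = 7):
    """Three constructed voters; returns the election, their receipts and the bulletin."""
    rng = random.Random(seed)
    election = Election()
    receipts = [election.cast(issue_codes(rng), c) for c in ("Alice", "Bob", "Alice")]
    return election, receipts, election.publish()
```

    Note that this keeps the thread's trade-off: because the bulletin does not publish the code-to-candidate map, the tally itself rests on the machine's records, and the coercion problem raised later in the thread (being forced to check in front of the goons) still only reveals that the code counted.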



  • @jfuex said:

    Here's an idea.

    Show the candidates on the screen with a random number next to each one.

    13552 Liberal Wacko

    43424 Right Wing Nutjob

    09033 Waste your vote on the libertarian Party

    24233 Waste your vote on the Green Party

    92399 All these guys are A-holes, refrain from voting.

    Then show a confirmation screen with the translations, but don't print it.


    I like the extra level of indirection in your example, that means we could have a cross-reference table to the actual electronic candidates:

    US 2008 Popular Vote
    99,999,999    Bill Gates
    42,040,610    Larry Ellison
    39,028,111    Vladimir Putin

