How to vote anonymously under ubiquitous surveillance (Light Blue Touchpaper)

Light Blue Touchpaper previews a paper [PDF] describing the Open Vote Network protocol that would allow anonymous voting under a system of total communications surveillance. "In the Open Vote Network protocol, all communication data is open, and publicly verifiable. The protocol provides the maximum protection of the voter's privacy; only a full collusion can break the privacy. In addition, the protocol is exceptionally efficient. It compares favorably to past solutions in terms of the round efficiency, computation load and bandwidth usage, and has been close to the best possible in each of these aspects."

The point is... ?

Posted Dec 1, 2009 2:19 UTC (Tue) by dskoll (subscriber, #1630) [Link]

So what's the point? The paper is an interesting academic exercise. How does it matter in the real world?

More than 99% of the world's population won't understand the paper, and therefore have no reason to believe the authors. And as usual, authors enthusing over voting protocols are stuck in the academic trap of only seeing the beautiful mathematics and missing the grubby implementation details (which are what do in most electronic voting systems.)

The point is... ?

Posted Dec 1, 2009 9:08 UTC (Tue) by johill (subscriber, #25196) [Link]

I barely dare ask, but have you read and understood the paper?

To me, it seems fairly easily implemented and executed within a group of cooperative voters.

The authors aren't thinking of larger-scale political elections (yet), and make that very clear in the paper. But for instance a project like Debian could adopt the protocol to make votes anonymous (they're currently fully transparent, as far as I can tell.)

Debian's votes

Posted Dec 1, 2009 15:44 UTC (Tue) by philh (subscriber, #14797) [Link]

For things like General Resolutions, the votes are published after the event, but the Leadership votes are anonymous, as you can see here:

http://www.debian.org/vote/2009/vote_001_tally.txt

Of course the data behind that is available to the project secretary, so we're in what the paper calls class 2) trusting central authorities, as opposed to the class 1) decentralised systems (which are the focus of the paper).

I doubt anyone will have the combined enthusiasm and paranoia required to persuade the Debian project that a) there's a problem with trusting the secretary, and b) that this is the solution to that problem.

Of course, the anonymity provided by the Debian system, and by this decentralised system, both fail to provide coercion-resistance (i.e. fail to prevent vote selling) - in both systems one is able to prove how one voted after the event, so if one is threatened or bribed to vote in a particular way, the vote can be checked - this makes it unsuitable for national votes.

Debian's votes

Posted Dec 1, 2009 16:39 UTC (Tue) by tzafrir (subscriber, #11501) [Link]

Note that even with current national election mechanism, you can have the same problem on a larger scale. This is because votes are counted in smaller, local polls.

So if you can make some sort of dirty deal with a group that represents over half of the voters in a certain area, you'll have a pretty good idea if they indeed kept their side of the bargain.

The point is... ?

Posted Dec 1, 2009 15:53 UTC (Tue) by dskoll (subscriber, #1630) [Link]

I have read the paper. I didn't study it deeply enough to really understand it, though. I have no doubt their mathematics is correct, but I ask again: What's the point?

The point is... ?

Posted Dec 1, 2009 18:41 UTC (Tue) by johill (subscriber, #25196) [Link]

Well if you've read the paper then no doubt you've seen that the focus isn't on general elections on any scale, at least not yet.

I'm not sure how you can dismiss it as irrelevant -- if we hadn't started computing with tubes a long time ago we'd probably not have computers the way we do now? And at the time tube computers were not usable by the general public, so you would have asked "what's the point"?

The point is... ?

Posted Dec 2, 2009 0:13 UTC (Wed) by PaulWay (✭ supporter ✭, #45600) [Link]

Nothing is truly academic, with no application in the real world.

That said, this is but a small part of the chain of processes to make voting safer for the voters and more secure for governments. There are numerous other academic papers, open source voting machines, and even standard UN voting procedures and monitoring, that also contribute to this. While this paper doesn't "solve all problems", it's a link in that chain.

And it raises awareness of voter rights and election fairness, which is also a good thing.

Have fun,

Paul

The point is... ?

Posted Dec 3, 2009 6:18 UTC (Thu) by lambda (subscriber, #40735) [Link]

What's the point of any academic research? To increase human knowledge. Not all of that knowledge turns out to be useful; but some of it does. This particular protocol may never be used itself, but it may inspire someone else designing a protocol for a similar situation in the future.

Do you demand that every paper written be immediately and obviously applicable to the real world? Tons of research would never get done if that's the bar you set; and much of that research is stuff that could be built upon for later real world applications.

Some possible uses of this protocol: voting for ops privileges on an IRC channel, or admin privileges on a wiki. I would imagine it could be used in a game situation that needs anonymous voting without a trusted authority. While most online games involve a trusted authority (the game server), if you start gambling on them, putting trust in an authority can be very dangerous (trust is also harder in these situations because online gambling is banned in the US, and thus often occurs in rather dubious jurisdictions). I don't know if there are games that people gamble on that involve voting, though with real money trading in MMORPGs and virtual worlds, I can imagine that voting in guilds could become contentious enough for something like this to become useful at some point.

The point is... ?

Posted Dec 1, 2009 21:47 UTC (Tue) by dskoll (subscriber, #1630) [Link]

> To me, it seems fairly easily implemented and executed within a group of cooperative voters.

So again, I ask: What's the point? A group of cooperative voters is a rather restricted problem that's of academic interest only.

The point is... ?

Posted Dec 5, 2009 0:41 UTC (Sat) by Baylink (guest, #755) [Link]

> the authors aren't thinking of full scale political elections

And they cannot.

Voting systems have to fulfill quite a number of (by now, fairly well understood) requirements. There's a thing called, I think, Arrow's Paradox, that says you *can't* fulfill them all simultaneously...

but before you start ignoring any, you have to know what purpose they fulfill.

"Voter enters a closed compartment" obviously fulfills "no one can see the voter's choice"... but it *also* fulfills "the voter cannot sell his or her vote because they can't prove how they voted"; this is also why we don't give Official Receipts showing the votes.

Cellphones with cameras are *threatening* to violate this rule, but *any voting protocol which does not require most voters to appear in person and vote in a private booth* *necessarily violates it*, and is therefore unsuitable for public political plebiscites.

99%

Posted Dec 1, 2009 14:38 UTC (Tue) by felixfix (subscriber, #242) [Link]

99% of the world won't understand design specs of something they use every day, whether it be electricity coming from the wall or a car or an escalator or a dung cooking stove with special metals to retain heat better.

How much of the kernel or web browser do you understand?

99%

Posted Dec 1, 2009 15:56 UTC (Tue) by dskoll (subscriber, #1630) [Link]

> How much of the kernel or web browser do you understand?

That's an unfair question because I'm a professional software developer, so I understand the basic design and principles of both of them pretty well. (Obviously, I don't know all the intimate details because that's not what I work on.)

However, I don't feel I have to understand those, whereas I certainly feel I have to understand how my country's democracy works in order to feel that my vote counts.

I'm lucky enough to live in Canada, which still uses paper ballots for federal elections. So I don't need to spend a few intense hours studying academic papers to understand how our votes are counted, nor to feel reasonably certain I understand the possible attacks against our system.

99%

Posted Dec 1, 2009 16:24 UTC (Tue) by felixfix (subscriber, #242) [Link]

It's an absolutely fair question. I write programs too, but I depend on experts to get the SSL right, the kernel drivers with interrupts and race conditions, the compilers used to put them together, every step of the process. I have no doubt I could understand a given state of the kernel if I had years to poke thru it and get all sorts of specs for the hardware to study. But then I'd be years out of date. I will NEVER be a kernel expert or an SSL expert and I doubt you will be either. Yet you trust them and rely on them WITHOUT understanding them.

Why do you complain that 99% of the people will never understand this? Why do you think they should, or even could?

How much do you know of the paper ballot process? How do you know they haven't used disappearing ink? How do you know they don't switch ballots or simply fake all the backroom stuff? You don't. You rely on others to vet the process because they are among the .001% of the population who understand their little specialty. You are not among them. You are part of the 99.999% that doesn't understand the process and never will.

Modern civilization is far too complicated and intertwined for anybody to understand even 1% of what happens in their daily lives. We rely on those who do understand their little specialties to do the right thing, which is not To Do The Right Thing(tm), but to watch the other experts.

Voting in Australia

Posted Dec 1, 2009 17:48 UTC (Tue) by gmatht (subscriber, #58961) [Link]

> How much do you know of the paper ballot process?

With respect to Australia: enough.

> How do you know they haven't used disappearing ink?

I imagine the number of blank ballots would then become more significant. I guess they could use magical appearing ink though.

> How do you know they don't switch ballots or simply fake all the backroom

Each of the candidates is allowed to nominate someone to oversee the process. If all the candidates are conspiring to rig the election then the election is kind of pointless anyway.

In a sense this supports your argument, as if all the candidates agree that the voting method is not tamperable then the voter does not need to care. Still it would be nice if the vote was still anonymous and also that the voter was able to understand the concept when the candidates do not agree. So the voter should be expected to understand "they miscounted the hanging chads" but if things start to get more complicated than md5 hash collisions that would be unfortunate.

99%

Posted Dec 1, 2009 19:48 UTC (Tue) by njs (guest, #40338) [Link]

> I will NEVER be a kernel expert or an SSL expert and I doubt you will be either. Yet you trust them and rely on them WITHOUT understanding them.

If kernel design were the ultimate determinant of my taxes, health care access, the state of my public schools and justice system, the effectiveness of environmental, financial, and food safety regulation, and decisions about whether to kill millions of people in military action, then, uh... yeah, I would be a bit less willing to take its code on trust than I am now.

99%

Posted Dec 1, 2009 21:25 UTC (Tue) by tzafrir (subscriber, #11501) [Link]

Do all voters understand the exact calculation of votes in a multi-party system? Many don't know the fine details. They still know that generally the more votes a party gets, the more seats it gets in the parliament.

99%

Posted Dec 1, 2009 21:50 UTC (Tue) by dskoll (subscriber, #1630) [Link]

> Do all voters understand the exact calculation of votes in a multi-party system?

Yep. Canada uses the First-Past-The-Post system, which is dead easy to understand. Many people criticize it for being unfair or for marginalizing smaller parties, but there has been strong resistance to changing it in Canada, partly (I think) because FPTP is so easy to understand.

99%

Posted Dec 1, 2009 21:46 UTC (Tue) by dskoll (subscriber, #1630) [Link]

> Why do you complain that 99% of the people will never understand this? Why do you think they should, or even could?

If the system is eventually used on a large scale for votes about important public policy or for electing officials, then it is vital for voters to understand the system. If you fail to see that, then you don't understand public policy or human nature.

> How much do you know of the paper ballot process?

A lot.

> How do you know they haven't used disappearing ink?

Because (1) the polling place supplies pencils, not pens. (2) you can bring your own marker if you like. (3) the ballot boxes are sealed and opened only in the presence of representatives from each of the candidates contesting a riding. It would therefore require subverting many (hundreds or thousands) of people with a vested interest in fairness to materially affect the outcome of the vote.

> You rely on others to vet the process because they are among the .001% of the population who understand their little specialty. You are not among them. You are part of the 99.999% that doesn't understand the process and never will.

You are completely wrong. Anyone can read Canada's election laws and guidelines and find out exactly how the process works. Everyone understands the process I described a couple of paragraphs ago. Everyone understands hand-counting in the presence of scrutineers representing each candidate. And anyone can be nominated to be a scrutineer; it doesn't require special skills.

One step at a time

Posted Dec 1, 2009 23:24 UTC (Tue) by djao (subscriber, #4263) [Link]

I think you're being a little unfair in your criticism. Yes, I am an academic who has previously worked on voting related topics, but I think the points I am about to make are valid.

The nature of progress is that you start with small steps and work your way up to better things. I completely agree that this protocol by itself is only of academic interest right now. I also perhaps agree that the authors of the protocol are overhyping it. But I absolutely do not agree that this work is useless. It is a necessary first step to bigger and better solutions.

No matter which direction you seek to improve things, you need to start somewhere. You may not be aware of it, but a lot of prominent researchers (including Ron Rivest, the R in RSA) are actively working on non-mathematical secure voting protocols. We don't have any such protocols yet, but it is a major goal of current research. There is an awareness within the research community that the most important feature of a voting protocol is to avoid complicated mathematics. It is perhaps true that the authors of this particular protocol have not optimized for simplicity, but part of your criticism was directed at all voting researchers, not just the authors of this protocol. That accusation goes too far; we are not all alike, and you should not paint us all with the same brush.

Another point that you need to understand is that over the time scale of centuries, it is possible to expect that general improvements in public schooling will expand the level of education that can be safely incorporated into institutional systems. For example, many centuries ago, not everyone was literate, but nowadays we expect and rely on literacy in everyday life. Maybe you don't care about improving life for future generations, but some of us do.

One step at a time

Posted Dec 2, 2009 18:18 UTC (Wed) by dskoll (subscriber, #1630) [Link]

> The nature of progress is that you start with small steps and work your way up to better things.

Why do you assume that electronic voting is better than physical ballots?

Sometimes, things are done in the name of progress that are really regressions. However, our society is so geared to prefer high-tech over low-tech, dazzling over mundane, electronic over physical that we sometimes fail to see that we actually have a worse solution to the problem than the older solution.

I would never say such research is useless. Of course, it isn't; tomorrow a completely unrelated problem domain may arise that can benefit from the research. I do think, however, that efforts to make national elections electronic rather than physical are misguided at best and malicious at worst.

One step at a time

Posted Dec 2, 2009 19:37 UTC (Wed) by felixfix (subscriber, #242) [Link]

Why do YOU assume electronic voting is useless?

Consider the absentee voting required by overseas citizens. It takes a relatively long time to send paper ballots overseas and get them mailed back. Business people, travelers, soldiers ... they could all benefit from being able to vote closer to the election date from a laptop than having to process snail mail results. Snail mail balloting itself is hardly secure. For an extreme example, consider astronauts on the space station for a six month tour with resupply ships once a month.

The internet was useless before being proposed and built, but still took years before it transformed society in ways very few people would object to.

Ditto for every invention that has had great success. The telegraph, steam engines. Just because you can see no immediate need or use for something does not make it forever worthless.

You come across as someone with a grudge, I dare say a luddite opposed to all progress. It's probably not true in every respect, but that is how you come across.

One step at a time

Posted Dec 3, 2009 12:04 UTC (Thu) by dskoll (subscriber, #1630) [Link]

> Why do YOU assume electronic voting is useless?

It's not. It's fine for votes in which no-one has much interest in subverting the outcome.

However, it is utterly useless for any vote in which someone might have a significant interest in subverting the outcome, such as national elections. That's because history has shown that every single computer network has been successfully attacked. There is not a single operating system, DRM stack or network stack that has resisted attacks from motivated attackers.

All your objections to physical voting basically boil down to "we don't get instant gratification." Well, the point of an election is to accurately gauge voters' intentions, not quickly gauge them.

And yes, I am someone with a grudge, because I see democracy being eroded because of flashy and seductive technology, and that is very worrying.

Stop lumping everything together

Posted Dec 3, 2009 14:33 UTC (Thu) by felixfix (subscriber, #242) [Link]

> All your objections to physical voting basically boil down to "we don't get instant gratification."

Whoa there .... I have NEVER said that. Stop misquoting. You just lost a lot of credibility right there.

> There is not a single operating system, DRM stack or network stack that has resisted attacks from motivated attackers.

You fail to distinguish between unsubvertable mathematics and subvertable operating systems.

To confuse DRM with voting cryptography is further erosion of your credibility. DRM is laughable because of the internal inconsistency of giving users secret private keys to play content while wanting to hide the secret private keys because they would use it to play content.

Stop lumping together everything which your preconceived notions don't like.

Stop lumping everything together

Posted Dec 3, 2009 17:21 UTC (Thu) by dskoll (subscriber, #1630) [Link]

> You fail to distinguish between unsubvertable mathematics and subvertable operating systems.

No, I'm insisting on that distinction. Mathematics may be insubvertible, but in every single case in history when mathematics has been applied to build a real system, the real system was subvertible.

So that mathematics is cool and worthwhile as an academic exercise, and it may even lead to something practical someday, but it will certainly not lead to secure e-voting because such a thing is an oxymoron.

One step at a time

Posted Dec 4, 2009 14:20 UTC (Fri) by ms (subscriber, #41272) [Link]

> All your objections to physical voting basically boil down to "we don't get instant gratification." Well, the point of an election is to accurately gauge voters' intentions, not quickly gauge them.

I realise it's a moot point (and possibly inflammatory), but with instant counting, it's likely Dubya would never have been "elected". Now isn't that something worth fighting for? ;) (tongue in cheek, and I don't disagree with your point at all)

One step at a time

Posted Dec 2, 2009 21:56 UTC (Wed) by djao (subscriber, #4263) [Link]

> Why do you assume that electronic voting is better than physical ballots?

With physical ballots, there is no way to verify that my ballot is actually included in the final total. I can verify that my ballot is in the box that they claim is the ballot box, but I cannot verify that my exact ballot is actually included in the final published total. There is no way for a physical ballot to allow end-to-end verification of published vote totals, not without violating the requirement that ballots be secret.

However, with electronic ballots, and some complicated mathematics, it is possible for any voter who knows the mathematics to verify that his own exact vote is actually included in the published vote total. Amazingly, this can even be done without violating the secret ballot requirement. In other words, I can verify that my own vote is counted correctly, but I cannot prove to anybody else that my vote was counted correctly. In fact, both of these statements can be proved. Yes, it is actually possible to prove that I cannot prove to anyone else how I voted. For many mathematicians and researchers, the realization that this kind of breakthrough is possible with electronic voting makes it impossible to go back to physical ballots. Why would you regress to having to trust election officials, when there is a better technology that allows everyone to verify the accuracy of a vote count even in the face of one or more malicious election officials?

Of course, I am a mathematician, and I have no trouble understanding the mathematics involved. As I said before, I am very aware that electronic voting is a hard sell to the general public, because the average person does not understand the mathematics. However, I think the potential benefits of electronic voting are so enormous that we should be trying to resolve the obstacles that stand in the way of electronic voting, rather than opposing the entire concept altogether.

One step at a time

Posted Dec 3, 2009 18:17 UTC (Thu) by dskoll (subscriber, #1630) [Link]

> With physical ballots, there is no way to verify that my ballot is actually included in the final total.

That's true, but if you live in a parliamentary democracy with multiple parties, each of whom have scrutineers overseeing the counting (all of whom have to agree on the final tally), then you see that the system contains a large amount of self-correction, making systematic bias or fraud difficult.

Note that the security comes from human nature, not from technology. We make sure the scrutineers have competing interests in the outcome, so it's very hard to bias them all.

> However, with electronic ballots, and some complicated mathematics, it is possible for any voter who knows the mathematics to verify that his own exact vote is actually included in the published vote total. Amazingly, this can even be done without violating the secret ballot requirement....

Yes, I'm sure the mathematics is very beautiful and amazing, but you're making the same mistake many do by assuming that beautiful mathematics translates into beautiful real-life implementations. The flaws are almost never in the mathematics; they're almost always in the real-life details.

> As I said before, I am very aware that electronic voting is a hard sell to the general public, because the average person does not understand the mathematics. However, I think the potential benefits of electronic voting are so enormous that we should be trying to resolve the obstacles that stand in the way of electronic voting, rather than opposing the entire concept altogether.

Here, we disagree. Even in the unlikely case that someone proves me wrong and comes up with an unhackable e-voting system, I would still oppose it on principle. Unless every voter can understand the system and believe in its honesty, the system is undemocratic. Paraphrasing a remark about the law: Honesty must not only exist, it must be seen to exist.

I'd certainly trust the assurances over many scrutineers from competing parties over the assurances of intelligent, well-meaning, but naive mathematicians.

One step at a time

Posted Dec 3, 2009 20:38 UTC (Thu) by djao (subscriber, #4263) [Link]

I am certainly not making any of the mistakes that you accuse me of making. I fully understand that real life implementation details are the main sticking point in voting systems. I completely agree that every voter must fully understand and trust the integrity of the system. I am not naive about human nature. To the contrary, it seems that you are the one who is naively trusting of human nature.

I trust a mathematical proof more than I trust any amount of human nature or any number of election officials, no matter how well meaning or self correcting they are. Very simply, I can personally check a mathematical proof. I know you can't, and I know normal people can't, but I can, and that makes a difference to me. I am not trying to explain why I support deployment of electronic voting systems -- I don't support that, so please stop accusing me of this straw man. I am simply trying to explain why I think electronic voting is deserving of further research.

There are, as you rightly keep pointing out, enormous practical difficulties in deploying a secure actual implementation of an election system. However, this holds true for any election system, whether electronic or physical. To say otherwise is to grossly underrate the hundreds of years of development and the countless man-hours of work that go into running a democratic election today. The implementation challenges presented by an electronic voting system are certainly different from those of a physical system, but I do not regard them as insurmountable. Possibly the level of difficulty is even the same in both cases. However, it will take further research and possibly experimental data to find out, both of which you seem to oppose. I strongly and vehemently reject the premise that we should allow our fear of the implementation difficulty to prevent all research altogether.

As to your second main point, that the mathematics is too complicated, I have already explained that this deficiency is actively being addressed in the short term through the development of non-mathematical electronic voting schemes, and also in the long term (centuries) by improvements in public education. There is absolutely nothing unusual about mathematics being developed centuries ahead of any practical applications; for example, the vast majority of today's computer hardware and encryption software owes its existence to centuries-old calculus and number theory.

Electronic voting is unsuitable for deployment right now, and will remain so for some time, but it offers far greater potential than paper voting, if the implementation details can be sorted out. There is no reason right now to believe that the implementation difficulties are insurmountable. Hell, if worst comes to worst, we can deploy a system that generates two simultaneous ballots for each vote, one electronic and one paper, each as an integrity check on the other. Because of the greater potential of electronic voting, it deserves further research. NOT present deployment, but further research.

I also emphasize that when I talk about electronic voting, I mean something totally different from the electronic voting systems that have currently been deployed in some areas of the world. I am talking about end-to-end voter-verifiable voting schemes, which is not at all what is actually being deployed.

One step at a time

Posted Dec 4, 2009 14:31 UTC (Fri) by ms (subscriber, #41272) [Link]

> With physical ballots, there is no way to verify that my ballot is actually included in the final total.

> That's true, but if you live in a parliamentary democracy with multiple parties, each of whom have scrutineers overseeing the counting (all of whom have to agree on the final tally), then you see that the system contains a large amount of self-correction, making systematic bias or fraud difficult.

Actually, that's not true. In the UK we use plain old FPTP and paper voting and there have still been several cases of fraud over the last few years, sometimes with ballots going missing but mainly with postal votes. I've heard of cases of people going to retirement homes / nursing homes and coercing people there to vote a particular way, and these people quite possibly are incapable of resisting.

Frankly, I've no fear about what goes on in a polling station. What terrifies me is the way the media gets to dictate the outcome of an election, legally. Not only that, but in many cases dictate policy too. That is truly astonishing and pretty good evidence that none of us live in a democracy.

One step at a time

Posted Dec 5, 2009 0:46 UTC (Sat) by Baylink (guest, #755) [Link]

> Why do you assume that electronic voting is better than physical ballots?

Why do *you* assume that electronic voting can't *involve* physical ballots.

In fact, any provable electronic voting system, I'm tempted to say, *must* require them. They must be voter-verifiable. You can aid voters with visual or motion problems in creating them, and you can count them with optical scanners for speed, but my personal mantra is "A Vote Is A Physical Object". Such a protocol would have stamped out *every* electronic voting irregularity of which I'm currently aware, while requiring *no* complicated math or trusted code.

You trust *people*, whom you can watch and understand their actions.

A few clarifications

Posted Dec 3, 2009 11:02 UTC (Thu) by haofeng (guest, #62296) [Link]

I'm one of the designers of this protocol. Reading the comments, I feel it is necessary to clarify a few points.

1. This paper is on the small-scale election. Don't get it confused with the large-scale election. The two are different. I hope we made that very clear in the paper. In the future, we'll work on the large-scale voting. That will use completely different techniques.

2. Voting is all about public confidence. You can have a simple paper-based voting that everyone can understand, but that doesn't necessarily make it trustworthy. When disputes arise, you find you can't really verify. What's the percentage of population who understand RSA, Diffie-Hellman, AES? But that doesn't prevent people from using these technologies in daily life on on-line banking, ATM withdrawal, PGP-email etc. The fact that these techniques have been rigorously analyzed by a small group of trusted mathematicians and still remain solidly secure builds up the public confidence. For e-voting, it will be the same.

3. Though I'm from an academic background, I consider myself more an engineer. I especially dislike hype in security. I completely disagree when someone suggests the paper is "overhype". Which part, which sentence, which word in the paper?

4. It's not difficult to implement the protocol. For example, in a campus vote, every student logs in to the voting system and posts a public message on the website. All the student needs to do is to open a webpage (with a Java applet) and click a button. The applet can do the rest of the computation in a transparent way. All the voting data (including the applet source code) will be publicly available on the bulletin board for auditors (in fact anyone) to verify. We think this openness is crucial in building up the confidence in the election.

5. Finally, once again, the centralized and decentralized elections are two different schemes, though they may be complementary in some applications.
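
The bulletin-board flow sketched in point 4, as an added example that is not part of this thread and not the authors' code. It follows the two-round structure of the published Open Vote Network as I understand it: in round 1 each voter posts g^x_i with a Schnorr proof of knowledge of x_i; in round 2 each voter computes g^{y_i} from everyone else's round-1 posts and publishes g^{x_i y_i} g^{v_i} with v_i in {0, 1}; the tally is the product of all round-2 posts, which anyone can recompute from the board. All names (Group, round1, round2, tally, run_election, the "voterN" ids) and the 64-bit toy group are my assumptions; the 1-out-of-2 proof that v_i is 0 or 1, which the published protocol requires in round 2, is deliberately omitted, so an over-vote is only detected as an impossible tally rather than attributed to a voter.

```python
"""Toy two-round Open Vote Network over a public bulletin board.
Added example, not the authors' code. A 64-bit safe-prime group keeps it
fast; a real deployment needs a 2048-bit group or an elliptic curve."""
import hashlib
import random


def is_probable_prime(n, rounds=32):
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):  # Miller-Rabin with random bases
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


class Group:
    """Order-q subgroup of Z_p^* with p = 2q + 1 a safe prime (assumed setup)."""
    def __init__(self, bits=64):
        while True:
            q = random.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
            if is_probable_prime(q) and is_probable_prime(2 * q + 1):
                self.p, self.q = 2 * q + 1, q
                break
        while True:  # any non-trivial square generates the order-q subgroup
            self.g = pow(random.randrange(2, self.p - 1), 2, self.p)
            if self.g != 1:
                break


def challenge(group, *parts):
    """Fiat-Shamir challenge; binding the voter id stops proof replay."""
    data = "|".join(str(x) for x in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % group.q


def schnorr_prove(group, x, h, voter_id):
    """Proof of knowledge of x with h = g^x, attached to the round-1 post."""
    r = random.randrange(1, group.q)
    a = pow(group.g, r, group.p)
    s = (r + challenge(group, h, a, voter_id) * x) % group.q
    return a, s


def schnorr_verify(group, h, proof, voter_id):
    a, s = proof
    c = challenge(group, h, a, voter_id)
    return pow(group.g, s, group.p) == a * pow(h, c, group.p) % group.p


def round1(group, voter_id, x):
    """Voter publishes g^x_i plus a proof that x_i is known."""
    h = pow(group.g, x, group.p)
    return {"id": voter_id, "gx": h, "proof": schnorr_prove(group, x, h, voter_id)}


def round2(group, board1, i, x, v):
    """Voter i publishes g^{x_i y_i} * g^{v_i}, v_i in {0, 1} (yes = 1), where
    g^{y_i} = prod_{j<i} g^{x_j} / prod_{j>i} g^{x_j} is read off the board.
    The published protocol also attaches a 1-out-of-2 proof that v_i is 0 or 1;
    it is omitted here, so an over-vote is only caught at the tally."""
    num = den = 1
    for j, post in enumerate(board1):
        if j < i:
            num = num * post["gx"] % group.p
        elif j > i:
            den = den * post["gx"] % group.p
    gy = num * pow(den, group.p - 2, group.p) % group.p
    ballot = pow(gy, x, group.p) * pow(group.g, v, group.p) % group.p
    return {"id": board1[i]["id"], "ballot": ballot}


def tally(group, board1, board2):
    """Recomputable by anyone: sum_i x_i y_i == 0, so the product is g^(yes votes)."""
    for post in board1:
        if not schnorr_verify(group, post["gx"], post["proof"], post["id"]):
            raise ValueError("bad round-1 proof from %s" % post["id"])
    product = 1
    for post in board2:
        product = product * post["ballot"] % group.p
    for yes in range(len(board2) + 1):
        if pow(group.g, yes, group.p) == product:
            return yes
    raise ValueError("product is not g^k for k in 0..n: an invalid ballot was cast")


def run_election(votes, bits=64):
    """Simulate every voter locally; returns the number of yes votes."""
    group = Group(bits)
    secrets = [random.randrange(1, group.q) for _ in votes]
    board1 = [round1(group, "voter%d" % i, x) for i, x in enumerate(secrets)]
    board2 = [round2(group, board1, i, x, v)
              for i, (x, v) in enumerate(zip(secrets, votes))]
    return tally(group, board1, board2)
```

`run_election([1, 0, 1, 1, 0])` returns 3 without any party ever seeing an individual vote in the clear: each ballot is masked by g^{x_i y_i}, and the masks cancel only over the full product, which is why only a collusion of all other voters can unmask one voter. Note what the board does not settle: it proves the applet's arithmetic, not that the code a student ran is the code that was published.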

A few clarifications

Posted Dec 3, 2009 12:07 UTC (Thu) by dskoll (subscriber, #1630) [Link]

> 2. Voting is all about public confidence.

Good. I'm glad you understand it.

> You can have a simple paper-based voting that everyone can understand, but that doesn't necessarily make it trustworthy.

As usual, the devil is in the details. Canada's system is trustworthy; its checks and balances with independent scrutineers are very robust. To my knowledge, we have never had any serious dispute about the outcome of an election, unlike in the United States.

> When disputes arise, you find you can't really verify.

That is untrue; see above.

> What's the percentage of population who understand RSA, Diffie-Hellman, AES? But that doesn't prevent people from using these technologies in daily life on on-line banking, ATM withdrawal, PGP-email etc.

We do that because the stakes are low. Our liability is limited; the banks will cover any losses once they are informed of a hacked card or computer. If my bank said to me I was liable for every single loss caused by a hacked ATM or computer, I would certainly not use electronic banking. The security here lies in non-technical policies and laws, not in the technology itself.

A few clarifications

Posted Dec 3, 2009 13:30 UTC (Thu) by haofeng (guest, #62296) [Link]

We're discussing it in the context of electronic voting, right?

I actually like the paper-based election because it is simple. It's not perfect, but somehow it works, depending on how effective the physical controls in the election are. I think Canada does well on that.

What we want to explore in the paper is to find a digital alternative to the paper-based voting. In particular, given the ease of manipulating data in the digital world, how to prevent the computer from "eating" your vote? How do you verify? How do you control the privacy of your vote without relying on someone else?

In this context, it is necessary to change the mindset from physical controls to technological controls. What we did is just that (on a small scale, though). Note, e-voting, as a technology, is not to replace paper-based elections.

A few clarifications

Posted Dec 3, 2009 17:26 UTC (Thu) by dskoll (subscriber, #1630) [Link]

> We're discussing it in the context of electronic voting, right?

Well actually, I was discussing the concept of electronic voting in general. I don't accept the premise that electronic voting is a given, so now we just have to try to fix it up so it works properly.

> What we want to explore in the paper is to find a digital alternative to the paper-based voting. In particular, given the ease of manipulating data in the digital world, how to prevent the computer from "eating" your vote? How do you verify? How do you control the privacy of your vote without relying on someone else?

And the answer is: You can't. Because real-world computer systems are insecure against a powerful and resourceful attacker, and those who would manipulate elections are powerful and resourceful indeed.

You can't even do those things with paper ballots, but the resources needed to significantly affect a paper ballot vote are much higher. You can hack a computer once and then efficiently distribute and implement the hack. To subvert people, you need to bribe or blackmail lots of different people, some of whom might react unpredictably and expose you.

How many billions of dollars are spent on US national election campaigns? How much hacking resources could those dollars buy? It may well be considerably cheaper to hack an electronic election than waste money on a campaign.

A few clarifications

Posted Dec 3, 2009 20:30 UTC (Thu) by dmag (subscriber, #17775) [Link]

> And the answer is: You can't. Because real-world computer systems are insecure against a powerful and resourceful attacker, and those who would manipulate elections are powerful and resourceful indeed.

Same can be said for paper ballots. (True story: A few decades ago, Republicans in New York City went to the Democrat districts and threw their ballot boxes in the river. Since the (mostly democrat) votes couldn't be counted, the Republicans won. Now NYC has massive metal voting machines that are too heavy to move.)

I don't think this discussion is going in the right direction. Step back and look at the big picture.

If I had announced 30 years ago that I was going to base the security of almost all world-wide bank/business/government transactions on the completely unproven mathematical assertion that "P != NP", you would have laughed in my face. But here we are, moving billions of dollars daily based on that fact. (And we know quantum computers will ruin the system soon.)

Or what if I said "an OS will be written by 1000's of strangers from around the world, and it will be more trusted than the OS from the world's largest software company". Nobody would believe me 30 years ago.

The researchers in this paper do not assert that "we can make secure real-world e-voting today". They might even agree with you that "it's not possible today".

But saying "we will never have secure e-voting" goes against human ingenuity.

The other reality: In the US, we have known-to-be-insecure e-voting written by a company filled with criminals. Making them store MD5s instead of raw vote counts in an Access database would be an improvement.

A few clarifications

Posted Dec 3, 2009 22:03 UTC (Thu) by dskoll (subscriber, #1630) [Link]

> Same can be said for paper ballots. (True story: A few decades ago, Republicans in New York City went to the Democrat districts and threw their ballot boxes in the river. Since the (mostly democrat) votes couldn't be counted, the Republicans won. Now NYC has massive metal voting machines that are too heavy to move.)

Well, that incident shows a shocking lack of concern for physical security.

> I don't think this discussion is going in the right direction. Step back and look at the big picture.

I believe I am. I think we need to step back and ask ourselves: Is secure electronic voting a problem that needs to be solved? And I believe the honest answer is "No."

All the other examples you mentioned were problems in which a solution would be clearly beneficial. Electronic voting? Not so much.

A few clarifications

Posted Dec 4, 2009 1:15 UTC (Fri) by nix (subscriber, #2304) [Link]

Academia doesn't care if a problem 'needs' to be solved. It matters only that it is there.

That's the *point* of academia. You can never tell what may be useful five hundred years from now, or even one hundred.

A few clarifications

Posted Dec 4, 2009 18:06 UTC (Fri) by tialaramex (subscriber, #21167) [Link]

But you've just helped illustrate how important it is for people to be able to actually understand the system.

With the paper ballots your example was easy. How did the Republicans steal an election? By throwing away the ballots. What happened to my ballot? It's in the river. My grandmother and a primary school child can both see that the election was stolen and how it was done, they know who the bad guys are in the story.

Fast forward to electronic voting systems, and we're talking about someone who supposedly modified a computer program (a what now? says my grandmother) to have a statistical bias (what's that? says the school child) in favour of ignoring votes for one candidate whose affiliation matches the regular expression /public/ (now explain regular expressions and why this ordinary word is a problem in this context).

The election is still stolen, but now the people it was stolen from don't know enough to even be angry about it. It's like taking candy from a baby. Scratch that, in that example the baby knows it got ripped off, it just can't do anything about it, the whole point of electronic voting is that you won't know you got ripped off.

A few clarifications

Posted Dec 4, 2009 20:15 UTC (Fri) by anton (guest, #25547) [Link]

> What's the percentage of population who understand RSA, Diffie-Hellman, AES? But that doesn't prevent people from using these technologies in daily life on on-line banking, ATM withdrawal, PGP-email etc. The fact that these techniques have been rigorously analyzed by a small group of trusted mathematicians and still remain solidly secure builds up the public confidence. For e-voting, it will be the same.

No. The fact that people can check their account balance (without needing to know anything about these things, and without needing to trust a small group of mathematicians) and see if something funny happened builds up confidence. For e-voting, it won't be the same.

Also, ATM cards have been pretty insecure, their PINs could be found out, etc., and most people still used them; many of them prefer the convenience over the little insecurity. For on-line banking, many people do that with Windows machines (plus, from what I hear, most on-line banking requires you to use technology full of security holes, in particular JavaScript), and these machines can be and sometimes have been subverted to do something other than what the owner of the machine thinks he is doing in on-line banking; still, apparently there are people who are prepared to take the risk in order to get the convenience of on-line banking.

And you may be right that this will be the same for e-voting: People may also prefer the convenience of e-voting over running a proper election, and if enough people do this, we will eventually lose democracy.

A few clarifications

Posted Dec 20, 2009 19:53 UTC (Sun) by dbarv (subscriber, #55094) [Link]

> 4. It's not difficult to implement the protocol. For example, in a campus voting, every student logs in to the voting system and posts a public message on the website. All the student needs to do is to open a webpage (with a Java applet) and clicks a button. The applet can do the rest computation in a transparent way. All the voting data (including the applet source code) will be publicly available on the bulletin board for auditors (in fact anyone) to verify. We think this openness is crucial in building up the confidence in the election.

How can auditors be sure that the available source code is the _exact_ source code of the applet that is currently running on the server? As far as I can see, they can not. So students can not be confident in the implementation of the protocol.

In defense of electronic voting

Posted Dec 7, 2009 9:17 UTC (Mon) by sfink (subscriber, #6405) [Link]

There are domains in which physical voting makes the most sense. There are domains in which e-voting makes the most sense. There are many more domains where no good voting mechanism yet exists, and so they are handled by inferior alternatives. Research can move more real-world scenarios into the electronic category.

Physical voting has massive disadvantages. It is insanely expensive, so some questions that could best be answered by a group vote instead are dealt with by so-called representatives, who automatically become targets for nonrepresentative forms of influence (eg lobbyists). Physical voting is slow, further reducing the set of feasible uses. It is susceptible to a wide array of types of fraud. In its most trustworthy form, it is geographically limited. It is inconvenient enough to exclude large portions of the participants (eg if someone has been convinced by media reports or past history that their individual vote won't matter, they're not going to bother driving to the voting place or filling out a form. Even when their vote *would* have mattered if the inconvenience obstacle weren't there for everyone.)

I'm not saying that e-voting is the solution to any of these problems. Or at least, that it doesn't introduce intolerable new problems as a side effect. But it can be the solution in some cases if acceptable variants are worked out. And these problems are real, real enough that some alternatives to physical voting *will* be used in many situations, however horribly flawed those alternatives may be.

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds