
Why the need for a paper trail?


Posted Aug 20, 2004 0:57 UTC (Fri) by vdvo (guest, #24133)
In reply to: Will 'controlled open source' software take over election work? (NewsForge) by QuisUtDeus
Parent article: Will 'controlled open source' software take over election work? (NewsForge)

The problem with computer-based voting is that, without a paper trail that takes the place of the ballot (so the counting of the votes is done with tangible ballots), no one can truly convince anyone (even himself) that the counting of the votes was accurate and reliable. There is nothing to show, nothing tangible to handle.

Why do we need papers or something tangible to convince us of anything? I thought we were hackers, here?

This argument is so often repeated that I keep thinking I must be overlooking something, because it seems so obviously false. I offer you a paper-less, yet verifiable solution. In fact, my solution seems to be much better than paper voting, because only a few selected individuals have access to the paper ballots, so most people can't verify anything. Tell me where I'm wrong.

The solution:

  1. The voter comes to the e-voting booth and presents to the machine a token of authorization to vote; this token is consumed or invalidated. The handing out of these tokens is a separate matter not under discussion here.
  2. The machine asks the voter to enter any unique identifier, password, PIN, nickname, or whatever. This will serve to identify his vote. At the voter's option, the machine may offer to generate a random identifier for him. The machine will make sure the identifier is unique at least within the voting district. The voter will make sure to not tell the identifier to anyone (the on-screen instructions should advise him of this).
  3. The machine lets the voter choose his preferred candidate(s), or whatever is the matter of the election or vote.
  4. The machine stores in a database a tuple of the identifier and the ballot. After making sure the entry is permanently stored, it thanks the voter and indicates that the vote is done.
  5. The voter goes home. He fires up his web browser and surfs to the election's home page. He enters his chosen (or generated), secret identifier, and the server responds by showing his ballot. Thus, the voter has verified that his vote has been registered correctly - something he isn't able to do right now, even with paper ballots or paper trails. Furthermore, they can do this verification instantly, without even waiting for the elections to close.
  6. Once the elections have closed, the voter surfs to the election's home page again and clicks on a link for his (or any other) district's complete results listing. The server responds by giving a listing of potentially thousands of identifier-ballot pairs. These are public, because there is no reason for them to be secret. They can be published in newspapers for the benefit of the internet-impaired. Anyone can verify that their ballot was registered. Anyone can verify that there weren't more votes than eligible voters. Anyone can make a recount in the comfort of their homes, and compare his results to the official numbers. All these things are impossible right now, even with a paper ballot or a paper trail.
  7. Every voter's privacy is preserved, assuming that they keep their IDs secret (remember, they can choose their own) and that there is no way to connect the tokens (see 1.) to the ballots.

What have I missed?



Why the need for a paper trail?

Posted Aug 20, 2004 1:29 UTC (Fri) by vdvo (guest, #24133) [Link]

There's one more thing I forgot to add: with this solution, it doesn't matter whether the voting machine's software is open source or proprietary, nor whether it's made by Diebold or whoever. When you can verify the results, it's not important how you obtained them.

Why the need for a paper trail?

Posted Aug 20, 2004 3:44 UTC (Fri) by freemars (subscriber, #4235) [Link]

What have I missed?

Sammy the Enforcer hangs around outside the polls and offers you $100 to vote for Slimey Fred. He instructs you "use 8353459322 as your identifier."

The day after the election Sammy reads the newspaper and notes that voter "8353459322" voted for Honest Ellen. After breakfast Sammy stops by your house and breaks your legs.

Or Sammy reads the paper and notices that nobody used ID "8353459322" in your ward. After breakfast Sammy stops by your house and breaks your legs.

But if Sammy sees that voter "8353459322" cast a ballot for Slimey Fred he'll stop by your house and give you $100.

Isn't it simpler to just print the official, recountable, ballot, let the voter view it behind glass, and then drop it into the locked box?
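
The scheme from the first post and the objection raised in the reply above, modelled as an added example (not part of any comment, and not code from any voting system). The class and function names are hypothetical and the data is constructed; the identifier and candidate names are the ones used in the thread. It shows that the public listing supports the audit checks of step 6, and that the lookup a voter uses to verify a ballot gives the same proof to anyone else who knows the identifier.

```python
from collections import Counter

class District:
    """Toy model of the posted scheme: a public list of (identifier, ballot) pairs."""

    def __init__(self, eligible_voters):
        self.eligible_voters = eligible_voters
        self.entries = {}                       # identifier -> ballot

    def cast(self, identifier, ballot):
        # Step 2: the machine enforces uniqueness within the district.
        if identifier in self.entries:
            raise ValueError("identifier already in use")
        self.entries[identifier] = ballot       # step 4: store the tuple

    def listing(self):
        # Step 6: the complete listing is published after the close.
        return sorted(self.entries.items())


def audit(listing, eligible_voters, official_tally):
    """Checks any reader of the published listing can run (step 6)."""
    ids = [ident for ident, _ in listing]
    recount = Counter(ballot for _, ballot in listing)
    return {
        "ids_unique": len(ids) == len(set(ids)),
        "within_electorate": len(ids) <= eligible_voters,
        "tally_matches": recount == Counter(official_tally),
    }


def receipt_status(listing, identifier, expected_ballot):
    """What the listing proves to anyone who knows an identifier (step 5)."""
    ballots = dict(listing)
    if identifier not in ballots:
        return "identifier not used"
    return "matches" if ballots[identifier] == expected_ballot else "differs"


# Constructed sample data; names and the identifier are taken from the thread.
district = District(eligible_voters=5)
district.cast("8353459322", "Honest Ellen")
district.cast("blue-heron-17", "Slimey Fred")
district.cast("k3", "Honest Ellen")
PUBLISHED = district.listing()
OFFICIAL = {"Honest Ellen": 2, "Slimey Fred": 1}

if __name__ == "__main__":
    print(audit(PUBLISHED, district.eligible_voters, OFFICIAL))
    print(receipt_status(PUBLISHED, "8353459322", "Slimey Fred"))
```

The audit passes on this data, yet the same listing answers all three cases in the reply (used as demanded, used differently, not used at all), which is why the scheme as posted is not receipt-free.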

Why the need for a paper trail?

Posted Aug 20, 2004 11:23 UTC (Fri) by hingo (guest, #14792) [Link]

You have missed Sammy as explained above, also known as coercion. But other than that, your thinking is on the right track, just add some appropriate cryptography.

See http://www.eucybervote.org/xootic2000.pdf, http://citeseer.ist.psu.edu/40542.html and http://votehere.net/.

Of course, even with this kind of system you could add paper receipts as well, but there is less need for them.

Why the need for a paper trail?

Posted Aug 20, 2004 13:35 UTC (Fri) by arafel (subscriber, #18557) [Link]

You've missed people forgetting their ID, particularly if it's a random string of numbers. You've also missed the fact that who you vote for is supposed to be confidential, unless you choose to tell people. Having it published in a paper doesn't sound too confidential to me. :-)

Also, unless someone takes the printed paper, and counts up the number of people listed as voting for X, and the number of people the system *said* voted for X, how do you know they match?

I'm not entirely sure why people are rushing for electronic voting anyway. What's wrong with the systems currently in use?

Why the need for a paper trail?

Posted Aug 20, 2004 14:52 UTC (Fri) by dskoll (subscriber, #1630) [Link]

Complicated series of steps deleted

What have I missed?

A very important point:

Joe Average's eyes will glaze over when he gets to step 2. Voting must not only be fair, it must be seen to be fair by average members of the public. A voting system is no good if only 1% of the population (computer scientists) can understand and trust it.

A simple paper ballot is easily understandable by anyone capable of voting. Recounting paper ballots is easily understandable and verifiable by anyone capable of voting.

Even if someone came up with hack-proof hardware, hack-proof software, hack-proof officials and a hack-proof voting protocol (all of which is highly unlikely), it would still not be good enough because it's too complex for the large majority of the population to understand.

I don't know why people insist on trying to mis-apply technology where it will only create new problems. There is no problem whatsoever with paper ballots; there's absolutely no need to corrupt the system with technology.

Copyright © 2012, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds