Verifiable Elections Via Cryptography

An anonymous reader writes, "Cryptographer David Chaum and his research team have invented a new voting protocol which allows voters to verify that their vote has been correctly cast and counted. This is enabled using a surprisingly low-tech technique of cryptographic secret sharing. The secret — your marked ballot — is split into two halves using a hole punch" You take half home and can verify later via a Web interface how your particular ballot was counted.

What the ... ?

[khasim]

Okay, I've watched the video and read the article.

I still don't understand it. Why does their video have two different types of hand writing on it? Is the voter supposed to write in all the options when s/he votes?

What's to stop someone from getting a copy of the form and threatening you unless you vote the way they want you to? Unless every form is different (is this the part why the hand writing is different?), any attempt to match the vote online can be used to verify that you voted the way you were told

Government

[Lord_Dweomer]

Doesn't this method require a government willing to hold itself up to scrutiny? I love the fact that people are coming up with excellent ways to ensure a secure vote, but the fact of the matter is, nothing has been done to fix the existing holes that have been found in the voting machines that are being used, even after widespread media coverage. New methods of voting aren't going to solve things, getting the existing government out of power so that we can actually implement these ideas will.

Very Pointless Technqiue

[xquark]

Many people here have pointed out the uselessness of this method, not to add the
social pressures it may cause in communities or groups where things have a
to happen a certain way if you know what I mean...

To add to that I can see no place where cryptography is used other than possibly
trying to determine the probability that on any particular ballot card Party A
was on the right or the left, thats just simple probability theory nothing else.

cryptography is probability

[pikine]

Cryptography is all about probability, really. When you use hash functions like MD5 and SHA-1, you're counting on the low probability of collision. When you encrypt something, you're counting on the ciphertext being in a way that your probability of guessing the nature of plaintext is the same no matter how you guess it. A ciphertext that simply looks like random noise isn't enough.

Wow... this is too easy

[Rooked_One]

I mean really... its too easy to be adopted... and you would able to have recounts... no go from the gitgo

Re:

[account_deleted]

Comment removed based on user account deletion

Let's just go back to basic paper ballots

[jesterzog]

If we could just wait a day or so and let paper ballots be counted we would not have these issues. Sure paper ballots could be miscounted but there are more eyeballs, and it would certainly be harder to pull off a massive fraud like what would be trivial with today's Diebold machines.

Definitely. I've just gone and watched the demo, and read a bit about it. Good on these people for coming up with a system where it's (apparently) impossible to prove to anyone else who you voted for, yet still allows for s

Everyone has so far completely missed the point!

[X-treme-LLama]

Good lord! How is it that 70% of people have completely missed the point?

This system DOES NOT allow ANYONE to see WHOM you voted for.

That's right. NO ONE short of the people in charge can see who you voted for. You boss can't make you prove it, nor can your spouse, or whoever else.

All the ballot half you keep records is that you voted A, B, B, A. All you can verify online is that your vote was recorded as A, B, B, A. Because the ballot choices are randomized, no one can tell who A was for your particular ballot. Ahh, but I already hear the tin-foil brigade saying: "But the people in charge can check!!" Really, how? The ID # of your ballot isn't recorded next to your name in the voter rolls, I suppose someone who had access to all the decryption keys could fingerprint each and every ballot, but anyone who can get ahold of any of the paper ballots can do that now. Is it no less secure than any traditional method of voting, and superior in a vast number of ways. As long as a few percent of people check that their votes match what they recorded, elections will be a lot closer to tamper-proof.

How did so many people fail to figure all that out?

Because it is snake oil

[wwwrench]

No.
True, the system doesn't allow people to sell their vote, but it doesn't allow people to actually verify their vote either. As I mentioned in a previous post:

Basically, the method you describe only lets me verify that the ballot was thrown into some machine with the left side marked or the right side marked. It then counts the vote as being for Al Gore or George Bush based on some machine which matches my ballot (left or right side), with the machine's knowledge of whether left or right means Al Gore or

Re:

[ralphbecket]

But how do I know that the cheating doesn't happen at this stage? It would be very easy for the machine to count all votes as being for George Bush regardless of what the bottom half of the ballot says (because the bottom half of the ballot has been destroyed).

No, because...

It claims to get around this by some auditing process.

If you READ THE POXY PAPER you would understand the auditing process. The candidates can audit 50% of the votes to check that they were counted correctly without violating voter anon

Re:

[swillden]

Sure, by opening up the right side of 50% of all votes, and the left side of the other 50% you can verify that the tables are indeed correct.

No, you open up the right side of 100% of the votes and the left side of 100% of the votes -- but you permute the votes so that they can't be lined up. This is why multiple mapping tables are used.

But that still does not mean they are counted correctly.

Yes, it does. All of the tables with the decrypted vote sides opened provide everything you need to tally the

Re:Everyone has so far completely missed the point

[NoData]

You're right. However, this system has a more basic issue: A generalized variant of the "Stroop" effect [wikipedia.org] as we call it in psychology. People excpect consistency. This system relies on randomization of both "letter" assignment (A. or B. to choice 1 or 2) and randomization of side (A or B is on left or right). This is a clusterfuck in the making. People expect the first choice to correspond to the leftmost option, and that the first choice will be choice A. Always. Furthermore, on a ballot, people expect i

Re:Everyone has so far completely missed the point

[mattwarden]

How did so many people fail to figure all that out?

How is it that you've been a Slashdot member since at least July and you're still asking questions like this?

Re:Everyone has so far completely missed the point

[twiddlingbits]

Bad assumptions. 1) Ballot Choices in all states are NOT Randomized. Some use National, State, Local and within that alphabetical order, some incumbents first, etc. so for someone to know your vote from the A,B,B, A receipt they just have to know the order. Many states also print up Sample Ballots which could also be used to check up on someone based on the choices on the receipt. 2) Someone else posted that Ohio does associate your ballot number with your name so your secrecy is gone already that way.

I wou

Old News, Old Problems...

[evilviper]

This is the same ancient idea, with the same ancient problems...

It allows for extortion and buying of votes (others can verify who you really voted for).

There's no guarantee that the machine verifying your reciept, is acurately reflecting how your vote was really counted, as opposed to counting all votes in reverse.

It does nothing to stop dead (or phantom) people from voting. They aren't going to complain...

How different is it to...

[Antony T Curtis]

I posted this on Slashdot a couple of months ago... How different is the concept?

http://it.slashdot.org/comments.pl?sid=192817&cid= 15828335 [slashdot.org]

Is it compatible with other voting systems?

[Jacques Chester]

It only seems suitable for first past the post voting. How about those of us with instant runoffs?

Handcounting: How Slow Is It?

[kthejoker]

My district has roughly 650,000 voters in it.

Let's assume we have the best turnout in a non-Presidential election in the past 40 years: 54%. That's highly unlikely - no one's really contesting in my district (our guy's an old time shoo-in) - but who knows? People might show up.

54% of 650,000 = 350,000, give or take a few.

How long would it take to count 350,000 votes for something?

Let's assume a person can count 1 vote every 3 seconds. Count it out loud. "1. 2. 3." It's pretty slow, actually, but let's be fair: some of our more civic-minded people are also some of our eldest, and they're a bit slow.

So 1 vote every 3 seconds, that's 20 votes a minute, which is 1200 votes an hour.

350,000 / 1200 = 291 man hours.

In 8 hour shifts, that's 37 people. And considering my district is spread out over 30 towns, that's roughly 1 person per city - 2 for some of the larger ones. Find 37 more people and you've even got redundancy.

And that's if you want it done in one day.

How about the Presidential election? 2004 was considered a banner year for turnout. Number of voters? 122,294,978. We'll round it down to 120 million. Again, 1200 votes an hour: that's 100,000 man hours.

8 hour shifts, that's 12,500 people. Again, that's in 8 hours, reading 1 vote every 3 seconds. If you got it down to 1 vote every 2.5 seconds (and trust me, when things are repetitive, it's easy to speed through), suddenly you only need 10,417 people.

You've just laid off 2,100 poll workers in half a second.

There is no reason at all for a backlash against paper balloting. It is quick enough. In fact that should be the motto for all paper balloting:

PAPER Balloting: It's Quick Enough.(TM)

Re:

[KillerCow]

I'll sell my vote for $500, you can even verify it with this hole thingy.

$500? Sorry bud, if you want to keep your job, you will vote the way that the company tells you to.

Re:

[Planesdragon]

$500? Sorry bud, if you want to keep your job, you will vote the way that the company tells you to.

Can you say "unlawful termination?" I knew you could.

All it takes is one employee willing to fork over the $250 to file a court case, and they get to own the small business they work for. Governments and publicly traded businesses already have pretty strong employment rules against that, leaving only the "small business" as a bastion of that kind of stupidity.

Re:

[Feyr]

i don't think that's the major problem you would face. it would be more like an unwritten, never formulated "law" where you have to vote X or you could find yourself passed over for promotions, given the shit jobs and all that to make YOU quit, no unlawful termination business, and virtually impossible to prove

Re:

[Broken scope]

It is none of their fucking business who i vote for. If they ask me to volunteer i will fucking sue them right back to the fucking hole they crawled out of. It would be in civil court, you could easily win if they asked to see your ballot. God, I'm cynical but even you pissed me off.

Re:

[TheRaven64]

Exactly. Voter-verifiable voting is not the issue. Ideally, you want to be able to verify your vote but not prove your verified result to a third party. This is a very difficult problem, and I don't know of any solutions.

Re:

[KillerCow]

Voter-verifiable voting is not the issue. Ideally, you want to be able to verify your vote but not prove your verified result to a third party. This is a very difficult problem, and I don't know of any solutions.

The solution is to physically see your physical vote dropping into a one-way tamper-proof container.

Re:

[Fahrenheit 450]

I love it when people talk loudly about things they don't understand. There are a number of information-theoretic secure constructs in cryptography that are unbreakable no matter how much computational might you bring to bear on the problem. One simple example is Shamir secret sharing (and the many variants) where you essentially have a system of equations with fewer equations than unknowns, thus like one time pads, every assignment is equally likely to be the correct solution to the problem.

Re:Start your biding...

[aprilsound]

Actualy if we all went and RTFA first, we would see that they have solved the problem. You can't prove how you voted to someone who didn't see the other half of the ballot you voted with.

Unless the ballot forms are random ...

[khasim]

You can't prove how you voted to someone who didn't see the other half of the ballot you voted with.

Unless the voter is expected to write in the various options (that's stupid), or the ballot forms are randomly generated (that's expensive), it would be easy for anyone who voted to check whether your receipt matched his/her's.

Unfortunately, from the video, I cannot tell which approach they are advocating.

Re:

[aprilsound]

They don't need to be very random, just have as many variants as contenders. So there is a ballot version where each candidate gets to be 'A'.

That also takes care of biases towards the person at the top.

And numbered non-sequentially.

[khasim]

Remember, the ballots are numbered. So the printing process has to run off X variations where X is the sum of every candidate running for every office listed on that ballot.

And the ballots cannot be numbered sequentially. Or it would just be a matter of checking what version of the ballot was in that sequence. This can be done with friends and family who are already going to vote the way you do. Just stagger their voting throughout the day.

This system also depends upon a computer to remember which windows w

Re:And numbered non-sequentially.

[Catskul]

This is stupid. Rather than go through all of that, why not just focus on getting the basics done and done right? Leave "verified" voting until after we've managed to identify who can vote and that their votes are actually counted.

You are so right... how stupid for those cryptographers to be doing research that might improve voting verification when we haven't even cured cancer yet.

Re:

[YU Nicks NE Way]

It's not at all expensive to randomly produce two separate forms and shuffle them together. That's enough to take care of the most straightforward forms of ballot fraud. The system still seems defeatable to me, but it is not stupid, and does take care of the worst of the problems implicit in receipt-based voting.

Re:

[Mydron]

Okay, so you check whether your choice was correctly entered. You voted B and lo, the website shows you that you voted for B. You know that B corresponds to Coke -- vote verified. Phew.

But wait, what have you really verified? Only you know what B corresponded to... for all we know, thanks to a bug in the software (malicious or otherwise), the computed tally counted your vote B as a vote for Pepsi. We have to trust that the computer actually tallied the vote properly. We have to trust that the computer co

Re:Start your biding...

[ralphbecket]

If you had read the paper (it isn't complicated) you would know that
- you can only verify that the mark you made was the mark that was recorded, you cannot verify which option you marked
- the auditors (normally the candidates) randomly sample the ballots before and after the election in such a way that they can verify statistically that counting proceeded fairly without violating voter anonymity. The chance of k miscounted votes going undetected is 1/2^k, so just thirty miscounted votes will have less than one in a billion chance of going unnoticed.

What on Earth does this system have to do with touch screens?

Re:

[neoform]

Funny how in a government with a GDP of $11,000,000,000,000 it takes programmers working for free to make a system that is actually secure in order to maintain democracy..

Shame is the only thing I feel right now.

Re:

[EvanED]

So why do this again if the voter can't verify it?

The voter CAN verify it, at least in part. The voter CAN'T prove it to anyone who isn't Vulcan (and thus able to do a mind meld). As a voter, you can remember "Zaphod Beeblebrox" was the second candidate listed, I voted for Zaphod Beeblebrox, look at the site and see that it recorded that you voted for the second candidate. But if someone else asks "which spot was Zaphod Beeblebrox, you didn't vote for him, did you?" you can say "no, Zaphod was the first can

Re:

[SpaceLifeForm]

How about a hash on the selections in combination with a passphrase.

Sorta PGP/GPG signed and encrypted.

Re:

[140Mandak262Jamuna]

Vote verification can be performed only in your local library computer. Need to show ID to get to the terminal. And you can verify the vote of only the name mentioned in the ID. But would people go through the hazzle to verify? But some will do. And the threat of verification would remove the incentive to try to hack the elections.

Re:

[Vexorian]

They could really easily fix this. The machine could give you 2 codes, one gives you your vote and the other one gives you the exact opposite vote.

Re:

[Duhavid]

RTFA? I dont know, but it might work.

Re:

[ShadowBlasko]

Says on my Social Security Card that the card is not to be used for ID purposes, yet I am forced to show it to register a car in Ohio.

(No, additional ID will not suffice according to the Batavia, Ohio BMV)

Just because something is illegal does not stop it from being abused on a large level.

Or are you not from the USA? That might explain you missing the last 6 years here.

Re:

[TheRaven64]

And I have seen postal services in other first world countries (Germany, Italy, England, Spain) where the level of reliability doesn't even compare because the penalties/enforcement is laughable.

In the UK, tampering with the mail is a serious crime. This is only a comparatively recent law. Originally mail carried by the Royal Mail was regarded at the property of the monarch and so tampering with it was regarded as treason. I very much doubt that the USA has stricter laws than that...

"Illegal" doesn't scare criminals...

[NotQuiteReal]

if it's made into federal law that it's illegal to force anyone to show their vote

That's retarded. If it can be done, someone will do it.

Trust me, you are far better off with a system where "they" can't know that you didn't vote against them. They may still break your legs anyhow, but they'll never know how you voted.

BTW, I think breaking your legs is against the law too. Lots of things are against the law.

Laws solve no problems. Laws only provide the means to legally punish offenders, if they are c

Re:

[ben there...]

What's worse:

Votes that may be bought, but if the buyer is successful enough to sway an election, it's completely obvious to all parties involved?

Or, votes that may be electronically flipped, without anyone even knowing it happened?

Re:

[biocute]

No no, what is better:

Vote, and get stuck with a bad government for four years, or

Get paid to vote, and get stuck with a bad government for four years

Re:

[wwwrench]

Yeah, I haven't RTFA but it sure sounds like snakeoil. You can't have a scheme which allows each individual to verify their vote and do so in a way which doesn't allow them to prove how they voted (and thus sell their vote).

But one could imagine more robust schemes which allow voters to verify the total tally of the vote without allowing any individual to prove how they voted. But I seem to remember that it has actually been proven that even this is impossible. Or perhaps it is just believed to be inpossi

Re:

[aprilsound]

Here's how it works:
Top sheet of paper says, "Do you want A. The Simpleton B. The Communist", but on the next ballot they are reversed, e.g. "Do you want B. The Simpleton A. The Communist"
The bottom sheet just has the options "A or B" you mark one and keep the bottom half that just shows you voted for 'B'. No one is going to pay you/beat you up for voting for an arbitrary letter.

You can then go home and lookup your ID number and it will show you the bottom half, again confirming that you voted for 'B'. Bu

Re:

[AuMatar]

But then you can't verify that your vote was counted for the correct candidate, making the entire idea pointless. You can't have a secret ballot with verification, its just not possible.

Re:

[Jeremi]

But then you can't verify that your vote was counted for the correct candidate, making the entire idea pointless. You can't have a secret ballot with verification, its just not possible

I don't think it's necessarily impossible... it would be a form of zero-knowledge proof [wikipedia.org]. As defined by Wikipedia:

In cryptography, a zero-knowledge proof or zero-knowledge protocol is an interactive method for one party to prove to another that a (usually mathematical) statement is true, without revealing anything other than

Re:

[Tharkban]

...and the person that reverse engineers/has access to and leaks the random number generator/sequence.
I'm not sure whether that's an acceptable risk or not. I've been an election judge, I'm not sure I would trust the system not to have leaks...I certainly had enough access that I could have take such a sequence had it been used. Whomever has access to the ballots before the voters use them, can write down the mapping.

Re:

[jamie]

Incorrect, there's an audit of that. Watch the overview [punchscan.org], esp. the 2nd part of introduction and "security."

Re:

[wwwrench]

No, there can be an audit (of the software for example), but that can (and should) happen already. Basically, if the candidates are allowed to look over the shoulder of the ballot counters, then that is an audit. But this can happen already (its what happens in many elections outside the states where the ballots are counted manually, and there are scrutineers). So how is this different?

The solution is manual open counts or opensource machines. Not some scheme like this...

Re:

[JimBobJoe]

But how do I know that the cheating doesn't happen at this stage?

As far as I can tell from the technical paper [punchscan.org] the election authority creates twice as many ballots than needed, and then half of them are randomly selected for auditing prior to the election. With security and other auditing controls, once the ballots and the machinery pass the auditing test, all you need to do is ensure that the counting machines and other half of ballots are not tampered with prior to the election.

Re:

[EvanED]

You're right of course, but there IS one thing that this would detect, which is scanning errors. It wouldn't detect the computer counting "left" as "Zaphod Beeblebrox" when it should have said "Yooden Vranx" (let's stay away from real politics), but it would detect the computer counting "left" as "right".

If the counting software could be otherwise verified correct, that would give a higher assurance that votes are counted correctly than is presently possible.

The real reason it won't fly

[Beryllium Sphere(tm)]

>No, I disagree that that system works (again, I haven't RTFA

It's auditable, unlike certain other systems that have actually made it to the field. Machines that cheat can be detected.

The real problem is the one shown by the discussion in this thread. Even career computer people (both the posters and the moderators) can't understand what the security properties are. Understanding how the security properties are met requires some crypto knowledge which is not common among the electorate.

It looks like this

Re:

[pHatidic]

There is a video on the website that explains how this works [punchscan.org].

Re:

[Jeremi]

If its done by a machine its safer as there is less handling by humans and there is a paper (or source code) trail.

If it's done solely by machine then nobody is able to check that the machine counted correctly... you just have to trust the people who created the machine to be honest (and competent!). That isn't acceptable. The safest way to count ballots is to have a Democrat and a Republican (and a representative from any other interested party) sit down at a table together, in public, and have them tall

you can't verify the vote with this system

[JimBobJoe]

I'll sell my vote for $500, you can even verify it with this hole thingy.

The slideshow is a little opaque, but the concept is you can't. The only way you can tell how the voter voted is by having both pieces of paper. (Look closer at the paper being shredded. While there is a mark on it, it was the piece of paper the voter kept that indicated whether that mark was for A or B.)

Their website has a .pdf on it that explains how it works [punchscan.org] better than I can...particularly because I'm still trying to wrap my head a

Re:

[mattwarden]

If you're talking about a vote in the US elections, you have severely overpriced it.

Re:

[victim]

You can have a system where a person can verify their vote, but not prove to a third party that they voted a particular way. Consider... each ballot has a sequential number on it. The voter remembers (or writes down) this number when they vote. Later they can look up their ballot and see that it was tallied correctly.

Since the valid ballot numbers are known you could just sift through for a ballot and claim it is yours if you want to collect your voting selling payment, but then the vote buyers would know t

Re:

[linuxmop]

I'll post without reading the article, reading the FAQ, or viewing the sample video; you can even verify it by my stupid comment.

RTFA.

Re:

[harlows_monkeys]

I'll sell my vote for $500, you can even verify it with this hole thingy

Maybe you should RTFA. The receipt can't be used to prove your vote to a third party.

Re:

[mochan_s]

The hole thingy only says if your vote was counted or not as you voted.

So, just a yes or no answer.

You'd ask the webserver to send you a text and you do some computation with your portion of it. Then, your computer tells you yes or no.

Exactly the problem.

[Irvu]

Exactly the problem. The very reason that votes are typically retained by the people who conduct elections and copies are not sent home is to avoid vote-selling and worse, intimidation. As a basic upshot consider the problems of a few decently-armed thugs going house-to-house and pointing guns to people's heads to confirm that they voted the right way. Given enough terrified individuals you can easily manipulate a local election if not a national one. If a sufficient number of thugs can be rounded up (a

Re:

[account_deleted]

Comment removed based on user account deletion

This system prevents that problem

[billstewart]

David Chaum [wikipedia.org]'s done a lot of work on the topic of secure voting, and this is a really cool simplification of some of his earlier work. It's nice and low-tech, and still does the job. If you go read the Punchscan.org FAQ [wikipedia.org], the second item is about preventing coercion and verifiable-vote-buying.

Of course, this doesn't prevent traditional vote-tampering methods from working, like

• TV commercials scaring voters about the other parties, or
• politicians making bogus promises, or
• dead people voting (as long as people with their names show up to vote), or
• election departments not providing enough voting machines or ballots at heavily-one-party-dominated precincts, or
• election officials invalidating registrations of people in the wrong party, or
• police harassing motorists in black areas on the way to the polls, etc.

But at least it's better than Diebold.

Re:

[tibike77]

[...]allows voters to take a piece of the ballot home with them as a receipt. This receipt does not allow voters to prove how they voted to others, but it does permit them to:
Verify that they have properly indicated their votes to election officials (cast-as-intended).
Verify with extremely high assurance that all votes were counted properly (counted-as-cast).

You were saying what about "bring receit or find another job" ?

Re:

[buswolley]

Yeah... This is one reason why we have a SECRET BALLOT. Its hard to sell your vote if you haven't got a receipt.

Re:

[QuantumG]

Nah, see, what's really scary is the people who modded me up to +4 without reading the article. That's democracy.

Yes, it could cause more problems than it solves

[wasted]

I agree. If your vote was counted wrong, there isn't anything that can be done about it. If you believed your vote was counted wrong and it could be changed if in error, there would be the problem of folks claiming their vote was counted wrong to tie up the process of acting on the election results. For example, if vote verification was implemented today in California, and people had the ability to contest the election, Proposition 85 (which would require parental notification 48 hours prior to performi

Re:Yes, it could cause more problems than it solve

[rkcallaghan]

wasted wrote:

what is the point of verifiable voting?

Imagine for just a moment, that the elections in 2000 and 2004 had been just as they were; but with verifiable voting in place. Yes, all those things you mentioned are reasons we should not allow the process to get tied up in what would surely be an exercise in poor sportsmanship.

What we had were polls that were drastically different for the first time in our countries history. Were votes changed with bogus electronic voting machines, as some say?

Re:

[wasted]

You make a good point, and I agree with your point that there is a purpose to verifiable voting, but I don't think it should be left to the individual. For example, if I recall correctly, the Gore/Bush vote in Florida was done on voting cards, and the vote by vote recount proved Bush won, even though the votes of many overseas servicepeople (who vote Republican more than Democrat) weren't counted due to missing postmarks. The punch-card votes allowed the votes to be verified. A few overzealous (sp?) peop

Re:

[Jeremi]

Besides which, what do I do if I discover I voted wrong? Nothing.

Of course not. You don't get to go back and change your vote after the election. It's your responsibility to double-check your ballot before turning it in.

What if mine was counted wrong? (don't know how that works, more privacy invasion I imagine) I suppose I could call and ask for a recount (2000 anyone?)

If, say 5,000 people all find that their votes haven't been registered correctly, they could report it to the elections board, or if that

Re:

[Qzukk]

It would be interesting to come up with a receipt system that could be used to prove that you voted for whoever you wanted to prove you voted for. For instance, a square card, rotate it 90 degrees and you voted Democratic instead of Republican, or flip it upside down and rotate 180 for third party. As long as you remember which way was up, you'd be able to figure out who you voted for.

Of course, using such a system where the machine gives candidate A 100000 votes and candidate B -5000 votes doesn't help m

Re:

[dman123]

You are of course correct in principle, but not necessarily for this method. It seems to allow the ballots to be mixed so that picking the first choice on one is not the same as the first choice on another. The vote-buyer will never know how you voted. (Watch the flash movie at the link.) However, this presents a problem just as bad as you describe... the non-secret ballot. The vote counting people now know how you voted. Well, they would if they tracked the ID number that you keep. That's unacceptable.

Re:

[aprilsound]

The vote counting people now know how you voted. Well, they would if they tracked the ID number that you keep. That's unacceptable.

I think the point of the paper is that you can just have a box full of these things and let the voter pick one at random so they don't know what your ID number is. They could log access to the web site, but you could always go to the library.

Re:

[Aim Here]

I dunno about Leftpondia, but us UKians have had unsecret "secret" ballots for decades. Every ballot paper has a serial code written on it, and when you turn up to vote, they write that serial code beside your name in a ledger and hand you your ballot paper. There have been reports by vote counters, going back 60 years now, of Special Branch officers (our secret political police AND the people who look into electoral fraud) removing the boxes of left wing candidates for further examination. They then have 6

Re:

[Aim Here]

Hmm, the reports I'm thinking about go back to the 1940s right through to the 1970s at the very least - your article talks about the practice since the RIPA in 1983, so perhaps that law streamlined the process of mass political spying so that Special Branch didn't need to get involved. (That might partly account for the 3 million subversives that MI5 was keeping tabs on by 1991).

counting votes

[pikine]

The machine doesn't keep the "printed" ballot configuration. Instead, it randomly generates an equivalent imaginary ballot such that if you know which side you voted for, your vote will be counted the same on your printed ballot. The trick to protect secrecy is that they allow election official to check only one side for any given ballot. Don't know if that could be enforced, however.

ballot "side"

[pikine]

By the way, in their terminology, a "side" is the box that you color your vote, painting through the top and bottom sheets.

Re:

[monkeydo]

So, when you check your vote, it tells you right or left, but it doesn't tell you which candidate that was. It would seem the computers could still be programmed to count the votes however you like, and still spit out the correct answers to right or left. By design, there is no way to correlate right and left to particular candidates. So, even if you had ALL of the data and could count all the votes yourself, but without knowing what each R or L represents, you have no way of verifying the results.

Re:

[mrcaseyj]

I was thinking that it was an important goal that votes not be verifiable by vote buyers or extortionists like bosses and husbands, but then I realized that the current absentee system has no secrecy anyway. In my area I'm not even allowed to vote any other way but absentee. Absentee balots could ruin the election even for people who don't vote absentee.

By the way, why are so few posts getting modded up the last couple of days? In the article about melting arctic ice only 7 out of 250 posts got modded above

Re:

[Pink Tinkletini]

It's because Slashdot is dying. [google.com]

Re:

[rthille]

Since I can revoke my absentee ballot, you'd have to keep me from getting to the elections office to revoke my ballot and re-vote.
Of course that's possible, but so is terrorizing people who would likely vote against your desires as well...

Re:

[mrcaseyj]

I think you're right. I don't see this problem listed in the Bugs list so I'm going to submit a bug report.

Re:

[twiddlingbits]

Mod points are being handed out, I just got some last Friday. I get some about every 10 days. I think there is some formula based on posting frequency, karma level and scoring of posts but I can't prove it.

Re:

[JimBobJoe]

Interestingly, paper voting trails on DRE machines can cause a similar issues.

Here in Ohio, when the voters credentials are verified, the voter is issued an authority to vote slip which has a number (first one of the day is 1001, next one is 1002, et cetera.) The number on the slip is written in the pollbook.

The pollworker would put the authority to vote slip in an envelope stuck to the side of a machine. That was ok, because even though we knew John Smith was issued slip #1055, and that he voted on machine

Re:

[saforrest]

Why the hell was this modded "Troll"? It's a very good point.

Presumably, one could gain some benefit from a system such as the on proposed -- without creating this particular problem -- by allowing the cryptographic stub to used merely for confirmation that _a vote had been counted_, but not whom it was cast for.

Re:

[Dr. Eggman]

Bah, the public is a push over. How do you think we got into our electronic voting situation as it is? We've already broadcast all the fears of electronic voting. All we need is a couple "hanging chads" style incidents involving electronic voting systems then have some "experts" (marketers) present this solution to the public shortly after. They'll all be clamoring for it and it'll be installed in time for the 2008 election.

Re:

[Firehed]

Well chances are at this point that your vote is just being tossed, ignored, destroyed, miscounted, or spoofed. Might as well make a few bucks since if it doesn't mean anything anyways.

Re:

[Jeremi]

I will sell my vote for $100. Lets just me more direct with this political corruption :D

Aim higher, my good man. Sell your vote to the Republicans for $100, to the Democrats for another $100, and maybe you can also get the Greens and Libertarians to chip in $50 each. Since you won't be able to prove who you voted for, none of them will be any the wiser. :^)

Re:

[Watson Ladd]

Like counting people barred from voting as part of the population in redistricting calculations isn't cheating? Or imposing burdensome ID requirements? Or barring people from voting on the basis of *similar* names to those of felons? Or changing the distribution of voting booths to make your supporters able to vote faster then your opponents supporters? Or how about confusing ballots? When it comes to elections, the appearance of impropriety is improper itself. Or what about approving voting machines which

Re:

[edbarbar]

I love it, the appearance of impropriety is improper itself.

How about the willful manipulation of the appearance of impropriety is a severe attack on our democracy, and should be viewed as seditious.

Really, all this stuff is in the noise, and is a complete distraction. Consider how much more variation there is due to the weather or the press incorrectly calling the election for Gore.

The real wackos think someone might actually rig the voting machines. As if a political party would have so much stake in on

Re:

[Jeremi]

Maybe the press and liberals will stop complaining when they lose elections, and start focusing on the real issue. Voter fraud brought about by liberals

Fascinating... the liberals have been fixing the vote so that they themselves lose the elections? No doubt it's all part of their devious strategy to avoid responsibility for the Iraq debacle by keeping themselves out of power. Those wily bastards! They won't get away with it this time, though, the GOP has their number for sure!

And don't even get me sta

Re:

[The_Wilschon]

eh? How do you go about verifying a single vote then? Individual vote verification is a serious problem and a threat to democracy (vote-buying/bullying), so if you've figured out a way to do it, it might be a good idea to try to do something about stopping it.

Re:

[Jeremi]

Basically, if you check your vote, your vote can be determined... trivially. Or at least that vote from that house-hold. Which is "good enough" for profiling purposes

There's no reason that the ACLU/NRA/NAACP/(insert your preferred organization here) couldn't set up proxy servers that would hide the user's IP address from the government. All the government would know is that the request came from such-and-such and organization.

Re:

[penguinboy]

The ISP doesn't need to sniff the traffic; IP addresses could be logged by the voting servers. That data could then be correlated with account information via ISP records.

Re:

[Slashcrunch]

If you don't trust the end service (in this case the voting servers) then you have a serious problem to begin with. No amount of cryptography will get around that issue. The service verifying the data must be trusted by the user.

It wouldn't be easy

[HangingChad]

Electronic voting has fairly demonstrably been adopted for the express purpose of more easily committing fraud.

First, I agree with you that voting needs to be open and verifiable. That's probably the only thing 91% of the electorate agrees on.

But I'm not sure electronic voting fraud on a national scale would be all that easy. Not all the voting machines are made by one company and the voting process can be quite different place to place. Though I'm sure cheating here and there has occurred, fraud on

Re:

[EvanED]

RTFA

Believe me, it can be done. Before this, I didn't believe it was possible (besides some external enforcement, like "verify your vote in this room after we check your ID with 100% accuracy"), and I nearly posted a comment about it, but then I decided to look at the actual method. And actually, to some extent, it works.

It CAN'T be used to prove that you voted a certain way. (At least to non-Vulcans or other telepaths. Or people with polygraph machines.) It also can't be used to verify that your vote was a

Re:

[frdmfghtr]

Go read their faq. This system is better and simpler. It even allows potentially for ballots to be reconstructed from the receipts if the polling place was blown of the face of the earth.

Simpler? How do you get simpler than putting a big black "X" next to your selection on a ballot and dropping it in a locked box? Lining up holes, encrypted receipts, there is NO NEED to make things this complicated.

Remember: KISS