<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Trustworthy Voting Systems</title>
	<atom:link href="http://www.galois.com/blog/2009/03/02/trustworthy-voting-systems/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.galois.com/blog/2009/03/02/trustworthy-voting-systems/</link>
	<description>Galois Blog</description>
	<lastBuildDate>Thu, 11 Mar 2010 04:56:53 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: zimbatm</title>
		<link>http://www.galois.com/blog/2009/03/02/trustworthy-voting-systems/comment-page-1/#comment-319</link>
		<dc:creator>zimbatm</dc:creator>
		<pubDate>Wed, 25 Mar 2009 13:03:00 +0000</pubDate>
		<guid isPermaLink="false">http://www.galois.com/blog/?p=272#comment-319</guid>
		<description>While the system you describe is one of the most convincing I have seen, I still believe the problem is not a technological one. These are some thoughts I had when my government stated that since they used some quantum technology to transmit the ballots to a central database, the system was secure:

Apart from the laudable statement, I believe the biggest mistake was to remove the humans from the process. Given a big enough and generally well behaving crowd to count the votes, it has been verified that abuse could be limited and detected. This is possible because the process is simple enough that each person involved can verify what&#039;s going on.

By throwing cryptography and other technologies into the process, you effectively reduce the number of people who can be involved and thus increase the risks of fraud, which I find kind of ironical because, if the system is secure, you will probably have fewer errors, but on the other hand if the system is corrupted, it may be completely.

All this may sound anti-technological but I am not. It&#039;s just that I believe engineers were given a problem and instead of improving the proven and existing one, they, as usual, decided to re-invent the wheel (or voting in that case).

Hope this brings another interesting point of view.
Cheers,
   zimbatm</description>
		<content:encoded><![CDATA[<p>While the system you describe is one of the most convincing I have seen, I still believe the problem is not a technological one. These are some thoughts I had when my government stated that since they used some quantum technology to transmit the ballots to a central database, the system was secure:</p>
<p>Apart from the laudable statement, I believe the biggest mistake was to remove the humans from the process. Given a big enough and generally well behaving crowd to count the votes, it has been verified that abuse could be limited and detected. This is possible because the process is simple enough that each person involved can verify what&#8217;s going on.</p>
<p>By throwing cryptography and other technologies into the process, you effectively reduce the number of people who can be involved and thus increase the risks of fraud, which I find kind of ironical because, if the system is secure, you will probably have fewer errors, but on the other hand if the system is corrupted, it may be completely.</p>
<p>All this may sound anti-technological but I am not. It&#8217;s just that I believe engineers were given a problem and instead of improving the proven and existing one, they, as usual, decided to re-invent the wheel (or voting in that case).</p>
<p>Hope this brings another interesting point of view.<br />
Cheers,<br />
   zimbatm</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: paul</title>
		<link>http://www.galois.com/blog/2009/03/02/trustworthy-voting-systems/comment-page-1/#comment-306</link>
		<dc:creator>paul</dc:creator>
		<pubDate>Wed, 11 Mar 2009 12:53:07 +0000</pubDate>
		<guid isPermaLink="false">http://www.galois.com/blog/?p=272#comment-306</guid>
		<description>The remarks about publishing scanned ballots are well taken.  The solution may have to be to not allow the voter to touch the ballot.  The voter makes selections on a touch screen and hits &quot;confirm&quot;.  That generates a printed ballot that the voter can see through a glass window.  The voter is advised that if there is a discrepancy between the on-screen vote and the printed ballot, s/he should summon the officials.  On pressing &quot;done&quot; the ballot is (visibly) dropped into a ballot box.

Cryptographic verification that a particular vote was counted is practically useless.  Imagine attempts to use it in the ongoing Minnesota senate election contest (the two candidates are separated by a few hundred votes out of millions) or the notorious Florida 2000 contest.  Do you really expect millions of voters to all run a cryptographic verification on some bunch of weird numbers?  Otherwise there&#039;s no way to detect a few thousand votes being added, or for that matter a few thousand being flipped or suppressed in areas where voters tend not to be computer literate.  We already know that in every election, some votes are lost due to procedural errors or the like.  Cryptography just doesn&#039;t sound like an effective way to tell when this is done maliciously.  The old system of keeping paper ballots locked up under constant observation by representatives of the candidates is a lot more effective if done without gaps.</description>
		<content:encoded><![CDATA[<p>The remarks about publishing scanned ballots are well taken.  The solution may have to be to not allow the voter to touch the ballot.  The voter makes selections on a touch screen and hits &#8220;confirm&#8221;.  That generates a printed ballot that the voter can see through a glass window.  The voter is advised that if there is a discrepancy between the on-screen vote and the printed ballot, s/he should summon the officials.  On pressing &#8220;done&#8221; the ballot is (visibly) dropped into a ballot box.</p>
<p>Cryptographic verification that a particular vote was counted is practically useless.  Imagine attempts to use it in the ongoing Minnesota senate election contest (the two candidates are separated by a few hundred votes out of millions) or the notorious Florida 2000 contest.  Do you really expect millions of voters to all run a cryptographic verification on some bunch of weird numbers?  Otherwise there&#8217;s no way to detect a few thousand votes being added, or for that matter a few thousand being flipped or suppressed in areas where voters tend not to be computer literate.  We already know that in every election, some votes are lost due to procedural errors or the like.  Cryptography just doesn&#8217;t sound like an effective way to tell when this is done maliciously.  The old system of keeping paper ballots locked up under constant observation by representatives of the candidates is a lot more effective if done without gaps.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Aaron Tomb</title>
		<link>http://www.galois.com/blog/2009/03/02/trustworthy-voting-systems/comment-page-1/#comment-305</link>
		<dc:creator>Aaron Tomb</dc:creator>
		<pubDate>Mon, 09 Mar 2009 22:39:37 +0000</pubDate>
		<guid isPermaLink="false">http://www.galois.com/blog/?p=272#comment-305</guid>
		<description>In response to the comments I&#039;ve received on this post, I&#039;d like to make a few clarifications.

First, the distinction between secrecy and privacy is indeed a good one, and one to which I didn&#039;t give sufficient thought. Thanks for pointing it out.

Second, I&#039;d like to say that I don&#039;t make any claims that the approach proposed in this posting is complete. A practical, trustworthy system will certainly depend on mechanisms beyond software. Physical security is important for some of the computer systems that this approach would use, and the existing safeguards in place to protect the integrity of manual, paper-only elections are still important.

However, it&#039;s important to also point out that the number of computers that need to be trusted for this system to work is fairly small. The posting does not, in any way, advocate touch-screen voting machines, or any similar technology. The methods cited work with pen-marked paper ballots and unmodified optical scanners. The scanners need not be trusted, as any malfunction can be detected by the public. The only computer system that needs to be trusted is the one that creates ballots. There may be one of these machines in each precinct, or each county, but probably no more. It is certainly important to verify that this machine is running the intended software, and is protected from tampering.

Third, there&#039;s a key property that I didn&#039;t adequately emphasize in the original posting that systems like Scantegrity have, and that no voting system in widespread use can claim. This property is the ability to check that an individual vote was recorded correctly (not just that the total is correct) without allowing a voter to prove that he or she cast a particular vote. It would certainly be much less appealing to implement an electronic system that has no benefits over a purely paper-based process.

The alternative option of posting a scanned image of each ballot in a public place has two problems: a) it allows voters to make distinguishing marks on their ballots (though policy could dictate that such ballots always be rejected, as I believe they already are), and b) there is still no way to verify an individual vote. Schemes based on cryptography, while certainly more complex, can provide a high degree of confidence that all cast votes are included. Only a tiny percentage of the voting population need check their votes in order to make the probability of fraud effectively zero. The same mechanism also makes it very difficult to inject fraudulent votes, because each vote needs to be verifiable against a secret key.

A final point is that there is one major legal impediment to the adoption of such a voting system. Some states require that unmarked ballots be identical. In the Scantegrity system, each ballot contains a random code under each bubble, invisible at first but revealed by special ink in the marking pen. In addition, each ballot is marked with a unique serial number. However, it may be sufficient that all unmarked ballots are visually indistinguishable, which is certainly achievable.</description>
		<content:encoded><![CDATA[<p>In response to the comments I&#8217;ve received on this post, I&#8217;d like to make a few clarifications.</p>
<p>First, the distinction between secrecy and privacy is indeed a good one, and one to which I didn&#8217;t give sufficient thought. Thanks for pointing it out.</p>
<p>Second, I&#8217;d like to say that I don&#8217;t make any claims that the approach proposed in this posting is complete. A practical, trustworthy system will certainly depend on mechanisms beyond software. Physical security is important for some of the computer systems that this approach would use, and the existing safeguards in place to protect the integrity of manual, paper-only elections are still important.</p>
<p>However, it&#8217;s important to also point out that the number of computers that need to be trusted for this system to work is fairly small. The posting does not, in any way, advocate touch-screen voting machines, or any similar technology. The methods cited work with pen-marked paper ballots and unmodified optical scanners. The scanners need not be trusted, as any malfunction can be detected by the public. The only computer system that needs to be trusted is the one that creates ballots. There may be one of these machines in each precinct, or each county, but probably no more. It is certainly important to verify that this machine is running the intended software, and is protected from tampering.</p>
<p>Third, there&#8217;s a key property that I didn&#8217;t adequately emphasize in the original posting that systems like Scantegrity have, and that no voting system in widespread use can claim. This property is the ability to check that an individual vote was recorded correctly (not just that the total is correct) without allowing a voter to prove that he or she cast a particular vote. It would certainly be much less appealing to implement an electronic system that has no benefits over a purely paper-based process.</p>
<p>The alternative option of posting a scanned image of each ballot in a public place has two problems: a) it allows voters to make distinguishing marks on their ballots (though policy could dictate that such ballots always be rejected, as I believe they already are), and b) there is still no way to verify an individual vote. Schemes based on cryptography, while certainly more complex, can provide a high degree of confidence that all cast votes are included. Only a tiny percentage of the voting population need check their votes in order to make the probability of fraud effectively zero. The same mechanism also makes it very difficult to inject fraudulent votes, because each vote needs to be verifiable against a secret key.</p>
<p>A final point is that there is one major legal impediment to the adoption of such a voting system. Some states require that unmarked ballots be identical. In the Scantegrity system, each ballot contains a random code under each bubble, invisible at first but revealed by special ink in the marking pen. In addition, each ballot is marked with a unique serial number. However, it may be sufficient that all unmarked ballots are visually indistinguishable, which is certainly achievable.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Andreas Krey</title>
		<link>http://www.galois.com/blog/2009/03/02/trustworthy-voting-systems/comment-page-1/#comment-299</link>
		<dc:creator>Andreas Krey</dc:creator>
		<pubDate>Tue, 03 Mar 2009 12:29:25 +0000</pubDate>
		<guid isPermaLink="false">http://www.galois.com/blog/?p=272#comment-299</guid>
		<description>I easily grant that Galois has a lot of awesome technology (and I would consider working there if they weren&#039;t in the US), but basically they all guard against threats that aren&#039;t relevant or applicable in voting systems.

Formal verification is a way to guard against accidental malfunction. Airplanes need working software to not crash. But: The easiest way to bring down an airplane is not to maliciously modify its operating software, but to get a stinger. The easiest way to make an election malfunction in a tiny way *is* to modify the election software.

Likewise, the trusted services engine provably guards against accesses from the wrong side, but it does not guard against physical attack on the machine.

Where I&#039;m voting now, I can just volunteer to work in the election office or even stay after the election closes and watch how the ballot boxes are opened and the contents counted. Those numbers must appear on the official lists for the election.

When there is a machine doing the tallying, I need a degree in formal methods to verify the proof for the software as well as the prover itself - in short: *all* the software that was used to build the voting engine. How many voters are going to do that? Or are even able to do so: in Germany the operating software of some election machines is under a trade secret of the vendor, and only some government agencies are even allowed to look at the code.

And finally: How am I supposed to find out whether the engine is actually running the verified and licensed version of the software (and of the setup of the current election)?

The simultaneous requirements for openness of the voting in total and the anonymity of the individual ballot are ridiculously simple to implement with a ballot box and equally ridiculously complicated to do with machinery.</description>
		<content:encoded><![CDATA[<p>I easily grant that Galois has a lot of awesome technology (and I would consider working there if they weren&#8217;t in the US), but basically they all guard against threats that aren&#8217;t relevant or applicable in voting systems.</p>
<p>Formal verification is a way to guard against accidental malfunction. Airplanes need working software to not crash. But: The easiest way to bring down an airplane is not to maliciously modify its operating software, but to get a stinger. The easiest way to make an election malfunction in a tiny way *is* to modify the election software.</p>
<p>Likewise, the trusted services engine provably guards against accesses from the wrong side, but it does not guard against physical attack on the machine.</p>
<p>Where I&#8217;m voting now, I can just volunteer to work in the election office or even stay after the election closes and watch how the ballot boxes are opened and the contents counted. Those numbers must appear on the official lists for the election.</p>
<p>When there is a machine doing the tallying, I need a degree in formal methods to verify the proof for the software as well as the prover itself &#8211; in short: *all* the software that was used to build the voting engine. How many voters are going to do that? Or are even able to do so: in Germany the operating software of some election machines is under a trade secret of the vendor, and only some government agencies are even allowed to look at the code.</p>
<p>And finally: How am I supposed to find out whether the engine is actually running the verified and licensed version of the software (and of the setup of the current election)?</p>
<p>The simultaneous requirements for openness of the voting in total and the anonymity of the individual ballot are ridiculously simple to implement with a ballot box and equally ridiculously complicated to do with machinery.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Dermot Cochran</title>
		<link>http://www.galois.com/blog/2009/03/02/trustworthy-voting-systems/comment-page-1/#comment-298</link>
		<dc:creator>Dermot Cochran</dc:creator>
		<pubDate>Tue, 03 Mar 2009 12:10:39 +0000</pubDate>
		<guid isPermaLink="false">http://www.galois.com/blog/?p=272#comment-298</guid>
		<description>I agree with all the major points in this article and look forward to seeing complete formal specifications for voting systems.

In response to the previous comment, publishing the unencrypted ballots is not an option. In particular with PRSTV/IRV there are enough preferences on each ballot paper to allow for the possibility of vote signing (a.k.a. &#039;The Italian Attack&#039;).  There has been recent work (see EVT08) which shows how to count ballots cryptographically.</description>
		<content:encoded><![CDATA[<p>I agree with all the major points in this article and look forward to seeing complete formal specifications for voting systems.</p>
<p>In response to the previous comment, publishing the unencrypted ballots is not an option. In particular with PRSTV/IRV there are enough preferences on each ballot paper to allow for the possibility of vote signing (a.k.a. &#8216;The Italian Attack&#8217;).  There has been recent work (see EVT08) which shows how to count ballots cryptographically.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: paul</title>
		<link>http://www.galois.com/blog/2009/03/02/trustworthy-voting-systems/comment-page-1/#comment-297</link>
		<dc:creator>paul</dc:creator>
		<pubDate>Mon, 02 Mar 2009 21:05:47 +0000</pubDate>
		<guid isPermaLink="false">http://www.galois.com/blog/?p=272#comment-297</guid>
		<description>I wish that folks writing about voting systems would stop using the word &quot;privacy&quot; when it comes to securing secret ballots.  The characteristic of a secret ballot is SECRECY, not privacy, and they are not the same thing.  Basically a secret ballot system has to be receipt-free while a private ballot system does not.  

All this cryptographic stuff seems like a waste of time too, unless a way is provided to verify that the code running inside the counting machine is the same as the code that has been certified.  Part of the regulatory structure of the Las Vegas casino gambling industry includes that 1) ROM code is submitted as part of the certification process for a given new model of slot machine; and 2) inspectors from the gambling commission can come into a casino at any time, pull slot machines out of service, yank the ROMs out, and verify that the machine isn&#039;t running rigged code.  Unfortunately it&#039;s a lot easier to technologically defeat such inspections now than it was decades ago when those rules were written.

Fortunately there&#039;s a much simpler way to verify optically scanned ballots.  The election commission runs a scanning machine that scans all the ballots and creates the official scans, which are uploaded to the internet so anyone can download them and run their own counting software.  Also, representatives of the major candidates are invited to bring their own scanning equipment, so the stack of ballots is scanned 3 times (once by the election commission, once by the Democrats, and once by the Republicans).  All three sets of scans go up on the web.  Any significant discrepancies are resolved with a hand recount.  Done.</description>
		<content:encoded><![CDATA[<p>I wish that folks writing about voting systems would stop using the word &#8220;privacy&#8221; when it comes to securing secret ballots.  The characteristic of a secret ballot is SECRECY, not privacy, and they are not the same thing.  Basically a secret ballot system has to be receipt-free while a private ballot system does not.  </p>
<p>All this cryptographic stuff seems like a waste of time too, unless a way is provided to verify that the code running inside the counting machine is the same as the code that has been certified.  Part of the regulatory structure of the Las Vegas casino gambling industry includes that 1) ROM code is submitted as part of the certification process for a given new model of slot machine; and 2) inspectors from the gambling commission can come into a casino at any time, pull slot machines out of service, yank the ROMs out, and verify that the machine isn&#8217;t running rigged code.  Unfortunately it&#8217;s a lot easier to technologically defeat such inspections now than it was decades ago when those rules were written.</p>
<p>Fortunately there&#8217;s a much simpler way to verify optically scanned ballots.  The election commission runs a scanning machine that scans all the ballots and creates the official scans, which are uploaded to the internet so anyone can download them and run their own counting software.  Also, representatives of the major candidates are invited to bring their own scanning equipment, so the stack of ballots is scanned 3 times (once by the election commission, once by the Democrats, and once by the Republicans).  All three sets of scans go up on the web.  Any significant discrepancies are resolved with a hand recount.  Done.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
