Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Maryland Town Tests New Cryptographic Voting System

samzenpus posted more than 4 years ago | from the super-safe-voting dept.

Security 227

ceswiedler writes "In Tuesday's election voters in Takoma Park, MD used a new cryptographic voting system designed by David Chaum with researchers from several universities including MIT and the University of Maryland. Voters use a special ink to mark their ballots, which reveals three-digit codes which they can later check against a website to verify their vote was tallied. Additionally, anyone can download election data from a Subversion repository and verify the overall accuracy of the results without seeing the actual choices of any individual voter."

cancel ×

227 comments

Sorry! There are no comments related to the filter you selected.

first vote! (1, Funny)

Anonymous Coward | more than 4 years ago | (#29988374)

457

Interesting, but... (1, Insightful)

allknowingfrog (1661721) | more than 4 years ago | (#29988388)

This is an interesting idea, but I wonder what additional cost and labor is involved? I know the Florida ballot count debacle wasn't all that long ago, but are we that concerned about votes not being counted?

Re:Interesting, but... (2, Funny)

Anonymous Coward | more than 4 years ago | (#29988526)

I know the Florida ballot count debacle wasn't all that long ago, but are we that concerned about votes not being counted?

If we were concerned about people's votes not being counted would we be testing a Cryptic New Voting System? ... Oops sorry, Freudian misread.

Re:Interesting, but... (5, Insightful)

noundi (1044080) | more than 4 years ago | (#29988540)

but are we that concerned about votes not being counted?

I was about to write a long reply about how democracy depends on the fact that bla bla bla... and how you cannot trust people, especially what in politics and bla bla bla... but you asked a simple question so I'll give you a simple answer:
 
  Yes.

The Real question... (4, Insightful)

gd2shoe (747932) | more than 4 years ago | (#29988606)

Ok, so this system proves that your vote reached the tally server, but how does it prove that your vote is actually in the total?

I'm serious. Just because your vote wasn't lost, doesn't mean it was counted. This helps guard against grievous mistakes, not against wholesale fraud.

Re:The Real question... (1)

noundi (1044080) | more than 4 years ago | (#29988728)

Ok, so this system proves that your vote reached the tally server, but how does it prove that your vote is actually in the total?

I'm serious. Just because your vote wasn't lost, doesn't mean it was counted. This helps guard against grievous mistakes, not against wholesale fraud.

I'm confused, are you replying to me? I only answered his question if we are concerned about votes not being counted. I never said nor did I imply that this was the right or the wrong way to do it.
 
But to answer your question, the only way to make sure of this is if the software that is in use is completely open source. That way anybody who's interested may view the source and follow the the procedure, from submission to results.

Re:The Real question... (1)

gd2shoe (747932) | more than 4 years ago | (#29988894)

I know the Florida ballot count debacle wasn't all that long ago, but are we that concerned about votes not being counted?

(Implying issues about votes being lost accidentally)

.. and how you cannot trust people, especially what in politics and...

(I interpreted this as votes being lost intentionally; inline with my post)

I was pointing something out. It was both on-topic (closely related to your "simple answer"), and highly visible (near the top of the thread).

This is Slashdot. A reply doesn't need to be a direct response to be on topic. There'd be very little discussion if there were. Maybe I should have shoehorned my response, rephrasing it to more closely match the wording and context of your post. I thought that would have been superfluous. Two posts later, and it probably would have been cleaner if I did.

Re:The Real question... (1)

Runaway1956 (1322357) | more than 4 years ago | (#29989374)

I dunno. But, at least this appears to be a step in the right direction. Open government - wow.

There's supposed to be some independent monitoring scheme, which is good. I suppose that in and of itself, this isn't enough to keep things honest. But the concept of allowing a citizen to look into the workings of the ballot system any further than the booth is good. Given some time, some interest, and some ingenuity, we could be looking much further inside the system.

Open source. Open government. Transparency. Gotta love it. Maryland never was high on my list of favorite states, but they've just moved up a couple notches. They've left Florida sucking dust, anyway. ;^)

The Real answer... (0)

Anonymous Coward | more than 4 years ago | (#29989490)

is 42.

Re:The Real answer... (1)

gd2shoe (747932) | more than 4 years ago | (#29990108)

"I've always said there was something fundamentally wrong with the universe."

Re:The Real question... (1)

jhol13 (1087781) | more than 4 years ago | (#29990312)

You can get, say, 100 friends, download the subversion repo and check that all your votes are counted in your copy of the repo.

Therefore official count very likely has all votes, and without grand scale fraud definitely your vote. I'd say more likely than in paper ballot.

Similarly *I assume* the repository can be checked that there are not (many) extra votes.

Re:The Real question... (1, Interesting)

Anonymous Coward | more than 4 years ago | (#29990522)

Ok, so this system proves that your vote reached the tally server, but how does it prove that your vote is actually in the total?

I'm serious. Just because your vote wasn't lost, doesn't mean it was counted. This helps guard against grievous mistakes, not against wholesale fraud.

This is covered in their paper:

http://www.scantegrity.org/papers/ScantegrityII-EVT.pdf

It can be done via independent auditors, and the code is available so you can do it yourself if you want.

Re:Interesting, but... (1)

icebike (68054) | more than 4 years ago | (#29988924)

I'm far more concerned about phantom votes being counted than real votes not being counted.

There is a long history of not counting write in candidates and absentee votes when the total number of such ballots does not exceed margin the winner holds.

Many people just start whining when you tell them this and insist every vote be counted, but it is irrational emotionalism unswayed by 3rd grade math skills.

Re:Interesting, but... (3, Informative)

swillden (191260) | more than 4 years ago | (#29989000)

I'm far more concerned about phantom votes being counted than real votes not being counted.

Both are real issues. There are plenty of examples of ballot boxes getting "lost", so those are real problems. Dead people voting, multiple votes, systematic exclusion of voters (not losing their ballots, but preventing them from voting), all of these things are problems.

This system doesn't solve all of those other problems, but it does solve the problem of votes getting lost, altered or counted incorrectly. And it does it in a mathematically-provable fashion.

See the paper [scantegrity.org] .

Re:Interesting, but... (3, Insightful)

NoYob (1630681) | more than 4 years ago | (#29988964)

but are we that concerned about votes not being counted?

I was about to write a long reply about how democracy depends on the fact that bla bla bla... and how you cannot trust people, especially what in politics and bla bla bla... but you asked a simple question so I'll give you a simple answer: Yes.

To most people it's only "Yes" if the election doesn't go their way.

Re:Interesting, but... (0)

Anonymous Coward | more than 4 years ago | (#29989872)

It is irrelevant anyway, because once the person is elected, all of their decisions are "closed source." They can do whatever the hell they want as long as they don't piss off an enormous amount of people enough to get themselves impeached. And they do. Much to the detriment of this alleged democracy.

If you really care about democracy, then open everything. Get rid of the politicos. Make everything inclusive and transparent.

Yes all of that is possible and in the works: http://metagovernment.org/ [metagovernment.org]

Re:Interesting, but... (1)

calmofthestorm (1344385) | more than 4 years ago | (#29989232)

I'd trust it a lot more if I could log on online and verify my vote. I have heard one reason against it: Suppose you work for a company that enjoys putting [illegal, but still] pressure on employees to vote for the Baby Eating party because it supports their economic policy. They could then demand that employees tell them their numbers so they can check that they didn't vote for the Cute Animal Hugging party instead.

There are ways to mitigate this, and it isn't a huge concern, buth worth mentioning.

Re:Interesting, but... (4, Informative)

vilhuber (246952) | more than 4 years ago | (#29989508)

Not sure I'm reading you properly, but this system allows you to verify your vote was COUNTED, nothing more. You can't show or prove to anyone HOW you voted, just that you did and that your vote is in the tally AS CAST.

This is huge. I've been waiting for chaum's election stuff to actually be used for quite some time now. I'm hugely excited.

Re:Interesting, but... (1)

harryjohnston (1118069) | more than 4 years ago | (#29990038)

If you take a photo of your ballot, what prevents you from proving who you voted for?

Re:Interesting, but... (5, Informative)

Mr2001 (90979) | more than 4 years ago | (#29990122)

Not sure I'm reading you properly, but this system allows you to verify your vote was COUNTED, nothing more. You can't show or prove to anyone HOW you voted, just that you did and that your vote is in the tally AS CAST.

Er, unless I'm missing something, it's still possible to prove to someone how you voted. You just need to take a picture of your ballot, showing that the code "JX" is in the bubble next to "John Smith" -- this is pretty easy if you're voting absentee, or if you aren't frisked and metal-detected on your way into the voting booth. When the local thug comes around to verify your vote, you show him the picture and your ballot ID, and then he goes online to make sure that your ballot ID and your "JX" vote are in the system.

Re:Interesting, but... (1)

4181 (551316) | more than 4 years ago | (#29989642)

... putting [illegal, but still] pressure on employees to vote for ...

... it isn't a huge concern, but worth mentioning.

I'd say it is a huge concern. Besides voter intimidation (be it by employer, spouse, or local thug -- ever read Rohinton Mistry's "A Fine Balance"?) it also raises problems with vote buying. A secret ballot [wikipedia.org] is "sine qua non for a functioning democracy." While a voter is permitted to reveal his or her choice, the system must not be allowed to verify it to anyone else, allowing the voter to lie and thus making voter intimidation and vote buying less effective.

Some "get out the vote" campaigns can be seen as a form of intimidation, and while they are always targeted at favorable populations, they run the risk of alienating the voter if they go too far, and the voter must be allowed to secretly either spoil the ballot or vote for an opposing candidate. Unless this system offers a none-of-the-above option (with corresponding code) for each office or measure, this system degrades a voter's ability to anonymously spoil his or her ballot.

There are ways to mitigate this, ...

Do you have any concrete suggestions?

Re:Interesting, but... (1)

calmofthestorm (1344385) | more than 4 years ago | (#29989772)

I have a few concrete suggestions but none are complete fixes. For example, you have many more voter-verification numbers than actual votes, distributed uniformly, so it's easy for any employee to find a number that corresponds to any vote and claim it was his. Problem: What if the company gets the same number from two employees. This isn't an issue for integrity because while everyone knows there are loads of fake votes in the numbers, he can still look up his own number.

Have the system only give you a lookup number with probability 0.5/0.1/whatever, so each employee can reasonably claim he didn't get one. Problem: Some companies have a statistically significant number of employees. Even if they don't know which ones to punish, they can just take it out on the group.

Give the user a secret code that can be used to change the number on the site after viewing it. Problem: Security risk, trust issues, too complicated for most people to use.

Have strict laws against voter intimidation. Problem: We do already; it still happens.

I personally believe that with all the crooked electric voting we've had in the past ten years, accountability is more important than anonymity. But the fact is: There's no system that's COMPLETELY immune to government tampering. One some level you have to trust the government. But there are different levels of trust, and making it as hard as you can to mess with is a good idea. And I'm not convinced we need to give up anonymity to obtain greater accountability.

Then again, I've never been personally threatened regarding my vote. It sounds really scary, I hope I never am.

Very interesting stuff. (2, Insightful)

Anonymous Coward | more than 4 years ago | (#29988406)

All that really matters after reading TFA:

Chaum says he hasn’t decided on a cost yet for jurisdictions who will license it after the initial adopter but says he can easily sell it for half the cost of current optical-scan voting systems, which run about $6,000 apiece.

Very good stuff. I would just avoid using the word "subversion" when talking about it. You know, because of its double meaning

Re:Very interesting stuff. (1, Funny)

Anonymous Coward | more than 4 years ago | (#29989200)

Ya, they should be using git anyway. Like gitmo is where you go if you tamper with the votes.

Cost of printing? (2, Interesting)

dgatwood (11270) | more than 4 years ago | (#29988410)

Maybe I'm missing something, but for this to be truly secure against the problem of being able to see who somebody else voted for, you would have to have a distinct set of three-digit codes for every ballot, or at least such a large number of distinct ballots that no person could practically conspire with a few other people to figure out that XWP in the third field means Hillary Clinton. Wouldn't printing each ballot individually result in a tremendous cost compared with traditional ballot printing? I'm just trying to understand how this could be feasible on a large scale....

Re:Cost of printing? (1)

Fry-kun (619632) | more than 4 years ago | (#29988672)

Each ballot has a unique ID number to start off with, so they have that system in place already.
They just need to add printing a unique cryptographic IDs with special ink to the process - might not even require a 3rd reprint

Re:Cost of printing? (3, Informative)

Areyoukiddingme (1289470) | more than 4 years ago | (#29988954)

The printing of ballots in most jurisdictions already falls under the category of "custom" printing. Ballots are unique every election (despite an enormous preponderance of re-elected incumbents). Ballots can vary from precinct to precinct to the extent that, in theory, no two precincts are alike, because of differing jurisdictions (different counties, different cities, different municipalities of various flavors). That combined with the relatively low number of copies made for any particular precinct means that the cost of printing each one uniquely isn't different. The printing won't be done by high-speed high-volume expensive-setup full-color color-separated presses anyway. It'll be done by laser printer or thermal printer or such.

So how long... (1)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#29988422)

Before one of the current election systems players sues them for being all mean and competitive, after the fashion of TDS?

Chaum's system is very cool (4, Insightful)

swillden (191260) | more than 4 years ago | (#29988454)

It does what many people would have said is impossible: It allows voters to verify that their votes were cast and counted correctly, but does not provide them with any way to prove to anyone who they voted for. An audit trail, without opening the door to coercion. This is a major improvement over traditional voting technologies.

Re:Chaum's system is very cool (1)

CannonballHead (842625) | more than 4 years ago | (#29988548)

but does not provide them with any way to prove to anyone who they voted for.

But can I check to make sure not just that my vote "was counted" but that my vote was for the right person?

Re:Chaum's system is very cool (4, Informative)

zn0k (1082797) | more than 4 years ago | (#29988572)

"But voters can't be sure just by looking at their ballot image that the system interpreted the codes accurately to apply the vote to the correct candidate. That's where independent auditors come in."

TFA to the rescue.

Re:Chaum's system is very cool (1)

CannonballHead (842625) | more than 4 years ago | (#29988616)

I read it. Just ... lightly... hehe...

Re:Chaum's system is very cool (1)

VGPowerlord (621254) | more than 4 years ago | (#29989936)

Just as long as the auditors don't decide that Death isn't doing his job, try to stop people from believing in Santa Claus, or try to destroy the world by trapping time...

Re:Chaum's system is very cool (0)

Anonymous Coward | more than 4 years ago | (#29988586)

dont be stupid. that would open you up to rubber hose crypto.

Re:Chaum's system is very cool (1)

gd2shoe (747932) | more than 4 years ago | (#29988630)

but does not provide them with any way to prove to anyone who they voted for.

But can I check to make sure not just that my vote "was counted" but that my vote was for the right person?

You can verify that your vote was received correctly. This still doesn't tell you that your vote winds up in the final tally. There's an important distinction there.

Re:Chaum's system is very cool (1)

commodore64_love (1445365) | more than 4 years ago | (#29988884)

Who the heck cares? My State already has this "check your vote online" deal, and I didn't even bother to look it up when I got home. I don't honestly believe that if my choice McCain had won, anything would be any better. So what's it matter whether my vote was counted or not.

I have this novel idea that we should follow the KISS principle. Take a piece of paper. Circle your guy. Toss it into a box. Count the ballots by hand. Keep. It. Simple.

Re:Chaum's system is very cool (1)

gd2shoe (747932) | more than 4 years ago | (#29989176)

I don't honestly believe that if my choice McCain had won, anything would be any better. So what's it matter whether my vote was counted or not.

This is a major problem, but it is a separate issue. We can't have a healthy democracy without solving both of them. You can't tell me which needs to be solved first.

Re:Chaum's system is very cool (0, Troll)

unwastaken (1586569) | more than 4 years ago | (#29989704)

I don't honestly believe that if my choice McCain had won, anything would be any better. So what's it matter whether my vote was counted or not.

This is a major problem, but it is a separate issue. We can't have a healthy democracy without solving both of them. You can't tell me which needs to be solved first.

Healthy REPUBLIC! No wonder it's unhealthy, no one knows what they actually want...

Re:Chaum's system is very cool (2, Informative)

bill_mcgonigle (4333) | more than 4 years ago | (#29989364)

I have this novel idea that we should follow the KISS principle. Take a piece of paper. Circle your guy. Toss it into a box. Count the ballots by hand. Keep. It. Simple.

That's how my town does it - each volunteer counts 100-200 ballots. It's not a hard ratio to achieve in any way. On average, each citizen would only have to volunteer once per hundred elections, not bad.

It is, however, second best. There's no stopping an organized gang from switching out the ballot box like Chaum's system does.

Still, on a cost/benefit basis there's alot going to KISS.

Now, can I start a flamewar about our system being inferior to Condorcet methods, please?
 

Re:Chaum's system is very cool (1)

gd2shoe (747932) | more than 4 years ago | (#29990082)

Now, can I start a flamewar about our system being inferior to Condorcet methods, please?

You have my vote. ;)

Just about anything is better than first-past-the-post. I'm partial to the Condorcet Principle, but every time I bring it up, I either get blank stares, or get slapped with Arrows Theorem.

Re:Chaum's system is very cool (4, Informative)

nacturation (646836) | more than 4 years ago | (#29988656)

but does not provide them with any way to prove to anyone who they voted for.

But can I check to make sure not just that my vote "was counted" but that my vote was for the right person?

Yes:

Voters make their selections on a paper ballot using special pens with ink designed by Chaum. When a voter fills in an oval on the ballot, the ink in the pen, which is similar to the yellow ink in highlighter pens, reacts with invisible ink in the oval and turns most of the oval black. At the same time, a unique three-letter code pre-printed on the ballot inside each oval is revealed to the voter.

After making their choices, voters use a form to write down the serial number that is printed on their ballot as well as the three-digit codes inside the ovals they’ve chosen. The codes are generated cryptographically and are different on every ballot to prevent someone from deciphering the voter’s choices and engaging in vote-buying.

So that's the "verify that it was recorded correctly" part. For the "verify it went to the right candidate part":

Voters can also see, based on the three-letter codes, that the system seems to have recorded their selections accurately. But voters can’t be sure just by looking at their ballot image that the system interpreted the codes accurately to apply the vote to the correct candidate. That’s where independent auditors come in.

Scantegrity uses a process called “zero knowledge” that allows skilled, independent auditors to verify that the codes result in votes going to the right candidates, without actually revealing an individual voter’s selections.

I don't know how it works exactly, but I assume it's similar to a public/private keypair given that they describe it as a cryptographic mechanism. The interesting thing is that anyone can audit the election results to demonstrate that votes were counted accurately: https://scantegrity.org/svn/data/takoma-nov3-2009/PUBLIC/PUBLIC/ [scantegrity.org]

Re:Chaum's system is very cool (1)

Judinous (1093945) | more than 4 years ago | (#29988676)

How exactly do we verify that the choices we didn't pick on the form don't have the same set of verification characters as the candidate we did choose? It appears as though we can only see the code for a candidate if we reveal it with the invisible ink; checking the others would ruin the form. I think that these verification characters should be readily visible with or without the invisible ink applied. Otherwise, it would still be possible to fudge with the system and change the vote count while passing all of the verification tests.

Perhaps this is somehow handled by the "independent auditors", but TFA is light on details in that area. Since they don't have access to the voting machines and their source code, nor the actual forms themselves, I don't see how they could verify this, though.

Re:Chaum's system is very cool (2, Informative)

swillden (191260) | more than 4 years ago | (#29988904)

How exactly do we verify that the choices we didn't pick on the form don't have the same set of verification characters as the candidate we did choose?

That's handled by pre-election auditing. There's more information on how at http://scantegrity.org./ [scantegrity.org.]

Or, go straight to the research paper at http://www.scantegrity.org/papers/ScantegrityII-EVT.pdf [scantegrity.org]

Approval voting (1)

tepples (727027) | more than 4 years ago | (#29988986)

It appears as though we can only see the code for a candidate if we reveal it with the invisible ink; checking the others would ruin the form.

Lobby your legislators to switch your jurisdiction to approval voting [wikipedia.org] . This system allows voters to sort candidates into two bins: desirable and undesirable. Once your jurisdiction uses approval voting, you can mark two candidates that you'd be happy with (e.g. a Democrat and a Green, or a Libertarian and a Conservative), and both votes will be counted.

Re:Chaum's system is very cool (1)

dgatwood (11270) | more than 4 years ago | (#29988724)

But the practical implementation could provide a way to prove that they voted for someone. My cynical suspicion is that by the second or third election, they'll use mass-produced ballots ballots that only have three or four different sets of codes on them to reduce the cost of ballot printing. And no one will be the wiser except for the people exploiting it. Where this system fails is in proving that the codes are truly unique. The only way you can guarantee that is if instead of using fixed printed codes, you provide the person with an electronically-generated cryptographic hash of the vote data with a random number that the voter cannot obtain.

Re:Chaum's system is very cool (1)

swillden (191260) | more than 4 years ago | (#29988938)

But the practical implementation could provide a way to prove that they voted for someone. My cynical suspicion is that by the second or third election, they'll use mass-produced ballots ballots that only have three or four different sets of codes on them to reduce the cost of ballot printing.

See section 4.9 of the paper [scantegrity.org] (actually, read the whole thing). Auditing is done both by candidates and by independent auditors.

Re:Chaum's system is very cool (1)

arose (644256) | more than 4 years ago | (#29988736)

It does what many people would have said is impossible: It allows voters to verify that their votes were cast and counted correctly, but does not provide them with any way to prove to anyone who they voted for.

No, apparently it's only "skilled auditors" who can verify things. And voters can prove who they voted for to anyone who has access to the ballots post election.

Re:Chaum's system is very cool (1)

girlintraining (1395911) | more than 4 years ago | (#29990214)

yeah, one problem: the moment you enter that code, you are giving up personal information that can be tracked to you, individually. Don't forget, an IP address is traceable. Private citizens may not know how you vote, but data correlation means the voting authority may.

What's a digit? (1)

CannonballHead (842625) | more than 4 years ago | (#29988566)

The image in wired.com shows a two letter code "JX" appearing in the oval. The article mentions "three digit" codes. Nice.

Re:What's a digit? (1)

icebike (68054) | more than 4 years ago | (#29988650)

Specimens need not be perfect renditions is my guess.

Question? (1)

javelinco (652113) | more than 4 years ago | (#29988584)

I like where they are going with several of these things, but why go with paper and magic markers? Why not use the same exact concept, only put it on a computer, print out a receipt with the codes and serial number, and go from there? It seems like a no brainer. Not only does it reduce overhead in terms of manpower, but it also reduces the amount of paper wasted, the cost of these "special markers", etc.

Re:Question? (2, Insightful)

icebike (68054) | more than 4 years ago | (#29988814)

The objection to receipts is that receipts that show voting choices can be used for Vote buying.

If we stick to codes, vote buying is not so easy.
You'd need a crib sheet as well.

But all you know is that your vote entered this machine, not that it was tallied by Deep Thought at election central.

 

Transparency fail. (1)

arose (644256) | more than 4 years ago | (#29988618)

On Tuesday voters in Takoma Park, Maryland, got to try out a new, transparent voting system that lets voters go online to verify that their ballots got counted in the final tally.

Scantegrity uses a process called “zero knowledge” that allows skilled, independent auditors to verify that the codes result in votes going to the right candidates, without actually revealing an individual voter’s selections.

Transparency fail.

Re:Transparency fail. (1)

DriedClexler (814907) | more than 4 years ago | (#29990542)

Scantegrity uses a process called "zero knowledge" that allows skilled, independent auditors ...

Looks to me like yet another example of how mainstream reporters lack basic knowledge of the topics they're reporting on. Based on the description of the system, it sounds like the process is actually called a zero-knowledge proof [wikipedia.org] , which allows you to verify certain properties of data without actually seeing the data. And the whole point of ZKPs is that you don't need skill or a specially-designated auditor set to verify the data.

Looks like "Kim Zetter" was in over her head and couldn't even keep track of what the term "zero knowledge" refers to.

Web Logs? (3, Insightful)

icebike (68054) | more than 4 years ago | (#29988632)

Quoting TFA

"When polls close, voters can go to the election office website, type in their ballot serial number and see a rendition of a ballot, showing the three-digit codes for their votes. This way voters can be assured that their ballot was included in the final tally."

One would hope there are no web logs kept, because simply checking your ballot would reveal your identity, and someone is sure to wrangle a subpoena for that.

Re:Web Logs? (2, Informative)

swillden (191260) | more than 4 years ago | (#29988754)

One would hope there are no web logs kept, because simply checking your ballot would reveal your identity, and someone is sure to wrangle a subpoena for that.

Reveal your identity and.... what? The ballot you check on-line just has some random letters on it that should match what you wrote down in the voting booth. It says nothing about who you voted for. So if someone identifies you from the web log, all they've verified is that (a) you voted and (b) you verified your ballot.

Re:Web Logs? (2, Insightful)

arose (644256) | more than 4 years ago | (#29988864)

And if they have access to the actual ballots, who you voted for. A non-transparent system with a way to match voters with their votes that has been "verified to be secure by the brightest minds at MIT". Every dictators wet dream.

Re:Web Logs? (0)

swillden (191260) | more than 4 years ago | (#29988952)

And if they have access to the actual ballots, who you voted for. A non-transparent system with a way to match voters with their votes that has been "verified to be secure by the brightest minds at MIT". Every dictators wet dream.

There's nothing to connect the information displayed with the physical ballot. The linkage to vote selection cannot be made.

Read the paper [scantegrity.org] .

Re:Web Logs? (1, Insightful)

icebike (68054) | more than 4 years ago | (#29989044)

That is not at all what it says.

The info displayed on line does not indicate a candidate by name.

But the whole system wouldn't work at all if there was not a linkage between your three letters and the Candidate's name SOMEWHERE.

That SOMEWHERE happens to be in the hands of the SAME people who would have the web logs showing IP address of the person looking up ballot number 2879193274.

Re:Web Logs? (2, Informative)

swillden (191260) | more than 4 years ago | (#29989094)

But the whole system wouldn't work at all if there was not a linkage between your three letters and the Candidate's name SOMEWHERE.

Incorrect. Those letters have nothing to do with your vote selection, they're just an integrity check.

Again, read the paper [scantegrity.org] .

Re:Web Logs? (1)

arose (644256) | more than 4 years ago | (#29989186)

Incorrect. Those letters have nothing to do with your vote selection, they're just an integrity check.

Table P.

Again, read the paper.

Again, transparency fail.

Re:Web Logs? (0)

Anonymous Coward | more than 4 years ago | (#29989854)

This is when you go to the library to check your vote tally. Or any of the 1000's of other public access internet locations. Or use a proxy server. Being anonymous on the Internet is quite easy.

Re:Web Logs? (2, Informative)

RoFLKOPTr (1294290) | more than 4 years ago | (#29989196)

But the whole system wouldn't work at all if there was not a linkage between your three letters and the Candidate's name SOMEWHERE.

Incorrect. Those letters have nothing to do with your vote selection, they're just an integrity check.

Again, read the paper [scantegrity.org] .

Read what he's saying. I have ballot 24664971 in my hand. I download apache.log and find the IP address of the person who accessed votecheck.net/check?ballot=24664971 and I trace that back to you. I now know who you voted for. It has nothing to do with the three-digit numbers.

Now, in my opinion, that's not a big deal, but I thought I'd explain it to you anyway.

Re:Web Logs? (1)

swillden (191260) | more than 4 years ago | (#29989370)

You are correct. If someone has access to both the physical ballots (which no one should; the system is designed so that no such access is needed for normal verification), and to the web logs, and can link the web logs to individual identities, then that person can find out how voters who verified their votes voted.

Not keeping web logs is a good idea. Securing the ballots is a good idea.

Re:Web Logs? (1)

icebike (68054) | more than 4 years ago | (#29989422)

Finally!!!

So now that you understand the issue, and the fact that ALL elements needed to identify you AND your vote are in the hands of the voting authority will you go back and re-read the paper http://www.scantegrity.org/papers/ScantegrityII-EVT.pdf [scantegrity.org] with a more critical eye?

Re:Web Logs? (1)

swillden (191260) | more than 4 years ago | (#29989578)

:-)

Actually, I hadn't finished this version of the paper. I was basing my comments on previous iterations, which were slightly different.

That said, if the Scantegrity II sytem is begin operated as designed, it is not the case that the voting authority has the paper ballots. After scanning, they should be locked away, since they're not needed for counting or integrity verification. They're only needed to handle disputes, and even then the voting authority doesn't need to actually handle the ballots.

In the case that ballots are not locked away as they should be AND web logs are kept AND voters can be identified from the logs, then those voters who verified their votes could lose the anonymity of their votes.

Re:Web Logs? (1)

arose (644256) | more than 4 years ago | (#29990074)

That essentially requires two voting authorities, one to handle the printing of ballots and online 'verification' and another to handle the counting and storage of ballots after the vote. Besides the administrative problems there is also potential collusion. In short the whole thing has too many audits and secrets. A good pen and paper voting system only has one secret (your vote) and independent observers all throughout the relevant parts, as opposed to pre and post auditing.

Re:Web Logs? (1)

BasilBrush (643681) | more than 4 years ago | (#29989452)

That only applies if the web server requires one to input one's specific ballot ID. If on the other hand all ballot numbers and codes recorded are displayed on the same (long) web page, or say 100 at a time are, then there's no way from the logs for you to know which ballot ID the individual was checking.

From skimming the paper I can's see which of the two solutions is intended. But since the solution it to the problem you suggest was so simple it occurred to me in 30 seconds, I suggest that the system designer has worked it out too.

Re:Web Logs? (1)

arose (644256) | more than 4 years ago | (#29989112)

There's nothing to connect the information displayed with the physical ballot. The linkage to vote selection cannot be made.

Except the 'ballot's unique ID number' of course. Have you read the paper?

Re:Web Logs? (1)

swillden (191260) | more than 4 years ago | (#29989350)

You are correct. I hadn't fully read the paper, but was basing my understanding on previous incarnations of the system.

Scantegrity II assumes that the physical ballots are stored security after scanning and not made available to anyone trying to link voters to ballots.

I wouldn't consider this a fatal flaw in the system, though. If ballots are handled properly, there is no risk to voter anonymity, and the system is designed so that the paper ballots are not needed to verify the integrity of the election, so there's no reason for them not to be locked away. Even if they're not locked away, any voter who wishes to ensure his or her anonymity can simply not take the receipt.

Re:Web Logs? (1)

jcochran (309950) | more than 4 years ago | (#29989192)

And if they have access to the actual ballots, who you voted for. A non-transparent system with a way to match voters with their votes that has been "verified to be secure by the brightest minds at MIT". Every dictators wet dream.

So? Seems to me that the proper countermeasure if you want to verify your vote and keep someone who has access to your ballot from determining who your voted for is quite simple:

Go home. Select N random serial numbers. I am assuming the ballot serial numbers are not random, but well known. Add your ballot serial number to the list. Shuffle the list. Request the read out from all the serial numbers you have. And N doesn't have to be very large. I'm thinking somewhere between 10 and 20 would work.

Re:Web Logs? (1)

arose (644256) | more than 4 years ago | (#29989276)

Go home. Select N random serial numbers. I am assuming the ballot serial numbers are not random, but well known. Add your ballot serial number to the list. Shuffle the list. Request the read out from all the serial numbers you have. And N doesn't have to be very large. I'm thinking somewhere between 10 and 20 would work.

Really depends on ballot distribution. Looking up a vote from a location you didn't vote at will do nothing to increase anonymity.

Re:Web Logs? (3, Interesting)

BasilBrush (643681) | more than 4 years ago | (#29989506)

Even simpler. Have the system display ranges of ballot numbers and codes, not just single ones. If I have serial number 12345 and I click on a link to examine papers 12300-12399, the eavesdropper doesn't know which of the 100 ballots displayed I checked.

Re:Web Logs? (1)

Cal27 (1610211) | more than 4 years ago | (#29989764)

But what if the eavesdropper has installed eye tracking software on my webcam and analyzes which code I look at? Clearly the system is flawed and will not be anonymous enough.

Re:Web Logs? (1)

icebike (68054) | more than 4 years ago | (#29988950)

Clearly you understand the SOMEONE knows exactly which candidate those letters on your specific ballot refer to?

Re:Web Logs? (0)

swillden (191260) | more than 4 years ago | (#29989028)

Clearly you understand the SOMEONE knows exactly which candidate those letters on your specific ballot refer to?

No, the system is carefully design to ensure that NO ONE knows who those letters refer to.

Read the paper [scantegrity.org] .

Re:Web Logs? (1)

arose (644256) | more than 4 years ago | (#29989154)

No, the system is carefully design to ensure that NO ONE knows who those letters refer to.

Read the paper.

Just because table P isn't published doesn't mean that it doesn't exist and can't be accessed.

Great on paper - but in real life? (5, Insightful)

fremen (33537) | more than 4 years ago | (#29988648)

This system assumes three things:

  • Everyone participates - voters have to validate their vote afterward to make sure it's still correct.
  • Everyone is perfect - people who incorrectly cast their vote will always suspect fraud, calling the entire election into question.
  • Everyone is sane - individual voters do not lie about about their vote to game the system, cast doubt on the election, etc.

Re:Great on paper - but in real life? (4, Insightful)

CannonballHead (842625) | more than 4 years ago | (#29988678)

With perfect, sane, always-participating people, who needs a government? ;)

Re:Great on paper - but in real life? (0)

Anonymous Coward | more than 4 years ago | (#29988832)

"Everyone is sane - individual voters do not lie about about their vote to game the system, cast doubt on the election, etc."
  ah one of the great features of democracy the recount. it does not matter how many votes you actually win but how much doubt you can cast about your opponents votes. gone are the days when the middle east leaders won their position by favor from the previous leader or through direct conquest themselves. now all they have to do is create doubt that no one can easily refute and they will if not win the election get a rerun, ah abdullah cough*, and drop out of the rerun thus removing any possibility that the issue can be laid to rest. who really benefits from this big question about the validity of Karzai? the taliban because now many people from the Afghans to the international community are questioning weather or not he should be the leader of the country. or maybe abdullah did it for personal reasons I don't know but Karzai does not benefit from any doubt to his legitimacy in any way just makes his job harder. only other real option, and honestly the thought that the taliban committed the fraud to steal legitimacy is a long shot, is the many different factions, groups, organizations, companies in and outside of Afghanistan participating in the fraud hopefully to get their preferred candidate in office whoever he may be. as for the first point of yours, not everyone needs to participate in the validation to ensure that there is limited fraud.

Re:Great on paper - but in real life? (4, Insightful)

swillden (191260) | more than 4 years ago | (#29988856)

This system assumes three things:

  • Everyone participates - voters have to validate their vote afterward to make sure it's still correct.

Per TFA, only about 5% of participants have to validate their vote afterward to assure the election's integrity to within normal margins. Also, exit polls in the Maryland town showed that about 30% of voters copied down their validation info. If a third of them bother to go online to check their ballots, that will be double the required participation.

Everyone is perfect - people who incorrectly cast their vote will always suspect fraud, calling the entire election into question.

Individuals will always have suspicions, but unless there is a widespread pattern of "errors", rational voters will be able to have greater confidence than they do in any other system. Unlike any other system, this one actually provide a way where lost or altered ballots have a chance of being discovered.

Everyone is sane - individual voters do not lie about about their vote to game the system, cast doubt on the election, etc.

Again, isolated cases will occur, but that happens regardless. In the absence of significant numbers of reports from generally honest and reliable people, then we'll have more confidence in the accuracy of the vote than any other system can provide.

Basically, your objections boil down to "Nothing is perfect". Well, duh. But it doesn't have to be perfect, it just has to be better. And it is.

Re:Great on paper - but in real life? (1, Interesting)

Anonymous Coward | more than 4 years ago | (#29990400)

Everyone is sane - individual voters do not lie about about their vote to game the system, cast doubt on the election, etc.

Again, isolated cases will occur, but that happens regardless. In the absence of significant numbers of reports from generally honest and reliable people, then we'll have more confidence in the accuracy of the vote than any other system can provide.

Interesting. I hadn't thought about this before reading this comment, but to effectively lie about which vote you cast, you'd have to know the code ("secret") hidden behind one of the alternative selections. You'd have to find a way to figure it out without spoiling the ballot by marking both the alternative (lie) selection and your real (affects election results) selection, which would make the ballot invalid.

It might be possible (technologically). I'm not sure what you'd gain from such an exercise though. You would need to conspire secretly with a number of people to do this on a large enough scale to be newsworthy, and all you'd gain is another election and possibly a different voting system.

Re:Great on paper - but in real life? (1)

rm999 (775449) | more than 4 years ago | (#29988886)

The system doesn't assume "everyone" does anything. Statistically, only a small sample is necessary.
FTFA: "People who don't want to do it or don't care can completely ignore it," Chaum said. "We only need 3 to 5 percent of people to verify their votes [to make it effective], depending on how close the contest is. If it becomes close, then you need a larger percentage to get the same level of confidence."

Re:Great on paper - but in real life? (0)

Anonymous Coward | more than 4 years ago | (#29988900)

Our current voting system has the same issues plus old people tallying the votes. I personally trust the computer's counting skills more.

Re:Great on paper - but in real life? (1)

BasilBrush (643681) | more than 4 years ago | (#29989234)

I don't. At least not when it's Diebold computers.

Re:Great on paper - but in real life? (1)

Strilanc (1077197) | more than 4 years ago | (#29989120)

Not everyone has to verify their vote. An attacker will have to throw away a large number of ballots in order to sway an election. If each voter has a 5% probability of checking their vote and only 100 votes are thrown away, the probability that the attacker is at least detected is greater than 99%.

There's also no need for perfection. The number of reports will be higher when the election is attacked. Apply basic statistics to figure out how likely it is the election was stolen instead of just people making mistakes.

Re:Great on paper - but in real life? (1, Funny)

Anonymous Coward | more than 4 years ago | (#29989240)

This system assumes three things:

  • Everyone participates - voters have to validate their vote afterward to make sure it's still correct.
  • Everyone is perfect - people who incorrectly cast their vote will always suspect fraud, calling the entire election into question.
  • Everyone is sane - individual voters do not lie about about their vote to game the system, cast doubt on the election, etc.

I voted the parent post down as a troll, but instead the Slashcode modded it up as "funny"...what the hell? I demand this site be taken down until the parent post is rated -1 Troll as it has been voted.

Written in Java (0)

Anonymous Coward | more than 4 years ago | (#29988734)

Heh, just like an academic.

Good luck with that. ;)

Adaptable to a ranked voting system? (1)

John Whitley (6067) | more than 4 years ago | (#29988990)

A quick surfing of the Scantegrity Wikipedia article [wikipedia.org] and the links above didn't definitively answer an interesting (to me) question: can it be applied to a ranked voting system such as IRV [wikipedia.org] or Condorcet [wikipedia.org] ?

The offhand solution would be to use Scantegrity's technology with a matrix of bubbles for ranks vs. candidates. Anyone familiar with this work know whether this has been addressed? I skimmed through the IEEE article as well, and found no mention of any ranked voting systems.

Why didn't they just use Punchscan??? (1)

Bourdain (683477) | more than 4 years ago | (#29989118)

Seemingly very easy to implement...
http://www.punchscan.org/ [punchscan.org]

Re:Why didn't they just use Punchscan??? (1)

pavon (30274) | more than 4 years ago | (#29989742)

Scantegrity is the successor [scantegrity.org] to Punchscan, developed by the same people (David Chaum et al). The only detailed analyses that I can find about their differences are behind journal paywalls like this one at the IEEE [computer.org] .

Exploit.... (1)

reverendbeer (1496637) | more than 4 years ago | (#29989126)

...on fulldisclosure in 3...2...1...

What are the options? (2, Interesting)

AHuxley (892839) | more than 4 years ago | (#29989328)

Have paper and select who you like, drop into a sealed box.
Election workers keep eyes open. At the end of the day reps of all the people involved stand around in a open room and count.
Takes time, expensive, but hard to fake.
If you cannot make it, postal or an election worker comes to you.
As for digital, open source, simple and all parties can see the unit, code.
On the day you press and its collected at a central point.
Instant and the press love it.
The problem with the above is no room for profit or stuffing.
Your part of the world has to have been so corrupt, at war or new to democracy to get it working.
In the US you are told its so open free and fair and transparent every day.
Is it? Why are AMT sellers making the closed source units? With cable pundits and talking heads screaming at you "they are used in banks, its fine", dont mind the party political rants by the owner.
Enigma, cryptoAG ect all gave perfect service on the day.
In Capitalist West a nice man owns the IP to your vote.
In Soviet Russia a nice gov owns the IP to your vote.
In both parts of the world, you have a right to vote.
As Stalin said "It's not the people who vote that count. It's the people who count the votes."
The end count is the elephant in the room, not just the cute open source, optical-scan $x,000 input device.

creepy (2, Insightful)

goga_russian (544604) | more than 4 years ago | (#29989656)

so they are saying that my forum captcha and craigslist copy and paste is more secure then the vote verification thing?

It's Takoma Park, folks (3, Interesting)

R2.0 (532027) | more than 4 years ago | (#29989692)

This is the place they like to call the "Berkeley of the East". It's so liberal it's almost a parody. I think the MD Democratic Party keeps it around as a pure strain in a petri dish so that they can pretend they are also liberal.

It also means that if Takoma Park thinks it's a good idea, everyone else in MD will think it's a joke and ignore it.

Is voter verification really desirable? (2, Interesting)

wfstanle (1188751) | more than 4 years ago | (#29990288)

I have real doubts about allowing voters to check how they voted AFTER they leave the polling place. By allowing a voter a way to verify how he voted you open the door to all sorts of abuses. A voter could sell his vote and the buyer could have a way to check he indeed did vote the way the buyer wanted. Another abuse is employers threatening his employees with firing if he did not vote the way the employer wanted.

The problems might be overcome if the voter would have to visit the election clerks office and prove his identity and was also alone when he viewed the way he voted.

Who does this benefit? (0)

Anonymous Coward | more than 4 years ago | (#29990398)

If candidate a loses to candidate b, you are going to have millions of A voters claiming that their vote wasn't counted properly. Not to mention that you are walking out of the booth with proof of who you voted for.

This allows vote buying! (2, Informative)

xant (99438) | more than 4 years ago | (#29990494)

I don't see a single thing in this system that would prevent vote buying. You get a receipt with your choices on it, encoded in some form, yes? You can then go to a website, and enter codes, to see who you voted for, yes? True, only the individual voter (or someone possessing the receipt) can do this.. but that doesn't matter a damn to a vote buyer. Why? Because, as this system's designers seem to have forgotten, the voter is complicit in vote buying. The voter gets money for turning over his receipt and secret knowledge, whatever that may be, to the person who wants a verified vote for his candidate.

yes, yes, and yes (0)

Anonymous Coward | more than 4 years ago | (#29990598)

Read the paper on it people. They've though this through a whole lot better than 99.99% of the people here could.

http://www.scantegrity.org/papers/ScantegrityII-EVT.pdf

For sure there are no stupid things like the vote checking showing who you voted for.

Load More Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>