Foolproof online voting

Someone please explain to me why this voting scheme isn't fair and virtually unexploitable (and it doesn't require a paper trail).

Every voter is assigned a unique voter ID (large integer) which is different for each election. Votes are cast online at a central voting authority website, where the voter IDs are used for identification. RSA encryption is used (the same encryption used now for online transactions) with the authority having the only private key. After the election, all results are posted on the website in electronic format, identifying voters only by their voter ID.

A suitable number (2%?) of voter IDs are chosen by each candidate's campaign. The campaigns are allowed to match the IDs to actually name and contact information to verify that the votes were recorded as cast. If a significant percentage of votes are bogus, the results are declared void.

Disadvantages: Not completely private (campaign verifications would disclose how some people voted).
Advantages: Vote is statistically verifiable to within 1% (or better). Voters can confirm their own vote online. Anyone can download the results and do their own tallies.

?

near the id, then what?

the election is void. Statistically it would be impossible to conduct widespread fraud this way.

A campaign would have to provide, to the central voting authority, affidavits for a minimum percentage of voters showing their vote was misrecorded.

... we get a new election automatically?

Cool!

Oh, wait... that means the other guys can do that too.

Perhaps if voters had a certain time period to amend their vote after the results are made public, there is no way they could claim there vote was wrong unless it truly was.

:shrug:

If results are posted in realtime online, you could check immediately to confirm your vote was recorded as you voted it.

Watchdog groups could download the votes whenever they wanted to to confirm nothing was being changed throughout the day...

:shrug:

do you mean people could vote from their homes, or do you mean going to a polling place and voting on-line?

If it's at home I'd have a problem because I'd envision campaign workers saying that you need to vote for Bush and I'll just stand here with a $ 20 bill out and watch you vote. This would be the end of secret ballots.

We'd also see divorces skyrocket, because an awful lot of marriages survive because the husband assumes his wife is voting the same way that he is, or vice-versa.

If it's at a central polling place with a secret place to vote, I'd be more inclined to support it.

to accomodate voters who don't have computers. The interface could be set up very similar to what a voting machine shows now.

But others could vote online. If vote-buying seems like it would be a problem, envisioning risking three years in a federal penitentiary for each vote you buy. Pretty risky business.

The whole procedure could be carried out at voting facilities too, with the advantages you mentioned. There are the downsides that people would have to wait in line (sometimes for a long time, as in Ohio) and handicapped voters would be less likely to vote.

Re: divorces, one would have to wait until the spouse goes to bed :)

as does Oregon's mail in voting.

I just think the secret ballot should be enforced by someone.

It doesn't even have to be vote buying. It can just be intimidation.

It could be the husband who tells his wife "let's get on the computer and vote while we're both free." Or it could be a parent and a kid.

Or it could be the precinct chairman who's also your boss who comes by and says that he's pledged that everyone on his block will vote, so let's get it done right now so I can mark your name off the list.

Maybe I'm being paranoid, but people will find ways to exploit any loophole in the system, and tere are no shortage of people willing to knock on doors to get their candidates votes.

although there really isn't that much enforced privacy in voting anymore anyway. Nevadans in 2004 had something like two weeks to mail in votes, and could vote in grocery stores.

You're not being paranoid at all. These are real threats to a fair election. What bothers me is that some refuse to acknowledge that there are real threats with paper-verified voting too, or are unwilling to accept online ideas because they've heard "online is bad".

When people insist they voted for Kerry, yet Bush "wins" anyway.

Your question is a valid one, regardless of the medium.

Im not one of those folks who thinks that electronic voting, or Internet voting cannot be made reliable, it can be.

There are methods to which it can be done, but the ones that have been proposed publicly (or being used) or to simplistic so far

the central tabulation will include that vote you verified in a static listing or database. Audits and random sampling are essential to determine if a representative sample of the names listed, o IDs, are included in the final tally..

all results are downloadable online, in Excel format or something comparable.

Each campaign would be able to audit a significant percentage of voters. It would have to be a number that is minimally intrusive from a privacy point of view, but assures statistical certainty of the results.

It could even be dynamic. If the results were close a higher percentage of votes would be auditable.

It's one thing to be able to validate a small database. It's another to be able to personally audit with a degree of certainty. If there are disputes regarding the database, the results will also reflect those votes that are in contention. Databases can be changed on a whim as well.

So what if I can audit but names of voters have been removed? The end result is the same, but the accuracy is not there.

There are too many loopholes in this proposal which opens it up to fraud, which we have now.

The fact that the regressives proposed web-based voting is a red flag in and of itself. They have quite a bit of experience tampering with electronic votes so this would be right up their alley--and the public could/would mistakenly believe that the results ae accurate.

because everyone would have it as soon as the election was over. Everyone. You could load an Excel file and count them yourself. Now the database belongs to every American.

Right now, you personally can't audit anything. You have to have complete faith that the government is doing "the right thing".

This is the antithesis of earlier web-based proposals because every vote is public. You won't see *any* Republican proposals for a public database (there's a very good reason for that).

Millions of people would possess differing databases after inevitable corrections are made, etc.

Who would have the authentic database? The master record? What law would support Average Joe contesting his database against the master database?

Everybody's accountabilility equals no ones accountability.

Thousands of people presenting different information would result in confusion that can hardly be fathomed--that and the sheer number of names within the database don't make it feasible for individuals to handle such massive amounts of data.

Beyond that, the data and system would have to be supported by laws which aren't in place. Without laws regarding possession of the master database, timeframes for changes and for contesting errors, etc. this would be no better than Diebold or other other EV methods.

You address some very legit concerns.

First of all, there could be no changes to the database by voters or the voting authority once votes are recorded.

As one other poster pointed out, a bloc of voters from a losing position couldn't be able to throw an election by simply declaring they voted differently than they actually had.

So what if you cast your vote and it shows up wrong on the website? You would have to immediately protest the recording by filing an affidavit (the way you do now when a machine malfunctions). What form would the affidavit take? :shrug:

Though not every individual would have the computing power to do tallies, many would. It would be well within the capability of special-interest groups and campaigns.

or if there are, that they will be timely? It still opens up the results to tampering, a total lack of confidence in the system, etc.

I'm not sure that is possible. I don't understand why you feel the Campaigns would have to verify by matching voter ID's to name and contact info. Couldn't you just permit a voter to verify his own vote? As far as I know, campaigns don't have the ability to verify votes to names now? And I don't mean electronic voting, but any kind.

I have been using online banking and billpay for quite a few years and have never had a problem or concern. I'm not sure if that security is sufficient for voting or not. just don't let the credit crd companies get their hands in it!

The reason why campaigns must be able to verify a percentage of the votes is that a malicious voting authority worker could potentially *add* thousands of numbers to the tally which belong to no one, and cast the votes how he/she sees fit.

If the campaigns came across a significant number of these "ghost" voters the results are thrown out.

ID #'s issued to voter registration lists. Then a match can be run between all the ID's issued against voter ID's casting votes. There would be no need to ID how that voter voted, just that he/she was eligible to vote at all. Thus, no violation of the secret ballot.

who does the verification? If you trust the voting authority, we're back to square one. One programmer could swear up and down that all the votes matched up--but the results are still worthless.

Even if the list was made public, who's to say that there were/weren't more numbers issued than is on the list provided by the voting authority?

monitoring, checking, verifying or anything else you want to call it, the voter registration against the voter list.

Right now, when I moved to Ga from Pa, I registered here in Ga via my computer! When I vote, I have to present my DL for ID, and that's it!

I don't understand the difference.

is that good enough? I don't think so (nor do a lot of people who trusted Ken Blackwell to record their vote in Ohio).

If both campaigns could statistically certify the results there is no possibility for fraud. Again, the tradeoff is there is going to be a small random chance that Republicans might find out how you voted (I'd be proud to tell them, if they wanted to know :P)

people who do. Some people's jobs hinge on who they support! That's why I don't think this random sampling would fly. Some folks who really don't even have a reson to care get all excited when something thretens their "secret ballot"!

There has to be another way.

How does a CIA agent know they're really communicating with another agent? I realize that sounds like a bit of a streach, but, all these gov't agencies seem to have figured out how to maintain security. There has to be a way to have internet voting and include the same knid of security!

is that both campaigns would be threatened with a huge fine (or jail) for revealing personal information publicly (postal employees already have this restriction).

The reason government agencies can maintain security is that they're all on the same side. :)

I've had this same idea. Simple and verifiable.

like towards paper ballots. Too many unknowns and potential for hacking/denial of service, etc. Even foreign governments could get involved in trying to rig an election. Scary stuff if we were to go down that path.

Far fewer unknowns, because everyone could check their own vote *after* the election.

Denial of service is a possibility, but the voting authority would have to certify that the servers were operational for a significant percentage of the actual balloting time.

How could foreign governments rig the election if everyone sees the numbers afterward?

--which is in between the voter and his or her vote. If I take your ballot from you and ask you how you want it filled out, fill it out without letting you see it, and deposit it in the box, is that OK?

No? What if I say "But I'm a computer programmer! Trust me!"? Does that make it all better?

Sorry, this kind of intermediation is theft, even if I vote the way you want me to.

You are able to check your own vote *after* the election.

Not unless I understand the software.

After the election, you go to the website, find your number, and there is every vote you cast, the way you cast it. Anyone can count the votes who has online access.

--can hack the system.

How can someone hack your vote when you can confirm it afterwards?

it's difficult to go through all the options of what could go wrong because there are so many.

that the vote shown on the website wasn't the one you cast.

It could tell me one thing, and the tabulator another.

If one cries foul and can come up with voter affidavits to prove it, the results are tossed.

--unless every campaign had someone who thoroughly knew the particular software. And if there are disparities among campaigns, whythefuck should an election outcome depend on who can pay for the most computer experts?

to people, and confirming they voted the way their number said they did. There is nothing mysterious or complicated about it.

The mystery is why anyone would believe that the program told them exactly what it told the tabulator.

use a bunch of different sites to pay my credit card bills, car insurance, and even pay for my purchases on Ebay?

Are you really saying there are no intermediate software programs involved in those transactions?

I'm willing to hire experts to make cash transactions for me, fly me in a plane, etc. I am not willing to allow anyone to vote on my behalf.

...much would depend on verification. Not just from the side of the voter, but also on the server side.
This means that there must be some kind of contingency. The vote must be simultaneously sent to mulitple servers, who must each acknowledge the vote back to the client within a short time frame.
The servers must then consolidate among each other, etc.

There are additional concerns but I believe it would be possible to construct a secure system.

Of course if such a system were to be designed, it would be a no-bid contract for Halliburton and THAT is where the real problem lies ;)

If every vote is public after the election it's all out in the open anyway.

There must be a method to test the authenticity of the vote and eliminate spoofing schemes.
That's why I mentioned multiple servers (and I should have added with different verification procedures). Let's call it the electronic equivalent of a paper trail.

but the only important verification is on the back end. After the election, when all the results are public. If there is significant spoofing the results are tossed.

Any complex system has bugs. This is absolutely unavoidable. However, complex systems can be made robust and stable only if they are banged up against the real world a lot.

ATMs are used millions of times an hour, 24/7, so all of the bugs that cause problems have been eliminated. And if not, you have at least six months to straighten out your problem.

We vote once or twice a year, which means that elections are de facto beta tests. This is absolutely unacceptable! What would cars be like if they were only driven for two hours a year?

I actually worked on early ATMs and I'm intimately familiar with their initial flaws. Ahh, the good old days ;)

Anyway, testing is the Achilles heel of any system and designing a good testing method for a voting system would be extremely difficult. It would obviously also heavily rely on simulation (for lack of 100 million dedicated testers).

Also, providing that there is sufficient contingency and verification, a discrepancy or two can be corrected.

Manual counts aren't perfect either.

Two separate and distinct processes. The voting process should have nothing between me and recording my vote in a way that I don't have to be a programmer to understand.

No problem with computer-assisted tabulation, provided that
1. A random 5 or 10% of precincts manually audited, with the paper ballot being the legal ballot of record in case of discrepancies.
2. Precinct total votes are tabulated on the spot, and the total number of ballots crosschecked with the voter's sign-in sheet.
3. In no case will the central tabulator be linked electronically with machines at precincts.

And this is another reason why making voting and tabulation occur concurrently sucks--it is a major reason for long lines at polling places. People who spend a lot of time voting, checking over their voter info pamphlets and everything they got in the mail, checking again, can get really big lines forming behind them. No one else can use the machine until they finish.

Optical scanning separates the two processes. When I was a poll worker, people didn't just stand around when the privacy booths were all full. Since the polling place was a school library, they just wandered off into the stacks and study carrels. The tabulation at the scanning machine was very quick by comparison, even with occasionally spitting back ballots to be marked correctly. Thus the slow process of voting didn't screw up the fast process of tabulation. Also, when we crosschecked with the sign-in sheets, we had only 4 extra ballots out of several thousand, which we attributed to people sticking provisional ballots in the scanner instead of giving them back to us.

The suggestion is that database records be checked against voters' memories instead of an actual original document. Go to court, tell the judge you "remember" some contractual agreement, get laughed out. You have to show the original paperwork to have any case at all.

for Bush, would you remember? There will be no incentive to lie about the way you voted, unless you decide to change your vote immediately after the election. Statistically the number of those voters would be insignificant.

And I certainly won't remember some of the less prominant offices.

In any case, my recollection, or lack of it, or candor, or lack of it, is not proof of how I actually voted. The approach you describe is no more useful than simply doing a post-election poll and trying to argue that the poll results are more valid than the actual vote count. Might be true, but it is not proof. We need original documents (ballots) if we are ever to have any chance of checking the truthfulness of the reported vote totals. There is no alternative to a voter verified paper ballot. (Although Tyvek or hemp based paper would be better than wood pulp.)

how do you have any idea that your vote was counted in the final tally?

Answer: you don't.

What we need is simply to keep the original ballots available so that. in the case of disputed totals, the original records can again be tallied up in front of witnesses and the true numbers decided.

back to paper ballots! People are way to anxious tofind out the results ASAP for that to ever happen!

There are so many things we do securely online already, there's no reason voting can't be done as well.

I've filed my tax returns online for the past 3 years! There's been no problem. I do all my banking online, I use billpay, I pay all my credit card bills on the Cr card web site, I pay for all my Ebay purchases via Paypal, I accept Paypal for all the things I sell there too.

At work, I filed all of our SEC filings via the net, comunicated all kind of confidential info between owners, suppliers officers, etc.

This CAN BE DONE!!!!

They are a backup in case of failure or tampering. Are you suggesting that we are better off without the possibility of ever verifying whatever numbers get reported?

The examples you cite are irrelevent, since in all those cases there is simple two-entity transaction, and both have the opportunity, obligation even, to check that the final report is what they agreed to.

The importance of actually having the original documentation in elections is shown by several elections, Florida's vote recount was stopped before the Gore victory could be determined; Washington's went thorough a full recount process; there are many examples where recounts were needed and the results changed because the actual ballots were available as evidence. With some magical (presumed to be true) computer generated number no verification is possible, and tampering or fraud, if suspected, could never be proven or disproven.

is that now you're trusting the people sitting in a room, and even the person they hand their results to.

If every vote was online, anyone could do a recount. Eveyone would see every vote cast. Hard to get more transparent than that.

Normally reps from all interested parties participate, and the evidence is real and tangible. Phantom voters are very hard to catch in e-world, but the meat-world voters at least have to show up and leave a document behind.

you're still relying on a relatively small number of people to tell the truth.

Why not rely on a vote total you can count yourself?

Never the total, and that is the crucial number.

and count the totals, the net effect of which is far more powerful than one entity doing all the verifying and counting.

--at least they are when they are being watched, as they have been in any properly done recount. In the WA state recouht, the Republican and the Democrat had to get the same total. When they didn't their batch of ballots was taken away and given to another pair. Not only that, you can understand what you are watching, as opposed to watching a computer work, which you will never understand unless you were the programmer.

Online, there are never any real recounts, not ever. Just a machine spitting out the same number over and over, which can't be trusted. The programmer is the vote counter who can't be watched.

It has to be clear and obvious.

How's about this:
The machine that takes the vote makes two copies of the vote at the same time.. one for the voter and one for the box (so a person could tell if their vote started out right). The boxed copy would constitute a paper ballot for recount purposes.

--so that's fine by me. Then you would have to have mandatory random auditing as a requirement--otherwise programmers could make your ballot say one thing and the tabulator say its opposite.

It would make it possible for people to sell votes--they would have a copy of how they voted to show someone, although in practice I don't believe this would be a significant problem.

The problem with any recounts at all is shown by what happened in FL in 2000. The recount was stopped. It didn't matter how honest the counters were, how securely the boxes were locked.

None of those online activities are completely secure. The reason why this is irrelevant is that it fixing screwups is easy, and you have six months to do it, and are backed by a lot of consumer laws with real teeth.

More importantly, millions upon millions of those transactions are done daily, providing a truly strenuous reality check. Voting, in contrast, is done once a year. It is flat out impossible to guarantee the security of a complicated system that is used only once a year. ELECTIONS AS BETA TESTS ARE NOT EVER, EVER ACCEPTABLE! Period.

is flawless. No voting system is flawless. The argument I'm trying to make is that by making the vote tally 100% transparent (impossible with a paper system) you more than make up for its deficiencies.

Not flawless, but 0.1% accuracy at their best. And I don't give a flying fuck if it isn't flawless. what I care about is that I can see and understand unaided. If the vote is counted by a program that nobody but the programmer really understands, how in bloody hell is that supposed to be "transparent"?

why do you have so much faith in that program? At least this way every vote cast would be online, so you could download them all and count them yourself if you wanted to.

Plus, you could see that your own vote was part of the tally.

TIme to go to bed. I need to reread a lot of this in the AM :hi:

In fact, I am considering suing my county auditor on the grounds that private tabulation software in and of itself amounts to vote theft. If it were open source, that would be acceptable. But the real reason for favoring audited optically scanned ballots is that we can require a defined percentage of random audits by handcount, and the PAPER BALLOT (that I saw and understood when I filled it out) would be the legal vote in case of conflict.

I don't care to download meaningless, untrustworthy vote tabulations. You have no way of knowing whether the vote you see online is the same one that the tabulator saw.

You are counting the exact same votes the "tabulator" is. If the number of votes the "tabulator saw" exactly matches the totals that you come up with for every candidate and every issue, their totals are correct, no?

as per some of the funky "official" totals for oddball candidates in the last California gubernatorial election.

anyone can count the vote. Everyone has access to every vote.

That is the only way that I will ever trust software. Of course, having the software as another counting method is helpful, just as it is reassuring to get the same date from carbon-14 data that you get from measuring tree rings.

.. if your guy lost.

I like the concept, but I'd never want to vote online. Just for peace-of-mind, I'd want to go to a polling station, see a voting judge face-to-face...punch the ballot and have the chance to physically look at it (chads & all) before it gets cast...and then that little paper receipt that proves I voted and it counted (or so I hope).

I live by the George Carlin theory that if you invent a better mousetrap, some asshole will invent a bigger mouse. The intrusive nature of makes manipulation and fraud a sport. Look at how many viruses and spyware scams are flying out there and imagine if these tools could be manipulated to rig an online election. The bait is too tempting...especially for those who considering winning at all costs.

Love that Carlin quote :rofl:

I think you've probably identified the biggest hurdle--public confidence. I don't think it's insurmountable (I was nervous as hell the first time I punched my CC number into a website form and now I don't even think about it).

Paper ballots with long lines, partisan Secretary of States, and "black boxes" which offer no guarantee your vote is actually tallied aren't inspiring a lot of confidence now, either. At least you would be able to see your vote and know that it was part of a tally.

I like your idea for shut-ins and in assisting those who can't get to a polling place in doing so...but as an option rather than the sole means to vote. I could see many benefits on that front, and if properly supervised can be a very good.

The issue of long lines, and I got trashed on this discussion once, is a totally political manner. You usually only see long lines in precincts where the party that controls the elections wants to depress voting. We saw that in Ohio and Florida. I used to see it done by the Democrats in Chicago. Nothing will scare a person away from a polling place more than a long line.

The problem is having enough judges and polling places. You can be assured in the heavily Repugnican areas there wasn't any of those troubles.

Lastly, a question...would you be able to review really review your vote before it goes out? I'm sure you can include a "are you really sure screen" or even display the choices. I've had situations where I've taken polls and later found out I either mis-read or the way the question was framed I chose the wrong answer, but couldn't go back to correct my answer. I'm just curious...especially if you have a long ballot, what type of recall or ability to review your choices you can make before they are truly sent?

Thanks for your replies...lots of good food for thought.

and to model it after a voting machine, where you can go through your choices before you actually submitting them, would make people feel more comfortable about it.

Maybe it would disenfranchise poorer voters who are less likely to have computers, so there would still have to be some polling places with computers set up.

Thanks for your input. I'll have to read again in the morning. :hi:

Passwords can be brute-forced, guesses, or cracked. If you meant to say that each individual will receive a privaye key in order to use two-factor authentication (something like an RSA token), this immediately becomes a headache as you are now dealing with incredible key management complexities. Further, Denial of Service is not just a possibility, but is guaranteed considering the number of people that hate us around the world. Finally, when complexity is added to any process, you always increase the potential for errors or vulnerabilities. It is a neat idea in theory, but we're not ready for it in practice.

but it would take on the order of a trillion years or so. Pretty good odds in my book.

RSA only requires one private key and one public key. The goal is to prevent someone from monitoring your vote in transmission (keep it private). It doesn't affect that outcome of the election either way.

A DoS attack which would last all day long is probably comparable odds-wise as a nationwide power blackout. Either way your screwed, but it's still highly, highly unlikely.

type ping -t www.centralvotingserver.gov
There's your DOS. Not too hard and will last as long as you want.

Not all people who hate America would agree that taking down our election is in their best interest.

International IPs which are pinging the server can be blocked virtually instantaneously.

already have back door keys into most encryption schemes?

No thanks. If my ATM or online transaction gets hosed, I can redress it with my CC company or bank - I have time. Plus, it's only money.

My vote is sacred. Voter Verified Paper Ballots are the only real solution ...as Andy has stated so eloquently with his lifes work.

I am a network engineer - and no way would I ever trust any vote going across the internet - to set up 250 million VPN clients for dedicated use would be one helluva chore - and too much could go wrong. The expense would be horrendous with current technology.

When bioscans and other security technologies are more mainstream in 15 years, we can talk then. And maybe I'll think about it....

and that's the beauty of it.

The voting authority website would have to hold the private key to unencrypt incoming votes. The worst that could be compromised is that the government could find out how you voted, something that they know right now anyway.

Bioscans, encryption, etc. are essentially beside the point. You wouldn't trust your vote going over the internet if you could go to the website immediately afterward and see every choice you made online?

that is 'tamperproof" I would not.

Have you ever ran a sniffer? Seen what is inside an 'actual' unencryted packet? There is too much that could be done to it to corrupt it by third party means while in transit. Not the least of which is copying it and getting your identity. So much for a secret ballot. Spoofing is so easy...I could never be sure the data I am seeing is the data that was really reported...without a VPN connection that I trusted no way would I ever send a SACRED vote across the public wire.


Also, to expect my home pc to load up a database locally of 250 million entries to 'check it' myself would be ludicrous ...

No, we are not ready for internet voting...the technology is not here yet...and won't be for at least 15 years. Even then, technology is not always a good thing...better to rely on the old fashioned method...Voter Verified Paper Ballots.

and do a number of things to get people to vote.

50% of people don't vote in this country. While some of it is because people don't have time, some people literally don't care. It would be easy for some people to go around and offer lunches for votes, or even just tell people who to vote for. They could even go to the voting website with the person and do everything for them. That type of system is just begging for a voter ID# for money scandal.

because the risk/reward is too great. There is a $10,000 fine for attempting to buy someone's vote now. Is it really worth it for one vote?

--which is what an online system makes possible.

You seem to be against the idea simply because it's online (millions of people refused to make online transactions until they saw how safe it was--now they don't even think about it).

Online transactions get done millions of times a day, so this very complex system has had a chance to get the bugs worked out of it. It is flat out not possible to get the bugs out of a system that is used, at most, twice a year.

Besides which, online transactions are hacked all the time (0.1% of a billion transactions hacked is one million screwups)--it's just that there are no consequences--screwups are easy to fix, there are consumer laws protecting you, and you have six months minimum to get errors fixed. None of this applies to elections.

and would outdo any election we've ever had.

IMO you bring up a good point about "getting the bugs worked out". That would take a major effort. It would have to work the very first time out of the box.

There is simply no voting system that is perfect. But to see every vote cast online, and be able to confirm that my own vote was counted--to me, these factors make the risks acceptable ones.

--nothing whatsoever. You have no way of knowing whether what you saw online is the same thing as what the tabulator saw.

Actually, optical scanning has a 0.2% error rate, and hand counting that is doublechecked (as in the WA state gubernatorial recounts) an error rate of 0.1%. (Though in that last case, the vote differential was 0.01%, so we still can't possibly know who "really" won.)

Getting the bugs worked out is not just a major effort, it's close to impossible. Voting is something that just isn't done often enough. You may think it's fine for our elections to all be beta tests, but I damned well don't.

possibilities. It's 12:30AM here and I'm going to bed, but I think it's a very good idea to persue. I'm not quite sure where you would even begin, but I believe this IS the voting of the future.

Everyone wants the darn results ASAP, so that prevents us from ever going back to paper ballots. WE have to face the facts. Heck, I remember having to go down to the borough office and look at the results that were posted on the door! (I was a little kid and my parents went to look!)

wtmusic, stay with this. I for one will help you any way I can to get your idea the attention it deserves!

for your input, and goodnight :hi:

when I'm more rested and not drinking the white wine, but I like the verification. Because no matter what you do with E-voting, the machines can be diddled with.

I like the verification part very much.

(I have not read all the replys to this thread to see what the doom-sayers will bring up, but, damn I like it!)

Putting expert intermediaries between me and my vote is theft, period.

Explain please how verification is intermeditary...?

--which is impossible to understand unless you are a programmer, and even then maybe not. It is in now way different from taking my ballot by force and marking it according to my instructions, but without letting me see the process.

I don't care whether I understand how the microprocessor in my fuel injection system is programmed, but voting is an entirely different matter.

I'm a big advocate of getting the tech in place but there are a number of huge problems involved, to which there aren't many easy answers to.

You mention only the encryption portion, but two things need to happen (both accomplished by the above), the document would need to be digitally signed AND encypted. The digital signature irrefutably verifies that the document was not altered from when it was sent. Otherwise, if even a single character was deleted, it would change the encypted message and it would no longer match up with the user's public key. The encyption makes it unreadable to anyone else as it goes from your computer to their server.

Now to the nitty gritty...

How do we get folks their keys exactly? The key pair must be generated at the user's computer, rather than issued to them my the state. If I have an existing valid digital signature then I could just generate my voting keys and sign them with my legally binding signature. If the state sends you your private key electronically by email for example (and you dont have a key in place to encypt it with), they would have to send it in plain text which would be a HUGE security problem. Same security problem with doing it through physical medium unless every voter has to go pick up in person their own key (at which point whats my motivation to vote from home if i have to physically go to a brick and mortar place to get my key?) Additionally, I'm not going to have the state keep a copy of my private key and be able to uniquely identify who i voted for.

Next is the issue of voter identification. So lets say we find a good method to get through what I mention above. I have my key on my computer. How do I prevent my roommate from voting with the keys on my computer? Furthermore, the causal user is still subject to his or her private key being compromised through an attack on their own computer. We could use something like a smart card, but in reality it is not something that your non-geek friends would have the hardware for using and it would be a technical support nightmare using something like this. Think about it in terms of e-commerce. I buy something with my Visa online. The company takes my name address and credit card info. It runs this against what Visa has for me and if it all matches, it is sufficent for the company to get payment from the credit card. In honesty, it doesn't actually prove that it was ME that made the transaction. Same problem if they tried to do a login/password system. When they mail it to me, there isn't a way to prove my neighborhood republican didn't steal it from my mailbox. I'm kinda sick of typing about this now but would be happy to elaborate later if people seem to care.

one private, one public for the actual encryption--it's SSL, just like you use for a transaction. Just to prevent prying eyes in transit.

Verifying that a vote is coming from where it should be is never foolproof, but it would be at least as foolproof as it is now, or better. All you would need to do is send the voter a username/password combination (if the voter compromises it that's his/her problem) to gain entry into the voting authority website. Could your neighbor steal the envelope? Sure, but would he risk being prosecuted for a felony to add one vote to his candidate's total?

Again, all this stuff is *not* critical, because votes are verifiable after the election.

What I call that is disenfranchisement. Every time you throw bells and whistles into the system that average people can't personally understand, you throw more voters out of the system.

People still would need to have the option to go to their polling place.

:evilgrin:

To treat everyone the same, require brick and mortar for all. Computer users can do this much more easily than non-users can learn to accept computers.

>>it's SSL
Well then you're not really talking about getting a seperate key for every election per se. If you're talking about an SSL method, everyone on DU that doesn't like an election result is going to claim that the fix is in with Microsoft, yada yada. Plus, using SSL doesn't really provide the legal requirement of nonrepudation in the same way as a digital signature does. It avoids the transaction being veiwed by a third party, but it doesn't uniquely tie the vote to the voter's identity in the same way as what I was describing. Password combinations aren't enough in this case. What happens when my local election office accidentally lets a copy of the username/password list into the wild? Oops, sorry we have to invalidate this election and try again isn't a very good answer. I think this would have to involve having a key from a CA that is unquirely tied to the voter.


>>Verifying that a vote is coming from where it should be is never foolproof

The technology is relatively easy to understand when it is spelled out. But for a system like this to go over, it has to be virtually foolproof. We need to be able to verify:
1) The person voting is who they say they are (a legally valid digital signature unquiely tied to the voter's identity)
2) Their message was not altered (encryption and signature verification.)
Right now I guess there is no way to prove that I didn't go down somewhere and forge their signature on the ballot. But the requirement needs to be there for an online system for people to buy into it.

>>Again, all this stuff is *not* critical, because votes are verifiable after the election.

It is critical because lets say I try to deny that I voted a particular way an the election. I choose not to verify something. Then what?

The only reason for SSL is to provide a good degree of privacy. It would serve no function whatsoever as far as ensuring voters are who they say they are.

You can digitally sign your vote too, but even that isn't critical. If you see your number on the website afterwards and the corresponding choices don't reflect your vote accurately, you send an affidavit (within a prescribed time period) to the voting authority. Meanwhile candidates and campaigns are manually verifying a percentage of the voter IDs.

site is spoofed--that is to say, it shows how you voted BUT your vote is not counted in that way. Just because you see a verification site, that doesn't mean your vote is actually counted.

It's a great debate, but I worry that there are just that many more ways we could be fooled this way.

you can count them yourself.

From what I've seen here there are several issues that would need to be addressed:

1) It would involve some compromise of privacy.
2) It is potentially vulnerable to a DoS attack.
3) It would involve a considerable amount of work on the campaigns' part for verification.
4) The public would have to be given a high level of confidence in the system.

As I've said elsewhere, no voting system is perfect. Every system is a balance between expense and accuracy, between privacy and transparency. But all of the above problems could be dealt with, and to have every vote before the public eye is an extremely powerful weapon against fraud.

verify how their vote was cast is mandatory.

Where is your proof? What if there are bogus entries? How will you know?

but if each campaign could verify thousands of votes by matching up their online number with a name and contacting them to confirm their vote, statistically it would be *impossible* for enough fraud to occur to sway an election.

and completely without any documentation to prove anything. So what if you go back to 2% or whatever and get different results. I can gurantee you will if you include judges and fire district commissioners. You can't prove one is any better than the other, and you are left with believing whatever those who programmed the machinery want you to believe. You can never prove there is any problem. and even worse, you can never prove that the results are honest ones.

the results would (and should) be thrown out. Who wants results where people won't stand by their vote, whether it's bogus or not?

I don't know if 2% is the magic number. But I think it could be shown that very few voters change their mind right after an election. All you have to do is set the verification percentage higher than that, and you are assured of accurate results.

of an approach that can only say the totals are "probably" wrong?

The error percentage of a manual recount would be far higher than a statistical recount, *and* you would be counting votes all across the country. A nationwide manual recount has never happened, and will never happen.

When you start talking about "nationwide" recounts you really go off into lalaland. You must know that the only nationwide elections are for president, and these are not based on totals but on state totals and the electoral votes they generate. Statewide recounts are not uncommon nor particularly difficult. That is the lamest red herring ever dragged into this kind of discussion.

I'm getting tired...a nationwide recount would only work after we lose the electoral college, now wouldn't it? :crazy:

Re: the sampling--believe it or not, all a manual recount does is determine odds. There has never been a perfect (or close to perfect) manual recount. Assuming that because there's a tangible item involved it will be counted completely and correctly is a huge fallacy (in 2000 we were up against the odds that SCOTUS would call off the recount--there's no chance of that, is there?)

I would trade it all for results I can see, and confirmation that my vote was part of it.

You seem to trust that software that one rogue programmer can tamper with is superior to paper ballots, which can be kept indefinitely, which are counted in front of witnesses from all parties concerned, and which can be recounted any number of times.

The "fixes" you propose for the flaws that other posters have pointed out make the proposed system even more complex and vulnerable.

There's only ONE "reason" for the sudden push toward electronic voting (other than the desire of Republicans to cheat), and that is the TV networks' desire to get instant results to broadcast.

In real life, so what if the results are delayed a day or two? Big hairy deal. In the 1968 election, we didn't know till about 2PM the next day whether Nixon or Humphrey had won.

So what?

;)

One rogue programmer would have far less effect on an election than one rogue Secretary of State does now.

Everyone in the country could verify the vote. There is no mysterious technology here. I want to put every vote in the public eye. To me, that's a far less vulnerable approach than 9 people on a court shutting down a recount.

In truth, you could still use this system with paper ballots (although it would make it less secure). Just post all the votes online with ID numbers after the ballots were counted.

:shrug:

I still haven't seen a flaw in this system which makes it worse than what we have now.

Which flaws are you talking about?

You have no goddam right to take my vote away from me. You have no right to grab my ballot, ask me how I want it filled out, and then fill it out where I can't see you doing it. If you say "But I'm a computer programmer!" that doesn't change a thing. You have no right to require specialized knowledge and extensive experience with computers to do something as straightforward and as essential to citizenship as voting. Everyone understands a mark on a piece of paper, and few understand the inner workings of computers.

expect there not to be flaws and problems, AND, of course, that we don't even have a right to vote, which means we don't really have a right to have our votes counted.

I'm surprised, however, to see a DUer trot out that vote-denying, fraud-enabling argument.

The simple answer to your question for me is this: I know of no way to ensure that there's nothing that comes between my vote and its proper tabulation, nothing that can ensure what I and even others "see" as the way it was tabulated actually IS the way it was tabulated. Further, the more technology that gets added, the more you need experts and the less transparent it becomes.

that's not my point of view, or PR. There are inherent risks, and different systems accept different risks as the least likely to skew the outcome. If you're going to deny that we have no discussion. You are wrong.

There is far less "technology" between you and your vote when you are voting this way. You see everyone's vote. You can count everyone's vote. You can confirm your vote is part of the count. Directly. That's something that paper ballots stuffed in locked boxes can never accomplish.

It's really about common sense. And I'm suspicious about the reasons this is being pushed so hard by the author of the thread.

I just can't understand why you persist in confusing a vote with a credit card transaction. For the latter, all you need is your own information. You have no access whatsoever to the dollar and transaction totals for any given merchant, nor do you know the dollar and transaction totals for your particular credit care issuer. And you could care less.

With voting, I care about my own vote, but having transparent and accurate TOTALS for candidates is the whole goddam POINT of having an election in the first place! Whythehhell would knowing only about my own vote tell me who won? Your system would let any hacker show my vote for Kerry to me and still count it as a Bush vote in the tabulator.

You can program the site to provide feedback to the voter after they vote AND manipulate the final totals. from a programming standpoint it wouldn't be hard to do.

I wish we could say there is a sure fire way to get around that but as long as humans are providing the code to run such a site - it will not be foolproof.

and every vote is listed online. How could someone manipulate the totals without you knowing right away?

are you saying the votes will appear then hand counted?

One example of how a programming can play with the results.. Fake IDs could be included with the vote of choice.. how would anyone know that by looking at the site?


The votes could appear.. but he final total be manipulated. When you're talking about millions of votes this is easy to get away with.

Voter ID President Local Initiative #1 Local Initiative #2

56827469182 Kerry Yes No
97509384796 Kerry No No
75983749570 Bush Yes Yes
98437209348 Kerry Yes No

etc etc.

Each campaign would be able to choose a percentage of the IDs to confirm they are legit. For example, Kerry's campaign would contact voter #75983749570 and ID them to be sure they exist and voted for Bush.

Any group or individual could download every vote and count them her/himself.

there are too many ways to get around this or any method that requres programming on any level. The method you describe is really no different than the voting machines in the long run with the exception of being able to 'see' the individual IDs etc.. The guts of what is running in the background can still be manipulated. When you have 2% checked, you still leave 98% that are not.

In a perfect world with honest people it would work great.

and would make manipulations of totals far more difficult than it is now.

Confirming 2% of the votes at random, over millions of votes, would provide an almost certain degree of likelihood that less than 1 in 50 votes had been faked. Possibly the percentage should be higher, but not by much (Q: Of the 122,293,332 votes cast for president in 2004, how many were confirmed by the voters themselves? A: Zero. Zilch. Nada.)

Nothing here assumes a perfect world. On the contrary, it assumes an imperfect world where everyone is trying to corrupt the vote in any possible way they can. Programming counts your vote right now, and it is programmed by a very small group of ahem, *motivated* individuals.

code reviews? etc..

it's not the method as much as the govt's lack of concern to verify things are correct as long as it is their self interest to not do it.

The freaking diebold machines can be setup to be foolproof but they won't as long as there is not accountability.

Those who don't have it are the poorest, the elderly and the homeless.
Those are the ones that a new internet voting model would most
disenfranchise, as surely there would be fewer voting precincts, and
even LESS likelihood that their votes would be counted.

Internet voting is another way of saying "rich" voting... a not-so
subtle regressive poll tax. Unless you can ensure that ALL voters get
to vote, the system is failed from the outset.

Otherwise, i agree, that it would be excellent, and with the correct
software designs, could be accountable and auditable without hacking
or fraud.

Just as well, remember that voting fraud is mostly performed at the
point of registration. I'd love to see how you see this "system" would
handle all registrations in real-time online. Would you put access in
to every post office, so that when you identity is authenticated by the
postmaster, they can put your registration through? Online regstration
databases, inquiry and voter servicing for problems such as wrong felon
lists and whatnot, are something that is just as, if not more so,
critical to fair electoral process.

and there would still have to be polling stations set up to accomodate people who don't have online access.

For registration, people would receive a username/password with the voter ID in the mail. The voting authority website would automatically ID them that way. Could their vote be hacked? Sure, with a lot of effort. But it almost doesn't matter. You can check your vote online afterward anyway. Any attempt to game the system would be discovered immediately.

I think the primary failure of such voting systems is that they
concentrate the vote in to a very small set of servers if not one
server, that, if hacked in to, can allow single-point election
corruption.

I would recommend a more complex architecture, where the site-server
is replicated (maintained a real-time mirror image) at the offices of
the main political parties as well as public images, so that there
is no single point, and if one server is hacked.... well, you know.

Another consideration, is to permit mobile telephone access, from a
voice menu as well in your electronic system, with push-button voting
much as is used in switzerland. A well designed software server can
integrate the internet with mobile and fixed line telecoms to provide
a more robust service thereby minimizing the problem of no-access.

But you point to another area of election reform in your original post.
This, i believe should be a separate bill, "the election margins of
error and runoff qualificaiton bill" If statistical margins are set
for what constitutes "within the margin of error", then elections that
fall in to that category can have runoffs, so that people are more
inclined to trust the democratic process given clear victories, and
not this bickering about sore losers. One need only observe any
close race to see how a runoff election would make things a lot
more pleasant (like washington state recently, and of course 2000
and 2004's bush frauds).

Great ideas all. :thumbsup:

--how would you check your vote? And why would it even matter, when you don't know what is going on in the goddam tabulator anyway?

I've not read the other responses so my points may have been addressed already.

You don't need a voter ID in the system if you're using RSA or some other public key system. You'd be better off allowing each voter to generate his own public key. The voter signs the vote with his private key and encrypts the vote and the signature with the voting authority's public key.

You would also need a side channel that can be used to pass the public keys from the voter to the central authority. For this, I would propose that the authority publish a different public key with which the voters public key can be encrypted. A voter registration ssytem in other words.

I would also consider building some sort of receipt system. Conceptually this is a paper trail but in reality it would just be a signed acknowledgement from the authority to the voter.

However, all online voting systems are broken in the sense that they are susceptible to voter coercion. For that reason alone I wouldn't ever trust an Internet solution.

IMO, putting a cross in a box in a designated polling booth is the only safe system.

The voter ID is so that anyone can go online and check their vote. Encryption is only used to prevent interception in transmission and a good degree of privacy. If we start requiring side channels, etc we open up a can of worms that is not even necessary.

How is this susceptible to voter coercion?

The only consideration in whether something is too complicated is how complicated it is for the end-user. In the proposed system there would be nothing required of the voter other than to decide who to vote for. Everything would be handled by the software automagically.

I also disagree that you'd be opening a can of worms. If anything this more complicated system would prevent a can of worms being opened. Your system is susceptible to man-in-the-middle attacks that are only detectable if the voter actually checks to see if the vote has been
cast correctly and I wouldn't trust the electorate to check. Better the computer does it each and every time.

on edit: this system also solves the problem of voters disrupting the vote by claiming that their vote has been registered wrong. In other words, they can't retract their vote once they've signed it.

"How is this susceptible to voter coercion?"

As it is, it would be obvious to election officers if someone had a gun to your head or was otherwise standing over you whilst you're casting your vote. Internet voting is susceptible to this; as are postal ballots IMO.

man-in-the-middle attacks would be virtually impossible with conventional SSL. What percentage of online transactions are hacked now, with far more personal gain to the hacker than one vote added to his/her favorite candidate's tally?

Re: side channels: if we had a small bit of information that is highly critical, like plans for a nuclear weapon, I would agree with you. But in this case a side channel by its very nature is a security breach that doesn't even need to be there, and complicates it for people who already have a hard enough time understanding it.

The penalty for attempting to buy even one vote now is $10,000 and is a felony. This risk/reward ratio makes the threat insignificant in regards to the outcome of an election.

With regards to man-in-the-middle attacks, there's no comparison between existing online transactions and the online voting system you propose. The voter ID in your system is not protected in any way and so anyone could vote in your name. Of course, you would discover this when you went to cast your vote for real but a man-in-the-middle could just intercept the transaction and route it to null. The only way to check against this is if the voter checks the vote, but since we're talking about men-in-the-middle what's to stop him from intercepting data from the remote computer to the voter?

With regards to the "side channel", I simply don't see how this is a security breach any more than the other parts of the system. I didn't describe it very well but I was thinking of the Shamir key exchange protocol. As far as I know, there's no flaws in this system.


FWIW, I like the core of your idea, that anyone can tally the vote at any time. Sort of like an "open-source" counting system: with many eyes watching, fraudulant activity can be detected far quicker.

One had better check the experience of the Internet founders who tested a vote among themselves and had a great deal of difficulty. I am not sure of their final thoughts about the process. But putting the entire election in cyberworld? The possibilities for fraud are limitless and invisible. It boils down to certain logical presumptions based on trust, simplicity and security, none of which may prevail against determined criminals inside and out, but especially inside. Voting by telephone was once an idea too and that had a voice record potential.

The government IS working towards voting online starting with overseas and military ballots. It is a nightmare plus sales pitch that will go the same way as touchscreen voting promotions.

I am sure someone can provide the basic links on the incredible insecurities of online voting but in essence it seems foolhardy even to consider it at this time when "ease and convenience" is a fraud beartrap for the trusting soul.

Right now you can trust your local people or at least see who is accountable. A cyber "authority" is exactly how accountable to a citizen now cut loose in a maze of electrons?

"Foolproof' is just plain wrong. However...

I am going to reject out of hand the idea that because it's on the internet it's more susceptible to fraud, when the exact opposite is true. It is far more transparent than what we have now. The advantage of convenience is not even a factor.

The voting authority is a necessary evil of any voting system. But why trust them with the vote count the way we do now, when everyone in the country can count the vote themselves?

If you can show me a specific possibility for significant fraud with this, I love to be educated. ;)

argument since I personally am not technically qualified to argue. But transparency of votes that are still private would seem to enable the existence of phantom voters and people who are no shows being replaced by frauds. It would only take a few logical tricks to convince a person online the tabulation was "OK". It really assumes we can be one big open small town where everything is above board. In fact, the goons we have now will clumsily complicate things and make fraud a way of life and you'll never see your system tried anyway.

It would change things and make the on the ground plethora of vote suppression such a thing of the past that one would hope people would forget the skills of hands on cheating. But I doubt that would be much of a benefit. An all or nothing method method trusting one central authority and one "unchanging" digital record is a big gamble at a very bad time, though they are doing so nicely they will likely only install online voting partially, suspiciously partially.

And the poor would have to queue up somewhere to get online and they would be still the probable victims in any small scams.

But really, someone with expertise should weigh in.

I am not convinced.

That many people here agree is needed. If you're not convinced I'm sorry, but you haven't explained why.

with encryption. And the lack of a verifiable permanent record only makes the issue of voter accountability even more nebulous. That is a problem and your proposal is not a solution.

By the way, you've been online answering questions about this over the past two days. Are you being paid to advocate this system? What's your involvement here? Why are you pushing this so hard?

that everyone has access to. It begins the moment the first vote is cast and extends indefinitely. Why can't it be hacked? Because its public information--everyone would know instantly if something was changed on the site.

Although your comments make it clear that you don't understand it, I really can't explain it any clearer than I have.

btw no I'm not being paid, but if you hear of a good advocate gig let me know--I could use the money :)

Why are you answering every post as though you are an expert?

Did you create the program?

And, BTW, I do not understand...nor would many others who would be asked to use the same type of system.

Transparency in voting is not just about data and systems, transparency is also about simplicity. The average American should be able to undertstand what happened to their vote. This doesn't make that happen and if you can't explain it or your strong advocacy better then, it just doesn't cut the mustard.

and simplicity is an essential part of public trust. It's actually far simpler than what we have now. And it's very possible I could be explaining it better than I am.

I'm not an expert. I'm a web designer with some math & programming background, with a nasty idea that is bugging me. I'm advocating only for the purpose of drawing people like yourself into the discussion to expose flaws, which is the only way to see if it's worth anything at all.

I'm setting up a website at pvvoting.org ("Publicly-Verified Voting"). Visitors will be able to request an ID, cast a vote, and view the process. I do appreciate your feedback and would welcome some when I get the site together.

With anonymous voting, there is little incentive to "buy" your vote because there's no way to know that you didn't take the money and vote as you wished.

With such a scheme you could verify your vote and collect a fee.

My (not unique) idea: Your vote generates a paper ballot. You inspect the paper ballot to insure it's correct, then place it in a lock box.

Outside governing entity is required to audit a certain percentage of voting locations to insure that the reported electronic tally matches the paper ballot count. Auditing is random and electronic tally must be submitted before audits.

If a certain number of errors are found, results are declared null pending count of paper ballots.

As with any good system, including paper ballot only, ONLY OUTSIDE THIRD PARTY AUDITS, which are random, insure the system is not crooked.

for recounts, there MUST be paper..
Have the ol' atm-type machine print out your vote on 2 (TWO) pieces of paper,, one for you and one for "the box" - which would constitute the legal ballot for recount purposes..

Andy had it right... Voter Verified Paper Ballots

the country voting is not a tinhorn dictatorship. The U.S. has certainly forfeited the right to that presumption.

your vote was counted. With the entire result of an election depending on an "impartial" third party (Diebold?) you're back to square one--trading one risk for another.

Risk/reward ratio makes buying votes a non-starter as has been put forth in many other posts on this thread. All it takes is one person to squeal and the buyer ends up in jail with a felony count.

neutral party whom all sides agree their findings are binding.

Paper backup and random audits "confirm" the result.

today who Democrats and Republicans would agree could confirm the results? I don't think there is.

Another way to hinder "vote buying" would be to provide the ID to the voter *after* they've actually voted, and only onscreen. It would be difficult for a vote seller to prove that they were the person who belonged to that ID.

I'm playing devil's advocate here. I agree that paper-trail audited voting is a good system. I'm not convinced it's the best.