e voting (receipts, votebuying, brinworld)

Tim May timcmay at got.net
Tue Nov 25 15:26:18 PST 2003


On Nov 25, 2003, at 11:21 AM, Trei, Peter wrote:

> Tim May [mailto:timcmay at got.net] wrote:
>
>
>> On Nov 25, 2003, at 9:56 AM, Sunder wrote:
>>> Um, last I checked, phone cameras have really shitty resolution, usually
>>> less than 320x200.  Even so, you'd need MUCH higher resolution, say
>>> 3-5Mpixels to be able to read text on a printout in a picture.
>>>
>>> Add focus and aiming issues, and this just won't work unless you carry a
>>> good camera into the booth with you.
>
>> 1. Vinnie the Votebuyer knows the _layout_ of the ballot. He only needs
>> to see that the correct box is punched/marked. Or that the screen
>> version has been checked.
>
> I realize you big city types (yes, Tim, Corralitos is big compared to my
> little burg) have full scale voting booths with curtains (I used the big
> mechanical machines when I lived in Manhattan), but out here in the sticks,
> the 'voting booth' is a little standing desk affair with 18 inch privacy
> shields on 3 sides. If someone tried to take a photo of their ballot in one
> of those it would be instantly obvious.
>
> All I want is a system which is not more easily screwed around with than
> paper ballots. Have some imagination - you could, for example, set things
> up so the voter, and only the voter, can see the screen and/or paper receipt
> while voting, but still make it impossible to use a camera without being
> detected.

But how could a restriction on gargoyling oneself be constitutional? If 
Alice wishes to record her surroundings, including the ballot and/or 
touchscreen she just voted with, this is her business.

(I fully support vote buying and selling, needless to say. Simple right 
to make a contract.)

I wasn't endorsing the practicality of people trying to use digital 
cameras of any sort in any kind of voting booth, just addressing the 
claim that cellphone cameras don't have enough resolution. Even 320 x 
240 has more than enough resolution to show which boxes have been 
checked, or to mostly give a usable image with a printed receipt.


As for creating tamper-resistant and unforgeable and nonrepudiable 
voting systems, this is a hard problem. For ontological reasons (who 
controls machine code, etc.). I start with the canonical model of a 
very hard to manipulate system: blackballing (voting with black or 
white stones or balls). Given ontological limits on containers (hard to 
teleport stones into or out of a container), given ontological limits 
on number of stones one can hold, and so on (I'll leave it open for 
readers to ponder the process of blackball voting), this is a fairly 
robust system.

(One can imagine schemes whereby the container is on a scale, showing 
the weight. This detects double voting for a candidate. One lets each 
person approach the container, reach into his pocket, and then place 
one stone into the container (which he of course cannot see into, nor 
can he remove any stone). If the scale increments by the correct 
amount, e.g., 3.6 grams, then one is fairly sure no double voting has 
occurred. And if the voter kept his fist clenched, he has strong 
assurance that no one else saw whether he was depositing a black stone 
or a white stone into the container. Then if the stones are counted in 
front of witnesses, 675 black stones vs. 431 white stones is a fairly 
robust and trusted outcome. Details would include ensuring that one 
person voted only once (usual trick: indelible dye on arm when stones 
issued, witnesses present, etc.) Attacks would include the Ruling Party 
depositing extra stones, etc. And consolidating the distributed results 
has the usual weaknesses.)

Things get much more problematic as soon as this is electronified, 
computerized, as the normal "ontological" constraints evaporate. Stones 
can vanish, teleport, be miscounted, suddenly appear, etc.

Designing a system which is both robust (all the crypto buzzwords about 
nonforgeability, satisfaction of is-a-person or one-person constraints, 
visibility, etc.) and which is also comprehensible to people who are, 
frankly, unable to correctly punch a paper ballot for Al Gore, is a 
challenge. I'm not sure either Joe Sixpack in Bakersfield or Irma Yenta 
in Palm Beach want to spend time learning about 
"all-or-nothing-disclosure" and "vote commitment protocols."

I know about David Chaum's system. He has gotten interested in this 
problem. I am not interested in this problem. Moreover, I think working 
on electronic voting only encourages the political process (though 
implementing wide computer voting and then having more of the "winning 
totals posted before polls close" exposures of shenanigans might be 
useful in undermining support for the concept of democracy, which would 
be a good thing.)

I don't say it's not a security problem worth thinking about. It 
reminds me a lot of the capabilities stuff, including Granovetter 
diagrams and boundaries. Probably a nice category theory outlook on 
voting lurking here (e.g., voting as a pushout in an appropriate 
category, or something whacky like that).

Electronic voting of the type being pushed now is going to cause some 
major loss of faith in the system when some scandals emerge (and when 
even analyzing the protocols and talking about what one has learned 
results in a "cyst and decease" order from Diebold and that ilk).




