e voting (receipts, votebuying, brinworld)
Tim May
timcmay at got.net
Tue Nov 25 15:26:18 PST 2003
On Nov 25, 2003, at 11:21 AM, Trei, Peter wrote:
> Tim May [mailto:timcmay at got.net] wrote:
>
>> On Nov 25, 2003, at 9:56 AM, Sunder wrote:
>>> Um, last I checked, phone cameras have really shitty resolution,
>>> usually less than 320x200. Even so, you'd need MUCH higher
>>> resolution, say 3-5Mpixels to be able to read text on a printout
>>> in a picture.
>>>
>>> Add focus and aiming issues, and this just won't work unless you
>>> carry a good camera into the booth with you.
>
>> 1. Vinnie the Votebuyer knows the _layout_ of the ballot. He only
>> needs to see that the correct box is punched/marked. Or that the
>> screen version has been checked.
>
> I realize you big city types (yes, Tim, Corralitos is big compared to
> my little burg) have full scale voting booths with curtains (I used
> the big mechanical machines when I lived in Manhattan), but out here
> in the sticks, the 'voting booth' is a little standing desk affair
> with 18 inch privacy shields on 3 sides. If someone tried to take a
> photo of their ballot in one of those it would be instantly obvious.
>
> All I want is a system which is not more easily screwed around with
> than paper ballots. Have some imagination - you could, for example,
> set things up so the voter, and only the voter, can see the screen
> and/or paper receipt while voting, but still make it impossible to
> use a camera without being detected.

But how could a restriction on gargoyling oneself be constitutional? If
Alice wishes to record her surroundings, including the ballot and/or
touchscreen she just voted with, this is her business.

(I fully support vote buying and selling, needless to say. Simple right
to make a contract.)

I wasn't endorsing the practicality of people trying to use digital
cameras of any sort in any kind of voting booth, just addressing the
claim that cellphone cameras don't have enough resolution. Even 320 x
240 has more than enough resolution to show which boxes have been
checked, or to mostly give a usable image with a printed receipt.

As for creating tamper-resistant and unforgeable and nonrepudiable
voting systems, this is a hard problem. For ontological reasons (who
controls machine code, etc.). I start with the canonical model of a
very hard to manipulate system: blackballing (voting with black or
white stones or balls). Given ontological limits on containers (hard to
teleport stones into or out of a container), given ontological limits
on number of stones one can hold, and so on (I'll leave it open for
readers to ponder the process of blackball voting), this is a fairly
robust system.

(One can imagine schemes whereby the container is on a scale, showing
the weight. This detects double voting for a candidate. One lets each
person approach the container, reach into his pocket, and then place
one stone into the container (which he of course cannot see into, nor
can he remove any stone). If the scale increments by the correct
amount, e.g., 3.6 grams, then one is fairly sure no double voting has
occurred. And if the voter kept his fist clenched, he has strong
assurance that no one else saw whether he was depositing a black stone
or a white stone into the container. Then if the stones are counted in
front of witnesses, 675 black stones vs. 431 white stones is a fairly
robust and trusted outcome. Details would include ensuring that one
person voted only once (usual trick: indelible dye on arm when stones
issued, witnesses present, etc.). Attacks would include the Ruling Party
depositing extra stones, etc. And consolidating the distributed results
has the usual weaknesses.)

Things get much more problematic as soon as this is electronified,
computerized, as the normal "ontological" constraints evaporate. Stones
can vanish, teleport, be miscounted, suddenly appear, etc.

Designing a system which is both robust (all the crypto buzzwords about
nonforgeability, satisfaction of is-a-person or one-person constraints,
visibility, etc.) and which is also comprehensible to people who are,
frankly, unable to correctly punch a paper ballot for Al Gore, is a
challenge. I'm not sure either Joe Sixpack in Bakersfield or Irma Yenta
in Palm Beach want to spend time learning about
"all-or-nothing-disclosure" and "vote commitment protocols."

I know about David Chaum's system. He has gotten interested in this
problem. I am not interested in this problem. Moreover, I think working
on electronic voting only encourages the political process (though
implementing wide computer voting and then having more of the "winning
totals posted before polls close" exposures of shenanigans might be
useful in undermining support for the concept of democracy, which would
be a good thing.)

I don't say it's not a security problem worth thinking about. It
reminds me a lot of the capabilities stuff, including Granovetter
diagrams and boundaries. Probably a nice category theory outlook on
voting lurking here (e.g., voting as a pushout in an appropriate
category, or something whacky like that).

Electronic voting of the type being pushed now is going to cause some
major loss of faith in the system when some scandals emerge (and when
even analyzing the protocols and talking about what one has learned
results in a "cyst and decease" order from Diebold and that ilk).