[clug] eVACS lives!

David Gibson david at gibson.dropbear.id.au
Tue Jan 27 02:32:10 GMT 2004


On Tue, Jan 27, 2004 at 11:52:20AM +1100, Martin Pool wrote:
> On 27 Jan 2004, David Gibson <david at gibson.dropbear.id.au> wrote:
> > On Sat, Jan 24, 2004 at 11:56:28AM +1100, Steve Jenkin wrote:
> > > Saw this on the ACM Technews list and thought that some of the
> > > contributors may still read the CLUG list.
> > > Love the way that 'Software Improvements' are
> > > 
> > > http://www.acm.org/technews/articles/2004-6/0121w.html#item1 [copied at
> > > end]
> > > 
> > > This summary points to the base article.  I'm sure there's many more.
> > > http://www.wired.com/news/evote/0,2645,61968,00.html
> > > 
> > > Canberra consistently 'punches above it weight' in IT, especially in
> > > Open Source.
> > > 
> > > Something I wasn't aware of [is this claim true?] - that the AEC was
> > > offered but did not want a 'VVPAT' - Voter Verified Paper Audit Trail.
> > > [A printer in _every_ polling booth - many $$$$]
> > 
> > Not just many $$$.  Printers just aren't reliable - they jam, mess up
> > prints, etc. etc.  When you're trying to guarantee various properties
> > about the number and nature of receipts printed, this makes life very
> > difficult indeed.  This, I think, is one of the primary reasons the
> > AEC didn't like the idea of a attempting to implement a vvpat.
> 
> Printing a receipt sounds fairly silly.  There are severe theoretical
> problems, aside from practicality and cost.
> 
> Australian elections are meant to be secret ballots.  Printing a
> record of how someone voted would encourage coercion or vote-buying by
> giving a record of how the person voted.

Printed receipts doesn't make this any worse though - the idea is that
they would go into a ballot box just like hand written ballot papers
do now.  At present you're *supposed* to drop your ballot paper in the
ballot box before leaving (and everyone does), but I gather that
electoral officials can't actually force you to do so.  This situation
would be similar with printed receipts.

> Printing a receipt does not address any important threat model.  If
> the machines are corrupt it would be trivial for them to print one
> thing and record another.  If the machines are merely flaky then it is
> easy to imagine that some votes would be lost after being printed.

I think the idea of a voter verified receipt is that they provide a
way (if expensive) of checking the integity of the process after the
fact.  You only actually do the checking if there is some other
evidence or suggestion of tampering/flakiness.  Presumably the idea is
that after comparing the paper records to the electronic records on
several (small?)  elections, people become more confident that the
software does indeed do what it is purported to.

If you think this allows for ambiguity due to pieces of paper being
dropped in the wrong place (or mangled by a printer), the inevitable
slight errors in a hand count, and voters being confused as to why
they seem to be voting twice (once on the computer, once by dropping
the receipt in the ballot box) then you're almost certainly right.
This is exactly the sort of problem Phil Green and the others at
Elections ACT were worried about with a paper audit trail.

> Printing out receipts does not give a credible voter-verified audit
> trail anyhow, since the voter cannot verify that that the vote was
> permanently recorded and counted.  There are crypto protocols to allow
> voters to verify the whole process and it might be nice to use them,
> but they are a very large change from how we vote at the moment[0].
> The paper voting system relies on trusted observers monitoring the
> process, so it is reasonable that electronic voting works the same
> way.

Yes, except that a piece of software is rather harder to scrutineer -
or at least requires much more specialised knowledge on the part of
the scrutineers - than the hand counting process.

> If you *did* go to a crypto protocol that allowed both verifiability
> and anonymity, then you lose the ability for humans to verify it.
> (Factored many 2048-bit numbers recently?)
> 
> If the receipt *does* show something different to how you meant to
> vote, how are you supposed to resolve this?

Quite.

> Electoral officials should not normally connect a completed ballot
> with the voter[1], but resolving any problems with a receipt probably
> involves the person presenting the receipt to an official and losing
> their anonymity.
> 
> You don't get a receipt for a paper vote.  Why should an electronic
> vote be any different?

-- 
David Gibson			| For every complex problem there is a
david AT gibson.dropbear.id.au	| solution which is simple, neat and
				| wrong.
http://www.ozlabs.org/people/dgibson
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url : http://lists.samba.org/archive/linux/attachments/20040127/2d8ceee3/attachment.bin


More information about the linux mailing list