Paul Crowley (ciphergoth) wrote, 2004-01-24 04:44 pm

New York Times coverage of electronic voting

I can't normally be bothered with lying to the NYT registration form every time I want to read an article, but these seemed worth reading.

Democracy at Risk, Paul Krugman (thanks to vvalkyri)

The Perils of Online Voting, Editorial (thanks to webcowgirl)

That last annoys me a little. It finishes:

"What is clear, however, is that until the vulnerabilities they identified are eliminated, the risks are too great."

Contrast with conclusion (e) of the report itself:

"The vulnerabilities we describe cannot be fixed by design changes or bug fixes to SERVE. These vulnerabilities are fundamental in the architecture of the Internet and of the PC hardware and software that is ubiquitous today. They cannot all be eliminated for the foreseeable future without some unforeseen radical breakthrough. It is quite possible that they will not be eliminated without a wholesale redesign and replacement of much of the hardware and software security systems that are part of, or connected to, today's Internet."

This makes it clear that it's not a question simply of ensuring that "the vulnerabilities they identified are eliminated", but one of abandoning Internet voting altogether for the foreseeable future.

Is it possible in principle?

pavlos.livejournal.com 2004-01-24 07:06 pm (UTC)
Actually, I find the experts' findings milder than my intuitive guess. I would have guessed that even with perfectly secure computing infrastructure (for general use), you could only achieve two of the following:

  • Accountable results.

  • Anonymous ballot.

  • Robust against voter apathy.

  • Robust against identity stuffing.

Three out of these would be good, but it doesn't seem obvious how to do that even in principle. I have in mind an insider attack against the voting code and a defense by issuing cryptographic voting certificates to voters and asking them to verify theirs in the public record.


As always, IANAC.


Pavlos

Re: Is it possible in principle?

ex-meta.livejournal.com 2004-01-25 08:28 am (UTC)
Right. The experts are being wildly optimistic. Even if we had a 100% secure Internet and issued everyone with tamper-proof voting terminals in their homes, the system would still be open to abuse--people could sell their votes, and the buyer could watch them vote to ensure compliance. There would be no hope of detecting this.

Re: Is it possible in principle?

pavlos.livejournal.com 2004-01-25 03:00 pm (UTC)
Eeek, sorry for my garbled HTML! Yes, I understand that coercion and vote selling is an issue and that is why traditional ballots are anonymous AND do not issue voting certificates. Here I was thinking whether it's possible to build a voting system which is all of the above:
  • Untrusted. While appearing plausible, it could implement any function cleverly crafted by an insider.
  • Verifiable. Anyone could independently confirm the results (or prove fraud) using the published output, with respect to votes that they know.
  • Anonymous. Does not force voters to reveal their vote except to the verifying agent.
Such a system would be very robust if A. The great majority of voters bother to confirm their votes, B. They have the trusted equipment to do so, and C. The benefits outweigh the social risks of issuing voting certificates.

Pavlos

Actually I mean "voting receipts"

pavlos.livejournal.com 2004-01-25 03:45 pm (UTC)
I just realised my comments would have made more sense if I had used the term "voting receipts" instead of "voting certificates". A voting receipt is some cryptographic ticket you can use to prove what you voted, if you choose to do so, for example MD5 sum of voterID+passphrase+vote.
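
The receipt check described in this comment, as an added example that is not part of the original thread: a voter recomputes their receipt and looks it up in the published record to see whether the vote was kept, altered or dropped. The record layout, the function names, the sample ballots, the use of SHA-256 in place of MD5 and the length-prefixed field encoding are all assumptions; the naive version is kept alongside because plain concatenation lets two different voterID/passphrase splits produce the same receipt.

```python
import hashlib
import hmac
from collections import Counter

def naive_receipt(voter_id, passphrase, vote):
    # Literal reading of the comment: MD5 over the plain concatenation.
    return hashlib.md5((voter_id + passphrase + vote).encode()).hexdigest()

def receipt(voter_id, passphrase, vote):
    # Assumption: SHA-256 swapped in for MD5, and each field length-prefixed
    # so that different (id, passphrase, vote) splits cannot hash alike.
    h = hashlib.sha256()
    for field in (voter_id, passphrase, vote):
        data = field.encode("utf-8")
        h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()

def publish(ballots):
    # Hypothetical public record: one (receipt, recorded_vote) row per ballot.
    return [(receipt(v, p, c), c) for v, p, c in ballots]

def tally(board):
    # Anyone can recount from the published rows.
    return Counter(vote for _, vote in board)

def check_my_vote(board, voter_id, passphrase, vote):
    # Returns "ok", "altered" (row present, vote changed) or "missing".
    want = receipt(voter_id, passphrase, vote)
    for published, recorded in board:
        if hmac.compare_digest(published, want):
            return "ok" if recorded == vote else "altered"
    return "missing"

# Constructed sample ballots: (voterID, passphrase, vote).
BALLOTS = [
    ("alice", "correct horse", "A"),
    ("bob", "battery staple", "B"),
    ("carol", "tr0ub4dor", "A"),
]
BOARD = publish(BALLOTS)

if __name__ == "__main__":
    print(tally(BOARD))
    print(check_my_vote(BOARD, "bob", "battery staple", "B"))
```

The same receipt that lets a voter prove fraud also lets them prove their vote to a buyer or coercer, which is the trade-off raised earlier in the thread.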