Critical analysis of VoteHere

From: charlie strauss <cems_at_earthlink_dot_net>
Date: Sat Dec 13 2003 - 00:56:43 CST

Has there been a critical analysis of the VoteHere technology on this
forum or published elsewhere? If so please point me to it so I dont
waste your time.

Assuming there has not been I'd like to start a discussion on VoteHere.

the question is what are the problems with the VoteHere Scheme? So far
I see two flaws but perhaps they can be remedied. It does add a layer
of complexity but it may not be too bad since it does not require that
every voter actually check their receipt just some.

Here is a nutshell summary of how VoteHere Works for those that dont

"receipts don't work or allow coercion".

After selecting his votes on the touch screen the voter is presented
with a final summary of his choices and a "cast ballot" button.
But BEFORE the voter presses this button he is also given a paper
receipt which shows his choices in an easy-to-read code. THe voter
will take home the receipt, the vote is recorded electronically after
being cast.

When you were deciding who to vote for the ballot question looked like
"who do you want for president?"
Joe Blow (56)
Sam Jones (63)
Hilbert Holler (13)

Your final summary on screen looks like this:
Ballot ID: 5444321
president: 56 joe blow
senator: 32 jane doe

The receipt does not show the names just the numbers
Ballot ID: 5444321
president: 56
senator: 32

Before pressing the "cast ballot" button, the voter can if he wants to
verify the numbers on screen and receipt match.

The clever part here is that the relationships between the numbers and
the candidates names are different for every ballot. That for ballot
5444321, joe blow corresonded to the number 56, but on ballot 544321
joe blow might correspond to, say 15.
thus by not knowing how the mapping was randomly chosen, no one can
know by looking at your receipt who you voted for.

Now after the election is over, you decide you want to check your
ballot. You call the 800 number and punch in your ballot Id and it
gives you back the numbers and you can check them against your receipt.
  This way you know your ballot was counted as cast.

the final ingredient is this. the actual mappings between candidate
names and numbers for each ballot is known by the election officers is
publicly published in an encrypted form before the election.

--- that's mostly it---

So lets work a scenarios:
On the vote selection menu, the machine shows you that Joe Blow is 56
and sam Jones is 63 before you have voted, so it might seem that there
would be no incentive at this point to swap the numbers. (more on this
At the summary screen, but before you cast the vote you can verify the
receipt matches the number. And the machine cant change your number
after your vote since it could get caught by your phone call later.

So are there flaws. I can think of two, but maybe there are more.
1) suppose its known with virtual certainty that joe blow wil win.
Then if the machines simply swaps sam and joes numbers right from the
start then even though it does no know how an individual voter will
vote, it will reveres all the results giving Joes win to Sam.
    Solutions: the mapping is also printed out on a separate receipt
for the voter to check but not take home. THe mapping could be dropped
in a box for later spot checking by election officials.

2) How can you prove your receipt is a valid one. The votehere sytem
has the machine print a digital signature on the receipt to allow you
to prove the receiot is real. But suppose that when it wants to change
your vote it simply munges the digital signature so that you cant later
prove its a real receipt.
    Solutions: well if a lot of munged receipts turn up you know
something is wrong. But you could also simply pre-print all the
receipts with a watermark and skip the digital signature.

3) one might complain that this code stuff causes headaches for the
voter. But to work not every voter has to check every vote. Just some
spot checking by some voters is all that is required.

their solutions to ballot stuffing is to publish the voter rolls.


= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Wed Dec 31 23:17:09 2003

This archive was generated by hypermail 2.1.8 : Wed Dec 31 2003 - 23:17:18 CST