Re: Critical analysis of VoteHere

From: David Jefferson <d_jefferson_at_yahoo_dot_com>
Date: Fri Dec 19 2003 - 18:11:18 CST

Folks, as I read the discussion of the VoteHere system, I get
the feeling that we are looking for reasons to dislike it,
instead of looking at the contribution it makes. The VoteHere
people are very smart and know what they are doing. They do not
make false claims for their systems as far as I have seen. Do
not hash them into the same bin as Diebold.

The point of their voting receipt is to prove to the VOTER (not
a 3rd party) that the voter's intent was captured correctly by
the machine. This it manifestly does do. Of course, it does
not prove that the votes are later counted correctly. But to be
fair, when a paper ballot image is printed and the voter
verifies it, that also does not prove that the ballot is later
counted correctly.

It is also true that with paper ballot images, you can have a
meaningful recount (under the assumption that none of the paper
ballots have been lost). It is also true that with the VoteHere
system, you cannot use the receipts for any kind of meaningful
recount, and they do not claim that. Instead, VoteHere actually
has a much stronger system than recounts for backend processing
of ballots, namely, the production of a formal,
cryptographic-based, mathematical proof that no ballots have
been lost, forged, or added incorrectly, a concept that has no
analog in the paper world. This formal proof can be published
on the Web, and is checkable by anyone, and indeed one can
imagine the Democrats, Republicans, and Communists all hiring
their own experts to write proof-checkers (a simple task) so
they do not have to believe each other's (or the government's)
proof checker.

This proof is irrefutable; it is a far stronger basis for the
claim that the election is OK than any recount, since counting
is fraught with opportunities for error, whether done by machine
or human. Remember, there is nothing that can be done about a
lost paper ballot, and no recount can fix it.

I have no connection with VoteHere, and am not promoting their
products. But I do know them and their work, and I don't think
they can be easily dismissed. They are, as I said before, the
only "vendor" doing original research in voting system security,
and they do know what they are doing.

My point is not that the VoteHere system is "better" than the
paper ballot system. (It certainly is not understandable in all
detail to non-cryptographers.) I just think that it should be
criticised with full knowledge of the system and the rationale
behind it.


--- Edward Cherlin <> wrote:
> On Wednesday 17 December 2003 06:38 pm, Clay Lenhart wrote:
> > On Sun, 2003-12-14 at 19:43, Arthur Keller wrote:
> > > That's why we need to have an FAQ, as I have proposed, on
> > > the differences between a voter-verified RECEIPT and a
> > > voter-verified BALLOT. Even a receipt does NOT ensure that
> > > the vote recorded in the computer is correct, and it does
> > > not ensure the ability to do manual recounts. Only voter
> > > verified BALLOTS do that. This is, in fact, a most
> > > important lesson from our demo, a point we need to make loud
> > > and clear. It is an important distinguishing factor between
> > > us and DREs with printers. Unless the receipts are
> > > themselves counted, the computer could print what the user
> > > wanted and the user's ballot recorded on the computer could
> > > still be wrong.
> >
> > I agree too, that receipts are not very useful.
> Receipts make secret voting impossible, as discussed on another
> thread recently.
> > The
> > verification *data* (the receipts) is dispersed among millions
> > of people. It would be difficult to prove that something
> > might be wrong with the electronic copies to force a count of
> > the real (paper) ballots since a group of lawyers would not
> > have all the verification data in their hands to prove the
> > electronic ballots are wrong. The receipts only give a warm
> > and fuzzy feeling for voters,
> Except those under some compulsion to prove how they voted.
> > but do not prove that their
> > ballot was counted -- just that their ballot is in a pool of
> > ballots *claimed* to be counted correctly. It also does not
> > detect if extra illegal electronic ballots are in the pool of
> > ballots.
> >
> > It would be better to have all verification data accessible.
> > To give an example, if the electronic ballots are signed with
> > public/private keys, then the public keys, signatures and
> > ballots would be available for anyone to download, verify the
> > signatures, and count the ballots themselves*.
> >
> > Having voter-verified receipts is not bad, just less useful
> > than verification schemes that can verify the *whole* process.
> > If they can be included without conflicts, sure.
> >
> > -Clay
> >
> > * The simple pub/priv key scheme is not very good: it doesn't
> > detect inserts or deletes, but you could add to the
> > verification data a signed list of ballot numbers printed by
> > the voting machine -- but then you have the paper jam issue
> > where you will have signed ballot numbers but the ballots
> > legitimately should not be in the count.
> Sign a digest of the scanned and verified ballots. This has been
> discussed in another thread.
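
Added example, not part of the original thread or of any poster's or vendor's code: a Python sketch of the footnote's point that per-ballot signatures miss inserted or deleted ballots, and of the reply's suggestion to sign a digest of the verified ballots. HMAC-SHA256 stands in for the machine's public-key signature so it runs on the standard library; all names and the sample ballots are constructed assumptions.

```python
import hashlib
import hmac

# Assumption: HMAC-SHA256 is a stand-in for the voting machine's public-key
# signature. With a real scheme, anyone could verify using the public key.
MACHINE_KEY = b"constructed-demo-key"


def sign(data):
    return hmac.new(MACHINE_KEY, data, hashlib.sha256).digest()


def verify(data, sig):
    return hmac.compare_digest(sign(data), sig)


def encode(ballot):
    number, choice = ballot
    return f"{number}:{choice}".encode()


def per_ballot_ok(pool):
    """Footnote scheme: every ballot in the pool carries a valid signature."""
    return all(verify(encode(b), sig) for b, sig in pool.items())


def set_digest(ballots):
    """Digest over the whole verified set, in ballot-number order."""
    h = hashlib.sha256()
    for b in sorted(ballots):
        rec = encode(b)
        h.update(len(rec).to_bytes(4, "big") + rec)  # length prefix keeps framing unambiguous
    return h.digest()


def digest_ok(pool, signed_digest):
    """Reply's scheme: the pool must match the digest signed at close."""
    return verify(set_digest(pool), signed_digest)


# Constructed sample data: three verified ballots, plus ballot 4, which the
# machine signed but which was spoiled (the paper-jam case) and must not count.
verified = [(1, "A"), (2, "B"), (3, "A")]
spoiled = (4, "B")
signatures = {b: sign(encode(b)) for b in verified + [spoiled]}
closing_sig = sign(set_digest(verified))  # signed once, over verified ballots only

honest = {b: signatures[b] for b in verified}
deleted = {b: s for b, s in honest.items() if b != (2, "B")}  # one ballot dropped
inserted = {**honest, spoiled: signatures[spoiled]}           # spoiled ballot slipped in
```

The per-ballot check accepts all three pools, because every remaining or inserted ballot still carries a valid signature; only the signed set digest distinguishes the honest pool from the altered ones.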
