Re: open-audit elections

From: Ben Adida <ben_at_eecs_dot_harvard_dot_edu>
Date: Tue Dec 12 2006 - 12:06:42 CST


Thanks for the responses, these are all important points to address. I
want to clarify up front that open-audit elections is about ensuring
*all* of the security features you mentioned, not just personal

Let's start with the one aspect that is the least well understood:

Charlie said:

> 2) No transparency. Even if it did work, and was inviable, this is
> not self evident to joe voter. This lack of self evidence means two
> things first it means Joe voter's ignorance can be used to intimidate
> him. (e.g. tell immigrants you will be able to see how they
> voted). Second, in the event of an audit, no one really believes
> your black box results.

and Richard added:

> crypto invariably means a loss of transparency.

I disagree with the way you're using the terms "transparency" and "black
box." We shouldn't confuse complexity with lack of transparency. (We
shouldn't ignore complexity, of course, but let's call it by its name.)

Point #1: Current elections, even if they were to use open-source
software, lack transparency.

In Boston, optically scanned ballots are transported by police officers
from the precincts to City Hall, where they're counted in a
high-security area called "The War Room." Even with party observers in
the War Room, there's an obvious lack of transparency: everyday citizens
can't audit the process. It doesn't matter how hard you try, or how much
you learn, or how involved you try to be, the election is simply not
available for you to audit.

I don't think open-source would change that aspect (though it would
improve the front end of the process.)

Transparency means that you can see how it works, even if that requires
some complexity. (Again, I'm not dismissing complexity, I'm just calling
it by its name.)

Point #2: Self-evidence is not always a good yardstick.

There's a huge push in the US to move towards mail-in ballots. Mail-in
ballots are inherently coercible, with significant anecdotal evidence of
nursing-home coercion, implicit spousal coercion, and even union or
place-of-worship "ballot-filling-out parties."

So, the importance of the secret-ballot is not self-evident to voters,
even after 115 years of secret-ballot elections in the US. Yet most
people agree that the secret-ballot is a good thing for the system as a

Optical-scanning is also not self-evident. It's not obvious to folks
that improperly calibrated scanners, improperly filled-in ovals,
wrong-color markers, or a dozen other issues could result in the loss of
their vote. How the scanner works is not self-evident by any means.

Then take typical DREs (without paper or crypto trail.) They are
*really* simple to use. When they don't fail, voters love them. But we
know how opaque they actually are. So self-evidence again fails us here.

Point #3: Open-Audit means *anyone* can audit: it means you pick whom
you trust. It's the exact opposite of a black box.

I don't expect that most voters will audit the tally themselves. But the
point is, in an open-audit system, they *could*. More importantly, they
could easily call up the organization of their choice: ACLU, LOWV,
Democrats, Republicans, NRA, Family Research Council, etc... and ask
that organization: "how did things go?" In an open-audit election, any
such organization, *even if they have no privileged access to election
officials*, can perform the audit on their own, using only published
data about the election.

(Jerry referred to "checking things in Excel." That's exactly the right

With an open-source voting system, you can look under the hood of a
piece of election software. Things look simple, but when it comes time
to run the election, you have to trust that what you audited is still
running, unchanged, and that the chain of custody of ballots remains
un-compromised after casting.

With an open-audit voting system, you can look under the hood of the
*actual* election you're running, while it's running, all the way
through to the tally. It may be a bit complex under there, but you get
to pick your trusted mechanic who's going to tell you if it looks okay.
(Or you can learn how to be a mechanic and do it yourself.)

Complexity is certainly worth discussing, but let's not confuse
complexity and transparency. If anyone can perform the audit, it's
*more* transparent, not less.

OVC-discuss mailing list
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Sun Dec 31 23:17:10 2006

This archive was generated by hypermail 2.1.8 : Sun Dec 31 2006 - 23:17:16 CST