Re: open-audit elections

From: Ben Adida <ben_at_eecs_dot_harvard_dot_edu>
Date: Wed Dec 13 2006 - 00:18:27 CST

Ronald Crane wrote:
> Even so, these systems still act as intermediaries between a voter and a presentation of the
> ballot. They are, therefore, capable of manipulating the presentation so as to
> influence, deceive, or even force the voter into choosing a candidate whom she
> would not, absent the attack, have chosen. For example, an attacker might
> program the system to omit a candidate from the ballot, to reorder the ballot,
> or to make a candidate difficult to select. Because this kind of attack can
> affect the votes a voter actually casts, it bypasses audits aimed at
> determining whether votes are counted as cast.

This is a very good point and here's how open-audit voting systems
generally address it: ballot preparation can be separated from ballot
casting. In other words, there's a machine that lets you prepare an
encrypted ballot, and a separate machine where you have to identify
yourself and cast your prepared ballot (this is called the Frog Method
by the Caltech/MIT project, and is further proposed by Josh Benaloh in
his recent paper.)

Thus, *during the election*, auditors can go audit the live ballot
preparation machines, to make sure they're presenting ballots correctly,
that they're calibrated appropriately, etc.... This is a particularly
effective auditing method, because you're interweaving real voters and
auditors, so that a malicious machine would have an impossibly hard time
not getting caught. It's obviously better than parallel auditing of
*different* machines, which is the best you can do with chain-of-custody
systems, since you can't really audit the real counting machines.


> There is always, somewhere, a trust problem for real elections. I would like
> to minimize it by making it as easy as possible for ordinary citizens, with
> minimal or no expert input, to use their native intelligence and common sense
> effectively to audit their elections. Paper systems come much closer to
> allowing this than do crypto systems.

Do you agree that, if folks *could* find experts they trusted to verify
the crypto, or if they could learn it themselves, then crypto-based
systems would provide *far* better auditability than chain-of-custody
based systems?

If you don't agree, then I have not clearly explained the power of
open-audit voting.

If we're left discussing whether it's possible to find the right
experts, then that's a fairly satisfying conclusion for me, because
that's an easily quantifiable thing once we have a full system to
evaluate. I'm happy if we've reduced the disagreement to this one point.


OVC-discuss mailing list
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Sun Dec 31 23:17:11 2006

This archive was generated by hypermail 2.1.8 : Sun Dec 31 2006 - 23:17:16 CST