Re: open-audit elections

From: Ronald Crane <voting_at_lastland_dot_net>
Date: Wed Dec 13 2006 - 00:46:41 CST

On Wed, 13 Dec 2006 01:18:27 -0500, Ben Adida wrote
> Ronald Crane wrote:
> > Even so, these systems still act as intermediaries between a voter and a
> > presentation of the
> > ballot. They are, therefore, capable of manipulating the presentation so as to
> > influence, deceive, or even force the voter into choosing a candidate whom she
> > would not, absent the attack, have chosen. For example, an attacker might
> > program the system to omit a candidate from the ballot, to reorder the ballot,
> > or to make a candidate difficult to select. Because this kind of attack can
> > affect the votes a voter actually casts, it bypasses audits aimed at
> > determining whether votes are counted as cast.
>
> This is a very good point and here's how open-audit voting systems
> generally address it: ballot preparation can be separated from ballot
> casting. In other words, there's a machine that lets you prepare an
> encrypted ballot, and a separate machine where you have to identify
> yourself and cast your prepared ballot (this is called the Frog
> Method by the Caltech/MIT project, and is further proposed by Josh
> Benaloh in his recent paper.)
>
> Thus, *during the election*, auditors can go audit the live ballot
> preparation machines, to make sure they're presenting ballots
> correctly, that they're calibrated appropriately, etc....

This is yet another layer of testing that ordinary citizens won't understand
the need for, and that must, therefore, be delegated to experts. The deeper
you go, the more complex it gets, as with chain-of-custody e-voting systems.

> This is a particularly effective auditing method, because you're
> interweaving real voters
> and auditors, so that a malicious machine would have an impossibly
> hard time not getting caught.

Not so impossibly hard. It's really quite easy for auditors to slip up and do
something that permits a sufficiently crafty attacker to distinguish an
auditor from a real voter, e.g., using the same voter cards over and over.

There's also the whole new area of attacks against parallel (or interleaved)
testing. For example, a vendor might decide to use an RFID card to activate its
machines for voting instead of a smart card (more durable, cheaper, harder for
voters to break...) [1]. An attacker might then program the machine to scan
not just the card in the reader, but the "voter" herself for RFID tags. If it
finds a constellation of RFID tags that it's previously seen, it knows that
the voter is an auditor. Within a few years, RFID tags will be ubiquitous
enough to make this attack workable.

Or a vendor might build a proximity sensor into its machine to welcome the
voter as she approaches (great for blind voters, right?), to turn on the
screen, etc. An attacker might then program the machine to determine whether
the person in front of it goes away after casting each ballot. If the person
doesn't, she's an auditor.

Cryptographic systems do nothing to end this game of cloak and dagger.
Instead, like all e-voting systems, they open attack vectors that are
ill-understood and easy to stab yourself upon.

> > There is always, somewhere, a trust problem for real elections. I would like
> > to minimize it by making it as easy as possible for ordinary citizens, with
> > minimal or no expert input, to use their native intelligence and common sense
> > effectively to audit their elections. Paper systems come much closer to
> > allowing this than do crypto systems.
>
> Do you agree that, if folks *could* find experts they trusted to verify
> the crypto, or if they could learn it themselves, then crypto-based
> systems would provide *far* better auditability than chain-of-custody
> based systems?

I still need to plow through the VHTI paper to better understand what
guarantees crypto systems really provide. Before I do that, I will not venture
an opinion on the relative merits of crypto systems' auditability versus that
of chain-of-custody systems.
> If you don't agree, then I have not clearly explained the power of
> open-audit voting.

Um, your explanation is a gloss over a very complex machine. I need to
understand the machine to judge the gloss. As I said, I'll examine the VHTI
paper again, and see whether I can completely understand it. At that point I
might have something more to say about what crypto voting systems really
guarantee.

> If we're left discussing whether it's possible to find the right
> experts, then that's a fairly satisfying conclusion for me, because
> that's an easily quantifiable thing once we have a full system to
> evaluate. I'm happy if we've reduced the disagreement to this one point.

Please see my recent message on citizen supervision of government for more
background on why I oppose systems that require lots of expert input to
effectively audit.

-R

[1] For example, Avante uses ISO 14443 short-range RFID cards in its
Vote-Trakker. These aren't the same as ordinary RFID tags, but ISO 14443 cards
are now being built into cell phones (e.g., for instant payments), so they,
like ordinary RFID tags, will soon become ubiquitous.
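A small model of the point argued in this exchange (interleaved audits of a live ballot-preparation machine catch a cheating machine only if it cannot tell auditors from voters), added here as an example and not part of the original message; the per-ballot cheat rate p, the leak "recall" r (fraction of auditor sessions the machine recognises through a side channel such as reused cards) and the independence assumptions are mine.

```python
"""Detection power of interleaved (parallel) audits of a ballot-preparation
machine. Added example, not from the original thread; model is an assumption.

Assumed model: the machine misrenders a ballot it believes belongs to a real
voter with probability p. An auditor who is served a misrendered ballot notices
it. A side channel lets the machine recognise each auditor session with
probability r (r = 0: no leak; r = 1: perfect leak); recognised sessions are
served honestly, so only unrecognised auditor sessions can expose the machine.
"""
import math
import random


def p_caught(p: float, audits: int, recall: float = 0.0) -> float:
    """P(at least one of `audits` auditor sessions sees a misrendered ballot).
    Per session the machine is exposed with probability (1 - recall) * p."""
    per_session = (1.0 - recall) * p
    return 1.0 - (1.0 - per_session) ** audits


def audits_needed(p: float, confidence: float, recall: float = 0.0):
    """Smallest number of auditor sessions with P(caught) >= confidence.
    Returns None when detection is impossible (p == 0 or a perfect leak)."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    per_session = (1.0 - recall) * p
    if per_session <= 0.0:
        return None
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - per_session))


def simulate(p: float, audits: int, recall: float,
             trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo cross-check of p_caught over `trials` independent elections:
    each auditor session is recognised w.p. `recall`, otherwise cheated w.p. p."""
    rng = random.Random(seed)
    caught = 0
    for _ in range(trials):
        for _ in range(audits):
            if rng.random() >= recall and rng.random() < p:
                caught += 1
                break
    return caught / trials


if __name__ == "__main__":
    # How many interleaved audits reach 95% confidence against a machine that
    # cheats on 10% of ballots, with no leak versus a leak revealing half the auditors.
    print("no leak:", audits_needed(0.1, 0.95, 0.0))
    print("half the auditors recognised:", audits_needed(0.1, 0.95, 0.5))
    print("perfect leak:", audits_needed(0.1, 0.95, 1.0))
```

The numbers show the asymmetry Crane describes: a leak that lets the machine recognise half the auditor sessions roughly doubles the audits needed for the same confidence, and a perfect leak makes the interleaved audit worthless regardless of how many auditors are sent.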
_______________________________________________
OVC-discuss mailing list
OVC-discuss@listman.sonic.net
http://lists.sonic.net/mailman/listinfo/ovc-discuss
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================