On Wed, 13 Dec 2006 14:38:04 -0500, Ben Adida wrote
> Ronald,
> > My plan is to put in place better CoC systems. The prototype is a hand-filled
> > paper ballot system where the ballots are counted at the precincts in which
> > they're cast, either by hand or via opscans. A randomly-selected subset of
> > precincts, sufficient to guarantee p=0.99 of finding at least one miscounted
> > precinct (should any exist) is then hand audited. Upon finding such a
> > precinct, further recursive audits are undertaken until either all the
> > precincts are audited or no more miscounted precincts are found. All of this
> > is done under full public supervision, and ideally by members of the public as
> > well.
> I wish you luck with that. I have significant issues with the
> auditability of such a system, but it certainly sounds better than what
> we currently have.

Please describe your issues. It is, of course, true that the process will
(like all processes) be imperfectly implemented. Not every precinct will do
everything right every time. Paper ballot CoC systems are susceptible to a
variety of local attacks. But their big advantages over e-voting systems are
(a) that they are basically immune to global attacks (to which e-voting
systems are uniquely susceptible) and (b) that they can effectively be
supervised by most members of the general public without much expert input.
> [...]
> > Ah, yet another level of complexity that most citizens won't understand the
> > first thing about and won't be able effectively to audit.
> This seems to be your recurring point.

Indeed it is.
> In my opinion, you've chosen a perception of security over actual
> security, for fear that actual security will be "too complicated."
> I'd like to work on simplifying truly secure systems so that they
> are acceptable enough, but not at the expense of real security.

I have chosen citizen participation over centralized election administration,
as I explained in my earlier note. I also have pointed out that crypto systems
are susceptible to a variety of subtle attacks (e.g., presentation attacks)
that can be detected only via rigorous, regular expert supervision. A system
that allows those attacks does not provide "real security." Crypto systems
(assuming, again, that they provide the guarantees you cite) solve only one of
several security problems inherent in voting systems. Please be careful not to
overstate what they do.
> >>> Instead, like all e-voting systems, they open attack vectors that are
> >>> ill-understood and easy to stab yourself upon.
> >> so you're proposing paper only?
> >
> > Yes, and ideally counted only by hand.
> You've chosen to ignore a number of real security issues with this
> approach, but it seems that you're okay with that because the system
> is simple and understandable. Again, it seems to me you've chosen perceived
> security over real security.

I am attempting to identify and classify as many of the issues with
hand-filled paper-based systems as I can so as to achieve at once a system
that is (a) open to effective supervision by the general public; (b) very
resistant to global attacks (e.g., insertion of malware at a vendor); and (c)
reasonably resistant to local attacks (e.g., ballot box stuffing).

> > Right. I don't, and I will. There's nothing personal in this; I just need to
> > know for my own satisfaction just how a proposed crypto system (e.g., VHTI)
> > works and what it really guarantees. Fortunately, I (believe that I) can do
> > this. Most citizens cannot and would have to trust you (or me).
> I'm not taking any of this personally. I'm disappointed that folks have
> so little confidence in what the public can understand.

Let's try to keep the rhetoric down. The fact is that the vast majority of the
public has no understanding of cryptography, and cannot, without consulting a
tiny coterie of experts, tell whether the guarantees you cite are exactly on
target or pure bunk.
> Transparency---using its dictionary definition that anyone can *see*
> what's happening, even if it's complicated---is the most important issue
> to me. I trust that people will find the experts they need to verify
> the system, as long as the user experience is simple enough, and as
> long as they can pick any expert they choose.

This is the nub of our disagreement. I want voting systems that most citizens
can fully supervise using only a small amount of expert input that's readily
available (the design of the sampling audits). You want voting systems that
require the general public to trust a tiny group of crypto experts, and that
(as I have shown) are open to a variety of subtle attacks that sidestep the
crypto guarantees by attacking other aspects of the systems (e.g., the
> It sounds like we have an intractable disagreement :)
> That said, I'm glad to see that there are so many folks passionate about
> improving elections and our democracy, even if we have strong disagreements.

Agreed ;-). I am glad that you're working on your approach, even though I
believe that it's not the right one. But please try to see where I'm coming
from with respect to public participation and the appropriateness (or not) of
citizens delegating to experts the authority over election administration, and
of centralizing that task.
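The sampling audit sketched at the top of this exchange (draw enough precincts at random that a miscounted precinct is found with probability at least 0.99, then escalate on any discrepancy) is concrete enough to compute. The following is an added worked example, not code from either correspondent. It assumes a model the message does not state: N precincts of which at least K are posited to be miscounted, where K is the auditor's choice for the smallest number of wrong precincts that could change the outcome; sampling is uniform without replacement, so the miss probability is hypergeometric. Precinct identifiers and tallies are constructed test data.

```python
"""Precinct sampling audit: sample-size calculation and escalation.

Added example; not part of the original thread.  Assumption (not on the
page): at least K of N precincts are miscounted, K chosen by the auditor as
the fewest miscounted precincts that could flip the result.  Precincts are
drawn uniformly at random without replacement.
"""
from fractions import Fraction
from math import comb
import random


def prob_miss(N, K, n):
    """P(a random sample of n precincts out of N contains none of the K bad ones).

    Hypergeometric: C(N-K, n) / C(N, n).  math.comb returns 0 when n > N-K,
    so the result is exactly 0 once the sample must include a bad precinct.
    """
    if not 1 <= K <= N:
        raise ValueError("need 1 <= K <= N")
    return Fraction(comb(N - K, n), comb(N, n))


def audit_sample_size(N, K, p=Fraction(99, 100)):
    """Smallest n with P(at least one miscounted precinct in the sample) >= p."""
    for n in range(N + 1):
        if 1 - prob_miss(N, K, n) >= p:
            return n
    return N  # unreachable: n = N always catches everything


def run_audit(reported, actual, K, rng, p=Fraction(99, 100)):
    """Simulate the escalating hand audit described in the message.

    reported / actual: dict precinct_id -> tally (opscan vs. hand count).
    Each round samples enough of the not-yet-audited precincts to keep the
    detection probability at p.  Any discrepancy triggers another round;
    a clean round, or running out of precincts, ends the audit.
    Returns (audited_ids, miscounted_ids) in examination order.
    """
    remaining = sorted(reported)
    audited, miscounted = [], []
    while remaining:
        n = audit_sample_size(len(remaining), min(K, len(remaining)), p)
        batch = rng.sample(remaining, n)
        found = [pid for pid in batch if reported[pid] != actual[pid]]
        audited.extend(batch)
        miscounted.extend(found)
        remaining = [pid for pid in remaining if pid not in batch]
        if not found:
            break
    return audited, miscounted


def make_election(num_precincts, bad_ids):
    """Constructed test data: 1000 votes per precinct, bad_ids over-reported by 50."""
    actual = {pid: 1000 for pid in range(num_precincts)}
    reported = {pid: actual[pid] + (50 if pid in bad_ids else 0)
                for pid in range(num_precincts)}
    return reported, actual


if __name__ == "__main__":
    # Cost of the guarantee as a function of K: with K = 1 ("should any
    # exist", taken literally) nearly every precinct must be hand counted.
    for K in (1, 2, 5, 10):
        print(f"N=100 K={K:2d} -> audit {audit_sample_size(100, K)} precincts")
    reported, actual = make_election(100, {17, 42, 63, 88, 91})
    audited, bad = run_audit(reported, actual, K=5, rng=random.Random(1))
    print(f"audited {len(audited)} precincts, miscounted found: {sorted(bad)}")
```

The first loop makes the point the quoted text glosses over: a 0.99 guarantee of catching *any* single miscounted precinct among 100 requires hand counting 99 of them, so a usable audit must fix K as the number of precincts that would have to be wrong to change the result, and that choice is itself something the public has to be able to check.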

