FYI - [IP] Secret ballots the Tel-Aviv University way. Risks Digest 23.11

From: Karl Auerbach <karl_at_cavebear_dot_com>
Date: Thu Jan 08 2004 - 15:34:49 CST

FYI - this, from Dave Farber's IP list, may (or may not) be of interest
regarding how voting systems might be perceived.


---------- Forwarded message ----------
Date: Thu, 08 Jan 2004 15:22:08 -0500
From: Dave Farber <>
Subject: [IP] Secret ballots the Tel-Aviv University way. Risks Digest

Date: Thu, 01 Jan 2004 14:33:29 +0200
From: Yaron Davidson <>
Subject: Secret ballots the Tel-Aviv University way...

The elections for faculty representatives in the Tel-Aviv University student
union were held two days ago. (Now, this may be not as important as votes
for government, but many of the representatives run for actual political
parties, and there are serious sums of money involved higher up, so these
votes do have a meaning.)

In the last couple of years, for all the usual reasons, the voting
mechanism was changed to e-voting, namely a temporary PC with custom-made
software connected over the university LAN to a server. No paper audit of
course, have to match industry leading standards after all. The voting
process itself is quite simple. You pass a bar-code reader over the student
card to get an ID, select the faculty to vote in if you have more than one,
get a list of all available candidates for the faculty, click on small
"select" buttons next to those you want (with visual indications being both
a check-box next to the names, and a second list containing those you voted
for), and press a confirmation button.

No problems for me last year, but it seems many students had difficulties
with either the bar-code reader or the program interface. So, the delays
caused being apparently the most serious problem with the system, this year
we had a wonderful solution. Oh, yes, before that, if I forgot to mention,
votes of course must be secret, and they place a temporary barrier around
the computer preventing anyone from looking in at you while you vote.

I got to the computer, and a man with a badge claiming him a "voting
supervisor" or some such takes my student's card, passes the bar-code reader
in front of it, hands it back to me, motions toward the chair, and tells me
to go ahead and vote. But he stays there, and looks at me and at the
computer screen with a bored expression.

Me:"Eh... The votes are supposed to be secret..."
Him:"Yes, so?"
Me:"So you can see who I'm voting for"
Him:"Oh, don't worry about that. I'm not related to any of this. See?"
   and points to the nice badge.
Me:"What do you mean, not related. You're here, and you can see who I
   vote for. That's not secret!"
I get a "Why can't this idiot get it" and again
Him:"But it doesn't matter. I'm not even from this faculty. I don't care
   who you vote for."
Me:"But surely I can't know that. I do have a right not to have people
   seeing who I vote for". Heck, right, officially I'm not even supposed to
   have a choice, nobody should come in and look even if I want them to.
Him:"Look, I'm not here to look at your vote. We had lots of people
   having trouble understanding how to vote, and the reader couldn't handle
   about two thirds of the cards, so I'm just here to help students vote
   and save time. And you're holding up the line. Just vote already"
Me:"Fine, but not until you get outside this barrier and don't look in.
   This won't solve the very serious general problem here, but it will
   solve my immediate one and let me finish..."
So the dear fellow gets out with a bemused expression. I vote. I press the
confirmation button (15sec process so far, mostly spent locating my least
worse candidates in the rather long list). Then I have to wait around 20-30
seconds more because the confirmation screen insists on staying there with
my name and the candidates regardless of my clicking on it to make it go
away. All the while the "supervisor" muttering that it takes too long and
that's what he's there for. You want to speed up the process, put an OK
button on the confirm screen instead of time delaying it. That's 20 seconds
per student times several thousands of students, right there.

I go out, someone else gets in, and after he reads his cards and explains
what those "select" buttons are for to the poor soul, the "supervisor" turns
back to me still trying to figure out what the fuss is about.
Him:"You know, I really don't care about those votes. What I see doesn't
   matter. I don't know who you are or who the candidates are."
   I see one of our esteemed candidates standing there, point at her and
Me:"And I'm supposed to trust your word for it? How can I know
   you're not friends with her, or support the same party that's behind
   her? Maybe she bribed me to vote for her, and I could see I didn't?
   Maybe you just nod to her to indicate who voted and who didn't? It
   doesn't matter if none of these things are true. What matters is that it
   can theoretically be. You want to say the votes are not secret, take
   away this barrier, and let anyone see, fine. That's one way to do it.
   But if you claim the votes are secret, and go through all this trouble,
   then keep it secret and don't put someone in with me."
   At this point several other students on the line start to claim that
   I'm right, and another one asked him to look outside. A former student
   representative in the faculty gets there too and tries to mollify me by
   saying that she'd watch over him. Right.
   Anyway, then the guy comes up with another brilliant riposte.
Him: "Besides, if I wanted to see what you voted, I could just look it
   up at the server later, I wouldn't have to sit here and watch you"
Ah. So he's saying that:
1. It doesn't matter what he does is wrong and forbidden, since he can
    do the same thing in several different ways. Makes perfect sense to me.
2. He can see at the server not only total vote counts, but WHAT I
Me: "Are you trying to tell me your database doesn't hold an aggregate
   count of vote and a separate list of who voted, but a list of what every
   ID has voted?!"
Him: "Ah... Well... See... Err..."
Me: "Because that's very bad practice. You should never keep this
   information in the database in a way that's easily accessible. It would
   make a mockery of calling these elections secret." Oh, wait, aren't we
   doing that already? Hmmm...
Him: "No, no. Of course we only keep aggregative information. Sure.
   Certainly. No individual votes. Nope. Not at all." Well, he denies it
   three times, even more actually, so he must have been convincing. So why
   didn't I buy it? Well, let's attack on a different front.
Me: "So in that case you can't go to the computer later and see what I
   voted, then. You can only see the totals, but that will be published
   anyway. If you want to see what I voted, you have to look here" Or put a
   sniffer on a connected computer, or logging software on this computer,
   or... Anyway, there went argument #1. I'd have felt better to see #2 go but
   I'd have a hard time buying that now.

Unfortunately, by that time the former representative got really insistent
about making me stop making a fuss, and the "supervisor" just had to help the
current voter, so I left the scene.

At least they solved the problem of students not understanding the voting
system. It is a biggie. Imagine someone solving that whole butterfly-ballot
fiasco in the US by putting someone to help people punch the right hole, and
not to worry since he's from a different state so he really doesn't care...

