

Cryptographic voting system developed by MIT prof has first real world trial - davidbalbert
http://web.mit.edu/newsoffice/2009/rivest-voting.html

======
JimmyL
Hint: the MIT prof referenced in the headline is Ron Rivest, the R in RSA.

While the description ("MIT prof") is factually correct, that's like
describing Donald Knuth as a "Stanford prof". Both place the focus on the
affiliation, whereas (at least with this crowd) the identity of the professor
is more interesting and eye-catching.

~~~
jeremyw
The article fails to mention the principal driver of this technology, David
Chaum. The system is a descendant of Chaum's prior voting works with broader
participation.

~~~
jacquesm
David Chaum was/is the guy behind 'digicash'.

------
ghshephard
This combines much of what I've wanted in a voting system:

o Physical Tokens - Something people can see and touch. Something that human
beings can physically recount if they have to and will (at random) to confirm
that the automated system has not been compromised.

o Cryptographic Verification - I can check after the fact to determine if my
vote was counted. Supposedly only 2% of the population needs to check to
determine if there was a compromise.

o Simple Counting system - The computer code required to count how many votes
were cast for each party should be relatively straightforward and easy to
verify.

After thinking about this for a while I'm not sure what happens with the False
Positives - what if I write my number down incorrectly and can't find it after
voting. I suspect that a certain number (0.5%?) will do so and now be
convinced that there was fraud with the new system. Possible downside. Of
course, the electoral commissioner will be able to take this into account -
Let's say we have 100 Million people voting, and that 4% of those check their
votes, and that 0.5 % of the people who checked their votes wrote the number
down incorrectly, and 10% of those people report it to the electoral
commissioner, there should be about 2,000 reports, on average, of Fraud.

Now - what about DELIBERATE false positive - an attack on this system is now
to have the losing party overwhelm the electoral commissioner with reports of
fraud.

The great thing about a system with Physical Tokens (Paper) is you can have
scrutineers from both parties, in the presence of independent observers,
_physically watch people count tokens and challenge_

Physical Ballot Box stuffing in a first world country is next to impossible,
as long as you have strong representation from the population during the
casting of votes and counting.

I hate the idea of purely electronic voting for things where the incentive to
cheat is huge, and the recourse for the ordinary citizen to help ensure that
the count is fair is absent.

Let's hope that this system (or something like it) takes off.

~~~
bayareaguy
_I write my number down incorrectly and can't find it after voting._

Straightforward error correction techniques would help identify and compensate
for minor errors and simple adding machine style receipt printers incorporating
such logic could be made available within voting booths. Voters who want a
receipt would just type the revealed code into the printer.

------
ars
Voting is more complicated than it seems.

Here are two rules I discovered about voting that are quite non-obvious:

You can not print out a receipt of the votes, in order. Because in a small
town, someone could write down the order that people show up, and then
correlate it with the order of votes on the receipt. (This is why paper trails
of electronic votes were never implemented.)

The voter must never be given a receipt that allows a third party to verify
who they voted for. This is because it allows vote buying: I buy votes, and
you show me your receipt and prove you voted for who I want before getting
paid.

This system fails the second rule, and thus will never be implemented widely.

~~~
Dove
Actually, it doesn't. The correlation between the revealed code and the
selected candidate is not published.

~~~
by
But there's a difference between "not being published" and not existing.
Unpublished information is still available to some group of people, stored on
disks etc. It could be accidentally or deliberately released. Given the amount
of confidential information that does get inappropriately released I would
expect this information to, at some point, be seen by people who shouldn't
have access to it. Better that the files don't exist in the first place. Maybe
it could be a probabilistic correlation set at a level which would require a
number of votes to obtain sufficient certainty.

------
nzmsv
One problem is that voter turnout is generally low. And as far as I can tell,
there is nothing in the system to stop a lot of fake ballots from being
counted. And it's not possible to claim that a turnout of 75% is fraud, even
if the usual turnout is around 50. Russian elections routinely get 95% turnout
with almost no one going to the booths.

There needs to be a way to verify whether a person has _not voted_. Could be
based on SSN in some way. But it also has to be simple to use.

~~~
ars
They thought of that. I didn't catch the details but they have something
called the "Unused Ballot Audit".

[http://sites.google.com/site/takomapark2009audit/audit-data/...](http://sites.google.com/site/takomapark2009audit/audit-data/unused-ballots)

------
yason
This is tangential but I must:

Oh, oh why someone like Ron Rivest allows himself to be associated with a name
like "Scantegrity". It's a name I could expect to see in the title of the next
Doghouse on Bruce Schneier's blog. And it almost reads like Scam-tegrity. D'uh.

To offset the above, there's a nice summary of the system on Wikipedia as
well: <http://en.wikipedia.org/wiki/Scantegrity>.

------
eli
I've read the details of this system. It's quite clever, but it won't work.

The problem is not people "hacking" elections. Actual instances of voter fraud
or attempted voter fraud are extremely rare in this country.

The problem is the _perception_ of fraud. And this system is WAY too
complicated for anyone to understand. Sure, it's great and I hope it gets
adopted all over, but _actual_ security at the polls was never really the
issue.

~~~
gfodor
From the voter's perspective I fail to see how this is in any way more complex
than what they currently do. Fill in a bubble. (Hell, some of them used a pen
anyway, so it was literally the same as they were doing before.)

The only extra complexity is an _optional_ post-vote verification of your vote
online.

I don't see how one can be so sure of the low frequency of voter fraud when
the whole point of this system is to make it something that's actually
possible to detect.

------
sweis
Ben Adida has been blogging about the election and verification in Takoma
Park: [http://benlog.com/articles/2009/11/09/takoma-park-verifying-...](http://benlog.com/articles/2009/11/09/takoma-park-verifying-the-shuffle-and-the-unopened-ballots/)

------
tspiteri
Being able to confirm your vote later using a serial number may be convenient,
but it makes it possible to sell your vote. I could offer my vote for sale and
then give the serial number to the buyer so that he makes sure I voted the way
I was supposed to.

~~~
falsestprophet
That is false. The purpose of the code business is to make votes anonymous.

 _The key to the system is that before the election, the election commission
prepares a set of tables that, taken together, link the ballot codes and the
candidates’ names; but that link can’t be deduced from any one table by
itself._
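
A simplified model of the table arrangement the quoted passage describes, added here as an example and not taken from the article or from Scantegrity's own code. The table names P, R and S, the three-digit codes and the six constructed ballots are assumptions, and the commitments a real election would publish beforehand are left out. An auditor opens only one side of each link row, so a receipt code is never shown next to a candidate.

```python
import random

CANDIDATES = ["Alice", "Bob"]  # constructed race (assumption)

def build(n_ballots, rng):
    """Private table P[ballot][cand] = code, plus shuffled link table R."""
    pool = rng.sample(range(100, 1000), n_ballots * len(CANDIDATES))
    P = {b: {c: str(pool.pop()) for c in CANDIDATES} for b in range(n_ballots)}
    # Each candidate column of tally table S gets its own secret row order.
    slot = {c: rng.sample(range(n_ballots), n_ballots) for c in CANDIDATES}
    R = [{"q": (b, P[b][c]), "s": (c, slot[c][b]), "flag": False}
         for b in P for c in CANDIDATES]
    rng.shuffle(R)
    return P, R

def cast(P, R, receipts, s_marks, ballot, cand):
    """Record a vote: publish (ballot, code), flag the R row, mark the S cell."""
    code = P[ballot][cand]
    row = next(r for r in R if r["q"] == (ballot, code))
    row["flag"] = True
    receipts[ballot] = code
    s_marks.add(row["s"])
    return code  # the confirmation code the voter takes home

def tally(s_marks):
    """Count marks per candidate column of S; no ballot or code is involved."""
    return {c: sum(1 for col, _ in s_marks if col == c) for c in CANDIDATES}

def check_row(row, side, receipts, s_marks):
    """Open ONE side of an R row and compare its flag with the public data."""
    if side == "q":  # reveals ballot and code, not the candidate
        ballot, code = row["q"]
        return row["flag"] == (receipts.get(ballot) == code)
    return row["flag"] == (row["s"] in s_marks)  # reveals candidate, not ballot

def audit(R, receipts, s_marks, rng):
    """Challenge each row with a coin flip; True if every opened side agrees."""
    return all(check_row(r, rng.choice("qs"), receipts, s_marks) for r in R)

def demo():
    rng = random.Random(2009)
    P, R = build(6, rng)
    receipts, s_marks = {}, set()
    votes = ["Alice", "Bob", "Alice", "Alice", "Bob", "Alice"]  # constructed
    for ballot, cand in enumerate(votes):
        cast(P, R, receipts, s_marks, ballot, cand)
    return P, R, receipts, s_marks

if __name__ == "__main__":
    P, R, receipts, s_marks = demo()
    print(tally(s_marks), audit(R, receipts, s_marks, random.Random()))
```

In this model a mark moved from one candidate column to another is caught only when the coin opens the tally side of that row, so each altered vote has a one-in-two chance of detection per audit.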

------
mseebach
It says that the ballots have serial numbers. In any transparent election,
ballots are made public on request -- I think it was a TV station that did a
100% recount in Florida after 2000?

If I take home a ballot serial number, a vote-buyer would be able to look up
my ballot later and confirm my vote.

But as I understand it, vote buying barely registers as a source of fraud --
it's stuffing voter registration lists, keeping voters from going to the polls
and stuffing blank ballots.

