
Your vote counts (Cryptographic Voting System) - Hellcat
http://www.wombat-voting.com/
======
3pt14159
The way you do a voting system that works is by copying Canada's way. We don't
need computers in voting.

Step one: Public list of every single polling location.

Step two: Communication to the public that observers are freely admitted. Post
a notice that some extra women will be needed in some areas since some Muslim
female voters only identify themselves to women.

Step three: Public voters list that show who in the county is eligible to
vote.

Step four: Communicate the polling day well in advance. Hire people from the
local community to handle the actual taking of ballots.

Step five: Polling day. Starts off with every observer verifying that the
serial numbered ballot box is empty. This happens for every box. Person walks
in. Every observer increments the number of total people coming in. Person
identifies themselves at the registration table with government ID and as a
backup, utility bills or statements of note from public members for the
homeless (A priest could verify that a homeless person lives in the area, for
example. In some places the homeless do not even need to be verified), every
observer crosses that person off their own copy of the list. If the person is
a female Muslim, only women observers get to verify the identity of the voter.
The voter then gets a piece of paper with the options clearly printed in large
print and goes to a private place that has a poster that shows how to fill out
the ballot. The voter puts an X by the person they wish to vote for. Folds the
ballot and brings it to the ballot box. The observers see that the voter put
the vote in the ballot box. Once the box is full, it is sealed with a tape
that matches the serial number of the box and is left in open view to
observers until it is time to open them and count them.

It is now known that how many votes is in each box, how many people voted, and
the total number of votes for each candidate all with open access to Observers
from the public (but more usually, the political parties).

How fucking complicated is that? Paper, pens, ballots, observers meanwhile we
satisfy the only possible complaint (Covered Muslim women) while never ever
having allegations of ballot stuffing. The only allegation that comes every
now and then is the homeless vote, but it really doesn't matter in the grand
picture.

Do we have other problems? Sure, of course, yeah. But things like this:
<http://en.wikipedia.org/wiki/Robocall_scandal> happen everywhere and if the
public were more informed to our process then they wouldn't happen at all. You
can _always_ call elections Canada to verify a polling station relocation.

Keep computers out of voting. I want every vote counted by humans. Not just
paper ballot receipts held to check _in case of allegations of voter fraud_.
No. Observers and humans do the counting. I don't see the point of public
encrypted votes.

~~~
VMG
> I want every vote counted by humans.

Then you have to trust these humans to count accurately. Many people don't.

~~~
doc4t
I think we can safely assume that the number of votes inaccurately counted is
not statistically significant. In the cases where a tie is present a second or
even third count usually takes place.

I will trust this system of humans counting any day over a sum function in a
database implemented by a private company with their own agenda

~~~
planckscnst
> I will trust this system of humans counting any day over a sum function in a
> database implemented by a private company with their own agenda

How about over an open source one? I have occationally thought of starting a
kickstarter for an open-source voting system. It would be completely open-
even down to choosing an open-source processor, and completely and
transparently audited.

~~~
doc4t
The point is not open source code. You still have to place trust in the system
and the people executing it. While this is also true for a paper based manual-
counted system the later is so transparent to anyone that cheating becomes
very very difficult.

Source code will never be transparent to anyone but programmers.

------
Groxx
> _The checking algorithm can either pass or fail:

If the plain text does not match the cipher-text on the ballot printed in Step
2, the inconsistency is revealed and the voting machine is disqualified.

Otherwise, the ballot is consistent. The voter goes back to Step 2 to vote
with another ballot (because an audited ballot cannot be used for voting)._

So... how do you know that your _current_ vote was recorded correctly? If
auditing destroys your vote, then you have to go back and do it again,
trusting that _this time_ it will be correct. Since you'd have to go vote
again, I doubt very many people would actually audit the results, so you could
probably still sneak bad machines into the smaller and less techy areas of a
country.

edit:

> _A simple statistical calculation shows that very few audits (of about 1-2%
> of the votes) suffice for catching a cheating (or bogus) machine._

Seriously? You think 1-2% of voters will press the audit button and perform
their own side decryption process with a trusted device?

~~~
Hellcat
You verify the votes to ensure that the system is working correctly, Wombat
allows voters who suspect that the machine is not work correctly to audit, but
it is not necessary for voters to verify. It is sufficient that supervisors do
so occasionally and that having inspectors randomly audit about 1-2% of the
ballots is very reasonable.

~~~
Groxx
Because supervisors are never suspect. It's not the _machines_ people worry
about, it's the people programming and tending the machines. So to catch a
supervisor, you'd need 1-2% of voters to audit the machine... which I find
extremely unlikely to ever occur.

~~~
Hellcat
you seems to be confused about the role of a supervisor. It is the supervisor
that is supposed to make sure that the programmers and tenders did not do
something improper.

------
Kilimanjaro
One big problem with voting (as seen in the last couple of contested elections
(everywhere)) is that we mostly witness how people vote in big cities, leaving
small towns unattended, where most of the fraud occurs.

Fraudsters will leave big cities untouched so people's choice win by close
margin and therefore they can't complain about the voting system, inflating
ballots everywhere else, sometimes seeing statistically improbable 80% or 90%
votes favoring the surprisingly elected incumbent candidate.

Happens in both sides of the pond...

------
jd
I think that for voting to work well it has to be completely anonymous. So you
can vote the way you want and nobody can prove you voted for the wrong guy.

Otherwise your Friendly Neighborhood Thug can drop by the day before the
election and kindly ask everybody to vote B. He'll come back the day after the
election to check the receipts and punish those who didn't vote the right way.

~~~
Hellcat
Using Wombat you can't convince someone ELSE that you voted the way he wanted
you to vote, but you CAN convince yourself that your vote was counted! Wombat
also offer a verification mechanism, if the voter is unsatisfied that the
system actually counts correctly. What it does is it encrypts the vote and
then asks you if you want to verify that it was correct. If you do, it will
print the decrypt key onto the ballot, rendering the ballot unvotable (because
it can be decrypted), but you can then decrypt the encrypted text and see that
it matches the plaintext. You don't even need to trust the machine itself :)

------
tomjen3
It is not the voting system that needs to be changed -- counting and sorting
is an embarrassingly parallel problem -- it is the voter or at least the
distribution of votes. It is simply insane to give a homeless alcoholic the
same influence on how the country should be run as you give a chemistry
professor, a factory worker or a librarian.

~~~
xnxn
I challenge you (or any HN reader) to describe the implementation of a
function that would accept an individual and yield the weight their vote
should carry.

------
iamgopal
I wonder why no body had think of all year online secure voting season. Like,
GRE tests are taken, you are allowed to vote anytime you want and you will get
10 vote per season ( 4 year etc ). There will be public voting booth for
people who do not have internet access, rest all will use some security
protected website.

------
k33l0r
Reminds me of this TED talk by David Bismark from 2010: E-voting without fraud
([http://www.ted.com/talks/lang/en/david_bismark_e_voting_with...](http://www.ted.com/talks/lang/en/david_bismark_e_voting_without_fraud.html))

------
eof
I contacted them; but I don't see how I can implement this in my city.

I think the key to something like this ever taking off at the national level
is smaller progressive towns impelementing it locally and people eventually
demanding it.

~~~
Hellcat
Wombat was used is 2 different elections in Israel this year.

------
tzs
An earlier, similar system with similer goals:
<http://scantegrity.org/index.php>

------
BoppreH
Brazil has been using electronic voting machines since 1996. The ballots are
used for both local and national elections, and the 2005 disarmament
referendum.

You don't get any receipt to check later (aside from the one that proves you
voted, because voting is mandatory), and yet I don't remember the population
ever distrusting the electronic system.

TV covers the election with up-to-the-minute results as the ballots are
closed, and the winner is known on the same day, which is a nice plus.

------
my8bird
the big issue I see with this system is that the audit ballots are invalid.
this means the developer only has to ensure that the audit system works. they
can do whatever they want with the rest if the ballots since they can not be
audited

~~~
Hellcat
I'm glad you raised this question, because I'm sure most people will think
that. The fact is, that the system doesn't act any different in the 2 cases
(audit and real), in both cases it FIRST prints the encrypted vote (and now
the voter can actually see the his vote hanging out of the machine, but he
still can't touch it), and now it asks the voter if he would like to verify
(audit) or not (real), if he chooses to verify, the machine will print the key
to decrypt the encrypted text and then the voter can verify that what was
encrypted was really what he voted for. If he chooses not to verify, it will
print the cleartext (unencrypted). Notice that for the machine to "fool" the
voter it needs to predict when a voter will choose to verify or not in 100%
accuracy because if 1 voter finds that what was encrypted wasn't really his
choice, then the whole election is a shame and can be closed ignoring all
votes.

------
avirambm
So nice to see an IDC Herzlyia project in here.

