
Building Reliable Voting Machine Software (2007) [pdf] - agronaut
http://zesty.ca/pubs/yee-phd.pdf
======
brownbat
Very comprehensive discussion.

p39 correctly points out that post-election verifiability significantly
reduces the burden on the system. If you can later prove your vote was cast
correctly, it doesn't really matter if the system that correctly recorded your
vote has some theoretical flaw.

Verifiability could also prevent or reveal traditional attacks or miscounting,
like lost ballot boxes, hanging chads, misdelivered absentee ballots, or
simple hand counting errors. It could have a separate benefit of drastically
increasing trust in the system, preventing allegations of fraud by those who
simply want to undermine faith in democratic institutions (be they foreign
governments or sore losers).

The author quickly dismisses verifiability as a practical goal though, despite
its potential benefits, citing an old objection: verifiability enables vote
selling.

Since verifiability could lead to significant benefits, it's worth asking two
questions at this point: (1) might there be other ways to mitigate the risk of
vote selling under verifiability, and (2) does verifiability really increase
the risks of the status quo?

(1) Other Mitigations

Two possible mitigations immediately spring to mind; there are probably
others.

First, we could just make vote buying or vote extortion a serious federal
crime, where any whistleblower voter gets some portion of the fine, enough to
outweigh whatever they were offered. The new incentive would make these
attacks highly risky, as they'd have to involve an improbable number of close
confederates you can rely on, but who won't vote the way you recommend without
a bribe. This becomes basically impossible to scale.

As a second option, we could instead give voters a true receipt and a false
receipt. Voters could privately confirm their vote was cast correctly, but the
system would have deniability: the voter would be unable to prove it. Maybe
the true receipt holds a secret shared with the election commission that can
only be unsealed under credible allegations of outcome-altering
irregularities.

(2) Unclear New Risks

The argument against verifiability is that it would suddenly allow proof of
vote, and that creates the risks of extortion and selling.

Proof of vote is already trivial in the status quo though. Sure, there are
prohibitions on voting booth selfies, but if you had entered into a vote
buying cartel, you would easily be able to defeat these with a discreet photo
behind the curtain.

Mail-in absentee ballots allow one to fill in a ballot while being directly
observed by an attacker.

Despite these possibilities in the current system, there isn't significant
evidence that vote buying is a widespread problem, so the risk may be wildly
overstated anyway.

If it is not clear we're avoiding a new risk, and if verifiability could
dramatically increase the trust in the system, I think it's worth a harder
look than most voting security analysis gives it.

That said, this amounts to a quibble about one page in a significant piece of
research, which is still an admirable summary of the issues in secure voting
theory and design.

