Security Politics Technology

Maryland Town Tests New Cryptographic Voting System

ceswiedler writes "In Tuesday's election voters in Takoma Park, MD used a new cryptographic voting system designed by David Chaum with researchers from several universities including MIT and the University of Maryland. Voters use a special ink to mark their ballots, which reveals three-digit codes which they can later check against a website to verify their vote was tallied. Additionally, anyone can download election data from a Subversion repository and verify the overall accuracy of the results without seeing the actual choices of any individual voter."

  • by zn0k ( 1082797 ) on Wednesday November 04, 2009 @08:23PM (#29988572)

    "But voters can't be sure just by looking at their ballot image that the system interpreted the codes accurately to apply the vote to the correct candidate. That's where independent auditors come in."

    TFA to the rescue.

  • by nacturation ( 646836 ) * <nacturation AT gmail DOT com> on Wednesday November 04, 2009 @08:29PM (#29988656) Journal

    but does not provide them with any way to prove to anyone who they voted for.

    But can I check to make sure not just that my vote "was counted" but that my vote was for the right person?

    Yes:

    Voters make their selections on a paper ballot using special pens with ink designed by Chaum. When a voter fills in an oval on the ballot, the ink in the pen, which is similar to the yellow ink in highlighter pens, reacts with invisible ink in the oval and turns most of the oval black. At the same time, a unique three-letter code pre-printed on the ballot inside each oval is revealed to the voter.

    After making their choices, voters use a form to write down the serial number that is printed on their ballot as well as the three-digit codes inside the ovals they’ve chosen. The codes are generated cryptographically and are different on every ballot to prevent someone from deciphering the voter’s choices and engaging in vote-buying.

    So that's the "verify that it was recorded correctly" part. For the "verify it went to the right candidate part":

    Voters can also see, based on the three-letter codes, that the system seems to have recorded their selections accurately. But voters can’t be sure just by looking at their ballot image that the system interpreted the codes accurately to apply the vote to the correct candidate. That’s where independent auditors come in.

    Scantegrity uses a process called “zero knowledge” that allows skilled, independent auditors to verify that the codes result in votes going to the right candidates, without actually revealing an individual voter’s selections.

    I don't know how it works exactly, but I assume it's similar to a public/private keypair given that they describe it as a cryptographic mechanism. The interesting thing is that anyone can audit the election results to demonstrate that votes were counted accurately: https://scantegrity.org/svn/data/takoma-nov3-2009/PUBLIC/PUBLIC/ [scantegrity.org]

  • Re:Web Logs? (Score:3, Informative)

    by swillden ( 191260 ) <shawn-ds@willden.org> on Wednesday November 04, 2009 @08:39PM (#29988754) Journal

    One would hope there are no web logs kept, because simply checking your ballot would reveal your identity, and someone is sure to wrangle a subpoena for that.

    Reveal your identity and.... what? The ballot you check on-line just has some random letters on it that should match what you wrote down in the voting booth. It says nothing about who you voted for. So if someone identifies you from the web log, all they've verified is that (a) you voted and (b) you verified your ballot.

  • by swillden ( 191260 ) <shawn-ds@willden.org> on Wednesday November 04, 2009 @08:50PM (#29988904) Journal

    How exactly do we verify that the choices we didn't pick on the form don't have the same set of verification characters as the candidate we did choose?

    That's handled by pre-election auditing. There's more information on how at http://scantegrity.org./ [scantegrity.org.]

    Or, go straight to the research paper at http://www.scantegrity.org/papers/ScantegrityII-EVT.pdf [scantegrity.org]

  • Re:Cost of printing? (Score:4, Informative)

    by Areyoukiddingme ( 1289470 ) on Wednesday November 04, 2009 @08:54PM (#29988954)

    The printing of ballots in most jurisdictions already falls under the category of "custom" printing. Ballots are unique every election (despite an enormous preponderance of re-elected incumbents). Ballots can vary from precinct to precinct to the extent that, in theory, no two precincts are alike, because of differing jurisdictions (different counties, different cities, different municipalities of various flavors). That combined with the relatively low number of copies made for any particular precinct means that the cost of printing each one uniquely isn't different. The printing won't be done by high-speed high-volume expensive-setup full-color color-separated presses anyway. It'll be done by laser printer or thermal printer or such.

  • by swillden ( 191260 ) <shawn-ds@willden.org> on Wednesday November 04, 2009 @08:58PM (#29989000) Journal

    I'm far more concerned about phantom votes being counted than real votes not being counted.

    Both are real issues. There are plenty of examples of ballot boxes getting "lost", so those are real problems. Dead people voting, multiple votes, systematic exclusion of voters (not losing their ballots, but preventing them from voting), all of these things are problems.

    This system doesn't solve all of those other problems, but it does solve the problem of votes getting lost, altered or counted incorrectly. And it does it in a mathematically-provable fashion.

    See the paper [scantegrity.org].

  • Re:Web Logs? (Score:3, Informative)

    by swillden ( 191260 ) <shawn-ds@willden.org> on Wednesday November 04, 2009 @09:06PM (#29989094) Journal

    But the whole system wouldn't work at all if there was not a linkage between your three letters and the Candidate's name SOMEWHERE.

    Incorrect. Those letters have nothing to do with your vote selection, they're just an integrity check.

    Again, read the paper [scantegrity.org].

  • Re:Web Logs? (Score:2, Informative)

    by RoFLKOPTr ( 1294290 ) on Wednesday November 04, 2009 @09:18PM (#29989196)

    But the whole system wouldn't work at all if there was not a linkage between your three letters and the Candidate's name SOMEWHERE.

    Incorrect. Those letters have nothing to do with your vote selection, they're just an integrity check.

    Again, read the paper [scantegrity.org].

    Read what he's saying. I have ballot 24664971 in my hand. I download apache.log and find the IP address of the person who accessed votecheck.net/check?ballot=24664971 and I trace that back to you. I now know who you voted for. It has nothing to do with the three-digit numbers.

    Now, in my opinion, that's not a big deal, but I thought I'd explain it to you anyway.

  • by bill_mcgonigle ( 4333 ) * on Wednesday November 04, 2009 @09:30PM (#29989364) Homepage Journal

    I have this novel idea that we should follow the KISS principle. Take a piece of paper. Circle your guy. Toss it into a box. Count the ballots by hand. Keep. It. Simple.

    That's how my town does it - each volunteer counts 100-200 ballots. It's not a hard ratio to achieve in any way. On average, each citizen would only have to volunteer once per hundred elections, not bad.

    It is, however, second best. There's no stopping an organized gang from switching out the ballot box like Chaum's system does.

    Still, on a cost/benefit basis there's a lot going to KISS.

    Now, can I start a flamewar about our system being inferior to Condorcet methods, please?
     

  • by vilhuber ( 246952 ) on Wednesday November 04, 2009 @09:43PM (#29989508)

    Not sure I'm reading you properly, but this system allows you to verify your vote was COUNTED, nothing more. You can't show or prove to anyone HOW you voted, just that you did and that your vote is in the tally AS CAST.

    This is huge. I've been waiting for Chaum's election stuff to actually be used for quite some time now. I'm hugely excited.

  • by Mr2001 ( 90979 ) on Wednesday November 04, 2009 @10:58PM (#29990122) Homepage Journal

    Not sure I'm reading you properly, but this system allows you to verify your vote was COUNTED, nothing more. You can't show or prove to anyone HOW you voted, just that you did and that your vote is in the tally AS CAST.

    Er, unless I'm missing something, it's still possible to prove to someone how you voted. You just need to take a picture of your ballot, showing that the code "JX" is in the bubble next to "John Smith" -- this is pretty easy if you're voting absentee, or if you aren't frisked and metal-detected on your way into the voting booth. When the local thug comes around to verify your vote, you show him the picture and your ballot ID, and then he goes online to make sure that your ballot ID and your "JX" vote are in the system.

  • by xant ( 99438 ) on Wednesday November 04, 2009 @11:39PM (#29990494) Homepage

    I don't see a single thing in this system that would prevent vote buying. You get a receipt with your choices on it, encoded in some form, yes? You can then go to a website, and enter codes, to see who you voted for, yes? True, only the individual voter (or someone possessing the receipt) can do this.. but that doesn't matter a damn to a vote buyer. Why? Because, as this system's designers seem to have forgotten, the voter is complicit in vote buying. The voter gets money for turning over his receipt and secret knowledge, whatever that may be, to the person who wants a verified vote for his candidate.

  • by dch24 ( 904899 ) on Thursday November 05, 2009 @12:28AM (#29990842) Journal

    There is no way to connect your codes on your receipt (two letters each) with the name of the candidate. Every ballot uses different codes.

    The website only shows you: serial number 1234567 voted for these codes: two-letters two-letters two-letters, etc.
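
The comments above by swillden and dch24 describe per-ballot codes, the online lookup and the pre-election audit. The following is an added example, not part of the thread and not Scantegrity's protocol or code: a simplified Python model in which a salted SHA-256 hash stands in for the real commitment scheme, and the candidate names, serial numbers and function names are constructed for illustration. It leaves out the tally proof entirely.

```python
import hashlib
import secrets
import string

CANDIDATES = ["Alice", "Bob", "Carol"]  # constructed sample contest

def new_ballot(serial):
    """Give every candidate a distinct random code, drawn fresh for each ballot."""
    codes = []
    while len(codes) < len(CANDIDATES):
        code = "".join(secrets.choice(string.ascii_uppercase) for _ in range(3))
        if code not in codes:
            codes.append(code)
    return {"serial": serial, "table": dict(zip(CANDIDATES, codes)),
            "salt": secrets.token_hex(16)}

def commitment(ballot):
    """Salted hash of the code table, published before any votes are cast."""
    rows = ",".join(f"{name}={code}" for name, code in sorted(ballot["table"].items()))
    data = f"{ballot['salt']}|{ballot['serial']}|{rows}"
    return hashlib.sha256(data.encode()).hexdigest()

def audit_opened_ballot(ballot, published):
    """Pre-election audit: an opened (then discarded) ballot must match its
    commitment and must not reuse a code across candidates."""
    codes = list(ballot["table"].values())
    return (commitment(ballot) == published[ballot["serial"]]
            and len(set(codes)) == len(codes))

def cast(ballot, choice):
    """Marking an oval reveals one code; (serial, code) is receipt and public record."""
    return ballot["serial"], ballot["table"][choice]

def voter_check(board, receipt):
    """What the website lookup amounts to: does the posted code match my receipt?"""
    serial, code = receipt
    return board.get(serial) == code

def demo():
    ballots = {s: new_ballot(s) for s in (1001, 1002, 1003, 1004)}
    published = {s: commitment(b) for s, b in ballots.items()}
    audited = all(audit_opened_ballot(ballots[s], published) for s in (1002, 1004))
    receipt = cast(ballots[1001], "Bob")
    board = dict([receipt, cast(ballots[1003], "Alice")])
    intact = voter_check(board, receipt)
    board[1001] = ballots[1001]["table"]["Carol"]  # simulated switch of the recorded mark
    return audited, intact, voter_check(board, receipt)
```

`demo()` returns `(True, True, False)`: the audited ballots pass, the voter's receipt matches the public record, and the same check fails once the recorded code is switched to another candidate's.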
  • by Mr2001 ( 90979 ) on Thursday November 05, 2009 @01:14AM (#29991160) Homepage Journal

    But it doesn't scale, imho. Everybody voting absentee in a district? Red flag.

    In the state where I live, 37 of the 39 counties have nothing but absentee voting. You can go to the election office to drop off your ballot, but everyone gets a ballot weeks in advance.

    On the other hand, that means we've already conceded the battle against this sort of voter intimidation/bribery. The thug can just watch you fill out the ballot. Hasn't been a problem in practice, though... yet.

    Digital camera in the booth too often? (Some people are savvy enough to turn off the sounds, and some people are savvy enough to hide their camera. But most people are not.) Red flag. Game over.

    I don't know about your camera, but mine is cleverly hidden inside my cell phone. Doesn't take much savvy to get one of those, and before long, almost everyone will have a 3+ megapixel camera in their pocket -- if we're not there already.

  • by WaywardGeek ( 1480513 ) on Thursday November 05, 2009 @10:43AM (#29994688) Journal

    Ok, so this system proves that your vote reached the tally server, but how does it prove that your vote is actually in the total?

    Good question. They use "zero knowledge" proofs: [wikipedia.org]

    "Scantegrity uses a process called “zero knowledge” that allows skilled, independent auditors to verify that the codes result in votes going to the right candidates, without actually revealing an individual voter’s selections."

    It's super-cool stuff every slashdot geek needs to know. So, this allows us to ensure our vote was counted without enabling us to sell our votes. Very cool! However, it's still not fool-proof. A friend of a friend of mine has gotten so worked up over an election that she went to the polls early, and often, and voted for her whole extended family. Without requiring photo-IDs, it's really easy to do. Ever show up to a poll and see your name has already been crossed off?
