Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
Security Politics Technology

Maryland Town Tests New Cryptographic Voting System 227

Posted by samzenpus
from the super-safe-voting dept.
ceswiedler writes "In Tuesday's election voters in Takoma Park, MD used a new cryptographic voting system designed by David Chaum with researchers from several universities including MIT and the University of Maryland. Voters use a special ink to mark their ballots, which reveals three-digit codes which they can later check against a website to verify their vote was tallied. Additionally, anyone can download election data from a Subversion repository and verify the overall accuracy of the results without seeing the actual choices of any individual voter."
This discussion has been archived. No new comments can be posted.

Maryland Town Tests New Cryptographic Voting System

Comments Filter:
  • by Anonymous Coward

    All that really matters after reading TFA:

    Chaum says he hasn’t decided on a cost yet for jurisdictions who will license it after the initial adopter but says he can easily sell it for half the cost of current optical-scan voting systems, which run about $6,000 apiece.

    Very good stuff. I would just avoid using the word "subversion" when talking about it. You know, because of its double meaning

  • Cost of printing? (Score:3, Interesting)

    by dgatwood (11270) on Wednesday November 04, 2009 @07:09PM (#29988410) Journal

    Maybe I'm missing something, but for this to be truly secure against the problem of being able to see who somebody else voted for, you would have to have a distinct set of three-digit codes for every ballot, or at least such a large number of distinct ballots that no person could practically conspire with a few other people to figure out that XWP in the third field means Hillary Clinton. Wouldn't printing each ballot individually result in a tremendous cost compared with traditional ballot printing? I'm just trying to understand how this could be feasible on a large scale....

    • by Fry-kun (619632)

      Each ballot has a unique ID number to start off with, so they have that system in place already.
      They just need to add printing a unique cryptographic IDs with special ink to the process - might not even require a 3rd reprint

    • Re:Cost of printing? (Score:4, Informative)

      by Areyoukiddingme (1289470) on Wednesday November 04, 2009 @07:54PM (#29988954)

      The printing of ballots in most jurisdictions already falls under the category of "custom" printing. Ballots are unique every election (despite an enormous preponderance of re-elected incumbents). Ballots can vary from precinct to precinct to the extent that, in theory, no two precincts are alike, because of differing jurisdictions (different counties, different cities, different municipalities of various flavors). That combined with the relatively low number of copies made for any particular precinct means that the cost of printing each one uniquely isn't different. The printing won't be done by high-speed high-volume expensive-setup full-color color-separated presses anyway. It'll be done by laser printer or thermal printer or such.

    • by jd (1658)

      It depends on what the three digit code represents. It's too short to be a hash and since the ballot isn't printed by a computer, it can't be any form of error-correction or tamper-proofing code. And although there's not going to be 1000 candidates in a given district, there's probably going to be in the hundreds in some cases, so there's a limit to the number of codes that could equal an individual.

      Personally, I'd have gone for a 5 or 6 digit code. I'd also have the ballot papers printed by an electronic v

  • Before one of the current election systems players sues them for being all mean and competitive, after the fashion of TDS?
    • by jd (1658)

      I doubt they'd sue. Not effective. Much better to bribe the elected officials. Proven technique and all that.

  • by swillden (191260) <shawn-ds@willden.org> on Wednesday November 04, 2009 @07:13PM (#29988454) Homepage Journal

    It does what many people would have said is impossible: It allows voters to verify that their votes were cast and counted correctly, but does not provide them with any way to prove to anyone who they voted for. An audit trail, without opening the door to coercion. This is a major improvement over traditional voting technologies.

    • but does not provide them with any way to prove to anyone who they voted for.

      But can I check to make sure not just that my vote "was counted" but that my vote was for the right person?

      • by zn0k (1082797) on Wednesday November 04, 2009 @07:23PM (#29988572)

        "But voters can't be sure just by looking at their ballot image that the system interpreted the codes accurately to apply the vote to the correct candidate. That's where independent auditors come in."

        TFA to the rescue.

      • by gd2shoe (747932)

        but does not provide them with any way to prove to anyone who they voted for.

        But can I check to make sure not just that my vote "was counted" but that my vote was for the right person?

        You can verify that your vote was received correctly. This still doesn't tell you that your vote winds up in the final tally. There's an important distinction there.

        • Who the heck cares? My State already has this "check your vote online" deal, and I didn't even bother to look it up when I got home. I don't honestly believe that if my choice McCain had won, anything would be any better. So what's it matter whether my vote was counted or not.

          I have this novel idea that we should follow the KISS principle. Take a piece of paper. Circle your guy. Toss it into a box. Count the ballots by hand. Keep. It. Simple.

          • by gd2shoe (747932)

            I don't honestly believe that if my choice McCain had won, anything would be any better. So what's it matter whether my vote was counted or not.

            This is a major problem, but it is a separate issue. We can't have a healthy democracy without solving both of them. You can't tell me which needs to be solved first.

            • Hear hear!

              I believe FPTP is killing our political system by making it a constantly devolving lesser-of-two-evils non-choice.

              Getting a well-working computerized voting system is a first step to implementing something more sensible than First Past The Post.

              1. implement computerized voting
              2. switch to a Condorcet or preference voting system from FPTP, thus truly enfranchising the electorate
              3. ...
              4. Profit?
          • Re: (Score:3, Informative)

            by bill_mcgonigle (4333) *

            I have this novel idea that we should follow the KISS principle. Take a piece of paper. Circle your guy. Toss it into a box. Count the ballots by hand. Keep. It. Simple.

            That's how my town does it - each volunteer counts 100-200 ballots. It's not a hard ratio to achieve in any way. On average, each citizen would only have to volunteer once per hundred elections, not bad.

            It is, however, second best. There's no stopping an organized gang from switching out the ballot box like Chaum's system does.

            Still, on a

            • by gd2shoe (747932)

              Now, can I start a flamewar about our system being inferior to Condorcet methods, please?

              You have my vote. ;)

              Just about anything is better than first-past-the-post. I'm partial to the Condorcet Principle, but every time I bring it up, I either get blank stares, or get slapped with Arrows Theorem.

              • Re: (Score:3, Insightful)

                by bill_mcgonigle (4333) *

                Arrows Theorem.

                thanks for the pointer. If the Wikipedia article is correct, the big problem seems to be his requirement that any sub-set of elections should turn out the same as the whole election if considered separately. I'm not sure that's a sensible expectation in a real election.

            • by jd (1658)

              I'm going to argue that for electing Senators, they'd do better by doubling the size of the Senate and allowing both first- and second-place candidates a seat with voting power equal to their percentage in the election.

              (That way, a person who wins 50.1% of the vote has 50.1% of a vote. Proportional representation that's proportional.)

              It's not KISS, it would be a bugbear to administer, but it would stop a lot of the razor-edge fiascos we've seen in past elections. Winning an extra few votes wouldn't win you

              • Interesting! Walter E. Williams has calculated that the US Congress should be up to about 3500 people by now, proportional to historical judgement about how many people a legislator can represent (this has anti-corruption themes behind it).

      • by nacturation (646836) * <`moc.liamg' `ta' `noitarutcan'> on Wednesday November 04, 2009 @07:29PM (#29988656) Journal

        but does not provide them with any way to prove to anyone who they voted for.

        But can I check to make sure not just that my vote "was counted" but that my vote was for the right person?

        Yes:

        Voters make their selections on a paper ballot using special pens with ink designed by Chaum. When a voter fills in an oval on the ballot, the ink in the pen, which is similar to the yellow ink in highlighter pens, reacts with invisible ink in the oval and turns most of the oval black. At the same time, a unique three-letter code pre-printed on the ballot inside each oval is revealed to the voter.

        After making their choices, voters use a form to write down the serial number that is printed on their ballot as well as the three-digit codes inside the ovals they’ve chosen. The codes are generated cryptographically and are different on every ballot to prevent someone from deciphering the voter’s choices and engaging in vote-buying.

        So that's the "verify that it was recorded correctly" part. For the "verify it went to the right candidate part":

        Voters can also see, based on the three-letter codes, that the system seems to have recorded their selections accurately. But voters can’t be sure just by looking at their ballot image that the system interpreted the codes accurately to apply the vote to the correct candidate. That’s where independent auditors come in.

        Scantegrity uses a process called “zero knowledge” that allows skilled, independent auditors to verify that the codes result in votes going to the right candidates, without actually revealing an individual voter’s selections.

        I don't know how it works exactly, but I assume it's similar to a public/private keypair given that they describe it as a cryptographic mechanism. The interesting thing is that anyone can audit the election results to demonstrate that votes were counted accurately: https://scantegrity.org/svn/data/takoma-nov3-2009/PUBLIC/PUBLIC/ [scantegrity.org]

    • by Judinous (1093945)
      How exactly do we verify that the choices we didn't pick on the form don't have the same set of verification characters as the candidate we did choose? It appears as though we can only see the code for a candidate if we reveal it with the invisible ink; checking the others would ruin the form. I think that these verification characters should be readily visible with or without the invisible ink applied. Otherwise, it would still be possible to fudge with the system and change the vote count while passin
      • Re: (Score:3, Informative)

        by swillden (191260)

        How exactly do we verify that the choices we didn't pick on the form don't have the same set of verification characters as the candidate we did choose?

        That's handled by pre-election auditing. There's more information on how at http://scantegrity.org./ [scantegrity.org.]

        Or, go straight to the research paper at http://www.scantegrity.org/papers/ScantegrityII-EVT.pdf [scantegrity.org]

      • It appears as though we can only see the code for a candidate if we reveal it with the invisible ink; checking the others would ruin the form.

        Lobby your legislators to switch your jurisdiction to approval voting [wikipedia.org]. This system allows voters to sort candidates into two bins: desirable and undesirable. Once your jurisdiction uses approval voting, you can mark two candidates that you'd be happy with (e.g. a Democrat and a Green, or a Libertarian and a Conservative), and both votes will be counted.

    • by dgatwood (11270)

      But the practical implementation could provide a way to prove that they voted for someone. My cynical suspicion is that by the second or third election, they'll use mass-produced ballots ballots that only have three or four different sets of codes on them to reduce the cost of ballot printing. And no one will be the wiser except for the people exploiting it. Where this system fails is in proving that the codes are truly unique. The only way you can guarantee that is if instead of using fixed printed cod

      • by swillden (191260)

        But the practical implementation could provide a way to prove that they voted for someone. My cynical suspicion is that by the second or third election, they'll use mass-produced ballots ballots that only have three or four different sets of codes on them to reduce the cost of ballot printing.

        See section 4.9 of the paper [scantegrity.org] (actually, read the whole thing). Auditing is done both by candidates and by independent auditors.

    • by arose (644256)

      It does what many people would have said is impossible: It allows voters to verify that their votes were cast and counted correctly, but does not provide them with any way to prove to anyone who they voted for.

      No, apparently it's only "skilled auditors" who can verify things. And voters can prove who they voted for to anyone who has access to the ballots post election.

    • yeah, one problem: the moment you enter that code, you are giving up personal information that can be tracked to you, individually. Don't forget, an IP address is traceable. Private citizens may not know how you vote, but data correlation means the voting authority may.

    • by jd (1658)

      It is cool. I proposed something similar, albeit electronic voting, in the past on Slashdot but I'm thinking their approach has many advantages - not least that it reduces the number of attack vectors.

      A three digit code is probably adequate, but I'd have probably opted for a longer value. It depends on how the code is used and what it represents. I'm assuming it represents a given candidate, as you're unlikely to have more than 1000 candidates for a given district but will likely have more than 1000 voters

    • by BitZtream (692029)

      Of course with a little help from your local ISP, they can see who is viewing what ballots, tie that to an IP and an IP to a home or in some cases a specific user.

      They haven't really done what others said was impossible, but the process requires enough different organizations to be involved in the fraud to be an improvement over the existing methods since they added another layer to the process.

      You want to have it so no one holds all the data so correlations can't be made without everyone being in on it, wh

  • ... obviously it is DRE (700), serial number 34491. [youtube.com]

    Let's hope that this new system prevents premature revelation of election results... [youtube.com]
  • The image in wired.com shows a two letter code "JX" appearing in the oval. The article mentions "three digit" codes. Nice.
  • I like where they are going with several of these things, but why go with paper and magic markers? Why not use the same exact concept, only put it on a computer, print out a receipt with the codes and serial number, and go from there? It seems like a no brainer. Not only does it reduce overhead in terms of manpower, but it also reduces the amount of paper wasted, the cost of these "special markers", etc.
    • Re: (Score:3, Insightful)

      by icebike (68054)

      The objection to receipts is that receipts that show voting choices can be used for Vote buying.

      If we stick to codes, vote buying is not so easy.
      You'd need a crib sheet as well.

      But all you know is that your vote entered this machine, not that it was tallied by Deep Thought at election central.

       

  • On Tuesday voters in Takoma Park, Maryland, got to try out a new, transparent voting system that lets voters go online to verify that their ballots got counted in the final tally.

    Scantegrity uses a process called “zero knowledge” that allows skilled, independent auditors to verify that the codes result in votes going to the right candidates, without actually revealing an individual voter’s selections.

    Transparency fail.

    • Scantegrity uses a process called "zero knowledge" that allows skilled, independent auditors ...

      Looks to me like yet another example of how mainstream reporters lack basic knowledge of the topics they're reporting on. Based on the description of the system, it sounds like the process is actually called a zero-knowledge proof [wikipedia.org], which allows you to verify certain properties of data without actually seeing the data. And the whole point of ZKPs is that you don't need skill or a specially-designated auditor set to verify the data.

      Looks like "Kim Zetter" was in over her head and couldn't even keep track of

  • Web Logs? (Score:4, Insightful)

    by icebike (68054) on Wednesday November 04, 2009 @07:28PM (#29988632)

    Quoting TFA

    "When polls close, voters can go to the election office website, type in their ballot serial number and see a rendition of a ballot, showing the three-digit codes for their votes. This way voters can be assured that their ballot was included in the final tally."

    One would hope there are no web logs kept, because simply checking your ballot would reveal your identity, and someone is sure to wrangle a subpoena for that.

    • Re: (Score:3, Informative)

      by swillden (191260)

      One would hope there are no web logs kept, because simply checking your ballot would reveal your identity, and someone is sure to wrangle a subpoena for that.

      Reveal your identity and.... what? The ballot you check on-line just has some random letters on it that should match what you wrote down in the voting booth. It says nothing about who you voted for. So if someone identifies you from the web log, all they've verified is that (a) you voted and (b) you verified your ballot.

      • Re: (Score:3, Insightful)

        by arose (644256)
        And if they have access to the actual ballots, who you voted for. A non-transparent system with a way to match voters with their votes that has been "verified to be secure by the brightest minds at MIT". Every dictators wet dream.
        • by jcochran (309950)

          And if they have access to the actual ballots, who you voted for. A non-transparent system with a way to match voters with their votes that has been "verified to be secure by the brightest minds at MIT". Every dictators wet dream.

          So? Seems to me that the proper countermeasure if you want to verify your vote and keep someone who has access to your ballot from determining who your voted for is quite simple:

          Go home. Select N random serial numbers. I am assuming the ballot serial numbers are not random, but wel

          • by arose (644256)

            Go home. Select N random serial numbers. I am assuming the ballot serial numbers are not random, but well known. Add your ballot serial number to the list. Shuffle the list. Request the read out from all the serial numbers you have. And N doesn't have to be very large. I'm thinking somewhere between 10 and 20 would work.

            Really depends on ballot distribution. Looking up a vote from a location you didn't vote at will do nothing to increase anonymity.

          • Re:Web Logs? (Score:4, Interesting)

            by BasilBrush (643681) on Wednesday November 04, 2009 @08:43PM (#29989506)

            Even simpler. Have the system display ranges of ballot numbers and codes, not just single ones. If I have serial number 12345 and I click on a link to examine papers 12300-12399, the eavesdropper doesn't know which of the 100 ballots displayed I checked.

      • by icebike (68054)

        Clearly you understand the SOMEONE knows exactly which candidate those letters on your specific ballot refer to?

  • by fremen (33537) on Wednesday November 04, 2009 @07:29PM (#29988648)

    This system assumes three things:

    • Everyone participates - voters have to validate their vote afterward to make sure it's still correct.
    • Everyone is perfect - people who incorrectly cast their vote will always suspect fraud, calling the entire election into question.
    • Everyone is sane - individual voters do not lie about about their vote to game the system, cast doubt on the election, etc.
    • by CannonballHead (842625) on Wednesday November 04, 2009 @07:31PM (#29988678)
      With perfect, sane, always-participating people, who needs a government? ;)
    • by swillden (191260) <shawn-ds@willden.org> on Wednesday November 04, 2009 @07:46PM (#29988856) Homepage Journal

      This system assumes three things:

      • Everyone participates - voters have to validate their vote afterward to make sure it's still correct.

      Per TFA, only about 5% of participants have to validate their vote afterward to assure the election's integrity to within normal margins. Also, exit polls in the Maryland town showed that about 30% of voters copied down their validation info. If a third of them bother to go online to check their ballots, that will be double the required participation.

      Everyone is perfect - people who incorrectly cast their vote will always suspect fraud, calling the entire election into question.

      Individuals will always have suspicions, but unless there is a widespread pattern of "errors", rational voters will be able to have greater confidence than they do in any other system. Unlike any other system, this one actually provide a way where lost or altered ballots have a chance of being discovered.

      Everyone is sane - individual voters do not lie about about their vote to game the system, cast doubt on the election, etc.

      Again, isolated cases will occur, but that happens regardless. In the absence of significant numbers of reports from generally honest and reliable people, then we'll have more confidence in the accuracy of the vote than any other system can provide.

      Basically, your objections boil down to "Nothing is perfect". Well, duh. But it doesn't have to be perfect, it just has to be better. And it is.

    • by rm999 (775449)

      The system doesn't assume "everyone" does anything. Statistically, only a small sample is necessary.
      FTFA: "People who don't want to do it or don't care can completely ignore it," Chaum said. "We only need 3 to 5 percent of people to verify their votes [to make it effective], depending on how close the contest is. If it becomes close, then you need a larger percentage to get the same level of confidence."

    • by Strilanc (1077197)

      Not everyone has to verify their vote. An attacker will have to throw away a large number of ballots in order to sway an election. If each voter has a 5% probability of checking their vote and only 100 votes are thrown away, the probability that the attacker is at least detected is greater than 99%.

      There's also no need for perfection. The number of reports will be higher when the election is attacked. Apply basic statistics to figure out how likely it is the election was stolen instead of just people making

  • A quick surfing of the Scantegrity Wikipedia article [wikipedia.org] and the links above didn't definitively answer an interesting (to me) question: can it be applied to a ranked voting system such as IRV [wikipedia.org] or Condorcet [wikipedia.org]?

    The offhand solution would be to use Scantegrity's technology with a matrix of bubbles for ranks vs. candidates. Anyone familiar with this work know whether this has been addressed? I skimmed through the IEEE article as well, and found no mention of any ranked voting systems.

  • by AHuxley (892839) on Wednesday November 04, 2009 @08:27PM (#29989328) Homepage Journal
    Have paper and select who you like, drop into a sealed box.
    Election workers keep eyes open. At the end of the day reps of all the people involved stand around in a open room and count.
    Takes time, expensive, but hard to fake.
    If you cannot make it, postal or an election worker comes to you.
    As for digital, open source, simple and all parties can see the unit, code.
    On the day you press and its collected at a central point.
    Instant and the press love it.
    The problem with the above is no room for profit or stuffing.
    Your part of the world has to have been so corrupt, at war or new to democracy to get it working.
    In the US you are told its so open free and fair and transparent every day.
    Is it? Why are AMT sellers making the closed source units? With cable pundits and talking heads screaming at you "they are used in banks, its fine", dont mind the party political rants by the owner.
    Enigma, cryptoAG ect all gave perfect service on the day.
    In Capitalist West a nice man owns the IP to your vote.
    In Soviet Russia a nice gov owns the IP to your vote.
    In both parts of the world, you have a right to vote.
    As Stalin said "It's not the people who vote that count. It's the people who count the votes."
    The end count is the elephant in the room, not just the cute open source, optical-scan $x,000 input device.
    • http://openvotingconsortium.org/ [openvotingconsortium.org]

      Please support.

    • by BitZtream (692029)

      Open source voting software isn't really going to help.

      You can see the open source software is safe.

      You can't see what the binaries or even hardware on the system is doing. You can't verify that its running the code you see. You can't even copy it off the system and be sure you're looking at what was running rather than a copy put there just in case you try to copy it off.

  • creepy (Score:2, Insightful)

    by goga_russian (544604)
    so they are saying that my forum captcha and craigslist copy and paste is more secure then the vote verification thing?
  • by R2.0 (532027) on Wednesday November 04, 2009 @09:01PM (#29989692)

    This is the place they like to call the "Berkeley of the East". It's so liberal it's almost a parody. I think the MD Democratic Party keeps it around as a pure strain in a petri dish so that they can pretend they are also liberal.

    It also means that if Takoma Park thinks it's a good idea, everyone else in MD will think it's a joke and ignore it.

  • by wfstanle (1188751) on Wednesday November 04, 2009 @10:16PM (#29990288)

    I have real doubts about allowing voters to check how they voted AFTER they leave the polling place. By allowing a voter a way to verify how he voted you open the door to all sorts of abuses. A voter could sell his vote and the buyer could have a way to check he indeed did vote the way the buyer wanted. Another abuse is employers threatening his employees with firing if he did not vote the way the employer wanted.

    The problems might be overcome if the voter would have to visit the election clerks office and prove his identity and was also alone when he viewed the way he voted.

  • by xant (99438) on Wednesday November 04, 2009 @10:39PM (#29990494) Homepage

    I don't see a single thing in this system that would prevent vote buying. You get a receipt with your choices on it, encoded in some form, yes? You can then go to a website, and enter codes, to see who you voted for, yes? True, only the individual voter (or someone possessing the receipt) can do this.. but that doesn't matter a damn to a vote buyer. Why? Because, as this system's designers seem to have forgotten, the voter is complicit in vote buying. The voter gets money for turning over his receipt and secret knowledge, whatever that may be, to the person who wants a verified vote for his candidate.

  • by Casandro (751346) on Thursday November 05, 2009 @01:15AM (#29991542)

    It completely misses the point. The point is not that a system is "impossible" to manipulate. The point is that _every_ voter has the ability to check the vote.

    Just compare it with the pen and paper based system. Everybody can understand it. You have a box which must be empty when they start voting. And people come in, get a piece of paper each, fill it out in private fold it and throw it into the box. At the same time his name gets crossed out on a list. Now everybody can check this fairly easily.

    Now let's look at whatever machine-based system you've got. You've got this machine, either mechanical or electronical. You usually cannot look inside of it. You cannot tell if the levers are labelled correctly or if the firmware is really what it's supposed to be. Even if you have sourcecode that's completely unusable for the 90% of people who cannot read code. Relying on others is not an option as the others could be against you. Just imagine a party forming beeing against computers, which programmer would help them?

All the simple programs have been written.

Working...