voting, KISS, etc.

Perry E. Metzger perry at piermont.com
Fri Apr 9 12:46:47 EDT 2004


I think that those that advocate cryptographic protocols to ensure
voting security miss the point entirely.

They start with the assumption that something is "broken" about the
current voting system. I contend it is just fine.

For example, it takes a long time to count pieces of paper compared
with bits. However, there is no actual need for speed in reporting
election results. This is not a stock exchange -- another election
will not be held the next day, and the number of elections being held
will not rise 8% per quarter. If it takes a day or even several days
to get an accurate count, no one will be hurt. The desire of
television networks to report the results in ten minutes is not
connected to the need for a democracy to have widespread confidence in
the election results. Speed is not a requirement. As it is, however,
automated counts of paper ballots are plenty fast enough already.

It also is seemingly "behind the times" to use paper and such to hold
an election when computers are available -- but the goal is not to seem
"modern" -- it is to hold a fair election with accurately reported
results that can be easily audited both before, during and after the
fact.

It seems to some to be "easier" to vote using an electronic
screen. Perhaps, perhaps not. My mother would not find an electronic
screen "easier" at all, but let's ignore that issue. Whether or not the
vote is entered on a screen, the fact that paper ballots can be
counted both mechanically (for speed) and by hand (as an audit
measure), where purely electronic systems lack any mechanism for
after-the-fact audit or recount, leads one to conclude that old-
fashioned paper seems like a good idea, and if it is not to be marked
by hand, then at least let it be marked by the computer entry device.

It is also seemingly "better" to have a system where a complex
cryptographic protocol "secures" the results -- but the truth is that
it is more important that a system be obvious, simple and secure even
to relatively uneducated members of society, and the marginal security
produced by such systems over one in which physical paper ballots are
generated is not obvious or significant.

(The marginal security issue is significant. Consider that simple
mechanisms can render the amount of fraud possible in the "old
fashioned" system significantly smaller than the number of miscast
votes caused by voter mistakes, but that no technology can eliminate
voter mistakes. Then ask why a fully electronic "fraudless" system
understandable to a minuscule fraction of the population but where
miscast votes continue to occur -- and possibly to be inaccurately
perceived as evidence of fraud -- would be superior.)

To those that don't understand the "understandable to even those who
are not especially educated" problem, consider for a moment that many
people will not care what your claims are about the safety of the
system if they think fraud occurred, even if you hand them a
mathematical proof of the system. I suspect, by the way, that they'll
be right, because the proofs don't cover all the mechanisms by which
fraud can occur, including "graveyard" voting.

We tamper with the current system at our peril. Most security
mechanisms evolve over time to adjust to the threats that happen in
the real world. The "protocols" embedded in modern election laws,
like having poll watchers from opposing sides, etc., come from
hundreds of years of experience with voting fraud. Over centuries,
lots of tricks were tried, and the system evolved to cope with
them. Simple measures like counting the number of people voting and
making sure the number of ballots cast essentially corresponds,
physically guarding ballot boxes and having members of opposing
parties watch them, etc., serve very well and work just fine.

Someone mentioned that in some elections it is impractical for the
people running to have representatives at all polling places. It is,
in fact, not necessary for them to -- the threat of their doing so and
having enough poll watchers from enough organizations in a reasonably
random assortment of polling places is enough to prevent significant
fraud.

I'm especially scared about mechanisms that let people "vote at home"
and such. Lots of people seem to think that the five minute trip to
the polling place is what is preventing people from voting, and they
want to let people vote from their computers. Let's ignore the question
of whether it is important that the people who can't be bothered to
spend ten minutes going to the polling place care enough about the
election to be voting anyway. Let's also ignore the totally unimportant
question of vote buying -- vote buying has happened plenty of times
over the centuries without any need for the purchaser to verify that
the vote was cast as promised. Tammany Hall did not need to watch
people's votes to run a political machine.

I'm much more concerned that we may be automating the "graveyard"
vote, which is currently kept in check by the need to personally
appear at polling places. I'm also concerned about the forms of fraud
I haven't even considered yet because no one has invented them yet.
Election security isn't just about assuring that votes are correctly
counted.

I'm a technophile. I've loved technology all my life. I'm also a
security professional, and I love a good cryptographic
algorithm. Please keep technology as far away as possible from the
voting booth -- it will make everyone a lot safer.


-- 
Perry E. Metzger		perry at piermont.com

---------------------------------------------------------------------
The Cryptography Mailing List