thorfinn: <user name="seedy_girl"> and <user name="thorfinn"> (Default)
[personal profile] thorfinn

In Australian Greens MP Adam Bandt's post "Do you think should people be able to enrol to vote online?", a number of people in the post also wanted to actually vote online (or electronically).

My response to that is that electronic voting is currently not possible to secure because of the requirement to preserve anonymity of voting.

With most electoral voting systems today, an essential part of the system is that the vote cannot be linked with the original voter. If votes can be linked to voters, then you open the likelihood that people may not vote honestly, because they can targeted due to the nature of their vote.

The difficulty is that all electronic data is essentially trivially copiable, and an edited version is usually indistinguishable from an original. For example, your computer copies the digital original every single time you look at something online - that's how it gets from the server to your computer so that your computer can even display it to you.

This text you are reading now has been copied in that way lots of times, and you could trivially make more copies of it, edit it however you like, and release a digital text which has been modified, but is in exactly the same format to the original text and nobody can truly verify which one was the real original.

There is only one kind of electronic data that is not editable in that way - that is electronic data which has been securely digitally signed in a non anonymous fashion. That means that if the data is edited, the digital signature will no longer match. For example, digital signatures are used by online banking systems to verify to your web browser that the online website you are talking to is actually the bank you think it is, not someone else pretending to be the bank.

The problem is, digital votes that are secure and verifiable must remain attached to their original digital signature - which fully identifies the voter. Once you detach the digital vote from the digital signature, they can immediately be trivially copied and faked (just like this unsigned digital text you are reading), and cannot be verified using any means.

No matter how much auditing you do on the software and hardware, at any point between the detachment of the digital signature and the final vote count, there is the possibility of trivial and currently impossible to check and verify against digital vote fraud.

Paper votes are physical objects which are much much harder to create copies and fakes of. Once the voter is identified, they can be given a blank voting paper, and the physical vote can then be passed around and verified without having any link to the voter any more.

As regards the original question posed, enrolling to vote online is actually fine, just like Internet banking and similar systems, the point is to be identified to prove that you are you. It could even tie in well to the electoral system at booths - secure identification that ties in with your digital enrolment at the tick off point in order to receive the physical voting papers would actually improve voting security, not decrease it.

In short: Online voter registration, no worries. Online voting, just no.

(no subject)

Date: 2011-03-02 04:15 (UTC)
chaos_crafter: (Default)
From: [personal profile] chaos_crafter
So in essence the problem is not of identity - as you say, we manage the disconnect in a physical environment. The problem is the fact that a digital ballot paper can be readily reproduced.
That to me suggests that we should be looking at the mechanisms that are used to handle that. In the physical form, the ballot paper is signed by the electoral officer to mark it as genuine - that can be reproduced digitally. The person filling in the document then modifies it - that could be done by anyone, but a local physical security is used to make sure that doesn't occur. Again that can be managed in a digital fashion, though I'll admit with some provisos. Finally the document is placed in a nominally secure facility for counting (again, this stage is easily replicated digitally).
In the real world, to interrupt that process means fiddling with the contents of the locked box, or adding false records to it - in the digital environment both of these are more readily prevented.
The other mechanism of attack is to interfere in the physical voting process - pretending to be someone else (you seem happy enough that this can be avoided), taking over the entire voting centre and forcing electoral officials to fill things in the way you want (not so common here, but not unknown elsewhere), or standing over the person voting to make them vote as you wish (This is to my mind one of the worst risks in digital voting.)

It seems to me that much of the digital process is exactly as securable. The issue is security within an application (which we don't trust) vs. security within a polling station (which at least here we can trust)
If we could secure and be sure of the application, then to my mind digital voting is able to be better secured than physical. The real problem is we can't prevent someone forcing others to vote as we wish, if they don't get to vote in an environment where they are safe from observation (and I don't just mean digital snooping)

Mind you, all this assumes you are happy you can secure a communications channel from user to polling app, and you have some mechanis to validate the applications - the equivalent of making sure you don't have armed scrutineers, or someone hiding a box of fake ballots in a corner somewhere.

Certainly, I'm not convinced digital voting is actually meaningfully different from physical, once you get people to turn up in person to vote.

(no subject)

Date: 2011-03-02 20:45 (UTC)
pauamma: Cartooney crab holding drink (Default)
From: [personal profile] pauamma
I'm wondering whether a combination of blind signing and protocols similar to the digital cash ones described in Schneier would solve some of the problems.

(no subject)

Date: 2011-03-03 08:31 (UTC)
bens_dad: (Default)
From: [personal profile] bens_dad
I agree. As far as I can see any system which allows the returning officer to prove to Dave that he has correctly counted Alice's vote reveals Alice's vote.

(no subject)

Date: 2011-03-02 07:42 (UTC)
cdybedahl: (Default)
From: [personal profile] cdybedahl
"Impossible" is a big word... It took me less than a minute to come up with the idea of using a trusted intermediary layer (which we have in paper voting today too). You send a signed-by-you vote to the intermediary, which verifies your signature, signs the vote with its own key, securely logs the fact that you have voted and then deletes the vote you sent in. Presto, signed anonymous vote.

Now, I don't for a moment doubt that there are problems with that scenario. But I also don't doubt that if someone who actually knows crypto protocol stuff spent significantly more than a minute thinking about the problem it could be solved. Personally, I think the paper voting system we (as in Sweden) have works rather well and I don't think we should change it without thinking about the problem for several election cycles at least. But declaring that it's impossible to create an electronic system that works at least as well as paper ones... well, you need a much better argument than you're providing here.

(no subject)

Date: 2011-03-02 13:19 (UTC)
heliumbreath: (Default)
From: [personal profile] heliumbreath
The case of a voter being threatened is an extreme case; vote-buying is something that used to happen quite a bit. Eve, acting as candidate's agent for the Bribery Party, offers modest sums of money to Alice, Bob, and Charlie if they'll vote for her candidate. The current ballot system (at least in Canada) tries to make it impossible for Alice to prove how she voted to anyone else, and thus Eve doesn't know if the vote went to the Honest Party instead and the vote-buying scheme fails.

(no subject)

Date: 2011-03-02 14:59 (UTC)
greylock: (Default)
From: [personal profile] greylock
People are stupid.
I can't help but hope the physical act of voting makes them think.

(no subject)

Date: 2011-03-02 20:35 (UTC)
reddragdiva: (Default)
From: [personal profile] reddragdiva
When I first voted in the UK, my head exploded when I saw that each ballot paper was numbered with the number recorded against my name. I nearly walked out and didn't vote. (I did vote and still do.)

(no subject)

Date: 2011-03-03 10:48 (UTC)
vatine: Generated with some CL code and a hand-designed blackletter font (Default)
From: [personal profile] vatine
I believe that was actually gone, last time I voted in the UK. It made me happy to see a small amount of progress.

(no subject)

Date: 2011-03-03 07:34 (UTC)
bens_dad: (Default)
From: [personal profile] bens_dad
As reddragdiva says, the premise that voting is anonymous is not valid under the current long standing completely manual physical voting system in the UK.

I think the justification is that if I come in to vote and find that someone has already voted in my name (we don't have to prove our identity, just claim it, when collecting a ballot paper) the imposter's vote can be removed from the count.

However an electronic system would make it easier for someone to find out how an individual voted or generate a list of people who voted a particular way.

(no subject)

Date: 2011-03-03 08:39 (UTC)
bens_dad: (Default)
From: [personal profile] bens_dad
Presumably if I claim that someone else has stolen my vote I will then be asked to prove my identity. I guess that means that we assume trust most of the time but can back-date verification of trust should anyone object.

If you kill me when I object then no one else can verify that it is my vote, so you get to keep the vote you stole :-(
From: (Anonymous)
There are definitely problems with electronic (or, indeed, online) voting, but the conclusions you draw here are far too simplistic. If you look around you'll find that this is an open research area with a variety of relatively robust and developed solutions. Many of them suffer from various levels of complexity, but your assumption that anonymity and verifiable voting are mutually exclusive is simply not true.

Rather than going into the details, you might want to have a quick look at the Prêt à Voter system (, which is a relatively recent approach that gives some strong properties. (For the details, read the paper:

There's plenty of other work on verifiable anonymous voting, using Chaumian mixnets; see, for example:

Spotting the basic problems of electronic voting is fine, and there are certainly no commercial products available now, but your claim of impossibility (and that "no matter how much auditing you do on the software and hardware, at any point between the detachment of the digital signature and the final vote count, there is the possibility of trivial and currently impossible to check and verify against digital vote fraud") is simply untrue.

When looking at a problem like this, it's really worth Googling around a bit to see if anyone has approached the problems first. Electronic voting is a very active, and very interesting, current area of crypto research.

(No offence intended! It's great that people care about this topic. :D)

(no subject)

Date: 2011-04-10 03:06 (UTC)
jeshyr: Blessed are the broken. Harry Potter. (Default)
From: [personal profile] jeshyr
OTOH for the purposes of "we should give an OPTION for electronic voting which MAY be taken up by somebody who finds physical at-poll-station voting difficult for any reason" the non-anonymity factor may not be a big problem (please excuse my RFCish capitalisation of keywords here).

Assuming that the vast majority (as now) will still vote at the polling place in the regular physical way, and that there's still an OPTION to use the anonymous-as-now postal vote (they double-bag these with the outer sealed envelope only being identifiable and the vote in the inner - with a presumably-trusted man in the middle), having the OPTION to use a non-anonymous electronic vote could be a real boon for remote, disabled, overseas, etc. peoples.

I think this is especially relevant for those whose disabilities prevent them from voting in an independent way anyway. Requiring physical help to fill in a ballot paper renders you non-anonymous in a very immediate way to somebody who's usually a person you depend on every day (and who therefore has both explicit and implicit power over you) whereas a signed digital ballot renders you non-anonymous to a probably-unknown polling official who probably has no immediate power over you or wish to make your life difficult because you didn't vote the way they wanted. Remembering that most blind people and a large number of quadriplegic and other-disabled people fit into these categories, it's a non-trivial category of voters who should be given a chance. And assuming you're implementing it for these people anyway, it would be stupid not to allow other voters the OPTION to make use of it.


(no subject)

Date: 2011-04-11 05:39 (UTC)
jeshyr: Blessed are the broken. Harry Potter. (Default)
From: [personal profile] jeshyr
I had not thought of that. Damm.

There's always a catch, isn't there.

April 2014

6789 101112

Most Popular Tags

Style Credit

Expand Cut Tags

No cut tags