OVC: Use chain of custody to fix chain of custody!? July 31, 2008
Posted by Aleks Essex, and Richard Carback in : Concepts in E2E, Voting Goals , 5 commentsOpen Voting Consortium and Okori Group offered a new open source voting system solution at LinuxWorld 08. According to the CNET interview:
Dechert says his system is better because it doesn’t use fancy cryptography, it uses a simple chain of custody.
This statement right here is the deal breaker. Why? I would hope it’s obvious:
A solution requiring the non-existence of the very fault-condition it attempts to solve is not a solution.
Folks, accept no substitutes. End-to-end verification: often imitated, never duplicated.
The content of posts to the Punchscan blog belong to the author and do not necessarily reflect the thoughts, feelings, or opinions of the Punchscan voting project.
Semiprime Time July 4, 2008
Posted by Aleks Essex in : Voting Goals, Voting Policy , add a commentComputer scientist and election technology analyst Avi Rubin touched on some familiar themes in an interview yesterday:
There are cryptographic techniques that can be used to achieve software independence so that even if there’s a bug in the software, you’ll detect if there’s a problem. But those are not ready for prime time in my opinion.
Though I’m generally more optimistic about this, it’s a fair statement, especially since there hasn’t yet been any definitive event to have changed many minds. The question I put to you, fair reader, is how do we recognize when the time has come? It would seem, as in Rubin’s case, a conservative assessment of the situation would best allow one to avoid taking a premature position on the matter.
I suppose there are only two factors to take into account. One is a stable convergence of the technology with a consistent, set of security ideals. However this by itself may be too abstract to be appreciated by the general public.
Naturally for me as an engineer, the defining characteristic of a technology entering “prime time” is its first successful deployment in the field.
But perhaps we can never say for certain the time has come, only that now is as good a time as any.
The content of posts to the Punchscan blog belong to the author and do not necessarily reflect the thoughts, feelings, or opinions of the Punchscan voting project.
Scantegrity: Choice in audit trails June 7, 2008
Posted by Aleks Essex in : Concepts in E2E, Voting Goals , add a commentWith respect to Scantegrity and our design objectives, Flaherty has it wrong:
A system that started as an attempt at secure voting without paper ballots has, ironically, evolved into a system designed for compatibility with existing paper ballot voting systems.
If he were to live in the shoes of a voting system designer for one day he would learn an interesting lesson: the barrier to entry for new paradigms is so vast, and onus on voters to learn anything new is so low, the only way to present truly new ideas, regrettably, seems to be to allow some people to believe they’re not new ideas at all.
We didn’t integrate a paper trail into Scantegrity because we necessarily think it adds security. But the pride of the 1850’s still gives folks comfort, and we’re not out to take that away from them.
What we’ve done, I think quite reasonably, gives people who want to verify an election a choice: paper trail verification if it floats your boat, and for those who want something more compelling, a new approach to proof of election integrity called E2E.
The fact is, Scantegrity incorporates both “old” and “new” into one system, which we felt was a vital direction, and I’m not bashful about telling you a lot of work went into it.
The content of posts to the Punchscan blog belong to the author and do not necessarily reflect the thoughts, feelings, or opinions of the Punchscan voting project.
When internet voting ruled the Earth March 13, 2008
Posted by Aleks Essex and Richard Carback in : Voting Goals, Voting Policy , 3 commentsThinking about remote voting options such as mail-in and internet voting (by which I mean voting remotely via the internet) , a quote from Jurassic Park comes to mind:
“Your scientists were so preoccupied with whether or not they could, they didn’t stop to think if they should. ”
This comes back to the question of priorities for a country’s democratic process. Given two seemingly rivalrous options, universal accessibility and universal ballot secrecy, which is the priority?
If, as in Canada’s case, you allow everyone the option of using remote voting then at least in theory you cannot guarantee protection from undue influence. It could therefore be said accessibility is given precedence.
It may be that a plausible middle ground is, as has been suggested, that voters are afforded remote voting as an option only if they can demonstrate an accessibility need. Therefore everyone gets access to the election, and ballot secrecy is still maintained for the majority of voters who are (presumably) able to attend the polling place.
So how do you demonstrate and accessibility need? I suppose you cannot directly. But in Canada many aspects of the voting process rely heavily on the use of statutory declarations to get around various unprovable situations. So the scheme would work like this: you get to vote remotely only if you’re absent or otherwise unable to attend the polling place which you affirm in a statutory declaration made as a pre-condition for remote voting.
But again we come back to priorities. In this case there’s a third priority beyond accessibility and secrecy: convenience. So what’s the priority? Should remote voting be about convenience for all voters, or accessibility for special needs voters?
The content of posts to the Punchscan blog belong to the author and do not necessarily reflect the thoughts, feelings, or opinions of the Punchscan voting project.
Eesti VOTEariik March 11, 2008
Posted by Aleks Essex in : Voting Goals, Voting Policy , 3 commentsVoting through the tubes was a topic came up at the ITIF Future of Voting forum: is internet voting really how we see our future?
According to a Government Computer News article my position is that “the jury is out” on the fundamental acceptability of internet voting and I that go on to point that we should be doing our best to develop secure solutions because with respect to adoption in certain countries “it’s here.” I do not believe these were precise quotes of mine–perhaps taken out of a greater context. So allow me to disagree with “myself.”
Consider Estonia, the first country to offer internet voting. My grandmother–herself Estonian–fled to Canada during WWII to escape the Soviets. Fifty years passed. There were no elections. But when the iron curtain fell, she got to vote in the Estonian national elections–like many there–for the first time in her life. I still remember going with her to a church basement (in small-town Canada) to cast her vote. What would she think about internet voting if she were here today? To be honest, I think she would say, “Estonia’s voting, that’s what I care about.”
But think about it. They’re an internet savvy country, they have a national PKI, and (pursuant to the little history lesson) they have a relatively clean slate in terms of equipment, precedent and procedure (unlike the US). So it really seems they had all the ‘right stuff.’ I admit to even feeling a little 2nd-generation pride that they pulled it off.
But how far does this model extend with respect to other countries? Well, allow me stick to what I can legitimately editorialize on; my own country. The Canadian federal government has been moving toward internetizing services for several years now. I did my taxes yesterday (that is to say, my wife collected my T4’s from me) and we filed our return online. In ‘06 for the first time we were given the option to complete our census questions online. I actually (at the time) got into a protracted clash with the ministry responsible because they absolutely refused to tell me anything about the security of the software they wanted *ME* to use–but that’s another story all together.
But with respect to voting, we’re Austrlian ballot all the way. At least federally and provincially. And what’s more, there seems to be no desire to change. But could we do it? Yes, actually I think so. We have the underlying organizational infrastructure (though no national id smart-cards). The credential-issuing solution would be paper-based and could parallel the existing government e-services. (Except they would likely contract a 3rd party to write the software and then not allow voters to ask how their vote is secured.)
But I see two problems:
- Voting ain’t like taxes or census. Your vote (individually) is not factual information that government is entitled to know.
- The internet voting model doesn’t (or rather hasn’t yet) satisfactorily addressed the issue of vote-buying.
But as Paul DeGregorio pointed out to me, with mail-in voting you can show people how you vote, yet it is an acceptable method, so how is internet voting fundamentally different? I guess I don’t know. But if you spend as much time worrying about voter-privacy as I do, your reaction may be that mail-in voting should not be a valid option for the majority of the voting population.
In the 2006, Elections Canada announced that the mail-in option was made available to every voter. Yet in a different document they say “the security of the ballot is paramount, and the system makes it impossible to discover for whom a specific voter has voted … to ensure that no electors are intimidated or bribed into voting in a particular way.” That would seem to be a contradiction.
Is there not a tipping point where when enough voters use the mail-in option (or by extension the internet option) that the outcome of an election itself is malleable by intimidation or bribery?
I think it comes down to this: what is important? If ballot secrecy is important, then perhaps internet voting is not the correct avenue to pursue (unless you’re trying to include this in the design, which turns out to be pretty difficult–so far). If perhaps you think “well, privacy is dead anyway” then the convenience it offers is attractive. We really should set our priorities straight before we talk about internet voting system design.
The content of posts to the Punchscan blog belong to the author and do not necessarily reflect the thoughts, feelings, or opinions of the Punchscan voting project.
Telephone Integrity November 21, 2007
Posted by Aleks Essex and Richard Carback in : Security, Voting Goals , add a commentIn trying to categorize integrity in voting systems, its become clear to me that a parallel exists between many other human-technology interactions. Consider the things that have to go right when you want to call someone on the phone:
Dialed as Intended - Given a phone number, you can figure out how to press the buttons to dial it.
Signaled as Dialed - The telephone unit must emit DTMF tones (or pulses) consistent with the buttons you pressed.
Routed as Signaled - The telephone network must correctly route your call based on the signal it received.
Putting it together your call is Routed as Intended.
Obviously the integrity chain is easy for the caller to validate, when the correct person picks up the phone at the other end. But what about when its not? I often phone my sister in the arctic and have to try several times to get through. I could’ve accidentally dialed the wrong number (i.e. not dialed as intended). I could’ve pressed the button quickly and the DTMF tone was not registered (i.e. not signaled as dialed). Or, as often appears to usually be the case, the call is not routed as signaled. The call, being routed through satellite, is often subject to reliability issues, and even bad weather (it IS the arctic!).
Obviously telephone integrity is not currently the focus of much research. But taking these ideas and applying them to electronic voting is.
The content of posts to the Punchscan blog belong to the author and do not necessarily reflect the thoughts, feelings, or opinions of the Punchscan voting project.
Complexity and Transparency are not the same October 17, 2007
Posted by Richard Carback and in : Voting Goals , add a commentOften when we attempt to explain Punchscan to activists and others we hear something like the following:
Darn it. If my 80-year-old grandma can’t understand it, then we shouldn’t use it. Elections should be transparent.
I have been meaning to address this issue in a blog post for some time, but today I see that Ben Adida has already done a pretty good job. While people may have a point that Punchscan and E2E in general is somewhat complex, this is not the same as transparency. While not everyone will take the time to understand it, the fact remains that a normal citizen could do it if they so desired, and that is the key distinction between E2E and many other systems. There are no experts, closed sources, closed designs, or NDAs. Ben’s definition of transparency is as follows:
A system is transparent if, given a reasonable amount of time and effort, a person with a college education can understand it. Then, those without the education, time, or willingness to understand it can consult with someone they trust who does understand it.
I sort-of agree with this statement, although I would use high-school instead of college. In reality, I think that transparency is fundamentally different, and it has to do with the level of observance people can exert on the election. Anyway, we have been saying something similar to this for a long time now. Here’s what we say on our FAQ about it:
The actual system could, we expect, with such a mock election as introduction, be taught in advanced high school science or college classes. This is many times simpler than convincing anyone of how the software in current voting systems works—even if people were allowed to see it!
I see no reason why anyone with a minimal education would not be able to understand Punchscan with the help of a 1-2 week (or day) course.
The only thing I find even a little objectionable about Ben’s post is the following:
…to anyone familiar with quality control processes, the ballot chain-of-custody is a reliability nightmare: how does one check that no one has tampered with a ballot box full of de-identified ballots that no one can look at during the 24 crucial hours where low-wage, minimally trained election workers are entirely responsible for them?
This doesn’t exactly do justice to the solution most activists are trying to promote. They want semi-translucent boxes in full view, and counting done on the same day at the same place in a specific way in front of anyone who is able to observe. There are still many problems with this but it is a bit different than centralized counting or the DREs we have today.
Kudos to Ben on an excellent post.
The content of posts to the Punchscan blog belong to the author and do not necessarily reflect the thoughts, feelings, or opinions of the Punchscan voting project.
Rasing the E2E Profile in the Public Eye September 25, 2007
Posted by Aleks Essex, and Richard Carback in : Voting Goals , 6 commentsOur colleague at allaboutvoting.com has pointed out a few of the top misconceptions about E2E floating around out there on the internet. I know them well.
The allaboutvoting suggestion was to establish an outreach to the broader public about E2E. Of course this is a good idea, and something that’s overdue. But that’s going to be tough. As for Punchscan, our approach to raising its profile has always been by “doing.” First we designed and built it. Then we debuted it in a binding election. Then we won an international competition. I think that these milestones were all necessary; people need things they can “touch.” Pictures and movie of real voters using Punchscan I think helped “make it real” to people, because it was real. Winning the ten thousand dollars sure got people interested. So I’d say it’s these “press” moments that will see E2E find its way into “normal” conversation, if only for a moment.
But what aberrations do we have to deal with in the mean time?
“There are no concerns with present electronic voting machines”
I think there’s been enough treatment in the news to allow me to go ahead and skip this point.
“Your solution is something only geeks can understand”
This one always bothers me. Not because I think the “average person” should understand cryptography, but because you don’t need cryptography to understand Punchscan.
The entire Punchscan process can be explained and performed using paper — without math, without computers.
Certainly I think anyone can understand our goals: to give voters the ability to prove their vote made it into the tally.
Certainly I think anyone can check their receipt: either online or give it to someone you trust (e.g. Democracy Watch) to check for you. This receipt data can even be published in a booklet or newspaper. This is (in the worst case) equivalent to the “hand counted paper audit” solution.
Certainly I think anyone with the internet can download and run the open source audit application on the election data, or ask someone you trust (e.g. Democracy Watch) to do it for you.
Certainly I think that anyone can understand how Punchscan works because the entire process can be explained using only paper products and simple steps (no crypto, no math, no computers). This will be the subject of a future post.
“Your solution is to just ‘trust us’”
Independent Verification. What does it mean? Exactly what it says, that’s why they chose the words!
THE ENTIRE REASON we designed Punchscan was to give voters a mechanism to prove to themselves, and by themselves THAT:
- their vote made it into the election tally
- all votes were counted as they were cast
Now this is an academic project, which means you’re entirely welcome to examine and critique the method by which we attempt to realize these goals, however this particular critique is just another way of saying “I haven’t even read your home page.” :-p
The content of posts to the Punchscan blog belong to the author and do not necessarily reflect the thoughts, feelings, or opinions of the Punchscan voting project.
Information Security vs. Physical Security - Cats and dogs of voting? September 20, 2007
Posted by Aleks Essex, and Richard Carback in : Voting Goals, Voting Policy , add a commentA while back I visited the Black Box Voting online forum trying to elicit collaboration with what I saw as a shared goal of our respective projects: voter verifiability of election results. They weren’t interested. I don’t think it was the ends that was the problem as much as the means. BBV attempts to address with paper that which Punchscan attempts to address with paper and some cryptography. Although I understand what they find attractive about the old-school approach (being a practitioner of hand counting myself) I just don’t agree with any totalistic views in connection with computers being wholly bad for voting.
Today I received an email announcing a new BBV investigative report, which I took a read through and pulled out this:
When you introduce computers into the voting process this forces the citizens - who own the government - to trust government insiders to tell the truth about election results. [...] Citizens can see paper ballots counted in public at the polling place, but we can’t see what goes on inside a computer.
- Sentence one: Disagree - Punchscan proves (or disproves) election results to voters… independent of government insiders (whomever they’re supposed to be).
- Sentence two: Agree. We can’t see what happens inside, but we voters can see and control what comes in and out. And that forms the basis for an information based solution.
One of the requirements of an E2E system is no single trustee is able to decrypt ballots, in the exact same way that no one returning officer may have unobserved custody of a ballot box. Same idea. What you’re doing is distributing trust across several people or groups. There’s a physical solution obviously: chain of custody and observers. There are also ways to distribute trust across an information system. Simply put: everyone gets a key, and you can only run your election correctly with all the keys.
We proposed and implemented an open-source verifiable trust distribution system where everybody gets a copy of the software, and everyone checks everyone else’s copy matches theirs. It uses passwords and USB keys. We demoed this at VoComp.
For the record, Punchscan doesn’t really use that much cryptography and the entire system can actually be explained without any crypto at all. But for all the bellyaching that frequently accompanies the mention of the word, it really does buy you something: integrity of election results. The government insiders can’t change the outcome.
Punchscan is built on the use of digital bit commitments. That’s just a fancy way of saying: I write my wife a love letter, put it in an envelope, lick it, seal it, give it to her, and tell her to open it on Valentine’s day. Then when she reads it, she knows I really was capable of saying those “3 words” on more days than one. 
But hey, obviously this is way too hard for the “average person” to understand… so just forget about it. (Note to self: Hash “I LOVE YOU” and email to Anna).
The content of posts to the Punchscan blog belong to the author and do not necessarily reflect the thoughts, feelings, or opinions of the Punchscan voting project.
Exploring Voting System Goals: Other Goals August 13, 2007
Posted by Richard Carback and in : Voting Goals , add a commentVoting is a unique large scale system intended for use by the public for a very short time. Thus, it has a need for a higher level of the assurance than other systems that are used daily by the public. With this in mind, we can add reliability, scaleability, and recoverability to our list of goals that voting systems should strive toward. These goals are not unique to voting systems, and there are many goals voting systems should meet that are not listed here, but the nature of a voting system makes these goals stand out.
Scalability
The system should scale, but when we say scale we mean many things. The first of which is that it should scale with the number of voters. There should not be an upper limit to the number of voters, and the counting processes should still finish in a reasonable amount of time after the election is complete. This should also be true for the number of candidates per race and number of races per ballot, although there is a limit to what most people are able to tolerate. Lastly, the system should not have technical limitations preventing it from implementing certain election rules such as plurality, approval voting, range voting, and rank voting systems.
Reliability
It must be more reliable and resistant to disruption than the power grid, and any voting system must support a way to continue operation without power. Barring natural disaster or violent military actions that keep voters away from the polls, the system must work.
Recoverability
There should be ways to recover as best as is possible from catastrophic failures. In many cases this is a matter of redundancy and procedures (e.g. constantly publish the current count of votes each time period). The difficulty here is that you wish to achieve recoverability without drastically affecting the rest of the system or putting a lot of responsibility on volunteers.
That’s all I have for now, and I am heading out for a vacation. For those who have been following, I look forward to reading your comments when I get back (as I am certain there are many other goals that I am missing). I think a next step for this discussion would be to make some sort of report card for systems we’ve come across. Suggestions are welcome, I hope my posts so far have got you thinking.
The content of posts to the Punchscan blog belong to the author and do not necessarily reflect the thoughts, feelings, or opinions of the Punchscan voting project.