On Mon, Mar 01, 2004 at 02:07:20AM -0000, Niall Douglas wrote:
Data signing only works for the person who checks the signature and since I'm not going to be let near a machine in order to check the ROM signature, it's no good for me. It's also no good for people who have no idea what a "ROM signature" is. They shouldn't have to know.
I was more thinking of the data signing mechanisms used to ensure CIA wire tap boxes haven't been compromised. These boxes get stuck in the wild so there's a chance they could be interfered with by an outside party. Basically it's a loopy state machine whereby the software is encrypted with a key and that key is derived from the signature of the encrypted image. Basically if you alter the image you must alter its signature thus losing the ability to run it - and it can't be faked.
Unless you take out the bit that actually cares about the signature. Maybe not possible in a single chip custom listening device but quite possible in a machine built from off the shelf chips and building voting machines from anything except off the shelf chips is not going to change any time soon.
Something(s) on the board must be the key to the trust system, usually the processor but maybe there are multiple chips that check the signatures. You only need to replace these with look-a-likes that will also trust your switched image. No one can discover this without examining the chip layout under an electron microscope, rather impractical.
How do I check the signature of a PCI controller or a chip that's labelled as a Motorola 68000 anyway?
You'd use one of the military spec processors. They are hardened to EMP and are very hard to hack into. This is a good thing, given they control the world's nuclear arsenal.
They don't need to be hacked, they just need to be replaced with something that looks the same and appears to function the same until it gets the "switch to vote stealing mode" signal. There's no way of calculating a signature from an IC, you have to break the packaging and examine the circuits.
If people will insist on using off the shelf components, they will have this problem. When I was working for EuroFighter, I was appalled to discover they use x86 kit and Windows which is totally unsuitable.
Commercial off the shelf kit is mass produced cheaply. It's not of high quality and certainly not of high security. As an example, DEC VMS didn't have a single root exploit in 17 years.
The voting machines are using m68k and a very small custom OS which is little more than a loader. It's probably very secure as it had almost no functionality. It's also got ECC RAM.
The counting machine however is Win 98 + Access on a non-ECC PC! Then again it only has a quick job to do that can be verified in other ways.
We actually have a very secure system at the moment. It's secure because people from all sides of the election are keeping one-another honest. There is no single point of failure. The ballot boxes are watched by multiple people (who don't trust each other) from the time they're opened to the time they're emptied.
I think it's less secure than you might think. I have no Irish examples, but vote rigging is as old as time and it never completely goes away even with the very best of systems.
Nice example is "the shuffle". Send 1 punter in with a blank piece of paper, he puts that in the box and comes back with a stamped ballot. Fill that out, send the next punter in with that and he comes back with another blank. Repeat until no punters left, then go in yourself with the last ballot. Everyone gets a tenner.
Computers will eliminate that.
Think about the other areas where public access is granted to ensure public confidence - most government meetings eg; trials, Dail debates, public archives - even FOIA. All these are too technical to the lay person. Voting software is an identical issue - the lay person won't and can't understand, but it's having the free access is what's important.
Dail debates are not beyond the layman, in fact the Dail has several men who are as lay as it gets. The other examples can occasionally get very complicated but I'd imagine there are very few people who get convicted without actually understanding why.
However, I really do think if people could vote say by mobile phone, you'd get a lot more people voting (even better if the phone asked you for a vote on polling day). So to me, any substantially improved voting system must have this feature. Just replacing paper ballots with an electronic system seems pointless to me - one is spending money for zero gain. Of course, current mobile phones aren't secure enough and neither will be the next generation. But maybe thereafter given how much they want us to buy stuff using them eg; a distributed self-repairing peer to peer voting network based on all mobiles reaching a consensus (and attacking every mobile phone in the country is a tad hard).
I don't think technological security is the issue here, personal security is much more important. Mobile phone voting in the North would be a good laugh, where the bloke looking over your shoulder, watching you vote, wears a balaclava for a bit of petrol bombing fun at the weekend. Even taking threats and violence out of the mix, remote voting allows vote selling.
The tests done in the UK showed very small increases in turnout,
F
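The exchange above turns on where the signature check lives. As an added example (not code from anyone in this thread), the Python sketch below seals a firmware image under a key derived from its own signature, shows a genuine chip refusing altered images, and shows that a substituted chip with the same interface enforces nothing. `TrustChip`, `LookalikeChip`, `seal_image`, the challenge-response `attest` check and the HMAC-based toy cipher are all assumptions made for illustration, and the signature is taken over the plaintext so that the key derivation is not circular.

```python
import hashlib
import hmac
import os


def prf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA256, used here as both the signature (MAC) and the key-derivation step."""
    return hmac.new(key, label, hashlib.sha256).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher for illustration only: XOR with an HMAC-based keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = prf(key, b"stream" + offset.to_bytes(8, "big"))
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)


def seal_image(device_secret: bytes, firmware: bytes) -> bytes:
    """Manufacturer side: sign the firmware, then encrypt it under a key derived from that signature."""
    tag = prf(device_secret, b"sign" + firmware)
    image_key = prf(device_secret, b"key" + tag)
    return tag + xor_stream(image_key, firmware)


class TrustChip:
    """Hypothetical genuine part: holds the device secret and enforces the check."""

    def __init__(self, device_secret: bytes):
        self._secret = device_secret

    def boot(self, image: bytes) -> bytes:
        tag, body = image[:32], image[32:]
        firmware = xor_stream(prf(self._secret, b"key" + tag), body)
        # Altering the body changes the plaintext; altering the tag changes the key.
        # Either way the recomputed signature no longer matches.
        if not hmac.compare_digest(tag, prf(self._secret, b"sign" + firmware)):
            raise ValueError("image or signature altered: refusing to run")
        return firmware

    def attest(self, nonce: bytes) -> bytes:
        """Answer an auditor's fresh challenge using the device secret."""
        return prf(self._secret, b"attest" + nonce)


class LookalikeChip:
    """Substituted part from the thread: same interface, no secret, no check."""

    def boot(self, image: bytes) -> bytes:
        return image[32:]  # hands back whatever body it was given; the tag is ignored

    def attest(self, nonce: bytes) -> bytes:
        return prf(b"\x00" * 32, b"attest" + nonce)  # has no secret, so it can only guess


def chip_is_genuine(chip, device_secret: bytes) -> bool:
    """Auditor side (assumed to know the secret): fresh nonce, compare the response."""
    nonce = os.urandom(16)
    return hmac.compare_digest(chip.attest(nonce), prf(device_secret, b"attest" + nonce))


def demo() -> dict:
    secret = os.urandom(32)                       # constructed device secret
    firmware = b"count each ballot exactly once"  # constructed firmware
    image = seal_image(secret, firmware)
    genuine = TrustChip(secret)
    results = {"clean_boot": genuine.boot(image) == firmware}

    flipped = bytearray(image)
    flipped[40] ^= 1                              # one bit changed in the encrypted body
    bad_tag = bytes([image[0] ^ 1]) + image[1:]   # one bit changed in the signature
    for name, bad in (("altered_body", bytes(flipped)), ("altered_tag", bad_tag)):
        try:
            genuine.boot(bad)
            results[name] = "ran"
        except ValueError:
            results[name] = "refused"

    swapped = bytes(32) + b"some other program"   # constructed unsigned image
    results["lookalike_runs_swapped_image"] = (
        LookalikeChip().boot(swapped) == b"some other program"
    )
    results["genuine_attests"] = chip_is_genuine(genuine, secret)
    results["lookalike_attests"] = chip_is_genuine(LookalikeChip(), secret)
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {outcome}")
```

The attestation check only helps if the secret cannot be extracted from the genuine part and the auditor's own equipment is trusted, which is the assumption the rest of the thread argues over.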
Fergal Daly writes:
On Mon, Mar 01, 2004 at 02:07:20AM -0000, Niall Douglas wrote:
If people will insist on using off the shelf components, they will have this problem. When I was working for EuroFighter, I was appalled to discover they use x86 kit and Windows which is totally unsuitable.
Commercial off the shelf kit is mass produced cheaply. It's not of high quality and certainly not of high security. As an example, DEC VMS didn't have a single root exploit in 17 years.
The voting machines are using m68k and a very small custom OS which is little more than a loader. It's probably very secure as it had almost no functionality. It's also got ECC RAM.
BTW if Niall's suggesting using tamper-resilient military-spec hardware, I think the cost increases would scupper the project immediately. I get the impression it's a lot easier to spend that kind of money when it's coming out of a "black budget" ;)
--j.
On 1 Mar 2004 at 10:51, Fergal Daly wrote:
Unless you take out the bit that actually cares about the signature. Maybe not possible in a single chip custom listening device but quite possible in a machine built from off the shelf chips and building voting machines from anything except off the shelf chips is not going to change any time soon.
Why? You can get a military hardened CPU from Atmel or even Intel for less than an x86 CPU. It just won't run Windows.
Something(s) on the board must be the key to the trust system, usually the processor but maybe there are multiple chips that check the signatures. You only need to replace these with look-a-likes that will also trust your switched image. No one can discover this without examining the chip layout under an electron microscope, rather impractical.
You're wrong on this. There are these key generating boxes which spit out encryption keys for use in X509 certs and such and they usually live inside a fire proof safe. They're very very tamper proof, you can't even let them get too hot or cold or else they reset themselves and you lose the key sequence. You could have something similar for voting machines.
I know them from having to go through the rigmarole of accessing one. You had to sign this log book and two people had to be present at all times to make sure you didn't drop it etc.
I don't think technological security is the issue here, personal security is much more important. Mobile phone voting in the North would be a good laugh, where the bloke looking over your shoulder, watching you vote, wears a balaclava for a bit of petrol bombing fun at the weekend. Even taking threats and violence out of the mix, remote voting allows vote selling.
No more so than a fellow paying you a tenner to vote a certain way. Of course you could vote differently anyway - however under a mobile phone voting system, I see no problem with being able to change your vote later.
Cheers, Niall
On Tue, Mar 02, 2004 at 12:56:18AM -0000, Niall Douglas wrote:
voting machines from anything except off the shelf chips is not going to change any time soon.
Why? You can get a military hardened CPU from Atmel or even Intel for less than an x86 CPU. It just won't run Windows.
Fair enough. I assumed they'd be more expensive. Still doesn't change the fact that when you look at the circuit board all you can see is a plastic package and that there's no non-destructive way of finding out if you've really, really got a genuine xyz military hardened processor or just something pretending to be one.
Something(s) on the board must be the key to the trust system, usually the processor but maybe there are multiple chips that check the signatures. You only need to replace these with look-a-likes that will also trust your switched image. No one can discover this without examining the chip layout under an electron microscope, rather impractical.
You're wrong on this. There are these key generating boxes which spit out encryption keys for use in X509 certs and such and they usually live inside a fire proof safe. They're very very tamper proof, you can't even let them get too hot or cold or else they reset themselves and you lose the key sequence. You could have something similar for voting machines.
I know them from having to go through the rigmarole of accessing one. You had to sign this log book and two people had to be present at all times to make sure you didn't drop it etc.
You've gone way outside the requirements for a voting machine here. I agree with you that a practically tamper proof machine is possible, however we are talking about machines which will spend 364 days a year switched off in a warehouse in the back of beyond and then they'll spend a full day in an unfriendly environment being used in private by punters.
If a machine is not running continuously then I can swap chips on it so that it behaves perfectly correctly until it gets my signal and there is nothing anyone can do to discover this, short of cracking open all the chips.
I don't think technological security is the issue here, personal security is much more important. Mobile phone voting in the North would be a good laugh, where the bloke looking over your shoulder, watching you vote, wears a balaclava for a bit of petrol bombing fun at the weekend. Even taking threats and violence out of the mix, remote voting allows vote selling.
No more so than a fellow paying you a tenner to vote a certain way. Of course you could vote differently anyway - however under a mobile phone voting system, I see no problem with being able to change your vote later.
One problem is that it greatly complicates vote storage and anonymity. I can't see it ever being accepted because most people want to know that when they cast their vote it's done and nothing can undo it.
F
On 2 Mar 2004 at 9:54, Fergal Daly wrote:
Why? You can get a military hardened CPU from Atmel or even Intel for less than an x86 CPU. It just won't run Windows.
Fair enough. I assumed they'd be more expensive. Still doesn't change the fact that when you look at the circuit board all you can see is a plastic package and that there's no non-destructive way of finding out if you've really, really got a genuine xyz military hardened processor or just something pretending to be one.
x86 processors are /vastly/ more complex than they need to be because of the legacy requirements. Really they're a RISC CPU nowadays with a translation front-end converting the x86 into RISC ops. However that said, there is a huge scale of economy in x86 chips only ARM could probably come close to - hence me suggesting the Atmel.
I think you're thinking too much in how it could be compromised on a technical level whilst ignoring the feedback effects of a compromise. Voting is not like a bank vault where if you break it you win outright - at best, you get four years or so of power. In reality, many factors can play to make your term much shorter and certainly if it emerged that an election was tampered with, any sitting government would have to call another election. The media simply wouldn't permit otherwise.
If you look at the US 2000 presidential elections which were almost certainly rigged, nevertheless Congress allocated quite a lot of money to replace the voting equipment despite the major spending cutbacks of the Bush administration. Unfortunately that's gone on Diebold voting machines which make the Irish voting machines look fantastic, but it's a good example of the feedback system working.
You've gone way outside the requirements for a voting machine here. I agree with you that a practically tamper proof machine is possible, however we are talking about machines which will spend 364 days a year switched off in a warehouse in the back of beyond and then they'll spend a full day in an unfriendly environment being used in private by punters.
What's important is not that the machines are tamper proof - it's that they're *fairly* tamper proof, enough that people trust them and the process. If they emerge to not be so (and there's plenty of journalists sniffing around here never mind whistleblowers), there will be substantial feedback from the public to improve the system. Which means politicians get to give more wads of cash to their friends and thus everyone is happy.
Nevertheless, I'm still opposed to them. For what is gained per euro spent, they are a waste of money better spent on (say) health.
One problem is that it greatly complicates vote storage and anonymity. I can't see it ever being accepted because most people want to know that when they cast their vote it's done and nothing can undo it.
I did say peer to peer and distributed - therefore there is no central server apart from the trust delegator (which says which phones can vote and which can't). Anonymity is easy to implement in a massively distributed system. And what I really like about such a system is that anyone can ask their mobile what votes were cast for the country and get precisely the same figures as the TV or anyone else gets - obviously if they don't, one can kick up a fuss. My mobile is equal to Bertie's mobile in every way in such a configuration.
Cheers, Niall
Niall Douglas wrote:
| Voting is not like a bank vault where if you break it you win
| outright - at best, you get four years or so of power.
Dangerously optimistic. If someone has the capability to rig an election before they get into office, then they will definitely be able to rig it again once they are in office, and each time they do, it will be exponentially more difficult to undo.
Your claim that the media will act as a self-correcting mechanism is, again, dangerously optimistic. In the US (where I lived until very recently), not one of the mainstream TV stations raised or raise the obvious questions about why GWB is the US President when we now know that if the count hadn't been stopped, he would have lost. In the next election, whether he wins or loses, the manner in which he won the previous election will not be an issue for the vast majority of Americans.
Rigging an election is the political equivalent of someone getting root on your server. You must assume that your democracy/server will remain compromised until you do a ground-up reinstall / have a revolution. It is extremely difficult to unpick such a compromise piece by piece.
This is why it is so essential to ensure that it does not happen in the first place.
Ian.
On 3 Mar 2004 at 10:01, Ian Clarke wrote:
| Voting is not like a bank vault where if you break it you win
| outright - at best, you get four years or so of power.
Dangerously optimistic. If someone has the capability to rig an election before they get into office, then they will definitely be able to rig it again once they are in office, and each time they do, it will be exponentially more difficult to undo.
Only if the population is not being vigilant. You, like most people, view well written laws and well designed systems as central to a healthy democracy.
The reality is anything but. Zimbabwe has as modern a constitution, legal system and voting process as anyone yet we have seen it spectacularly subverted in recent years. The US is still widely considered the leader of the free world yet in recent years secret police have vanished over 1500 people (that we know of) in the middle of the night and its constitution has been blatantly ignored with much of the recent legislation.
A democracy lives through its people - it is very hard to force a population who want to be democratic to not be so as we saw in Eastern Europe. No special laws were required for this - it spontaneously emerged.
Well written laws, a questioning media and an independent judicial system are all important planks for maintaining *stability* in a democracy. But to even for a moment assume that they can protect or enforce democracy is to invite what we are witnessing in the US right now.
Rigging an election is the political equivalent of someone getting root on your server. You must assume that your democracy/server will remain compromised until you do a ground-up reinstall / have a revolution. It is extremely difficult to unpick such a compromise piece by piece.
If you had installed an OS like KeyKOS or EROS compromises are inherently limited. Lesson: Unix is inherently insecure.
This is why it is so essential to ensure that it does not happen in the first place.
Do you know that statistically the safer a car is, the more people die in car accidents?
Cheers, Niall
On Wed, Mar 03, 2004 at 03:28:52AM -0000, Niall Douglas wrote:
Fair enough. I assumed they'd be more expensive. Still doesn't change the fact that when you look at the circuit board all you can see is a plastic package and that there's no non-destructive way of finding out if you've really, really got a genuine xyz military hardened processor or just something pretending to be one.
x86 processors are /vastly/ more complex than they need to be because of the legacy requirements. Really they're a RISC CPU nowadays with a translation front-end converting the x86 into RISC ops. However that said, there is a huge scale of economy in x86 chips only ARM could probably come close to - hence me suggesting the Atmel.
Thank you, I know what modern x86s do and why they're cheap, hence my impression that it would be cheaper than a specialised processor.
Again, it doesn't matter in the slightest whether the chip is hardened or commodity, cheap or expensive or anything else, it will still be easy to replace it with a rigged look-a-like.
I think you're thinking too much in how it could be compromised on a technical level whilst ignoring the feedback effects of a compromise. Voting is not like a bank vault where if you break it you win outright - at best, you get four years or so of power. In reality, many factors can play to make your term much shorter and certainly if it emerged that an election was tampered with, any sitting government would have to call another election. The media simply wouldn't permit otherwise.
If you look at the US 2000 presidential elections which were almost certainly rigged, nevertheless Congress allocated quite a lot of money to replace the voting equipment despite the major spending cutbacks of the Bush administration. Unfortunately that's gone on Diebold voting machines which make the Irish voting machines look fantastic, but it's a good example of the feedback system working.
This current government has a slim majority and they have gutted the Freedom of Information Act despite public and media outcry. They are probably about to pass fundamentally change our voting system a completely united opposition and massive media and public discomfort. Once you have a majority in the Dail you can do what you like as long as it's constitutional and in 5 years that covers a hell of a lot of bad stuff. There is no "congress" which will come to the rescue. The closest thing is the Seanad which can only delay legislation, it cannot stop it.
You've gone way outside the requirements for a voting machine here. I agree with you that a practically tamper proof machine is possible, however we are talking about machines which will spend 364 days a year switched off in a warehouse in the back of beyond and then they'll spend a full day in an unfriendly environment being used in private by punters.
What's important is not that the machines are tamper proof - it's that they're *fairly* tamper proof, enough that people trust them and the process. If they emerge to not be so (and there's plenty of journalists sniffing around here never mind whistleblowers), there will be substantial feedback from the public to improve the system. Which means politicians get to give more wads of cash to their friends and thus everyone is happy.
"Fairly" is not enough. The stakes are very high, high enough that someone could decide to invest quite a chunk of money into winning. Finding tampering after the fact is a disaster, it's possible that laws would be unmade, tax "uncollected" and criminals "unconvicted" and it totally undermines the credibility of any future system.
There is only 1 improvement needed and it makes tamper proofing, open source and everything else nice to have but not essential. Add paper. Once you have paper, it doesn't matter how badly the machines perform whether through tampering or through other errors the paper will not change. Paper is not perfect of course but it's a hell of a lot harder to fiddle and the attacks are well known and well understood by the people who are keeping guard.
Everything else is doing things the hard way.
One problem is that it greatly complicates vote storage and anonymity. I can't see it ever being accepted because most people want to know that when they cast their vote it's done and nothing can undo it.
I did say peer to peer and distributed - therefore there is no central server apart from the trust delegator (which says which phones can vote and which can't). Anonymity is easy to implement in a massively distributed system. And what I really like about such a system is that anyone can ask their mobile what votes were cast for the country and get precisely the same figures as the TV or anyone else gets - obviously if they don't, one can kick up a fuss. My mobile is equal to Bertie's mobile in every way in such a configuration.
I don't see how distributed and peer to peer makes vote revocation and recasting any easier. If anything it makes it harder because you could have multiple copies of both your new and your old vote(s) floating around the system.
The requirements for voting are unusual. In this system you must retain anonymity without allowing multiple voting which is quite different to Freenet for example. In the system you favour, you must combine anonymity with the ability to cancel your old vote and vote again. Also, anonymity and audit trails do not go well together.
While it may be theoretically possible to design this system correctly, it would be complex, it would still require that you trust the central server (which could wrongly deny you your right to vote or could be DOSed) and most importantly, it would be totally incomprehensible to the vast majority of voters, including many IT professionals,
F
On 3 Mar 2004 at 10:49, Fergal Daly wrote:
x86 processors are /vastly/ more complex than they need to be because of the legacy requirements. Really they're a RISC CPU nowadays with a translation front-end converting the x86 into RISC ops. However that said, there is a huge scale of economy in x86 chips only ARM could probably come close to - hence me suggesting the Atmel.
Thank you, I know what modern x86s do and why they're cheap, hence my impression that it would be cheaper than a specialised processor.
Sorry, I didn't mean to sound condescending - I merely meant to say that military CPU's are cheaper because they're much simpler than x86 CPU's.
Again, it doesn't matter in the slightest whether the chip is hardened or commodity, cheap or expensive or anything else, it will still be easy to replace it with a rigged look-a-like.
I'd like to see anyone design a CPU which can recognise when the software running on it is tallying votes and adjust them appropriately.
This current government has a slim majority and they have gutted the Freedom of Information Act despite public and media outcry. They are probably about to pass fundamentally change our voting system a completely united opposition and massive media and public discomfort. Once you have a majority in the Dail you can do what you like as long as it's constitutional and in 5 years that covers a hell of a lot of bad stuff. There is no "congress" which will come to the rescue. The closest thing is the Seanad which can only delay legislation, it cannot stop it.
Well, that's what governments do - get into power, spread government cash among their friends and change the system to ensure they stay in power. What else did you expect? The system has been identical for over 2000 years!
This is why I like rainbow coalitions - the more they hate each other, the less chance of corruption. Unfortunately they're not very efficient :(
"Fairly" is not enough. The stakes are very high, high enough that someone could decide to invest quite a chunk of money into winning.
Really? And you honestly believe elections aren't already bought?
Finding tampering after the fact is a disaster, it's possible that laws would be unmade, tax "uncollected" and criminals "unconvicted" and it totally undermines the credibility of any future system.
Certainly not, that would undermine public confidence and besides, I know of no government that wasn't extremely keen to enact more laws, collect more taxes and lock up more criminals. The principal purpose of government is to create more need for government.
There is only 1 improvement needed and it makes tamper proofing, open source and everything else nice to have but not essential. Add paper. Once you have paper, it doesn't matter how badly the machines perform whether through tampering or through other errors the paper will not change. Paper is not perfect of course but it's a hell of a lot harder to fiddle and the attacks are well known and well understood by the people who are keeping guard.
When you have lots of people in a system, you get the best chance for whistleblowing. An automated system will not flag abuse except in very obvious easily circumvented ways.
Therefore the least corruptible voting system is one with the least machines in it. Paper trails help, but it's the people who really count.
I don't see how distributed and peer to peer makes vote revocation and recasting any easier. If anything it makes it harder because you could have multiple copies of both your new and your old vote(s) floating around the system.
You need to look into how capabilities are revoked in a capability system. Obviously there must be a closing time after which votes cannot be changed - after that the network propagates changes until all nodes are in homeostasis which couldn't take more than an hour for a population of 4 million. Until that final point your mobile merely reports the (inaccurate) state of the voting so far, thus enabling people to recast their vote based on who's winning or losing. I think this system would improve on PR substantially.
The requirements for voting are unusual. In this system you must retain anonymity without allowing multiple voting which is quite different to Freenet for example. In the system you favour, you must combine anonymity with the ability to cancel your old vote and vote again. Also, anonymity and audit trails do not go well together.
I see no problem. The technology required is similar for anonymous p2p systems whereby your encrypted vote travels randomly along a random set of other nodes similarly to anonymous remailers. Backtracing that vote wouldn't be impossible, but it would be extremely hard - harder than installing a spycam into a voting booth.
In terms of auditing, your mobile knows your vote and so can ask other nodes for what they think your vote is. Your mobile possesses the only key to read that vote, thus ensuring anonymity. An alternative method could be a Kohonen style neural network which by its regularity indicates the quality of the network.
While you can't guarantee your vote was cast correctly in such a system, you can to a better percentile than the current manual system loses votes. This is good enough being an improvement and all.
While it may be theoretically possible to design this system correctly, it would be complex, it would still require that you trust the central server (which could wrongly deny you your right to vote or could be DOSed) and most importantly, it would be totally incomprehensible to the vast majority of voters, including many IT professionals,
The voter merely need navigate a menu and choose their candidate. They can also check a real time graph of the current voting results. I can't see this being incomprehensible for anyone able to use a mobile phone.
I admit that there is no current system implementing such an idea but from what I know of ancillary technologies, it is feasible. We do need mobile phones to be considerably better number crunchers than at present plus the government would have to buy the bandwidth off the operators so it's free for everyone to use. But I bet it'd be vastly cheaper than current election costs and besides, I really think people will like the immediacy of it.
Cheers, Niall
On Thu, Mar 04, 2004 at 01:14:38AM -0000, Niall Douglas wrote:
Again, it doesn't matter in the slightest whether the chip is hardened or commodity, cheap or expensive or anything else, it will still be easy to replace it with a rigged look-a-like.
I'd like to see anyone design a CPU which can recognise when the software running on it is tallying votes and adjust them appropriately.
It's much easier than that, a very simple RF signal would do the trick or perhaps a timer or a specific sequence of instructions or a sequence of data values in some register (corresponding to a specific set of voting preferences).
"Fairly" is not enough. The stakes are very high, high enough that someone could decide to invest quite a chunk of money into winning.
Really? And you honestly believe elections aren't already bought?
Depends on what you mean by bought. If you mean bribed and tampered then, I don't believe that. If you mean the biggest advertiser wins then there is some truth to that but there are issues that no amount of spending will buy a vote for.
Finding tampering after the fact is a disaster, it's possible that laws would be unmade, tax "uncollected" and criminals "unconvicted" and it totally undermines the credibility of any future system.
Certainly not, that would undermine public confidence and besides, I know of no government that wasn't extremely keen to enact more laws, collect more taxes and lock up more criminals. The principal purpose of government is to create more need for government.
If a government is found to have been illegally elected then any laws it passed would well be invalid. I wasn't suggesting that the incoming government would choose to unconvict criminals and unmake laws. They may have no choice. If I'm convicted under a law enacted by an illegally elected government then I have a very good case for being freed.
In fact, this is the reason the president has the power to refer a law to the supreme court before it is enacted. If it is found to be constitutional at that stage then it can never be challenged afterwards. This has been done before, by DeValera and one other president I think (there was an article in the Times a few days ago about it). He rightly pissed off the government by doing this, a FF government who couldn't believe that Dev was doing this to his own party. He did it because the laws were so important that if they were overturned later it would be disastrous.
Apparently there's a good chance our President will do this with the evoting law for exactly this reason.
When you have lots of people in a system, you get the best chance for whistleblowing. An automated system will not flag abuse except in very obvious easily circumvented ways.
Therefore the least corruptible voting system is one with the least machines in it. Paper trails help, but it's the people who really count.
Absolutely. Although I do think machines can help. A scanner in every booth that allows you to check your vote for legibility and unspoiledness is a good machine. No storage, no connections, dirt cheap.
Similar scanners to help the counters might be good also but extensive manual checks should be done too.
I don't see how distributed and peer to peer makes vote revocation and recasting any easier. If anything it makes it harder because you could have multiple copies of both your new and your old vote(s) floating around the system.
You need to look into how capabilities are revoked in a capability system. Obviously there must be a closing time after which votes cannot be changed - after that the network propagates changes until all nodes are in homeostasis which couldn't take more than an hour for a population of 4 million. Until that final point your mobile merely reports the (inaccurate) state of the voting so far, thus enabling people to recast their vote based on who's winning or losing. I think this system would improve on PR substantially.
It's an interesting system but could suffer from an accelerating big crunch as it gets towards closing time as people cast, count, recast and recount more and more frantically towards the end, it also means that everyone is tied up voting all day if things are going to be close.
In terms of auditing, your mobile knows your vote and so can ask other nodes for what they think your vote is. Your mobile possesses the only key to read that vote, thus ensuring anonymity. An alternative method could be a kohonen style neural network which by its regularity indicates the quality of the network.
While you can't guarantee your vote was cast correctly in such a system, you can to a better percentile than the current manual system loses votes. This is good enough being an improvement and all.
I don't have figures on it but the number of lost votes has not been raised as an issue here.
While it may be theoretically possible to design this system correctly, it would be complex, it would still require that you trust the central server (which could wrongly deny you your right to vote or could be DOSed) and most importantly, it would be totally incomprehensible to the vast majority of voters, including many IT professionals.
The voter merely need navigate a menu and choose their candidate. They can also check a real time graph of the current voting results. I can't see this being incomprehensible for anyone able to use a mobile phone.
I didn't mean the interface, I'm talking about the fact that no one will actually understand what's going on behind the scenes. The current paper system is absolutely transparent. Anyone can watch any part of it, that is why people trust it. A system which seems to magically produce the result, no matter how fair it actually is, is a big step backwards in my view.
F
On 4 Mar 2004 at 10:54, Fergal Daly wrote:
I'd like to see anyone design a CPU which can recognise when the software running on it is tallying votes and adjust them appropriately.
It's much easier than that, a very simple RF signal would do the trick or perhaps a timer or a specific sequence of instructions or a sequence of data values in some register (corresponding to a specific set of voting preferences).
Defensively written software easily flags up such corruption. Really, I think you're placing undue emphasis on a method of vote rigging when easier, less costly ways are available.
Really? And you honestly believe elections aren't already bought?
Depends on what you mean by bought. If you mean bribed and tampered then, I don't believe that. If you mean the biggest advertiser wins then there is some truth to that but there are issues that no amount of spending will buy a vote for.
That would depend on how you spend the money. Do you think Berlusconi could have got elected without his media empire? Why is it that more viewers of FOX in the US voted for Bush, support the Iraq war and believe crime is higher than it is than viewers of any other news service?
If a government is found to have been illegally elected then any laws it passed would well be invalid. I wasn't suggesting that the incoming government would choose to unconvict criminals and unmake laws. They may have no choice. If I'm convicted under a law enacted by an illegally elected government then I have a very good case for being freed.
Hmm, a peculiar artifact of our system.
I didn't mean the interface, I'm talking about the fact that no one will actually understand what's going on behind the scenes. The current paper system is absolutely transparent. Anyone can watch any part of it, that is why people trust it. A system which seems to magically produce the result, no matter how fair it actually is, is a big step backwards in my view.
The thing is, most things in life appear to work magically to most people. So long as they work consistent with what they expect, i.e. are fair, trust builds irrespective of transparency - for example, most people have never seen the inside of a court but do trust the judicial system. For those who are more interested in the detail, if they investigate the mathematical properties of such a system and review the software themselves, they'll find it works as expected. Needless to say, anyone should be able to crack open the copy of the evoting software on their mobile and see if it's what they expect it to be.
What I'm trying really to say is that trust is more often delegated than built - if various key people endorse a system, most people will believe them without ever investigating the system for themselves. This is why after all people sell stuff through getting sports heroes to endorse products.
Cheers, Niall