[EM] 3ballot - revolutionary new protocol for secure secret ballot elections
Dave Ketchum
davek at clarityconnect.com
Fri Oct 13 19:30:54 PDT 2006
On Fri, 13 Oct 2006 18:28:18 +0300 Juho wrote:
> On Oct 9, 2006, at 1:15 , Dave Ketchum wrote:
>
>
>>Is 3ballot worth the pain?
>
>
> I think Rivest proved the concept to work. He obviously also tried to
> make the method as usable as possible. Wether benefits are bigger
> than pain may depend on where the system is used. In countries with
> no tradition of foul play there may be no need to use it. But in
> countries where foul play is common in the counting process the
> benefits could be sufficient.
>
> It is also possible to simplify the method (trade out some unneeded
> features). See one method at the end of the mail.
>
>
>>Does it REALLY provide the claimed service?
>
>
> Yes, I think so. Usability might be questionable like you pointed
> out. Some risks remain like malicious software, when compared to
> traditional paper based methods, but I didn't see any major holes in
> the method.
Attending to "malicious software" should be a TOP PRIORITY regardless of
method!
>
>
>>Does it complicate the voters' lives?
>
>
> In its original form, yes. Increased trust on the method might
> compensate some of the pain.
>
>
>>Is it compatible with Condorcet? I remain a backer for Condorcet's
>>combining capability with tolerable complexity.
>
>
> I think yes, but unfortunately it is more difficult to serve
> Condorcet than e.g. plurality (one has to trade a bit with complexity
> and/or privacy since the Condorcet ballot format is not as easy to
> split in separate votes).
>
The voter does equivalent of ranking each candidate. Counter counts =/>/<
rank between each two candidates 1/3/6/10 pairs for 2 to 5 candidates.
Voter thinking plurality could be recorded as a special case.
Else best I can see right now is a vote for each > or < pair - a LOT
of records if many candidates - but no records for = whether reason is
same voter rank or voter ranked neither.
>
>>Is it worth bothering with without demanding a TRUE voting machine
>>for its
>>installation? ABSOLUTELY NOT, for there are too many ways to
>>falsify the
>>counting!
>
>
> I think Rivest managed to keep the voting machine quite simple, which
> reduces the risk. But whenever there are machines involved one needs
> to be very careful. I favour manual methods in most cases (Rivest
> said so too) but if machines clearly bring benefits, then they must
> be ok.
>
I stay with Condorcet for letting voters state preferences more
completely, yet easily, than with Plurality or Approval. But counting
such manually AND correctly is a challenge.
>
>>Given a TRUE voting machine, why add 3ballot? ZERO value in this
>>effort.
>
>
> I think ThreeBallot does good job in defending against foul play in
> the vote counting process. I don't know what you exactly mean with a
> TRUE voting machine but maybe any kind of machines could be improved.
> The voting machines could be thoroughly and neutrally tested and
> sealed and be based on open source code. If they collect all the
> results in electronic format they could be connected to Internet and
> memory sticks immediately after the voting ends and results would be
> public after that. Hard drives and/or memory could be destroyed if
> needed. Paper trail is still possible also in the machine based
> scenarios.
>
I question whether 3ballot helps the counting process, It complicates
counting, making more room for those inclined to do evil.
Open source should be classified as ESSENTIAL, but even with this it takes
time and skill to look for evil.
DO NOT GO NEAR the internet, other than reporting final results after
polls close and making them public locally - there is too little value,
but too many ways to do evil.
I am against destroying any kind of memory:
There should be nothing there that needs privacy.
Could be data evil ones wish destroyed.
I do not object to paper trail for those willing to pay that bill, but
strongly suspect such would not prevent evil activity.
>
>>ps, As to privacy, I read of video-camera phones. Their usage has
>>to be
>>tricky - can they verify a voter's actual vote as such without voting
>>machine operation being set up compatible with such?
>
>
> Yes, video cameras are a relevant threat. Vote buying and coercion
> can be implemented with them. Additional defences against these
> should take into account also the existence of the video camera and
> still camera threat. One simple way to defend against video cameras
> is btw to ban them and make voters aware of this. At least the voter
> could tell to the coercer that she could not record the voting event
> since she was not allowed to. One could put the voting machines in a
> place where others can see the voter but not how she votes.
>
>
>>ps, quoting: "I doubt there is a voting system in existence that is
>>immune from enough vote verification to support vote buying or
>>coercion"
>> The lever machines I have been voting on all my life are
>>immune, for
>>they keep NONE of the records of interest.
>
>
> I don't know what kind of machines you have used but I have a feeling
> that also they might be vulnerable to recording the whole voting
> event with a video camera.
>
I was not thinking of video when I wrote the above. With skill a record
could be doable while recording that the vote was cast next, without
moving the levers during the recording. I was thinking of the fact that
the old lever machines have no record as to what any one voter does.
>
> Some more words about the complexity of the method. I'll give one
> example of an alternative and simpler method. How do you evaluate the
> usability/complexity of this method?
> - the voting machine puts one copy of each ballot in one basket and
> several receipt copies of it in another basket
> - we may have several ballots per voter if we use ThreeBallot
> style ballots (receipt copies could be made of all of them)
> - or alternatively only one if that is secure enough (could suit
> your needs)
> - it is also possible that the voter gives only her opinion to
> the machine and the machine then generates more complex ballots
> (three or maybe broken into separate "rows")
> (also Condorcet based votes could be split this way)
> - the voting machine has no memory
> - the first basket contains the results of the election
> - the second basket is used for distributing receipts
> - the receipts will be distributed to interested people, limited
> number of random receipts to each of them
> - there are several copies of the receipts and limitations in
> the distribution to defend against receipt holders using them
> maliciously
> - the distribution may start right after the election is closed, or
> when the basket contains many enough ballots to protect privacy
>
> At least in basic plurality voting this method may be considerably
> simpler than the one that Rivest described (numbers based ballots
> with negative votes, as discussed by Warren Smith and Michael Rouse
> on this list).
>
> Distributing personal receipts is also possible but maybe not done if
> simplicity is what we seek.
>
> I assumed that the machine had no memory. If it had, I'd recommend
> full publicity of the right after the voting closes.
>
> Any chances of making the "receipt style" methods simple enough for you?
Would take a lot of thought as to how they offer value without destroying
privacy, and do something good about evil doers.
>
> Juho Laatu
--
davek at clarityconnect.com people.clarityconnect.com/webpages3/davek
Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026
Do to no one what you would not want done to you.
If you want peace, work for justice.
More information about the Election-Methods
mailing list