[EM] Why We Shouldn't Count Votes with Machines

Mike Frank michael.patrick.frank at gmail.com
Sat Oct 4 08:45:33 PDT 2008


Kathy Dopp wrote:

> In fact there has never been even a theoretical design for an
> electronic voting system or even electronic paper ballot vote counting
> system that does not have known security leaks.

In my design, whether or not there are security holes in the vote-counting
system itself, the certificates that it produces cannot feasibly be forged
without first solving mathematical problems that have never yet been
solved despite extreme efforts by many very smart people (namely, finding
an efficient way to invert one-way functions).  So in this way, the possibility
of leaks can be rendered irrelevant, in the sense that if the security of the
system was compromised, the election outcome could still not be affected
substantially, without the forgeries being easily detected by many parties.

> In fact some computer scientists just recently mathematically PROVED
> that it is impossible to even verify that the certified software is
> actually running on a voting machine.

Can you give me the reference to that?  I'd like to take a look at their
assumptions.

Although that theorem may be true in some technical sense, it seems to me
that voters who are sufficiently paranoid ought still to be able to convince
themselves to their satisfaction of the validity of the certificates they
receive from the system.  They could use several independent computers or
services to verify the certificate.  They could write the validation software
themselves and run it on a computer fresh from the factory that has never been
exposed to a possible source of viruses.  Or on several computers from
independent companies.  Or if nothing else, a sufficiently intelligent and
determined voter can always carry out the mathematical checks by hand.

The fact that there will be a few people who are both intelligent enough and
paranoid enough to do these checks should give the rest of the voters a
high level of confidence that there is not any widespread miscounting going
on (else it would have been noticed by these people).

The opposite problem, that a few voters could accuse the electronic system
of a misreading of their ballot that didn't actually occur, in order to
undermine the system's credibility (motivated possibly because these people
found it easier to stuff ballot boxes themselves in a paper system) is more
difficult to solve.  But one approach would be to require that physical
evidence be provided to support such claims.

For example, organizations concerned about possible miscounting could
test the accuracy of the system themselves by sending "test voters" into
public polling places; these voters could carry with them hidden video
cameras recording the entire process of entering their vote into the system.

Then later, if the certificate generated by the system for that voter did not
match the video showing the ballot selections that were actually entered, the
organization could produce the certificate and the video, and together that
could be considered to be unimpeachable physical evidence that some
miscounting really had occurred somewhere in the system.

If many organizations try to perform such checks, and are unable to produce
any such physical evidence of ballot misreading, and all voters who verify
their certificates (using multiple verification tools) find them to be valid,
it should be possible to generate a high level of confidence in the overall
system.

No system is perfectly secure (even paper balloting) and so the goal is just
to make fraud and miscounting more difficult than it is presently.  I believe
this is possible to do electronically, given the right system design.

I'll post a white paper describing my system in a later message.

-Mike
--
Dr. Michael P. Frank, Ph.D. (MIT '99)
820 Hillcrest Ave., Quincy FL  32351-1618
email: michael.patrick.frank at gmail.com
cell: (850) 597-2046, fax/tel: (850) 627-6585
