E-Voting System

Red Alert

The e-vote system now has been 'sort of' certified. The hardware is physically secure but the software appears to be dud.

These machines are like a cash-register or x-ray machine in nature, it's not a case of ripping out the software and replacing it with a drop-in replacement. The hardware is undocumented outside of the Nedap corporation for proprietary reasons. Bertie is foolish to believe that this is possible and sadly with the limited technical knowledge of much of the electorate means that he will succeed in promoting this belief.

This has shades of the Leyland double-deckers which CIE spent wagon loads of money on fixing by replacing engines, often from new. CIE and the government eventually had to start the Bombardier Project to deal with the issue.

The machines themselves are programmed in C, fair enough, a lot of embedded stuff is. However the count PC is a windows-based job running a Delphi program - not suitable at all! The source code is closed and known only to Nedap.

Do you think it will appear in the next or subsequent election? Should we try and fix it or implement a new system?

I would personally favour the latter, and send the current machines to Bob Mugabe or similar, where the result does not matter. An open source alternative system should be developed with source code that any voter can download and peruse from the web.

EDIT: My sources for any info is the currently running 5-7 live programme.

lostexpectation

well if they are not going to be used for the next election what other vote will they try to reintroduce it on?

I guess they will 'test' the system in the general elction next yr again.

I guess the local elections will be in 2009?

have they renewed the contract with the same people, its hard to lobby for opensource when there no election looming that it will be used in.

and by then we'll have our on HAVA

Red Alert

They will have to keep the FF-supporting lock-up owners in the standard to which they're accustomed for another while.

I'd bet if FF get in again after the general election they'll slip them in for the next round of local elections.

Ruu_Old

I started the thread below not long ago, after I spotted it on rte.ie. Reports back the use of e-voting machines

DublinWriter

Red Alert wrote:

The machines themselves are programmed in C, fair enough, a lot of embedded stuff is. However the count PC is a windows-based job running a Delphi program - not suitable at all! The source code is closed and known only to Nedap.

Excuse me, but do you really have a clue about Delphi?

Secondly, do you know most modern ATMs are actually "dressed up" Windows 2000 Workstations?

It would have been an even worse situation if those voting machines were running embedded firmware in terms of transparency.

I do agree about the lack of availability to the source-code. That's absolute nutz, especially for a function so important as democracy.

Even in a situation were such software is not 'Open Source' , there should still be an Escrow agreement in place allowing for the disclosure of the source code in a audit situation.

Scarier still was the revelation that the results were basically written out unencrypted from voting booths onto CD and physically brought to the count centre. No encryption, no digital signing...madness.

Hotblack Desiato

What's wrong with paper voting anyway?

oscarBravo

Very little.

Bards

ninja900 wrote:

What's wrong with paper voting anyway?

Disabled, Older, those living away from home are unable to vote using the paper method. Hopefully some day we will see not only e-voting replacing the paper system but using E-voting to its fullist potential allowing those who are not able to make it to polling stations vote electronically over the Internet.

People trtansfer funds from bank accounts over the Internet everyday of the week so it should be possible to code a secure enough system. Maybe assigning everyone a Pin code like how the Motor Tax renewal system works.

Just a thought

bonkey

Its not cool and trendy enough for the governments who want to show they're embracing mo-duh-rn technology.

jc

oscarBravo

Bards wrote:

Disabled, Older, those living away from home are unable to vote using the paper method.

Equally true of the proposed electronic system.

Bards wrote:

Hopefully some day we will see not only e-voting replacing the paper system but using E-voting to its fullist potential allowing those who are not able to make it to polling stations vote electronically over the Internet.

Ye gods, we can only hope not.

Bards wrote:

People trtansfer funds from bank accounts over the Internet everyday of the week so it should be possible to code a secure enough system. Maybe assigning everyone a Pin code like how the Motor Tax renewal system works.

This is a misunderstanding worthy of Martin Cullen himself.

How do you propose to secure such a system from voter intimidation/vote buying? How, in other words, do you guarantee a secret ballot?

Red Alert

Sorry, to the above poster I do indeed have a clue about delphi and ATM machines as i'm practically expert in C, Perl, PHP, Delphi and Visual Basic. And yes BOI's machines amongst others are dressed up 2000 machines (not AIB's).

The trouble with online voting is that your employer/mammy/daddy/cat could exert undue influence on you to vote in a specific way. The polling & personation officers at the polling station ensures that nobody votes as you and that nobody sees your vote.

Bards

oscarBravo wrote:

Equally true of the proposed electronic system. Ye gods, we can only hope not. This is a misunderstanding worthy of Martin Cullen himself.

How do you propose to secure such a system from voter intimidation/vote buying? How, in other words, do you guarantee a secret ballot?

Very same way I transfer funds between bank accounts from home. No intimidation there. More chance of intimidation from polstres up the strret from polling stations.

As far as I am aware my own house has enough privacy.

Even in the paper based system You can get intimidation... Sinn Fein driving people to Polling stations is intimidation/vore buyinig in my mind

Bards

Red Alert wrote:

Sorry, to the above poster I do indeed have a clue about delphi and ATM machines as i'm practically expert in C, Perl, PHP, Delphi and Visual Basic. And yes BOI's machines amongst others are dressed up 2000 machines (not AIB's).

The trouble with online voting is that your employer/mammy/daddy/cat could exert undue influence on you to vote in a specific way. The polling & personation officers at the polling station ensures that nobody votes as you and that nobody sees your vote.

And party political broadcasts/advertisments/media campaigns don't have an influence.

Get Real.. we are influenced by these things every day in our lives except we just don't realise it

Red Alert

And therefore for a reason there's limits on what sort of polling, canvassing, postering etc can be done within and near to a polling station.

Take an elderly person for example who is completely dependent on his/her family to support them so they can live independently. If it was done online they could be coerced by overzealous family members who would offer to do it for them.

Bards

Or by Sinn Fein who offers to drive them to the polling station... .

We are being brainwashed by the media every day. how many people here are convinced E-Voting Was Martin Cullen's Idea.

Well they would all be wrong. Mr Noel Dempsey Introduces E-Voting when he was Minister for the Environment and was used successfully in two elections

Back on topic... On-Line is only an extra option for those who are actually able to use the Internet and who cannot make it to a Polling station

gandalf

To the best of my knowledge some of these systems are indeed based on PC's. Given they have been in storage now for around 2 years and the normal corporate lifespan of a PC is 2 years and the normal warranty on the systems that are used for this contract is 3 years they are about to start costing us a hell of alot more for maintenance. I mean by the time they are used the OS may not be even supported by MS.

E-Voting itself if impliemented properly is a step forward. Having a closed system like this with no tracking is where this has failed totally and shows what a bunch of incompetents this current bunch are.

oscarBravo

Bards wrote:

Very same way I transfer funds between bank accounts from home. No intimidation there. More chance of intimidation from polstres up the strret from polling stations.

As far as I am aware my own house has enough privacy.

Riight. So, because you've never been intimidated into transferring money from your bank account against your will, that's a cast-iron guarantee that no-one else could ever be intimidated or coerced into voting a particular way in their own home? Or, indeed, that they were in the comfort and safety of their own home when they voted?

Bards wrote:

Even in the paper based system You can get intimidation... Sinn Fein driving people to Polling stations is intimidation/vore buyinig in my mind

Here's the point you're missing: even if the local mobsters picked me up in my house and pointed a gun at my head in the back of the car all the way to the polling station, and threatened me with all sorts of recriminations if I didn't vote for
the "right" candidate - I can still cast my vote in perfect secrecy with our current system, and they're none the wiser.

Do you honestly think that can ever be guaranteed with remote voting?

oscarBravo

Bards wrote:

And party political broadcasts/advertisments/media campaigns don't have an influence.

Get Real.. we are influenced by these things every day in our lives except we just don't realise it

I realise it. I take it into account when weighing up the pros and cons of the various candidates. I try to vote in the way that I think is best.

That's a little harder to do when someone's watching you vote, and threatening you with physical violence if you don't do it "right".

oscarBravo

Bards wrote:

[e-voting] was used successfully in two elections

How do you know? How does anyone know? Weren't there questions about the total number of votes counted versus the number of votes cast?

yomchi

Bards wrote:

Very same way I transfer funds between bank accounts from home. No intimidation there. More chance of intimidation from polstres up the strret from polling stations.

As far as I am aware my own house has enough privacy.

Even in the paper based system You can get intimidation... Sinn Fein driving people to Polling stations is intimidation/vore buyinig in my mind

My good man, the driving of people to polling booths is a common practice by ALL political parties. Its part of the polling day operation that is established through the use of each parties registered voters, thats the logic behind tactical canvassing.
Why would you find your friends and neighbours being drivin to polling booths intimidating?

On another note, I believe the E voting will be another disaster. Is it true that it will elimate the transfer votes?

Crash

Just out of interest - you mentioned the hardware is undocumented - absolutely nothing has been found out about them? just wondering cus it would interest me to find out what kind of architecture these machines run on - if anyone came across anything it'd be great - thanks!

bonkey

oscarBravo wrote:

Do you honestly think that can ever be guaranteed with remote voting?

Questions like that always remind me of the horrors people predicted would follow the use of "weak" encryption for HTTPS, in terms of CC transactions etc. not being safe.

The banks, predictably, took a different approach - they asked themselves if, on balance, the resultant system was more or less prone to abuse than high-street and/or phone-based transactions. Conclusion: it was less prone to abuse.

Can remote-voting be 100% secure? No, it can't. But thats not the real question. The real question is whether or not remote voting can provide an acceptably secure and functional system, which - on balance - is not statistically likely to produce a significantly different result.

The thought of organised "holding of guns to heads" is simply untenable, so at most we're talking about there being isolated cases. Sure, mom and pop can "convince" granny or junior to vote for their party of choice, but y'know what...thats not likely to actually benefit any single party. Its as likely to happen to FF as it is the PDs as it is the Greens or anyone else. Over a large-enough sample-space, it should balance out.

secondly, lets not be under any illusion that our paper-based system is proofed against all abuse. "Vote early and often" is not something thats just a joke. The graveyard vote also exists. Do we lose sleep over these things? Do we fear that our world will come crashing down because there are imperfections in our system? Do we see people arguing as vociferously about the need to reform the known flaws as against new systems which have potential small-scale flaws we can blow out of proportion?

Or what about the postal votes currently in Ireland? The old, the disabled, those in full-time education....all may be eligible for a postal vote. Whats to stop these votes being corrupted? Why don't we get up in arms and protest that the postal vote must stop now if these are genuine fears?

Indeed, if I wanted to force young Johnny to vote a certain way today, I'd make use of the fact that although no-one can hold a gun to his head whle he votes, they can hold a gun to his (or someone else's) head before and afterwards until and unless he provides proof (a phone-camera comes in handy here) that he voted a certain way.

Jon wrote:

On another note, I believe the E voting will be another disaster. Is it true that it will elimate the transfer votes?

I'm constantly amazed at how people can admit to an ignorance of what is being proposed and a simultaneous belief that they know enough to be able to predict its failure.

Macy

E voting is dead and buried for a while because the electorate have no confidence in it anymore, and rightly given the lack of control in the proposed system.

Cullen takes the blame, as he signed the contracts despite all the questions/issues that were raised before he did, that are also flagged in this report. I don't think alot of us that are opposed to the proposed system aren't opposed to e-voting in general (although the this debacle makes me more sceptical). How Cullen keeps his job is beyond me, but I've been told that FF have no one else from the South East to replace him hence he stays :rolleyes:

I also think it was bizarre that the proposed electronic voting didn't make transfers proportional, but that's kinda irrelevant given the wider issues of this.

Red Alert

the machines themselves i don't think are PC's, they resemble the sort of POS terminal that Penney's or many restaurants use, not quite dumb but not quite a PC. it's also questionable as to whether any part of the system should be running a Microsoft (or uncertified, sealed and audited Linux) operating system.

Martin Cullen has rightly taken a lot of the flak for this system. Aside from whoever introduced it, he has been its main proponent and backer all along since he took over. E-Votinng is now dead in the water - which is a bad thing.

I support the idea of e-voting but not the use of this Nedap system. There is enough expertise in this country to develop a simple, functional and secure system (in the words of Theo deRaadt). It should be made using minimal code and a text-only display, making the code exceptionally easy to read. It must be open source and the code downloadable WITH EXPLANATIONS so a non-programmer could follow exactly what's going on.

Bards

bonkey wrote:

Questions like that always remind me of the horrors people predicted would follow the use of "weak" encryption for HTTPS, in terms of CC transactions etc. not being safe.

The banks, predictably, took a different approach - they asked themselves if, on balance, the resultant system was more or less prone to abuse than high-street and/or phone-based transactions. Conclusion: it was less prone to abuse.

Can remote-voting be 100% secure? No, it can't. But thats not the real question. The real question is whether or not remote voting can provide an acceptably secure and functional system, which - on balance - is not statistically likely to produce a significantly different result.

The thought of organised "holding of guns to heads" is simply untenable, so at most we're talking about there being isolated cases. Sure, mom and pop can "convince" granny or junior to vote for their party of choice, but y'know what...thats not likely to actually benefit any single party. Its as likely to happen to FF as it is the PDs as it is the Greens or anyone else. Over a large-enough sample-space, it should balance out.

secondly, lets not be under any illusion that our paper-based system is proofed against all abuse. "Vote early and often" is not something thats just a joke. The graveyard vote also exists. Do we lose sleep over these things? Do we fear that our world will come crashing down because there are imperfections in our system? Do we see people arguing as vociferously about the need to reform the known flaws as against new systems which have potential small-scale flaws we can blow out of proportion?

Or what about the postal votes currently in Ireland? The old, the disabled, those in full-time education....all may be eligible for a postal vote. Whats to stop these votes being corrupted? Why don't we get up in arms and protest that the postal vote must stop now if these are genuine fears?

Indeed, if I wanted to force young Johnny to vote a certain way today, I'd make use of the fact that although no-one can hold a gun to his head whle he votes, they can hold a gun to his (or someone else's) head before and afterwards until and unless he provides proof (a phone-camera comes in handy here) that he voted a certain way.




I'm constantly amazed at how people can admit to an ignorance of what is being proposed and a simultaneous belief that they know enough to be able to predict its failure.

Couldn't agree with you more

bonkey

Red Alert wrote:

It should be made using minimal code and a text-only display, making the code exceptionally easy to read.

Minimal code sounds nice, but minimal to what extent? You need security, reliability, your basic ACID properties etc.

Minimal, in this case, is going to be pretty damned complex.

As for a text-only display....that doesn't particularly gain you anything in readability. You still need a display-manager to turn your text into on-screen text, and unless you're gonna get down-and-dirty with the code for that, you're no better off trust-wise and not much (if any) better off simplicity-wise.

]It must be open source and the code downloadable WITH EXPLANATIONS so a non-programmer could follow exactly what's going on.

There's absolutely no benefit in the latter part of that, and questionable benefit in open-source compared to peer-reviewed code and/or code which is proprietary but available on demand for review and/or code which is not publically available but which has been reviewed by qualified independant experts.

Ther eason there is no benefit in maknig it accessible for non-programmers is as follows:

1) THe non-programmer does not have the ability to judge whether or not the explanations are an accurate description of what is goign on. Thus, all they have is someone else's word that this is how things work.

This is fundamentally no different to what they have in the absence of these comments - someone else's word.

thus, there is no advantage in shouldering the additional cost of such "dumbing down".

Cardinal

Reading this forum I've been wondering how people feel about e-voting as a concept? If there was a system which was sufficiently secure and transparent how would people feel about using this system as opposed to traditional paper voting methods?

Bards

As a concept I think it is a great idea and brings us into the 21st Century

dahamsta

I think people are getting distracted with this whole arm-twisting sideshow. The real issue with remote voting is that millions of home computers worldwide have trojans installed on them, and probably tens of thousands of those will be Irish. These botnets are controlled by individuals or close-knit groups, and getting in touch with these people and getting their help is not difficult. Even ten thousand machines in Ireland could sway an election; even less could sway a local election.

The computer security environment isn't appropriate for this sort of thing right now, and it won't be for another ten years if Windows Vista is anything to go by (Windows Vista = Wndows XP+1 = Windows 2000+1 = Windows NT+1). Arguing for remote voting is just plain silly in light of that, and a waste of everyone's time. Whether people would have their arms twisted or not is neither here nor there.

adam

oscarBravo

bonkey wrote:

Questions like that always remind me of the horrors people predicted would follow the use of "weak" encryption for HTTPS, in terms of CC transactions etc. not being safe.

The banks, predictably, took a different approach - they asked themselves if, on balance, the resultant system was more or less prone to abuse than high-street and/or phone-based transactions. Conclusion: it was less prone to abuse.

Right, but that's a completely different issue. Yes, there are parallels, but the most important issue - what's actually at stake - is not one of them.

The fundamental difference between electronic voting and electronic pretty-much-anything-else is the absolute requirement for privacy. Whether you're talking about a credit card payment on online banking transaction secured by TLS, you're still looking at a scenario where the potential victim can check a paper trail and become aware of any fraud. Our constitution requires that such not be the case in an election. Therefore the need for secrecy and accuracy at the point of recording the vote is critical.

bonkey wrote:

Can remote-voting be 100% secure? No, it can't. But thats not the real question. The real question is whether or not remote voting can provide an acceptably secure and functional system, which - on balance - is not statistically likely to produce a significantly different result.

That's the question if your only concern is the broad statistical outline of the result. If you're concerned that your vote accurately reflects your intentions, then the question changes.

bonkey wrote:

The thought of organised "holding of guns to heads" is simply untenable, so at most we're talking about there being isolated cases. Sure, mom and pop can "convince" granny or junior to vote for their party of choice, but y'know what...thats not likely to actually benefit any single party. Its as likely to happen to FF as it is the PDs as it is the Greens or anyone else. Over a large-enough sample-space, it should balance out.

I'm not as convinced that large-scale coercion is unlikely, should widespread remote voting become possible. Even leaving that aside for a moment, it's not safe to assume that coercion is zero-sum. The only safe assumption should be that if coercion is possible, it will happen, and that therefore opportunities for coercion should be strictly limited.

bonkey wrote:

secondly, lets not be under any illusion that our paper-based system is proofed against all abuse. "Vote early and often" is not something thats just a joke. The graveyard vote also exists. Do we lose sleep over these things? Do we fear that our world will come crashing down because there are imperfections in our system? Do we see people arguing as vociferously about the need to reform the known flaws as against new systems which have potential small-scale flaws we can blow out of proportion?

I agree completely that our voting system has potential flaws. I would argue that a fraction of the effort and expense that has been put into developing a crap e-voting system could have been used to fix the flaws in the current system.

Most of those flaws are to do with the quality of the electoral register, which the electronic system does nothing to address. In fact, the flaws that exist would be much more open to exploitation should remote voting become a possibility.

bonkey wrote:

Or what about the postal votes currently in Ireland? The old, the disabled, those in full-time education....all may be eligible for a postal vote. Whats to stop these votes being corrupted? Why don't we get up in arms and protest that the postal vote must stop now if these are genuine fears?

I have always had reservations about postal voting, but as I understand it a postal vote is very difficult to get. I wasn't aware that the categories you listed were eligible; I thought that only police and armed forces and certain others could vote by post. I'm open to correction.

bonkey wrote:

Indeed, if I wanted to force young Johnny to vote a certain way today, I'd make use of the fact that although no-one can hold a gun to his head whle he votes, they can hold a gun to his (or someone else's) head before and afterwards until and unless he provides proof (a phone-camera comes in handy here) that he voted a certain way.

A phone-camera is a recent threat model that's been introduced to the security of our existing system. Rather than shrug it off and resignedly accept that voting security is impossible, I'd rather see precautions taken to tackle such threats.

OT: the C S Lewis quote in your sig has been one of my favourites ever since I first read Dawn Treader about 25 years ago.

oscarBravo

Bards wrote:

As a concept I think it is a great idea and brings us into the 21st Century

I've been in the 21st Century for several years now. Where have you been?

Jackie laughlin

There is a tendency to confuse our voting machines with on-line voting. Our machines must rate as one of the most flagrant misuses of public money ever. Had there been no problems whatever with them, they would have produced absolutely nothing. OK, we'd get a fast count! Not only should whoever approved them be sacked but the fool who suggested it should go too.

On-line voting is another matter. In the face on declining voter turnout, it is argued that going on-line will attract younger voters who are among the least likely to vote. There are all sorts of problems - security being the least of them - but it has worked in primaries in the US and in the Baltic.

bonkey

oscarBravo wrote:

The fundamental difference between electronic voting and electronic pretty-much-anything-else is the absolute requirement for privacy.

I disagree.

There is already a postal vote for some people. This means that we already have a system which doesn't meet this absolute requirement you mention. Either its absolute or its not, there's no moddle ground with a term like that.

I live in Switzerland. Here, you are posted your ballot and you can return it by post, by dropping it into a box at the local Gemeinde, or by turning up on the day. They've also experimented with SMS-based voting with apparenly good success (although I'm skeptical of the auditability). Strangely, this disastrous (by your standards) system is often considered to be the heart of the best implementation of democracy going today.

Indeed, if you look around the world, you'll find precious few voting systems which implement this alleged absolute requirement or any other.

Now, this says one of two things to me.

1) Its not an absolute requirement.
2) There isn't a functional democracy on the planet, including the current Irish system. Thus, the need for it to become an absolute requirement is questionable.

And thats all I'm doing. I'm questioning the assertion that the need for total privacy is absolute as opposed to there being a need for sufficient levels of privacy. I believe the reality is that the latter is what is needed, and I haven't heard a compelling argument to show that this fuzzier definition is still unsatisfied.

Our constitution requires that such not be the case in an election.
...
If you're concerned that your vote accurately reflects your intentions, then the question changes.

Please bear in mind that I am not suggesting eVoting (i.e. remote voting) be in any way mandatory, simply optional. Young Johnny can always say "I will go and vote at the voting office" if he's worried about mom pressuring him whilst voting and/or that the system is less than perfect.

Ideally, I'd allow him to vote in both places and ensure the voting-office vote supercedes the online one. Coercion problem solved...unless he's gonna be locked up etc. Course, if someone did that, they can already prevent him voting one way, if not coerce him into voting the other, so its still just a reiteration of an existant problem.

Also, if our constitution requires that you cannot audit your vote, then our constitution requires that it be impossible for you to have 100% faith that your vote was accurately reflected. Either you can track it from start to finish, or you can't. If you can't then you can't have absolute faith that something isn't gone awry...simply reasonably good faith that it is so.
If you can track it, then it would seem that the current system is unconstitutional.

If this level of "reasonably good faith" is acceptable in the current sytem, why is the bar raised to an absolute for any future systems?

The only safe assumption should be that if coercion is possible, it will happen, and that therefore opportunities for coercion should be strictly limited.

But you can't limit them. You can limit one tiny set of conditions, which - in the era of portable cameras - are long obsolete. You can't prove that someone isn't coerced into voting a particular way, and the means for someone to effectively prove how they voted are now utterly commonplace in the form of digital cameras.

A paper vote is no freer from coercion possibility than any other. We just like to consider it so because its comforting.

I agree completely that our voting system has potential flaws.

They're not potential flaws, OB. They're very real and they show beyond question that we are more than willing and able to live with a less-than-perfect system. This, above everything else is what I'm trying to show - that the new system is being held to a standard we don't currently meet and don't (in general) seem to have a problem with not meeting.

Just as JoeQ Public was quite happy to hand his card over to the waiter and have it swiped out of sight, JoeQ Public should have had no problem sending it over the internet in encrypted form. But JoeQ did have a problem, because so many nay-sayers shouted out how unsafe this whole internet doohickey malarkey was. Meanwhile, the waiter down the local restaurant continued to rip him off through a sytem he was perfectly happy with.

Just like with online CC transactions, the critics re: remote voting say "its not perfect" and the implementors respond "neither is what you're already happy to live with so whats your point". What I'm saying is that a lack of perfection is not in and of itself the problem, but rather that one should be able to quantify the risk from a flaw and make an informed decision on it.

Once one accepts that perfection is not a requirement, and accepts that absolute requirements cannot be absolute if their current implementation is flawed, then one can look more objectively at what the real level of quality required is going to be. I'm not saying there are no problems, I'm saying that straightforward imperfection or a failure to meet absolutes is not automatically amongst them.

I have always had reservations about postal voting, but as I understand it a postal vote is very difficult to get.
I wasn't aware that the categories you listed were eligible; I thought that only police and armed forces and certain others could vote by post. I'm open to correction.

I pulled them off oasis.gov.ie after a quick google. Blame them.

Again, though, the question isn't how difficult it is. The point is that the existence of the postal vote at all shows that what you allege to be absolute requirements cannot be absolute.

A phone-camera is a recent threat model that's been introduced to the security of our existing system.

Its not that recent. Its a progression from the film-based camera which predates democracy in our nation. I remember as a kid in the 70s playing with a 110-format of my dads that would fit pretty-much invisibly in a jacket pocket, so anecdotally I can say this is a threat thats been real for at least 30 years.

The real question is: how serious a threat is it? The answer, I would guess, is "almost entirely negligible". I know a guess isn't good enough, but I've seen little if anything better from anyone else. No-one seems interested in quantifying risks, just pointing out that they theoretically exist and that this therefore is enough to disqualify.

Rather than shrug it off and resignedly accept that voting security is impossible, I'd rather see precautions taken to tackle such threats.

I think people should establish them to be threats in the first place. and quantify the risk.
I'm not shrugging anythign off other than untenable demands for perfection. There is, as with everything, a balance to be found. This will be a trade-off of ensuring people get to exercise their vote, ensuring the vote is inviolable, cost, and a number of other facts.

If people were willing to pay a fortune, put up with massive diosruption, and take huge amounts of time...I'm pretty sure a tamper-proof system could be implemetned using any technology. It might involve strip-searches, DNA-printnig and the likes, but its notionally doable at massive cost. Do we want that? No, because its the wrong balance.

OT: the C S Lewis quote in your sig has been one of my favourites ever since I first read Dawn Treader about 25 years ago.

Re-read it the other day and came across this just after reading Sceptre's post on the Israel thread. Thought it appropriate.

Diaspora

I like the sound of the Swiss system which wouldn't cost anymore than the current system if the ballot paper replaced the polling card.

The original project was typical Martin Cullen and to think that instead of demotion they charged him with directing how we will all travel for the next 20years.

Akrasia

Bards wrote:

Very same way I transfer funds between bank accounts from home. No intimidation there. More chance of intimidation from polstres up the strret from polling stations.

As far as I am aware my own house has enough privacy.

Even in the paper based system You can get intimidation... Sinn Fein driving people to Polling stations is intimidation/vore buyinig in my mind

no matter how many people sinn fein drive to the polling stations, they can't force them to vote for sinn fein, once they get to the polling booth they're on their own. If you vote from home via the internet, what's to stop the Daddy, who's a big Fianna Fail or Sinn Fein supporter from standing over his wife/mother/son/daughter as they cast their ballot to make sure they vote for the right candidate?
What's to stop parents opening their childrens ballot information (containing their pin) and voting on their behalf?

And more importantly, what's to stop a corrupt government from just making up their own election result and passing it off as the true vote? There would be no paper trail or exit polls or transparancy of any kind. We all know about Bank officials who embezzled small amounts of money from each money transfer. If that can happen in the secure banking system, it can happen in a voting system, especially seeing as politics tends to bring out the very worst in some people.

Akrasia

Without a secure paper trail, all electronic voting is subject to massive fraud. Look at what happened in america in 2004. Touchscreen voting machines without an audit trail were used, and very suspicious results were returned (in many voting centers, the exit poll results gave kerry the lead, but the recorded votes gave bush a significant victory (it never happened the other way around, and in some case, the margin of error of the exit polls was in the region of 9%, a figure unheard of in statistical analysis of exit polls anywhere else in the world)

John_C

Aren't blind people allowed to have someone come into the voting booth to help them? What's to stop that person from intimidating the blind person?

The 'potential threat' already exists in a number of forms and the sky hasn't fallen in.

oscarBravo

bonkey wrote:

And thats all I'm doing. I'm questioning the assertion that the need for total privacy is absolute as opposed to there being a need for sufficient levels of privacy. I believe the reality is that the latter is what is needed, and I haven't heard a compelling argument to show that this fuzzier definition is still unsatisfied.

OK, fair point. Allow me to restate my objection to electronic voting in general, and remote voting in particular: it introduces a whole bunch of new failure modes, and further undermines the level of confidence that it's possible to have in the validity of an election result.

The problem with a concept like sufficient level of privacy is that it's impossible to define. At least absolute privacy - while, you're right, unattainably - is a goal worthy of working towards. It's also a goal that can be legislated for, such as by making photographic devices illegal in polling stations.

bonkey wrote:

Also, if our constitution requires that you cannot audit your vote, then our constitution requires that it be impossible for you to have 100% faith that your vote was accurately reflected. Either you can track it from start to finish, or you can't. If you can't then you can't have absolute faith that something isn't gone awry...simply reasonably good faith that it is so.

OK, but there's a fundamental difference in the level of faith that it's possible to have in a well-managed paper-based system, and in a black-box voting system.

Up until now I have folded a paper ballot and inserted it into a locked box. That box is kept locked and under constant supervision until it is opened, in public, and the contents publicly and visibly checked. There are very, very few possible failure modes.

Now I'm being asked to have the same level of faith in an electronic system where I push a few buttons and walk away. Sorry: not going to happen.

bonkey wrote:

Just like with online CC transactions, the critics re: remote voting say "its not perfect" and the implementors respond "neither is what you're already happy to live with so whats your point". What I'm saying is that a lack of perfection is not in and of itself the problem, but rather that one should be able to quantify the risk from a flaw and make an informed decision on it.

Right, and I'm saying that if a new system introduces a whole new raft of failure modes, and doesn't address any of the existing problems, then it's automatically a bad idea.

Bards

Diaspora wrote:

I like the sound of the Swiss system which wouldn't cost anymore than the current system if the ballot paper replaced the polling card.

The original project was typical Martin Cullen and to think that instead of demotion they charged him with directing how we will all travel for the next 20years.

Wrong.. The original project was Noel Dempsey...

Bards

oscarBravo wrote:

Now I'm being asked to have the same level of faith in an electronic system where I push a few buttons and walk away. Sorry: not going to happen. .

I'm glad ATM's were invented before E-voting otherwise we would still be going to the Teller inside the Bank

oscarBravo

Bards wrote:

I'm glad ATM's were invented before E-voting otherwise we would still be going to the Teller inside the Bank

Paper trail. Auditability. Try to keep up.

Bards

Actually when ATM's were first introduced the same level of hostitlity and fear was used as an argument not to use them... ring a bell

bonkey

Diaspora wrote:

I like the sound of the Swiss system which wouldn't cost anymore than the current system if the ballot paper replaced the polling card.

One important factor of the Swiss system is that everyone's address is registered.

This might sound like Ireland, but in Switzerland, if you change address, your old community must be notified of your new address, so any and all correspondance can be forwarded. The fines for not doing this are seriously unfunny.

My fiancee used to work in a business management company, and part of her job involved tracking debt-dodgers through this system, often through 4 or 5 address changes.

The entire postal-voting system rests on the already-tight integration of postal and social services. I can see a lot of Irish people complaining that such "draconian" requirements would be an unacceptable invasion of privacy...

bonkey

oscarBravo wrote:

Paper trail. Auditability.

BTW, what part of the constitution expressly forbids the possibility of VVAT?

Also, what would prevent a referendum from changing that if this were agreed to be the only significant obstacle?

jc

oscarBravo

bonkey wrote:

BTW, what part of the constitution expressly forbids the possibility of VVAT?

I don't think it does. I didn't think I had suggested it did - if I did, apologies.

bonkey wrote:

Also, what would prevent a referendum from changing that if this were agreed to be the only significant obstacle?

A paper audit trail would certainly help, but only if correctly implemented. There are many potential pitfalls associated with the idea: first, the audit trail would have to be recorded in such a way as to prevent an individual's vote from being identified, so a continuous paper roll couldn't be used. Second, the voter would have to be given the opportunity to verify that the paper version corresponded exactly to the ballot as cast - and what's the procedure if it doesn't? Third, the voter must be prevented from removing the paper ballot from the polling station - this complicates the previous requirement. Fourth, under what circumstances are the paper votes counted? Fifth, if there's a discrepancy between the paper votes and the electronic votes, which version is authoritative?

Those are just off the top of my head. Given the huge increase in complexity all this adds to the electoral process, I find myself wondering exactly what the benefits are that justify all this?

Victor

oscarBravo wrote:

Auditability.

I'm sure he can hear fine.

Calling Sierra Papa Oscar Oscar Foxtrot ...

dahamsta

It's naughty to call someone a tango romeo oscar lima lima in here Victor, I've been banned for less in the past, while the aforementioned remain in-place. It's the Oirish Way loike.

adam

bonkey

oscarBravo wrote:

I don't think it does. I didn't think I had suggested it did - if I did, apologies.

If you didn't, then I completely misread this bit:

Whether you're talking about a credit card payment on online banking transaction secured by TLS, you're still looking at a scenario where the potential victim can check a paper trail and become aware of any fraud.
Our constitution requires that such not be the case in an election.

A paper audit trail would certainly help, but only if correctly implemented

I think its a given that only proper and correct implementations will be of benefit regardless of what aspect we're talking about.

I find myself wondering exactly what the benefits are that justify all this

Electronic voting, if correctly imlpemented, should lead to a more cost-effective system. (Please note the use of the words lead to[/] instead of produce is entirely deliberate.) Having said that, I'm not entirely convinced of this argument. I'm also not convinced of all the "more reliable results" arguments, but I guess that depends on what you're moving from. The "hanging chad" fiasco in teh US shows just how dodgy mechanical systems could be, but its hard to beat good ol' pen and paper.

Ultimately, the goal should be to have properly decentralised, reliable voting. Its not an easy thing to accomplish, I accept, but I don't see that as a reason to decide its not worth persuing.

The Swiss went down the "postal vote" path, and having gained widespread acceptance for that are now looking at other options. Their aim was simple - to increase participation. Their solution was simple - make it easier to vote, and more people will do so. The results? Exactly as planned - higher participation. Having achieved that goal, they're now looking at SMS (as mentioned before), internet, and god-knows what else. The reason - to keep participation high by making sure people have enough options that about the only ermaining reasons for not voting are "I didn't want to" or "I forgot".

oscarBravo

bonkey wrote:

If you didn't, then I completely misread this bit:

Whether you're talking about a credit card payment on online banking transaction secured by TLS, you're still looking at a scenario where the potential victim can check a paper trail and become aware of any fraud.
Our constitution requires that such not be the case in an election.

Not misread so much as missed the point.

With online banking, credit cards or whatever, there's a paper trail that can, of necessity, be associated with an individual. In other words, when I transact business using a secure online system, I expect to be able to find a record of it afterwards.

If I cast a vote electronically, to be able to check the value of my vote afterwards would violate the secrecy of the ballot. Any paper trail resulting from an electronic vote must be implemented in such a way as to prevent a given paper record being associate with a specific voter.

This is the point that's missed when comparing electronic voting to ATMs and online CC purchases - it introduces a completely new set of challenges.

Bards

Need a paper trail but if I can look it up then yes the paper trail works but gone is the secrecey. I think they are both mutually exclusive. unless

Why not have an in-between system. Voter enters preference on system A with valid userid and pin known only to themselves. system A passes the votes to system B (The count system) in a jumbled up and encrypted fashion with a totel number of votes check that is the same on both systems. User can check later by logging on that his vote is still the same on system A.

Now in my mind the secrecey and audit trail is valid unless someone can tell me why this will not work.

oscarBravo

Bards wrote:

User can check later by logging on that his vote is still the same on system A.

Now in my mind the secrecey and audit trail is valid unless someone can tell me why this will not work.

It won't work because it provides an audit trail at the expense of secrecy. If I can check my vote when I get home, then someone can force me to check my vote when I get home.