pageok
pageok
pageok
"Estonia To Hold First National Internet Election":

c|net news reports:

E-voting will be introduced for a parliamentary election on March 4, for the first time after it was used in more limited local elections in 2005....

The e-voting system was tested earlier this week, including the chance to choose the "king of the forest". Voters could pick an animal from 10 candidates, including moose, deer and boars....

But who won? In any case,

Just under 10,000 people voted via the Internet in local elections in October 2005. Computer specialists have estimated 20,000 to 40,000 of 940,000 registered voters will vote via the Internet from February 26 to 28, ahead of the March 4 election day....

The voting will take place by people putting their state-issued ID card, which has an electronic chip on it, into a reader attached to a computer and then entering two passwords....

Alan K. Henderson (mail) (www):
What are the odds that hackers will rig the system so that the winner is Clay Aiken?
2.23.2007 12:25am
Fearmonger:
"The voting will take place by people putting their state-issued ID card, which has an electronic chip on it"

If that's the price of internet voting, count me out.
2.23.2007 1:15am
Eugene Volokh (www):
Fearmonger: Having a state-issued ID is the price of driving, and somehow we make do. Is the concern that this will compromise the secret ballot? (Would auditable open-source software prevent that?) Is it that the ID is fine, but the chip isn't? Or is it something else?
2.23.2007 1:35am
logicnazi (mail) (www):
I'd like to point out that internet voting schemes are not necessarily insecure or vulnerable to manipulation. In fact there is some really interesting research in encryption about schemes that allow secure secret voting (usually with the property that some large fraction of the trustees, i.e., government/private servers recording the votes, must collude to defraud the vote or undermine secrecy). Some of the better schemes even allow receipt freeness (preventing the sale of votes) and have other nice properties.

Do a search for 'homomorphic encryption' and 'voting' and a bunch of papers will pop up about the subject. There are other approaches as well but I don't remember the names of those.

Of course these usually require some kind of underlying means of identification but a smart card plus passphrase system could certainly provide better security than either bank PINs or the current election system.

Anyway I have every confidence a good internet voting system COULD be built but, based on the insecure crap we use for voting machines now, great doubt that any such system will be implemented soon by anyone.
2.23.2007 2:06am
Fearmonger:
EV,

Is the concern that this will compromise the secret ballot?

Yes.

Would auditable open-source software prevent that?

Possibly. Possibly not. I'm not really tech savvy enough to address this.


Is it that the ID is fine, but the chip isn't?

Well, yes. I suppose if the only purpose of the ID card was to vote, and you did not have to have one if you chose not to vote, and you could destroy it immediately after voting, and the chip did not keep tabs on you by any sort of clandestine method and did not not process or retain more information on you than necessary to vote, I would be fine with it. Not to sound paranoid, but the chip seems a little unnecessary. Why wouldn't a password protected system alone be enough?

Having a state-issued ID is the price of driving, and somehow we make do.

True enough. But driving raises a whole lot of liability issues not associated with voting. You also don't have to pass a test to vote. And it seems a little more like a fundamental concern of citizenship.
2.23.2007 2:36am
Freddy Hill (mail):
Internet voting cannot be made secure with identification schemes as described, which are of the form "something you have (a card) + something you know (a password)". If I choose to give you my card and my password in exchange for a couple of beers the integrity of the system breaks down. The government would have to give out an additional means of positive identification (face recognition, retinal scans, fingerprint readers) if we want to approach the integrity of current manual identification systems.

Oh but wait, that's why some people are opposed to requiring any form of positive identification, isn't it. NOW I get it.
2.23.2007 7:46am
MikeM (mail):
I see three problems with this scheme. First, the voters have to have access to a system that will read the card. Second, as noted above, there's no way to guard against the fraud of someone collecting multiple cards and passwords and casting multiple ballots. And third, there is no way to verify that the votes are tabulated correctly because there is no paper trail that can be secured.
2.23.2007 8:37am
markm (mail):
Voters could pick an animal from 10 candidates, including moose, deer and boars....

But who won?

(In thick middle-Europe accent) Moose and squirrel!
2.23.2007 8:59am
dan b:
It is likely the card with a chip is a form of smart card. They are not common here in the US, but are fairly ubiquitous in Europe.

I think Internet voting has as much chance of abuse as the absentee voter scheme used in the US, and possibly less if the smart card is their government ID and other government services are accessible using the ID and one of the passwords.
2.23.2007 11:23am
Jeff Shultz (mail):
I suspect that the chip card is similar to the CAC card... which everyone in the military now has as their ID card.

This isn't something that particularly bothers me.
2.23.2007 1:30pm
logicnazi (mail) (www):
fearmonger,

As I said above it is possible to run a secret but verifiable internet voting system. Open source software isn't really the issue but the design of the voting system itself. For instance consider this paper. Apparently, to my surprise, some people are trying to use sophisticated voting schemes like this.

As far as IDs go, yes it is always possible to give away your ID (and biometrics are no solution unless you use the government's computers since you could just copy the digital info of someone's finger/eye) but this is possible now and in a truly receipt free system even if you give away your identifying info you could still vote yourself rendering the vote of whoever you gave the info to invalid, i.e., it would either just not count either vote or whoever voted first. This is still a lot better than the current system.
2.23.2007 2:06pm
Robert West (mail) (www):
As someone who has worked in a polling place during every election for the last fifteen years, I'd like to add:

The identity-security of the existing system is vastly overrated. In California, unless someone challenges a voter, I'm not allowed to ask them for identification ... and since it's not possible for me to know all of the voters in my precinct by sight (especially as I've almost never been assigned to work in the precinct where I live), there is enormous scope for people to come in and fraudulently vote as other people.

I'm no fan of electronic voting, but I do think that a lot of the things people are worried being problems with electronic voting are also problems with the existing system. Voter impersonation is easy now; all that moving to the internet would do is make it easy on a mass scale.
2.23.2007 2:59pm
Fearmonger:
Logicnazi, thanks for the link and sorry for neglected your earlier post.

Oh but wait, that's why some people are opposed to requiring any form of positive identification, isn't it. NOW I get it.

Not sure if this is directed at me, but I'm no fan of voter fraud. Clearly there needs to be some sort of verication of identity in order to vote. The issue is whether internet voting will compromise the secret ballot and whether is necessary to carry a computer chip (which raises some questions of potential abuse) in order to vote.

On the other hand, as to the issue of giving someone else your password/voting card over beers, I'm not sure this really bothers me as long as the "one person, one vote" principal is still in effect and there is no fraud. Essentially, this is not much different than proxy voting in the corporate setting.
2.23.2007 3:04pm
Robert West (mail) (www):
Fearmonger: I think there's a legitimate concern that if votes are sellable, elections become a contest over who has the most money to buy votes.

One of the nice things about the current system is that, while you can sell your vote, it is impossible for the buyer to ascertain whether or not you voted as promised. A system which allows you to sell the ability to cast the vote would be much more problematic.
2.23.2007 3:59pm
Jaime non-Lawyer:
I believe that Estonia is a special case, but there is a number of barriers that would make this system difficult to replicate here.

1) Estonia is a small country which makes the likelihood of problems smaller.
2) Everyone has a national ID card already.
3) The population is not very mobile which makes voter list easier to maintain.
4) It is probably easier to purge the names of dead people from the lists since they probably have a single centralized database and unique ID numbers on their national ID cards.
2.23.2007 4:01pm
Fearmonger:
while you can [presently] sell your vote

Are you speaking practically or legally? Is it now a crime to sell your vote?
2.23.2007 4:12pm
Fearmonger:
it is impossible for the buyer to ascertain whether or not you voted as promised.

More difficult, for sure. Impossible, no. In the age of video/camera phones, I'd think it be rather easy to prove to the buyer you voted in a certain way.
2.23.2007 4:37pm
Robert West (mail) (www):
Fearmonger: I'm speaking practically, of course. I have no idea whether or not it would be legal to sell your vote, but in California it would be illegal to *buy* someone's vote.

Point taken about video/camera phones. This is a recent development, however.
2.23.2007 5:07pm
Robert West (mail) (www):
Jaime: surely there are states within the US in which the same criteria could be met.
2.23.2007 5:08pm