Evil One, you must be new here. We’ve thoroughly hashed out the 2000 election results, and although some people accept them and some don’t, there’s a near-unanimous consensus that enough shit happened in Florida and elsewhere that it’s reasonable to feel the election is dubious – whether or not you personally agree with that proposition. Your contention that doubts about the elections are the product of fantasies, etc., simply will not fly here.
“Accountability” is an irrelevant buzzword, having no connection to the fact that the preservation of the secret ballot precludes any mechanism for after-the-fact verification that an individual’s vote was counted as intended.
I’m familiar with the technology. That’s why I realize that it needs a backup to 1) insure that there’s still a system in place if the mathematics behind public-key cryptography turns out to have an easy solution for deriving the reverse function and 2) provide a backstop for when (not if) the question arises of whether the code running in the machines is actually the same as the code that was advertised.
I guess I’m not understanding your issue here. I don’t oppose secret ballots, and the only reason to allow even voluntary tracking is to offer the unnecessary confirmation to a voter that their vote has been recorded. You keep trying to make an argument out of this where there is none. If you don’t want individual accountability, you issue the keysets anonymously, preferably randomly (well, pseudorandomly) generated at the time that voting occurs.
If “the mathematics behind public-key cryptography turns out to have an easy solution for deriving the reverse function” then we’re in a world of hurt, as public key cryptography is used widely to secure transactions. The method has been studied extensively, and even with access to a supercomputer and the most advanced crypto techniques available reversing the function or determining the private key is computationally prohibitive, to a point of being a virtual impossibility on any reasonable timespan. There’s no reason we couldn’t generate keys with a length that would take longer to resolve than the lifetime of the universe, and if you want truly random numbers (as opposed to the pseudorandom numbers generated by a processor and which are the linchpin of cryptography) then you can record atmospheric noise and use it to create a one-time pad for the keycodes.
As for verifying that the code running on the machines is the same as that which is advertised, go back to my first post on the issue. You’d make the software (both the encryption engine and the front end) open source, with source code and checksums for both the raw code and the binaries available and run from CD or DVD, eliminating any chance of a hack of the voting machines. You could have this overseen by an independent body–hell, the FSF would be ideal–and no information about the ballot would ever be recorded anywhere except on a central server. The key is to make the system transparent, so that anyone can monitor any part of the process without being able to corrupt it…which, of course, is the point of encryption.
The problem I have with hardcopy ballots is this; they introduce many more steps, including several manual handling steps, into the process, which allows for much greater error and the possibility of deliberate tampering. Consider the possible errors that could result in the Mercuri proposal outlined above, for instance; the machine needs to generate a paper ballot (printing problems), it needs to handle and display the ballot to the voter (paper jamming), it needs to place it in a secured box (potential for tampering or theft), the box has to be transported to a counting facility (possibility of theft or loss), the box has to be opened, ballots removed, collated for automatic counting (damage, loss, tampering), then archived somewhere (damage, tampering) for future confirmation. And what happens when someone drops a folder of ballots behind a filing cabinet, or the storage facility has a water leak or a fire?
A secure electronic system, one in which each vote is individually keyed and correlated to an (anonymous) list of keysets issued, has far fewer chances for damage or tampering, and you can duplicate the data as much as you like without corrupting the database. No system is perfect, of course, and there are security holes (for instance, the issuing authority could just make up a bunch of keysets and assign them to counterfeit voters) but this is true with conventional systems as well. It also permits secure voting for people who are not able to vote on-site the day of the election. Considering the continuing issues with verifying absentee ballots this is an important capability.
Again, the anonymity point is a non-issue; if you want the system to be anonymous and untraceable to the level of the individual voter, you simply make the issuance of keysets anonymous.
Stranger
If the only thing it does is allow a voter to confirm “yep, you cast a vote” but does not enable confirmation that “your vote was counted as a vote for Dudley Do-Right and not as a vote for Snidely Whiplash”, then it is useless and might as well be completely dispensed with.
All the more reason not to drop another egg in that basket, given that there’s no real need for it (an event that happens, at most, twice a year simply doesn’t require the sort of rapid-fire processing as an event that happens every minute of every day).
I am referring to the fact that we have only empirical evidence (i.e. nobody has figured out a computationally feasible reverse function), but not hard mathematical proof, that the functions are one-way trapdoors.
I am aware of the fact that a true random one-time pad is unbreakable (this is mathematically bulletproof). I am not familiar with any method of creating a publicly verifiable and unforgeable digital signature using only a one-time random pad.
OK, so paper ballots are untrustworthy because they require “manual handling”. I presume that the CDs and DVDs in your system are delivered by the Digital Media Fairy.
Secret ballots are a secret to everyone except the voter. And the only reason the voter knows how they voted is because they cast the vote.
It doesn’t matter how keysets are issued. Once the key is issued, it forges links between a vote/key and a key/voter. It is then possible for anyone to coerce the key from the voter and link a voter to their vote. Goodbye secret ballot.
Oh, sure, the election software/official may not know who cast what vote… but if that’s what you think secret ballot means, you’ve missed the point.
I blame tabbed browsing on this thread resurrection.
At least it’s only a couple weeks old…