"E-balloting", secrecy, and trust.

J. Johnson jj at scn.org
Sat Dec 19 01:00:05 PST 1998 

Barb's concern about the vulnerability of electronic voting to "root"
access is somewhat naive:  it is the nature of all extant computer 
operating systems that there is a "superuser"--"root", or its non-Unix
equivalent--that can do anything on the system.  Which is why
computers used in public elections are very stringently secured--and
definitely _not_ networked.  And why the mere concept of running a
_secure_ voting system on SCN is not only contraindicated, but also
contradictive.

But that concern is also profoundly significant for _voting_ systems.
For example, consider a simple ("classic"?) system of paper ballots
stuffed (?!) into a ballot box, and then tallied by hand:  explicit,
and _trusted_, supervision of the system is necessary to prevent all
sorts of abuse.  The various methods of protection--prior registration
of voters, marking voters with indelible ink, having witnesses monitor
the processes, etc.--can diffuse the trust required, even make it more
accountable, but cannot eliminate it.  It's much like entropy:  you can
push it around into a more convenient place or form, but you cannot
avoid it.  Same thing with voting systems:  slice it, dice it,
out-source it, but in the end even the cleverest schemes depend on
some kind of trust. 
 
Well, sort of.  It turns out that trust--more precisely, trusting that
someone is doing the "right" thing without opportunity to confirm it
with direct observation--is a characteristic of systems with _secret_
elements (like secret balloting).  Consider a group where members must
cast votes publicly:  once the votes are publicly recorded, the
results are a "simple matter of arithmetic".  _Every_ step is
verifiable, so there is no place for the process to be secretly
subverted.  (And no one need depend on "the government" for the
results.)  

To summarize:  any voting system that has a "secret" part, and is
therefore not publicly verifiable, must, at some level, rely on trust.
And is therefore vulnerable to malfeasance and subversion, regardless
of how it is implemented.

=== JJ =================================================================

* * * * * * * * * * * * * *  From the Listowner  * * * * * * * * * * * *
.	To unsubscribe from this list, send a message to:
majordomo at scn.org		In the body of the message, type:
unsubscribe scn
==== Messages posted on this list are also available on the web at: ====
* * * * * * *     http://www.scn.org/volunteers/scn-l/     * * * * * * *

More information about the scn mailing list