Cryptographic voting system developed by MIT prof has first real world trial (web.mit.edu)
63 points by davidbalbert on Nov 14, 2009 | 20 comments



Hint: the MIT prof referenced in the headline is Ron Rivest, the R in RSA.

While the description ("MIT prof") is factually correct, that's like describing Donald Knuth as a "Stanford prof". Both place the focus on the affiliation, whereas (at least with this crowd) the identity of the professor is more interesting and eye-catching.


That's because this comes out of the (MIT) News Office. :)


The article fails to mention the principal driver of this technology, David Chaum. The system is a descendant of Chaum's prior voting works with broader participation.


David Chaum was/is the guy behind 'digicash'.


This combines much of what I've wanted in a voting system:

o Physical Tokens - Something people can see and touch. Something that human beings can physically recount if they have to and will (at random) to confirm that the automated system has not been compromised.

o Cryptographic Verification - I can check after the fact to determine if my vote was counted. Supposedly only 2% of the population needs to check to determine if there was a compromise.

o Simple Counting system - The computer code required to count how many votes were cast for each party should be relatively straightforward and easy to verify.

After thinking about this for a while I'm not sure what happens with the False Positives - what if I write my number down incorrectly and can't find it after voting. I suspect that a certain number (0.5%?) will do so and now be convinced that there was fraud with the new system. Possible downside. Of course, the electoral commissioner will be able to take this into account - Let's say we have 100 Million people voting, and that 4% of those check their votes, and that 0.5 % of the people who checked their votes wrote the number down incorrectly, and 10% of those people report it to the electoral commissioner, there should be about 2,000 reports, on average, of Fraud.

Now - what about DELIBERATE false positive - an attack on this system is now to have the losing party overwhelm the electoral commissioner with reports of fraud.

The great thing about a system with Physical Tokens (Paper) is you can have scrutineers from both parties, in the presence of independent observers, _physically watch people count tokens and challenge_

Physical Ballot Box stuffing in a first world country is next to impossible, as long as you have strong representation from the population during the casting of votes and counting.

I hate the idea of purely electronic voting for things where the incentive to cheat is huge, and the recourse for the ordinary citizen to help ensure that the count is fair is absent.

Let's hope that this system (or something like it) takes off.


I write my number down incorrectly and can't find it after voting.

Straightforward error correction techniques would help identify and compensate for minor errors, and simple adding-machine-style receipt printers incorporating such logic could be made available within voting booths. Voters who want a receipt would just type the revealed code into the printer.


Voting is more complicated than it seems.

Here are two rules I discovered about voting that are quite non-obvious:

You can not print out a receipt of the votes, in order. Because in a small town, someone could write down the order that people show up, and then correlate it with the order of votes on the receipt. (This is why paper trails of electronic votes were never implemented.)

The voter must never be given a receipt that allows a third party to verify who they voted for. This is because it allows vote buying: I buy votes, and you show me your receipt and prove you voted for who I want before getting paid.

This system fails the second rule, and thus will never be implemented widely.


Actually, it doesn't. The correlation between the revealed code and the selected candidate is not published.


But there's a difference between "not being published" and not existing. Unpublished information is still available to some group of people, stored on disks etc. It could be accidentally or deliberately released. Given the amount of confidential information that does get inappropriately released I would expect this information to, at some point, be seen by people who shouldn't have access to it. Better that the files don't exist in the first place. Maybe it could be a probabilistic correlation set at a level which would require a number of votes to obtain sufficient certainty.


You are right - I quite missed that.

Here's a slightly better article: http://discovermagazine.com/2008/oct/04-protecting-your-vote...


One problem is that voter turnout is generally low. And as far as I can tell, there is nothing in the system to stop a lot of fake ballots from being counted. And it's not possible to claim that a turnout of 75% is fraud, even if the usual turnout is around 50. Russian elections routinely get 95% turnout with almost no one going to the booths.

There needs to be a way to verify whether a person has not voted. Could be based on SSN in some way. But it also has to be simple to use.


They thought of that. I didn't catch the details but they have something called the "Unused Ballot Audit".

http://sites.google.com/site/takomapark2009audit/audit-data/...


This is tangential but I must:

Oh, oh why someone like Ron Rivest allows himself to be associated with a name like "Scantegrity". It's a name I could expect to see in the title of the next Doghouse on Bruce Schneier's blog. And it almost reads like Scam-tegrity. D'uh.

To offset the above, there's a nice summary of the system on Wikipedia as well: http://en.wikipedia.org/wiki/Scantegrity.


I've read the details of this system. It's quite clever, but it won't work.

The problem is not people "hacking" elections. Actual instances of voter fraud or attempted voter fraud are extremely rare in this country.

The problem is the perception of fraud. And this system is WAY too complicated for anyone to understand. Sure, it's great and I hope it gets adopted all over, but actual security at the polls was never really the issue.


From the voter's perspective I fail to see how this is in any way more complex than what they currently do. Fill in a bubble. (Hell, some of them used a pen anyway, so it was literally the same as they were doing before.)

The only extra complexity is an optional post-vote verification of your vote online.

I don't see how one can be so sure of the low frequency of voter fraud when the whole point of this system is to make it something that's actually possible to detect.


Ben Adida has been blogging about the election and verification in Takoma Park: http://benlog.com/articles/2009/11/09/takoma-park-verifying-...


Being able to confirm your vote later using a serial number may be convenient, but it makes it possible to sell your vote. I could offer my vote for sale and then give the serial number to the buyer so that he makes sure I voted the way I was supposed to.


That is false. The purpose of the code business is to make votes anonymous.

The key to the system is that before the election, the election commission prepares a set of tables that, taken together, link the ballot codes and the candidates’ names; but that link can’t be deduced from any one table by itself.
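
Added example (not part of the thread, and not the voting system's own code): a toy Python model of the split-table idea in the comment above, where a published code table and a published tally table are joined only by a secret, shuffled link table that auditors open one side at a time. The table names Q, R and S, the 3-character codes and the sample candidates are assumptions of this sketch, and it omits the cryptographic commitments a real deployment would need.

```python
import random

CANDIDATES = ["Alice", "Bob"]  # constructed sample data
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"

def build_tables(n_ballots, rng):
    """Pre-election setup (toy model, no commitments).
    codes[b][c]: code printed next to candidate c on ballot b (secret)
    q_table[b]:  the same codes in shuffled order (safe to publish)
    r_table:     shuffled rows linking one Q cell to one S cell (secret)"""
    slots = [rng.sample(range(n_ballots), n_ballots) for _ in CANDIDATES]
    codes, q_table, r_table = [], [], []
    for b in range(n_ballots):
        chars = rng.sample(ALPHABET, 3 * len(CANDIDATES))  # distinct chars, so distinct codes
        row = ["".join(chars[3 * c:3 * c + 3]) for c in range(len(CANDIDATES))]
        shuffled = rng.sample(row, len(row))
        codes.append(row)
        q_table.append(shuffled)
        for c, code in enumerate(row):
            r_table.append({"q": (b, shuffled.index(code)),
                            "s": (slots[c][b], c), "flag": False})
    rng.shuffle(r_table)
    return codes, q_table, r_table

def run_election(votes, codes, q_table, r_table):
    """votes[b] is the candidate index marked on ballot b."""
    receipts = {b: codes[b][c] for b, c in enumerate(votes)}  # code each voter notes down
    published_q, published_s = set(), set()
    for b, code in receipts.items():
        qcell = (b, q_table[b].index(code))
        row = next(r for r in r_table if r["q"] == qcell)
        row["flag"] = True
        published_q.add(qcell)
        published_s.add(row["s"])
    return receipts, published_q, published_s

def tally(published_s):
    """Count marked S cells per candidate column; S holds no ballot numbers."""
    return [sum(1 for _, c in published_s if c == i) for i in range(len(CANDIDATES))]

def audit(r_table, published_q, published_s, rng):
    """Open one randomly chosen side of every R row and compare it with the
    published marks. No row ever reveals both its Q and its S pointer."""
    for row in r_table:
        side, marks = rng.choice([("q", published_q), ("s", published_s)])
        if (row[side] in marks) != row["flag"]:
            return False
    return True
```

A voter checks that their noted code is the one marked in Q for their ballot; anyone can recompute the tally from S; the half-opened R rows tie the two together without exposing which code belongs to which candidate.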


Since that's also possible with the current voting system, it can't be considered a strike against this proposal.

Absentee voting is possible in every state, usually without any reason given, and any absentee voter can just hand the incomplete ballot over to the attacker in exchange for whatever compensation.

Since offering your vote for sale is illegal in any case, this has to be considered a threat that is so minor as to be nonexistent.


It says that the ballots have serial numbers. In any transparent election, ballots are made public on request -- I think it was a TV station that did a 100% recount in Florida after 2000?

If I take home a ballot serial number, a vote-buyer would be able to look up my ballot later and confirm my vote.

But as I understand it, vote buying barely registers as a source of fraud -- it's stuffing voter registration lists, keeping voters from going to the polls and stuffing blank ballots.



