My note arXiv:1305.5359 on a protocol for conducting elections by telephone is on the arXiv today. This one should be broadly accessible. It has no math in it, and no technical background is necessary to be able to read it. #spnetwork #byAuthor #security #cryptography
I really liked the idea. It will definitely increase the people participating in the election process.
I had a few doubts.
1)What prevents the fake voter from recording the passage read out, and playing it back. Is the passage read out to the voter a modified one?
2)The password, i guess is typed into the phone keypad. Because speaking it loud will give away the password to anybody standing around. Or some bugs implanted in room.
Even with 50% success of a voice forger, since people are allowed to vote multiple times, it will be bad enough.
3)Isn't it easy for phone exchanges to wire trap its users?
For example the local politician can install something in the local telephone exchange to cut into the line as soon as the authentication is over to send his choice.
4)If govt. becomes dystopian, wouldn't it be easier for them to recognise who voted for whom and punish, by getting acces to Electorial comission's servers? (In tradiatinal paper method, dystopian govt can still manipulate the results. but still there wouldn't be any way to trace back who voted for whom.)May 24, 2013
Hi Joe, thanks for your comments!
1) The passage has to be repeated in the voter's voice. The recording will not be in the voter's voice.
2) Yes, typing in the password is one way, but then the phone may need a touch-tone. If it has to be spoken out, the voter must make sure they are in a secure environment. Perhaps it is too expensive to bug enough people to collect enough passwords to affect an election result.
3) The election authority has to make sure the telephone exchange and wires are secure, or that tampering can be detected. Whether this scheme is practical depends on whether this can be done.
4) Good point. If the election authority is compromised, then the government does not even have to worry about punishing, they will anyway win the election. This is true even with the traditional elections, so we are not worse off with phone voting.May 24, 2013- Thanks.May 24, 2013
Hi Manoj,
Still another doubt.
1. How do I know that my vote has been counted, since the system will respond the same to me whether my vote is accepted or not. ( This extremely crucial for me, else I'll be in an eternally confused state whether I voted or not. I am ready to vote again, if the machine could not authenticate me properly the first time, but I should know that I was not cleared the first time around)Jun 16, 2013- Hi Kshitij,
+ If the system gives immediate feedback about whether a vote is accepted, this can be used against it by voice forgery systems. They can use this as a feedback loop to figure out how to break the system.
+ Our system provides a weaker feedback. The feedback is only available after the elections are over. It does not give information on each attempt at voting, but only on the last successfully authenticated vote cast by the voter.
+ We expect most voters will not be concerned about coercion. They will only vote once, and want to know that the vote they cast was valid. So they will ask for a receipt. In the normal use case, the receipt will be received by them after the elections, confirming that their vote was cast successfully.
+ If they asked for a receipt, and do not receive it, then they know something went wrong. It is too late to fix things in the last election, but they are at least aware there was a problem, and can try to fix things before the next election. If many people have a problem, they can come together, and protest against the system.
+ There are some other details: for example, a voter can ask to not receive a receipt, or to leave the choice the same as that set on the previous authentic vote cast from that voter id. The paper discusses the reasons for these options.Jun 16, 2013 - This is something I'm quite uncomfortable with, because if my vote is not being registered, I will revolt against the system after elections and the elections are technically not fair. But you are right about the feedback loop point. So here's a suggestion:
Can we introduce a gap between when a voter can find out if his/her vote was registered (say of 24 hours). If I cast my vote today at 8 AM, tomorrow morning 8 AM onwards if I call up again to find out, it will indicate that whether or not my vote has been registered, but will also give me an option to recast it in either case.
1. This will make it extremely expensive for exercising any kind of feedback loop to break the system as for each voter, the 'breaker' will have to try doing this only after 24 hours for each vote cast. So if there are 7 days for voting, at max the 'breaker' can try it for 7 times, but this is extremely difficult to follow up for a large number of voters (and quite useless)
2. If I am a non coerced voter, it gives me the satisfaction before voting ends to know that my vote has been registered. This is critical for any individual in any election system. Jun 17, 2013 - Kshitij says: "So if there are 7 days for voting, at max the 'breaker' can try it for 7 times, but this is extremely difficult to follow up for a large number of voters (and quite useless)"
+ I am not convinced about this. It seems to me that on each day, the candidate could try to forge many votes, and on the next day would get feedback on all those votes, and could update his strategy accordingly, to try to break the system. The depth of the feedback will be limited to 7 as you correctly observe. But the amount of information obtained may prove sufficient to manipulate the result of the elections.
+ Your modification as described is not coercion-resistant because someone could coerce a voter to abstain from voting, and confirm after 24 hours that she has not voted. However, with some changes (an option for the voter to ask to not receive a receipt), I believe it can be made coercion-resistant.
+ Your concern is of course very valid. But consider that even today there are many citizens whose names do not appear on the electoral rolls, or who do not have voter ID cards. They go to the polling booth and are not allowed to vote. Sometimes their votes get annulled because of "dimpled chads."
http://en.wikipedia.org/wiki/Chad_(paper)
These people do express their displeasure, and records get corrected, but it does not usually lead to large-scale revolts. There seems to be a realization that holding elections is a complex activity prone to errors. So long as those errors are not a priori biased in favor of one outcome, most people seem to take such errors in their stride. This is a notion of fairness that has been called "envy-freeness" in the literature.
http://en.wikipedia.org/wiki/Envy-free
What you are asking for is a stronger notion of fairness. At least in my analysis, stronger fairness guarantees of the type you wish for come at a cost, that of making the system less secure.
+ There is another very important point you make implicitly about the psychological acceptability and marketability of such protocols. I think that is certainly a huge challenge. There will be many concerns like yours that will be raised. To address those aspects will require much more work.Jun 17, 2013 - Three points:
1. On your point that people might break the system by collecting information of a lot of voters in 7 tries for each voter is highly unlikely because the process for voting for each candidate is highly time consuming - takes like 2-5 mins (putting the voter id, double authenticating etc.). So for doing it with lots of people will need multiple phone lines each being managed by a candidate's person standing next to each voter.
2. I agree with your coercion argument though. But since the voting lines are open for a 200 +rand*200 hour type system, I think this will again be very expensive to keep checking. Because though a candidate might spend 2-5 mins once to check if the coerced voter has actually not voted, he/she cannot devote enough time to keep doing this all the time, and after that the voter can vote anyways.
3. Also, voters can be educated beforehand as to how to fool any coercers, by speaking in a different voice the second time around. Or maybe pressing a key that automatically disregards a current vote. Something that is very difficult to monitor by a coercer.
I seriously hope that as India gets more and more connected, this system is implemented one day. Very important paper I must say.
Because I'm sure we shall be heading to 100% voting with this kind of a system.Jun 17, 2013
