[Fwd: Re: [E-voting] About Estonian e-voting]

Michael McMahon michael at hexmedia.com
Tue Oct 25 10:32:08 IST 2005

Craig Burton wrote:

>>> If A is signed, it does what it is meant to do, it is difficult to 
>>> modify.  One of those things is to correctly encrypt our data.  It 
>>> is far better to protect data than it is to protect machines.  The 
>>> encrypted data are impossible to read.  We then sign the encrypted 
>>> data so they too are difficult to modify.  Then the data can 
>>> pass through points B,C,D,E,F safely.  The remaining risks are that 
>>> the encrypted votes are either copied or deleted.  Copies are easy 
>>> to detect as they are identical and can be ignored.  Deleted votes 
>>> are harder to detect as we need our sample of voters to use the VVAT 
>>> system to detect a vote has gone missing.  This assumes all other 
>>> processes for preventing deletion have failed.
>> How does the voter know that the vote was encrypted if they have no 
>> way of verifying that fact, at each election?
>> Even if they trust someone who audited the code, and signed it, what 
>> happens at the point where the vote is decrypted? What proof is there 
>> that the counting system is not changing people's votes?
> The voters and officials have to trust the auditors.  

Ok. That is the point I was trying to get to. My point is that auditing 
of software is incapable of providing the kind of assurance that people 
need. So not only do the voters have to trust the auditors, but they 
have to trust the developers and anyone else in a position to get near 
the system. Auditing of software (for this purpose) is a waste of time 
and money. It is being offered as an alternative to the open, 
transparent election systems that we have today, and nobody is being 
fooled by it.

> The votes can be decrypted by anyone who has the private key for the 
> election and who knows the very long password for it.  The password is 
> protected by having itself been encrypted with passwords made up by 
> all observers at the time the election software is in draft.
> So several officials must provide their passwords to decrypt the 
> votes.  The votes can then be counted on screen, in a spreadsheet or 
> they can be exported and given to any third parties charged to count 
> the votes.  At decrypt time we also check a forward hash of voter 
> credentials that travels with the vote is from the pool of credentials 
> we issued in the election.  Whether these line up with identifying 
> voter records or whether they were shuffled and issued by another 
> auditor depends on whether the election is running in the UK or 
> elsewhere.

These partial/incomplete descriptions of some system(s) are of no use to 
anyone. If you would like to provide a *complete* description of your 
voting system, together with a list of claims you are prepared to make 
with respect to its trustworthiness, I would be only too happy to 
comment on it.
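To make the handling in the quoted reply concrete (encrypt the vote, sign the encrypted record, ignore identical copies, check the forward credential hash against the issued pool, and rely on a sample of checking voters to notice deletions), here is an added Python sketch of the count-time checks. It is an editor's illustration, not Craig's system or any real e-voting code: HMAC stands in for the digital signature, a toy XOR keystream stands in for the real cipher, and the election keys, credentials, ballot box and sampled receipts are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed, fixed election keys for the demonstration (hypothetical values).
ENC_KEY = b"election-encryption-key-demo"
SIGN_KEY = b"election-signing-key-demo"


def hash_credential(credential: str) -> str:
    """Forward hash of a voter credential. It travels with the sealed vote so the
    counter can check membership in the issued pool without seeing the credential."""
    return hashlib.sha256(credential.encode()).hexdigest()


def toy_encrypt(data: bytes, key: bytes, nonce: bytes) -> bytes:
    """Stand-in for the real cipher (a toy built for this example, not for use):
    XOR with a SHA-256-derived keystream. Symmetric, so the same call decrypts."""
    keystream = b""
    counter = 0
    while len(keystream) < len(data):
        keystream += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(data, keystream))


def _signed_body(nonce_hex: str, ciphertext_hex: str, cred_hash: str) -> bytes:
    # Everything the signature covers: nonce, encrypted choice, credential hash.
    return bytes.fromhex(nonce_hex) + bytes.fromhex(ciphertext_hex) + cred_hash.encode()


def seal_vote(choice: str, credential: str) -> dict:
    """Encrypt the choice, attach the credential hash, then sign the encrypted record
    (HMAC stands in for a digital signature) so any modification is detectable."""
    nonce = secrets.token_bytes(16)
    ciphertext = toy_encrypt(choice.encode(), ENC_KEY, nonce)
    cred_hash = hash_credential(credential)
    sig = hmac.new(SIGN_KEY, _signed_body(nonce.hex(), ciphertext.hex(), cred_hash),
                   hashlib.sha256).hexdigest()
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(),
            "cred_hash": cred_hash, "sig": sig}


def count_votes(records: list, issued_hashes: set, receipts: set):
    """Run the checks at decrypt time and return (tally, report).
    receipts: credential hashes of the sampled voters who verify their vote arrived."""
    report = {"bad_signature": 0, "duplicate": 0, "unknown_credential": 0, "missing": []}
    seen, accepted, tally = set(), set(), {}
    for rec in records:
        body = _signed_body(rec["nonce"], rec["ciphertext"], rec["cred_hash"])
        expected = hmac.new(SIGN_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, rec["sig"]):
            report["bad_signature"] += 1          # record modified in transit
            continue
        key = (rec["nonce"], rec["ciphertext"], rec["cred_hash"], rec["sig"])
        if key in seen:
            report["duplicate"] += 1              # identical copy: ignore it
            continue
        seen.add(key)
        if rec["cred_hash"] not in issued_hashes:
            report["unknown_credential"] += 1     # credential never issued
            continue
        choice = toy_encrypt(bytes.fromhex(rec["ciphertext"]), ENC_KEY,
                             bytes.fromhex(rec["nonce"])).decode()
        tally[choice] = tally.get(choice, 0) + 1
        accepted.add(rec["cred_hash"])
    # Deletion is only visible through voters who check: a sampled voter whose
    # credential hash never reached the count reports a missing vote.
    report["missing"] = sorted(h for h in receipts if h not in accepted)
    return tally, report


def run_demo():
    """Constructed scenario: five issued credentials, one tampered record, one copy,
    one vote under a credential that was never issued, and one deleted vote."""
    creds = [f"cred-{i}" for i in range(5)]
    issued = {hash_credential(c) for c in creds}
    votes = [seal_vote("A", creds[0]), seal_vote("B", creds[1]), seal_vote("A", creds[2]),
             seal_vote("B", creds[3]), seal_vote("A", creds[4])]
    tampered = dict(votes[2])
    ct = bytearray(bytes.fromhex(tampered["ciphertext"]))
    ct[0] ^= 0x01                                 # flip one bit of the ciphertext
    tampered["ciphertext"] = ct.hex()
    forged = seal_vote("A", "never-issued")
    ballot_box = [votes[0], votes[1], votes[1], tampered, forged, votes[4]]  # votes[3] deleted
    receipts = {hash_credential(creds[1]), hash_credential(creds[3])}       # sampled voters
    return count_votes(ballot_box, issued, receipts)


if __name__ == "__main__":
    print(run_demo())
```

The sketch shows the limit the thread is arguing about: the signature, duplicate and credential checks are all run by the counting side, so the sampled receipts are the only check in this model that originates with the voter, and a vote deleted from a voter who was not in the sample goes unnoticed.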


More information about the E-voting mailing list