>The last one is important; you need to be able to prove that you voted
>and have the voting system prove to you that it accepted, understood,
>and counted your vote, but you can't allow people to make lists of who
>voted for who, because this has been abused in the past and has led to
>intimidation of the voters.
>
>Add this all up and it's a very tricky thing to do correctly.
Sounds quite easy actually, stop making excuses for them. If they haven't made it secure it isn't because they can't, it's because they don't want to.
>The real challenge for any voting system is to get all of these right:
>
>- Only those allowed to vote can vote
>- Those disallowed from voting can't vote
>- Voters can vote at most once
Voters would need to enrol to vote, as they already must, then be given a unique username and password to log on to the system. Standard operating procedure.
Of course it would be theoretically possible to get around the system by buying votes, that is, buying people's username and password so that you could exercise their vote for them. But this isn't worth the trouble or the risk.
>- Votes have to be auditable
The system needs to keep a record of each and every vote by generating a unique transaction number for each vote (as internet bill-paying systems usually do). The user can keep a record of their transaction number (ideally, print out a receipt which shows how their vote was cast with the receipt number associated with it, at the time of voting) and should be able to go to the system at any time afterwards and inspect the record of the vote they have cast to ensure it is still correctly recorded. Each and every vote could be listed on a publicly accessible electronic database, alongside the transaction number.
>- Voters can't be identified from their votes
Because each recorded vote is identified only by a transaction number, the actual voter is not identifiable, except by the one person who knows who cast that particular ballot, the voter in question.
The system is completely transparent and accountable: each voter knows their own personal transaction number, but the system doesn't record any link between the transaction number and the identity of the voter. The voter can even have the option of printing a receipt at the time of casting a vote, which can be presented to any later audit if there is any funny business (if the vote doesn't show up on the public database of votes, or shows up incorrectly).
If the receipt is printed out at home on your own computer it isn't much use as proof of how you voted, but if it is printed out on an official receipt issued by an official voting machine it is more use. Nevertheless, the system would still be able to (would need to) record which voters had voted and at what time. The time stamp need not be on the public database, so a receipt with a date stamp that is corroborated by the system records would have some evidentiary value.
In any event, being able to prove beyond doubt whether your vote was correctly recorded isn't the point. The important thing is that you, yourself, would know. Each and every voter would know how they voted and would be able to easily check that the system was recording and counting their own vote correctly.
To rig an election would require millions of votes to be tampered with. So millions of people would know for certain that their own personal vote had been tampered with. Such blatant election rigging would be far too risky an endeavour.
Bill Bartlett Bracknell Tas
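
The record-keeping described in the message above, sketched as an added example that is not part of the original message and not code from any real voting system. The class, method and voter names are hypothetical, and the sample votes are constructed; it keeps the roll of who voted apart from the public list of votes, then shows what a receipt check and a count comparison each notice.

```python
import secrets
from collections import Counter

class BallotBox:
    """Toy model: the roll of who voted and the public list of votes are kept apart."""

    def __init__(self, enrolled):
        self.enrolled = set(enrolled)  # voters who enrolled
        self.voted = set()             # who has voted; holds no choices
        self.board = {}                # public list: transaction number -> choice

    def cast(self, voter, choice):
        if voter not in self.enrolled:
            raise PermissionError("not enrolled")
        if voter in self.voted:
            raise PermissionError("already voted")
        txn = secrets.token_hex(8)     # random, so it cannot be derived from the voter
        self.voted.add(voter)
        self.board[txn] = choice
        return txn, choice             # the receipt handed to the voter

    def check_receipt(self, receipt):
        """What a voter does later: look up their own transaction number."""
        txn, choice = receipt
        return self.board.get(txn) == choice

    def counts_match(self):
        """One listed vote per person marked as having voted."""
        return len(self.board) == len(self.voted)

    def tally(self):
        return Counter(self.board.values())

def demo():
    # Constructed sample data: three enrolled voters, two options.
    box = BallotBox(["alice", "bob", "carol"])
    receipts = {v: box.cast(v, c) for v, c in [("alice", "A"), ("bob", "B"), ("carol", "A")]}
    clean = all(box.check_receipt(r) for r in receipts.values())
    box.board[receipts["bob"][0]] = "A"      # a recorded vote is altered afterwards
    noticed = [v for v, r in receipts.items() if not box.check_receipt(r)]
    box.board[secrets.token_hex(8)] = "A"    # an extra vote is added to the list
    return clean, noticed, box.counts_match()

if __name__ == "__main__":
    print(demo())
```

The altered vote is noticed only by the one voter holding that receipt, while the added vote is noticed only by comparing the length of the public list with the number of people marked as having voted.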