White Box Vs Black Box Voting Systems

Posted 9 Jul 2003 at 21:55 UTC by DeepNorth

A recent news article at the Inquirer discusses what I would call 'Black Box' Electronic Voting Schemes and their pitfalls. On our HushVote site, we present what I would call a 'White Box' electronic voting scheme.

I originally signed on to Advogato to reply to a thread about electronic voting and its problems. I had designed what I felt was a simple yet secure system for my company in concert with Canada Post, a Data Services company and some municipalities.

In the news today is an article (link above) that claims there may be a large scale scandal with respect to voting fraud using what I feel are faulty systems.

The faults with these systems are simple ones and I feel they are simply rectified. They are not open to a proper audit by the interested parties in the election. They are 'black boxes' that we are expected to trust and they are administered by a single party. What is needed is a system that is a 'white box' -- open to internal inspection. To preserve privacy and integrity, more than one party must be the custodian of the information. We present such a scheme at our HushVote site.

As in the article on forgery 'counterfeit-proof', there are variations on a theme. We present a scheme that requires trust that two parties (an election sponsor like a government and a third party ballot issuer) do not collude. However, as many parties as you please may be used. You can use as many parties as you require to trust the results. Auditing needs to be done by two parties as well. This is mechanically quite simple, but again requires that you trust the parties not to collude. As with the holding of the election, you may require as many auditors as you please as well.

Our system allows the system to be subjected to a complete audit to ensure that only valid ballots were cast and that ballots were counted as cast. It also allows any individual voter or group of voters to audit that their votes were counted exactly as cast.

Should you wish, our scheme allows a voter to challenge their vote as cast and to re-cast it.

Our system may not be perfect, but it passes audit with the relevant parties in Canada. Like most security systems, a great deal of the 'trust' in the system comes from both simplicity and transparency. Both are completely missing from the 'Black Box' systems discussed in the Inquirer article.

You may now flame on!

More Detail Please, posted 10 Jul 2003 at 10:30 UTC by mirwin » (Master)

I looked over the slide show and clicked around a bit. A white paper would be useful to one considering coding his own vs. hiring Hush Web. The sooner good electronic voting schemes come into common acceptance and understanding the better. Perhaps you could consider making the entire Hush Web approach more fully transparent by GPLing the code and providing utilities to check the installed software. My apologies if I missed the GPL'd code on your web site.

all details, posted 10 Jul 2003 at 14:47 UTC by jerry » (Journeyer)

Electronic voting, as any legally binding data processing, should definitely be done with decentralized and superuser-free operating systems which tolerate intrusion and Byzantine failures.

That's what we are doing Askemos for.

Sorry about that..., posted 10 Jul 2003 at 15:07 UTC by DeepNorth » (Journeyer)

I confess that the site is badly in need of a white paper to explain the nuts and bolts of implementation.

In my defense, I designed the scheme for a trial election and we were suckered by one of the big automated voting companies. This meant that we had to reduce funding for our project.

With respect to the technical details, if you look carefully at the slides, you can see the pieces implied. The system depends upon secure socket layer stuff (GPL'ed code on our systems), secure hashing (GPL'ed MD5 in our case) and a database layer. For trial, we use MySQL on our servers, but likely would use Sybase or Oracle in production -- it depends upon the client unfortunately.

The 'HushVote' product is merely the protocol as described in the slides and the necessary services to make it happen.

What are the services? Consulting to the election sponsor (the government or corporate entity holding the election), Internet services (servers, bandwidth, etc), preparation, cleansing and verification of voters lists -- all the service bits and pieces needed to really hold the election. We also provide consulting in partnership with the Post Office and provide the test regime for the electronic postal service. Finally, we would provide some 'glue' and tools, but this would of necessity be GPL'ed, since we build upon GPL'ed code.

Bottom line: you can implement pretty much with off the shelf components. What we really offer is the protocol and the necessary services to actually make it happen. You could do the same, if you had the data centers in place.

I thought it was reasonable to post the article, since the pitfalls of 'Black Box' electronic voting are in the news right now. Our system is 'White Box'.

David Chaum pointed me to a press release and excellent white paper on another 'White Box' system proposed by him:


No doubt, people at advogato are bored to tears with discussions of electronic voting. However, I think it is an important topic and it is incumbent upon geeks such as yourself to understand and explain this stuff to non-geeks. What looks simple to us is very difficult to non-technical people and as has been pointed out in the Inquirer article, they consistently choose the wrong solution. This acts to the detriment of us all as it subverts the electoral process.
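Added example, not part of the original thread and not HushVote's code or protocol (whose details are not given on this page): a generic split-custody sketch of the properties the article and the comment above describe, with one party issuing ballots, another recording votes, a hash linking the two, an audit that only issued ballots were counted, and a per-voter check. The class and function names, the token format and the use of SHA-256 in place of the MD5 mentioned above are all assumptions of this sketch.

```python
import hashlib
import secrets
from collections import Counter

def h(value: str) -> str:
    # SHA-256 stands in for the MD5 mentioned in the thread (assumption of this sketch).
    return hashlib.sha256(value.encode()).hexdigest()

class BallotIssuer:
    """Custodian 1 (hypothetical): knows who holds a ballot, never sees a vote."""
    def __init__(self):
        self._issued = {}  # voter id -> token hash, kept private

    def issue(self, voter: str) -> str:
        if voter in self._issued:
            raise ValueError("ballot already issued to this voter")
        token = secrets.token_hex(16)  # 128-bit random ballot token
        self._issued[voter] = h(token)
        return token

    def valid_token_hashes(self) -> set:
        return set(self._issued.values())  # published without voter ids

class ElectionSponsor:
    """Custodian 2 (hypothetical): sees token and vote, never the voter's identity."""
    def __init__(self):
        self.board = {}  # public record: token hash -> choice

    def cast(self, token: str, choice: str) -> None:
        self.board[h(token)] = choice  # a re-cast replaces the earlier vote

def audit(valid_hashes: set, board: dict):
    """Any auditor: every counted ballot must trace to an issued token."""
    unissued = sorted(th for th in board if th not in valid_hashes)
    return unissued, Counter(board.values())

def voter_check(token: str, choice: str, board: dict) -> bool:
    """A voter confirms the published record matches the vote they cast."""
    return board.get(h(token)) == choice

def demo():
    issuer, sponsor = BallotIssuer(), ElectionSponsor()
    tokens = {v: issuer.issue(v) for v in ("alice", "bob")}  # constructed voters
    sponsor.cast(tokens["alice"], "yes")
    sponsor.cast(tokens["bob"], "no")
    clean = audit(issuer.valid_token_hashes(), sponsor.board)
    sponsor.board[h("stuffed")] = "yes"      # record with no issued token
    sponsor.board[h(tokens["bob"])] = "yes"  # record altered after casting
    dirty = audit(issuer.valid_token_hashes(), sponsor.board)
    return clean, dirty, voter_check(tokens["bob"], "no", sponsor.board)
```

Neither custodian alone can link a voter to a vote, which is why the scheme rests on the two not colluding. The sketch does not address coercion: a voter who reveals a token can prove how they voted.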

mailing lists, posted 16 Jul 2003 at 23:17 UTC by lkcl » (Master)

a _small_ side-track:

cleansing of mailing lists is a non-trivial problem that, without cleansing, can result in well over 30% wastage of a mailing list.

people die, move, change name, sex, age and hair colour. oh - and email address.

p.s. i have some software that does de-duplication. it's not open source. there are several alternative open source de-duplication programs around.
