Henry Baker <hbaker1@pipeline.com> wrote:
> I.e., in order to properly test the voting network, it may be necessary to inject a *known* number of 'false' votes into the network, and subsequently subtract these false votes from the totals.
How would that help confirm that the votes are getting through, unless the total number of votes for candidate X were less than the number of test votes for candidate X? Perhaps test votes should be for a non-existent candidate. Hypothetical hacked software can't accept those votes while rejecting votes for a real candidate, unless the name of one or both candidates appears somewhere in the code, which it shouldn't. Of course an encrypted version of one or both names could be hidden in the code. A better approach is to use the live votes as tracers. Every voter is encouraged to make a note of their ballot serial number. The whole database of who everyone voted for is made publicly available online, except for the link between the voter's name and the ballot serial number. Each voter could look up his own ballot and see that it's correct. There are two downsides to that. One downside is shared with absentee voting -- the voter could have been coerced or rewarded to vote in a specific way. The advantage of in-person voting is that that's not possible, at least not unless the coercer or rewarder hooks the voter up to a reliable lie detector. The other downside is that the voter could falsely claim that his vote was missing or wrong. Also, this doesn't address the opposite problem, ballot-box stuffing.
> Clearly, there are great dangers in a poorly implemented voting system with 'in-band' signaling. However, there are also great dangers in *not testing* a voting system for link failures and active hacking attacks.
Re hacking, who says voting has to rely on computers? See https://xkcd.com/2030/ Of course non-computerized voting systems are also subject to hacking. But it's harder to automate, and harder to hide, just as before computers spies could steal secret information, but couldn't steal millions of pages of it at once.
> Has anyone else considered these kinds of problems?
Of course. For instance it's a perennial topic on the Risks Digest, which has been running for 35 years, making it perhaps the oldest still extant email list. Note that even if there's an easy and foolproof solution, that doesn't mean that it will be implemented if those in charge prefer the flaws in the current system. For instance they've been simultaneously making government-issued ID harder to get, and required for voting. Here in Virginia, the ID requirement was recently abolished, but the online portal for requesting an absentee ballot won't let you submit the request unless you provide the serial number on your current ID. Analogously, there's an obvious solution to the many forensic lab scandals: Double-blind testing. Never tell the techs what samples the prosecutors want to match what other samples. But since prosecutors run the system, that will never happen. Some labs are actually paid per conviction, which is an enormous conflict of interest. And some are overworked to the point where it's physically impossible to actually run all the tests.
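As an added illustration (this is not code from the thread or from either poster), the following Python toy model exercises the three mechanisms discussed above: injecting a known number of test ballots and subtracting them, casting those test ballots for a non-existent candidate so they cannot be confused with real votes, and publishing (serial, choice) records so each voter can check their own ballot. The candidate names, the sentinel name, the serial format and the "drop every n-th ballot" link model are all constructed assumptions.

```python
from collections import Counter
import secrets

# Assumption: a sentinel name that can never appear on a real ballot.
SENTINEL = "__TEST_CANDIDATE__"


def make_ballots(choices):
    """Turn a list of candidate choices into (serial, choice) records.
    Serials are random; the voter is expected to note theirs down."""
    return [(secrets.token_hex(8), choice) for choice in choices]


def lossy_link(ballots, drop_every=None):
    """Constructed model of the voting network: optionally drops every
    drop_every-th ballot regardless of content (a link failure, not a
    candidate-aware attack)."""
    if not drop_every:
        return list(ballots)
    return [b for i, b in enumerate(ballots, 1) if i % drop_every]


def tally(received, expected_test_count):
    """Count ballots, pull the sentinel votes out of the totals, and compare
    the number that arrived with the number injected. Returns (counts, report)."""
    counts = Counter(choice for _, choice in received)
    test_received = counts.pop(SENTINEL, 0)
    report = {
        "test_expected": expected_test_count,
        "test_received": test_received,
        "link_ok": test_received == expected_test_count,
    }
    return dict(counts), report


def real_candidate_test_conclusive(counts, candidate, n_test):
    """The objection raised in the thread: test votes cast for a *real*
    candidate only prove loss when that candidate's total falls below the
    number of test votes; otherwise nothing can be concluded."""
    return counts.get(candidate, 0) < n_test


def publish(received):
    """The public record: serial -> choice, with no voter identity attached."""
    return {serial: choice for serial, choice in received}


def voter_check(published, serial, choice):
    """Voter-side lookup: True only if the serial is present with the choice
    the voter remembers casting (detects a dropped or altered ballot)."""
    return published.get(serial) == choice


def run_election(real_choices, n_test, drop_every=None):
    """End to end: cast real ballots, append n_test sentinel ballots, pass
    everything through the link, tally, and publish the received records."""
    cast = make_ballots(real_choices) + make_ballots([SENTINEL] * n_test)
    received = lossy_link(cast, drop_every)
    counts, report = tally(received, n_test)
    return cast, publish(received), counts, report


if __name__ == "__main__":
    choices = ["A"] * 12 + ["B"] * 8  # constructed sample electorate
    for drop in (None, 5):
        cast, published, counts, report = run_election(choices, 5, drop)
        missing = [s for s, c in cast if not voter_check(published, s, c)]
        print(f"drop_every={drop}: counts={counts} report={report} "
              f"ballots voters would find missing={len(missing)}")
```

With a clean link the sentinel count matches and the real totals are exact; with every fifth ballot dropped the sentinel shortfall flags the link even though no candidate total alone would reveal it, and the voters whose serials vanished from the public record can see it for themselves. The model does not address the two downsides raised in the reply (coercion via the serial, and false claims of a missing vote) or ballot-box stuffing, which the published record cannot detect on its own.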