Yesterday there was an interesting talk on e-voting @metalab by Goesta Smekal. In the discussion, the audience mostly agreed that e-voting shouldn’t be used because we can never be sure that a machine isn’t modified to do something different from correctly counting votes.

That there may be an incentive to win an election by cheating was pointed out by Bruce Schneier in “Stealing an election” in a 2004 Cryptogram newsletter. Now it’s an old hat that it is possible to hide rogue code that won’t be found by inspecting the source-code since in 1984 Ken Thompson published the computer science classic Reflections on Trusting Trust. Recently it has even been possible for researchers to build malicious hardware — with the budget of a university research lab. Open Source in this case is not an answer to the problem: We can’t be sure that the machine is running our software.

So the question is really: How can each voter be sure that the election is carried out correctly. For inspecting a voting machine — even if this would be theoretically possible and the papers cited above indicate that it’s probably not possible — we need an expert — who can be bribed. With paper ballots an untrained observer can convince himself that the election process is correct. Attacks on the system come at high costs and are detectable with a high probability. So let’s stick to the proven distributed algorithm of casting paper ballots.