> If a vendor did a proper job of constructing a machine that conformed to
> the VVAT spec, then open source would not be required *at all*. The
> voter gets to verify the paper ballot before it is deposited in the
> ballot box, and external observers can physically inspect the ballot box
> and the discard box to ensure that the right number of ballots are
> deposited into each box.

But surely a paper trail is inferior to a cryptographically secure voting system? It's easier to verify millions of cryptographic signatures than millions of pieces of paper.

> OTOH, if the machine does *not* conform to the VVAT spec, then open
> source is nowhere near sufficient to assure fair balloting, because the
> vendor could supply source code all over the place, and then just
> install trojan code at the last moment.

So long as the mathematical scheme by which the votes were entered and counted was itself secure, it matters not what the machine does. It will either produce valid results or obviously invalid results. All you have to do is devise the scheme so that it is computationally infeasible to produce invalid, but valid-looking, results. This is not a difficult mathematical problem.

> And that is the fundamental problem with all-electronic (no paper trail)
> voting: a human observer on the outside cannot tell what is going on in
> the chips and disks.

Doesn't matter. You can't tell what's going on in the chips and disks when you connect to 'https://www.amazon.com', but you can tell whether you reached the Amazon server or not (assuming you trust the certificate issuers). Similarly, one can develop voting schemes (it isn't even difficult) where it is not possible for the chips and disks to produce invalid results that would pass automated inspections that anyone could do.

> You can get all the tripwire/opensource/checksum
> report crap you want, but if a bad guy got access to the machine and
> installed a trojan, then your reports are all a pack of lies, and no
> amount of election observing by anyone will help.

Exactly.

> That is why the VVAT is the one and only answer to fair digital voting.
> Open source is a distraction.

I think the solution is mathematical. Devise schemes such that it's not possible for a machine to produce valid-looking, but not valid, results. This is not only not difficult, but already done. Even apparently contradictory requirements are not really contradictory. For example, there are schemes in which a person cannot prove how they voted, yet can prove that their vote was not counted for the correct candidate if it in fact was not.

DS
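As an added illustration of the point DS makes above (a machine that cannot publish invalid-but-valid-looking results, plus a voter who can detect that their own vote was dropped), here is a deliberately minimal Python sketch. It is not code from this thread and not any particular published voting scheme: every ballot is a SHA-256 commitment to (nonce, choice), the tallying machine publishes the commitments, their openings and the tally, and anyone can recount. The candidate names, the ballots and the two tampering functions are constructed for the demo. Because the openings are published, this toy is not ballot-secret; it shows only the public-verifiability half of the argument, not the receipt-freeness DS mentions in the last paragraph.

```python
# Added example (not from the thread): a minimal publicly verifiable tally
# built from hash commitments. Demonstrates that a tallying machine cannot
# publish a tally inconsistent with the posted ballots without detection,
# and that a voter can detect their own ballot being swapped out.
import hashlib
import secrets
from collections import Counter

CANDIDATES = ("alice", "bob")  # constructed sample candidates


def commit(choice: str, nonce: bytes) -> str:
    """SHA-256 commitment to a ballot choice under a random nonce."""
    return hashlib.sha256(nonce + b"|" + choice.encode()).hexdigest()


def cast(choice: str) -> dict:
    """Voter side: choose a nonce, commit, and keep the commitment as a receipt."""
    nonce = secrets.token_bytes(16)
    return {"choice": choice, "nonce": nonce, "commitment": commit(choice, nonce)}


def machine_publish(ballots: list) -> dict:
    """Honest machine: post the commitments (bulletin board), the openings
    and the tally it claims."""
    board = [b["commitment"] for b in ballots]
    openings = [(b["choice"], b["nonce"]) for b in ballots]
    tally = dict(Counter(b["choice"] for b in ballots))
    return {"board": board, "openings": openings, "tally": tally}


def voter_check(receipt: dict, board: list) -> bool:
    """A voter checks that the commitment they were given is on the board."""
    return receipt["commitment"] in board


def public_verify(published: dict) -> bool:
    """Anyone recomputes: each opening must match its commitment, each choice
    must be a real candidate, and the recount must equal the claimed tally."""
    board, openings, tally = published["board"], published["openings"], published["tally"]
    if len(board) != len(openings):
        return False
    recount = Counter()
    for c, (choice, nonce) in zip(board, openings):
        if choice not in CANDIDATES or commit(choice, nonce) != c:
            return False
        recount[choice] += 1
    return dict(recount) == tally


def tamper_tally(published: dict, winner: str) -> dict:
    """Constructed attack: the machine lies about the count but leaves the
    posted ballots alone. Detected by public_verify."""
    bad = dict(published)
    total = sum(published["tally"].values())
    loser = [c for c in CANDIDATES if c != winner][0]
    bad["tally"] = {winner: total, loser: 0}
    return bad


def tamper_ballot(published: dict, index: int, new_choice: str) -> dict:
    """Constructed attack: the machine replaces one voter's ballot with a
    freshly committed ballot for another candidate and recounts honestly.
    public_verify passes (the board is self-consistent), but the affected
    voter's receipt is no longer on the board, so voter_check fails."""
    nonce = secrets.token_bytes(16)
    board = list(published["board"])
    openings = list(published["openings"])
    board[index] = commit(new_choice, nonce)
    openings[index] = (new_choice, nonce)
    tally = dict(Counter(choice for choice, _ in openings))
    return {"board": board, "openings": openings, "tally": tally}


def demo() -> dict:
    """Run the honest case and both attacks; return the verification outcomes."""
    receipts = [cast(c) for c in ("alice", "alice", "bob")]
    published = machine_publish(receipts)
    swapped = tamper_ballot(published, 0, "bob")
    return {
        "honest_verifies": public_verify(published),
        "honest_voters_ok": all(voter_check(r, published["board"]) for r in receipts),
        "lied_tally_verifies": public_verify(tamper_tally(published, "bob")),
        "swapped_ballot_verifies": public_verify(swapped),
        "swapped_voter_ok": voter_check(receipts[0], swapped["board"]),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The two attacks show why both checks are needed: a recount by any observer catches a machine that misreports the count, while only the voter's own receipt check catches a machine that quietly replaces a ballot with an internally consistent fake. Real schemes replace the published openings with zero-knowledge proofs or homomorphic tallying so that the same checks work without revealing individual votes.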