Well the term e2e has a bit of a sordid history. We (parts of the research community) picked it up after the EAC introduced it in the 2005 Draft VVSG. We were glad to have a proposal for a common term to encapsulate the notion, though EAC’s definition was a sort of an information system design framework.

The academic literature distilled out the three integrity properties (the ones you list) later. So in that sense, the term has evolved into something more general.

Then in the 2007 draft VVSG, the term was completely removed, which I found frustrating. I understand they just couldn’t arrive at solid enough definition. Now I hear that in light of the various research successes, they’re taking an interest in the term once again, so they may resurrect it.

We’ve pondered many replacement terms, but have sort of just stuck with it partly due to precedent.

Thank you also for the cite to your paper. I’ll read it soon.

Transparency of election systems natural analogous to the concepts of self-government. As we elect representatives to conduct our business, and hold them accountable via elections (and by writing letters, and engaging in protests, and acting as jurors, and…), we also implicitly “elect” voting systems. Or, rather, our representatives (or people appointed by our representatives, or people who lobby our representatives…) choose them. But, unless those systems are transparent, we have no analogous way to hold them accountable; yet those systems control the outcomes of elections — the most important means of holding our representatives accountable; you see the Gordian Knot.

At present, we push around (instead of cut) this knot largely by delegating supervision of our elections systems to public officials and, especially with electronic systems, to vendors, “test labs” and other experts. But that’s effectively delegating to a small group of experts the ability to determine our elections’ outcomes. Human nature being what it is, I think that this is certain eventually to cause (big) problems, if indeed it hasn’t already. We need some real checks and balances on our elections systems, and I believe the only way we can get them is to use transparent systems, and to encourage the general public assiduously to supervise them.

One of the problems with computational systems is that only a tiny sliver of the general public can effectively supervise them. Some crypto techniques attempt to improve this situation by providing a receipt that a voter can use to determine whether her votes were recorded as cast [1], and other data that a observer can use independently to collate the election. But, as I noted earlier, these techniques do not prevent an attacker from using a variety of other methods to corrupt an election, some of which are created by the crypto techniques themselves. Crypto thus gives the appearance of transparency, but only a modest portion of its substance; there’s still plenty of hidden machinery whose proper operation is required for elections’ integrity, but which ordinary citizens can’t possibly supervise.

Backing up a little, we should think long and hard before doing things that encourage the public to delegate the conduct of elections to experts. As with the jury, but even more so, I think Liberty rests upon the general public’s effective supervision of elections.

[1] (But that she can’t use to prove how she voted to a third party).

You mention non-computational alternatives. I just want to take the opportunity to point out that the notion of end-to-end verification is something that is bigger than the technology that implements it.

ThreeBallot for example—e2e, no computers (well mostly). At little cumbersome for the voter. I wrote a paper recently that gives another example:
http://www.site.uottawa.ca/~aesse083/papers/aperio-WOTE.pdf

Again, E2E, no computers. Are there more procedures to follow? Yes. I just wanted to make the point that e2e is an integrity standard, and “crypto voting” is just one way to realize it.

“There is a common perception — particularly among the general public — that cryptographic voting systems are “secure”, full stop”

I’d love to meet these people! As someone working on said systems, my personal experience has been staunchly the reverse!

Jon:

Hard to talk about a weakest link. There are many aspects, and certainly I don’t favor basic electronic systems either. I like paper ballots… I’ve been a returning officer in these kinds of elections. They’re pretty good.

However the weak link that I’ve taken an interest in is the notion that somehow the development of the democratic process climaxed in the 1870’s and that there’s really no new directions to explore, no new properties that could be desirable, and no solutions solutions can be found, thank ye very much.

I’m not referencing present company of course, but rather the other side of coin to the folks Ronald was mentioning—that paper ballot systems are “secure”, full stop.

Voter confidence is another matter altogether, and too often is perceived as a goal in itself (or even the primary goal of elections), rather than as an effect arising from the use of the most secure and transparent election systems and procedures. Voters too easily become confident in bad systems (e.g., the initial reactions to touchscreens), and too easily lose confidence in basically good systems (e.g., the reactions to Florida’s punchcard ballots), depending upon the prevailing rhetoric.

I do not believe that cryptographic methods can rescue computational vote presentation, selection, and recording systems; I think, instead, that they open up new avenues of attack (e.g., social engineering of the voter-machine protocol) while giving the false impression that crypto-assisted computational systems are “secure” (full stop).

Cryptographic methods might be able to practically enhance the security of hand-filled paper ballot systems (e.g., Punchscan). Though, as with computational systems, crypto methods open hand-filled paper to social-engineering attacks, such attacks probably will be less effective than those against computational systems, because the paper can’t interactively mislead the voter, and it can (maybe) effectively be audited before use.

I think the incoming administration should focus on improving election security and transparency by developing proper oversight procedures for administering hand-filled paper ballot systems. This oversight should include, at a minimum, precinct counts, general-public supervision of ballot handling, and statistically-supported hand audits. The administration should actively discourage the use of computational ballot presentation, selection, and recording systems except when needed to permit disabled voters to vote independently. Even then, the administration should prefer non-computational alternatives, e.g., the Vote-PAD, http://www.vote-pad.us .

There is no confusion. The issue is what crypto systems do for overall security in actual general-public elections for governmental offices, not how crypto systems implement a protocol that is theoretically secure under a highly-restricted set of conditions. Unfortunately, there is a common perception — particularly among the general public — that cryptographic voting systems are “secure”, full stop. [1] My post aimed to dispel this perception by describing some of the ways an attacker might sidestep a crypto system’s security guarantees — and, not coincidentally — avoid bumping the weather-vane while she does so.

[1] It doesn’t help matters that some crypto-voting practitioners, e.g., http://www.votehere.net/old/default.php , use rhetoric that promotes this kind of thinking (”VoteHere has developed election technology that let’s [sic] you prove that your vote was counted as you intended, while allowing anyone to audit the election results. This unique, groundbreaking technology meets the same audit standards of banking, express shipping, e-commerce, and other transactions people trust every day.”)

Not clear what your criteria is here, but Punchscan, Bingo Voting and Pret-a-Voter have all be used in small-scale binding elections.

With respect to end-to-end verification, some of the comments seem to be confusing physical security and robustness aspects with the notion of verifiability. Clearly cryptography does not prevent shoulder surfing and DoS, nor does it claim to.

Just as digital signatures are not “tamper proof” (they are merely tamper evident), let us not over state the purpose of e2e: as a weather vein of integrity, not a breakwater. It is not offered as a substitute to policy–merely a tool thereof.