I'm replying since you seem interested, but this most likely is my last entry in this thread. Mine, too. It occurs to me now that you may think that the main point of my critique was directed at your actual election practices, as opposed to the theoretical design problem we were originally offered. I apologize if that was the case, as no critism was intended.

The fewer ballots that are spoiled, the greater the odds that they can be used to identify a voter. In the theoretical framework I had outlined, a ballot is only ever spoiled if the ballot printing machine makes an error: the verifier is designed to catch that. This impact is lessened in a paper ballot scenario, where more ballots are probably spoiled.

I made and make no such guarantee. Like most human endeavors, voting is conducted with finite resources: time, money, space, honesty. We have to do the best we can with the resources at our disposal.

Certainly. When designing a voting system, one needs to be very concious of every possible flaw, in an attempt to build in as much security as possible. When implementing an existing system, you just have to do the best you can. Again, my point was one of electoral design, and not intended as a commentary on how your election was actually run.

Ytrew:Voter anonymity is more important to the voter than to any given party. Trammel:That's an interesting assertion.

The voter is the one who risks the physical damage by the bad people with big, nasty objects if his vote isn't anonymous. Or so the voter intimidation rationalle in support of anonymity runs... If the election is already decided, it may be that none of the party members have a personal stake in the matter, if Joe Voter risks gettings his legs broken for having voted wrong. Joe Voter, on the other hand, certainly does have an interest in preventing this. Again, this is analysis, not commentary: the best solution is just not to have Bad People(TM) around, and if that's the case, you're fine.

If you feel so strongly about it, you might decide to contact your local representative to try to enact these changes. I don't. I stand by my design principle, but I certainly wasn't trying to tell you how to run your actual elections. I don't even live in the same country as you do. I'd have to find out exactly what my area's electoral rules are before I start telling people to change them. :-)

Just to underscore the theoretical aspects, here's my most secure design concept yet. Hopefully, it will not become the wave of the future! Consider this:

Every voter removes all their clothing and personal effects, and locks them in a locker. He is taken to a screening room, and a full body cavity search is done. He is then escorted to the next room, where he is issued a single voting token. Each voting token is an uniform size, shape, and weight. The weight of the token is verified on a carefully calibrated scale before it is handed to the voter. He then carries his token into the voting room. Behind a screen, he finds drop boxes labeled with candidate names. Each box has a slot which he can drop his token into to vote for that candidate. All of the boxes rest on a platform, which rests on a very accurate scale, set to zero when the election starts. If the scale doesn't go up by exactly one unit when the voter drops his token in, the voter is held for police questioning, and everyone involved in running the election must give police statements in an attempt to track down any electoral fraud attempts. The whole election is called again, once the flaw in the process is discovered. After successfully casting his ballot, the voter moves into the branding room, where a unique permanent identifer is added to his body, indicating that he has voted. The identifier is recorded in the logs to prevent any re-voting attempt. The voter then proceeds to the holding area, where he remains until the polls close. He may then collect his clothing and personal effects, and leave. At the end of the election, the boxes are weighed, and the candidate with the heaviest box wins. The tokens are then manually recounted. The boxes and scales are carefully examined by scrutineers before the election, and after.

If the election is declared to be in order, a perl program is used to publish the results to the Internet. :-)

People keep telling me that I want freedom at any price, but so far, I don't believe them. :-) This is the most physically secure voting system I can think of, (ballot stuffing through sleight of hand becomes *very* difficult, for instance ) but it has severe user-acceptance issues, starting with me, it's creator. I certainly don't advocate it's actual usage, though it would be hard to find a less draconian system that is secure against the same sorts of attacks.

In all seriousness, thanks for the discussion, trammell, and hopefully I didn't cause any offense. None whatsoever was intended.

--
Ytrew