Schneier on Security
A blog covering security and security technology.
October 30, 2006
A Better Voting Machine
David Wagner and Ed Felten design a better voting machine.
Posted on October 30, 2006 at 8:36 AM
• 56 Comments
I've always wondered why everybody assumes that electronic voting machines need to be computers loaded with software. While the process of creating a secure voting system is difficult, the task of an individual voting machine is relatively simple. Present the user with clear choices, and record one of those choices (in a verifiable manner). It seems to me that you could build a good voting machine from a set of one-time-programmable ICs. Such a machine would be immune to software tampering, and could be made immune to hardware tampering, at the cost of the ability to make repairs to it. It might even be cheaper to manufacture.
Has anyone produced a set of "better election laws" to go with this?
"Cryptographer David Chaum has proposed one solution (.pdf) that involves voters receiving encrypted receipts that they would compare to final results posted on a website after the election. But the scheme is too technical for election officials to understand and follow, say Felten and Wagner, and too burdensome for voters to bother with."
This is exactly what is available to me as a Dutch expat performing Internet Voting in the upcoming Dutch general elections this November.
The internet voter gets a receipt with a MAC one-way hash computed from his actual vote and his identity (voter reg ID), and he will be able to check on a website that lists all votes (hashes) after the elections whether his vote has been counted. This allows the voter himself to verify his vote, as well as 3rd parties to observe all votes.
Dutch language link to FAQ: http://lnk.nu/kiezenuithetbuitenland.nl/brc.asp
(Babelfish knows Dutch, but seems to choke on the page.)
English language link to technical paper on the system: http://www.cs.ru.nl/icis/Research/reports/full/...
The system won the United Nations Public Service Award in the category 'Improving transparency, accountability and responsiveness in the Public Service'.
I'm almost inclined to go with a system that only has a single lockable CD drive. No hard drive or other external ports that aren't required for voting. The OS and voting software is all on the CD and the CD-ROM drive won't operate until locked.
It would even be possible to burn each CD with a code that would only allow it to run on a specific voting system.
The boot process requires the entry of a key sequence that is provided to the poll workers on the voting day via a separate production channel. (again, more checks)
The paper ballots should be a jam-proof stock/weight. I do not think the ballots need to be 'regulation size', since they could be narrowed and elongated. I'm inclined to recommend large rolls of perforated ballots, rather than single sheets. Again, some verifiable process should audit the preprinted ballots before they are sealed and delivered, preventing voting marks from being introduced by the printing process.
I like the idea of a large hash given to each voter to allow them to verify that their votes were counted correctly. Anonymity is critical. Maybe a GUID/UUID sticker would suffice for this and be generated during registration/check-in.
I keep coming back to "what problem are we trying to solve?"
It mostly seems to be getting results out faster. It cannot be hanging chad because there are cheaper ways (e.g. optical scanners). Maybe accessibility, but there must be cheaper ways (e.g. braille ballots for optical scanners). We are placing the whole system in jeopardy at great expense for little reason (except to line someone's pockets).
I'm still not convinced that EVMs are the way to solve the problem. I've been hearing anecdotal stories of folks in heavily populated areas doing hand counts of ballots and getting results out quickly.
It's a question of having enough people to tally votes. For all the money we're spending on EVMs, we can hire some of the 4.6% who are unemployed to count votes.
The voting machine is only part of the problem. Elections are won by the totals, not the ballots. If 40% of the electorate turns out to vote for Frick and 41% turns out to vote for Frack, we can still have Frank win by 200% of the vote.
While everyone worries about ballots not being faithful, they seem to take the transfer of totals as not vulnerable to cheating. The 'end game' is obviously the best place to cheat, since the winners get into office and can then stall the investigation into election rigging until the public loses interest and gives up. Until the next election rolls around.
I'm not sure why you consider accounts of hand counts in a speedy manner as "anecdotal evidence".
In the UK voting is done by marking an X on a piece of paper and placing it in a ballot box.
At the close of the polls all of the ballot boxes are taken to central counting locations where they are manually counted.
The UK has a Population of around 60 Million, and while the final counts may take a few days to complete the majority of districts declare their results overnight.
Given that this can be done in the UK I don't see why this can't be done in the US. In some areas it might need to be more distributed with more local counting results being aggregated at a higher level.
I feel the e-voting issue is moot already and is being outstripped by events. Where I live in Washington State, elections are going to be very soon done on all mail-in ballots. I won't have the option to vote on a machine anyway. That may not be the trend out on the East Coast. So what is the security/fraud protection that I can count on for that? Local governments apparently are saving money on this too. Seems like an unstoppable trend.
it sounds to me like the system you are describing enables coercion and vote selling, because you can prove to somebody else how you voted. This should not be possible.
AFAIR Chaum's scheme prevents this. Can somebody verify this please?
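The receipt scheme described in the Dutch expat's comment above (a hash over the voter's registration ID and vote, posted on a website after the election) and the coercion concern raised in this comment, as an added example in Go. This is not code from the page, from the Dutch system or from its technical paper. It assumes a plain SHA-256 over the two fields for the "one-way hash" reading of the scheme and an HMAC-SHA256 under an authority-held key for a keyed variant; the voter IDs, candidate names and key are constructed sample data.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
)

// Ballot is what the authority holds before publishing: who voted and how.
type Ballot struct {
	VoterID string
	Vote    string
}

// ReceiptFunc maps (voter ID, vote) to the receipt string the voter takes home.
type ReceiptFunc func(voterID, vote string) string

// PlainReceipt is the unkeyed "one-way hash of identity and vote" reading of
// the scheme (assumption: SHA-256 with a zero-byte separator between fields).
func PlainReceipt(voterID, vote string) string {
	h := sha256.New()
	h.Write([]byte(voterID))
	h.Write([]byte{0}) // separator so "ab"+"c" and "a"+"bc" hash differently
	h.Write([]byte(vote))
	return hex.EncodeToString(h.Sum(nil))
}

// KeyedReceipt is the same construction under an authority-held key (HMAC).
func KeyedReceipt(key []byte) ReceiptFunc {
	return func(voterID, vote string) string {
		m := hmac.New(sha256.New, key)
		m.Write([]byte(voterID))
		m.Write([]byte{0})
		m.Write([]byte(vote))
		return hex.EncodeToString(m.Sum(nil))
	}
}

// BuildBoard is what the authority posts: every receipt, sorted, with no
// voter IDs or votes alongside.
func BuildBoard(rf ReceiptFunc, ballots []Ballot) []string {
	board := make([]string, 0, len(ballots))
	for _, b := range ballots {
		board = append(board, rf(b.VoterID, b.Vote))
	}
	sort.Strings(board)
	return board
}

// OnBoard is the voter's check: is my receipt in the published list?
func OnBoard(board []string, receipt string) bool {
	i := sort.SearchStrings(board, receipt)
	return i < len(board) && board[i] == receipt
}

// RecoverVote is the coercer's check. Holding a receipt and the voter's ID,
// try every candidate: the receipt function is deterministic and the candidate
// list is tiny, so a match reveals how the voter voted.
func RecoverVote(rf ReceiptFunc, receipt, voterID string, candidates []string) (string, bool) {
	for _, c := range candidates {
		if rf(voterID, c) == receipt {
			return c, true
		}
	}
	return "", false
}

func main() {
	candidates := []string{"Candidate A", "Candidate B", "Candidate C"}      // constructed
	ballots := []Ballot{{"NL-0001", "Candidate A"}, {"NL-0002", "Candidate C"}} // constructed
	board := BuildBoard(PlainReceipt, ballots)
	r := PlainReceipt("NL-0001", "Candidate A")
	fmt.Println("voter finds receipt on board:", OnBoard(board, r))
	v, ok := RecoverVote(PlainReceipt, r, "NL-0001", candidates)
	fmt.Println("coercer recovers vote from plain receipt:", v, ok)

	kr := KeyedReceipt([]byte("authority-secret-key")) // constructed key
	_, ok = RecoverVote(KeyedReceipt([]byte("coercer-guess")), kr("NL-0001", "Candidate A"), "NL-0001", candidates)
	fmt.Println("coercer recovers keyed vote without the key:", ok)
}
```

The keyed variant only moves the problem rather than solving it: whoever holds the key (the authority, or anyone it leaks to) can run the same brute force, and the voter can no longer check what a receipt encodes without that party. A receipt that is a deterministic function of identity and vote is therefore a proof of how one voted to anyone who obtains it, which is exactly the vote-selling objection; receipt-freeness needs a construction in which the voter cannot reproduce the link.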
Sorry, sort of meant that I wasn't doing the legwork and finding references.
Thanks for setting me straight!
I would point everyone to two things. First, India has an electronic voting system that is simple and fairly robust. Their system could not have many of the issues that we are now faced with: http://en.wikipedia.org/wiki/...
Second, some of the potential solutions mentioned in the article, such as audits, nonremovable software, and simplification, have been implemented in a somewhat different arena: gambling. If you want to learn how to enforce standards on this kind of system, the Nevada Gaming Commission is probably a good place to start.
From the article: "Why can't the voting machine companies get it right?"
Because these companies are paid to control the election, not deliver what the voters choose.
"I keep coming back to 'what problem are we trying to solve?' It mostly seems to be getting results out faster."
Not in my jurisdiction, at least. We have been told that we will not be getting election results any faster with the new system.
"We are placing the whole system in jeopardy at great expense for little reason (except to line someone's pockets)."
Bingo. The problem actually being solved is "Voting machine manufacturers do not have enough money." At least on a federal level. On the local level, the problem being solved seems to be "We need to find somebody else to pay for this."
There are a dozen other reasons to do this, of course, but as far as I can tell all of them have a simpler and better solution.
Electronic voting is needlessly complicated, even when it's designed with security in mind. My favorite voting system has paper ballots (which are scanned and posted on a Web site) and anonymous receipts which must be traded with someone else before leaving the polling station. This prevents votes from being deleted or changed en masse, and also ensures that the totals are accurate and verifiable. There's no need for computers, cryptography, trusted independent observers, or any other complex subsystem which could be subverted.
aikimark / anonymous,
The point I wanted to make in my earlier comment was that voting machines don't need to have an OS. They don't even need to have software. Electronic != Computer. Electronic devices operate using the laws of physics just like punch machines, just like pen and paper. They can be manufactured such that they will do one thing, and only that thing whenever they are used. Thus, there is no inherent problem with electronic voting machines. What is a problem is trying to turn a general-purpose computer into a voting machine.
I agree with your second point; many of the issues with voting terminals were solved in VLT (slots owned by a government) industry a decade or more ago. Of the issues that aren't directly addressed, many are very similar (for example, you don't want the wrong person changing the value of a coin, just as you don't want the wrong person entering in the ballot).
> Has anyone produced a set of "better
> election laws" to go with this ?
No... The properties which academia would like to ensure are incredibly strong. For example Kremer and Ryan define "Privacy: the fact that a particular [voter] voted in a particular way is not revealed to anyone." This of course conflicts with the UK requirement that dictates all ballots must be linkable (in a court of law [but also by corrupt officials]) to a voter. This is an odd legal requirement, but it does exist in UK law (and to the best of my knowledge, nowhere else).
Steve Kremer and Mark D. Ryan (2005). "Analysis of an Electronic Voting Protocol in the Applied Pi Calculus." In Proceedings of the European Symposium on Programming (ESOP'05), Lecture Notes in Computer Science, Springer. ftp://ftp.cs.bham.ac.uk/pub/authors/M.D.Ryan/04-eVoting.pdf
My son in Pittsburgh sent me the link:
Oddly enough, this is not a Dave Barry article.
And, yeah, maybe these machines are too damn complicated. We should go back to rocks, perhaps throwing them at the person we DON'T want elected.
I too like David Chaum solution that "involves voters receiving encrypted receipts that they would compare to final results posted on a website after the election."
But I do not understand, the following statement:
"But the scheme is too technical for election officials to understand and follow, say Felten and Wagner, and too burdensome for voters to bother with."
One would think that by this time, humans would stop engaging in the silly tradition altogether; instead they focus all their attention on making sure the theft is done as efficiently as possible.
"He says a machine that would recognize the hash of a software program could prevent a program from running on the machine if its hash doesn't match the approved one."
Why does he propose using hashes for something that digital signatures are designed to solve?
How about: "the machine would only run code signed by the voting company, and the state election official."
The argument that the code-base must be small is a non-starter. It's long for a reason. Those lines correlate to features. Some are the GUI, some are tallying votes, some are auditing, some are security, some are communication, some are "click here to change languages", etc.
In fact, if the code-base is forced to be kept small, but the feature list grows, you will find developers taking design short-cuts to keep the LOCs down and you will get messier spaghetti-code which will be harder to verify [remember all the tricks from back when memory was short -- self-modifying code, anyone?].
The argument should be: feature lists are kept small, and programs are modularized and robustly designed.
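The contrast drawn in this comment, a machine that recognizes an approved hash versus a machine that only runs code signed by both the vendor and the state election official, as an added example in Go. It is not code from the page, from the Wired article, or from any voting-machine vendor. It assumes Ed25519 signatures over the SHA-256 digest of the image, a policy that requires both signatures, and constructed keys and image bytes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// HashPolicy is the "machine recognizes the hash" approach: it stores the
// digests of approved builds and runs nothing else. Every new build means a
// new digest has to be distributed to, and installed on, every machine.
type HashPolicy struct{ approved map[[32]byte]bool }

func NewHashPolicy(images ...[]byte) HashPolicy {
	p := HashPolicy{approved: map[[32]byte]bool{}}
	for _, img := range images {
		p.approved[sha256.Sum256(img)] = true
	}
	return p
}

func (p HashPolicy) Allows(image []byte) bool {
	return p.approved[sha256.Sum256(image)]
}

// Signer stands in for a party that approves builds (vendor, state official).
type Signer struct {
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewSigner() Signer {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // constructed keys
	if err != nil {
		panic(err)
	}
	return Signer{Pub: pub, priv: priv}
}

// Sign signs the image's digest: a signature is the hash plus a statement of
// who approved it, which is the thing a bare hash allowlist lacks.
func (s Signer) Sign(image []byte) []byte {
	d := sha256.Sum256(image)
	return ed25519.Sign(s.priv, d[:])
}

// SignedImage is what ships to the machine.
type SignedImage struct {
	Image     []byte
	VendorSig []byte
	StateSig  []byte
}

// SigPolicy is the "only run code signed by the vendor and the state" approach:
// the machine stores two public keys and nothing per build.
type SigPolicy struct{ Vendor, State ed25519.PublicKey }

func (p SigPolicy) Allows(s SignedImage) bool {
	d := sha256.Sum256(s.Image)
	// Both must verify, so no single party can approve a build alone;
	// ed25519.Verify returns false for wrong-length or garbage signatures.
	return ed25519.Verify(p.Vendor, d[:], s.VendorSig) &&
		ed25519.Verify(p.State, d[:], s.StateSig)
}

func main() {
	vendor, state := NewSigner(), NewSigner()
	pol := SigPolicy{Vendor: vendor.Pub, State: state.Pub}
	build1 := []byte("voting-app build 1") // constructed stand-ins for images
	build2 := []byte("voting-app build 2")

	hp := NewHashPolicy(build1)
	fmt.Println("hash policy runs build 1:", hp.Allows(build1))
	fmt.Println("hash policy runs build 2 before the allowlist is updated:", hp.Allows(build2))

	dual := SignedImage{build2, vendor.Sign(build2), state.Sign(build2)}
	vendorOnly := SignedImage{build2, vendor.Sign(build2), vendor.Sign(build2)}
	fmt.Println("signature policy runs dual-signed build 2:", pol.Allows(dual))
	fmt.Println("signature policy runs vendor-only build 2:", pol.Allows(vendorOnly))
}
```

The two policies differ in who controls what runs, not in the strength of the hash. With an allowlist the per-machine list is the authority and has to be re-provisioned for every build; with signatures the keys are the authority, so key custody, the signing ceremony and a rule for revoking or refusing older signed builds become the things to audit. Neither policy says anything about whether the approved build is itself correct.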
What's wrong with paper?
Election systems have been getting hacked at least since ancient Romans sewed secret pockets in their togas to hold extra black or white stones to drop in the jars used for elections at the time.
No fancy machine or algorithm is going to fix what is fundamentally a human problem. It seems to me the keys are simplicity, transparency, and plenty of witnesses who understand the process -- all conspicuously missing from any possible electronic voting machine.
I propose simple paper ballots counted by hand. The hand counting process is simple. Children can master it. I think 5th graders would do nicely.
Let's have school children count the ballots as soon as the polls close, and post the counts on large charts on the wall as they are completed.
Kids could become active participants in the democratic process from an early age. There would be plenty of witnesses, for what parent could fail to watch their child perform such an important civic duty? And, as long as they were already at the polls, those parents might actually vote (their children would be watching, how could they not?)
Design? This is a wish list. Why not add "It should be pretty and give every voter a free pony!" at the end?
Seriously. Wagner and Felten are bright guys capable of coming up with specifics.
I see no design in the article.
I see some requirements, but I see neither a specification nor a design.
Requirements are necessary, and Wagner and Felten may have a design, but there's a lot of work between requirements and design.
While I agree with you on the basic idea that an "electronic voting machine" need not be a traditional PC derivative (or for that matter even a "computing device"), I do believe that you'd be hard pressed to keep the "whiz-bang" factor of fully networked PCs out of the decision room.
In point of fact, even if you wanted a "gee-whiz" display you could just use a simple microcontroller with publicly audited firmware and some simple storage (proper fail-safe power supply, etc) attached. The only reason that you don't see this all over the place isn't cost or effectiveness--it is that a couple of conditions haven't been met (which are all too important to the politicos):
1. It doesn't stand to make somebody filthy rich (by charging oodles of money for things which the client couldn't possibly understand long enough to demand their removal from the bill);
2. It doesn't LOOK COOL (yet);
3. It isn't made by some (already existing) company which has friends in high places;
4. It isn't being sold by somebody who doesn't know jack about microcomputers but could sell a Volvo to a tuna.
(I have some experience in programming microcontrollers, so perhaps it would be a fun experiment to build a small voting device--it'd take a little while, and wouldn't be really in my current budget, but why not.......I could do much worse.....)
I propose simple paper ballots counted by hand. The hand counting process is simple. Children can master it. I think 5th graders would do nicely.
Actually it's not simple. In practice, counts never come out the same twice, especially when there are a range of things on the ballot and voters may or may not vote all of them.
There was an article about these issues in Scientific American in Oct 04, you can download it if you subscribe to the digital edition.
"Voting may seem like a simple activity—cast ballots, then count them. Complexity arises, however, because voters must be registered and votes must be recorded in secrecy, transferred securely and counted accurately. One race between two candidates is easy. Half a dozen races, each between several candidates, and ballot measures besides—that's harder... The infamous 2000 U.S. presidential election dramatized some very basic, yet systemic, flaws concerning who got to vote and how the votes were counted. An estimated four million to six million ballots were not counted or were prevented from being cast at all"
I'm reminded of the old joke about election evening counting in a conservative New Hampshire town. About a half hour into the count someone encountered a ballot voting Democrat, a few puzzled looks and everyone went back to counting. An hour later, they hit another one and the counter exclaimed "the bastard, he voted twice"
Your joke reminds me of the time when I was on a team that recounted the primary presidential election of 1980 in NH. We sat at tables in a room and counted the state by hand. Each table had a representative from each candidate on the ballot to observe the recount. It was an interesting experience. No previous experience was necessary -- I think that everyone counting had passed 5th grade so we satisfied jayh's minimal qualifications. :-)
Totally agree with you. Here's what I would really like to see:
Get the head of a VLT/slot machine/etc. manufacturer & a retired head of one of the big gaming regulators together. Ask them about the kinds of vulnerabilities that arise and how they would design a voting system. I haven't seen an interview like this, and it's a shame. I would like to hear their perspective. They have the right kind of experience and knowledge to really contribute. I mean, they deal with major monetary incentives to cheat the system (casino modifying payout chips, for instance). Elections seem almost easy by comparison.
I've done some microcontroller programming / electronics design as well, so I know it's certainly feasible.
1. Hell, I'd be happy to build 'em and charge an arm and a leg for them.
2. You could make it look nice. It's not gonna be themable or anything, but it could be nice.
3, 4. Yeah getting people to buy 'em is a whole different matter. I'm just saying it can be done.
I fully understand that voting as a system is complex and difficult, and I'm not trying to suggest an answer to every problem. I'm simply saying that it's possible to have electronic devices for recording votes that are tamper-proof, short of physical damage as denial-of-service.
Elections Canada does a terrific job with a PAPER based system every 4 to 4.5 years. The votes are tallied and out before the next morning.
It works well, is simple and I pray to god that they NEVER, NEVER, NEVER even think of adopting anything like the systems in use down south of us.
In Finland we count votes by hand. We get results in a few hours. The procedure is totally scalable to any number of voters, foolproof, secure and allows any number of recounts.
No need for computers or other machines.
Good grief. One requirement is that you not be able to sell your vote by proving to yourself or someone else that you voted a certain way. Sure, this is mentioned as a side-point.
Quote from Article:
Cryptographer David Chaum has proposed one solution (.pdf) that involves voters receiving encrypted receipts that they would compare to final results posted on a website after the election.
There's another point about election systems that I don't think I've seen discussed (it is outside of the scope of the linked article.)
Eligibility to vote: any person who claims eligibility to vote, but who is not on the roll for some reason, should be able to record a vote, and have the vote later counted or not, based on a review of their eligibility. (Possibly one wouldn't bother, if the contested votes were insufficient in number to change the result.)
E.g. the contested voter fills in a ballot, which is placed in a sealed envelope with identifying information on it. All the contested votes are collected, eligibility determined (done purely on what is on the outside of the envelope plus external evidence.) Then the rejected votes are burned (never opened) and the accepted votes are all opened without looking at them, mixed in a big pile, then counted.
This isn't perfect, but it is much better than where many legitimate voters are disenfranchised because they were "accidentally" removed from the electoral roll.
Bruce - You are an expert in this area and most likely doing pretty well considering recent events. Why not start a company and make an appropriate voting machine and vote counting system. You have the credibility to get it to market.
Counter-pane Vote Counting??
Better than a voting machine:
Keep using paper ballots. Keep using optical scan if you want to, or hand-count. Ballot-marking machines (the original was the AutoMARK, ES&S's came later) are okay, but why spend the money?
I've interviewed town clerks whose entire annual election budget is a few thousand dollars, in handcount towns in rural parts of Massachusetts, who are very worried they'll be forced to buy voting machines. It's not just the initial expense, it's having to reprogram them for every election, upgrade the software, and get people with computer skills to service them. It could literally double, triple, or more, their annual spending on elections.
We don't need a better voting machine as much as we need fewer voting machines.
The secrecy of the voting procedure is indeed an important aspect. The wish list strangely omits to state that the electronic voting process should not produce EM radiation that can be exploited to remotely monitor the voting process.
The Netherlands just dismissed electronic voting machines for their upcoming elections based on EMC radiation emitted by ordinary touch screens.
Just to be clear, this is Wired's voting machine wishlist, written after talking to David Wagner and me. There's not a complete design here because Wired didn't ask us for one; nor would a full design have fit in a short article written for a general audience.
While reading a thread elsewhere on 'Mercan paper ballots, I came across an image of a ballot where the "fill in the arrow so the machine can count the vote" printing wasn't lined up with the candidates. I'm sure most of you have seen it or something like it. There's no excuse for that.
There were some issues here in Canada about ballots being unnecessarily (manipulatively?) rejected because of: writing the word "yes" or a checkmark rather than an 'X', or lines that travelled outside the circle where you're supposed to mark your choice, etc. It left too much discretion to the local elections officer.
This last standard ballot form from Elections Canada is quite good. You can write what you want in the circle, as long as it's clear what your intention was. You can even fill the circle in completely, write a checkmark, a "Yes!", a "Go Habs Go!", draw a line across the circle, whatever. The black areas were part of the latest redesign.
The detachable stub has a serial number - it's not on the ballot part of the, um, ballot. It's to ensure that only the piece of paper that was given to the voter is dropped into the ballot box. After marking your ballot, you return to the scrutineers and you remove the stub from your folded-over-to-keep-it-secret ballot and give it to the election officers. Then you can drop the ballot into the ballot box. You HAVE to use the pencil they supply - no preprinted/prevoted ballot forms are accepted.
It's been said here often enough: It's not the technology, or lack thereof that's the issue. It's the implementation.
The results start to come from the polls within a half-hour after their closing - they're counted by people sitting around a table. In fact, in federal elections, the election's winner is often called/declared by the media before the polls close on the West coast, because the count's so fast.
Pencil and paper. What it won't do, eh?
ps.: in Canada, have to work to make it illegal/very-difficult for corporations to make political donations in all jurisdictions.
Federally, parties are given monies by the government based on the number of votes they had in the previous elections (Around a dollar per vote, I think.) to reduce their dependence on corporate donors.
Ed: In other words, "I have a design for a voting machine which meets these requirements, but the margin of this Wired article is too small to contain it" ;)
Just keep in mind: recounts (other than very small elections) are almost ALWAYS different than the original count. This must say something. (what would one say about a database query that gave slightly different results each time it is run?)
not clear from my post above, I was referring to paper ballot elections.
> The hand counting process is simple. Children can master it.
In Switzerland citizens are conscripted to count votes. I had to do it and it was a lot of fun. Although there are definitely ways to cheat (I actually slipped in a vote after closing), there were so many eyes watching during this manual process that manipulation or mistakes are almost impossible.
My "Dream" voting system:
1) Voter is handed a blank ballot by an election worker.
2) Voter takes ballot to booth with large LED counter over entryway.
3) In the booth there is a touchscreen which allows voter to easily select candidates.
4) After voting, voter puts ballot into machine slot. Machine stamps the precinct number, machine number, and vote onto the ballot, then feeds it back out to the voter.
5) Voter verifies information, requesting a new ballot if any mistakes are noticed.
6) Voter feeds ballot back into machine, where a mechanism behind a transparent window
(A) Stamps it with a unique-per-machine hidden random number, termed the "Fingerprint" - should be at least 12 digits.
(B) scans the ballot.
(C) puts it at a random place in a stack of 20 ballots
(D) retrieves the topmost ballot from the stack
(E) increments the large LED counter above the booth
(F) stamps the current time and LED counter number on the ballot and
(G) returns this ballot to the voter to take home.
Voter can exit the booth and, if desired, compare the counter # on their ballot to the LED counter over the booth, ensuring that both are 1 higher than when the voter first entered the booth.
When voter gets home, she goes to a website* and enters the precinct number, machine number, and Fingerprint of her take-home ballot. She is presented with the:
1: Digital scan of the ballot
2: Interpretation of the vote
3: Chart of # votes cast / time of day for her machine.
4: Chart of # votes cast / time of day for her precinct.
*There would also be a 800 phone number which allows her to get #2 given the information she entered.
Side note: each machine is originally seeded with 20 blank ballots, having only precinct and machine information, but a large "VOID" over the voting area. Early voters who receive one of these need not verify much more than vote counts. At the end of the day, election officials will be responsible for verifying the remaining 20 ballots per booth.
Election officials can also verify that at the precinct level, the total recorded votes is the same as the votes per booth.
My early comment was that locally our election officials are saying all mail-in ballots are more secure. The main issue is not the security of the ballot or the machine, but the validity of the voter:
Why not make a completely electronic touch-screen voting machine which (using an "old style" pin printer, not a heat-sensitive-paper system!) prints out the vote on a paper scroll that passes and stops behind a control window, so the voters have to acknowledge that the right vote is being recorded. (It should therefore, as a special security feature, have a separately built-in hardware function that scrolls the roll back into the printer and overprints the lines with XXXXX, working *independently* from the OS software of the machine. Well, the voting machine constructors should, for the security of their systems, get away from just plugging standard components together and do some development of their own instead...)

After the vote is acknowledged by the voter, it prints out the verification ticket with the number of the vote using a separate printer and scrolls the paper scroll on into a sealed box, where the "hard copy" of the vote conclusion is stored for the maybe-purpose of further post-election control, which can be done by humans, in open public (which would be the "most democratic" way), or optionally even by a machine (thinking of OCR systems... when they can scan a whole book in less than 2 minutes, they should be able to scan a printed paper scroll as well... but machine-readability is optional anyway).

In the best case, the OS and voting application software of the voting machine should be open source software, so everyone who is able to do so can check it for inconsistencies in its source code. There should also be the possibility of comparing SHA1 checksums of both the software in use on each voting machine and the compiled package of the available open source software in its finally acknowledged version.
And: If there is an OCR scanning system being used for the hardcopy scrolls, this also should partially be open source: From the point of the computation of the RAW data scanned until the final OCR-output is converted into a database of counted votes for each candidate/party/whatever-to-vote-for, this also needs to be a transparent system.
Assuming I understood you right:
Turn up with > 20 people (ideally about 100 with about 20 really trusted people) each equipped with a specific identifiable (different) pattern to vote for. You will vary the coding of various minor (unimportant to you) ballots between each.
Put through the untrusted people first and collect take home ballots from each. Then the "trusted" (trustworthy ? :-) people next.
Pay your bribe to each person whose specific ballot pattern comes out on the take-home ballots in your group. Congratulations, you have just bought a large number of votes.
a) wait for people to forget to acknowledge votes. Go in immediately afterwards and press the reject button if you don't like the way they voted.
b) If it's on a paper scroll then it should be possible to get it to back out a bit and then either read people's votes (vote buying) or simply change them. Modifying the machine to enable this should probably not be too hard.
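The vote-buying attack sketched in this comment against the 20-ballot shuffle stack of the "Dream" voting system above, as an added simulation in Go. It is not code from the page or from the scheme's author. It models steps (C) and (D) of that design as: insert the new ballot at a uniformly random position in the stack, then hand out whatever ballot is on top. The stack size, the size of the ring and the random seed are assumptions.

```go
package main

import (
	"fmt"
	"math/rand"
)

// StackSize is the buffer of ballots the scheme keeps inside the machine.
const StackSize = 20

// Card is one ballot; Ring marks ballots cast by the vote-buying ring.
type Card struct {
	Serial int
	Ring   bool
}

// Machine holds the stack; index 0 is the "topmost" ballot that gets handed out.
type Machine struct {
	stack []Card
	rng   *rand.Rand
}

// NewMachine seeds the stack with StackSize VOID ballots (serials <= 0), as the
// scheme describes for the start of the day. The seed makes runs repeatable.
func NewMachine(seed int64) *Machine {
	m := &Machine{rng: rand.New(rand.NewSource(seed))}
	for i := 0; i < StackSize; i++ {
		m.stack = append(m.stack, Card{Serial: -i})
	}
	return m
}

// Size returns how many ballots are inside; it stays StackSize across casts.
func (m *Machine) Size() int { return len(m.stack) }

// Cast performs steps (C) and (D): insert at a random place, then return the top.
func (m *Machine) Cast(c Card) Card {
	pos := m.rng.Intn(len(m.stack) + 1)
	m.stack = append(m.stack, Card{})
	copy(m.stack[pos+1:], m.stack[pos:]) // copy handles the overlap
	m.stack[pos] = c
	out := m.stack[0]
	m.stack = m.stack[1:]
	return out
}

// RunRing sends n ring members through the booth back to back, each handing
// the take-home ballot to the ring. It returns how many of the ring's own
// ballots ended up in the ring's hands, i.e. how many bought votes the ring
// can check on the website afterwards.
func RunRing(n int, seed int64) int {
	m := NewMachine(seed)
	recovered := 0
	for i := 1; i <= n; i++ {
		if m.Cast(Card{Serial: i, Ring: true}).Ring {
			recovered++
		}
	}
	return recovered
}

func main() {
	for _, seed := range []int64{1, 2, 3} {
		fmt.Printf("ring of 100, seed %d: %d of their own ballots recovered\n", seed, RunRing(100, seed))
	}
}
```

The result does not depend on the randomness. The ring's n voters receive n ballots, and at most StackSize of those can be ballots that were already inside when the ring started, so at least n - StackSize of the ring's own ballots (80 of 100) come out into the ring's hands regardless of where the machine inserts them. Whatever ring ballots stay inside are handed to later honest voters, whom the ring cannot identify, which is the only part of the shuffle that actually costs the buyer anything.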
@ John B.
> Good grief. One requirement is that you not be able to sell your vote by
> proving to yourself or someone else that you voted a certain way. Sure,
> this is mentioned as a side-point.
> Quote from Article:
> involves voters receiving encrypted receipts that they would compare to final
> results posted on a website after the election.
This is fine, in fact its a good thing. As long as, only the voter can be convinced that she voted in a certain way. This combines two properties from Kremer & Ryan:
* Individual verifiability: a voter can verify that her vote was really counted.
* Receipt-freeness: a voter cannot prove that she voted in a certain way (this is important
to protect voters from coercion).
This was on the news last week here in Quebec, "Report on the Evaluation of New Methods of Voting" http://www.electionsquebec.qc.ca/en/...
The report focuses on the last municipal elections and analyses mail-in ballots, electronic ballot boxes and electronic voting machines. You can read the major findings and recommendations in the press releases.
The scary conclusion, in a nutshell:
"Sorry folks, in its current state, I can't guarantee the results. Don't use this until it's fixed"
The report itself (in French) is interesting with details of each systems, stats on rejected ballots, recounts results, etc. This is quite thorough and done by the DGEQ, "Chief Electoral Officer of Quebec". Quoted from their website: "The mission of the Chief Electoral Officer consists of overseeing the administration of the electoral system in order to ensure the election of members of the National Assembly (MNAs) and, to a lesser extent, that of members of municipal councils and school boards, by guaranteeing the free exercise of the right to vote for Québec’s electors."
As for my point of view on this, I've voted every time since I've been old enough to vote. A pencil and paper is fine with me and I don't mind waiting half an hour after the closing of the polls to hear Bernard Derome's trademark "Si la tendance se maintient, à 8h32 EST, Radio-Canada prédit..." ("If the trend holds, at 8:32 EST, Radio-Canada predicts...") http://www.thecanadianencyclopedia.com/index.cfm?...
I always have the feeling that these things could be pretty easy by answering a few questions:
a) Is an election possible? Yes.
b) Can the election process be captured formally? Yes.
OK, it must be possible to program it.
What do we need?
1. Public witness. Everyone must be able to understand and verify the process.
2. Intrusion resistance. No single point of failure. That is no single machine or person must be able to tamper with the election process. And it must not be tied to particular matter.
3. Incorruptibility. No administrative power must be able to tamper with the process.
4. No process reconstruction. The process must not record the association of voters and votes.
This can be done. I know: http://www.askemos.org
(full disclosure: I'm the principal author)
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.