Re: Security issues beyond ballots

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Wed Apr 14 2004 - 13:27:43 CDT

> It would be useful for debugging and in testing for fraud, and doesn't
> seem like a loss of privacy to me, if the VES (vote entry station)
> logged every user interaction as a sequence with only relative
> timestamps from the first interaction in a voting session.

Sequence==Loss of Anonymity

It really does... I wouldn't keep insisting on this if the
"naturalness" of logging sequential events didn't keep occurring to
developers. Anonymous voting is a very special constraint from a
security perspective.

For the basic attack, imagine hiding in the building across the street
from a polling place with a video camera, and taping every voter who
enters (in order). That's a base-line sequence. Now I recognize that
if there are multiple VESs, the correlation between polling place entry
and VES sequence isn't complete, but it can narrow things down.

While every voter can choose a machine of her choice, a voter will
almost certainly choose an unoccupied machine rather than wait for an
occupied one to open up. Comparing the sequences on machines gives you
a pretty good sense of what happened. It's not just a random
distribution, probably; Machine #1 might have the most votes, and
Machine #2 only gets overflow. But the video camera outside lets you
see when busy times with overflow probably occur.

Going beyond the basics, you can reconstruct individual votes much more
accurately by using voter-collaborators. Suppose you send in a
voter each hour of voting, and that voter votes in a -distinct- fashion
that is easy to recognize (maybe a pattern of choices, maybe just use
of a write-in vote, which is infrequent among voters in general... and
if you know an exact write-in name, probably unique). Maybe your
collaborator votes on a specific VES, or on a VES determined by an
algorithm (if there are X people in line..). This on-the-hour vote
partitions the sequence problem into, say, 12 distinct simpler problems
(if there are 12 hours of voting). Moreover, your video camera has a
time display too, so you've narrowed entry times.

There's more you can do if you get sneaky, and use some probability.
But the starting point should be the assumption that sequence
information is an unacceptable compromise to anonymity.

Yours, David...
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Fri Apr 30 23:17:06 2004
