Re: Proposed Electronic Ballot Image Format

From: Dennis Paull <dpaull_at_svpal_dot_org>
Date: Mon Aug 25 2003 - 02:53:48 CDT

Hi David et al,

I see the point you make and I don't have any problem with it.

But I would like to point out that poll workers can always forge
voter records and cast 'extra' ballots, EXCEPT that:

a. independent election observers may be present.

b. the several poll workers are supposed to each be a check on
    the others. That is one reason that why there are as many
    poll workers as there are. Poll workers are supposed to be
    from several political parties, but poll workers are so hard
    to find that counties take what they can get.

c. So the senario you propose requires that all poll workers be
    in on the fraud. This is less likely but still possible.

d. There are many ways that poll workers can screw up an election.
    That is why Inspectors (head poll workers) are given extra
    training and are replaced if they screw up.

Although it may be nice to build-in protections against elections staff
fraud, there are so many ways it could be done that it may be a losing
cause. Protection against outsider attacks seem to me to be MUCH more
important. Outsiders include voters.

Dennis

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

At 12:07 AM 8/25/2003 Monday , David wrote:
>Arthur Keller wrote:
>|>What, if any, digital signatures of ballot bar codes are needed to
>|>help prevent forgeries?
>
>Last month I wrote what I still strongly believe is the correct approach
>to cryptographic security of ballots (and equally of electronically
>transmitted voting results--the same method applies in both cases, and
>consistency between the two can be checked). See:
>
> http://gnosis.python-hosting.com/voting-project/initial-digests/0109.html
>
>There were some clarifying followup questions, but I believe a careful
>reading of the original post shows it remains correct.
>
>Dennis Paull <dpaull@svpal.org> wrote:
>|Since ballots are secret, how and for what purpose would a forgery
>|be created? A voter only gets to cast a single ballot, so it might
>|as well be the correct one.
>
>Here is one extremely plausible attack scenario for an EVM+Paper system;
>one that the security meausre I point to will guard against.
>
>An inside attacker, Mallory, wishes for a precinct to cast extra
>(fictictious) votes for Zachary. For example, Mallory might be a poll
>worker (approximately that degree of inside access would suffice).
>Mallory creates a number of false Zachary paper ballots, specifically
>ones that purport to have been cast on Machine One. Before the close of
>voting, Mallory inserts those false paper ballots into the ballot box;
>AND Mallory damages Machine One to a degree sufficient that its accuracy
>cannot not trusted. The attach on the EVM may be electronic, or it may
>simply be physical (e.g., acid spilled on the HDD).
>
>During tabulation, electronic records from Machine One can no longer be
>trusted. Therefore, tabulators must resort to counting the paper
>ballots (allegedly) produced by Machine One. However, since Mallory has
>also inserted overvotes into the ballot box, the polling place contains
>a surplus of votes for Zachary by every reproducible count.
>
>...unless, of course, the cryptographic procedure I recommend was used.
>Then Mallory is entirely thwarted.
>
>Yours, David...
>
>--
> _/_/_/ THIS MESSAGE WAS BROUGHT TO YOU BY: Postmodern Enterprises _/_/_/
> _/_/ ~~~~~~~~~~~~~~~~~~~~[mertz@gnosis.cx]~~~~~~~~~~~~~~~~~~~~~ _/_/
> _/_/ The opinions expressed here must be those of my employer... _/_/
> _/_/_/_/_/_/_/_/_/_/ Surely you don't think that *I* believe them! _/_/
>
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Sun Aug 31 23:17:15 2003

This archive was generated by hypermail 2.1.8 : Sun Aug 31 2003 - 23:17:18 CDT