Re: Ballot Reconciliation Procedure

From: Alan Dechert <alan_at_openvotingconsortium_dot_org>
Date: Mon Dec 01 2003 - 11:49:55 CST

Lou,
>
> In order to survive power outages and system crashes, you will need to
> save the ballots as they are cast. I think the security of the machines
> would be much easier to verify if they didn't have hard drives at all,
> so what about using external flash memory writers. A USB flash memory
> reader costs around $10 and the flash cards could be pre-verified and
> inserted on the day of the election. You could then remove the flash
> cards, flip the write protect and cover it with a tamper proof seal and
> send them to the election center. The flash writers themselves could
> be physically secured by routing all the cables into a locked box. In
> the future, if you wanted to get fancy you could get write once flash
> cards that allow data to be written and read but not modified.
>
Nice to hear from you, Lou.

I don't think we've decided on the harddrive/no harddrive issue. It's a
fair question. We plan to boot from CD ROM and write out the results to the
CD when the polls close.

The Australians use the harddrive, which gets formatted on startup.

You are absolutely correct that interim results must be recorded somewhere.
Some rules about DREs suggest that multiple copies have to be kept. There
are lots of issues here -- some having to do with privacy as well as
security. That is, if we keep a log file where every event is logged, we
raise the possibility that someone's vote could be revealed by knowing the
order of events logged.

The final results will be sorted by ballot number (a randomly generated but
unique 4-digit number). This way, the order of the votes will not be
revealed.

For this reason, the write once flash card probably can't be used. That is,
if you had to resort to getting the data from there, it would be possible to
reveal someone's vote.

We have to save interim results. Keep in mind that we are introducing a
really new voting machine. Some rules that apply to DREs may not be
applicable (our system is NOT a DRE). As Doug Jones has pointed out, the
printed ballot may serve as a substitute for at least one of the extra
copies that the rules require.

Alan D.

==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Wed Dec 31 23:17:03 2003

This archive was generated by hypermail 2.1.8 : Wed Dec 31 2003 - 23:17:18 CST