Re: Critical analysis of VoteHere

From: Dennis <dpaull_at_svpal_dot_org>
Date: Sat Dec 13 2003 - 03:48:57 CST

Hi Charlie et al,

I'm a bit confused. If I call up the 800 number and it spits out
the code for Joe, how do I know that my vote was recorded for Joe
and not Sam?

In other words, is there a voter-verified paper ballot that can be
used for a manual ballot recount as required in California? If not,
their scheme fails the reliability test.

In general, receipts are not required although if there was a way
for voters to validate their votes from the county, it would be nice
to be able to do that. However, the critical requirement is the
availability to do the manual recount and that means a recount that
is not dependent on a computer to interpret the voters' intent.

Your description didn't explain how that is being done here.

Dennis Paull

At 11:56 PM 12/12/2003 -0700, you wrote:
>Has there been a critical analysis of the VoteHere technology on this
>forum or published elsewhere? If so please point me to it so I don't
>waste your time.
>Assuming there has not been I'd like to start a discussion on VoteHere.
>The question is what are the problems with the VoteHere Scheme? So far
>I see two flaws but perhaps they can be remedied. It does add a layer
>of complexity but it may not be too bad since it does not require that
>every voter actually check their receipt just some.
>Here is a nutshell summary of how VoteHere Works for those that don't
>"receipts don't work or allow coercion".
>After selecting his votes on the touch screen the voter is presented
>with a final summary of his choices and a "cast ballot" button.
>But BEFORE the voter presses this button he is also given a paper
>receipt which shows his choices in an easy-to-read code. The voter
>will take home the receipt, the vote is recorded electronically after
>being cast.
>When you were deciding who to vote for the ballot question looked like
>"who do you want for president?"
>Joe Blow (56)
>Sam Jones (63)
>Hilbert Holler (13)
>Your final summary on screen looks like this:
>Ballot ID: 5444321
>president: 56 joe blow
>senator: 32 jane doe
>The receipt does not show the names just the numbers
>Ballot ID: 5444321
>president: 56
>senator: 32
>Before pressing the "cast ballot" button, the voter can if he wants to
>verify the numbers on screen and receipt match.
>The clever part here is that the relationships between the numbers and
>the candidates names are different for every ballot. That for ballot
>5444321, Joe Blow corresponded to the number 56, but on ballot 544321
>Joe Blow might correspond to, say, 15.
>Thus by not knowing how the mapping was randomly chosen, no one can
>know by looking at your receipt who you voted for.
>Now after the election is over, you decide you want to check your
>ballot. You call the 800 number and punch in your ballot Id and it
>gives you back the numbers and you can check them against your receipt.
> This way you know your ballot was counted as cast.
>The final ingredient is this. The actual mappings between candidate
>names and numbers for each ballot are known by the election officers and
>are publicly published in an encrypted form before the election.
>--- that's mostly it---
>So let's work a scenario:
>On the vote selection menu, the machine shows you that Joe Blow is 56
>and Sam Jones is 63 before you have voted, so it might seem that there
>would be no incentive at this point to swap the numbers. (more on this
>At the summary screen, but before you cast the vote you can verify the
>receipt matches the number. And the machine can't change your number
>after your vote since it could get caught by your phone call later.
>So are there flaws? I can think of two, but maybe there are more.
>1) Suppose it's known with virtual certainty that Joe Blow will win.
>Then if the machine simply swaps Sam and Joe's numbers right from the
>start then even though it does not know how an individual voter will
>vote, it will reverse all the results giving Joe's win to Sam.
> Solutions: the mapping is also printed out on a separate receipt
>for the voter to check but not take home. The mapping could be dropped
>in a box for later spot checking by election officials.
>2) How can you prove your receipt is a valid one? The VoteHere system
>has the machine print a digital signature on the receipt to allow you
>to prove the receipt is real. But suppose that when it wants to change
>your vote it simply munges the digital signature so that you can't later
>prove it's a real receipt.
> Solutions: well if a lot of munged receipts turn up you know
>something is wrong. But you could also simply pre-print all the
>receipts with a watermark and skip the digital signature.
>3) one might complain that this code stuff causes headaches for the
>voter. But to work not every voter has to check every vote. Just some
>spot checking by some voters is all that is required.
>Their solution to ballot stuffing is to publish the voter rolls.
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
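
Added example, not part of the original messages or of any VoteHere code: a small Python model of the receipt scheme described in the quoted text, using its ballot 5444321 and codes 56/63/13. It compares the 800-number check with a spot check of the displayed mapping for flaw 1; the hash commitment, the salt and all function names are assumptions standing in for the "encrypted form" published before the election.

```python
import hashlib
import json

# Constructed sample data using the ballot and codes from the message above.
BALLOT_ID = "5444321"
OFFICIAL = {"Joe Blow": 56, "Sam Jones": 63, "Hilbert Holler": 13}
SALT = "constructed-salt"  # hypothetical; revealed to auditors after the election


def commit(ballot_id, mapping, salt):
    """Hash commitment to one ballot's name->code mapping (an assumed
    stand-in for the 'encrypted form' published before the election)."""
    blob = json.dumps([ballot_id, sorted(mapping.items()), salt])
    return hashlib.sha256(blob.encode()).hexdigest()


def vote(displayed, official, choice):
    """Voter picks `choice` from the mapping the machine displays.
    Returns (receipt_code, recorded_code, counted_for)."""
    code = displayed[choice]             # printed on the receipt and stored
    decode = {c: name for name, c in official.items()}
    return code, code, decode[code]      # the tally decodes with the official mapping


def hotline_check(receipt_code, recorded_code):
    """The 800-number check: does the stored code match the receipt?"""
    return receipt_code == recorded_code


def mapping_audit(ballot_id, displayed, salt, published_commitment):
    """Spot check of the printed mapping against the pre-election commitment."""
    return commit(ballot_id, displayed, salt) == published_commitment


def run(displayed):
    """Cast one vote for Joe Blow on a machine showing `displayed`."""
    published = commit(BALLOT_ID, OFFICIAL, SALT)
    receipt, recorded, counted = vote(displayed, OFFICIAL, "Joe Blow")
    return {
        "counted_for": counted,
        "hotline_ok": hotline_check(receipt, recorded),
        "audit_ok": mapping_audit(BALLOT_ID, displayed, SALT, published),
    }


HONEST = dict(OFFICIAL)
SWAPPED = {**OFFICIAL, "Joe Blow": 63, "Sam Jones": 56}  # flaw 1 in the message

if __name__ == "__main__":
    print("honest :", run(HONEST))
    print("swapped:", run(SWAPPED))
```

In the swapped case the hotline check still passes because the receipt and the stored record carry the same code; only the comparison of the displayed mapping with the published commitment fails.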
Received on Wed Dec 31 23:17:09 2003

This archive was generated by hypermail 2.1.8 : Wed Dec 31 2003 - 23:17:18 CST