Re: Critical analysis of VoteHere

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Sat Dec 13 2003 - 11:14:08 CST

charlie strauss <cems@earthlink.net> wrote:
|Has there been a critical analysis of the VoteHere technology

First note: Why don't we move most of this discussion over to our Wiki,
which is currently at:

    http://www.openvoting.com/cgi/wiki.pl?SecurityDiscussion

We are not currently happy with that web host and software, but any
content posted will be copied to the appropriate new server once Laird
is happy with the installation (probably we'll use MoinMoin). Note that
you'll probably have to reload after you make a change and see an error
screen; but then it posts OK.

Maybe Charlie can start a new category and a new page, called something
like "OtherSecuritySystems".

***

Now in terms of details of VoteHere, I see quite a few problems. The
biggest issue is that it solves a problem we do not actually have.
There IS NO legal requirement that voters be able to individually
verify that their vote is included, from outside the polling place (and
later on). Rather, the inclusion of all the ballots is handled by
procedural checks: secured ballot boxes, poll watchers, signed
chain-of-custody, etc. Personally, I don't see any compelling reason
why it is even DESIRABLE to allow individual, rather than procedural,
assurances. Sure, it would be "kinda cool" if that could happen; but
it's not the law, and it probably shouldn't be.

A keyed mapping is also kinda a cool idea. But either the mapping is
revealed or it isn't.

In the first case (revealed mapping), we cannot REALLY stop voters from
taking it with them. A paper they're not -supposed- to remove from the
polling place doesn't effectively stop it in practice. And even if the
mapping is only displayed on a screen, digital cameras are now embedded
in cell phones, pens, etc... and pencil-and-paper is an even more
widespread technology.

But if the mapping remains a bit hidden, then there's not a lot of
meaning to the 1-800 "verification". It shows that the ballot->vote
mapping is stored, sure; but how does a voter know that really gets
counted as the candidate they want? Basically, the only assurance given
at this point is procedural, not individual: The computer systems,
chain-of-custody, etc. are configured properly--and checked by poll
watchers--to assure the 1-800 system works correctly. It just pushes
the procedural reliance back a step, rather than increasing the individual
verifiability.

Yours, David...

--
 mertz@  _/_/_/_/ THIS MESSAGE WAS BROUGHT TO YOU BY: \_\_\_\_    n o
gnosis  _/_/             Postmodern Enterprises            \_\_
.cx    _/_/                                                 \_\_  d o
      _/_/_/ IN A WORLD W/O WALLS, THERE WOULD BE NO GATES \_\_\_ z e
==================================================================
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
==================================================================
Received on Wed Dec 31 23:17:09 2003
