Re: Critical analysis of VoteHere

From: David Mertz, Ph.D. <voting-project_at_gnosis_dot_cx>
Date: Sat Dec 13 2003 - 18:25:47 CST

> Thinking more about this... I like this idea so much I think I want to
> add it to the proposed OVC system... Anyone can then go into the voting
> booth and browse all of the ballot images and print whichever one(s)
> they want. If they've made a note of their own ballot they can print a
> copy of that and/or they could print others.

I think this is PROBABLY a good idea. But I don't want OVC/EVM2003 to
commit to it yet, not until the security document has more eyes on
it--especially experienced ones like those of Amit and David Jefferson.
It is not entirely decided whether and when the XML ballot images will
be disclosed; and therefore the merit of this browse-and-print
capability is premature IMO.

A couple -potential- weaknesses jump out at me. These might well be
answerable, but I'm not sure of the implications:

(1) The FIRST voter at a polling place only has ONE archived ballot to
choose from (and therefore, something printed is provably theirs rather
than someone else's--maybe the guys with the brass knuckles make their
demand of this first voter). And even during the early voting, the set
of ballots to choose from is smaller than at the end of the day.
Conceivably some statistical attack based on sampled coerced disclosure
of printed ballots would allow overall coercion.

(2) If the write-in candidates appear in the disclosed XML files, the
Coercers could demand that a voter both vote a certain way on race A,
and write-in a specific value "Foobar57" on race X (whose outcome
Coercers are indifferent to). In other words, a voter is ordered to
produce a printed ballot like (not for a specific ballot #, but for
some ballot with commanded values):

     Ballot #: 1234
     Prez: GW Bush
     Cat Catcher: WRITE-IN

The voter can print out a ballot from a previous voter, even one that
contains a vote for GW Bush (and maybe even a cat catcher write-in).
But when the voter shows purported ballot #1234 to the Coercers, the
Coercers will check the election website at the end of the day, and
discover that ballot #1234 had a write-in of "Baz17" instead. Hence
the non-compliance of the voter with Coercers is exposed.

I would ask that Alan add this suggestion to the Security Wiki, and we
discuss this there--including any annotations of attacks we notice (and
responses to them, if applicable).

Yours, David...
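Both weaknesses above come down to how many other published ballots a given ballot is indistinguishable from: the first voter's ballot stands alone (1), and a free-text write-in makes a ballot unique no matter how many others are published (2). The following is an added example, not code from this message or from the OVC/EVM2003 project, of a defender-side check that a polling place could run before disclosing ballot images: it computes each ballot's "anonymity set" (the number of published ballots showing the same selections), flags ballots that can be singled out, and shows how the smallest set evolves as ballots are published one by one. The ballot format, race names and the `WRITE-IN:` encoding are assumptions; the sample ballots are constructed.

```python
"""Anonymity-set check for disclosed ballot images.

Added example (not part of the original message or the OVC/EVM2003 code).
A ballot whose visible selections match fewer than k-1 other published
ballots can be singled out, which is exactly what a coercer who demands
"show me a printed ballot with these values" relies on.
"""
from collections import Counter
from typing import Dict, List, Sequence, Tuple

# Assumed model: a ballot image is race -> selection.  Write-ins are
# stored as "WRITE-IN:<text>" so the text can be redacted or kept when
# deciding what counts as "the same selections".
Ballot = Dict[str, str]
WRITE_IN_PREFIX = "WRITE-IN:"

# Constructed sample: the first six ballots published at one polling
# place, in the order they were cast.  Ballots 0 and 3 carry write-ins.
SAMPLE_BALLOTS: List[Ballot] = [
    {"Prez": "Candidate A", "Cat Catcher": "WRITE-IN:Baz17"},
    {"Prez": "Candidate B", "Cat Catcher": "Smith"},
    {"Prez": "Candidate A", "Cat Catcher": "Smith"},
    {"Prez": "Candidate A", "Cat Catcher": "WRITE-IN:Foobar57"},
    {"Prez": "Candidate B", "Cat Catcher": "Smith"},
    {"Prez": "Candidate A", "Cat Catcher": "Smith"},
]
RACES: Tuple[str, ...] = ("Prez", "Cat Catcher")


def signature(ballot: Ballot, races: Sequence[str],
              redact_write_ins: bool) -> Tuple[str, ...]:
    """Selections for the given races, in a fixed order, as they would be
    visible in the published image.  With redaction, only the fact that a
    write-in was cast is published, not its text."""
    parts = []
    for race in races:
        choice = ballot.get(race, "")
        if redact_write_ins and choice.startswith(WRITE_IN_PREFIX):
            choice = "WRITE-IN"
        parts.append(choice)
    return tuple(parts)


def anonymity_set_sizes(ballots: Sequence[Ballot], races: Sequence[str],
                        redact_write_ins: bool) -> List[int]:
    """For each ballot, the number of published ballots (itself included)
    that show the same selections."""
    sigs = [signature(b, races, redact_write_ins) for b in ballots]
    counts = Counter(sigs)
    return [counts[s] for s in sigs]


def singled_out(ballots: Sequence[Ballot], races: Sequence[str],
                redact_write_ins: bool, k: int = 2) -> List[int]:
    """Indices of ballots whose anonymity set is smaller than k, i.e.
    ballots a coercer could tie to one specific voter's printout."""
    sizes = anonymity_set_sizes(ballots, races, redact_write_ins)
    return [i for i, n in enumerate(sizes) if n < k]


def min_set_size_as_published(ballots: Sequence[Ballot], races: Sequence[str],
                              redact_write_ins: bool) -> List[int]:
    """Smallest anonymity set after each successive ballot is published.
    The first entry is always 1: the first voter's ballot stands alone."""
    return [min(anonymity_set_sizes(ballots[:i + 1], races, redact_write_ins))
            for i in range(len(ballots))]


if __name__ == "__main__":
    for redact in (False, True):
        label = "write-in text redacted" if redact else "write-in text published"
        print(f"--- {label} ---")
        print("anonymity set per ballot:",
              anonymity_set_sizes(SAMPLE_BALLOTS, RACES, redact))
        print("ballots that can be singled out (k=2):",
              singled_out(SAMPLE_BALLOTS, RACES, redact))
        print("smallest set as ballots are published:",
              min_set_size_as_published(SAMPLE_BALLOTS, RACES, redact))
```

On the constructed sample, publishing write-in text leaves ballots 0 and 3 with an anonymity set of 1 (the "Foobar57" marker problem), while redacting the text merges them into one set of 2. The `min_set_size_as_published` series stays at 1 until the sixth ballot even with redaction, which is the early-voting exposure in point (1); a disclosure policy could use this check to delay publication until every ballot's set reaches a chosen k.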
