Re: FAQ # 25

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Mon Dec 15 2003 - 18:28:47 CST

> I think that if the chance of a barcode error being accepted is lower
> than of an MD5 hash or an X.509v3 certificate randomly matching, we're
> OK. :-)

I don't think anyone is worrying about random errors in the barcodes.
Indeed the error correction is excellent; and if we add a cryptographic
layer, it might wind up even better.

The issues that Doug has in mind have to do with encoding a valid vote,
but not the vote the voter intended. Potentially, a programming
error--or a malicious hacker--might cause the vote chosen in the
interface not to be reflected in the barcode. In the worst case, the
votes displayed in readable form would indicate a different vote than
that (validly) encoded on the barcode.

In fact, pursuing the malice angle, one could imagine that only the GUI
interface was so corrupted, while the blind-accessible interface
encoded votes accurately in the barcode. Since very few of the sighted
voters would bother using the BVA verification station, such tampering
might escape notice. In fact, if we imagine a clever tamperer, the XML
stored on the GUI voting machine might match the barcode entirely (but
not match the readable data on the ballot).

The above tampering is NOT totally undetectable. All it takes, really,
is a spot check of X% of ballots to make sure the printed votes match
the barcodes. Statisticians on the list can help me fill in "X". But
detection -is- doable. The problem is that voters might have
diminished confidence that such statistical validation is really
adequate and/or performed correctly. A lot of voters don't understand
sample sizes and confidence intervals, after all.

The other danger isn't so much in the system itself, as one of
perceptions. A voter might well worry that the barcode encodes
something they don't want there. That is: it might have their
identity, or something correlated with their identity.

For example, I have pointed out (to several naive newcomers to this
list, over time) that timestamps/sequences on ballots would compromise
anonymity. I think that point is well enough understood now by list
members. But how do you prove to a voter that the barcode doesn't
contain a covert timestamp?! It is far from obvious exactly how many
bits of information are encoded by each inch of barcode, and how much
extra information might have snuck in there. Even if the BVA station
reads back votes entirely accurately for a ballot, that does not
establish the absence of EXTRA information in the barcode.

Overall, I am still more "pro-barcode" than Doug is. But I don't see
the decision to use them (versus OCR on the printed ballot) as the
slam-dunk that Alan does.

Yours, David...
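The two checks discussed in the message above, as an added worked example (not code from the original post, nor from the voting project it discusses): the sample-size arithmetic behind "a spot check of X% of ballots", and a verification step that re-encodes the printed votes and compares the whole barcode payload, which is what separates "the station reads back the votes accurately" from "the barcode contains no extra information". The contest list, the field widths, the bit-string stand-in for the barcode payload and the tampered sample ballots are constructed assumptions, not the project's ballot format.

```python
import math
import random

# Constructed example ballot layout (an assumption, not the project's format):
# each contest gets one fixed-width field holding 0 = no vote or 1..k.
CONTESTS = (
    ("president", ("Alice", "Bob", "Carol")),
    ("prop-12", ("yes", "no")),
)


def field_width(choices) -> int:
    """Bits needed to hold the values 0..len(choices)."""
    return len(choices).bit_length()


def encode_votes(printed: dict) -> str:
    """Canonical encoding: the vote fields, in contest order, and nothing else."""
    bits = []
    for name, choices in CONTESTS:
        pick = printed.get(name)
        idx = 0 if pick is None else choices.index(pick) + 1
        bits.append(format(idx, f"0{field_width(choices)}b"))
    return "".join(bits)


def decode_votes(payload: str) -> dict:
    """Read the vote fields in order and ignore whatever follows them,
    which is how a read-back station that only displays votes behaves."""
    pos, out = 0, {}
    for name, choices in CONTESTS:
        width = field_width(choices)
        idx = int(payload[pos:pos + width], 2)
        if idx > len(choices):
            raise ValueError(f"invalid selection {idx} for {name}")
        out[name] = None if idx == 0 else choices[idx - 1]
        pos += width
    return out


def readback_matches(printed: dict, payload: str) -> bool:
    """Weak check: do the decoded vote fields match the printed votes?"""
    return decode_votes(payload) == printed


def payload_is_canonical(printed: dict, payload: str) -> bool:
    """Strong check: is the payload exactly the canonical encoding of the
    printed votes? Extra bits (a covert timestamp, a sequence number) fail
    this even when every vote field reads back correctly."""
    return payload == encode_votes(printed)


def spot_check_sample_size(tamper_rate: float, confidence: float) -> int:
    """Smallest n such that a random sample of n ballots contains at least
    one tampered ballot with probability >= confidence, if a fraction
    tamper_rate of all ballots is tampered. Uses 1 - (1 - p)^n, i.e. sampling
    with replacement, which slightly over-estimates n (conservative) compared
    with the real without-replacement draw from a finite pile of ballots."""
    if not (0 < tamper_rate < 1 and 0 < confidence < 1):
        raise ValueError("tamper_rate and confidence must be in (0, 1)")
    return math.ceil(math.log(1 - confidence) / math.log(1 - tamper_rate))


def run_spot_check(ballots, n: int, seed: int = 0) -> int:
    """Draw n ballots without replacement and count those whose barcode
    payload is not the canonical encoding of their printed votes."""
    sample = random.Random(seed).sample(ballots, n)
    return sum(1 for printed, payload in sample
               if not payload_is_canonical(printed, payload))


# Constructed ballots: an honest one, one with extra trailing bits, and one
# whose barcode encodes a different candidate than the printed text shows.
PRINTED = {"president": "Bob", "prop-12": "yes"}
HONEST = encode_votes(PRINTED)                 # "1001"
WITH_EXTRA = HONEST + "101101"                 # constructed covert bits appended
SWAPPED = encode_votes({"president": "Carol", "prop-12": "yes"})

if __name__ == "__main__":
    print("read-back accepts extra bits:", readback_matches(PRINTED, WITH_EXTRA))
    print("canonical check rejects them:", payload_is_canonical(PRINTED, WITH_EXTRA))
    print("sample size for 1% tampering at 95% confidence:",
          spot_check_sample_size(0.01, 0.95))
    pile = [(PRINTED, HONEST)] * 990 + [(PRINTED, SWAPPED)] * 10
    n = spot_check_sample_size(0.01, 0.95)
    print(f"mismatches found in a sample of {n}:", run_spot_check(pile, n))
```

The sample-size formula answers the "fill in X" question only for the detection goal it states (seeing at least one bad ballot); it says nothing about estimating how many ballots are bad, which needs the larger samples the message alludes to. The two verification functions make the second point concrete: a station that only decodes and displays the vote fields cannot tell an honest payload from one with bits appended, whereas re-encoding the printed votes and comparing the entire payload can, provided the encoding is fixed-width and publicly specified so that its expected length is known in advance.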
