RE: FAQ # 25

From: Popkin, Laird (WMG Corp)
Date: Mon Dec 15 2003 - 19:22:14 CST

I'm pretty sure that the original email was addressing whether "barcode
errors could pass undetected" and that with "it might help if we could compute
the odds of a barcode error (writing or reading) could get through the
ballot reconciliation procedure without throwing an error" you were talking
about an error in either reading or writing the barcode that somehow
generated a valid barcode. The historical error rate for barcodes is about 1
per million characters (of a successful read returning an incorrect
character). That error rate includes the barcode's built-in ECC detecting
read errors and forcing a re-scan. And, as we've both pointed out,
application level ECC could improve the rate to a level that is essentially
perfect.

If people are concerned about barcodes being forged, or containing votes
that aren't what the person voted, or containing additional information,
that really has nothing to do with the barcodes (any opaque encoding
technology would have those issues), or errors in writing or reading
barcodes. I'd suggest therefore that we use a different term than "barcode
error." How about "vote tampering"?

In terms of detecting vote tampering, I'd agree that OCR might be better in
that respect, since it's human readable so that incorrectly recorded votes
could be noticed by the naked eye. Unfortunately, OCR scanners cost more and
the scan error rates are higher, and privacy issues come with making the
digital vote human readable. I'm also not sure if OCR's data density is high
enough to encode a vote in a reasonable amount of space.

For those reasons, I agree with you that using barcodes makes more sense. If
anyone doesn't trust the system they can easily check it any number of ways.
For example:
- Read the barcode using any barcode reader. Barcodes are easily readable,
requiring no special knowledge or expensive equipment. Unless the ballot
data is encrypted, and not just signed, that would show that it contains the
real votes, and no hidden personal data.
- Scan the ballots using a stand-alone OVC barcode reader and compare its
display to the votes printed on the ballot. This wouldn't reveal hidden
data, but would verify the votes as recorded in the barcode. Perhaps we
should make re-scanning and visually verifying a percentage of the votes a
part of the training process for poll workers? So long as the voting system
and the reading system come from different sources, this should give a good
confidence level (since the two sources would presumably not be able to
cheat identically, or would be caught in security audits).
- If you're really paranoid, download, read, and run your own copy of the
OVC software, and re-scan your ballots to prove to yourself that the barcode
matches the human readable printed values.

Of course, all of the above could (should?) be done as a part of an audit of
the system.

The percentage of ballots that would need to be sampled varies depending on
the total number of ballots cast and the degree of confidence that you want
to have in the results. For example, if you had 100,000 votes, and wanted to
have a 99% confidence level of measuring the level of vote tampering to
+/-1% you'd have to sample 14,267 ballots to make sure that the barcodes
matched the printed votes. If you only wanted a 95% confidence level of
measuring the level of vote tampering to +/-3% you'd only have to sample
1,056 ballots. Of course, you'd have to make sure that the sampled votes
were truly selected randomly (i.e. not every 100th ballot) and that you
could trust the auditing process, etc. :-) Yes, people might not understand
the details, but if they can watch a bunch of people re-scan 15K ballots
with zero errors, they'll figure out that the system works.

Man, it's tiring being this paranoid!

- LP
-----Original Message-----
From: owner-voting-project@afterburner.sonic.net
[mailto:owner-voting-project@afterburner.sonic.net]On Behalf Of David
Mertz
Sent: Monday, December 15, 2003 7:29 PM
To: voting-project@lists.sonic.net
Cc: David Mertz
Subject: Re: [voting-project] FAQ # 25

> I think that if the chance of a barcode error being accepted is lower
> than of an MD5 hash or a x.309v3 certificate randomly matching, we're
> OK. :-)

I don't think anyone is worrying about random errors in the barcodes.
Indeed the error correction is excellent; and if we add a cryptographic
layer, it might wind up even better.

The issues that Doug has in mind have to do with encoding a valid vote,
but not the vote the voter intended. Potentially, a programming
error--or a malicious hacker--might cause the vote chosen in the
interface not to be reflected in the barcode. In the worst case, the
votes displayed in readable form would indicate a different vote than
that (validly) encoded on the barcode.

In fact, pursuing the malice angle, one could imagine that only the GUI
interface was so corrupted; while the blind-accessible interface
encoded votes accurately in the barcode. Since very few of the sighted
voters would bother using the BVA verification station, such tampering
might escape notice. In fact, if we imagine a clever tamperer, the XML
stored on the GUI voting machine might match the barcode entirely (but
not match the readable data on the ballot).

The above tampering is NOT totally undetectable. All it takes, really,
is a spot check of X% of ballots to make sure the printed votes match
the barcodes. Statisticians on the list can help me fill in "X". But
detection -is- doable. The problem is that voters might have
diminished confidence that such statistical validation is really
adequate and/or performed correctly. A lot of voters don't understand
sample sizes and confidence intervals, after all.

The other danger isn't so much in the system itself, as one of
perceptions. A voter might well worry that the barcode encodes
something they don't want there. That is: it might have their
identity, or something correlated with their identity.

For example, I have pointed out (to several naive newcomers to this
list, over time) that timestamps/sequences on ballots would compromise
anonymity. I think that point is well enough understood now by list
members. But how do you prove to a voter that the barcode doesn't
contain a covert timestamp?! It is far from obvious exactly how many
bits of information are encoded by each inch of barcode, and how much
extra information might have snuck in there. Even if the BVA station
reads back votes entirely accurately for a ballot, that does not
establish the absence of EXTRA information in the barcode.

Overall, I am still more "pro-barcode" than Doug is. But I don't see
the decision to use them (versus OCR on the printed ballot) as the
slam-dunk that Alan does.

Yours, David...

==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Wed Dec 31 23:17:13 2003
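
An added example, not part of the original thread: the two sample sizes quoted in the reply above (14,267 and 1,056 out of 100,000 ballots) can be reproduced with the standard proportion sample-size formula plus finite population correction. The choice of formula, the rounded z-scores, and the function names are assumptions made here; the message does not say how its figures were computed. The second function covers the "truly selected randomly" requirement by drawing ballot indices without replacement from the OS random source.

```python
import math
import secrets

# Two-sided z-scores as commonly tabulated (rounded). Assumption: the rounded
# 2.58 for 99% is what reproduces the 14,267 figure quoted in the message.
Z_SCORES = {0.95: 1.96, 0.99: 2.58}


def audit_sample_size(total_ballots, confidence, margin, p=0.5):
    """Ballots to re-scan to estimate the mismatch rate to +/- margin.

    Uses n0 = z^2 * p * (1 - p) / margin^2, then the finite population
    correction n = n0 / (1 + (n0 - 1) / N). p = 0.5 is the worst case
    (largest variance), so the result is conservative.
    """
    z = Z_SCORES[confidence]
    n0 = z * z * p * (1 - p) / margin ** 2
    n = n0 / (1 + (n0 - 1) / total_ballots)
    return math.ceil(n)


def draw_audit_sample(total_ballots, sample_size):
    """Pick ballot indices uniformly at random, without replacement.

    SystemRandom draws from the operating system's CSPRNG, so the selection
    cannot be predicted from a seed, unlike "every 100th ballot".
    """
    rng = secrets.SystemRandom()
    return sorted(rng.sample(range(total_ballots), sample_size))


if __name__ == "__main__":
    total = 100_000  # ballot count used in the message
    for confidence, margin in ((0.99, 0.01), (0.95, 0.03)):
        n = audit_sample_size(total, confidence, margin)
        picked = draw_audit_sample(total, n)
        print(f"{confidence:.0%} confidence, +/-{margin:.0%}: "
              f"re-scan {n} ballots, first indices {picked[:5]}")
```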
