Re: Critical analysis of VoteHere

From: Clay Lenhart <clay_at_lenharts_dot_net>
Date: Wed Dec 17 2003 - 20:38:13 CST

On Sun, 2003-12-14 at 19:43, Arthur Keller wrote:
> That's why we need to have an FAQ, as I have proposed, on the
> differences between a voter-verified RECEIPT and a voter-verified
> BALLOT. Even a receipt does NOT ensure that the vote recorded in the
> computer is correct, and it does not ensure the ability to do manual
> recounts. Only voter verified BALLOTS do that. This is, in fact, a
> most important lesson from our demo, a point we need to make loud and
> clear. It is an important distinguishing factor between us and DREs
> with printers. Unless the receipts are themselves counted, the
> computer could print what the user wanted and the user's ballot
> recorded on the computer could still be wrong.

I agree too, that receipts are not very useful. The verification *data*
(the reciepts) is dispersed among millions of people. It would be
difficult to prove that something might be wrong with the electronic
copies to force a count of the real (paper) ballots since a group of
lawyers would not have all the verification data in their hands to prove
the electronic ballots are wrong. The receipts only give a warm and
fuzzy feeling for voters, but do not prove that their ballot was counted
-- just that their ballot is in a pool of ballots *claimed* to be
counted correctly. It also does not detect if extra illegal electronic
ballots are in the pool of ballots.

It would be better to have all verification data accessible. To give an
example, if the electronic ballots are signed with public/private keys,
then the public keys, signatures and ballots would be available for
anyone to download, verify the signatures, and count the ballots

Having voter-verified receipts is not bad, just less useful than
verification schemes that can verify the *whole* process. If they can
be included without conflicts, sure.


* The simple pub/priv key scheme is not very good: it doesn't detect
inserts or deletes, but you could add to the verification data a signed
list of ballot numbers printed by the voting machine -- but then you
have the paper jam issue where you will have signed ballot numbers but
the ballots legitimately should not be in the count.
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Wed Dec 31 23:17:14 2003

This archive was generated by hypermail 2.1.8 : Wed Dec 31 2003 - 23:17:19 CST