Re: Hand-marked paper ballots [ OVC-discuss Digest, Vol 28, Issue 32]

From: Hamilton Richards <hrichrds_at_swbell_dot_net>
Date: Sat Feb 17 2007 - 17:29:16 CST

At 11:53 AM -0800 2007/2/17, ovc-discuss-request@listman.sonic.net wrote:
>
>Message: 2
>Date: Sat, 17 Feb 2007 08:52:50 -0800
>From: Ronald Crane <voting@lastland.net>
>Subject: Re: [OVC-discuss] Hand-marked paper ballots [OVC-discuss
> Digest, Vol 28, Issue 29]
>To: Open Voting Consortium discussion list
> <ovc-discuss@listman.sonic.net>
>Message-ID: <45D732E2.5090904@lastland.net>
>Content-Type: text/plain; charset="us-ascii"
>
>An HTML attachment was scrubbed...
>URL:
>http://lists.sonic.net/mailman/private/ovc-discuss/attachments/20070217/0578ff4e/attachment-0001.html
>
>------------------------------
>

[A technical question: Can the way listman.sonic.net handles html be
fixed? The page to which the URL above links is not the original html
but a "lifted" version of it which browsers display as html source.
It is most disagreeable to read.]

After conversion from meta-html to html, Mr Crane's email reads as
follows (my responses are interspersed):

>Hamilton Richards wrote:
>At 4:20 PM -0800 2007/2/15, ovc-discuss-request@listman.sonic.net wrote:
>
>Message: 1
>Date: Thu, 15 Feb 2007 13:31:59 -0800
>From: Ronald Crane <voting@lastland.net>
>Subject: Re: [OVC-discuss] Hand-marked ballots [Re: OVC-discuss
> Digest, Vol 28, Issue 26]
>To: Open Voting Consortium discussion list
> <ovc-discuss@listman.sonic.net>
>Message-ID: <45D4D14F.5030400@lastland.net>
>Content-Type: text/plain; charset="us-ascii"
>
>An HTML attachment was scrubbed...
>URL:
>http://lists.sonic.net/mailman/private/ovc-discuss/attachments/20070215/aa4117dc/attachment-0001.html
>
> The attachment included the following:
>
>
> Hand-marked ballots are not a panacea, just more transparent and more
> secure -- overall -- than machine-marked ballots. While both HMB and
> MMB are susceptible to local attacks, such as you describe,
>
> No, my point was that MMB are NOT susceptible to these attacks.
>
>That's just incorrect. Local officials can -- intentionally or
>inadvertently -- load an attacker's software into their machines. Or
>perhaps a single pollworker does it, and perhaps it spreads to the
>remaining machines via a mechanism like that the Princeton team
>demonstrated. http://itpolicy.princeton.edu/voting/summary.html .
>The kinds of attacks that can thus be waged locally are just like
>the attacks, below, that can be waged globally.

Sure, but given that each voter would physically transport her ballot
from the printer to the ballot box, fraudulent software would be much
more likely to be detected than it is in paperless DREs. No one can
guarantee that every case will be detected, but the high risk of
detection reduces fraud's expected payoff, and makes it
correspondingly less likely.

> MMB are
> also susceptible to global attacks emanating from a few people at a
> vendor, testing lab, or state elections supervisor [1]. These attacks
> can affect many states at a time, instead of only a precinct or a
> county at a time. Some potential attacks on MMB are (1) presentation
> attacks (dropping candidates from ballot, rearranging ballot,
> modulating sensitivity of touch-screen depending on candidate, etc.);
> (2) denial- (or delay-) of-service attacks (which lengthen lines,
> causing selective vote loss); (3) ordinary misprint attacks (misprint
> ballot and bet on voter not verifying it, like most voters won't); and
> (4) ballot spoofing attacks (print ballot that looks fine to humans,
> but that is, e.g., registered so that it scans incorrectly).
>
> Machines just shift the manipulation of voter intent from places that
> can be made relatively visible (like election judges' handling of
> "pregnant chads") to places that are almost entirely opaque -- the
> innards of the voting machines.
>
> But every single one of the global attacks described above depends for
> its success on escaping detection, and every one of them reveals
> itself in ways that are bound to be detected -- not every time, but
> often enough to make the fraud infeasible.
>
>
>Every one of these attacks, even if noticed and reported by a
>dedicated, persistent voter (not likely), will get attributed to
>"voter error," a "glitch," or (at worst) a "single defective
>machine." Please see the excuses flying over the 18,000 mystery
>undervotes in Sarasota. Yes, that's a pure DRE -- but voters noticed
>all kinds of problems, and officials basically dismissed all of
>them.
>http://heraldtribune.com/apps/pbcs.dll/article?AID=/20061108/NEWS/611080885/-1/NEWS0521
>;
>http://heraldtribune.com/apps/pbcs.dll/article?AID=/20061114/NEWS/611140661/-1/NEWS0521E
>.
>
> Contrast this with the threat of paperless DREs, in which vote counts
> can be altered with absolutely no chance of detection.
>
>Paperless DREs are worse, but ballot printers are also badly problematic.
>
>-R

Claims that voters don't check their printed ballots are based on
observations of machines that printed tiny audit-trail images and
displayed them under glass. The OVC voting station prints ballots on
letter-size paper, and delivers them into the voter's hands.
Conclusions based on obviously inferior designs just don't apply.
    Actual evidence that voters do check their ballots is found in the
first of the two HeraldTribune accounts (helpfully linked in Mr.
Crane's email) of the 18,000-vote glitch in Florida's 13th. The story
says that "Throughout the day, dozens of people complained that their
votes in the 13th Congressional District were not recorded properly."
Surely those dozens of voters would have noticed, and complained
about, discrepancies in printed ballots. Perpetrators of attacks
that produce incorrect ballots have to believe that of the 100 or so
voters that use a machine during a typical election day not a single
one will notice and report an error.
    Furthermore, there's a world of difference between a voter
claiming an error on a paperless DRE and a voter with printed
evidence in hand. The latter will be much harder for election
officials to ignore, especially when observers from several parties
are on hand to watch for anomalies and document them.

I concede that denial of service attacks are harder to defend
against, but they are hardly limited to e-voting machines. Any
polling place can be shut down by interruption of its lighting,
heating, or plumbing facilities -- or by a bomb threat. DOS attacks
targeted specifically at voting machines could be handled by
supplying each polling place with one copy of each ballot image, an
ordinary photocopier, and a good supply of marking pens.

Best wishes to all,

--Ham

-- 
------------------------------------------------------------------
Hamilton Richards, PhD           Department of Computer Sciences
Senior Lecturer (retired)        The University of Texas at Austin
ham@cs.utexas.edu                hrichrds@swbell.net
http://www.cs.utexas.edu/users/ham/richards
------------------------------------------------------------------
==================================================================
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
==================================================================
Received on Wed Feb 28 23:17:21 2007
