Re: Renewed anonymity concern in OVC design

From: charlie strauss <cems_at_earthlink_dot_net>
Date: Thu Jul 08 2004 - 15:54:28 CDT

I'm puzzled over David Mertz's suggestion of using a hash of the ballot plus a seed as the UID. I don't think he solved his own proposed problem.

By the way, the word you are seeking is "confederate", not colluder.

First, does this hash solve the problem he posed? No, it actually makes it worse, if I understand his scheme correctly.
First, the original problem was that if you were forced to reveal your UID then a confederate with access to the paper ballots could fish your ballot out of the stack. The same is true of the hashed UID. It is still a UID to your ballot regardless of how it is derived. Second, the problem is worse now because if you know the seed then you don't even need the colluder; the hash plus seed is all you need to know to invert the hash to the ballot (either enumeratively or by going here: http://passcracking.com/).

Alan pointed out the old camera issue. Dave suggested that taking a picture of a ballot, then spoiling it and voting again, would solve Alan's issue. Not so. Under Dave's confederate scenario, the UID of the spoiled ballot will be missing from the stack if the UID is a hash of the (now changed) contents. And the confederate will report this. Alternately, if, instead of the content-based hash, the UID is the same for the whole voter session, so that the spoiled and real ballots have the same UID, then when the confederate pulls the ballot from the stack he will know the true vote (and that you faked a photo, so you get both knees broken).

So anyhow, I don't see how Dave is solving his own posed problem here.

It seems to me that the suggestion of obfuscating the UID, so that Joe Average voter could not possibly even write it down successfully, is sufficient against anything short of the combined use of a camera and a confederate. Going beyond this starts to get silly, since now we could just imagine a hidden web cam stuck in the ceiling or a tap on the video display as much simpler engineering attacks.

For obfuscation, I don't like the 20-digit approach, as that can be written down. Instead bury it in the barcode, or use a Klingon font; anything that most people could reasonably claim that they would not be able to write down successfully, and thus foil Mr. Knee Breaker.

==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Sat Jul 31 23:17:07 2004
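
The two objections in the message above to a content-derived UID, as an added example that is not part of the original post or of any OVC code: with the seed known, the ballot space is small enough to enumerate, and a re-voted ballot no longer produces the photographed UID. The contest layout, the use of SHA-256, the seed-then-ballot concatenation and all function names are assumptions, since the thread does not specify the scheme.

```python
import hashlib
import itertools
import secrets

# Constructed sample contests; the real ballot layout is not given in the thread.
CONTESTS = {
    "president": ["A", "B", "C", "none"],
    "senator": ["D", "E", "none"],
    "measure_1": ["yes", "no", "none"],
}

def encode(ballot):
    """Canonical byte encoding of a ballot (assumed format)."""
    return ";".join(f"{c}={ballot[c]}" for c in CONTESTS).encode()

def content_uid(ballot, seed):
    """Assumed form of the proposal: UID = SHA-256(seed || ballot contents)."""
    return hashlib.sha256(seed + encode(ballot)).hexdigest()

def random_uid():
    """Baseline for comparison: a UID drawn independently of the contents."""
    return secrets.token_hex(32)

def ballot_space_size():
    """Number of distinct ballots a full enumeration has to hash."""
    n = 1
    for options in CONTESTS.values():
        n *= len(options)
    return n

def recover_ballot(uid, seed):
    """Hash every possible ballot; return the one whose content UID matches."""
    names = list(CONTESTS)
    for choices in itertools.product(*(CONTESTS[n] for n in names)):
        candidate = dict(zip(names, choices))
        if content_uid(candidate, seed) == uid:
            return candidate
    return None  # the UID is not a function of any ballot under this seed

if __name__ == "__main__":
    seed = b"constructed-seed"
    photographed = {"president": "A", "senator": "D", "measure_1": "yes"}
    revoted = dict(photographed, president="B")  # spoil, then vote again
    uid = content_uid(photographed, seed)
    print("ballots to enumerate:", ballot_space_size())
    print("recovered from UID and seed alone:", recover_ballot(uid, seed))
    print("photographed UID still in stack:", uid == content_uid(revoted, seed))
    print("recovered from a random UID:", recover_ballot(random_uid(), seed))
```

A random UID still links a voter to a ballot once it is revealed, which is the original problem the message restates; the comparison only shows that it does not additionally encode the vote.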
