Open Voting Consortium Press Release

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Wed Mar 24 2004 - 17:31:37 CST

Eron Lloyd <> wrote:
|A press kit is exactly what I was talking about the other evening on the
|phone. I have some experience with this from political campaigns and other
|activities I've worked on in the past, and can offer help here.

I'll second this. Apart from the logos and photos and stuff, there are a
couple of particular security/design Q&A issues I'd like to get included.

I talked with Alan, and he suggested I might produce a page flyer on
security matters. Maybe Eron can include such a thing in a press kit.

Karl's FAQ at:

Is great, and I think it should be cited in a press package. But it
doesn't look at these security issues specifically. Our Wiki at:

Contains some good security stuff, but I don't think we want to invite
just everyone to join a Wiki discussion (but I *did* update today the
link at which had pointed to the earlier Wiki

Based on the /. discussion, and also on some other recent articles that
may or may not mention OVC itself, a couple of possible misunderstandings
(by reporters) come to my mind.

  Q: What is the difference between a paper receipt and a paper ballot?

  A: We speak of OVC creating a paper BALLOT, not a receipt, nor simply
     a "paper trail." That is, for OVC machines, the printout from a
     voting station is the primary and official record of votes cast by
     a voter. Electronic records may be used for generating preliminary
     results more rapidly, but the paper is the vote.

     Some writers discuss producing a paper receipt, which a voter might
     carry home with them, as they do an ATM receipt. There are two
     significant problems with this approach. In the first place, if we
     suppose that a voting station might have been tampered with and/or
     simply contain a programming error, it is not a great jump to imagine
     that it may print out a record that differs from what it records
     electronically. A receipt is a "feel good" approach that fails to
     correct the flaws of DREs.

     But the second problem with receipts is even more fundamental. A
     voting receipt that can be carried away by a voter enables vote
     buying and vote coercion. An interested third party--even someone
     as seemingly innocuous as an overbearing family member--could
     demand to see a receipt for voting in a manner desired. With OVC
     systems, ballots must be placed into a sealed ballot-box to count
     as votes. If a voter leaves with an uncast ballot, even if she
     went through the motions of printing it at a vote station, that
     simply does not represent a vote that may be "proven" to a third

     What some vendors refer to as a paper trail suffers from a weakness
     similar to the first problem paper receipts suffer. Under some
     such models, a DRE voting station might print out a summary of
     votes cast at the end of the day (or at some other interval). But
     such a printout is also just a "feel good" measure. If a machine's
     software or hardware can be flawed out of malice or error, it can
     very well print a tally that fails to accurately reflect the votes
     cast on it. It is not paper that is crucial, but

  Q: Some voting systems I have heard about use a system where a paper
     ballot is displayed under glass, but not handled directly by a
     voter. It seems like those systems would prevent ballot-stuffing,
     since voters do not have direct access to ballot-boxes. Why
     doesn't OVC use that approach?

  A: There are several narrowly technical problems with "ballot under
     glass" systems. For one thing, such a system will almost
     inevitably be more expensive than one like ours that can use
     commodity printers and paper stock. But voting is too important to
     be decided on cost, so that is an incidental issue. Along a
     similar line, a "ballot under glass" system has some extra
     mechanical problems with allowing rejection of incorrect ballots;
     some sort of mechanism for sending a spoiled ballot to a shredder
     rather than to the ballot-box is needed. Again, this adds cost and
     more points of physical failure.

     A more significant issue for "ballot under glass" systems is their
     failure to provide the quality of accessibility to vision- or
     reading-impaired voters that OVC's design does. Ordinary sighted
     voters who happen to need reading glasses are likely to find
     "ballot under glass" systems more difficult to check than are OVC
     printed ballots. Even if these machines add provisions for audio
     feedback on final ballots, users are dependent on the very same
     machine to provide such audio feedback. Potentially, a
     tampered-with machine could bias votes, but only for blind voters
     (still perhaps enough to change close elections). In contrast, OVC
     positively encourages third parties to develop software to assure
     the barcode encoding of votes matches the visibly printed
     votes--every voter is treated equally, and all can verify ballots.

     From a more sophisticated cryptology perspective, "ballot under
     glass" systems are likely to compromise voter anonymity in subtle
     ways. One of the issues the world-class security researchers with
     OVC have considered is the possibility that sequential or
     time-stamp information on ballots could be correlated with the
     activity of individual voters. Even covert videotaping of the
     order in which voters enter a polling place might be used for such
     a compromise. Security experts are folks who get paid to think
     about even the most nefarious attacks on systems, and voting is
     important enough to merit such paranoia.

     While "ballot under glass" does indeed do a pretty good job of
     preventing ballot-box stuffing with forged physical ballots, this
     approach is not the only--nor even the best--technique to
     accomplish this goal. We plan for OVC systems to incorporate
     cryptographic signatures and precinct-level customization of
     ballots that can convincingly prove a ballot is produced on
     authorized machines, at the voting place, rather than forged
     elsewhere. A simple customization of ballots is a variation of the
     page position of our ballot watermarks in a manner that a tamperer
     cannot produce in advance. Surprisingly much information can be
     subtly coded by moving two background images a few millimeters in
     various directions. Another option is to encode a cryptographic
     signature within the barcode on a ballot--in a manner that can be
     mathematically proven not to disclose anything about the individual
     voter who cast that vote, but simultaneously that cannot be forged
     without knowledge of a secret key. There is a lot you can do with
     fancy math.
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Wed Mar 31 23:17:09 2004
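
The two ballot-authentication ideas in the message's last answer (key-dependent watermark positions and a keyed tag inside the barcode), as an added example that is not part of the original message and not OVC code. HMAC-SHA256 stands in for the signature scheme, so the verifier must hold the same secret; the key, field layout, random nonce and 3 mm range are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample key; a real one would be provisioned per precinct (assumption).
PRECINCT_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
MAX_SHIFT_MM = 3  # assumed range for "a few millimeters"


def _mac(key, label, data):
    # Domain-separated HMAC so watermark and barcode tags never collide.
    return hmac.new(key, label + b"\x00" + data, hashlib.sha256).digest()


def watermark_offsets(key, precinct_id):
    """(dx, dy) shifts in mm for two background images, unpredictable without the key."""
    digest = _mac(key, b"watermark", precinct_id.encode())
    span = 2 * MAX_SHIFT_MM + 1
    dx1, dy1, dx2, dy2 = (b % span - MAX_SHIFT_MM for b in digest[:4])
    return (dx1, dy1), (dx2, dy2)


def encode_barcode(key, precinct_id, selections, nonce=None):
    """Barcode text: precinct|nonce|selections|tag. No voter, time or sequence data."""
    nonce = nonce or secrets.token_hex(8)  # random, so it reveals no casting order
    fields = [precinct_id, nonce, *selections]
    if any("|" in f or "," in f for f in fields):
        raise ValueError("delimiter inside a field")
    payload = "|".join([precinct_id, nonce, ",".join(selections)])
    tag = _mac(key, b"ballot", payload.encode()).hex()[:32]
    return payload + "|" + tag


def verify_barcode(key, barcode):
    """True only if the tag was computed with this key over exactly this payload."""
    payload, _, tag = barcode.rpartition("|")
    expected = _mac(key, b"ballot", payload.encode()).hex()[:32]
    return hmac.compare_digest(tag.encode(), expected.encode())


if __name__ == "__main__":
    code = encode_barcode(PRECINCT_KEY, "P-017", ["mayor:2", "prop-a:yes"])
    print(watermark_offsets(PRECINCT_KEY, "P-017"))
    print(code, verify_barcode(PRECINCT_KEY, code))
    print(verify_barcode(PRECINCT_KEY, code.replace("mayor:2", "mayor:1")))
```

The tag covers only the precinct, a random nonce and the selections, so it carries nothing that links a ballot to a voter or to the order of casting. A repeated nonce at counting time flags a photocopied ballot.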

This archive was generated by hypermail 2.1.8 : Wed Mar 31 2004 - 23:17:12 CST