Re: Open Voting Consortium Press Release

From: Arthur Keller <arthur_at_kellers_dot_org>
Date: Wed Mar 24 2004 - 23:41:54 CST

At 6:31 PM -0500 3/24/04, David Mertz wrote:
>Eron Lloyd <elloyd@lancaster.lib.pa.us> wrote:
>|A press kit is exactly what I was talking about the other evening on the
>|phone. I have some experience with this from political campaigns and other
>|activities I've worked on in the past, and can offer help here.
>
>I'll second this. Apart from the logos and photos and stuff, there are a
>couple of particular security/design Q&A issues I'd like to get included.
>
>I talked with Alan, and he suggested I might produce a page flyer on
>security matters. Maybe Eron can include such a thing in a press kit.
>
>Karl's FAQ at:
>
> http://www.openvotingconsortium.org/faqs.htm
>
>Is great, and I think it should be cited in a press package. But it
>doesn't look at these security issues specifically. Our Wiki at:
>
> http://gnosis.python-hosting.com/cgi-bin/wiki.cgi
>
>Contains some good security stuff, but I don't think we want to invite
>just everyone to join a Wiki discussion (but I *did* update today the
>link at evm2003.sourceforge.net which had pointed to the earlier Wiki
>page).
>
>Based on the /. discussion, and also on some other recent articles that
>may or may not mention OVC itself, a couple of possible misunderstandings
>(by reporters) come to my mind.
>
> Q: What is the difference between a paper receipt and a paper ballot?
>
> A: We speak of OVC creating a paper BALLOT, not a receipt, nor simply
> a "paper trail." That is, for OVC machines, the printout from a
> voting station is the primary and official record of votes cast by
> a voter. Electronic records may be used for generating preliminary
> results more rapidly, but the paper is the vote.
>
> Some writers discuss producing a paper receipt, which a voter might
> carry home with them, as they do an ATM receipt. There are two
> significant problems with this approach. In the first place, if we
> suppose that a voting station might have been tampered with and/or
> simply contain a programming error, it is not a great jump to imagine
> that it may print out a record that differs from what it records
> electronically. A receipt is a "feel good" approach that fails to
> correct the flaws of DREs.
>
> But the second problem with receipts is even more fundamental. A
> voting receipt that can be carried away by a voter enables vote
> buying and vote coercion. An interested third party--even someone
> as seemingly innocuous as an overbearing family member--could
> demand to see a receipt for voting in a manner desired. With OVC
> systems, ballots must be placed into a sealed ballot-box to count
> as votes. If a voter leaves with an uncast ballot, even if she
> went through the motions of printing it at a vote station, that
> simply does not represent a vote that may be "proven" to a third
> party.
>
> What some vendors refer to as a paper trail suffers from a weakness
> similar to the first problem paper receipts suffer. Under some
> such models, a DRE voting station might print out a summary of
> votes cast at the end of the day (or at some other interval). But
> such a printout is also just a "feel good" measure. If a machine's
> software or hardware can be flawed out of malice or error, it can
> very well print a tally that fails to accurately reflect the votes
> cast on it. It is not paper that is crucial, but
> *voter-verifiability*.
>
> Q: Some voting systems I have heard about use a system where a paper
> ballot is displayed under glass, but not handled directly by a
> voter. It seems like those systems would prevent ballot-stuffing,
> since voters do not have direct access to ballot-boxes. Why
> doesn't OVC use that approach?
>
> A: There are several narrowly technical problems with "ballot under
> glass" systems. For one thing, such a system will almost
> inevitably be more expensive than one like ours that can use
> commodity printers and paper stock. But voting is too important to
> be decided on cost, so that is an incidental issue. Along a
> similar line, a "ballot under glass" system has some extra
> mechanical problems with allowing rejection of incorrect ballots;
> some sort of mechanism for sending a spoiled ballot to a shredder
> rather than to the ballot-box is needed. Again, this adds cost and
> more points of physical failure.
>
> A more significant issue for "ballot under glass" systems is their
> failure to provide the quality of accessibility to vision- or
> reading-impaired voters that OVC's design does. Ordinary sighted
> voters who happen to need reading glasses are likely to find
> "ballot under glass" systems more difficult to check than are OVC
> printed ballots. Even if these machines add provisions for audio
> feedback on final ballots, users are dependent on the very same
> machine to provide such audio feedback. Potentially, a
> tampered-with machine could bias votes, but only for blind voters
> (still perhaps enough to change close elections). In contrast, OVC
> positively encourages third parties to develop software to assure
> the barcode encoding of votes matches the visibly printed
> votes--every voter is treated equally, and all can verify ballots.
>
> From a more sophisticated cryptology perspective, "ballot under
> glass" systems are likely to compromise voter anonymity in subtle
> ways. One of the issues the world-class security researchers with
> OVC have considered is the possibility that sequential or
> time-stamp information on ballots could be correlated with the
> activity of individual voters. Even covert videotaping of the
> order in which voters enter a polling place might be used for such
> a compromise. Security experts are folks who get paid to think
> about even the most nefarious attacks on systems, and voting is
> important enough to merit such paranoia.
>
> While "ballot under glass" does indeed do a pretty good job of
> preventing ballot-box stuffing with forged physical ballots, this
> approach is not the only--nor even the best--technique to
> accomplish this goal. We plan for OVC systems to incorporate
> cryptographic signatures and precinct-level customization of
> ballots that can convincingly prove a ballot is produced on
> authorized machines, at the voting place, rather than forged
> elsewhere. A simple customization of ballots is a variation of the
> page position of our ballot watermarks in a manner that a tamperer
> cannot produce in advance. Surprisingly much information can be
> subtly coded by moving two background images a few millimeters in
> various directions. Another option is to encode a cryptographic
> signature within the barcode on a ballot--in a manner that can be
> mathematically proven not to disclose anything about the individual
> voter who cast that vote, but simultaneously that cannot be forged
> without knowledge of a secret key. There is a lot you can do with
> fancy math.

Finally, what do the "ballot under glass" systems do if the printed
ballot is WRONG, possibly because the voter made a mistake? In our
system, you start over and print another one and submit that one
instead. (We really need a better solution to that problem, though.)

Best regards,
Arthur

-- 
-------------------------------------------------------------------------------
Arthur M. Keller, Ph.D., 3881 Corina Way, Palo Alto, CA  94303-4507
tel +1(650)424-0202, fax +1(650)424-0424
==================================================================
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
==================================================================
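The quoted answer sketches a barcode that carries a keyed authenticator so tally software can reject ballots not produced on an authorized machine, while the barcode itself holds nothing that points back to a voter. The sketch below is an added example written for this archive page, not OVC or EVM2003 code: HMAC-SHA256 with an assumed per-precinct key stands in for the digital signature the post mentions, and the precinct id, key and vote choices are constructed for illustration.

```python
"""Ballot barcode payload with a precinct-keyed authenticator.

Added illustration, not project code.  HMAC-SHA256 stands in for the
cryptographic signature described in the post; a real deployment would
use a public-key signature so tally stations need no secret.  The
payload carries only the precinct id and the canonical vote choices:
no timestamp and no sequence number, so nothing in the barcode can be
correlated with the order in which voters entered the polling place.
"""
import hashlib
import hmac
import json

# Assumed: a secret loaded only onto that precinct's authorized machines.
PRECINCT_KEY = b"constructed-demo-key-for-precinct-12"
PRECINCT_ID = "precinct-12"
TAG_HEX_LEN = 32  # 128-bit tag keeps the barcode short


def canonical_votes(votes: dict) -> str:
    """Sorted, compact JSON so identical choices always give identical bytes."""
    return json.dumps(votes, sort_keys=True, separators=(",", ":"))


def _tag(body: str, key: bytes) -> str:
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()[:TAG_HEX_LEN]


def encode_barcode(votes: dict, key: bytes = PRECINCT_KEY) -> str:
    """Payload layout: <precinct>|<canonical votes>|<tag over both>."""
    body = PRECINCT_ID + "|" + canonical_votes(votes)
    return body + "|" + _tag(body, key)


def decode_barcode(payload: str, key: bytes = PRECINCT_KEY):
    """Return (precinct, votes) if the tag verifies, else None."""
    precinct, rest = payload.split("|", 1)
    body_json, tag = rest.rsplit("|", 1)
    body = precinct + "|" + body_json
    if not hmac.compare_digest(tag, _tag(body, key)):
        return None  # tampered contents or not produced with this precinct's key
    return precinct, json.loads(body_json)


def ballot_matches_printed(payload: str, printed: dict) -> bool:
    """The third-party check the post invites: the barcode must encode
    exactly the choices the voter can read on the printed ballot."""
    decoded = decode_barcode(payload)
    return decoded is not None and decoded[1] == printed


if __name__ == "__main__":
    sample = {"Governor": "Candidate B", "Prop 7": "No"}  # constructed
    payload = encode_barcode(sample)
    print(payload, decode_barcode(payload))
```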
Received on Wed Mar 31 23:17:09 2004

This archive was generated by hypermail 2.1.8 : Wed Mar 31 2004 - 23:17:12 CST