Re: MORE Questions from election officials

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Tue May 04 2004 - 01:35:39 CDT

Excellent responses, James. Welcome on board.

On May 4, 2004, at 2:03 AM, james_in_denver wrote:
> 2.3 "The simplest form of paper ballot manipulation is ballot-box
> stuffing, that is, inserting extra ballots, usually genuine ones that
> have been pre-marked, into the container meant to hold only those voted
> by registered voters"

I would add here that Shamos assumes OVC systems will NOT have
cryptographic signatures incorporated into the paper ballots, nor other
fraud-protection counter-measures. Signatures, of course, are
associated with individual machines or with polling places, not with
individual voters (preserving anonymity).

Even the demo used a basic watermarking with background images; the OVC
discussion has always assumed cryptographic protections will be
incorporated to the production system. Me and other members have
discussed some of the details of exactly how they will be used. But
generally, it is quite possible to make pre-marked ballots
computationally infeasible (as in, e.g., it might take a million
machines working for a year to figure out how to forge ballots matching
one individual polling place).

> This is no small accomplishment, but it can be achieved in numerous
> other ways, as explained below. That is the only voter-verified part.
> The paper trail provides no assurance at all that her vote will ever
> be counted or will be counted correctly. The reason simply is that
> the paper trail itself becomes insecure at the moment of its creation"

Every system relies to some degree on procedural protections. It's
true that if the poll workers torch the polling place (taking both
paper and smart cards or CD-Rs with it) before polls close, votes will
be lost. That's true under every system.

But OVC-style systems at least guarantee to a voter that an verified
paper makes it as far as a poll workers hands (or rather to the ballot
box, available for counting at the end of the day). A DRE might
corrupt a vote before even the most saintly and well-meaning poll
worker has the opportunity to carry out mandated procedures.

> 2.4 "First, if the machine cannot be trusted, which is the working
> hypothesis of paper trail proponents, then it cannot be trusted to deal
> with the paper trail safely. After the voter leaves the voting booth,
> it can mark her ballot as void and print a different one.

This does not apply to OVC designs, though it does to a certain degree
to the Mercuri method (ballot-under-glass). See the document I wrote
under Security on the EVM2003 site for a discussion of why OVC is
better than ballot-under-glass (also incorporated with slight edits
into Karl's FAQ).

> This presupposes that a voter does not maintain a verifiable "receipt"
> of their voting record.

Watch out James! Yours is a lot of people's intuition. But it's also
an invitation to compromise anonymity, and enable vote coercion or vote
buying. OVC designs don't create -receipts-. See the same
above-referenced Security document for a discussion of this.

> In Brazil in 2003, where a small number of precincts had installed
> paper trails, failure of the
> printers delayed voters by as much as 12 hours, a figure that would be
> catastrophic in the U.S.[32]"

This is, in brief, a lie. Doug Jones recently posted a useful critique
of the Brazilian DRE system, written by critics in Brazil. Basically,
the test of paper records was rigged to fail, so that DRE-proponents
could claim "We told you so."

> Can a piece of paper be a ballot if it is neither marked nor touched
> by the voter?"

Again, this is only ballot-under-glass, nothing to do with OVC.

> I am newly arrived on this project, however, after several hours of
> thought on this matter, PPVB will require that the voter maintain a
> "receipt"

No, no, no! See above. Ballot, yes. Receipt, no.

But it's possible you're thinking of something like the Chaum method.
It's cryptographically OK, but way too complicated for real life voters
to ever understand or trust.

> Thus paper recount will become the default method of vote counting,
> mitigated only by the high cost of
> such recounts. If this is to be the case, why use voting machines in
> the first place?"

More sophistry. The answers are obvious (and well documented in OVC
materials): Increase voter-intent accuracy; enable disabled
accessibility; allow multi-lingual voting; provide redundant checks of
integrity; etc.

Yours, David..
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Mon May 31 23:17:08 2004

This archive was generated by hypermail 2.1.8 : Mon May 31 2004 - 23:18:15 CDT