RE: Another proposal (was MORE Questions from election officials)

From: John Payson <jpayson_at_circad_dot_com>
Date: Tue May 04 2004 - 20:03:48 CDT

>>
I admit this does nothing to secure the central tabulation mechanism, but it
gives the voter, at a minimum, the knowledge that yes, their vote is in there
somewhere. The security of the tabulation mechanism is therefore highly
critical, but certainly no more so than in DRE, or receipt-less PPVB.
<<

What is necessary is that voters see their votes indelibly recorded in an
alteration-resistant and substitution-resistant medium. IMHO, if this is
combined with the ability to randomly select ballots for inspection and confirm
that those particular ballots had their votes recorded correctly, the only
meaningful attacks on the system will be (1) altering ballots, if possible; (2)
substituting fake ballots for real ones; or (3) using fake voters to cast
"real" ballots. A proper method of using paper ballots can pretty well take
care of #1; proper inventory control of counterfeit-resistant ballot stocks
should be able to take care of #2.

What I would like to see would be for every ballot to be marked with a uniqueID
for each race, in such a way that the uniqueIDs are not available to the voter.
After an election, the uniqueIDs for all the ballots in each race would be
published along with how they voted. The counting equipment would keep track
of the approximate physical location of each uniqueID, such that finding the
paper ballot for a particular uniqueID would not be overly difficult.

To use a simplified example, suppose there are two races, one between Alice and
Bob; the other between Yvette and Zack. There are six voters whose ballots get
marked as follows (shown in order cast). Note that each race's uniqueID may
consist of two parts--one which is global to the ballot as a whole and one
which is unique to that race. The combination of the whole-ballot part and the
race-specific part will be globally unique for that race, though the
whole-ballot part may (and in most cases will) be shared by many ballots.

  1436-23-10 (Alice) (Yvette)
  2930-59-29 (Bob) (Yvette)
  4202-49-29 (Alice) (Yvette)
  1436-94-54 (Alice) (Zack)
  1436-20-50 (Bob) (Zack)
  2930-19-67 (Alice) (Yvette)

Following the election, two lists would be published (sorted by uniqueID)

  1436-23 Alice
  1436-20 Bob
  1436-94 Alice
  2930-19 Alice
  2930-59 Bob
  4202-49 Alice

and

  1436-10 Yvette
  1436-50 Zack
  1436-54 Zack
  2930-29 Yvette
  2930-59 Yvette
  4202-29 Yvette

Anyone with an old IBM XT and a copy of BASIC could easily process those data
files and confirm the published vote totals (Alice 4 Bob 2; Yvette 4 Zack 2),
so the possibility of fraud in the tabulation software would be basically nil.
The scanning hardware and software could be checked by selecting a few ballots
at random from each race and comparing the recorded result with the actual
paper ballot.

One of the very powerful features of this approach is that even if one does not
trust the scanning hardware or software, one need only check a fairly small
number of ballots, chosen at random, to validate a much larger number. For
example, in an election with 2,000,000 ballots cast, inspecting 200 of them
chosen at random (i.e. 0.01%) would allow one to be fairly confident that at
least 99% were counted correctly and legitimately.

If someone decides to cheat the election by causing 1% of the ballots to be
misrecorded, no matter how cleverly the cheater tries to hide his fraud,
there's an 85% chance that someone who pulls 200 ballots at random will stumble
upon one of the misrecorded ones. If that happens, then all the ballots that
were scanned by that equipment can be run through another machine (perhaps
produced by a different vendor) to see if it records every ballot exactly the
same way as the first one. Any discrepancies can be used to guide further
investigations.

Has anyone here looked at the notion of allowing individual ballots to be
tracked? It would seem to add a huge amount of additional security to the
system at comparatively low cost. If uniqueIDs were assigned on a per-race
basis as above, that would avoid the possibility of someone being able to
determine whether anyone voted for some specific combination of offices. One
could tell that in some set of 50-500 ballots (depending upon how the uniqueID
fields are divided) 75% of people voted for candidate A in one race, 70% for
candidate B in another, and 60% for candidate C in a third race, but that
wouldn't let one know how many people voted for A, B, and C (with the numbers
given, it could be anywhere from 5% to 60%). Voter confidentiality would thus
be preserved.
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Mon May 31 23:17:13 2004
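The following script is an added illustration of the scheme in the message above; it is not code from the original post or from any project discussed on the list. It encodes the six constructed sample ballots from the post, builds the two per-race published lists, recounts them independently, shows what an observer can and cannot learn from one whole-ballot prefix, and works the 200-of-2,000,000 sampling figure as an exact hypergeometric probability. The function names, the ballot data layout, and the audit procedure are this example's own assumptions, not anything the post specifies.

```python
import random
from collections import Counter

# Constructed sample input: the six ballots from the post, in the order cast.
# Each entry is (whole-ballot part, per-race parts, per-race choices).
BALLOTS = [
    ("1436", ("23", "10"), ("Alice", "Yvette")),
    ("2930", ("59", "29"), ("Bob", "Yvette")),
    ("4202", ("49", "29"), ("Alice", "Yvette")),
    ("1436", ("94", "54"), ("Alice", "Zack")),
    ("1436", ("20", "50"), ("Bob", "Zack")),
    ("2930", ("19", "67"), ("Alice", "Yvette")),
]
N_RACES = 2


def publish_race_lists(ballots, n_races=N_RACES):
    """Build the per-race lists the post describes: one sorted list per race of
    (whole-part-race-part, choice). The race parts are never published side by
    side, so the lists cannot be joined back into whole ballots."""
    published = []
    for r in range(n_races):
        entries = [(f"{whole}-{parts[r]}", choices[r]) for whole, parts, choices in ballots]
        ids = [uid for uid, _ in entries]
        if len(set(ids)) != len(ids):  # a duplicate would hide or double-count a vote
            raise ValueError(f"race {r}: uniqueID collision in {ids}")
        published.append(sorted(entries))
    return published


def tally(published):
    """Independent recount from the published lists alone (the 'IBM XT and BASIC' step)."""
    return [dict(Counter(choice for _, choice in race)) for race in published]


def verify_totals(published, claimed):
    """True iff the claimed official totals match a recount of the published lists."""
    return tally(published) == claimed


def per_prefix_breakdown(published):
    """What an observer learns about one whole-ballot group: per-race counts only,
    never which choices sat on the same ballot."""
    out = {}
    for r, race in enumerate(published):
        for uid, choice in race:
            prefix = uid.split("-")[0]
            counts = out.setdefault(prefix, [Counter() for _ in published])
            counts[r][choice] += 1
    return {p: [dict(c) for c in counts] for p, counts in out.items()}


def detection_probability(n_ballots, n_misrecorded, n_sampled):
    """Chance that a random sample (drawn without replacement) of paper ballots
    contains at least one whose scanner record is wrong. Exact hypergeometric product;
    for 1% of 2,000,000 and a sample of 200 this is about 0.87."""
    p_all_clean = 1.0
    for i in range(n_sampled):
        p_all_clean *= (n_ballots - n_misrecorded - i) / (n_ballots - i)
    return 1.0 - p_all_clean


def audit(ballots, scanner_records, sample_size, seed=None):
    """Pull sample_size ballots at random and compare each paper ballot's choices with
    what the scanner recorded for it. Returns the indices of any discrepancies."""
    rng = random.Random(seed)
    picked = rng.sample(range(len(ballots)), sample_size)
    return sorted(i for i in picked if scanner_records[i] != ballots[i][2])


if __name__ == "__main__":
    lists = publish_race_lists(BALLOTS)
    for race in lists:
        for uid, choice in race:
            print(uid, choice)
        print()
    print("totals:", tally(lists))
    print("prefix 1436 reveals only:", per_prefix_breakdown(lists)["1436"])
    print("P(detect 1%% fraud, 200 of 2,000,000): %.3f"
          % detection_probability(2_000_000, 20_000, 200))
    # Constructed faulty scanner: it misrecords the second ballot's first race.
    records = [b[2] for b in BALLOTS]
    records[1] = ("Alice", "Yvette")
    print("discrepancies at indices:", audit(BALLOTS, records, 6, seed=1))
```

The collision check in `publish_race_lists` is the practitioner's caveat: the scheme's recount only proves anything if every uniqueID within a race is genuinely unique, since a duplicated ID could silently absorb or double-count a vote. The `per_prefix_breakdown` output shows the confidentiality argument from the last paragraph concretely: for prefix 1436 the lists reveal two Alice votes, one Bob vote, one Yvette vote and two Zack votes, but not which of the three ballots carried which pair.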