Re: Ballot box stuffing prevention

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Sat May 15 2004 - 22:32:52 CDT

On May 15, 2004, at 8:03 PM, Alan Dechert wrote:
> There will be no certified system until we get funding to do the work.
> Part
> of the study will be to set up trials to work this out--along with many
> other issues that have to be tested. Different people have different
> ideas
> on the best way to do this. We will find this out. We don't go into a
> funded scientific study claiming to know all the answers in advance.

This seems like a good attitude. I do hope that such agnosticism
applies even to the idea that Alan has had for several years.

I think there are four approaches put out there, at this point:

Ed: No token, machine activated each time by poll worker. Poll worker
knows just one secret (i.e. PIN), or maybe one per party/ballot.
Minimal points of software failure; but possible security issue with
disclosure/leak of the secret.

Alan: Extremely dumb token, i.e. just a digit for party/ballot.
Requires more physical monitoring than other systems (poll workers
watch for printer actions; check envelope for extra ballots; etc).
Nothing is kept secret, so no disclosure danger at all. Absolute
minimum of software failure points.

David: Moderately dumb token, i.e. 3-4 digits of PIN and 1-2 digits of
randomized party/ballot specifier. Token is unique for each voter, so
more information needs to be maintained/conveyed than in the Ed or Alan
approaches. Disclosure risk limited by avoiding any global secret
(such as Ed's master PIN), but possible leak of next few valid tokens.
More software failure points than Ed/Alan, but still not that many.

Arthur: Really smart token, i.e. a little electronic card with a CPU
and a bunch of crypto codes. Lots of global secret information, but
tied to a physical object and not easily disclosable (but perhaps
capturable to cause disruption/fraud). Whole lot of extra points for
software failure.

> This is not a "trust us" procedure. If there are 501 signatures on the
> roster, then there better be 501 ballots in the ballot box.

Well... there BETTER be NO MORE THAN 501 ballots in the box. While not
desirable, it is likely that a small fraction of voters will leave the
polling place without casting their ballot into the box. Poll workers
cannot themselves fully avoid this by following procedures, untrained
voters also have a role.
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Mon May 31 23:17:45 2004

This archive was generated by hypermail 2.1.8 : Mon May 31 2004 - 23:18:16 CDT