Re: Why PIN or smartcard is REQUIRED

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Sun May 16 2004 - 15:09:40 CDT

On May 16, 2004, at 3:07 PM, Arthur Keller wrote:
> I'd like to figure out a way to make Ellen's system work. It is
> cheaper than smart cards and has other benefits too. One thing that
> hasn't been mentioned, I think, with Ellen's system is that it is
> important to get the orientation of the ballot paper right when
> depositing it into the printer. Perhaps this could be made easier by
> having one corner of the paper cut

I think the most obvious way to make Ellen's system address this
concern is to simply make all four orientations permissible. You
pre-print the party number (or party name even) face-up at top-right,
and face-down at bottom-left; and do it on both sides of the paper. No
matter how the voter inserts the paper, the party name/number is at top
right relative to the printed votes.

My concern here is with forgery of pre-printed ballots. If the whole
pre-printing consists of a couple numbers in Times Roman, it's not hard
for someone to go do the same thing at home. And then maybe hand out a
stack of "Democratic" ballots to their Republican friends (or
vice-versa) in a closed-primary state.

But special watermarks on the paper, perhaps customized per polling
place, would address this. Customization could be by moving images
around a little bit on the page, as we discussed a number of months
ago. Or maybe by Karl's clever idea from WellsFargo of putting random
seeming dots scattered over the page, but actually in specific
positions. It would take some effort to copy that (I can think of some
ways to make it even harder to copy, e.g. diversion pixels, but that's
for later).

> There are two problems I see with Ed's approach (poll worker sign in
> all voters). One is labor intensive.

I don't see this as nearly so much an issue. If there are lines, they
will be mostly caused by voting times, not by initialization times.
E.g. if each voter takes 5 minutes to vote, and a poll worker takes 20
seconds to walk to a machine and enter a PIN, the addition of the PIN
step has little effect on total wait times.

> They can also get problematic with David's (PIN) approach for those
> who pick the wrong voting machine line to wait in. Ellen's (ballot
> form) and the smart card approaches allow for a shared queue to all
> the polling machines and usually without extra poll worker labor at
> that point.

The shared queue thing might be important. I recognize that my
proposal (in the first pass) requires separate queues for each machine.
In the places I've voted, that's always been the case anyway
(actually, there's usually little line at all). But places no doubt
vary more widely than my experience.

Thinking about it, it wouldn't be terribly difficult to use a common
PIN list for multiple machines (even with no networking). You'd have
to either put the list on the EVMix CDs before delivery, or transfer it
to each machine at the beginning of the day though. After that,
machines would accept not just the very NEXT PIN, but would search
forward for N PINs. If a matching PIN was found, say, 10 slots
forward, it could still be accepted, and the intervening 9 "crossed
off" in memory. The assumption would be that 9 votes had happened on
other machines since the time this machine was last used. Each
machine, in this scenario, would need a list long enough to accommodate
all the voters at a given polling place, not only the number of voters
expected for an individual machine.

Using the above variation prevents reuse of a prior PIN by
collaborators later in the day, so there is no real disclosure risk.
An attack that might be possible is to share a PIN for nearly
simultaneous votes, hence conceivably allowing a very small number of
malicious collaborators to vote in improper party ballots (they'd still
have to be actual registered voters affiliated with other parties; and
the attack only works if the several queues move at the right rate).

Compared to the hundreds of attacks that "black box" smartcards are
susceptible to, I still like vulnerability better. And Alan's and
Ellen's ideas seem vulnerable to forgery still (but maybe addressable).
I don't worry about the labor of Ed's idea, but I do worry about
disclosure of the master PIN, which potentially endangers a whole day
of voting. Disclosure of my PINs is inherently self-limiting in the
fraud potential. That's not true of any of the other four ideas; in
all of them, attacks can be global.
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
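The shared-PIN-list variation described in the message above (each machine accepts the next expected PIN or one up to N slots ahead, crossing off the skipped slots), written out as an added example; this is not code from the list's project or from the author. The PIN values, the window size of 3 and the two-machine scenario are constructed for illustration, and the end-of-day reconcile step is an added check that surfaces the near-simultaneous sharing case the author mentions.

```python
class PinLedger:
    """One machine's copy of the shared PIN list with a look-ahead window."""

    def __init__(self, pins, lookahead):
        self.pins = list(pins)
        self.lookahead = lookahead
        self.cursor = 0        # index of the next expected PIN
        self.accepted = []     # PINs this machine has accepted today

    def accept(self, pin):
        # Search the next expected slot plus `lookahead` slots beyond it.
        window = self.pins[self.cursor:self.cursor + self.lookahead + 1]
        if pin not in window:
            return False       # already behind the cursor, forged, or too far ahead
        offset = window.index(pin)
        # Slots skipped over are assumed spent on other machines: cross them off
        # by moving the cursor past the matched slot, so none can be reused here.
        self.cursor += offset + 1
        self.accepted.append(pin)
        return True


def reconcile(machines):
    """End-of-day check: a PIN accepted on more than one machine was shared."""
    seen = {}
    for name, ledger in machines.items():
        for pin in ledger.accepted:
            seen.setdefault(pin, []).append(name)
    return {pin: names for pin, names in seen.items() if len(names) > 1}


def demo():
    # Constructed sample list (a real list would be generated per polling place).
    pins = ["4831", "0927", "7710", "2064", "5598",
            "1342", "9017", "6285", "3476", "8159"]
    a = PinLedger(pins, lookahead=3)
    b = PinLedger(pins, lookahead=3)
    results = {
        "a_first": a.accept("4831"),     # exactly the next PIN on machine A
        "b_skip_one": b.accept("0927"),  # B never saw 4831; one slot crossed off
        "a_skip_one": a.accept("7710"),  # A never saw 0927; one slot crossed off
        "a_reuse": a.accept("4831"),     # behind A's cursor now: rejected
        "forged": a.accept("0000"),      # not on the list at all: rejected
        "too_far": a.accept("3476"),     # more than 3 slots ahead: rejected
        "a_shared": a.accept("2064"),    # the sharing case: both machines still
        "b_shared": b.accept("2064"),    # have 2064 inside their windows
    }
    results["duplicates"] = reconcile({"A": a, "B": b})
    return results
```

Without networking, no single machine can see the duplicate; only the reconcile step over all machines' accepted lists does.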
Received on Mon May 31 23:17:47 2004

This archive was generated by hypermail 2.1.8 : Mon May 31 2004 - 23:18:16 CDT