Re: Why PIN or smartcard is REQUIRED

From: Arthur Keller <arthur_at_kellers_dot_org>
Date: Sun May 16 2004 - 22:55:50 CDT

At 4:09 PM -0400 5/16/04, David Mertz wrote:
>On May 16, 2004, at 3:07 PM, Arthur Keller wrote:
>>I'd like to figure out a way to make Ellen's system work. It is
>>cheaper than smart cards and has other benefits too. One thing
>>that hasn't been mentioned, I think, with Ellen's system is that it
>>is important to get the orientation of the ballot paper right when
>>depositing it into the printer. Perhaps this could be made easier
>>by having one corner of the paper cut
>
>I think the most obvious way to make Ellen's system address this
>concern is to simply make all four orientations permissible. You
>pre-print the party number (or party name even) face-up at
>top-right, and face-down at bottom-left; and do it on both sides of
>the paper. No matter how the voter inserts the paper, the party
>name/number is at top right relative to the printed votes.

Earlier, I had the suggestion of preprinting ballot stock so that the
BVA would know if it was looking at the correct side of the ballot or
the reverse side. I also like numbered ballots with a tearoff strip
that is handed back to the voter.

>My concern here is with forgery of pre-printed ballots. If the
>whole pre-printing consists of a couple numbers in Times Roman, it's
>not hard for someone to go do the same thing at home. And then
>maybe hand out a stack of "Democratic" ballots to their Republican
>friends (or vice-versa) in a closed-primary state.
>
>But special watermarks on the paper, perhaps customized per polling
>place, would address this. Customization could be by moving images
>around a little bit on the page, as we discussed a number of months
>ago. Or maybe by Karl's clever idea from Wells Fargo of putting
>random-seeming dots scattered over the page, but actually in
>specific positions. It would take some effort to copy that (I can
>think of some ways to make it even harder to copy, e.g. diversion
>pixels, but that's for later).

The numbered strip approach helps to reduce this problem. Also, this
didn't seem to be a problem in the old punch card days.

>>There are two problems I see with Ed's approach (poll worker sign
>>in all voters). One is labor intensive.
>
>I don't see this as nearly so much an issue. If there are lines,
>they will be mostly caused by voting times, not by initialization
>times. E.g. if each voter takes 5 minutes to vote, and a poll
>worker takes 20 seconds to walk to a machine and enter a PIN, the
>addition of the PIN step has little effect on total wait times.
>
>>They can also get problematic with David's (PIN) approach for
>>those who pick the wrong voting machine line to wait in. Ellen's
>>(ballot form) and the smart card approaches allow for a shared
>>queue to all the polling machines and usually without extra poll
>>worker labor at that point.
>
>The shared queue thing might be important. I recognize that my
>proposal (in the first pass) requires separate queues for each
>machine. In the places I've voted, that's always been the case
>anyway (actually, there's usually little line at all). But places
>no doubt vary more widely than my experience.
>
>Thinking about it, it wouldn't be terribly difficult to use a common
>PIN list for multiple machines (even with no networking). You'd
>have to either put the list on the EVMix CDs before delivery, or
>transfer it to each machine at the beginning of the day though.
>After that, machines would accept not just the very NEXT PIN, but
>would search forward for N PINs. If a matching PIN was found, say,
>10 slots forward, it could still be accepted, and the intervening 9
>"crossed off" in memory. The assumption would be that 9 votes had
>happened on other machines since the time this machine was last
>used. Each machine, in this scenario, would need a list long enough
>to accommodate all the voters at a given polling place, not only the
>number of voters expected for an individual machine.
>
>Using the above variation prevents reuse of a prior PIN by
>collaborators later in the day, so there is no real disclosure risk.
>An attack that might be possible is to share a PIN for nearly
>simultaneous votes, hence conceivably allowing a very small number
>of malicious collaborators to vote in improper party ballots (they'd
>still have to be actual registered voters affiliated with other
>parties; and the attack only works if the several queues move at the
>right rate).

Actually the risk is to have multiple ballots cast on multiple
machines around the same time by several conspirators.

>Compared to the hundreds of attacks that "black box" smartcards are
>susceptible to, I still like vulnerability better. And Alan's and
>Ellen's ideas seem vulnerable to forgery still (but maybe
>addressable). I don't worry about the labor of Ed's idea, but I do
>worry about disclosure of the master PIN, which potentially
>endangers a whole day of voting. Disclosure of my PINs is
>inherently self-limiting in the fraud potential. That's not true
>of any of the other four ideas, in all of them, attacks can be
>global.

-- 
-------------------------------------------------------------------------------
Arthur M. Keller, Ph.D., 3881 Corina Way, Palo Alto, CA  94303-4507
tel +1(650)424-0202, fax +1(650)424-0424
==================================================================
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
==================================================================
Received on Mon May 31 23:17:47 2004
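
The look-ahead PIN list described in the quoted text above, as an added sketch that is not part of the original message and is not EVMix code. The class and function names, the 6-digit PIN format and the window size of 10 are assumptions. It shows that a used or skipped PIN is rejected on the same machine, and that a second non-networked machine still accepts it, which is the near-simultaneous case both writers discuss.

```python
import secrets

def make_pin_list(n_voters, digits=6):
    """Constructed sample data: n unique random PINs in issue order."""
    pins, seen = [], set()
    while len(pins) < n_voters:
        pin = f"{secrets.randbelow(10 ** digits):0{digits}d}"
        if pin not in seen:
            seen.add(pin)
            pins.append(pin)
    return pins

class Machine:
    """One voting machine holding the shared list, with no networking."""

    def __init__(self, pin_list, window):
        self.pins = list(pin_list)
        self.window = window      # N: how many slots to search forward
        self.next_slot = 0        # everything before this is crossed off

    def accept(self, pin):
        end = min(self.next_slot + self.window, len(self.pins))
        for slot in range(self.next_slot, end):
            if secrets.compare_digest(self.pins[slot], pin):
                # Cross off the match and every skipped slot before it,
                # assuming those PINs were used on other machines.
                self.next_slot = slot + 1
                return True
        return False

def demo():
    pins = make_pin_list(40)
    a, b = Machine(pins, window=10), Machine(pins, window=10)
    return {
        "in_order": a.accept(pins[0]),
        "skip_ahead": a.accept(pins[9]),        # slots 1-8 crossed off
        "replay_skipped": a.accept(pins[3]),    # crossed off on A
        "replay_used": a.accept(pins[9]),       # already spent on A
        "beyond_window": a.accept(pins[25]),    # outside slots 10-19
        # Machine B never saw A's state, so it accepts the same PIN:
        "same_pin_other_machine": b.accept(pins[9]),
        "replay_on_b": b.accept(pins[9]),
    }

if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:24s} {'accepted' if accepted else 'rejected'}")
```
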
