RE: Why PIN or smartcard is REQUIRED

From: Popkin, Laird (WMG Corp) <"Popkin,>
Date: Mon May 17 2004 - 13:15:11 CDT

Comments below.

-----Original Message-----
From: owner-voting-project_at_afterburner_dot_sonic_dot_net
[]On Behalf Of Arthur
Sent: Monday, May 17, 2004 1:35 PM
Cc: ''
Subject: RE: [voting-project] Why PIN or smartcard is REQUIRED

At 10:19 AM -0400 5/17/04, Popkin, Laird (WMG Corp) wrote:
>There are also double-sided printers. It's probably easier to have
>the printer handle both sides than to deal with the issues of people
>putting paper into the printers the right way. :-)

Double-sided printers usually turn the paper over, have complex paper
feeding mechanisms, and have limitations in paper weight.
Inexpensive printers don't print on both sides of the paper at once,
but print on one side at a time. Also, how would the printer know
which side of the paper was the "right" one. Would you merely print
everything on both sides?

I don't know that there's that much advantage to printing on both sides
(poll workers only need to figure out which side to scan once), but if
there's a reason to do it, I think that there will be user issues if they
have to put paper in "the right way" for the system to work.
If the printer prints on both sides, it defines which side is "the right
one" because the only difference between the two sides is what's printed on
them. One side would have the ballot, and the other side would have a
barcode saying "turn the paper over".
>To ask a naive question, why are pre-printed ballots a concern? 
>People who want to vote a particular way can vote that way manually, 
>so pre-printing by itself doesm't do any harm, and anyone being 
>coerced (and watched) can simply enter the polling station with the 
>pre-printed ballot, then print a real ballot and vote it (and 
>discard the pre-printed ballot). Of course, pre-printing could slant 
>elections anyway (give people a ride to the poll and a pre-printed 
>ballot, and that'll probably be a bit more effective than if you 
>gave people a ride and told them how to vote).
There's a difference between "slate cards" (which are often brought 
into polling places and then taken out and discarded *away from the 
polling place*) and "pre-printed ballots" (which may be attempts at 
forgery or ballot stuffing).  There's also "pre-printed ballot stock" 
(which is a paper ballot form given to a voter to insert into the 
printer, or is already in the printer, onto which the EVM prints the 
official ballot).  Which do you mean?
I was referring to previous discussions about how to prevent people from
bringing pre-printed ballots into the polling place. I'm assuming that
people were referring to ballots that could be voted with, not a guide
telling you who to vote for.
So my question is -- why do we want to prevent voters from coming in with
pre-printed ballots to cast? I can imagine some abusive scenarios, but I'm
curious about what the major concern is.
>We've discussed means that could be used to make the pre-printed 
>ballot could be made difficult to generate (it'd need to have the 
>watermark that's never publicly released, would need to be singled 
>with a private key that's carefully controlled, the ballot is 
>printed on special paper, etc.). And, of course, poll workers could 
>keep an eye out for pre-printed ballots...
See previous paragraph.
Best regards,
>- LP
>-----Original Message-----
>Behalf Of Arthur
>Sent: Sunday, May 16, 2004 11:56 PM
>Subject: Re: [voting-project] Why PIN or smartcard is REQUIRED
>At 4:09 PM -0400 5/16/04, David Mertz wrote:
>>On May 16, 2004, at 3:07 PM, Arthur Keller wrote:
>>>I'd like to figure out a way to make Ellen's system work.  It is
>>>cheaper than smart cards and has other benefits too.  One thing
>>>that hasn't been mentioned, I think, with Ellen's system is that it
>>>is important to get the orientation of the ballot paper right when
>>>depositing it into the printer.  Perhaps this could be made easier
>>>by having one corner of the paper cut
>>I think the most obvious way to make Ellen's system address this
>>concern is to simply make all four orientations permissible.  You
>>pre-print the party number (or party name even) face-up at
>>top-right, and face-down at bottom-left; and do it on both sides of
>>the paper.  No matter how the voter inserts the paper, the party
>>name/number is at top right relative to the printed votes.
>Earlier, I had the suggestion of preprinting ballot stock so that the
>BVA would know if it was looking at the correct side of the ballot or
>the reverse side.  I also like numbered ballots with a tearoff strip
>that is handed back to the voter.
>  >My concern here is with forgery of pre-printed ballots.  If the
>>whole pre-printing consists of a couple numbers in Times Roman, it's
>>not hard for someone to go do the same thing at home.  And then
>>maybe hand out a stack of "Democratic" ballots to their Republican
>>friends (or vice-versa) in a closed-primary state.
>  >
>>But special watermarks on the paper, perhaps customized per polling
>>place, would address this.  Customization could be by moving images
>>around a little bit on the page, as we discussed a number of months
>>ago.  Or maybe by Karl's clever idea from WellsFargo of putting
>>random seeming dots scattered over the page, but actually in
>>specific positions.  It would take some effort to copy that (I can
>>think of some ways to make it even harder to copy, e.g. diversion
>>pixels, but that's for later).
>The numbered strip approach helps to reduce this problem.  Also, this
>didn't seem to be a problem in the old punch card days.
>  >>There are two problems I see with Ed's approach (poll worker sign
>>>in all voters).  One is labor intensive.
>>I don't see this as nearly so much an issue.  If there are lines,
>>they will be mostly caused by voting times, not by initialization
>>times.  E.g. if each voter takes 5 minutes to vote, and a poll
>>worker takes 20 seconds to walk to a machine and enter a PIN, the
>>addition of the PIN step has little effect on total wait times.
>>>They can also get problematic with David's  (PIN) approach for
>>>those who pick the wrong voting machine line to wait in.  Ellen's
>>>(ballot form) and the smart card approaches allows for a shared
>>>queue to all the polling machines and usually without extra poll
>>>worker labor at that point.
>>The shared queue thing might be important.  I recognize that my
>>proposal (in the first pass) requires separate queues for each
>>machine.  In the places I've voted, that's always been the case
>>anyway (actually, there's usually little line at all).  But places
>>no doubt vary more widely than my experience.
>>Thinking about it, it wouldn't be terribly difficult to use a common
>>PIN list for multiple machines (even with no networking).  You'd
>>have to either put the list on the EVMix CDs before delivery, or
>>transfer it to each machine at the beginning of the day though.
>>After that, machines would accept not just the very NEXT PIN, but
>>would search forward for N PINs.  If a matching PIN was found, say,
>>10 slots forward, it could still be accepted, and the intervening 9
>>"crossed off" in memory.  The assumption would be that 9 votes had
>>happened on other machines since the time this machine was last
>>used.  Each machine, in this scenario, would need a list long enough
>>to accommodate all the voters at a given polling place, not only the
>>number of voters expected for an individual machine.
>>Using the above variation prevents reuse of a prior PIN by
>>collaborators later in the day, so there is no real disclosure risk.
>>An attack that might be possible is to share a PIN for nearly
>>simultaneous votes, hence conceivably allowing a very small number
>>of malicious collaborators to vote in improper party ballots (they'd
>>still have to be actual registered voters affiliated with other
>>parties; and the attack only works if the several queues move at the
>>right rate).
>Actually the risk is to have multiple ballots cast on multiple
>machines around the same time by several conspirators.
>  >Compared to the hundreds of attacks that "black box" smartcards are
>>susceptible to, I still like vulnerability better.  And Alan's and
>>Ellen's ideas seem vulnerable to forgery still (but maybe
>>addressable).  I don't worry about the labor of Ed's idea, but I do
>>worry about disclosure of the master PIN, which potentially
>>endangers a whole day of voting.  Disclosure of my PINs is
>>inherently self-limiting in the fraud potential.   That's not true
>>of any of the other four ideas, in all of them, attacks can be
>Arthur M. Keller, Ph.D., 3881 Corina Way, Palo Alto, CA  94303-4507
>tel +1(650)424-0202, fax +1(650)424-0424
Arthur M. Keller, Ph.D., 3881 Corina Way, Palo Alto, CA  94303-4507
tel +1(650)424-0202, fax +1(650)424-0424
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
Received on Mon May 31 23:17:50 2004

This archive was generated by hypermail 2.1.8 : Mon May 31 2004 - 23:18:16 CDT