RE: Why PIN or smartcard is REQUIRED

From: Arthur Keller <arthur_at_kellers_dot_org>
Date: Mon May 17 2004 - 13:46:11 CDT

At 11:15 AM -0700 5/17/04, Popkin, Laird (WMG Corp) wrote:
>Comments below.
>-----Original Message-----
>Behalf Of Arthur
>Sent: Monday, May 17, 2004 1:35 PM
>Cc: ''
>Subject: RE: [voting-project] Why PIN or smartcard is REQUIRED
>At 10:19 AM -0400 5/17/04, Popkin, Laird (WMG Corp) wrote:
>>There are also double-sided printers. It's probably easier to have
>>the printer handle both sides than to deal with the issues of people
>>putting paper into the printers the right way. :-)
>Double-sided printers usually turn the paper over, have complex paper
>feeding mechanisms, and have limitations in paper weight.
>Inexpensive printers don't print on both sides of the paper at once,
>but print on one side at a time. Also, how would the printer know
>which side of the paper was the "right" one. Would you merely print
>everything on both sides?
>I don't know that there's that much advantage to printing on both
>sides (poll workers only need to figure out which side to scan
>once), but if there's a reason to do it, I think that there will be
>user issues if they have to put paper in "the right way" for the
>system to work.
>If the printer prints on both sides, it defines which side is "the
>right one" because the only difference between the two sides is
>what's printed on them. One side would have the ballot, and the
>other side would have a barcode saying "turn the paper over".

It's hard to understand what problem you're trying to fix with
double-sided printing. How does double-sided printing deal with the
orientation of "official" preprinted ballots? What if the "please
turn paper over" side is where the "democratic party" ballot was

Double sided printers are more expensive. I'd rather spend the money
on a scanner to check that the ballot was facing the right way, and
to obtain the correct ballot type.

>>To ask a naive question, why are pre-printed ballots a concern?
>>People who want to vote a particular way can vote that way manually,
>>so pre-printing by itself doesn't do any harm, and anyone being
>>coerced (and watched) can simply enter the polling station with the
>>pre-printed ballot, then print a real ballot and vote it (and
>>discard the pre-printed ballot). Of course, pre-printing could slant
>>elections anyway (give people a ride to the poll and a pre-printed
>>ballot, and that'll probably be a bit more effective than if you
>>gave people a ride and told them how to vote).
>There's a difference between "slate cards" (which are often brought
>into polling places and then taken out and discarded *away from the
>polling place*) and "pre-printed ballots" (which may be attempts at
>forgery or ballot stuffing). There's also "pre-printed ballot stock"
>(which is a paper ballot form given to a voter to insert into the
>printer, or is already in the printer, onto which the EVM prints the
>official ballot). Which do you mean?
>I was referring to previous discussions about how to prevent people
>from bringing pre-printed ballots into the polling place. I'm
>assuming that people were referring to ballots that could be voted
>with, not a guide telling you who to vote for.
>So my question is -- why do we want to prevent voters from coming in
>with pre-printed ballots to cast? I can imagine some abusive
>scenarios, but I'm curious about what the major concern is.

Forgery and ballot stuffing. Plus no computerized record, therefore
no redundancy.

Voters bringing in slate cards - ok.
Voters bringing in pre-printed ballots - bad.

Best regards,

>>We've discussed means that could be used to make the pre-printed
>>ballot difficult to generate (it'd need to have the
>>watermark that's never publicly released, would need to be signed
>>with a private key that's carefully controlled, the ballot is
>>printed on special paper, etc.). And, of course, poll workers could
>>keep an eye out for pre-printed ballots...
>See previous paragraph.
>Best regards,
>>- LP
>>-----Original Message-----
>>Behalf Of Arthur
>>Sent: Sunday, May 16, 2004 11:56 PM
>>Subject: Re: [voting-project] Why PIN or smartcard is REQUIRED
>>At 4:09 PM -0400 5/16/04, David Mertz wrote:
>>>On May 16, 2004, at 3:07 PM, Arthur Keller wrote:
>>>>I'd like to figure out a way to make Ellen's system work. It is
>>>>cheaper than smart cards and has other benefits too. One thing
>>>>that hasn't been mentioned, I think, with Ellen's system is that it
>>>>is important to get the orientation of the ballot paper right when
>>>>depositing it into the printer. Perhaps this could be made easier
>>>>by having one corner of the paper cut
>>>I think the most obvious way to make Ellen's system address this
>>>concern is to simply make all four orientations permissible. You
>>>pre-print the party number (or party name even) face-up at
>>>top-right, and face-down at bottom-left; and do it on both sides of
>>>the paper. No matter how the voter inserts the paper, the party
>>>name/number is at top right relative to the printed votes.
>>Earlier, I had the suggestion of preprinting ballot stock so that the
>>BVA would know if it was looking at the correct side of the ballot or
>>the reverse side. I also like numbered ballots with a tearoff strip
>>that is handed back to the voter.
>>>My concern here is with forgery of pre-printed ballots. If the
>>>whole pre-printing consists of a couple numbers in Times Roman, it's
>>>not hard for someone to go do the same thing at home. And then
>>>maybe hand out a stack of "Democratic" ballots to their Republican
>>>friends (or vice-versa) in a closed-primary state.
>>>
>>>But special watermarks on the paper, perhaps customized per polling
>>>place, would address this. Customization could be by moving images
>>>around a little bit on the page, as we discussed a number of months
>>>ago. Or maybe by Karl's clever idea from WellsFargo of putting
>>>random seeming dots scattered over the page, but actually in
>>>specific positions. It would take some effort to copy that (I can
>>>think of some ways to make it even harder to copy, e.g. diversion
>>>pixels, but that's for later).
>>The numbered strip approach helps to reduce this problem. Also, this
>>didn't seem to be a problem in the old punch card days.
>>>>There are two problems I see with Ed's approach (poll worker sign
>>>>in all voters). One is labor intensive.
>>>I don't see this as nearly so much an issue. If there are lines,
>>>they will be mostly caused by voting times, not by initialization
>>>times. E.g. if each voter takes 5 minutes to vote, and a poll
>>>worker takes 20 seconds to walk to a machine and enter a PIN, the
>>>addition of the PIN step has little effect on total wait times.
>>>>They can also get problematic with David's (PIN) approach for
>>>>those who pick the wrong voting machine line to wait in. Ellen's
>>>>(ballot form) and the smart card approaches allows for a shared
>>>>queue to all the polling machines and usually without extra poll
>>>>worker labor at that point.
>>>The shared queue thing might be important. I recognize that my
>>>proposal (in the first pass) requires separate queues for each
>>>machine. In the places I've voted, that's always been the case
>>>anyway (actually, there's usually little line at all). But places
>>>no doubt vary more widely than my experience.
>>>Thinking about it, it wouldn't be terribly difficult to use a common
>>>PIN list for multiple machines (even with no networking). You'd
>>>have to either put the list on the EVMix CDs before delivery, or
>>>transfer it to each machine at the beginning of the day though.
>>>After that, machines would accept not just the very NEXT PIN, but
>>>would search forward for N PINs. If a matching PIN was found, say,
>>>10 slots forward, it could still be accepted, and the intervening 9
>>>"crossed off" in memory. The assumption would be that 9 votes had
>>>happened on other machines since the time this machine was last
>>>used. Each machine, in this scenario, would need a list long enough
>>>to accommodate all the voters at a given polling place, not only the
>>>number of voters expected for an individual machine.
>>>Using the above variation prevents reuse of a prior PIN by
>>>collaborators later in the day, so there is no real disclosure risk.
>>>An attack that might be possible is to share a PIN for nearly
>>>simultaneous votes, hence conceivably allowing a very small number
>>>of malicious collaborators to vote in improper party ballots (they'd
>>>still have to be actual registered voters affiliated with other
>>>parties; and the attack only works if the several queues move at the
>>>right rate).
>>Actually the risk is to have multiple ballots cast on multiple
>>machines around the same time by several conspirators.
>>>Compared to the hundreds of attacks that "black box" smartcards are
>>>susceptible to, I still like vulnerability better. And Alan's and
>>>Ellen's ideas seem vulnerable to forgery still (but maybe
>>>addressable). I don't worry about the labor of Ed's idea, but I do
>>>worry about disclosure of the master PIN, which potentially
>>>endangers a whole day of voting. Disclosure of my PINs is
>>>inherently self-limiting in the fraud potential. That's not true
>>>of any of the other four ideas, in all of them, attacks can be
>>Arthur M. Keller, Ph.D., 3881 Corina Way, Palo Alto, CA 94303-4507
>>tel +1(650)424-0202, fax +1(650)424-0424
>Arthur M. Keller, Ph.D., 3881 Corina Way, Palo Alto, CA 94303-4507
>tel +1(650)424-0202, fax +1(650)424-0424

Arthur M. Keller, Ph.D., 3881 Corina Way, Palo Alto, CA  94303-4507
tel +1(650)424-0202, fax +1(650)424-0424
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
Received on Mon May 31 23:17:51 2004
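
The look-ahead PIN list quoted in this thread (accept a PIN found within the next N slots and cross off the intervening ones), as an added example that is not part of the original messages. The class and function names, the constructed sample PINs, and the close-of-polls log comparison are assumptions made for illustration; the thread itself does not describe a reconciliation step.

```python
from collections import Counter

class PinMachine:
    """One stand-alone voting machine holding the shared, ordered PIN list."""

    def __init__(self, name, pins, window):
        self.name = name
        self.pins = list(pins)    # identical list loaded on every machine
        self.window = window      # N: how many slots forward to search
        self.next_slot = 0        # every slot before this is crossed off
        self.accepted = []        # slots this machine accepted (audit log)

    def accept(self, pin):
        """Accept a PIN found in the next N open slots; cross off up to it."""
        end = min(self.next_slot + self.window, len(self.pins))
        for slot in range(self.next_slot, end):
            if self.pins[slot] == pin:
                self.next_slot = slot + 1   # intervening slots crossed off
                self.accepted.append(slot)
                return True
        return False

def reused_slots(machines):
    """Close-of-polls check: slots accepted on more than one machine."""
    counts = Counter(s for m in machines for s in m.accepted)
    return sorted(s for s, n in counts.items() if n > 1)

def demo():
    # Constructed sample PINs (distinct 4-digit strings), not a real scheme.
    pins = [f"{(i * 7919 + 1234) % 10000:04d}" for i in range(20)]
    a = PinMachine("A", pins, window=10)
    b = PinMachine("B", pins, window=10)
    return {
        "next_pin": a.accept(pins[0]),
        "skip_ahead": a.accept(pins[5]),
        "replay_same_machine": a.accept(pins[3]),
        "beyond_window": a.accept(pins[16]),
        "shared_other_machine": b.accept(pins[5]),
        "reused": reused_slots([a, b]),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Because the machines share no state, the same slot is accepted once on each of them, which is the multiple-machine case raised in the thread; it only becomes visible when the per-machine logs are compared afterwards.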
