Re: Re: Request for technical opinion on EBIs

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Mon May 24 2004 - 19:41:08 CDT

On May 24, 2004, at 4:39 PM, Arthur Keller wrote:
> One problem in using EBI's is that knowing the time of the vote can be
> used to reconstruct the votes cast by individual voters.

I also think that Arthur did a good job in summing up design issues
around EBIs and paper ballots.

The timestamp/anonymity issue is one that I particularly want to state
my agreement on. A lot of quite intelligent people coming to the
design of voting systems really underplay the anonymity issues. In
most of the computer systems we programmers create, security is served
by all kinds of logs, information tagging, unique record-ids, and the
like. For most databases and transactional systems, the more
information we can keep in hand, the more likely we are to be able to
debug and correct wrong behavior.

But voting has a fundamental concern that mostly pulls in a very
different direction than the conveniences provided by logs, sequences,
and transactional histories. Voter anonymity must be protected
absolutely and rigorously. Since an attacker can covertly record the
order of votes (even if with some statistical fuzziness), nothing in
vote records may include sequence or timestamp information, nor allow
any way to reconstruct that. Almost the opposite principle as sensible
log files for most computer systems.

Anyway, Arthur already noted this. But it's something of a particular
bête noire for me, in my contribution to the design process. There are
many integrity and security features that might seem natural to add to
EBIs and/or to printed ballots that are really not permissible. OVC
have gone through numerous rounds of new engineers joining, with lots
of good ideas, but without a proper appreciation of the anonymity
constraints.
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Mon May 31 23:18:03 2004
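
Added example, not part of the original message and not OVC code: a check that flags fields in stored vote records whose names or values would let someone recover cast order, next to a deposit routine that keeps neither a timestamp nor a position. The record layout, field names and the name heuristic are assumptions made for illustration.

```python
import re
import secrets

# Assumed naming heuristic; a real schema review would list fields explicitly.
SUSPECT_NAME = re.compile(r"time|date|seq|serial|counter|rowid", re.I)

def order_leaks(records):
    """Return the sorted names of fields that could reveal cast order.

    A field is flagged when its name matches SUSPECT_NAME, or when its values
    strictly increase in storage order (timestamps, auto-increment ids).
    """
    flagged = set()
    for name in set().union(*records):
        values = [r.get(name) for r in records]
        if SUSPECT_NAME.search(name):
            flagged.add(name)
        elif len(values) >= 3 and None not in values:
            try:
                if all(a < b for a, b in zip(values, values[1:])):
                    flagged.add(name)
            except TypeError:
                pass  # mixed types do not form a simple sequence
    return sorted(flagged)

def deposit(box, record, allowed=("contest", "choice")):
    """Keep only whitelisted fields and insert at a uniformly random position,
    so neither the record nor its place in the list reflects when it was cast."""
    clean = {k: record[k] for k in allowed if k in record}
    box.insert(secrets.randbelow(len(box) + 1), clean)

def anonymized(records):
    """Run every record through deposit() and return the resulting box."""
    box = []
    for r in records:
        deposit(box, r)
    return box

# Constructed sample: what a conventional transaction log would keep.
LOGGED = [
    {"id": 101, "cast_at": "2004-05-24T09:01:12", "contest": "mayor", "choice": "B"},
    {"id": 102, "cast_at": "2004-05-24T09:03:40", "contest": "mayor", "choice": "A"},
    {"id": 103, "cast_at": "2004-05-24T09:07:05", "contest": "mayor", "choice": "B"},
    {"id": 104, "cast_at": "2004-05-24T09:09:51", "contest": "mayor", "choice": "A"},
]

if __name__ == "__main__":
    print("logged form leaks via:", order_leaks(LOGGED))
    print("after deposit leaks via:", order_leaks(anonymized(LOGGED)))
```

The check covers only record contents and list order; the monotonic-value test is a heuristic and can flag an innocent field on a small sample.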
