"Using Tech To Fix Elections"

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Thu May 27 2004 - 13:08:43 CDT

On May 27, 2004, at 1:37 PM, Alan Dechert wrote:
>> <http://www.linuxinsider.com/story/34032.html>
> He's got some good commentary until he arrives at his proposed solution,
> which suffers from the "pretend politics doesn't matter and everyone just
> does as I say" syndrome.

Paul Murphy also gets some technical details wrong. In the same ways
some very smart people have, so there's no shame in that. I don't
really get the fixation on Sun, maybe he owns stock in them. But if
Sunrays with 17" touchscreens really are $650, that's a nice price
compared to those people have mentioned recently.

He's also a little too sanguine about local for my tastes, but that's
not wrong per se. Well, maybe more than just a little too much. And
why he always refers to the interface as a "web page" is mysterious,
since it isn't on "the Web." Probably HTML is the wrong display
technology, as list readers know, but even if it weren't, the casual
mention of "web page" conflates issues.

Where Murphy really goes wrong is in not understanding the anonymity
constraints:

> Election officials at the polling place login each smart display using
> an assigned ID that identifies the device. Both the Sunray and local
> Web services are handled by a nearby server, but ballot submissions
> are automatically routed to state servers, where they are added to
> transaction tables defined by unique ballots. As will be noted in next
> week's column on the software for this, serialization will replace the
> timestamp for audit purposes to break the link between the time the
> voter leaves the booth and the voting record compiled at the state
> level.

I've discussed the "covert-videotaping-voters" attack many times.
Sequence information still compromises anonymity. I think Murphy
intends to address that by having an elaborately networked (i.e.
crackable/interceptible) scheme to dump everything in central
databases, thereby making the sequence attack more difficult. It just
screams "fragile" at so very many levels. But even apart from that,
the sequence masking doesn't really work if ballots can be reassociated
to particular precincts, which is very often the case because of
per-precinct ballot customization (different places have different
collections of contests).

It's kinda the "fresh faced engineer" approach, even if his picture
suggests he's a bit older than "fresh faced" suggests :-). As Alan is
often good at pointing out, the problem isn't one for engineers (at
least not in isolation).

Apart from the anonymity attack, Murphy runs afoul of the law. In a
way I did not know until Doug Jones recently pointed it out on the
list. Vote timestamps are REQUIRED, but as the time of casting a vote
only, not the vote content. Murphy's idea isn't entirely inconsistent
with this, he just needs to quickly start adding more layers to address
the law, once he finds out about it. There would be lots more layers
he'd discover if he started following the OVC list, until eventually he
arrived at a Sun-powered Rube Goldberg voting station.

I do want to compliment Alan, yet again, for managing to strip away
complexities, and get at the core issues. I have a set of minor
divergences from Alan on OVC design--as Karl or Arthur has slightly
different ones--but at heart it's a remarkably elegant concept.
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Mon May 31 23:18:09 2004
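
The point about sequence information and per-precinct ballot styles can be checked with a small design-review script. This is an added example, not part of the original message or of any OVC code; the ballot styles, vote values and function names are constructed, and it assumes each precinct has its own ballot style. `store_unordered` is one possible mitigation sketched here as an assumption, not something proposed in the message.

```python
import random
import secrets
from collections import Counter, defaultdict

# Constructed ground truth: the order in which votes were cast at each precinct.
# Assumption: every precinct has its own ballot style (per-precinct customization).
CAST_ORDER = {
    "style-A": ["yes", "no", "no", "yes"],
    "style-B": ["no", "no", "yes"],
    "style-C": ["yes", "yes", "no", "no", "yes"],
}

def central_table(cast_order, seed):
    """Interleave all precincts into one state-level table with global serials."""
    rng = random.Random(seed)
    queues = {style: list(votes) for style, votes in cast_order.items()}
    rows, serial = [], 0
    while any(queues.values()):
        style = rng.choice([s for s, q in queues.items() if q])
        serial += 1
        rows.append((serial, style, queues[style].pop(0)))
    return rows

def project_by_style(rows):
    """Filter the central table by ballot style, keeping serial order."""
    out = defaultdict(list)
    for _serial, style, content in sorted(rows):
        out[style].append(content)
    return dict(out)

def leak_check(seed):
    """True when the per-style projection reproduces each precinct's cast order."""
    return project_by_style(central_table(CAST_ORDER, seed)) == CAST_ORDER

def store_unordered(rows):
    """Mitigation sketch: drop the serial and order rows by a random token."""
    tokened = [(secrets.token_hex(8), style, content) for _s, style, content in rows]
    return [(style, content) for _tok, style, content in sorted(tokened)]

def tallies(pairs):
    """Count (style, content) pairs so totals can be compared across stores."""
    return Counter(pairs)
```

`leak_check` returns True for every interleaving, because a global serial still preserves relative order inside each ballot style; `store_unordered` keeps the tallies while discarding that order.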
