Re: On privacy v Accuracy

From: Edward Cherlin <cherlin_at_pacbell_dot_net>
Date: Tue May 24 2005 - 09:12:56 CDT

On Monday 23 May 2005 12:09, Teresa Hommel wrote:
> Wrong.

I believe you mean to say something more like, "That turns out
not to be the case."--TTONTBTC (Yes, don't tell me, you who know
who you are, I'll do it too.) However, your claim turns out not
to be the case.

> The difference between electronic banking and
> electronic voting is that banking systems are audited and
> voting systems are not.

Please, let us not try to deal in absolutes, especially
concerning analogies. This is *one* of the differences. Another
is that tying the customer ID to the account is fundamental to
banking, while tying voter ID to votes cast is anathema to the
republican form of government.

I can cite other essential differences at length if need be, such
as the difference between banking and voting law, and who gets
to manage banks and precincts. Or armed intimidation of
voters--I haven't heard of anybody chasing customers away from a
bank by shooting at them lately. And on the other side, armed
robberies tend to occur in banks and other sources of cash, and
are quite rare in elections, except apparently in Albania and
one or two other countries that aren't at all sure whether they
are democratic republics to begin with.

> The concept of the VVPB allows each
> voter to view their ballot. If the VVPB once cast were
> handled, stored, and counted before multipartisan observers,
> that would constitute an appropriate auditing mechanism and
> you would have a secure system.

Doing all of this in front of a live audience isn't good enough,
as others on this list have noted. They are not actually
*observers* unless they are close enough to verify each step
taken. Other security measures remain necessary, even if
observers are permitted to observe.

> The electronic vote tallies
> could help by providing a second level of audit to point up
> instances where, due to discrepancies, either the electronic
> or paper ballots were not correctly handled or counted.

TTONTBTC. The electronic tallies and digital check data are the
first level of audit. Observation by the public, important
though it is, runs a distant third, well after analysis by

> Teresa Hommel
> David Webber (XML) wrote:
> >Edward,
> >
> >Good points. To me this is the crux of what we are working
> > on.
> >
> >I.e. the difference

*A* difference.

> >between electronic banking and its
> > accuracy and electronic voting and accurate counts is the
> > fact that we absolutely require secret ballots, unlike
> > banking systems where the transactions are exposed.
> >So - to remediate this we need to have a system that provides
> >accounting levels of reconcilation by induction,

This is a usage of "induction" that I am not familiar with.

> >while at
> >the same time retaining absolute separation between counting
> >sources so they represent independently gathered totals.
> >These three sources are - electoral roll counts, paper
> > ballots, and electronic entry records. Crosschecking
> > between the three then provides the ability to diagnose and
> > track the process itself.

Crosschecking well-designed constraint mechanisms embedded in all
three, including digital check data.

> >Another fundamental accounting principle is the one
> >involving crosschecking between two or more actors
> >in the process.

Buyer and seller, lessor and lessee, lender and debtor...voter,
election staff, and politicians (would they were three separate

> >Again - by linking citizens and election
> > staff physically into the process

into a second data channel

> > - we ensure that
> > opportunities for solely machine directed fraud are
> > minimized. This is why it is so important for voters to
> > directly verify voting on multiple levels - not delegate it
> > to machines.

Especially to verify their own votes on their own ballots, since
nobody else can be permitted the opportunity to do so.

> >This is one key factor I see in enforcing cast paper ballots.
> >A machine cannot "walk" ballots into a ballot box - it has
> >to have a human intermediary.

Actually, this turns out not to be the case. We have seen
"ballots under glass" systems, and systems that record all votes
on paper but do not permit voters to see the printed record.

> >Conversely - if humans manipulate the paper ballots in the
> >ballot box, you have to have the machine "know" about
> >those manipulations too.
> >
> >And providing a 100% built-in audit system that requires
> >every vote to be counted and those totals crosschecked
> >between the three counting sources as a matter of course,
> >not as an occasional exception.
> >
> >All this is woven into the fabric of the TLV approach.

We agree on the principles. What remains is primarily engineering
detail under the constraints of law, where we can discuss
possible changes to the law. But they say the Devil is in the

> >Nothing is ever 100% - but certainly my hope is that it
> >represents a vastly better improvement compared to
> >today's systems that lack these fundamental pillars
> >of trust.

All of us here agree that we are well beyond that level, even if
it sometimes seems that we agree on nothing else. :-)

> >Cheers, DW
> >
> >>>What we need is more facts. Perhaps someday we can secure
> >>>ballots, using open software and a robust audit capability,
> >>> to the point where the results are not routinely called
> >>> into question, without having to provide for routine
> >>> outside analysis.

Edward Cherlin
Generalist & activist--Linux, languages, literacy and more
"A knot! Oh, do let me help to undo it!"
--Alice in Wonderland
OVC discuss mailing lists
Send requests to subscribe or unsubscribe to
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
Received on Tue May 31 23:17:47 2005

This archive was generated by hypermail 2.1.8 : Tue May 31 2005 - 23:17:53 CDT