Re: securing electronic ballots

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Tue Nov 25 2003 - 12:16:05 CST

|I found [the Chaum paper] here in case anyone wants to read it.
|http://www.vreceipt.com/

Thanks Clay, for looking up this paper. It is consistent with what
Mercuri described more briefly, but I found reading the white paper to
contain additional interesting details. Btw. for other readers: the
press release at that URL is fine for a summary, but look at the linked
white paper for real information.

Reading the paper, I see that Chaum's system really is flawed in
practice. The reason it is flawed is precisely because Chaum is TOO
smart--he's great at math, but misses the real world of elections.

One weakness of the system is the one I've raised a couple times.
Voters cannot understand how the system works (in any meaningful
detail). For example, imagine I were a voter who did not have any
graduate-level mathematics training (a large majority of voters, I
think... probably a majority of this list, in fact). Now imagine that I
was not entirely trustful of "the experts", and worry that someone can
puncture the anonymity of my vote by properly analyzing my receipt.
Sure it doesn't contain a visually readable vote, but I know in a
general way that there are barcode scanners, and clever things that
mathematicians and CS people do.

In answer to my concern, all I really get back is the Diebold-style
answer: "Trust us, we're very smart, and we wouldn't let any errors
exist in our voting system." I don't think this answer inspires general
voter confidence. I personally happened to have already known about
Chaum before hearing about this system, and basically trust his motives
and intelligence... but how many voters can say that; how many LIST
MEMBERS can say that, even?

The second weakness is the real world of voting places--typically a
hastily arranged room in a church or a community center, staffed by
well-meaning, but amateur volunteers. Imagine that prior to the
election some guys with brass knuckles stop by my house, and let me know
that they would appreciate a vote for their candidate (or equally, for
example, a coercive or manipulative spouse or relative). As a gesture
of good faith, they suggest, I should keep both layers of the voting
receipt so that it remains clear how I voted.

According to Chaum's system, the poll workers are SUPPOSED TO shred one
layer on my way out. Anyone who has been to a polling place knows that
it would not be of great practical difficulty to "forget" to place a
layer in the shredder prior to leaving the building. Even should I make
such an omission, the electronic vote was already recorded when the
receipts were printed.

+++

Btw. With the EVM2003 system, a related forgetfullness is possible.
Voters might forget to place the printed ballot in the ballot box.
Their electronic ballot is still recorded on the machine, but only a
subset of electronic ballots will be matched by corresponding printed
ballots in the ballot boxes. Hopefully, this will generally be a large
subset (98%+ say), but a certain discrepency rate must be expected.

Placing cryptographic codes on the printed ballots allows us to assure
that every such ballot is -legitimate-, hence preventing pre-printing of
false ballots, and ballot-stuffing. But nothing -on- the sheet of paper
can specifically document the fate of those pieces of paper we DO NOT
have.

The question remains open on how we handle the gap between electronic
and printed ballots. I do not think WE (EVM2003) can merely decide an
approach; what might be done in a particular situation is subject to
jurisdictional law and court challenges to outcomes. Perhaps, however,
the OVC can provide *recommendations* for how to handle these
anticipated gaps.

To my mind, what makes this question complicated is the same coercion
issue mentioned above. If we really did think that any voter who failed
to place a printed ballot in the box was simply forgetful, it would
usually make sense to simply rely on the electronic records. However,
if the well known procedure is to rely on electronic records in every
case of a gap, then those abovementioned gentlemen with the brass
knuckles might suggest that my gesture of good faith consists of
bringing home the printed ballot rather than placing it in the ballot
box. They can make this suggestion with the knowledge that the missing
printed ballot from the ballot box will not change the candidate
tallies.

Yours, David...

--
---[ to our friends at TLAs (spread the word) ]--------------------------
Iran nuclear neocon POTUS patriot Pakistan weaponized uranium invasion UN
smallpox Gitmo Castro Tikrit armed revolution Carnivore al-Qaeda sarin
---[ Gnosis Software ("We know stuff") <mertz@gnosis.cx> ]---------------
==================================================================
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
==================================================================
Received on Sun Nov 30 23:17:08 2003

This archive was generated by hypermail 2.1.8 : Sun Nov 30 2003 - 23:17:13 CST