Re: securing electronic ballots

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Wed Nov 26 2003 - 08:55:23 CST

|> Lori Flynn <lori@soe.ucsc.edu> wrote:
|> |I am curious why voters need to physically touch the ballot at all.
|> |...a paper ballot is printed which is visible behind glass to the voter.

First thing, I want to dismiss Rick Gideon's rejoinder about paper jams.
Mercuri makes a point of the irony that Diebold, maker of ATM machines
that spit out billions of receipts every day, suddenly becoming
overwhelmed by paper jams when it comes to voting machines. In fact,
nowadays, it is only the very cheapest commodity printers that jam--if
you spend just a little more, you can get machines that effectively
-never- jam (whether behind glass or not). The ones in ATMs, for
example, use paper rolls and cutters, rather than feed pre-cut sheets.

|> However, one thing that EVM2003's approach handles quite well is blind
|> accessibility. A blind voter can carry the printed ballot (with only
|> the obfuscated barcode showing out of the envelope) over to a
|> non-connected reading-station.

I agree with the desirability of this, of course. However, it is not
overwhelming to me. If the original voting machine (with
paper-behind-glass) is verifiable by all sighted voters, as a matter of
statistics, any error in what gets printed is going to be caught by the
98% of voters who are sighted.

It's not a *good* thing if blind voters have to put a greater faith in
the accuracy of the machine than do other voters; but the limitation
affects only the individual blind voters, not the overall
reliability/integrity of the system (and it still lets blind voters
VOTE, just not perform as much verification).

|The printer under glass thing is highly problematic. It's hardly worth
|discussing. One problem is the paper handling. You have to be able to
|cancel your ballot if you don't like what you see. These ballots have to be
|marked in some way or destroyed without the voter touching the ballot.

I agree there are technical issues with marking an untouched ballot as
invalid. But the matter is certainly "worth discussing"--after all,
Mercuri and Neuman are no fools, and neither are the Brazillians.

|I've never been convinced of any problem with missing ballots. If you want
|to vote, you turn your ballot in. If you don't want to vote, you don't turn
|a ballot in. A scheme to prevent these "missing ballots" is a solution to a
|non-problem.

I can 100% guarantee, in advance, that when OVC machines are used in
real elections, there WILL BE a gap between the votes recorded
electronically and those actually found in ballot boxes. If it's a 10%
gap, that's a big problem. If it's a 1% gap, it probably only matters
in rare elections. If it's a 0.1% gap, we can almost dismiss it. But
it is a CERTAINTY that there will be SOME gap.

Again contrary to Rick Gideon, it is really, really not hard to leave a
polling place with a piece of paper that's supposed to be turned in.
The "won't be allowed to" is just silly. Three busy 70 y.o.s working in
a converted room that has two improper exits marked with handwritten
notes saying "please exit at front" don't a "crack security force" make
(nor should they). If somebody *wants* to leave with a ballot, they're
going to be able to (at least very much of the time)... for that matter,
I don't think these busy 70 y.o.s have a legal right to -compel- a
reluctant voter to turn over a ballot, even if they had the physical
ability to do so (only, perhaps, to record the fact the voter declined
to turn over the ballot).

So given that there WILL be a gap, we have to determine what a voter in
the gap INTENDED. What we have to work with is an XML file on a
harddisk (with proper crypto codes and so on), but no corresponding
piece of paper. Given that brute fact, what was the voter intention?!

It appears that Alan's answer would be: "An electronic record without a
corrersponding paper ballot DOES NOT express an intention to vote." The
answer is simple, and categorical. But I'm not sure it's right (either
legally or "psychologically").

I can think of several scenarios that WILL cause a gap (these are not
exhaustive, just ones that occur to me):

 (1) A voter genuinely forgets or misunderstands the need to place
     the paper ballot in a box. Maybe, for example, they think the
     paper is their "receipt" of a vote--it wouldn't be the dumbest
     thing anyone ever imagined.

 (2) A voter deliberately destroys the paper ballot rather than place it
     in the box, with a last minute thought that they just simply do not
     want to vote for any of the listed candidates (and a belief [true?
     false?] that there is no vote without the paper ballot).

 (3) A voter deliberately leaves the polling place with the paper
     ballot, even while understanding that the "proper" procedure is to
     submit it to the ballot box. Several motives can be imagined here:

    (a) A reporter or collector who wants a printed ballot for
        "demonstration" purposes.

    (b) Someone who -wants- to create a gap--for example, to discredit
        the election process.

    (c) Someone acting under coercion to produce the ballot record, of
        the sort I described in my other note.

 (4) Mice sneak into a ballot box, and eat the ballots (or pipes drip,
     chemicals leak in, they catch fire, etc).

Some of these scenarios seem to contain a voter intent, others do not.
Some are fuzzy even when if we know the details: e.g. do (3a) and (3c)
express voter intent or not? (I honestly do not know).

Yours, David...

--
Keeping medicines from the bloodstreams of the sick; food from the bellies
of the hungry; books from the hands of the uneducated; technology from the
underdeveloped; and putting advocates of freedom in prisons.  Intellectual
property is to the 21st century what the slave trade was to the 16th.
==================================================================
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
==================================================================
Received on Sun Nov 30 23:17:09 2003

This archive was generated by hypermail 2.1.8 : Sun Nov 30 2003 - 23:17:13 CST