From: Keith Copenhagen <k_at_copetech_dot_com>
Date: Fri Nov 12 2004 - 13:18:40 CST

Balancing privacy at moment of casting vs. the risk of loss.

As uncounted ballots collect in the ballot box, the anonymity increases
and the magnitude of possible vote loss also increases. This is true for
both physical and virtual ballots. I understand that the physical
insecurity of the ballot box is a key issue pushing eVoting.

The argument I’ve heard against counting votes as they are cast is that if
you can take a video at the polling station and reverse out the order of
voters, and you have an ordered log of votes cast, you can match the
voter with the votes. This concern does not expand beyond a single
precinct, where a few hundred voters are gathered and reported in the

We can obscure the match between voter order and ballots by:
1. Mixing the order of the ballots (shaking the ballot box prior to
counting, or adding them to the record out of order), or only auditing the
aggregate (possibly risky).
2. Shifting the start point. For example, if the BRP tally always
includes a series of test ballots, add a “random” subset of the test
ballots at the beginning and the balance at the end of voting, then
subtract the known test votes from the aggregate total.
This would require hiding the original subset seed and may fail the
sunshine requirement.

It appeals to me that we can balance privacy and loss exposure in Poll
Station BRP by posting votes to the record in periodic bursts.

Poll station BRP Use Case:
        Voter1 approaches the “ballot box” and verifies to the registrar
that it is ok for them to cast (possibly adding a provisional tag if it is
a provisional ballot).
        The ballot is scanned when cast, and the votes are collected in a
local temporary buffer; the ballot becomes the “Voter Verified Paper
Audit Trail” and ends up in the ballot box.
        When there are N (say 5) sets of votes in the virtual buffer, those
votes are posted to the Vote Count of record and redundantly audit
logged (to physically separate locations, via a local isolated network).
        At the close of polls, the digitally signed audit logs and the
vote counts are closed out and uploaded electronically (secure net or sneaker
net), and the ballot box is archived.
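The burst-posting step above, as an added example that is not from the original post: a buffer that posts every N votes, shuffles each burst before it reaches the record, and chains each burst into a keyed audit log. HMAC-SHA256 stands in for the digital signature, and the class and function names and the sample ballots are constructed for this illustration.

```python
import hashlib, hmac, json, random
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class BurstPoster:
    """Buffers scanned votes and posts them to the count of record in bursts of n:
    at most n-1 votes sit unposted, and cast order inside a burst is mixed first."""
    key: bytes                  # audit-log key; HMAC stands in for a digital signature (assumption)
    n: int = 5                  # the post's "N (say 5)"
    buffer: list = field(default_factory=list)     # local temporary buffer
    record: list = field(default_factory=list)     # vote count of record
    audit_log: list = field(default_factory=list)  # would be mirrored to separate hosts

    def cast(self, choice):
        """Scan one ballot into the buffer; post once the buffer holds n votes."""
        self.buffer.append(choice)
        if len(self.buffer) >= self.n:
            self.post_burst()

    def post_burst(self):
        """Shuffle the buffer (option 1 above) onto the record and chain an audit entry."""
        if not self.buffer:
            return
        burst = self.buffer[:]
        random.shuffle(burst)   # order within a burst no longer matches voter order
        self.buffer.clear()
        self.record.extend(burst)
        prev = self.audit_log[-1]["mac"] if self.audit_log else "0" * 64
        entry = {"seq": len(self.audit_log), "prev": prev, "votes": burst}
        entry["mac"] = _mac(self.key, entry)
        self.audit_log.append(entry)

    def close_polls(self):
        """Flush the last, possibly short, burst (the weak spot the test-ballot
        padding in option 2 addresses) and return the tally as a dict."""
        self.post_burst()
        return dict(Counter(self.record))

def _mac(key, entry):
    body = {k: v for k, v in entry.items() if k != "mac"}
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def verify_log(key, log):
    """Recompute each MAC and the prev-chain; a dropped, altered or reordered burst fails."""
    prev = "0" * 64
    for i, e in enumerate(log):
        if e["seq"] != i or e["prev"] != prev or not hmac.compare_digest(e["mac"], _mac(key, e)):
            return False
        prev = e["mac"]
    return True
```

With n=5, a machine failure mid-burst loses at most four unposted votes, and an observer with the record sees only which five ballots were cast together, not their order.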

One of the niceties of this system is that the paper handling equipment runs
at a much slower rate, having many seconds to scan the ballot, allowing
a single transport design to support all the paper handling in the poll
station. (A recount would still require high speed transports.)
