From: Ron Crane <voting_at_lastland_dot_net>

Date: Wed Nov 22 2006 - 13:53:44 CST

Date: Wed Nov 22 2006 - 13:53:44 CST

Charlie Strauss wrote:

*> Well guess it's all relative. I don't see it as that complicated.
*

*> Maybe I'm missing something.
*

*>
*

*> As I see it the axiomatic starting point is that there is some size
*

*> vote shift in a precinct that would be plainly wrong. It's an axiom
*

*> so it's not defensible from the context of the consequent
*

*> statistics. So pick a number maybe 15%, maybe 30%. That's the
*

*> ceiling on the vote shift that would pass by unquestioned on a given
*

*> machine. Once we have that it's all down hill. For a given election
*

*> margin you can compute how many machines would have to have a vote
*

*> shift. The worst cast for detection by sampling is if the fewest
*

*> number of machines are altering votes, so that means they would all
*

*> be at the maximum vote shift. So now we can simply computer how many
*

*> machines in the total population you would have to sample to have a
*

*> XXX % chance (say 90%) of your sample containing at least one of
*

*> those machines.
*

*>
*

*>
*

I have done this using a binomial approach. Page 140 of the Brennan

Center's report contains a formula for determining the number N machines

you need to recount to have probability D of detecting at least one

compromised machine, where fraction C of the machines are compromised:

N = log(1-D) / log(1-C)

Solving this formula for C and using D=0.9 and N=33 (from your previous

email), I found that the legislation appears to envision that an

attacker will compromise no fewer than 6.7% of machines. That seems too

large.

This approach also assumes that the attacker will not exceed the

axiomatic maximum per-machine shift because doing so would trigger

recounts through some mechanism independent of the random sampling

recounts. But does that mechanism exist? Probably the targeted recounts

would cover many such cases, especially if the commission has sufficient

authority to expand the recounts via additional random sampling. But

probably the legislation should mandate a recount on any machine that

appears to have produced a grossly-outsized vote shift. The question

then becomes what baseline to use to determine whether a machine

exhibits such a shift. Do you use exit polls (if they exist), an average

of opinion polls, or some other stat?

Finally, I am not sure that the detection of a single bad machine will

produce the right kind of response. Many officials have tended to write

off malfunctions as "glitches" or "human error," particularly where they

seem to affect only one or a few machines. The legislation needs to

mandate an effective response even when only one machine appears to be

affected. And perhaps it should sample enough machines to give P=0.9 of

finding at least two such machines (if they exist) instead of at least one.

Would you be so kind as to post the proposed legislation, or to email it

to me?

*> ...
*

*> The glaring problem is the axiomatic assumption of the worst case scenario that
*

*> would be considered undetectable: maybe 30% is better than 15%. If
*

*> it were 30% and we assumed 15% then the number of machines we need to
*

*> audit is much larger. Maybe one has a prior distribution for this
*

*> detection probability? okay let's use that. But then that's still
*

*> not enough since you then need a some sort of cost function to use
*

*> for your decision. And we've never stated one in the model.
*

*>
*

Yes. In particular you need a larger sample if there's no other way to

detect most of the worst-case machines.

*> As a relevant aside I note that one of hidden beauties of tossing in
*

*> a limited Targeted (TAR) selection is to helps us determine if 15% or
*

*> 30% is the worst case bounds by cherry picking the machines that
*

*> other prior information outside the model tells us are the likely
*

*> worst cases. ...
*

*>
*

Not really. To paraphrase Rumsfeld, you have a difficult time knowing

what you don't know. The TAR increases the chances of finding the worst

machines, and of finding out just how bad they are, but it doesn't tell

you how bad they might become. Also, attackers aren't sitting still.

They're looking at your audits and are devising new ways to sidestep them.

Thanks for the explanation.

-R

_______________________________________________

OVC-discuss mailing list

OVC-discuss@listman.sonic.net

http://lists.sonic.net/mailman/listinfo/ovc-discuss

==================================================================

= The content of this message, with the exception of any external

= quotations under fair use, are released to the Public Domain

==================================================================

Received on Thu Nov 30 23:17:11 2006

*
This archive was generated by hypermail 2.1.8
: Thu Nov 30 2006 - 23:17:19 CST
*