Re: Election Theory - How to assure a fair

From: David Mertz <voting-project_at_gnosis_dot_cx>
Date: Sat Sep 27 2003 - 11:17:51 CDT

Clay Lenhart <clay@lenharts.net> wrote:
|I'm pretty serious about security and tampering of votes.

There are two categories of issues. A more minor one is arguments about
our personal opinions of the merits of various designs.

The major category of issue is that EVM2003 is simply not in a position
to make major legislative changes in USA election law. We quite simply
cannot predicate anything we do on sweeping legal changes to allow
EVM2003 to work. On these grounds alone, Clay's proposal CANNOT be part
of EVM2003.

I have nothing against Clay starting another organization to lobby
congress, or whatever. But it's just plainly not our purpose. This is
similar to the idea raised by a few other posters that Condorcet, or
Instant Runoff, or proportional representation, or whatever, would be
more fair electoral systems. EVM2003 can have no opinion about those
claims, since they are simply outside our scope. Members are welcome to
lobby their legislative bodies for IRV, but that's not part of EVM2003.

On the minor issue, I would oppose Clay's system in the abstract. If I
were to magically wake up tomorrow as a US Senator, I would vote against
it for the reasons I listed before. But that's not going to happen, so
I need not worry about it further.

|The problem with David's plan is the MACHINE-ID can be thrown out and
|replaced with a different one by election officials. Then they can
|create fake ballots.

This analysis is incorrect. I will write up the security system I
propose in a separate document, but read the existing note carefully to
see why forgery is prevented.

The Machine-ID's are published in advance of the voting period, so new
ones cannot be invented later. If you were to replace an actual
Machine-ID with a different one, the hash would no longer match. A
central counting authority cannot forge votes later because the raw
voting data is published AT THE SAME MOMENT the key E{priv} is
revealed[*]. Any spurious vote introduced later will not match the
published voting data.

[*] In practice, "published" may mean: "Transferred to a removable
media whose chain of control is assured by parties with contrary
interests; pending wider distribution (i.e. a scale of hours, not
weeks)." Paper is "removable" too, btw.

|"The stored hash still provides protection against simple data
|corruption of the ballot, but not against insertion of malicious
|ballots."

Here you need to read the paragraph the phrase occurs in. ONLY if the
machine is damaged DURING the voting period in such a way as to prevent
revelation of the private (symmetric) key is this sentence germane.

However, the danger of such damage applies to ANY voting machine,
including those under Clay's plan. The above sentence only describes
the reduced fallback protection encoded in the paper ballot in such an
event. In the case of Diebold or "Lenhart" machines, damage of this
sort results in complete loss of the votes, not clearly identifiable
reduction of assurance.

In my proposal, EVM2003 remains neutral about the proper course of
action should such damage occur to a machine. That's a matter for
courts and laws, not for us. Most likely, the retained paper ballots
would be used under the assurances given by their physical security; but
a judge could instead order a precinct-wide (or larger) re-vote. The
exact character of each vote can be determined for the court, as part of
its consideration.

|The number of parties doesn't matter. You could sign ballots with 3
|keys. To prevent fraud, you would need at least 2 parties.

And you could sign each ballot with a different number of keys, coming
from a different set of parties, in every electoral district of the USA.
In other words, an indecipherable nightmare for voters, guaranteed to
cause widespread--even ubiquitous--confusion.

|Fraud, coercion? This is always there, even in paper ballots.

But with a paper ballot, there is no point other than the voting
precinct itself, where a voter relies on obtaining permission/
authorization from a highly interested Party. For example, under Clay's
plan, the Republican party might experience widespread "technical
glitches" in signing the smartcards of black voters.

|Constitutional change? I'm not a constitutional lawyer. I observed
|elections in El Salvador in '99 and found that the political parties
|play a part in making sure the elections are done correctly.

As they do in the USA. But the USAian constitution is old, and the
relation between state and federal authorities quite different than that
in El Salvador. I'm not a lawyer either, but I've read enough
constitutional law to know that Clay's system is--at very least--prone
to many challenges.

|Don't get lost in the smartcard. It could be a floppy disk.

Floppy disks can also be lost or stolen. Probably floppy disks are even
more likely than smartcards to lose data through electrical corruption
(malicious or accidental).

Yours, David...

--
---[ to our friends at TLAs (spread the word) ]--------------------------
Echelon North Korea Nazi cracking spy smuggle Columbia fissionable Stego
White Water strategic Clinton Delta Force militia TEMPEST Libya Mossad
---[ Postmodern Enterprises <mertz@gnosis.cx> ]--------------------------
==================================================================
= The content of this message, with the exception of any external 
= quotations under fair use, are released to the Public Domain    
==================================================================
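The commit-and-reveal idea described in the message above (Machine-IDs published before the voting period, the raw ballot data published at the same moment the symmetric key E{priv} is revealed, a hash that no longer matches if a Machine-ID is swapped) is sketched below as an added Python example. It is not Mertz's proposal, which he says he will write up separately, nor any EVM2003 code. The record layout, the choice of an HMAC-SHA256 tag as the value carried on the paper ballot, and the digest over the published batch are this example's own assumptions, and the Machine-IDs and ballots are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample data: the Machine-IDs a precinct publishes before the
# voting period. An ID invented after the fact will not be in this list.
PUBLISHED_MACHINE_IDS = {"PRECINCT-07-M1", "PRECINCT-07-M2"}


def canonical(obj):
    """Deterministic JSON encoding so hashes and MACs are reproducible."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def new_machine_key():
    """Per-machine symmetric key (the message's E{priv}). Secret while the
    polls are open; revealed together with the raw data when they close."""
    return secrets.token_bytes(32)


def record_ballot(machine_id, key, seq, choices):
    """One ballot record plus its tag. Assumption for this example: the tag
    is what gets printed on the retained paper ballot next to the choices."""
    record = {"machine_id": machine_id, "seq": seq, "choices": choices}
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def close_polls(machine_id, key, entries):
    """Publish the key and the raw ballot data at the same moment, together
    with a digest that commits to exactly this set of records."""
    return {
        "machine_id": machine_id,
        "key": key.hex(),
        "entries": entries,
        "digest": hashlib.sha256(canonical(entries)).hexdigest(),
    }


def verify_publication(published, registry=PUBLISHED_MACHINE_IDS):
    """Audit a closed-polls publication. Returns (ok, reason)."""
    if published["machine_id"] not in registry:
        return False, "machine id not in pre-published list"
    if hashlib.sha256(canonical(published["entries"])).hexdigest() != published["digest"]:
        return False, "published data does not match its digest"
    key = bytes.fromhex(published["key"])
    for e in published["entries"]:
        if e["record"]["machine_id"] != published["machine_id"]:
            return False, "record carries a foreign machine id"
        expect = hmac.new(key, canonical(e["record"]), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expect, e["tag"]):
            return False, "tag mismatch for seq %d" % e["record"]["seq"]
    return True, "ok"


def verify_paper_ballot(published, entry):
    """Match one retained paper ballot (record + tag) against the published data."""
    ok, reason = verify_publication(published)
    if not ok:
        return False, reason
    if entry not in published["entries"]:
        return False, "ballot not in published data"
    return True, "ok"


def demo():
    """Run the three situations the message argues about; return the outcomes."""
    mid = "PRECINCT-07-M1"
    key = new_machine_key()
    entries = [record_ballot(mid, key, i, {"mayor": c})
               for i, c in enumerate(["A", "B", "A"])]
    published = close_polls(mid, key, entries)
    results = {"genuine": verify_publication(published)[0]}

    # An official swaps in a Machine-ID that was never published.
    swapped = dict(published, machine_id="PRECINCT-07-M9")
    results["swapped_id"] = verify_publication(swapped)[0]

    # After the key is revealed, someone appends a ballot with a valid tag.
    # The tag checks out, but the digest published at closing does not.
    forged = record_ballot(mid, key, 99, {"mayor": "B"})
    stuffed = dict(published, entries=published["entries"] + [forged])
    results["late_insert"] = verify_publication(stuffed)[0]

    # A retained paper ballot is matched against the published data.
    results["paper_match"] = verify_paper_ballot(published, entries[1])[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The point the example makes is that the revealed key alone does not stop forgery; what does is that the published dataset (here, its digest) is fixed at the same moment the key becomes public, so a ballot inserted afterwards has nothing to match against.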
Received on Tue Sep 30 23:17:09 2003
