
Re: Fwd: Voting Methods



On Tue, 23 Dec 2003, Nicholas Bernstein wrote:

> I've written up a brief explanation and put it on
> 
> http://osl-www.colorado.edu/~bernsten/DRE-r2.html
> 
> I'll be filling out the last two sections later. Work calls. Let me know 
> what you think.

Hello Nicholas,

Thanks for posting your summary above.  Some thoughts follow.

The security of your system is based on the citizens' ability to detect an
attack against your system, and to do a voter-verifiable paper-receipt
recount if that attack is detected.  So ultimately, if attacked -- and
detected -- the security of your system degenerates to that of a paper
receipt system.  The security of your paper receipts must be safeguarded
similarly to any paper ballot system.  Given this dependency, why not
focus one's security efforts on a voter-verifiable paper ballot system,
rather than having two separate means of counting, one DRE-based and one
paper-based?  

Put differently: your system uses vote-recording machines, which have the
advantage of returning election results quickly, but have the disadvantage
that those election results could be completely bogus.  Why not use 
vote-marking machines instead?

Additionally, I share Neal's concerns -- the receipt-validation system
that you describe is susceptible to vote-buying attacks.  Reading some of
your other posts, you don't seem to be too worried about this, since the
current process of absentee voting can also facilitate vote-buying.  
This, however, does not lead me to the conclusion that we should expand
the potential for vote-buying to the entire electorate.  A better response
would be to fix the problem with absentee voting, rather than adopt a
primary voting mechanism which makes the problem worse.

I have a few other concerns with your system as it's currently described 
-- some of these problems might be resolvable with further detail in your
exposition.

For example, unless particular care is taken by pollworkers to note the
voters who successfully cast ballots, your system is open to electronic
ballot-stuffing attacks.  This is because the DREs you describe could cast
bogus ballots simply by generating and storing random ballot IDs and
ballot choices.  This list of voters who successfully cast ballots must be
published along with the list of ballot IDs and choices, so that members
of the community can verify that the two counts match.

Similarly, pollworkers must take particular care to ensure that voters do
not forget to deposit their receipt copy into the recount box.  
Otherwise, vote totals from a recount will not match the digital totals, 
which will certainly lower voters' confidence in your system.

...

You also mention a revised system, intended to address vote-buying
concerns, in a later post to the list:

> 3. If you really don't like the concept of having voters validate their
> receipt, you could have a system where the public lists and the voter
> receipts just have the ballot ID. This way, voters could check that at
> least their vote has been counted. 

As a voter, if my ballot choices are not printed, how does this system
assure me that my ballot choices were counted?  It is not useful to know
that my ballot was "counted" if the DRE, through a bug or security hole,
surreptitiously changed my ballot choices.  This modified method seems to 
cause showstopping security problems that were not present in your 
original system.

...

Thanks for posting details of your system, Nicholas.  

Ultimately, like Neal, I feel that voter-verifiable paper ballot systems,
possibly using vote-marking machines, provide a less-complicated solution
that is not susceptible to vote-buying concerns.


- Paul
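
The cross-checks raised in the message above (published voter list against published ballot IDs, and recount-box receipts against the digital record) can be sketched as a small reconciliation script. This is an added example, not part of the original message or of the system under discussion; the record layouts, function name and sample data are assumptions constructed for illustration.

```python
from collections import Counter

def reconcile(voters, electronic, receipts):
    """Cross-check the three records described in the message.

    voters     -- identifiers of voters noted by pollworkers as having cast a ballot
    electronic -- (ballot_id, choice) pairs published from the DRE
    receipts   -- (ballot_id, choice) pairs read from the paper recount box
    """
    e_ids = Counter(bid for bid, _ in electronic)
    r_ids = {bid for bid, _ in receipts}
    e_choice = dict(electronic)
    return {
        # More digital ballots than voters who cast one: possible ballot stuffing.
        "surplus_ballots": max(0, len(electronic) - len(set(voters))),
        # A ballot ID published more than once.
        "duplicate_ballot_ids": sorted(b for b, n in e_ids.items() if n > 1),
        # Digital ballots with no paper receipt. A forgotten receipt and a
        # fabricated ballot look identical here, which is why deposits into
        # the recount box have to be enforced at the polling place.
        "missing_receipts": sorted(set(e_ids) - r_ids),
        # Paper receipts with no digital counterpart.
        "unknown_receipts": sorted(r_ids - set(e_ids)),
        # Paper and digital records disagree on the choice for the same ID.
        "choice_mismatches": sorted(
            b for b, c in receipts if b in e_choice and e_choice[b] != c
        ),
    }

# Constructed sample data: four voters, two fabricated ballots (B-9001, B-9002),
# one forgotten receipt (B-1004) and one altered digital choice (B-1003).
VOTERS = ["v1", "v2", "v3", "v4"]
ELECTRONIC = [
    ("B-1001", "A"), ("B-1002", "B"), ("B-1003", "A"),
    ("B-1004", "A"), ("B-9001", "A"), ("B-9002", "A"),
]
RECEIPTS = [("B-1001", "A"), ("B-1002", "B"), ("B-1003", "B")]

if __name__ == "__main__":
    for check, result in reconcile(VOTERS, ELECTRONIC, RECEIPTS).items():
        print(f"{check}: {result}")
```
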