
Re: Fwd: Voting Methods



Paul Walmsley wrote:

Hello Nicholas,

Thanks for posting your summary above. Some thoughts follow.

The security of your system is based on the citizens' ability to detect an
attack against your system, and to do a voter-verifiable paper-receipt
recount if that attack is detected. So ultimately, if attacked -- and
detected -- the security of your system degenerates to that of a paper
receipt system. The security of your paper receipts must be safeguarded
similarly to any paper ballot system. Given this dependency, why not
focus one's security efforts on a voter-verifiable paper ballot system,
rather than having two separate means of counting, one DRE-based and one
paper-based?


Put differently: your system uses vote-recording machines, which have the
advantage of returning election results quickly, but have the disadvantage
that those election results could be completely bogus. Why not use vote-marking machines instead?

In the field of engineering this is called a doubly-redundant system. Having two different methods is a GOOD thing as it guards against single-point failure. If you maintain the votes in two (or more) locations it is much tougher to defraud the system. In a purely paper ballot system, there are several steps susceptible to single-point failure: for example, if a single ballot is "lost" for any reason you have a failure.
I could talk about redundancy and robustness for hours, so if you're interested...


Additionally, I share Neal's concerns -- the receipt-validation system
that you describe is susceptible to vote-buying attacks. Reading some of
your other posts, you don't seem to be too worried about this, since the
current process of absentee voting can also facilitate vote-buying. This, however, does not lead me to the conclusion that we should expand
the potential for vote-buying to the entire electorate. A better response
would be to fix the problem with absentee voting, rather than adopt a
primary voting mechanism which makes the problem worse.

OK fine. As you mentioned, I like the voter-receipt concept because I think that inaccurate counting is a bigger problem than vote buying. But I'm willing to compromise on this. There are several possible work-arounds.
1. Don't publish the content of the vote, just the existence. I.e. your receipt only shows THAT you voted, not HOW you voted. (see below)
2. Allow the voting machine to publish a bogus receipt. Such a receipt would have an invalid ballot id. Voting officials could detect this, but the average guy-on-the-street vote-buyer wouldn't know this. (I could describe such a scheme if you really wanted).
3. Encode the receipts with a user-generated password, decryptable only if the password is known. Bogus passwords would produce bogus ballots.


The short story is, if your biggest concern is vote-buying, there are ways to modify a voter receipt to prevent this.

...unless particular care is taken by pollworkers to note the
voters who successfully cast ballots, your system is open to electronic
ballot-stuffing attacks. This is because the DREs you describe could cast
bogus ballots simply by generating and storing random ballot IDs and
ballot choices. This list of voters who successfully cast ballots must be
published along with the list of ballot IDs and choices, so that members
of the community can verify that the two counts match.


Two responses:
1. It would be EXTREMELY unlikely that such a "feature" could be built into an open source code base undetected.
2. The names of the voters do not need to be published. Each voting place would still keep a paper list of the registered voters. As they come in the door, their attendance is noted. All the voting officials need to do is verify that the number of electronic votes cast is equal to the number of people who came to the polling place. This is the same security measure that is currently in place.


Similarly, pollworkers must take particular care to ensure that voters do
not forget to deposit their receipt copy into the recount box. Otherwise, vote totals from a recount will not match the digital totals, which will certainly lower voters' confidence in your system.


True. Although there are many easy fixes to this problem.

You also mention a revised system, intended to address vote-buying
concerns, in a later post to the list:

3. If you really don't like the concept of having voters validate their
receipt, you could have a system where the public lists and the voter
receipts just have the ballot ID. This way, voters could check that at
least their vote has been counted.

As a voter, if my ballot choices are not printed, how does this system
assure me that my ballot choices were counted? It is not useful to know
that my ballot was "counted" if the DRE, through a bug or security hole,
surreptitiously changed my ballot choices. This modified method seems to cause showstopping security problems that were not present in your original system.

Whoa there!! Remember that the voter receipts were a security measure above and beyond anything that exists today. Any implementation of this system is better than none. It doesn't cause ANY security problems since the only possible effect of using such a system is mandating a hand recount. It is just an additional safety measure. To say that it causes showstopping security problems is like saying that a burglar alarm is a home security threat because it could be disabled. An alarm is no substitute for locking your doors, but having one doesn't make your house any LESS safe.

I agree with you that it is more useful to have the voters' choices indicated on the receipt, but even if they are absent, there is some utility provided by just being able to note that your ballot was received. Think about the post office. People often send registered mail so that they are notified that their letter has been delivered. But actually, you have no proof that it was your letter that was delivered. Someone at the post office could have opened the envelope, replaced the contents, and then delivered the bogus contents in the original envelope. Yes, this is VERY unlikely. Why? Because normal security measures like sealing your envelope are usually enough to ensure that this doesn't happen. Similarly, normal security measures in voting--like well written, open source code, and the possibility of a hand recount--are essential to voting security. The voter receipt simply provides a modicum of additional security. And like a piece of registered mail, the important feature is that you are guaranteed to be apprised in case of the absence of delivery.
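The two checks debated above, as an added toy model that is not code from either poster: the pollbook-count check that catches a DRE inventing extra ballot records, and the voter's receipt check, run once with choices printed on the receipt and once with an ID-only receipt so the difference Paul raises is visible. All ballot IDs, choices and counts are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Ballot:
    ballot_id: str
    choices: tuple  # constructed, e.g. ("Alice", "yes")

# Constructed sample: sign-ins recorded on the paper pollbook at one
# polling place, and the list of (ballot ID, choices) the DRE publishes.
POLLBOOK_SIGNINS = 3
PUBLISHED = [
    Ballot("b-001", ("Alice", "yes")),
    Ballot("b-002", ("Bob", "no")),
    Ballot("b-003", ("Alice", "no")),
]

def counts_match(published, signins):
    """Officials' check: the number of electronic ballots must equal the
    number of people who signed in. Extra records a DRE generated on its
    own make the published list longer than the pollbook."""
    return len(published) == signins

def receipt_with_choices(ballot):
    """Original proposal: receipt carries ballot ID and the choices."""
    return (ballot.ballot_id, ballot.choices)

def receipt_id_only(ballot):
    """Revised proposal: receipt carries only the ballot ID."""
    return (ballot.ballot_id, None)

def verify_receipt(receipt, published):
    """Voter's check against the public list. With choices on the receipt
    both ID and choices must match; with an ID-only receipt only the ID
    can be compared, so altered choices pass unnoticed."""
    ballot_id, choices = receipt
    for b in published:
        if b.ballot_id == ballot_id:
            return choices is None or b.choices == choices
    return False

def altered_copy(published, ballot_id, new_choices):
    """Simulate a buggy or compromised DRE storing different choices for
    one ballot while keeping its ID; used to show what each receipt catches."""
    return [Ballot(b.ballot_id, new_choices) if b.ballot_id == ballot_id else b
            for b in published]
```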