
Re: Humboldt County plans to make ballot images public



On Sun, 24 Dec 2006 14:45:59 -0700, you wrote:

[snip]
>
> 
>
>  1.. no one can know how I voted without my consent;

Unless you are severely disabled, no one should know how you voted even with
your consent.

>  2.. I can check to see that my vote was recorded correctly;

This is irrelevant if (3) is correct.

On the other hand, if a computer generates a ballot, you can inspect the
automatically filled-in ballot to see that what was marked on the ballot was
your intent.  In my world, any other marks on the ballot would invalidate
the ballot.

>  3.. I can check to see that all votes were counted correctly;

Well, at least a trusted 3rd party should be able to verify that all votes
were counted correctly.

>  4.. no one can verify how I voted, so no one can coerce me to vote in a particular way;

Which is why I made my comment to (1).

>  5.. no one can verify how I voted, so that no one would bother to pay me to vote a particular way;

Right.

>  6.. no one can add or remove ballots to or from the collection of cast ballots or add or remove records from the data base that recorded the votes; in other words, the data cannot be altered so as to change the results without realistic fear of detection;
>  7.. no one can alter any cast ballots/data base records so as to change the results without realistic fear of detection;
>  8.. no one can alter the true total of the votes for any race in a way that is undetectable, and the totals can be publicly verified; the concern here is different than the concern over changing, adding or removing ballots or records; it is a concern that the software that adds up the totals has been hijacked.

6,7,8 are a replay of (3).

>  9.. all qualified voters can vote in privacy, in particular disabled people.

Not possible because a sufficiently disabled person will never be able to
cast a ballot unless we invent mind-reading machines.



But there are other considerations:

10. Only eligible voters should be able to vote.

11. Voting should be accessible to all.  The kind of fiasco in 2006 in
Denver is as bad as rigging an election.

12. The recording medium should be cheap and permanent and protected so that
the votes are not destroyed accidentally.  This is different than going in
and changing records in a database.

13. The balloting should be "chunked up" so that if there is fraud or other
defects, the fraud can be isolated.

> 
>
>PRELIMINARY CONCLUSIONS
>
> 
>
>  1.. Objective 1 should be solvable without adding any complexity. Realistically, printing random numbers on ballots doesn't compromise this objective, since tracking what voter used what ballot when hundreds are voting seems difficult to impossible if the numbers are not recorded in any way that associates the number with any voter. And if voters get to pick ballots from multiple piles, tracking numbers is essentially impossible. So allowing the voter to take a receipt with his/her random number on it doesn't seem to me to be a major problem, even if some state laws don't allow it.
>  2.. Objectives 2 and 3 seem to require that there be a public data base with all the ballots/records that cannot be altered once it is created and made public, so that it is possible to independently verify that a particular ballot/record is in the same data base that is counted to come up with the totals.
>  3.. Objectives 4 and 5 appear to conflict with Objectives 2 and 3, since if a voter can verify their ballot/record (however encrypted) from an uncontrolled environment (like from a remote computer in their home or work place or public space), then someone else could coerce or pay this voter to show them his/her ballot/record. And if the environment has to be controlled to prevent two people looking at the same ballot/record at the same time (for example, at the Clerk's office), then there appears to be no good way that the voter can verify that what they are seeing when they check their ballot/record is what is being counted because it is no longer certain that the data they're reviewing is the same as that being counted to determine who won. Also, this appears to destroy some of the value of this public data base approach because the access is no longer convenient, so not enough voters will check, which limits its value in achieving Objectives 2 and 3. However, one option might be to give hard copies of the data base to a limited number of independent parties that agree to control access so that only one person has access at one time and is thus protected from coercion or vote selling. This would require some on-site enforcement, but would solve the coercion/vote-buying issues, as these independent parties could also check the tallies. Of course, this opens up the issue of keystroke recording, etc., but, as I said, I suspect there is no perfect solution.
>  4.. Objective 6 is relatively easy to ensure, as existing methods, such as doing multiple counts of ballots and auditing the cast, discarded and blank ballots with independent election judges present can solve this.
>  5.. Objectives 7 and 8 are solved by making the data base and/or ballot images public, but only so long as any voter can verify that their individual ballot or image or record is accurate and can add up the totals themselves.
>  6.. Objective 9 may alter the technology used or available, but it shouldn't affect the other objectives or solutions.
> 
>
> 
>
>
>
>
>
>----- Original Message ----- 
>From: "Ralph Shnelvar" <ralphs@xxxxxxxxx>
>To: <PKlammer@xxxxxxx>; "stevepom335" <stevepom335@xxxxxxxxxxx>
>Cc: "'Paul E Condon'" <pecondon@xxxxxxxxxxxxxxxx>; <cvv-discuss@xxxxxxxxxxxxxxxxx>
>Sent: Wednesday, December 20, 2006 3:52 PM
>Subject: Re: Humboldt County plans to make ballot images public
>
>
>>I like this a lot.  It beefs up Mr. Steve Pomerance's insights.
>> 
>> BTW, not to burst your bubble, Steve, but Al Kolwicz and I were discussing
>> this (It was Al's idea) about two years ago.  I'm sure that Al was not the
>> first to contemplate such a public ballot imaging system.
>> 
>> Nonetheless, Steve, it's good to have someone with your influence pushing
>> for this.
>> 
>> 
>> To answer Mr. Paul Condon's objections, elsewhere.  The public has accepted
>> encryption without fuss.  All that need be done is to tell the public that
>> the ballots have been modified using the same techniques used to keep their
>> checking accounts secure when making an ATM withdrawal.
>> 
>> Anyway, I think we're making progress.  I like this.
>> 
>> Now if we can only get the Powers That Be to accept this stuff.  Sigh.
>> 
>> Ralph Shnelvar
>> 
>> 
>> On Wed, 20 Dec 2006 14:19:49 -0700, you wrote:
>> 
>>>We have, in past discussions, proposed that the published images be masked
>>>or obfuscated, within a public transparency protocol which provides a
>>>verifiable, or provable, chain of authenticity between the published
>>>material and the original articles (ballots).
>>>
>>>We wholeheartedly agree that public exposure of naked ballot images would
>>>violate a crucial principle of secure elections, namely ballot secrecy.
>>>
>>>But we believe that it would be feasible and worthwhile to publish
>>>obfuscated image sets, in which the balloted marks are made available for
>>>any and all to interpret and count with their own methods; but yet in which
>>>the extraneous areas of the ballot are masked in a special, cryptological,
>>>way; furthermore the balloted marks themselves could be reordered, also in a
>>>special, cryptological, way, to prevent correlation of different races or
>>>issues per ballot.
>>>
>>>Imagine, if you will, that the published file has a grey mask over every
>>>image, with apertures around just the ballot-marking zones (boxes, circles,
>>>ovals).  Imagine further that the images are sliced and diced so that each
>>>image is a composite of several other originals, but all the slices and
>>>dices are recombined in the file, with none added or deleted -- so you could
>>>count how many marks were for this president, and how many marks were for
>>>that dogcatcher, without being able to count how many this-president voters
>>>were also that-dogcatcher voters.
>>>
>>>By "special, cryptological" ways, I mean a deterministic or algorithmic
>>>obfuscation which has two essential features: 1) it cannot be undone and its
>>>reversal is cryptologically secure; 2) it can be replicated or repeated to
>>>demonstrate its authenticity to the satisfaction of any challenger.
>>>
>>>The second essential feature is harder to explain, so I address it first.
>>>We expect the election administration to develop and hold a file of original
>>>ballot images, not to be published, but to be made available for tests by
>>>the public.  The prescribed arrangement for these tests would be as follows: the
>>>equipment for running the tests remains in the possession and control of the
>>>election administration, but is of a common and publicly-documented design,
>>>e.g., a PC.  The challenger may bring any test programs and data to this PC,
>>>but cannot take files away.  The intent of this testing arrangement is to
>>>allow the challenger to verify the authenticity of correspondence between
>>>the original ballot image file and the published obfuscated file, without
>>>disclosing any other information from the original ballot images.  For
>>>example, we might allow a challenger to run the same ballot-mark-counting
>>>algorithm on both original and obfuscated files, or even count the total of
>>>black and white pixels within ballot mark areas in both files, etc.
>>>
>>>The first essential feature relies upon modern computerized cryptography,
>>>which offers assurances of computational difficulty depending upon digital
>>>keys and one-way algorithms.  For example, we can estimate what size of
>>>digital key it would require to push the "cracking" of the key beyond the
>>>reach of thousands of computers running for thousands of years by all known
>>>or practically foreseeable methods.  A reasonable tradeoff of strength vs.
>>>cost of encryption can yield a practical value for an election
>>>administration to employ.
>>>
>>>This protocol requires verifiable authenticity of the full chain, but the
>>>description here presumes some other means of verifying the fidelity of the
>>>file of original ballot scans.  I would assume that to be accomplished by
>>>some kind of audit protocol, in which certain persons are able to compare
>>>some representative original ballot artifacts with their images in the file,
>>>under controlled circumstances that avoid or prevent vote-selling
>>>disclosures.
>>>
>>>--
>>>Pete Klammer, P.E. / ACM(1970), IEEE, ICCP(CCP), NSPE(PE), NACSE(NSNE)
>>>3200 Routt Street / Wheat Ridge, Colorado 80033-5452
>>>(303)233-9485 / Fax:(303)274-6182 / Mailto:PKlammer@xxxxxxx
>>> "Idealism doesn't win every contest; but that's not what I choose it for."
>>>
>>>
>>>-----Original Message-----
>>>From: Paul E Condon [mailto:pecondon@xxxxxxxxxxxxxxxx] 
>>>Sent: Wednesday, December 20, 2006 12:54 PM
>>>To: cvv-discuss@xxxxxxxxxxxxxxxxx
>>>Subject: Re: Humboldt County plans to make ballot images public
>>>
>>>I looked at Paul W's document. It is important. Without the Ballot
>>>Interpretation Report, the collection of images would be very hard to
>>>interpret. It's been a while since I read the ERC Report, and my mind
>>>has largely shut off remembering the crazy rhetoric of the Hart people
>>>(and the rational suggestions that were intended to deal with it). 
>>>
>>>Yes, to Ballot Interpretation Reports. And, they should be attached to
>>>each ballot image that is published on the web. 
>>>
>>>Then anyone can check the data, and decide whether or not to trust the
>>>election. In very short order under such a system, the election
>>>officials will clean up their act so that they actually are worthy of
>>>'trust'. As #40 said, "Trust --- but verify."
>>>
>>>On Mon, Dec 18, 2006 at 12:51:15PM -0700, Paul Walmsley wrote:
>>>> 
>>>> Just to clarify, that audit method didn't rely on making scanned ballot 
>>>> images public.  I did have a proposal to post the CVRs without any 
>>>> identification numbers, so that anyone could conduct the tabulation 
>>>> portion of the audit.  I don't believe that such a system would incur any 
>>>> risks of voter deanonymization in Boulder County, where write-in 
>>>> candidates have to be pre-approved.
>>>> 
>>>> Maybe some of the confusion is due to the term 'ballot images.' Veterans 
>>>> of the 2003 voting system presentations may recall that some vendors used 
>>>> that term -- deceptively, in my opinion -- to mean 'electronic cast vote 
>>>> records', rather than 'the scanned bitmap image of the paper ballot'.
>>>> 
>>>> 
>>>> - Paul
>>>> 
>>>> On Sun, 17 Dec 2006, Margit Johansson wrote:
>>>> 
>>>> >Hi Paul,
>>>> >   Did you see Paul Walmsley's presentation of his ballot-by-ballot
>>>> >statistically-valid audit method to the Boulder Election Commission (or
>>>> >whatever it was called.)  I've attached some info on this audit method. He
>>>> >uses the idea of posting ballot images after the count, if the audit of the
>>>> >ballot images proves they are accurate.  If we can try the audit in Boulder
>>>> >County successfully, it could be a model for other counties and states. It
>>>> >seems like it might happen, finally. But Paul W. can explain it better than
>>>> >I.
>>>> >Cheers,
>>>> >Margit
>>>> >
>>>> >On 12/17/06, Paul E Condon <pecondon@xxxxxxxxxxxxxxxx> wrote:
>>>> >>
>>>> >>This is a very good idea! I had thought that the Hart ballot scanning
>>>> >>system could be made to do something like this for Boulder County, but
>>>> >>neither Hart nor the County seemed to comprehend the possibility. Now,
>>>> >>with a new Clerk and with somebody else being first, maybe Boulder can
>>>> >>do it, too.
>>>> >>
>>>> >>But can we arrange a way to have the scanning done so that even the
>>>> >>most suspicious conspiracy theorist can accept the scanned images as
>>>> >>a true representation of the physical ballots? Maybe, I hope.
>>>> >>
>>>> >>I can envision public discussions of voter intent for ballots having
>>>> >>non-standard marking --- On-line web 'voting' about the interpretation
>>>> >>of particularly difficult to interpret images. For a while there would
>>>> >>be chaos, but I'm sure things would settle down, and in the long run,
>>>> >>election administration would be much better done, and public
>>>> >>perception of honesty would be much higher.
>>>> >>
>>>> >>On Sun, Dec 17, 2006 at 10:34:22AM -0700, Margit Johansson wrote:
>>>> >>> *In the name of transparency*
>>>> >>>
>>>> >>> James Faulk / The Times-Standard
>>>> >>>
>>>> >>> Article Launched:12/15/2006 04:22:18 AM PST
>>>> >>>
>>>> >>>
>>>> >>>
>>>> >>> County pursues project to make ballot images available to all
>>>> >>>
>>>> >>> EUREKA -- Humboldt County may be setting the bar as far as election
>>>> >>> transparency is concerned.
>>>> >>>
>>>> >>> Humboldt County Clerk and Registrar of Voters Carolyn Crnich is working to
>>>> >>> develop and implement a system that would have made actual scanned images of
>>>> >>> every ballot cast in the county's elections available online or on disk.
>>>> >>>
>>>> >>> The program is meant to increase transparency and help to ease people's
>>>> >>> minds about the election process.
>>>> >>>
>>>> >>> "This is Humboldt County only," said Crnich.
>>>> >>>
>>>> >>> Crnich was in Sacramento last week talking to staff members from Secretary
>>>> >>> of State Debra Bowen's office about getting the program off the ground.
>>>> >>> Bowen is looking to help Crnich and her staff get a pilot project ready for
>>>> >>> the upcoming November special district elections. They're working to put
>>>> >>> together a request for Proposition 41 funds to pay for equipment -- likely
>>>> >>> two high-speed scanners.
>>>> >>>
>>>> >>> The ultimate vision is that the ballots could be seen and counted by anyone
>>>> >>> who has an interest.
>>>> >>>
>>>> >>> "Then they could go about counting it any way they want," said Crnich.
>>>> >>>
>>>> >>> It could allow people who favor hand counts to count ballots themselves and
>>>> >>> compare the total against the local machine counts, and it could help people
>>>> >>> developing open-source voting software.
>>>> >>>
>>>> >>> The idea, created by Crnich and Humboldt County elections advocate Kevin
>>>> >>> Collins, has generated excitement among everyone from statisticians to
>>>> >>> election observers and bloggers. Even Harry Hursti, who famously hacked
>>>> >>> Diebold voting machines, has got the bug -- he's designed software for
>>>> >>> Humboldt County to count the digital images, thereby generating another vote
>>>> >>> total for public consumption.
>>>> >>>
>>>> >>> The issue was scheduled to be discussed at the Humboldt County Elections
>>>> >>> Advisory Committee Thursday.
>>>> >>>
>>>> >>> "It's not off the ground yet, but I'm really excited about it," said Crnich.
>>>> >>>
>>>> >>>
>>>> >>> A call to Collins was not returned by deadline.
>>>> >>
>>>> >>--
>>>> >>Paul E Condon
>>>> >>pecondon@xxxxxxxxxxxxxxxx
>>>> >>
>>>> >
>>>> 
>>>> 
>>>> - Paul
>>
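
An added illustration, not part of the original thread and not code from any participant or election system, of the per-contest reordering Pete Klammer describes above: each ballot is cut into one slice per contest, each contest's slices are permuted independently by a keyed deterministic shuffle, and a challenger's check confirms that nothing was added or deleted. The HMAC-based sort key, the function names and the sample ballots are assumptions constructed for the example.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample data: one dict per original ballot, one mark per contest.
BALLOTS = [
    {"president": "A", "dogcatcher": "X"},
    {"president": "A", "dogcatcher": "Y"},
    {"president": "B", "dogcatcher": "X"},
    {"president": "B", "dogcatcher": "Y"},
    {"president": "A", "dogcatcher": "X"},
]

def keyed_order(key: bytes, contest: str, n: int) -> list[int]:
    """Deterministic permutation of range(n), specific to (key, contest).

    Assumption: sorting indices by an HMAC-SHA256 tag stands in for the
    "special, cryptological" reordering; the key holder can repeat it exactly.
    """
    def tag(i: int) -> bytes:
        return hmac.new(key, f"{contest}:{i}".encode(), hashlib.sha256).digest()
    return sorted(range(n), key=tag)

def obfuscate(ballots, key: bytes):
    """Build published rows whose contest columns were shuffled independently,
    so a published row is a composite of slices from several originals."""
    contests = sorted(ballots[0])
    cols = {}
    for c in contests:
        order = keyed_order(key, c, len(ballots))
        cols[c] = [ballots[i][c] for i in order]
    return [{c: cols[c][r] for c in contests} for r in range(len(ballots))]

def tallies(rows):
    """Per-contest mark counts, computable by anyone from the published file."""
    return {c: Counter(r[c] for r in rows) for c in rows[0]}

def challenge(ballots, published, key: bytes) -> bool:
    """Challenger's test run on the administration's machine: repeat the
    obfuscation on the originals and compare files and per-contest totals."""
    return (obfuscate(ballots, key) == published
            and tallies(ballots) == tallies(published))
```

In this sketch the key stays with the election administration and is used only during a challenge, since anyone holding it could recompute the permutations and reassemble the original ballots.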