
Re: Humboldt County plans to make ballot images public



I've inserted some comments into stevepom335's discussion. I like 
his top-down approach. Any comment that seems to be criticism 
should be taken as an issue that needs clarification in a next draft.

On Sun, Dec 24, 2006 at 02:45:59PM -0700, stevepom335 wrote: 
> To all the folks on this list: 
> 
> I appreciate the feedback on the ideas I proposed. And it's totally
ok with me that I'm not the first to propose this, and that some of
you might not like some of the ideas. I certainly would not want to
waste my time on something that's got real problems that haven't been
evaluated and fixed to the extent that they can be. Further, the
discussions about encrypted systems were very interesting, and helped
me think through some of the issues.
> 
> So ... I thought it would be worthwhile to step back from this (and
other) "good ideas", and look at the objectives that one might have
for a "perfect" voting system, and see if there are any fundamental
conflicts. So I wrote the following up, and would appreciate any
feedback.
> 
> To summarize, as I see it, there is a fundamental conflict between
the objective of preventing vote buying/coercion and the objective of
every voter being able to totally independently verify both that their
ballot was properly recorded and that the totals were properly added
up. Clearly, some of you have seen this conflict also. But I do see a
less than perfect but possibly acceptable solution if a limited number
of "trusted" independent parties are given hard copies of the data
base and one-person-at-a-time access to the data base is enforced and
there are severe penalties for any form of keystroke recording,
etc. See below for the discussion of the details, which parallel some
of what others have written.
> 
> I guess for me, any policy issue worth discussing has inherent
tradeoffs, and that what is the best balance for one point in time may
not be the best for another. That's what makes this interesting.
> 
> One point that is clear is that allowing the voter to take a receipt
with all their votes on it, however encrypted, does enhance the risk
of coercion or vote buying, since whatever the voter can decode, so
can another person with adequate influence over that voter (like
putting a gun to their head or offering them big bucks). So the idea
of a full receipt that the voter can take out of the voting place may
not be the best one. But taking a number that allows the voter to find
their own ballot using a computer in a controlled environment may be
acceptable, as some of you suggest.
> 
> And again, I appreciate any feedback, and realize that I may be
re-plowing old ground for some of you, but it's educational for me.
>
> Steve Pomerance 
> 
>
> DRAFT OBJECTIVES FOR ANY VOTING SYSTEM
> 
> Steve Pomerance, December 24, 2006; draft 1
> 
> 1. no one can know how I voted without my consent;
> 2. I can check to see that my vote was recorded correctly;
> 3. I can check to see that all votes were counted correctly;
> 4. no one can verify how I voted, so no one can coerce me to vote
in a particular way;
> 5. no one can verify how I voted, so that no one would bother to
pay me to vote a particular way;
> 6. no one can add or remove ballots to or from the collection of
cast ballots or add or remove records from the data base that
recorded the votes; in other words, the data cannot be altered so
as to change the results without realistic fear of detection;
> 7. no one can alter any cast ballots/data base records so as to
change the results without realistic fear of detection;
> 8. no one can alter the true total of the votes for any race in a
way that is undetectable, and the totals can be publicly verified; the
concern here is different than the concern over changing, adding or
removing ballots or records; it is a concern that the software that
adds up the totals has been hijacked.
> 9. all qualified voters can vote in privacy, in particular disabled
people.
> 
> PRELIMINARY CONCLUSIONS
> 
> 1. Objective 1 should be solvable without adding any
complexity. Realistically, printing random numbers on ballots doesn't
compromise this objective, since tracking what voter used what ballot
when hundreds are voting seems difficult to impossible if the numbers
are not recorded in any way that associates the number with any
voter. And if voters get to pick ballots from multiple piles, tracking
numbers is essentially impossible. So allowing the voter to take a
receipt with his/her random number on it doesn't seem to me to be a
major problem, even if some state laws don't allow it.

1a) It appears that you are assuming that the vote will be by 'Australian' 
ballot. This is very common in the US, but is not universal. Are you
assuming a paper Australian ballot?

1b) A randomly generated ID number on each ballot does not address
keeping your vote unknown. If well done, it may not have any negative
effect on objective 1, but it is not obvious to me that it can be well
done.

1c) There are serious operational reasons why there need to be ID numbers
on ballots, if they are to be processed using electronic data processing.
These reasons have nothing to do with a voter keeping his particular
vote private, and a lot to do with professional data processing best
practice. So the random number may be there in the future whether or not
it is part of this proposal.
 
> 2. Objectives 2 and 3 seem to require that there be a public data
base with all the ballots/records that cannot be altered once it is
created and made public, so that it is possible to independently
verify that a particular ballot/record is in the same data base that
is counted to come up with the totals.

2a) Of course, the ballots themselves cannot be made public because the
first person to gain access to them could change the marks on some of
them and thus invalidate the whole election. So, it must be some sort
of 'copy' of the ballots, or some sort of 'record of intent' of the
voter that is made public.

2b) The only form of public access that I can imagine working is via
the web, but perhaps this is just a failure of my imagination.

2c) Whether the public information is an image of the marked ballot or
a data record of what was found on the ballot when it was
electronically processed is an open question that has already been
raised on this list. There are objections to both. 

2c1) for a scanned image there is a concern that the voter can make
some pre-arranged special mark on his ballot outside the boxes for
votes that indicates it is, indeed, a bought and paid for vote. 

2c2) for a data record of an electronic scan there is a question as to
how well the scanning equipment works, how correctly it was configured,
whether the process is adequately supervised, whether the process is
'transparent' to the electorate, etc.

2d) The public record should contain more than just the raw votes. It
should also contain redundant information that can be used to verify
that the votes are, in fact, the real votes and not just some fancy
simulation of how Karl Rove or Howard Dean would like to have the 
results come out.

> 3. Objectives 4 and 5 appear to conflict with Objectives 2 and 3,
since if a voter can verify their ballot/record (however encrypted)

3a) Why encrypt at all? I don't understand what problem encryption of
these records would address.

> from an uncontrolled environment (like from a remote computer in their
home or work place or public space), then someone else could coerce or
pay this voter to show them his/her ballot/record. And if the
environment has to be controlled to prevent two people looking at the
same ballot/record at the same time (for example, at the Clerk's
office), then there appears to be no good way that the voter can
verify that what they are seeing when they check their ballot/record
is what is being counted because it is no longer certain that the data
they're reviewing is the same as that being counted to determine who
won. Also, this appears to destroy some of the value of this public
data base approach because the access is no longer convenient, so not
enough voters will check, which limits its value in achieving
Objectives 2 and 3. However, one option might be to give hard copies
of the data base to a limited number of independent parties that agree
to control access so that only one person has access at one time and
is thus protected from coercion or vote selling. This would require
some on-site enforcement, but would solve the coercion/vote-buying
issues, as these independent parties could also check the tallies. Of
course, this opens up the issue of keystroke recording, etc., but, as
I said, I suspect there is no perfect solution.

3b) I don't understand how allowing concurrent access by two or more
people would compromise any of the stated objectives. What is the
worry?

> 4. Objective 6 is relatively easy to ensure, as existing methods,
such as doing multiple counts of ballots and auditing the cast,
discarded and blank ballots with independent election judges present
can solve this.

4a) Does Objective 6 mean that no one can add or remove ballots from
the collection of ballots that are stored in boxes in a vault
somewhere, or add or remove records from an electronic database? If
the latter, there are very well understood methods of computing a
'message digest' for the whole database. Any change in the database
results in it having a different value of its message digest. This
is universally used to check the validity of any download of software
from the web. 

> 5. Objectives 7 and 8 are solved by making the data base and/or
ballot images public, but only so long as any voter can verify that
their individual ballot or image or record is accurate and can add up
the totals themselves.

5a) But is it 'data' or 'images' that are public? Each has problems. 
Personally, I think both should be available, but I recognize that
others have other views.

> 6. Objective 9 may alter the technology used or available, but it
shouldn't affect the other objectives or solutions.

Current equipment for persons with disabilities seems to be more
directed at meeting legal mandates than at actually accommodating
persons with disabilities in ways that are realistic for the disabled
person.

The current discussion of verified voting is largely driven by a
serious distrust of persons in authority (with good reason). 

Unfortunately, most persons with disabilities must, by reason of their
disability, accept as true statements by others in all sorts of
situations where most people can and do verify. 

The discussion of how to include ALL disabled people in voting goes
well beyond ideas about images and databases and the web. Offhand,
I'm pretty sure there is no one way of verifying one's vote that works
for all disabled people. It is another different problem waiting to be
solved. But as with other problems for the disabled, the multiple
different solutions will be cobbled together AFTER we have an 
agreed upon solution to verification for people without disabilities.

> ----- Original Message ----- 
> From: "Ralph Shnelvar" <ralphs@xxxxxxxxx>
> To: <PKlammer@xxxxxxx>; "stevepom335" <stevepom335@xxxxxxxxxxx>
> Cc: "'Paul E Condon'" <pecondon@xxxxxxxxxxxxxxxx>; <cvv-discuss@xxxxxxxxxxxxxxxxx>
> Sent: Wednesday, December 20, 2006 3:52 PM
> Subject: Re: Humboldt County plans to make ballot images public
> 
> 
> > I like this a lot.  It beefs up Mr. Steve Pomerance's insights.
> > 
> > BTW, not to burst your bubble, Steve, but Al Kolwicz and I were discussing
> > this (It was Al's idea) about two years ago.  I'm sure that Al was not the
> > first to contemplate such a public ballot imaging system.
> > 
> > Nonetheless, Steve, it's good to have someone with your influence pushing
> > for this.
> > 
> > 
> > To answer Mr. Paul Condon's objections, elsewhere.  The public has accepted
> > encryption without fuss.  All that need be done is to tell the public that
> > the ballots have been modified using the same techniques used to keep their
> > checking accounts secure when making an ATM withdrawal.
> > 
> > Anyway, I think we're making progress.  I like this.
> > 
> > Now if we can only get the Powers That Be to accept this stuff.  Sigh.
> > 
> > Ralph Shnelvar
> > 
> > 
> > On Wed, 20 Dec 2006 14:19:49 -0700, you wrote:
> > 
> >>We have, in past discussions, proposed that the published images be masked
> >>or obfuscated, within a public transparency protocol which provides a
> >>verifiable, or provable, chain of authenticity between the published
> >>material and the original articles (ballots).
> >>
> >>We wholeheartedly agree that public exposure of naked ballot images would
> >>violate a crucial principle of secure elections, namely ballot secrecy.
> >>
> >>But we believe that it would be feasible and worthwhile to publish
> >>obfuscated image sets, in which the balloted marks are made available for
> >>any and all to interpret and count with their own methods; but yet in which
> >>the extraneous areas of the ballot are masked in a special, cryptological,
> >>way; furthermore the balloted marks themselves could be reordered, also in a
> >>special, cryptological, way, to prevent correlation of different races or
> >>issues per ballot.
> >>
> >>Imagine, if you will, that the published file has a grey mask over every
> >>image, with apertures around just the ballot-marking zones (boxes, circles,
> >>ovals).  Imagine further that the images are sliced and diced so that each
> >>image is a composite of several other originals, but all the slices and
> >>dices are recombined in the file, with none added or deleted -- so you could
> >>count how many marks were for this president, and how many marks were for
> >>that dogcatcher, without being able to count how many this-president voters
> >>were also that-dogcatcher voters.
> >>
> >>By "special, cryptological" ways, I mean a deterministic or algorithmic
> >>obfuscation which has two essential features: 1) it cannot be undone and its
> >>reversal is cryptologically secure; 2) it can be replicated or repeated to
> >>demonstrate its authenticity to the satisfaction of any challenger.
> >>
> >>The second essential feature is harder to explain, so I address it first.
> >>We expect the election administration to develop and hold a file of original
> >>ballot images, not to be published, but to be made available for tests by
> >>the public.  The prescribed arrangement for these tests would be as follows: the
> >>equipment for running the tests remains in the possession and control of the
> >>election administration, but is of a common and publicly-documented design,
> >>e.g., a PC.  The challenger may bring any test programs and data to this PC,
> >>but cannot take files away.  The intent of this testing arrangement is to
> >>allow the challenger to verify the authenticity of correspondence between
> >>the original ballot image file and the published obfuscated file, without
> >>disclosing any other information from the original ballot images.  For
> >>example, we might allow a challenger to run the same ballot-mark-counting
> >>algorithm on both original and obfuscated files, or even count the total of
> >>black and white pixels within ballot mark areas in both files, etc.
> >>
> >>The first essential feature relies upon modern computerized cryptography,
> >>which offers assurances of computational difficulty depending upon digital
> >>keys and one-way algorithms.  For example, we can estimate what size of
> >>digital key it would require to push the "cracking" of the key beyond the
> >>reach of thousands of computers running for thousands of years by all known
> >>or practically foreseeable methods.  A reasonable tradeoff of strength vs.
> >>cost of encryption can yield a practical value for an election
> >>administration to employ.
> >>
> >>This protocol requires verifiable authenticity of the full chain, but the
> >>description here presumes some other means of verifying the fidelity of the
> >>file of original ballot scans.  I would assume that to be accomplished by
> >>some kind of audit protocol, in which certain persons are able to compare
> >>some representative original ballot artifacts with their images in the file,
> >>under controlled circumstances that avoid or prevent vote-selling
> >>disclosures.
> >>
> >>--
> >>Pete Klammer, P.E. / ACM(1970), IEEE, ICCP(CCP), NSPE(PE), NACSE(NSNE)
> >>3200 Routt Street / Wheat Ridge, Colorado 80033-5452
> >>(303)233-9485 / Fax:(303)274-6182 / Mailto:PKlammer@xxxxxxx
> >> "Idealism doesn't win every contest; but that's not what I choose it for."
> >>
> >>
> >>-----Original Message-----
> >>From: Paul E Condon [mailto:pecondon@xxxxxxxxxxxxxxxx] 
> >>Sent: Wednesday, December 20, 2006 12:54 PM
> >>To: cvv-discuss@xxxxxxxxxxxxxxxxx
> >>Subject: Re: Humboldt County plans to make ballot images public
> >>
> >>I looked at Paul W's document. It is important. Without the Ballot
> >>Interpretation Report, the collection of images would be very hard to
> >>interpret. It's been a while since I read the ERC Report, and my mind
> >>has largely shut off remembering the crazy rhetoric of the Hart people
> >>(and the rational suggestions that were intended to deal with it). 
> >>
> >>Yes, to Ballot Interpretation Reports. And, they should be attached to
> >>each ballot image that is published on the web. 
> >>
> >>Then anyone can check the data, and decide whether or not to trust the
> >>election. In very short order under such a system, the election
> >>officials will clean up their act so that they actually are worthy of
> >>'trust'. As #40 said, "Trust --- but verify."
> >>
> >>On Mon, Dec 18, 2006 at 12:51:15PM -0700, Paul Walmsley wrote:
> >>> 
> >>> Just to clarify, that audit method didn't rely on making scanned ballot 
> >>> images public.  I did have a proposal to post the CVRs without any 
> >>> identification numbers, so that anyone could conduct the tabulation 
> >>> portion of the audit.  I don't believe that such a system would incur any 
> >>> risks of voter deanonymization in Boulder County, where write-in 
> >>> candidates have to be pre-approved.
> >>> 
> >>> Maybe some of the confusion is due to the term 'ballot images.' Veterans 
> >>> of the 2003 voting system presentations may recall that some vendors used 
> >>> that term -- deceptively, in my opinion -- to mean 'electronic cast vote 
> >>> records', rather than 'the scanned bitmap image of the paper ballot'.
> >>> 
> >>> 
> >>> - Paul
> >>> 
> >>> On Sun, 17 Dec 2006, Margit Johansson wrote:
> >>> 
> >>> >Hi Paul,
> >>> >   Did you see Paul Walmsley's presentation of his ballot-by-ballot
> >>> >statistically-valid audit method to the Boulder Election Commission (or
> >>> >whatever it was called.)  I've attached some info on this audit method. He
> >>> >uses the idea of posting ballot images after the count, if the audit of the
> >>> >ballot images proves they are accurate.  If we can try the audit in Boulder
> >>> >County successfully, it could be a model for other counties and states. It
> >>> >seems like it might happen, finally. But Paul W. can explain it better than
> >>> >I.
> >>> >Cheers,
> >>> >Margit
> >>> >
> >>> >On 12/17/06, Paul E Condon <pecondon@xxxxxxxxxxxxxxxx> wrote:
> >>> >>
> >>> >>This is a very good idea! I had thought that the Hart ballot scanning
> >>> >>system could be made to do something like this for Boulder County, but
> >>> >>neither Hart nor the County seemed to comprehend the possibility. Now,
> >>> >>with a new Clerk and with somebody else being first, maybe Boulder can
> >>> >>do it, too.
> >>> >>
> >>> >>But can we arrange a way to have the scanning done so that even the
> >>> >>most suspicious conspiracy theorist can accept the scanned images as
> >>> >>a true representation of the physical ballots? Maybe, I hope.
> >>> >>
> >>> >>I can envision public discussions of voter intent for ballots having
> >>> >>non-standard marking --- On-line web 'voting' about the interpretation
> >>> >>of particularly difficult to interpret images. For a while there would
> >>> >>be chaos, but I'm sure things would settle down, and in the long run,
> >>> >>election administration would be much better done, and public
> >>> >>perception of honesty would be much higher.
> >>> >>
> >>> >>On Sun, Dec 17, 2006 at 10:34:22AM -0700, Margit Johansson wrote:
> >>> >>> *In the name of transparency*
> >>> >>>
> >>> >>> James Faulk / The Times-Standard
> >>> >>>
> >>> >>> Article Launched: 12/15/2006 04:22:18 AM PST
> >>> >>>
> >>> >>> County pursues project to make ballot images available to all
> >>> >>>
> >>> >>> EUREKA -- Humboldt County may be setting the bar as far as election
> >>> >>> transparency is concerned.
> >>> >>>
> >>> >>> Humboldt County Clerk and Registrar of Voters Carolyn Crnich is working
> >>> >>> to develop and implement a system that would have made actual scanned
> >>> >>> images of every ballot cast in the county's elections available online
> >>> >>> or on disk.
> >>> >>>
> >>> >>> The program is meant to increase transparency and help to ease people's
> >>> >>> minds about the election process.
> >>> >>>
> >>> >>> "This is Humboldt County only," said Crnich.
> >>> >>>
> >>> >>> Crnich was in Sacramento last week talking to staff members from
> >>> >>> Secretary of State Debra Bowen's office about getting the program off
> >>> >>> the ground. Bowen is looking to help Crnich and her staff get a pilot
> >>> >>> project ready for the upcoming November special district elections.
> >>> >>> They're working to put together a request for Proposition 41 funds to
> >>> >>> pay for equipment -- likely two high-speed scanners.
> >>> >>>
> >>> >>> The ultimate vision is that the ballots could be seen and counted by
> >>> >>> anyone who has an interest.
> >>> >>>
> >>> >>> "Then they could go about counting it any way they want," said Crnich.
> >>> >>>
> >>> >>> It could allow people who favor hand counts to count ballots themselves
> >>> >>> and compare the total against the local machine counts, and it could
> >>> >>> help people developing open-source voting software.
> >>> >>>
> >>> >>> The idea, created by Crnich and Humboldt County elections advocate Kevin
> >>> >>> Collins, has generated excitement among everyone from statisticians to
> >>> >>> election observers and bloggers. Even Harry Hursti, who famously hacked
> >>> >>> Diebold voting machines, has got the bug -- he's designed software for
> >>> >>> Humboldt County to count the digital images, thereby generating another
> >>> >>> vote total for public consumption.
> >>> >>>
> >>> >>> The issue was scheduled to be discussed at the Humboldt County Elections
> >>> >>> Advisory Committee Thursday.
> >>> >>>
> >>> >>> "It's not off the ground yet, but I'm really excited about it," said
> >>> >>> Crnich.
> >>> >>>
> >>> >>>
> >>> >>> A call to Collins was not returned by deadline.
> >>> >>
> >>> >>--
> >>> >>Paul E Condon
> >>> >>pecondon@xxxxxxxxxxxxxxxx
> >>> >>
> >>> >
> >>> 
> >>> 
> >>> - Paul
> >
-- 
Paul E Condon           
pecondon@xxxxxxxxxxxxxxxx
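An added illustration (not code from anyone on this list) of the message-digest idea in comment 4a, applied to a published database of cast-vote records keyed by the random ballot number discussed under Objective 1. It goes one step beyond a single whole-database digest by also digesting each record, so a voter can check that their own record is present and unaltered in the same database that everyone tallies. The record contents and ballot numbers are constructed sample data.

```python
import hashlib
import json

# Constructed sample cast-vote records (not real election data). Each record is
# keyed by the random number printed on the ballot and holds the marks found on it.
SAMPLE_RECORDS = {
    "4827193": {"president": "A", "dogcatcher": "X"},
    "9013375": {"president": "B", "dogcatcher": "X"},
    "2216048": {"president": "A", "dogcatcher": "Y"},
}


def canonical(record):
    """Serialize a record deterministically so the digest does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def record_digest(ballot_number, record):
    """Digest of one record, bound to its ballot number so records cannot be swapped."""
    return hashlib.sha256(ballot_number.encode() + b"\x00" + canonical(record)).hexdigest()


def database_digest(records):
    """Digest of the whole published database: a digest over the sorted per-record
    digests. Sorting makes the value independent of the order the ballots were scanned."""
    h = hashlib.sha256()
    for ballot_number in sorted(records):
        h.update(record_digest(ballot_number, records[ballot_number]).encode())
    return h.hexdigest()


def verify_database(records, published_digest):
    """Anyone holding the published digest can check that their downloaded copy is
    the one that was published: any added, removed or altered record changes it."""
    return database_digest(records) == published_digest


def verify_my_record(records, published_digest, ballot_number, expected_marks):
    """A voter checks (Objective 2) that the record under their ballot number shows
    the marks they made AND sits in the database that carries the published digest."""
    if not verify_database(records, published_digest):
        return False
    return records.get(ballot_number) == expected_marks


def tally(records, race):
    """Anyone can re-add the totals (Objective 3) from the same verified database."""
    counts = {}
    for record in records.values():
        choice = record.get(race)
        counts[choice] = counts.get(choice, 0) + 1
    return counts


if __name__ == "__main__":
    published = database_digest(SAMPLE_RECORDS)
    print("published digest:", published)
    print("intact copy verifies:", verify_database(SAMPLE_RECORDS, published))
    # Altering one mark (or adding or removing a record) changes the digest.
    tampered = json.loads(json.dumps(SAMPLE_RECORDS))
    tampered["9013375"]["president"] = "A"
    print("altered copy verifies:", verify_database(tampered, published))
    print("tally for president:", tally(SAMPLE_RECORDS, "president"))
```

The digest only proves that the published copy is unchanged; as comment 2a notes, the fidelity of the records to the paper ballots still has to be established by an audit before publication.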