voting

[Arnold G. Reinhold]

At 8:24 AM -0400 4/8/04, Perry E. Metzger wrote:
>"Trei, Peter" <ptrei at rsasecurity.com> writes:
>>  I think Perry has hit it on the head, with the one exception that
>>  the voter should never have the receipt in his hand - that opens
>>  the way for serial voting fraud.
>>
>>  The receipt should be exposed to the voter behind glass, and
>>  when he/she presses the 'accept' button, it visibly drops into
>>  the sealed, opaque ballot box.
>
>Seems fine by me, except I'd make the ballot box only lightly frosted
>-- enough that you can't read the contents, but light enough that poll
>inspectors can visually assure themselves that the contents aren't
>mysteriously altered during the course of the day.

I can see one potential problem with having the machine produce the 
receipts. Let's say the system is well designed and completely fair. 
There will be a certain percentage of voters who will complain that 
the receipt recorded the wrong vote because they in fact 
inadvertently pressed the wrong button.  Over time, that percentage 
and its variance will become well known.  Call that rate "r.' A party 
with the ability to make surreptitious changes to the voting software 
can then have it occasionally record a vote and print a receipt 
contrary to what the voter chose as long as the number of such bogus 
votes is small enough relative r and its variance to escape notice. 
They can then determine what fraction, f, of voters who get wrong 
receipts  report them. They can then increase the fraction of bogus 
votes by 1/f.  Over the course of several elections they can slowly 
grow the fraction of bogus votes, claiming that voters are getting 
sloppy. Since major elections are often decided by less than one 
percent of the vote, this attack can be significant.

We have a system now in Cambridge, Massachusetts where we are given a 
paper mark sense ballot and fill in little ovals, like those on 
standardized tests. We then carry our ballot to a machine that sucks 
it in and reads it. The totals are reported after the polls close, 
but the mark sense ballots are saved inside the machine (which I 
assume is inspected before the voting starts and then locked) can 
easily be recounted at any time. This system seems ideal to me.

>
>By the way, I should mention that an important part of such a system
>is the principle that representatives from the candidates on each side
>get to oversee the entire process, assuring that the ballot boxes
>start empty and stay untampered with all day, and that no one tampers
>with the ballots as they're read. The inspectors also serve to assure
>that the clerks are properly checking who can and can't vote, and can
>do things like hand-recording the final counts from the readers,
>providing a check against the totals reported centrally.
>
>The adversarial method does wonders for assuring that tampering is
>difficult at all stages of a voting system.
>

A important thing to remember is that these poll watchers, along with 
the workers running the voting for the election authorities are often 
retired people who have very little computer skills. It is much 
easier for them to understand and safeguard systems based on paper 
and mechanical locks.

Arnold Reinhold

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com