Firm invites experts to punch holes in ballot software
Trei, Peter
ptrei at rsasecurity.com
Wed Apr 7 10:17:53 EDT 2004
>Firm invites experts to punch holes in ballot software
> The company's software is designed to let voters verify that their ballots
>were properly handled. It assigns random identification numbers to ballots
>and candidates. After people vote, they get a receipt that shows which
>candidates they chose--listed as numbers, not names. Voters can then use
>the Internet and their ballot identification number to check that their
>votes were correctly counted.
This is kind of broken. Allowing the voter to get a receipt which
they take away with them for verification may allow the voter to verify
that their vote was recorded as cast, but also allows coercion and
vote buying.
To their credit, the creators thought of this, and suggest a
partial procedural fix in the threat analysis document:
P4. Let voters discard verification receipts in poll site trash
can and let any voter take them
Result: Buyer/coercer can't be sure voter generated verification
receipt
P5. Have stacks of random printed codebooks freely available in poll
site
Result: Vote buyer/coercer can't be sure captured codebook was used
P6. Have photos of on-screen codebooks freely available on-line
Result: Vote buyer/coercer can't be sure captured codebook was used
The first problem, or course, is that a person under threat of
coercion will need to present the coercer with a receipt showing
exactly the mix of votes the coercer required. This is leads
to a combinatorial explosion of fake receipts that need to be available.
Having only one vote on each receipt might mitigate this, but it still
gets really messy.
Second, it's not clear how this protects against the coercer checking the
ballot online - will every fake also be recorded in the system, so
it passes the online check? Having both real and fake ballots in
the verification server makes me very nervous.
Its possible I've missed something - this is based on a quick glance
through the online documents, but I don't see any advantage this
system has over the much more discussed one where the reciept is
printed in a human readable way, shown to the voter, but retained
inside the machine as a backup for recounts.
Just my private, personal opinion.
Peter Trei
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list