voting

Ed Gerck egerck at nma.com
Thu Apr 8 12:17:39 EDT 2004


a counterpoint...

"Perry E. Metzger" wrote:
> 
> I'm a believer in the KISS principle.

:-) that's one S too many. For true believers, KIS is enough.
 
> A ballot that is both machine and human readable and is constructed by
> machine seems ideal. You enter your votes, a card drops down, you
> verify it and drop it in a slot. Ideally, the cards would be marked
> with something like OCR-B so that the correspondence between machine
> marking and human marking is trivial.

If the real vote (the thing that gets counted) is machine-read
from the OCR-B, and the voter is verifying the human-readable 
OCR-B text on the ballot, then how can one say the vote is really 
verified?

You end up trusting the machines after all, both for scanning as 
well as for tallying. In addition, the paper ballots could also be 
falsified and the totals would be wrong even if someone would have us 
believe that their machines are infallible.

> You can't have "hanging chads" or mismarks on optical cards because a
> machine marks it for you. You can always do a recount, just by running
> the cards through the reader again. 

Machines are not 100% efficient when counting paper ballots. There
are misreads, rejections, jamming, etc. The usual procedure is to feed
the ballots twice in the machine, for verification. What happens
if the result differs? Since you don't know which paper ballots were 
misread, you MUST end up having to count them ALL manually. Florida law,
for example, unequivocally requires a manual recount in a close election
-- even if no one complains. This is the same scenario, btw, as the
November 2000 election.

> You can prevent ballot stuffing by
> having representatives of several parties physically present during
> the handling of the ballot boxes -- just like now. 

Just like now, ballot boxes are "lost", some ballots are not counted,
some ballots can be changed.

For 200 years, fraud has been endemic in paper ballots in the
US. This is exactly one of the reasons that is driving this society 
to develop better solutions. 

Better solutions, IMO, should include independent representations of 
the ballot data, witnesses of the ballot as cast by the voter. When 
these witnesses exist, they must all be audited for consistency. 
This can be done efficiently with a proper random sampling. Further, 
as it is already legal today in the U.S., I think that voters should 
be able to cast their ballots at a poll precinct as well as at home, 
at work, and abroad. 

Moreover, election systems need to eliminate all physical connections 
between production system (the election) and development (the vendor).
This is a lesson from the banking sector. Vendors must not be allowed 
to operate their machines during an election, as it is routinely done 
today in the US. This current (bad) practice also contains a conflict of 
interest, as the vendor has an interest in selling a machine that is hard
to operate.

> You can verify that
> the counting mechanisms are working right by manually counting if
> needed.

There are at least three problems with this statement.

Manually counting? If someone even suggests that a city like Los 
Angeles (1.9M voters) is going to HAND COUNT all of its ballots, 
they won't go very far. It is humanly impossible to do this without 
mistakes creeping in, in addition to time and costs. 

Working right? Contrary to banking, a ballot (ie, a transaction in bank 
terms) must not be linkable to whoever did it. A voter should not be 
able to prove, not even to himself, how he voted.  Nonetheless, voters 
are not anonymous (they have to be well-identified). Compare this with 
"working right" in banking: if there is a debit of $10,000.00 in our 
account, how would you feel if no one (not even you) could prove that 
the debit is not yours?

Counting mechanisms? There is no way to know with current paper ballots 
if they are in fact "counted right" from an auditing viewpoint, which
depends on whether what is counted is what was cast by a voter or just 
stuffed in, or changed. 

> Complicated systems are the bane of security. Systems like this are
> simple to understand, simple to audit, simple to guard.

Simple to defraud too, as has been done here for 200 years.

Cheers,
Ed Gerck

---------------------------------------------------------------------
The Cryptography Mailing List