voting
Arnold G. Reinhold
reinhold at world.std.com
Thu Apr 8 13:35:57 EDT 2004
At 8:24 AM -0400 4/8/04, Perry E. Metzger wrote:
>"Trei, Peter" <ptrei at rsasecurity.com> writes:
>> I think Perry has hit it on the head, with the one exception that
>> the voter should never have the receipt in his hand - that opens
>> the way for serial voting fraud.
>>
>> The receipt should be exposed to the voter behind glass, and
>> when he/she presses the 'accept' button, it visibly drops into
>> the sealed, opaque ballot box.
>
>Seems fine by me, except I'd make the ballot box only lightly frosted
>-- enough that you can't read the contents, but light enough that poll
>inspectors can visually assure themselves that the contents aren't
>mysteriously altered during the course of the day.

I can see one potential problem with having the machine produce the
receipts. Let's say the system is well designed and completely fair.
There will be a certain percentage of voters who will complain that
the receipt recorded the wrong vote because they in fact
inadvertently pressed the wrong button. Over time, that percentage
and its variance will become well known. Call that rate "r." A party
with the ability to make surreptitious changes to the voting software
can then have it occasionally record a vote and print a receipt
contrary to what the voter chose as long as the number of such bogus
votes is small enough relative to r and its variance to escape notice.
They can then determine what fraction, f, of voters who get wrong
receipts report them. They can then increase the fraction of bogus
votes by 1/f. Over the course of several elections they can slowly
grow the fraction of bogus votes, claiming that voters are getting
sloppy. Since major elections are often decided by less than one
percent of the vote, this attack can be significant.

We have a system now in Cambridge, Massachusetts where we are given a
paper mark sense ballot and fill in little ovals, like those on
standardized tests. We then carry our ballot to a machine that sucks
it in and reads it. The totals are reported after the polls close,
but the mark sense ballots are saved inside the machine (which I
assume is inspected before the voting starts and then locked) and can
easily be recounted at any time. This system seems ideal to me.

>
>By the way, I should mention that an important part of such a system
>is the principle that representatives from the candidates on each side
>get to oversee the entire process, assuring that the ballot boxes
>start empty and stay untampered with all day, and that no one tampers
>with the ballots as they're read. The inspectors also serve to assure
>that the clerks are properly checking who can and can't vote, and can
>do things like hand-recording the final counts from the readers,
>providing a check against the totals reported centrally.
>
>The adversarial method does wonders for assuring that tampering is
>difficult at all stages of a voting system.
>

An important thing to remember is that these poll watchers, along with
the workers running the voting for the election authorities, are often
retired people who have very little computer skills. It is much
easier for them to understand and safeguard systems based on paper
and mechanical locks.

Arnold Reinhold
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
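
An added example, not part of the original post: a power calculation for an election auditor who monitors the wrong-receipt complaint rate described above, showing how large the bogus-receipt rate must be before a one-sided binomial alarm reliably fires. The symbols r and f are the post's; the precinct size n, the false-alarm level alpha, the bogus rate b, the complaint model and all numbers are assumptions constructed for illustration.

```python
# Added example: statistical power of a complaint-rate monitor.
# Assumed model: honest voters complain at rate r (their own mistakes);
# a voter handed a bogus receipt complains with probability f.

def binom_tail(n, p, k):
    """P[X >= k] for X ~ Binomial(n, p), using the pmf recurrence."""
    if k <= 0:
        return 1.0
    pmf = (1.0 - p) ** n              # P[X = 0]
    cdf = 0.0
    for i in range(k):                # accumulate P[X <= k-1]
        cdf += pmf
        pmf *= (n - i) / (i + 1) * p / (1.0 - p)
    return max(0.0, 1.0 - cdf)

def alarm_threshold(n, r, alpha=0.01):
    """Smallest complaint count k with P[X >= k | honest rate r] <= alpha."""
    k = 0
    while binom_tail(n, r, k) > alpha:
        k += 1
    return k

def detection_power(n, r, f, b, alpha=0.01):
    """Probability the alarm fires when a fraction b of receipts is bogus."""
    complaint_rate = (1.0 - b) * r + b * f
    return binom_tail(n, complaint_rate, alarm_threshold(n, r, alpha))

def min_detectable_bogus_rate(n, r, f, power=0.8, alpha=0.01, step=0.0005):
    """Smallest b (on a grid) that the monitor catches with the given power."""
    for i in range(1, int(1.0 / step) + 1):
        b = i * step
        if detection_power(n, r, f, b, alpha) >= power:
            return b
    return None

if __name__ == "__main__":
    n, r, f = 2000, 0.01, 0.25        # constructed sample precinct
    print("alarm at", alarm_threshold(n, r), "complaints out of", n)
    for b in (0.002, 0.01, 0.05):
        print(f"bogus rate {b:.3f}: power {detection_power(n, r, f, b):.3f}")
    print("min detectable bogus rate:", min_detectable_bogus_rate(n, r, f))
```

Pooling complaint counts across precincts and elections raises n and lowers the detectable rate, which is the auditor's counter to slow growth hidden inside the variance of r.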