[Cryptography] practical verifiable systems -- forensic and otherwise, cheap and otherwise

Ben Laurie benl at google.com
Wed Mar 4 08:39:34 EST 2015


On 3 March 2015 at 23:18, Bill Frantz <frantz at pwpconsult.com> wrote:

> On 3/3/15 at 1:14 PM, jthorn at astro.indiana.edu (Jonathan Thornburg) wrote:
>
>> On Mon, Mar 02, 2015 at 01:09:57PM -0700, John Denker wrote:
>>
>>> Here's another example dear to my heart:  Vote-counting
>>> equipment.  ...
>>>
>>
>> It seems to me that any system involving a scanner and software is
>> much *less* secure than an all-paper scheme (with humans counting the
>> ballots at the polling site after polling closes, watched by multiple
>> other humans from different parties) (multiple other humans have of
>> course also checked that the ballot boxes were empty at the start of
>> polling, and have watched the ballot boxes all day):
>> * scanner+software
>>     --> vulnerable to a variety of software attacks
>>     --> a single software attack can potentially
>>         compromise the count at every polling place
>>         across the country
>> * all-paper + human watchers/counters
>>     --> vulnerable to "up-the-sleeve" and other
>>         "stage-magician" tricks
>>     --> those attacks require a trained/skilled attacker
>>         at the (each) polling place, and hence are very
>>         hard to run -- and keep secret -- at a big enough
>>         scale to affect national results
>>
>
> Verified Voting <http://verifiedvoting.org/> has spent a lot of time and
> effort in this issue. It is much more complex than appears at first.
>
> My favorite attack on paper systems was a piece of pencil "lead" glued
> under a finger nail on one of the vote counters. If he encountered a
> ballot voting for the "wrong" candidate, he simply used the pencil lead to
> add a vote for another candidate, making the ballot a spoiled ballot and
> negating the vote for the wrong candidate.
>
> I like the system that uses a scanner, but takes between 1 and 5 percent
> of the precincts and does a full manual audit of their paper ballots and
> electronic results.
>

I observed the London Mayoral Elections. This was done using scanners (a
_lot_ of them). London Elects, who ran it, flatly refused to do an audit.
Their grounds for doing so are that any recount always has a small
discrepancy from the previous count and this discrepancy would introduce
doubt in the minds of the voters. Restraining myself from physical violence
was ... difficult.

Incidentally, on fixing the results: candidates were not allowed to
observe, but their representatives could. A screen was provided showing any
ballots that had been referred by the system for manual adjudication. Some
of the reps soon learnt that the adjudicator was quite easily swayed
towards their candidate given any chance mark in the right area.

All in all, observing was quite interesting. My two favourite parts:

1. The count was done by a machine provided by a Spanish company. Staff
from that company were sitting behind a desk with direct access to that
machine, their screens not visible. I was _not_ permitted to observe what
they were doing. Every other machine (except a couple that showed interim
counts) had a duplicate screen observers could view. What could possibly go
wrong?

2. I realised after a while that following the maintenance staff around was
instructive. Doing so led to some screens with interesting errors - in
particular, SQL integrity constraint violations on vote counting tables.
Again, how could this possibly be a problem?

BTW, after a while the maintenance guys realised what I was doing and tried
to take routes that were hard for me to follow (we were on opposite sides
of barriers).