In comp.os.linux.advocacy, Roy Schestowitz
<newsgroups@xxxxxxxxxxxxxxx>
wrote
on Wed, 05 Sep 2007 05:23:51 +0100
<1822401.5qrppbjMx2@xxxxxxxxxxxxxxx>:
> ____/ alt on Wednesday 05 September 2007 04:29 : \____
>
>> On Wed, 05 Sep 2007 02:58:47 +0100, Roy Schestowitz wrote:
>>
>>> ____/ alt on Tuesday 04 September 2007 22:18 : \____
>>>
>>>> On Tue, 04 Sep 2007 13:02:56 +0100, Roy Schestowitz wrote:
>>>>
>>>>> Voting machines ditch ballots in Scotland
>>>>>
>>>>> ,----[ Quote ]
>>>>> | In total, 140,000 ballots were logged as spoilt. The BBC says more than
>>>>> | half of these were rejected by the machines, with no chance for a person
>>>>> | to judge whether or not the ballot was actually spoilt.
>>>>> `----
>>>>>
>>>>> http://www.theregister.co.uk/2007/09/03/scotland_votes/
>>>>>
>>>>> That's quite a fiasco.
>>>>
>>>> Everybody say after me:
>>>>
>>>> Paper trail, paper trail, paper trail, paper trail... (ad nauseam).
>>>
>>> You can have digital 'paper trail', provided your machines and system are
>>> reliable.
>>>
>>
>> Voting is one of the few things that I feel are too sensitive to trust
>> anything but a piece of paper.
>>
>> I've posted this here before, but I'll post it again.
>>
>> All voting machines should print out a ballot that has a human readable
>> section as well as a machine (barcode) readable section. This allows for
>> an easy to tabulate voting system but ensures that abuses cannot occur.
>
> If it prints out paper, how would you know the machine itself
> printed the right thing? Let's assume that you can let the
> voter have a copy of that paper, or at least give verification.
>
If I can't verify what goes into the tally box, how can
I verify the franchise? There's a fundamental disconnect
there.

I see the following vote systems as possibilities,
with varying amounts of accuracy in tallying what the
people want. Note that most of these considerations
are orthogonal to the openness of the source code used
in the voting machine proper, though an audit of the code
certainly isn't harmful. I'm just not sure it's as helpful
as it should be.

Categories:

- Easy to use: General ease of use of the system.
- Verifiable: Can the voter ensure that my vote counts properly?
- Recountable: Can poll workers go through the ballots and
recount them, by hand if necessary?
- Identifiable voter: If some evil sort got hold of a valid ballot,
can he find the voter who cast it?
- Rankable: "Instant runoff" systems are all the rage, saving
a trip to the ballot box. The general idea is to have the
voter assign each candidate a number; if a candidate
gets a plurality but not a majority, the numbers can be used
to indicate which of the top two wins. The system is
still experimental but possible in some of the following.
- Complete vote check: If the user fails to mark a YES or NO,
or doesn't vote for a candidate in a cluster, can the system
check?
- Valid vote check: If the user marks both YES and NO, or
votes for too many candidates, can the system check?
- Stuffable: Can someone dump in extra ballots, modifying
the results?

[1] Mark-sense. User fills in circles or otherwise
scribbles on a piece of paper. Vote is hand- or
machine-counted.
Easy to use: Yes.
Verifiable: Yes, if one doesn't shred the ballots.
Recountable: Yes.
Identifiable voter: No. This is a good thing, generally;
blackmailing voters for voting "the wrong way" is an
evil thing.
Rankable: With some difficulty.
Complete vote check: No.
Valid vote check: Deferred.
Stuffable: Definitely.

[2] Punch. User uses a device to punch already-formed
holes in a Hollerith-cardlike ballot. Vote is
machine-counted. (A variant of this system was used
in Santa Clara, California for many years until the
advent of touchscreen voting units.)
Easy to use: Yes, for the most part; some may have
problems handling the awl (California) or depressing
the machine's lever.
Verifiable: To some extent. The issues with "pregnant"
and "dimpled" chads were well publicized in Florida's
2000 election, and unpunched chads can fall out if
the ballots are too roughly handled.
Recountable: Yes.
Identifiable voter: It would take a lot of work, and
is probably not worth the trouble. A code number
might be prepunched on the card, though, but there's
no requirement in the actual vote for that number to
be anywhere else.
Rankable: With great difficulty.
Complete vote check: No.
Valid vote check: Deferred.
Stuffable: The sequence number may deflect the most
obvious attempts.

[3] Sequoia system. User receives a vote card from a pool
of cards sitting at the poll worker's elbow, and
inserts a card into machine's face, uses touch screen
to set up and ultimately cast the ballot. Card goes
back to poll worker who feeds it into tally box,
then returns it to pool.
Easy to use: Yes, if the machine is functioning correctly;
touchscreens can have "offset" problems.
Verifiable: No. What goes on the card? How do I,
the voter, see it? What software goes in the computer,
and does it match the user-readable source code?
Recountable: Not unless the tally box is a lot smarter
than I give it credit for.
Identifiable Voter: No.
Rankable: I think so.
Complete vote check: Immediate. The machine can
identify what the user needs to complete at the time
of voting.
Valid vote check: Immediate. The machine can enforce
choices such as "vote for at most 3" or "choose yes
or no".
Stuffable: Unknown. Probably depends on the safeguards
surrounding the card, and the machine handling it; an
elementary check is possible to ensure the prior user's
vote is cleared before a new vote is attempted, and
the tally box might clear the card while registering
the vote. However, if the tally box is compromised
things get very interesting.

[4] Diebold system (hypothetical). As I understand it,
user walks up to machine and votes; the vote is
encrypted and sent to an uplink either through a wire
or wireless.
Easy to use: Yes, if the machine is functioning correctly;
touchscreens can have "offset" problems.
Verifiable: No. What goes over the network? Is packet
jamming possible? What software goes in the computer,
and does it match the user-readable source code?
Recountable: No. Apparently, this is by design.
Identifiable Voter: No.
Rankable: I think so.
Complete vote check: Immediate. The machine can
identify what the user needs to complete at the time
of voting.
Valid vote check: Immediate. The machine can enforce
choices such as "vote for at most 3" or "choose yes
or no".
Stuffable: Unknown; it depends on details regarding
the packet encryption. The most likely attack is an
impersonator machine injecting faux votes into the
uplink system, and that can be countered by requiring
a certificate on each machine, which the uplink checks.

[5] Manual multivote system (hypothetical). User casts
5 (actually, any odd number will do but 3 or 5 is
probably a reasonable balance) ballots, in a very
interesting way, using paper ballots similar to [1]
or [2]. Taken in total, the 5 ballots will have each
vote either 2 for no or 3 for yes, scrambled in such
a way that an individual ballot is next to useless
for determining the individual vote. Ballots might
be sequenced 1-5 to ensure a complete set at casting,
or the poll worker simply counts the number of ballots
the user is holding.
Easy to use: Hard.
Verifiable: Difficult, but possible.
Recountable: Yes.
Identifiable Voter: No.
Rankable: With great difficulty, exacerbated by the manual
randomizing process.
Complete vote check: Deferred.
Valid vote check: Deferred.
Stuffable: Definitely.

[6] Auto multivote system (hypothetical). User walks up to
a machine, uses touchscreen. Machine punches out
5 ballots on punchcards similar to [2]. The votes
are internally randomized and scattered on the 5
punchcards, in a way similar to [5].
Easy to use: Yes, if the machine's functioning correctly.
Verifiable: Difficult, but possible.
Recountable: Yes.
Identifiable Voter: No.
Rankable: Possible.
Complete Vote Check: Immediate.
Valid Vote Check: Immediate.
Stuffable: Definitely.

[7] Markable Identified-Vote System (hypothetical, though
a variant of this is already used in many counties
for absentee voting). User registers and is issued a
blank ballot with a secret code number, through the US
Postal Service. User marks and mails in his ballot.
The secret code number is checked against a master
registration database.
Easy to use: For the most part. Homeless people might
have a problem casting a ballot.
Verifiable: Yes.
Recountable: Yes.
Identifiable Voter: Yes, though the procedures during
actual ballot handling might mitigate that by shredding
the envelopes as soon as possible (the USPS requires
a valid return address), and not printing the user's
address on the ballot proper, just the secret code
number.
Rankable: With some difficulty.
Complete Vote Check: Deferred.
Valid Vote Check: Deferred.
Stuffable: The database would have to be hacked to
generate a lot of extra secret code numbers.

[8] Digital Identified-Vote System (hypothetical),
Manual Edit/Resubmit. User registers on a secure
website, with a valid email address. The email address
receives a digitally signed document (the signature is
similar to GPG or other such). The document contains
a secret code number. The user replies to the message
by manually editing it in some form.
Easy to use: For the most part. Homeless people and
people without Internet capability might have a problem
casting a ballot. There might be some issues regarding
how the user is expected to edit the form.
Verifiable: Maybe. The user can't see where his vote
is stored, unless he uses the secret code number, which
might render the system vulnerable to a scan attack.
Recountable: Yes, if each vote is stored.
Identifiable Voter: Yes. Since Email is unsecure and
store-and-forward, there are some issues with eavesdropping
here.
Rankable: Not too hard, especially if there are fewer
than 10 candidates.
Complete Vote Check: Deferred.
Valid Vote Check: Deferred.
Stuffable: Hard to say; it depends on the details
of the registration procedure. Most likely yes,
especially if the system keys on email address (a
person can sign up for many accounts on systems such
as Gmail, Yahoo, and Hotmail).

[9] Digital Identified-Vote System (hypothetical),
Generalized Fat Client. User registers on a website,
and is taken to a "secure" voting page [*]. The voting
page presents a form containing a hidden code field.
User submits the form to vote. Javascript can check
the vote prior to final submission; the webserver can
also check.
Easy to use: Yes.
Verifiable: Maybe. The user can't see where his vote
is stored. If the user can see the secret code number
the system is vulnerable to a scan attack, but at least
the user can verify his vote. If the user cannot see
the secret code number the user can't see his vote,
though View Source is supported by all HTML-capable
browsers in a pinch; the user then gets to hunt through
the HTML markup for the code, and will probably get
it wrong. It is possible to use two code numbers,
one public, one semi-secret, but that doesn't really do
all that much.
Recountable: Yes, if each vote is stored.
Identifiable Voter: Yes, though it would take a database
hack to actually get at the information.
Rankable: Yes.
Complete Vote Check: Immediate for Javascript-aware,
at ballot submission/casting for non-Javascript.
Valid Vote Check: Immediate for Javascript-aware,
at ballot submission/casting for non-Javascript.
Stuffable: Hard to say. The secret code number(s)
will at least prevent the form from being submitted
more than once, and if the secret code number is
generated from the user's input, the risk of stuffing
is lessened. However, the system would have to be
pretty smart to make sure only the valid ones of the
following addresses are allowed to vote (XX indicates
a two-letter state code e.g. CA for California, TX for
Texas, NY for New York):

Fred Voter
123 Anystreet #4, Anytown, XX USA 56789

June Voter
123 Anystreet #4, Anytown, XX USA 56789
(Fred's wife)

Billy Voter
123 Anystreet #4, Anytown, XX USA 56789
(Fred and June's underage son)

Fido Voter
123 Anystreet #4, Anytown, XX USA 56789
(the family pet)

Evil H. Voter Number 1
123 Anystreet #4, Anytown, XX USA 56789
...
Evil H. Voter Number 999999
123 Anystreet #4, Anytown, XX USA 56789
(somebody got cute)

Fred Voter
123 Anystreet #4, Anytown, USA 56789
(missing state problem)

Fred Voter
123 Anystreet #4, Neighbortown, XX USA 56789
(Fred misidentifies his town -- an issue
in some locales)

Fred Voter
123 Anystreet #4, Anytown, XX USA 56789-0123
(Zip Plus 4 problem)

Fred Voter
123 Anystreet #4, Anytown, XX USA
(missing zipcode problem)

Fred Voter
One Two Three Anystreet Number 4,
Anytown, XX USA 56789
(address spelled out digit by digit)

Fred Voter
One Hundred Twenty Three Anystreet Number Four,
Anytown, XX USA 56789
(address spelled out numerically)

Fred Voter
123 Anystreet #4,
Anytown, XX
USA
56789
(reformatted)

Fred Voter
PO Box 123456
Anytown, XX USA 78901
(Fred might use a PO box for most correspondence)

Fred Voter
c/o Amalgamated Ersatz
2345 Somestreet
IndustrialTown, XX USA 67890
(Fred works here and sends Amalgamated's info instead,
possibly because he's new in town)

The last one is especially troublesome.

I'll admit [1] and [2] are looking better and better, though
they're harder to count. [6] has possibilities. I don't
really like any of the others.

[*] the issues regarding TLS (RFC4346) are beyond the
scope of this document. TLS is very secure if the
system is configured properly; however, a 40-bit
encryption key has been broken by a brute force attack,
and session hijacking is theoretically possible, if
one is willing to wait many times the age of the Universe...
--
#191, ewill3@xxxxxxxxxxxxx
Murphy was an optimist.
--
Posted via a free Usenet account from http://www.teranews.com
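
The multivote scheme in [5] and [6], sketched as an added example that is not part of the original post. It assumes every question is yes/no and that three of a voter's five ballots carry the real choice while two carry the opposite (one reading of the description above); the function names and sample votes are constructed for illustration.

```python
import random

SHARES = 5    # ballots cast per voter, as in [5] and [6]
MAJORITY = 3  # assumption: this many ballots carry the voter's real choice


def split_vote(choices, rng):
    """Split one voter's yes/no choices (list of bools) into SHARES ballots."""
    ballots = [[None] * len(choices) for _ in range(SHARES)]
    for q, choice in enumerate(choices):
        # Pick which ballots tell the truth for this question; the rest
        # carry the opposite mark, so one ballot alone reveals little.
        truthful = set(rng.sample(range(SHARES), MAJORITY))
        for b in range(SHARES):
            ballots[b][q] = choice if b in truthful else not choice
    return ballots


def tally(box, questions):
    """Recover per-question YES totals from an unordered ballot box.

    With N voters, YES marks = 3*yes + 2*(N - yes) = 2N + yes,
    so yes = marks - 2N. Impossible counts are rejected.
    """
    if len(box) % SHARES:
        raise ValueError("ballot count is not a multiple of %d" % SHARES)
    voters = len(box) // SHARES
    totals = []
    for q in range(questions):
        marks = sum(1 for ballot in box if ballot[q])
        yes = marks - (SHARES - MAJORITY) * voters
        if not 0 <= yes <= voters:
            raise ValueError("question %d: impossible YES mark count" % q)
        totals.append(yes)
    return totals


def run_election(all_choices, seed=0):
    """Constructed demo: split every voter's choices, shuffle, then tally."""
    rng = random.Random(seed)  # fixed seed for a repeatable demo only
    box = [b for choices in all_choices for b in split_vote(choices, rng)]
    rng.shuffle(box)
    return box, tally(box, len(all_choices[0]))


if __name__ == "__main__":
    # Constructed sample: three voters, two yes/no questions.
    print(run_election([[True, False], [True, True], [False, False]])[1])
```

The consistency checks only catch a stray ballot or an impossible mark count; a well-formed extra set of five ballots still passes, which matches the "Stuffable: Definitely" rating given to [5] and [6].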