David Honig wrote:
> From "Ballot Proposal" version 1.3
>
> 10 B DISPLAY
> (5) Election software shall print the selected choices on a fixed
> visible medium (such as paper), and shall require the voter to
> affirm those choices prior to electronic registration of the
> completed ballot.
>
> I took this to mean that "what the machine thinks the voter chose
> is printed on paper" (for feedback/trust reasons). Am I totally off?
>
That's correct. All the considered systems require some permanent
audit record of the ballots. This draft requires that the voter
approve the record. Thus, the printed record is primary, since the
voter actually sees it and approves it. Any electronic fudging can be
detected and eliminated.
But, nobody is suggesting that the voter takes home the paper. On the
contrary, designs mentioned in meetings have the paper behind glass,
not even touchable by voters.
> I wasn't clear on the architecture you have in mind ---I eventually
> figured out that you're requiring an online system with local and
> central real time reporting (mirroring) of votes.
>
The Internet is big in legislators' eyes these days. The network
connection to a central (state) system is really the main motivation,
as it allows the eRate funds to be used to run elections.
Also, central state servers are needed to allow overseas electronic
voting. Too many trust relationships to have each base/embassy try
to interact with every city or precinct.
And the mirroring keeps the locals from fudging the ballot counts.
Basically, I was asked, "Can the Internet be used to carry the votes,
while still remaining secret?" My answer is, "Yes, we already have
SSL/TLS for confidentiality." "What about ensuring votes only come
from authorized places?" "Easy, issue credentials for each machine,
and use digital signatures on the ballots." Etc, etc.
I've found a lot of support for open source software, because the
politicians don't trust vendors or clerks. They want lots of review.
Especially with machines programmed by clerks. And especially with all
the campaign money that came in this cycle from so-called high-tech
firms. A compromised vendor would be a real problem for one party or
another....
> (Other architectures include standalone or LAN-only machines acting only as
> better voting-acquisition-machines; or a pure central server scheme like
> home internet voting.)
>
There have been a lot of problems with stand-alone machines. For
example, in Florida, the recounts were supposed to actually re-run
the ballots. Instead, many places just looked at the counters without
doing any real counting. Also, elsewhere, machines have been found to
be mis-programmed. Etc, etc.
Home internet voting has a lot of problems, too, and is not being
considered. Just incremental improvements on the existing polling
places and absentee ballots. As you say, better vote acquisition --
evolution, not revolution.
The other thing is cost, cost, cost....
Anyway, I've basically been answering a lot of questions for free,
just as most of you are doing. Admittedly, I've been given access to
some reports and internal committee documents, but mostly I'm just
trying to help them add security language.
I really think we've gone pretty far afield for this list. Just send
messages to me privately, and I'll reply as I have time and interest.
Thanks again.
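The credential-plus-signature check sketched above ("issue credentials for each machine, and use digital signatures on the ballots"), as an added example in Go that is not from this message or from the ballot proposal: each machine signs its ballot record with the key behind its issued credential, and the central server accepts only records that name a registered machine and verify under that machine's key, so a forged record, an altered record, or a record from an unregistered machine is dropped before it is counted or mirrored. The Ballot layout, the machine id "pct12-m1" and the choice strings are assumptions; the TLS transport the message mentions is assumed to be handled separately.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Ballot is what a machine sends the central server; layout assumed for this example.
type Ballot struct {
	MachineID string   `json:"machine"` // credential issued to this machine
	Choices   []string `json:"choices"` // choices the voter affirmed on paper
}

// Registry maps each authorized machine credential to its Ed25519 public key.
type Registry map[string]ed25519.PublicKey
var ErrUnknownMachine = errors.New("ballot from unregistered machine")
var ErrBadSignature = errors.New("ballot signature does not verify")

// SignBallot runs on the machine: encode, then sign with the credential key.
func SignBallot(b Ballot, priv ed25519.PrivateKey) (payload, sig []byte, err error) {
	if payload, err = json.Marshal(b); err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(priv, payload), nil
}

// VerifyBallot is the server-side check: the ballot must name a registered
// machine and verify under its key, so forged or altered ballots are dropped.
func VerifyBallot(reg Registry, payload, sig []byte) (Ballot, error) {
	var b Ballot
	if err := json.Unmarshal(payload, &b); err != nil {
		return Ballot{}, err
	}
	pub, ok := reg[b.MachineID]
	if !ok {
		return Ballot{}, ErrUnknownMachine
	}
	if !ed25519.Verify(pub, payload, sig) {
		return Ballot{}, ErrBadSignature
	}
	return b, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload, sig, _ := SignBallot(Ballot{"pct12-m1", []string{"Prop A: yes"}}, priv)
	fmt.Println(VerifyBallot(Registry{"pct12-m1": pub}, payload, sig))
}
```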