Okay, I see your point. If means exist for verifying my particular vote then vote buying or coersion becomes possible.
Obvious but clearly stated (better than all my attempt).
Perhaps a reasonable alternative would be for the voting machine to generate printed ballots
Paper audit trail is a MUST.
The voter must have visible access to it to and an option to complain if what he see printed is not what he wanted. (I voted X and it is printed Y).
Maybe more important if those "ticket" are there only for verification and not for the full manual recount... then we need to make sure the voter can not touch the ticket, nor can next voter see previous ticket.
We tested this known as "Ticketting" in Belgium and there is a theoretical Denial of Service attack on the election process. If a set of voter complain that the ticket (or the screen or both) does not display what they wanted to vote for. Since there is no way to know what they wanted to vote... we have a problem. Since it could be true... maybe election should be stopped!
To deal with this, in Belgium by law, if the printed vote is not what you like, you call the president of the voting burreau and you vote again in front of him. And sorry for the secrecy of your vote. He will click on "OK vote match" for you. ;-)
that have randomly-generated ballot ID's, but which are not retained by the voter and do not have any voter
We need to make sure the voter is having no access to that ID. Else he could be asked to remember it to verify his vote.
identification information.
Obviously one should never identify himself to the voting machine.
Voter identification should be done separately (preferably by human) with no possible communication with the voting machine (nor explicit like a magnetic card, nor implicit like timing information).
In Belgium where a new electronic ID card will be introduced (replacing the old plastic ID card we practicaly all have to keep on us). In order to avoid problem with the test periode of that new card and the election of Mai 2003, the introduction of the electronic ID card was delayed...
There is a likely chance that the e-Government will want to identify voter with the "e" of the eID card. Of course the secret goal is to vote electronicaly accross the internet and the IDcard will garantee you do not vote twice, you are who you say you are and we know what you vote once and for all.
After the election, a random selection of ballots are manually cross-checked against the database.
It is easy for the computer to always show the right answer when asked while keeping the election result altered.
As long as not all the vote (or a majority of them) have been verified, it is possible to trick the one that try to verify.
Partial recount are useless... How do you know the computer was not just showing what you wanted to see?
In Belgium, we vote with magnetic card... once your vote is finish, you are autorised to reintroduce your magnetic card IN THE SAME voting machine in order to verify what you voted. There is no garantee that what you see is what is really recorded on the card or what will be counted from that magnetic card.
That way, the election can be verified without having to actually do a full manual count.
To garantee you do verify the real thing, you need to ask the computer to print all the recorded vote on paper... then you can make your partial verification of the process by checking random ballots
David GLAUDE
---- Election-methods mailing list - see http://electorama.com/em for list info
