I did not reply to your DVD solution...
One reason is that it was technologically confusing. ;-)

Here is an attempt to define the best option:
* The "booting" media must be read-only.
* This media should be unique to that voting place and activated by a key. The key and the media should take separate paths to the voting place and only be put together on the day of the election. Guessing the key from the media should be as hard as possible.
* The recording (vote result) should be done on a write-once media.
* Backup copies (of the vote) should be taken and kept safe and separate from the original.


Now there is always a technical problem with:
1* Power loss
2* Cosmic rays (memory glitch)
3* Tempest (watching a screen remotely using the electromagnetic field it generates)


1) Your DVD solution assumes it is possible to write one vote at a time at a random position. I am afraid this is not possible. On a recordable DVD or CD, you can only append information at the end. Also, writing on the media every time someone votes is not really efficient (maybe not even practical).

Also, I guess a CD writer (why do you want DVD?) might cost too much when multiplied by the number of voting machines. It is mechanical, so the risk of problems is high.

So solving the power loss is not easy.
With a Paper Audit Trail, in case of an electrical/technical problem we can work in a downgraded mode where the paper must be counted (as our only backup). This is similar to the Belgian: "Let's recount the magnetic card."


2) Now you also have to fight cosmic rays

Practically, I don't think it is not possible to shield against cosmic rays. So the same solutions that are used in space exploration should be used.

This might mean using "old" and "reliable" technology (like the Z80 designed for space). Using ECC or better memory.

Doing all the computation in triplicate might help, but if it is the processor that has one bit value inverting, triple computation does not solve anything.

3) Some screen technologies might be better than others...
Otherwise you need to go for Tempest-proof equipment, which costs a lot.

David GLAUDE

A bit more on our Belgian experience...

In one of the voting system we use...

We are using floppy disks (3 1/4'').
The president of the voting bureau receives the key and the floppy (two copies).
The voting machines are booted with the master floppy.
The key is used to start the system.
[...]
At the end of the day, the vote results are recorded on ... the same floppy that was used to boot the system.


It means that if the floppy at the beginning of the day was not the official expected floppy but a fake that records votes differently from the intent of the voter...

Then at the end of the day, all traces can be removed by rewriting the official expected content of the floppy with the votes of your choice.

So any verification of the floppy after the election cannot reveal anything. The only thing that can be done is to take a copy of the floppy before it is used and after all the voting machines are started... but this is not done!!!

I assume it would have cost too much to have two sets of copies. ;-)

David GLAUDE

Dave Ketchum wrote:

1. MUST enable potential recounts

In my DVD post I specified recording each ballot on the CD or DVD so that they could be recounted if anyone chose. I specified with that that they should be in random order to preserve secrecy.

It is important to know what a recount means. In Belgium we do recount the magnetic cards (in case power is lost in the computerised magnetic card ballot box)... or we get impossible results. But this gives us no guarantee since we have no proof that what is on the magnetic card is the voter's intent.

Seems worthwhile to make voting machines immune to power problems. In my DVD post I specify recording the ballots on disc, after which they do not require power to protect them.




----
Election-methods mailing list - see http://electorama.com/em for list info