Re: smartcards, electronic ballots

2001-02-06 Thread Dan Geer


This would seem relevant ...

http://dailynews.yahoo.com/h/nm/20010206/ts/voting_systems_dc_1.html

Tuesday February 6 12:23 PM ET Study: Old Voting Systems May Work Best

By Deborah Zabarenko

WASHINGTON (Reuters) - Looking back at Florida's election mess,
scientists say the old ways of casting a vote may work best: paper
ballots and lever machines give more accurate counts than punch cards
or electronic devices.

Another key message in a study of U.S. voting technology, released late
on Monday, seems to be that the machines are not always the problem.

``We believe that human factors drive much of the 'error' in voting,''
scientists from the California Institute of Technology and the
Massachusetts Institute of Technology said in a Feb. 1 report to a task
force that is studying voting problems in Florida.

Florida was the final battleground state in the hotly contested 2000
presidential race, with the outcome ultimately decided by the U.S.
Supreme Court more than a month after the Nov. 7 Election Day.

There were questions about voting equipment that may have hindered the
accurate counting of thousands of Florida votes, notably Palm Beach
County's controversial ``butterfly ballot,'' a two-column punch card
ballot that confused many voters.

Without mentioning the ``butterfly ballot'' specifically in this
preliminary report, the scientists wrote, ``Some technologies seem to
be particularly prone to over-voting (voting for more than one
candidate for a single office), such as the punch card systems
implemented in Florida in the 2000 election.''

Wide Range Of Equipment

Part of the problem is the wide range of voting equipment used across
the United States, starting with the simple paper ballots that were
common in much of the country in the 19th century and ending with the
direct-recording electronic devices (DREs) that were introduced in some
areas in 2000.

In between are punch card ballots, lever machines -- in which voters
enter a booth and flick switches by their preferred candidates, then
finally record their votes by pulling a large lever -- and optically
scanned ballots, where voters use pencils to fill in circles beside the
candidates they choose.

Examining data on election returns and machines from about two-thirds
of all U.S. counties over four presidential elections starting in 1988,
the scientists found that manually counted paper ballots ``have the
lowest average incidence of spoiled, uncounted and unmarked ballots.''

Lever machines and optically scanned ballots were most accurate after
paper ballots, the report said, while punch card methods and DREs,
which look and operate a bit like automatic teller machines, had
``significantly'' higher error rates.

The difference in reliability between the best and worst systems was
1.5 percent, the report said.

Part of the difficulty may lie in voters' unfamiliarity with new
technology, said the group of social scientists that included experts
on computers, politics and economics.

``We don't want to give the impression that electronic systems are
necessarily inaccurate, but there is much room for improvement,'' the
California institute's Thomas Palfrey said in a statement.




Re: smartcards, electronic ballots

2001-02-06 Thread R. Hirschfeld

To pick nits, this is not completely accurate.  What is at odds with
non-coercibility is the ability to demonstrate to a third party how
one voted.  But there are techniques that allow a voter to verify that
his/her vote was counted correctly without being able to prove this to
others.  (Not that these are necessarily practical for a real-world
voting system.)

> Date: Sun, 04 Feb 2001 17:49:02 -0500
> From: Dan Geer <[EMAIL PROTECTED]>
> 
> 
> 
> As seems universally the case in security design, there must
> be ugly tradeoffs.  In particular (and without quoting acres
> of prior material), the proposed requirements for verifiability
> and non-coercibility are at odds and one must yield to the
> other.  Paper systems make this tradeoff by, on the one hand,
> the polling booth (non-coercibility once within) and, on the
> other hand, the supervision of the counting process by opponents
> (verifiability by proxy), at a cost of zero technology.  Bettering
> this in the real world is challenging.
> 
> --dan
> 
> ==
> as used here
> 
> verifiability
>   -- voter may verify that his vote counted as he intended it to count
> non-coercibility
>   -- voter cannot be compelled to show how he voted, during or after
> 
> proposition:
>  If the voter can verify, then he can be coerced to do so.
> contrapositive:
>  If voter cannot be coerced, then he cannot verify.
> 
> ==
> 
> 
> 




Re: smartcards, electronic ballots

2001-02-05 Thread Donald E. Eastlake 3rd


Why unfair?  The rules are published and people get to choose when
they vote.  Cambridge is the home of Harvard and other institutions of
higher education, so the populace is certainly not all peons.  I
believe there have been legal challenges to the system before which
failed.

The system is used for electing the city governing body.  As I
understand it, using the usual definition of a quota of (V/n+1)+1
votes out of V to elect to one of n seats, among other things the
first quota of ballots cast for someone elected are considered
exhausted and additional later ballots for that candidate are
distributed to their 2nd or lower preference.  To get the same effect
with order independence requires doing at least fixed point fractional
arithmetic if not floating point and is a lot more complex, although
apparently such complexities are performed routinely in preferential
elections in Australia.

Donald

(Not a lot to do with cryptography in this message, is there?)

From:  Ed Gerck <[EMAIL PROTECTED]>
Message-ID:  <[EMAIL PROTECTED]>
Date:  Sun, 04 Feb 2001 21:23:56 -0800
To:  "Donald E. Eastlake 3rd" <[EMAIL PROTECTED]>
CC:  [EMAIL PROTECTED]
References:  <[EMAIL PROTECTED]>

>"Donald E. Eastlake 3rd" wrote:
>
>> In Cambridge, Massachusetts, a preferential voting system is used
>> which is voting order dependent.  This requires that all ballots be
>> numbered so that they can be processed in the same order on a recount
>> or else different results could occur because of the change in order.
>
>Even if this is used for local elections, it looks like an unfair voting
>system. Simply by delaying some voters, the results would vary.
>Further, election results should not depend on who votes first, or last,
>because not all can vote first -- or last.
>
>Moreover, I think the  Supreme Court would find this system at odds with
>equal protection, don't you think so?
>
>Cheers,
>
>Ed Gerck
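The order dependence Donald describes, as an added example that is not part of the original thread: it models the transfer rule exactly as his message states it (the first quota of a winner's ballots are exhausted, later ones move whole to the next preference), not the city's actual procedure, and sets it beside a fractional transfer that gives the same answer whatever the casting order. The 12 constructed ballots and the candidate names are mine.

```python
from collections import Counter
from fractions import Fraction

# Constructed sample election: V = 12 ballots, n = 2 seats. Candidate A is
# over quota on first preferences; B and C are the continuing candidates.
# Each ballot is a tuple of candidates in preference order.
FIRST_B_THEN_C = (
    ("A", "B"), ("A", "B"), ("A", "B"),                          # 3 ballots A > B
    ("A", "C"), ("A", "C"), ("A", "C"), ("A", "C"), ("A", "C"),  # 5 ballots A > C
    ("B",), ("B",), ("C",), ("C",),
)
# The same multiset of ballots, cast in a different order.
FIRST_C_THEN_B = FIRST_B_THEN_C[3:8] + FIRST_B_THEN_C[:3] + FIRST_B_THEN_C[8:]


def droop_quota(total_ballots: int, seats: int) -> int:
    """Quota as stated in the post: (V / (n + 1)) + 1, using integer division."""
    return total_ballots // (seats + 1) + 1


def next_preference(ballot, elected):
    """First candidate on the ballot who has not already been elected, or None."""
    for candidate in ballot:
        if candidate not in elected:
            return candidate
    return None


def transfer_in_cast_order(ballots, winner, quota):
    """Order-dependent surplus transfer as the post describes it: the first
    `quota` ballots for `winner`, in the order they were cast, are exhausted;
    every later ballot for `winner` moves whole to its next preference.
    Returns the totals of the continuing candidates."""
    totals = Counter()
    winner_ballots_seen = 0
    for ballot in ballots:
        if ballot[0] != winner:
            totals[ballot[0]] += 1
            continue
        winner_ballots_seen += 1
        if winner_ballots_seen <= quota:
            continue  # counted toward the winner's quota: exhausted
        dest = next_preference(ballot, {winner})
        if dest is not None:
            totals[dest] += 1
    return totals


def transfer_fractionally(ballots, winner, quota):
    """Order-independent alternative: every ballot for `winner` moves to its
    next preference at weight surplus / total, using exact fractions so the
    result is the same for any casting order and for any recount.
    Returns the totals of the continuing candidates."""
    totals = Counter()
    winner_total = sum(1 for b in ballots if b[0] == winner)
    surplus = max(winner_total - quota, 0)
    weight = Fraction(surplus, winner_total) if winner_total else Fraction(0)
    for ballot in ballots:
        if ballot[0] != winner:
            totals[ballot[0]] += Fraction(1)
            continue
        dest = next_preference(ballot, {winner})
        if dest is not None:
            totals[dest] += weight
    return totals


def leader(totals):
    """Candidate with the highest total after the transfer."""
    return max(totals, key=totals.__getitem__)


if __name__ == "__main__":
    q = droop_quota(len(FIRST_B_THEN_C), 2)  # 12 // 3 + 1 = 5
    for name, order in (("A>B ballots cast first", FIRST_B_THEN_C),
                        ("A>C ballots cast first", FIRST_C_THEN_B)):
        by_order = transfer_in_cast_order(order, "A", q)
        exact = transfer_fractionally(order, "A", q)
        print(f"{name}: cast-order transfer -> {dict(by_order)}, "
              f"leader {leader(by_order)}; fractional transfer -> "
              f"{dict(exact)}, leader {leader(exact)}")
```

Reversing the casting order flips which of B and C reaches the quota under the cast-order rule, which is exactly why such a count needs numbered ballots for a reproducible recount; the fractional transfer gives identical totals for both orders.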




Re: smartcards, electronic ballots

2001-02-04 Thread William Allen Simpson


David Honig wrote:
> From "Ballot Proposal" version 1.3
> 
> 10 B DISPLAY
> (5) Election software shall print the selected choices on a fixed
> visible medium (such as paper), and shall require the voter to
> affirm those choices prior to electronic registration of the
> completed ballot.
> 
> I took this to mean that "what the machine thinks the voter chose
> is printed on paper" (for feedback/trust reasons).   Am I totally off?
> 
That's correct.  All the considered systems require some permanent 
audit record of the ballots.  This draft requires that the voter 
approve the record.  Thus, the printed record is primary, since the 
voter actually sees it and approves it.  Any electronic fudging can be 
detected and eliminated.

But, nobody is suggesting that the voter takes home the paper.  On the 
contrary, designs mentioned in meetings have the paper behind glass, 
not even touchable by voters.


> I wasn't clear on the architecture you have in mind ---I eventually
> figured out that you're requiring an online system with local and
> central real time reporting (mirroring) of votes.
> 
The Internet is big in legislators' eyes these days.  The network 
connection to a central (state) system is really the main motivation, 
as it allows the eRate funds to be used to run elections. 

Also, central state servers are needed to allow overseas electronic 
voting.  Too many trust relationships to have each base/embassy try 
to interact with every city or precinct.

And the mirroring keeps the locals from fudging the ballot counts.

Basically, I was asked, "Can the Internet be used to carry the votes, 
while still remaining secret?"  My answer is, "Yes, we already have 
SSL/TLS for confidentiality."  "What about ensuring votes only come 
from authorized places?"  "Easy, issue credentials for each machine, 
and use digital signatures on the ballots."  Etc, etc.

I've found a lot of support for open source software, because the 
politicians don't trust vendors or clerks.  They want lots of review. 
Especially with machines programmed by clerks.  And especially with all 
the campaign money that came in this cycle from so-called high-tech 
firms.  A compromised vendor would be a real problem for one party or 
another.


> (Other architectures include standalone or LAN-only machines acting only as
> better voting-acquisition-machines; or a pure central server scheme like
> home internet voting.)
> 
There have been a lot of problems with stand-alone machines.  For 
example, in Florida, the recounts were supposed to actually re-run 
the ballots.  Instead, many places just looked at the counters without 
doing any real counting.  Also, elsewhere, machines have been found to 
be mis-programmed.  Etc, etc.

Home internet voting has a lot of problems, too, and is not being 
considered.  Just incremental improvements on the existing polling 
places and absentee ballots.  As you say, better vote acquisition -- 
evolution, not revolution.

The other thing is cost, cost, cost.

Anyway, I've basically been answering a lot of questions for free, 
just as most of you are doing.  Admittedly, I've been given access to 
some reports and internal committee documents, but mostly I'm just 
trying to help them add security language.

I really think we've gone pretty far afield for this list.  Just send
messages to me privately, and I'll reply as I have time and interest.  
Thanks again.





Re: smartcards, electronic ballots

2001-02-04 Thread Donald E. Eastlake 3rd


From:  Ed Gerck <[EMAIL PROTECTED]>
Message-ID:  <[EMAIL PROTECTED]>
Date:  Sun, 04 Feb 2001 11:43:19 -0800
To:  David Honig <[EMAIL PROTECTED]>
Cc:  William Allen Simpson <[EMAIL PROTECTED]>, [EMAIL PROTECTED],
"John R. Levine" <[EMAIL PROTECTED]>, Ed Gerck <[EMAIL PROTECTED]>
References:  <[EMAIL PROTECTED]> 
<[EMAIL PROTECTED]>

>.>...
>> The voting apparatus may keep a serial record of each vote, in order, for
>> auditing purposes.
>
>No, it MUST not.  See the FEC standards on voting. The FEC standards also
>demand "storage allocation scrambling" in order to avoid even a serial order
>of storage.

In Cambridge, Massachusetts, a preferential voting system is used
which is voting order dependent.  This requires that all ballots be
numbered so that they can be processed in the same order on a recount or
else different results could occur because of the change in order.

>.>...



Re: smartcards, electronic ballots

2001-02-04 Thread David Honig

At 05:51 PM 2/4/01 -0500, William Allen Simpson wrote:
>
>David Honig wrote:
>> 
>> If you give people a paper receipt with their votes on it
>> (as WAS's scheme mentions) then their votes can be bought or blackmailed.
>
>I'm unaware of how that interpretation might have arisen?  I don't see 
>anything in the proposed text that calls for a receipt to be given to 
>any voter, let alone a copy of their votes?

>From "Ballot Proposal" version 1.3

10 B DISPLAY
(5) Election software shall print the selected choices on a fixed
visible medium (such as paper), and shall require the voter to
affirm those choices prior to electronic registration of the
completed ballot.

I took this to mean that "what the machine thinks the voter chose
is printed on paper" (for feedback/trust reasons).   Am I totally off?

I wasn't clear on the architecture you have in mind ---I eventually
figured out that you're requiring an online system with local and
central real time reporting (mirroring) of votes.  

(Other architectures include standalone or LAN-only machines acting only as
better voting-acquisition-machines; or a pure central server scheme like
home internet voting.)




...
"What company did you say you were from, Mr. Hewlett?"
---Walt Disney to Bill Hewlett eetimes 22.01.01 p 32

Re: smartcards, electronic ballots

2001-02-04 Thread Ed Gerck



William Allen Simpson wrote:

>
> I'm sorry for the second message, but I could not let the egregious
> error pass uncorrected:

:-) egregious ...

> Ed Gerck wrote:
> > The law does not allow it, and for good reasons as you mention.
> >...
> > > The voting apparatus may keep a serial record of each vote, in order, for
> > > auditing purposes.
> >
> > No, it MUST not.  See the FEC standards on voting. The FEC standards also
> > demand "storage allocation scrambling" in order to avoid even a serial order
> > of storage.
> >
> > > This is also mentioned in WAS's legislative text.
> >
> > which is a misconception, albeit a common one
> >
> Mr Gerck would do well to precisely specify the "law" which does not
> allow this?

California Election Code, for example.  In the US, there is NO federal
jurisdiction on election code -- as it became clear to Joe Doe after Florida.
Pls also read about it in Eva Waskell's article in The Bell, page 7, November
2000 issue, and also in Jim Hurd's article in The Bell, page 6, July 2000 issue
(both issues available at www.thebell.net in the archives section).

> Mr Gerck would also do well to specify which FEC "standards" have the
> force and effect of law?

None -- and I never said so.  They are voluntary standards, but 40+ states have
decided to follow them and incorporate them in their laws.

> As to the matter of "law", the Congress is granted the power to set
> standards for its own election (Const Article I, Sections 4 and 5).
> The FEC isn't mentioned.

Indeed, this is what Article I, Section 4 says:  “The times, places, and manner
of holding elections for Senators and Representatives shall be prescribed in
each State by the Legislature thereof; but Congress may at any time by law make
or alter such Regulations, except as to the Places of chusing Senators.”

Thus, each individual state has exercised its right to administer elections in a
manner reflecting that state’s political, social and cultural make-up.  Although
the Constitution clearly gives Congress the authority to make or alter such
state regulations, Congress has been very reluctant to do so. However, Congress
has intervened in state election procedures when, for example, they gave women
the right to vote and when they passed the Voting Rights Act. Nonetheless,
states’ rights have taken precedence when it comes to conducting elections.

(sections above by Eva Waskell, ibid.)

> But the FEC proposed standards don't even consider networks, database
> replication with offsite storage, and as mentioned earlier, cryptographic security.

Read the new drafts, already past first public meetings.  Read also the state
documents.

Cheers,

Ed Gerck





Re: smartcards, electronic ballots

2001-02-04 Thread William Allen Simpson


I'm sorry for the second message, but I could not let the egregious 
error pass uncorrected:

Ed Gerck wrote:
> The law does not allow it, and for good reasons as you mention. 
>...
> > The voting apparatus may keep a serial record of each vote, in order, for
> > auditing purposes.
> 
> No, it MUST not.  See the FEC standards on voting. The FEC standards also
> demand "storage allocation scrambling" in order to avoid even a serial order
> of storage.
> 
> > This is also mentioned in WAS's legislative text.
> 
> which is a misconception, albeit a common one
> 
Mr Gerck would do well to precisely specify the "law" which does not 
allow this?

Mr Gerck would also do well to specify which FEC "standards" have the 
force and effect of law?

The only document of which I am aware is the very old FEC "performance 
and test standards for punchcard, marksense, and direct recording 
electronic voting systems", January, 1990.  Never mandated, and no 
congressional appropriation for implementation.

He might be referring to chapter 4, section 4.5, page 47, where "parity 
and checksums" are required for integrity, and "the unit must 
incorporate multiple memories in the machine itself and in its 
programmable memory devices," and these "stored images of each ballot 
must protect the integrity of the data and the anonymity of each voter, 
by such means as storage location scrambling."

He might note that the subject of cryptography does not seem to be 
mentioned.  He might also note that for punchcards and marksense, 
no "scrambling" occurs.  

Moreover, he might note that the system audit requirements later in 
the same chapter (page 49) require "a complete, indestructible archival 
record of all system activity related to the vote tally."  That is to 
accomplish a "reconstruction" of the election process (repeated several 
times).  Audit data is to be serialized by a "date-and-time stamp" and 
"preserved during any interruption of power" (page 50).

As to the matter of "law", the Congress is granted the power to set 
standards for its own election (Const Article I, Sections 4 and 5). 
The FEC isn't mentioned.

But the FEC proposed standards don't even consider networks, database 
replication with offsite storage, and as mentioned earlier, 
cryptographic security.

'nuff said.





Re: smartcards, electronic ballots

2001-02-04 Thread William Allen Simpson


David Honig wrote:
> 
> If you give people a paper receipt with their votes on it
> (as WAS's scheme mentions) then their votes can be bought or blackmailed.

I'm unaware of how that interpretation might have arisen?  I don't see 
anything in the proposed text that calls for a receipt to be given to 
any voter, let alone a copy of their votes?

Perhaps there is some confusion in the interoperability requirement 
that electronic ballots be stored in a printable US-ASCII format.  

Why?  Because nobody (other than mathematicians) trusts the machines! 
The threat model is (1) the machines won't work correctly, and then 
(2) the clerks will try to steal the election, and nobody will be able 
to tell for sure, because the machines are unreliable.

Specifying the interface also promotes competition for different 
components of the systems.

The requirement arises from the need for "transparency" -- the votes 
need to look like votes to humans.  The auditors need to compare the 
recorded votes.  Everything points to a simple textual requirement.

For some odd reason, the legislative staff seems to intuitively 
understand the trust paradigm that we often struggle to elucidate:
machines don't vote/spend/publish, people do.  

The use of digital signatures is to ensure that the MACHINE is 
authorized, not the humans.  The use of human readable text is to 
ensure that HUMANS can audit the result.

That means that blinded signature schemes and smartcards and fancy 
unauditable and/or uninspectable equipment are not on the table.

Anyway, this thread has gone off into rampant speculation. 

I asked for assistance in review of the technical cryptographic 
terminology.  I've received that, and I've passed the recommendations 
on to the appropriate parties.  Thank you very much.  





Re: smartcards, electronic ballots

2001-02-04 Thread Dan Geer



As seems universally the case in security design, there must
be ugly tradeoffs.  In particular (and without quoting acres
of prior material), the proposed requirements for verifiability
and non-coercibility are at odds and one must yield to the
other.  Paper systems make this tradeoff by, on the one hand,
the polling booth (non-coercibility once within) and, on the
other hand, the supervision of the counting process by opponents
(verifiability by proxy), at a cost of zero technology.  Bettering
this in the real world is challenging.

--dan

==
as used here

verifiability
  -- voter may verify that his vote counted as he intended it to count
non-coercibility
  -- voter cannot be compelled to show how he voted, during or after

proposition:
 If the voter can verify, then he can be coerced to do so.
contrapositive:
 If voter cannot be coerced, then he cannot verify.

==





Re: smartcards, electronic ballots

2001-02-04 Thread John R. Levine

> The voting apparatus may keep a serial record of each vote, in
> order, for auditing purposes.  This is also mentioned in WAS's
> legislative text.

Good lord no.  Here in NY, the inspectors write down each voter's name
on a log sheet with the names numbered in order, and write down the
numbers in the voter book to make it easier to cross-check who voted.
The log sheet has four or five NCR copies so that party poll watchers
can have copies.  (The poll watchers use them to cross-check their
list of registered voters so they know who hasn't voted and so know who to
call and remind them.)  Obviously, the ballot is only secret because
the equipment does NOT track the order in which votes were cast.

Call me a sort of a Luddite, but I would like a system where you vote
by pushing buttons of some sort, then the machine prints up a paper
ballot with your choices on it in an OCR font or something else that
is easily readable by both people and machines, and you can either
release the ballot into the box if it's right, or put it into a
discard pile and try again.  Then the machine forgets everything, and
they count the paper ballots to see who won.


-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl, 
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail




Re: smartcards, electronic ballots

2001-02-04 Thread Ed Gerck



David Honig wrote:

> >First of all, that's not "privacy", that's "anonymity".
> >
> >We have voter registration precisely so that we know who the voters
> >are!  We are not changing voter registration
> >
> > Ed Gerck wrote:
> >>4. Fail-safe privacy in universal verifiability. If the
> >>   encrypted ballots are successfully attacked, even with
> >>court order, the voter’s name must not be revealed. In
>
> On Keeping Votes Secret
>
> If you give people a paper receipt with their votes on it
> (as WAS's scheme mentions) then their votes can be bought or blackmailed.
> Now, this may be an acceptable *tradeoff* (trust gained from paper trail
> vs. increased susceptibility to coercion), that's not for me to decide.

The law does not allow it, and for good reasons as you mention.  Also, proposals
to print the vote usually advance it as the "silver bullet" solution.  This is a
fatal mistake because to increase reliability in communications it is much better to
have a number of independent channels than one "strong" channel (Shannon,
tenth theorem).

> One potential solution is to make the 'receipts' readily forgeable --something
> anyone could print up at home, on ordinary commercial blank paper.  Such
> ready counterfeiting would deter vote buying and blackmail.

Not really. The buyer might be waiting outside the precinct, the seller might not
be able to fake it (technically -- think about the "digital divide" issues just to
have a computer), the election official might also get in collusion, etc.

> On Banning Video Cameras From Voting Places
>
> The voting apparatus may keep a serial record of each vote, in order, for
> auditing purposes.

No, it MUST not.  See the FEC standards on voting. The FEC standards also
demand "storage allocation scrambling" in order to avoid even a serial order
of storage.

> This is also mentioned in WAS's legislative text.

which is a misconception, albeit a common one

>  Now,
> if an evil vote buyer had someone recording who entered which booth
> and also had access to the audit records, the correlation lets them
> buy or blackmail votes.  Note that this requires only *one* conspirator if
> that conspirator is a poll worker with a concealed camera.

Yes, this is one of the reasons. It could also be the election official.

Cheers,

Ed Gerck





Re: smartcards, electronic ballots

2001-02-04 Thread David Honig


>First of all, that's not "privacy", that's "anonymity". 
>
>We have voter registration precisely so that we know who the voters 
>are!  We are not changing voter registration
>
>4. Fail-safe privacy in universal verifiability. If the
>encrypted ballots are successfully attacked, even with
>court order, the voter’s name must not be revealed. In

On Keeping Votes Secret

If you give people a paper receipt with their votes on it
(as WAS's scheme mentions) then their votes can be bought or blackmailed.
Now, this may be an acceptable *tradeoff* (trust gained from paper trail
vs. increased susceptibility to coercion), that's not for me to decide.
One potential solution is to make the 'receipts' readily forgeable --something
anyone could print up at home, on ordinary commercial blank paper.  Such
ready counterfeiting would deter vote buying and blackmail.

On Banning Video Cameras From Voting Places

The voting apparatus may keep a serial record of each vote, in order, for
auditing purposes.  This is also mentioned in WAS's legislative text.  Now, 
if an evil vote buyer had someone recording who entered which booth
and also had access to the audit records, the correlation lets them
buy or blackmail votes.  Note that this requires only *one* conspirator if
that conspirator is a poll worker with a concealed camera.

There should be little free-speech problem with this; political signs
are already banned within X feet of polling places.

David Honig

...
"What company did you say you were from, Mr. Hewlett?"
---Walt Disney to Bill Hewlett eetimes 22.01.01 p 32

Re: smartcards, electronic ballots

2001-02-03 Thread William Allen Simpson


"John R. Levine" wrote:
> The current election system, for all its faults, is the result of two
> centuries of effort by people not all of whom were completely stupid,
> and has a complex and not always set of features to defend against all
> sorts of schemes to corrupt an election.  The punch card ballot
> happens to be a uniquely bad technology for reasons we all know, but
> most of the surrounding infrastructure is old and kludgy but not
> broken.  We need to keep this in mind when designing something new and
> zoomy that's supposed to replace it.
> 
I could not agree more!  The purpose of the legislation is to assist 
the existing election processes, not replace them out of whole cloth!

In fact, the latest #1.3 draft changed the short title to 
``Electronically Assisted Federal Election Requirements Act''.

This discussion has digressed onto smartcards.  That's not helpful, as 
no legislator (that I'm aware of) is proposing use of smartcards, nor 
a national voting ID.  As some have noted, the specifics of this bill 
would create single use public/private key certificates, that would 
expire at the closing of the polls.

However, if there is any language that would prohibit smartcards, 
please let me know.  We are trying to be technology neutral.

And in the same vein, I forwarded Ed Gerck's list of published 
'requirements' to Lynn.  She intends to use them as a perfect example 
of what we DO NOT want!


Ed Gerck wrote:
> 1. Sixteen requirements for voting. The requirements are technologically
> neutral and can be applied to paper, electronic or Internet systems.  There
> is an extensive discussion of alternatives, before the requirements are
> summarized. Available at http://www.thebell.net/archives/thebell1.7.pdf ,
> page 3. 
> 
There are some requirements that are nearly identical to those that 
we've selected.  And I like the kudos to IETF, and open systems.

However, the first half dozen are based on the bad presumption that:

1. Fail-safe voter privacy. Define: “voter privacy is the
inability to know who the voter is.” Assure voter privacy
even if everything fails and everyone colludes.

First of all, that's not "privacy", that's "anonymity". 

We have voter registration precisely so that we know who the voters 
are!  We are not changing voter registration.

4. Fail-safe privacy in universal verifiability. If the
encrypted ballots are successfully attacked, even with
court order, the voter’s name must not be revealed. In
addition, the system must provide for “information-theoretic
privacy” (i.e., privacy which cannot be broken
by computation, even with unbounded time and
resources) in contrast to systems that would only provide
for “computational privacy” (i.e., privacy which could be
broken by computation, given time and resources).

I cannot believe any security analyst worth his salt could 'specify' 
such a requirement.  When I specified computational infeasibility of 
100 years, the Science staff came back and asked how NIST would test 
that?  We reduced it to 10 years, something that might be achievable.





Re: smartcards, electronic ballots

2001-02-03 Thread Ed Gerck



William Allen Simpson wrote:

> And in the same vein, I forwarded Ed Gerck's list of published
> 'requirements' to Lynn.  She intends to use them as a perfect example
> of what we DO NOT want!

see below, before you set yourself to re-invent the wheel.

> Ed Gerck wrote:
> > 1. Sixteen requirements for voting. The requirements are technologically
> > neutral and can be applied to paper, electronic or Internet systems.  There
> > is an extensive discussion of alternatives, before the requirements are
> > summarized. Available at http://www.thebell.net/archives/thebell1.7.pdf ,
> > page 3.
> >
> There are some requirements that are nearly identical to those that
> we've selected.

The 16 requirements include many that are either a recommended standard by the FEC
or are being considered for recommended standards.  I did not re-invent the wheel.

>  And I like the kudos to IETF, and open systems.
>
> However, the first half dozen are based on the bad presumption that:
>
> 1. Fail-safe voter privacy. Define: “voter privacy is the
> inability to know who the voter is.” Assure voter privacy
> even if everything fails and everyone colludes.
>
> First of all, that's not "privacy", that's "anonymity".

Just for you. See the technical papers in http://www.safevote.com/information.htm,
especially  ftp://ftp.inf.ethz.ch/pub/publications/papers/ti/isc/wwwisc/HirSak00.pdf
and its references. See Gennaro's paper quoted at the end, as well.

Further, see also my posting here of Oct/99, in which I wrote:

The current useful voting properties as proposed by Fujioka,
Okamoto and Ohta, 1992, and Benaloh and Tuinstra, 1994, are:

1. Completeness: All valid votes are counted correctly, if all participants are honest.

2. Robustness: Dishonest voters, other participants or outsiders can't disturb or disrupt
an election.

3. Privacy: The votes are cast anonymously.

4. Unreusability: Every voter can vote only once.

5. Eligibility: Only legitimate voters can vote.

6. Fairness: A voter casts his vote independently and is not influenced (e.g. by publishing
intermediate results of the election, copying and casting of the encrypted vote slip of
another voter as his own vote).

7. Verifiability: The tally cannot be forged, as it can be verified by every voter. The
verifiability is local if a voter can only check whether his own vote is counted correctly. If
it is verifiable whether all votes are counted correctly, then the verifiability is universal.

8. Receipt-freeness: A voter can't prove to a coercer how he has voted. As a result,
verifiable vote buying is impossible.



> We have voter registration precisely so that we know who the voters
> are!  We are not changing voter registration

You are mixing apples with speedboats. The 16 requirements apply specifically to
voting, as it says. Of course, in voter registration the election officials must know who
the voter is (and more -- where the voter lives, etc.).

BTW, there are other requirements being discussed specifically for voter registration,
and here privacy will also be a BIG issue.  One that is being infringed today by third-party
voter registration services that transfer the voter data to the state but keep copies, which
copies they are legally allowed to share with their 'affiliates' (read: anyone that signs a
contract with them).

> 4. Fail-safe privacy in universal verifiability. If the
> encrypted ballots are successfully attacked, even with
> court order, the voter’s name must not be revealed. In
> addition, the system must provide for “information-theoretic
> privacy” (i.e., privacy which cannot be broken
> by computation, even with unbounded time and
> resources) in contrast to systems that would only provide
> for “computational privacy” (i.e., privacy which could be
> broken by computation, given time and resources).
>
> I cannot believe any security analyst worth his salt could 'specify'
> such a requirement.  When I specified computational infeasibility of
> 100 years, the Science staff came back and asked how NIST would test
> that?  We reduced it to 10 years, something that might be achievable.

You are, again, mistaken. See the classical paper by Rosario Gennaro and others,
at http://www.research.ibm.com/security/election.ps . BTW, this is their remark on
this (and voter privacy):

  Privacy of an individual vote is assured against any reasonably sized coalition of parties (not
  including the voter herself). That is, unless the number of colluding parties exceeds a certain
  threshold, different ballots are indistinguishable irrespective of the contained votes. We say
  that information-theoretic privacy is achieved when the ballots are indistinguishable independent
  of any cryptographic assumption; otherwise we will say that computational privacy is
  achieved.

BTW,  my replies above might also indicate that the US election process would be much
improved if proper attention is g
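
The threshold privacy that Gennaro et al. describe above, worked through as an added illustration that is not part of the thread: a single ballot is split among tallying parties with Shamir secret sharing over a toy prime field (P = 7, n = 5, t = 3 are constructed values), and the code enumerates every possible sharing to show that a coalition below the threshold sees exactly the same distribution whether the vote was 0 or 1, while a coalition at the threshold reconstructs it.

```python
# Added example (not from the thread): threshold secret sharing of one ballot
# over a small prime field. Any t-1 colluding tallying parties learn nothing
# about the vote regardless of computing power (information-theoretic privacy),
# while t parties can reconstruct it.
import itertools
from collections import Counter

P = 7  # constructed toy field size; real systems use a large prime

def eval_poly(coeffs, x):
    """Evaluate a polynomial with coefficients [a0, a1, ...] at x, mod P."""
    return sum(a * pow(x, i, P) for i, a in enumerate(coeffs)) % P

def share(vote, random_coeffs, n):
    """Shamir shares of `vote`: party i (1..n) receives f(i), where f(0) = vote."""
    coeffs = [vote % P] + list(random_coeffs)
    return {i: eval_poly(coeffs, i) for i in range(1, n + 1)}

def reconstruct(shares):
    """Lagrange interpolation at x=0 over a {party: share} map of >= t shares."""
    total = 0
    for i, yi in shares.items():
        num, den = 1, 1
        for j in shares:
            if j != i:
                num = num * (-j) % P
                den = den * (i - j) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P  # den^-1 via Fermat
    return total

def view_distribution(vote, parties, n, t):
    """Histogram of what coalition `parties` sees, over all t-1 random coefficients."""
    views = Counter()
    for rnd in itertools.product(range(P), repeat=t - 1):
        s = share(vote, rnd, n)
        views[tuple(s[i] for i in parties)] += 1
    return views

def coalition_learns_nothing(parties, n, t):
    """True if the coalition's view is identically distributed for vote 0 and vote 1."""
    return view_distribution(0, parties, n, t) == view_distribution(1, parties, n, t)

if __name__ == "__main__":
    n, t = 5, 3
    print("2 colluders learn nothing:", coalition_learns_nothing((1, 2), n, t))   # True
    print("3 colluders learn nothing:", coalition_learns_nothing((1, 2, 3), n, t))  # False
    s = share(1, (3, 5), n)
    print("vote from shares of parties 2, 4, 5:", reconstruct({k: s[k] for k in (2, 4, 5)}))
```

Because the sub-threshold view is identical for both votes, no amount of computation distinguishes them, which is exactly the difference from a ballot protected only by an encryption scheme that could, in principle, be broken.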

Re: smartcards, electronic ballots

2001-02-02 Thread John R. Levine

>>Hmmm, I have a "voter registration card" and I believe that is the case
>>across the USA.

Here in New York, the county sends you a card when you register, which
all but the most anal then lose.  I used to be an election inspector,
and I can report that we never asked for the cards, and I can't ever
recall anyone offering one.

The ID process was, basically, voters said who they were, we looked
them up in the book, they signed next to their name and we looked to
see if the signature matched the one on file.  When you register, the
form requests but does not require info like height, age, and eye
color, which was in our book and which we also checked if available.  In the
event that someone's signature or other info didn't look right, we
could ask for more ID but I can't recall that we ever did.  Equally
important, most of the inspectors were retired folks who'd lived in
the area for a long time and knew many of the voters by sight.

The current election system, for all its faults, is the result of two
centuries of effort by people not all of whom were completely stupid,
and has a complex and not always set of features to defend against all
sorts of schemes to corrupt an election.  The punch card ballot
happens to be a uniquely bad technology for reasons we all know, but
most of the surrounding infrastructure is old and kludgy but not
broken.  We need to keep this in mind when designing something new and
zoomy that's supposed to replace it.

-- 
John R. Levine, IECC, POB 727, Trumansburg NY 14886 +1 607 387 6869
[EMAIL PROTECTED], Village Trustee and Sewer Commissioner, http://iecc.com/johnl, 
Member, Provisional board, Coalition Against Unsolicited Commercial E-mail