[EM] Voting debate - missing the target

Dave Ketchum davek at clarityconnect.com
Mon Jul 28 08:49:00 PDT 2003

On Sun, 27 Jul 2003 15:22:56 -0700 (PDT) Alex Small wrote:

> Dave Ketchum said:
>>Computers have been around for decades and we have learned to build and
>>program them such that they DEPENDABLY do what they are told.  If not,
>>would banks dare use ATMs?  Would we dare enter a hospital, where much
>>of  the more complex activities depend on computers fulfilling their
>>responsibility?  There is MUCH around us for which we now depend on
>>computers being DEPENDABLE.
> You make a good point, and perhaps worries about electronic voting are to
> some extent technophobia.  However, the integrity of a voting process
> isn't just a technical matter.  It's also a security matter, and some
> security concerns transcend any technological development.
> A well-guarded and anonymous paper ballot is impossible to alter without
> leaving behind some sort of physical mark (erasure, white-out, whatever). 
> A voter can determine with absolute certainty that his paper ballot is an
> accurate record of his vote, he doesn't have to trust anybody else's
> expert analysis.  He still has to trust the integrity of the people
> guarding his ballot, but the need for integrity is one aspect of a
> democratic election that will never, ever change.
> Now, the transparency afforded by a paper ballot may not be technically
> necessary, but transparency is a virtue in its own right.  I'm agnostic on
> whether the paper ballot is the original, or instead a backup generated
> from the voter's input.  In any case, I still believe in the importance of
> a paper ballot that the voter can verify.

I said that IF there is a paper ballot it shall be treated as the master - 
this should inspire more attention to getting them all in the ballot box 
and cared for carefully.

Would not bother me to have a paper copy of the computer ballot printed if 
this pleases the voter enough, PROVIDED it is nothing more than that, and 
the same thing could have been printed elsewhere.

The point here is IMPORTANT - the voter MUST NOT LEAVE the polling place 
with anything that proves how he voted - to preserve secrecy and prevent:
      Collecting for voting "right";
      Getting punished for voting "wrong".

Doesn't turn me on that a paper could be printed for you or me to look at 
- I would not expect the average voter to really do that much looking.

Further, those pieces of paper do not, by themselves, prevent fraud. 
Unless there is continuous monitoring, they can evaporate and/or 
replacements can wander in.

THEREFORE, seeing to it that the computers get told to do it RIGHT is BOTH 
necessary and sufficient.  A bit of thought:
      I can buy a box to copy CDs for $200.  I do not actually want that 
box, but it gives us a clue as to costs - it has all the exotic smarts 
needed to read and to write CDs.
      I can buy a blank CDR for <$.99 - room for about 700MB of data and 
has something I WANT - CDRs are write ONCE; read many.  A CDW would 
tolerate rewriting.

That CDR should be big enough for:
      The program to run the voting machine (if Windows will not fit I am 
delighted - should not be that much programming NEAR a voting machine).
      Tailoring with the ballot definition for the precinct where this CDR 
is to be used.
      Diary of EVERYTHING that this machine knows about from polls open 
thru polls close (except ballots).
      Copy of every ballot voted.  This information must have been stored 
elsewhere while the polls were open, and written after they close, for the 
order must be random to preserve secrecy, and this is a CDR.
      Note that this CDR is a complete record for its precinct for this 
single voting day.

>>      We do recognize desire to protect trade secrets - fine, BUT let it
>>be done in some way that does not interfere with validation.
>>      Some machines have been bought, with trade secret clauses
>>and I understand that judges have agreed that those who signed such
>>clauses have made the sellers immune to checking as to quality of the
>>equipment.  Seems like this should be a black mark against those who
>>failed to protect their voters.
>>      Some are still considering buying equipment.  We, the public,
> Trade secrets concerns are simple:  We can purchase the rights to those
> trade secrets as part of the contract for purchasing the equipment.  Once
> the public purchases those secrets they will of course be available to
> other companies, but we have a vested interest in making this information
> public so that others can improve on previous designs.

Not that simple for the topic is $$$$$$ - but ESSENTIAL.

> Even though I'm a fan of less government spending, I'm willing to open up
> the coffers to ensure the integrity of the voting machines, and to promote
> further innovations in voting technology.  If we have to pay a ton of cash
> to get people to divulge their trade secrets, so be it.  The health of our
> democracy demands it.

I am convinced Sequoia has thought this out.  They have been around a long 
time and I LIKED what i found on their web site a few years ago - seems 
not to be so public any more.

>>As to the internet:  Seems to me that a voting machine SHOULD NEVER be
>>connected to the internet from the time preparation for opening the
>>polls  starts until the polls close and the results are documented.
>>Would not  bother me to have it connected later for convenient reporting
>>results to  wherever, but this is simply reporting the already
>>documented results.
> I would go further than this:  Before the machine is connected to any
> network for the purpose of reporting results, a copy of the results should
> be placed on an external hard drive or some other recording device, and
> the recording device should be physically disconnected from the voting
> machine.
> It may or may not be paranoid to worry that the machine could be corrupted
> by a hacker when it's trying to report results, but having worked at the
> polls I would say that the 2 essential methods for ensuring the integrity
> of results are transparency and redundancy.  Obviously this precaution
> ensures redundancy.  It also ensures transparency, because everybody can
> see that the copy was secured before the machine was connected to the
> outside world.  Transparent methods may be far more stringent than an
> expert technical analysis would conclude, but the point of transparency is
> that the integrity of the process should be clear to ANY observer beyond
> any doubt.

You are saying about what I said, but the emphasis is appropriate.

The CDR counts as a recording device, though the results ought to be on 
paper to make sure.

> Alex

Jan Kok refers to http://www.vreceipt.com/  for coded receipts - I have not 
studied its merits.

davek at clarityconnect.com  http://www.clarityconnect.com/webpages3/davek
  Dave Ketchum   108 Halstead Ave, Owego, NY  13827-1708   607-687-5026
            Do to no one what you would not want done to you.
                  If you want peace, work for justice.

More information about the Election-Methods mailing list