[EM] Re: touch screen voting machines

Eron Lloyd elloyd at lancaster.lib.pa.us
Tue Nov 11 08:12:03 PST 2003

On Tuesday November 11 2003 2:52 am, Ken Johnson wrote:
> Eron - I share your enthusiasm for open, secure, and fair elections, but
> I don't think open-source software is necessarily the solution.

I probably wasn't detailed enough in my idea, but I think what you'd like is 
exactly what I do, too. Having an open code-base isn't enough though, as
everything from Apache, BIND, and SSH has been maliciously patched with
secret back doors. But it would be another line of defense. Regardless of how
you feel about privatization, I think elections are too important a function
of society to be handled by commercial interests. But even open code is
tricky...what's to stop someone from altering a compiler or byte-code
interpreter from taking pristine and fully-audited source and modifying the 
mechanics in the binary or at run-time? However, the more eyes, the better. 
Producing multiple binaries or byte-code sets and ensuring each contains the 
proper checksums would help.

> After making my vote, the voting machine gives me a receipt - much like
> a bank teller machine - containing a record of my vote and a
> randomly-generated vote ID number. I check the printed receipt for
> correctness, seal it, and have a polling agent stamp it with a unique
> serialization number that is assigned to me and recorded, along with my
> name and address, as evidence of my vote. The voting machine has no
> information about the serialization number or about my identity, and
> there is no record - other than my stamped voting receipt - identifying
> me with the computer-generated vote ID. In essence, there are two
> completely autonomous, non-communicating information systems - a
> computer database associating vote ID's with votes, and a second system
> (perhaps comprising only written records) associating vote serialization
> numbers with voters.

An interesting idea for sure. I think computer ballots would be a great way to 
produce an error-free paper tally, and your above ideas relating to a serial 
ID (randomly generated) could be useful, perhaps in addition to a hardware 
key. I think the biggest difference that "E-voting" has that makes it more 
challenging than on-line banking or ATMs is that it has to remain fully 
anonymous yet just as accountable and auditable as financial transactions.
While we don't want registered voters being associated with their votes, we 
still need to make sure that indeed registered voters were the only ones 
voting. Very challenging.

> The votes are counted by the computer, and the entire database of votes
> and vote ID's is placed on the Internet so that any voter can log on and
> verify that their vote was properly recorded. Independent auditors can
> also download the entire database to verify the tally. Authorized
> parties (e.g. law enforcement) may access the vote serialization data to
> verify that only legally-registered voters have voted. If any
> discrepancy is sufficient to potentially affect the outcome of the
> election, then the election is nullified. Furthermore, if sufficiently
> many people claim that their votes were not properly recorded, they
> would present their voting receipts to a judge to be reviewed in
> confidence (this is the only situation in which the association between
> a voter and their vote might become known to another party), and if the
> discrepancy is confirmed the election is nullified.

Interesting perspective. I'll take this in and process it for a while, and see 
if I can draw out a workflow. The Internet verification would be *very* 
tricky, however.

> With this type of process there is no problem using "black-box",
> proprietary voting software, because it gives the voters themselves (not
> just a few computer experts) the ability to confirm correctness of the
> result.

As I mentioned above, there is *always* a problem using "black-box" 
proprietary software, and hardware too. I can think of over 100 points from 
the keyboard or touch-screen down to variable assignment and loops where 
failure or hijacking could occur. Relying on voters to audit their votes is 
unacceptable, if people would treat the receipt like they do any other (ATM,
credit card, etc.). They just don't pay attention enough. You have to attempt 
to engineer away risk factors first. That might just mean pen and paper for a 
long time.



Eron Lloyd
Technology Coordinator
Lancaster County Library
elloyd at lancaster.lib.pa.us
Phone: 717-239-2116
Fax: 717-394-3083
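
The receipt scheme quoted in this message, as an added sketch that is not part of the original e-mail: two separate stores (vote ID to vote, serial number to voter), the checks an auditor can run on the published database, and the one check only a receipt holder can run. All function names, voters, serial numbers and choices are constructed for illustration.

```python
import secrets
from collections import Counter

def cast_vote(vote_db, choice):
    """Voting machine: files the choice under a random vote ID, knows no identity."""
    vote_id = secrets.token_hex(8)
    vote_db[vote_id] = choice
    return {"vote_id": vote_id, "choice": choice}   # the printed receipt

def stamp_receipt(roll, serial, voter):
    """Polling agent: records serial -> voter, never sees the vote ID."""
    roll[serial] = voter

def voter_check(published_db, receipt):
    """A voter looks up their own vote ID in the published database."""
    return published_db.get(receipt["vote_id"]) == receipt["choice"]

def audit(published_db, announced_tally, roll, registered):
    """Checks open to auditors and authorized parties; returns discrepancies."""
    problems = []
    if Counter(published_db.values()) != Counter(announced_tally):
        problems.append("tally does not match published votes")
    if len(published_db) != len(roll):
        problems.append("vote count differs from stamped receipts")
    voters = list(roll.values())
    if set(voters) - registered:
        problems.append("unregistered voter on roll")
    if len(voters) != len(set(voters)):
        problems.append("voter stamped more than once")
    return problems

def run_demo():
    registered = {"alice", "bob", "carol"}          # constructed sample data
    vote_db, roll, receipts = {}, {}, {}
    for serial, (voter, choice) in enumerate(
            [("alice", "X"), ("bob", "Y"), ("carol", "X")], start=1001):
        receipts[voter] = cast_vote(vote_db, choice)
        stamp_receipt(roll, serial, voter)
    honest = audit(vote_db, {"X": 2, "Y": 1}, roll, registered)
    # One stored record changed and the tally recomputed from the changed data:
    altered = dict(vote_db)
    altered[receipts["alice"]["vote_id"]] = "Y"
    altered_audit = audit(altered, {"X": 1, "Y": 2}, roll, registered)
    alice_ok = voter_check(altered, receipts["alice"])
    # One record added with no stamped receipt behind it:
    padded = dict(vote_db, extra="Y")
    padded_audit = audit(padded, {"X": 2, "Y": 2}, roll, registered)
    return honest, altered_audit, alice_ok, padded_audit

if __name__ == "__main__":
    print(run_demo())
```

In this sketch a changed record passes every database-level check and fails only the affected voter's receipt lookup, while an added record is caught by comparing the vote count with the stamped receipts.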
