[EM] Re: Election-methods digest, Vol 1 #344 - 7 msgs
dglaude at gmx.net
Fri Nov 14 13:36:11 PST 2003
Ken Johnson wrote:
> Okay, I see your point. If means exist for verifying my particular vote
> then vote buying or coersion becomes possible.
Obvious but clearly stated (better than all my attempt).
> Perhaps a reasonable alternative would be for the voting machine to
> generate printed ballots
Paper audit trail is a MUST.
The voter must have visible access to it to and an option to complain if
what he see printed is not what he wanted. (I voted X and it is printed Y).
Maybe more important if those "ticket" are there only for verification
and not for the full manual recount... then we need to make sure the
voter can not touch the ticket, nor can next voter see previous ticket.
We tested this known as "Ticketting" in Belgium and there is a
theoretical Denial of Service attack on the election process. If a set
of voter complain that the ticket (or the screen or both) does not
display what they wanted to vote for. Since there is no way to know what
they wanted to vote... we have a problem. Since it could be true...
maybe election should be stopped!
To deal with this, in Belgium by law, if the printed vote is not what
you like, you call the president of the voting burreau and you vote
again in front of him. And sorry for the secrecy of your vote. He will
click on "OK vote match" for you. ;-)
> that have randomly-generated ballot ID's, but
> which are not retained by the voter and do not have any voter
We need to make sure the voter is having no access to that ID.
Else he could be asked to remember it to verify his vote.
> identification information.
Obviously one should never identify himself to the voting machine.
Voter identification should be done separately (preferably by human)
with no possible communication with the voting machine (nor explicit
like a magnetic card, nor implicit like timing information).
In Belgium where a new electronic ID card will be introduced (replacing
the old plastic ID card we practicaly all have to keep on us). In order
to avoid problem with the test periode of that new card and the election
of Mai 2003, the introduction of the electronic ID card was delayed...
There is a likely chance that the e-Government will want to identify
voter with the "e" of the eID card. Of course the secret goal is to vote
electronicaly accross the internet and the IDcard will garantee you do
not vote twice, you are who you say you are and we know what you vote
once and for all.
> After the election, a random selection of ballots are manually cross-checked against the database.
It is easy for the computer to always show the right answer when asked
while keeping the election result altered.
As long as not all the vote (or a majority of them) have been verified,
it is possible to trick the one that try to verify.
Partial recount are useless... How do you know the computer was not just
showing what you wanted to see?
In Belgium, we vote with magnetic card... once your vote is finish, you
are autorised to reintroduce your magnetic card IN THE SAME voting
machine in order to verify what you voted. There is no garantee that
what you see is what is really recorded on the card or what will be
counted from that magnetic card.
> That way, the election can be verified without having to actually do a full manual count.
To garantee you do verify the real thing, you need to ask the computer
to print all the recorded vote on paper... then you can make your
partial verification of the process by checking random ballots
More information about the Election-Methods