[EM] Re: Election-methods digest, Vol 1 #344 - 7 msgs

Fri Nov 14 13:36:11 PST 2003

Ken Johnson wrote:

> Okay, I see your point. If means exist for verifying my particular vote 
> then vote buying or coersion becomes possible.

Obvious but clearly stated (better than all my attempt).

> Perhaps a reasonable alternative would be for the voting machine to 
> generate printed ballots

Paper audit trail is a MUST.
The voter must have visible access to it to and an option to complain if 
what he see printed is not what he wanted. (I voted X and it is printed Y).

Maybe more important if those "ticket" are there only for verification 
and not for the full manual recount... then we need to make sure the 
voter can not touch the ticket, nor can next voter see previous ticket.

We tested this known as "Ticketting" in Belgium and there is a 
theoretical Denial of Service attack on the election process. If a set 
of voter complain that the ticket (or the screen or both) does not 
display what they wanted to vote for. Since there is no way to know what 
they wanted to vote... we have a problem. Since it could be true... 
maybe election should be stopped!

To deal with this, in Belgium by law, if the printed vote is not what 
you like, you call the president of the voting burreau and you vote 
again in front of him. And sorry for the secrecy of your vote. He will 
click on "OK vote match" for you. ;-)

> that have randomly-generated ballot ID's, but 
> which are not retained by the voter and do not have any voter 

We need to make sure the voter is having no access to that ID.
Else he could be asked to remember it to verify his vote.

> identification information.

Obviously one should never identify himself to the voting machine.
Voter identification should be done separately (preferably by human) 
with no possible communication with the voting machine (nor explicit 
like a magnetic card, nor implicit like timing information).

In Belgium where a new electronic ID card will be introduced (replacing 
the old plastic ID card we practicaly all have to keep on us). In order 
to avoid problem with the test periode of that new card and the election 
of Mai 2003, the introduction of the electronic ID card was delayed...
There is a likely chance that the e-Government will want to identify 
voter with the "e" of the eID card. Of course the secret goal is to vote 
  electronicaly accross the internet and the IDcard will garantee you do 
not vote twice, you are who you say you are and we know what you vote 
once and for all.

> After the election, a random selection of ballots are manually cross-checked against the database.

It is easy for the computer to always show the right answer when asked 
while keeping the election result altered.
As long as not all the vote (or a majority of them) have been verified, 
it is possible to trick the one that try to verify.

Partial recount are useless... How do you know the computer was not just 
showing what you wanted to see?

In Belgium, we vote with magnetic card... once your vote is finish, you 
are autorised to reintroduce your magnetic card IN THE SAME voting 
machine in order to verify what you voted. There is no garantee that 
what you see is what is really recorded on the card or what will be 
counted from that magnetic card.

> That way, the election can be verified without having to actually do a full manual count.

To garantee you do verify the real thing, you need to ask the computer 
to print all the recorded vote on paper... then you can make your 
partial verification of the process by checking random ballots

David GLAUDE