[EM] Electronic Voting Bill of Rights?

[David GLAUDE]

I did not reply to your DVD solution...
One reason that it was technologicaly confusing. ;-)

Here are some attempt to define the best option:
* The "booting" media must be read-only.
* This media should be unique to that voting place and activated by a 
key. The key and the media should take separate path to the voting place 
and only put together on the day of the election. Guessing the key from 
the media should be as hard as possible.
* The recording (vote result) should be done on a write-once media.
* Backup copies (of the vote) should be taken and keeped safe and 
separately from the orignal.

Now there is always a technical problem with:
1* Power loss
2* Cosmic ray (memory glitch)
3* Tempest (watching remotely a screen using electro magnetic field 
generated)

1) Your DVD solution assume it is possible to write at random position 
one vote at a time. I am affraid this is not possible. On a recordable 
DVD or CD, you can only append information at the end. Also writing on 
the media every time someone vote is not really efficient (maybe not 
even practical.

Also I guess CD writer (why do you want DVD?) might cost too much when 
multiplyed by the number of voting machine. It is mecanical so risk of 
problem are high.

So solving the power loss is not easy.
With Paper Audit Trail, in case of electrical/technical problem we can 
work in downgraded mode where paper must be counted (as our only 
backup). This is similar to the Belgian: "Let's recount the magnetic card."

2) Now you also have to fight Cosmic ray

Practicaly I don't think it is not possible to shield against cosmic 
ray. So the same solution that are used in space exploration should be used.

This might mean using "old" and "reliable" technology (like Z80 designed 
for space). Using ECC or better memory.

Making all the computation in triple might help but if it is processor 
having one bit value inverting, triple computation does not solve anything.

3) Some screen technology might be better than other...
Otherwise you need to go for Tempest proof equipment that cost a lot.

David GLAUDE

A bit more on our Belgian experience...

In one of the voting system we use...

We are using floppy disk (3 1/4'').
The president of the voting burreau receave the key and the floppy (two 
copies).
The voting machine are booted with the master floppy.
The key is used to start the system.
[...]
At the end of the day, the vote result are recorded on ... the same 
floppy that was used to boot the system.

It mean that if the floppy at the begining of the day was not the 
official expected floppy but a fake that does record vote different from 
the intent of the voter...

Then at the end of the day, all trace can be removed by rewriting the 
official expected content of the floppy with the vote our your choice.

So any verification of the floppy after the election can not reveal 
anything. The only thing that can be done is to take a copy of the 
floppy before it is used and after all the voting machine are started... 
but this is not done!!!

I assume it would have cost too much to have two set of copies. ;-)

David GLAUDE

Dave Ketchum wrote:

>>> 1.  MUST enable potential recounts
> 
> In my DVD post I specified recording each ballot on the CD or DVD so 
> that they could be recounted if anyone chose.  I specified with that 
> that they should be in random order to preserve secrecy.

>> It is important to know what a recount mean. In Belgium we do recount 
>> the magnetic card (in case power is lost in the computerised magnetic 
>> card ballot box)... or we get impossible result. But this give us no 
>> garantee since we have no proof that what is on the magnetic card is 
>> the voter intent.

> Seems worthwhile to make voting machines immune to power problems.  In 
> my DVD post specify recording the ballots on disc, after which they do 
> not require power to protect them.