[EM] Electronic Voting Bill of Rights?
dglaude at gmx.net
Sat Nov 15 14:43:25 PST 2003
I did not reply to your DVD solution...
One reason that it was technologicaly confusing. ;-)
Here are some attempt to define the best option:
* The "booting" media must be read-only.
* This media should be unique to that voting place and activated by a
key. The key and the media should take separate path to the voting place
and only put together on the day of the election. Guessing the key from
the media should be as hard as possible.
* The recording (vote result) should be done on a write-once media.
* Backup copies (of the vote) should be taken and keeped safe and
separately from the orignal.
Now there is always a technical problem with:
1* Power loss
2* Cosmic ray (memory glitch)
3* Tempest (watching remotely a screen using electro magnetic field
1) Your DVD solution assume it is possible to write at random position
one vote at a time. I am affraid this is not possible. On a recordable
DVD or CD, you can only append information at the end. Also writing on
the media every time someone vote is not really efficient (maybe not
Also I guess CD writer (why do you want DVD?) might cost too much when
multiplyed by the number of voting machine. It is mecanical so risk of
problem are high.
So solving the power loss is not easy.
With Paper Audit Trail, in case of electrical/technical problem we can
work in downgraded mode where paper must be counted (as our only
backup). This is similar to the Belgian: "Let's recount the magnetic card."
2) Now you also have to fight Cosmic ray
Practicaly I don't think it is not possible to shield against cosmic
ray. So the same solution that are used in space exploration should be used.
This might mean using "old" and "reliable" technology (like Z80 designed
for space). Using ECC or better memory.
Making all the computation in triple might help but if it is processor
having one bit value inverting, triple computation does not solve anything.
3) Some screen technology might be better than other...
Otherwise you need to go for Tempest proof equipment that cost a lot.
A bit more on our Belgian experience...
In one of the voting system we use...
We are using floppy disk (3 1/4'').
The president of the voting burreau receave the key and the floppy (two
The voting machine are booted with the master floppy.
The key is used to start the system.
At the end of the day, the vote result are recorded on ... the same
floppy that was used to boot the system.
It mean that if the floppy at the begining of the day was not the
official expected floppy but a fake that does record vote different from
the intent of the voter...
Then at the end of the day, all trace can be removed by rewriting the
official expected content of the floppy with the vote our your choice.
So any verification of the floppy after the election can not reveal
anything. The only thing that can be done is to take a copy of the
floppy before it is used and after all the voting machine are started...
but this is not done!!!
I assume it would have cost too much to have two set of copies. ;-)
Dave Ketchum wrote:
>>> 1. MUST enable potential recounts
> In my DVD post I specified recording each ballot on the CD or DVD so
> that they could be recounted if anyone chose. I specified with that
> that they should be in random order to preserve secrecy.
>> It is important to know what a recount mean. In Belgium we do recount
>> the magnetic card (in case power is lost in the computerised magnetic
>> card ballot box)... or we get impossible result. But this give us no
>> garantee since we have no proof that what is on the magnetic card is
>> the voter intent.
> Seems worthwhile to make voting machines immune to power problems. In
> my DVD post specify recording the ballots on disc, after which they do
> not require power to protect them.
More information about the Election-Methods