[EM] Electronic Voting Bill of Rights?

Dave Ketchum davek at clarityconnect.com
Sat Nov 15 21:24:01 PST 2003


On Sat, 15 Nov 2003 23:42:21 +0100 David GLAUDE wrote:

> I did not reply to your DVD solution...
> One reason that it was technologically confusing. ;-)

But thanks for coming in now.  There is a limit to how big the original 
draft should be (else no one reads it all).
> 
> Here are some attempts to define the best option:
> * The "booting" media must be read-only.

I do not even want that.
     The earliest CDs were made with a reflective surface, such that the 
shape of the surface would reflect a laser beam to be seen or not seen 
(zero vs one).  Then the whole CD is read-only - meaning ballot 
definition cannot be added.  I want ONE CD for each polling station, since 
office districts may be different for each.  Would be possible to make 
CDs with one or a few copies of each, but I think not affordable and 
would have to be done before election people had resolved who all the 
candidates would be.
     Writing on a CD requires a layer of material that either reflects 
or absorbs light (zero vs one), and either:
          Fully rewritable like your floppy - I DO NOT want this - part 
of this technique is to erase, a capability I do not want in a voting machine.
          Write once only.  This is what I want, with the vendor 
loading the program, election officials adding ballot definitions, and the 
voting machine keeping a diary here.

So, I do want logically read-only so far as the boot content is 
concerned, for I do not want this changeable.

> * This media should be unique to that voting place and activated by a 
> key. The key and the media should take separate paths to the voting place 
> and only be put together on the day of the election. Guessing the key from 
> the media should be as hard as possible.

You lost me on this one, for we are agreed no one should be able to change 
content of the boot data, and therefore who cares whether it gets seen:
     The program came from the vendor, and there are a zillion identical copies.
     The ballot definitions are based on public requirements for the election.

Do need protection against substitution by a wrong disc - perhaps this helps 
on that problem.

> * The recording (vote result) should be done on a write-once media.

And I am there - the part of the CD that has not been written on will 
tolerate EXACTLY write-once.

> * Backup copies (of the vote) should be taken and kept safe and 
> separately from the original.

Worth thought.  I am ALL FOR copying that CD - as many copies as desired - 
doable in a PC equipped for this, but I question putting this capability in 
the voting machine.

Besides official backup copies, I am happy to make copies for anyone who 
wants one - perhaps to do their own validation - and perhaps charge them a 
small fee.
> 
> Now there is always a technical problem with:
> 1* Power loss

Voting machines MUST tolerate short term public power loss - and should be 
buildable with self power included.  Doubtful whether this latter is worth 
general use.

> 2* Cosmic ray (memory glitch)

Not sure what you mean here.  Certainly computers can and do get defended 
against expectable environmental problems, and the vendors should get told 
not to cheat on this detail.

> 3* Tempest (watching a screen remotely using the electromagnetic field 
> generated)

Another item in the list of those that designers, builders, and election 
officials must take defensive action for defense.
> 
> 1) Your DVD solution assumes it is possible to write at a random position 
> one vote at a time. I am afraid this is not possible. On a recordable 
> DVD or CD, you can only append information at the end. Also writing on 
> the media every time someone votes is not really efficient (maybe not 
> even practical).

Not quite:
     Recording ONLY at the end was my assumption.
     Each record of votes is required to contain votes in random order - 
enough to make it impossible to be sure which belongs to a particular voter.
     This requires temporary storage, in random order, on a hard disk or
floppy or magnetic card ...
     Agreed putting single votes on a CD is not practical, for this means 
more records than should fit, considering required gaps between records.
> 
> Also I guess a CD writer (why do you want DVD?) might cost too much when 
> multiplied by the number of voting machines. It is mechanical, so the risk 
> of problems is high.
> 
It is too early in this game to be sure whether a CD has enough capacity.
I do not know available reliability - even installing double sets of drives 
is among the design possibilities.

> So solving the power loss is not easy.

Certainly doable - and I believe at least some current vendors are into this.

> With Paper Audit Trail, in case of electrical/technical problem we can 
> work in downgraded mode where paper must be counted (as our only 
> backup). This is similar to the Belgian: "Let's recount the magnetic card."

As to paper trail - I am not against this, provided it is done in a way to 
protect secrecy - I am against over-dependence on it, for it has its own 
problems.
> 
> 2) Now you also have to fight Cosmic ray
> 
> Practically I don't think it is not possible to shield against cosmic 
> rays. So the same solutions that are used in space exploration should be used.
> 
> This might mean using "old" and "reliable" technology (like Z80 designed 
> for space). Using ECC or better memory.

Sequoia used to (maybe still does) like Z80s.  Good points:
     Less chance for vendor to hide something ugly in hardware.
     Cannot run Windows (I think) - therefore no need to validate whether 
there is something funny in a copy of Windows.
     Has all the speed voting needs (but I do not know about a Z80 
controlling CD or DVD drives).

Anyway, computers can and do get built to survive noisy environments such as 
you suggest.
> 
> Making all the computation in triple might help but if it is processor 
> having one bit value inverting, triple computation does not solve anything.
> 
> 3) Some screen technology might be better than other...
> Otherwise you need to go for Tempest proof equipment that cost a lot.

Agreed this is a concern - need to consider voting environment, which may not 
have to be as difficult as what Tempest gets involved in.
> 
> David GLAUDE
> 
> A bit more on our Belgian experience...
> 
> In one of the voting system we use...
> 
> We are using floppy disks (3 1/4'').
> The president of the voting bureau receives the key and the floppy (two 
> copies).
> The voting machines are booted with the master floppy.
> The key is used to start the system.
> [...]
> At the end of the day, the vote results are recorded on ... the same 
> floppy that was used to boot the system.
> 
> It means that if the floppy at the beginning of the day was not the 
> official expected floppy but a fake that records votes different from 
> the intent of the voter...
> 
> Then at the end of the day, all trace can be removed by rewriting the 
> official expected content of the floppy with the vote of your choice.
> 
> So any verification of the floppy after the election cannot reveal 
> anything. The only thing that can be done is to take a copy of the 
> floppy before it is used and after all the voting machines are started... 
> but this is not done!!!
> 
> I assume it would have cost too much to have two sets of copies. ;-)
> 
> David GLAUDE
> 
> Dave Ketchum wrote:
> 
>>>> 1.  MUST enable potential recounts
>>>
>>
>> In my DVD post I specified recording each ballot on the CD or DVD so 
>> that they could be recounted if anyone chose.  I specified with that 
>> that they should be in random order to preserve secrecy.
> 
> 
>>> It is important to know what a recount means. In Belgium we do recount 
>>> the magnetic card (in case power is lost in the computerised magnetic 
>>> card ballot box)... or we get impossible results. But this gives us no 
>>> guarantee since we have no proof that what is on the magnetic card is 
>>> the voter intent.
>>
> 
>> Seems worthwhile to make voting machines immune to power problems.  In 
>> my DVD post I specify recording the ballots on disc, after which they do 
>> not require power to protect them.

-- 
  davek at clarityconnect.com    people.clarityconnect.com/webpages3/davek
  Dave Ketchum   108 Halstead Ave, Owego, NY  13827-1708   607-687-5026
            Do to no one what you would not want done to you.
                  If you want peace, work for justice.
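As an added illustration, not code from either poster, here is a small Python model of the design argued in the message above: a disc that accepts records only by appending (the write-once part of the CD), a recorder that keeps ballots in temporary storage and commits them in batches whose internal order comes from a CSPRNG shuffle, a recount read straight off the disc, and a boot-image fingerprint taken before the disc leaves the office and checked after the election. The last point is the defence against the Belgian floppy problem quoted above: on write-once media the boot record cannot be rewritten, and the separately held fingerprint detects a substituted disc. The class and function names, the batch size, and the sample ballots are all constructed for this example.

```python
import hashlib
import json
import secrets


class WriteOnceMedium:
    """Simulated write-once disc: records append at the end and can never be changed."""

    def __init__(self):
        self._records = []

    def append(self, payload: bytes) -> int:
        self._records.append(bytes(payload))
        return len(self._records) - 1

    def read(self, index: int) -> bytes:
        return self._records[index]

    def overwrite(self, index: int, payload: bytes) -> None:
        # A real write-once layer cannot be erased; model that as a hard refusal.
        raise PermissionError(f"record {index} is already written on write-once media")

    def __len__(self) -> int:
        return len(self._records)


def fingerprint(data: bytes) -> str:
    """SHA-256 of a boot image; election officials keep this value apart from the disc."""
    return hashlib.sha256(data).hexdigest()


def verify_boot_image(medium: WriteOnceMedium, expected: str) -> bool:
    """Post-election check that record 0 (program + ballot definition) is unchanged."""
    return fingerprint(medium.read(0)) == expected


class BallotRecorder:
    """Buffers ballots in temporary storage and commits them in shuffled batches."""

    def __init__(self, medium: WriteOnceMedium, batch_size: int):
        self.medium = medium
        self.batch_size = batch_size
        self._pending = []  # stands in for the hard disk / card used as temporary storage

    def cast(self, ballot: dict) -> None:
        self._pending.append(dict(ballot))
        if len(self._pending) >= self.batch_size:
            self.flush()

    def flush(self):
        """Write the pending ballots as one record, in an order chosen by a CSPRNG."""
        if not self._pending:
            return None
        batch = list(self._pending)
        for i in range(len(batch) - 1, 0, -1):  # Fisher-Yates shuffle
            j = secrets.randbelow(i + 1)
            batch[i], batch[j] = batch[j], batch[i]
        self._pending.clear()
        return self.medium.append(json.dumps(batch, sort_keys=True).encode())


def tally(medium: WriteOnceMedium) -> dict:
    """Recount straight from the disc: every record after the boot image is a ballot batch."""
    counts = {}
    for i in range(1, len(medium)):
        for ballot in json.loads(medium.read(i)):
            counts[ballot["choice"]] = counts.get(ballot["choice"], 0) + 1
    return counts


def run_election(choices, batch_size=4):
    """Constructed end-to-end run; returns the values an official would check afterwards."""
    boot_image = b"vendor program + ballot definition (constructed sample)"
    expected = fingerprint(boot_image)  # taken before the disc leaves the office
    medium = WriteOnceMedium()
    medium.append(boot_image)  # record 0: the logically read-only boot content
    recorder = BallotRecorder(medium, batch_size)
    for choice in choices:
        recorder.cast({"choice": choice})
    recorder.flush()  # close of polls: commit the partial last batch
    rewrite_refused = False
    try:
        medium.overwrite(0, b"some other boot image")  # must be impossible on write-once media
    except PermissionError:
        rewrite_refused = True
    return {
        "tally": tally(medium),
        "records": len(medium),
        "boot_ok": verify_boot_image(medium, expected),
        "rewrite_refused": rewrite_refused,
    }


if __name__ == "__main__":
    print(run_election(["A", "B", "A", "C", "A", "B", "A", "A", "C", "B"]))
```

Batching answers the point that one record per vote would not fit once inter-record gaps are counted, while the shuffle inside each batch keeps disc position from telling anyone which ballot belongs to which voter; the recount only ever reads the disc, so it does not depend on the temporary storage or on power.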