William Allen Simpson
Sat, 03 Feb 2001 10:43:15 -0800
"John R. Levine" wrote:
> The current election system, for all its faults, is the result of two
> centuries of effort by people not all of whom were completely stupid,
> and has a complex and not always set of features to defend against all
> sorts of schemes to corrupt an election. The punch card ballot
> happens to be a uniquely bad technology for reasons we all know, but
> most of the surrounding infrastructure is old and kludgy but not
> broken. We need to keep this in mind when designing something new and
> zoomy that's supposed to replace it.
>

I could not agree more! The purpose of the legislation is to assist the
existing election processes, not replace them out of whole cloth!

In fact, the latest #1.3 draft changed the short title to
``Electronically Assisted Federal Election Requirements Act''.

This discussion has digressed onto smartcards. That's not helpful, as
no legislator (that I'm aware of) is proposing use of smartcards, nor a
national voting ID. As some have noted, the specifics of this bill
would create single use public/private key certificates, that would
expire at the closing of the polls.

However, if there is any language that would prohibit smartcards, please
let me know. We are trying to be technology neutral.

And in the same vein, I forwarded Ed Gerck's list of published
'requirements' to Lynn. She intends to use them as a perfect example of
what we DO NOT want!

Ed Gerck wrote:
> 1. Sixteen requirements for voting. The requirements are technologically
> neutral and can be applied to paper, electronic or Internet systems. There
> is an extensive discussion of alternatives, before the requirements are
> summarized. Available at http://www.thebell.net/archives/thebell1.7.pdf ,
> page 3.
>

There are some requirements that are nearly identical to those that
we've selected. And I like the kudos to IETF, and open systems.

However, the first half dozen are based on the bad presumption that:

   1. Fail-safe voter privacy. Define: “voter privacy is the inability
   to know who the voter is.” Assure voter privacy even if everything
   fails and everyone colludes.

First of all, that's not "privacy", that's "anonymity". We have voter
registration precisely so that we know who the voters are! We are not
changing voter registration....

   4. Fail-safe privacy in universal verifiability. If the encrypted
   ballots are successfully attacked, even with court order, the voter’s
   name must not be revealed. In addition, the system must provide for
   “information-theoretic privacy” (i.e., privacy which cannot be broken
   by computation, even with unbounded time and resources) in contrast
   to systems that would only provide for “computational privacy” (i.e.,
   privacy which could be broken by computation, given time and
   resources).

I cannot believe any security analyst worth his salt could 'specify'
such a requirement. When I specified computational infeasibility of
100 years, the Science staff came back and asked how NIST would test
that? We reduced it to 10 years, something that might be achievable.