William Allen Simpson
Sun, 04 Feb 2001 21:18:26 -0800
David Honig wrote:
> From "Ballot Proposal" version 1.3
>
> 10 B DISPLAY
> (5) Election software shall print the selected choices on a fixed
> visible medium (such as paper), and shall require the voter to
> affirm those choices prior to electronic registration of the
> completed ballot.
>
> I took this to mean that "what the machine thinks the voter chose
> is printed on paper" (for feedback/trust reasons). Am I totally off?
>
That's correct. All the considered systems require some permanent audit record of the ballots. This draft requires that the voter approve the record.

Thus, the printed record is primary, since the voter actually sees it and approves it. Any electronic fudging can be detected and eliminated.

But, nobody is suggesting that the voter takes home the paper. On the contrary, designs mentioned in meetings have the paper behind glass, not even touchable by voters.

> I wasn't clear on the architecture you have in mind ---I eventually
> figured out that you're requiring an online system with local and
> central real time reporting (mirroring) of votes.
>
The Internet is big in legislators' eyes these days. The network connection to a central (state) system is really the main motivation, as it allows the eRate funds to be used to run elections.

Also, central state servers are needed to allow overseas electronic voting. Too many trust relationships to have each base/embassy try to interact with every city or precinct.

And the mirroring keeps the locals from fudging the ballot counts.

Basically, I was asked, "Can the Internet be used to carry the votes, while still remaining secret?" My answer is, "Yes, we already have SSL/TLS for confidentiality."

"What about ensuring votes only come from authorized places?" "Easy, issue credentials for each machine, and use digital signatures on the ballots."

Etc, etc.

I've found a lot of support for open source software, because the politicians don't trust vendors or clerks. They want lots of review. Especially with machines programmed by clerks. And especially with all the campaign money that came in this cycle from so-called high-tech firms. A compromised vendor would be a real problem for one party or another....

> (Other architectures include standalone or LAN-only machines acting only as
> better voting-acquisition-machines; or a pure central server scheme like
> home internet voting.)
>
There have been a lot of problems with stand-alone machines. For example, in Florida, the recounts were supposed to actually re-run the ballots. Instead, many places just looked at the counters without doing any real counting. Also, elsewhere, machines have been found to be mis-programmed. Etc, etc.

Home internet voting has a lot of problems, too, and is not being considered. Just incremental improvements on the existing polling places and absentee ballots. As you say, better vote acquisition -- evolution, not revolution.

The other thing is cost, cost, cost....

Anyway, I've basically been answering a lot of questions for free, just as most of you are doing. Admittedly, I've been given access to some reports and internal committee documents, but mostly I'm just trying to help them add security language.

I really think we've gone pretty far afield for this list. Just send messages to me privately, and I'll reply as I have time and interest.

Thanks again.
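The "credentials for each machine, digital signatures on the ballots" idea from the message above, as an added illustration that is not part of the original thread or of any real election system: each machine signs a canonical ballot record with its own key, and the central mirror accepts a record only if the machine is in its registry and the signature checks out. Machine IDs, the record layout and the Ed25519 choice are all assumptions made for this demo.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Ballot is the record a polling-place machine sends to the central mirror;
// Choices is what the voter approved on the printed record.
type Ballot struct {
	MachineID string
	Seq       int
	Choices   string
	Sig       []byte
}

// canonical is the byte string that gets signed: every field the central
// server relies on is bound into it, so none can change after signing.
// (Demo assumption: fields never contain the '|' separator.)
func canonical(b Ballot) []byte {
	return []byte(fmt.Sprintf("%s|%d|%s", b.MachineID, b.Seq, b.Choices))
}

// Sign produces a ballot record signed with the machine's own private key.
func Sign(id string, seq int, choices string, priv ed25519.PrivateKey) Ballot {
	b := Ballot{MachineID: id, Seq: seq, Choices: choices}
	b.Sig = ed25519.Sign(priv, canonical(b))
	return b
}

// Registry maps each machine the state has credentialed to its public key.
type Registry map[string]ed25519.PublicKey

// Verify accepts a ballot only if it comes from a registered machine and the
// signature covers the record exactly as received; an altered choice, an
// unknown machine, or a record signed with the wrong key is rejected.
func (r Registry) Verify(b Ballot) error {
	pub, ok := r[b.MachineID]
	if !ok {
		return errors.New("unregistered machine: " + b.MachineID)
	}
	if !ed25519.Verify(pub, canonical(b), b.Sig) {
		return errors.New("signature check failed for " + b.MachineID)
	}
	return nil
}
```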