>Firm invites experts to punch holes in ballot software

> The company's software is designed to let voters verify that their ballots
>were properly handled. It assigns random identification numbers to ballots
>and candidates. After people vote, they get a receipt that shows which
>candidates they chose--listed as numbers, not names. Voters can then use
>the Internet and their ballot identification number to check that their
>votes were correctly counted.

This is kind of broken. Allowing the voter to get a receipt which
they take away with them for verification may allow the voter to verify
that their vote was recorded as cast, but also allows coercion and 
vote buying.

To their credit, the creators thought of this, and suggest a
partial procedural fix in the threat analysis document:

        P4. Let voters discard verification receipts in poll site trash 
        can and let any voter take them
        Result: Buyer/coercer can't be sure voter generated verification

        P5. Have stacks of random printed codebooks freely available in poll
        Result: Vote buyer/coercer can't be sure captured codebook was used

        P6. Have photos of on-screen codebooks freely available on-line
        Result: Vote buyer/coercer can't be sure captured codebook was used

The first problem, or course, is that a person under threat of 
coercion will need to present the coercer with a receipt showing 
exactly the mix of votes the coercer required. This is leads 
to a combinatorial explosion of fake receipts that need to be available.

Having only one vote on each receipt might mitigate this, but it still
gets really messy.

Second, it's not clear how this protects against the coercer checking the
ballot online - will every fake also be recorded in the system, so
it passes the online check? Having both real and fake ballots in
the verification server makes me very nervous.

Its possible I've missed something - this is based on a quick glance
through the online documents, but I don't see any advantage this 
system has over the much more discussed one where the reciept is
printed in a human readable way, shown to the voter, but retained 
inside the machine as a backup for recounts.

Just my private, personal opinion.

Peter Trei

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to