Firm invites experts to punch holes in ballot software
The company's software is designed to let voters verify that their ballots were properly handled. It assigns random identification numbers to ballots and candidates. After people vote, they get a receipt that shows which candidates they chose--listed as numbers, not names. Voters can then use the Internet and their ballot identification number to check that their votes were correctly counted.
This is kind of broken. Allowing the voter to get a receipt which they take away with them for verification may allow the voter to verify that their vote was recorded as cast, but also allows coercion and vote buying. To their credit, the creators thought of this, and suggest a partial procedural fix in the threat analysis document: P4. Let voters discard verification receipts in poll site trash can and let any voter take them Result: Buyer/coercer can't be sure voter generated verification receipt P5. Have stacks of random printed codebooks freely available in poll site Result: Vote buyer/coercer can't be sure captured codebook was used P6. Have photos of on-screen codebooks freely available on-line Result: Vote buyer/coercer can't be sure captured codebook was used The first problem, or course, is that a person under threat of coercion will need to present the coercer with a receipt showing exactly the mix of votes the coercer required. This is leads to a combinatorial explosion of fake receipts that need to be available. Having only one vote on each receipt might mitigate this, but it still gets really messy. Second, it's not clear how this protects against the coercer checking the ballot online - will every fake also be recorded in the system, so it passes the online check? Having both real and fake ballots in the verification server makes me very nervous. Its possible I've missed something - this is based on a quick glance through the online documents, but I don't see any advantage this system has over the much more discussed one where the reciept is printed in a human readable way, shown to the voter, but retained inside the machine as a backup for recounts. Just my private, personal opinion. Peter Trei