Firm invites experts to punch holes in ballot software

Major Variola (ret) mv at cdc.gov
Wed Apr 7 08:56:16 PDT 2004


Peter, what would be wrong with having a machine in the booth that
prints
any valid receipt BUT is not connected to the voting system.  "To vote
use the red machine; if you're being coerced you can use the blue
machine
to print as many receipts as intimidators."

A trade off between (mild) user complexity and the desire for receipts
(without coercion).




At 10:17 AM 4/7/04 -0400, Trei, Peter wrote:
>This is kind of broken. Allowing the voter to get a receipt which
>they take away with them for verification may allow the voter to verify

>that their vote was recorded as cast, but also allows coercion and
>vote buying.
>
>To their credit, the creators thought of this, and suggest a
>partial procedural fix in the threat analysis document:
>
> P4. Let voters discard verification receipts in poll site trash
> can and let any voter take them
> Result: Buyer/coercer can't be sure voter generated verification
>receipt
>
> P5. Have stacks of random printed codebooks freely available in poll
>site
> Result: Vote buyer/coercer can't be sure captured codebook was used
>
> P6. Have photos of on-screen codebooks freely available on-line
> Result: Vote buyer/coercer can't be sure captured codebook was used
>
>The first problem, or course, is that a person under threat of
>coercion will need to present the coercer with a receipt showing
>exactly the mix of votes the coercer required. This is leads
>to a combinatorial explosion of fake receipts that need to be
available.
>
>Having only one vote on each receipt might mitigate this, but it still
>gets really messy.
>
>Second, it's not clear how this protects against the coercer checking
the
>ballot online - will every fake also be recorded in the system, so
>it passes the online check? Having both real and fake ballots in
>the verification server makes me very nervous.
>
>Its possible I've missed something - this is based on a quick glance
>through the online documents, but I don't see any advantage this
>system has over the much more discussed one where the reciept is
>printed in a human readable way, shown to the voter, but retained
>inside the machine as a backup for recounts.
>
>Just my private, personal opinion.
>
>Peter Trei





More information about the cypherpunks-legacy mailing list