Firm invites experts to punch holes in ballot software

Trei, Peter ptrei at rsasecurity.com
Wed Apr 7 07:17:53 PDT 2004


>Firm invites experts to punch holes in ballot software

> The company's software is designed to let voters verify that their ballots
>were properly handled. It assigns random identification numbers to ballots
>and candidates. After people vote, they get a receipt that shows which
>candidates they chose--listed as numbers, not names. Voters can then use
>the Internet and their ballot identification number to check that their
>votes were correctly counted.

This is kind of broken. Allowing the voter to get a receipt which
they take away with them for verification may allow the voter to verify
that their vote was recorded as cast, but also allows coercion and 
vote buying.

To their credit, the creators thought of this, and suggest a
partial procedural fix in the threat analysis document:

	P4. Let voters discard verification receipts in poll site trash can and let any voter take them
	Result: Buyer/coercer can't be sure voter generated verification receipt

	P5. Have stacks of random printed codebooks freely available in poll site
	Result: Vote buyer/coercer can't be sure captured codebook was used

	P6. Have photos of on-screen codebooks freely available on-line
	Result: Vote buyer/coercer can't be sure captured codebook was used

The first problem, of course, is that a person under threat of
coercion will need to present the coercer with a receipt showing
exactly the mix of votes the coercer required. This leads
to a combinatorial explosion of fake receipts that need to be available.

Having only one vote on each receipt might mitigate this, but it still
gets really messy.

Second, it's not clear how this protects against the coercer checking the
ballot online - will every fake also be recorded in the system, so
it passes the online check? Having both real and fake ballots in
the verification server makes me very nervous.

It's possible I've missed something - this is based on a quick glance
through the online documents, but I don't see any advantage this
system has over the much more discussed one where the receipt is
printed in a human readable way, shown to the voter, but retained
inside the machine as a backup for recounts.

Just my private, personal opinion.

Peter Trei




