Discussion:
touch screen voting machines
Forest Simmons
2003-11-08 01:44:34 UTC
Permalink
The latest issue of "Hightower's Low Down" talks about the various private
companies (and their conflicts of interest) that have been supplying the
touch screen voting machines, along with some of the hanky panky that has
already taken place.

Besides the outright scandals there are the suspicious results:

For example, three Republican candidates in three separate elections
counted by machines supplied by the same company with tight Republican
connections win by the exact same margin of votes, some improbable number
like 10,800.

When authorities requested permission to audit the voting records, the
company explained that they didn't have room to save them so they had
erased them.

Do you trust these guys?

So far there are no laws that require these companies to reveal the
internal workings of their machines.

It looks like Bush won't need a boost from the supreme court this time
around.


Forest

----
Election-methods mailing list - see http://electorama.com/em for list info
David GLAUDE
2003-11-08 22:59:45 UTC
Permalink
In Belgium, there are law that say the administration must be transparent.

So we asked the belgian administration for the code and all detail of
the voting system in use.
It was refused to us saying it would not be secure and all...
Then we went to court... it took a bit of time.
The first step was that they release source code less some security
feature (hashing, checksum, crypto, ...).
Then we won in court and this year the full source code was made
available (no documentation, not a sample floppy image used or
description of the hardware)... just the code.

And one of the program was written in a non standard company specific
language!

I believe it is likely that some law or something in the constitution
say the administration and the election process should be transparent.

But please remember that having the code does not garantee anything
since it can be different from the one running at election day. Also you
have the bios, the OS, the hardware, ...

Good luck.

David GLAUDE
Post by Forest Simmons
So far there are no laws that require these companies to reveal the
internal workings of their machines.
----
Election-methods mailing list - see http://electorama.com/em for list info
Eron Lloyd
2003-11-10 17:04:59 UTC
Permalink
Yes, this is a very interesting subject. Is this the proper mailing list to
also discuss the development and design of the actual voting systems
themselves, because I sure would like to be in that discussion. One of my
biggest questions is whether these "modern" voting systems being purchased
across the country thanks to HAVA et. al. can easily be modified to support
IRV, etc. should the states/counties move to such an election method. Also,
the security issues alone deserve much debate...I've pretty much come to the
point that an electronic system would be good only to ultimately produce a
paper ballot which was then counted, not the other way around.

If anyone is interested, I'm starting a project to develop an "Adaptable
Voting System" using Python and the application framework Qt to produce an
open-source, fully auditable election system that can be used at terminals,
on-line, or other flexible ways to hold elections, and uses generic, open
(XML) formats for the ballot (I'm currently looking at OASIS EML), vote
results, and statistics to then apply different election methods to it
(Approval, IRV, etc.) to watch the different outcomes. Though it will mainly
be a prototype, perhaps something more could come of it.

I feel passionately that open, secure, and fair election systems are the only
way to protect the integrity of modern democracies.

Eron
Post by Forest Simmons
The latest issue of "Hightower's Low Down" talks about the various private
companies (and their conflicts of interest) that have been supplying the
touch screen voting machines, along with some of the hanky panky that has
already taken place.
For example, three Republican candidates in three separate elections
counted by machines supplied by the same company with tight Republican
connections win by the exact same margin of votes, some improbable number
like 10,800.
When authorities requested permission to audit the voting records, the
company explained that they didn't have room to save them so they had
erased them.
Do you trust these guys?
So far there are no laws that require these companies to reveal the
internal workings of their machines.
It looks like Bush won't need a boost from the supreme court this time
around.
Forest
----
Election-methods mailing list - see http://electorama.com/em for list info
---
[This E-mail scanned for viruses by Declude Virus]
--
Eron Lloyd
Technology Coordinator
Lancaster County Library
***@lancaster.lib.pa.us
Phone: 717-239-2116
Fax: 717-394-3083

---
[This E-mail scanned for viruses by Declude Virus]

----
Election-methods mailing list - see http://electorama.com/em for list info
Ken Johnson
2003-11-11 07:52:47 UTC
Permalink
Eron - I share your enthusiasm for open, secure, and fair elections, but
I don't think open-source software is necessarily the solution. What is
more important is that the process be transparent and independently
verifiable by anyone - not just by a few computer specialists. Following
is a rough idea of how I would like to see the process operate:

After making my vote, the voting machine gives me a receipt - much like
a bank teller machine - containing a record of my vote and a
randomly-generated vote ID number. I check the printed receipt for
correctness, seal it, and have a polling agent stamp it with a unique
serialization number that is assigned to me and recorded, along with my
name and address, as evidence of my vote. The voting machine has no
information about the serialization number or about my identity, and
there is no record - other than my stamped voting receipt - identifying
me with the computer-generated vote ID. In essence, there are two
completely autonomous, non-communicating information systems - a
computer database associating vote ID's with votes, and a second system
(perhaps comprising only written records) associating vote serialization
numbers with voters.

The votes are counted by the computer, and the entire database of votes
and vote ID's is placed on the Internet so that any voter can log on and
verify that their vote was properly recorded. Independent auditors can
also download the entire database to verify the tally. Authorized
parties (e.g. law enforcement) may access the vote serialization data to
verify that only legally-registered voters have voted. If any
discrepancy is sufficient to potentially affect the outcome of the
election, then the election is nullified. Furthermore, if sufficiently
many people claim that their votes were not properly recorded, they
would present their voting receipts to a judge to be reviewed in
confidence (this is the only situation in which the association between
a voter and thier vote might become known to another party), and if the
discrepancy is confirmed the election is nullified.

With this type of process there is no problem using "black-box",
proprietary voting software, because it gives the voters themselves (not
just a few compter experts) the ability to confirm correctness of the
result.

Ken Johnson
Message: 1
Organization: Lancaster County Library
Subject: Re: [EM] touch screen voting machines
Date: Mon, 10 Nov 2003 12:04:59 -0500
Yes, this is a very interesting subject. Is this the proper mailing list to
also discuss the development and design of the actual voting systems
themselves, because I sure would like to be in that discussion. One of my
biggest questions is whether these "modern" voting systems being purchased
across the country thanks to HAVA et. al. can easily be modified to support
IRV, etc. should the states/counties move to such an election method. Also,
the security issues alone deserve much debate...I've pretty much come to the
point that an electronic system would be good only to ultimately produce a
paper ballot which was then counted, not the other way around.
If anyone is interested, I'm starting a project to develop an "Adaptable
Voting System" using Python and the application framework Qt to produce an
open-source, fully auditable election system that can be used at terminals,
on-line, or other flexible ways to hold elections, and uses generic, open
(XML) formats for the ballot (I'm currently looking at OASIS EML), vote
results, and statistics to then apply different election methods to it
(Approval, IRV, etc.) to watch the different outcomes. Though it will mainly
be a prototype, perhaps something more could come of it.
I feel passionately that open, secure, and fair election systems are the only
way to protect the integrity of modern democracies.
Eron
Post by Forest Simmons
The latest issue of "Hightower's Low Down" talks about the various private
companies (and their conflicts of interest) that have been supplying the
touch screen voting machines, along with some of the hanky panky that has
already taken place.
For example, three Republican candidates in three separate elections
counted by machines supplied by the same company with tight Republican
connections win by the exact same margin of votes, some improbable number
like 10,800.
When authorities requested permission to audit the voting records, the
company explained that they didn't have room to save them so they had
erased them.
Do you trust these guys?
So far there are no laws that require these companies to reveal the
internal workings of their machines.
It looks like Bush won't need a boost from the supreme court this time
around.
Forest
----
Election-methods mailing list - see http://electorama.com/em for list info
e***@ericgorr.net
2003-11-11 15:06:37 UTC
Permalink
Post by Ken Johnson
Eron - I share your enthusiasm for open, secure, and fair elections,
but I don't The votes are counted by the computer, and the entire
database of votes and vote ID's is placed on the Internet so that
any voter can log on and verify that their vote was properly
recorded.
Personally, I think it is a really bad idea if there was any way for
a third party to know for certain how anyone voted. If an individual
can verify their vote, others can know how they voted.

Election fraud has always been a problem and will always be a
problem. The only thing the matters is how committed those involved
in the election are to run it honestly. If enough of these honest
people do not exist, no controls, procedures or policies will create
an honest election.
--
== Eric Gorr ========= http://www.ericgorr.net ========= ICQ:9293199 ===
"Therefore the considerations of the intelligent always include both
benefit and harm." - Sun Tzu
== Insults, like violence, are the last refuge of the incompetent... ===
----
Election-methods mailing list - see http://electorama.com/em for list info
Eron Lloyd
2003-11-11 15:58:30 UTC
Permalink
Post by Ken Johnson
Eron - I share your enthusiasm for open, secure, and fair elections, but
I don't think open-source software is necessarily the solution.
I probably wasn't detailed enough in my idea, but I think what you'd like is
exactly what I do, too. Have an open code-base isn't enough though, as
everything from Apache, BIND, and SSH have been maliciously patched with
secret back doors. But it would be another line of defense. Regardless of how
you feel about privitization, I think elections are too important a function
of society to be handled by commercial interests. But even open code is
tricky...whats to stop someone from altering a compiler or byte-code
interpreter from taking pristine and fully-audited source and modifying the
mechanics in the binary or at run-time? However, the more eyes, the better.
Producing multiple binaries or byte-code sets and ensuring each contains the
proper checksums would help.
Post by Ken Johnson
After making my vote, the voting machine gives me a receipt - much like
a bank teller machine - containing a record of my vote and a
randomly-generated vote ID number. I check the printed receipt for
correctness, seal it, and have a polling agent stamp it with a unique
serialization number that is assigned to me and recorded, along with my
name and address, as evidence of my vote. The voting machine has no
information about the serialization number or about my identity, and
there is no record - other than my stamped voting receipt - identifying
me with the computer-generated vote ID. In essence, there are two
completely autonomous, non-communicating information systems - a
computer database associating vote ID's with votes, and a second system
(perhaps comprising only written records) associating vote serialization
numbers with voters.
An interesting idea for sure. I think computer ballots would be a great way to
produce an error-free paper tally, and your above ideas relating to a serial
ID (randomly generated) could be useful, perhaps in addition to a hardware
key. I think the biggest difference that "E-voting" has that makes it more
challenging than on-line banking or ATMs is that it has to remain fully
anonomous yet just as accountable and auditable as financial transactions.
While we don't want registered voters being associated with their votes, we
still need to make sure that indeed registered voters were the only ones
voting. Very challenging.
Post by Ken Johnson
The votes are counted by the computer, and the entire database of votes
and vote ID's is placed on the Internet so that any voter can log on and
verify that their vote was properly recorded. Independent auditors can
also download the entire database to verify the tally. Authorized
parties (e.g. law enforcement) may access the vote serialization data to
verify that only legally-registered voters have voted. If any
discrepancy is sufficient to potentially affect the outcome of the
election, then the election is nullified. Furthermore, if sufficiently
many people claim that their votes were not properly recorded, they
would present their voting receipts to a judge to be reviewed in
confidence (this is the only situation in which the association between
a voter and thier vote might become known to another party), and if the
discrepancy is confirmed the election is nullified.
Interesting perspective. I'll take this in and process it for a while, and see
if I can draw out a workflow. The Internet verification would be *very*
tricky, however.
Post by Ken Johnson
With this type of process there is no problem using "black-box",
proprietary voting software, because it gives the voters themselves (not
just a few compter experts) the ability to confirm correctness of the
result.
As I mentioned above, there is *always* a problem using "black-box"
proprietary software, and hardware too. I can think of over 100 points from
the keyboard or touch-screen down to variable assignment and loops where
failure or hijacking could occur. Relying on voters to audit their votes is
unacceptable, if people would treat the reciept like they do any other (ATM,
credit card, etc.). They just don't pay attention enough. You have to attempt
to engineer away risk factors first. That might just mean pen and paper for a
long time.

Regards,

Eron
--
Eron Lloyd
Technology Coordinator
Lancaster County Library
***@lancaster.lib.pa.us
Phone: 717-239-2116
Fax: 717-394-3083

---
[This E-mail scanned for viruses by Declude Virus]

----
Election-methods mailing list - see http://electorama.com/em for list info
R.G.'Stumpy' Marsh
2003-11-11 22:58:01 UTC
Permalink
Post by Eron Lloyd
Relying on voters to audit their votes is
unacceptable, if people would treat the reciept like they do any other (ATM,
credit card, etc.). They just don't pay attention enough. You have to attempt
to engineer away risk factors first. That might just mean pen and paper for a
long time.
I disagree. As far as auditing is concerned, I think this sort of mass
near-random testing is ideal. Sure the vast majority may not check
their votes, but enough people on all sides of the election would
check to make systematic fraud nigh on certain to be detected.

The only problem I see is with privacy, particularly the
afore-mentioned stand-over problem. One way to get around that would
be to provide the option of creating false receipts as well as the
real one. The false receipt would be identical to the real one in
every respect, except that the fake one has a false random ID and a
false checksum.

That would mean either displaying false as well as real IDs in the
audit list (which would screw up the counts, but still provide genuine
verification) or producing the falsified receipts with numbers
assigned for real to someone who really did vote the way the fake
ticket is meant to show.

It would rather complicate things for the user too. Perhaps too much
for those most likely to be under duress. They'd essentially have to
vote twice; once for real, and once to indicate what they want shown
on their stand-over receipt. Too many people have enough trouble
voting once.

Stumpy.
--
R.G. "Stumpy" Marsh Timaru, New Zealand
<http://marsh.orcon.net.nz/>
----
Election-methods mailing list - see http://electorama.com/em for list info
Alex Small
2003-11-11 23:19:43 UTC
Permalink
Lost in all this discussion is the incredible ease of the ballots which
you fill in with a pen. They aren't easily degraded the way punch-cards
are. The "chads" can't fall out accidentally. There's a paper backup
kept in the custody of election officials for the purpose of recounts.
The technology is used millions of times every year for standardized
tests, including such high stakes tests as the SAT, ACT, AP tests, GRE,
etc. It's much harder to manipulate the result because there's a hard
copy backup.

I recall controversy over the chads, and over poorly designed layouts on
pen and paper ballots, but I don't recall any intrinsic difficulties with
filling in the ovals. The only problem was that the ovals were laid out
in a confusing manner in one county. That's different from the chads,
which some people found intrinsically difficult.

Since tampering with the machine can be detected by a visual inspection of
the pen and paper ballots, the only way to manipulate the outcome is by
having dead people vote, having corrupt precinct workers wink at "stuffing
of the ballot box", etc. And these problems ultimately come down to human
honesty, a factor that no technology can remedy. Even if we used better
database software to remove dead people from voter rosters and put
surveillance cameras at the polls to monitor possibly corrupt poll
workers, a human has to examine the video recording of the polls and a
human has to supply the data for the roster.

So my vote is for pen-and-paper ballots like on the SAT. I just hope this
vote is counted ;)



Alex


----
Election-methods mailing list - see http://electorama.com/em for list info
Eric Gorr
2003-11-11 23:27:14 UTC
Permalink
Post by Alex Small
Lost in all this discussion is the incredible ease of the ballots which
you fill in with a pen.
People are still quite error prone with this method as well, unfortunately.

It would not be uncommon to find more then one alternative selected
when only one is expected...of course, along with this would likely
be some kind of attempt by the voter to correct the mistake which
would then likely end up in front of a judge.

Personally, I believe the greatest opportunity for error proof voting
is use computer based voting.
--
== Eric Gorr ========= http://www.ericgorr.net ========= ICQ:9293199 ===
"Therefore the considerations of the intelligent always include both
benefit and harm." - Sun Tzu
== Insults, like violence, are the last refuge of the incompetent... ===
----
Election-methods mailing list - see http://electorama.com/em for list info
David GLAUDE
2003-11-11 23:59:48 UTC
Permalink
Post by Eric Gorr
Post by Alex Small
Lost in all this discussion is the incredible ease of the ballots which
you fill in with a pen.
People are still quite error prone with this method as well, unfortunately.
It would not be uncommon to find more then one alternative selected when
only one is expected...
It is not uncommon to find invalid vote... but there is no way to know
if this was or not the intent of the voter.
Post by Eric Gorr
of course, along with this would likely be some
kind of attempt by the voter to correct the mistake which would then
likely end up in front of a judge.
It is very easy to provide the voter with a second chance to vote if the
pen slipped or the voter did check the wrong oval.

Just get out, say you made a mistake and ask for another virgin ballot.
Your mistaken ballot get counted and distroy, you get a second chance to
vote. However we need to make sure you don't do that trick too many
time... so no 3rd chance!
Post by Eric Gorr
Personally, I believe the greatest opportunity for error proof voting is
use computer based voting.
Error proof is not the goal. Democracy is the goal (but I might be wrong
on that one).

David GLAUDE




----
Election-methods mailing list - see http://electorama.com/em for list info
Eron Lloyd
2003-11-11 23:35:43 UTC
Permalink
Hi Alex,
Post by Alex Small
Lost in all this discussion is the incredible ease of the ballots which
you fill in with a pen. They aren't easily degraded the way punch-cards
are. The "chads" can't fall out accidentally. There's a paper backup
kept in the custody of election officials for the purpose of recounts.
The technology is used millions of times every year for standardized
tests, including such high stakes tests as the SAT, ACT, AP tests, GRE,
etc. It's much harder to manipulate the result because there's a hard
copy backup.
I agree there is quite an amount of value in this traditional method. What I
was proposing was to use an electronic interface to produce a marked paper
ballot. This way, you have the multiple benefits of computer technology
(error correction, language selection, accessibility support, etc.) and the
confidence of a paper ballot result.
Post by Alex Small
I recall controversy over the chads, and over poorly designed layouts on
pen and paper ballots, but I don't recall any intrinsic difficulties with
filling in the ovals. The only problem was that the ovals were laid out
in a confusing manner in one county. That's different from the chads,
which some people found intrinsically difficult.
One of the biggest problems with *any* ballot is that often-times not much
usability research goes into it's design (like the recent Florida ballot).
One interesting offering a computer interface could provide is multiple ways
of displaying and inputing information about the ballot, based on the
preference of the user.
Post by Alex Small
Since tampering with the machine can be detected by a visual inspection of
the pen and paper ballots, the only way to manipulate the outcome is by
having dead people vote, having corrupt precinct workers wink at "stuffing
of the ballot box", etc. And these problems ultimately come down to human
honesty, a factor that no technology can remedy. Even if we used better
database software to remove dead people from voter rosters and put
surveillance cameras at the polls to monitor possibly corrupt poll
workers, a human has to examine the video recording of the polls and a
human has to supply the data for the roster.
Indeed there are many problems...I suppose what it boils down to is attempting
to reduce to ratio of correct to corrupt votes, so it can't swing an
election. And all of us volunteering at the polls as observers.
Post by Alex Small
So my vote is for pen-and-paper ballots like on the SAT. I just hope this
vote is counted ;)
Is the SAT still administered on paper? I though most are moving to
computer-based, with paper as an option. I know the GREs are.
Post by Alex Small
Alex
----
Election-methods mailing list - see http://electorama.com/em for list info
---
[This E-mail scanned for viruses by Declude Virus]
--
Eron Lloyd
Technology Coordinator
Lancaster County Library
***@lancaster.lib.pa.us
Phone: 717-239-2116
Fax: 717-394-3083

---
[This E-mail scanned for viruses by Declude Virus]

----
Election-methods mailing list - see http://electorama.com/em for list info
David GLAUDE
2003-11-12 00:08:59 UTC
Permalink
Post by Eron Lloyd
I agree there is quite an amount of value in this traditional method. What I
was proposing was to use an electronic interface to produce a marked paper
ballot. This way, you have the multiple benefits of computer technology
(error correction, language selection, accessibility support, etc.) and the
confidence of a paper ballot result.
Error correction => Ask another ballot.
Language Selection => Provide translation in the voting area and for
names, there is no need for translation.
Accessibility => Those that need help can choose someone to help or use
proxy-vote.
Post by Eron Lloyd
One of the biggest problems with *any* ballot is that often-times not much
usability research goes into it's design (like the recent Florida ballot).
One interesting offering a computer interface could provide is multiple ways
of displaying and inputing information about the ballot, based on the
preference of the user.
YES:
* make it more user friendly than paper.
* Let me choose my user interface (with random default):
** Win 3.1
** Win 95
** Win XP
** Gnome
** KDE
** X11
** Mac OS

Then do not forget to remember my preference for next election so that I
don't have to setup the voting machine at each election. LoL
Post by Eron Lloyd
Indeed there are many problems...I suppose what it boils down to is attempting
to reduce to ratio of correct to corrupt votes, so it can't swing an
election. And all of us volunteering at the polls as observers.
The nice thing about manual voting system (paper and pen) is that
corrupt votes are also done at human scale and they go in every
direction. Also it can be detected by witness.

The problem with e-voting is that e-fraud goes in a single direction at
a computer scale with no possible proof or witness.

Being an observer durring an e-election is really not fun. I spended the
day watching machine "faking"(?) to count the vote of the elector with
no way to verify. I was just following the "procedure".

David GLAUDE




----
Election-methods mailing list - see http://electorama.com/em for list info
Eron Lloyd
2003-11-12 00:25:11 UTC
Permalink
Post by David GLAUDE
Post by Eron Lloyd
I agree there is quite an amount of value in this traditional method.
What I was proposing was to use an electronic interface to produce a
marked paper ballot. This way, you have the multiple benefits of computer
technology (error correction, language selection, accessibility support,
etc.) and the confidence of a paper ballot result.
Error correction => Ask another ballot.
Language Selection => Provide translation in the voting area and for
names, there is no need for translation.
Accessibility => Those that need help can choose someone to help or use
proxy-vote.
I'd interested in how easily you could get multiple ballots to correct
mistakes. This presents a way to either add a duplicate ballot or risk
privacy by the person you hand your bad ballot to associating your face with
the votes on your ballot. As far as language translation, perhaps in Belgium
it is much more homogenous than here in the US, where we have over half a
dozen distinct languages spoke right here in my community. To say there is
nothing to translate is absurd...what about the instructions? Who determines
what languages to print ballots for? If I speak Hindi, am a registered
citizen, and can vote but can't read the ballot, it that OK? A computer
system could provide internationalization for many languages, and shift on
the fly. Another interesting idea, is that the screen could describe the
purpose and function of each office voted for. Many people skip ballot items
because they don't know what the job is for. The ballot could explain this in
plain terminology. As far as for accessibility, if we just told people with
disabilities to have someone help them do everything, we wouldn't need any
accomodations! If I become disabled and can't vote and my wife secretly wants
me to vote Republican instead of Green as my proxy, is that OK? They deserve
the same amount of freedom and privacy as the rest of us.
Post by David GLAUDE
Post by Eron Lloyd
One of the biggest problems with *any* ballot is that often-times not
much usability research goes into it's design (like the recent Florida
ballot). One interesting offering a computer interface could provide is
multiple ways of displaying and inputing information about the ballot,
based on the preference of the user.
* make it more user friendly than paper.
** Win 3.1
** Win 95
** Win XP
** Gnome
** KDE
** X11
** Mac OS
Then do not forget to remember my preference for next election so that I
don't have to setup the voting machine at each election. LoL
Okay, well we don't have to go that far but I think you get my drift ;-)
Post by David GLAUDE
Post by Eron Lloyd
Indeed there are many problems...I suppose what it boils down to is
attempting to reduce to ratio of correct to corrupt votes, so it can't
swing an election. And all of us volunteering at the polls as observers.
The nice thing about manual voting system (paper and pen) is that
corrupt votes are also done at human scale and they go in every
direction. Also it can be detected by witness.
How? Don't you get privacy when filling out the ballot? If you can't inspect
ballots until the election is over and counting begins how will you know?
Post by David GLAUDE
The problem with e-voting is that e-fraud goes in a single direction at
a computer scale with no possible proof or witness.
I'm not sure I agree. What I'm proposing is not a complete DRE system; it
still ultimately produces a paper ballot that gets counted by hand, by a
person. The computer would only aid in filling it out. Mechanisms between the
computer tally and the individual ballots would ensure they are correct. A
two-way audit if you will.
Post by David GLAUDE
Being an observer durring an e-election is really not fun. I spended the
day watching machine "faking"(?) to count the vote of the elector with
no way to verify. I was just following the "procedure".
Not much about elections is fun. But it's something we have to do. It is
better to have knowledgeable, cautious officials, however.
Post by David GLAUDE
David GLAUDE
Eron
Post by David GLAUDE
----
Election-methods mailing list - see http://electorama.com/em for list info
---
[This E-mail scanned for viruses by Declude Virus]
--
Eron Lloyd
Technology Coordinator
Lancaster County Library
***@lancaster.lib.pa.us
Phone: 717-239-2116
Fax: 717-394-3083

---
[This E-mail scanned for viruses by Declude Virus]

----
Election-methods mailing list - see http://electorama.com/em for list info
David GLAUDE
2003-11-12 01:31:51 UTC
Permalink
Post by Eron Lloyd
I'd interested in how easily you could get multiple ballots to correct
mistakes. This presents a way to either add a duplicate ballot or risk
privacy by the person you hand your bad ballot to associating your face with
the votes on your ballot.
Easy.
You can only make one mistake (no 3rd chance).
Your ballot is destructed in front of you... It does not contain your
real vote (it was a mistake) you can always make your vote invalid
(impossible choice) to make sure it is not reused and if inspected you
do not reveal your vote.
Post by Eron Lloyd
As far as language translation, perhaps in Belgium
it is much more homogenous than here in the US, where we have over half a
dozen distinct languages spoke right here in my community.
In Belgium we have 3 officials language (with maximum 2 in use at one
location). But rules on the usage of language are very strict...
We will not indicate instruction in english because it is not an
official language!!!
Post by Eron Lloyd
To say there is nothing to translate is absurd...
In Belgium it is not absure because we only vote for Senator,
Parlementarian, and local/regional representative. Almost everybody can
read a party name/logo and/or a candidate name.
Post by Eron Lloyd
what about the instructions?
Instruction can be given in advance... maybe translated in as many
language, ...
Post by Eron Lloyd
Who determines what languages to print ballots for?
Official language of the country = language of the administration.
Post by Eron Lloyd
If I speak Hindi, am a registered
citizen, and can vote but can't read the ballot, it that OK?
It is OK for me... maybe not for you.
Post by Eron Lloyd
A computer system could provide internationalization for many languages, and shift on
the fly. Another interesting idea, is that the screen could describe the
purpose and function of each office voted for.
I don't think the pooling station is the right place to learn what you
vote for. I had many voter asking me the difference between the Senate
and the Parliament... ("It is just another election, sorry you have not
finish yet, you will not get your magnetic card back if you don't finish
and we will not give you your id card if you do not return the magnetic
card.").
Post by Eron Lloyd
Many people skip ballot items because they don't know what the job is for.
The ballot could explain this in plain terminology.
Be carefull with the explanation... and translation!
Post by Eron Lloyd
As far as for accessibility, if we just told people with
disabilities to have someone help them do everything, we wouldn't need any
accomodations!
What percentage of the population need help to vote?

What percentage of those do not have someone they trust to proxy-vote
for them?

What percentage of the population that need help to vote will not need
help to vote with an "improved system"?

I have seen many proxy-voter with a list of what they should vote.
Post by Eron Lloyd
If I become disabled and can't vote and my wife secretly wants
me to vote Republican instead of Green as my proxy, is that OK?
It is OK...
Do you trust your wife?
If you don't, then someone at the pooling station can help you (if you
can get there). They can sign a paper saying they will not reveal your
secret... and you can trust (honest citizen choosen as election worker)
them to do as you say.
Post by Eron Lloyd
They deserve the same amount of freedom and privacy as the rest of us.
Check your number... (see questions above).

How many currenty are unable to vote themself?
What disabilities they have that make them unable to vote?
What would solve their problem?
How many left without a solution?

I don't think the risk introduced by e-voting to the democracy is
acceptable... even to help those with disabilities.
Post by Eron Lloyd
Post by David GLAUDE
Post by Eron Lloyd
Indeed there are many problems...I suppose what it boils down to is
attempting to reduce to ratio of correct to corrupt votes, so it can't
swing an election. And all of us volunteering at the polls as observers.
The nice thing about manual voting system (paper and pen) is that
corrupt votes are also done at human scale and they go in every
direction. Also it can be detected by witness.
How? Don't you get privacy when filling out the ballot? If you can't inspect
ballots until the election is over and counting begins how will you know?
By corrupt votes I was thinking about vote wich are not the voter intent
= fraud! (!=not mistake)
Post by Eron Lloyd
Post by David GLAUDE
The problem with e-voting is that e-fraud goes in a single direction at
a computer scale with no possible proof or witness.
I'm not sure I agree. What I'm proposing is not a complete DRE system; it
still ultimately produces a paper ballot that gets counted by hand, by a
person. The computer would only aid in filling it out. Mechanisms between the
computer tally and the individual ballots would ensure they are correct. A
two-way audit if you will.
I still believe that cost/benefit of using a computer to produce a paper
ballot is not interesting.

Please when you check your number... try to find out how many will be
excluded from the election process because they are affraid of computer,
do not know how to "touch the screen", ... where for those peaple paper
and pen was OK.

David GLAUDE




----
Election-methods mailing list - see http://electorama.com/em for list info
Rob Speer
2003-11-12 00:46:07 UTC
Permalink
Post by R.G.'Stumpy' Marsh
I disagree. As far as auditing is concerned, I think this sort of mass
near-random testing is ideal. Sure the vast majority may not check
their votes, but enough people on all sides of the election would
check to make systematic fraud nigh on certain to be detected.
The only problem I see is with privacy, particularly the
afore-mentioned stand-over problem. One way to get around that would
be to provide the option of creating false receipts as well as the
real one. The false receipt would be identical to the real one in
every respect, except that the fake one has a false random ID and a
false checksum.
Everyone gets this idea as a solution to vote coercion. But you (most
likely) can't have anonymity, verifiability, and freedom from coercion
at the same time.

(No, I haven't seen a proof of this, but I'd like to; it would be a sort
of "Arrow's Theorem" for voting mechanisms.)

The "fake votes" method breaks verifiability, because you have no way to
verify that YOUR vote was not marked as "fake". If there is such a way,
then the thug demanding your vote can verify the same thing.
--
Rob Speer

----
Election-methods mailing list - see http://electorama.com/em for list info
David GLAUDE
2003-11-11 23:44:02 UTC
Permalink
Post by Eron Lloyd
An interesting idea for sure. I think computer ballots would be a great way to
produce an error-free paper tally,
Why do you want error-free paper tally?

In Belgium when paper voting, I have the right to draw a little house or
a mickey mouse (without beeing affraid of Disney corporation for
copyright violation since my vote is anonymous). Of course my vote is
not valid... but I expressed my fealing. This is important in a country
where voting is mandatory.

In Belgium when e-voting (magnetic card), it is not possible to draw
anything or vote in an invalid way. Actually you can only vote blanc
(wich is technicaly the same but not from a psychological point of view).
Post by Eron Lloyd
I think the biggest difference that "E-voting" has that makes it more
challenging than on-line banking or ATMs is that it has to remain fully
anonomous yet just as accountable and auditable as financial transactions.
While we don't want registered voters being associated with their votes, we
still need to make sure that indeed registered voters were the only ones
voting. Very challenging.
So challenging that I believe it is impossible.

I believe that when you vote and there is something (a computer) between
my vote (in my mind) and the expression of my vote (the "recording" of
my vote), then the secrecy of my vote is lost. I am forced to share my
secret with the computer, the author of the program, ...

Even if they don't have my name and other information about me (that
should be keeped completely separated with no way to correlate the data
[not even by timestamping]) it is not my vote anymore... but our vote
(shared with the author of the program) and not secret anymore.
Post by Eron Lloyd
Interesting perspective. I'll take this in and process it for a while, and see
if I can draw out a workflow. The Internet verification would be *very*
tricky, however.
In some country, "dead can vote". This is hard to do since you need them
to come to the pooling station to register and vote. But it exist.

With internet voting, it is a lot easyer to make our dead vote since
they don't have to show up durring the election day and they can vote
from where they are (in heaven I hope).

So think twice, when I go voting (physicaly) my ID is checked, my face
is compare to the picture on my id card.
Post by Eron Lloyd
As I mentioned above, there is *always* a problem using "black-box"
proprietary software, and hardware too.
And also using open source software writen in proprietary language with
no reference open source implementation. The whole thing running on a
proprietary operating system.
Post by Eron Lloyd
Relying on voters to audit their votes is unacceptable,
Who else can audit their vote???
Expert? Whitness? Big Brother?
Post by Eron Lloyd
That might just mean pen and paper for a long time.
PAPER RULES.

David GLAUDE
http://www.poureva.be/



----
Election-methods mailing list - see http://electorama.com/em for list info
Eron Lloyd
2003-11-12 00:00:47 UTC
Permalink
Hi David,
Post by David GLAUDE
Post by Eron Lloyd
An interesting idea for sure. I think computer ballots would be a great
way to produce an error-free paper tally,
Why do you want error-free paper tally?
In Belgium when paper voting, I have the right to draw a little house or
a mickey mouse (without beeing affraid of Disney corporation for
copyright violation since my vote is anonymous). Of course my vote is
not valid... but I expressed my fealing. This is important in a country
where voting is mandatory.
In Belgium when e-voting (magnetic card), it is not possible to draw
anything or vote in an invalid way. Actually you can only vote blanc
(wich is technicaly the same but not from a psychological point of view).
Error-free simply meaning it should accurately reflect the voter's intent.
There should still be mechanisms to voice dissent, which can come in the form
of write-ins (also easy using a computer interface) or what should be
required on every ballot line, the "None of the Above" option. This also
would be recorded on the resulting paper reciept. If you have other ideas,
like walking up to an official and putting a lighter to your ballot, that's
fine by me.

You mentioned that voting is mandatory. This is very interesting. What
penalties apply if you don't vote, and what is the resulting turnout
percentile?
Post by David GLAUDE
Post by Eron Lloyd
I think the biggest difference that "E-voting" has that makes it more
challenging than on-line banking or ATMs is that it has to remain fully
anonomous yet just as accountable and auditable as financial
transactions. While we don't want registered voters being associated with
their votes, we still need to make sure that indeed registered voters
were the only ones voting. Very challenging.
So challenging that I believe it is impossible.
I believe that when you vote and there is something (a computer) between
my vote (in my mind) and the expression of my vote (the "recording" of
my vote), then the secrecy of my vote is lost. I am forced to share my
secret with the computer, the author of the program, ...
Even if they don't have my name and other information about me (that
should be keeped completely separated with no way to correlate the data
[not even by timestamping]) it is not my vote anymore... but our vote
(shared with the author of the program) and not secret anymore.
Yes, along with banking, grocery shopping and automated telephone systems,
things are getting more impersonal. There are still issues that need to be
addressed, regardless of the system being used.
Post by David GLAUDE
Post by Eron Lloyd
Interesting perspective. I'll take this in and process it for a while,
and see if I can draw out a workflow. The Internet verification would be
*very* tricky, however.
In some country, "dead can vote". This is hard to do since you need them
to come to the pooling station to register and vote. But it exist.
With internet voting, it is a lot easyer to make our dead vote since
they don't have to show up durring the election day and they can vote
from where they are (in heaven I hope).
So think twice, when I go voting (physicaly) my ID is checked, my face
is compare to the picture on my id card.
There are a variety of software and hardware solutions that can aid in this
area.
Post by David GLAUDE
Post by Eron Lloyd
As I mentioned above, there is *always* a problem using "black-box"
proprietary software, and hardware too.
And also using open source software writen in proprietary language with
no reference open source implementation. The whole thing running on a
proprietary operating system.
Not in my system. Python (and C) is the language, Linux is the operating
system, Qt is the GUI toolkit, MySQL is the database backend. All are
available in GPL or looser licenses, and could be built against reference
sources. Short of consumer PC hardware used, the entire system would be
completely transparent.
Post by David GLAUDE
Post by Eron Lloyd
Relying on voters to audit their votes is unacceptable,
Who else can audit their vote???
Expert? Whitness? Big Brother?
The machine would keep an electronic tally as well.
Post by David GLAUDE
Post by Eron Lloyd
That might just mean pen and paper for a long time.
PAPER RULES.
Unfortunately, we don't use paper now. We use lever machines with a mechanical
counter. The county is looking at DRE machines for 2005, and we really can't
turn back. We have to only hope for as open a DRE system as possible. One
last though, a computer interface would be able to assist voters in casting
STVs, like Approval, IRV, or Condorcet. People don't properly read paper
ballots. You should see how many mistakes happen on voter registration cards!
I'd be very interested in any studies looking at the usability issues of
purality-majority vs. STV or other types of paper ballots. For advanced
voting methods I'm not sure paper would succeed well.
Post by David GLAUDE
David GLAUDE
http://www.poureva.be/
In democracy,

Eron
Post by David GLAUDE
----
Election-methods mailing list - see http://electorama.com/em for list info
---
[This E-mail scanned for viruses by Declude Virus]
--
Eron Lloyd
Technology Coordinator
Lancaster County Library
***@lancaster.lib.pa.us
Phone: 717-239-2116
Fax: 717-394-3083

---
[This E-mail scanned for viruses by Declude Virus]

----
Election-methods mailing list - see http://electorama.com/em for list info
David GLAUDE
2003-11-12 01:00:50 UTC
Permalink
This list is about "advance voting technique"...

My question to this list is wich of those technique can be used in large
scale election using only manual counting and computing of the result.

I see too many peaple that push e-voting in order to introduce "complex"
counting system. Where I think for election complexity is the opponent
of transparency, security and clear understanding on the effect of my
vote on the potential result.
Post by Eron Lloyd
Post by David GLAUDE
In Belgium when paper voting, I have the right to draw a little house or
a mickey mouse (without beeing affraid of Disney corporation for
copyright violation since my vote is anonymous). Of course my vote is
not valid... but I expressed my fealing. This is important in a country
where voting is mandatory.
In Belgium when e-voting (magnetic card), it is not possible to draw
anything or vote in an invalid way. Actually you can only vote blanc
(wich is technicaly the same but not from a psychological point of view).
Error-free simply meaning it should accurately reflect the voter's intent.
If my intent is to fill every option (even if they contradict each
other)... You want to use ratio button where only one choice is
possible... I want check-box for all option (actually I want paper and pen).
Post by Eron Lloyd
There should still be mechanisms to voice dissent, which can come in the form
of write-ins (also easy using a computer interface) or what should be
required on every ballot line, the "None of the Above" option.
"None of the Above" is "White" or "Blanc" voting.
Post by Eron Lloyd
This also
would be recorded on the resulting paper reciept. If you have other ideas,
like walking up to an official and putting a lighter to your ballot, that's
fine by me.
This actually one of the only way in Belgium to make your vote counted
as NULL. You have to make it not anonymous (like writing your name on it).

I was working at the pooling station where 1100 peaple had to vote. One
hangry computer aware citizen did not want to vote... and I gave him the
only possible solution to his problem (He wanted to vote NULL to protest
against the use of computer for election).

I was the second one to protest... but I had a formal lettre with me and
a carbon copy to keep a trace. ;-)

Now out of the 1100 to come, only 1000 came.
So it is actually 0,2% that were against e-voting!
Post by Eron Lloyd
You mentioned that voting is mandatory. This is very interesting. What
penalties apply if you don't vote, and what is the resulting turnout
percentile?
For the exact number of peaple voting... please check (in french):
<<Pascal DELWIT, Des élections sans électeurs ? Causes et conséquences
de l'abstention aux élections européennes de juin 1999, Les Cahiers du
Cevipol, vol. 99, n°3, 1999. en format PDF, en format ZIP (405 Ko)>>
http://www.ulb.ac.be/soco/cevipol/cahiers/cahier99-3.pdf

Belgium, Grece, Luxembourg have mandatory voting.
[In Italy it is "almost mandatory"(???).]

1979 1984 1989 1994 1999
CE-UE (vote non obligatoire) 61,29 58,99 54,19 55,19 48,00
CE-UE(vote obligatoire) 91,23 86,21 84,94 79,71 79,36

EU 1999 election % of vote / citizen supposed to vote
Belgique 91,29 92,19 90,73 90,56 90,96
Grèce 80,54 79,97 71,24 70,27
Luxembourg 88,90 88,80 87,60 88,54 86,63

EU 1999 election % of valid vote / citizen supposed to vote
Belgique 80,04 82,09 83,13 82,74 84,74
Grèce 80,54 79,97 71,24 70,27
Luxembourg 80,30 80,60 78,60 79,74 79,13

For Belgium I think.
Arround 10% of the citizen do not present themself to vote.
Arround 5% of the citizen voting do vote 'blanc' or 'NULL'.

In Belgium (and in Greece) no penalty are practicaly applyed...

But in Belgium penalty are as far as I know...
If you get notified that you did not vote for the 3rd time, then
financial and potential prison. I think that if you continue not to
vote... then you loose your citizen right to vote. ;-) LoL.

It is like punishing tentative scuicide by death penalty.
Post by Eron Lloyd
Yes, along with banking, grocery shopping and automated telephone systems,
things are getting more impersonal. There are still issues that need to be
addressed, regardless of the system being used.
There is no secrecy between me and my bank.
The know how much is in my account and I have paper copies of every
transaction. (Paper audit trail).

Same for my shopping list and my telephone call. In order to pay the
bill, they need to know what I consume...

It is not the same for election where secrecy is the internationnal rule.
Post by Eron Lloyd
Post by David GLAUDE
So think twice, when I go voting (physicaly) my ID is checked, my face
is compare to the picture on my id card.
There are a variety of software and hardware solutions that can aid in this
area.
Give me biometrics and ADN test to make sure my vote is anonymous and my
twin will have no right to vote after me. (all of that remotely)

There are well known, well tested procedure and technique available
since ever to do that. Paper, Pen, Printed ballot, ID card, printed
elector list, witness, ...
Post by Eron Lloyd
Not in my system. Python (and C) is the language, Linux is the operating
system, Qt is the GUI toolkit, MySQL is the database backend. All are
available in GPL or looser licenses, and could be built against reference
sources. Short of consumer PC hardware used, the entire system would be
completely transparent.
How do I check that the binary code running is the compilation of those
reference source code? (without interupting the system).
How do you make a security/logic analyse of so many lines of code?
How does a normal citizen trust the system??? trust an expert?
Post by Eron Lloyd
Post by David GLAUDE
Post by Eron Lloyd
Relying on voters to audit their votes is unacceptable,
Who else can audit their vote???
Expert? Whitness? Big Brother?
The machine would keep an electronic tally as well.
Now you get 2 differents result... the paper result and the electronic
result... what do you do? Cancel election? Use the paper everywhere? Use
electronic everywhere?

Also if what is on paper and what is on the screen (or where I did
click) is not the same... what do you do?
Post by Eron Lloyd
Post by David GLAUDE
Post by Eron Lloyd
That might just mean pen and paper for a long time.
PAPER RULES.
Unfortunately, we don't use paper now. We use lever machines with a mechanical
counter. The county is looking at DRE machines for 2005, and we really can't
turn back. We have to only hope for as open a DRE system as possible. One
Your only hope is to print a paper audit trail and to count those paper.
The push for DRE was made to avoid recount like in Florida...
Where the use of DRE make it even more important to have recount
(including full recount at random place)...
Post by Eron Lloyd
last though, a computer interface would be able to assist voters in casting
STVs, like Approval, IRV, or Condorcet. People don't properly read paper
ballots. You should see how many mistakes happen on voter registration cards!
I'd be very interested in any studies looking at the usability issues of
purality-majority vs. STV or other types of paper ballots. For advanced
voting methods I'm not sure paper would succeed well.
If it is not applicable on paper... then do not call them "advenced
voting methods". You are going backward I am affraid.

David GLAUDE



----
Election-methods mailing list - see http://electorama.com/em for list info
Stephane Rouillon
2003-11-12 01:30:43 UTC
Permalink
Post by David GLAUDE
Post by Eron Lloyd
There should still be mechanisms to voice dissent, which can come in the form
of write-ins (also easy using a computer interface) or what should be
required on every ballot line, the "None of the Above" option.
"None of the Above" is "White" or "Blanc" voting.
For single-winner methods there is no difference between a blank ballot
or a "none of the above" ballot.

However, for multiple-winner (a legislative chamber) elections, that
difference
can be treated to produce different consequences. As an example,
the model I promote on Fair Vote Canada's site uses that information,
"A Preferential, Totally Proportional Electoral System" (SPPA),
http://www.fairvotecanada.org/phpBB/viewforum.php?forum=1&511
As a consequence, if voters express that choice, they can choose to
be represented by a good loser from another district instead of the less
bad
candidate in their district.

Please, you are welcome to comment.

Stéphane
Eron Lloyd
2003-11-12 03:26:38 UTC
Permalink
Post by David GLAUDE
This list is about "advance voting technique"...
My question to this list is wich of those technique can be used in large
scale election using only manual counting and computing of the result.
A very good question. For the most part any advanced voting method can be
captured on paper, but how it *scales* is indeed something to look into.
Post by David GLAUDE
I see too many peaple that push e-voting in order to introduce "complex"
counting system. Where I think for election complexity is the opponent
of transparency, security and clear understanding on the effect of my
vote on the potential result.
Post by Eron Lloyd
Post by David GLAUDE
In Belgium when paper voting, I have the right to draw a little house or
a mickey mouse (without beeing affraid of Disney corporation for
copyright violation since my vote is anonymous). Of course my vote is
not valid... but I expressed my fealing. This is important in a country
where voting is mandatory.
In Belgium when e-voting (magnetic card), it is not possible to draw
anything or vote in an invalid way. Actually you can only vote blanc
(wich is technicaly the same but not from a psychological point of view).
Error-free simply meaning it should accurately reflect the voter's intent.
If my intent is to fill every option (even if they contradict each
other)... You want to use ratio button where only one choice is
possible... I want check-box for all option (actually I want paper and pen).
Post by Eron Lloyd
There should still be mechanisms to voice dissent, which can come in the
form of write-ins (also easy using a computer interface) or what should
be required on every ballot line, the "None of the Above" option.
"None of the Above" is "White" or "Blanc" voting.
Not true. When a ballot item is left blank, it can be interpreted several
ways. One is the way you mentioned, but it could also mean that they either
missed that item or were unsure. By explicitly selecting "None of the Above",
it sends a clear message. In a three way single-seat winner-take-all race, if
the winner wins (with say 37%) but more votes are cast for NOTA, it sends a
clear message to the candidate that they will be operating without the will
or mandate of the majority, which could only be inferred otherwise (like here
in the US, where Bush won without a majority vote or clear lead).
Post by David GLAUDE
Post by Eron Lloyd
This also
would be recorded on the resulting paper reciept. If you have other
ideas, like walking up to an official and putting a lighter to your
ballot, that's fine by me.
This actually one of the only way in Belgium to make your vote counted
as NULL. You have to make it not anonymous (like writing your name on it).
I was working at the pooling station where 1100 peaple had to vote. One
hangry computer aware citizen did not want to vote... and I gave him the
only possible solution to his problem (He wanted to vote NULL to protest
against the use of computer for election).
I was the second one to protest... but I had a formal lettre with me and
a carbon copy to keep a trace. ;-)
Now out of the 1100 to come, only 1000 came.
So it is actually 0,2% that were against e-voting!
Interesting.
Post by David GLAUDE
Post by Eron Lloyd
You mentioned that voting is mandatory. This is very interesting. What
penalties apply if you don't vote, and what is the resulting turnout
percentile?
<<Pascal DELWIT, Des élections sans électeurs ? Causes et conséquences
de l'abstention aux élections européennes de juin 1999, Les Cahiers du
Cevipol, vol. 99, n°3, 1999. en format PDF, en format ZIP (405 Ko)>>
http://www.ulb.ac.be/soco/cevipol/cahiers/cahier99-3.pdf
Belgium, Grece, Luxembourg have mandatory voting.
[In Italy it is "almost mandatory"(???).]
1979 1984 1989 1994 1999
CE-UE (vote non obligatoire) 61,29 58,99 54,19 55,19 48,00
CE-UE(vote obligatoire) 91,23 86,21 84,94 79,71 79,36
EU 1999 election % of vote / citizen supposed to vote
Belgique 91,29 92,19 90,73 90,56 90,96
Grèce 80,54 79,97 71,24 70,27
Luxembourg 88,90 88,80 87,60 88,54 86,63
EU 1999 election % of valid vote / citizen supposed to vote
Belgique 80,04 82,09 83,13 82,74 84,74
Grèce 80,54 79,97 71,24 70,27
Luxembourg 80,30 80,60 78,60 79,74 79,13
For Belgium I think.
Arround 10% of the citizen do not present themself to vote.
Arround 5% of the citizen voting do vote 'blanc' or 'NULL'.
In Belgium (and in Greece) no penalty are practicaly applyed...
But in Belgium penalty are as far as I know...
If you get notified that you did not vote for the 3rd time, then
financial and potential prison. I think that if you continue not to
vote... then you loose your citizen right to vote. ;-) LoL.
It is like punishing tentative scuicide by death penalty.
Good analogy. Thanks for the stats, as well.
Post by David GLAUDE
Post by Eron Lloyd
Yes, along with banking, grocery shopping and automated telephone
systems, things are getting more impersonal. There are still issues that
need to be addressed, regardless of the system being used.
There is no secrecy between me and my bank.
The know how much is in my account and I have paper copies of every
transaction. (Paper audit trail).
Same for my shopping list and my telephone call. In order to pay the
bill, they need to know what I consume...
It is not the same for election where secrecy is the internationnal rule.
Post by Eron Lloyd
Post by David GLAUDE
So think twice, when I go voting (physicaly) my ID is checked, my face
is compare to the picture on my id card.
There are a variety of software and hardware solutions that can aid in
this area.
Give me biometrics and ADN test to make sure my vote is anonymous and my
twin will have no right to vote after me. (all of that remotely)
There are well known, well tested procedure and technique available
since ever to do that. Paper, Pen, Printed ballot, ID card, printed
elector list, witness, ...
Post by Eron Lloyd
Not in my system. Python (and C) is the language, Linux is the operating
system, Qt is the GUI toolkit, MySQL is the database backend. All are
available in GPL or looser licenses, and could be built against reference
sources. Short of consumer PC hardware used, the entire system would be
completely transparent.
How do I check that the binary code running is the compilation of those
reference source code? (without interupting the system).
How do you make a security/logic analyse of so many lines of code?
How does a normal citizen trust the system??? trust an expert?
It would be quite hard to do (see my previous post). However, these issues
must be addressed, as such systems are being deployed all over the place. By
developing an open alternative will at least serve as a good reference model.
Post by David GLAUDE
Post by Eron Lloyd
Post by David GLAUDE
Post by Eron Lloyd
Relying on voters to audit their votes is unacceptable,
Who else can audit their vote???
Expert? Whitness? Big Brother?
The machine would keep an electronic tally as well.
Now you get 2 differents result... the paper result and the electronic
result... what do you do? Cancel election? Use the paper everywhere? Use
electronic everywhere?
No...both are used to cross-validate the other. A random ID on the ballot and
in the database will retain the same votes, so if a recount is called, both
are there for auditing.
Post by David GLAUDE
Also if what is on paper and what is on the screen (or where I did
click) is not the same... what do you do?
Post by Eron Lloyd
Post by David GLAUDE
Post by Eron Lloyd
That might just mean pen and paper for a long time.
PAPER RULES.
Unfortunately, we don't use paper now. We use lever machines with a
mechanical counter. The county is looking at DRE machines for 2005, and
we really can't turn back. We have to only hope for as open a DRE system
as possible. One
Your only hope is to print a paper audit trail and to count those paper.
The push for DRE was made to avoid recount like in Florida...
Where the use of DRE make it even more important to have recount
(including full recount at random place)...
DREs aren't designed to avoid recounts. Recounts can and must be possible in
any voting system. Agreed.
Post by David GLAUDE
Post by Eron Lloyd
last though, a computer interface would be able to assist voters in
casting STVs, like Approval, IRV, or Condorcet. People don't properly
read paper ballots. You should see how many mistakes happen on voter
registration cards! I'd be very interested in any studies looking at the
usability issues of purality-majority vs. STV or other types of paper
ballots. For advanced voting methods I'm not sure paper would succeed
well.
If it is not applicable on paper... then do not call them "advenced
voting methods". You are going backward I am affraid.
It's not me, just my government ;-)

Eron
Post by David GLAUDE
David GLAUDE
---
[This E-mail scanned for viruses by Declude Virus]
---
[This E-mail scanned for viruses by Declude Virus]

----
Election-methods mailing list - see http://electorama.com/em for list info
Dave Ketchum
2003-11-12 20:09:51 UTC
Permalink
On Tue, 11 Nov 2003 22:26:38 -0500 Eron Lloyd wrote:

There were a zillion posts yesterday on this thread - and I offer ONE
response to all - the above is simply the newest I read.

I also reviewed: Re: [EM] Securing electronic elections

VALIDATING DRE VOTING MACHINES (MY thoughts and proposal):

A CD (or DVD) will be used for this - one that can record everything of
interest that occurs for this machine for this election, but does not
allow for rewriting to change what has been written. All references to
"CD" below are to this single disc. Seems there are different techniques
for making CDs:
Manufacture them with fixed, unchangeable, content.
Permit erasing and rewriting.
Permit writing ONE time, with no provision in the CD or the "burner"
that does the writing to change content once written - what I WANT.

Program written on CD - likely by vendor, for this is identical for all in
state, or even nation. Program compiled from open source such as Linux,
such that anyone interested and capable can have done validation. Here we
are talking of COMPLETE program, including whatever may be labeled
"operating system", etc.

Ballot definitions written on CD. Likely in multiple records such as
state info and county info.

CD mounted in DRE. BTW - computer in DRE must be standard, for closed
design computer can include gimmicks we are trying to avoid. At one time
Sequoia was using Z80s - zillions of those have been made so buying them
off the shelf should avoid any funny stuff.

Program and ballot definitions loaded from CD.

Test voting permitted at this point? Anyway nothing recorded. Also, test
voting could be done with this CD on any DRE at this point to verify
whether ballot is correct, as well as on precinct DRE before polls open.

DRE locked to prevent modifications during voting.

DRE adds anything of interest to memory.

Inspectors provide unique identification as part of above.

DRE SHALL NOT be connected or connectable to the internet, for connecting
makes the internet part of the DRE and there is no way to validate that.

Record complete memory content on CD. This record can only be produced at
this time - includes inspector identification and vote totals (which
better be all zeroes).

Polls open and voting proceeds.

Polls close and vote counts and ballots recorded on CD (permissible to
record ballots on CD while polls open, but NO record of ballots containing
less than 100? ballots unless record is ALL votes cast on this DRE -
purpose of minimum size records is maintaining voter secrecy).

Machine unlocked and CD filed as record. Content can be validated against
a master compiled from the official source with this DRE's ballot
definitions included.

BTW - with the open source validated and actual DRE content recorded,
there will be little need to actually do the final validation mentioned
above - few will want to get caught having done something illegal.

BTW - also little need for recounts, but they are doable from the ballots
recorded on the CD.

VALIDATION RECORD

MUCH LESS need for this than with closed and secret program source.

If it is done, it BETTER maintain voter secrecy: These printed ballot
copies may be LOOKED at, but NOT TOUCHED by voter - they go in s ballot
box and inspectors are directed to shuffle them when polls close (so that
it is not possible to look at top ballot in box and know this was voted by
the last voter).

VOTING DETAILS:

Whether the person claiming to be a proper voter, voting the permitted
once, is valid - is of interest but I see no need for my getting involved
in this post.

DRE should be prepared to offer help in whatever languages are used
significantly in the precinct. Major uses are to describe voting methods
when you get past Plurality; also to present referenda and other topics
readably. To clarify - a welcome page can say "welcome" in every language
supported, and the DRE can then use whichever the voter chooses.

Also, DRE should be helping verify that voter intent is recorded,
including that ballot is valid and complete (but I would permit
incompleteness when that is clearly voter intent).

BTW - DREs BETTER provide better description of referenda (ballot
questions) than what I just saw on New York ballots this month - they
abbreviate to what will fit in allotted space on the ballot - sometimes
shrinking the understandability out.

New York demands a full face ballot - not acceptable, for the full face
gets cramped when there are many candidates.

One problem Florida got into in 2000 was bad choice as to arrangement when
number of candidates made a ballot too crowded. That was paper, but the
same thing could happen with full face DREs.

Perhaps should demand that voter look at each face at least once.

If there are validation records, they need printing AFTER voter has
completed selection - voter is looking at them only to verify between:
They look right, as expected.
The DRE has failed, for they do not match the voters selections.

Another post wants these validation records to be the actual ballots to be
counted, rather than the machine being a complete DRE. I would still want
the machine to obey everything else I state, for too many voters are NOT
going to inspect these records carefully. Another thought would be for
DRE to be complete but these validation records be the official count.

I have the ballots being recorded in memory and copied to the CD for
recount purposes. Even the recording in memory step requires random
ordering to preserve secrecy.

DREs must permit write-ins.

While voters should have less need for assistance with DREs, voter should
control who does any needed helping (except if election personnel get
involved, it should be personnel from more than one party - NEEDED, for a
single person can be corruptly partisan even if an election worker).

BTW - many with disabilities HATE to have to ask for assistance - it is
REASONABLE for DRE construction and ballot design and content to let as
many of these as practical vote without assistance.

A post mentioned voters being afraid to use a DRE. In New York we permit
what we call an affidavit ballot - a paper ballot for someone who CLAIMS
to be a proper voter but for whom there is no record. We let them vote
with paper ballots and validate these for proper voter identity afterwards
(these paper ballots go in envelopes like absentee ballots to preserve
secrecy). Someone afraid to use the DRE could be allowed to use this form
of paper ballot, marked to be counted without requiring later voter
validation.
Post by Eron Lloyd
Post by David GLAUDE
This list is about "advance voting technique"...
My question to this list is wich of those technique can be used in large
scale election using only manual counting and computing of the result.
A very good question. For the most part any advanced voting method can be
captured on paper, but how it *scales* is indeed something to look into.
EM is into BOTH methods that could be implemented with manual counting,
and methods worth discussing for theory, but very unlikely to suit Glaube
or myself for public elections.

Plurality is countable manually, but has problems we should DEMAND escape
from.

Condorcet, which is the method of counting ranked choice ballots that
I see as better than IRV, is a bit more complex for manual counting, yet
is simple enough that people should have little trouble understanding it.
Post by Eron Lloyd
Post by David GLAUDE
I see too many peaple that push e-voting in order to introduce "complex"
counting system. Where I think for election complexity is the opponent
of transparency, security and clear understanding on the effect of my
vote on the potential result.
Eron Lloyd complained that, while he could express unhappiness by marking

up a paper ballot, e-voting would not tolerate anything similar.


He could vote blanc (blank), but is not satisfied by that.

Paper or e-vote CAN permit none-of-the-above (NOTA). This is a COUNTABLE
expression of unhappiness with choices offered:
Can simply embarrass the candidates if they are disliked enough.
Or, NOTA can get elected if there is enough unhappiness (unable to
serve, but that doe not require special substitution provisions in law,
for it can happen to live candidates).


Of course, if he is required to vote (as Belgium seems to demand) and
objects to e-voting, the most I would agree to is whatever could easily be
provided for (to just not vote for any candidate is not enough, for voters
can do that in error and the DRE should warn that it is a possible error).

BTW - on 11/10 I mentioned to EM about DRE: having source for a DRE voting
system, on MY disk, in Linux and in use in Canberra (Australian Capital
Territory),
--
***@clarityconnect.com people.clarityconnect.com/webpages3/davek
Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026
Do to no one what you would not want done to you.
If you want peace, work for justice.

----
Election-methods mailing list - see http://electorama.com/em for list info
David GLAUDE
2003-11-11 23:25:52 UTC
Permalink
Post by Ken Johnson
Eron - I share your enthusiasm for open, secure, and fair elections, but
I don't think open-source software is necessarily the solution. What is
more important is that the process be transparent and independently
verifiable by anyone - not just by a few computer specialists.
Open source is not the solution... but all computer program used for the
election should be Open source to be transparent.
Post by Ken Johnson
After making my vote, the voting machine gives me a receipt - much like
a bank teller machine - containing a record of my vote and a
randomly-generated vote ID number. I check the printed receipt for
correctness, seal it, and have a polling agent stamp it with a unique
serialization number that is assigned to me and recorded, along with my
name and address, as evidence of my vote. The voting machine has no
information about the serialization number or about my identity, and
there is no record - other than my stamped voting receipt - identifying
me with the computer-generated vote ID. In essence, there are two
completely autonomous, non-communicating information systems - a
computer database associating vote ID's with votes, and a second system
(perhaps comprising only written records) associating vote serialization
numbers with voters.
The votes are counted by the computer, and the entire database of votes
and vote ID's is placed on the Internet so that any voter can log on and
verify that their vote was properly recorded. Independent auditors can
also download the entire database to verify the tally. Authorized
parties (e.g. law enforcement) may access the vote serialization data to
verify that only legally-registered voters have voted. If any
discrepancy is sufficient to potentially affect the outcome of the
election, then the election is nullified. Furthermore, if sufficiently
many people claim that their votes were not properly recorded, they
would present their voting receipts to a judge to be reviewed in
confidence (this is the only situation in which the association between
a voter and thier vote might become known to another party), and if the
discrepancy is confirmed the election is nullified.
NO

It is not acceptable for the voter to run out of the voting location
with a receipt. This mean I have something that proof my vote. I could
be forced to show my receipt and if I did not vote as I was asked...
face the consequence.

The secrecy of the vote make it impossible to have a hardcopy you take
at home!!! Not even a magic number secretly encoded or else.
Post by Ken Johnson
With this type of process there is no problem using "black-box",
proprietary voting software, because it gives the voters themselves (not
just a few compter experts) the ability to confirm correctness of the
result.
There is always a problem using "black-box".
Even if you find another way (not the one above) to make it acceptable
to use "black-box", you are still wrong and open-source is a MUST.

In Belgium we went to court (and win) to have access to the code of the
election.

David GLAUDE




----
Election-methods mailing list - see http://electorama.com/em for list info
Forest Simmons
2003-11-12 21:35:17 UTC
Permalink
Post by David GLAUDE
It is not acceptable for the voter to run out of the voting location
with a receipt. This mean I have something that proof my vote. I could
be forced to show my receipt and if I did not vote as I was asked...
face the consequence.
The secrecy of the vote make it impossible to have a hardcopy you take
at home!!! Not even a magic number secretly encoded or else.
What if you were given several receipts, and only you know which is the
real one. One of the fake receipts could be used to satisfy the mafia.

Forest

----
Election-methods mailing list - see http://electorama.com/em for list info
Eric Gorr
2003-11-12 21:47:53 UTC
Permalink
Post by Forest Simmons
What if you were given several receipts, and only you know which is the
real one. One of the fake receipts could be used to satisfy the mafia.
Don't think this would work.

For election verification purposes, should you complain that your
specific vote was not recorded properly, a third party would need to
be able to verify that the receipt you gave them was valid.


I was also interested in attempting to verify the information you
provided in an earlier message:

Besides the outright scandals there are the suspicious results:
For example, three Republican candidates in three separate elections
counted by machines supplied by the same company with tight Republican
connections win by the exact same margin of votes, some improbable number
like 10,800.

I have checked hightowers lowdown...is the the article you grabbed
that information from:

http://www.hightowerlowdown.org/articles/oct03_v5_n10/oct03_v5_n10_1.cfm

but was unable to read the entire article as I am uncertain whether I
want to subscribe.

Does anyone happen to have URLs to newspaper reports on these
incidents and numbers?
--
== Eric Gorr ========= http://www.ericgorr.net ========= ICQ:9293199 ===
"Therefore the considerations of the intelligent always include both
benefit and harm." - Sun Tzu
== Insults, like violence, are the last refuge of the incompetent... ===
----
Election-methods mailing list - see http://electorama.com/em for list info
Forest Simmons
2003-11-12 22:22:34 UTC
Permalink
The incident I referred to is described on page four of the October
"Lowdown."

It says, "In Canal County, Texas, three Republican candidates experienced
an astonishing coincidence when the electronic machines declared them
victors in their respective races by the exact same margin of 18,181
votes."

Hightower credits the grist for this article to Bev Harris, David Allen,
and "a supportive group of programmers, engineers, and academics" who have
put together a website at blackboxvoting.org.
Post by Eric Gorr
Post by Forest Simmons
What if you were given several receipts, and only you know which is the
real one. One of the fake receipts could be used to satisfy the mafia.
Don't think this would work.
For election verification purposes, should you complain that your
specific vote was not recorded properly, a third party would need to
be able to verify that the receipt you gave them was valid.
I think the real solution is the proposal by Eron LLoyd and Dave Ketchum
of paper ballots output by the machine, and verified on the spot by the
voter, no receipt necessary. It would be at least as secure as current
vote by mail system that we have here in Oregon.

Forest




----
Election-methods mailing list - see http://electorama.com/em for list info
David GLAUDE
2003-11-13 00:02:03 UTC
Permalink
Post by Forest Simmons
Post by David GLAUDE
It is not acceptable for the voter to run out of the voting location
with a receipt. This mean I have something that proof my vote. I could
be forced to show my receipt and if I did not vote as I was asked...
face the consequence.
The secrecy of the vote make it impossible to have a hardcopy you take
at home!!! Not even a magic number secretly encoded or else.
What if you were given several receipts, and only you know which is the
real one. One of the fake receipts could be used to satisfy the mafia.
What was the goal of that receipts???
1) To remember who you voted for?
or
2) To verify your vote was counted?

1) is silly.
If 2) is possible for you, it is possible for the mafia too. ;-)

David GLAUDE



----
Election-methods mailing list - see http://electorama.com/em for list info
Ernest Prabhakar
2003-11-13 00:38:07 UTC
Permalink
Post by David GLAUDE
Post by Forest Simmons
Post by David GLAUDE
It is not acceptable for the voter to run out of the voting location
with a receipt. This mean I have something that proof my vote. I could
be forced to show my receipt and if I did not vote as I was asked...
face the consequence.
The secrecy of the vote make it impossible to have a hardcopy you take
at home!!! Not even a magic number secretly encoded or else.
What if you were given several receipts, and only you know which is the
real one. One of the fake receipts could be used to satisfy the mafia.
What was the goal of that receipts???
1) To remember who you voted for?
or
2) To verify your vote was counted?
1) is silly.
If 2) is possible for you, it is possible for the mafia too. ;-)
I don't get #2 at all. I've actually been confused by this. If by
receipt we mean a full plaintext list of all the votes you made, then I
can see how it would be a security risk. However, it would think it
would be fairly trivial to create an ecrypted receipt that could
-verify- a vote without actually revealing the vote (at least without
massive conspiracy).

For example, each vote could be used to create a 'private key - public
key' pair, as in public key infrastructures (PKI). The private key
would be used to hash a cumulative vote tally, and the public key would
be given to the voter (along with: you are the 1523rd voter). It
should be mathematically possible to audit the vote tallies, and for
the voter to confirm that his private key was used at a given step,
without revealing any information about the private key. The first
voter would hash a random seed, so that even his/her vote would not be
decipherable.

I may not have all the details right, but given the asymmetry of
knowledge in PKI there should be some mechanism for separating
validation from exposure.

-- Ernie P.

-----------
RadicalCentrism.org is an anti-partisan think tank near Sacramento,
California, dedicated to developing and promoting the ideals of
Reality, Character, Community and Humility as expressed in our Radical
Centrist Manifesto: Ground Rules of Civil Society
<http://RadicalCentrism.org/manifesto.html>

----
Election-methods mailing list - see http://electorama.com/em for list info
Rob Speer
2003-11-13 01:08:42 UTC
Permalink
Post by Ernest Prabhakar
Post by David GLAUDE
What was the goal of that receipts???
1) To remember who you voted for?
or
2) To verify your vote was counted?
1) is silly.
If 2) is possible for you, it is possible for the mafia too. ;-)
I don't get #2 at all. I've actually been confused by this. If by
receipt we mean a full plaintext list of all the votes you made, then I
can see how it would be a security risk. However, it would think it
would be fairly trivial to create an ecrypted receipt that could
-verify- a vote without actually revealing the vote (at least without
massive conspiracy).
For example, each vote could be used to create a 'private key - public
key' pair, as in public key infrastructures (PKI). The private key
would be used to hash a cumulative vote tally, and the public key would
be given to the voter (along with: you are the 1523rd voter). It
should be mathematically possible to audit the vote tallies, and for
the voter to confirm that his private key was used at a given step,
without revealing any information about the private key. The first
voter would hash a random seed, so that even his/her vote would not be
decipherable.
So you get to confirm that you voted, but not that your vote went to the
person you wanted to vote for?

I don't think that's what people are looking for in verifiability.

Then again, it's probably the best kind of verifiablity you can get
without enabling coercion. But that's a really complicated system for
such a small gain.
--
Rob Speer

----
Election-methods mailing list - see http://electorama.com/em for list info
Ernest Prabhakar
2003-11-13 01:37:07 UTC
Permalink
Hi Rob,
Post by Rob Speer
So you get to confirm that you voted, but not that your vote went to the
person you wanted to vote for?
I don't think that's what people are looking for in verifiability.
Okay, I wasn't entirely clear.
Post by Rob Speer
Then again, it's probably the best kind of verifiablity you can get
without enabling coercion. But that's a really complicated system for
such a small gain.
Well, the only other option I can think of is to have a 'trusted third
party' "C". Each voters 'seed' would be encrypted by C public key, and
can only be decrypted by C. If C was a completely distinct system,
then voter V could go to a secure location, where their identity would
be verified by other means (e.g., photo ID), and then view the results
of their vote in a secure environment.

This isn't totally anonymous, but it would allow spot-checking in an
environment completely independent of that used by the voting system.

-- Ernie P.
Post by Rob Speer
Post by Ernest Prabhakar
Post by David GLAUDE
What was the goal of that receipts???
1) To remember who you voted for?
or
2) To verify your vote was counted?
1) is silly.
If 2) is possible for you, it is possible for the mafia too. ;-)
I don't get #2 at all. I've actually been confused by this. If by
receipt we mean a full plaintext list of all the votes you made, then I
can see how it would be a security risk. However, it would think it
would be fairly trivial to create an ecrypted receipt that could
-verify- a vote without actually revealing the vote (at least without
massive conspiracy).
For example, each vote could be used to create a 'private key - public
key' pair, as in public key infrastructures (PKI). The private key
would be used to hash a cumulative vote tally, and the public key would
be given to the voter (along with: you are the 1523rd voter). It
should be mathematically possible to audit the vote tallies, and for
the voter to confirm that his private key was used at a given step,
without revealing any information about the private key. The first
voter would hash a random seed, so that even his/her vote would not be
decipherable.
So you get to confirm that you voted, but not that your vote went to the
person you wanted to vote for?
I don't think that's what people are looking for in verifiability.
Then again, it's probably the best kind of verifiablity you can get
without enabling coercion. But that's a really complicated system for
such a small gain.
--
Rob Speer
----
Election-methods mailing list - see http://electorama.com/em for list info
----
Election-methods mailing list - see http://electorama.com/em for list info
Alex Small
2003-11-13 01:43:31 UTC
Permalink
Post by Rob Speer
So you get to confirm that you voted, but not that your vote went to the
person you wanted to vote for?
I don't think that's what people are looking for in verifiability.
Then again, it's probably the best kind of verifiablity you can get
without enabling coercion. But that's a really complicated system for
such a small gain.
I believe that George Will once proposed eliminating the anonymous ballot.
The rationale was that if people are voting illegally, it should be
possible to delete those illegal votes when the crime is discovered.
Forgive me if I'm mistaken in my recollection.

It's always interesting how conservatives are convinced that massive
numbers of illegal immigrants and felons are swarming American voting
booths. I've worked at a polling place 3 times now, and I have yet to see
all that many people of any type showing up. If there is in fact a steady
stream of voters crossing the Rio Grande illegally, they sure aren't going
to my polling place, nor are many other voters.



Alex


----
Election-methods mailing list - see http://electorama.com/em for list info
David GLAUDE
2003-11-13 11:48:07 UTC
Permalink
Post by Alex Small
I believe that George Will once proposed eliminating the anonymous ballot.
I don't know if US do respect international treaty...
But they all say the vote should be anonymous for general election (they
don't talk about local election).
Post by Alex Small
The rationale was that if people are voting illegally, it should be
possible to delete those illegal votes when the crime is discovered.
Forgive me if I'm mistaken in my recollection.
The legality of a persone comming to vote must be verified on the day of
the election...

List of valid voter should be produce in advance with a chance for the
elector to verify them and check if he is present and his dead father is
not present anymore.

I am not familiar with US way of voting... but this is the way it work
in Belgium. Remember voting is mendatory in my country.
Post by Alex Small
It's always interesting how conservatives are convinced that massive
numbers of illegal immigrants and felons are swarming American voting
booths. I've worked at a polling place 3 times now, and I have yet to see
all that many people of any type showing up. If there is in fact a steady
stream of voters crossing the Rio Grande illegally, they sure aren't going
to my polling place, nor are many other voters.
Remember that with remote e-voting they will be able to vote from the
internet without having to cross the Rio Grande. ;-)

David GLAUDE



----
Election-methods mailing list - see http://electorama.com/em for list info
Dave Ketchum
2003-11-14 03:17:30 UTC
Permalink
Post by David GLAUDE
Post by Alex Small
I believe that George Will once proposed eliminating the anonymous ballot.
I don't know if US do respect international treaty...
But they all say the vote should be anonymous for general election (they
don't talk about local election).
Those of us thinking seriously on this topic want anonymity across the
board (partly, we vote for most offices on the same day - national thru
local).
Post by David GLAUDE
Post by Alex Small
The rationale was that if people are voting illegally, it should be
possible to delete those illegal votes when the crime is discovered.
Forgive me if I'm mistaken in my recollection.
The legality of a persone comming to vote must be verified on the day of
the election...
Oops:
I can turn up at the polls at 8:59 pm in New York State. I can mail
in an absentee ballot the day before election day (meaning noone knows of
it til days later).

In other words, we need a bit of flexibility.

When I turn up at the polls and, for whatever reason, I am not recognized
as legitimate, I file a paper affidavit ballot - something that goes in an
envelope like an absentee ballot, so no one sees my vote until the
envelope is opened (and then all these paper ballots go in a ballot box so
that no one is sure which of them is mine). Before opening, the
affidavits on those envelopes get approved or rejected.

If the election is close and the debating is bitter, it can take days to
make the decisions and be able to complete counting the votes.
Post by David GLAUDE
List of valid voter should be produce in advance with a chance for the
elector to verify them and check if he is present and his dead father is
not present anymore.
One thing we do in New York is mail a card to each voter telling them
where the polling place is (such can move, for getting too many voters for
a single polling place, and for other reasons). The Post Office
returns undeliverable cards (not perfect, for the postman may not know
that Joe is dead or moved out, and whoever is still there may discard the
card, but we try).
Post by David GLAUDE
I am not familiar with US way of voting... but this is the way it work
in Belgium. Remember voting is mendatory in my country.
Post by Alex Small
It's always interesting how conservatives are convinced that massive
numbers of illegal immigrants and felons are swarming American voting
booths. I've worked at a polling place 3 times now, and I have yet to see
all that many people of any type showing up. If there is in fact a steady
stream of voters crossing the Rio Grande illegally, they sure aren't going
to my polling place, nor are many other voters.
Remember that with remote e-voting they will be able to vote from the
internet without having to cross the Rio Grande. ;-)
Some of us reject internet voting for being uncontrollable in many other ways.
Post by David GLAUDE
David GLAUDE
--
***@clarityconnect.com people.clarityconnect.com/webpages3/davek
Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026
Do to no one what you would not want done to you.
If you want peace, work for justice.

----
Election-methods mailing list - see http://electorama.com/em for list info
Ken Johnson
2003-11-13 12:45:36 UTC
Permalink
Post by David GLAUDE
It is not acceptable for the voter to run out of the voting location
with a receipt. This mean I have something that proof my vote. I could
be forced to show my receipt and if I did not vote as I was asked...
face the consequence.
The secrecy of the vote make it impossible to have a hardcopy you take
at home!!! Not even a magic number secretly encoded or else.
I agree that it is not acceptable for the voter to be given a voting
receipt if they don't want one. The voting machine can ask "Do you want
an auditable voting receipt?"; if not you just click "No". But I feel
strongly that I should have the OPTION of being able to verify that my
particular ballot was counted the way I voted, and no one but me should
have access to the information identifying me with my vote.

I see no reason why elections cannot be run with degree of accuracy,
reliability, and professionalism as financial transactions. The kinds of
errors and general sloppiness that typify election processes would be
absoutely intolerable in the financial industry. Computerized financial
transactions are reliable because they are traceable and auditable;
elections are not. The individual voter has no way to confirm that their
vote has been properly counted. The idea that we should fully entrust
the security of our electoral process to a few whiz-bang computer
experts just seems a little too "Big-Brotherish" to me, and I would like
to be able to verify for myself that my vote got counted.

Ken Johnson



----
Election-methods mailing list - see http://electorama.com/em for list info
Rob Speer
2003-11-13 14:43:18 UTC
Permalink
Post by Ken Johnson
I agree that it is not acceptable for the voter to be given a voting
receipt if they don't want one. The voting machine can ask "Do you want
an auditable voting receipt?"; if not you just click "No". But I feel
strongly that I should have the OPTION of being able to verify that my
particular ballot was counted the way I voted, and no one but me should
have access to the information identifying me with my vote.
But they will, and making it optional doesn't help.

If you have the option of verifying your ballot, then someone has the
option of paying you $20 for your verifiable vote receipt. Or
threatening you if you don't get a receipt and give it to them.

As far as I can tell, there are two reasonable ways to handle
verification:

* Give everyone a number to verify their vote; post all the votes along
with the voter numbers. Then anyone can hypothetically check that the
votes have been counted correctly. You must realize that if you do
this in a large election, you are creating an open (or black) market
for votes.
* Don't do it. This is the only option for public elections.
--
Rob Speer

----
Election-methods mailing list - see http://electorama.com/em for list info
Forest Simmons
2003-11-13 22:03:57 UTC
Permalink
Post by Rob Speer
Post by Ken Johnson
I agree that it is not acceptable for the voter to be given a voting
receipt if they don't want one. The voting machine can ask "Do you want
an auditable voting receipt?"; if not you just click "No". But I feel
strongly that I should have the OPTION of being able to verify that my
particular ballot was counted the way I voted, and no one but me should
have access to the information identifying me with my vote.
But they will, and making it optional doesn't help.
If you have the option of verifying your ballot, then someone has the
option of paying you $20 for your verifiable vote receipt. Or
threatening you if you don't get a receipt and give it to them.
As far as I can tell, there are two reasonable ways to handle
* Give everyone a number to verify their vote; post all the votes along
with the voter numbers. Then anyone can hypothetically check that the
votes have been counted correctly. You must realize that if you do
this in a large election, you are creating an open (or black) market
for votes.
* Don't do it. This is the only option for public elections.
--
Here in Oregon almost all voters vote by mail, just like voting absentee,
except from home.

This is for all elections, including the presidential election.

The hardest part about this is the ease of losing your ballot before
getting around to filling it out.

So far nobody has come over and tried to bribe me or coerce me into voting
one way or another.

There is a statement about the penalty for election fraud on the envelope
that you sign (the outside envelope).

The inside envelope is called the "ballot secrecy envelope."

I believe that the systems proposed by Dave Ketchum and Eron Lloyd are
much more fool proof than this Oregon system, but the e systems currently
used in some parts of this country are vastly inferior, so it appears that
we are moving backwards rather than forwards in this area.

I hope this isn't part of the democracy education that Bush is so
graciously scattering abroad to all of the backward countries that don't
seem to understand who's really supposed to be in charge of resource
distribution, etc.

Forest

----
Election-methods mailing list - see http://electorama.com/em for list info
Eron Lloyd
2003-11-13 22:25:44 UTC
Permalink
Post by Forest Simmons
Post by Rob Speer
Post by Ken Johnson
I agree that it is not acceptable for the voter to be given a voting
receipt if they don't want one. The voting machine can ask "Do you want
an auditable voting receipt?"; if not you just click "No". But I feel
strongly that I should have the OPTION of being able to verify that my
particular ballot was counted the way I voted, and no one but me should
have access to the information identifying me with my vote.
But they will, and making it optional doesn't help.
If you have the option of verifying your ballot, then someone has the
option of paying you $20 for your verifiable vote receipt. Or
threatening you if you don't get a receipt and give it to them.
As far as I can tell, there are two reasonable ways to handle
* Give everyone a number to verify their vote; post all the votes along
with the voter numbers. Then anyone can hypothetically check that the
votes have been counted correctly. You must realize that if you do
this in a large election, you are creating an open (or black) market
for votes.
* Don't do it. This is the only option for public elections.
--
Here in Oregon almost all voters vote by mail, just like voting absentee,
except from home.
This is for all elections, including the presidential election.
The hardest part about this is the ease of losing your ballot before
getting around to filling it out.
Vote by mail, huh? I need some more info on the pros/cons of this. Especially
ensuring votes get to the election bureau. Do you get a return receipt? The
problem I see with this is just the same I witness with voter registration
cards...people just don't follow instructions properly. I think that is one
of my biggest reasons for supporting e-voting.
Post by Forest Simmons
So far nobody has come over and tried to bribe me or coerce me into voting
one way or another.
There is a statement about the penalty for election fraud on the envelope
that you sign (the outside envelope).
The inside envelope is called the "ballot secrecy envelope."
I believe that the systems proposed by Dave Ketchum and Eron Lloyd are
much more fool proof than this Oregon system, but the e systems currently
used in some parts of this country are vastly inferior, so it appears that
we are moving backwards rather than forwards in this area.
I hope this isn't part of the democracy education that Bush is so
graciously scattering abroad to all of the backward countries that don't
seem to understand who's really supposed to be in charge of resource
distribution, etc.
Heh. If anyone hasn't already, be sure to check out the UN's ACE project,
available @ www.aceproject.org. There is a ton of information on holding and
administering elections. I am curious as to the best practices in protecting
electoral integrity in developing democracies, especially those rife with
violent internal conflict (South America, for instance).

Also, if everyone hasn't already, *PLEASE* head over to www.blackboxvoting.com
and print out the full-text to Black Box Voting, the book. The final 3
chapters just appeared on-line, and the hard-copy should be out shortly. I
think we really have a crisis on our hands, and with the right promotion,
this book could become the next "Unsafe at Any Speed". All other election
issues aside, this should deserve our full attention.
Post by Forest Simmons
Forest
Eron
Post by Forest Simmons
----
Election-methods mailing list - see http://electorama.com/em for list info
---
[This E-mail scanned for viruses by Declude Virus]
--
Eron Lloyd
Technology Coordinator
Lancaster County Library
***@lancaster.lib.pa.us
Phone: 717-239-2116
Fax: 717-394-3083

---
[This E-mail scanned for viruses by Declude Virus]

----
Election-methods mailing list - see http://electorama.com/em for list info
Richard Moore
2003-11-13 02:53:38 UTC
Permalink
Post by David GLAUDE
Post by Forest Simmons
Post by David GLAUDE
It is not acceptable for the voter to run out of the voting location
with a receipt. This mean I have something that proof my vote. I
could
Post by David GLAUDE
Post by Forest Simmons
Post by David GLAUDE
be forced to show my receipt and if I did not vote as I was asked...
face the consequence.
The secrecy of the vote make it impossible to have a hardcopy you
take
Post by David GLAUDE
Post by Forest Simmons
Post by David GLAUDE
at home!!! Not even a magic number secretly encoded or else.
What if you were given several receipts, and only you know which
is the
Post by David GLAUDE
Post by Forest Simmons
real one. One of the fake receipts could be used to satisfy the
mafia.
Post by David GLAUDE
What was the goal of that receipts???
1) To remember who you voted for?
or
2) To verify your vote was counted?
1) is silly.
If 2) is possible for you, it is possible for the mafia too. ;-)
As Ernest pointed out, public key cryptography could make (2) possible
without the need for a plaintext receipt. However, it would still be
possible for shady characters to coerce your vote, and ask you for
your private key to decrypt the receipt in order for you to avoid
punishment. Which is where Forest's idea comes in.

In fact each receipt could be a fairly large file that has multiple
ballots encrypted in it, and you could choose the one you would want
to display to the criminals. For the intended verification purposes,
the *real* ballot would have a digital signature that could only be
verified by the election authorities. And you can verify which of the
many is really yours by means of a second digital signature, or a code
word that you designate or remember (e.g., each displayable ballot
could also display a random dictionary word, and you would remember
the word associated with your designated ballot).

All this seems too complicated to be practical. Just think of having
to go in and specify your real vote *plus* the fake one for the crime
lords. And to keep straight which is which when providing the
information to the voting machine.

Finally, the "fake receipt with digital signature" scheme falls apart
when you realize that a clever programmer could have his software sign
the ballot on your receipt that he/she likes best.

-- Richard

----
Election-methods mailing list - see http://electorama.com/em for list info
Ken Johnson
2003-11-16 18:46:10 UTC
Permalink
We tested this known as "Ticketting" in Belgium and there is a
theoretical Denial of Service attack on the election process. If a set
of voter complain that the ticket (or the screen or both) does not
display what they wanted to vote for. Since there is no way to know what
they wanted to vote... we have a problem. Since it could be true...
maybe election should be stopped!
To deal with this, in Belgium by law, if the printed vote is not what
you like, you call the president of the voting burreau and you vote
again in front of him. And sorry for the secrecy of your vote. He will
click on "OK vote match" for you. ;-)
Another possible approach - The voting machine should query the user to
verify that the displayed and printed results are correct, and press
"Accept" BEFORE the result is posted. If the user rejects the vote, the
machine gives them a cancellation receipt as evidence that their vote
has not yet been entered in the system.
It is easy for the computer to always show the right answer when asked
while keeping the election result altered.
As long as not all the vote (or a majority of them) have been verified,
it is possible to trick the one that try to verify.
Partial recount are useless... How do you know the computer was not just
showing what you wanted to see?
The computer doesn't need to know what you want to see. Rather than
querying the computer to validate a specific vote, you just download the
entire vote database, sorted by vote serialization ID, and inspect it
directly.
David GLAUDE
--__--__--
Message: 5
REQUIREMENTS FOR ELECTRONIC VOTING SYSTEMS (EVSs)
1. MUST enable potential recounts
Why is that a necessity? If the election result is invalidated, just
hold another election. Computerization, combined with robust
verification means, should make voting processes and software as
efficient and reliable as commercial financial systems, so this should
be an exceptionally rare occurence.

Ken Johnson



----
Election-methods mailing list - see http://electorama.com/em for list info
David GLAUDE
2003-11-16 20:23:07 UTC
Permalink
Post by Ken Johnson
To deal with this, in Belgium by law, if the printed vote is not what
you like, you call the president of the voting burreau and you vote
again in front of him. And sorry for the secrecy of your vote. He will
click on "OK vote match" for you. ;-)
Another possible approach - The voting machine should query the user to
verify that the displayed and printed results are correct, and press
"Accept" BEFORE the result is posted. If the user rejects the vote, the
machine gives them a cancellation receipt as evidence that their vote
has not yet been entered in the system.
This is exactly what we do.
The ticket is printed.
The user is prompted to verify if the printed vote and the on-screen
vote are the same. [Please take note that what is on screen might be
different from the voter intent. Let say I click A and the computer
display B and print B!!! How do I complain?]
* If you accept, the ticket is "CUT" and fall inside the ballot box
(this mean there is a printer and ballot box attach to each voting
machine). The voter can only see one vote (the last one, his own vote)
and has no physical access to the ticket/printer/ballot box.
* If you do not accept, then a CANCEL LINE is printed on the ticket
(paper) as to remind that this paper ballot should not be counted during
the manual recount. But there come the president of the voting place.
Some kind of an alarm ring and he get to help you vote and verify the
behaviour of the machine. This is where you loose the secrecy of your
vote...

I don't know how practicaly it take place because this was experimented
on two location only. I only have the law (and source code) to read in
order to understand what are the possible scenario.

But we have too many vote representation to deal with:
* Voter intent
* On screen vote
* On paper vote (our ticket)
* On the magnetic card vote
* Vote as readed by ballot box
* Vote as counted at the end of the day
* Vote as counted on the ticket at the end of the day

Making sure all those match and will match is difficult.
Post by Ken Johnson
Partial recount are useless... How do you know the computer was not
just showing what you wanted to see?
The computer doesn't need to know what you want to see. Rather than
querying the computer to validate a specific vote, you just download the
entire vote database, sorted by vote serialization ID, and inspect it
directly.
Should I stress one more time to PRINT the database and then verify
whatever you want to verify.
Post by Ken Johnson
1. MUST enable potential recounts
Why is that a necessity? If the election result is invalidated, just
hold another election. Computerization, combined with robust
The point is that in most election we want all the citizen of the state
to vote at the same time without influance of the result of other
location. That's why in my country and other european country, no poll
result can be given in the few days bevore the vote and until all had a
chance to vote.

It would be easy to influance the vote by announcing some partial result
before the end. (Remember Florida). So
Post by Ken Johnson
verification means, should make voting processes and software as
efficient and reliable as commercial financial systems,
I would prefere no software, if software there is then I don't care
about efficiency, but I want reliability of software for spaceship and
nuclear power station. All written in very secure language like ADA and
with pre- and post- condition raising exception is parameter or result
are outside of scope or do not pass some sanity test... I want the code
to be free software or open source for peer review...
Post by Ken Johnson
so this should be an exceptionally rare occurence.
Believe me, shit happen. In 12 years of electronic election in Belgium,
there was no single election without technical problem... be it hardware
or software.

Confidence in the result and user acceptance of electronic voting
decrease each time. ;-)

David GLAUDE




----
Election-methods mailing list - see http://electorama.com/em for list info
Dave Ketchum
2003-11-17 00:24:39 UTC
Permalink
Post by David GLAUDE
Post by Ken Johnson
To deal with this, in Belgium by law, if the printed vote is not what
you like, you call the president of the voting burreau and you vote
again in front of him. And sorry for the secrecy of your vote. He
will click on "OK vote match" for you. ;-)
Another possible approach - The voting machine should query the user
to verify that the displayed and printed results are correct, and
press "Accept" BEFORE the result is posted. If the user rejects the
vote, the machine gives them a cancellation receipt as evidence that
their vote has not yet been entered in the system.
This is exactly what we do.
The ticket is printed.
The user is prompted to verify if the printed vote and the on-screen
vote are the same. [Please take note that what is on screen might be
different from the voter intent. Let say I click A and the computer
display B and print B!!! How do I complain?]
If it displays B AND prints B, you have ZERO cause for complaint - the
printing is EXACTLY CORRECT.

Stepping back, if you intended to click A and managed to get B, THAT
is the time to consider:
Likely your finger slipped - time to go back and correct your
clicking.
The machine is broken, so get this attended to. If there is
refusal to respond to demonstration that machine is broken, time to
declare war.

BTW - the machine - hardware and software - should have been open
source, so we should not be in this path without an unlikely failure
of this sort.

Setup of the ballot definition looks like an easier path to failure here.
Could be design makes it too easy to make mistakes here. Could be
carelessness in setup.
Post by David GLAUDE
* If you accept, the ticket is "CUT" and fall inside the ballot box
(this mean there is a printer and ballot box attach to each voting
machine). The voter can only see one vote (the last one, his own vote)
and has no physical access to the ticket/printer/ballot box.
Agreed.
Post by David GLAUDE
* If you do not accept, then a CANCEL LINE is printed on the ticket
(paper) as to remind that this paper ballot should not be counted during
the manual recount. But there come the president of the voting place.
Some kind of an alarm ring and he get to help you vote and verify the
behaviour of the machine. This is where you loose the secrecy of your
vote...
I am back to broken machine or careless voter. Certainly no reasonable
provision for getting that printed ballot near a printer.
BUT - inspector could be given a way to tell the machine to print a
second copy of the ballot, with this copy canceling the first copy.
Post by David GLAUDE
I don't know how practicaly it take place because this was experimented
on two location only. I only have the law (and source code) to read in
order to understand what are the possible scenario.
* Voter intent
* On screen vote
* On paper vote (our ticket)
* On the magnetic card vote
* Vote as readed by ballot box
* Vote as counted at the end of the day
* Vote as counted on the ticket at the end of the day
Making sure all those match and will match is difficult.
Most of this is simply seeing to proper design such as making it easy
for voter to express intent and minimizing chance of machine failure.
Post by David GLAUDE
Post by Ken Johnson
Partial recount are useless... How do you know the computer was not
just showing what you wanted to see?
The computer doesn't need to know what you want to see. Rather than
querying the computer to validate a specific vote, you just download
the entire vote database, sorted by vote serialization ID, and inspect
it directly.
WRONG - secrecy PROHIBITS attaching an identifying ID to the recorded ballot.
Post by David GLAUDE
Should I stress one more time to PRINT the database and then verify
whatever you want to verify.
The printing is doable - and if it SAYS NO ONE voted as you SAY YOU DID,
then we have finger pointing to sort out.
Post by David GLAUDE
Post by Ken Johnson
1. MUST enable potential recounts
Why is that a necessity? If the election result is invalidated, just
hold another election. Computerization, combined with robust
The point is that in most election we want all the citizen of the state
to vote at the same time without influance of the result of other
location. That's why in my country and other european country, no poll
result can be given in the few days bevore the vote and until all had a
chance to vote.
Your topic makes sense, except I do not see it fitting here.
Post by David GLAUDE
It would be easy to influance the vote by announcing some partial result
before the end. (Remember Florida). So
Ditto.
Post by David GLAUDE
Post by Ken Johnson
verification means, should make voting processes and software as
efficient and reliable as commercial financial systems,
Certainly we NEED more attention to quality than seems to be happening in
the US.

Fact that "commercial financial systems" are acceptably "efficient and
reliable" makes it clear that our first need is to get vendors interested
in doing likewise before they propose getting involved in voting machines.
Post by David GLAUDE
I would prefere no software, if software there is then I don't care
about efficiency, but I want reliability of software for spaceship and
nuclear power station. All written in very secure language like ADA and
with pre- and post- condition raising exception is parameter or result
are outside of scope or do not pass some sanity test... I want the code
to be free software or open source for peer review...
Agreed that efficiency in processing time is of little interest for
the required processing is simple.

Efficiency in program design is IMPORTANT, for design can be made so
stupidly complex as to be impossible to validate.

I was around when Ada (the language) was born and, unless it has
improved A LOT, better if it had died YOUNG. I would have more hope for
Java or Linux.

"Open source" is something we can agree on and EMPHASIZE.
Post by David GLAUDE
Post by Ken Johnson
so this should be an exceptionally rare occurence.
Believe me, shit happen. In 12 years of electronic election in Belgium,
there was no single election without technical problem... be it hardware
or software.
Confidence in the result and user acceptance of electronic voting
decrease each time. ;-)
David GLAUDE
--
***@clarityconnect.com people.clarityconnect.com/webpages3/davek
Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026
Do to no one what you would not want done to you.
If you want peace, work for justice.

----
Election-methods mailing list - see http://electorama.com/em for list info
David GLAUDE
2003-11-17 01:28:12 UTC
Permalink
Post by Dave Ketchum
I was around when Ada (the language) was born and, unless it has
improved A LOT, better if it had died YOUNG. I would have more hope for
Java or Linux.
Ada did reborn in 93 when the X of ADA 9X became 3.

Ada is typicaly a language where type checking is very strong.
It mean many mistake commonly done in other language and only detected
(when it is detected) at runtime will be stop at compilation time.

If you specify that the number of vote for a candidate must be a
positive value, any attempt to turn that number negative will fail!
(including 127+1=-127).

Also Ada is a standardized language with many implementation including
free-software one. So you are not lock with the vendor of the compilator.

Ada is used for many DoD project, if it is good for controling
missile/train/airplane, it should be OK for election. The only risk is
that some company close to military develop the code. ;-)

Anybody attempting to program in Ada must be serious about it (or
creasy). This make sure that startup writing in Visual Basic do not
attempt to write software for election.

Java require a virtual machine that need to be inspected too. And Open
Source JVM are hard to find. The only nice thing about Java is that it
can run inside the chip of a credit card if you have any plan to use
that for election.

Linux is just a kernel, at least it is Free Software.

David GLAUDE




----
Election-methods mailing list - see http://electorama.com/em for list info
Dave Ketchum
2003-11-17 02:45:46 UTC
Permalink
Post by David GLAUDE
Post by Dave Ketchum
I was around when Ada (the language) was born and, unless it has
improved A LOT, better if it had died YOUNG. I would have more hope
for Java or Linux.
Ada did reborn in 93 when the X of ADA 9X became 3.
Could be, for this was after my time.
Post by David GLAUDE
Ada is typicaly a language where type checking is very strong.
It mean many mistake commonly done in other language and only detected
(when it is detected) at runtime will be stop at compilation time.
Strong type checking is a great idea, WHEN done intelligently (if I
remember right, used to be it could get in the way enough that you respond
with conversions that effectively disable it. Get in the habit of that
and you disable it when it might have been useful).

Likewise doing checks at compile time is proper, and Ada WAS NOT the
inventor of that idea.
Post by David GLAUDE
If you specify that the number of vote for a candidate must be a
positive value, any attempt to turn that number negative will fail!
(including 127+1=-127).
Also Ada is a standardized language with many implementation including
free-software one. So you are not lock with the vendor of the compilator.
Agreed you do not want any private language for this purpose, but this
does not restrict us to Ada.
Post by David GLAUDE
Ada is used for many DoD project, if it is good for controling
missile/train/airplane, it should be OK for election. The only risk is
that some company close to military develop the code. ;-)
My bad memories say it did not HAVE to be good to get used on DoD
projects. JOVIAL was a GOOD language, but could not survive the politics
that said Ada must kill it.
Post by David GLAUDE
Anybody attempting to program in Ada must be serious about it (or
creasy). This make sure that startup writing in Visual Basic do not
attempt to write software for election.
Being that election requirements are relatively simple, not clear why this
should push me to Ada.
Post by David GLAUDE
Java require a virtual machine that need to be inspected too. And Open
Source JVM are hard to find. The only nice thing about Java is that it
can run inside the chip of a credit card if you have any plan to use
that for election.
I have trouble visualizing a JVM that could fit in a credit card being a
big deal for either doing an open source version or doing an inspection.
Post by David GLAUDE
Linux is just a kernel, at least it is Free Software.
So I did not get my words right. Still, if I do not do Linux or a JVM, do
I not have a BIG operating system to validate?
Post by David GLAUDE
David GLAUDE
--
***@clarityconnect.com people.clarityconnect.com/webpages3/davek
Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026
Do to no one what you would not want done to you.
If you want peace, work for justice.

----
Election-methods mailing list - see http://electorama.com/em for list info
Ken Johnson
2003-11-19 08:53:23 UTC
Permalink
Sorry, I haven't been paying that much attention to your discussion
about CD ballot recording, but a basic question I have is what
constitues the official, legal record of the votes - the printed
ballots, or the master CD? Which is used to validate the election if a
recount is necessary? In either case, the information in the original
ballots (either paper or CD-recorded) is going to be collected and
aggregated into a secondary record - the ballot database - from which
the election result will be computed. How can it be independently
verified that the secondary record is an accurate representation of the
original ballots? Yes, you can to a full recount of all the original
ballots, but that would only be done under exceptional circumstances if
the courts determine that there is sufficient evidence of election fraud
(with the burden of proof being on the party requesting the recount).
The problem is how can the accuracy of the database be validated as a
matter of routine certification procedures, without having to do a full
recount? My proposal is to put some kind of unique marker or identifier
on the original ballots to indicate where their image is in the
secondary database. After inspecting a small number of randomly-selected
ballots and verifying that they have been recorded properly in the
database (and performing a couple of other simple consistency tests, as
outlined in my last message), the probablility of error will be
vanishingly small.

Are there any statisticians out there? Here's a question: Suppose you
have a two-candidate election with 10,000,000 voters, and the computer
says that candidate A beats candidate B 51% to 49%. How many
randomly-selected ballots would you need to inspect and correlate to the
ballot database to confirm the election result with 99.99% confidence?
On the other hand, if the ballots had no information associating them
with their corresponding database records, how many randomly-selected
ballots would you need to count to achieve the same 99.99% confidence
level? (Maybe a partial recount based on a small random sampling of the
ballots would be a viable alternative to ballot serialization.)

Ken Johnson
After the election each ballot has a home on the CD, with a fixed
position.
This position must get decided before the ballot gets recorded.
It could get decided before the backup copy gets printed.
Thus it could get printed on the backup copy.
BUT, it is NOT ACCEPTABLE for this value to be knowable. So,
find a way to print it without it being seen before polls close and
ballot box gets shuffled, and I have no complaints.
Note that this is an addendum, done after I drafted what follows.
There is information in attaching this serial number to a ballot,
in which case I object, or
There is no such information, in which case I cannot imagine why
you would care.
There is no information connecting the ballot with the voter. The
ballot
serialization is analogous to storing the ballot storage location with
each database record, and it serves no purpose other than enabling
election officials to confirm that individual ballots are correctly
recorded in the database.
If "There is no information" you have not explained why you need the
serials.
If there is information that people can use, we can plan on the wrong
people using it sooner or later.
What is needed is more effort than we have had as to getting it done
right - especially getting vendors to WANT to get it done right -
which present vendor secrecy weakens.
No one talks seriously of shuffling 10,000,000 paper ballots, but New
York law does demand that the few hundred that accumulate in a day at
a polling station SHALL be shuffled BEFORE looking at content.
If only 10 people voted at the station, and they all voted Green Party,
the shuffling won't do much good :) On the other hand, ballot
serialization would be fully randomized so you can't tell from the
database where the votes came from.
Agreed there will be cases where there is no secrecy - such as a
single paper ballot for a precinct where most voting is done via lever
or electronic machines. This has always existed. It also seems less
Election is far from a tie, so the evil doers have problems other
than this one, or
There are other voters who also pleased or displeased the evil
doers, so this one or few non-secret votes matter little.
On this reflector I have been specifying that electronic ballots SHALL
be stored randomly, such that you cannot tell by storage position
where the first or last ballot of the election got stored. The only
detail I am willing to concede is that, if there are too many ballots
at a polling station to all be stored in a "reasonable" sized area,
make the area big enough for reasonable randomizing, and write an
area's worth each time it fills up.
I have also specified that if a paper backup ballot gets printed,
those SHALL go in a ballot box, and the content SHALL get shuffled
just as would have been done with paper ballots without computers.
I do know, from having voted this month, that there is a record made
as to my being the nth voter (and there was ZERO secrecy as to my
being the nth voter). If my ballot automatically ended up in the nth
position in an electronic file there would be ZERO secrecy.
I see no reason why "n" needs to be stored anywhere. Why should anyone
care that you were the n-th voter? All that matters is that there is a
certified record that (1) you are legally registered to vote, (2) you
voted, and (3) you did not vote more than once.
And we have that without your serialization.
We have a serial of sorts - the ballot's position in the records - I
just want ZERO relation of that to voter ID.
Helps nothing if the information is distributed such that the computer
storing the voted ballots knows nothing of voter IDs, and the people
and/or computers recording which voter was nth in line are different.
Troublemakers would have no trouble correlating these two databases.
n should not be stored and the two databases should be entirely
separate
with no way of cross-correlating them. Moreover, I don't think the
second database (the one recording the fact that you voted) need be nor
should be machine-readable. All they need to do is mark off (e.g.
initial, stamp, or red-line) your name on a printed list of registered
voters.
Machine readability is not that important. If the information is
readable by machine for humans, or directly readable by humans, the
wrong humans can do the reading.
The ballot ID is is only used to correlate database ballot records with
paper ballots. This is necessary because the paper ballots - not the
database - constitute the official, legal record of the votes. Any
challenge to the election validity is resolved by inspecting the paper
ballots, not the database, so the computer-generated election result
should not be certified unless and until it is confirmed that the
database correlates to the paper ballots.
There are the same quantity of ballots both places.
And, for each voting pattern, the same quantity both places.
I agree that voter secrecy is a concern, but I think ballot
serialization can be implemented without compromising secrecy. My
greater concern is the possibility that a clever hacker might find a
way
to alter the election results. Security concerns can be partially
alleviated my mandating the use of open-source election software, but I
think it's even more important that the raw data on which the software
operates be freely available and subject to independent verification.
As to the hackers - DO NOT open the door when they knock. This is why
I do not want to involve the internet.
The verification means should be simple, transparent, and should not
require an high level of computer expertise or training to understand
(1) Every printed ballot corresponds to a database ballot record
containing the same vote selections.
As noted above, you can get this far by counting how many of each
pattern exist.
But how do you do it without doing a full manual recount?
(2) No two database records correspond to the same printed ballot.
Needs saying more carefully - defense against errors can include
recording multiple copies of each ballot.
(3) The number of printed ballots equals the number of database
records.
Agreed - though there could be more problems making sure nothing
destructive happened to the printed ballots.
(4) The voting tallies generated from the database agree with the
reported results.
Without unique ballot ID's there is no way to confirm #1 and #2 without
essentially doing a full manual recount and re-creating the full
database. With ballot ID's #2 is a simple uniqueness test. #1 still
requires inspection of the paper ballots, but a small random sample can
be inspected to confirm #1 with very high statistical confidence. (Even
if you counted all the ballots, statistical confidence would not
improve
because people make counting errors.) To fully validate the
election, it
also needs to be confirmed that
(5) Only legally registered voters voted.
(6) No one voted more than once.
(7) The number of voters matches the number of ballots.
These confirmations are made using records (preferably written) having
no relation to the ballot database, except for the total ballot count.
Agreed that 5/6/7 are needed work, but they are outside current
discussion.
Except to the extent that they relate to concerns about voter secrecy,
and the problem of provably certifying accuracy of the election result
without compromising secrecy.
Ken Johnson
----
Election-methods mailing list - see http://electorama.com/em for list info
Dave Ketchum
2003-11-19 17:56:24 UTC
Permalink
Post by Ken Johnson
Sorry, I haven't been paying that much attention to your discussion
about CD ballot recording, but a basic question I have is what
constitues the official, legal record of the votes - the printed
ballots, or the master CD? Which is used to validate the election if a
recount is necessary? In either case, the information in the original
ballots (either paper or CD-recorded) is going to be collected and
aggregated into a secondary record - the ballot database - from which
the election result will be computed. How can it be independently
verified that the secondary record is an accurate representation of the
original ballots? Yes, you can to a full recount of all the original
ballots, but that would only be done under exceptional circumstances if
the courts determine that there is sufficient evidence of election fraud
(with the burden of proof being on the party requesting the recount).
The problem is how can the accuracy of the database be validated as a
matter of routine certification procedures, without having to do a full
recount? My proposal is to put some kind of unique marker or identifier
on the original ballots to indicate where their image is in the
secondary database. After inspecting a small number of randomly-selected
ballots and verifying that they have been recorded properly in the
database (and performing a couple of other simple consistency tests, as
outlined in my last message), the probablility of error will be
vanishingly small.
There seems to be some unnecessary disagreement.

I think of a voting machine as a unit that supports a single voter at a time,
doing NO communication outside the room that contains it. After polls close
and it completes recording the day's activity on its CD, it reports totals
for publication and for summing for larger districts.

I can picture a voting machine with multiple terminals to permit more than
one voter at a time, as seems to be being done by some current vendors.
These terminals MUST be local, for the connections must not go into walls,
etc., that would permit invisible connections to destroy secrecy. Thus
we have, at most, a few thousand votes for matching CD content with
paper ballots.

Should there be disagreements between the two records, we investigate
which to blame for:
Via open source, etc., we should have great confidence in the CD record.
Paper records ARE NOT IMMUNE to errors, accidental or deliberate.

As to secrecy goals:
I am sensitive to vendor trade secrecy claims, but consider that
unaffordable for this election use.
Administration has NO right to secrecy.
Past sad history has demonstrated that voter secrecy protection is essential.

As to voter secrecy, it has been mentioned that there is little when there
are only a few voters. In fact it disappears when there is a single voter in
a count. We only demand that administration not aggravate this problem.
Post by Ken Johnson
Are there any statisticians out there? Here's a question: Suppose you
have a two-candidate election with 10,000,000 voters, and the computer
says that candidate A beats candidate B 51% to 49%. How many
randomly-selected ballots would you need to inspect and correlate to the
ballot database to confirm the election result with 99.99% confidence?
On the other hand, if the ballots had no information associating them
with their corresponding database records, how many randomly-selected
ballots would you need to count to achieve the same 99.99% confidence
level? (Maybe a partial recount based on a small random sampling of the
ballots would be a viable alternative to ballot serialization.)
The statistics problem is not that simple, for you do partial or complete
recounts of precincts, plus validation of central reporting and arithmetic.
Post by Ken Johnson
Ken Johnson
After the election each ballot has a home on the CD, with a fixed
position.
This position must get decided before the ballot gets recorded.
It could get decided before the backup copy gets printed.
Thus it could get printed on the backup copy.
BUT, it is NOT ACCEPTABLE for this value to be knowable. So,
find a way to print it without it being seen before polls close and
ballot box gets shuffled, and I have no complaints.
The above statement could be worth a response for:
If you can do it, we have no problem.
If you cannot, but still insist on these identifications, you are
saying you are NOT for protecting voter secrecy.
Post by Ken Johnson
Note that this is an addendum, done after I drafted what follows.
There is information in attaching this serial number to a ballot,
in which case I object, or
There is no such information, in which case I cannot imagine why
you would care.
There is no information connecting the ballot with the voter. The ballot
serialization is analogous to storing the ballot storage location with
each database record, and it serves no purpose other than enabling
election officials to confirm that individual ballots are correctly
recorded in the database.
If "There is no information" you have not explained why you need the
serials.
If there is information that people can use, we can plan on the wrong
people using it sooner or later.
What is needed is more effort than we have had as to getting it done
right - especially getting vendors to WANT to get it done right -
which present vendor secrecy weakens.
No one talks seriously of shuffling 10,000,000 paper ballots, but New
York law does demand that the few hundred that accumulate in a day at
a polling station SHALL be shuffled BEFORE looking at content.
If only 10 people voted at the station, and they all voted Green Party,
the shuffling won't do much good :) On the other hand, ballot
serialization would be fully randomized so you can't tell from the
database where the votes came from.
Agreed there will be cases where there is no secrecy - such as a
single paper ballot for a precinct where most voting is done via lever
or electronic machines. This has always existed. It also seems less
Election is far from a tie, so the evil doers have problems other
than this one, or
There are other voters who also pleased or displeased the evil
doers, so this one or few non-secret votes matter little.
On this reflector I have been specifying that electronic ballots SHALL
be stored randomly, such that you cannot tell by storage position
where the first or last ballot of the election got stored. The only
detail I am willing to concede is that, if there are too many ballots
at a polling station to all be stored in a "reasonable" sized area,
make the area big enough for reasonable randomizing, and write an
area's worth each time it fills up.
I have also specified that if a paper backup ballot gets printed,
those SHALL go in a ballot box, and the content SHALL get shuffled
just as would have been done with paper ballots without computers.
I do know, from having voted this month, that there is a record made
as to my being the nth voter (and there was ZERO secrecy as to my
being the nth voter). If my ballot automatically ended up in the nth
position in an electronic file there would be ZERO secrecy.
I see no reason why "n" needs to be stored anywhere. Why should anyone
care that you were the n-th voter? All that matters is that there is a
certified record that (1) you are legally registered to vote, (2) you
voted, and (3) you did not vote more than once.
And we have that without your serialization.
We have a serial of sorts - the ballot's position in the records - I
just want ZERO relation of that to voter ID.
Helps nothing if the information is distributed such that the computer
storing the voted ballots knows nothing of voter IDs, and the people
and/or computers recording which voter was nth in line are different.
Troublemakers would have no trouble correlating these two databases.
n should not be stored and the two databases should be entirely separate
with no way of cross-correlating them. Moreover, I don't think the
second database (the one recording the fact that you voted) need be nor
should be machine-readable. All they need to do is mark off (e.g.
initial, stamp, or red-line) your name on a printed list of registered
voters.
Machine readability is not that important. If the information is
readable by machine for humans, or directly readable by humans, the
wrong humans can do the reading.
The ballot ID is is only used to correlate database ballot records with
paper ballots. This is necessary because the paper ballots - not the
database - constitute the official, legal record of the votes. Any
challenge to the election validity is resolved by inspecting the paper
ballots, not the database, so the computer-generated election result
should not be certified unless and until it is confirmed that the
database correlates to the paper ballots.
There are the same quantity of ballots both places.
And, for each voting pattern, the same quantity both places.
I agree that voter secrecy is a concern, but I think ballot
serialization can be implemented without compromising secrecy. My
greater concern is the possibility that a clever hacker might find a way
to alter the election results. Security concerns can be partially
alleviated my mandating the use of open-source election software, but I
think it's even more important that the raw data on which the software
operates be freely available and subject to independent verification.
As to the hackers - DO NOT open the door when they knock. This is why
I do not want to involve the internet.
The verification means should be simple, transparent, and should not
require an high level of computer expertise or training to understand
(1) Every printed ballot corresponds to a database ballot record
containing the same vote selections.
As noted above, you can get this far by counting how many of each
pattern exist.
But how do you do it without doing a full manual recount?
As noted above, this can be done for one or more precincts, not necessarily
the whole district.

Also, those demanding a recount are usually only interested in a single race,
for which doing a recount for a precinct is not a major effort (sort the
paper ballots, count, and compare with reported totals).
Post by Ken Johnson
(2) No two database records correspond to the same printed ballot.
Needs saying more carefully - defense against errors can include
recording multiple copies of each ballot.
(3) The number of printed ballots equals the number of database
records.
Agreed - though there could be more problems making sure nothing
destructive happened to the printed ballots.
(4) The voting tallies generated from the database agree with the
reported results.
Without unique ballot ID's there is no way to confirm #1 and #2 without
essentially doing a full manual recount and re-creating the full
database. With ballot ID's #2 is a simple uniqueness test. #1 still
requires inspection of the paper ballots, but a small random sample can
be inspected to confirm #1 with very high statistical confidence. (Even
if you counted all the ballots, statistical confidence would not improve
because people make counting errors.) To fully validate the election, it
also needs to be confirmed that
(5) Only legally registered voters voted.
(6) No one voted more than once.
(7) The number of voters matches the number of ballots.
These confirmations are made using records (preferably written) having
no relation to the ballot database, except for the total ballot count.
Agreed that 5/6/7 are needed work, but they are outside current
discussion.
Except to the extent that they relate to concerns about voter secrecy,
and the problem of provably certifying accuracy of the election result
without compromising secrecy.
Except, the voting machine effort is only concerned with whatever humans get
presented as voters - and is not concerned as to how validation of these
humans as voters is conducted.
Post by Ken Johnson
Ken Johnson
--
***@clarityconnect.com people.clarityconnect.com/webpages3/davek
Dave Ketchum 108 Halstead Ave, Owego, NY 13827-1708 607-687-5026
Do to no one what you would not want done to you.
If you want peace, work for justice.

----
Election-methods mailing list - see http://electorama.com/em for list info
Ken Johnson
2003-11-24 02:20:03 UTC
Permalink
This is a follow-up to EM Vol 1, #355, Message 1, Re: touch screen
voting machines
Post by Dave Ketchum
...
I think of a voting machine as a unit that supports a single voter at
a time, doing NO communication outside the room that contains it.
After polls close and it completes recording the day's activity on its
CD, it reports totals for publication and for summing for larger
districts.
...
As to voter secrecy, it has been mentioned that there is little when
there are only a few voters. In fact it disappears when there is a
single voter in a count. We only demand that administration not
aggravate this problem.
The summing and publication of vote subtotals for specific geographic
regions (e.g. precincts or districts) is, in my view, a violation of
voter secrecy. For example, someone might say "Oh - you live in that
district that voted 80% Nazi, so you're most probably a Nazi." What's
worse - having someone see my ballot, showing that I voted "Peace and
Freedom", or having someone conclude that I voted Nazi and my not having
any way to prove otherwise? Or maybe an elected governor might think
"that's the district that always votes overwhelmingly against my party,
so I'm not going to fund their much-needed road improvement project -
why bother?" In a sense, reporting district-level election tallies might
be considered a greater violation of privacy than revealing my
individual vote, because no one's going to care much how a particular
individual voted, whereas knowledge of district-level results might
significantly influence governmental decisions. (Granted, such
information can be obtained from independent polls, but polling
information is obtained voluntarily, and there's nothing to prevent me
from lying to pollsters.) Nobody keeps track of my religion, race,
gender, etc. as part of the vote tallying process, and in my view they
shouldn't track my voting locale either.

I would propose the following refinement of the Voter Secrecy provision
of the "Electronic Voting Bill of Rights":

SECRECY:
(1) INDIVIDUAL BALLOTS SHOULD NOT BE TRACEABLE TO SPECIFIC VOTERS.
(2) ELECTION RESULT SUBTOTALS SHOULD NOT BE PUBLISHED OR GENERATED FOR
SPECIFIC KNOWN GROUPS OF VOTERS (SUCH AS GEOGRAPHIC OR SOCIO-ECONOMIC
CLASSES).

To ensure #2 I think it would make sense to send a record of every
ballot (perhaps encrypted) to a central computer, which combines ALL the
ballot records into a SINGLE randomly-indexed database before any vote
tallying is done. If the counting is done manually, or if a manual
recount is required, the process should ensure that the counters do not
know where the votes they are counting come from and that the
intermediate subtotals are not associated with identifiable voter
subgroups. It may be necessary to store original (paper or possibly
CD-recorded) ballots separately for each precinct so that any
discrepancy between the number of voters and the total ballot count can
be traced to the precinct level. However, the original ballots, which
constitute the official, legal record of the vote, could not be viewed
except by appointed election officials or judges under specific
conditions: (1) To corroborate the number of voters to the number of
ballots for a particular precinct, the ballots would be taken out of
storage and counted face down (so that no information about the
precinct's voting preference is viewable). (2) To correlate the official
ballots to the ballot database, or to perform a manual recount, some or
all of the ballots may be viewed by a process in which the people
viewing the ballots do not know where the ballots come from.

In a well-designed process it should rarely, if ever, be necessary to
inspect more than a small statistical sampling of the official ballots
to validate an election result. Regarding Validation, I would also
propose the following Voting Rights provision:

VALIDATION:
(1) IT SHOULD BE POSSIBLE TO PERFORM A FULL RECOUNT BASED ON THE
OFFICIAL BALLOTS, IF NECESSARY.
(2) IT SHOULD BE POSSIBLE TO ROUTINELY AND INDEPENDENTLY VALIDADATE THE
ELECTION (AT LEAST WITHIN SOME REASONABLE STATISTICAL UNCERTAINTY LEVEL)
WITHOUT DOING A FULL RECOUNT.

The validation process #2 should be simple, transparent, and preferably
not require a great deal of technical expertise (e.g. in computers or
statistics) to understand or implement, and the validation should be
applied routinely as part of election certification. Furthermore,
ANYONE should have the right to challenge the election and apply the
validation test independently. As a practical matter, the challenging
party may need to pay a nominal fee to cover inspection-related
expenses, and if multiple validation requests are made then election
officials would have the option of combining them into a single
inspection. Provided that the size of the statistical sampling required
to validate the election is quite small, the validation process would be
fairly simple and inexpensive.

Ken Johnson






----
Election-methods mailing list - see http://electorama.com/em for list info
Eron Lloyd
2003-11-24 16:55:27 UTC
Permalink
Post by Ken Johnson
This is a follow-up to EM Vol 1, #355, Message 1, Re: touch screen
voting machines
Post by Dave Ketchum
...
I think of a voting machine as a unit that supports a single voter at
a time, doing NO communication outside the room that contains it.
After polls close and it completes recording the day's activity on its
CD, it reports totals for publication and for summing for larger
districts.
...
As to voter secrecy, it has been mentioned that there is little when
there are only a few voters. In fact it disappears when there is a
single voter in a count. We only demand that administration not
aggravate this problem.
The summing and publication of vote subtotals for specific geographic
regions (e.g. precincts or districts) is, in my view, a violation of
voter secrecy. For example, someone might say "Oh - you live in that
district that voted 80% Nazi, so you're most probably a Nazi." What's
worse - having someone see my ballot, showing that I voted "Peace and
Freedom", or having someone conclude that I voted Nazi and my not having
any way to prove otherwise? Or maybe an elected governor might think
"that's the district that always votes overwhelmingly against my party,
so I'm not going to fund their much-needed road improvement project -
why bother?" In a sense, reporting district-level election tallies might
be considered a greater violation of privacy than revealing my
individual vote, because no one's going to care much how a particular
individual voted, whereas knowledge of district-level results might
significantly influence governmental decisions. (Granted, such
information can be obtained from independent polls, but polling
information is obtained voluntarily, and there's nothing to prevent me
from lying to pollsters.)
An interesting idea, however it would be tough to approve because (1) Many
states mandate posting poll-level results after closing in their election
code already, and (2) many see poll-level results as another safeguard
against tally tampering between the time the polls close and the time the
full tabulation area recieves the figures. Besides that, as a somewhat
expansion on #2, if you fully take away precinct-level totals, all
custody-transfer tracking disappears, so for instance, my single write-in
cannot be detected when I look at the election results before they are
certified. Sure I voted for that office, but for *which* person? A very
interesting though, indeed. It brings up the question of how important is
anonymity over everything else, especially vs. having another checkpoint.
Besides, you can already gain enough information to decide on an area's
political leanings from the voter registrations.
Post by Ken Johnson
Nobody keeps track of my religion, race,
gender, etc. as part of the vote tallying process, and in my view they
shouldn't track my voting locale either.
This is where I think we would have the most trouble. If I understand you, I
think you are referring to removing all geo-political boundry associations,
which if is the case, will invalidate this idea. No matter how you look at
it, unfortunately geo-political boundaries will always be a problem,
expecially congressional districts. You don't need to look at poll results to
figure out that San Francisco and Madison are liberal hotbeds. This doesn't
even begin to then address the issue of the Electoral College. I'm sure that
mentality of "oh, that district doesn't vote my way, so cut them out of this
appropriations package" exists, but that's why we are (supposed) to have good
representatives to fight for local interests. If that is your concern, it
will not disappear by removing poll-level reporting. Now, removing the locale
associations from legislative bodies and moving to political association
through a PR-type system...is a different story. I think perhaps this more
effectively addresses your concern, which is death by minority party
association. Having representatives selected based on party percentages and
political interests instead of geographic proximity (which really doesn't
matter more) would *force* coalition governments, assuring a truly democratic
structure, which is majority-rule with minority protections.
Post by Ken Johnson
I would propose the following refinement of the Voter Secrecy provision
(1) INDIVIDUAL BALLOTS SHOULD NOT BE TRACEABLE TO SPECIFIC VOTERS.
(2) ELECTION RESULT SUBTOTALS SHOULD NOT BE PUBLISHED OR GENERATED FOR
SPECIFIC KNOWN GROUPS OF VOTERS (SUCH AS GEOGRAPHIC OR SOCIO-ECONOMIC
CLASSES).
To ensure #2 I think it would make sense to send a record of every
ballot (perhaps encrypted) to a central computer, which combines ALL the
ballot records into a SINGLE randomly-indexed database before any vote
tallying is done. If the counting is done manually, or if a manual
recount is required, the process should ensure that the counters do not
know where the votes they are counting come from and that the
intermediate subtotals are not associated with identifiable voter
subgroups. It may be necessary to store original (paper or possibly
CD-recorded) ballots separately for each precinct so that any
discrepancy between the number of voters and the total ballot count can
be traced to the precinct level. However, the original ballots, which
constitute the official, legal record of the vote, could not be viewed
except by appointed election officials or judges under specific
conditions: (1) To corroborate the number of voters to the number of
ballots for a particular precinct, the ballots would be taken out of
storage and counted face down (so that no information about the
precinct's voting preference is viewable). (2) To correlate the official
ballots to the ballot database, or to perform a manual recount, some or
all of the ballots may be viewed by a process in which the people
viewing the ballots do not know where the ballots come from.
In a well-designed process it should rarely, if ever, be necessary to
inspect more than a small statistical sampling of the official ballots
to validate an election result. Regarding Validation, I would also
(1) IT SHOULD BE POSSIBLE TO PERFORM A FULL RECOUNT BASED ON THE
OFFICIAL BALLOTS, IF NECESSARY.
(2) IT SHOULD BE POSSIBLE TO ROUTINELY AND INDEPENDENTLY VALIDADATE THE
ELECTION (AT LEAST WITHIN SOME REASONABLE STATISTICAL UNCERTAINTY LEVEL)
WITHOUT DOING A FULL RECOUNT.
The validation process #2 should be simple, transparent, and preferably
not require a great deal of technical expertise (e.g. in computers or
statistics) to understand or implement, and the validation should be
applied routinely as part of election certification. Furthermore,
ANYONE should have the right to challenge the election and apply the
validation test independently. As a practical matter, the challenging
party may need to pay a nominal fee to cover inspection-related
expenses, and if multiple validation requests are made then election
officials would have the option of combining them into a single
inspection. Provided that the size of the statistical sampling required
to validate the election is quite small, the validation process would be
fairly simple and inexpensive.
In regards to your ideas of validation, I really have to think this over and
see how it would work. One thing I'm concerned about is the fact that ballots
can have 30+ "votes" on each, and in a county muncipal race like mine with 62
municipalities (each having it's own ballot in addition to any county races/
referendums) and over 220 polling places amongst them, a lot rides on where
the votes come from.
Post by Ken Johnson
Ken Johnson
Regards,

Eron
--
Eron Lloyd
Technology Coordinator
Lancaster County Library
***@lancaster.lib.pa.us
Phone: 717-239-2116
Fax: 717-394-3083

---
[This E-mail scanned for viruses by Declude Virus]

----
Election-methods mailing list - see http://electorama.com/em for list info
David GLAUDE
2003-11-24 21:32:19 UTC
Permalink
Post by Eron Lloyd
Post by Ken Johnson
The summing and publication of vote subtotals for specific geographic
regions (e.g. precincts or districts) is, in my view, a violation of
voter secrecy.
In Belgium, we are suppose to mix a minimum of 3 burreau before hand
counting. The same way, with e-voting we need a minimum of 3 floppy
before we count the vote.

One there was a problem with the electronic result of one burreau, they
had to analyse (typical, you get expert, they discuss a bit, "analyse"
and give you THE result that only them can invent). So they published
the result of the city of Antwerpen for all burreau... except 1 (the one
with "technical" problem!

Then a few days later they published the full result, as required by
law!!! And that was it for the secrecy of the vote of those 1000
citizen. So for the first time in Belgian history we knew that at that
specific location in the city, there were X% voting for that "extreme
right and populist party". It was a choc because apparently most peaple
were thinking that in that area the number would be much lower.

So computerized election and e-voting are the ennemy of vote secrecy.
This is already obvious since you give your vote to the computer and the
one controling the machine and the compute programer that wrote the
program. Anybody between me and my vote is a breach of the secrecy of my
vote.
Post by Eron Lloyd
Post by Ken Johnson
For example, someone might say "Oh - you live in that
district that voted 80% Nazi, so you're most probably a Nazi." What's
worse - having someone see my ballot, showing that I voted "Peace and
Freedom", or having someone conclude that I voted Nazi and my not having
any way to prove otherwise?
There is nothing to prove, vote is secret... but if 100% voted that way,
you are in deep trouble with your secret. Actually if 5% vote like that
you are already in trouble.
Post by Eron Lloyd
An interesting idea, however it would be tough to approve because (1) Many
states mandate posting poll-level results after closing in their election
code already, and (2) many see poll-level results as another safeguard
against tally tampering between the time the polls close and the time the
full tabulation area recieves the figures.
I think it is very important to have some kind of partial result that
can be hand recorded by election witness. In Belgium the interior
minister is very happy to explain how we use téléphone, fax, and data
communication to collect partial result. Actually in the election source
code there is some code for X.25 communication (a european standard for
connection oriented packet per packet data communication). But as far as
I know it has been never used.

Now don't forget about local election... At the end of the day you will
vote for your local council. So it is easy to know wich location is
mostly on the left or the right side.
Post by Eron Lloyd
Post by Ken Johnson
Nobody keeps track of my religion, race,
gender, etc. as part of the vote tallying process, and in my view they
shouldn't track my voting locale either.
Did you know that in Greece you have to vote (mandatory) at your place
of birth (this could mean traveling more than 300KM, sometime by boot
then train... and all of that with your own money.

At least in that country, it is possible to follow the voting habit of a
population from birth to death... From a sociological point of view it
might be interesting.
Post by Eron Lloyd
In regards to your ideas of validation, I really have to think this over and
see how it would work. One thing I'm concerned about is the fact that ballots
can have 30+ "votes" on each, and in a county muncipal race like mine with 62
municipalities (each having it's own ballot in addition to any county races/
referendums) and over 220 polling places amongst them, a lot rides on where
the votes come from.
There was a discussion about the need to publish the database of all the
vote before publishing the vote result. That way it is possible to
compute the election result independantly.

If I understand correctly the US election process, you have many (let
say 100) question being asked durring the election day. Let say I want
to be judge... but no one but me vote for me being judge... Obviously
everybody will know I voted for me. If the database of vote is
published, then all of my other secret will be also publish.

So publication of the database seems to be a big no-no. It might mean
"no advanced voting methods".

David GLAUDE



----
Election-methods mailing list - see http://electorama.com/em for list info
Continue reading on narkive:
Loading...