Re: OVC-discuss Digest, Vol 37, Issue 10

From: Ronald Crane <voting_at_lastland_dot_net>
Date: Sun Nov 04 2007 - 17:54:28 CST
Hamilton Richards wrote: 
In the open-election-source controversy, the truth (as I see it) is 
pretty simple:...

3. security comes from voter-verified paper ballots
"Voter verified" is an inaccurate and unscientific term because (a) it presumes (b) a sufficient participation rate by (c) a set of participants who have a sufficient error-detection rate in (d) a procedure that, even if executed perfectly, is insufficient to produce "security". As far as I can tell from the (rather sparse) literature, voter "verification" is spotty at best and voters who do it fail to detect most defects. I have never seen a study showing the converse. Thus, a paper ballot handled under this procedure should be called, at best, a "voter-verifiable paper ballot."

Further, as I mentioned earlier, "voter verification" does not in any way impede (a) delay- or denial-of-service attacks; (b) attacks that move candidates about the ballot or drop them from it; (c) attacks that change the presentation of the ballot so as to emphasize or de-emphasize particular objects (remember what happened in Sarasota when some official omitted a header?); or (d) attacks that make it easier (or more difficult) to select a candidate. All of these attacks influence the voter's actual choices, so they do not create the inconsistency between the voter's ballot and her recollection that "voter verification" aims to detect.
This simply disentangles the issue of security from the issue of 
whether source code is open.

If we're not basing our hopes for secure elections on the openness of 
the source code, then

1. whether the typical voter can read the code and understand it 
doesn't  matter

2. whether the code has been tested to the standards of 
flight-control software doesn't matter

3. whether the compiler used to generate the object code is secure 
doesn't matter

4. whether the loader used to install the code in the voting stations 
is secure doesn't matter

5. whether <the code that checks whether the code in the voting 
stations is the correct code> is secure doesn't matter

This is a wonderful example of separation of concerns paying off big-time!
Except that it doesn't because of the above attacks.

BTW, this isn't an argument for general use of open-source vote-casting devices. It's an argument for doing away with such devices except for the tiny proportion of voters who cannot otherwise vote independently. Those devices should, of course, be open source, as should the tabulators (if any) used to count the general population's hand-filled paper ballots.

-R

_______________________________________________
OVC-discuss mailing list
OVC-discuss@listman.sonic.net
http://lists.sonic.net/mailman/listinfo/ovc-discuss
By sending email to the OVC-discuss list, you thereby agree to release the content of your posts to the Public Domain--with the exception of copyrighted material quoted according to fair use, including publicly archiving at http://gnosis.python-hosting.com/voting-project/
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Fri Nov 30 23:17:10 2007

This archive was generated by hypermail 2.1.8 : Fri Nov 30 2007 - 23:17:31 CST