RISKS@SRI-CSL.ARPA (RISKS FORUM, Peter G. Neumann, Coordinator) (03/06/86)
RISKS-LIST: RISKS-FORUM Digest,  Wednesday, 5 Mar 1986  Volume 2 : Issue 22
           FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS 
   ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator
Contents:
  Voting receipt (Mike McLaughlin)
  Voting booths (Jim McGrath)
  Computerized Voting (Tom Benson)
  Replacing humans with computers (Alan M. Marcum)
  Electricity's power (Marianne Mueller)
The RISKS Forum is moderated.  Contributions should be relevant, sound, in good
taste, objective, coherent, concise, nonrepetitious.  Diversity is welcome. 
(Contributions to RISKS@SRI-CSL.ARPA, Requests to RISKS-Request@SRI-CSL.ARPA.)
(Back issues Vol i Issue j stored in SRI-CSL:<RISKS>RISKS-i.j.  Vol 1: MAXj=45)
----------------------------------------------------------------------
Date: Tue, 4 Mar 86 09:47:20 est
From: mikemcl@nrl-csr (Mike McLaughlin)
To: risks@sri-csl
Subject: Voting receipt
Pardon my paranoia, but I would rather not agree, in advance, or afterwards,
to have my vote audited for whatever good purpose.  Absentee ballots are a
problem that I don't worry about too much today... but I might tomorrow.
Besides privacy/secrecy/retribution concerns, I might just forget... or lie... 
about how I voted.  I don't want to be asked to have my vote audited.  The 
fact that I accept or reject the request tells Big Brother something about
how I voted.  
Therefore, I suggest that the magic voting machine *offer* me a voting
"receipt" as soon as I complete my manipulation of its levers or buttons.
The "receipt" would contain the date, time, machine number, serial number of
the vote, and name the candidates and issues for or against whom/which I
voted.  It would NOT list my name.  The precinct voting records would show
only that I voted, in such a fashion as to prohibit tracking of my name to
my receipt number.
If I rejected the receipt, it would fall into a locked hopper, openable only 
upon completion of the voting period.  
If I accepted the receipt, I could check it immediately for accuracy, and ask
for a corrective procedure.  If it was OK, I could save it for a possible
recount; or trash it/burn it/shred and eat with milk & prunes, whatever.  
Machine-retained receipts could be sampled against the retained electronic 
record by voting authorities.  
In the event of a recount, I could return my receipt to the voting
organization directly, or through a third party/blind drop/cutout or whatever.
My receipt should probably also carry a checksum or other method of making it
difficult to tamper with the receipts.  
This proposal is neither fool- nor dictator-proof.  It does provide a method
for personal vote checking, a recount method, and preserves personal 
anonymity.  
	- Mike McLaughlin
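
The receipt proposed in the message above, as an added example that is not part of the original post: a keyed HMAC-SHA256 tag stands in for the "checksum", and the recount rejects altered receipts and repeated serial numbers. The key, the field names and the sample values are constructed assumptions.

```python
import hashlib
import hmac
import json

# Assumption: a per-machine secret key held by the voting authority (constructed value).
MACHINE_KEY = b"constructed-demo-key-machine-42"
FIELDS = ("date", "time", "machine", "serial", "choices")  # no voter name


def _tag(receipt, key):
    # Canonical encoding: fixed field set, sorted keys, no whitespace.
    body = json.dumps({f: receipt[f] for f in FIELDS},
                      sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def issue_receipt(date, time, machine, serial, choices, key=MACHINE_KEY):
    receipt = {"date": date, "time": time, "machine": machine,
               "serial": serial, "choices": dict(choices)}
    receipt["tag"] = _tag(receipt, key)
    return receipt


def verify_receipt(receipt, key=MACHINE_KEY):
    if not all(f in receipt for f in FIELDS) or not isinstance(receipt.get("tag"), str):
        return False
    return hmac.compare_digest(_tag(receipt, key).encode(), receipt["tag"].encode())


def recount(returned, key=MACHINE_KEY):
    """Tally returned receipts; reject altered ones and repeated serial numbers."""
    seen, tally, rejected = set(), {}, []
    for r in returned:
        ident = (r.get("machine"), r.get("serial"))
        if not verify_receipt(r, key):
            rejected.append((ident, "bad tag"))
        elif ident in seen:
            rejected.append((ident, "duplicate"))
        else:
            seen.add(ident)
            for contest, choice in r["choices"].items():
                tally[(contest, choice)] = tally.get((contest, choice), 0) + 1
    return tally, rejected
```

An unkeyed checksum could be recomputed by anyone who altered a receipt; the keyed tag can only be produced by a holder of the machine key.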
------------------------------
Date: Tue 4 Mar 86 22:44:16-EST
From: "Jim McGrath" <MCGRATH%OZ.AI.MIT.EDU@XX.LCS.MIT.EDU>
Subject: Re: Voting booths
To: Dave-Platt%LADC@CISL-SERVICE-MULTICS.ARPA
cc: risks@SRI-CSL.ARPA
Reply-to: mcgrath%mit-oz@mit-mc.arpa
    From: Dave Platt <Dave-Platt%LADC@CISL-SERVICE-MULTICS.ARPA>
    ....  There is a longstanding tradition in this country of
    guaranteeing that an individual can vote his or her conscience,
    without being identified afterwards as "the person who voted for
    Smidget for Congress".
Actually, the "longstanding tradition" is less than a century old (quite
short when you consider our history as spreading back hundreds of years into
colonial times).  Until a wave of reform around the turn of the century, it
was quite usual for the state not to provide any ballots at all.  Instead,
individual voters or local officials would provide the necessary paper.  As
time went on, it became common practice for the political parties to provide
the ballots used in the election.  Since ticket splitting was difficult, and
these ballots were quite distinctive, voting was hardly secret (I recall
that in the El Salvador Presidential election a few years ago the ballots
were of a different color, and the box was clear, making voting an open act).
All this information from my reading a few years back of the 3 election
volumes of the California State Code.
Jim
------------------------------
Date:    Tue, 4 Mar 86 16:27 EST
From: <T3B%PSUVM.BITNET@WISCVM.WISC.EDU>  (Tom Benson)
Subject: Computerized Voting
To:  RISKS@SRI-CSL.ARPA
Larry Polnicky and others have recently been discussing the risks of
computerized voting.  Surely the first principle ought to be the protection
of secret balloting rather than the promotion of the possible convenience of
computerized vote-counting.  There is a (perhaps slightly cumbersome)
solution to the problem of checking accuracy.  Suppose an electronic voting
booth, with a screen and some sort of simple keyboard.  In effect, a
menu-driven ballot on the screen.  The voter fills in his or her choices and
has a chance to go back and correct errors.  At that point, the voter pushes
a button to confirm the ballot, and a printer prints a card ballot, which it
retains behind a transparent screen (it can be read but not altered).  Voter
scans the printed card and is asked whether it is accurate.  At this point,
if it is not, a REVISE or CANCEL button is pushed and the process starts
over with nothing having been recorded (the card is shredded).  When the
screen and card match the voter's intentions, a second CONFIRM button is
pushed and the card is ejected, while the vote is electronically forwarded.
The voter takes the card out of the booth and drops it in a ballot box.
This system would permit absolute secrecy for the individual voter, who
could not be traced to the card or the electronic vote.  But the cards would
be in a ballot box, where they could be counted by hand.  After the election, 
a representative random sample of precinct boxes would be counted by hand,
and matched to the electronic tally, just to audit accuracy.  And in the
case of a re-count, the entire election result could be counted by hand.
   Tom Benson, Department of Speech Communication,
   The Pennsylvania State University, 227 Sparks Building
   University Park, PA 16802           phone 814-238-5277
     {akgua,allegra,ihnp4,cbosgd}!psuvax1!psuvm.bitnet!t3b   (UUCP)
     t3b%psuvm.bitnet@wiscvm.arpa (ARPA)
     T3B@PSUVM    (BITNET)
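
The booth procedure and sample audit described in the message above, as an added example that is not part of the original post: a card is recorded only on the second CONFIRM, and a random sample of precinct boxes is hand-counted against the electronic tally. The class, the function names and the audit seed are hypothetical.

```python
import random
from collections import Counter


class Booth:
    """Hypothetical model of one precinct's booth, ballot box and electronic tally."""

    def __init__(self, precinct):
        self.precinct = precinct
        self.held_card = None        # printed card behind the transparent screen
        self.shredded = 0
        self.electronic = Counter()  # votes forwarded electronically
        self.ballot_box = []         # ejected cards dropped in the box

    def print_card(self, choice):
        if self.held_card is not None:
            raise RuntimeError("a card is already awaiting the voter's decision")
        self.held_card = choice

    def revise(self):
        # REVISE or CANCEL: the card is shredded and nothing is recorded.
        if self.held_card is not None:
            self.shredded += 1
            self.held_card = None

    def confirm(self):
        # Second CONFIRM: eject the card and forward the vote together.
        if self.held_card is None:
            raise RuntimeError("no printed card to confirm")
        card, self.held_card = self.held_card, None
        self.electronic[card] += 1
        self.ballot_box.append(card)


def audit(booths, sample_size, seed):
    """Hand-count a random sample of boxes; return precincts whose counts differ."""
    rng = random.Random(seed)  # seed is an assumption, e.g. drawn publicly
    sample = rng.sample(sorted(booths, key=lambda b: b.precinct), sample_size)
    mismatches = {}
    for b in sample:
        hand = Counter(b.ballot_box)
        diff = {c: (hand[c], b.electronic[c])
                for c in set(hand) | set(b.electronic) if hand[c] != b.electronic[c]}
        if diff:
            mismatches[b.precinct] = diff  # choice -> (hand count, electronic count)
    return mismatches
```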
------------------------------
Date: Mon, 3 Mar 86 19:57:58 PST
From: sun!nescorna!marcum@ucbvax.berkeley.edu (Alan M. Marcum, Consulting)
Subject: Re: Replacing humans with computers
To: ucbvax!risks
In Risks-2.17, Nancy Leveson comments that
	There are reports that commercial pilots are becoming so
	complacent about automatic flight control systems that they are
	averse to intervene when failures do occur and are not reacting
	fast enough (because of the assumption that the computer must
	be right).
While that may be true, one of the things I learned very early during
flight training (I have a private pilot's license with an instrument
rating) is to constantly cross-check indications or directives from an
autopilot, navigation system, or flight control system.  If I have any
reason to suspect the autopilot or the navigation instruments (whether
it be a fault, or a low vacuum indication for vacuum-driven flight
instruments), I take corrective action.  It's my life up there, and
those of my passengers.
------------------------------
Date: Tue 4 Mar 86 20:45:07-PST
From: Marianne Mueller <MASHA@WASHINGTON.ARPA>
Subject: Electricity's power
To: risks@SRI-CSL.ARPA
Monday saw the complete silencing of the cs lab at the Univ of Washington.
"A 13,000-volt feeder cable broke down from 1 a.m. till 4 a.m. but some
buildings on the east side of campus were without power till late in the
morning." (UW Daily, campus rag.)
Although the U's electric system is separate from the city's, "The blackout
in (60 surrounding blocks) occurred when the surge from the University
shutdown `jumped' the City Light circuit breakers that would normally
prevent the spread of a blackout.  Three major City Light circuits were
overloaded," the Daily notes.
So no one could do anything on Monday, the terminals were mercifully blank,
the halls deserted.  The hospital, however, ran on emergency power for three
hours, and they got plenty worried about it.  Our computers died since 3
hours without air conditioning was more than they could take.
Just for the record.
Marianne
------------------------------
End of RISKS-FORUM Digest
************************
-------