5-Mar-86 17:32:04-PST,8912;000000000000
Mail-From: NEUMANN created at 5-Mar-86 17:29:59
Date: Wed 5 Mar 86 17:29:59-PST
From: RISKS FORUM (Peter G. Neumann, Coordinator)
Subject: RISKS-2.22
Sender: NEUMANN@SRI-CSL.ARPA
To: RISKS-LIST@SRI-CSL.ARPA

RISKS-LIST: RISKS-FORUM Digest, Wednesday, 5 Mar 1986 Volume 2 : Issue 22

FORUM ON RISKS TO THE PUBLIC IN COMPUTER SYSTEMS
ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents:
  Voting receipt (Mike McLaughlin)
  Voting booths (Jim McGrath)
  Computerized Voting (Tom Benson)
  Replacing humans with computers (Alan M. Marcum)
  Electricity's power (Marianne Mueller)

The RISKS Forum is moderated. Contributions should be relevant, sound, in
good taste, objective, coherent, concise, nonrepetitious. Diversity is welcome.
(Contributions to RISKS@SRI-CSL.ARPA, Requests to RISKS-Request@SRI-CSL.ARPA.)
(Back issues Vol i Issue j stored in SRI-CSL:RISKS-i.j. Vol 1: MAXj=45)

----------------------------------------------------------------------

Date: Tue, 4 Mar 86 09:47:20 est
From: mikemcl@nrl-csr (Mike McLaughlin)
To: risks@sri-csl
Subject: Voting receipt

Pardon my paranoia, but I would rather not agree, in advance, or afterwards,
to have my vote audited for whatever good purpose. Absentee ballots are a
problem that I don't worry about too much today... but I might tomorrow.
Besides privacy/secrecy/retribution concerns, I might just forget... or
lie... about how I voted. I don't want to be asked to have my vote audited.
The fact that I accept or reject the request tells Big Brother something
about how I voted.

Therefore, I suggest that the magic voting machine *offer* me a voting
"receipt" as soon as I complete my manipulation of its levers or buttons.
The "receipt" would contain the date, time, machine number, serial number of
the vote, and name the candidates and issues for or against whom/which I
voted. It would NOT list my name.
The precinct voting records would show only that I voted, in such a fashion
as to prohibit tracking of my name to my receipt number.

If I rejected the receipt, it would fall into a locked hopper, openable only
upon completion of the voting period. If I accepted the receipt, I could
check it immediately for accuracy, and ask for a corrective procedure. If it
was OK, I could save it for a possible recount; or trash it/burn it/shred and
eat with milk & prunes, whatever.

Machine-retained receipts could be sampled against the retained electronic
record by voting authorities. In the event of a recount, I could return my
receipt to the voting organization directly, or through a third party/blind
drop/cutout or whatever.

My receipt should probably also carry a checksum or other method of making
it difficult to tamper with the receipts.

This proposal is neither fool- nor dictator-proof. It does provide a method
for personal vote checking, a recount method, and preserves personal
anonymity.

- Mike McLaughlin

------------------------------

Date: Tue 4 Mar 86 22:44:16-EST
From: "Jim McGrath"
Subject: Re: Voting booths
To: Dave-Platt%LADC@CISL-SERVICE-MULTICS.ARPA
cc: risks@SRI-CSL.ARPA
Reply-to: mcgrath%mit-oz@mit-mc.arpa

    From: Dave Platt
    .... There is a longstanding tradition in this country of guaranteeing
    that an individual can vote his or her conscience, without being
    identified afterwards as "the person who voted for Smidget for Congress".

Actually, the "longstanding tradition" is less than a century old (quite
short when you consider our history as spreading back hundreds of years into
colonial times). Until a wave of reform around the turn of the century, it
was quite usual for the state not to provide any ballots at all. Instead,
individual voters or local officials would provide the necessary paper. As
time went on, it became common practice for the political parties to provide
the ballots used in the election.
Since ticket splitting was difficult, and these ballots were quite
distinctive, voting was hardly secret (I recall that in the El Salvador
Presidential election a few years ago the ballots were of a different color,
and the box was clear, making voting an open act).

All this information from my reading a few years back of the 3 election
volumes of the California State Code.

Jim

------------------------------

Date: Tue, 4 Mar 86 16:27 EST
From: (Tom Benson)
Subject: Computerized Voting
To: RISKS@SRI-CSL.ARPA

Larry Polnicky and others have recently been discussing the risks of
computerized voting. Surely the first principle ought to be the protection
of secret balloting rather than the promotion of the possible convenience of
computerized vote-counting.

There is a (perhaps slightly cumbersome) solution to the problem of checking
accuracy. Suppose an electronic voting booth, with a screen and some sort of
simple keyboard. In effect, a menu-driven ballot on the screen. The voter
fills in his or her choices and has a chance to go back and correct errors.
At that point, the voter pushes a button to confirm the ballot, and a printer
prints a card ballot, which it retains behind a transparent screen (it can be
read but not altered). Voter scans the printed card and is asked whether it
is accurate. At this point, if it is not, a REVISE or CANCEL button is pushed
and the process starts over with nothing having been recorded (the card is
shredded). When the screen and card match the voter's intentions, a second
CONFIRM button is pushed and the card is ejected, while the vote is
electronically forwarded. The voter takes the card out of the booth and
drops it in a ballot box.

This system would permit absolute secrecy for the individual voter, who could
not be traced to the card or the electronic vote. But the cards would be in
a ballot box, where they could be counted by hand.
After the election, a representative random sample of precinct boxes would be
counted by hand, and matched to the electronic tally, just to audit accuracy.
And in the case of a re-count, the entire election result could be counted
by hand.

Tom Benson, Department of Speech Communication,
The Pennsylvania State University, 227 Sparks Building
University Park, PA 16802
phone 814-238-5277
{akgua,allegra,ihnp4,cbosgd}!psuvax1!psuvm.bitnet!t3b (UUCP)
t3b%psuvm.bitnet@wiscvm.arpa (ARPA)
T3B@PSUVM (BITNET)

------------------------------

Date: Mon, 3 Mar 86 19:57:58 PST
From: sun!nescorna!marcum@ucbvax.berkeley.edu (Alan M. Marcum, Consulting)
Subject: Re: Replacing humans with computers
To: ucbvax!risks

In Risks-2.17, Nancy Leveson comments that

    There are reports that commercial pilots are becoming so complacent
    about automatic flight control systems that they are averse to intervene
    when failures do occur and are not reacting fast enough (because of the
    assumption that the computer must be right).

While that may be true, one of the things I learned very early during flight
training (I have a private pilot's license with an instrument rating) is to
constantly cross-check indications or directives from an autopilot,
navigation system, or flight control system. If I have any reason to suspect
the autopilot or the navigation instruments (whether it be a fault, or a low
vacuum indication for vacuum-driven flight instruments), I take corrective
action. It's my life up there, and those of my passengers.

------------------------------

Date: Tue 4 Mar 86 20:45:07-PST
From: Marianne Mueller
Subject: Electricity's power
To: risks@SRI-CSL.ARPA

Monday saw the complete silencing of the cs lab at the Univ of Washington.
"A 13,000-volt feeder cable broke down from 1 a.m. till 4 a.m. but some
buildings on the east side of campus were without power till late in the
morning." (UW Daily, campus rag.)
Although the U's electric system is separate from the city's, "The blackout
in (60 surrounding blocks) occurred when the surge from the University
shutdown `jumped' the City Light circuit breakers that would normally prevent
the spread of a blackout. Three major City Light circuits were overloaded,"
the Daily notes.

So no one could do anything on Monday, the terminals were mercifully blank,
the halls deserted. The hospital, however, ran on emergency power for three
hours, and they got plenty worried about it. Our computers died since 3
hours without air conditioning was more than they could take.

Just for the record.

Marianne

------------------------------

End of RISKS-FORUM Digest
************************
-------
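
A sketch of the anonymous receipt and sampling audit described in the "Voting receipt" and "Computerized Voting" messages above, as an added example that is not part of the original digest. A keyed HMAC-SHA256 tag stands in for the proposed "checksum"; the field names, the key, and the sample records are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed key for this example; a real machine key would be provisioned and protected.
MACHINE_KEY = b"constructed-example-key"

def _canonical(fields):
    # Stable byte encoding so the same fields always produce the same tag.
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def issue_receipt(key, timestamp, machine, serial, choices):
    """Build an anonymous receipt: no voter name, only vote data plus a keyed tag."""
    fields = {"timestamp": timestamp, "machine": machine,
              "serial": serial, "choices": choices}
    tag = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "tag": tag}

def verify_receipt(key, receipt):
    """Return True only if the receipt's fields still match its tag."""
    fields = {k: v for k, v in receipt.items() if k != "tag"}
    expected = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, str(receipt.get("tag", "")))

def audit(key, sampled_receipts, electronic_record):
    """Compare sampled paper receipts with the electronic record, keyed by (machine, serial)."""
    findings = []
    for r in sampled_receipts:
        ident = (r.get("machine"), r.get("serial"))
        if not verify_receipt(key, r):
            findings.append((ident, "receipt altered or forged"))
        elif ident not in electronic_record:
            findings.append((ident, "no electronic record"))
        elif electronic_record[ident] != r["choices"]:
            findings.append((ident, "electronic record differs from receipt"))
    return findings

def demo():
    # Constructed sample data: three receipts issued by machine 7.
    r1 = issue_receipt(MACHINE_KEY, "1986-03-04T09:47", 7, 101, {"Congress": "Smidget"})
    r2 = issue_receipt(MACHINE_KEY, "1986-03-04T09:52", 7, 102, {"Congress": "Jones"})
    r3 = issue_receipt(MACHINE_KEY, "1986-03-04T10:03", 7, 103, {"Congress": "Smidget"})
    tampered = {**r3, "choices": {"Congress": "Jones"}}  # paper edited after printing
    # Electronic record disagrees with receipt 102; 103 is irrelevant once the tag fails.
    record = {(7, 101): {"Congress": "Smidget"}, (7, 102): {"Congress": "Smidget"}}
    return audit(MACHINE_KEY, [r1, r2, tampered], record)
```

Because the tag is keyed, only a holder of the machine key can check a receipt; the voter's own accuracy check at the booth is still done by reading it.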