Page 22 - Towards Trustworthy Elections New Directions in Electronic Voting by Ed Gerck (auth.), David Chaum, Markus Jakobsson, Ronald L. Rivest, Peter Y. A. Ryan, Josh Benaloh, Miroslaw Kutylowski, Ben Adida ( (z-lib.org (1)
P. 22
14
E. Gerck
A second boundary (which contains the first) comprises the voting system with
the voting means, voters, election operators, and ancillary machines such as
those used for voter registration. A third boundary (which contains the second)
is open and includes anything else that lies outside the second boundary.
The VITM and the Requirement operate in the third boundary and define
how, inside the first boundary, a conforming voting means (e.g., the WVS)
operates.
Inside the first boundary (the WVS), interference prevention must be limited,
of course, by physical signals. This may seem at first sight to present a basic
security limitation for the VITM design, as interference sources from outside the
first boundary may still perturb the voting means operation.
For example, outside the first boundary but still inside the second bound-
ary, lie physical and conceptual interference sources that do not seem to be pre-
ventable by the voting means (e.g., collusion between election operators; physical
threats against voters who do not vote as ordered; malicious code inserted into
the voting means by an adversary).
Moreover, significant interference sources lie even outside the second bound-
ary. For example, gerrymandering 20 and selective “voter roll purging”, or just
conveniently ignoring an existing imbalance of natural factors (e.g., illiteracy,
language differences, economical handicap, and physical handicap) that can
block undesired voters or favor participation of desired voters.
However, contrary to our concern at first sight, it is easy to show that con-
ceptual interference can be physically prevented by a conforming voting means
(the WVS). For example, an attempt by a voter to sell the vote cast (concep-
tual interference) can be physically prevented if the voting means conforms to a
requirement to be receipt-free (the voter cannot prove to others how she voted).
Conversely, a physical control vulnerability at the voting means may open the
possibility of conceptual interference. Even if a voter just fears that voter privacy
can be compromised by some characteristic of the voting means (e.g., perceived
lack of a physical control preventing “voter pattern fingerprinting”, see Section
7.1), the voter may not vote freely (conceptual interference).
More generally, we argue that a conceptual influence must eventually create
a physical influence in order to be an interference source. 21 Thus, the respective
pairs of conceptual and physical influence are not independent and can, if de-
sirable, be controlled (denied or allowed) physically. Conversely, ignoring such
considerations in the voting system design could create conditions for unintended
conceptual and physical interference.
20
This term describes the deliberate rearrangement of geographical limits of congres-
sional districts to influence the outcome of elections. Its purpose is to concentrate
opposition votes into a few districts to gain more seats for the majority in sur-
rounding districts (packing), or to diffuse minority strength across many districts
(dilution).
21
In other words, it must be observable. If no physical influence is created (i.e., if
there is no change of election outcome), by definition the interference does not
exist.
