The RISKS Digest
Volume 2 Issue 22

Wednesday, 5th March 1986

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


o Voting receipt
Mike McLaughlin
o Voting booths
Jim McGrath
o Computerized Voting
Tom Benson
o Replacing humans with computers
Alan M. Marcum
o Electricity's power
Marianne Mueller
o Info on RISKS (comp.risks)

Voting receipt

Mike McLaughlin <mikemcl@nrl-csr>
Tue, 4 Mar 86 09:47:20 est
Pardon my paranoia, but I would rather not agree, in advance, or afterwards,
to have my vote audited for whatever good purpose.  Absentee ballots are a
problem that I don't worry about too much today... but I might tomorrow.

Besides privacy/secrecy/retribution concerns, I might just forget... or lie...
about how I voted.  I don't want to be asked to have my vote audited.  The
fact that I accept or reject the request tells Big Brother something about
how I voted.

Therefore, I suggest that the magic voting machine *offer* me a voting
"receipt" as soon as I complete my manipulation of its levers or buttons.
The "receipt" would contain the date, time, machine number, serial number of
the vote, and name the candidates and issues for or against whom/which I
voted.  It would NOT list my name.  The precinct voting records would show
only that I voted, in such a fashion as to prohibit tracking of my name to
my receipt number.

If I rejected the receipt, it would fall into a locked hopper, openable only
upon completion of the voting period.

If I accepted the receipt, I could check it immediately for accuracy, and ask
for a corrective procedure.  If it was OK, I could save it for a possible
recount; or trash it/burn it/shred and eat with milk & prunes, whatever.

Machine-retained receipts could be sampled against the retained electronic
record by voting authorities.

In the event of a recount, I could return my receipt to the voting organiza-
tion directly, or through a third party/blind drop/cutout or whatever.

My receipt should probably also carry a checksum or other method of making it
difficult to tamper with the receipts.

This proposal is neither fool- nor dictator-proof.  It does provide a method
for personal vote checking, a recount method, and preserves personal

    - Mike McLaughlin

Re: Voting booths

Tue 4 Mar 86 22:44:16-EST
    From: Dave Platt <Dave-Platt%LADC@CISL-SERVICE-MULTICS.ARPA>
    ....  There is a longstanding tradition in this country of
    guaranteeing that an individual can vote his or her conscience,
    without being identified afterwards as "the person who voted for
    Smidget for Congress".

Actually, the "longstanding tradition" is less than a century old (quite
short when you consider our history as spreading back hundreds of years into
colonial times).  Until a wave of reform around the turn of the century, it
was quite usual for the state not to provide any ballots at all.  Instead,
individual voters or local officials would provide the necessary paper.  As
time went on, it became common practive for the political parties to provide
the ballots used in the election.  Since ticket splitting was difficult, and
these ballots were quite distinctive, voting was hardly secret (I recall
that in the El Salvador Presidential election a few years ago the ballots
were of a different color, and the box was clear, making voting an open act).

All this information from my reading a few years back of the 3 election
volumes of the California State Code.


Computerized Voting

Tue, 4 Mar 86 16:27 EST
Larry Polnicky and others have recently been discussing the risks of
computerized voting.  Surely the first principle ought to be the protection
of secret balloting rather than the promotion of the possible convenience of
computerized vote-counting.  There is a (perhaps slightly cumbersome)
solution to the problem of checking accuracy.  Suppose an electronic voting
booth, with a screen and some sort of simple keyboard.  In effect, a
menu-driven ballot on the screen.  The voter fills in his or her choices and
has a chance to go back and correct errors.  At that point, the voter pushes
a button to confirm the ballot, and a printer prints card ballot, which it
retains behind a transparent screen (it can be read but not altered).  Voter
scans the printed card and is asked whether it is accurate.  At this point,
if it is not, a REVISE or CANCEL button is pushed and the process starts
over with nothing having been recorded (the card is shredded).  When the
screen and card match the voter's intentions, a second CONFIRM button is
pushed and the card is ejected, while the vote is electronically forwarded.
The voter takes the card out of the booth and drops it in a ballot box.

This system would permit absolute secrecy for the individual voter, who
could not be traced to the card or the electronic vote.  But the cards would
be in a ballot box, where they could be counted by hand.  After the election,
a representative random sample of precinct boxes would be counted by hand,
and matched to the electronic tally, just to audit accuracy.  And in the
case of a re-count, the entire election result could be counted by hand.

   Tom Benson, Department of Speech Communication,
   The Pennsylvania State University, 227 Sparks Building
   University Park, PA 16802           phone 814-238-5277

     {akgua,allegra,ihnp4,cbosgd}!psuvax1!psuvm.bitnet!t3b   (UUCP) (ARPA)
     T3B@PSUVM    (BITNET)

Re: Replacing humans with computers

Alan M. Marcum, Consulting <sun!nescorna!>
Mon, 3 Mar 86 19:57:58 PST
In Risks-2.17, Nancy Leveson comments that

    There are reports that commercial pilots are becoming so
    complacent about automatic flight control systems that they are
    averse to intervene when failures do occur and are not reacting
    fast enough (because of the assumption that the computer must
    be right).

While that may be true, one of the things I learned very early during
flight training (I have a private pilot's license with an instrument
rating) is to constantly cross-check indications or directives from an
autopilot, navigation system, or flight control system.  If I have any
reason to suspect the autopilot or the navigation instruments (whether
it be a fault, or a low vacuum indication for vacuum-driven flight
instruments), I take corrective action.  It's my life up there, and
those of my passengers.

Electricity's power

Tue 4 Mar 86 20:45:07-PST
Monday saw the complete silencing of the cs lab at the Univ of Washington.
"A 13,000-volt feeder cable broke down from 1 a.m. till 4 a.m. but some
buildings on the east side of campus were without power till late in the
morning." (UW Daily, campus rag.)

Although the U's electric system is separate from the city's, "The blackout
in (60 surrounding blocks) occurred when the surge from the University
shutdown `jumped' the City Light circuit breakers that would normally
prevent the spread of a blackout.  Three major City Light circuits were
overloaded," the Daily notes.

So no one could do anything on Monday, the terminals were mercifully blank,
the halls deserted.  The hospital, however, ran on emergency power for three
hours, and they got plenty worried about it.  Our computers died since 3
hours without air conditioning was more than they could take.

Just for the record.


Please report problems with the web pages to the maintainer