> >Did any of you see this
> >http://www.votehere.net/content/Products.asp#InternetVotingSystems
> >
> >that proposes to authenticate the voter by asking for his/her/its SSN#?
>
> It looked like the idea for this part was to prevent double voting,
> plus make sure that only authorized people could vote. It wasn't
> necessarily SSN, it could be name/address/date of birth or whatever.
> Similar to what is done when you go and vote in person.
It's not similar at all. Here in New York, for example, where I used to be
an election inspector, the voter list includes your signature, age, sex, and
usually (if you gave them when you registered) your height and eye and hair
color. Each voter has to sign, and if the signature isn't similar enough or
the other items looked wrong, we'd ask for better ID. Each polling place has
both Democrat and Republican inspectors, the inspectors for one party have an
incentive to challenge dubious voters of the other party. This is a
reasonable level of validation given that voters have to show up in person,
making mass vote fraud a lot of work to organize. (For absentee ballots,
your entry in the book is marked as absentee, so if someone got a fake ballot
for you, you'd know when you tried to vote.) The combination of biometric
info and personal appearance makes it fairly difficult to vote fraudulently.
The SSN has become a pseudo-secret identifier. That is, the reality is that
your SSN is widely available, but many organizations pretend that it's secret
and will believe that anyone who presents your SSN is you. Given that the
SSN is not secret, the lack of biometric data, and the reality that it's a
whole lot easier to fake network transactions than to fake voting in person,
this scheme screams "defraud me".
Any security system needs a threat model. I can't figure out what the threat
model for this system is other than "whip up something quick and easy".
Regards,
John Levine, [EMAIL PROTECTED], Primary Perpetrator of "The Internet for Dummies",
Information Superhighwayman wanna-be, http://iecc.com/johnl, Sewer Commissioner
Finger for PGP key, f'print = 3A 5B D0 3F D9 A0 6A A4 2D AC 1E 9E A6 36 A3 47
