Talk:Voter-verified paper audit trail

From Wikipedia, the free encyclopedia
Jump to: navigation, search
WikiProject Elections and Referendums  
WikiProject icon This article is within the scope of WikiProject Elections and Referendums, an ongoing effort to improve the quality of, expand upon and create new articles relating to elections, electoral reform and other aspects of democratic decision-making. For more information, visit our project page.
 ???  This article has not yet received a rating on the quality scale.
WikiProject Politics  
WikiProject icon This article is within the scope of WikiProject Politics, a collaborative effort to improve the coverage of politics on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks.
 ???  This article has not yet received a rating on the project's quality scale.
 ???  This article has not yet received a rating on the project's importance scale.


I have reverted to my more detailed entry. Discussions regarding voting equipment that ignore the election process and the duties of the election official are not useful to anyone. Please expand the technical portions as necessary but please do so within the context of election processes and laws, thank you.

Who wrote this? It seems incredibly naive to think that the 'election process' is sufficient to prevent against vote rigging and fraud. Poll workers and election officials have been at times been found to be clueless and not entirely impartial, sometimes even disregarding electoral statutes altogether. Many countries, the US most certainly included, have a history of electoral fraud perpetrated with preventive regulations in place. In the case of electronic voting, when there is no paper trail, and in which voting machine companies have a vested interest in errors not being discovered, the stakes are even higher.
Election fraud has happened and will happen again even under near-ideal circumstances. Right now we're not even close. LeoTrottier 00:19, 24 October 2006 (UTC)

You're right. The process and the people are not suffieicnet to prevent fraud. My comments strive only to add the people and the process to the discussion. Just like the process alone cannot prevent fraud, neither can technology alone prevent fraud.

VVPAT vs. VVAT[edit]

I'm not so sure I agree with the collapsing of the VVPAT page and the VVAT page. The latter is a super-set of the former and many of us (for example, in the ACCURATE group) see VVPAT as one possible solution that is particularly appropriate for the short-term. -- Joebeone (Talk) 16:55, 21 March 2006 (UTC)

extensive changes[edit]

I just reverted extensive changes [1] to this page that should be discussed here and cited thoroughly. -- Joebeone (Talk) 19:40, 4 August 2006 (UTC)

I have reverted to my more detailed entry. Discussions regarding voting equipment that ignore the election process and the duties of the election official are not useful to anyone. Please expand the technical portions as necessary but please do so within the context of election processes and laws, thank you.


I'm going to review this page and make some changes (that I'll cite sources for). Let me know if you'd like to help. -- Joebeone (Talk) 18:10, 5 September 2006 (UTC)

This article sounds much like an excuse for why VVPAT aren't being used. The second paragraph of the overview immediately casts into doubt the necessity and feasibility of VVPAT in a way that completely disregards expert opinion that VVPAT are necessary for assuring the soundness of electronic elections. It seems to have been implicitly assumed that electronic voting is the way things have always gone, and that there could/should never be a return to (recountable) paper ballots. Nothing, of course, could be further from the truth. VVPAT is what legitimizes and makes accountable an optional electronic voting system that is meant as an improvement. LeoTrottier 00:49, 24 October 2006 (UTC)

Article title[edit]

Is it Verified or Verifiable? I really think verifiable is more accurate and in general makes more sense. Anyone agree? --Electiontechnology 00:39, 11 September 2006 (UTC)

My impression is that 'verifiable' does not necessitate that the voter actually do any verifying. Verified means that they do. 'Verified' is more secure, in my view. LeoTrottier 22:59, 23 October 2006 (UTC)

"The Ballot" Section[edit]

Why is this here? There is arleady a ballot article, and it doesn't seem to have anything to do with the VVPAT. --Electiontechnology 00:39, 11 September 2006 (UTC) I moved this to ballot, it seems to make more sense there. -- Electiontechnology 02:05, 16 November 2006 (UTC)

Overview caveats[edit]

It seems that putting caveats in the overview regarding why or how VVPATs are difficult implement is like explaining how backup parachutes are good, but an expensive and complicated addition to existing parachute technology. The point is that, in a voting system that is optional to begin with, it doesn't matter how costly and difficult it is to make it sound and secure. The system is worse than useless unless we can be sure it's working as intended.

For this reason I think caveats should be moved elsewhere in the article, and not put in the overview. If you think different, please discuss the proposed changes here. LeoTrottier 17:53, 26 October 2006 (UTC)

Leo, are you taking issue with the entire Implementation Challenges of VVPAT section? If so, the point of the section isn't that backup parachutes are a bad idea. To continue with your analogy, let's say you (a county) were told were told you were legally required to jump out of a plane (hold an election). Of course you would want to find a parachute (voting system) and backup parachute (independent audit system). Now you're told you have to have a specific kind of backup chute (paper), but those chutes are very expensive and you have to buy the only chute you can find the qualifies, and that chute isn't very good. Would you have liked to have known before they passed a law requiring you to have that type of chute that you would be stuck with the cheap crappy chute?
More importantly, you just learned that the Parachute Assistance Commission (EAC) was finally appropriated the tens of millons of Help America Parachute Act dollars it guaranteed in 2003 and it releases a new and improved technology for parachutes at a fraction of the cost. But oh wait! You can't use them.
Obviously that analogy is a bit drawn out, and I'm not telling you that VVPATs are bad or that they shouldn't be there. I just think that the problems associated with the VVPATs both as an integrated function and as an after-the-fact feature are part of the picture and relevant to the discussion. Even if they are the best technology we got they're still no holy grail.
If you just were talking about the one sentence I changed, I think It can be significantly more difficult to implement a VVPAT as an after-the-fact feature is pretty direct. I just thought most was a little inappropriate, becuase the quantity shouldn't be the measure it should be the frequency.
Electiontechnology 22:05, 26 October 2006 (UTC)



  1. Please stop deleting the explanation of the fundamental aspect of the VVPAT. (Verifying voter intent)
  2. You just cannot say that a corrupt machine cannot alter paper. If you are going to stipulate that the machine is corrupt, you have to understand that the VVPAT could be equally corrupted. Many VVPATs list each individual action by the voter (i.e. Candidate A selected, Candidate A deselected, Candidate B selected) Once the VVPAT is out of the voter view, if the machine is corrupt, how can you say it could not make changes to the paper? That is just a garauntee you cannot make. It absolutely is a "barrier," but you cannot say " At this point the only risks of election fraud remaining are the same as with a classical poll using paper and ballot boxes like destroyed ballots" because it is just not correct. At minimum the machine could intentionally make certain votes illegible. You simply cannot say that the machine tampering with paper is impossible.

P.S. If you have comments for me, please leave them here or on my talk page. --Electiontechnology 02:28, 16 November 2006 (UTC)

  1. no, the really fundamental aspect of paper are, that they're readable by humans and not alterable my voting machines. the "verifying voter intent" is a consequence of that.
  2. please cite a reference of a voting machine that's able to alter or destroy the VVPAT once it's seen by the voter.

and no, i will not leave Your diebold-version there and talk someplace else. --Taintain 22:01, 16 November 2006 (UTC)

You misunderstand, I said "stop deleting the explanation of the fundamental aspect of the VVPAT." I didn't say anything about the fundamental aspect of paper. You also seem to have a fundamental misunederstading of the VVPAT, if it doesn't verify the voter's intent, then it is useless, that's why the first two V's stand for Voter Verfied. You can't just brush it off as a consequence. To the second point, since you seem to think that you must provide sourcing for all possible options, then can you provide an example of a corrupt voting machine? If not, your logic says that you have to remove every reference to "corupt" voting machines. I in no way advocate that. Corruption and tampering are serious concerns with all parts of a voting system. Lastly, to your nonsensical final comment, A) what does Diebold have to do with anything? Please don't think I in any way support them or any of their election systems products; B) Again, I think you misunderstood, I was just saying if you had comments for me specifically, you should leave them on my talk page. Hope we can clear this up. --Electiontechnology 22:57, 16 November 2006 (UTC)
P.S. You should read this. "9.6% [of VVPATs] were either destroyed, blank, illegible, missing, taped together or compromised in some way. 1.4 percent of the VVPATs were missing ballots." Please understand that these are serious concerns. --Electiontechnology 23:03, 16 November 2006 (UTC)
the fundamental aspect of a VVPAT derives from the material paper. anyway, i included your sentence. there are enough demonstrations of corrupted voting machines, princton, nedap-hack, accuvote, ... but show me one where the voting machine is able to change the paper after being verified by the voter? those 1,4% of the ballots missing some percent of their votes where accidentally, so please put that into the section of technical problems. the intro is for explaining what VVPATs are all about. --Taintain 00:02, 17 November 2006 (UTC)
I'm not at all sure what you are trying to say with that last response. Regardless, it is factually incorrect to say a corrupt machine cannot alter a VVPAT. I do not think I can be more clear. This is a question of potential.--Electiontechnology 00:14, 17 November 2006 (UTC)
ok, i clarified that. if You have a reference of a corrupted voting machine being able to alter the VVPAT after the voter has verified it, please post it. then we can go on in this discussion. if not, please leave the section as it is. --Taintain 00:45, 17 November 2006 (UTC)

You most certainly did not clarify that. Please stop reverting the article. This is a violation of wikipedia policy:Wikipedia:Three-revert rule. I am not sure if this is a language barrier that is contributing to this lack of understanding, I truly want this conversation to be in good faith, but you insist on ignoring my comments and inserting incorrect information into this article. Your edit, "...he can be sure that even a corrupted voting machine will not be able to tamper with it", is absolutely false, and at best misleading. As I've tried to explain to you repeatedly, you cannot say this is an impossible task. I again have done my best to remove only the factually incorrect information and incorporate your changes. Please take a moment to reread my comments and the source I recommended.--Electiontechnology

stating that You have repeated Yourself does not make a point. it's very nice that you say that you are in good faith and that i'm not a native english speaker, but we should be talking about the subject. please finally disclose the reference of a corrupted voting machine being able to intentionally modify a printed paper trail (i'm asking for the 3rd time!) the link You gave describes technical problems which You are free to include in a technical problems section. it does not belong in the intro of a VVPAT, the intro of cars does also not include that its breaks might fail. i've now inserted my sentence again, please don't remove it again without a reference. --Taintain 13:39, 17 November 2006 (UTC)
The most important part to me was that you stop deleting the postion about verifiability. Your missunderstanding of the editable paper is less important though still unfortuantely incorrect. Your example about cars does not match this situation. I'm not trying to put in the intro that it is changable, I just want to remove the incorrect information that says it is not changeable. A more accurate explanation would be that the car article doesn't incorrectly say that the breaks can't fail. You are simply incorrect is saying that it is impossible. You are stipulating (agree to the fact) that the machine is corrupt. How can you say it is still impossible? That aside, I think this is the most accurate version we've worked on so far and I want to thank you for continuing the coversation. I'm going to invite another user, who if you review his contributions you will see his views on electronic voting are much more similar to yours than mine, to comment. (User:Joebeone) I think an outside view might benefit the both of us as well as the article. --Electiontechnology 16:42, 17 November 2006 (UTC)
As a researcher in the field, it is imprecise to say that VVPATs are not changeable by voting machines. We can't prove that the machines can't change the VVPATs. In fact. the iVotronic VVPAT (called a Real-Time Audit Log, RTAL) is able to both advance and reverse the paper feed. If a VVPAT printer can reverse the paper feed, it would be trivial to do either a denial of service attack (where the paper is reversed and then a VVPAT voided or written over with gibberish) or a substitution attack (such as clever changing of the characters in a name to reflect a different vote). Also, not directly related to the issue at hand, if left unattended VVPAT printers could print willy-nilly more VVPATs. These are real possibilities. One thing that is for sure is that no reliable source has demonstrated either what I talk about above or that VVPATs are unmodifiable by the machine, so this wording should be changed. (I'll wait for responses before changing the language) -- Joebeone (Talk) 19:41, 27 November 2006 (UTC)
if voting machines can change the VVPAT it's caused by implementation problems. it's quite easy to use a printer which cannot rewind and mechanically block the printer when no voter-card is present. i included it in the implemenation section. --Taintain 14:26, 28 November 2006 (UTC)
Well, implementation problems are what we have on the market. Let me be more specific. The intro currently[2] has the following sentence:
Also a printed vote on paper is not changeable by the voting machine opposed to a stored vote in computer memory.
This is imprecise, at best, and likely incorrect. It may be under the ideal VVPAT implementation that this statement is correct, but then that should be qualified by a phrase such as, "In theory, ...". Currently, many security experts (and I can cite this) believe that changing the contents of a VVPAT or otherwise adding or subtracting votes is an attack we have to worry about with all major VVPAT implementations (via extra printing or modification of previously-recorded VVPAT records). I'll take a stab at making the intro more precise without destroying its spirit. OK? -- Joebeone (Talk) 19:04, 28 November 2006 (UTC)
I just took a shot at it and added a cite to the Brennan work that has such VVPAT attacks cataloged. Let me know what you think of this change guys. -- Joebeone (Talk) 20:23, 28 November 2006 (UTC)

what kind of "scientist" made this study? in the attacks on "DRE with VVPAT" it misses an obvious case: the paper reads "Adams", the display shows "Jefferson". this happens once, an election official is called by the voter and the machine goes straight to the FBI. if You know the people who made the study, please tell them to fix this error. i changed the "cannot be changed" to "hard to change" to credit all the theoretical attacks of appending and rewinding. --Taintain 00:02, 30 November 2006 (UTC)

If we cannot solve this, we might have to go to arbitration. The scientists on the Brennan Center Security Task Force include scientists renowned in the United States for both computer security and system security. The attack you describe is listed in their study along with 200+ other attacks. This is cited, peer-reviewed research an you have no reason to be reverting such an addition to this page. -- Joebeone (Talk) 19:35, 1 December 2006 (UTC)
before arbitration we should try to solve this out by ourselves (otherwise they won't accept it anyway.) since you didn't say the page i assumed that you mean with "practical attack ob the VVPAT" page 65 with attack #6 ? (do you have a clue how to get this "DRE attack catalog" which is cited throughout the study, it's not on as claimed?). attack #6 wouldn't work as described in the study because voters can easily compare the screen to the paper trail and call an election official. so unless you can explain what's wrong in my arguing or come up with a practical attack on the VVPAT i will revert to my version (which btw wasn't a revert but a rewrite).--Taintain 23:01, 4 December 2006 (UTC)
Unfortunately, I don't have time to fight this fight. If you're satisfied with an inferior page, so be it. If you'd like to collaborate together to produce something that is superior but also addresses your criticisms, then let me know. The academic community, I should say, has arrived at a consensus about the vulnerability of VVPAT to a few narrow classes of attacks. In my book, as an academic associated with the NSF ACCURATE Center, that omission is a serious one on this page. With the holidays coming around, I'll have more time to devote to these pieces of Wikipedia. Please join me in making these articles the best they can be. best, -- Joebeone (Talk) 16:30, 12 December 2006 (UTC)

would You believe me that i'm michael jackson ? why not ? why should i believe that You are an academic with a book ? citing the personal resume doesn't help in the internet, arguing on the facts does.

now on these facts (3rd try, and it really takes only 3 minutes): imagine You are a voter, the screen shows Jefferson, the VVPAT shows Adams. do You:

  1. believe that it must be Your mistake, press "cancel" and retry to vote
  2. call an election official and show him the difference between screen and VVPAT

now after answering that question please read the brennan attack #6, page 65. yes, the brennan study doesn't even consider Your answer, there might be something wrong with the study. <-- please answer to this and we might get ahead to make this article the best possible. --Taintain 21:41, 4 January 2007 (UTC)

I like facts too. I'm not sure what questions you're asking here... if you could phrase it as a question, that would help. I'll try and phrase the above as a question: If a voter sees the VVPAT is printed differently than their choices or what is displayed on the screen, what do they do? I think the two options you point out above are reasonable ones (modulo that it would compromise the voter's privacy to do option 2. (call over the election official), which is not something that voters do lightly). However, the attack I describe and the one that the Brennan center mentions in passing relies on many voters to not inspect the VVPAT. In fact, some preliminary research that has looked into how often voters examine the VVPAT records shows that few actually do look at the VVPATs and even fewer will notice errors planted in the VVPAT (see, for example, Ted Selker and Sarah Cohen's work on Audio Verification: ).
At the National Institute of Standards and Technology "Threats to Voting Systems" Workshop [3], there were no less than 6 attacks that current VVPAT systems are likely vulnerable to:
Most pertinent to our discussion it Dill's misprinting attack. This is the one that keeps us all up late at night... and when we learned that certain voting systems' VVPAT mechanisms could reverse themselves, we were aghast as that could make this kind of attack even more acute.
So, my position is this: current VVPATs are vulnerable to a number of attacks, not to mention outright malfunction and error. I think the article should reflect this if it's going to be an encyclopedic and NPOV article. The part of the current article that I take issue with is the following: "Also a printed vote on paper would be very hard to change by the voting machine ...". First, I don't think it is correct as we know that VVPATs can be changed, and it appears that it could be quite easy (i.e., done with a change to software in some systems). Second, we don't really have evidence one way or another that VVPATs have been changed maliciously in an election, so we don't really know to what extent attackers have to go to in order to pull one of these attacks off. Since VVPATs are as poorly designed as the rest of most voting systems (which are largely poorly designed), we expect there to be just as many ways to subvert VVPAT. Let's continue the discussion until we've come to an understanding of some sort. -- Joebeone (Talk) 16:54, 6 January 2007 (UTC)
ok, so after seeing the difference between screen & VVPAT some people might call an election official (which is not even considered in the brennan study which states "These voters would cancel the paper record and vote again. The second time, the paper would record their votes correctly.". calling an official isn't even such a big privacy problem since the voter wouldn't have to tell if he pressed the name on the screen or no the VVPAT ;) now let's go one step further: what would happen after the election official sees the VVPAT and the screen showing two different candidates ? yes, there might be some concern about the integrity of the machine and software in use and the whole fraud might fail. this is also not mentioned in the brennan study. and so the brennan study concludes on page 75:
"Assuming that only 20% of voters review their voter-verified paper trail, a minimum of one to three informed participants173 will be needed to successfully execute DRE w/VVPT Attack Number 6 (Memory and Paper Misrecord Vote Due to Trojan Horse Inserted in Ballot Definition File) and change the result of the Pennasota governor’s race."
i think it's safe to say this study has a big flaw, since probably a single voter pointing out the difference between screen and VVPAT is enough to spoil the fraud (unless the machine also alters the display, which the study doesn't claim and which raises other issues).
speaking about the 3% from the caltech study: have You actually read it ? those were 36 paid people which had just one goal: get out of the lab as quick as possible to get their 20 bucks, they probably didn't even read which candidate they clicked on. opposed to real voters which care about their vote, otherwise they wouldn't take the time to go to the election place at all. this "study" is like handing out 100 monopoly bills to paid subjects and if they don't recount them to conclude nobody would recount cash from a used car dealer. which reasonable researcher would compare lab-votes to presidential-election-votes ? also it doesn't say if the voting-program had a message on the screen which asked to check the VVPAT which might change the outcome considerably. but You said this was just one example, do have know a more reasonable study about this subject ?
on the 6 attacks:
  1. is not about changing the VVPAT
  2. is very hard to carry out. and if it would be possible, it still would be a hundred times harder than doing the ::same on a DRE without VVPAT. how do You sleep about DRE's ?
  3. would work against any kind of voting machine
  4. can be easily avoided by using a printer which can't reverse and has a mechanical switch to not print if there's no voter card present. also this attacks says itself that it relies on a bad implementation. that's in implementation-issue.
  5. see above + assumes that there's nothing printed like "voter confiremed this vote", or "voter card removed".
  6. see above
since even You as a researcher cite the short NIST-list of 34 attacks on voting machines and not the long list which the brennan claims to have published, is it true that this list doesn't exist ? (which would make the brennan study even more a piece of hot air since it cites this list repeatedly.)
on "Also a printed vote on paper would be very hard to change by the voting machine ...".: as i think about it, this has a double meaning. what i meant is "after the fact". (it's physically impossible if the printer can't reverse. it's logically impossible of each vote ends with a statement like "voter confirmed this vote", another message: "voter removed card" and even harder if the printer can't print without any voter card inserted.) the other meaning being "changing at printing", which is in fact as easy as changing a DRE, but might get noticed by the voter. i'll change that in the article.
--Taintain 17:28, 7 January 2007 (UTC)
Sorry, I refuse to spend anymore time on this. The Brennan Study is a well-respected piece of academic inquiry from most of the biggest minds in academic research on electronic voting. Compare reliable sources that criticize the study to those that laud it as the first of it's kind ever and very important to the evolution of electronic voting. I believe you'll find the balance is on the side of the Study. Anyway, I was just posing the above to show that there are reliable, cited sources that show there are possible attacks on VVPAT that you don't consider. You seem to be content instead in evaluating the claims of this published research... recall that it is not an encyclopedia's point to do research and what you've done here is come very close if not crossed the line into original research (WP:OR). I do not come to Wikipedia to fight, but to improve content. I urge you to reconsider your actions and instead be content in reporting what reliable sources have to say about the matter in an encyclopedia manner. I will not respond further. -- Joebeone (Talk) 20:11, 8 January 2007 (UTC)
i have now several times pointed out the flaws in the brennan study (1. no mentioning of voters proving the fraud by pointing on display and VVPAT, 2. the list which explains all the attacks in the study is not publicly available, 3. citing the inappropriate 3%-caltech audio-trail study). You didn't respond to any of these and Your only point is, just that it's a "respected study". i'm very open to hear about a practical attack to change a VVPAT after it is printed which is not an implementation problem. and i wouldn't call all this original research, rather common sense, missing sources and inappropriate citing. --Taintain 22:42, 8 January 2007 (UTC)
These don't look like flaws. (1) This is not relevant because they did not assume that the DRE would display a summary page after the vote is printed and it is not as effective as the machine consistently printing and displaying the same wrong name. Also, if this were to happen the VVPAT system would actually be working, and therefore may not be considered a threat unless the voter or election official chooses "no" it acts as if the vote were counted. The Brennan center's study "looks at the ability of persons to successfully execute an attack without detection" and tries to limit itself only to talking about the path of least resistance an attacker might take and mitigation of that. Something that gets the attacker caught is obviously out of scope for the document. The problem is even addressed several times while describing the attack: "Would not this mean that the attack would be detected? Not necessarily.", and "This might lead her to believe she had accidentally pressed the wrong candidate the first time. In any event, it might make her less likely to tell anyone that the machine made a mistake". (2) It is unclear why this is of importance when it has nothing to do with the issue of citing the published work. The attacks that are listed in the report are well-explained and relevant. (3) The brennan document is up-front about this in the first paragraph: "In a recent study, Professor Ted Selker and Sharon Cohen of MIT paid 36 subjects to vote on DRE w/VVPT machines.152 They reported that “[o]ut of 108 elections that contained errors ...only 3 [errors were recognized] while using the VVPT system.”153". In any case, the threat still exists even if the analysis were later shown to be incorrect. Your opinion does not count as empirical evidence, and given that many people say it is irrational to even vote, it would be even more so to spend extra time checking your vote on the paper audit trail. --Toshardin 00:02, 30 January 2007 (UTC)
of course they're flaws. (1) how can a study look at "the ability to successfully execute an attack" without considering being caught ??? You're also wrong about the wrong name displayed, it says on p65: "When a targeted voter chooses Tom Jefferson, the screen would indicate that

she has voted for Tom Jefferson.". that's the attack this thread is about. (2) attacks are usually described in more detail, see for example: (3) the brennan document doesn't mention that this study wasn't even trying to find out how many people in a real life election would find an error in a VVPAT but to compare paper to audio trail. citing this study is like comparing a lab-study (without real money) about "do people read their credit-card-recipt before signing" to the real world, where people loose real money if they sign a wrong recipt. and yes, a lot of people consider voting irrational, that's the 75% which stay home. the people which care about their vote are the 25% which take the time to register, go there and sometimes wait for hours in lines to cast their vote. --Taintain

To make this more constructive, please point to a published research paper that indicates flaws with the Brennan Center Report or write your own and get it published. (1) I was pointing out that if you got caught, the attack wouldn't be considered successful, and is therefore not really something they were considering. You are pointing to when the voter "selects" the candidate, this is entirely different from the end of the voting process. You believe that there is a kind of review screen on the DRE and that a printout is made, and the voter gets the chance to compare and cast or not cast their ballot. The Brennan center clearly does not make such a suggestion, instead saying that the machine instructs the voter to look at the receipt and make sure their choices are correct, which is what existing systems they looked at do (they do *not* show a review screen on the DRE in the system described by the report). Obviously, if it worked the way you say, the review screen matching the receipt would be an equivalent attack to the one described. (2) Again, this is your opinion, and you aren't being specific about what is missing. (3) As I said, there is no empirical evidence to suggest they are wrong, and they even went so far as to raise the number from 3% to 20% to show the changes . Even if it is shown that over 90% of the people can correctly check their ballot, the analysis they did is still relevant, you just change all instances of 3 or 20 to 90 and recalculate the numbers. --Toshardin 16:53, 30 January 2007 (UTC)

not a research paper put a good summary of the brennan-flaws:

(1) the problem is, that the brennan study considers an attack as successful which wouldn't be successful because anybody can point out the difference between screen and paper.

the study doesn't say there is a review screen, but it neither says the opposite, and it rather sounds like it still is on the screen:

brennan study, page 65:

  • When a targeted voter chooses Tom Jefferson, the screen would indicate that

she has voted for Tom Jefferson.

  • After she has completed voting in all other races, the DRE would print a

paper record that lists her choices for every race, except for governor. Under the governor’s race, it would state that she has selected Johnny Adams.

maybe this is more clear in the mysterious missing attack catalog which the study says describes all attacks. maybe that includes such details, who knows ? so much about (2). it's anyway bad scientific practice to rely on an unpublished second document (and say it is published).

(3) after You change the number to 90% the current conclusion of the study ("the election can be rigged with attack 6") wouldn't be valid anymore (the study says this itself for 80%, see p75). then we don't need to argue anymore since this whole discussion started about if attack #6 could be successful. --Taintain 22:08, 30 January 2007 (UTC)

That whole page seems to hang on the same misunderstanding of the report. The attack is about you voting a certain way and then it being different at the end. You can't assume what is not specified to be there. Even if there were a review screen changing the vote on both the printout and the review screen is an equivalent attack (if you don't agree, please explain why). Depending on how you change the numbers, it could be effective. There's no empirical evidence to show it to be a flawed assumption or not, but I think we can agree that it *can* change votes in a consistently undetectable way and is a problem. --Toshardin 22:34, 30 January 2007 (UTC)
you can neither assume the opposite, and if you read it word by word jeff is still on the screen. changing both screen and paper is of course not equivalent because it's a lot more obvious to the voter. you're right that it depends on the numbers, but this number definitely isn't 3% and unless you find a more reasonable study about this number it's safe to assume that most people which make the effort to go voting care about it. --Taintain 20:34, 1 February 2007 (UTC)

Bad Examples and Confusion with E2E Receipt-Based Systems[edit]

The examples listed are not ballotless, do not rely on DREs, and do not really rely on an audit in the traditional sense of the word. In fact, they are fundamentally different as voters take a receipt home with them. Better examples would be the VVPAT add-ons from Diebold, Seqouia, ES&S and other vendors. --Toshardin 00:02, 30 January 2007 (UTC)

I should add that NIST calls Punchscan et al. E2E systems, or End-to-end auditable voting systems: [4]. The discussion of receipts under "Implementation Challenges of VVPAT" is misleading, no proposed so-called "receipt-based" systems advocate giving the voter a receipt which actually allows them to show to themselves or others what their intention was when they cast their vote. Additionally, these systems generally use proofs to show that the encrypted ballots were counted correctly. So the voter knows that their vote made it into the votes that were tallied, and that the tallied votes were properly decrypted due to the proof (this is much easier to see in ThreeBallot than the other systems, as the proof is "count the public ballots"). --Toshardin 00:24, 30 January 2007 (UTC)

Under VVPAT Application, read the last paragraph which starts with "There are cryptographic solutions that can assure voters their votes are correctly tabulated." Are all the solutions in this paragraph E2E? If so, let's start an E2E article and move that paragraph to it. --Pulpspy 19:12, 30 January 2007 (UTC)

Okay, i've moved it to End-to-end auditable voting systems and slightly edited it. Please add when you can. --Toshardin 21:36, 30 January 2007 (UTC)


  • Saying electronic records can be changed "in an instant without a trace" is POV and just plain false.
  • physical ballot -> tangible ballot
  • removed self-links
  • explaining crypto systems have not been used in US elections
  • added witness system
  • replaced: "Systems that allow the voter to prove how they voted are never used in U.S. public elections, and are outlawed by most state constitutions. The primary concerns with this solution are voter intimidation and vote selling." I think it is still relevant and needed. I think it's more clear now though.
  • "Implementation Challenges of VVPAT" -> "Implementation Challenges and Concerns with VVPAT" similar to the parallel DRE section
  • Wikipedia cannot declare what people "should" do, it can however point out potential concerns
  • better explaining concerns over anonymity
  • "unless every voter participates." = innacurate
  • added accessibility concerns
  • added reliability concerns
  • removed duplicate wiki links
  • "assure voters" -> voter confidence
  • added reflist
  • [[Category:Electronic voting]] is a subcategory of [[Category:Politics and technology]]

--Electiontechnology 07:15, 4 February 2007 (UTC)

  • Saying electronic records can be changed "in an instant without a trace" is POV and just plain false.
instead of making a very long sentence about logic methods like vote encryption which might make it harder to change the vote i reduced it to paper vs. memory (since the paper is the main feature in a VVPAT, a "voter verified flash-memory trail" would be as insecure as a DRE). see Flash memory, DRAM and SRAM for how quick and traceless it is changed.
  • voters order
do You have a source for "many jurisdictions keep track of voter order" ? haven't heard that before, it would be error prone (just one wrong record would spoil the matching of list to VVPAT) and anyway not much use with multiple voting computers.

--Taintain 14:39, 5 February 2007 (UTC)

  • reducing it to paper vs. memory does not make saying electronic records can be changed "in an instant without a trace" accurate or NPOV. In the spirit of your making it a simple comparison I made it more accurately say "Printed paper would be harder to change after the fact by the voting machine than computer memory."
  • "This can be accomplished by a switch which deactivates the printer, as long as there is voter card inserted." There are lots of ways to make VVPATs better. There are lots of ways to improve voting machines in general. The problem is it has not been accomplished.
  • "which should have been realized by every voter" Wikipedia can not make judgements. "Should" is the definition of POV. Regardless, they didn't realize
  • I will try to find a cite for you regarding jurisdictions recording order of voters. I guess my US-centric bias is showing; it's very common here. The state of Maryland is required by state code to even record which voting machine a voter votes on.
  • "unless there is more than one voting machine which would make the matching between list and the VVPATs very hard." "Very hard" is still very possible, which is why I said "possibly compromising." It is a serious concern in some US states as there are state constitutions that guarantee the secrecy of the ballot in the state constitution and have not implement continuous role VVPATs for fear of them being rules unconstitutional.
  • "This drops the voter confidence of these disabled voters to the same level as when using a DRE voting machine where they can neither verify their vote." The concern isn't voter confidence, but rather equal protection. The idea is that it is discriminating against disabled voters to provide and additional benefit to non-disabled voters.
  • "The League of Women Voters (LWV) didn't see a need for VVPATs for a long time." Can you source this? And can we find a better way to say it?

--Electiontechnology 19:17, 5 February 2007 (UTC)

  • to be POV it must be wrong or controversial. what's wrong about "computer memory can be changed in an instant without a trace" ? after all, this is the article about the voter verified PAPER audit trail, so it's quite needed to explain the two benefits of paper over computer memory (wrote only once, human readable).
  • that nobody sells it doesn't make it wrong. but i included it's not on the market.
  • included the opaque doors in front of the VVPAT
  • just called it "difficult" now and please leave it in there. there is no perfect match between one list and e.g. three vvpats.
  • i would rather leave the sentence in there unless some court has decided about that. which i very much doubt because there are a lot of security measures which depend on seeing: holographs on credit cards, passport pictures, warning signs, watermarks, paper seals, .... those won't either be removed because of equal protection.
  • finally found it on the LWV page (which makes it rather useless to make a full cite of the old 2004 testimony.)
--Taintain 11:31, 11 February 2007 (UTC)
  • It is inaccurate to say "computer memory can be changed in an instant without a trace"
  • "This can be accomplished by a switch which deactivates the printer, as long as there is voter card inserted." You do know this can be accomplished. No one knows if this can be accomplished. This is an invention of your own mind and not reality. Find a source or stop reverting. At best this is original research and not allowed in Wikipedia.
  • Nice edit on the Cuyahoga study.
  • I tried to reword it so it is at least accurate. The idea is that any voter who can be identified compromised the secrecy of the vote.
  • Disability Discrimination Act 1995, Americans with Disabilities Act of 1990, Ontarians with Disabilities Act... Regardless, you don't know what their confidence level is, again find a source or stop adding it.
  • I think that there is a difference between what the full organization passes as policy, and what the then President testified. It doesn't change the facts in her testimony either. I think that both pieces of info is enough to explain the situation and that the "long time" line is arbitrary and unnecessary.

--Electiontechnology 19:29, 11 February 2007 (UTC)

    • why ? the access time of computer memory is measured in nano-seconds (which can be named "instant" regarding voting machines), once it's changed it can't be recovered.
    • common sense isn't original research. do i really have to find a source saying their printers can be switched of with a switch ?
    • these acts don't rule, that seeing people have to use inferior stuff because some people can't see it. traffic lights make get a sound-device for the blind, they are not removed because blind can't see them. houses get ramps for wheel-chairs, the stairs aren't removed. but You want to remove the VVPAT because some people can't read it ? please show me a similar example. anyway, with a DRE the blind need to trust the software, with a VVPAT it's the same.
    • yes, if the president follows the new policy, she wouldn't make the same statement after that motion was passed. the motion also sees the blind-problem as solvable: "2. the voter can verify, either by eye or with the aid of suitable devices for those who have impaired vision, that the paper ballot/record accurately reflects his or her intent;"

--Taintain 23:32, 12 February 2007 (UTC)

Taintain, no one is blind reverting anything but you. I think the issue is you have a very limited understanding of voting systems and make claims well beyond your level of knowledge. In my opinion you also have an personal agenda and generally like opinion much more than fact. You are attempting to imply that voting system computer memory can be changed in an instant without a trace. You don't know that, and have no sources to support you.

The fundamental problem with your "common sense" solution isn't the technical constraint of printers and switches, it is that you need to understand that what you think is so easy is not. Your example uses "voter card"s, many voting systems do not use voter cards. Could someone manually flip that switch? Could software or tampering override the switch? Please read the original research page. Hopefully it will give you a better understanding.

I sincerely appreciate all the efforts you have put into improving Wikipedia and on the election related articles. I hope that you continue to do so. I also hope that those continuing edits can be free of any personal beliefs you may have.

-- Electiontechnology 16:59, 14 February 2007 (UTC)

so why did You 2 times reintroduce "proficiencey" ? and again: stop getting personal, leads us nowhere.
about fact and opinions: i've said already that You might want to read computer memory if You don't believe how fast traceless it can be changed. i also asked You 2 times to argue why that it's not the case. so unless You come up with a reason, please read computer memory and leave that section alone.
i also found a quote in the princeton study:
In the Diebold DRE we studied, these records are stored in ordinary flash memory, so they are freely modifiable by malicious software.
every system has some way to block unapproved votes which could always also block the printer. with manually flipping it would be nearly impossible to successfully commit fraud. and of course it would be only useful with a mechanical switch without software interference.
--Taintain 21:53, 15 February 2007 (UTC)

I am discussing your limited knowledge. If you find that personal I apologize, but it is a serious issue. You can't grasp the idea that your edits imply that all voting machine memory can be changed instantly without a trace, or you are trying to imply something you know to be falso. Thank you for stopping your blind reverts of your original research. --Electiontechnology 22:39, 15 February 2007 (UTC)

Taintain, editing is a collaborative endeavor. Blind reverts are not collaborative. This conflicts with the Wikipedia policy about "owning" a page (WP:OWN).
Since working on an article does not entitle you to "own" the article, it is still important to respect the work of your fellow contributors. When making large scale removals of content, particularly content contributed by one editor, it is important to consider whether a desirable result could be obtained by working with the editor, instead of against him or her—regardless of whether he or she "owns" the article or not.
If you care as much about this article as you seem to imply, we should have an open, non-confrontational discussion that might result in you being incorrect instead of that not being a possibility. -- Joebeone (Talk) 20:27, 25 March 2007 (UTC)


there should be no "conclusion" at the end of an encyclopedic article as it's no research. this one is anyway wrong since even the brennan study says, that election fraud is not possible if enough people check the VVPAT. so it does a lot more than just raise voter confidence (if implemented properly).

A VVPAT component of a DRE is not a prophylactic against equipment malfunction or every form of election fraud but it may help improve voter confidence. It is a usable way to enable a recount of the intended votes, without VVPAT only the stored votes might be recounted. In case of a manipulation that might not be the same. —The preceding unsigned comment was added by Taintain (talkcontribs) 11:53, 11 February 2007 (UTC).
I totally agree with removing the conclusion. --Electiontechnology 19:29, 11 February 2007 (UTC)

Accuracy update[edit]

  • disingenious -> disingenuous
  • Readable by the human eye does not conclude "more secure" or "trustable"
  • Software is need not always be Proprietary.
  • source doesn't support every voting machine, changed to "Insecure voting machine".
  • "Corrupt or malfunctioning voting machines that do not have VVPAT capabilities might store votes other than as intended by the voter unnoticed" regardless of VVPATs.

--Electiontechnology 04:04, 23 June 2007 (UTC)

Anonymous user Edits[edit]

Please understand that your edits are incorrect. You have been notified of this.

  1. Your edits are in the wrong place. Eliminating the header of the article does not improve the article.
  2. Your edits are not exactly correct. There are a number of different types of VVPATs and they do not all follow your description.
  3. Your edits are largely duplicated in the "VVPAT Application" section.
  4. Your edit "VVPAT is not a substitute for any type of paper ballot." is commentary and not suitable for an encyclopedia.

You are in violation of the Wikipedia Three-revert rule as you have be notified and ignored. I am referring you to an administrator who can hopefully solve this problem. --Electiontechnology 19:34, 7 November 2007 (UTC)

Mercuri Method???[edit]

I eliminated the reference to the VVPAT under glass being known as "the Mercuri method" since there is no reliable reference indicating that it is called or known as this anywhere in the world, other that at Wikipedia. While I don't doubt that Mercuri may have discussed this configuration in her thesis, I doubt even she called it the Mercuri Method in her thesis. (Can you imagine the eye rolling that would have caused among her professors?!) Without any references showing that this attribution is a common one, it smacks of someone either self-promoting or trying to push an unaccepted term and attribution into use. --Fixn (talk) 20:08, 13 July 2009 (UTC)

External links modified[edit]

Hello fellow Wikipedians,

I have just added archive links to 5 external links on Voter-verified paper audit trail. Please take a moment to review my edit. If necessary, add {{cbignore}} after the link to keep me from modifying it. Alternatively, you can add {{nobots|deny=InternetArchiveBot}} to keep me off the page altogether. I made the following changes:

When you have finished reviewing my changes, please set the checked parameter below to true to let others know.

You may set the |checked=, on this template, to true or failed to let other editors know you reviewed the change. If you find any errors, please use the tools below to fix them or call an editor by setting |needhelp= to your help request.

  • If you have discovered URLs which were erroneously considered dead by the bot, you can report them with this tool.
  • If you found an error with any archives or the URLs themselves, you can fix them with this tool.

If you are unable to use these tools, you may set |needhelp=<your help request> on this template to request help from an experienced user. Please include details about your problem, to help other editors.

Cheers.—cyberbot IITalk to my owner:Online 19:32, 11 February 2016 (UTC)

Proposed merge with Mercuri method[edit]

This article refers to the "Mercuri method" as another term for VVPAT, her method does not appear to diverge from the described version so much as to require a separate article GorillaWarfare (talk) 01:11, 31 August 2016 (UTC)