
That's why some departments even have policies of printing and re-scanning retracted documents. It is dumb, but yet pretty hard to get wrong.

Both MS Word and PDF have leaked redacted/removed information in the past. Wasting paper given the severity of some of these leaks is minimal cost.



If it is hard to get wrong, is it still dumb? Being able to verify with your own eyes that the redacted parts are indeed redacted is a pretty strong benefit to that process. You'll need to train staff to properly black out stuff (no idea what they do, heavy cardboard cut-outs or cutting out the censored content and using a black background for the scan?), but once that process is in place, it works.

With software you either need vetted and approved, very expensive software, or you have to accept a much higher error rate, because the operator cannot verify the results of the process with certainty.


Incidentally, you just wrote a pretty good argument for (political) voting on paper instead of via machines.


Absolutely. A system you can see and understand garners a lot more trust than a black-box (even if the box runs vetted and open software).


I think the correct solution is a machine that prints out both a human- and machine-readable representation of the vote. The voter can confirm that the human-readable representation is correct, and you can randomly hand-count a few boxes of ballots to check that the hand-count matches the machine-count.

An election doesn't need to be tamper-proof; we just need to be able to detect tampering well enough to make tampering a loser's game.


You could do such a hybrid system, but honestly purely paper-based systems seem to work well enough in practice. E.g. Germany uses paper and human counting, and the results are usually available fairly quickly.

The problem with randomly hand-counting a few boxes of ballots is that you then need to convince people that the random selection was uniform and fair and actually random.

There are methods to do that, but they are at least as complicated and full of cryptographic finesse, so that they ain't simpler than vetting an electronic voting system in the first place.

Having said that: human counting isn't foolproof and is still open to abuse and tampering.

It's mainly that any village idiot can in theory audit the human-run system, and that it would take a conspiracy with lots of people to engage in widespread tampering.

The more people involved, the harder it is to prevent leaks.


It's not just tampering one needs to worry about with elections. There's also secrecy (to prevent voter coercion).


Right, otherwise the problem would be trivial. If it wasn't clear, the plan was the printed ballot would anonymously go in a box to be machine counted.


Someone could stuff the box with extra ballots?


Yup, but they can do so with old-fashioned paper ballots too. Any security measures for paper ballots will also work with my idea, and the machine could also do fancier things like printing out a timestamp and signature of the timestamp. I really want things to be simple though: if the system of voting is too complex, then it will be distrusted, and distrust in the voting system is toxic to democracy.

What they can't trivially do with any system including paper ballots is remove ballots, compared to digital voting machines where you can add e.g. -100 votes to candidate A, 100 votes to candidate B, thus ensuring that the total-votes field is correct while advantaging candidate B -- this was actually demonstrated by a security researcher on a Diebold touch-screen machine.


FOIA reports usually have a small textbox over the redacted information with a reference to the reason for redaction, likely made in Adobe PDF. Then the docs are either printed and scanned or just converted to an image only PDF.


Then they use the big multifunction networked printer’s built in scanner, which saves a copy to the “little” hard drive they all tend to have in them now, and forget to ensure these things get wiped/destroyed... years later they sell the printer once the lease ends and the surprise inside is months to years of raw scanned documents the new owner gets access to with very little effort.


Why don't they convert the PDF to image and convert back? This approach seems to be a lot more efficient, and less prone to other types of human error (e.g. missing page). Is there still an attack vector?


It's a bit like point and speak checklists on aircraft - it takes a certain amount of energy to do so you can't skip it without doing it deliberately.


The Japanese train system utilizes similar concepts IIRC. When I first read about this I was astonished about how effective it was [0] (up to 85% error reductions)!

[0] https://www.atlasobscura.com/articles/pointing-and-calling-j...

[1] https://news.ycombinator.com/item?id=18952193


Toronto and New York City use a similar point-only system on their subway systems. Without the white gloves though.

https://www.theglobeandmail.com/canada/toronto/article-autom...


If you do that, look at the document, hit CTRL+Z, then look at the document again, it will likely look identical, thanks to the fact that rendering a PDF to a JPEG with 70-90% quality... at ~600DPI... then scaling it back out to a 75-150DPI screen... is going to look visually lossless.

So, not only do you have the energy-investment thing noted in the/a sibling comment, you have the issue that there's no giant "THIS IS AN IMAGE" or "THIS HAS TEXT IN IT" that you can just Look At and know that yeah the document is okay. There's no lowest-common-denominator provability thing. You have to hyperspecifically know what to look for (render to image) then know how to verify whether it's an image or not.

And... how do you verify if it's an image? I don't have any PDF authoring/editing software on this machine, so the only thing I can think of is checking the Undo menu for "convert to image" or similar.


There will be no CTRL + Z, as it can only be used to save to a new document (just like scanning).

Under the hood, you create a new document, rasterize the original document page by page as JPEG, and insert the JPEGs back into the new document.

You can even create a fake "printer" that outputs a PDF with rasterized images as pages, so you don't have to teach the office clerks anything extra.

To me, it seems to be indistinguishable from printing and scanning.

PS: It's pretty easy to verify if the page contains nothing but an image, programmatically, especially if you also wrote the software that rasterizes it in the first place.
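
The programmatic check mentioned in the comment above, as an added example that is not part of the thread: a fail-closed scan of a PDF's raw objects that passes only when every stream is either an image or a content stream with no text-drawing operators. The names `audit_pdf` and `_obj`, the rejected-feature list and the sample byte strings are assumptions made here; anything the scan cannot see into (object streams, encryption) or that signals an earlier saved revision counts as a failure.

```python
import re
import zlib

OBJ_RE = re.compile(rb"\d+\s+\d+\s+obj(.*?)endobj", re.S)
STREAM_RE = re.compile(rb"(.*?)stream\r?\n(.*)\r?\nendstream", re.S)
TEXT_OP_RE = re.compile(rb"(?<![A-Za-z/])(BT|Tj|TJ)(?![A-Za-z])")
# Features a rasterised page never needs; /ObjStm and /Encrypt hide objects from this scan.
FAIL_CLOSED = (b"/Font", b"/Annots", b"/EmbeddedFile", b"/ObjStm", b"/Encrypt")

def audit_pdf(data: bytes) -> list[str]:
    """Return reasons the file is not provably image-only; an empty list means it passed."""
    findings = [f"{k.decode()} present" for k in FAIL_CLOSED if k in data]
    if data.count(b"%%EOF") > 1:
        findings.append("incremental update: an earlier revision may still be in the file")
    images = 0
    for obj in OBJ_RE.finditer(data):
        m = STREAM_RE.match(obj.group(1))
        if not m:
            continue  # plain dictionary object without a stream
        header, body = m.groups()
        if re.search(rb"/Subtype\s*/Image\b", header):
            images += 1
            continue
        if b"/FlateDecode" in header:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                findings.append("stream could not be decoded")
                continue
        if TEXT_OP_RE.search(body):
            findings.append("text-drawing operator in a content stream")
    if images == 0:
        findings.append("no image XObject found")
    return findings

def _obj(num: int, header: bytes, body: bytes) -> bytes:
    tmpl = b"%d 0 obj\n<< %s /Length %d >>\nstream\n%s\nendstream\nendobj\n"
    return tmpl % (num, header, len(body), body)

# Constructed samples (object fragments, not complete files).
# RASTERISED: one image plus a content stream that only paints it.
RASTERISED = (b"%PDF-1.4\n" + _obj(1, b"/Type /XObject /Subtype /Image", b"\xff\xd8fake-jpeg")
              + _obj(2, b"/Filter /FlateDecode", zlib.compress(b"q 612 0 0 792 0 0 cm /Im0 Do Q"))
              + b"%%EOF\n")
# BOX_OVER_TEXT: a black rectangle drawn over text that is still in the stream.
BOX_OVER_TEXT = (b"%PDF-1.4\n" + _obj(1, b"/Filter /FlateDecode", zlib.compress(
    b"BT /F1 12 Tf 72 700 Td (constructed secret) Tj ET 0 g 70 695 150 16 re f")) + b"%%EOF\n")

if __name__ == "__main__":
    print(audit_pdf(RASTERISED), audit_pdf(BOX_OVER_TEXT))
```

The scan is deliberately conservative: a rejected key that happens to appear inside binary image data produces a false failure, not a false pass, and document metadata is outside what it checks.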


> It's pretty easy to verify if the page contains nothing but an image, programmatically, especially if you also wrote the software that rasterizes it in the first place.

It's pretty easy for a computer to verify any of this, the point is making it idiot proof. You don't have to be much of an idiot, if you process hundreds of documents a year where there's no way to visually verify the difference between a badly redacted document and a well redacted document, to screw up once. Especially when the difference between them is that you remembered to push the "redact correctly" button, and if you forgot that, remembered to push the "verify if it is redacted correctly programmatically" button before hitting send.

What you do is create a ritual where you have to walk across the room and use a physical machine. You'll remember doing that. And if you don't, since the output will look a bit crap, you can confirm it trivially.

Creating a process that has to be done perfectly every time or it fails catastrophically, and has few indications of failure during the process, is worse than having no process at all.


It is probably still easier to screw up on a computer than by looking at physical documents to verify them and then scanning them.



