November 17, 2018

Continuous-roll VVPAT under glass: an idea whose time has passed

States and counties should not adopt DRE+VVPAT voting machines such as the Dominion ImageCast X and the ES&S ExpressVote.  Here’s why.

Touchscreen voting machines (direct-recording electronic, DRE) cannot be trusted to count votes, because (like any voting computer) a hacker may have installed fraudulent software that steals votes from one candidate and gives them to another.  The best solution is to vote on hand-marked paper ballots, counted by optical scanners.  Those opscan computers can be hacked too, of course, but we can recount or random-sample (“risk-limiting audit”) the paper ballots, by human inspection of the paper that the voter marked, to make sure.

Fifteen years ago in the early 2000s, we computer scientists proposed another solution: equip the touchscreen DREs with a “voter verified paper audit trail” (VVPAT).  The voter would select candidates on a touchscreen, the DRE would print those choices on a cash-register tape under glass, the voter would inspect the paper to make sure the machine wasn’t cheating, the printed ballot would drop into a sealed ballot box, and the DRE would count the vote electronically.  If the DRE had been hacked to cheat, it could report fraudulent vote totals for the candidates, but a recount of the paper VVPAT ballots in the ballot box would detect (and correct) the fraud.

By the year 2009, this idea was already considered obsolete.  The problem is, no one has any confidence that the VVPAT is actually “voter verified,” for many reasons:

  1. The VVPAT is printed in small type on a narrow cash-register tape under glass, difficult for the voter to read.
  2. The voter is not well informed about the purpose of the VVPAT.  (For example, in 2016 an instructional video from Buncombe County, NC showed how to use the machine; the VVPAT-under-glass was clearly visible at times, but the narrator didn’t even mention that it was there, let alone explain what it’s for and why it’s important for the voter to look at it.)
  3. It’s not clear to the voter, or to the pollworker, what to do if the VVPAT shows the wrong selections.  Yes, the voter can alert the pollworker, the ballot will be voided, and the voter can start afresh.  But think about the “threat model.”  Suppose the hacked/cheating DRE changes a vote, and prints the changed vote in the VVPAT.  If the voter doesn’t notice, then the DRE has successfully stolen a vote, and this theft will survive the recount.  If the voter does notice, then the DRE is caught red-handed, except that nothing happens other than the voter tries again (and the DRE doesn’t cheat this time).   You might think, if the wrong candidate is printed on the VVPAT then this is strong evidence that the machine is hacked, alarm bells should ring– but what if the voter misremembers what he entered in the touch screen?  There’s no way to know whose fault it is.
  4. Voters are not very good at correlating their VVPAT-in-tiny-type-under-glass to the selections they made on the touch screen.  They can remember who they selected for president, but do they really remember the name of their selection for county commissioner?  And yet, historically in American elections, it’s as often the local and legislative offices where ballot-box-counting (insider) fraud has occurred.
  5. “Continuous-roll” VVPATs, which don’t cut the tape into individual ballots, compromise the secrecy of the ballot.  Since any of the political-party-designated pollwatchers can see (and write down) what order people vote on the machine, and know the names of all the voters who announce themselves when signing in, they can (during a recount) correlate voters to ballots.  (During a 2006 trial in the Superior Court of New Jersey, I was testifying about this issue; Judge Linda Feinberg saw this point immediately, she said it was obvious that continuous-roll VVPATs compromise the secret ballot and should not be acceptable under New Jersey law. )

For all these reasons, many states that adopted DRE+VVPAT in the period 2003-2008 have abandoned them, switching over to optical-scan voting with hand-marked (“fill in the opscan bubbles”) paper ballots, with Ballot-Marking Devices (BMDs) available for voters who can’t easily read or handle the paper.  Buncombe County switched to optical scan between 2016 and 2018, because the state of North Caroline outlawed continuous-roll VVPATs).

In the 2018 election, approximately* 42 states will use optical-scan, 3 states will use DRE+VVPAT, and 5 states will use paperless DREs (touchscreens).  Between 2002 and 2018, many states switched from DRE to opscan, from mechanical lever machines to opscan, from punchcard to opscan, from DRE+VVPAT to opscan; but not one state that I know of switched to DRE+VVPAT.  It’s not a good technology; it’s too easy for the computer (if hacked) to manipulate what appears on the paper record.

New Jersey is one of those 5 states that use paperless DREs.  There’s no excuse for that; if the DREs are hacked, elections can be stolen with no detection and no recourse.  (Or if the DREs “make a mistake“, no recount is possible.)  New Jersey should switch to voter-marked optical-scan ballots, like the rest of the country.

But I am informed** that three New Jersey counties (Gloucester, Essex, and Union) are considering the purchase of new voting machines, and they’re considering only the ES&S ExpressVote and the Dominion ImageCast X.  I’ve already explained why the ExpressVote is a bad idea.

New Jersey (or any state) should not adopt Dominion ImageCast X DRE+VVPAT voting machine.  The ImageCast X comes in several configurations, and one of them is basically a DRE+VVPAT, with a continuous-roll cash-register tape under glass.  Kevin Skoglund, a software engineer in Pennsylvania, had an opportunity to examine one at a demonstration in Harrisburg, PA.  He reports that it’s quite difficult to read the VVPAT-under-glass:  the printing was gray (not black) on the thermal paper, the font was small, the glass window in the machine was small.  Even though he has 20/20 vision, he had difficulty reading it.

The ImageCast X is advertised as an optical scanner, not a DRE, because, technically, this configuration prints a QR barcode onto the VVPAT tape, then an integrated scanner immediately reads this QR code before counting the vote.  This is a distinction without a difference.  All the disadvantages 1,2,3,4,5 (above) apply to this format.  Sure, a DRE+VVPAT is marginally better than a DRE; but that’s not the technology to adopt in 2018.

New Jersey should buy optical-scan voting machines for hand-marked optical-scan ballots.  Dominion makes reasonable optical-scan voting machines:  the ImageCast Precinct and the ImageCast Central.  ES&S makes reasonable optical-scan voting machines: the DS200, the DS450, and the DS850.   Three other companies make EAC-certified optical-scan voting machines: Clearballot, Hart, and Unisyn.  New Jersey (and the few other states still using paperless DREs)  should buy optical-scan voting machines from any of these 5 companies.

*I say “approximately” because some states use different machines in different counties.

**e-mail from Robert Giles, Director of the NJ Division of Elections, to Stephanie Harris, October 11, 2018.

Photo of ImageCast X VVPAT window:  Kevin Skoglund, June 2018.

Comments

  1. David Jefferson says:

    The voting concept that could be described as “VVPAT under glass” was indeed invented by a computer scientist, Rebecca Mercuri, about 20 years ago. But the design she had in mind, and those others of us had in mind much later, were nothing like the narrow gas-station-receipt-tape-on-a-roll design that came into wide use.

    The current designs came about as add-ons to pure DRE systems that had no paper trail. The California Secretary of State’s Task Force on Touchscreen Voting (of which David Dill, Kim Alexander and I were members) produced a report that convinced SoS Kevin Shelley to require voter-verified paper trails on machines certified for use in California. DREs without paper trails were viewed as defective, and rather than requiring entirely new systems to be purchased (for which there was no money) adding a paper trail device to current DREs was at least a vast improvement in what we would now call “auditability”. We of course did not offer any design guidance, since that was not our role.

    The big vendors at the time (Diebold, ES&S, Sequoia, and Hart Intercivic), who had been active in trying to influence the Task Force, bitterly fought the regulation. They claimed that the malicious software scenarios we described — the same ones you described — were “science fiction” and basically treated the entire concept as an attack on their honesty and integrity as companies and on the accuracy of their DRE products. They all teamed up and sued the CA SoS over it, but eventually lost. The regulation went into effect in CA and spread widely to other states in the next few years.

    When the vendors eventually produced VVPAT systems for certification in California, we were horrified by the designs. They were all uniformly terrible in every way. It was clear that the vendors were trying to produce the absolute cheapest design possible with the use of cheap dot-matrix thermal printers and 2-inch wide paper rolls with no tape cutters. But they seemed also to go out of their way to give the finger to the public but putting a hinged opaque door over the VVPAT tape so a voter by default could not see the tape at all, completely defeating the purpose of voter verification. Sadly, most election officials opposed the idea of VVPATs and grudgingly tolerated them, without any attempt to train the public about them (as you point out is still the case fifteen years later) and without introducing any procedures to use the VVPAT tapes for any post-election processing, in spite of the fact that that was the whole point.

    Later when these systems were presented for certification in CA I was a member of the panel that was charged with studying them and advising the SoS on certification. At a public hearing I cast the lone NO vote against certification — as far as I know the only time that ever happened in the U.S.

    It is certainly true that the VVPATs as implemented and used were completely ineffective for their intended purpose. But had the idea of VVPATs been embraced by the industry and implemented in a way that many of us intended, the systems could have been much more like the ballot marking devices (BMDs) being sold today. They would still be imperfect, inferior in my view to voter-marked paper ballots, but they would not have been the embarrassing blight on the voting process they became.

Speak Your Mind