November 25, 2020

Ballot-level comparison audits: precinct-count

Special bonus: This article contains two puzzles for the reader, marked in green. Try to solve them yourself before reading the solutions in a future post!

In my last post I described a particularly efficient kind of risk-limiting audit (RLA) of election results: ballot-level comparison audits, which rely on a unique serial number on every ballot. The serial number should not be preprinted on the ballot where the voter can learn it; otherwise the voter could sell their vote, or be coerced to vote a certain way, and the buyer or coercer could learn the vote from the file of cast-vote records (CVRs). The solution, when central-count optical scan (CCOS) is used, is that the central-count optical-scan voting machine can print the serial number onto the ballot as it scans and counts the ballot.

But many jurisdictions use precinct-count optical scan (PCOS): the voter marks a ballot, and feeds it directly into the PCOS voting machine, where it is scanned, counted, and preserved in a ballot box. This has three advantages over CCOS:

  1. PCOS machines can alert the voter about overvotes, undervotes, or blank ballots, which gives the voter a chance to correct their ballot.
  2. PCOS tabulations are ready immediately at the close of the polls, which gives faster election-night reporting.
  3. PCOS tabulations give an additional safeguard against low-tech paper-ballot tampering: if the hand-to-eye recount of this batch does not match the results claimed by the optical-scanner, then one of them is wrong. The paper ballots themselves are the presumed ballot of record; State statutes should say that in case of disagreement we trust the paper by default, not the (possibly hacked or buggy) computers; but even so, a disagreement is important evidence of possible tampering that could be worth a forensic investigation. We don’t get this safeguard with central-count scanning of precinct-marked ballots.

But PCOS machines are not equipped with serial-number printers. Why is that? It would be straightforward to add one to a standard PCOS design, and it wouldn’t much affect the price of the product (so I’ve been told by the vice president of a major voting-machine company). The reason is not that the vendors can’t or won’t make the product; it’s that PCOS-ballot serial numbers are not so straightforward to use in RLAs.

When CCOS machines print serial numbers, they do so in consecutive order. Then, during a ballot-level comparison audit, when a person has to find ballot number 806.573 in a batch of 1000 ballots numbered from 806.000 to 806.999, it’s easy: just like finding page 573 in a 1000-page book.

But PCOS machines must not print serial-numbers in consecutive order. In the polling place, the public (and political-party pollwatchers) can observe the order in which voters insert their ballots; so if the serial numbers are consecutive, they could use the CVR file to reconstruct who voted which way. Furthermore, even if they did print consecutive serial numbers, when the ballots drop into the ballot box they don’t fall in perfect order; they get mixed up, which helps to preserve the secret ballot. (Some manufacturers’ PCOS machines do stack ballots in perfect order, which can be viewed as a problem for voter privacy.)

One solution would be to have the PCOS print the serial numbers in random order. That solves the ballot-privacy problem, and it does allow ballot-level comparison audits, but: now the human auditor has to find ballot 806.573 in a batch of 1000 randomly ordered sheets of paper, and that is extremely time-consuming. It negates the efficiency of ballot-comparison audits; you might as well use a ballot-polling audit, which does not require serial numbers at all.

My previous article explained that CCOS machines can support ballot-comparison audits even without printing serial numbers: they keep the stack of ballots in order. With PCOS, we cannot use the “keep the ballots in order” trick, for two reasons: first, many PCOS machines do not stack the ballots neatly in the ballot box–this is on purpose, to preserve the privacy of the secret ballot. Second, even the ones that do stack ballots neatly randomize the order of the CVR file; this is also to preserve the privacy of the secret ballot. Therefore, “keep the ballots in order” is not a solution for PCOS.


Here’s a brilliant solution, which many smart people (including myself) have developed independently, and which is wrong. Instead of picking a random entry from the CVR file, and then finding that serial number in a batch of ballots, do this: pick a random sheet of paper from the batch of ballots, then look up its serial number in the CVR file. The reason this doesn’t work is that a hacked PCOS machine could cheat by printing the same (duplicate) serial number onto many ballots; and therefore, many entries in the CVR file would have no corresponding physical paper ballot.

I leave it as a puzzle for the reader for how this permits cheating–in a way that would not be noticed in a ballot-comparison audit. I’ll provide the solution to this puzzle in a future article.

Here’s a different solution, invented at Princeton and now a standard method: Take the batch of PCOS ballots, run it through a CCOS scanner that can print (consecutive) serial numbers, make sure the CCOS tabulation agrees with the PCOS tabulation, and then do a ballot-level comparison audit using the CVR file produced by the CCOS machine. In RLA parlance, this is now called a transitive audit. It’s sound, it really does work, but it’s clumsy and laborious.
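The transitive audit described above, sketched as an added example (not code from this article or from any audit software): it checks that the CCOS rescan reproduces the PCOS tabulation, then samples serial numbers from the CCOS CVR file and compares each against the paper. The record layout, function names, seed and ballot data are all constructed assumptions.

```python
import random
from collections import Counter

def tally(cvrs):
    """Votes per candidate across a list of cast-vote records."""
    return Counter(c["vote"] for c in cvrs)

def tabulations_agree(pcos_cvrs, ccos_cvrs):
    """The CCOS rescan must reproduce the PCOS tabulation before it is used."""
    return tally(pcos_cvrs) == tally(ccos_cvrs)

def draw_sample(ccos_cvrs, n, seed):
    """Choose n serial numbers from the CCOS CVR file (not from the paper)."""
    # random.Random is a stand-in (assumption); a real audit would use its
    # own public, reproducible sampling procedure.
    serials = sorted(c["serial"] for c in ccos_cvrs)
    return sorted(random.Random(seed).sample(serials, n))

def discrepancies(ccos_cvrs, paper, sample):
    """Compare each sampled paper ballot, found by printed serial, to its CVR.

    A CVR whose paper ballot cannot be found (paper.get -> None) is reported
    as a discrepancy rather than skipped.
    """
    by_serial = {c["serial"]: c["vote"] for c in ccos_cvrs}
    return [(s, by_serial[s], paper.get(s))
            for s in sample if paper.get(s) != by_serial[s]]

def constructed_batch(size=1000):
    """Constructed data: one batch numbered 806.000 to 806.999."""
    votes = ["A" if i % 5 < 3 else "B" for i in range(size)]
    ccos = [{"serial": f"806.{i:03d}", "vote": v} for i, v in enumerate(votes)]
    # PCOS CVRs carry no serial number and are stored in randomized order.
    pcos = [{"vote": v} for v in votes]
    random.Random(1).shuffle(pcos)
    paper = {c["serial"]: c["vote"] for c in ccos}  # what a human auditor reads
    return pcos, ccos, paper

if __name__ == "__main__":
    pcos, ccos, paper = constructed_batch()
    print("tabulations agree:", tabulations_agree(pcos, ccos))
    sample = draw_sample(ccos, 10, seed="constructed-public-seed")
    print("sampled serials:", sample)
    print("discrepancies:", discrepancies(ccos, paper, sample))
```

The sketch stops at listing discrepancies; deciding whether the sample satisfies the risk limit is a separate calculation.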

The (excellent) September 2019 report by the Rhode Island RLA Working Group explains and measures in practice the pros and cons of three different RLA methods for PCOS voting: Standard ballot-comparison audits can’t be used with PCOS machines because the PCOS doesn’t print serial numbers (and if it did print serial numbers, they shouldn’t be in consecutive order); one workaround is to do a ballot-polling audit instead; another workaround is to do a batch-level comparison audit (see the report) instead; another workaround is to do a transitive audit.

In summary: the most efficient RLA methods don’t work well with precinct-count optical scan voting. There ought to be a better way. I leave this as my second puzzle for the reader. In a future post, I’ll discuss a “solution” to this puzzle, but (as I’ll explain) I don’t have solid evidence that it’s really better.

BMDs: In a future post I’ll discuss how these issues relate to ballot-marking devices (BMDs).

Comments

  1. Anonymous says:

    Use an old school physical radix sort algorithm to sort the ballots after printing. Each ballot should have a serial number physically encoded on its top row upon insertion. Then, after voting, quickly sort them using the same technique people used for punch cards. https://en.m.wikipedia.org/wiki/IBM_card_sorter

  2. Karen McKim says:

    Answer to the Second Puzzle: Last November, the chair of the Wisconsin Elections Commission (WEC) asked me to describe how RLAs could work in Wisconsin, given our statewide mix of PCOS equipment, none of which prints numbers on ballots.
    I sketched out for him a ballot-polling process. Municipal clerks could rapidly report the prelim results, plus info for a statewide manifest to WEC or the state audit bureau. That info would be: the # of ballot bags in each ward and the # of ballots in each bag. (Poll workers could easily report that info to the muni clerks on Election Night.) Ind’l wards have fewer than 10 ballots up to 2,000 ballots, with 300 ballots in a bag, so 7 bags in one ward is probably the max.

    Using that ballot manifest, WEC could then identify the random sample and have the municipalities fax (or scan and transmit) the sampled ballots to Madison. Example: WEC would notify the City of Adams to use K-Cut process, in a public drawing, to randomly select one ballot from the second bag from the 3rd Ward, photograph it; upload the digital image to a state website (or something like that); and then place the ballot back in the bag.
    The WEC would then conduct the public manual count of the votes, using those images (project them on a screen; we did that for a handcount in Racine and it worked well), and complete the verification of the results. A decision would need to be made about how to expand the sample if necessary–select a bigger-than-needed sample in the first place? Repeat the process? That would have to be decided, but I cannot see that rescanning every ballot in the state would not be multiples of the amount of work needed for this method.

    I’ll add pdf of the memo I sent to the WEC to my blog post on this topic at https://wisconsinelectionintegrity.org/2019/11/09/election-audits-are-easy-and-cheap/

    Comments welcome! (Please!)