October 18, 2021

Juan Gilbert’s Transparent BMD

Princeton’s Center for Information Technology Policy recently hosted a talk by Professor Juan Gilbert of the University of Florida, in which he demonstrated his interesting new invention and presented results from user studies.

What’s the problem with ballot-marking devices?

It’s well known that a voting system must use paper ballots to be trustworthy (at least with any known or foreseeable technology). But how should voters mark their ballots? Hand-marked paper ballots (HMPB) allow voters to fill in ovals with a pen, to be counted by an optical scanner. Ballot-marking devices (BMDs) allow voters to use a touchscreen (or other assistive device) and then print out a ballot card listing the voter’s choices.

The biggest problem with BMDs is that most voters don’t check the ballot card carefully, so that if the BMD were hacked and misrepresenting votes on the paper, the voters wouldn’t notice–and even if a few voters did notice, the BMDs would have successfully stolen the votes of many other voters.

One scientific study (not in a real election) showed that some process interventions–such as, “remind voters to check their ballots”–might improve the rate at which voters check their ballots. I am skeptical that those kinds of interventions will be consistently applied in thousands of polling places, or that voters will stay vigilant year after year. And even if the rate of checking can be improved from 6.6% to 50%, there’s still no clear remedy that can protect the outcome of the election as a whole.

The transparent BMD

Instead of reminding the voter, Professor Gilbert’s solution is to force them to look directly at the printout, immediately after voting each contest. In this video, at 0:36, see how the voter is asked to touch the screen directly in front of the spot on the paper where the vote was just printed.

Voter’s finger confirming a printed-on-paper vote by touching the screen directly in front of where the vote was printed.

He explains more in the CITP seminar he presented at Princeton. He also explains his user studies. When the BMD deliberately printed one vote wrong on the paper ballot (out of 12 contests on the ballot), 36% of voters noticed and said something about it–and another 41% noticed but didn’t say anything until asked. This is a significantly higher rate of detection than when using conventional BMDs. Hypothetically, if those 41% could somehow be prompted to speak up, then there’d be a 77% rate at which voters would detect and correct fraudulent vote-flipping.

Somehow, this physically embodied intervention seems more consistently effective than one that requires sustained cooperation from election administrators, poll workers, and voters–all of whom are only human.

Would this make BMDs safe to use?

Recall what the problem is: If the BMD cheats on X% of the votes in a certain contest, and only Y% of the voters check their ballot carefully, and only Z% of those will actually speak up, then only X*Y*Z% voters will speak up. In a very close election, X might be 1/100, Y has been measured as 1/15, and Z might be 1/2, so XYZ=1/3000. Professor Gilbert has demonstrated that (with the right technology) X can be improved to 76% (or 3/4) but Z is still about 1/2. Suppose further tinkering could improve Z to 3/4, then XYZ would be 1/178. That is, if the hacked BMD attempted to steal 1% of the votes, then 9/16 of those voters would notice (and ask the pollworkers for a do-over), so the net rate of theft would be only 7/16 of 1%, or about half a percent.

And in that hypothetical scenario, one voter out of every 178 would have asked for a do-over, saying “what printed on the paper isn’t what I selected on the touchscreen.” That’s (perhaps) two or three in every medium-size polling place–or, in a statewide election with 3 million voters, that’s more than 16,000 voters speaking up. If that happened, and if the margin of victory is less than half-a-percent, then what should the Secretary of State do?

The answer is still not clear. You can read this to see the difficulty.

So, the Transparent BMD is a really interesting research advance; it is a really good design idea; and Professor Gilbert’s user-studies are professionally done. But further research is needed to figure out how such machines could (safely) be used in real elections.

And there’s still no excuse for using conventional BMDs, with their abysmal rate at which voters check their ballot papers, as the default mode for all voters in a public election.


Further caveats. These are considerations for the evaluation of the practical security of “transparent BMDs” in elections, worth further study.

  1. If a voter speaks up and says “the machine changed my vote”, will the local pollworkers respond appropriately? Suppose there have been many elections in a row where the voting machines haven’t been hacked (which we certainly hope is the case!); then whatever training the pollworkers are supposed to have may have been omitted or forgotten.
  2. When analyzing whether a new physical design is more secure, one must be careful to assume that the hacker can install software that can behave any way that the hardware is capable of. Just to take one example, suppose the hacked BMD software is designed to behave like a conventional BMD: first accept all the voter’s choices, then print (without forcing the voter to touch the screen where the gaze is directed to the just-printed candidate). This gives the opportunity to deliberately misprint in a way that we know voters don’t detect very well. But would voters know that the BMD is not supposed to behave this way? I pose this just as an example of how to think about the “threat model” of voting machines.
  3. Those voters who noticed the machine cheating but didn’t speak up in the study, then claimed that if it were a real polling place they would speak up– really? In real life, there are many occurrences of voters seeing something they feel is wrong at the polling place, but waiting until they get home before calling someone to talk about it. Many people feel a bit intimidated in situations like this. So it’s difficult to translate what people say they will do, into what really they will do.
  4. Professor Gilbert suggests (in his talk) that he’ll change the prompt from “Please review your selection below. Touch your selection to continue.” to something like “Please review your selection below. If it is correct, touch it. If it is wrong, please notify a pollworker.” This does seem like it would improve the rate at which voters would report errors. It will be interesting to see.

Comments

  1. David Jefferson says:

    If I understand this correctly, when a voter fails to touch the candidate during the verification step that matches the choice printed on the ballot, nothing happens. The onus is on the voter to notice that the printed ballot does not reflect her preference and spoil the ballot ,and maybe notify a poll worker.

    But what if look at this a little differently and modify the process so it is not about the the voter checking the machine, but about the machine checking the voter? While the printed vote is visible behind the touch screen the machine can in effect require the voter to “vote” a second time during the verification process the same way she did the first time. The order of the candidates might be changed on the verification screen so that it requires a small cognitive effort for the voter to choose the same candidate the second time as the first time. Whenever the voter chooses a candidate during the verification process that does not match the one chosen the first time when the vote was printed, the BMD should offers an audible beep and a message *requiring* the voter either to touch the “correct” candidate (i.e. the one printed on the ballot,) thereby verifying that vote, or else to spoil the ballot and start over, in which case a double beep sounds. This way the responsibility is not on the voter to notice that the printed vote is wrong; the machine detects the discrepancy and notifies the voter to correctly verify or spoil the ballot.

    Malicious software might deliberately print the wrong vote on the ballot and then fail to notify the voter with a beep when there is a mismatch during verification. Some incorrect votes may get through that way on the printed ballot, but only if the machine maliciously prints the wrong choice on the paper ballot AND the voter mistakenly validates it during the verification process AND the voter does not notice that and spoil the ballot.

    A separate device attached to each BMD (not controlled by it or produced by the same vendor) counts the audible beeps and double beeps on each machine, which may help provide statistical evidence for which machines are misbehaving.

    • Andrew Appel says:

      The voter is asked to touch the screen, not at the place where they voted for a candidate, but over the spot where the printout has just printed on the paper. There’s not another “choice” of where to touch; instead, the voter is forced to direct attention to the printed name that has just appeared. If the voter fails to touch that spot, “nothing happens” in the sense that the machine keeps waiting for the voter to touch there.
      The voter does not have to “choose the same candidate the second time”, they just have to touch the screen just over the printout.

      Now, what happens if the printout doesn’t match the voter’s expectation?
      (1) There’s a better chance that the voter will notice, than there is with a conventional BMD
      (2) In the version-1 prototype on which the user studies were done, the machine doesn’t explicitly say what to do in that case.
      (3) Professor Gilbert proposes that in the version-2 prototype, the instructions should more clearly say “if the printed vote doesn’t match your selection, alert a pollworker”. This might help . . .
      (4) . . . but, of course, if the machine is hacked, then it might not give the standard (legitimate) instructions.