September 18, 2019

Cheating with paper ballots

In my previous article, I discussed 10 ways that voting machines could cheat, in ballot-marking, ballot-scanning, and ballot tabulating; and I discussed which of these cheats could be caught and corrected during risk-limiting audits and recounts of the paper ballots.  In particular, cheat-methods 1, 2, 5, and 7 will be detected/corrected by audits/recounts; methods 3,4,6,8,9,10 will likely not be detected/corrected.  Therefore I argued for hand-marked optical-scan ballots (which can’t be cheated by methods 3,4,6,8,9,10).

Now let me discuss cheat methods 11 and 12:

How to cheat, method 11:  Hack the software that is used in the audit/recount process to make it cheat.

Solution 1:  Don’t use computers in the audit/recount process.  This solution is extreme and, for some audit methods, impractical.  For example, we may have to print a spreadsheet listing the “manifest” of ballot batches (how many ballots are in each batch); we may use a spreadsheet to record and sum the tallies of our audit or recount.  How much of a nontrivial “business method” such as an audit can we really run entirely without computers?

Solution 2:  Use computers during the audit/recount, but in a limited, software-independent way.  That means, any time a computer program is used in some part of the process, the inputs, algorithm, and outputs of that program should be public and transparent.  Any member of the public should be able to recalculate the results of the program, independently.  For example, if a spreadsheet is used to sum up the vote totals in the precincts, print out the spreadsheet, and anyone can add it up themselves using a pencil, a mechanical calculator, or their own computer with their own computer program.  (In the June 2018 risk-limiting (ballot polling) audit performed in Orange County, CA, audit teams-of-four entered all their observations onto paper spreadsheet forms, for tabulation by computer but which could be independently tallied by anyone.)

How to cheat, method 12:  Steal the entire ballot box and replace the paper ballots with fraudulent ballots marked differently.  Or just ignore the paper ballots entirely.

This used to happen on a regular basis.  In Duval County, Texas, 1948, “Parr was the Godfather.  He had life-or-death control.  We could tell any election judge, `give us 80 percent of the vote and the other guy 20 percent.'” [Campbell, Deliver the Vote, 2005, p. 224]  That is, in some counties, the party bosses who controlled the polling places and ballot boxes would just report whatever counts they wanted, regardless of the ballots. [See also: Robert Caro, Means of Ascent, 1991, Chapter 13]  In the 19th and early 20th century, insider election fraud was widespread in the U.S. [Saltman, The History and Politics of Voting Technology, 2006]

Solution 1:  Pollwatchers from both (or all) political parties present at the polls and during the vote counting, as witnesses.  Definitely a good idea.  But it wouldn’t have worked in Duval County 1948, or Jersey City 1968, where physical intimidation kept the opposition party away; and where the most important elections were primary elections, not general elections.

Solution 2:  Supervision of elections by the State government, or by the Federal government, or indictments by Federal prosecutors, to restore democracy to the process.  In 1870-76, there averaged ten indictments per week nationwide for election fraud.

Solution 3:  Professionalization.  Over the past 150 years, as election administration has developed into a profession with best practices, standards, codes of ethics, and so on, we could hope that gross frauds (with everyone “in the know”) would no longer be tolerated.

Solution 4:  Shorten the “chain of custody” of the ballot box to an absolute minimum.  Immediately after the polls close, in the presence of witnesses, open the ballot box, count the ballots by hand, and make the results known.  The ballot box, and the ballots, are never out of sight of the witnesses.   (This is standard procedure in many countries that use hand-counted paper ballots–but in those countries, hand counting works well because there’s only one contest on each ballot.)

How to cheat, method 13:  While working in a recount (or audit) of paper ballots, hide a bit of pencil lead under your fingernail.  Surreptitiously mark overvotes on ballots marked for the candidate you don’t like.  (A traditional American method.)

What this all illustrates is that paper ballots with audits and recounts, by themselves, are not a panacea.  They need careful and transparent chain-of-custody procedures, and some basic degree of honesty and civic trust.

Solution 5:  Precinct-count optical scan.  Votes are recorded and tabulated by the voting machine immediately as they are cast; paper ballots are saved in a sealed ballot box for later audit or recount.   In case of disagreement, the paper ballots are considered the official ballot of record.  But still, the disagreement, all by itself, is strong evidence that something went wrong: either the machines are cheating, or the machines are miscalibrated, or the paper ballots were altered.  The election fraudster will find it more difficult to make fraudulent paper ballots that exactly match a fraudulent voting machine’s report, than to hack just the voting machine or just the paper ballots.  Although the paper ballots are the default ballot of record, serious discrepancies can lead to investigations.  Once it ends up in court, the judge can hear evidence; perhaps there will be reason to rule that the machine counts are trustworthy where the paper ballots are not.

Notice that central-count optical scan, where the paper ballots go through a nontrivial chain of custody before the first time they are scanned, does not permit Solution 5.

All the solutions I described here take the form, we can never fully trust that the computerized voting machines haven’t been hacked to cheat, so we must have trustworthy human processes to make sure that the paper ballots, marked by the voter, are preserved unaltered and recounted accurately.  But what if there were a way to audit and trust the election results, independent of trusting the very human process of recounting paper ballots?

Solution 6:  End-to-end-verifiable voting.  In a future article I’ll discuss E2E-verifiable methods, by which each voter can trace his or her own ballot through the process and gain assurance that it has been recorded and counted correctly.   Perhaps some of these methods can increase the assurance and efficiency of our elections, especially those E2E-V methods that use paper ballots that can also be audited using random audits by human inspection, providing belt-and-suspenders assurance.

Ten ways to make voting machines cheat with plausible deniability

Summary:  Voting machines can be hacked; risk-limiting audits of paper ballots can detect incorrect outcomes, whether from hacked voting machines or programming inaccuracies; recounts of paper ballots can correct those outcomes; but some methods for producing paper ballots are more auditable and recountable than others.

A now-standard principle of computer-counted public elections is, use a voter-verified paper ballot, so that in case the voting machine cheats in counting the votes, the human doing an audit or recount can see the paper that the voter marked.  Why would the voting machine cheat?  Well, voting machines are computers, and any computer may have security vulnerabilities that permit an attacker to modify or replace its software.  We must presume that any voting machine might, at any time, be under the complete control of an attacker, an election thief.

There are several ways that voter-verified paper ballots can be implemented:

  1. Voter marks an optical-scan ballot with a pen, deposits into optical-scan voting machine for counting (and for saving in sealed ballot box).
  2. Voter uses a ballot-marking device (BMD), a computer with touchscreen/audio/sip-and-puff interfaces, which prints an optical-scan ballot, deposits into optical-scan voting machine for counting (and saving).
  3. Voter uses a DRE+VVPAT voting machine, that is, a Direct-Recording Electronic  “touchscreen” machine with a Voter-Verified Paper Audit Trail, which saves the VVPAT printouts in a ballot box.
  4. Voter uses an “all-in-one” voting machine: inserts blank paper into slot, voter uses touchscreen interface to mark ballot, machine ejects ballot from slot, voter  inspects printed ballot, voter reinserts printed ballot into same slot, where it is scanned (or is it?) and deposited into ballot box.

There’s also 1a (hand-marked optical-scan ballots, dropped into a precinct ballot box to be centrally counted instead of counted immediately by a precinct-located scanner), 1b (hand-marked optical-scan ballots, sent by mail) and 2a (BMD-marked optical-scan ballots, centrally counted).

In this article I will put on my “adversarial thinking” hat, and try to design ways that the attacker might try to cheat (and get away with it).  You might think that the voter-verified paper ballot will detect cheating, and therefore deter cheating or correct the result–but maybe that depends on which kind of technology is used!

An unverifiability principle for voting machines

In my last three articles I described the ES&S ExpressVote, the Dominion ImageCast Evolution, and the Dominion ImageCast X (in its DRE+VVPAT configuration).  There’s something they all have in common: they all violate a certain principle of voter verifiability.

  • Any voting machine whose physical hardware can print votes onto the ballot after the last time the voter sees the paper is not a voter-verified paper ballot system, and is not acceptable.
  • The best way to implement this principle is to physically separate the ballot-marking device from the scanning-and-tabulating device.  The voter marks a paper ballot with a pen or BMD, then after inspecting the paper ballot, the voter inserts the ballot into an optical-scan vote counter that is not physically capable of printing votes onto the ballot.

The ExpressVote, IC-Evolution, and ICX all violate the principle in slightly different ways: The IC-Evolution is a single machine that allows hand-marked paper ballots to be inserted (but can then make more marks on them); the ExpressVote in one configuration is a ballot-marking device (but after you verify that it marked your ballot, you insert it back into the same slot, which can print more votes on the ballot); and the ICX configured as DRE+VVPAT can also print onto the ballot after the voter inspects it.  In fact, almost all DRE+VVPATs can do this:  after the voter inspects the ballot, print VOID on that ballot (and hope the voter doesn’t notice), and then print a new one after the voter leaves the booth.

It is to obey this principle that we should separate ballot marking devices from ballot scanning/tabulation devices (better known as “optical scanners”).  Here’s my favorite ballot-marking device:

But here are some other acceptable BMDs (from ClearBallot, ES&S, Hart, Dominion, and Unisyn):


Any of these can mark a paper ballot to be inserted in a separate optical-scanner.  You might notice that the second picture is an ExpressVote, which if used as an all-in-one unit that both marks and scans the ballot,  violates the principle.  But if used as a nonscanning, nontabulating ballot-marking device, and if the tabulating optical scanner cannot mark votes onto the ballot,  then the ExpressVote (and similar machines) can safely be used as a BMD.

“… whose physical hardware …”

I stated the principle as, “Any voting machine whose physical hardware can print votes onto the ballot after the last time…”  That’s quite different from “Any voting machine that can print votes onto the ballot after the last time…”

What’s the difference?  Those two statements might seem equivalent, but they’re not.

All-in-one voting machines such as the Dominion ImageCast Evolution and the ES&S ExpressVote have software that, to the best of our knowledge, doesn’t cheat.  Their software passes inspection by an EAC-certified laboratory, and we hope that such labs would notice if there were a part of the program that printed votes on an already-marked ballot.  So it’s fair to say, as it’s shipped from the manufacturer, neither of these machines can print votes onto an already-marked ballot.

But the problem is, the software can be replaced by unauthorized software that behaves differently.  That unauthorized replacement, we call “hacking.”  The unauthorized software can send instructions to the physical hardware of the machine: motors, scanners, printers, indicator lights, and so on.  Anything that the voting machine’s physical hardware can do, the fraudulent software can tell it to do.

Optical scanners that mark serial numbers on the ballot

I stated the principle as, “Any machine whose physical hardware can print votes onto the ballot after the last time…”  That’s quite different from, “Any machine whose physical hardware can print onto the ballot after the last time…”

What’s the difference?  Those two statements might seem equivalent, but they’re not.

Ballot-comparison audits are one form of risk-limiting audit (RLA) that can be particularly efficient.  The idea is: the optical-scan voting machine produces a file of Cast-Vote Records (CVRs) that contains a commitment to the contents and interpretation of each individual paper ballot.  It must be possible to link each CVR to one particular piece of paper, otherwise a ballot-comparison audit is not possible.  One cannot link CVRs to paper ballots unless the paper ballot has some sort of serial number, either preprinted (before it goes through the optical scanner) or printed afterward (perhaps as it goes through the optical scanner).   Because most voting equipment in use today does not have this capability, ballot-comparison audits cannot be used with that equipment, and other RLA methods are used, such as ballot-polling audits or batch-comparison audits.

There’s a problem with putting serial numbers on the ballot that the voter can see: it weakens the secret ballot, because now the voter can remember the serial number, and prove how she voted; thus she can be bribed or coerced to vote a certain way.  Therefore, some jurisdictions may be reluctant to use preprinted serial numbers.

So there are reasons that we might wish to allow optical scanners to print serial numbers onto the ballot, but the optical scanner must not be physically able to print votes onto the ballot — that would violate the verifiability principle I stated at the beginning.

One solution to this problem is to equip the optical scanner with a printer that is physically able to print only within 1 centimeter of the edge of the paper.  As long as no vote-marks are expected at the edge of the paper, then the scanner can print onto the ballot but cannot print votes onto the ballot.
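The edge-only printer is a hardware constraint, but it only gives the guarantee the paragraph describes if the ballot layout keeps every vote target out of the strip the printer can reach. The following is an added example (not code from the post or from any voting-system vendor) of the layout check a ballot designer could run against a ballot definition: it models the imprintable zone as four edge strips and reports any vote target that intrudes into them. Paper size, the 1 cm margin, and the target positions are constructed for illustration.

```python
"""Added example: check that no vote target lies within the strip of a ballot
that an edge-only imprinter can physically reach.  Dimensions are in cm with
the origin at the top-left corner of the sheet; all values are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rect:
    x: float
    y: float
    w: float
    h: float


def imprint_zone(paper_w, paper_h, margin=1.0):
    """The four edge strips (top, bottom, left, right) the printer can reach."""
    return [
        Rect(0.0, 0.0, paper_w, margin),               # top strip
        Rect(0.0, paper_h - margin, paper_w, margin),  # bottom strip
        Rect(0.0, 0.0, margin, paper_h),               # left strip
        Rect(paper_w - margin, 0.0, margin, paper_h),  # right strip
    ]


def overlaps(a, b):
    """True when two rectangles share any interior area."""
    return a.x < b.x + b.w and b.x < a.x + a.w and a.y < b.y + b.h and b.y < a.y + a.h


def targets_in_imprint_zone(targets, paper_w, paper_h, margin=1.0):
    """Names of vote targets that intrude into the imprintable strip.  A target
    listed here could, in principle, be filled in by the scanner's own printer,
    so the layout must be changed before the edge-only design gives any assurance."""
    zone = imprint_zone(paper_w, paper_h, margin)
    return [name for name, r in targets.items() if any(overlaps(r, z) for z in zone)]


# Constructed layout: US letter paper and three vote targets (ovals).
LETTER_W, LETTER_H = 21.59, 27.94
TARGETS = {
    "Alice": Rect(2.0, 5.0, 0.8, 0.4),
    "Bob": Rect(2.0, 6.0, 0.8, 0.4),
    "Write-in": Rect(0.6, 7.0, 0.8, 0.4),  # starts 0.6 cm from the left edge: inside the zone
}

if __name__ == "__main__":
    bad = targets_in_imprint_zone(TARGETS, LETTER_W, LETTER_H)
    print("targets reachable by the imprinter:", bad)
```

The check is deliberately conservative: a target that merely touches the strip is flagged, since a printer's positional tolerance is not zero and the layout, not the printer, is the cheap thing to change.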

Two widely used central-count optical scanners from major voting-machine manufacturers both have this capability: the Dominion ImageCast Central and the ES&S DS850.  Jennifer Morrell informs me, “So far, Dominion’s CVR is the only one I’ve seen where the imprinted ID can be formatted to indicate a specific scanner, batch, and sequence number within the batch.”  That is, the cast-vote record of Dominion’s central-count op-scanner has not just a serial number, but an identifier whose design is particularly helpful in ballot-comparison audits.
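To make concrete what a ballot-comparison audit needs from such an imprinted identifier, and how the "anyone can recompute it" standard of Solution 2 in the first article applies to the audit's own arithmetic, here is an added example (not code from the post, from Dominion, or from any other vendor). It assumes a hypothetical imprint format of scanner, batch, and sequence-within-batch, a constructed CVR file for one two-candidate contest, a constructed ballot manifest, and constructed hand readings of the sampled paper; it reconciles CVRs against the manifest, draws a seeded sample that anyone holding the seed can redraw, and computes the per-ballot overstatement of the reported margin that ballot-comparison audits work from.

```python
"""Added example: the bookkeeping core of a ballot-comparison audit.
Every identifier, ballot and vote below is constructed for illustration;
the imprint format 'S<scanner>-B<batch>-<sequence>' is a hypothetical one."""
import random
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class BallotId:
    """One sheet of paper: the scanner that imprinted it, its batch, and its position."""
    scanner: str
    batch: int
    sequence: int


def format_imprint(bid):
    return f"{bid.scanner}-B{bid.batch:04d}-{bid.sequence:04d}"


def parse_imprint(text):
    """Parse a hypothetical imprint such as 'S02-B0001-0003'; reject anything else."""
    try:
        scanner, batch, seq = text.split("-")
        if not (scanner.startswith("S") and batch.startswith("B")):
            raise ValueError
        return BallotId(scanner, int(batch[1:]), int(seq))
    except ValueError:
        raise ValueError(f"malformed imprint: {text!r}") from None


# Constructed CVR file: imprint -> scanner's interpretation of the contest
# ("" means the scanner recorded no vote).
CVRS = {
    "S01-B0001-0001": "Alice", "S01-B0001-0002": "Alice",
    "S01-B0001-0003": "Bob",   "S01-B0001-0004": "Alice",
    "S01-B0002-0001": "Alice", "S01-B0002-0002": "Bob",
    "S01-B0002-0003": "Alice",
    "S02-B0001-0001": "Alice", "S02-B0001-0002": "Bob",
    "S02-B0001-0003": "",      "S02-B0001-0004": "Alice",
    "S02-B0002-0001": "Alice",
}
# Constructed ballot manifest: sheets of paper physically present per batch.
MANIFEST = {("S01", 1): 4, ("S01", 2): 3, ("S02", 1): 4, ("S02", 2): 2}
# Constructed hand readings (what auditors wrote on their paper forms).
# In a real audit only the sampled ballots are read; two disagree on purpose.
HAND = dict(CVRS)
HAND["S01-B0002-0003"] = "Bob"    # CVR credited Alice; the paper shows Bob
HAND["S02-B0001-0003"] = "Alice"  # CVR saw no vote; the paper shows Alice


def manifest_imprints(manifest):
    """Expand batch counts into the set of imprints the paper should carry."""
    return {format_imprint(BallotId(s, b, i))
            for (s, b), n in manifest.items() for i in range(1, n + 1)}


def check_linkage(cvrs, manifest):
    """CVRs with no sheet behind them, and sheets with no CVR.  Either kind of
    mismatch means the audit cannot proceed as a ballot-comparison audit."""
    for imprint in cvrs:
        parse_imprint(imprint)
    paper = manifest_imprints(manifest)
    return sorted(set(cvrs) - paper), sorted(paper - set(cvrs))


def vote_diff(choice, winner, loser):
    """+1 for the reported winner, -1 for the loser, 0 for anything else."""
    return 1 if choice == winner else -1 if choice == loser else 0


def reported_margin(cvrs, winner, loser):
    return sum(vote_diff(c, winner, loser) for c in cvrs.values())


def draw_sample(cvrs, seed, n):
    """Seeded uniform sample; publishing the seed lets anyone redraw it."""
    return random.Random(seed).sample(sorted(cvrs), n)


def overstatements(cvrs, hand, sample, winner, loser):
    """Per sampled ballot, how many votes the CVR overstates the winner's margin,
    in -2..+2 (the standard ballot-comparison discrepancy; +2 is a flipped vote)."""
    return {b: vote_diff(cvrs[b], winner, loser) - vote_diff(hand[b], winner, loser)
            for b in sample}


def summarize(over):
    return {k: sum(1 for v in over.values() if v == k) for k in (2, 1, 0, -1, -2)}


if __name__ == "__main__":
    print("linkage problems:", check_linkage(CVRS, MANIFEST))
    print("reported margin:", reported_margin(CVRS, "Alice", "Bob"))
    sample = draw_sample(CVRS, seed=20190918, n=4)
    print("overstatements:", overstatements(CVRS, HAND, sample, "Alice", "Bob"))
```

Two things the paragraph's argument rests on show up directly: `check_linkage` fails the audit before any paper is touched when a CVR cannot be tied to one sheet (here the manifest lists a sheet in batch S02/2 that has no CVR), and every number the code produces, from the sample draw to the overstatement counts, is recomputable from the published seed, the CVR file, and the auditors' paper forms. Turning the overstatement counts into a risk figure is a separate statistical step not shown here.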

“… the voter inserts the ballot …”

Some voters have motor disabilities that make it difficult or impossible for them to physically handle a paper ballot.  Some voters have visual impairments and can’t see a paper ballot.  For those voters, polling places that use optical-scan voting can (and do) provide ballot-marking devices (such as the ones shown in the pictures above) that have audio interfaces (for blind voters) or sip-and-puff interfaces (for quadriplegic voters).

But after they use the BMD to mark their ballot, some of these disabled voters are physically unable to take the ballot from the BMD and insert it into the optical scanner.  For those voters, an advantage of DRE+VVPAT or all-in-one voting machines is that they don’t have to handle a paper ballot.

When the ballot-marking device is separate from the optical scanner, those voters will need the assistance of a pollworker to insert their ballot into the optical scanner (or, when central-count optical scanning is used, insert it into the ballot box).  This seems necessary: the security hazards of all-in-one voting machines, the unverifiability of scanners that can print more votes onto the ballot, outweigh the convenience factor of an all-in-one voting machine.