You are here

Random audits of ballot generators

Today I attended a session led by Ka-Ping Yee at our Foresight Nanotech unconference on some of his new thinking in voting machines. While Ping was presenting a system to secure the type of voting machines we've been saddled with of late, both he, I and many others like the idea of an open source system which divides the ballot generator from the ballot counter. In such a system you have two machines. One helps the voter prepare a standard ballot that is human readable. In addition, the human readable output is also readable by a machine that scans and counts ballots for quick counting, though the ballots can also be counted by hand.

The idea is that you don't need to work nearly so hard at securing the ballot preparation machine, as what matters is the paper ballot, which a human is able to scrutinize. So you can have it be open source code, on old donated standardized hardware, which means free voting machines.

However, recent studies suggest that voters can be easily fooled and don't inspect their ballots very well. Tests show that when fake voting machines deliberately generated errors in the output ballot, or on a "review your choices" screen, 2/3 of voters didn't notice the errors, and didn't notice even multiple major errors. Yikes. (Figures corrected.)

Now 1/3 of voters do notice the problems, but it is possible to design problems that the voter will conclude were their own mistake. For example, if their ballot doesn't show a vote for senator, their natural assumption may be that they just didn't press the buttons hard enough or otherwise made a mistake, and they should just do it over. However, an attacker can then have 1000 ballots for the wrong senator simply be missing the senator race, and ~320 will go back to fix it, but ~680 will leave it be, depriving said wrong candidate of a large number of votes.

To prevent this, I propose that election officials would regularly, and a random times, run audits of the machines. They would go to a ballot generator and cast a ballot, making a videotape of their session to assure there are no errors. (The voting machine must not be able to tell such a tester from a real voter, so they can't take extra time on the test, for example.) However, after receiving their prepared ballot, they will indeed make a full check for any sorts of errors, and confirm any errors found on the videotape. Any error found will be extremely serious, and result in immediate cessation of operation of that model of machine and software.

Of course, the system which picks the random times and the ballots to try must not be made by the same parties making the ballot generator. And two officials should examine the ballot after the fact to avoid fraud by officials, and of course to assure the ballot is sealed away in a lockbox and not put in the ballot box or scannng machine. Testing scanning machines is more difficult, as one must have a mechanism to void out a ballot after scanning it and examining the scan. Such actions should be watched by several voting officials and partisan scrutineers.

A modest number of such trials should be enough to assure the ballot generators are acting properly almost all the time, as any error introduced enough times to affect an election would be very likely to intersect with a test run.


I think most voters probably don't even know what open source is. Even if your
machines are really secure, that's only half the battle. The other half is
convincing people with a non-technical background that they are secure.

What is wrong with paper ballots? There is a circle next to each candidate or
party, and you mark that circle with an "X" for your vote. No hanging chads,
nothing unclear unless the voter intentionally made it unclear (in which case
the ballot is invalid). In countries with all-paper votes, preliminary results
which are almost as good as the real ones are available within half an hour or
so, and final results usually a few hours later. (Lack of good telecommunications
would make this longer, but that applies for automatic voting machines as well,
if not more so.) Is it really worth the risk of having people lose confidence
in voting altogether simply to have the result a bit earlier?

As far as open source goes, few people would be able to actually a) verify that the
code works properly and b) verify that the proper code was installed at the
important time. So in the end, it's down to taking someone's word for it.

Playing devil's advocate, and noticing that many (most) open-source folks are
of the libertarian persuasion, often extremely so, wouldn't there be a bit
of temptation to skew the votes in that direction, this hidden feature in practice
only visible to those of a similar persuasion? (Was it Mark Twain or Oscar Wilde
who said that he could resist everything except temptation?)

See the New Democracy tag above, in particular the article on goals of voting systems. Plain paper works great in Canada, but is not so workable for the USA which may have 20 or more questions on a ballot. And the questions are different in each ward of each town. And the lobbies for the blind and disabled and non-English-speakers have a strong voice that opposes paper because they think machines which can assist disabled voters are a must.

The public of course would not care about open source, just the verifiers. But in fact, in the two-machine design with intermediate human readable paper ballot, you don't care all that much about the security of the first half so verification is nice but not essential.

Aren't you ditching what most people understand by "electronic voting". In my opinion, there's no way to secure a Diebold-like black box. I agree that we need to produce a paper with the voter's name and their vote on it.

We cannot provide the voter with an ATM receipt because of the vote selling problem -- proof of how you voted makes it easier to sell your vote.

So we produce a piece of paper with the vote that the voter wanted on it, the paper can be human verified . . .

what about Oregon? Are postal mail votes not worth the risk?

Earlier threads in this new democracy tag will point you to other articles about your questions. Actually, we can provide voters with receipts in a way that protects secret ballot and stops vote selling -- but the system is difficult for people to understand, so it is unlikely to happen. In fact, you end up publishing all ballots on the web, and voters can check theirs is there, but can't prove it.

Many people are fighting to stop having black box style voting, and we are winning in a number of areas. Having one machine help generate the paper ballots, and another machine optical scan them allows us to not have to worry nearly so much about the security on the first half, and thus is a good idea.

Okay, so.. I do understand that people want to keep their vote secret, but doesn't that make voter fraud easier to commit and get away with? I would propose allowing people to choose which they prefer to do. If they choose to not vote secretly.. no rights being violated. Shorter lines for those who want to be secretive.

1. Make your decisions from the comfort of your own home. Go online to your voting site, make your selection, and click "Print Form". When you're ready, take your printed ballot along with your drivers license, the person at the voting location will verify you are who is on the drivers license, and you feed the ballot into a machine which confirms your vote.

2. Keep the old fashion way of voting for those who don't have the internet or want to vote more secretively. SSN + Drivers License or even a packet mailed with a special web registration number... so many simple ways... I think...

I think Primaries should change to have people vote on who they do not want in office. Don't you think that might have a better outcome? Lowest score move to Round 2.


Well, we already have that to some extent. It's an interesting idea, but it may drive things even more to the most bland candidate. It's a thin line. We want a candidate who represents the people, but if you try to be all things to all people you do nothing. So we also want a candidate who leads, and explicitly doesn't represent some of the people. Their job is to counterbalance the various wishes and needs of the people and find the right course, not just to do what 51% of them want. And even at times to not do what almost all of them want if it violates the constitution, for example.

As noted, there are two purposes for secret ballot, and we've given up one of them today by allowing arbitrary mail-in (or 100% mail in) in most places. The missing goal is to prohibit ballot buying, selling and coercion. With public ballots, not only can you buy and sell but you may face social pressure in your peer group to check out your ballot and to make sure it's "right."

It's the other way around (roughly 2/3 of voters miss errors). Sarah Everett explains her experiments in detail in her dissertation.

Add new comment

Subscribe to Comments for "Random audits of ballot generators"