# Re: open-audit elections

From: Kathy Dopp <kathy_dot_dopp_at_gmail_dot_com>
Date: Wed Dec 13 2006 - 15:21:47 CST

On 12/12/06, Ben Adida <ben@eecs.harvard.edu> wrote:
>
> Hi Kathy,
> So, the process:

> The main idea is that, if enough voters check their ballots (1% or so),
> then, with overwhelming probability, the vote casting was done

Your mathematical assertion is incorrect. In close races, especially
in those with small numbers of total votes, 1% gives very low
probability of detecting vote miscount that could have altered such a
generalize from it, and other papers on the topic are cited):

>
> The main idea that makes this different from non-open-audit systems is
> that the vote remains tied to the voter, so auditing can be performed
> all the way to the tally. With the encryption layer, the votes remain

Because 100% of voters could "audit" that their own ballots were in
the pile of ballots, and that their encryption key allegedly matches,
and still the votes could be tallied incorrectly, please tell me how:

1. the voter knows that their votes were cast correctly in this system
and that no software error or ballot programming error would ever
occur to create a bunch of incorrectly cast ballots, or

2. if each voter can verify that each vote was cast correctly in a way
that is transparent to the actual nontechnical voter, then how will
that voter be stopped from proving who they voted for to anyone who
observes the voter "audit" their ballot?

> > To the average voter "complexity = lack of transparency".
>
> Except that's incorrect. The average voter can be wrong (the average
> voter thinks DREs are great, so clearly there's a problem). It's
> important to use words that are precise.

"Transparent" to the voter requires that the voter understand. I
assume that you are not claiming that because DREs are not transparent
to the voter that therefore the audits should not be transparent to
the voter either?

I assume that you are not claiming that average voters claim that DREs
are transparent to them - a claim that no computer scientist would
ever claim?

I assme that you are not claiming that because voters are sometimes
wrong, they should not be able to transparently verify the correctness
of elections?

Whether the voter's opinion is right or wrong has little or nothing to
do with whether or not something is transparent to the voter or
whether or not voters want to be able to transparently (to them)
verify the accuracy of vote counts.

>
> I can see why people would think that "complex systems can't be used for
> elections," and we can discuss that statement. But to say that
> complexity implies lack of transparency is not a matter of opinion, it's
> factually wrong.

First, no one here ever said that "complex systems can't be used for
elections".

We said that voters who are not technical should be able to verify
that the votes are counted correctly by transparent (to them) audits.

>
> What I was trying to illustrate is that, when you rely on a perfect
> chain of custody, there is no way to be fully transparent. There are
> ways to be more transparent than, say, the current Boston procedures, of
> course, as you correctly point out.

Chain of custody is not the only thing that verifies that a pile of
paper ballots are the ones actually cast by voters.

Chain of custody practices can be improved.

Electronic ballots also have chain of custody, or transport issues.

>
> But there remain some intractabilities: somehow, the ballot boxes have
> to be transported. Somehow, the ballots have to be handled for counting.

Transportation is a problem, but handled for counting is usually done
in front of an audience.

> You can't always expect every observer to see the entire chain of
> custody. One inconsistency (ballots destroyed, ballots stuffed, etc..),
> and the rest of the auditing becomes useless.

It is possible to design systems that detect ballot box stuffing,
substitution, and destruction. I have not researched all these issues
myself since ballot tracking always interweaves with ballot secrecy
issues.

>
> There are inherent limitations to verifiability when you have the secret
> ballot... limitations that, as far as we know, can only be overcome with
> techniques from cryptography.
>

Electronic ballots introduce a host of other problems, including
lesser transparency for average voters to audit, greater costs, more
susceptibility to targeted denial of service attacks due to machine
malfunction, power outages; longer lines, and so forth.

>
> actually, no, the software doesn't need to be open-source. (Though I
> love open-source and I favor it wherever possible.) The software
> provides a *proof* that it did its work correctly, so you don't need to
> look at its source code.
>
> The software that *verifies* this proof can be written by anyone, so
> while it's nice to have an open-source version of it lying around,
> that's not necessary: any programmer could re-create it easily. You
> would expect political organizations like the ACLU to write their own
> and publish it as open-source, of course, but that's secondary to the
> core idea.

OK. So the format and characteristics of your encrypted electronic
ballots must be openly known instead of the software which creates and
counts them.

However, how am I to trust that the ballots themselves were created
accurately (since voters never got to see the invisible electronic
ballots) unless voters can transparently verify all their votes on
them afterwards (and thus sell their votes by proving to an observor
who they voted for),

and sufficient voters "audit" their ballots and the counts on their
ballots for each race in a way transparent to the voters on each
independent system that audits the count?

i.e. how do we know that the auditing organizations receive the same
set of electronic ballots to audit, unless sufficient voters audit
each race in the pile of electronic ballots that the auditors are
given?

>
> Another way to see it: open-audit voting systems are
> software-INdependent. They use software, but they don't depend on its
> correctness.
>

Yet electronic ballots are also transported from where they are
originally created in the polls to the election offices and the
auditing organizations and after each transfer of the electronic
ballots, to check to see if it is the same set of ballots a sufficient
number of voters for each race in every election would need to be able
to transparently (for themselves) verify that their electronic ballots
were cast correctly including all the races on each ballot.

You claim that there are no transportation issues with electronic
encrypted ballots. I disagree.

>
> > In our proposals, we define
> >
> > Transparent: means that an average non-technical citizen can observe
> > and fully understand the procedures, well enough to determine if they
> > are being done honestly and properly
>
> In that case, I argue that this definition is wrong.
>
> Maybe you mean "accessible to the layman," which is a perfectly arguable
> point. However, by using the words "transparent" and "complex"

No. I am saying that "NON-transparent" and "technically complex" are
equivalent for the average voter, and that audits need to be
transparent to the average voter who wants to be able to transparently
verify the integrity of the vote counts.

The average voter wants to be able to transparently verify the audit.

> interchangeably, you're misleading folks into thinking that making a
> system simple is the same as making it auditable.

You are confounding issues. The entire voting system does not have to
be simple to make it transparently verifiably auditable by the average
voter - but the audit does.

>
> We need to differentiate the two aspects, especially since complexity is
> in the eye of the beholder, while transparency can be measured fairly
> objectively: what kind of special privileged access, if any, do I need
> to be able to directly audit? In open-audit systems, the answer is "none."

transparency to a computer scientist or a mathematician are not the
same thing as transparency to an average voter. Again, voters want a
voting system that is transparent to them according to a recent Zogby
survey where 92% of all those polled of all demographic groups wanted
to be able to transparently verify the accuracy of our vote counts.

>
> > As you know, opscan paper ballots can be manual counted
>
> Assuming this could be done reliably (the Caltech/MIT report says it
> can't), this wouldn't change the problem of a broken chain of custody
> sometime before the counting

I have personally studied several shoddy unscientific studies coming
out of the MIT/Caltech voting project in recent years - several of
which I have personally helped author rebuttals of (here is one
group of us did of another hastily written incorrect study put out by
MIT/Caltech, I would have to hunt for). Citing MIT/Caltech's work
does not impress me in this case - although I know the group has done
good work as well.

I have personally seen an excellent system for accurately hand
counting paper ballot records in action just a few weeks ago where two
persons marked every vote and called out every fifth vote to see if
they matched and where there was a discrepancy, the votes were counted
a second time. I also have knowledge of many accurate counts of
merchandise in retail organizations that are as complex as counting
election races and are done very accurately. Also manual counts are
done very accurately in audits of banks and financial organizations.
Are you also recommending an end to manual audits of paper records for
all financial and accounting organizations?

>
> How can something be transparent if I can't ride in the transport
> vehicle that takes a ballot box from one location to another?

Transport of ballots is an issue that needs attention regardless of
whether the ballots are paper or electronic or encrypted.

The possibilities of paper ballot tampering are why a dual system -
with both paper and electronic counts will detect and deter the most
types of problems.

> How can I
> be sure that the software on the optical scanning machine wasn't
> modified between the open-source audit and the actual election (see the

Of course we know that can be done but is too prohibitively expensive
and time-consuming IMO to apply to voting, and that the hardware of
existing voting systems does not lend itself to such audits.

> UConn VoTeR report from last month regarding the 5-minute compromise of
> an opscan machine)?

We both agree on that, which is why audits are necessary. We only
seem to disagree on whether or not the average voter has the right to
be able to transparently verify the correctness of the audit or not.

> How can I be sure that there weren't extra ballots
> in the box when the voting day began? I have to trust *someone* that
> this was done correctly. That's not transparent, because no matter what,
> I can't verify everything directly.

Same issues must be handled whether paper or electronic ballots in your system.

> In other words, self-evidence is a *really* bad measure of what makes
> for a secure election. If that's the yardstick, then we're putting
> perception above reality. Perception is important, but it's not sufficient.

Perception may not be a sufficient, but it is a necessary condition.

I am sure that you have heard of the saying "perception = reality". A
big part of the job of an election is to convince everyone that the
election outcomes are correct.

>
> Yes, but that's the case with your proposal, too. Not everyone gets
> statistics -- in fact I'd say that if you understand statistics, you're
> not far off from understanding the crypto with a bit of reading. Voters

Well, I admit that the numerical method for determining the minimum
number of machine vote counts that must be audited to ensure a correct
election outcome is not transparent to the average voter - However, I
would be happy to have a 100% manual audit as well as the 100%
electronic count of the paper ballots, and that would certainly be
transparent.

Also, it is easy for any average voter to see that the closer the
margin between candidates in a race, the larger the audit amount must
be and for voters to feel much more comfortable with mathematically
sufficient (and hence greater) manual audits rather than the paltry
insufficient small fixed rate audits of the few states which audit
VVPRs today.

> still have to trust *some* expert. In open-audit schemes, you get to
> pick that expert, not from a pool of pre-approved folks, but from the
> pool of *anyone* who is willing to read and understand the published
> protocol.

But again, you introduce extra expense and complexity and lack of
transparency (to the average voter) to create and audit encrypted
electronic ballots. This seems overboard for elections that only take
place once a year.

> The processes surrounding the handling of the paper ballots, their
> transportation, etc... that's what still needs to be audited. As you
> mention below, voter fraud is still quite rampant with paper ballots.

I agree. The elections industry is the only major industry that has
evaded routine independent auditing. It is rather astounding.

> I'm asking the following question: are folks with OVC also willing to
> explore open-audit solutions that *don't* require the perfect
> maintenance of a chain of custody, and that provide a much higher level
> of auditability? There may be some unfamiliar complexity involved, but
> it's all published and available for anyone to review.

Your encrypted electronic ballots require just as much attention to
the problems caused by transporting them - the solutions are just
different.

I disagree that they provide a higher level of auditability than paper
optical scan ballots.

>
> Opscans have electronic failures and programming errors, too.

Yes. Again that is why manual sufficient, transparent, verifiable
audits are recommended.

>
> Open-audit systems actually do not suffer from programming errors,
> because these show up immediately if an incorrect proof is provided.

And what happens if errors are discovered, including ballot
programming errors? Can you recover the accurate votes in all cases,
or is a new election required?

> Certainly, though, there's the chance of a massive electronics failure,
> which is why you'd want backup machines, just like for the opscan solution.

and denial of service attacks simply by cutting off the electricity to
a building or area.

It is not at all "just like for the opscan solution" because the
election can still go on and ballots be recorded on paper in the event
of power or electronic failures. The counting may have to be delayed
or redone is all.

> > i.e. Why would any able-bodied voter need to have a computer to cast a
> > vote every one or two years?
>
> The use of a computer is not gratuitous, it's for a very specific
> purpose: providing much better auditability. I'm not proposing

Providing much better auditability does not require electronic
ballots, which are more likely to reduce auditability if there are any
errors in programming.

> technology for technology's sake, I'm proposing that we consider much
> better auditability, in exchange for some complexity, though that
> complexity is almost certainly minimized by the fact that anyone willing
> to learn the system can audit it.

Anyone? Even the poor who don't own a computer? Even those who have
never taken a computer program class?

>
> So I'm hoping that this group is willing to consider this issue.
> Importantly, I'm not asking for a blank check here: open-audit systems
> need to be specified, analyzed, explained, and framed in a set of
> recommendations, much like the work currently being done for
> non-open-audit systems. It's just a question of whether folks are
> interested in exploring, or if the decision has already been made that
> open-source + paper is the only way.

Ben,

I notice that you did not respond to some specific ideas in my last
email regarding how the systems you are proposing could possibly be
subverted by programming or electronic ballot tampering. I also do
not understand how the voter can verify that all her votes are
accurately appearing on the electronic ballot and being counted
correctly by any counting program in a way that the voter can
transparently (to the average voter) understand and yet not prove to
anyone else how her votes were cast.

Best,

Kathy
_______________________________________________
OVC-discuss mailing list
OVC-discuss@listman.sonic.net
http://lists.sonic.net/mailman/listinfo/ovc-discuss
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Sun Dec 31 23:17:13 2006

This archive was generated by hypermail 2.1.8 : Sun Dec 31 2006 - 23:17:16 CST