Re: open-audit elections

From: Ben Adida <ben_at_eecs_dot_harvard_dot_edu>
Date: Wed Dec 13 2006 - 16:14:10 CST


I've clearly not explained things well, because you're repeating claims
that I thought I'd already rebutted. So I'll stop wasting people's time
for now. I've been working on a white paper that introduces and explains
the concept and techniques of open-audit voting, and it seems like I
should favor that approach rather than continue ad-hoc, incomplete
explanations which have not been very satisfying to anyone :)

That said, I want to restate some of my goals, because they tend to get
lost in these discussions and it's important that folks know where
everyone is coming from:

- I fully support the right of every voter to audit their vote. I
believe that that's best done by end-to-end verification rather than
chain of custody.

- I think current DREs are very problematic. I think current opscans are
significantly better, but still suffer from potential serious breaks. I
think open-audit systems are superior to both of these solutions, even
if I haven't clearly explained why.

- I'm a big fan of open-source software, and if we can't have open-audit
systems, then open-source, or at least disclosed source, is a must. That
said, open-source solves only one of the many problems we have, so we
should be careful not to expect too much from it.

- I think using the argument that the voter must understand every
technical aspect of the audit process is misleading. We live in a world
where people choose whom and what to trust based on their social
network. It's okay to rely on that, as long as we don't impose
artificial trust relationships on people.

I'll send a note to this mailing list when my white paper is ready.
Until then, I feel I've taken up way too much of people's time as is!

Thanks for your comments,


Kathy Dopp wrote:
> On 12/12/06, Ben Adida <> wrote:
>> Hi Kathy,
>> So, the process:
>> The main idea is that, if enough voters check their ballots (1% or so),
>> then, with overwhelming probability, the vote casting was done
> Your mathematical assertion is incorrect. In close races, especially
> in those with small numbers of total votes, 1% gives very low
> probability of detecting vote miscount that could have altered such a
> race. Please read here (although not quite the same, you can
> generalize from it, and other papers on the topic are cited):
>> The main idea that makes this different from non-open-audit systems is
>> that the vote remains tied to the voter, so auditing can be performed
>> all the way to the tally. With the encryption layer, the votes remain
> Because 100% of voters could "audit" that their own ballots were in
> the pile of ballots, and that their encryption key allegedly matches,
> and still the votes could be tallied incorrectly, please tell me how:
> 1. the voter knows that their votes were cast correctly in this system
> and that no software error or ballot programming error would ever
> occur to create a bunch of incorrectly cast ballots, or
> 2. if each voter can verify that each vote was cast correctly in a way
> that is transparent to the actual nontechnical voter, then how will
> that voter be stopped from proving who they voted for to anyone who
> observes the voter "audit" their ballot?
>> > To the average voter "complexity = lack of transparency".
>> Except that's incorrect. The average voter can be wrong (the average
>> voter thinks DREs are great, so clearly there's a problem). It's
>> important to use words that are precise.
> "Transparent" to the voter requires that the voter understand. I
> assume that you are not claiming that because DREs are not transparent
> to the voter that therefore the audits should not be transparent to
> the voter either?
> I assume that you are not claiming that average voters claim that DREs
> are transparent to them - a claim that no computer scientist would
> ever claim?
> I assme that you are not claiming that because voters are sometimes
> wrong, they should not be able to transparently verify the correctness
> of elections?
> i.e. What is your point?
> Whether the voter's opinion is right or wrong has little or nothing to
> do with whether or not something is transparent to the voter or
> whether or not voters want to be able to transparently (to them)
> verify the accuracy of vote counts.
> Again, your statements seem to lack logical relationship to your claims.
>> I can see why people would think that "complex systems can't be used for
>> elections," and we can discuss that statement. But to say that
>> complexity implies lack of transparency is not a matter of opinion, it's
>> factually wrong.
> First, no one here ever said that "complex systems can't be used for
> elections".
> We said that voters who are not technical should be able to verify
> that the votes are counted correctly by transparent (to them) audits.
>> What I was trying to illustrate is that, when you rely on a perfect
>> chain of custody, there is no way to be fully transparent. There are
>> ways to be more transparent than, say, the current Boston procedures, of
>> course, as you correctly point out.
> Chain of custody is not the only thing that verifies that a pile of
> paper ballots are the ones actually cast by voters.
> Chain of custody practices can be improved.
> Electronic ballots also have chain of custody, or transport issues.
>> But there remain some intractabilities: somehow, the ballot boxes have
>> to be transported. Somehow, the ballots have to be handled for counting.
> Transportation is a problem, but handled for counting is usually done
> in front of an audience.
>> You can't always expect every observer to see the entire chain of
>> custody. One inconsistency (ballots destroyed, ballots stuffed, etc..),
>> and the rest of the auditing becomes useless.
> It is possible to design systems that detect ballot box stuffing,
> substitution, and destruction. I have not researched all these issues
> myself since ballot tracking always interweaves with ballot secrecy
> issues.
>> There are inherent limitations to verifiability when you have the secret
>> ballot... limitations that, as far as we know, can only be overcome with
>> techniques from cryptography.
> Electronic ballots introduce a host of other problems, including
> lesser transparency for average voters to audit, greater costs, more
> susceptibility to targeted denial of service attacks due to machine
> malfunction, power outages; longer lines, and so forth.
>> actually, no, the software doesn't need to be open-source. (Though I
>> love open-source and I favor it wherever possible.) The software
>> provides a *proof* that it did its work correctly, so you don't need to
>> look at its source code.
>> The software that *verifies* this proof can be written by anyone, so
>> while it's nice to have an open-source version of it lying around,
>> that's not necessary: any programmer could re-create it easily. You
>> would expect political organizations like the ACLU to write their own
>> and publish it as open-source, of course, but that's secondary to the
>> core idea.
> OK. So the format and characteristics of your encrypted electronic
> ballots must be openly known instead of the software which creates and
> counts them.
> However, how am I to trust that the ballots themselves were created
> accurately (since voters never got to see the invisible electronic
> ballots) unless voters can transparently verify all their votes on
> them afterwards (and thus sell their votes by proving to an observor
> who they voted for),
> and sufficient voters "audit" their ballots and the counts on their
> ballots for each race in a way transparent to the voters on each
> independent system that audits the count?
> i.e. how do we know that the auditing organizations receive the same
> set of electronic ballots to audit, unless sufficient voters audit
> each race in the pile of electronic ballots that the auditors are
> given?
>> Another way to see it: open-audit voting systems are
>> software-INdependent. They use software, but they don't depend on its
>> correctness.
> Yet electronic ballots are also transported from where they are
> originally created in the polls to the election offices and the
> auditing organizations and after each transfer of the electronic
> ballots, to check to see if it is the same set of ballots a sufficient
> number of voters for each race in every election would need to be able
> to transparently (for themselves) verify that their electronic ballots
> were cast correctly including all the races on each ballot.
> You claim that there are no transportation issues with electronic
> encrypted ballots. I disagree.
>> > In our proposals, we define
>> >
>> > Transparent: means that an average non-technical citizen can observe
>> > and fully understand the procedures, well enough to determine if they
>> > are being done honestly and properly
>> In that case, I argue that this definition is wrong.
>> Maybe you mean "accessible to the layman," which is a perfectly arguable
>> point. However, by using the words "transparent" and "complex"
> No. I am saying that "NON-transparent" and "technically complex" are
> equivalent for the average voter, and that audits need to be
> transparent to the average voter who wants to be able to transparently
> verify the integrity of the vote counts.
> The average voter wants to be able to transparently verify the audit.
>> interchangeably, you're misleading folks into thinking that making a
>> system simple is the same as making it auditable.
> You are confounding issues. The entire voting system does not have to
> be simple to make it transparently verifiably auditable by the average
> voter - but the audit does.
>> We need to differentiate the two aspects, especially since complexity is
>> in the eye of the beholder, while transparency can be measured fairly
>> objectively: what kind of special privileged access, if any, do I need
>> to be able to directly audit? In open-audit systems, the answer is
>> "none."
> transparency to a computer scientist or a mathematician are not the
> same thing as transparency to an average voter. Again, voters want a
> voting system that is transparent to them according to a recent Zogby
> survey where 92% of all those polled of all demographic groups wanted
> to be able to transparently verify the accuracy of our vote counts.
>> > As you know, opscan paper ballots can be manual counted
>> Assuming this could be done reliably (the Caltech/MIT report says it
>> can't), this wouldn't change the problem of a broken chain of custody
>> sometime before the counting
> I have personally studied several shoddy unscientific studies coming
> out of the MIT/Caltech voting project in recent years - several of
> which I have personally helped author rebuttals of (here is one
> rebutal: Rebuttals a
> group of us did of another hastily written incorrect study put out by
> MIT/Caltech, I would have to hunt for). Citing MIT/Caltech's work
> does not impress me in this case - although I know the group has done
> good work as well.
> I have personally seen an excellent system for accurately hand
> counting paper ballot records in action just a few weeks ago where two
> persons marked every vote and called out every fifth vote to see if
> they matched and where there was a discrepancy, the votes were counted
> a second time. I also have knowledge of many accurate counts of
> merchandise in retail organizations that are as complex as counting
> election races and are done very accurately. Also manual counts are
> done very accurately in audits of banks and financial organizations.
> Are you also recommending an end to manual audits of paper records for
> all financial and accounting organizations?
>> How can something be transparent if I can't ride in the transport
>> vehicle that takes a ballot box from one location to another?
> Transport of ballots is an issue that needs attention regardless of
> whether the ballots are paper or electronic or encrypted.
> The possibilities of paper ballot tampering are why a dual system -
> with both paper and electronic counts will detect and deter the most
> types of problems.
>> How can I
>> be sure that the software on the optical scanning machine wasn't
>> modified between the open-source audit and the actual election (see the
> Of course we know that can be done but is too prohibitively expensive
> and time-consuming IMO to apply to voting, and that the hardware of
> existing voting systems does not lend itself to such audits.
>> UConn VoTeR report from last month regarding the 5-minute compromise of
>> an opscan machine)?
> We both agree on that, which is why audits are necessary. We only
> seem to disagree on whether or not the average voter has the right to
> be able to transparently verify the correctness of the audit or not.
>> How can I be sure that there weren't extra ballots
>> in the box when the voting day began? I have to trust *someone* that
>> this was done correctly. That's not transparent, because no matter what,
>> I can't verify everything directly.
> Same issues must be handled whether paper or electronic ballots in your
> system.
>> In other words, self-evidence is a *really* bad measure of what makes
>> for a secure election. If that's the yardstick, then we're putting
>> perception above reality. Perception is important, but it's not
>> sufficient.
> Perception may not be a sufficient, but it is a necessary condition.
> I am sure that you have heard of the saying "perception = reality". A
> big part of the job of an election is to convince everyone that the
> election outcomes are correct.
>> Yes, but that's the case with your proposal, too. Not everyone gets
>> statistics -- in fact I'd say that if you understand statistics, you're
>> not far off from understanding the crypto with a bit of reading. Voters
> Well, I admit that the numerical method for determining the minimum
> number of machine vote counts that must be audited to ensure a correct
> election outcome is not transparent to the average voter - However, I
> would be happy to have a 100% manual audit as well as the 100%
> electronic count of the paper ballots, and that would certainly be
> transparent.
> Also, it is easy for any average voter to see that the closer the
> margin between candidates in a race, the larger the audit amount must
> be and for voters to feel much more comfortable with mathematically
> sufficient (and hence greater) manual audits rather than the paltry
> insufficient small fixed rate audits of the few states which audit
> VVPRs today.
>> still have to trust *some* expert. In open-audit schemes, you get to
>> pick that expert, not from a pool of pre-approved folks, but from the
>> pool of *anyone* who is willing to read and understand the published
>> protocol.
> But again, you introduce extra expense and complexity and lack of
> transparency (to the average voter) to create and audit encrypted
> electronic ballots. This seems overboard for elections that only take
> place once a year.
>> The processes surrounding the handling of the paper ballots, their
>> transportation, etc... that's what still needs to be audited. As you
>> mention below, voter fraud is still quite rampant with paper ballots.
> I agree. The elections industry is the only major industry that has
> evaded routine independent auditing. It is rather astounding.
>> I'm asking the following question: are folks with OVC also willing to
>> explore open-audit solutions that *don't* require the perfect
>> maintenance of a chain of custody, and that provide a much higher level
>> of auditability? There may be some unfamiliar complexity involved, but
>> it's all published and available for anyone to review.
> Your encrypted electronic ballots require just as much attention to
> the problems caused by transporting them - the solutions are just
> different.
> I disagree that they provide a higher level of auditability than paper
> optical scan ballots.
>> Opscans have electronic failures and programming errors, too.
> Yes. Again that is why manual sufficient, transparent, verifiable
> audits are recommended.
>> Open-audit systems actually do not suffer from programming errors,
>> because these show up immediately if an incorrect proof is provided.
> And what happens if errors are discovered, including ballot
> programming errors? Can you recover the accurate votes in all cases,
> or is a new election required?
>> Certainly, though, there's the chance of a massive electronics failure,
>> which is why you'd want backup machines, just like for the opscan
>> solution.
> and denial of service attacks simply by cutting off the electricity to
> a building or area.
> It is not at all "just like for the opscan solution" because the
> election can still go on and ballots be recorded on paper in the event
> of power or electronic failures. The counting may have to be delayed
> or redone is all.
>> > i.e. Why would any able-bodied voter need to have a computer to cast a
>> > vote every one or two years?
>> The use of a computer is not gratuitous, it's for a very specific
>> purpose: providing much better auditability. I'm not proposing
> Providing much better auditability does not require electronic
> ballots, which are more likely to reduce auditability if there are any
> errors in programming.
>> technology for technology's sake, I'm proposing that we consider much
>> better auditability, in exchange for some complexity, though that
>> complexity is almost certainly minimized by the fact that anyone willing
>> to learn the system can audit it.
> Anyone? Even the poor who don't own a computer? Even those who have
> never taken a computer program class?
>> So I'm hoping that this group is willing to consider this issue.
>> Importantly, I'm not asking for a blank check here: open-audit systems
>> need to be specified, analyzed, explained, and framed in a set of
>> recommendations, much like the work currently being done for
>> non-open-audit systems. It's just a question of whether folks are
>> interested in exploring, or if the decision has already been made that
>> open-source + paper is the only way.
> Ben,
> I notice that you did not respond to some specific ideas in my last
> email regarding how the systems you are proposing could possibly be
> subverted by programming or electronic ballot tampering. I also do
> not understand how the voter can verify that all her votes are
> accurately appearing on the electronic ballot and being counted
> correctly by any counting program in a way that the voter can
> transparently (to the average voter) understand and yet not prove to
> anyone else how her votes were cast.
> Best,
> Kathy

OVC-discuss mailing list
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Sun Dec 31 23:17:13 2006

This archive was generated by hypermail 2.1.8 : Sun Dec 31 2006 - 23:17:16 CST