Cascading audits (followup)

From: Ronald Crane <voting_at_lastland_dot_net>
Date: Wed Dec 13 2006 - 17:42:18 CST

[Copied from EI-Leg in response to Mr. Lobdill's message]

On Wed, 13 Dec 2006 16:16:52 -0600, Jerry Lobdill wrote
> At 02:38 PM 12/13/2006, you wrote:
>
> Jurisdictions will object strenuously to the idea that the detection of a
single miscounted precinct should trigger a full recount of the entire
affected jurisdiction (e.g., imagine recounting California because something
went wrong in the U.S. Senate race in a single precinct having 300 registered
voters). The cascading audit scheme attempts to address this objection while
still providing an effective audit. I think that jurisdictions will be much
more likely to accept the cascading audit than the
full-recount-on-a-single-miscount scheme that you've proposed.
> >
> > -R
[Stuff that was better not said omitted.]
 
> If a single precinct IN A COUNTY is found corrupted in a sample selected
from the population of ALL precincts in the COUNTY that are voting in the race
being audited, this precipitates a full hand recount of ALL precincts in the
COUNTY that are voting in the race.

Los Angeles County has about 5,000 precincts. Requiring a full recount of that
county when something goes wrong in a single precinct would be massive
overkill. The cascading audit is much more economical, yet still gives us an
excellent (p=0.99) chance of detecting at least one additional miscounted
precinct if any such precincts exist. In consequence, I think that it would be
much more acceptable to officials, and thus more likely actually to make it
into law.

> ...Any corrupted precinct precipitates a full hand recount IN THAT COUNTY.
The reason for this is that a wholesale attack is not spread from county to
county or from the state level to the counties. It is launched independently
in each county in which it appears. <

This is incorrect. A wholesale attack easily can originate at a vendor or at
one of a vendor's suppliers, and can therefore affect any jurisdiction using
the affected machines -- potentially the entire nation.

> There may be a few refinements yet to be made in the procedure for sample
selection, but I assure you they do not involve your cascading audits idea as
expressed below. <

Then please propose an approach that minimizes overkill while still providing
adequate assurance of detecting further miscounts. Or at least tell me what's
wrong with cascading audits. I am more than willing to consider reasonable
objections (e.g., it's not mathematically supportable because..., it's too
clumsy because..., etc.)

...
> As best I can tell, you came up with your cascading audits notion off the
top of your head yesterday. Please read what has been published by myself,
Howard Stanislevic, and Kathy Dopp, and reconsider your idea. <

I have read Kathy's papers (at least the ones that she's cited here), which
recognize that there's a question about what to do when the initial audit
discovers a discrepancy, but say that further research is needed to determine
what to do about it. I have read your audit paper posted at NIST, and I don't
recall it saying anything about this issue. Thank you for clarifying your
position that discovery of a single miscounted precinct should trigger a
countywide recount. I disagree, for the reasons stated above. I have not
(knowlingly) read Mr. Stanislevic, but I'll search for him and see what his
papers have to say.

-R

> On Wed, 13 Dec 2006 09:35:43 -0600, Jerry Lobdill wrote
> > > This is a response to both Arthur and Ron re auditing.
> > >
> > > This business of "further auditing" seems to me to be misguided
thinking. In the audit scheme that I have proposed the kind of miscount and
the race in which it occurs cannot in any reasonable analysis be considered an
ambiguous result that would be cleared up by more auditing. If it occurs once
in a sample that is properly sized and randomly selected it should be
considered sufficient evidence to trigger a full recount. You don't even need
to audit the complete set of precincts in the sample once you've found the
first precinct that satisfies the detection criterion.
> > >
> > > We can discuss this further if you don't agree.
> > >
> > > Jerry Lobdill
> > >
> > > At 02:00 PM 12/12/2006, eileg-request@lists.sonic.net wrote:
> > >
> >
>> From: "Ronald Crane" <voting@lastland.net>
>> > > Precedence: list
>> > > MIME-Version: 1.0
>> > > To: eileg@lists.sonic.net
>> > > Date: Mon, 11 Dec 2006 20:14:31 -0800
>> > > Message-ID: <20061212035633.M61444@lastland.net>
>> > > Content-Type: text/html;
>> > > charset=iso-8859-1
>> > > Subject: [EILeg] Cascading audits
>> > > Message: 12
>> > >
>> > > An important question raised by audits is what further auditing should
we do if we discover precincts that miscounted their votes. It strikes me that
a good approach might be like this:
>> > >
>> > > 1. Reduce the winning candidate's effective margin of victory in accord
with the results of the audit from the miscounted precincts.
>> > >
>> > > 2. Treat the precincts that were not audited the first time around as
if they represent a new election.
>> > >
>> > > 3. Iterate the audit, calculating the number of precincts that we need
to audit to have p=0.99 of discovering at least one miscounted precinct (given
the new margin of victory and the minimum number of precincts that an attacker
would have to flip to gain victory), and randomly selecting the new precincts
to audit.
>> > >
>> > > I haven't carefully analyzed this procedure, but it seems that, when it
terminates, we will have at least p=0.99 assurance that there are not enough
miscounted precincts to flip the election.
>> > >
>> > > It also seems reasonably economical, avoiding the big hit of simply
auditing all the precincts when we discover some number of miscounted ones.
>> > >
>> > > Comments?
>> > >
>> > > -R
>> > > From: "Ronald Crane" <voting@lastland.net>
>> > > Precedence: list
>> > > MIME-Version: 1.0
>> > > To: "Ronald Crane" <voting@lastland.net>, eileg@lists.sonic.net
>> > > References: <20061212035633.M61444@lastland.net>
>> > > In-Reply-To: <20061212035633.M61444@lastland.net>
>> > > Date: Tue, 12 Dec 2006 00:23:53 -0800
>> > > Message-ID: <20061212082107.M25279@lastland.net>
>> > > Content-Type: text/html;
>> > > charset=iso-8859-1
>> > > Subject: Re: [EILeg] Cascading audits
>> > > Message: 13
>> > >
>> > > 1. Reduce the winning candidate's effective margin of victory in accord
with the results of the audit from the miscounted precincts.
>> > >
>> > > 2. Treat the precincts that were not audited the first time around as
if they represent a new election.
>> > >
>> > > 3. Iterate the audit, calculating the number of precincts that we need
to audit to have p=0.99 of discovering at least one miscounted precinct (given
the new margin of victory and the minimum number of precincts that an attacker
would have to flip to gain victory), and randomly selecting the new precincts
to audit.
>> > > To be more explicit:
>> > >
>> > > 4. Repeat 1-3 until either an audit finds no more miscounted precincts
or you've audited all the precincts.
>> > >
>> > > -R
>> > >
>> > > At 8:14 PM -0800 12/11/06, Ronald Crane wrote:
>> > >
>> >
>>> It also seems reasonably economical, avoiding the big hit of simply
auditing all the precincts when we discover some number of miscounted ones.
>>
>> > > There's a big thing missing from the issue of recounting some or
recounting all precincts argument. And that is determining the source of the
problem in the first place. I suggest that some absolute threshold, such as
an error rate exceeding a certain number or percentage of votes result in an
evaluation of the causes of the error. This should be separate from the
decision to recount for the purposes of determining the winner.
>> > >
>> > > Furthermore, this issue is independent of technology. It applies
equally to HCPB, where it might uncover a counting conspiracy among volunteer
counters.
>> > >
>> > > Best regards,
>> > > Arthur
>
> >
> >

_______________________________________________
OVC-discuss mailing list
OVC-discuss@listman.sonic.net
http://lists.sonic.net/mailman/listinfo/ovc-discuss
==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Sun Dec 31 23:17:13 2006

This archive was generated by hypermail 2.1.8 : Sun Dec 31 2006 - 23:17:16 CST