Re: [EILeg] Cascading Audits

From: Jerry Lobdill <lobdillj_at_charter_dot_net>
Date: Thu Dec 14 2006 - 14:51:17 CST

Ron,

I have been about as patient as most people are on lists like this.
You seem to be quick on the draw with instant responses to people's
posts, offering opinions off the top of your head (it seems). You
seem very contrary, never agreeing completely with anything and
almost always requesting that some very time consuming task be
done. It may be that this is a perception that isn't accurate most
of the time, but the evidence does seem to point in that direction.

Your portrayal of yourself as a math challenged person induced me to
spend the better part of half a day preparing the tutorial you
requested. Then you wanted to kibbitz even the writing style of that.
You haven't responded to that paper in its final form. Now you seem
to be responding to Ben Adida in the manner of someone who has a hell
of a lot more extensive knowledge than you had previously implied.

In order that I may know more about what to expect from you in the
way of technical expertise would you please give me a bit of
background on yourself?

See other comments below

At 12:27 PM 12/14/2006, you wrote:
>On Wed, 13 Dec 2006 21:20:21 -0600, Jerry Lobdill wrote
> > Ron,
> >
> > [snip]Overkill is not present in my proposal. You simply assert
> that it is without any technical argument. Your argument is based
> on what election administrators want, and that is not a proper
> stance to take. <
>
>Every proposal for election reform has both technical and practical
>aspects. While it is certainly technically defensible -- in terms of
>maximizing the likelihood of discovering fraud -- to hand-recount an
>entire county if a single precinct exhibits a miscount, such a
>recount can involve a great deal of effort. This possibility will,
>in turn, motivate some officials to oppose such an audit proposal,
>or to shortcut its execution should it actually become law. Imagine
>you're LA County's ROV, and that the initial audit discovered a
>3-vote miscount in one precinct. Under your plan, you'd be faced
>with hand-recounting over 5,000 other precincts. That's a big,
>expensive, time-consuming job, and it's not clear that it's justified.

As usual, you are suggesting an extreme example. If you are really so
rigid in your thinking that you believe that my proposal would allow
a single 3 vote miscount in one precinct to precipitate a recount of
5000 precincts you are way off base.

Let me use your example in responding. Let's suppose that we are
dealing with a county-wide election in LA so that 5000 precincts are
involved. The margin in the race we are auditing is 2%. Suppose
further that precinct size variability and the assumed maximum vote
switch percent are such that the minimum number of corrupted
precincts that could produce the reversal is 50. Then the audit
sample size would be 438 for a 99% confidence level. If the election
was completely honest there would be no precincts that showed vote
switching in favor of the ostensible winner although there might be a
number of random errors due to causes not necessarily related to
ballot definition files or other software problems. These errors can
be expected to be small in number and unbiased in their effect on the
race. During the audit of the 438 precincts we are looking for at
least one precinct that has on the order of 7.5% to 20% of the votes
switched from the loser to the winner (depending on our assessment of
the audacity and anxiety of the attacker). Clearly, a 3 vote miscount
would not satisfy that criterion.

However, if one such (7.5-20%) corrupted precinct does show up in the
438, the probability that this kind of error is an innocent one is
less than 0.1%. Why do I say that? (I'm sure you'll ask.) What do
you suppose the probability is that only one precinct out of 5000
would have this percent of votes switched from the announced loser to
the announced winner? 1/5000? 1/10,000? You'll have a hard time
arguing that there's a greater than 1/5000 probability of this
happening by random error. So let me admit 1/5000 for this number.
Given that frequency of occurrence of this specific kind of error,
the probability of there being one incidence in the 438 precincts
audited is 438/5000x1/5000. That's 0.00001752 or 0.001752%.

So if at least one such corrupt precinct shows up in an audit of 438
this result is what we'd expect in 99% of the cases if the election
with these parameters has been reversed. This result would occur due
to random error 17.5 times out of a million. Now I think that's
sufficient evidence that a full ballot recount should be ordered in
spite of the arrogant bloviating ignoramuses who would wail and moan
and gnash their teeth at the prospect.

>If there exists an audit scheme that reduces the burden of
>additional recounts while still giving us a high probability of
>discovering fraud, officials would be likely to find it more
>acceptable, leading to less opposition to enactment and greater
>compliance in practice.
>
>That's what I'm trying to do with cascading audits.
>
> > You came up with this cascading audits idea just yesterday and do
> not even have a technical exposition of it published anywhere.
> Please excuse me if I seem a little cranky about your presumptuous
> attitude, but it does annoy me. If you think so highly of it, why
> not publish a complete detailed statistical analysis that justifies
> your idea? Then I promise I will provide a technical critique of
> it devoid of any crankiness. <
>
>I will indeed attempt a detailed paper on it, and publish it here
>when complete. But please consider adopting a less "cranky"
>attitude. This is a forum for the exchange of election reform ideas,
>many of which are not going to be fully-formed when presented. If
>new (but not fully-formed) ideas are met with derision and personal
>attacks, this forum will become much less useful.

Please try to put pencil to paper before disagreeing and asking for
proof of something. If I can see that your objections obviously have
technical merit they will be received with gratitude and given
careful consideration. We are not here to spend our time defending
or disproving half-baked ideas or to modify half baked ideas to meet
objections of those who get sucked into doing the homework that
probably ought to be done before an idea appears here.

>Again, I am more than open to reasonable criticism. It helps us all
>improve our proposals.
>
>-R
>
>
> > At 05:37 PM 12/13/2006, you wrote:
> >
>>On Wed, 13 Dec 2006 16:16:52 -0600, Jerry Lobdill wrote
>> > > At 02:38 PM 12/13/2006, you wrote:
>> > >
>> >
>>>Jurisdictions will object strenuously to the idea that the
>>>detection of a single miscounted precinct should trigger a full
>>>recount of the entire affected jurisdiction (e.g., imagine
>>>recounting California because something went wrong in the U.S.
>>>Senate race in a single precinct having 300 registered voters).
>>>The cascading audit scheme attempts to address this objection
>>>while still providing an effective audit. I think that
>>>jurisdictions will be much more likely to accept the cascading
>>>audit than the full-recount-on-a-single-miscount scheme that you've proposed.
>>> > >
>>> > > -R
>>[Stuff that was better not said omitted.]
>> >
>> > > If a single precinct IN A COUNTY is found corrupted in a
>> sample selected from the population of ALL precincts in the COUNTY
>> that are voting in the race being audited, this precipitates a
>> full hand recount of ALL precincts in the COUNTY that are voting in the race.
>> >
>> > Los Angeles County has about 5,000 precincts. Requiring a full
>> recount of that county when something goes wrong in a single
>> precinct would be massive overkill. The cascading audit is much
>> more economical, yet still gives us an excellent (p=0.99) chance
>> of detecting at least one additional miscounted precinct if any
>> such precincts exist. In consequence, I think that it would be
>> much more acceptable to officials, and thus more likely actually
>> to make it into law.
>
> > As seen through the eyes of officials--who don't ever want to do
> a recount under any circumstances.
> >
> >
>> > ...Any corrupted precinct precipitates a full hand recount IN
>> THAT COUNTY. The reason for this is that a wholesale attack is not
>> spread from county to county or from the state level to the
>> counties. It is launched independently in each county in which it appears. <
>> >
>> > This is incorrect. A wholesale attack easily can originate at a
>> vendor or at one of a vendor's suppliers, and can therefore affect
>> any jurisdiction using the affected machines -- potentially the entire nation.
>
> > Typically it would originate at a county election administration
> office. Most candidates would not have the inside contacts to
> attack through the vendor. They would most likely attack through
> the contacts they have in the election district and that would mean
> that each county's system would have to be attacked independently.
> It's, of course, possible that the trojan horse could be inserted
> into a new version of GEMS software (or its equivalent) certified
> by the SoS for use in the state at the precise time required to
> affect the election, and therefore promulgated to all users of the
> vendors' machines. If that unlikely event happened my audit
> procedure would catch it anyway, so your argument is of no effect.
> >
> >
>> > There may be a few refinements yet to be made in the procedure
>> for sample selection, but I assure you they do not involve your
>> cascading audits idea as expressed below. <
>> >
>> > Then please propose an approach that minimizes overkill while
>> still providing adequate assurance of detecting further miscounts.
>> Or at least tell me what's wrong with cascading audits. I am more
>> than willing to consider reasonable objections (e.g., it's not
>> mathematically supportable because..., it's too clumsy because..., etc.)
>
> > There is no overkill. Why don't you tell us why your idea is
> mathematically supportable.
> >
> >
>>...
>> > > As best I can tell, you came up with your cascading audits
>> notion off the top of your head yesterday. Please read what has
>> been published by myself, Howard Stanislevic, and Kathy Dopp, and
>> reconsider your idea. <
>> >
>> > I have read Kathy's papers (at least the ones that she's cited
>> here), which recognize that there's a question about what to do
>> when the initial audit discovers a discrepancy, but say that
>> further research is needed to determine what to do about it.
>
> > I don't speak for Kathy. Although we do agree in most particulars
> on how to design the audit she apparently has not gone farther and
> decided what to do with the results of the audit.
> >
> >
>> I have read your audit paper posted at NIST, and I don't recall
>> it saying anything about this issue.
>
> > In my paper I did not specifically debunk the idea that the
> hypothesis being tested in my audit plan to a 99% confidence level
> would need further supporting auditing before a sufficient level of
> confidence was reached to order a recount. No one had specifically
> made such a claim at the time I wrote the paper. However I did say
> this: "It is extremely important to avoid legal language that gives
> election officials the power to emasculate the mandatory audit
> process." I said that because Howard Stanislevic had written that
> he thought election officials would want discretion to decide what
> to do when the audit uncovered a corrupt precinct which had errors
> that support the likelihood of a trojan horse attack on the race
> being audited. Howard, Kathy, and I agree on how to design the
> audit, but neither of them, so far as I'm aware, has agreed that
> the audit result should trigger a recount--but neither have they
> said it should not.
> >
> > In my latest paper, written at your suggestion, and I hope by now
> it is available in the files on the EI Leg website, I said,
> >
> >
>"In an audit, enough polling place returns are counted by hand that
>we will find, with 99% confidence, at least one polling place that
>exhibits this kind of error if the election has been successfully
>attacked. If one such discrepancy occurs in the sample audited it
>should trigger action that is mandatory."
>
> > When I said that, I did not mean that maybe 99% confidence isn't
> enough and that the mandatory action should be to audit some more
> precincts, and to keep on doing it until you've audited all the
> precincts (which is what you've said, I believe). The probability
> is extremely small that only one precinct in an election in which
> votes are tabulated in PCOS machines is corrupted by vote switching
> in the direction needed to fraudulently elect the ostensible
> winner. This is not the kind of random error you find that is a
> programming bug. It is the kind of systematic error that has a 99%
> chance of showing up in the audit if the election has been stolen
> by vote switching.
> >
> > If one follows your prescription of cascading audits it appears
> that you end up auditing all precincts. Isn't that a full
> recount? You don't say what would prevent that from happening or
> what the statistics are on each iteration or why whatever the
> confidence level is, it's never enough.
> >
> > Do you think you could flesh out your proposal so that it's clear
> why you're doing each step and how it's all statistically justified?
> >
> >
> >
>> Thank you for clarifying your position that discovery of a single
>> miscounted precinct should trigger a countywide recount. I
>> disagree, for the reasons stated above. I have not (knowlingly)
>> read Mr. Stanislevic, but I'll search for him and see what his
>> papers have to say.
>> >
>> > -R
>> >
>> >
>>>On Wed, 13 Dec 2006 09:35:43 -0600, Jerry Lobdill wrote
>>> > > > This is a response to both Arthur and Ron re auditing.
>>> > > >
>>> > > > This business of "further auditing" seems to me to be
>>> misguided thinking. In the audit scheme that I have proposed the
>>> kind of miscount and the race in which it occurs cannot in any
>>> reasonable analysis be considered an ambiguous result that would
>>> be cleared up by more auditing. If it occurs once in a sample
>>> that is properly sized and randomly selected it should be
>>> considered sufficient evidence to trigger a full recount. You
>>> don't even need to audit the complete set of precincts in the
>>> sample once you've found the first precinct that satisfies the
>>> detection criterion.
>>> > > >
>>> > > > We can discuss this further if you don't agree.
>>> > > >
>>> > > > Jerry Lobdill
>>> > > >
>>> > > > At 02:00 PM 12/12/2006, eileg-request@lists.sonic.net wrote:
>>> > > >
>>> > >
>>> >
>>>>From: "Ronald Crane" <voting@lastland.net>
>>>> > > > Precedence: list
>>>> > > > MIME-Version: 1.0
>>>> > > > To: eileg@lists.sonic.net
>>>> > > > Date: Mon, 11 Dec 2006 20:14:31 -0800
>>>> > > > Message-ID: <20061212035633.M61444@lastland.net>
>>>> > > > Content-Type: text/html;
>>>> > > > charset=iso-8859-1
>>>> > > > Subject: [EILeg] Cascading audits
>>>> > > > Message: 12
>>>> > > >
>>>> > > > An important question raised by audits is what further
>>>> auditing should we do if we discover precincts that miscounted
>>>> their votes. It strikes me that a good approach might be like this:
>>>> > > >
>>>> > > > 1. Reduce the winning candidate's effective margin of
>>>> victory in accord with the results of the audit from the miscounted precincts.
>>>> > > >
>>>> > > > 2. Treat the precincts that were not audited the first
>>>> time around as if they represent a new election.
>>>> > > >
>>>> > > > 3. Iterate the audit, calculating the number of precincts
>>>> that we need to audit to have p=0.99 of discovering at least one
>>>> miscounted precinct (given the new margin of victory and the
>>>> minimum number of precincts that an attacker would have to flip
>>>> to gain victory), and randomly selecting the new precincts to audit.
>>>> > > >
>>>> > > > I haven't carefully analyzed this procedure, but it seems
>>>> that, when it terminates, we will have at least p=0.99 assurance
>>>> that there are not enough miscounted precincts to flip the election.
>>>> > > >
>>>> > > > It also seems reasonably economical, avoiding the big hit
>>>> of simply auditing all the precincts when we discover some
>>>> number of miscounted ones.
>>>> > > >
>>>> > > > Comments?
>>>> > > >
>>>> > > > -R
>>>> > > > From: "Ronald Crane" <voting@lastland.net>
>>>> > > > Precedence: list
>>>> > > > MIME-Version: 1.0
>>>> > > > To: "Ronald Crane" <voting@lastland.net>, eileg@lists.sonic.net
>>>> > > > References: <20061212035633.M61444@lastland.net>
>>>> > > > In-Reply-To: <20061212035633.M61444@lastland.net>
>>>> > > > Date: Tue, 12 Dec 2006 00:23:53 -0800
>>>> > > > Message-ID: <20061212082107.M25279@lastland.net>
>>>> > > > Content-Type: text/html;
>>>> > > > charset=iso-8859-1
>>>> > > > Subject: Re: [EILeg] Cascading audits
>>>> > > > Message: 13
>>>> > > >
>>>> > > > 1. Reduce the winning candidate's effective margin of
>>>> victory in accord with the results of the audit from the miscounted precincts.
>>>> > > >
>>>> > > > 2. Treat the precincts that were not audited the first
>>>> time around as if they represent a new election.
>>>> > > >
>>>> > > > 3. Iterate the audit, calculating the number of precincts
>>>> that we need to audit to have p=0.99 of discovering at least one
>>>> miscounted precinct (given the new margin of victory and the
>>>> minimum number of precincts that an attacker would have to flip
>>>> to gain victory), and randomly selecting the new precincts to audit.
>>>> > > > To be more explicit:
>>>> > > >
>>>> > > > 4. Repeat 1-3 until either an audit finds no more
>>>> miscounted precincts or you've audited all the precincts.
>>>> > > >
>>>> > > > -R
>>>> > > >
>>>> > > > At 8:14 PM -0800 12/11/06, Ronald Crane wrote:
>>>> > > >
>>>> > >
>>>> >
>>>>>It also seems reasonably economical, avoiding the big hit of
>>>>>simply auditing all the precincts when we discover some number
>>>>>of miscounted ones.
>>>>
>>>> > > > There's a big thing missing from the issue of recounting
>>>> some or recounting all precincts argument. And that is
>>>> determining the source of the problem in the first place. I
>>>> suggest that some absolute threshold, such as an error rate
>>>> exceeding a certain number or percentage of votes result in an
>>>> evaluation of the causes of the error. This should be separate
>>>> from the decision to recount for the purposes of determining the winner.
>>>> > > >
>>>> > > > Furthermore, this issue is independent of technology. It
>>>> applies equally to HCPB, where it might uncover a counting
>>>> conspiracy among volunteer counters.
>>>> > > >
>>>> > > > Best regards,
>>>> > > > Arthur
>>>
>>> > >
>>> > >
>>
>> > > (In accordance with Title 17 U.S.C. Section 107, this material
>> is distributed without profit to those who have expressed a prior
>> interest in receiving the included information for research and
>> educational purposes. ProgressiveNews2Use has no affiliation
>> whatsoever with the originator of this article nor is
>> ProgressiveNews2Use endorsed or sponsored by the originator.)
>> > >
>> > > "Go to Original" links are provided as a convenience to our
>> readers and allow for verification of authenticity. However, as
>> originating pages are often updated by their originating host
>> sites, the versions posted on ProgressiveNews2Use may not match
>> the versions our readers view when clicking the "Go to Original" links.
>> > >
>> >
>> >
>
> > (In accordance with Title 17 U.S.C. Section 107, this material is
> distributed without profit to those who have expressed a prior
> interest in receiving the included information for research and
> educational purposes. ProgressiveNews2Use has no affiliation
> whatsoever with the originator of this article nor is
> ProgressiveNews2Use endorsed or sponsored by the originator.)
> >
> > "Go to Original" links are provided as a convenience to our
> readers and allow for verification of authenticity. However, as
> originating pages are often updated by their originating host
> sites, the versions posted on ProgressiveNews2Use may not match the
> versions our readers view when clicking the "Go to Original" links.
> >
>

(In accordance with Title 17 U.S.C. Section 107, this material is
distributed without profit to those who have expressed a prior
interest in receiving the included information for research and
educational purposes. ProgressiveNews2Use has no affiliation
whatsoever with the originator of this article nor is
ProgressiveNews2Use endorsed or sponsored by the originator.)

"Go to Original" links are provided as a convenience to our readers
and allow for verification of authenticity. However, as originating
pages are often updated by their originating host sites, the versions
posted on ProgressiveNews2Use may not match the versions our readers
view when clicking the "Go to Original" links.

_______________________________________________
OVC-discuss mailing list
OVC-discuss@listman.sonic.net
http://lists.sonic.net/mailman/listinfo/ovc-discuss

==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Sun Dec 31 23:17:14 2006

This archive was generated by hypermail 2.1.8 : Sun Dec 31 2006 - 23:17:16 CST