Mitigating the Security Flaws in Vote Tallying Procedures

From: Dennis Paull <dpaull_at_svpal_dot_org>
Date: Tue May 04 2004 - 23:34:05 CDT

Hi all,

The following is a message I am about to send to the CA Sec of State and
some of his advisors. I would appreciate any comments from you before I
send it.

I believe that I am covering some of the issues being discussed currently
on this list. The concept of making all the precinct totals public along
with all the data needed for the public to compute the canvass totals
themselves is new to this and other discussions. I believe that it truly
mitigates any concern for hacking the tallying software.

Like the concept of open source, only a few folks need to take advantage
of the ability to do a parallel canvass to make it valuable and a deterrent
to fraud.

Dennis Paull

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Secretary of State Kevin Shelley
Members of the Voting Systems and Procedures Panel
David Jefferson, Member of the VSP and
   Chair of the Technical Advisory Board

Dear Secretary Shelley and David Jefferson,

I would like to propose to the TAB and the VSP methods of overcoming the
documented security flaws in both GEMS and related tallying software from
other vendors and concerns about the transfer of vote totals from polling
places to county central computers.

This is not to say that the concerns about paperless voting machines are not
still of great interest, only that there are ways to overcome some of the
other identified voting systems security weaknesses.

A general observation is that the more the public is involved with any
process, the less likely it will be that a small group will be
able to commit massive vote fraud. The larger the group committing fraud,
the less likely that such fraud will remain undetected.

I am also concerned that simple software bugs will cause voting errors
and, again, the more folks with access to the voting details, the less
likely that such bugs will go undetected and unreported.

My suggestions that follow seek to address procedures that can be implemented
rather quickly and at relatively low cost to counties and still have a high
probability of making elections more secure. They also have the advantage
of getting more of the public involved with the election process and thus
more committed to public elections and the sanctity of the vote.

Errors in the Voting Process.

Both software bugs and direct fraud can affect elections at multiple steps
in the election process:

1.  In the voter registration process.

2.  In the attempt to get voters to cast their vote.

3.  In the qualification of voters at polling places.

4.  In the qualification of absentee, mail and provisional ballots.

5.  In the workings of the polling place voting equipment.

6.  In transferring the votes from polling places to county elections central
    computers.

7.  In the tallying of those votes during the official canvass.

8.  In the random manual recount.

I am only going to address steps 6, 7 and 8 in this message. In general, I
am only addressing the detection of error, not how to correct it.

Recommendation 1.

Transferring the votes from polling places to county elections central
computers.

Much has been made of the insecurity in moving votes from polling places to
wherever the votes will be tallied. Many schemes have been proposed or
implemented but there is one thing missing from most of these proposals,
public oversight. So I propose the following:

A.  Allow one or more members of the poll worker staff to take home copies
    of the vote totals. These totals would be the same as those posted
    outside of the polling place following the close of the polls and also
    the totals reported back to the county central office in any of several
    formats, such as printed paper, magnetic tape, memory card or by direct
    electronic communications.

B.  Require that all these reported vote totals be made publicly available
    within 24 hours or less of the close of the polls. This should not be
    hard since all this data will be input into the elections computers in
    order to publish the unofficial canvass results, typically within a few
    hours after the polls close. Publishing the data on line would be the
    most likely means of making the data public but other methods might
    also be used.

C.  Add to the job description of the poll workers, Inspectors and possibly
    others, that they check the published vote totals against the numbers
    they took home with them in step A above. They could then mail a postcard
    to the elections office attesting to whether the numbers are the same.

This procedure would involve adding one or more persons from each precinct
into the vote verifying loop, greatly increasing the number of eyes on the
process and increasing the chances that errors of any type in the
transmission of vote totals from the polling place to the central office
computer will be detected.

Recommendation 2.

Tallying of votes during the unofficial and official canvasses.

Once the 'raw vote count', that is the numbers published in step B of
Recommendation 1 above, has been published, anyone can then follow the rest
of the canvassing process if the following steps take place:

a.  In addition to the polling place vote totals, the totals from the rest
    of the vote counting process shall be published as the canvass proceeds.
    This includes the absentee, mail ballot, provisional ballot and write-in
    votes. Each type of vote would be identified as to the precinct it will
    be included with in the final Statement of the Vote.

b.  The database of precinct descriptions, that is range of street address
    that define the precinct, will be made public.

c.  The database of voting districts, that is the list of precincts that
    together constitute the voting district, will be made public.

d.  The list of ballot races and measures that are up for vote in the current
    election, along with the rules governing each race or measure such as
    the number of open seats, whether it is a plurality or majority race, the
    kind of voting procedure like instant runoff, whether there is a "none
    of the above" option, etc., will be made public.

Together, the information from steps a, c and d is enough for anyone to
perform the vote tallying on their own computer. Since all this information
is already supposedly public, no new laws are needed. We need only that the
counties make this data publicly available and accessible in a form that is
easy for the public to use.

The data from step b may be needed to allow demographic vote analysis to
detect if any sub-populations appear to be treated differently than others
and thus not provided equal access to the ballot.

Vote tallying is nominally a simple process and should be completely public.
Any need for 'adjustments' by the elections staff need to be documented and
fully explained. All vote totals should be increasing with time.

When the manual recount is performed, the results of the recount, and any
discrepancies, need to be reconciled. If changes to the previously
published count are in order, they need to be clearly presented in public.

We now have a system that purports to conduct recounts, but the process
is so opaque to most voters, even when done under the best of procedures,
that suspicions remain.

Recommendation 3.

The Random Manual Recount.

The manual recount procedure is mandated in the CA Elections Code but most
of the details of the recount procedures are left to the discretion of the
counties. I believe that there may be some Registrars who are not trained
in the statistical sampling of variant data analysis and so may quite
innocently use procedures that invalidate the results of the recount and
thus provide no check on the quality of the voting equipment and procedures
that are the justification for the recount in the first place.

The purpose of the random manual recount is to verify the accuracy of the
vote totaling process that takes place at the polling place. This is true
regardless of the means used to compute those vote totals, either by hand
or machine counting. For mailed, provisional and absentee ballots, the
recount serves as a check on the people or machines used to count them.

If the error that the recount is trying to detect is completely random in
nature, whether accidental or purposeful, then simple procedures may be
used to detect it. However, if the purpose of the recount is also to detect
purposeful election fraud, the procedures must be designed with that in mind.
Fraud must be assumed to be committed by persons who have complete awareness
of how the elections are conducted in all its details, since such persons
have traditionally been the more likely source of the fraud.

Proper procedures should allow the detection of fraud even under the worst
of conditions. Just making the 'raw data' public is the first step. Next is
to make sure that the testing is conducted by measures taken after the
fraud takes place and in ways that the perpetrator cannot have predicted.

The key to the random manual recount is to select the precincts to be
recounted in a truly random manner and by recounting enough ballots so that
there is a high likelihood of detecting any errors or fraud if they exist.
Further, the ballots to be recounted must not be known before the vote
totals of those ballots have been made public.

Please note that some of these steps are already in the Elections Code but
may be being ignored.

I.    The ballots to be recounted must represent all the voted ballots. Thus
      provisional, absentee and mailed ballots must be included along with
      the polling place ballots.

II.   The ballots to be recounted must include all of the ballots in any
      precinct, or other ballot group whose totals have been made public.

III.  The precinct or other ballot group must be selected well after the
      ballot totals for that group have been made public.

IV.   The means for selecting the precinct or ballot group must allow all
      such ballots an equal chance of being selected. No such group must be
      either automatically included or excluded.

V.    There should be members of the public viewing the selection process.
      These persons should represent all sides of the political spectrum.
      Further, these members should agree that the method of making the
      random selection is truly random to their satisfaction. It may even
      be desirable to have one or more members of the public actually take
      part in the selections.

VI.   The selected ballots should represent geographically diverse sections
      of the county, even if the random selection at first happens to result
      in a non-diverse choice. The public observers should agree that some
      ballot groups need to be replaced by other newly randomly selected
      groups. Additional precincts might be selected in reserve in case
      discrepancies require expanding the recount.

VII.  Additional precincts must be selected such that every voting district
      has at least one precinct recounted that lies within it. But these
      additional precincts must be selected in the same random manner as the
      previous selections, but limited just to the unrepresented voting
      districts.

VIII. The elections staff may include additional ballot groups for recount to
      satisfy other criteria, such as precincts that had suspect procedures
      or equipment failures.

IX.   All ballots manually recounted must produce the same vote totals as
      the earlier counts. Any discrepancies must be investigated and the
      discrepancies explained. If the recount detects any unexplained
      errors, then additional precincts must be selected for recount using
      the same random selection procedures as the original set. All
      unexplained discrepancies must be assumed to be either random errors
      or evidence of fraud and treated accordingly.

X.    Evidence of fraud should trigger a full manual recount of all ballots
      cast.

XI.   All races and measures should be manually recounted on all selected
      ballots as errors can occur anywhere on the ballot.

XII.  All results of the random manual recount must be made public. If
      discrepancies are not found, that can be reported in the final canvass.
      But if unexplained discrepancies are found, the public must be  
      informed, the sooner the better. The county can then state what they
      are doing to remedy the situation, including expanding the manual
      recount. All results of the random manual recount should appear in the
      Statement of the Vote.

Remember that the random manual recount is there for the purpose of detecting
unanticipated errors and fraud. It is implemented to assure the voters that
the reported election results are valid.

County officials often point out that no evidence of fraud has ever been
reported. But then they also don't want to make discrepancies public if and
when they are found. So of course they are seldom reported. Only extreme
cases seem to be made public. The number of small discrepancies and the
number of recounts which have detected equipment malfunction, or fraud by
members of the elections staff, may never be known.

Dennis Paull
229 Correas Ave
Half Moon Bay, CA 94019
650-712-0498
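
Added example, not part of the original message: a minimal parallel canvass in Python along the lines of Recommendation 2. It recomputes race totals from the published precinct data (step a), the district list (step c) and the race rules (step d), then compares them with the county's announced totals. All precinct names, candidates and numbers are constructed, and only plurality races are handled.

```python
from collections import defaultdict

# Constructed sample data (not real election results).
# Step a: published rows of (precinct, ballot_type, race, choice, votes).
PUBLISHED = [
    ("P1", "polling",  "Council-D1", "Alvarez", 210),
    ("P1", "polling",  "Council-D1", "Brooks",  180),
    ("P1", "absentee", "Council-D1", "Alvarez",  40),
    ("P1", "absentee", "Council-D1", "Brooks",   55),
    ("P2", "polling",  "Council-D1", "Alvarez", 150),
    ("P2", "polling",  "Council-D1", "Brooks",  150),
    ("P3", "polling",  "Council-D1", "Alvarez", 999),  # P3 is outside D1
]
DISTRICTS = {"D1": ["P1", "P2"], "D2": ["P3"]}          # step c
RACES = {"Council-D1": {"district": "D1", "seats": 1}}  # step d (plurality)
# Totals as announced by the county's tallying software (constructed).
OFFICIAL = {"Council-D1": {"Alvarez": 400, "Brooks": 405}}

def parallel_canvass(published, districts, races):
    """Recompute race totals from the published precinct data alone."""
    totals = {race: defaultdict(int) for race in races}
    stray = []  # rows for an unknown race or a precinct outside its district
    for precinct, _btype, race, choice, votes in published:
        if race in races and precinct in districts[races[race]["district"]]:
            totals[race][choice] += votes
        else:
            stray.append((precinct, race, choice, votes))
    return {r: dict(t) for r, t in totals.items()}, stray

def winners(totals, races):
    """Top `seats` choices per race under plurality rules."""
    return {r: sorted(t, key=t.get, reverse=True)[:races[r]["seats"]]
            for r, t in totals.items()}

def discrepancies(official, recomputed):
    """(race, choice, official, recomputed) wherever the two differ."""
    out = []
    for race in sorted(set(official) | set(recomputed)):
        o, r = official.get(race, {}), recomputed.get(race, {})
        for choice in sorted(set(o) | set(r)):
            if o.get(choice, 0) != r.get(choice, 0):
                out.append((race, choice, o.get(choice, 0), r.get(choice, 0)))
    return out

if __name__ == "__main__":
    totals, stray = parallel_canvass(PUBLISHED, DISTRICTS, RACES)
    print("recomputed:", totals, "stray rows:", stray)
    for d in discrepancies(OFFICIAL, totals):
        print("MISMATCH race=%s choice=%s official=%d recomputed=%d" % d)
```

In this constructed data the announced totals differ from the recomputed ones by 20 votes for one candidate, which is enough to change the winner; that is the kind of mismatch a parallel canvass is meant to surface.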


==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Mon May 31 23:17:13 2004
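
Added example, not part of the original message: one way to make the precinct draw of Recommendation 3 reproducible by observers, covering steps III, IV and VII. It assumes the seed comes from dice rolled in public after the totals are posted and ranks ballot groups by a SHA-256 hash of seed and group id; the group names, times, seed and hash-ranking method are all assumptions of this sketch.

```python
import hashlib
from datetime import datetime

# Constructed sample: ballot group -> (voting district, time totals were published).
# Absentee/provisional groups sit in the pool like any precinct (step I).
GROUPS = {
    "P1": ("D1", datetime(2004, 3, 2, 22, 0)),
    "P2": ("D1", datetime(2004, 3, 2, 22, 30)),
    "P3": ("D2", datetime(2004, 3, 2, 23, 0)),
    "P4": ("D2", datetime(2004, 3, 2, 23, 15)),
    "P5": ("D3", datetime(2004, 3, 3, 1, 0)),
    "ABS-D3": ("D3", datetime(2004, 3, 4, 9, 0)),
}
SEED = "4-1-6-2-5-3-3-1-6-4"            # constructed: dice rolled by observers
DRAWN_AT = datetime(2004, 3, 5, 10, 0)  # constructed: time of the public draw

def rank(seed, pool):
    """Order a pool by SHA-256(seed|id); any observer can recompute it."""
    return sorted(pool, key=lambda g: hashlib.sha256(f"{seed}|{g}".encode()).hexdigest())

def draw_recount(groups, seed, drawn_at, n):
    """Return (selected, top_ups): n drawn groups plus one per uncovered district."""
    late = sorted(g for g, (_, pub) in groups.items() if pub >= drawn_at)
    if late:  # step III: every group's totals must already be public
        raise ValueError(f"totals not yet published for: {late}")
    selected = rank(seed, groups)[:n]        # step IV: whole pool, no exclusions
    covered = {groups[g][0] for g in selected}
    top_ups = []
    for district in sorted({d for d, _ in groups.values()} - covered):
        pool = [g for g, (d, _) in groups.items() if d == district]
        top_ups.append(rank(seed, pool)[0])  # step VII: same method, limited pool
    return selected, top_ups

if __name__ == "__main__":
    selected, top_ups = draw_recount(GROUPS, SEED, DRAWN_AT, 2)
    print("selected:", selected, "district top-ups:", top_ups)
```

Because the ranking depends only on the seed and the published group ids, anyone who witnessed the dice roll can rerun the draw and confirm that no group was added or dropped.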
