The trouble with tripples. (Was Three ballot voting system)

From: Charlie Strauss <cems_at_earthlink_dot_net>
Date: Tue Sep 26 2006 - 22:15:37 CDT

After I gave a negative review of Ron Rivest's paper on Three ballot
voting I got a polite e-mail from him challenging me to provide
details of the problems I alledged. So I sent him the breakdown below.

Something I tried to emphasize to him in other e-mails we exchanged
was that security systems like VoteHERE's counted-as-cast desiderata
should not trump transparency and ease of use. Ron feels mostly the
opposite I believe and thinks counted-as-cast is worth the complexity.

He's reviewing my documentation and will probably have a few words to
rebut mine, or improvements to his system in a few days I expect.
For now here's my quick description of the flaws I see in the Three
ballot system.

The Trouble with Triples:
Defects in the triple ballot (3ballot) scheme.
Charlie Strauss
Verified Voting New Mexico
Los Alamos, NM

A few of the problem types 3ballots create
A major construction fault of the disclosure paper is that it
presents a moving target for criticism; by presenting a myriad of
sometimes mutually exclusive variations in different sub parts, it
fails to hold up any one gold standard schema to deconstruct. So I
will have to critique aspects of it knowing that I cannot address
every possible permutation of the presented options. As a debate
tactic, I will assert it was the author's duty, not mine, to present
one self-consistent unflawed system as a straw man.

1) The schema does not do what it purports:
        a. It allows people to vote multiple times
        b. It actually facilitates vote selling.
        c. It does destroy secret balloting

2) It’s hideously complex for the voter to actually use, let alone
understand how the security is supposed to work.

        a. A modest sized 70 race ballot might need 360 marks to complete
        b. If just one mark is wrong, the entire ballot is must be redone.
                Unlike a conventional ballot system which allows the voter the
option to cast an overvoted or under voted ballot by ignoring the
mismarked race, this is not allowed for the 3ballot because the vote
counter will count overvotes as extra votes and under votes as negative.

3) The complex mechanics required (machines tearing ballots, or the
“shamos” engine) is assured to break down.

4) Unlike conventional paper ballots the voter cannot vote if the
“checker machine” malfunctions, as voting machines have been known to
do. The process stops.

5) It’s got lots of ill-considered issues such as the logic bomb of
write-ins, people escaping with marked but not cast ballots, and
security holes caused by mixing 1ballots with 3 ballots.

I will now give example in these areas.

Technical problems aside, the 3ballot is hideously complex for the

To vote a single 5-person race in a conventional ballot (a.k.a
1Ballot) requires one mark, and the voter can tell at a glance it was
done correctly. Whereas a 3ballot for the same requires six marks and
takes more than a glance to consistency check. A modest sized ballot
with 70 contests and questions, say 10 five-way races, 30 four-way
races, 30 three-way races, and 10 two-way, would require 360 marks
instead of 70. (50+10+120+30+90+30+20+10)

On a conventional 1ballot, a casual observer might guess that it
would be nearly foolproof for a voter to accidentally overvote since
one is makes just a single mark per contest. Yet the reality is that
voters routinely over and undervote. Some trustworthy estimates put
the mean mis-mark rate on the order of 1%.

One can only imagine how difficult it would be not to make a single
mis-mark on the 3ballot. Indeed, even if the 3ballot's mark error
rate were as low as it is on a 1ballot, it would be statistically
unlikely that most people could ever complete a practical 360-mark
3ballot without an error. In reality, I would assume that the mark
error rate with such complex and hard to eyeball patterns would be
drastically higher and thus compounding the problem exponentially
(literally by the factorial, if we assumed mostly uncorrelated errors).

The 3ballot requires complete perfection of every mark
On a conventional 1ballot, in the event the voter overvotes and the
ballot is spit out with a beep, it's a matter of a moment to find the
offending race. Finding the offending logic bomb on a 3ballot would
be a matter of study, quite possibly beyond the grasp of many voters.

Moreover on a 1ballot the voter has the option of simply casting the
over/under marked ballot and simply having the offending race
disqualified. This is not possible on the 3ballot. If the races are
not marked consistently the voter is not allowed to vote ANY of the
ballot since it would allow the voter to vote 3 times for any
candidate. Thus all 360 marks must be made with complete
perfection. That’s a hideous burden.

Likewise if the critical ballot-checker malfunctions no one can vote
with the 3ballot and the election stops. It’s not safe to separate
the ballots before approved by the vote-checker. That would allow
triple voting. If one mixed emergency 1ballots with the 3ballots
security holes appear.

I have not even mentioned the confusion of races where one can vote
for several candidates in a race (e.g. common for choosing county
council races) will cause on the 3ballot. It also pretty much
forecloses any simple method for implementing the most desired forms
of ranked preference voting.

  If it were implemented on current and legacy optical scan machines
confusing technical glitches will ensue. For example, because
current machines only have the ballot layout cannot have multiple
races spread horizontally. This will effectively triple the number
of ballot pages. Anything longer than 2 pages is a serious
complication in practice both for voter complexity, and for simple
accounting in the voting machine (e.g. what happens if page 1 is
accepted but page 3 is rejected). With ballots shredded into 3s
multiplies the confusion. For example, imagine a ballot that has
passed the “checker machine” and is then fed, all 3, 6 or 9 strips,
into the ballot counting machine. However if the ballot counting
machine is slightly more sensitive and it rejects some but not all of
the strips as being over-voted (perhaps induced by stress in the
ripping process), how does one correctly revote?
Why the scheme does not even do what it claims.

The paper asserts that someone cannot sufficiently prove his or her
vote in order to sell it. And the paper asserts that a coercer could
not reconstruct a ballot sufficiently to threaten a person. Both of
those seem to be incorrect

I'm not a big fan of coercer-type arguments since they tend to rely
on what one considers far-fetched or not. But since I live in a
community where it really goes on (indeed folks are charged with it
in just the last election) my threshold is perhaps lower than others.
How to coerce a vote:
To coerce someone’s vote, perfect reconstruction is not necessary; it
only necessary that the vote reconstructed is sufficiently plausible
as to warrant a threat to the voter's ballot secrecy.

Scheme 1
The scheme requires that the ballot must be cast after the red stripe
is painted on it. Therefore a camera-phone photo of such a ballot is
a perfect proof of vote.

Scheme 2
The voter writes down all three ballot-ID numbers. These can then be
looked up on the web to obtain the vote. Note that the voter cannot
simply make up some random numbers because the probability those ID
numbers would form a correct ballot triple is too low. Nor can they
feign forgetting the numbers because they won't get their reward, or
alternatively escape punishment without them.

Scheme 3:
The voter is told the patterns to vote all three ballot channels and
which channel to take home. Since all ballots are public record, the
coercer simply looks up to see if all three parts of the ballot are
present. The voter cannot count on the unlikely coincidence that
another voter will vote in such a way that would supply the missing
pieces in the public record. If they are absent he is punished. The
coercer can up his odds of detecting misbehavior by giving the voter
unusual channel sequences to use, or an unusual race selection in of
major races (like voting both ultra-liberal and ultra-conservative
parties, along with write-ins.) The desired patterns can be made
virtually unique by the coercer.

Scheme 4:
It hardly needs saying that a large quantity voters, who have never
heard of Exclusive-OR logic, will not understand how the logic of the
process works to protect the secrecy of their vote. And indeed those
folks are most likely concentrated in sub populations most prone to
coercion through belief the receipts and web pages will reveal their
vote. Moreover, they might even be right. How do I know that the
printed or stamped ID numbers are not embedded codes linking my
ballots? If stickers or barcodes are used how do I know the counting
machine is not recording the sets?

How to sell votes.
Vote selling can re-cycle the first three methods above. It has the
delicious added benefit that the 3ballot facilitates rather than
hinders vote selling because with the 3ballot it’s not needed to pre-
arrange or even meet with the buyer since all the votes are
published. For example, to sell your vote, just give the three ID
numbers or the three vote patterns. They can be looked up on the web
to see if the ID numbers form a valid vote triplicate or if the
patterns exist. Indeed you don't even need to meet the buyer, just
email the ID numbers to the offshore account in china, and a third
party e-mails you back a gift certificate for the Bruce Springsteen
concert once the votes are published and they can validate your votes
pattern. It's not even illegal for the buyer to offer this--no
Chinese are laws broken.

The paper asserts that someone cannot vote "extra" times. This is
appears to be incorrect.
How to make your vote count twice:
The voter fills out the 3ballot with a normal vote pattern. The
"checker" checks the ballot, finds it good, paints it with a red
stripe, and trisects it. Now the voter then simply fills in one more
oval on each on his preferred candidates (so that now all three
channels contain a vote for those people). These are then inserted
as usual into the ballot counter which, as asserted in the paper,
does not associated the ballots with each other but simply counts
them. (Indeed that designed-in unawareness was the whole point of
trisecting the ballot prior to casting the channels)
How to make your vote count triple:
Somewhat more laboriously, after receiving the red-stripe of
goodness, the voter can also erase one oval from each candidate you
do not wish to vote. Which is the dubious language of the paper would
be recorded as two votes against the opposing candidates, which is
net equivalent to two more votes for your candidate.

Another way to triple your vote
Despite a policy against it, it's going to be a practical
impossibility to prevent people from leaving the polls with Red-
striped but uncast ballots. Once a single one of these is in the
wild, these can be used to triple a vote as follows. Put the
purloined ballots in your jacket. Vote a legitimate ballot and get
it red-striped. Then mix and match your ballot strips with the
purloined one to obtain the desired vote-tripling combination for
your favorite candidate. Take the 3 left over strips, and hand them
to the next guy outside the poll and it's a self-propagating system.
This is similar to chain voting coercion except here it's cooperative.

Round up of other issues:
The complex features of the system require more stringent controls on
many other aspects of the voting and layers further complexity to
provide this. In other cases false assumptions over the degree of
execution of poll policies are assumed and consequently the promised
claims are not deliverable in practice. Here is a sampler.
Vulnerabilities if ballots stocks are not kept in tight control
A large part of the security envisioned vanishes if voters give away
their receipts in large numbers or if even one of the ballot stocks
is in the wild. Since the proposed schema relies on administrative
controls and voter education to control this, it’s important to
question the validity of those assumptions.
Red stripe confusion and poll bolters:
The scheme requires the 3ballot is cast if a red stripe is on it.
("Once the red stripe is there, the multi-ballot must then be cast,
as three separate ballots (This is enforced by procedures at the
poll)". Does anyone seriously think that if the voter spots an
error on a red stripe ballot they would go through with casting it?
Even if offered the enticing chance to mark all 360 choices yet
again, they might simply bolt with ballot in hand. Even with
conventional paper ballots, even though it presents only minimal
hazards, voters are not supposed to leave the polls with an intact
ballot, but in practice this happens all the time. You just can't
stop them. Indeed this happens so frequently that Denise Lamb, the
former head of NASED, used this in our debates exchanges as her
(illogical) "reason" why paper ballots were bad compared to
electronic voting.

Voters giving away their receipts:
A large part of the security envisioned vanishes if voters give away
their receipts in large numbers. To list just one threat modality:
an evil-doer who had the ability to electronically manipulate the
vote, could safely change the votes of people who had turned over
their receipts without fear of detection. With many elections
decided by a handfuls of votes that is not as far fetched a threat as
it might seem. But would voters do it? I would wager that nearly
every voter would hand over his or her ballot copy for a candy-bar,
beer, or lotto ticket. This assertion has been well tested: people
will hand over passwords for candy bars, and will plug USB sticks
found on the floor into computer, even at banks, where presumably
they have been cautioned like the voters were. One could almost
certainly get plenty of ballots by dumpster diving any trash cans
near the polling place.
Write-in complication
The paper says write ins would require the voter to write in the
candidate twice on two of the ballots, and check both write in
bubbles. 3Ballots write-in promotes chaos and legal problems.

First, it allows you to vote 3 times. It's well known that with
1ballots voters routinely forget to check the bubble next to the
write-in candidate. In parts of California there are proposals (if
not the law by now) that will require all ballots to be hand checked
for write-ins missing their checked bubble because the assumption is
that the voter intent is evident from the write-in. This won't work
with the 3ballot since I could simply write-in the candidate 3 times,
(while only marking two-ovals to get my red-stripe); during the hand-
scan my third unchecked ballot would be found without it's bubble
marked and by the voter-intent law I'd get my third vote.

Second, the supposedly simple voting rules (one mark = a negative
vote, and two marks= positive vote) break down for write-ins, where
an exception to the rule must be made. For example, what does one
mark in the write-in 3ballot mean? A single vote or a negative vote?
If you answer it means one positive vote then what happens if someone
writes-in a candidate whose name is also one of the printed ones?
Logically this breaks the pattern of a single vote being negative.
You would have to require some additional logic, like if you vote at
all for a write-in you cannot mark just one oval. Yes you can figure
out a consistent logic--my point was that it breaks the vote pattern
both for the voter and for any hand counting.

Third, it's illegal under present laws. Currently, despite what you
might wish, the law almost everywhere is you vote one full vote or
none; you can't normally split a vote in a single choice race. Yet
the write-in system where you vote on two ballots allows the voter to
write-in different candidates on each channel, breaking this paradigm.

Ballot stuffing immunity is not enhanced

The paper asserts that it is somehow more immune to adding ballots
than normal schema: "An adversary can't increase the number of
ballots on the bulletin board without simultaneously increasing
putting more voter names on the bulletin board, which should be
detected by someone, somehow. (Grandma, did you really vote? Weren't
you sick that day?)" Empirically, this has never been a barrier to
any ballot stuffing.

First, most ordinary elections already maintain a poll book so the
same duplication control is in place, yet ballot stuffing has been
around since forever.

Second even with that poll book. If someone did notice grandma's name
there's no concrete negative proof she did not vote. In real
elections, Poll books contain numerous attribution errors, so even
she could prove it, in all likelihood the vote is valid but the poll
book is simply wrong. Election officials are wary of deleting votes,
so when it occurs that there are more votes cast than entries in the
poll book, they tend to assume the poll book was out of order, as
that happens commonly.

Third, the sad thing is that in practice it's less effective a
control than one might think. Whether it’s true or not, it's commonly
believed that the graveyard sometimes votes: where I live, it appears
that people do vote multiple times by impersonating others and don't
get caught. For example, you can go right now to the New Mexico
secretary of states web site and find multiple precincts with
significantly more votes counted than cast and vice versa. The point
is, not that this shouldn't be a big red flag, but the odd fact is
that it simply isn't in today's world. Yet the paper assumes it may
rely on this approach.

This is not a complete list of the problems. It's just a sample of
the holes it leaves open. No doubt some are plugged by myriad
variants, but then we have to deal with the layered complexity of
those and their burden on the process.

OVC-discuss mailing list

= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
Received on Sat Sep 30 23:17:06 2006

This archive was generated by hypermail 2.1.8 : Sat Sep 30 2006 - 23:17:08 CDT