The trouble with triples. (Was Three ballot voting system)

From: Charlie Strauss <cems_at_earthlink_dot_net>
Date: Tue Sep 26 2006 - 23:27:24 CDT

Sorry about reposting this, I corrected a few typos that reversed my
meaning.

Also I'll take the opportunity to remind folks of how triple
ballots work:

1) beside each name are 3 bubbles in a row
2) the voter marks one bubble to vote against the candidate
3) the voter marks 2 bubbles to vote for.
4) A checker machine checks to see if every candidate has one or two
marked bubbles and no race has more than one candidate with two
marked bubbles.
5) the checker adds a red stripe to the bottom, and slices the
ballot into three strips.
6) each separate ballot strip has a different random ID number.
7) the checker gives the voter a copy of one of the strips (her
choice which) to take home.
8) the voter inserts the 3 strips into a dumb optical scan machine
which counts each ballot like it was a regular conventional ballot.
9) All of the ballots cast and their ID numbers are published,
accessible to everyone

The Trouble with Triples:
Defects in the triple ballot (3ballot) scheme.
Charlie Strauss
Verified Voting New Mexico
Los Alamos, NM
cems@vvnm.org

A few of the problem types 3ballots create
A major construction fault of the disclosure paper is that it
presents a moving target for criticism; by presenting a myriad of
sometimes mutually exclusive variations in different sub parts, it
fails to hold up any one gold standard schema to deconstruct. So I
will have to critique aspects of it knowing that I cannot address
every possible permutation of the presented options. As a debate
tactic, I will assert it was the author's duty, not mine, to present
one self-consistent unflawed system as a straw man.

1) The schema does not do what it purports:
        a. It does allow people to triple vote.
        b. It actually facilitates vote selling.
        c. It does destroy secret balloting

2) It’s hideously complex for the voter to actually use, let alone
understand how the security is supposed to work.

        a. A modest sized 70 race ballot might need 360 marks to complete
        b. If just one mark is wrong, the entire ballot must be redone.
           Unlike a conventional ballot which allows the voter to choose to
           cast an overvoted or under voted ballot by ignoring the mismarked
           race, this is not allowed for the 3ballot because the counter will
           count overvotes as extra votes and under votes as negative.

3) The complex mechanics required (machines tearing ballots, or the
“shamos” engine) is assured to break down.

4) Unlike conventional paper ballots the voter cannot vote if the
“checker machine” malfunctions, as voting machines have been known
to do. The process stops.

5) It’s got lots of ill-considered issues such as the logic bomb of
write-ins, people escaping with marked but not cast ballots, and
security holes caused by mixing 1ballots with 3 ballots.

I will now give examples in these areas.

Technical problems aside, the 3ballot is hideously complex for the
voter.

To vote a single 5-person race in a conventional ballot (a.k.a
1Ballot) requires one mark, and the voter can tell at a glance it was
done correctly. Whereas a 3ballot for the same requires six marks and
takes more than a glance to consistency check. A modest sized ballot
with 70 contests and questions, say 10 five-way races, 30 four-way
races, 30 three-way races, and 10 two-way, would require 360 marks
instead of 70. (50+10+120+30+90+30+20+10)

On a conventional 1ballot, a casual observer might guess that it
would be nearly foolproof for a voter to accidentally overvote since
one makes just a single mark per contest. Yet the reality is that
voters routinely over and undervote. Some trustworthy estimates put
the mean mis-mark rate on the order of 1%.

One can only imagine how difficult it would be not to make a single
mis-mark on the 3ballot. Indeed, even if the 3ballot's mark error
rate were as low as it is on a 1ballot, it would be statistically
unlikely that most people could ever complete a practical 360-mark
3ballot without an error. In reality, I would assume that the mark
error rate with such complex and hard to eyeball patterns would be
drastically higher and thus compounding the problem exponentially
(literally by the factorial, if we assumed mostly uncorrelated errors).

The 3ballot requires complete perfection of every mark
On a conventional 1ballot, in the event the voter overvotes and the
ballot is spit out with a beep, it's a matter of a moment to find the
offending race. Finding the offending logic bomb on a 3ballot would
be a matter of study, quite possibly beyond the grasp of many voters.

Moreover on a 1ballot the voter has the option of simply casting the
over/under marked ballot and simply having the offending race
disqualified. This is not possible on the 3ballot. If the races are
not marked consistently the voter is not allowed to vote ANY of the
ballot since it would allow the voter to vote 3 times for any
candidate. Thus all 360 marks must be made with complete
perfection. That’s a hideous burden.

Likewise if the critical ballot-checker malfunctions no one can vote
with the 3ballot and the election stops. It’s not safe to separate
the ballots before approved by the vote-checker. That would allow
triple voting. If one mixed emergency 1ballots with the 3ballots
security holes appear.

It also pretty much forecloses any simple method for implementing the
most desired forms of ranked preference voting. Likewise I point out
the anticipatable confusion that will arise in races where one can
vote for several candidates in a given race (e.g. common for
choosing county council races).

  If it were implemented on current and legacy optical scan machines
confusing technical glitches will ensue. For example, with the
3ballot layout you cannot have multiple races spread horizontally
since the triplication consumes that ballot real estate. This will
effectively triple the number of ballot pages. With present
machinery, anything longer than 2 pages is a non-trivial increase in
complexity for both the voter, and for the accounting in the voting
machine (e.g. policies must consider what happens if page 1 is
accepted but page 3 is rejected). With the triple ballot new
daunting problems arise. For example, imagine a ballot that has
passed the “checker machine” and all 3, 6 or 9 strips are into the
ballot counting machine. If the ballot counting machine is slightly
more sensitive and it rejects some but not all of the strips as being
over-voted (perhaps induced by stress in the ripping process), how
does one correctly revote?

Why the scheme does not even do what it claims.

The paper asserts that someone cannot sufficiently prove his or her
vote in order to sell it. And the paper asserts that a coercer could
not reconstruct a ballot sufficiently to threaten a person. Both of
those seem to be incorrect.

I'm not a big fan of coercer-type arguments since they tend to rely
on what one considers far-fetched or not. But since I live in a
community where it really goes on (indeed folks are charged with vote
buying in the last election) my threshold is perhaps lower than others.

How to coerce a vote:
To coerce someone’s vote, perfect reconstruction is not necessary;
it is only necessary that the vote reconstructed is sufficiently
plausible as to warrant a threat to the voter's ballot secrecy.

Scheme 1
The 3Ballot system security requires that the ballot must be cast
after the red stripe is painted on it by the "checker" machine. Thus
there is a time when the voter still possesses the striped but not yet
cast ballot. Therefore a camera-phone photo of such a ballot is a
perfect proof of vote.

Scheme 2
The voter writes down all three ballot-ID numbers. These can then be
looked up on the web by the coercer to obtain the vote. Note that
the voter cannot simply make up some random numbers because the
probability those ID numbers would form a valid self-consistent
ballot triple is too low. Nor can they feign forgetting the numbers
because they won't get their reward, or alternatively escape
punishment without them.

Scheme 3:
The voter is told the patterns to vote all three ballot channels and
which channel to take home. Since all ballots are public record, the
coercer simply looks up to see if all three parts of the ballot are
present. The voter cannot count on the unlikely coincidence that
another voter will vote in such a way that would supply the missing
pieces in the public record. If they are absent he is punished. The
coercer can up his odds of detecting misbehavior by giving the voter
unusual channel sequences to use, or an unusual race selection in
major races (like voting both ultra-liberal and ultra-conservative
parties, along with write-ins.) The desired patterns can be made
virtually unique by the coercer.

Scheme 4:
It hardly needs saying that a large quantity of voters, who have never
heard of Exclusive-OR logic, will not understand how the logic of the
process works to protect the secrecy of their vote. And indeed those
folks are most prone to coercion through the mistaken belief the
receipts, web pages, or a buddy of the coercer at city hall could
reveal their vote. Moreover, they might even be right. How do I
know that the printed or stamped ID numbers are not embedded codes
linking my ballots? If stickers or barcodes are used how do I know
the counting machine is not recording the sets?

How to sell votes.
Vote selling can re-cycle the first three methods above. It has the
delicious added benefit that the 3ballot facilitates rather than
hinders vote selling because with the 3ballot it’s not needed to pre-
arrange or even meet with the buyer since all the ballots will be
published. For example, to sell your vote, just give the three ID
numbers or the three vote patterns. These can be looked up on the
web by the buyer to see if the ID numbers form a valid vote
triplicate or if the patterns exist. Indeed you don't even need to
meet the buyer, just email the ID numbers to the offshore account in
China, and a third party e-mails you back a gift certificate for the
Bruce Springsteen concert once the votes are published and they can
validate your ballot triplicate exists. It's not even illegal for
the buyer to offer this--no Chinese laws are broken.

The paper asserts that someone cannot vote "extra" times. This
appears to be incorrect.

How to make your vote count twice:
The voter fills out the 3ballot with a normal vote pattern. The
"checker" checks the ballot, finds it good, paints it with a red
stripe, and trisects it. Now the voter then simply fills in one more
oval on each of his preferred candidates (so that now all three
channels contain a vote for those people). These are then inserted
as usual into the ballot counter which, as asserted in the paper,
does not associate the ballots with each other but simply counts
them. (Indeed that designed-in unawareness was the whole point of
trisecting the ballot prior to casting the channels)

How to make your vote count three times:
Somewhat more laboriously, after receiving the red-stripe of
goodness, the voter can also erase one oval from each candidate he
opposes. As a result, in the dubious language of the paper, this
would be recorded as two votes "against" the opposing candidates,
which is net equivalent to two more votes for your candidate.

Another way to triple your vote
Despite a policy against it, it's going to be a practical
impossibility to prevent people from leaving the polls with Red-
striped but uncast ballots. Once a single one of these is in the
wild, these can be used to triple the vote an unlimited number of
ballots as follows. Put the purloined ballots in your jacket. Vote
a legitimate ballot and get it red-striped. Then mix and match your
ballot strips with the purloined one to obtain the desired vote-
tripling combination for your favorite candidate. Take the 3 left
over strips, and hand them to the next guy outside the poll and it's
a self-propagating system. This is similar to chain voting coercion
except here it's cooperative.

Round up of other issues:
The complex features of the system require more stringent controls on
many other aspects of the voting and layers further complexity to
provide this. In other cases overestimates of the degree of
satisfactory execution of poll policy compliance are assumed and
consequently the promised claims are not deliverable in practice.
Here is a sampler.

Vulnerabilities if ballot stocks are not kept in tight control
A large part of the security envisioned vanishes if voters give away
their receipts in large numbers or if even one of the red-striped
ballot stocks is in the wild. Since the proposed schema relies on
administrative controls and voter education to control this, it’s
important to question the validity of those assumptions.

Red stripe confusion and poll bolters:
The 3ballot system requires the 3ballot is cast if a red stripe is
on it. ("Once the red stripe is there, the multi-ballot must then be
cast, as three separate ballots (This is enforced by procedures at
the poll)"). Does anyone seriously think that if the voter spots an
unintended vote for the wrong candidate on a red stripe ballot they
would go through with casting it? Even if offered the enticing
chance to mark all 360 choices yet again, they might simply bolt with
ballot in hand. Even with conventional paper ballots, even though it
presents only minimal hazards, voters are not supposed to leave the
polls with an intact ballot, but in practice this happens all the
time. You just can't stop them. Indeed this happens so frequently
that Denise Lamb, the former head of NASED, used this in our debate
exchanges as her (illogical) "reason" why paper ballots were bad
compared to electronic voting.

Voters giving away their receipts:
A large part of the security envisioned vanishes if voters give away
their receipts in large numbers. To list just one threat modality:
an evil-doer who had the ability to electronically manipulate the
vote, could safely change the votes of people who had turned over
their receipts without fear of detection. With many elections
decided by a handful of votes that is not as far fetched a threat as
it might seem. But would voters do it? I would wager that nearly
every voter would hand over his or her ballot copy for a candy-bar, a
beer, or lotto ticket. This assertion has been well tested: people
will hand over passwords for candy bars, and will plug USB sticks
found on the floor into computers, even at banks, where presumably
they have been cautioned like the voters were. One could almost
certainly get plenty of receipts by dumpster diving any trash cans
near the polling place.

Write-in complication
The paper says write-ins would require the voter to write in the
candidate twice on two of the ballots, and check both write-in
bubbles. This will create chaos and legal problems.

First, it will allow you to vote twice in some states. It's well
known that with 1ballots voters routinely forget to check the bubble
next to the write-in candidate. In parts of California there are
proposals (if not the law by now) that will require all ballots to be
hand screened for write-ins missing their checked bubble because the
assumption is that the voter's intent is evident from the write-in.
This won't work with the 3ballot since I could simply write-in the
candidate 3 times, (while only marking two-ovals to get my red-
stripe); during the hand-scan my third unchecked ballot would be
found without its bubble marked and by the voter-intent law I'd get
my extra vote. Conversely if the law were repealed, then many people
would make the very mistake the law seeks to correct, and actually
vote against their candidate.

Second, the supposedly simple voting rules (one mark = a negative
vote, and two marks= positive vote) break down for write-ins, where
an exception to the rule must be made. For example, what does one
mark in the write-in 3ballot mean? A single vote or a negative vote?
If you answer it means one positive vote then what happens if someone
writes-in a candidate whose name is also one of the printed ones?
Logically this breaks the pattern of a single vote being negative.
You would have to require some additional logic, (like if you vote at
all for a write-in you cannot mark just one oval). Yes you can
figure out a consistent logic--my point was that it breaks the
supposedly simple vote pattern logic both for the voter and for any
hand counting.

Third, it's illegal under present laws. Currently, despite what you
might wish, the law almost everywhere is you vote one full vote or
none; you can't normally split a vote between two candidates in a
single choice race. Yet the write-in system where you vote on two
ballots allows the voter to write-in different candidates on each
channel, breaking this paradigm.

Ballot stuffing immunity is not enhanced

The paper asserts that it is somehow more immune to adding ballots
than normal schema: "An adversary can't increase the number of
ballots on the bulletin board without simultaneously increasing
putting more voter names on the bulletin board, which should be
detected by someone, somehow. (Grandma, did you really vote? Weren't
you sick that day?)" Empirically, this has never been a high barrier
to ballot stuffing.

First, most ordinary elections already maintain a poll book so the
same duplication control is in place, yet ballot stuffing has been
around since forever.

Second, even with that poll book, if someone did notice grandma's name
there's no concrete negative proof she did not vote. In real
elections, poll books contain numerous attribution errors, so even
if she could prove she was there, in all likelihood the vote really
is legitimate but the poll book simply has the wrong name (Granny
Smith instead of Granny Smyth). Election officials are wary of
deleting votes, so when it occurs that there are many more votes cast
than entries in the poll book, they still tend to assume the poll
book was out of order, as that happens commonly.

Third, the sad thing is that in practice it's less effective a
control than one might think. Whether it’s true or not, it's
commonly believed that the graveyard sometimes votes. You can go
right now to the New Mexico secretary of state's web site and find
multiple precincts with significantly more votes counted than cast
and vice versa. The point is, not that this shouldn't be a big red
flag, but the odd fact is that it simply isn't in today's world. Yet
the paper assumes it can rely on this approach.

This is not a complete list of the problems. It's just a sample of
the holes it leaves open. No doubt some are plugged by myriad
variants, but then we have to deal with the layered complexity of
those and their burden on the process.


_______________________________________________
OVC-discuss mailing list
OVC-discuss@listman.sonic.net
http://lists.sonic.net/mailman/listinfo/ovc-discuss

==================================================================
= The content of this message, with the exception of any external
= quotations under fair use, are released to the Public Domain
==================================================================
Received on Sat Sep 30 23:17:06 2006
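
Added example, not part of the message above or of the 3ballot paper: a small Python model of the marking rule, the checker's test (step 4) and the unlinked strip-by-strip count (step 8), showing that only the checker enforces the one-or-two-marks rule, plus the mark count for the race mix given in the post. The function names, the sample race, the "net votes = marks minus number of voters" tally and the independent 1% per-mark error rate are assumptions made for illustration.

```python
from collections import Counter

STRIPS = 3  # three bubbles per candidate, one on each strip

def fill(candidates, choice):
    """Mark every candidate once and the chosen candidate twice (steps 1-3)."""
    ballot = {}
    for i, name in enumerate(candidates):
        row = [False] * STRIPS
        row[i % STRIPS] = True                 # the single "against" mark
        if name == choice:
            row[(i + 1) % STRIPS] = True       # second mark = vote for
        ballot[name] = row
    return ballot

def checker_ok(ballot):
    """Step 4: every row has 1 or 2 marks, at most one row in the race has 2."""
    counts = [sum(row) for row in ballot.values()]
    return all(c in (1, 2) for c in counts) and counts.count(2) <= 1

def tally(ballots):
    """Count marks strip by strip with no link between strips (step 8).

    Assumption: net votes = marks minus number of voters, since every
    valid ballot carries one baseline mark per candidate.
    """
    marks = Counter()
    for ballot in ballots:
        for name, row in ballot.items():
            marks[name] += sum(row)
    return {name: n - len(ballots) for name, n in marks.items()}

def marks_needed(race_sizes):
    """One mark per candidate plus one extra for the chosen candidate."""
    return sum(k + 1 for k in race_sizes)

def p_clean(marks, error_rate):
    """Chance of zero mis-marks, assuming independent per-mark errors."""
    return (1 - error_rate) ** marks

# Race mix from the post: 10 five-way, 30 four-way, 30 three-way, 10 two-way.
POST_RACES = [5] * 10 + [4] * 30 + [3] * 30 + [2] * 10

if __name__ == "__main__":
    names = ["Ann", "Bob", "Cy"]               # constructed sample race
    good = [fill(names, "Ann"), fill(names, "Ann"), fill(names, "Bob")]
    print(all(checker_ok(b) for b in good), tally(good))
    # Rows that break the rule: the count cannot notice, only the checker can.
    bad = fill(names, "Ann")
    bad["Ann"] = [True, True, True]
    bad["Bob"] = [False, False, False]
    print(checker_ok(bad), tally([bad]))
    print(marks_needed(POST_RACES), round(p_clean(360, 0.01), 3))
```

In this model the count is correct only for ballots that satisfy `checker_ok` at the moment the strips enter the counter, which is why the post treats the interval between red-striping and casting as the critical control point.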
