Verified Voting Blog: An unverifiability principle for voting machines | Andrew Appel

This article was originally posted at Freedom to Tinker on October 22, 2018.

In my last three articles I described the ES&S ExpressVote, the Dominion ImageCast Evolution, and the Dominion ImageCast X (in its DRE+VVPAT configuration).  There’s something they all have in common: they all violate a certain principle of voter verifiability.

  • Any voting machine whose physical hardware can print votes onto the ballot after the last time the voter sees the paper,  is not a voter verified paper ballot system, and is not acceptable.
  • The best way to implement this principle is to physically separate the ballot-marking device from the scanning-and-tabulating device.  The voter marks a paper ballot with a pen or BMD, then after inspecting the paper ballot, the voter inserts the ballot into an optical-scan vote counter that is not physically capable of printing votes onto the ballot.

The ExpressVote, IC-Evolution, and ICX all violate the principle in slightly different ways: the IC-Evolution is a single machine that accepts hand-marked paper ballots (but can then make more marks on them); the ExpressVote, in one configuration, is a ballot-marking device (but after you verify that it marked your ballot, you insert it back into the same slot that can print more votes on the ballot); and the ICX configured as DRE+VVPAT can also print onto the ballot after the voter inspects it.  In fact, almost all DRE+VVPATs can do this:  after the voter inspects the ballot, print VOID on that ballot (hope the voter doesn’t notice), and then print a new one after the voter leaves the booth.

It is to obey this principle that we should separate ballot marking devices from ballot scanning/tabulation devices (better known as “optical scanners”).  Here’s my favorite ballot-marking device:

But here are some other acceptable BMDs (from ClearBallot, ES&S, Hart, Dominion, and Unisyn):


Any of these can mark a paper ballot to be inserted in a separate optical-scanner.  You might notice that the second picture is an ExpressVote, which if used as an all-in-one unit that both marks and scans the ballot,  violates the principle.  But if used as a nonscanning, nontabulating ballot-marking device, and if the tabulating optical scanner cannot mark votes onto the ballot,  then the ExpressVote (and similar machines) can safely be used as a BMD.

“… whose physical hardware …”

I stated the principle as, “Any voting machine whose physical hardware can print votes onto the ballot after the last time…”  That’s quite different from “Any voting machine that can print votes onto the ballot after the last time…”

What’s the difference?  Those two statements might seem equivalent, but they’re not.

All-in-one voting machines such as the Dominion ImageCast Evolution and the ES&S ExpressVote have software that, to the best of our knowledge, doesn’t cheat.  Their software passes inspection by an EAC-certified laboratory, and we hope that such labs would notice if there were a part of the program that printed votes on an already-marked ballot.  So it’s fair to say that, as shipped from the manufacturer, neither of these machines can print votes onto an already-marked ballot.

But the problem is, the software can be replaced by unauthorized software that behaves differently.  That unauthorized replacement, we call “hacking.”  The unauthorized software can send instructions to the physical hardware of the machine: motors, scanners, printers, indicator lights, and so on.  Anything that the voting machine’s physical hardware can do, the fraudulent software can tell it to do.

Optical scanners that mark serial numbers on the ballot

I stated the principle as, “Any machine whose physical hardware can print votes onto the ballot after the last time…”  That’s quite different from, “Any machine whose physical hardware can print onto the ballot after the last time…”

What’s the difference?  Those two statements might seem equivalent, but they’re not.

Ballot-comparison audits are one form of risk-limiting audit (RLA) that can be particularly efficient.  The idea is: the optical-scan voting machine produces a file of Cast-Vote Records (CVRs) that contains a commitment to the contents and interpretation of each individual paper ballot.  It must be possible to link each CVR to one particular piece of paper, otherwise a ballot-comparison audit is not possible.  One cannot link CVRs to paper ballots unless the paper ballot has some sort of serial number, either preprinted (before it goes through the optical scanner) or printed afterward (perhaps as it goes through the optical scanner).   Because most voting equipment in use today does not have this capability, ballot-comparison audits cannot be used with that equipment, and other RLA methods are used, such as ballot-polling audits or batch-comparison audits.

There’s a problem with putting serial numbers on the ballot that the voter can see: it weakens the secret ballot, because now the voter can remember the serial number, and prove how she voted; thus she can be bribed or coerced to vote a certain way.  Therefore, some jurisdictions may be reluctant to use preprinted serial numbers.

So there are reasons that we might wish to allow optical-scanners to print serial numbers onto the ballot, but the optical scanner must not be physically able to print votes onto the ballot — that would violate the verifiability principle I stated at the beginning.

One solution to this problem is to equip the optical scanner with a printer that is physically able to print only within 1 centimeter of the edge of the paper.  As long as no vote-marks are expected at the edge of the paper, the scanner can print onto the ballot but cannot print votes onto the ballot.
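Whether a given ballot layout actually satisfies that condition depends on where the vote targets sit relative to the imprint band. The following is an added example of mine (not code from Appel’s post or from any vendor) that takes a page size, an assumed imprint margin, and a list of vote-target rectangles, all in millimetres, and reports whether the scanner’s physical print reach touches any target; the `slop` parameter is my own assumption, modelling paper skew and feed misregistration.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rect:
    """Axis-aligned rectangle in millimetres; origin at the page's top-left corner."""
    x: float
    y: float
    w: float
    h: float

    def intersects(self, other: "Rect") -> bool:
        # Strict inequalities: rectangles that merely touch along an edge do not overlap.
        return (self.x < other.x + other.w and other.x < self.x + self.w
                and self.y < other.y + other.h and other.y < self.y + self.h)


def imprint_zones(page_w: float, page_h: float, margin: float, slop: float = 0.0) -> List[Rect]:
    """The four edge strips the scanner's imprinter can physically reach.

    `margin` is the printable band along each edge (1 cm in the post's example);
    `slop` (assumed) widens it to allow for skew and feed misregistration.
    """
    reach = margin + slop
    return [
        Rect(0.0, 0.0, page_w, reach),              # top edge
        Rect(0.0, page_h - reach, page_w, reach),   # bottom edge
        Rect(0.0, 0.0, reach, page_h),              # left edge
        Rect(page_w - reach, 0.0, reach, page_h),   # right edge
    ]


def reachable_targets(page_w: float, page_h: float, margin: float,
                      targets: List[Rect], slop: float = 0.0) -> List[Rect]:
    """Vote targets that lie (even partly) inside the imprinter's reach."""
    zones = imprint_zones(page_w, page_h, margin, slop)
    return [t for t in targets if any(t.intersects(z) for z in zones)]


def scanner_can_print_votes(page_w: float, page_h: float, margin: float,
                            targets: List[Rect], slop: float = 0.0) -> bool:
    """True if the imprinter could reach a vote target, i.e. the layout violates the principle."""
    return bool(reachable_targets(page_w, page_h, margin, targets, slop))


# Constructed sample layouts: US Letter page (215.9 x 279.4 mm), 10 mm imprint band.
LETTER_W, LETTER_H = 215.9, 279.4
SAFE_LAYOUT = [Rect(20.0, 60.0 + 8.0 * i, 8.0, 4.0) for i in range(20)]   # column of ovals well inside the page
EDGE_LAYOUT = SAFE_LAYOUT + [Rect(5.0, 100.0, 8.0, 4.0)]                # one oval intrudes into the 10 mm band
BOUNDARY_LAYOUT = SAFE_LAYOUT + [Rect(10.0, 100.0, 8.0, 4.0)]           # oval starts exactly at the band's inner edge
```

With `slop=0.0` the boundary layout passes, but a 2 mm misregistration allowance flags it, which is the check a layout reviewer would want before trusting the "edge only" argument.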

Two widely used central-count optical scanners from major voting-machine manufacturers both have this capability: the Dominion ImageCast Central and the ES&S DS850.  Jennifer Morrell informs me, “So far, Dominion’s CVR is the only one I’ve seen where the imprinted ID can be formatted to indicate a specific scanner, batch, and sequence number within the batch.”  That is, the cast-vote record of Dominion’s central-count op-scanner has not just a serial number, but an identifier whose design is particularly helpful in ballot-comparison audits.

“… the voter inserts the ballot …”

Some voters have motor disabilities that make it difficult or impossible for them to physically handle a paper ballot.  Some voters have visual impairments and cannot see a paper ballot.  For those voters, polling places that use optical-scan voting can (and do) provide ballot-marking devices (such as the ones shown in the pictures above) that have audio interfaces (for blind voters) or sip-and-puff interfaces (for quadriplegic voters).

But after they use the BMD to mark their ballot, some of these disabled voters are physically unable to take the ballot from the BMD and insert it into the optical scanner.  For those voters, an advantage of DRE+VVPAT or all-in-one voting machines is that they don’t have to handle a paper ballot.

When the ballot-marking device is separate from the optical scanner, those voters will need the assistance of a pollworker to insert their ballot into the optical scanner (or, when central-count optical scanning is used, into the ballot box).  This seems necessary: the security hazards of all-in-one voting machines (the unverifiability of scanners that can print more votes onto the ballot) outweigh the convenience of an all-in-one voting machine.

Source: An unverifiability principle for voting machines.
