CCC’s 25C3 and e-voting: Man versteht das was man kennt

January 6th, 2009 by Aleks Essex in : Concepts in E2E, Voting Problems

Question: With respect to voters’ ability to comprehend the process, which voting system was deemed too complicated to understand?

Was it:

a) Ulrich Wiesner’s assessment of Punchscan, ThreeBallot and BingoVoting at the recent Chaos Communication Congress (25C3),

or,

b) Ontario voters’ recent assessment (via referendum) of the proposal to switch electoral systems to one modeled after Ulrich Wiesner’s country’s version of mixed-member proportional representation?

The answer is both.

So, it’s another year and another “my grandma can’t understand your system” debate. Well hopefully, dear reader, you will find some value in pushing back against an argument that underwrites the ignorance of crowds.

With respect to the various e2e systems Wiesner profiles, he concludes that:

“Even if cryptography fixes auditability, transparency remains an issue as the methods are too complex.”

But who decides what’s too complex, and what’s understandable? I think this is a fair question, because the fact is 60 million Germans somehow manage to understand a voting system that 3 million Ontarians convinced themselves they could not.

Ich werde sagen dass man versteht das was man schon kennt.

Of course I apologize to those readers who do not understand German. I’m sure it’s because it’s too complex for you, and not that you didn’t just happen to marry a nice German girl like I did.

The point is “understandability” is as much about what you already know as anything. There’s really no Platonic absolute. Often something’s not foreign if you grew up with it. Consider our German friends who are required to pay a $10/month tax to be allowed to own an FM radio!

Even so, the “it’s too complicated” argument is not lost on this field and its researchers, as is demonstrated by a clear evolution in the work. Wiesner recounts some of the two-year-old criticisms, but discounts its progress since. Nevertheless, it’s evolving. It’s getting simpler. Why, we’re even writing a paper in which we show how to verify an e2e election with nothing but a spreadsheet such as OOo Calc — something we know the German government can understand.

“The academic world is where this should remain.”

Well, prepare to be disappointed! We hope to be seeing some high profile e2e elections this year. Ben Adida and the Louvain team are bringing Helios to 25,000 students. The Scantegrity team will be making an announcement about an election soon as well.

“We can continue to use hand counting and have full transparency of what’s happening”

Consider that paper-ballots cannot comprehensively address the needs of visually impaired voters. It’s also not universally verifiable–you cannot personally oversee all chains of custody at all times. I know as well as anyone who’s worked in such an election. It’s a pretty darn good system, but the notion of “full transparency” is a utopian fantasy.

Nevertheless Scantegrity was designed to incorporate a full, hand-countable, paper trail. Something to mention at the upcoming 26C3, I hope!

How many politicians does it take to ElGamal encrypt a lightbulb?

December 4th, 2008 by Aleks Essex in : Concepts in E2E, Voting Goals

Methods for performing end-to-end election verification without the use of public key cryptography have existed for several years now: Punchscan, Scantegrity I/II, ThreeBallot, VaV, Twin, Aperio.

Conversely, end-to-end proposals that are based on public key systems remain an active area of research: VoteBox and Helios to name a few.

I have spent many a quiet evening reading such papers and pondering their respective merits. In my experience the public key systems have enjoyed more prominence in the academic setting of conferences as their underlying concepts are rich and interesting in technical detail.

That said, I believe the aforementioned non-public key systems enjoy a fundamental advantage in two key areas:

  • Speed
  • Simplicity

The former is easy enough to measure. I place the spread in the two to three orders-of-magnitude range for tally verification. To be fair, even the non-public key systems (the ones implemented to date) are not instantaneous in execution—a few hundred ballots takes a few seconds. But when it takes as long to verify as it does to cook a turkey, it’s hard to imagine the public key approach being used by very many voters in a real-world public election environment.

The latter point is more difficult when it comes to assigning metrics. How can you directly compare two competing ideas for simplicity? Software lines-of-code is a popular metric, but whether doing large-number computations directly in a line of Python, versus making a single call to a Java crypto library, it’s clear that writing the code and teaching why it works are separate challenges.

As Adida rightly points out, homomorphic tallying isn’t a fundamentally impenetrable idea: it’s merely “tallying under the covers.” The notion is reasonably intuitive. Yet as Dan Wallach points out, a primer on ElGamal is not for the casual listener, and teaching the proofs is another matter altogether. Says he:

“My big question is whether we have a research challenge to invent progressively simpler systems that still have the right security properties, or whether we have an education challenge to explain that a certain amount of complexity is worthwhile for the good properties that can be achieved.”

If by “good properties” he means (for example) provable security then I would agree. If however we’re willing to forego this particular academic pursuit in order to have a semblance of real-time performance, as well as the abandonment of number theory from the discussion, then we can point to “progressively simpler” systems that have been tabled already.
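The “tallying under the covers” idea from this post, as an added Python example that is not part of the original post and not code from Helios or VoteBox: exponential ElGamal, where multiplying the encrypted ballots yields an encryption of the vote total, so only the total is ever decrypted. The group parameters are toy-sized and all function names are assumptions made for illustration; the zero-knowledge proofs that each ciphertext really holds a 0 or a 1 (the part Wallach says is hard to teach) are deliberately left out.

```python
import secrets

# Toy parameters chosen for readability only; real elections use 2048-bit+ groups.
P = 2039   # safe prime: P = 2*Q + 1
Q = 1019   # prime order of the subgroup of squares mod P
G = 4      # 2^2 is a square, so it generates the order-Q subgroup


def keygen():
    """Return (private x, public h = G^x mod P)."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(h, vote):
    """Encrypt a 0/1 vote 'in the exponent': (G^r, G^vote * h^r)."""
    if vote not in (0, 1):
        raise ValueError("vote must be 0 or 1")
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (pow(G, vote, P) * pow(h, r, P)) % P


def combine(ciphertexts):
    """Component-wise product of ciphertexts; the result encrypts the SUM of votes."""
    a, b = 1, 1
    for c1, c2 in ciphertexts:
        a, b = (a * c1) % P, (b * c2) % P
    return a, b


def decrypt_tally(x, ciphertext, max_votes):
    """Recover G^total, then find total by trying 0..max_votes (must stay below Q)."""
    a, b = ciphertext
    g_total = (b * pow(a, Q - x, P)) % P   # a^(Q-x) == a^(-x) because a^Q == 1
    acc = 1
    for total in range(max_votes + 1):
        if acc == g_total:
            return total
        acc = (acc * G) % P
    raise ValueError("tally outside expected range")


def tally_demo(votes):
    """Run a whole election: encrypt each vote, combine, decrypt only the total."""
    x, h = keygen()
    bulletin_board = [encrypt(h, v) for v in votes]
    return decrypt_tally(x, combine(bulletin_board), len(votes))


# Constructed sample ballots (1 = yes, 0 = no), not real election data.
SAMPLE_VOTES = [1, 0, 1, 1, 0, 0, 1]

if __name__ == "__main__":
    print("yes votes:", tally_demo(SAMPLE_VOTES))
```

Anyone can recompute `combine` from the published ciphertexts, which is the universally verifiable step; the cost the post refers to comes from the per-ballot modular exponentiations and proofs at real key sizes.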

If they were my ballots to count…

November 22nd, 2008 by Aleks Essex and in : Uncategorized

Over on Freedom to Tinker, Ed has some images of contested ballots from the Minnesota recount. Minnesota Public Radio offers a host of other images.

Minnesota law states:

“If a ballot is marked by distinguishing characteristics in a manner making it evident that the voter intended to identify the ballot, the entire ballot is defective.”

So the questions surrounding disputes fall down to what constitutes a distinguishing mark, and how can you distinguish intentional versus accidental identifying marks. That’s obviously one for the courts, but as the preliminary voting judge, you get to make the initial call.

Now, I’ve worked as the guy who makes the initial call whether to include or reject a ballot. It’s certainly true it’s not always clear cut. But on the other hand I think it should be incumbent upon the electoral body to clearly communicate to voters the basic ballot approval/rejection heuristic such that they can reasonably be expected to conform to it.

Elections Canada guide for counting ballots. [Left Columns] Acceptable ballots. [Right Columns] Rejectable ballots.


Now most of the ballots below were contested by representatives of the respective campaigns arguing the ambiguously marked ballot should be counted in their candidate’s favor.

To me, most of the challenged Minnesota ballots on the blog are clear cut. Obviously I’m not the one making the ruling, but if I was the voting judge on election night, here’s how I’d rule….

(Of the contested ballots appearing on Freedom To Tinker):

Specimen #1

Ambiguity: Two bubbles clearly marked, but one selection contains the text “NO” suggesting the voter may have meant to ‘cancel’ the mark for this candidate.

If it were mine to count: REJECT. Over vote–two bubbles are filled in. PERIOD.

Specimen #2

Ambiguity: One candidate’s bubble is fully filled in while another’s bubble is partially filled in. If you consider pigmentation density, it appears the voter wanted to vote for the first candidate more than the second.

If it were mine to count: REJECT. What? Pigmentation “Hamming weight”?! It’s an overvote.

Specimen #3

Ambiguity: One candidate is clearly voted for, but the words “Lizard People” are written into the write-in candidate space.

If it were mine to count: A valid vote for the candidate with the clear mark (and NOT for “Lizard People”). Why? Lizard People wasn’t marked. At all. Now some might say “but they made an identifying mark by writing in a name.” My response would be: “we’re soliciting identifying marks in the write-in space!” If it were written outside the write-in space, then it would be grounds for rejection as an identifying mark. But it doesn’t matter, because the voter didn’t make a mark in the BUBBLE. The bubble is where you indicate your intent, not in the bubble SUBURBS. Not in the Greater Bubble Area.

Specimen #4

Ambiguity: One bubble clearly marked, while another bubble is partially marked with a very clear finger print impression in black ink.

If it were mine to count: REJECT. To me the second bubble contains enough pigmentation to be an overvote due to the little dot/smudge in the lower right. For me, the fingerprint would also be a reason to reject it, for its very obvious identifying quality. But someone points out “but don’t we all leave fingerprints?” Well I would justify it by calling on the notion of “plain sight exception.” This fingerprint is imprinted in ink whereas what we’ll call ‘conventional fingerprints’ are invisible to the naked eye, requiring some kind of extra device/process to see.

In conclusion

Most of these disputed ballots have common themes: there’s a mark in more than one bubble, or an identifiable mark made on the ballot. Frankly, I’m surprised to see they’re disputed at all. But who’s to blame? The hapless voter? The overzealous campaigns?

In my opinion it’s up to the legislative body responsible for elections to define (and publicly communicate) what their standard is for ballot acceptance. While there will always be court cases over ambiguities in marked ballots, I’m sure it’s within the scope of legislation to codify most of the Minnesota disputes.

They should take a page from tort law. One person spills hot coffee, or sprays gasoline all over themselves, and suddenly there’s a warning label on every cup/pump in the nation and the hole is closed once and for all.

So why are recounts a legal Gong Show year in and year out?

My Day as an Election Judge in the 2008 Election

November 6th, 2008 by Richard Carback in : Elections, Voting Events

I had meant to post this yesterday, but I woke up not feeling well and spent the day in bed. I see that Ben Adida and Avi Rubin have already posted their experiences. Aleks Essex also posted his experiences a few weeks ago when he was a worker for the most recent Canadian election.

The chief judges invited all the site judges to meet up at the fire house the night before at 6:30 to make room for everything. We also plugged in the DREs, which you can conveniently do without opening the units. I didn’t ask, but the average age was likely in the 40s. We had 1 high school student who was 17, and my guess is that there was an even split between the 20-40 crowd and the 40+ crowd. There were 3 Republicans, and the rest were Democrats except for the unaffiliated high school student.

After we finished, the Chief Judges explained what would happen in the morning, and asked if there were any questions. The biggest concerns were potential turnout and if we’d get the extra machines we had up in time with the same number of judges as before. They also expressed concern about a technician showing up and staying for the whole day.

Getting Started

I woke up @ 4:30 and arrived a little after 5:30. Myself and another judge set up each DRE while 1-3 judges watched and recorded information. I recall it being a fairly simple process and working pretty well with the exception that the chief judge sometimes had trouble opening the printer compartment. I was a little concerned that the DREs, despite being plugged in all night, all registered only a 60-80% charge.

The electronic poll books were equally easy to set up although some instructions were confusing, telling the user not to plug the poll books into the UPS unit. I think what they meant is to plug a power strip into the UPS unit and then to plug the poll books into that strip, which is what the other judges decided to do.

Voting

Our longest line happened when we first opened the polls, which went all the way out the door and around the corner. People at the end of that line were still cheery, as they only ended up waiting approximately 15-20 minutes. We had a steady stream of people until about 10:30, which picked right up again at 11:00, and stayed mostly steady for the rest of the day with occasional 5-10 minute breaks in flow. Check-in time only took about a minute if you were listed in the poll book. I’m not totally sure, but I believe voting varied from 1-10 minutes, although some voters probably took longer.

I served as a voting unit judge for the whole day, which is all standing (my legs were killing me that night)! This involved taking a voter authority paper, initialing it, writing the unit number you gave the voter, getting the voter started on the machine, explaining how it worked (if necessary), and dropping the paper into an envelope on the side. The papers are tallied every hour, and the chief judges make rounds to verify the counts match the machine totals so far.

A majority of our 8 machines were in use for almost the whole day, and at the beginning and towards the end, we had periods of about an hour and a half where all of them were constantly in use. No one used the headset or keypad, although we did have a few voters who requested assistance or needed a chair. Many voters used the large text and apparently the button was not big enough as this was our most asked question.

Glitches

We had no major equipment failures during the voting day. The biggest equipment problem was that the smart cards were sometimes difficult for voters to get into the machine, which we solved by starting it in the machine for the voter, and letting him or her push it in until it snapped.

The other problems all involved the electronic poll books, which sported a confusing user interface to navigate. The judges managed and came up with troubleshooting steps. I was later told that a couple voters would not come up on the local polling site search, but when you went to the statewide search, they did and were registered at our local polling site.

I don’t know a specific number, but at least 15 people or so came in and had trouble during the check-in process. About half voted provisionally, and the rest either went to the correct polling place or admitted they knew they were not registered. I believe there might have been one person who walked out on us, which is really unfortunate. There needs to be a better way to deal with registration problems.

Although it mostly worked well for the vast majority of voters, a few voters were tripped up by the interface. At least one person asked me a question after having pressed cast ballot. Another couple asked why the judges question, a vote for 2 race, was red (because they had not voted for two candidates).

Ballot question wording was also an issue, and understandably so due to the legal language. A number of people called us over to ask me the meaning of various passages, and a few even to ask which answer was “yes”, and which was “no.” It would be best if the language were simple and clear.

Early in the day 1 voter complained about the privacy of the machines. We flipped down the screen for him so it faced the ceiling and told him we could angle the machine however he wanted. It turned out to be a more general problem because there was no curtain. That explains what happened later, when we got a call that someone complained that people were being watched as they voted, and someone from the central office came by to check in on us.

Lots of voters complained about the security of the machines. Some were curious why others did not think they were secure. I just tried to stay away from that discussion as much as possible.

Cleaning Up

At the end of the day, we had 1045 DRE voters, and 8 provisional ballot voters. The chief judges told us that the last major election had 300 out of about 1500-1600 registered voters for our precinct overall (about 200 voters per machine), which is a significant improvement in turnout over previous years.

We finished around 9:30. Tearing down was much worse than getting started, as you had to navigate through a bunch of menus that really didn’t need to be there. An “end election” button that printed the necessary information would have sped things up significantly. The accumulator machine did not recognize the modem, so results were phoned in and then the memory cards were driven back by both the chief judges.

Results

Poll-tape Results for our poll site (the English Consul Volunteer Fire Department, 13-8), were recorded by me as follows:

Candidate Totals
President
Obama/Biden 331
McCain/Palin 684
McKinney/Clemente 5
Barr/Root 2
Nader/Gonzalez 8
Baldwin/Castle 4
Write-In 8
Congressional District 03
Sarbanes 524
Harris 349
Write-In 5
Judicial Circuit 03
Bollinger 662
Stringer 500
Write-In 6
Judge, Court of Appeals, Appellate Circuit 02
Murphy Yes: 662, No: 152
Judge, Court of Special Appeals At Large
Eyler Yes: 675, No: 146
Zarnoch Yes: 627, No: 167
Statewide Ballot Questions
Q1 (Early Voting) Yes: 497, No: 445
Q2 (Slots) Yes: 696, No: 321
Local Ballot Questions
QA Yes: 363, No: 512
QB Excluded from ballot
QC Yes: 614, No: 317
QD Yes: 599, No: 320
QE Yes: 620, No: 291
QF Yes: 500, No: 396
QG Yes: 592, No: 307
QH Yes: 570, No: 319
QI Yes: 493, No: 402
QJ Yes: 535, No: 360
QK Yes: 597, No: 304

I hope I didn’t make a mistake. You may want to look at the ballot.

My 2008 Ballot

November 3rd, 2008 by Richard Carback in : Elections, Privacy, Voting Events
I vote in Maryland tomorrow. Here’s my ballot:
2008 Baltimore County Specimen Ballot


You can also download it in PDF. Only 2^44 unique marking patterns this time. Anyone want to determine how many legal patterns there are using my handy guide?

I’m also serving as an election judge. I’m looking forward to it.

Happy voting!

Election 2008 Scantegrity Survey

November 3rd, 2008 by Richard Carback in : Voting Events

Tomorrow Stefan and Emily will be giving out a Scantegrity-based survey to passers-by at their respective universities. We are hoping to get some interesting information out of this little experiment, as well as more data for testing purposes.

If you’re interested in the results (which will be posted on Wednesday), you may want to check out the website and sample ballot.

Now boys and girls, remember…

October 31st, 2008 by Aleks Essex in : Uncategorized

Job Opportunity: Research Officer in E-voting

October 31st, 2008 by Richard Carback in : Misc
From our friend Dr. James Heather:
Research Officer in E-voting (3.5 years, fully funded)

http://www.jobs.ac.uk/jobs/JT084/Research_Officer/

Department of Computing
University of Surrey, UK

The E-voting group at Surrey is looking for a Research Officer to work on an EPSRC-funded project on Trustworthy Voting Systems (EP/G025797/1), starting in January 2009.

This project, run in conjunction with Birmingham and Newcastle, is, to the best of my knowledge, the first time a public research council has approved funding on this scale to look at secure electronic voting. This is a huge opportunity to be part of a project that could affect how national elections are run in the future.

For more details, please follow the link above. I am more than happy to answer informal enquiries about the post.

James

Some voter confidence figures heading in

October 31st, 2008 by Aleks Essex in : Voting Events, Voting Problems


Source: CBS News

GWU Video Lecture on Scantegrity

October 30th, 2008 by Aleks Essex in : Concepts in E2E

Poorvi and Stefan have been busy bees promoting Scantegrity in the press recently. However some of the more important concepts can’t be captured in sound bytes. This is where the streaming video lecture medium comes into play:

For the general GW press page from this event, visit here.

Presentation slides: [PPT]


