Ok so the “even if they failed to follow instructions” part is new to my understanding. Obviously that changes things.

Perhaps then you can explain to me why under Minnesota law the voter, having soiled their ballot, can’t just request a new one.

Speaking as a guy who’s had to count these things: why should we have to play mind reader? This idea of divining voter intent from scrawlings often amounts to exactly that.

I mean who decides what’s obvious? “Sideshow Bob: explain that tattoo on your chest that says ‘Die Bart Die.’” “Oh, why that’s German for ‘the Bart, the.’”

I was at a car dealership last month, and the dealer was telling me an anecdote about how at another dealership, a dealer checked the “used” box in a particular sale contract. But his hand slipped, and some of the check mark spilled over into the “new” box. The buyer then sued that he wasn’t offered a new car at the used price. The intent was intuitively obvious… the contract was for a used car… but it was not legally obvious.

So how do you prevent lawsuits like that in the voting space? One way would be to ditch this law that says “even if they don’t follow instructions”.

If they were to lock it down, and disclaim it clearly, like in tort law, this enormous volume of disputes wouldn’t have to keep recurring every election.

“Under Minnesota law a ballot must be counted if it is possible to determine intent - even if the voter failed to follow instructions.”

When you focus on the bubbles to the point of ignoring a clear intention (e.g. “no” written next the name), you’re not following that rule. The first three you talk about are completely focused on whether the rules of bubble filling were followed without error. If the law says “even if the voter failed to follow instructions” that should mean all instructions. It seems like you’re saying intent trumps instructions, but only if intent is communicated by following the instructions? That doesn’t make sense.

The “identifying mark” issue is driving me up the wall because so many people are trying to take the rule into account without using it the way it was intended; to dissuade bribery. If someone marks a ballot by accident, then no one bribed them to pick a candidate and mark their vote. Of course they could be clever and make it look like a mistake, but the odds of a concerted bribery effort, embarked upon to change the results of the election, where enough people are compromised to make sure that people voted the way they were bribed, are so low, that these odds should be taken into account and the voter should be given the benefit of the doubt. I doubt that a single person marked their ballot because they were bribed or coerced, I just don’t think that method works in modern election systems.

Yes, this is the awful problem space we live in: people want a comprehensive solution with no change.

So we said, ok, most people use optical scanners, so we want to develop a solution to tie into that, without requiring new components, but in so doing, we inherit some of its limitations. What you describe is a limitation of optical scan.

What can we do about it? Well use Punchscan for one thing!!

But seriously though, at an administrative level it may be sufficient to say “if that’s not acceptable to you, you may need to be prepared to change some things.” We have some ideas, but they all require adding something:

-more cryptography
-more physical protection such as:
- -different forensically tagged pen inks
- -an clear adhesive overlay tape for voted ballots
- -over-printing of voter-made marks with digital signature barcodes

We’ll have to think about it some more, and get some feedback as to what people actually want, because as the Germans say, ‘kundin ist Koenig’ (customer is king).

Point taken.

BTW, Scantegrity II is apparently susceptible to unvoted issues (presumably on a multi-issue ballot, which is outside the scope of the paper) being fraudulently marked by a poll worker after the ballot is cast. Would this be addressed by having a required “no vote” bubble, or did you have something else in mind?

Thought I’d chime in on this point:

>> I agree, but in my estimation, the informational mechanism proposed is virtually guaranteed to result in poll workers erroneously releasing large populations of audit ballots with both status authentication codes intact.

Choosing the informational model over the chit-stamping models is definitely a cost-benefit decision. The benefits are convenience for the voter filing the dispute and anonymity. The latter was our main motivation, since we want a model that can be used in hostile voting environments, where a voter may be persecuted for challenging the election authority. The costs of the model, as you point out, are increased complexity for poll workers.

The paper doesn’t conclusively advocate one model or the other for two reasons: (1) the decision is situational and (2) the factors will need to be empirically verified through the kind of extensive usability testing required for certification. I suspect you are thinking primarily of the US election market, where the costs could very well outweigh the benefits.

That said, I also want to challenge your pessimism as to the poll worker’s ability to conduct such a task. This model was designed to be very close to a mechanism that is already used in Canadian elections to prevent chain voting.

Canadian ballots contain two detachable serial numbers (the same number twice). One is detached by the poll worker prior to handing the ballot to the voter. When the voter returns from the booth, they hand the ballot back (folded to protect ballot secrecy) to the poll worker who detaches the second serial number and compares it to the first. If they are the same, the voter is permitted to submit their ballot to the collection.

Our scheme could be added to this mechanism with a small footprint. The codes would be on the back of the detachable serial numbers in invisible ink, for example. The poll worker would detach the serial number and hand the voter the ballot, thus audited ballots and ballots taken to the voting booth to be voted on would be issued identically, which is intuitive if the voter is issued two and gets to choose which one to vote on. When the ballot is returned, the same procedure is followed except the voter gets to take home both detached codes.

I wish I could point to some empirical study for how effective this mechanism is in Canadian elections, as its quite similar in its requirements from a usability perspective.

As I’m sure you will point out, an error in our mechanism has greater consequences than an error in the chain-vote preventing mechanism, and so the costs may still outweigh the benefits. However, I do stand behind the mechanism as being only a modest expectation of poll workers and not out-of-line with existing procedures.

Of course I agree that there are trade-offs to be made. However, a trade-off that is known to enable the additional integrity to be cost-effectively subverted is going to be a tough sell.

>> we ultimately seek an informational mechanism

I agree, but in my estimation, the informational mechanism proposed is virtually guaranteed to result in poll workers erroneously releasing large populations of audit ballots with both status authentication codes intact. I’m sure you can appreciate how problematic this could be.

Well in the million voter election, the fraud represents a 1% shift in the outcome, and meanwhile all you needed is 100,000 dishonest voters working with a dishonest election authority to do it.

“It would prevent such shenanigans from being cost-effective.”

There’s a great saying: “privacy, integrity, usability, choose any two.” Personally, I think 4 characters is fantastic. Heck, make it at least 8–that’s what a self respecting airline e-ticket would do.

We tend to face a pretty tough usability crowd and the two code letter notion was offered with them in mind. But I get the feeling the jury is still out on the best code length.

Oh, did you know our actual version of C is < 36^2 ?

We had to cut down on the alphabet because some letters kind of look the same; 1, I, l for example! O, 0, etc. As we all know, with voting, there’s no room for ambiguity. I’m not even sure what our current C is, but it’s been pretty decimated for this purpose.

Also, keep in mind that the trigger presented in the paper was just one possibility. I know there were at least two considered. I’ll try to get those authors to chime in.

Or 10% of 1,000,000 votes, in conjunction with hacking the optical scanners, in order to get a 2% MOV shift. This is conceivably cost-effective for a political party. If it cannot be reliably detected, than it is really worth the effort to retool elections?

>> Would using 4 alpha-numeric characters really solve such a twisted election?

It would prevent such shenanigans from being cost-effective. If we assume that the cost of filing a bogus dispute is $0.10, then the cost of getting away with stealing each vote is about $20 with 2 characters, but about $20,000 with 4. Historically, the going rate for selling a vote has been about $10-$100 dollars.