How to ensure voter ballot integrity

  • Thread starter John Bartle
In summary: Unless you show actual evidence of such a thing, you're trying to solve a non-existent problem. Considering there are many other issues related to US elections, why would one want to tackle a non-existing problem?
  • #1
John Bartle
Right now I'm just wondering about national and state serialization of all general and midterm election ballots.

I'm wondering how serialization of voters could be implemented and still maintain anonymity?

In particular, I'm wondering how could one serial number be assigned to exactly one person and still maintain anonymity? Is there a way or should serial numbers be assigned to something else?
 
  • #2
First a warning shot to everyone: keep this non-political. I see a data security question here and nothing more. (not that I'm optimistic, but prove me wrong)

Next, John, could you please define your terms and describe the problem a little better. I'm going to guess, but I'm not sure I understand...

-"Serialization". Do you just mean giving everyone a serial (ID) number?
-"Integrity". Is there a specific security issue or are you mainly interested in maintaining anonymity? Please describe the problem you are trying to solve in more detail.

I actually don't see a problem here to be solved. Currently, voter registration databases are not cross-linked with and share no coincident data with ballot records. So there is no way to determine who cast what ballot. I don't even think electronic voting machines store individual ballots at all, though I'm not certain of that (and certainly paper ballots are all individual).
 
  • Like
Likes Ryan_m_b
  • #3
I'm with Russ. I do not see voter anonymity as being an issue during the US elections so far. So I'm not sure why we are trying to solve something that isn't a problem.

Zz.
 
  • Like
Likes Ryan_m_b
  • #4
russ_watters said:
-"Serialization". Do you just mean giving everyone a serial (ID) number?
-"Integrity". Is there a specific security issue or are you mainly interested in maintaining anonymity? Please describe the problem you are trying to solve in more detail.
I mean legally binding a federally government issued serial number to some set of things such as a registered voter and a physical ballot or to whatever makes the most sense. One, among other, issues with voting is the possibility that a voter's ballot could be destroyed and replaced with one having alternative cast votes.

I was thinking that a digital (photo?) copy of every ballot, with its serial number, could be stored in a national and also state database. Also, a physical copy (i.e. receipt) of each cast ballot could be given at the time of the vote. The database would be completely accessible to the public. Every voter would have the ability to compare their physical ballot copy to the digital one online. If they don't match then legal action should be taken.

One problem with legally binding a federally government issued serial number to a registered voter and a physical ballot would be that the government would have an explicit record of both the registered voter and whom they voted for. This, ideally, is supposed to be secret, although, some would argue that it's not secret enough.
 
  • #5
John Bartle said:
One, among other, issues with voting is the possibility that a voter's ballot could be destroyed and replaced with one having alternative cast votes.

Is there documented evidence of this happening here in the States?

Zz.
 
  • #6
ZapperZ said:
Is there documented evidence of this happening here in the States?

Zz.
Hmmmmmm…… I don't know. But what's stopping criminal election overseers from doing just what I've described?

Also, there are other voting issues that would be addressed, at least in part, by a serialized voting system. I'm concerned about pointing out those problems because some might take issue. I'm trying to be careful about my wording.
 
  • #7
John Bartle said:
Hmmmmmm…… I don't know. But what's stopping criminal election overseers from doing just what I've described?

What's stopping outside criminals from invading our country, if you want to be paranoid about it?

You have not sufficiently addressed the issue that I brought up, i.e. is there a problem that exists regarding voters' anonymity and such vote change? Your "solution" causes more issues than what you want to solve, and exposes even MORE avenues for tampering. This is before we address the constitutionality of the federal government dictating how each state conducts their election.

Unless you show actual evidence of such a thing, you're trying to solve a non-existent problem. Considering there are many other issues related to US elections, why would one want to tackle a non-existing problem?

Zz.
 
  • #8
John Bartle said:
One, among other, issues with voting is the possibility that a voter's ballot could be destroyed and replaced with one having alternative cast votes.

I was thinking that a digital (photo?) copy of every ballot, with its serial number, could be stored in a national and also state database. Also, a physical copy (i.e. receipt) of each cast ballot could be given at the time of the vote. The database would be completely accessible to the public...

One problem with legally binding a federally government issued serial number to a registered voter and a physical ballot would be that the government would have an explicit record of both the registered voter and whom they voted for. This, ideally, is supposed to be secret, although, some would argue that it's not secret enough.
Ok, so you're looking for a way to after-the-fact connect the vote to the voter for the sake of verification in the case of fraud or error (equipment failure), while still maintaining voter anonymity.

To me, these appear to be fundamentally incompatible goals. Similar to the security vs anonymity problem of Bitcoin.

Incidentally, this is an issue I have a lot of interest in and I'm aware of proposals to provide paper receipts to voters for electronic voting, but I haven't seen a nuts-and-bolts description of how exactly they would work (and I've looked). This very issue would appear to me to make receipts pointless.
 
  • Like
Likes Ryan_m_b and BillTre
  • #9
ZapperZ said:
Unless you show actual evidence of such a thing, you're trying to solve a non-existent problem. Considering there are many other issues related to US elections, why would one want to tackle a non-existing problem?
Could we please keep this theoretical. Value judgements on the severity of a voting integrity problem are heavily based on political bias and should be avoided for that reason.
 
  • Like
Likes jim mcnamara and StoneTemplePython
  • #10
russ_watters said:
Could we please keep this theoretical. Value judgements on the severity of a voting integrity problem are heavily based on political bias and should be avoided for that reason.

But that's what I'm trying to do! I'm requesting actual evidence to keep this from simply doing something based on someone's made-up scenario (i.e. "value judgements"). Or is asking for evidence too "experimental" that it is no longer "theoretical"?

Zz.
 
  • #11
ZapperZ said:
But that's what I'm trying to do! I'm requesting actual evidence to keep this from simply doing something based on someone's made-up scenario (i.e. "value judgements").
No, a "made up scenario" is theoretical and does not involve a value judgement. You identify the problem (inability to verify votes) and propose a solution (vote record with ID).

Weighing evidence to determine IF it should be solved is a value judgement about whether or not the problem is severe enough to warrant fixing.
Or is asking for evidence too "experimental" that it is no longer "theoretical"?
Exactly.

Please note, we get this dilemma in the technical forums all the time. When someone asks: "can we put parachutes on planes to prevent crashes?" and someone replies, "it would not be worth the effort", they are not answering the question being asked.
 
  • #12
russ_watters said:
and someone replies, "it would not be worth the effort", they are not answering the question being asked.

Well, perhaps. But "it wouldn't prevent fatalities" is probably answering the intended question if not the question asked.

Fundamentally, this proposal wants two incompatible things: a system where a vote cannot be changed after it is cast, and a system where one can say "The record is wrong; I voted for Jones, not Smith."
 
  • #13
I saw the first post in this thread before it had attracted any replies - about 30 seconds before I shut my laptop down to get into the car for a long trip, so I had many hours of interstate boredom to think about the question without the benefit of seeing the subsequent discussion.

My first thought, along with Russ above, is that we have to be clear about what problem we're trying to solve. However, I see that the OP has answered that for us:
One, among other, issues with voting is the possibility that a voter's ballot could be destroyed and replaced with one having alternative cast votes.
That is, we want assurance that valid and legally cast ballots are not altered before they are counted. This is technologically possible (although whether it's worth the effort is a different question, out of scope for this thread). And as OP says, there are other issues, but we'd need something specific to usefully discuss these.

OK, with that said...
1) A non-technical digression: you say "federally government issued". In the USA, the federal government does not run elections (and is constitutionally prohibited from doing so) so whatever process you're thinking of would have to be put in place by one or more states - and if it turns out well, other states may follow suit. This is a non-issue for many other countries; for example, in Mexico the federal government does control voter identification. But for now, if you're thinking USA, you're designing a mechanism that a state may choose to use for its elections but not a nationwide panacea.

2) In American elections, many/most jurisdictions already uniquely identify their voters to ensure that no registered voter submits more than one ballot and no unregistered voter submits a ballot, but also protect the anonymity of the voters. Where I live, voting in person at the local precinct is a two-step process: I stop at one desk and identify myself; a records check shows that I'm registered and haven't voted already; so I'm given a piece of paper that I take to a second desk where I'm given an anonymous ballot and the paper from the first desk is turned in to record the fact that I voted; I fill my ballot out and submit it to be counted. The ballot records my vote anonymously and the slip of paper from the first desk identifies that I voted by name. (Something similar works with absentee voting; I'm given a ballot and an envelope with my registration record written on it, I fill out the ballot, I submit it in the envelope, and one piece of paper records my votes and the other records that I voted).

3) We could, if we thought it was worth the effort, leverage the #2 process to ensure that my submitted ballot is not altered or substituted. At the first desk I am given a public/private key pair unique to me; the public key is essentially the voter-unique "serial number" that's suggested in the original post. I collect my ballot at the second desk and fill it out. Then, as part of submitting the ballot, I also encrypt a copy using the public key; the result is a completely opaque puddle of bits that the election authority is required to post publicly along with the public key. Now I can verify that my ballot has not been tampered with: look it up by public key, decrypt using my personal private key, verify that it's what I submitted. If the election results look bogus, there will be a public outcry leading many people to check their ballots, and any large-scale skullduggery will be detected.

4) By itself, #3 is a complete total waste of effort because any attacker able to alter submitted ballots will also be able to introduce completely bogus ballots into the system, and with no one to check there is no risk of detection. However, there is an effective non-technological defense against this attack, and it's already in place: The "who voted" records produced at the first desk in #2 above can be made a public record - they are in my jurisdiction. A discrepancy between the number of ballots and the number of "who-voted" records will be obvious and can only be hidden by introducing bogus "who-voted" records; but these are public and cannot be hidden.

5) Neither #3 nor #4 provide any protection against a corrupt election authority that won't count the submitted ballots honestly. Making all the counted ballots public allows an after-the-fact audit; and we can require that observers, both neutral and partisan from all sides, are present at all stages. There's also much to be learned from the financial controls and cash-handling procedures of large businesses and government agencies. Again, this is not a technological solution.

6) As #4 and #5 suggest, good security requires looking at the entire system: people, procedures, checks and balances, visibility. Clever technology like unique serial numbers, two-factor authentication, public-key encryption may be essential parts of the solution, but focusing on these is insufficient.
 
  • Like
Likes BillTre and russ_watters
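
Points 3 and 4 of post #13 above, worked through as an added example; this is not code from the thread or from any election system. It assumes a toy Diffie-Hellman hybrid cipher built from the Python standard library as a stand-in for a vetted public-key library, and the voter names, ballots and function names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (an assumption of this sketch): the Mersenne prime
# 2**521 - 1 with generator 3. A real deployment would use a vetted library.
P = 2**521 - 1
G = 3
PAD = 32  # ballots are padded to one length so ciphertext size leaks nothing


def keygen():
    """Desk 1: issue (private, public); the public key is the 'serial number'."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def _derive(shared):
    """Split the DH shared secret into an encryption key and a MAC key."""
    raw = shared.to_bytes(66, "big")
    return hashlib.sha256(b"enc" + raw).digest(), hashlib.sha256(b"mac" + raw).digest()


def _xor_stream(key, data):
    """XOR data with a SHA-256 counter-mode keystream."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt(pub, ballot):
    """Anyone can encrypt to a public key. A fresh ephemeral key makes the
    result randomized, so nobody can guess a vote by re-encrypting candidates."""
    eph = secrets.randbelow(P - 3) + 2
    enc_key, mac_key = _derive(pow(pub, eph, P))
    body = _xor_stream(enc_key, ballot.ljust(PAD))
    return pow(G, eph, P), body, hmac.new(mac_key, body, hashlib.sha256).digest()


def decrypt(priv, record):
    """Return the ballot, or None if the stored bytes fail authentication."""
    eph_pub, body, tag = record
    enc_key, mac_key = _derive(pow(eph_pub, priv, P))
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor_stream(enc_key, body).rstrip()


def voter_check(board, priv, pub, remembered):
    """Point 3: look up by public key, decrypt, compare with what I submitted."""
    record = board.get(pub)
    if record is None:
        return "missing"
    plain = decrypt(priv, record)
    if plain is None:
        return "corrupted"
    return "ok" if plain == remembered else "altered"


def surplus_ballots(board, who_voted_count):
    """Point 4: posted ballots beyond the public 'who voted' count are bogus."""
    return len(board) - who_voted_count


def demo():
    # Constructed sample election; names only label the results.
    ballots = {"alice": b"Jones", "bob": b"Smith", "carol": b"Jones"}
    keys = {name: keygen() for name in ballots}
    board = {keys[n][1]: encrypt(keys[n][1], b) for n, b in ballots.items()}
    # Simulated tampering the checks must catch:
    bob_pub, carol_pub = keys["bob"][1], keys["carol"][1]
    board[bob_pub] = encrypt(bob_pub, b"Jones")   # ballot swapped, re-encrypted
    eph, body, tag = board[carol_pub]
    board[carol_pub] = (eph, bytes([body[0] ^ 1]) + body[1:], tag)  # bit flip
    stuffed = keygen()[1]
    board[stuffed] = encrypt(stuffed, b"Smith")   # ballot with no voter behind it
    checks = {n: voter_check(board, *keys[n], ballots[n]) for n in ballots}
    return checks, surplus_ballots(board, len(ballots))


if __name__ == "__main__":
    print(demo())
```

Bob's record decrypts cleanly yet is reported as altered: a well-formed ciphertext under a voter's public key proves nothing by itself, because anyone can produce one, so detection rests on the voter comparing the plaintext with what they remember submitting.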
  • #14
Vanadium 50 said:
two incompatible things: a system where a vote cannot be changed after it is cast, and a system where one can say "The record is wrong;
..., at which point, "Move that the thread be closed?"
 
  • #15
Vanadium 50 said:
Well, perhaps. But "it wouldn't prevent fatalities" is probably answering the intended question if not the question asked.
For the airplane one, the answer is really that it would prevent fatalities, but only in very specific scenarios -- and therefore not enough to be worthwhile. Nevertheless, they are being sold for general aviation.
Fundamentally, this proposal wants two incompatible things: a system where a vote cannot be changed after it is cast, and a system where one can say "The record is wrong; I voted for Jones, not Smith."
Agreed, though I would suggest there is a third desire here, not explicitly stated: the ability to back-check and be confident that your vote counted. It may not be as useful of a thing as people think, but people want it nonetheless.

I think it is worth noting that given the current Florida recounts, the question is being answered in the media:
https://www.sun-sentinel.com/news/politics/fl-ne-how-to-check-your-vote-20181109-story.html

...but not correctly. For mail-in ballots, you can check online whether your ballot was received and read, but you cannot verify that your vote was cast as you intended. That's what the OP intended and the articles I've seen imply but don't actually say (because they don't).
 
  • #16
Vanadium 50 said:
Fundamentally, this proposal wants two incompatible things: a system where a vote cannot be changed after it is cast, and a system where one can say "The record is wrong; I voted for Jones, not Smith."
That's just the non-repudiation problem, solved by public-key encryption (and see #3 of my post above). What you can't have is a system in which I can say "the record is wrong; I voted for Jones, not Smith" and remain anonymous.
 
  • #17
Nugatory said:
2) In American elections, many/most jurisdictions already uniquely identify their voters to ensure that no registered voter submits more than one ballot and no unregistered voter submits a ballot, but also protect the anonymity of the voters. Where I live, voting in person at the local precinct is a two-step process: I stop at one desk and identify myself; a records check shows that I'm registered and haven't voted already; so I'm given a piece of paper that I take to a second desk where I'm given an anonymous ballot and the paper from the first desk is turned in to record the fact that I voted; I fill my ballot out and submit it to be counted. The ballot records my vote anonymously and the slip of paper from the first desk identifies that I voted by name. (Something similar works with absentee voting; I'm given a ballot and an envelope with my registration record, I fill out the ballot, I submit it in the envelope, and one piece of paper records my votes and the other records that I voted).
My state, Pennsylvania, is similar:

I go to a desk where there is a ledger of registered voters, find my name and previously recorded signature, and sign next to it. This can later be used to verify I voted. Then I go to the voting machine and cast my vote -- or not (you aren't actually required to cast a vote when you go to the voting machine). Anyway, as I said before, these two databases; the voter registration ledger and the voting machines are not connected and share no common data, so they cannot be connected after the fact. This is true of yours as well. Anonymity is considered paramount in the design of this process.
3) We could, if we thought it was worth the effort, leverage the #2 process to ensure that my submitted ballot is not altered or substituted. At the first desk I am given a public/private key pair unique to me; the public key is essentially the voter-unique "serial number" that's suggested in the original post. I collect my ballot at the second desk and fill it out. Then, as part of submitting the ballot, I also encrypt a copy using the public key; the result is a completely opaque puddle of bits that the election authority is required to post publicly along with the public key. Now I can verify that my ballot has not been tampered with: look it up by public key, decrypt using my personal private key, verify that it's what I submitted. If the election results look bogus, there will be a public outcry leading many people to check their ballots, and any large-scale skullduggery will be detected.
Encryption is an intriguing solution to the OP's question. I had thought of it and think it technically answers the question, but not practically. I don't see that it enables a correction of the voting record except on an individual basis. Let's say a state server crashes and the totals are lost. Do state officials have to go back to every voter to get them to verify their votes?
What you can't have is a system in which I can say "the record is wrong; I voted for Jones, not Smith" and remain anonymous.
Can you if only the computer knows who you are?
 
  • #18
Bystander said:
..., at which point, "Move that the thread be closed?"
Why would you want this thread to be closed? So far this thread is nice... Everybody's answers seem fairly nice, I guess.

I'm going through them and thinking of what else I can ask and say next.
 
  • #19
ZapperZ said:
What's stopping outside criminals from invading our country, if you want to be paranoid about it?

I don't think what I've proposed is excessive or exotic at all. Though, as you've mentioned, federally mandated serialization and national and state databases may not be constitutionally supported.

I would like to point out that states and districts are required to report tallies. Well, I suppose, it could be argued that reporting, via digital copy, the vote itself IS reporting the tally - only a better version of it, and, therefore, possibly constitutional.
ZapperZ said:
Your "solution" causes more issues than what you want to solve, and exposes even MORE avenues for tampering.

Aside from the problem of getting all or even some of the states to adopt this system what other problem or avenues of tampering were you thinking of?
 
  • #20
russ_watters said:
Encryption is an intriguing solution to the OP's question. I had thought of it and think it technically answers the question, but not practically. I don't see that it enables a correction of the voting record except on an individual basis. Let's say a state server crashes and the totals are lost. Do state officials have to go back to every voter to get them to verify their votes?
Outright loss of submitted ballots is a different problem, one that isn't addressed by measures intended to detect tampering, which seems to be what OP had in mind. The possibility of a computer crash losing the totals is only one of many reasons why a robust system has to include paper ballots (or equivalent) that are retained at least until after there is no possibility of a recount.

russ_watters said:
Can you [have a system in which I can say "the record is wrong; I voted for Jones, not Smith" and remain anonymous] if only the computer knows who you are?
I don't think so, but perhaps someone more clever than I can come up with a satisfactory protocol? The problem is that a voter cannot prove the error in the record without disclosing their private key - it's needed to compare the ballot of record with the voter's record of how they voted - and that private key is sufficient to expose the voter's identity and the contents of their ballot.
But I also have to ask whether maintaining anonymity in this case is useful. A mismatch between what the voter submitted and the ballot of record is prima facie evidence that the reported counts do not match the submitted ballots; this will trigger a no-kidding serious audit and if necessary a complete manual recount. There are good reasons why these steps cannot be taken on the basis of an anonymous allegation.
 
  • Like
Likes russ_watters
  • #21
John Bartle said:
Right now I'm just wondering about national and state serialization of all general and midterm election ballots.
A question for you: Have you tried working for your local election board? If your home state (it's in your profile) is anything like mine, they always need more election workers... And I think that you would find the experience, including exposure to the strengths and weaknesses of existing procedures, to be seriously eye-opening.
 
  • #22
Nugatory said:
A question for you: Have you tried working for your local election board?

Yeah. I think if I can find time for it I just may do that next election.
 
  • #23
John Bartle said:
Aside from the problem of getting all or even some of the states to adopt this system what other problem or avenues of tampering were you thinking of?
This question can only be answered in the context of a particular process. Reliable and robust systems - and note that these requirements include but are not limited to security/integrity - aren't designed by looking for points where clever technologies can be applied. They come from doing an end-to-end analysis of the entire process and identifying weaknesses at each step. In practice, the most serious weaknesses are seldom technological problems; they come from human and environmental failures in areas that the system designer considered out of scope. For example, we've had a bunch of posts in this thread discussing what we might do with a unique voter id - and we can do even more if that id is a cryptologically strong public key! So cool! - but all that intellectual energy is wasted and all the coolness is a counterproductive misdirection if the id-issuing agency is not trustworthy.

Let's consider a system that works as Russ and I discussed above because this two stage system is common, well-understood, and when properly implemented is very reliable and robust. The voter proves their eligibility (so only eligible voters can vote) and receives a ballot; this event is recorded (double voting by eligible voters will be detected); the voter fills out their ballot and submits it to the local machine that scans the ballot and tabulates the results; the paper ballot is retained to ensure that the election results can be reconstructed if necessary (recount, tabulation error, ...); the results from the local machines are rolled up into a final election result.

There are many ways that this system can fail to deliver a result that reflects the intent of the voters, or not be trusted to have done so even when it did.
- Voters who are not eligible to vote may be accepted and issued ballots that are then presented to the local machines.
- Voters who are eligible to vote may not be accepted and denied ballots.
- Bogus ballots may be generated and presented to the local machines.
- Ballots may be altered after they've left the voter's hand and before they reach the local machine.
- The local machines, through design error or malicious hacking, may not count some of the submitted ballots.
- The local machines, through design error or malicious hacking, may record a submitted ballot incorrectly.
- The results from one or more local machines may be altered (design error, hacking, or unauthorized access) before they are delivered to whatever central authority is doing the rollup.
- The central authority doing the rollup may alter, ignore, or miscount the results coming in from one or more of the local machines.
- The paper ballots may be prematurely destroyed, making it impossible to validate the integrity of the result if necessary. (A count that is correct but not believed to be correct is just as bad from a legitimacy point of view as an incorrect count).
- and so on...

If your goal is an accurate and credible election with high perceived legitimacy, you'll have to consider all of these issues. A serial-number proposal to address one of them (ballots may be altered after they've left the voter's hand and before they reach the local machine) may be interesting as a technological tour-de-force, but it's unlikely to be a good starting point for ensuring the overall integrity of the election. The right starting point is to work through the entire sequence, asking what the most cost-effective and robust method is at each step.
 
  • #24
A number might be seen as a weakness in voter anonymity.

In our history, vote buying and threats of violence were common.

"Vote the way I told you. When you come out, give me the serial number and I'll give you $100. If I find out later that you lied, I'll break your legs."

The only reason voter anonymity is not an issue today is because we have solid anonymity.
 
  • Like
Likes Ygggdrasil

Related to How to ensure voter ballot integrity

1. How can we prevent voter fraud?

There are several measures that can be taken to prevent voter fraud and ensure ballot integrity. These include requiring government-issued identification for voting, implementing strict voter registration processes, using tamper-proof voting machines, and having trained and impartial poll workers.

2. How can we ensure that every eligible vote is counted?

To ensure that every eligible vote is counted, it is important to have a transparent and reliable vote counting process. This can be achieved through regular audits and recounts, using multiple methods of vote verification, and providing clear guidelines for handling disputed or challenged ballots.

3. What role do election observers play in ensuring ballot integrity?

Election observers play a crucial role in ensuring ballot integrity as they monitor the voting and vote counting process for any irregularities. They can also report any incidents of voter intimidation or fraud, and help to maintain a fair and impartial voting environment.

4. How can technology be used to ensure voter ballot integrity?

Technology can be used in various ways to ensure voter ballot integrity, such as using electronic voting machines with paper backups, implementing biometric verification systems, and using blockchain technology for secure and transparent vote counting.

5. What measures can be taken to increase voter trust in the electoral process?

To increase voter trust in the electoral process, it is important to have open communication and transparency with the public about the voting process. This can include providing information on voter registration, polling locations, and vote counting procedures. Additionally, implementing strict penalties for voter fraud and ensuring impartiality in the election administration can also help to increase trust in the system.
