Dude, What Is My Ballot, Really?
John Sebes
(Part 2 of 2: What’s My Ballot?)
Today, I’m continuing on from a recent post, which compared my in-person voting experience with one method of Internet-based voting: return of marked ballots by fax or email. Next up is a similar comparison with another form of Internet-based voting: Internet voting from home using a PC’s Web browser.
Let’s briefly recall the result at the end of the day in my polling place:
1. Some paper ballots in a ballot box.
2. Some digital vote totals in a computer, and a set of paper rolls that provide a ballot-like paper trail of each voter’s activity that led to those vote totals. The paper trails can be used to check the correctness of the digital vote totals.
Let’s also recall the result at the end of the day with email ballot return:
1. Some printed versions of faxed/emailed ballots, which are treated as ballots for counting purposes.
While we’re at it, let’s recall the results of the old lever machines too:
1. Some mechanical vote totals in one or more machines.
2. A hand-recorded paper transcription of the “odometer” readings. (Those machines were a lot harder to move than a computer is! So the transcriptions were the basis for vote totals.)
Now, on to home-based Web i-voting. Before doing the end-of-the-day comparison, let’s start with what the experience looks like — fundamentally, it’s Web pages. You point your browser to a Web site; you type in your voter identification, a bit like the in-person poll-book signing experience; and then you get your ballot: one or more Web pages. Various Internet voting products and services differ, but they are all fundamentally similar to something that I bet many readers have seen already: online surveys. Take a look at this simple election-like survey about music in Cuyahoga County. The web page looks like a simple ballot, with contests for vocalist and guitarist instead of governor and dog-catcher. There are candidates, and you vote by selecting one with a mouse click on a radio button next to the name of your favorite.
So far, so familiar, but when I press that submit button, what happens? Where’s my ballot? Let’s take it step by step.
- The submit button is part of an HTML form, which is part of the Web page. (You can see the HTML form if you “View Page Source” in your browser.)
- Pressing the button tells your browser to collect up the form’s data, which might include Rachel Roberts for Vocalist if you had clicked the radio button next to Rachel.
- These parts of the form’s data are something that in election lingo you might call a “vote” (or “contest selection,” to be precise).
- The HTML form data, including the vote-oid data, is sent from your browser to the Web server via an HTTP POST operation.
- The HTTP transaction is typically via an encrypted SSL session, to preserve privacy en route over the Internet.
- The Web server passes the POST parameters to some election-specific Web application software, which interprets the data as votes, and stores the vote data in a database.
Now, let’s be specific about that database stuff. In surveymonkey, there is a database record for each Cleveland Music survey response, and it’s possible (if the survey was set up that way) that the record also includes some information about the person who responded. In actual government voting, though, of course we don’t want that. So even though the i-voting server has a database of voters, and even though you had to log in to the i-voting server, and even though you were only allowed to vote if the voter record said you were allowed to vote, still your vote data shouldn’t be stored with your voter record. So, the vote data is supposed to be anonymously and separately stored, becoming part of vote totals for each candidate in each contest.
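The submit-to-database flow in the steps above, with the separate vote storage this paragraph describes, as an added sketch that is not code from any real i-voting product or from surveymonkey. The table names, voter IDs, function names, and all candidates other than Rachel Roberts are constructed for illustration. It shows what is left on the server afterwards: counters and a check-in list, with no per-voter ballot record.

```python
import sqlite3
from urllib.parse import parse_qs

def make_db():
    # Constructed schema: the voter roll and the tallies share no key.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE voters (voter_id TEXT PRIMARY KEY, has_voted INTEGER DEFAULT 0);
        CREATE TABLE tallies (contest TEXT, candidate TEXT, votes INTEGER DEFAULT 0,
                              PRIMARY KEY (contest, candidate));
    """)
    db.executemany("INSERT INTO voters (voter_id) VALUES (?)", [("V001",), ("V002",)])
    db.executemany("INSERT INTO tallies (contest, candidate) VALUES (?, ?)",
                   [("vocalist", "Rachel Roberts"), ("vocalist", "Candidate B"),
                    ("guitarist", "Candidate C"), ("guitarist", "Candidate D")])
    db.commit()
    return db

def handle_post(db, voter_id, body):
    """Interpret a form-encoded POST body as contest selections and count them."""
    selections = {k: v[0] for k, v in parse_qs(body).items()}
    with db:  # one transaction: check-in and counting succeed or fail together
        cur = db.execute("UPDATE voters SET has_voted = 1 "
                         "WHERE voter_id = ? AND has_voted = 0", (voter_id,))
        if cur.rowcount != 1:
            return "rejected"  # unknown voter, or this voter already voted
        for contest, candidate in selections.items():
            cur = db.execute("UPDATE tallies SET votes = votes + 1 "
                             "WHERE contest = ? AND candidate = ?",
                             (contest, candidate))
            if cur.rowcount != 1:
                # Not on the ballot: raising rolls back the check-in as well.
                raise ValueError("selection not on the ballot")
    return "accepted"

def audit_view(db):
    """Everything an auditor can read afterwards: counters and a check-in list."""
    totals = {(c, n): v for c, n, v in
              db.execute("SELECT contest, candidate, votes FROM tallies")}
    checked_in = sorted(r[0] for r in
                        db.execute("SELECT voter_id FROM voters WHERE has_voted = 1"))
    return totals, checked_in
```

Once `handle_post` returns, the submitted form data is gone; `audit_view` can report that V001 voted and that a counter moved, but nothing the voter saw survives to check the counter against.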
Can you say “odometer”? Okay, maybe it’s not that obvious, so let me juxtapose a couple images. As I recounted earlier, a much younger me is standing in the voting booth of a lever machine, looking at a big bank of little switches next to candidate names, and thinking that is the ballot. Then the big lever is pulled, the little switches flip back, and it’s like the ballot just evaporated! Though of course I was told that the counter dials in the back of the machine did tick over like the odometer on a car, recording each vote. The votes were stored on the odometers, but the ballot was gone without a trace. Now shift the scene to my first surveymonkey experience. I clicked some radio buttons, clicked submit, and poof! what I thought was a ballot just disappeared. I’m told that the counters in a database somewhere ticked over to record my “votes.” Again, votes were supposedly recorded, but there wasn’t really ever a durable ballot. Home-based web client-server Internet voting is just like that, regardless of varying technical implementation details. There’s no durable ballot document.
So, at the end of the day, we have stored vote totals in a database of a system that also logged the voter logins. At that point I don’t have an answer to “What’s the ballot” any more than I do for lever machines or the early paper-trail-less DREs. Unlike the (much-more-insecure) email ballot delivery, we don’t really know what or where the ballots are. Recalling my experience in the Middlefield Road fire house, the vote data is similarly stored as bits on a computer, but!!! there is also the paper trail. That paper trail can be used to audit the system and detect errors and fraud, and serves as the durable record of the vote — almost a ballot, except for being on flimsy paper with some ballot information left out. But with i-voting, there is nothing even similar. Any kind of auditing that’s done is done using data saved on the server computers, rather than looking at a ballot document that the voter also saw.
Is that so terrible? Maybe so, maybe not. A durable ballot is not a holy requirement for U.S. elections — though in some parts of the country it almost is. And a durable ballot may not be a requirement for a voting system that is specifically and only for timely assistance of overseas and military voters. Such requirements are a matter of local election law and decisions of local election officials. But my critical observation here is about voter trust. Trust derives in large measure from comprehension. And for many voters, a voting system is comprehensible if the voter knows what the ballot is, where it goes, and what happens to it. That’s why overseas voters like fax and email return. Despite the security and anonymity problems, the voter understands that ballot, how it pops out of the fax/printer on the other side of the planet, and how it’s counted as a paper ballot. The same can’t be said for paperless home-based i-voting. As a consequence, I think that it will be harder to build trust, at least in some parts of the country that are paper-centric. However, it may be less of a big deal if limited to overseas and military voters, whose main concern is “get the ballot home in time to be counted.” The pilots are happening, and time will tell.
— EJS
First, the Hart DRE machines must be at least slightly different than the old mechanical voting machines, as there is allowance to remove votes by provisional voters. Whether the internal difference is large or small, I do not know.
Second, when the voter casts a paper ballot, the voter has no notion what happens later. All later processing is – to the voter – a black box, run by folk the voter does not know and has no reason to trust. Voters have no notion whether that physical ballot was later counted or shredded. Voters have no reason to “trust the vote”.
You can tell stories … but “trust us, we are from the government” is not and should not be universally convincing. Voters need verification.
You are leaving out two problems.
One, voting in private with internet voting might encourage vote buying. I suppose technically the same vote buying could be done with absentee mail-in ballots, and it might happen but it is more physical work and risk involved. In an internet voting scheme, you might have some spyware type program that verifies how you voted and then sends you the “check” or whatever.
The other issue is that you cannot have secret ballot AND verifiable elections. It’s fine if you want to promote getting rid of secret ballot, but no crypto anything can make it possible to prove your vote didn’t get hacked/switched/recorded wrong, and with no paper trail and still be a secret ballot. If you can prove how you voted and what was recorded, that means someone else can do it and you have no secret ballot. Internet voting is impossible if we cling to the concept of secret ballots.
Yep, both voter fraud and transported ballot integrity are basic issues with any form of remote voting, including the paper vote-by-mail method. We can try to automate parts of paper vote-by-mail (like with current email return of ballot, or better, a much less risky HTTPS transport) and keep the basic concept of ballots. Another option is to completely shift the concept of voting, the model of elections, and go whole-hog on surveymonkey-style i-voting. In the latter case, there isn’t a clear model of either anonymity or verifiability, as you point out. Crypto-based voting systems like helios and votebox try to strike a balance, where ballot anonymity and voter verifiability both exist in some form. Adoption of these methods for U.S. government elections though … could take quite some time. In the meantime, the TTV project is working on transparent technology for what U.S. election officials are actually doing today.