TheOfficialACM OP t1_itrt8ea wrote

Risk-limiting audits (the topic of this thread) are all about how to improve security with paper ballots. So a reasonable question for someplace that has paper ballots is "when are you going to do RLAs?"

Without paper ballots, we're back in the world of paperless electronic voting systems, which have been shown to have a variety of security vulnerabilities (discussed elsewhere in this Reddit). So a reasonable question for someplace that has paperless electronic voting systems is "when are you going to retire these machines and what's the plan to replace them?"

I'm not aware of any systematic voting machine election interference, at least in any U.S. election in anything resembling the modern era. If you go back far enough in time, you get plenty of well-documented messy elections. The story of "Landslide" Lyndon Johnson's victory in the 1948 Texas Senate Race is pretty amazing.


TheOfficialACM OP t1_itrnxry wrote

It's exceptionally difficult (read: expensive, time consuming) to do a forensic audit of the sort you're describing, and the adversary has an advantage in this game, because they could potentially engineer their malware to erase itself after the election is over.

The goal of RLAs and other kinds of election auditing procedures is to achieve a property called software independence, such that we can gain confidence in the correct outcomes of an election without requiring any confidence that the software is correct.


TheOfficialACM OP t1_itrn7r6 wrote

A Reddit AMA is the wrong place to get into the finer points of blockchains, cryptocurrency, and/or public bulletin boards.

Suffice to say that one of the core features of most blockchains is consensus, while one of the core features of a public bulletin board is maintaining evidence. Those are emphatically not the same thing, even though many of the same cryptographic techniques (zero knowledge proofs, hash data structures, etc.) are used in both settings.


TheOfficialACM OP t1_itrmu5i wrote

The trick with these fancy e2e-verifiable schemes is that they're very good at providing the voter with evidence that everything worked perfectly, but if something goes wrong, and there are a lot of ways for things to go wrong, it's not necessarily easy to pinpoint the problem.

ElectionGuard happens to be open source, but that's not a requirement for security. In fact, the magic of e2e-verifiable schemes is that they create a much more interesting property called software independence, which means that we can verify a correct election outcome without being required to trust any of the software used by the election officials.

Risk limiting audits, by the way, are also a method of achieving software independence, without any cryptography at all.


TheOfficialACM OP t1_itrlcw4 wrote

Here's a more concise way to put it: I would prefer if we did not have trade secrets in elections. Let the vendors copyright and/or patent their stuff, but the source code should be open to public inspection. This isn't about security, per se, as much as it's about transparency. If you want to get nerdier about it, it's also about publicly verifiable reproducible builds, which has ramifications for security and transparency.


TheOfficialACM OP t1_itrgtvz wrote

It's difficult to find evidence of this sort of thing. The most persistent rumors generally involve some form of bundling of vote-by-mail ballots. In the Rio Grande Valley of Texas, for example, they're called "politiqueros" or "politiqueras". It's unclear whether the impact of these sorts of activities are sufficient to change election outcomes, but Texas and other states have chosen to make it harder to vote by mail, claiming it would reduce fraud. Of course, whenever you change a policy like this, you'll have unintended effects, like making it harder for legitimate voters who might prefer to vote without needlessly exposing themselves to the risks of COVID.


TheOfficialACM OP t1_itrf3uv wrote

It's not really that simple. I could tell you that Rhode Island is amazing (try the grilled pizza!), but they face very different needs, never mind operating at a very different scale, from California or Texas. Small town elections are often done with hand-counted ballots, which is fantastic, but that would never work in huge cities, where it's just too slow and too error-prone.


TheOfficialACM OP t1_itreban wrote

The earlier generation of paperless electronic voting systems, adopted in the early 2000's, have been widely studied and have been found to have significant security flaws (examples: California "top to bottom" review in 2007, Ohio EVEREST 2007). (I was one of the co-authors on the California review.)

As a consequence, all the new voting machines involve paper in one form or another. The two most popular forms are ballot marking devices, which have some sort of computer interface and produce a printed ballot, and hand-marked paper ballots, which are typically scanned by a computer, often bolted to the top of the ballot box ("precinct count optical scanner").

The magic of a risk limiting audit (the topic of this thread!) is that it provides an efficient process where a post-election audit can prove, to a desired level of statistical confidence, that any errors in the electronic tabulation are small enough that they don't change the announced winner of a contest.

So, RLAs let us have the efficiency benefits of computers, while still having the security properties that we want from hand tallies, without requiring the slow (and error-prone) process of hand counting.


TheOfficialACM OP t1_itrcskm wrote

I'm not an expert in polling, but polls have margins of error, and pollsters often make corrections to their raw polling to compensate for demographic differences between their sampled population and what they anticipate the actual electorate might look like. So, for any given poll, there are a bunch of assumptions baked into the numbers, any of which might turn out to be false. In other words, when an election disagrees with a poll, that can be a surprise, but it's not an immediate red flag.

That said, many states have laws that allow for automatic recounts when the margin of victory is small enough (typically under 1%). And we recommend that every state adopt risk-limiting audits (the topic of this post!) for all their elections, as a required procedure.

In a high-margin race, a risk limiting audit requires a very small number of samples in order to provide convincing evidence of the correctness of the outcome, so RLAs would be a great thing to adopt.


TheOfficialACM OP t1_itr9kve wrote

Each of our states have their own rules and procedures, but there are only a small number of equipment vendors for the vast majority of votes cast. This means, in practice, that we can't depend on diversity as much of a security mechanism. Instead, we need better process and procedures (like risk limiting audits!) to help mitigate against some of the threats we face.


TheOfficialACM OP t1_itr96ni wrote

The purpose of a risk limiting audit (the topic of this thread!) is to efficiently determine if the tallying process gets the correct outcome. That's an important defense against hacking.

Social engineering / misinformation / disinformation is an important topic as well, but that's outside of the election system, in the sense that we can't fight misinformation by improving how our voting machines work. That said, fighting misinformation is a huge challenge that election officials now face. (Summary of the issues from the Brennan Center.)


TheOfficialACM OP t1_itr7m60 wrote

There are a lot of variations on this, so I'm going to assume we're talking about how Microsoft's ElectionGuard project would work in the context of a ballot marking device. (I've written some of the code being used in ElectionGuard.)

Once the voter finishes specifying their vote, the machine computes an encrypted version of their vote. It's public key encryption, where the voting machine only knows the public key, so only the election official (or a group of election trustees working together, using a technique called threshold cryptography) can do the decryption.

The voting machine can also compute the hash of that encrypted ballot, and then hand it back to the voter, perhaps on a small receipt printer. Now here's the fun part: all the encrypted ballots for the entire election will be posted on some public web server somewhere. And you'll be able to use your receipt and figure out that a ballot matching your hash is right there where it's supposed to be. And now here's the crazy fun part: you can add all the encrypted ballots without first decrypting them. This is called an additive homomorphism. Every election observer can compute this same value, and compare it to the value that's ultimately decrypted by the election official, who provides a cryptographic proof that they did the decryption correctly. So, anybody can validate that their encrypted ballot is part of the big total and that the big total was decrypted correctly. But your receipt doesn't let you sell your vote, since it's the hash of an encrypted ballot, and that ballot is never individually decrypted. (This paragraph summarizes the "counted as cast" property.)

But wait, you ask, why should I believe that my ballot was correctly encrypted in the first place? Turns out, there are a number of independent ways to prove this.

  1. Your paper ballot, which is human readable, includes the hash of your ciphertext below it. A risk-limiting audit would, for each ballot being audited, recompute the encryption of the ballot, based on the human-readable text, and make sure that the hash matches.
  2. Ballots that are spoiled aren't tabulated. That means it's safe for the election official to decrypt those spoiled ballots. So we could create a process where regular voters and/or trained auditors are allowed to keep copies of spoiled ballots, and we'll check later on whether the human-readable text matches up with the ciphertext.

The cool trick here is that the machine doesn't know which ballots will be cast and which will be audited, so if it's going to cheat, it needs to cheat before it knows whether it might be caught. This is called a Benaloh challenge. Josh Benaloh is also, not coincidentally, one of the designers behind Microsoft's ElectionGuard.


TheOfficialACM OP t1_itr167q wrote

U.S. elections are quite unusual relative to most other countries. Of particular note, we're often asked to vote on a huge number of contests. My ballot in Houston, Texas has I think 93 contests or propositions on it. This means that we require automation in order to get timely and accurate results. And therefore we must have computers around, but we need processes like risk limiting audits (the topic of this post!) to mitigate against the risks of malware or tampering with the computers.

Several countries are currently experimenting with Internet voting (Estonia, Switzerland, Canada, and more). This creates a variety of new risks that are harder to mitigate. What do you do to prevent malware on a voter's computer from tampering with their vote? What do you do to protect the servers against denial of service attacks? For contrast, consider that a paper ballot, whether marked by hand or by machine, once it gets into a ballot box, is beyond the reach of even the most sophisticated Internet attacker. There's nothing a foreign nation-state adversary can do over the Internet to modify ink on paper!

Of course, the real world is never quite so simple. I had the chance once to speak with Swiss officials about this, and they pointed out how 40% of Swiss nationals are physically outside the borders of Switzerland at any given time. And they might vote five times per year. Perhaps unsurprisingly, there's a strong demand for Internet voting, and an ongoing challenge to see if they can mitigate against those risks.


TheOfficialACM OP t1_itqywpp wrote

To be absolutely clear, there is no evidence of any tampering with the 2020 presidential election. We have high confidence that the election outcome was correct.

Here's the crazy part: there's nothing inconsistent with the above statement and saying that there are a number of security weaknesses in our election systems that we need to improve. We'd love to see more states adopt risk-limiting audits (the topic of this post!), which would improve our confidence in their elections. Similarly, it's great that the older generation of paperless electronic voting systems are being replaced with newer machines that use paper ballots. This helps mitigate against the worst risks of malware or tampering with voting systems' software.


TheOfficialACM OP t1_itqxyji wrote

For starters, the modern Dominion equipment uses a printed paper ballot. This means that every voter can (and should!) take the time to read the paper ballot that the machine produces and, if something is wrong, they can "spoil" their ballot and do it again. This is an important defense against any hypothetical tampering or malware with the software inside the machines.

After that, you're not being asked to trust machines. You're being asked to trust process. Those paper ballots travel in ballot boxes that are suitably sealed. Election officials tabulate the paper ballots with election observers and the press watching what they do. Georgia also did a risk-limiting audit (the topic of this Reddit post!) during the 2020 election which confirmed the result in the presidential race. (More details: Carter Center report, Georgia SoS's page)

As you might imagine, there's a lot more to it than I can summarize in a few paragraphs, but you should have some comfort that the combination of certification & testing, plus the use of the right kinds of policies & procedures, are where we gain confidence in our election systems.


TheOfficialACM OP t1_itqwe5v wrote

There's an entire academic discipline dedicated to the world of election integrity, and an important technique that's crossing the divide from academia to practice is called "end-to-end verifiable elections". Without getting lost in the technical details of how and why different encryption techniques are used, all of these voting systems generally include a concept called a "public bulletin board". If you squint at it, there isn't all that much difference between a public bulletin board and a blockchain. Both use cryptographic hash functions to build linear chains or tree-like structures.

The essential difference is that blockchains are "decentralized", which means that nobody is in charge. Instead, a series of unrelated parties reach a consensus as to what the blockchain means. In an election, however, all the parties are known in advance, and disputes are generally resolved through administrative processes or lawsuits. This means that public bulletin boards don't need consensus mechanisms. Instead, they're generally about publishing encrypted votes in such a way that a voter can verify that their vote was "counted as cast" (i.e., you get a strong proof that your vote was tabulated exactly as you cast it) as well as "cast as intended" (i.e., the machine didn't misinterpret your vote as you cast it). The exciting part of the cryptography is that we can achieve both of these properties without allowing you, the voter, to have enough evidence to be able to prove to anybody else how you voted (so, we don't enable bribery or coercion).


TheOfficialACM OP t1_itqvcv5 wrote

Physical security (or, if you prefer, "chain of custody") is essential to all elections. Even if we're talking about hand-marked and hand-counted paper ballots, we still need to ensure that ballot boxes were sealed properly, transported properly, and guarded properly. Of course, when you add computers to the mix, physical security is even more important. This is an important reason for having post-election audits, like the RLAs we talk about in the linked article at the top of this post. An efficient post-election audit allows for discrepancies to be discovered before an election result is certified.


TheOfficialACM OP t1_itqusk8 wrote

The current business model of elections is that the vendors have no requirements for open source, but they do have the requirement that their systems are subject to certification and testing. The certification process requires the vendors to share their source code with the testing labs.

For what it's worth, there have been a number of attempts at doing an open source voting system that could be commercially viable in the U.S. market, but none of them have achieved significant market share to date, except perhaps the Los Angeles VSAP system, but the source code isn't actually open yet (article from 2018, but I don't think anything has changed since then).

(I do consulting with another open source vendor, VotingWorks.)