Princeton’s Center for Information Technology Policy recently hosted a talk by Professor Juan Gilbert of the University of Florida, in which he demonstrated his interesting new invention and presented results from user studies.
What’s the problem with ballot-marking devices?
It’s well known that a voting system must use paper ballots to be trustworthy (at least with any known or foreseeable technology). But how should voters mark their ballots? Hand-marked paper ballots (HMPB) allow voters to fill in ovals with a pen, to be counted by an optical scanner. Ballot-marking devices (BMDs) allow voters to use a touchscreen (or other assistive device) and then print out a ballot card listing the voter’s choices.
The biggest problem with BMDs is that most voters don’t check the ballot card carefully, so that if the BMD were hacked and misrepresenting votes on the paper, the voters wouldn’t notice–and even if a few voters did notice, the BMDs would have successfully stolen the votes of many other voters.
One scientific study (not in a real election) showed that some process interventions–such as, “remind voters to check their ballots”–might improve the rate at which voters check their ballots. I am skeptical that those kinds of interventions will be consistently applied in thousands of polling places, or that voters will stay vigilant year after year. And even if the rate of checking can be improved from 6.6% to 50%, there’s still no clear remedy that can protect the outcome of the election as a whole.
The transparent BMD
Instead of reminding the voter, Professor Gilbert’s solution is to force them to look directly at the printout, immediately after voting each contest. In this video, at 0:36, see how the voter is asked to touch the screen directly in front of the spot on the paper where the vote was just printed.
He explains more in the CITP seminar he presented at Princeton. He also explains his user studies. When the BMD deliberately printed one vote wrong on the paper ballot (out of 12 contests on the ballot), 36% of voters noticed and said something about it–and another 41% noticed but didn’t say anything until asked. This is a significantly higher rate of detection than when using conventional BMDs. Hypothetically, if those 41% could somehow be prompted to speak up, then there’d be a 77% rate at which voters would detect and correct fraudulent vote-flipping.
Somehow, this physically embodied intervention seems more consistently effective than one that requires sustained cooperation from election administrators, poll workers, and voters–all of whom are only human.
Would this make BMDs safe to use?
Recall what the problem is: If the BMD cheats on X% of the votes in a certain contest, and only Y% of the voters check their ballot carefully, and only Z% of those will actually speak up, then only X*Y*Z% voters will speak up. In a very close election, X might be 1/100, Y has been measured as 1/15, and Z might be 1/2, so XYZ=1/3000. Professor Gilbert has demonstrated that (with the right technology) X can be improved to 76% (or 3/4) but Z is still about 1/2. Suppose further tinkering could improve Z to 3/4, then XYZ would be 1/178. That is, if the hacked BMD attempted to steal 1% of the votes, then 9/16 of those voters would notice (and ask the pollworkers for a do-over), so the net rate of theft would be only 7/16 of 1%, or about half a percent.
And in that hypothetical scenario, one voter out of every 178 would have asked for a do-over, saying “what printed on the paper isn’t what I selected on the touchscreen.” That’s (perhaps) two or three in every medium-size polling place–or, in a statewide election with 3 million voters, that’s more than 16,000 voters speaking up. If that happened, and if the margin of victory is less than half-a-percent, then what should the Secretary of State do?
The answer is still not clear. You can read this to see the difficulty.
So, the Transparent BMD is a really interesting research advance; it is a really good design idea; and Professor Gilbert’s user-studies are professionally done. But further research is needed to figure out how such machines could (safely) be used in real elections.
And there’s still no excuse for using conventional BMDs, with their abysmal rate at which voters check their ballot papers, as the default mode for all voters in a public election.
Further caveats. These are considerations for the evaluation of the practical security of “transparent BMDs” in elections, worth further study.
- If a voter speaks up and says “the machine changed my vote”, will the local pollworkers respond appropriately? Suppose there have been many elections in a row where the voting machines haven’t been hacked (which we certainly hope is the case!); then whatever training the pollworkers are supposed to have may have been omitted or forgotten.
- When analyzing whether a new physical design is more secure, one must be careful to assume that the hacker can install software that can behave any way that the hardware is capable of. Just to take one example, suppose the hacked BMD software is designed to behave like a conventional BMD: first accept all the voter’s choices, then print (without forcing the voter to touch the screen where the gaze is directed to the just-printed candidate). This gives the opportunity to deliberately misprint in a way that we know voters don’t detect very well. But would voters know that the BMD is not supposed to behave this way? I pose this just as an example of how to think about the “threat model” of voting machines.
- Those voters who noticed the machine cheating but didn’t speak up in the study, then claimed that if it were a real polling place they would speak up– really? In real life, there are many occurrences of voters seeing something they feel is wrong at the polling place, but waiting until they get home before calling someone to talk about it. Many people feel a bit intimidated in situations like this. So it’s difficult to translate what people say they will do, into what really they will do.
- Professor Gilbert suggests (in his talk) that he’ll change the prompt from “Please review your selection below. Touch your selection to continue.” to something like “Please review your selection below. If it is correct, touch it. If it is wrong, please notify a pollworker.” This does seem like it would improve the rate at which voters would report errors. It will be interesting to see.