Sunday, September 19, 2010
Election over. Whew. Did you think your ballot was secret, though?
by Larry Geller
What a memorable evening. Full of potential and portent.
Before we put elections out of our minds for the moment, a comment came in to my November 2009 article, Did you think the ballot you cast in the 2008 election was secret? Think again if you live in Hawaii (11/14/2009), that I’d like to highlight here. The problem with the blog comment system is that even a new comment to an older article gets stuck with the article down there in obscurity.
The November article included a discussion by Maui resident Bob Babson, who has already changed our state’s electoral laws as lead plaintiff in the successful Babson v. Cronin lawsuit. Babson was concerned in November about the lack of secrecy in Hawaii’s voting system.
The new comment supports Babson’s concern for secrecy and the need for legislative change to correct the problem. It was posted anonymously, so I can’t yet follow up. Here it is:
I am a PhD computer scientist (Stanford) and a subject-matter expert. Bob Babson is absolutely correct in concluding that the balloting method used in Hawaii destroys voting secrecy. Unique barcodes on ballots is not in itself a problem: Bart Dame is correct in pointing out that unique barcodes can successfully be used to prevent "ballot box stuffing." The problem is the 1-to-1 correspondence of the unique barcode on the ballot and the number on the stub. Secrecy is broken by the fact that the number on the stub is recorded by election officials.
# posted by Anonymous : 10:05 PM HST 9/18/2010
If Babson is indeed correct, your vote can be traced to you if someone cared to do that.
We should probably verify this and fix it, don’t you think?
Looks like the deterrent from looking up who one voted for is sheer volume. Maybe if we knew the procedure one must go through to even begin to match a number to a name it might make us feel better. I believe the ballot boxes are locked and not accessible to anyone so I am not concerned at the moment but it wouldn't hurt if all procedures were explained to us.
I don't think "sheer volume" would be a problem, depending on how the images are archived and whether they are searchable by their Unique Identifier Number.
Readers should clearly understand the number written down by the poll worker is NOT the same number on the ballot. Are the two numbers traceable in any way, either because there is a master list or because both numbers are in an easy to calculate sequence?
It is right that people have these questions. We all SHOULD be brainstorming about potential vulnerabilities in the voting systems. It sometimes takes "far-fetched" hypotheses to crack mysteries hidden in plain sight by folks who take too many things for granted.
But there is a world of difference between saying such a thing MAY be possible and flat out asserting:
"So your vote cast in 2008 is not secret. It can be easily looked up in a computer."
Really? Can you direct me to that computer?
IF it is a fact that the ballot number can be traced from the polling place logs, that creates a POTENTIAL vulnerability. If someone can gain access to that number and the master list linking the two numbers AND can search a database log tying that number to the votes recorded from a specific ballot, that would be unacceptable.
I think I have been fair in laying out the elements of what someone would have to prove before claiming the votes can be "easily looked up on a computer."
I am VERY open to any evidence in support of the claim. I may have been misled by erroneous understandings of how the process works. Anyone who has worked in the execution of Hawaii's elections understands the complexity of the system, taken as a whole.
From voter registration to mailing of absentee ballots to unexamined proprietary software to security of the vote tally database to auditing the results, there are a LOT of POTENTIAL points of vulnerability. In my comment to the earlier post, I mentioned the danger of ballots being counted twice and how the unique identifier code helped protect against that. That is a rather trivial and easy to overlook way to rig an election. Let's say Candidate A REALLY wants to win the election for Governor. Someone close to him is close to someone in the Counting Center, maybe through bribery. This worker's job is to run the ballots through the high volume optical scanner a large stack at a time. When a stack goes through very favorable to candidate A, that stack is set aside and run through again and again during the night, skewing the results and tipping it towards Candidate A.
No fancy software hack, "man in the middle attack," or cracking into the vote tally data base.
The Office of Elections sets up security protocols to prevent that possibility from happening. Election observers watch to make sure everything follows the protocols, but in the busyness of the long night and the rotation of the observers, who knows what escapes notice of tired, poorly-trained eyes?
Let's say I have a theory the ballot boxes were "stuffed" just as I laid it out here? Should I just broadcast my claim, based upon the theoretical possibility? Or am I obliged to investigate what safeguards are in place to prevent such an attack?
Because there ARE safeguards. Are they adequate? Are there unseen vulnerabilities? Again, the standards for developing a HUNCH about a security hole SHOULD be relaxed and encourage brainstorming, out-of-the-box thinking. But if you go beyond that and assert as FACT things based upon far-fetched speculation, you add more "noise" than "signal" to the task of safeguarding the integrity of the elections.
I didn't mean that you or I could look up a vote in a computer. But if I bribed someone, could they find out for me how you voted, by looking in the office of elections computer?
I completely agree that these things need to be explored and established, one way or the other. I can raise the question here. The HART scanners we use, at least when they are used elsewhere, do keep scanned images of ballots. The bar code can be read (it would be silly if it couldn't).
As to feeling complacent (I know that's far from what you meant, Bart), remember that Babson won in Babson v. Cronin because the Office of Elections didn't have any administrative rules in place for what they were doing. Now they have rules, but I am not sure that prevention of "man in the middle" attacks happens because you make rules if the rules don't prevent tampering.
At the time the lawsuit was active I did review the administrative rules and discovered that they require testing of each voting machine (if I remember correctly). I learned that instead, the machines were sampled. What's happening today? I don't know. I wrote about a possible bad machine when I went in to vote during the primary. The poll worker showed no interest in keeping an eye on the machine and asserted it was fine, though it had rejected two perfectly good ballots in a row. I had to find someone else who committed to checking on the machine.
And then there is the issue of machines and supplies being delivered to polling places on Maui ahead of time and standing unguarded (Sept. 28, article is here). In that article I linked to another that related to reprogramming of a voting machine at a polling center (Sept. 20, here).
Stuff happens, if no one questions what's going on. It doesn't have to be with nefarious intent. Machine errors could simply cost you your vote, for example, without a cadre of Republicans being behind it.
Oh, again going back in time, when the HART slates were used for the first time, I used one to vote just to try it out. I did detect a programming error in it. I could see the error on the screen, but I wonder if a blind person would have been able to catch it.
You wrote: "I can raise the question here." And the question is: "...if I bribed someone, could they find out for me how you voted, by looking in the Office of Elections computer?"
That is a good question to ask. And I do not mean to say the answer is a definitive "no."
But you didn't ask a question in your earlier posting, you wrote as if it were an established fact that a voter's choices could "be easily looked up in a computer." And your comments got picked up by the Honolulu Weekly and broadcast to a broader audience. That's why I got concerned about your unusual lapse of intellectual rigor.
There are so many conspiracy theories plaguing the election integrity movement, undermining its credibility and confusing folks by failing to distinguish between speculations about vulnerabilities and actual, overlooked vulnerabilities.
If folks are going to ask questions about the voting systems--AND THEY SHOULD-- I am hoping they will learn to distinguish between far-fetched hypotheticals and reasonable concerns.
So for this particular question, let's try to find out:
1) Is it possible to determine the number on the ballot from the number from the stub recorded at the polling place when the ballot was issued? (Good question).
2) Is it possible to retrieve a ballot image if we know its unique identifier number?
3) If the steps to assemble this information are theoretically possible, what steps have been taken to ensure the security of the information?
In any security review, you HAVE to factor in the value of the item (or information) being secured versus the costs of the counter-measures taken to secure it AND the value of the item (info) to a person trying to overcome the safeguards put in place.
Consider my family home. When I leave, I lock all the doors and close the jalousies. If a burglar is determined to get into the house, he can break a window, slit a screen and get inside. What is the value of items he can steal? I guess if he has a huge truck, he can haul away all the furniture, but otherwise, there may be items worth a couple thousand dollars. At replacement cost to me. If he tries to sell them, he might get a few hundred dollars.
I can spend many thousands of dollars securing the house better. Install an alarm system, pay a monthly fee to an alarm company. Heck, I can hire armed guards. But your question would still be valid: "If I were to bribe a security guard, could I get into Bart's house?"
OTOH, if the unique identifier number on the ballots cannot be used to "easily" determine a specific voter's choices, but are an effective safeguard against the same ballots being read twice, which I assert is a pretty easy way to distort election results either intentionally or through carelessness, then the value of such a number might far outweigh the hypothetical risk for which there appear to be ADEQUATE safeguards.
But let's ask the questions, even the ones which might appear to be "far-fetched" or "hypothetical." Then let's consider the answers before jumping to conclusions. Heck, that's how human knowledge in any field moves forward.
I did check, though not yet with the Chief Elections Officer. The answers I got from people at the polling place (I know, not the best authorities) were along the lines that the ballots are kept locked up, so your vote is secret.
Yes, this can be nailed down and should be. I don't disagree with you.