Voter-verified paper audit trail

Election technology
Terminology
Testing
Technology
Manufacturers

Voter-verified paper audit trail (VVPAT) or verified paper record (VPR) is a method of providing feedback to voters using a ballotless voting system. A VVPAT is intended as an independent verification system for voting machines designed to allow voters to verify that their vote was cast correctly, to detect possible election fraud or malfunction, and to provide a means to audit the stored electronic results.

The VVPAT offers some fundamental differences as a paper, rather than computer memory, recording medium when storing votes. A paper VVPAT is readable by the human eye and voters can directly interpret their vote. Computer memory requires a device and software which potentially is proprietary. Insecure voting machine[1] records could potentially be changed quickly without detection by the voting machine itself. It would be more difficult for voting machines to corrupt records without human intervention. Corrupt or malfunctioning voting machines might store votes other than as intended by the voter unnoticed. A VVPAT allows voters the possibility to verify that their votes are cast as intended and can serve as an additional barrier to changing or destroying votes.

The VVPAT includes a direct recording electronic voting system (DRE), to assure voters that their votes have been recorded as intended. It is intended, and some argue necessary, as a means by which to detect fraud and equipment malfunction. Depending on election laws the paper audit trail may constitute a legal ballot and therefore provide a means by which a manual vote count can be conducted if a recount is necessary. The solution was first demonstrated (New York City, March 2001) and used (Sacramento,CA 2002) by AVANTE International Technology, Inc..

In non-document ballot voting systems – both mechanical voting machines and DRE voting machines – the voter does not have an option to review a tangible ballot to confirm the voting system accurately recorded his or her intent. In addition, an election official is unable to manually recount ballots in the event of a dispute. Because of this, critics claim there is an increased chance for electoral fraud or malfunction and security experts, such as Bruce Schneier, have demanded voter-verifiable paper audit trails.[2] Non-document ballot voting systems allow only a recount of the "stored votes." These "stored votes" might not represent the correct voter intent if the machine has been corrupted or suffered malfunction.

A fundamental hurdle in the implementation of paper audit trails is the performance and authority of the audit. Paper audit systems increase the cost of electronic voting systems, can be difficult to implement, often require specialized external hardware, and can be difficult to use. In the United States, 27 states require a paper audit trail by statute or regulation for all direct recording electronic voting machines used in public elections.[3] Another 18 states do not require them but use them either statewide or in local jurisdictions.[4]

Contents

VVPAT application

Various technologies can be used to implement a paper audit trail.

Systems that allow the voter to prove how they voted are never used in U.S. public elections, and are outlawed by most state constitutions. The primary concerns with this solution are voter intimidation and vote selling.

Dr. Rebecca Mercuri, the creator of the VVPAT concept (as described in her Ph.D. dissertation in October 2000 on the basic voter verifiable ballot system), proposes to answer the auditability question by having the voting machine print a paper ballot or other paper facsimile that can be visually verified by the voter before being entered into a secure location. Subsequently, this is sometimes referred to as the "Mercuri method".

Professor Avi Rubin has testified in front of the United States House Committee on House Administration in favor of voting systems that use a paper ballot and disfavoring systems that use retrofitted VVPAT attachments. He has said on his personal blog that "after four years of studying the issue, I now believe that a DRE with a VVPAT is not a reasonable voting system."[5]

An auditable system, such as that provided with VVPAT, can be used in randomized recounts to detect possible malfunction or fraud. With the VVPAT method, the paper ballot can be treated as the official ballot of record. In this scenario, the ballot is primary and the electronic records are used only for an initial count or, in some cases, if the VVPAT is damaged or otherwise unreadable. In any subsequent recounts or challenges the paper, not the electronic ballot, would be used for tabulation. Whenever a paper record serves as the legal ballot, that system will be subject to the same benefits and concerns of any paper ballot system.

Matt Quinn, the developer of the original Australian DRE system, believes that in the future there should be a, "There's no reason voters should trust a system that doesn't have it, and they shouldn't be asked to. Why on earth should [voters] have to trust me – someone with a vested interest in the project's success? A voter-verified audit trail is the only way to 'prove' the system's integrity to the vast majority of electors, who after all, own the democracy."[6]

Challenges and concerns with VVPAT

Common problems

Commonly VVPAT problems are: 1) Video of voter behavior during an actual election revealed that most voters do not "verify" their choices by reading the VVPAT. 2) A manual VVPAT recount/audit is labor intensive and expensive, and likely unaffordable to most candidates seeking it. 3) And while VVPAT is designed to serve as a check on DRE (Direct Recording Electronic) vote recorders, it relies on the same proprietary programming and electronics to produce the audit trail. Other hurdles in the implementation of paper audit trails include the performance and authority of the audit. Paper audit systems increase the cost of electronic voting systems, can be difficult to implement, often require specialized external hardware, and can be difficult to use. In the United States 27 states require a paper audit trail by statute or regulation for all direct recording electronic voting machines used in public elections.[3] Another 18 States don't require them but use them either statewide or in local jurisdictions.[4]

Security concerns

The introduction of malicious software into a VVPAT system can cause it to intentionally misrecord the voter's selections. This attack could minimize detection by manipulating only a small percentage of the votes or for only lesser known races.[7]

Another security concern is that a VVPAT could print while no voter is observing the paper trail, a form of ballot stuffing.[8] Even if additional votes were discovered through matching to the voters list, it would be impossible to identify legitimate ballots from fraudulent ballots.

Alternatively the printer could invalidate the printed record after the voter leaves and print a new fraudulent ballot. These ballots would be undetectable as invalidated ballots are quite common during elections.[9] Also, VVPAT systems that are technically able to reverse the paper feed could be open to manipulated software overwriting or altering the VVPAT after the voter checks it.

Usability and ergonomic concerns

For the voter the printed record is "in a different format than the ballot, in a different place, is verified at a different time, and has a different graphical layout with different contrast and lighting parameters." [10] In November 2003 in Wilton, CT, virtually all voters had to be prompted to find and verify their receipt, increasing the time required to vote and the work for the pollworkers. The VVPAT adds to the complexity of voting, already a deterrent to voting.[10]

In addition, a VVPAT component may not be easily usable by poll-workers, many of whom are already struggling with DRE maintenance and use and new elections law requirements. In the 2006 primary election in Cuyahoga County, Ohio, a study found that 9.6 percent of the VVPAT tapes were either destroyed, blank, illegible, missing, taped together or otherwise compromised. In one case the thermal paper was loaded into the printer backwards leaving a blank tape [11] [12], which was not realized by voters who couldn't verify the paper trail. The Cuyahoga Election Review Panel proposed in its final report to remove the opaque doors covering the VVPAT except the ones equipped with equipment for blind voters.[13] In general collecting and counting these printed records can be difficult.[10]

Records printed on continuous rolls of paper is more difficult than counting standard paper ballots or even punch cards.[10]

Privacy concerns

DRE VVPAT systems that print the ballot records out in the order in which they were cast (often known as reel-to-reel systems) raise privacy issues, if the order of voting can also be recorded. VVPAT printers that cut the paper after each ballot to form individual ballots can avoid this concern. Many jurisdictions also record the order in which voters vote, thus possibly compromising the secrecy of the vote. If there are multiple voting machines it would be more difficult to match between the full voter list and the VVPATs.

Alternatively, an attacker could watch the order in which people use a particular voting system and note the order of each particular vote he is interested in. If that attacker later obtains the paper ballot records she could compare the two and compromise the privacy of the ballot. This could also lead to vote selling and voter intimidation.[14]

In 2007, Jim Cropcho and James Moyer executed and publicized a proof of concept for this theory. Via a public records request, the two extracted voter identification from pollbooks, and voter preference from VVPATs, for a Delaware County, Ohio precinct with multiple voting machines. Because both sets of records independently established the order of electronic ballots cast, they directly linked a voter's identification to his or her preference.[15] Over 1.4 million registered voters in ten Ohio counties were affected. The situation was resolved before the next election by omitting the consecutive numbers on Authority To Vote slips from pollbook records. However, similar vulnerabilities may still exist in other states.

Effectiveness concerns

Also problematic is that voters are not required to actually check the paper audit before casting a ballot, which is critical to "verifying" the vote. While the option to look at the paper may provide comfort to an individual voter, the VVPAT does not serve as an effective check on malfunction or fraud unless a statistically relevant number of voters participates.

Accessibility concerns

Current VVPAT systems are not usable by some disabled voters. Senator Christopher Dodd (D-CT) testified before the United States Senate Committee on Rules and Administration at a June 2005 hearing on Voter Verification in Federal Elections "The blind cannot verify their choices by means of a piece of paper alone in a manner that is either independent or private. Nor can an individual who has a mobility disability, such as hand limitations, verify a piece of paper alone, if that individual is required to pick up and handle the paper."[16]

Reliability concerns

VVPAT systems can also introduce increased concern over reliability. Professor Michael Shamos points out that "Adding a paper printing device to a DRE machine naturally adds another component that can fail, run out of ink, jam or run out of paper. If DREs are alleged already to be prone to failure, adding a paper trail cannot improve that record."[17] In Brazil in 2003, where a small number of precincts had installed paper trails, failure of the printers delayed voters by as much as 12 hours, a figure that would be catastrophic in the U.S.[18]

Current implementation of VVPAT systems use thermal printers to print their paper ballot records. Ballot records printed on the thermal paper will fade with time. Also, heat applied to the paper before or after the election can destroy the printing.[10]

Implementation concerns

It can be significantly more difficult to implement a VVPAT as an after-the-fact feature. For jurisdictions currently using direct recording electronic voting machines that lack a VVPAT, implementation can be expensive to add and difficult to implement due to the specialized external hardware required. To add a VVPAT component to a DRE machine, a jurisdiction would be required to purchase the system designed by the vendor of the DRE machine with a no bid, sole source purchase contract. That assumes the vendor has designed a component that is compatible with the DRE machine in use. The vendor may not have developed a VVPAT component that is compatible with the DRE machine in use, thus requiring the jurisdiction to purchase an entirely new voting system.

For jurisdictions not currently using direct recording electronic voting machines, the introduction of a new voting system that includes a VVPAT component would have less implementation challenges.

Some implementations of the VVPAT place a high cognitive burden on the voter and are extraordinarily error prone.[19]

Legal questions

One important question of VVPAT systems is when should an audit be performed? Some have suggested that random audits of direct recording electronic voting machines be performed on Election Day to protect against machine malfunction. However, the partial tallying of votes before the polls have closed could create a problem similar to the occurrence in American national elections where a winner is declared based on East Coast results long before polls have closed on the West Coast. In addition, the partial tallying of votes before the polls have closed may be illegal in some jurisdictions. Others have suggested that random audits of direct recording electronic voting machines be performed after the election or only in the event of a dispute.

In the event an audit is performed after the election and a discrepancy is discovered between the ballot count and the audit count it is unclear which count is the authoritative count. Some jurisdictions have statutorily defined the ballot as the authoritative count leaving the role of an audit in question. Because VVPAT is a recent addition to direct record voting systems the authority question remains unclear.

Examples

Several voter verifiable audit trail systems exist. They include:

See also

References

  1. ^ See page 3 of: Ariel J. Feldman, J. Alex Halderman and Edward W. Felten (September 13, 2006) (PDF). Security Analysis of the Diebold AccuVote-TS Voting Machine. Princeton University Center for Information Technology Policy. http://itpolicy.princeton.edu/voting/ts-paper.pdf. 
  2. ^ Schneier, Bruce (November 10, 2004). "The Problem with Electronic Voting Machines". http://www.schneier.com/blog/archives/2004/11/the_problem_wit.html. Retrieved 2006-12-22. 
  3. ^ a b See: "Voter-Verified Paper Record Legislation". Verified Voting Foundation. December 21, 2006. http://www.verifiedvoting.org/article.php?list=type&type=13. Retrieved 2006-12-22. 
  4. ^ a b Forbes.com: Paper Jams a Problem for Electronic Voting
  5. ^ Today's Congressional hearing, March 7, 2007 from Avi Rubin's blog
  6. ^ Zetter, Kim (November 3, 2003). "Aussies Do It Right: E-Voting". Wired News. http://www.wired.com/techbiz/media/news/2003/11/61045. Retrieved 2011-08-17. 
  7. ^ VVPR Attack with Misprinted VVPAT, David L. Dill October 2, 2003
  8. ^ Paper Trail Manipulation I, Professor Michael Ian Shamos October 5, 2005
  9. ^ Paper Trail Manipulation II, Professor Michael Ian Shamos October 5, 2005
  10. ^ a b c d e Selker, Ted; Goler, Jon (April 2004) (PDF), Security Vulnerabilities and Problems with VVP, Caltech/MIT Voting Technology Project / NIST, http://vote.nist.gov/threats/papers/vvpt.pdf, retrieved 17 August 2011 
  11. ^ Hertzberg, Steven, ed. (2006) (PDF), DRE Analysis for May 2006 Primary Cuyahoga County, Ohio, San Francisco, CA: Election Science Institute, http://votingindustry.com/TabulationVendors/1stTier/Diebold/esi_cuyahoga_final.pdf, retrieved 17 August 2011 
  12. ^ Fessler, Pam (September 13, 2006). "Problems Found in Ohio Computer Voting". National Public Radio. http://www.npr.org/templates/story/story.php?storyId=6069712. Retrieved 2007-02-04. 
  13. ^ Cuyahoga Election Review Panel (20 July 2006), Final Report, Cuyahoga County, OH, p. 50, http://urban.csuohio.edu/cei/public_monitor/CERP_Final_Report_20060720.pdf, retrieved 17 August 2011 
  14. ^ Wack, John (2005), Threat to voter privacy with voter verified paper audit trail voting systems using spooled paper rolls, NIST, http://vote.nist.gov/threats/papers/spooledpaper.pdf, retrieved 17 August 2011 
  15. ^ McCullagh, Declan (20 August 2007). "E-voting predicament: Not-so-secret ballots". CNET News. CNET. http://news.cnet.com/E-voting-predicament-Not-so-secret-ballots/2100-1014_3-6203323.html. Retrieved 17 August 2011. 
  16. ^ Hearing on Voter Verification in Federal Elections, 109th Cong. (2005). testimony of Senator Christopher Dodd. Retrieved February 3, 2007, from Senate Rules website.
  17. ^ Michael Shamos (April 2004) (PDF). Paper v. Electronic Voting Records – An Assessment. http://www.cfp2004.org/program/materials/p12-shamos.pdf. Retrieved 2007-02-03. 
  18. ^ Mira, Leslie, "For Brazil Voters, Machines Rule," Wired News, January 24, 2004.
  19. ^ Warren, Stewart. VoteTrustUSA. Eminent Computer Scientist Criticizes ES&S "Real Time Audit Log". June 21, 2006.

External links

Research

Advocacy and commentary