Four ballot privacy concerns

Background

The Humboldt County Election Transparency Project (ETP) is a cooperative effort on the part of the Humboldt County Elections Office and local volunteers. After each election, the ETP volunteers use a high-speed general-purpose office document scanner to scan digital images of all the voted paper ballots. These images are then published and made available on DVD and on the Internet. Public citizens can acquire the images and use publicly available open source software to count the vote. The ETP is considered an election audit technology intended to increase citizen confidence in the election process.

This article introduces and discusses four ballot privacy concerns related to the whole-scale publishing of images of voted ballots. The ETP may be the first ever project to engage in such whole-scale publication. The ETP may therefore introduce ballot privacy concerns that have not been rigorously considered and examined.

Two of the four concerns introduced in this article were discovered by citizens from the Humboldt County Voter Confidence Committee (VCC). The VCC is an independent citizen watchdog group that monitors election integrity issues. According to VCC member Jon Koriagin, the VCC was formed in 2005.

Prior to implementation, the plans for ETP were developed and discussed at the monthly meetings of a group called the "Humboldt Election Advisory Committee" (HEAC). There is no agreed upon, written description of the nature and purpose of the HEAC. It might be accurate to think of the group as an ad-hoc discussion group that functions as a sounding board for County Registrar of Voters, Carolyn Crnich. According to Dave Berman, a former member of the VCC, the HEAC began meeting in January 2006.

I began attending meetings of the VCC in January or February of 2008, around the time of the California Presidential primary elections. In March or April of 2008, Dave Berman, who was at that time a member of the VCC, invited me to attend the meetings of the HEAC. In April or May of 2008 I was invited by the Elections Office and the other ETP volunteers to contribute to the implementation of the ETP. I am also the only person who regularly attends the meetings of both the VCC and the HEAC.

The ETP has now scanned and published ballot images from the June 2008 and November 2008 elections. We expect to scan and publish ballot images from the upcoming May 2009 election.

Four Ballot Privacy Concerns

The four ballot privacy concerns discussed in this article are:

• the Write-In Recognition concern
• the Libertarian Ballot concern
• the Secret Squiggle concern
• the DAU Duplicate concern

Write-In Recognition Concern

A person's hand-writing or hand-printing style can be very distinctive. If Alice votes for a write-in candidate, Alice's friends may be able to manually search through ballot images published by the ETP and identify her ballot by identifying her hand-writing style. Consequently Alice's friends would discover all her votes on that ballot. Many precincts have 300 or fewer ballots, so the set of images that would need to be searched is not unmanageably large.

The Write-In Recognition concern is fairly obvious. I believe I remember the HEAC discussing the concern, together with the possibility of digitally obscuring the hand-written markings of write-in votes. I do not remember the HEAC discussion ever reaching a resolution, and as the HEAC does not keep written records of its proceedings, I cannot report definitely on what if anything was decided. In practice, the ETP published verbatim copies of the hand-written markings of all write-in votes from the November 2008 county supervisor race, in which one of the candidates was a write-in candidate.

Libertarian Ballot Concern

In primary elections there are different ballot types for each party. (There may also be non-partisan ballot types.) In addition to the Republican and Democratic parties, there are also a number of third-parties such as the Libertarian Party. Third-party ballots are (sometimes if not always) clearly labeled as such. Additionally, they may contain party-specific races that would also identify the ballot type.

If only one Libertarian votes in a given precinct, then the ballot images for that precinct will contain only one image of a Libertarian ballot. Anyone who knows the identity of the Libertarian voter will be able find the single Libertarian ballot from that precinct and will therefore be able to determine how that Libertarian voted on all ballot issues - including non-partisan issues. Additionally, anyone who has access to the voter signature roster from that precinct will be able to learn the identity of the Libertarian voter at any point in time after the election, as the voter signature roster states the party affiliation of every voter.

Jon Koriagin of the VCC says the Libertarian Ballot concern is "somewhat severe in Humboldt County" as "a very large number of precincts... contain about 1-4 Libertarians or other 3rd parties, which is almost as bad as having only 1." I believe Jon's figures are for registered third-party voters, not for actual turnout. (I have asked for clarification on this point.) If turnout is low among third-party voters, privacy is obviously decreased, unless of course no third-party voters turn out at all. The June 2008 election was a primary election, with third-party ballot types, and the ETP published images of all the ballots from that election.

The Libertarian Ballot concern was discovered after the November 2008 election by Ernie Stegeman and Jon Koriagin of the VCC and communicated to me in January 2009. To the best of my knowledge, prior to the publication of this article the HEAC was not aware of this concern.

Secret Squiggle Concern

Prior to implementing the ETP, the HEAC considered cases of hidden identifying marks on ballots. As best I can remember, the consensus (as of April or May 2008) was that if Alice wanted to place a mark on her ballot in order to identify the image of her ballot to herself, she was free to do so. The HEAC did not consider such a mark to be a prohibited identifying mark, as it would not necessarily identify Alice's ballot to anyone else.

As the HEAC does keep any written records of its proceedings, it is unknown who, exactly, contributed to this consensus finding. It is also unknown whether or not there were any dissenting opinions regarding the significance of hidden identifying marks.

To the best of my knowledge, the HEAC has never considered cases where some person other than the voter places a covert identifying mark (a "Secret Squiggle") on a voter's ballot. As the HEAC does not keep any written records of its proceedings, I cannot verify that the HEAC has never considered these cases.

Let us look at an example: Consider the case where Alice votes by mail and Bob has access to Alice's ballot before she votes and returns the ballot. Perhaps Alice and Bob live in the same house or apartment. If Bob covertly places a secret squiggle on Alice's ballot before she votes, Bob can later identify the published image of her ballot and thereby learn how Alice voted.

Please note that the Secret Squiggle case is different from the case in which Bob forces Alice to vote according to Bob's preferences. The Secret Squiggle case is also different from other cases in which Alice knows Bob will be able to see her voted ballot, either before or after it is returned via mail. In the case of the Secret Squiggle, Alice believes her vote will be kept secret, and Alice would be surprised to learn that Bob can discover how she voted.

Some have objected that vote counting machines would notice a Secret Squiggle, perhaps considering it to be a stray mark, and would therefore reject any ballot that contained a Secret Squiggle. At least in Humboldt County, this is not the case. As long as the Secret Squiggle is sufficiently far away from any of the voting opportunities, the AccuVote/GEMS system currently used here will accept the ballot, regardless of the presence of the Secret Squiggle.

The Secret Squiggle concern was identified, possibly months or years ago, by Ernie Stegeman of the VCC. Ernie communicated it to me in January 2009.

DAU Duplicate Concern

In Humboldt County, most voters vote on hand-marked paper ballots that are then counted by Diebold/Premier AccuVote/GEMS machines. However, some voters may not be able to mark paper ballots without assistance. Humboldt therefore provides the option of voting on more sophisticated Hart-InterCivic eSlate machines. The eSlate is a Disabled Accessible Unit (DAU). Historically in Humboldt County, very few votes have been cast on eSlate machines. In the average election, most eSlate machines go unused; those eSlates that record votes often record only a single ballot from a single voter.

The VCC has raised the issue of voter privacy with single ballots being cast on eSlate machines. The county Registrar of Voters has responded that:

1. While the Elections Office can see how the votes on the single ballot were cast, the Elections Office has no information regarding the identity of the particular voter who chose to cast his or her ballot via the eSlate. All voters sign the roster, and the roster does not indicate whether the voter chose to vote via paper ballot or via eSlate.


2. The poll workers, who may know the identity of the eSlate voter, are in turn not privy to the ballot cast on the eSlate. This is because the eSlate does not print out a poll tape at the precinct. (The AccuVote machines that count the precinct voted paper ballots do print such a poll tape at the precinct.)

Now consider what happens to the electronic eSlate ballot (which is also recorded privately on a voter verified paper audit trail device). The day after the election, the Elections Office duplicates the electronic eSlate ballot onto a paper AccuVote ballot that can be counted by the AccuVote machines. Standard procedure when making duplicate ballots is to stamp them with the word "duplicate" in red ink.

Now consider the following: Alice votes in Precinct X. Moreover, Alice chooses to vote on the eSlate machine and Alice is the only voter to do so. Bob is a poll worker in Precinct X and Bob knows Alice is the only voter to vote on the eSlate. Alice's ballot is later duplicated and the copy is added to the AccuVote ballots from Precinct X. These AccuVote ballots are then scanned and published by the ETP. Note that Alice's duplicate ballot will be the only precinct-voted ballot from Precinct X with a big red "duplicate" stamped on it. All Bob needs to do to find Alice's ballot is search through the Precinct X ballot images published by the ETP until he finds the one Precinct X ballot with a big red "duplicate" stamp. Bob has learned how Alice voted.

The DAU Duplicate concern raises two additional concerns that have nothing to do with the ETP:

1. Section 15152 of the California Election Code says that "the ballots for all candidates and ballot propositions voted upon... shall be counted and the results of the balloting made public" at the precinct on election night. Not publishing the poll tape from the eSlate therefore appears to be a violation of the California Election Code.


2. Even if the eSlate poll tape is not available to the poll workers at the precinct on election night, a copy of it can probably be subsequently obtained via a public records request.

The DAU Duplicate concern was discovered by your author in March 2009, and to the best of my knowledge has never been considered by the HEAC.

Mitigation Measures

There are several steps that could be taken to mitigate the above concerns. These mitigation measures are provided off-the-cuff, are not intended as recommendations, and may or may not sufficiently address the identified concerns.

The Write-In Recognition concern could possibly be mitigated by obscuring the hand-written text in the digital image prior to publication.

The Libertarian Ballot concern could possibly be mitigated by not publishing third party ballots in primary elections unless they are present in sufficient numbers to ensure ballot privacy.

The Libertarian Ballot concern and the Secret Squiggle concern could possibly be mitigated somewhat by (a) not publishing all the ballots, and/or by (b) digitally cutting the whole ballot images into separate pieces so that each vote in every race would become a separate image. These single race-vote images could then be shuffled and watermarked such that they could later be reassembled and matched with their source whole ballot images, but only if it was determined to be necessary. The exact details of such a mechanism are beyond the scope of this article.

The DAU Duplicate concern could possibly be mitigated somewhat by forcing more voters to vote on eSlate machines. Cutting whole ballot images into single race-vote images could possibly also provide additional mitigation.

Thus far the ETP has published images of every ballot, exactly as scanned. Most of the above possible mitigations would require abandoning the purity of this practice.

Conclusion

This article introduces and discusses four ballot privacy concerns related to the Humboldt County Election Transparency Project (ETP). Three of these concerns were clearly identified only after the ETP had been implemented and had published ballot images from two separate elections. The complexity of the ballot privacy issues created by the ETP may not have been fully appreciated prior to implementation. These concerns may merit additional consideration and possibly unspecified changes to the operational procedures of the ETP.