Four ballot privacy concerns - Kevin Collins responds

i believe carolyn crnich's response at the last heac meeting addressed the dau as a hypothetical privacy problem.
at that meeting she pointed out that duplicate ballots are generated for a variety of reasons other than the disabled voters duplicated ballot, thereby creating multiple ballots that help in protecting the voters anonymity. I believe she has said in the past, that poll workers are instructed to use the e-slate themselves or encourage another voter or two to do so , should they have had only one disabled voter at a precinct by the end of the day. This is an additional protection with regard this issue

a secret squiggle, an extorted or purchased ballot, the single libertarian ballot, et al. are all hypothetical possibilities

but they are also possible with a publicly viewed hand count, or even more readily with absentee balloting
my dad told me that in this life, nothing is 100% ,
nothing is perfect amongst the affairs of mankind

the question is -- what is the cost/ benefit ratio
the question is --how real are these hypothetical bogeymen, and do they necessitate abandoning benefits otherwise derived
where is the evidence that we need a photo id to prevent voter registration fraud?
i am sure it exists, but to what extent?
Apparently, from what I have read, it is extremely rare in the real world
where is the evidence that vote buying and coercion is of such a magnitude that we need to eliminate absentee voting?
is it of such a magnitude that the perceived benefit of increased voter turnout with vote by mail/absentee should be eliminated?
what is the evidence that parke's four privacy concerns necessitate abandoning a methodology that allows for the open and public count of all votes in such a fashion as to make the potential of computer voting fraud on a widespread and undetectable fashion extremely difficult?
it is also a method that would render routine operator errors detectable

the hypothetical problems can accumulate and stack up as high as the empire state building
what if this?
what if that?
what if everyone in the empire state building had to use the bathroom at the same time?
or the elevator?
do we design for those hypotheticals?


I don't think parke's list is near exhaustive enough
I note that in one comment to his blog on this subject another hypothetical bogeyman lurks-that of pattern voting
I followed the link to the description of this problem
After a rather complex mathematical description of the problem
the article concludes that the " only choice for traditional systems is secret counting"

there certainly is no more traditional vote system than a voter hand marked paper ballot


if the answer to all of these concerns is less transparency, more secretive counting
then I feel we will have lost our bearings in the deluge of academic and hypothetical bogeymen


This is, I think, the crux of this issue

If we are to shine a light on the counting of ballots I prefer a bright light by which all can read

ballots that are redacted, blurred, obscured, or in any other way altered I feel is movement in the wrong direction


I believe that in any choice between greater transparency and less transparency
we should always come down on the side of greater transparency

kevin collins

volunteer humboldt county election transparency project

And now, here are Kevin's comments repeated a second time, with my own responses inserted as appropriate.

i believe carolyn crnich's response at the last heac meeting addressed the dau as a hypothetical privacy problem.
at that meeting she pointed out that duplicate ballots are generated for a variety of reasons other than the disabled voters duplicated ballot, thereby creating multiple ballots that help in protecting the voters anonymity.

As I remember it, the "variety of reasons" included primarily that the machines would erroneously reject some ballots that they had previously (successfully?) counted, necessitating that those now rejected ballots be hand duplicated by elections office staff prior to recounting. I believe voter privacy should not depend primarily on a high machine error rate. Nor should it depend on other events that may happen in unlikely circumstances. Voter privacy should be designed into the system.

I believe she has said in the past, that poll workers are instructed to use the e-slate themselves or encourage another voter or two to do so , should they have had only one disabled voter at a precinct by the end of the day. This is an additional protection with regard this issue

Poll workers do not always work and vote at the same precinct. Poll workers do not always wait until the end of the day to vote.

In the past, and possibly only for a single election, poll workers were instructed to suggest to voters that at least 5 vote on each eSlate electronic voting machine. That was the first election the eSlates were used, and I believe the election was in 2006. I became a poll worker in 2004. I worked that election in 2006. I remember the arrival of the eSlates. I worked at Sacred Heart Church just outside of Eureka, there were two precincts at that location and the other precinct had the eSlate machine. The four workers at my precinct were quite happy that the other precinct was responsible for suggesting that its voters not use hand marked paper ballots but instead use the eSlate. I cannot say with 100% certainty that none of my precinct's voters voted on the eSlate, but my suspicion is at most two voters from my precinct did so.

This raises a related concern. Multiple precincts often share a common polling location, and thus they share a common eSlate. If 20 voters from precinct A and only 1 voter from precinct B vote on the same eSlate, the 20 voters provide no privacy to the 1 voter, as duplicate ballots will be generated separately for each precinct, and the precinct of origin will be clearly labeled on the duplicate ballot. Thus, there will be only 1 duplicate ballot from precinct B (barring any of the randomly generated duplicate ballots discussed above).

I believe the "poll tape" results from each eSlate are a public record, obtainable via a public records request. So this privacy concern exists entirely independently of the ETP.

For the February, June and November 2008 elections I was an election observer at the election office as results were being tabulated. I observed that the vast majority (possibly over 90%) of eSlates returned to the election office had zero votes cast on them. I believe those eSlates with cast votes often only had a single vote. So I have trouble believing that it is still current practice to encourage a small number of voters to vote on every eSlate.

In any case, the burden of proof rests with Registrar Crnich. At the ad-hoc Humboldt Election Advisory Committee meeting mentioned by Kevin, I commented that I believed Crnich would have hard numbers documenting the number duplicate ballots created for each precinct, as the ballot duplication process is heavily logged. If Crnich really wants to refute my concern, all she needs do is produce those numbers for the three elections of 2008. I am always happy to receive and consider written documentation backing up any claims made by Registrar Crnich. I am disinclined to issue a series of public records requests to attempt to secure such evidence on the off-chance that it will refute my concern.

a secret squiggle, an extorted or purchased ballot, the single libertarian ballot, et al. are all hypothetical possibilities

At this point in time, the secret squiggle concern is indeed probably only a hypothetical concern. But the public is still largely unaware of the exact nature and operation of the ETP, and therefore also unaware of the secret squiggling opportunities it affords.

I suspect the Libertarian ballot concern is very real, as the June 2008 election was a partisan primary election with Libertarian and other third party ballots. It was also an election with very low turnout.

The extorted or purchased ballot is the result of a privacy attack, not the means of conducting such an attack.

but they are also possible with a publicly viewed hand count,

Such attacks are possible with a publicly viewed hand count, but the attacks would be much more difficult, much more obvious and therefore much riskier to implement. The time window for such an attack during a publicly viewed hand count is also limited and small, instead of indefinite. The government would not assist with the facilitation of such an attack in a public hand count, whereas the ETP allows a single person to conduct such an attack, in relative secrecy and with very little chance of detection.

... or even more readily with absentee balloting

The single Libertarian ballot concern is not enabled by absentee balloting.

my dad told me that in this life, nothing is 100% ,
nothing is perfect amongst the affairs of mankind

the question is -- what is the cost/ benefit ratio
the question is --how real are these hypothetical bogeymen, and do they necessitate abandoning benefits otherwise derived

The question is not only: what is the cost/benefit ratio? The question is much broader. The real question is: what is the metric or metrics you are using to measure the various cost/benefit ratios involved?

Secret ballot elections have inherently conflicting goals. Among them are accuracy, transparency, integrity and privacy. Deciding how to conduct elections is therefore a balancing act between mutually competing goals.

where is the evidence that we need a photo id to prevent voter registration fraud?
i am sure it exists, but to what extent?
Apparently, from what I have read, it is extremely rare in the real world where is the evidence that vote buying and coercion is of such a magnitude that we need to eliminate absentee voting?
is it of such a magnitude that the perceived benefit of increased voter turnout with vote by mail/absentee should be eliminated?

My concerns are not about vote buying and vote coercion. Rather, my concerns are about the identity of voters' ballots being disclosed, thereby violating voters' reasonable expectation of ballot secrecy.

what is the evidence that parke's four privacy concerns necessitate abandoning a methodology that allows for the open and public count of all votes in such a fashion as to make the potential of computer voting fraud on a widespread and undetectable fashion extremely difficult?

First off, I have never proposed "abandoning" the methodology, I have only proposed modifying it. And even that is not my primary purpose. My primary purpose is simply to ask, "how significant are these concerns, and have they been properly considered?"

Additionally, the ETP could be used to publish sham ballot images, and therefore reinforce public confidence in a crooked election. Yes, this would be difficult.

The primary value I see in the ETP is as a second, independent count. Furthermore, the ETP is based on open source technologies which local activists can examine and understand. The ETP can also be easily audited, or made more transparent post-facto in any given election in a controlled manner on an as needed basis. All these benefits exist even without ballot image publication. In my opinion, ballot publication is a relatively minor benefit.

Moving on, whether there is sufficient evidence to merit changes in methodology depends on at least two criteria:

1. Are you willing to consider hypothetical attacks, or only attacks that have been proven to have actually occurred?
   
   
2. What metric or metrics are you using to evaluate the seriousness of the concerns and the various cost/benefit ratios involved?

The entire premise of the Election Transparency Project was based on hypothetical concerns with the integrity of secret, proprietary vote counting machines used around the world, throughout the United States, and in here Humboldt County since at least 1995. Prior to December 2008, Registrar Crnich publicly postured great confidence in the accuracy of the Diebold/Premier GEMS system. In December of 2008, our hypothetical concerns were substantiated. So it seems eminently reasonable to consider both hypothetical concerns and historical ones.

As to the second question, I have already pointed out that secret ballot elections inherently contain mutually competing goals. There is no one objective metric by which to measure the cost/benefit ratio. Choosing a proper balance of metrics is a very complicated decision, one that depends heavily on the judgement of the entity making the decision. As Kevin says below, "I believe that in any choice between greater transparency and less transparency we should always come down on the side of greater transparency." So it is clear how Kevin chooses to balance these multiple competing goals. Kevin's stated preference seems to differ from Article 2, Section 7 of the California Constitution which reads in its entirety: "Voting shall be secret."

This raises a third question.

3. Who, thus far, has made these important decisions?

The decision has been made by a single, independently elected executive official, surrounded by a small number of unelected, unappointed, self-selected, very loyal (and admittedly well-meaning and honest) citizen election activists. To my knowledge, there has never been a formal hearing before any legislative body at which critics of the Election Transparency Project could submit their arguments to an impartial decision maker.

It is unknown how clearly the public at large understands the project and its implications. I myself worked on the project for over six months before any ballot privacy concerns became apparent to me. California Secretary of State Debra Bowen is aware of the project and admits she is not in a position to even endorse it. Bowen's office has not responded to my request for comment on these ballot privacy concerns in light of the "secrecy" clause of the California Constitution. Admittedly, I do not have a good point of contact with Bowen's office and I have not followed up at all on my initial email request.

The question is, even if Kevin Collins is right, and "we should always come down on the side of greater transparency", should Registrar Crnich and the volunteers of the Election Transparency Project be the people to make this decision?

it [the ETP] is also a method that would render routine operator errors detectable

The publishing of the ballot images, however, does not significantly increase the opportunity for detecting routine operator errors. For example, the detection of all 3 of the errors in the November 2008 election (2 due to the Diebold/Premier Deck Zero failure, and 1 due to ETP operator error) were not detected via ballot publication.

the hypothetical problems can accumulate and stack up as high as the empire state building
what if this?
what if that?
what if everyone in the empire state building had to use the bathroom at the same time?
or the elevator?
do we design for those hypotheticals?

(Ah, the hyperbole!)

I suspect the Empire State Building has stairwells, for use in the event of hypothetical fires and hypothetical acts of terrorism.

Some hypothetical attacks can be very easy to implement. We should consider these attacks and pick a design that protects the secrecy of the voting process.

I don't think parke's list is near exhaustive enough

The lack of completeness in no way refutes the severity of any of the concerns I have identified. I never claimed my list was exhaustive.

I note that in one comment to his blog on this subject another hypothetical bogeyman lurks-that of pattern voting
I followed the link to the description of this problem
After a rather complex mathematical description of the problem
the article concludes that the " only choice for traditional systems is secret counting"

As I already pointed out in response to that comment by a third party, the ballot images provided by the ETP enable far simpler attacks that require no maths, simply via filling in only three quarters of the voting oval, or placing other intentional stray marks on the ballot. But pattern voting concerns (and the like) are fundamentally different from the ones I am identifying here. Pattern voting happens when the voter, either voluntarily or via coercion, intentionally places marks on his or her ballot that he or she knows will allow third parties to identify the ballot. The concerns I am identifying here are violations of the voter's reasonable (and constitutional) expectation of ballot secrecy.

In closing, I will point out that Kevin declined to even mention the write-in recognition concern.

I will let Kevin have the last word.

there certainly is no more traditional vote system than a voter hand marked paper ballot


if the answer to all of these concerns is less transparency, more secretive counting
then I feel we will have lost our bearings in the deluge of academic and hypothetical bogeymen


This is, I think, the crux of this issue

If we are to shine a light on the counting of ballots I prefer a bright light by which all can read

ballots that are redacted, blurred, obscured, or in any other way altered I feel is movement in the wrong direction


I believe that in any choice between greater transparency and less transparency
we should always come down on the side of greater transparency

kevin collins

volunteer humboldt county election transparency project