How to Secure Elections and Why We should Adopt Risk-Limiting Audits

The mechanics of how elections work have evolved significantly over time. The US has been transitioning away from insecure, paperless electronic #voting systems, which became popular two decades ago, to newer systems involving paper ballots (either hand-marked or machine-marked), which are then tabulated electronically. What happens if the electronic tabulator has been hacked to produce fraudulent results? That’s where Risk-Limiting Audits (RLAs) can save the day, with an efficient random sampling process to compare the paper ballots to their electronic equivalents. Five US states are requiring RLAs in #election2022 and many more are piloting them.

Recently, ACM’s Technology Policy Council released its latest TechBrief on Election Security and Risk-limiting Audits. On October 25, we invited Dan S. Wallach, co-author of the TechBrief and a Rice Scholar at the Baker Institute for Public Policy at Rice University , to host a Reddit Ask Me Anything on the topic. During the AMA, Wallach answered questions about RLAs and, more broadly, #security in the US elections. Here are a few highlights from the Q&A session. The questions and answers have been edited for brevity and clarity.

Why We Should Adopt Risk-limiting Audits

Question: How do you feel about the overall election security of the 2020 presidential race? Do you think there were any significant security gaps that heavily impacted the result?

Dan Wallach: To be absolutely clear, there is no evidence of any tampering with the 2020 presidential election. We have high confidence that the election outcome was correct.

Here’s the crazy part: there’s nothing inconsistent with the above statement and saying that there are a number of security weaknesses in our election systems that we need to improve. We’d love to see more states adopt risk-limiting audits, which would improve our confidence in their elections. Similarly, it’s great that the older generation of paperless electronic voting systems are being replaced with newer machines that use paper ballots. This helps mitigate against the worst risks of malware or tampering with voting systems’ software.

Q: What about the races that were so far off from the pre-election polling? Wouldn’t it make sense to do some sort of audit in those situations?

DW: I’m not an expert in polling, but polls have margins of error, and pollsters often make corrections to their raw polling to compensate for demographic differences between their sampled population and what they anticipate the actual electorate might look like. So, for any given poll, there are a bunch of assumptions baked into the numbers, any of which might turn out to be false. In other words, when an election disagrees with a poll, that can be a surprise, but it’s not an immediate red flag.

That said, many states have laws that allow for automatic recounts when the margin of victory is small enough (typically under 1%). And we recommend that every state adopt risk-limiting audits for all their elections, as a required procedure. In a high-margin race, a risk-limiting audit requires a very small number of samples in order to provide convincing evidence of the correctness of the outcome, so RLAs would be a great thing to adopt.

Advantages of Paper Ballots and RLAs

Q: Given the perceived vulnerabilities of electronic voting machines to remote bad actors, as well as the scalability for one bad actor to affect a large swath of machines, what are your thoughts on just reverting back to an entirely paper system?

DW: The earlier generation of paperless electronic voting systems, adopted in the early 2000s, have been widely studied and have been found to have significant security flaws (examples: California “top to bottom” review in 2007, Ohio EVEREST 2007).

As a consequence, all the new voting machines involve paper in one form or another. The two most popular forms are ballot marking devices, which have some sort of computer interface and produce a printed ballot, and hand-marked paper ballots, which are typically scanned by a computer, often bolted to the top of the ballot box (“precinct count optical scanner”).

The magic of a risk-limiting audit is that it provides an efficient process where a post-election audit can prove, to a desired level of statistical confidence, that any errors in the electronic tabulation are small enough that they don’t change the announced winner of a contest. So, RLAs let us have the efficiency benefits of computers, while still having the security properties that we want from hand tallies, without requiring the slow (and error-prone) process of hand counting.

Q: Several years ago, when Dominion voting machines were first introduced into Georgia, NPR ran an article that associated them with large donations to the Republican party. Why should we trust/not trust Dominion to deliver unadulterated voting results?

DW: For starters, the modern Dominion equipment uses a printed paper ballot. This means that every voter can (and should) take the time to read the paper ballot that the machine produces and, if something is wrong, they can “spoil” their ballot and do it again. This is an important defense against any hypothetical tampering or malware with the software inside the machines.

After that, you’re not being asked to trust machines. You’re being asked to trust process. Those paper ballots travel in ballot boxes that are suitably sealed. Election officials tabulate the paper ballots with election observers and the press watching what they do. Georgia also did a risk-limiting audit during the 2020 election which confirmed the result in the presidential race. (More details: Carter Center report, Georgia SoS’s page)

As you might imagine, there’s a lot more to it than I can summarize in a few paragraphs, but you should have some comfort that the combination of certification & testing, plus the use of the right kinds of policies & procedures, are where we gain confidence in our election systems.

How RLAs work

Q: How is verification that your vote correctly tabulated your choice achieved without giving you proof another person would recognize?

DW: There are a lot of variations on this, so I’m going to assume we’re talking about how Microsoft’s ElectionGuard project would work in the context of a ballot marking device. (I’ve written some of the code being used in ElectionGuard.)

Once the voter finishes specifying their vote, the machine computes an encrypted version of their vote. It’s public key encryption, where the voting machine only knows the public key, so only the election official (or a group of election trustees working together, using a technique called threshold cryptography) can do the decryption.

The voting machine can also compute the hash of that encrypted ballot, and then hand it back to the voter, perhaps on a small receipt printer. Now here’s the fun part: all the encrypted ballots for the entire election will be posted on some public web server somewhere. And you’ll be able to use your receipt and figure out that a ballot matching your hash is right there where it’s supposed to be. And now here’s the crazy fun part: you can add all the encrypted ballots without first decrypting them. This is called an additive homomorphism. Every election observer can compute this same value and compare it to the value that’s ultimately decrypted by the election official, who provides a cryptographic proof that they did the decryption correctly. So, anybody can validate that their encrypted ballot is part of the big total and that the big total was decrypted correctly. But your receipt doesn’t let you sell your vote, since it’s the hash of an encrypted ballot, and that ballot is never individually decrypted. (This paragraph summarizes the “counted as cast” property.)

But wait, you ask, why should I believe that my ballot was correctly encrypted in the first place? Turns out, there are a number of independent ways to prove this. Your paper ballot, which is human readable, includes the hash of your ciphertext below it. A risk-limiting audit would, for each ballot being audited, recompute the encryption of the ballot, based on the human-readable text, and make sure that the hash matches. Ballots that are spoiled aren’t tabulated. That means it’s safe for the election official to decrypt those spoiled ballots. So we could create a process where regular voters and/or trained auditors are allowed to keep copies of spoiled ballots, and we’ll check later on whether the human-readable text matches up with the ciphertext. The cool trick here is that the machine doesn’t know which ballots will be cast and which will be audited, so if it’s going to cheat, it needs to cheat before it knows whether it might be caught. This is called a Benaloh challenge. Josh Benaloh is also, not coincidentally, one of the designers behind 微软 ’s ElectionGuard.

Q: Are the machines ever randomly subjected to a forensic level audit to ensure the machine operated as it should? Ultimately who is accountable for ensuring the machine operated as it should? Are there any consequences of a machine that didn’t operate as it should for the person or entity responsible for its operation? Are the machines connected to some kind of live operations center for real-time monitoring?

DW: It’s exceptionally difficult (read: expensive, time consuming) to do a forensic audit of the sort you’re describing, and the adversary has an advantage in this game because they could potentially engineer their malware to erase itself after the election is over.

The goal of RLAs and other kinds of election auditing procedures is to achieve a property called software independence, such that we can gain confidence in the correct outcomes of an election without requiring any confidence that the software is correct.

Q: Two questions: first, what reasonable questions about election security can or should be raised for elections with fully paper ballots? What about those without? Second, are there any major real-world known cases of voting machine interference that have affected a democratic outcome, in the U.S. or elsewhere?

DW: Risk-limiting audits (the topic of this thread) are all about how to improve security with paper ballots. So, a reasonable question for someplace that has paper ballots is “when are you going to do RLAs?”

Without paper ballots, we’re back in the world of paperless electronic voting systems, which have been shown to have a variety of security vulnerabilities (discussed elsewhere in this Reddit). So, a reasonable question for someplace that has paperless electronic voting systems is “when are you going to retire these machines and what’s the plan to replace them?”

I’m not aware of any systematic voting machine election interference, at least in any U.S. election in anything resembling the modern era. If you go back far enough in time, you get plenty of well-documented messy elections. The story of “Landslide” Lyndon Johnson’s victory in the 1948 Texas Senate Race is pretty amazing.

Exploring Other Alternatives

Q: Why don’t we require all electronic voting to be done with open-source hardware and software for true end-to-end auditability and transparency?

DW: The current business model of elections is that the vendors have no requirements for open source, but they do have the requirement that their systems are subject to certification and testing. The certification process requires the vendors to share their source code with the testing labs.

For what it’s worth, there have been a number of attempts at doing an open-source voting system that could be commercially viable in the U.S. market, but none of them have achieved significant market share to date, except perhaps the Los Angeles VSAP system. But the source code isn’t actually open yet (article from 2018, but I don’t think anything has changed since then).

Here’s a more concise way to put it: I would prefer if we did not have trade secrets in elections. Let the vendors copyright and/or patent their stuff, but the source code should be open to public inspection. This isn’t about security, per se, as much as it’s about transparency. If you want to get nerdier about it, it’s also about publicly verifiable reproducible builds, which has ramifications for security and transparency.

Q: What do you think of requiring blockchain based audit trails of all processes around elections, voting, tallies, challenges, and recounts?

DW: There’s an entire academic discipline dedicated to the world of election integrity, and an important technique that’s crossing the divide from academia to practice is called “end-to-end verifiable elections.” Without getting lost in the technical details of how and why different encryption techniques are used, all of these voting systems generally include a concept called a “public bulletin board.” If you squint at it, there isn’t all that much difference between a public bulletin board and a blockchain. Both use cryptographic hash functions to build linear chains or tree-like structures.

The essential difference is that blockchains are “decentralized,” which means that nobody is in charge. Instead, a series of unrelated parties reach a consensus as to what the blockchain means. In an election, however, all the parties are known in advance, and disputes are generally resolved through administrative processes or lawsuits. This means that public bulletin boards don’t need consensus mechanisms. Instead, they’re generally about publishing encrypted votes in such a way that a voter can verify that their vote was “counted as cast” (i.e., you get a strong proof that your vote was tabulated exactly as you cast it) as well as “cast as intended” (i.e., the machine didn’t misinterpret your vote as you cast it). The exciting part of the cryptography is that we can achieve both of these properties without allowing you, the voter, to have enough evidence to be able to prove to anybody else how you voted (so, we don’t enable bribery or coercion).

Q: Do you have any national elections system besides the US that might worth your special consideration?

DW: US elections are quite unusual relative to most other countries. Of particular note, we’re often asked to vote on a huge number of contests. My ballot in Houston, Texas has I think 93 contests or propositions on it. This means that we require automation in order to get timely and accurate results. And therefore, we must have computers around, but we need processes like risk-limiting audits to mitigate against the risks of malware or tampering with the computers.

Several countries are currently experimenting with Internet voting (Estonia, Switzerland, Canada, and more). This creates a variety of new risks that are harder to mitigate. What do you do to prevent malware on a voter’s computer from tampering with their vote? What do you do to protect the servers against denial-of-service attacks? For contrast, consider that a paper ballot, whether marked by hand or by machine, once it gets into a ballot box, is beyond the reach of even the most sophisticated internet attacker. There’s nothing a foreign nation-state adversary can do over the internet to modify ink on paper!

Of course, the real world is never quite so simple. I had the chance once to speak with Swiss officials about this, and they pointed out how 40% of Swiss nationals are physically outside the borders of Switzerland at any given time. And they might vote five times per year. Perhaps unsurprisingly, there’s a strong demand for internet voting, and an ongoing challenge to see if they can mitigate against those risks.