May 22, 2023

Overselling digital ballot images

A response to John Brakey’s “Digital Ballot Images: Key to Trustworthy Elections & Bridging Our Great Divide”:

The cross-checking that is cited is between the digital image and the cast vote record (CVR). But the cast vote record is based on the digital image, so they may align, but what if the digital image was corrupted prior to the creation of the CVR? See J. Alex Halderman, “Unclear Ballot: Automated Ballot Image Manipulation,” https://jhalderm.com/pub/papers/unclear-evoteid19.pdf.

John Brakey holds that “even in the very unlikely event that a hacker managed to break through and alter ballot images — a far more difficult exploit than altering vote totals on a voting machine or central tabulator — this manipulation would be exposed immediately simply by spot-checking the ballot images against the originals.” Immediately? What would a statistics expert like Philip Stark recommend in the way of spot-checking? Is spot-checking mandated in the bill?

Voters are again being told to trust technology, that it is “hash-check protected,” which brings to mind Andrew Appel and Susan Greenhalgh’s reporting on “Voting Machine Hashcode Testing: Unsurprisingly insecure, and surprisingly insecure,” https://freedom-to-tinker.com/2021/03/05/voting-machine-hashcode-testing-unsurprisingly-insecure-and-surprisingly-insecure/.

I applaud John Brakey’s fight for transparency. My fear is that overselling what we can learn from ballot images will further diminish the willingness to work for the gold standard of public oversight and verification: hand counting or hand-counted audits of hand-marked paper ballots. Worst case: A hack or rig could go undetected.

John Brakey replied on Facebook: “This system is about redundancy. It is important that the original ballot is married to the ballot image and some form of a risk-limiting audit is done to verify that the ballot images have not been altered.”