Part 1 of a 2-part series. In this part, why just printing ballots on special paper won’t help much. In part 2, how special paper could have a role if the rest of the system were developed to go with it.
How can we best ensure that the ballots tallied are the same ones that the voters marked, and are tallied accurately? These are fundamental questions in election security, and there are some clear answers. Voters should mark paper ballots by hand; those ballots should be tallied by optical-scanners or by hand, and should be audited or recounted by hand.
By insisting that ballots should be marked by hand, we avoid the possibility that hacked computers will fraudulently mismark ballots. By auditing or recounting the same paper ballots that the voters marked we avoid the possibility that hacked computers will miscount the ballots. In large jurisdictions with millions of voters and dozens of offices or questions on the ballot, it’s impractical to count by hand, so we must use optical-scan voting machines but we can check up on them with random audits done by hand.
Chain of custody
But that’s not the whole story. How do we know that the paper ballots counted by hand, or recounted or audited by hand, are the same ballots that the voters marked? We rely on chain of custody procedures: ballot boxes are transferred from polling places in the presence of multiple witnesses, stored securely, counted or audited as soon as possible, and subject to compliance audits to make sure that these procedures are followed. See section IV of our paper, “Evidence-Based Elections: Create a Meaningful Paper Trail, then Audit”.
This focus on the paper trail is important, because from time to time people have been known to cheat in elections by throwing out legitimate ballots or stuffing fraudulent ballots into ballot boxes, or replacing ballot boxes entirely.
Controlling the paper supply
Discussions of “chain of custody” and “paper trail” often focus on the custody of ballots from when they are marked to when they are counted. But we could focus also on the paper that goes into the polling place. Some election-integrity advocates suggest that ballots should be printed on special paper that bad guys cannot duplicate; for example:
“Ballots shall be printed on durable, tamper-evident paper with currency-type security features (e.g., watermarks, embedded ultraviolet reflective flakes, holograms, etc.) to prevent duplication or alteration.”
This is a well-intentioned idea, but I think this version of it won’t add much security. Let me explain why.
Relevant lessons learned from security seals
A few years ago I studied tamper-evident security seals on voting machines. These seals are used for several purposes: assuring that fraudsters don’t open up voting machines and hack the software, protecting ballot boxes while they’re in transit from the polling place to the vault, and so on.
You might think the idea of tamper-evident seals is simple: Apply the seal to the ballot bag, transport and store until ballots are counted, check the seal, open the bag.
What I found out, however, is that these seals don’t provide much meaningful security. See my paper, “Security Seals on Voting Machines: A Case Study”. The problems are: it’s not so hard to remove and replace the seals without evidence of tampering; seals are not logged properly (so election workers don’t know what numbers to look for); election workers don’t know how to examine the seals for evidence of tampering; the seals are often missing and no one cares; an attacker could just cut off the seals and replace them with new ones; an attacker can buy from the same companies that sell them to the states and counties. And more, and more, and more.
The problem is not just in the seals themselves—it’s that the system can’t use them effectively.
Applying those lessons to “security paper”
Now let’s think about “currency-grade paper” with “ultraviolet reflective flakes.” The United States has about 9000 different jurisdictions (states, counties, cities, towns) that conduct elections and purchase supplies. Even if there were only two or three makers of special paper, they’d have to sell to all those counties—or sell to all the local printing companies that contract with those counties to print election ballots. There would be reams of paper all over the place, at county election offices, at printing companies, in warehouses. It would be impossible to control the supply of paper the way that the U.S. Mint controls dollar-bill paper. And even “currency-grade paper” can be counterfeited: “Supernotes are said to be made with the highest quality of ink printed on a cotton/linen blend, and are designed to recreate the various security features of United States currency, such as the red and blue security fibers, the security thread, and the watermark.”
That’s the supply side. Now consider the other side: ballot counting. The idea of special paper is that fraudulent ballots would be detected when the ballots are counted. What security-seal experts can tell you is, it ain’t so. Examining that ballot paper is a specialized task; election workers aren’t trained for it and even with training they won’t have time for it in the press of getting election results.
The lesson from security seals is that the seals themselves don’t magically make things secure, it takes an entire seal use protocol of logging and checking. Special “tamper-evident paper” cannot provide meaningful security without an entire protocol for logging and checking, and it will be impractical to meaningfully control the paper supply if 9000 jurisdictions (and their printing companies) are using it.
In this Part 1, I have focused on security paper with a designed watermark or a specially designed pattern, with or without serial numbers. Any design like that can be copied, with or without the serial numbers. But what if the pattern wasn’t designed, it was in inherent in the manufacture of the paper? In Part 2, I will discuss how that could work.
Andrew Appel is Professor of Computer Science at Princeton University. He has studied election cybersecurity and voting systems for over 20 years. He also does research on program verification (assuring that your program does what it’s supposed to do) and general cybersecurity.
Leave a Reply