In part 1 of this 2-part series I explained: Some election-integrity advocates have suggested that, in addition to good chain-of-custody procedures for ballots between when they’re cast and when they’re counted (or recounted), we should have better control over what paper (and paper ballots) go into the polling place. This way, if fraudulent ballots got stuffed into a ballot box, they could be more clearly identified.
Ultraviolet watermarks seem high-tech, but they can be faked with a custom rubber stamp ($11), a stamp pad ($6), and a bottle of UV ink ($31). The attacker could also just run a standard commercial offset printer loaded with UV phosphorescent ink ($50 per kilogram). More intricate designs can be replicated, with more cost and effort–hologram printers cost as little as $1900. If one printing company can make your special ballots, another printing pro can replicate them.
In analyzing the security of a watermark-based scheme, we have to assume that the attacker can get a supply of the same kind of paper, or print paper with the same design. In Part 1 of this series I pointed out that once you have 9000 U.S. election jurisdictions using special paper, then there will thousands of reams of it in circulation and it won’t be so special anymore.
Random patterns baked into paper fibers can’t be easily replicated
However, some kinds of watermarks can’t be faked so easily: random patterns inherent in the makeup of the paper. Years ago, Clarkson et al. showed that the fibers of ordinary paper form a random pattern unique to every sheet and that an ordinary flatbed scanner could be rigged up to read that “fingerprint.”
More recent is the idea of UV flakes embedded in paper, in a random pattern, forming a fingerprint that (maybe) could be read even more easily.
If each sheet has its own natural random fingerprint that, then maybe it won’t matter that any fraudster can get his own supply of paper. Every sheet of paper is naturally different, and it might be impractical to duplicate a pattern built into the natural random fiber structure of a sheet of paper.
A recent article by Catherine Engelbrecht suggests a way to use this in elections. Let me interpret her suggestion according to my own understanding of how to best integrate it into U.S. election systems.
How to use unique paper-pattern fingerprints to secure elections
In our elections now, most jurisdictions have optical-scan voting machines that scan the ballots, preserve the paper ballots in a ballot box, and produce a cast vote record (CVR) file with one line for each ballot, showing what votes are marked on that ballot. Some also record a PDF or .TIFF image of each ballot. And some optical-scan voting machines also print a serial number onto each physical paper ballot, and record that serial number in the CVR file. This is super-useful for efficient auditing, as I explain here.
We should not put all our trust in the computers (optical scanners). Just because they claim something in a CVR file (or in a TIFF image) doesn’t mean it’s true, if the computers have been hacked. But once the computer is pinned down to a specific claim, “Ballot 81037 has a vote for David Chen”, then we can find the piece of paper marked 81037 and see what’s marked on it.
Here’s how random-UV-flake paper fingerprints could help. Suppose the optical-scan voting machine (either in the polling place or county central) could read the paper’s unique random pattern of fibers or UV flakes or whatever, and convert that into a “fingerprint” number, and write that number into the CVR file. This number could serve the same kind of purpose for auditing as traditional serial numbers do, but in a way that’s much harder to fake. And one wouldn’t need blockchains; as long as the CVR file is made public at the same time the election results are published, that would be enough. But I suppose a blockchain couldn’t hurt as a kind of permanent commitment to a CVR file.
If the paper-fingerprints are first read at the time the voter feeds the marked ballot into the scanner, then this whole idea serves as an enhanced ballot-tracking/chain-of-custody measure. Unlike what I described in Part 1, this measure doesn’t serve as a control over what paper ballots make their way into the system, unless the paper-fingerprints are scanned in advanced and logged. And if you know the fingerprint of the paper you’re handing to a voter, then you lose the secret ballot, because now you can match the choices marked on the ballot to a particular voter.
Problems that would have to be solved before this can be practical
Now let’s examine the difficulties — the issues that would need to be addressed before we could rely on a system like this.
First problem: In any given manufacturing process, is it really true that the “random” pattern of UV flakes is practically impossible to replicate? Maybe so, but a claim like this would have to be scientifically tested, otherwise it’s just product-advertising puffery.
Second problem: What’s to stop a corrupt election worker from opening up a ream of paper in advance, scanning all the sheets to learn their fingerprints, and then keeping track of what order they’re given to specific voters? Because those fingerprint-numbers are published in the CVR file, you can learn how each person voted. Experience has shown, in the United States and elsewhere, that when ballots aren’t secret, voters can be bribed, coerced, or pressured to vote a certain way. Do we put tamper-evident security seals on the wrapper for the packet of paper? Now we’re back to the problem of how to trust those seals.
Third problem: We have to trust the computers that translate the pattern of paper fibers (or UV flakes) into “fingerprint” numbers. Any of those computers could have been hacked; so what happens to our “secure election protocol” if the computer are lying to us about the fingerprint numbers?
With the conventional printed ballot serial numbers I describe above, almost any person can read the serial number and see for themself what it says–you don’t need a computer to tell you. And the “commitment to a particular CVR file” could actually be done on paper: at one line per ballot, 100 lines per page, then for 100,000 ballots you’d just need 1 ream of paper (double-sided). So a “ballot-level comparison audit”, spot-checking that the CVR file isn’t lying, can be done without trusting any computers.
In contrast, no human I know can convert a pattern of UV-illuminated flecks into a number (i.e., a fingerprint hash-code). You have to trust somebody’s computer to do that. That doesn’t mean the idea is no good, but it does mean that the entire protocol for using flaky paper must be carefully designed and assessed.
Fourth problem: The devil is in the details. You need a formal protocol, an implementation in computer hardware and software, and a security analysis of the protocol and the implementation. Then you’d need election administrators to try this out and see what unexpected difficulties arise. As Catherine Engelbrecht wrote, this is a future she believes we’re heading toward, not a technology that we can deploy today.
Is this really any better than the current state of the art, which is to have the optical-scan voting machine print a serial number onto the ballot? With ordinary serial numbers, you can still track the correspondence between individual CVR records and individual sheets of paper; you could still log the CVR files onto a blockchain if you wanted to; you can still find those physical paper ballots and check that the CVR file wasn’t lying about them. Maybe it’s a little better: it prevents the particular fraud of someone changing a physical paper ballot in the chain of custody while taking care to print exactly the same serial number on it. But is it enough better to be worth the trouble?
My conclusion is: it might be interesting to have pilot projects in which early-adopter election officials try out paper-fingerprinting connected to CVR files connected to audits; and where election experts and cybersecurity experts assess whether this has provided meaningful improvements in election security. But right now it’s premature to say that we should all use “security paper” nationwide in our elections, without all the rest of the infrastructure that would have to go with it.
Andrew Appel is Professor of Computer Science at Princeton University. He has studied election cybersecurity and voting systems for over 20 years. He also does research on program verification (assuring that your program does what it’s supposed to do) and general cybersecurity.
Leave a Reply