
RE: Humboldt County plans to make ballot images public



We have, in past discussions, proposed that the published images be masked
or obfuscated, within a public transparency protocol which provides a
verifiable, or provable, chain of authenticity between the published
material and the original articles (ballots).

We wholeheartedly agree that public exposure of naked ballot images would
violate a crucial principle of secure elections, namely ballot secrecy.

But we believe that it would be feasible and worthwhile to publish
obfuscated image sets, in which the balloted marks are made available for
any and all to interpret and count with their own methods; but yet in which
the extraneous areas of the ballot are masked in a special, cryptological,
way; furthermore the balloted marks themselves could be reordered, also in a
special, cryptological, way, to prevent correlation of different races or
issues per ballot.

Imagine, if you will, that the published file has a grey mask over every
image, with apertures around just the ballot-marking zones (boxes, circles,
ovals).  Imagine further that the images are sliced and diced so that each
image is a composite of several other originals, but all the slices and
dices are recombined in the file, with none added or deleted -- so you could
count how many marks were for this president, and how many marks were for
that dogcatcher, without being able to count how many this-president voters
were also that-dogcatcher voters.

By "special, cryptological" ways, I mean a deterministic or algorithmic
obfuscation which has two essential features: 1) it cannot be undone and its
reversal is cryptologically secure; 2) it can be replicated or repeated to
demonstrate its authenticity to the satisfaction of any challenger.

The second essential feature is harder to explain, so I address it first.
We expect the election administration to develop and hold a file of original
ballot images, not to be published, but to be made available for tests by
the public.  The prescribed arrangement for these tests would be as follows: the
equipment for running the tests remains in the possession and control of the
election administration, but is of a common and publicly-documented design,
e.g., a PC.  The challenger may bring any test programs and data to this PC,
but cannot take files away.  The intent of this testing arrangement is to
allow the challenger to verify the authenticity of correspondence between
the original ballot image file and the published obfuscated file, without
disclosing any other information from the original ballot images.  For
example, we might allow a challenger to run the same ballot-mark-counting
algorithm on both original and obfuscated files, or even count the total of
black and white pixels within ballot mark areas in both files, etc.

The first essential feature relies upon modern computerized cryptography,
which offers assurances of computational difficulty depending upon digital
keys and one-way algorithms.  For example, we can estimate what size of
digital key it would require to push the "cracking" of the key beyond the
reach of thousands of computers running for thousands of years by all known
or practically foreseeable methods.  A reasonable tradeoff of strength vs.
cost of encryption can yield a practical value for an election
administration to employ.

This protocol requires verifiable authenticity of the full chain, but the
description here presumes some other means of verifying the fidelity of the
file of original ballot scans.  I would assume that to be accomplished by
some kind of audit protocol, in which certain persons are able to compare
some representative original ballot artifacts with their images in the file,
under controlled circumstances that avoid or prevent vote-selling
disclosures.

--
Pete Klammer, P.E. / ACM(1970), IEEE, ICCP(CCP), NSPE(PE), NACSE(NSNE)
3200 Routt Street / Wheat Ridge, Colorado 80033-5452
(303)233-9485 / Fax:(303)274-6182 / Mailto:PKlammer@xxxxxxx
 "Idealism doesn't win every contest; but that's not what I choose it for."
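
The slice-and-recombine idea and the challenger's count-on-both-files check described in the message above, as an added example that is not part of the original post. It assumes each ballot-mark slice can be stood in for by a short label, and the key, contest names and sample ballots are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

def obfuscate(ballots, key):
    """Recombine per-contest mark slices into composite records.

    Each contest's slices are reordered by a keyed, deterministic permutation
    (HMAC-SHA256 over contest name and scan index). Nothing is added or
    dropped; only the pairing of slices across contests is destroyed.
    """
    contests = sorted({c for b in ballots for c in b})
    columns = {}
    for c in contests:
        # A different permutation per contest, reproducible only with the key.
        order = sorted(
            range(len(ballots)),
            key=lambda i: hmac.new(key, f"{c}|{i}".encode(), hashlib.sha256).digest(),
        )
        columns[c] = [ballots[i].get(c) for i in order]
    return [{c: columns[c][r] for c in contests} for r in range(len(ballots))]

def tally(records):
    """Per-contest mark counts: the check a challenger runs on both files."""
    return Counter((c, m) for rec in records for c, m in rec.items())

def pair_counts(records, a, b):
    """How often each pair of choices appears on the same record."""
    return Counter((rec[a], rec[b]) for rec in records)

# Constructed sample: 200 ballots whose two choices are perfectly correlated.
ORIGINAL = [{"president": "A", "dogcatcher": "X"}] * 100 + \
           [{"president": "B", "dogcatcher": "Y"}] * 100
KEY = b"constructed-demo-key-not-a-real-secret"
PUBLISHED = obfuscate(ORIGINAL, KEY)

if __name__ == "__main__":
    print("tallies match:", tally(ORIGINAL) == tally(PUBLISHED))
    print("repeatable:", obfuscate(ORIGINAL, KEY) == PUBLISHED)
    print("original pairs:", dict(pair_counts(ORIGINAL, "president", "dogcatcher")))
    print("published pairs:", dict(pair_counts(PUBLISHED, "president", "dogcatcher")))
```

Whoever holds the key can regenerate the published file from the originals, which is the repeatability property; the sketch assumes the slices themselves carry no identifying marks.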


-----Original Message-----
From: Paul E Condon [mailto:pecondon@xxxxxxxxxxxxxxxx] 
Sent: Wednesday, December 20, 2006 12:54 PM
To: cvv-discuss@xxxxxxxxxxxxxxxxx
Subject: Re: Humboldt County plans to make ballot images public

I looked at Paul W's document. It is important. Without the Ballot
Interpretation Report, the collection of images would be very hard to
interpret. It's been a while since I read the ERC Report, and my mind
has largely shut off remembering the crazy rhetoric of the Hart people
(and the rational suggestions that were intended to deal with it). 

Yes, to Ballot Interpretation Reports. And, they should be attached to
each ballot image that is published on the web. 

Then anyone can check the data, and decide whether or not to trust the
election. In very short order under such a system, the election
officials will clean up their act so that they actually are worthy of
'trust'. As #40 said, "Trust --- but verify."

On Mon, Dec 18, 2006 at 12:51:15PM -0700, Paul Walmsley wrote:
> 
> Just to clarify, that audit method didn't rely on making scanned ballot 
> images public.  I did have a proposal to post the CVRs without any 
> identification numbers, so that anyone could conduct the tabulation 
> portion of the audit.  I don't believe that such a system would incur any 
> risks of voter deanonymization in Boulder County, where write-in 
> candidates have to be pre-approved.
> 
> Maybe some of the confusion is due to the term 'ballot images.' Veterans 
> of the 2003 voting system presentations may recall that some vendors used 
> that term -- deceptively, in my opinion -- to mean 'electronic cast vote 
> records', rather than 'the scanned bitmap image of the paper ballot'.
> 
> 
> - Paul
> 
> On Sun, 17 Dec 2006, Margit Johansson wrote:
> 
> >Hi Paul,
> >   Did you see Paul Walmsley's presentation of his ballot-by-ballot
> >statistically-valid audit method to the Boulder Election Commission (or
> >whatever it was called.)  I've attached some info on this audit method. He
> >uses the idea of posting ballot images after the count, if the audit of the
> >ballot images proves they are accurate.  If we can try the audit in Boulder
> >County successfully, it could be a model for other counties and states. It
> >seems like it might happen, finally. But Paul W. can explain it better than
> >I.
> >Cheers,
> >Margit
> >
> >On 12/17/06, Paul E Condon <pecondon@xxxxxxxxxxxxxxxx> wrote:
> >>
> >>This is a very good idea! I had thought that the Hart ballot scanning
> >>system could be made to do something like this for Boulder County, but
> >>neither Hart nor the County seemed to comprehend the possibility. Now,
> >>with a new Clerk and with somebody else being first, maybe Boulder can
> >>do it, too.
> >>
> >>But can we arrange a way to have the scanning done so that even the
> >>most suspicious conspiracy theorist can accept the scanned images as
> >>a true representation of the physical ballots? Maybe, I hope.
> >>
> >>I can envision public discussions of voter intent for ballots having
> >>non-standard marking --- On-line web 'voting' about the interpretation
> >>of particularly difficult to interpret images. For a while there would
> >>be chaos, but I'm sure things would settle down, and in the long run,
> >>election administration would be much better done, and public
> >>perception of honesty would be much higher.
> >>
> >>On Sun, Dec 17, 2006 at 10:34:22AM -0700, Margit Johansson wrote:
> >>> *In the name of transparency*
> >>>
> >>> James Faulk / The Times-Standard
> >>>
> >>> Article Launched:12/15/2006 04:22:18 AM PST
> >>>
> >>>
> >>>
> >>> County pursues project to make ballot images available to all
> >>>
> >>> EUREKA -- Humboldt County may be setting the bar as far as election
> >>> transparency is concerned.
> >>>
> >>> Humboldt County Clerk and Registrar of Voters Carolyn Crnich is working to
> >>> develop and implement a system that would have made actual scanned images of
> >>> every ballot cast in the county's elections available online or on disk.
> >>>
> >>> The program is meant to increase transparency and help to ease people's
> >>> minds about the election process.
> >>>
> >>> "This is Humboldt County only," said Crnich.
> >>>
> >>> Crnich was in Sacramento last week talking to staff members from Secretary
> >>> of State Debra Bowen's office about getting the program off the ground.
> >>> Bowen is looking to help Crnich and her staff get a pilot project ready for
> >>> the upcoming November special district elections. They're working to put
> >>> together a request for Proposition 41 funds to pay for equipment -- likely
> >>> two high-speed scanners.
> >>>
> >>> The ultimate vision is that the ballots could be seen and counted by anyone
> >>> who has an interest.
> >>>
> >>> "Then they could go about counting it any way they want," said Crnich.
> >>>
> >>> It could allow people who favor hand counts to count ballots themselves and
> >>> compare the total against the local machine counts, and it could help people
> >>> developing open-source voting software.
> >>>
> >>> The idea, created by Crnich and Humboldt County elections advocate Kevin
> >>> Collins, has generated excitement among everyone from statisticians to
> >>> election observers and bloggers. Even Harry Hursti, who famously hacked
> >>> Diebold voting machines, has got the bug -- he's designed software for
> >>> Humboldt County to count the digital images, thereby generating another vote
> >>> total for public consumption.
> >>>
> >>> The issue was scheduled to be discussed at the Humboldt County Elections
> >>> Advisory Committee Thursday.
> >>>
> >>> "It's not off the ground yet, but I'm really excited about it," said Crnich.
> >>>
> >>>
> >>> A call to Collins was not returned by deadline.
> >>
> >>--
> >>Paul E Condon
> >>pecondon@xxxxxxxxxxxxxxxx
> >>
> >
> 
> 
> - Paul

-- 
Paul E Condon           
pecondon@xxxxxxxxxxxxxxxx