Paper Ballots, Photocopiers, and Security

When I heard that New York City had found that a photocopy of a ballot could be successfully scanned by both of the two systems being used in New York State, my first thought was that this is Sun-Rises-in-the-East news. It didn’t surprise me, and the first line of defense against attacks involving any type of fake ballot, photocopied or printed, is well-designed and well-implemented ballot-management security procedures. But this is a complex issue which bears some discussion.

Before discussing the security threat, let’s look at a technical question – should a scanner be able to detect a photocopied ballot? One of the challenges posed by modern high-resolution copiers and printers is that they are capable of producing all manner of difficult-to-detect counterfeits. This became an extremely serious problem in the 1990s, as convincing counterfeit currency became easy to produce using off-the-shelf copiers. In response, the United States has been replacing currency with new bills containing anti-counterfeiting features. So it’s no surprise that a modern copier can create a ballot that can be successfully scanned.

Is there any way to make a scanner detect a counterfeit ballot? Yes, it could be done. Although it’s a little-known fact (and a bit unsettling from a civil liberties perspective), modern copiers and printers create an invisible tracking code in the form of dots viewable only with a special flashlight. The Electronic Frontier Foundation cracked these codes, finding that they contained the printer serial number and the date and time the document was printed. In theory, one could use this or a similar technique to print ballots with an invisible code that the scanner could look for and, failing to find it, flag the ballot as a counterfeit. But to do this we’re talking about adding new features to the machines, and raising the cost of paper ballots even more than their current exorbitant cost. Would it be worth adding such a counterfeit detection feature? My opinion is no. And the reason is that the place to address fake ballot attacks is not by adding features to the machine and ballots, but by implementing proper ballot security procedures and protocols.

Let’s analyze the ways an attacker might use counterfeit ballots, then look at ways to defend against them. There are three points where one might insert counterfeit (and possibly pre-marked) ballots in with real ones – before the election, during voting, and after the election. Before the election, an attacker would need to get their counterfeits mixed into the stack of real ballots, hoping to get them handed out to voters. But here in New York State, we require that ballots come in pads with tear-off stubs containing a serial number. These numbered ballot pads become part of the chain of custody record as soon as they are received from the printer. During an election, each ballot is torn off the pad when it is handed to a voter, with a notation made of the number and the voter it was given to (the ballots themselves don’t have serial numbers, so a voted ballot can’t be traced back to a specific voter without using specialized paper analysis techniques). So in New York, you can’t just throw in a batch of photocopied ballots with the real ones prior to voting. You’d need to counterfeit an entire pad, tear-off serial numbers and all. To produce fakes of NY stubbed and numbered ballots, you pretty much need a print shop; a photocopier just won’t cut it.

Potential attack point two occurs during voting. A voter could hide a photocopied ballot, vote their real ballot, and then attempt to insert one or more fake ballots into the scanner after the first. Of course, it might not be quite that easy to insert two or more ballots without being seen by poll workers, but we should assume that someone practiced could pull it off. Now we’ve got more ballots scanned, counted, and in the ballot box than were actually handed out. But this attack is easily detected on a scanner. Each machine has a public counter, which notes the number of votes cast on that machine. It increments by one every time a ballot is successfully scanned. The public counter number is noted at the beginning and end of the election, and the difference is compared to the number of voters who signed in to the poll book. If the public counter matches the number of voters, no extra ballots were cast. If it is greater than the number of voters, you have detected the presence of counterfeit ballots, and response procedures now have to be invoked to determine which ballots were faked and to recount the real ones.
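As an added illustration (not code from the original post), here are the two checks described for attack points one and two as a precinct reconciliation: every torn-off stub must belong to a pad in the custody record, the number of stubs must match the poll book sign-ins, and the public-counter delta must not exceed the sign-ins. The pad ids, serial ranges and counts are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class Pad:  # numbered pad logged in the custody record when received from the printer
    pad_id: str
    first_stub: int
    last_stub: int

@dataclass
class Machine:  # public-counter readings noted at the open and close of polls
    machine_id: str
    opening_counter: int
    closing_counter: int

def scanned_ballots(machines):
    """Ballots the scanners accepted: the public-counter delta summed over machines."""
    return sum(m.closing_counter - m.opening_counter for m in machines)

def reconcile(pads, stubs_issued, poll_book_signins, machines):
    """Return findings for the precinct; an empty list means it reconciles."""
    findings = []
    # Attack point one: every stub torn off must belong to a pad in the custody record.
    for serial in sorted(stubs_issued):
        if not any(p.first_stub <= serial <= p.last_stub for p in pads):
            findings.append(f"stub {serial} is not from any pad in custody")
    if len(stubs_issued) != poll_book_signins:
        findings.append(f"{len(stubs_issued)} stubs issued but "
                        f"{poll_book_signins} voters signed in")
    # Attack point two: the public-counter delta can never exceed the sign-ins.
    scanned = scanned_ballots(machines)
    if scanned > poll_book_signins:
        findings.append(f"{scanned} ballots scanned but only {poll_book_signins} voters "
                        f"signed in: {scanned - poll_book_signins} extra ballot(s) to find")
    return findings

# Constructed sample data: two 50-ballot pads, 63 voters, one scanner.
PADS = [Pad("pad-A", 1001, 1050), Pad("pad-B", 1051, 1100)]
STUBS = set(range(1001, 1064))   # 63 stubs torn off during the day
SIGNINS = 63

def clean_day():
    return reconcile(PADS, STUBS, SIGNINS, [Machine("scanner-1", 0, 63)])

def stuffed_day():  # two photocopies fed in after a real ballot: counter runs two ahead
    return reconcile(PADS, STUBS, SIGNINS, [Machine("scanner-1", 0, 65)])

def foreign_pad_day():  # a stub from no pad in custody was torn off and logged
    return reconcile(PADS, STUBS | {9001}, SIGNINS, [Machine("scanner-1", 0, 63)])
```

A counter lower than the sign-ins is not flagged here, since spoiled or unscanned ballots explain it; that case belongs in the precinct's ordinary close-of-polls accounting rather than the counterfeit check.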

Finally, you could insert counterfeit ballots into the stack of ballots any time after the close of the election, so that the fakes are included in an audit or recount. The answer to this is good ballot handling security practices: securing ballots with tamper-evident seals; proper inspection of those seals to detect tampering; keeping ballots under observation; maintaining detailed and accurate chain of custody records. Ultimately, this is what it comes down to. You must be rigorous about handling ballots in a secure fashion, no ifs, ands or buts.

A final note – these attacks are not specific to ballot scanners, but are possible with any election, whether counted by machine or counted by hand. In a counterfeit ballot attack, the method used to count ballots is not important as long as you can insert the fakes at some point before they are counted or audited. A hand-counted election is as vulnerable to counterfeit ballot attacks as one counted by scanners. All voting methods have vulnerabilities. Confidence in the election’s outcome depends on requiring and implementing excellent security procedures no matter what you vote on. In order to preserve the voter’s intent in a verifiable, software-independent way, no current system is superior to a paper ballot. But you cannot, must not, skimp on security procedures for handling them – before, during, and after the election.

4 Responses to “Paper Ballots, Photocopiers, and Security”

  1. Wayne Stinson says:

    Thanks for this post Bo.

    With the experience of past security-related careers, I can tell you we have a serious problem with election administration functionaries who do not understand security, who are unable to imagine security risks.

    Experts can design security regimens but workers expected to carry out the plan will fail to do so if they don’t understand it or are not committed to it.

    As a locksmith, most of the bank personnel I dealt with while servicing safe deposit boxes or a vault door failed to enforce dual custody policies (two persons required to enter the safe combination, for example).

    Similarly, DEA regulations requiring a serviceman to be escorted by factory security staff while working in opiate storage areas were never complied with unless I insisted on it.

    Functionaries get lazy and careless, and a new norm quickly becomes SOP. Well-trained people and diligent supervision are necessary. I fear our present partisan-appointed election administrators are not up to it.

    Wayne

  2. Paul Stokes says:

    Nice post, Bo.

    I have some experience with tamper-evident seals (e.g., IAEA nuclear safeguards), and the only ones I know that have good counterfeit resistance are expensive and not very user friendly.

    There are some good padlocks, though. The good ones I know about come from European sources. It might be that they would provide good security of the ballot boxes (assuming good boxes are used) and would be more user friendly. They also last a long time, so should be cheaper in the long run.

    A good comparative analysis would be in order.

  3. Kathy Dopp says:

    Another great post Bo. Thank you.

  4. William Edelstein says:

    Hi Bo,

    Re this story, I would first like to point out that it means ballots should not be difficult or expensive to print. So all the arguments and hand-wringing about why it is so expensive, why high-precision expensive printers are needed, etc., are bogus.

    Why not just have a B&W printer at each precinct that produces ballots on demand, or BOD as it is known? I am sure that expenses could then be cut enormously.

    Re security, here are a couple of ideas.

    First, the numbers on the pad should not be consecutive, but rather could be large numbers (say 12 digits for the sake of this example) in random order. The numbers would be encoded so only certain ones would be valid, like credit cards. So it would be hard to produce a pad of fakes.

    Second, the number *should* be printed on each ballot, but another number printed on the pad could be a peel-off tape that would be stuck on a blank page kept by the poll workers. This tape would be stuck anywhere on the page in no particular order and not correlated with specific voters. At the end of the day, the numbers could be read from pages with stickers using OCR and checked against the ballot numbers.

    This scheme could be carried out either with pre-printed ballots or with BOD. It would certainly substantially increase the difficulty of adding bogus ballots.

    Regards,
    Bill Edelstein
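The commenter's proposal of random 12-digit stub numbers "encoded so only certain ones would be valid, like credit cards" describes a check digit; as an added example (not code from the post or the comment), here is the Luhn scheme that payment cards use beside a keyed variant it goes beyond: Luhn rejects mistyped or randomly invented numbers but is public, so it does not stop a forger who knows it, whereas an HMAC-derived check cannot be computed without the issuing county's secret key. The 12-digit length, the key and the two-digit keyed check are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Optional

STUB_DIGITS = 12  # the commenter's example size, used here by assumption

def luhn_check_digit(body: str) -> str:
    """Digit that makes body + digit pass the Luhn test used by payment-card numbers."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:  # these positions get doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def keyed_check_digits(body: str, key: bytes, n: int = 2) -> str:
    """n check digits derived from an HMAC over the body; needs the key to compute."""
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return str(int.from_bytes(mac[:4], "big") % 10 ** n).zfill(n)

def new_stub(key: Optional[bytes] = None) -> str:
    """Random stub number: Luhn-protected without a key, HMAC-protected with one."""
    if key is None:
        body = "".join(str(secrets.randbelow(10)) for _ in range(STUB_DIGITS - 1))
        return body + luhn_check_digit(body)
    body = "".join(str(secrets.randbelow(10)) for _ in range(STUB_DIGITS - 2))
    return body + keyed_check_digits(body, key)

def is_valid_stub(number: str, key: Optional[bytes] = None) -> bool:
    """Check run when a pad is received: does the number carry the right check digits?"""
    if len(number) != STUB_DIGITS or not number.isdigit():
        return False
    if key is None:
        # Luhn catches mistyped or randomly made-up numbers (only 1 in 10 pass), but
        # the algorithm is public, so it is no obstacle to a forger who knows it.
        return luhn_check_digit(number[:-1]) == number[-1]
    # The keyed check cannot be satisfied without the county's secret key.
    return hmac.compare_digest(keyed_check_digits(number[:-2], key), number[-2:])
```

Either variant only tells you a number is well-formed; a pad is still counterfeit if its numbers are valid but absent from the custody record, so the check complements the chain of custody rather than replacing it.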
