When I heard that New York City had found that a photocopy of a ballot could be successfully scanned by both of the two systems being used in New York State, my first thought was that this is Sun-Rises-in-the-East news. It didn’t surprise me, and the first line of defense against attacks involving any type of fake ballot, photocopied or printed, is well-designed and well-implemented ballot management security procedures. But this is a complex issue which bears some discussion.
Before discussing the security threat, let’s look at a technical question – should a scanner be able to detect a photocopied ballot? One of the challenges posed by modern high-resolution copiers and printers is that they are capable of producing all manner of difficult-to-detect counterfeits. This became an extremely serious problem in the 1990s, as convincing counterfeit currency became easy to produce using off-the-shelf copiers. In response, the United States has been replacing currency with new bills containing anti-counterfeiting features. So it’s no surprise that a modern copier can create a ballot that can be successfully scanned.
Is there any way to make a scanner detect a counterfeit ballot? Yes, it could be done. Although it’s a little-known fact (and a bit unsettling from a civil liberties perspective), modern copiers and printers create an invisible tracking code in the form of dots viewable only with a special flashlight. The Electronic Frontier Foundation cracked these codes, finding that they contained the printer serial number and the date and time the document was printed. In theory, one could use this or a similar technique to print ballots with an invisible code that the scanner could look for and, failing to find it, flag the ballot as a counterfeit. But doing this means adding new features to the machines and raising the cost of paper ballots even further above their current exorbitant level. Would it be worth adding such a counterfeit detection feature? My opinion is no. And the reason is that the place to address fake ballot attacks is not by adding features to the machine and ballots, but by implementing proper ballot security procedures and protocols.
Let’s analyze the ways an attacker might use counterfeit ballots, then look at ways to defend against each. There are three points where one might insert counterfeit (and possibly pre-marked) ballots in with real ones – before the election, during voting, and after the election. Before the election, an attacker would need to get their counterfeits mixed into the stack of real ballots, hoping to get them handed out to voters. But here in New York State, we require that ballots come in pads with tear-off stubs containing a serial number. These numbered ballot pads become part of the chain of custody record as soon as they are received from the printer. During an election, each ballot is torn off the pad when it is handed to a voter, with a notation made of the number and the voter it was given to (the ballots themselves don’t have serial numbers, so a voted ballot can’t be traced back to a specific voter without using specialized paper analysis techniques). So in New York, you can’t just throw in a batch of photocopied ballots with the real ones prior to voting. You’d need to counterfeit an entire pad, tear-off serial numbers and all. To produce fakes of NY stubbed and numbered ballots, you pretty much need a print shop; a photocopier just won’t cut it.
Potential attack point two occurs during voting. A voter could hide a photocopied ballot, vote their real ballot, and then attempt to insert one or more fake ballots into the scanner after the first. Of course, it might not be quite that easy to insert two or more ballots without being seen by poll workers, but we should assume that someone practiced could pull it off. Now we’ve got more ballots scanned, counted, and in the ballot box than were actually handed out. But this attack is easily detected on a scanner. Each machine has a public counter, which notes the number of votes cast on that machine. It increments by one every time a ballot is successfully scanned. The public counter number is noted at the beginning and end of the election, and the difference is compared to the number of voters who signed in to the poll book. If the public counter matches the number of voters, no extra ballots were cast. If it is greater than the number of voters, you have detected the presence of counterfeit ballots, and response procedures now have to be invoked to determine which ballots were faked and to recount the real ones.
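The two checks described above (the stub-numbered pads in the chain of custody record, and the public counter compared against poll book sign-ins) are the kind of thing a county can reduce to a mechanical end-of-night reconciliation. The following is an added example written for this post, not code from any voting system or election board; the record layout, the pad and stub numbers, and the counter values are all constructed for illustration, and the shortfall rule (fewer scans than sign-ins) is my own addition, not something the post states.

```python
"""Polling-place reconciliation: stub custody check plus public counter check.

Constructed example. Pad ids, stub ranges, voter counts and counter values are
made up; the record layout is an assumption, not any real system's format.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class BallotPad:
    """One numbered ballot pad as logged when received from the printer."""
    pad_id: str
    first_stub: int
    last_stub: int


@dataclass(frozen=True)
class PollingPlace:
    """End-of-night records for one polling place (constructed layout)."""
    pads: list                 # BallotPad objects in the chain of custody record
    issued_stubs: list         # stub numbers torn off and recorded with voters
    signed_in_voters: int      # sign-ins in the poll book
    counter_start: int         # scanner public counter at opening
    counter_end: int           # scanner public counter at close


def check_stubs(pads, issued_stubs):
    """Every issued stub must belong to a pad in the custody record, once."""
    findings = []
    in_custody = set()
    for pad in pads:
        in_custody.update(range(pad.first_stub, pad.last_stub + 1))
    seen = set()
    for stub in issued_stubs:
        if stub not in in_custody:
            findings.append(f"stub {stub} is not from any pad in the custody record")
        if stub in seen:
            findings.append(f"stub {stub} was recorded as issued more than once")
        seen.add(stub)
    return findings


def reconcile(place):
    """Return a list of findings; an empty list means the counts reconcile."""
    findings = check_stubs(place.pads, place.issued_stubs)

    issued = len(place.issued_stubs)
    if issued != place.signed_in_voters:
        findings.append(
            f"{issued} stubs issued but {place.signed_in_voters} voters signed in"
        )

    # The public counter increments once per successfully scanned ballot, so
    # the delta over the day is the number of ballots the scanner accepted.
    scanned = place.counter_end - place.counter_start
    if scanned > place.signed_in_voters:
        excess = scanned - place.signed_in_voters
        findings.append(
            f"public counter shows {scanned} ballots scanned for "
            f"{place.signed_in_voters} sign-ins: {excess} excess ballot(s), "
            "invoke counterfeit-ballot response procedures"
        )
    elif scanned < place.signed_in_voters:
        # Added rule: a shortfall is not evidence of counterfeits, but it must
        # be explained (e.g. spoiled or unscanned ballots) before sign-off.
        findings.append(
            f"public counter shows {scanned} ballots scanned for "
            f"{place.signed_in_voters} sign-ins: shortfall needs explanation"
        )
    return findings


# Constructed sample records: two pads of 50, 40 voters served from pad P-001.
PADS = [BallotPad("P-001", 1, 50), BallotPad("P-002", 51, 100)]
CLEAN = PollingPlace(PADS, list(range(1, 41)), 40, 0, 40)
# Same day, but the scanner accepted two ballots beyond the 40 handed out.
EXCESS = PollingPlace(PADS, list(range(1, 41)), 40, 0, 42)

if __name__ == "__main__":
    for name, place in (("clean", CLEAN), ("excess", EXCESS)):
        print(name, reconcile(place) or "reconciles")
```

The stub check catches the pre-election attack (a ballot whose stub number matches no pad the board ever received, or a number issued twice), while the counter check catches the during-voting attack; neither tells you which physical ballots are fake, which is why the post says response procedures and a recount of the real ballots still have to follow a mismatch.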
Finally, you could insert counterfeit ballots into the stack of ballots anytime after the close of the election, so that the fakes are included in an audit or recount. The answer to this is good ballot handling security practices – securing ballots with tamper evident seals; proper inspection of those seals to detect tampering; keeping ballots under observation; maintaining detailed and accurate chain of custody records. Ultimately, this is what it comes down to. You must be rigorous about handling ballots in a secure fashion, no ifs, ands or buts.
A final note – these attacks are not specific to ballot scanners, but are possible in any election, whether counted by machine or counted by hand. In a counterfeit ballot attack, the method used to count ballots is not important as long as you can insert the fakes at some point before they are counted or audited. A hand-counted election is as vulnerable to counterfeit ballot attacks as one counted by scanners. All voting methods have vulnerabilities. Confidence in the election’s outcome depends on requiring and implementing excellent security procedures no matter what you vote on. In order to preserve the voter’s intent in a verifiable, software-independent way, no current system is superior to a paper ballot. But you cannot, must not, skimp on security procedures for handling them – before, during, and after the election.
This article is cross-posted at Bo Lipari’s Blog.