Voting System and Fraud Prevention Tradeoffs—Revised 10/14/10 (Nevada Voter Registration Experience added)
--By George Edwards, Joe Dugan and Tom Peterson
[April 2013--since what is written here and earlier as to the voting process (nothing newly written on registration) South Carolina has successfully implemented voter photo ID with DOJ approval. And a detailed article on the Most Recommended Voting System--Automated Fingerprint Verification as well as one specifying an Interim Voter Card Management System has been written and incorporated on this Web site. They supersede in specifics what is written here and earlier, although are believed--without detailed re-reading--to otherwise accord as to generalities].
One advantage of a Web site paper is that it can be a work-in-process that can be updated as further information or comments seem applicable. Please e-mail any suggestions you may have to me (email@example.com) for potential inclusion and put GIAC in the subject line to help ensure that your e-mail does not get overlooked.
“Any thing devised by the mind of man can be circumvented by the mind of man.”
There is undoubtedly a better way of saying this, but the thought has to be kept in mind when trying to prevent voter fraud.
Human-machine trade-offs other than long-term/short-term costs include rapidity, accuracy and long-term durability of digital equipment versus human judgment and frailty. Computers can be hacked; people can be corrupted or inattentive. Computers can freeze up, people can fall asleep. The most reliable system would complement these capabilities/frailties by using them in parallel.
Casting Ballots Humans casting paper ballots directly is arguably the cheapest method. A voting machine allows a much more rapid compilation of the votes.
Identification The current human method of voter identification using names
alone is about as inexpensive as you can get with the next obvious step being
comparison of photographs of voters associated with names that are already in
the database. A voter photograph on the registration card itself would cost a
little more and make that card’s presentation alone a more reliable check. A
further improvement could be a "credit card" voter ID with picture, hologram and
other encrypted technology issued by private industry with very severe penalty's
for security violations and huge fines for deliberate fraud. Biometric
voter identification using fingerprint, iris or face recognition can be done
automatically and much more error free.
One Vote per Voter Ensuring one vote per voter can be and is inexpensively done by having only one place to enter a voters name in one common book whenever or wherever the voter has voted.
Insofar as ensuring one vote per voter, the Iraq indelible ink method is inexpensive and reliable without the need for bookkeeping or communication between voting places—as long as all votes are made within the period that the ink indelibility lasts. A variant using an indelible ink mark on the palm of the hand—with different colors for different parties in primaries—is more aesthetically appealing. Unfortunately, it alone does not distinguish between friend and foe let alone other voter eligibility criteria unless you could trust only those eligible would seek to vote—not too far removed from a system that relies on those registering to vote citing their eligibility if not verified by other means.
In general terms, to ensure one vote per voter, the names or other tags associated with individual voters need to be compared and if there are one or more duplications, only one of the associated votes for a particular candidate would be counted. [Later (2013) substitution: This would be done in the most recommended system or the interim system via a unique identifiers on voter cards as described elsewhere on this Web site. Other methods could be used if voting machines throughout a system are electronically connected via the Internet or an intranet although such may make the overall system vulnerable to hacking.]
Backup and Anti-Hacking Protection
A totally manual balloting system yields a permanent record of the ballots as cast. Photocopies of them, perhaps stored off-site to protect against exigencies such as fire offers backup protection.
If a voting machine is used, once a voter has been accurately determined to be eligible and a voter has entered his or her choices into a voting machine, a backup copy of the individual ballot should be made and stored for potential later retrieval to keep votes from being lost by fire or due to machine failure and for recounting if necessary. Electronic storage should be on a separate medium—ideally in a different location—from that which would be lost with a local computer failure. Greater fraud protection, at a little more expense, would be provided if separate ballot printouts of confirmed votes were made and retained in a secure location for later recount if questions were to arise.
Hard copy and independent electronic storage at local polling places for comparison with that at other voting places provides a means of human assisted anti-hacking protection for individual systems or associated Internet/intranet systems.
Registration Database. In any voting system preparation of the voter registration data base is critical. Typically it has only the names and addresses of the voters who meet the eligibility criteria for voting—e.g. a citizen, a resident, at least voting age, mentally competent, and not a convicted felon. The criteria should be verified beyond the, even sworn, signed statement of the people registering to vote.
Other personal characteristics of a person meeting the eligibility requirements than just the person’s name and address such as the person’s photograph, signature or digitized finger/thumb/palm print, digitized retinal pattern, or digitized face detail can be made available in a data base. Digitizing biometric information requires equipment such as scanners and some media to store biometric data taken during registration for later usage.
Voting eligibility criteria verification for individuals’ registration need not be established rapidly on the spot as voter ID in the polling place is. There are potential existing sources of varied availability for establishing such, for instance: the already available automated E-verify system--an Internet-based system operated by U.S. Citizenship and Immigration Services in partnership with the Social Security Administration that provides an automated link to federal databases to check the validity of Social Security numbers. Other sources are naturalization records, drivers license records, tax records, medical records, utility bills, police records, social security records, banking records, credit card records and individual drivers licenses and birth certificates. In addition to E-verify, some of the other records may already be digitized and in existing databases and include photographs, signature samples and fingerprints.
If a credit card voter ID were used with a database prepared by the credit card industry the only data that might have to be added to that database for voting would be biometric.
Rapid determination at a polling place that a potential voter’s personal characteristics match those of some individual in the registration database is typically done by determining that his or her name is in the database, possibly by observing that the voter looks like a photo ID if available or comparing the voters signature with that on a registration card
It could also be buttressed by determining that one or more other individual characteristics are included in a digital data base of those meeting the criteria for voter eligibility with or without involving the individual’s name. This requires some method(s) such as a scanner(s) at the voting place to derive and digitize the personal biometric characteristic of the particular voter, again such as digitized finger/thumb/palm print, digitized retinal pattern, or digitized face detail for comparison with that in the data base to ascertain that a particular person qualifies to vote, is alive and is the one actually casting the vote..
All electronic data bases within the system should be encrypted.
In the "credit card" voter ID system, standard card readers installed in the voting booth could ascertain that the straight or encrypted text on the card corresponded with some distinct individual record in the database. This would be most cost effectively worked out by embracing the experience and technology of commercial credit card company(s) rather than waste taxpayer dollars and probably years in development and implementation. Our whole consumer financial system is based on public confidence in the credit card industry. It continuously and constantly looks for ways to enhance security for years--security is its business.
A more advanced card reader for election purposes would further and importantly enhance fraud protection by software comparison of a digitized photographic impression of such as a photograph or fingerprint on the card with that scanned from the voter in the booth.
Provisional Ballots and Confirmation
In the event a voter does not appear to be qualified due to lack of resemblance to a photo ID or signature sample or is rejected by digital biometric identification and he or she still wants to submit a provisional ballot there is likely already some provision for handling that in place and part of a poll worker’s training walk through. Other than marking the ballot as provisional by hand or by a voting machine entry, a fresh signature or photo may be requested in the voting place to allow subsequent judgment by others. If digital biometric identification is used, other biometric data than that available for comparison with the usual in-person scanned data at the voting place could be available for cross-checking in the primary registration data base. This could include such as hand-print data there on other fingers, another eye’s iris than that initially taken at the voting place and digital voice or signature recognition capabilities not available at the voting place.
If iris or thumb-print scanners, for instance, are already at the voting place, they could obviously be used to get biometric data on another eye’s iris or other fingers and even transmitted back to a server as provisional ballot checking tools against data there but not at the voting place. Other provisions might be considered as a voice recording at the voting place for digitization and use elsewhere than the voting place in the confirmation process.
Comparing such as scanned fingerprints, faces or irises of a voter in a voting booth with those previously scanned and stored in a voter registration data base or a voter card is one of the best assurances that the live voter in the booth is one who originally met the registration criteria. If there is such as a precinct specific biometric data base stored on the voting machine or Internet/intranet communication between the voting machine and a server with the registration data base on it, no voting card would be required except to allow cross checking of a voter with other information on the card e.g.—name, signature, photo.
If the biometric data is stored on a voter card, no other data base is required at the voting station nor would the alternate, voting machine to server Internet or intranet communication be required. The last would leave a voting system open to hacking. Unfortunately, such a card could be counterfeited by someone scanning an unregistered voter’s biometric information onto it. Other anti-counterfeiting measures could be incorporated onto the card although those too could become compromised. It’s a trade-off.
The advantages of biometric voter identification--or more carefully worded--determination that an individual’s personally determined biometric characteristic(s) is/are included in a registration data base are numerous, including:
· Relatively precise identification (e.g. digital fingerprint identification alone is said to generally have an error rate less than 0.2% and in combination with other forms of digital biometric identification such as face, iris, etc. perhaps even lower) without dependence on human inattention for whatever reason. A declared mismatch, if nothing else, should get the attention of a voting official to very carefully compare the observed characteristics of a voter compared to more common identification criteria such as signature and photo matching before allowing a disputed vote to be entered into the system.
· Even without human intervention gives assurance that the voter is a live counterpart of the one registered.
· Is much less, if at all, susceptible to counterfeiting as any token, such as a voting card, alone, or a password which may be entered by anyone who may have acquired it by theft or collusion with a legitimate voter by threats or effectively buying votes.
That is not to say that biometric matching cannot be wrong or fooled. Currently the biometric data is digitally derived by photography and subject to all the potential problems of photography (and with photographers). Even fingerprints can be smudged or improperly taken; Photoshop, wigs, cosmetics, plastic surgery, masks and age can mess up digital as well as human facial recognition and contact lens could be manipulated to defeat iris recognition. Biometric and other anti-voter-fraud measures are similar to locks that make entry difficult although they can be picked or a lock-secured door can be simply broken down.
Sometime in the (far?) distant future DNA swabs could be taken and matched. It is hard to imagine how that could be defeated, but a way might still be found.
Many of the equipment and software requirements and the costs for biometric identification including use of the particular company’s Neurotechnology products are discussed in “Requirements for large scale biometric systems” found at the URL: http://www.neurotechnology.com/download/MegaMatcher_SDK_Brochure_2010-06-21.pdf
Digital biometric and automated systems or sub-systems tend to cost more upfront than their human counter parts. Whether they do in the end is another matter that would need to be looked into. Immediately available funds are in short supply. But there is little that is more important in a representative democracy than ensuring fraud-free voting as much as possible.
Absentee ballots Only in-person absentee ballots should be allowed except for such as those bed-ridden and those unavailable or out of state during the entire absentee ballot voting period without access to voting machines because absentee ballots that are not in-person are almost totally vulnerable to voting manipulation and fraud. The need for not-in-person absentee ballot use could be limited by having voting machines available for an allowed early voting period (and some round-the-clock voting machine availability for those who have to work during the usual voting hours) at polling places
A totally human protection against fraud by those persons physically disabled, bed-ridden or otherwise truly incapable of going to a traditional voting place could be an election official going to the person casting the absentee ballot and verifying his or her vote on the spot and subsequently entering the data in a voting machine.
Alternately, the limited portion of the registration database required for such could be provided on a personal computer transported to that person (or on a flash card or credit card style voting card to a computer already available at a disabled person’s location) to ensure that the voter with characteristics in the eligible voter data base would be the one voting. If biometrics were used, the appropriate scanner(s) would also need to be transported to that person. Such approaches would ensure that the voter with characteristics in the eligible voter data base would be the one voting.
Cost trade-offs depend, among other factors, on the allowable error rates and database size requirements. Error rates with biometric systems, in turn, depend on which biometric system(s) is/are used and the degree of cross-checking among them if more than one biometric identification method is used. The smaller the data base, the smaller its cost between the extremes of precinct-size and state, say South Carolina, size. The size of the needed database decreases with the number of polling places, but the more polling places, the greater the number of scanners necessary at polling places—another cost trade-off. Credit card voter IDs including the portion of the registration data base required for a particular voter could eliminate the need for any eligible voter database at a polling station—but such can be counterfeited by scanning an interloper’s data into them and measures to protect against counterfeiting the cards should be employed..
There are cost trade-offs, short and long term, depending on the comparative degree of human usage and automation.
Obviously re-registration would be required to obtain biometric data with careful verification that the persons involved do indeed meet the voter eligibility requirements—an essential element, especially with organizations such as ACORN potentially working to corrupt the database upon which the reliability of the entire system crucially depends.
In general, automation wherever possible throughout all phases of an election including building up the voter eligibility data base from other larger databases, automatically ensuring that only those with characteristics within the eligibility data base are allowed to vote, counting the vote and delivering the vote count to a central vote result database for reporting is more rapid than human usage in those phases and potentially more error free without the problems associated with human fatigue, inattention, possibly inadequate training and—yes, human dishonesty or bias. Of course, humans have to be in place to ensure that equipment is working properly and to cross-check with such as individual paper ballots produced by machines.
Current systems’ shortcomings may, in many details, be inadequate to protect against political operatives such as those in ACORN, from defrauding the voting system. Click Nevada Voter Registration Experience for an example of what can happen in the best of systems.
The determination that a particular voter meets all the voting requirements is absolutely essential during registration before his name or any of his biometric data should be put into the registration data base. Extreme care must be taken that the potential voter indeed meets the registration requirements during the registration process or no amount of voter identification at the voting place will ensure that a voter does.
As discussed elsewhere, there are many existing databases, e.g. E-verify, which could be used to help verify that a voter meets registration requirement. There are biometric databases also, such as the fingerprint data associated with TWIC—Transportation Workers Identification Credential that is required for Coast Guard-credentialed merchant mariners, port facility employees, long shore workers, truck drivers, and others requiring unescorted access to secure areas of maritime facilities and vessels regulated by MTSA (Maritime Transportation Security Act) that it might be possible to be made available. Fresh biometric data for a particular voter such as a thumbprint needs to be extremely carefully taken and the scanners maintained and periodically tested so that the resulting digitized photograph can be accurately compared with a potential voter at the voting place. Backups and duplicated reading efforts are always desirable.
Given all the voter eligibility determination options at the voting place considered, automatic biometric measurements (finger-printing appearing to be the best single biometric choice) appear to offer the most error-free voting system by comparing measurements at the voting place with those previously taken during registration and stored in a registration database. This should be accompanied with backup ballot printouts (perhaps similar to that printed with a modern cash register receipt) for everyone casting a vote at a polling place or absentee. Finally duplicate votes could either be removed at the final system vote compilation by physically transporting voter tags stored on such as a flash drive to a central vote compilation server or with all voting computers connected via the Internet or an intranet to ensure against duplicate voting at the time ballots were cast—at the risk of the system being hacked. All databases in the system, registration and cast votes, should be encrypted. All voting machines connected via the Internet or an intranet could ensure against duplicate voting
Further assurances that a vote is valid can be derived with the use of counterfeit-protected credit card voting cards and the use of passwords. These latter should not be used however to do more than provisionally over-ride automatic biometric system rejected votes.
A less expensive recommended system to corroborate that a voter is included in the registration data base could simply use counterfeit-protected credit card type voting cards. The use of such with a photograph ID and passwords and would likely provide lesser errors than a system currently in use, especially if further accompanied with careful photo and/or signature identification by humans. Biometric measurements could be later added to offer the most error free voting system.
Including a light or buzzer to come on in a voting place and an over-ride capability when the machine correlation does not match the voter’s identification with that in the registration database could alert a poll worker to allow an apparently proper vote to be provisionally counted as long as it was not a duplicate vote. Presence of a poll worker is also desirable beyond the obvious need to prevent vandalism to watch out that a voter does not provide a photograph to be scanned instead of his face or prints. Other than for these reasons, hard copy manual recounting if needed and possible computer maintenance, the system would be automatic.
Those bed-ridden and currently in true need of an absentee ballot could request a voting official to visit them with the required computer and scanner. Military absentees or others in which a visit by a voting official would be impossible would be the only ones for which written absentee ballots would be accepted for entry into the automated system by an election official.
Nevada Voter Fraud Experience--Tom Peterson, Clark County Nevada Polling Place Team Leader
"During the last election the vast majority of voter fraud occurred because a third party (ACORN) was allowed to register voters. The issue with ACORN in Nevada was the registration of unqualified and imaginary voters (see Vote Fraud in Nevada). The danger there was ACORN collecting and completing those absentee ballots. [Emphasis added.]
"I guess all of this makes me wonder about the use of third parties to register voters. Perhaps if there was a great deal of control over the process (i.e. stringent chain of custody requirements for registration forms) and mandatory jail sentences for those convicted of voter registration fraud the system may be less prone to the temptations to commit fraud.
"Had the Republican Party’s efforts to welcome all new voters not been implemented – which resulted in the discovery of nonexistent addresses, etc. – the fraud may not have come to light until way after the election.
"Another issue was the psychological effect on Republican voters who simply did not vote because of false reports of overwhelming Democratic voter registration – which implies those voters (real or imaginary) will vote.
"P.S. During the primaries, I had several people claim that they thought there was fraud because they could not vote for a particular candidate – until I pointed out that they were voting in a primary and they could only vote for candidates running in the primary registered with their party affiliation.
"Recently I received an email from the Clark County Republican Party that encouraged the members to go online and check their registration because the party received numerous complaints of fraud during the primary. I am certain the “fraud” was based on voters who switched parties without ever notifying the county."
Wherever possible we should let industry implement all or, as much as possible, all voting system hardware and software, so we don't have to establish another empire of bureaucracy to maintain and update the technology that industry does so well.
In this country, the Transportation Workers Identification Credential (TWIC) already uses scanned fingerprints with biometric data bases to allow unescorted access to secure areas of maritime facilities and vessels regulated by MTSA (Maritime Transportation Security Act). Bangladesh is one of several countries that claim to use biometrics in their voting system. Bangladesh at least takes fingerprints in registering voters.
TWIC uses passwords with its fingerprint identification system. The banking industry has extensive experience with PINs as well and the use of additional questions and answers to establish identity over the Internet that provides security that millions accept. In recognition that any code can be broken in time, it typically makes provisions for or requires password changes from time to time as well as the “code book” represented by the additional questions and answers. Any Internet system is susceptible to hacking, but Internet banking has gained extensive public confidence..
Credit card type voting cards
Repeating the words in the Rapid Determination section: In the "credit card" voter ID system, standard card readers installed in the voting booth could ascertain that the straight or encrypted text on the card corresponded with some distinct individual record in the database. This would be most cost effectively worked out by embracing the experience and technology of commercial credit card company(s) rather than waste taxpayer dollars and probably years in development and implementation. Our whole consumer financial system is based on public confidence in the credit card industry. It continuously and constantly looks for ways to enhance security for years--security is its business.
It makes abundant sense to have a "credit card" voter ID with picture, hologram and other encrypted technology, issued by private industry. They already have the technology so why re-invent the wheel? There should be very severe penalties for security violations, like losing a driver’s license and huge fines for deliberate fraud.
A more advanced card reader for election purposes would further and importantly enhance fraud protection by software comparison of a photographic impression of such as a photograph or fingerprint on the card with that scanned from the voter in the booth.
Note that organizations such as Wal-Mart already have automated credit card recognition systems and that very inexpensive free software is available for face recognition today—although, at that cost, undoubtedly not sufficiently sophisticated for low data rate election use.
It would make sense to seek bids from several established credit card companies with their competing claims to supremacy among themselves as to other than the biometric/photo recognition ID aspect in which various companies in that business should also be compared. For security reasons it would be desirable to compartmentalize data access to more than one company. It could make sense to rotate particular company uses between precincts, wards or counties.
Because of short term budget constraints, immediately using a photo ID credit card alone with existing credit card industry card checking methods would provide a considerable fraud protection enhancement over current voting systems, but it would not provide the highly desirable automatic determination that the person’s vote cast is indeed that of a live person corresponding to one originally qualified and registered.
It makes sense to also look at the experiences of the gambling industry technology and their successful decades of fighting cheating and fraud.
The desirability of having hard copy and electronic data backup both on-site and off-site was discussed above. Having such as parallel simultaneously recording hard drives, other backup equipment and an uninterruptible power supply (UPS), always desirable in any system using computer equipment, is especially important in the case of voting machines because of the extreme public importance of not losing votes and having uninterrupted service on voting days.
The following voting-machine-specific security measures are copied and pasted from those used in Clark County Nevada (Las Vegas's county) where stringent gambling security is regularly instituted.
3. The Bangladesh Voter Registration Project registered more than 80 million citizens using biometric face and fingerprint technology. The population of South Carolina is just a little more than 4.5 million.
The Voting System Recommendations paper--Voting System Recommendations--on this Web site was published before some of the revisions in this paper were published. It has specific recommendations which, in some cases represent a subset of those in the Recommended Systems section of this paper. This paper includes a Security section which is not detailed in the Voting Systems Recommendations paper. This paper overall is a more general treatment with a comparison and tradeoffs of various voting methods and systems other than those specifically recommended in the other paper which also includes South Carolina specific recommendations. Also see Ensuring Valid Vote Counts.