Tensions Between Accessibility and Security in US Elections

OutStack Technologies President & Co-Founder Joshua M. Franklin explores election technology's newest third rail: ballot marking devices (BMDs).

In the early 2000s there were a few warring factions in the elections community. Paper versus Touchscreen. Academia versus Election Administrators. Another big one was Computer Scientists versus the Accessibility Community. Many of these flame wars extinguished themselves after a barrage of emails, books, documentaries, and heated arguments eventually yielded some sort of compromise. Everyone got to know each other and understood the other side’s viewpoints. But a compromise usually means everyone feels like they lost—even if it resulted in some improvement. Skeletons are buried, but not laid to rest. At the 2019 Election Verification Network (EVN) conference, these skeletons were once again exhumed in a fiery panel.

EVN is the premiere conference for election security in the United States and people from all backgrounds attend, including election administrators, academics, and activists. They even let lawyers in! I’ve been attending (and presenting) off and on since 2011. Common topics include election audits, security best practices, and newly-proposed legislation. So I was surprised to see a panel on accessibility being featured since the conference is in large part security-centric. The panel was titled Usability and Voter Verification and had three security-focused computer scientists and one accessibility advocate.

The reason for the panel was likely due to the backlash against the use of ballot marking devices in the polling places, also known as BMDs. BMDs are a blend of paper and plastic. They typically sport a touchscreen interface, but create an indelible paper record. People sometimes describe them as an “electronic pencil,” because they can electronically mark a physical paper ballot. But after 2016, there was a renewed push for hand-marked paper ballots, which has once again brought paper’s lack of accessibility to the forefront.

BMDs aren’t new. The original BMD was the AutoMARK, first patented in 2003. And just like my report cards from 2003, the system “had some issues.” Yet many folks in the elections community, including myself, thought that BMDs would be the way forward to create a secure and accessible way for Americans to cast their ballots. Ultimately, I’d say the panel focused on examining the benefits and drawbacks of BMDs, looking toward new voting tech, and discussing practical steps forward. I found the panel acts as a useful frame for the debate the elections community is engaged in about proper BMD usage in the United States. Saddle up!

A joke report card from the author showing grades for candy consumption, heavy metal, Chaucer, respect for authority, and election technology — Josh's Early 90's Report Card

Growing concerns surrounding BMDs

The usage of hand-marked paper ballots was one of the central themes discussed by the panelists. This position generally wanted to minimize the use of technology sitting between voters and their ballots. The nice thing about hand-marking ballots is that voters are able to verify their selections as they mark by hand. This can be an error-laden proposition when there’s 50+ races on a ballot, each with 4 or more options including a write-in. In jurisdictions that tabulate the ballots at the polling place, voters can even see how the scanning machine interpreted their marks. This can be important since some voters bring gel pen to mark a ballot and surprise—the machines aren’t ready for that! Hand-marking with in-precinct verification is also one of the only mitigations we have to help prevent machines infected with malware from showing the voter one results screen, but casting the ballot differently.

Paper is in many ways a low-tech solution to a high-tech problem, and is a necessary, if not pragmatic, solution as there’s no near-term, practical alternative. There’s lots to hate about paper, such as how it negatively affects voters that have difficulty with it, how easily it is destroyed by the environment, and how elections generate so much of it. My bleeding heart also secretly harbors environmental concerns. However, paper provides evidence. There’s a large swathe of nearly-unanimous academic literature available on this topic. In lieu of dropping 15 citations, here’s a wonderful letter from the Brennan Center with a glorious list of computer scientists advocating for paper ballots. If properly counted and audited, which can be a big if, paper can help to convince all parties of the correctness of an election outcome.

So it’s great that BMDs use paper, but they also introduce additional complexity and possibilities for failure into the voting process. Not all BMDs are made equally either: some use barcodes to store voter selections which introduces additional complexity and the need to trust the system. Additionally, some BMDs don’t print an actual ballot card and instead print a subset of selections, sometimes referred to as a “results-only ballot.” These different options or features can lead to different security properties for various types of BMDs.

Unfortunately, there’s a major problem: we don’t know if voters actually check the paper that gets spit out of a BMD. Do voters pay enough attention to the BMD printout to detect if malware is changing votes? It’s important to obtain data in order to analyze whether BMDs are safe AND effective. Another question comes to mind: If voters aren’t really paying attention to printouts, what can we do to raise the rate to detect errors in BMD printouts? Seems like there’s a few PhDs to be minted on these topics in the coming years.

BMDs, who needs ‘em?

BMDs can help a subset of voters with disabilities to cast their ballot privately and independently. This position generally wants to enable voters to cast their ballots without assistance. While paper is good for security, it can be a disaster for certain people. For example, paper doesn’t work for individuals who can’t read and for languages that simply aren’t written down. The solution to these voting barriers in 2002 was the Help America Vote Act (HAVA), which mandated some sort of accessible machine in every polling place in the United States. But as paper ballots and optical scan units supplanted touch screen Direct Record Electronics (DREs) and BMDs, these electronic voting machines have been moved to the back corner. They are rarely used, election workers receive inadequate training on how to operate them, and these units are often too old to properly function.

Voting Technology Usage Graphed Over Time Since 1980 — Changes in ElecTech over time, courtesy of MIT's Election Lab. — *https://electionlab.mit.edu/research/voting-technology*

And the situation is worsening. There are now a few legislative proposals from members of Congress to ban the use of electronic machines except for use by voters that require assistive technology. This could be viewed as a “separate but equal” scenario, and most of us know that isn’t equal. States and jurisdictions already often have one “accessible option” in the corner with a separate line to vote at. In my opinion, having voters declare a disability before being able to vote on the machine sounds terrible. Voters who need assistive technology don’t need everyone else telling them what’s good enough for them and preaching technology requirements for how they need to vote.

Interestingly, the ability to vote privately and independently is something enshrined in law via HAVA. I’m not a lawyer, but just like anyone else I can try and quote sections that I think back up my argument. Section 301(3) states:

(3) ACCESSIBILITY FOR INDIVIDUALS WITH DISABILITIES.— The voting system shall— (A) be accessible for individuals with disabilities, including nonvisual accessibility for the blind and visually impaired, in a manner that provides the same opportunity for access and participation (including privacy and independence) as for other voters;

Because of this law, it’s safe to assume that elections in the US have a fairly stringent accessibility requirements for federal elections. In our current election security frenzy, it’s interesting to note that there’s not an easy statute to point to that’s a hard election security requirement…which is kind of weird. Anyway, here’s a map of the US. The blue parts are subject to a hard accessibility requirements for voting systems in federal elections.

A map of the all 50 states in United States all colored in dark blue, signifying a universal accessibility requirement throughout the nation — States in dark blue signify areas of the US with accessibility requirements

Another kind of proxy voting

This position believes that many of paper’s properties can be reconstructed with cryptography and the internet. Now this puts a smile on my face. It’s a unique perspective for someone in the security community to espouse, essentially stating that paper is a proxy for verifiability. It is but one means to that end. The stringent requirement for paper—and only paper—distract us from our real goal. This viewpoint is fairly uncommon, and puts stock in the power of cryptography, which is really just applied mathematics, to help verify election outcomes. End-to-end (E2E) cryptographic voting protocols have been just around the riverbend for years. When I first heard of systems built around this concept in 2009, many smart people assured me that this technology would exist and be widely employed in 10 years for internet voting. In fact paperless E2E systems solve many issues associated with typical voting scenarios, but they also cause completely new problems for both security and accessibility.

An illustrated image showing a small boat traveling up a river that splits in two. There is an arrow pointing to the smaller, more seemingly difficult-to-navigate river with the caption E2E is somewhere over here. From the Disney movie Pocahontas — E2E is just around the riverbend

Problems facing E2E include some pretty substantial stuff like...understanding how votes are counted. If you think ranked choice voting (RCV) is hard, understanding how encrypted votes are counted and then decrypted is so difficult that probably only 1000 people in the world possess the knowledge to do it. Ironically, this means that voters must put their faith in the mathematical underpinnings of E2E systems. Wasn’t needing to trust in the system one of the main reasons we wanted paper in the first place? E2E also has issues with dispute resolution: what if someone lies and says their return code or receipt wasn’t included in the posted total? Although there’s active research focusing on these problems, we don’t quite have awesome solutions.

Yet E2E has experienced world-wide deployment. It’s been famously used in one of the most star-studded papers in election security with Scantegrity, where it addEd an additional layer of assurance for a handmarked paper ballot system. E2E voting systems have been used in Switzerland and Norway, but sometimes scientists and researchers argue about the definition of E2E and label certain systems as pseudo-E2E. I‘ll stay away from arguing if specific systems are E2E, but E2E tech can provide an enhanced layer of auditability than can augment typical paper-based systems and the old web server-client model.

Conclusion

What are the pragmatic solutions that can be done now to help the situation for 2020? I’m honestly not sure. We need a rich dataset for how often people catch errors on BMD review screens. But that’s long-term thinking. I would venture to say that right now, we should not be focusing on BMD usage for 2020. Instead federal and state dollars should be spent on ensuring a basic level of cyber hygiene for state and local election infrastructure, and on keeping parties and campaigns secure. But this doesn’t help voters who need assistive technology.

Near the end of this talk, the panelists unanimously agreed that the current crop of fielded accessible voting systems is suboptimal at best. There seemed to be universal agreement that in the future, voters may be able to bring their own assistive technology with them to the polling place and use that to vote. Another proposed solution was pre-voting, which allows voters to mark their ballots at home and bring a print-out of their selections to the polling place. That information would be read by a machine and reproduced in a native format in the polling place—ready for a voter to cast. I’m hard pressed to think of what assistive technology would be brought in other than maybe a smartphone, tablet, or bluetooth headphones. Pre-voting is a strong possibility for future deployment to help with accessibility.

This was one of my favorite panels I’ve seen in all my years in elections. While this post is by no means a critique of all the benefits and drawbacks of BMD usage, it encapsulated so many issues currently affecting the United States election community, such as safe usage of ballot marking devices, accessibility taking a backseat to security, and the future of verifiable elections. It did feel as though everyone wanted a solution, but we still don’t have a great answer (yet). We have to keep talking about it, and we should be civil about it. In large part this entire issue is not one of security, science, or engineering. This is a policy debate, and we all love to have them out in the open because we’re from the US of A. It’s one of the things that makes us special and keeps the fire burning under our unique type of representative democracy.

Thank goodness that everyone can generally agree that we hate block chain.

Note: A full video of the presentation is graciously available from George Washington University at this link.