Previously, I explained why precinct optical ballot scanning is the most secure voting system (1 October 2012). However, to take full advantage of this security, the ballots still need to be manually recounted. To make this process more efficient and more scalable, risk-limiting post-election audits can be put in place.

If you have had any lectures on statistics, you may recall that you do not have to check every individual record to be very confident of the results. Based on the desired confidence and certain characteristics of the database, one takes a random sample that has to be checked. Of course, this leaves a small chance that the results of the check are incorrect – namely, the complement of the confidence level. Nevertheless, correct application of the statistics makes it possible to make the risks of miscalculation negligible.

Auditing the Precincts
As a starting point, one can perform a risk-limiting audit on the precincts, i.e. the optical ballot scanners and the ballots fed to them. In this case, the statistical theory is applied to determine how many optical scanners need to have their ballots manually recounted. Those scanners are randomly selected and verified against their ballot boxes. By performing a precinct-based risk-limiting audit, the amount of manual recounting work is already reduced many times over.

However, auditing per ballot box has several problems. First of all, it is harder to build a random sample, as people from certain areas tend to live and vote in comparable ways. Additionally, this requires not only guarding the ballot boxes and scanners, but also the way they are coupled. For these reasons, auditing per ballot would be preferable.

Can We Perform Ballot-Based Audits?
Actually, performing a risk-limiting audit on individual ballots is possible, but it requires a link between digital and paper records. As we already learned, numbering ballots would harm the ballot secrecy. However, there is a solution to this problem, as discussed by Johnson (2004) and Calandrino, Halderman and Felten (2007): serialising ballots after the election.

By introducing an additional optical scanner that is able to print serial numbers on ballots, we can create a link between the records in the database and the paper ballots. Additionally, this provides a recount that has to conform to the original election results. Furthermore, by using the serialised ballots to perform the risk-limiting audit, the added machine does not have to be trusted. Please note that letting the initial optical scanners print serial numbers is not a good idea, as the digital records would be recorded in order, which makes it possible to correlate persons entering the voting booth to the records in order to break ballot secrecy.

How Were Your Statistics Grades?
The only real problem with the statistics involved with risk-limiting audits is their complexity. It most certainly is harder to explain the workings of an audit that uses random samples and confidence-levels than a simple recount. At this point, we should ask ourselves whether it is intelligible to enough citizens that it can be implemented securely.

Another problem lies with the randomness of the selection. Especially with precinct-based audits, there is a risk that the ballots to be audited are not selected randomly, thereby nullifying the results of the audit. With the ballot-based audit, this risk is lower, as all ballots get shuffled in one big pile, which induces a certain amount of randomness. Nevertheless, keeping a close eye on the methods of selection is of great importance to keep the audits trustworthy.
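To make the sampling and the selection concrete, here is a simplified ballot-based audit as an added example (not code from the cited papers or from any election system): it computes how many serialised ballots to pull for a given risk limit, derives the serial numbers reproducibly from a public seed, and compares paper against digital records. Assumptions: a two-candidate contest, sampling with replacement, any mismatch escalates to a full hand count, and all names, the seed and the ballot data are constructed for illustration.

```python
import hashlib
import math

def sample_size(n_ballots, margin_votes, risk_limit):
    # One wrong digital record shifts the margin by at most 2 votes, so a wrong
    # outcome needs at least margin/2 bad records among the n_ballots.
    bad_fraction = margin_votes / (2 * n_ballots)
    # Smallest n with (1 - bad_fraction)^n <= risk_limit.
    return math.ceil(math.log(risk_limit) / math.log(1 - bad_fraction))

def draw_serials(seed, n_ballots, count):
    # Reproducible draws (with replacement) from a public seed, so observers
    # can re-derive which serial numbers had to be pulled.
    limit = (2**256 // n_ballots) * n_ballots  # reject above this: no modulo bias
    serials, counter = [], 0
    while len(serials) < count:
        digest = hashlib.sha256(f"{seed},{counter}".encode()).digest()
        counter += 1
        value = int.from_bytes(digest, "big")
        if value < limit:
            serials.append(value % n_ballots)
    return serials

def audit(digital, paper, margin_votes, risk_limit, seed):
    # Compare each sampled paper ballot with the digital record carrying the
    # same serial number; any mismatch escalates to a full hand count.
    n = sample_size(len(digital), margin_votes, risk_limit)
    for serial in draw_serials(seed, len(digital), n):
        if digital[serial] != paper[serial]:
            return ("full recount", serial)
    return ("confirmed", n)

# Constructed data: 10,000 serialised ballots, digital tally A 5,500 / B 4,500.
DIGITAL = ["A"] * 5500 + ["B"] * 4500
PAPER_MATCHING = list(DIGITAL)
# Constructed tampering: paper really says A 4,900 / B 5,100 (600 records flipped).
PAPER_TAMPERED = ["A"] * 4900 + ["B"] * 5100

if __name__ == "__main__":
    seed = "constructed-seed-from-public-dice-rolls"
    print(sample_size(10_000, 1000, 0.05))                     # ballots to pull
    print(audit(DIGITAL, PAPER_MATCHING, 1000, 0.05, seed))
    print(audit(DIGITAL, PAPER_TAMPERED, 1000, 0.05, seed))
```

The seed should only be fixed after the digital records and serial numbers are committed, otherwise whoever controls the records can predict which ballots will be checked.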

Risk-Limiting Audits: a Novel Method for Recounting Election Results
Statistical auditing procedures make it possible to greatly reduce the amount of work an election audit takes. In such a procedure, the ballots are serialised and recounted by a machine. Afterwards, they need to be audited in random samples until the desired level of confidence is reached. The only drawback of risk-limiting audits is the complexity of the involved statistics. Nevertheless, for the future, this may be a wonderful method.

