A tale of four scanners

The recount in the Coleman-Franken Minnesota Senate race is in full swing and so again as in Florida 2000, we get to observe the spectacle of voting officials trying to figure out just what the heck their fellow citizens were thinking when they marked their ballots. This election was run on optically scanned paper and Minnesota Public Radio has posted a whole set of challenged ballots and a quiz where you can make your own judgement about whether they should be accepted or not. As I've mentioned before, one of the nominal advantages of DRE systems (see for instance, this post by Ed Felten) is that when you do a recount you don't have to do this, or rather one should say you can't do this because the DRE just records whatever choice you think it made. It may be wrong, but it's (almost) never ambiguous. Unfortunately, DREs and opscan ballots are incomparable in a number of other ways so it's sort of hard to decide whether this particular feature is decisive. Instead, let's try a thought experiment. Consider the following four voting systems:

A. Ordinary Precinct Count Optical Scan Ballots
You mark your paper ballots and they're scanned in the precinct and then dropped in a box. The scanner detects under and overvotes and spits out your ballot if it thinks it's invalid, but you can't tell if it's misread your vote. The paper ballots are available for subsequent recounts as usual.

B. PCOS + Confirmation
This is just like system A, but before the system accepts your ballot it shows you a confirmation screen indicating its interpretation of how you voted. If you think it's wrong, you can start over again with a new ballot. This isn't a security feature, really: the machine can always lie; it just detects incorrect reads (assuming voters check the confirmation screen).

C. Disposable PCOS + Confirmation
This system is like system B, except where the ballot box would ordinarily be (underneath the scanner) there's a big crosscut shredder which destroys your ballot as soon as its been recorded. Thus, the only possible recount is re-exporting the vote data from the scanner and re-tabulating at election central.

D. Disposable PCOS + VVPAT
Finally, consider what happens if we take system C but fit it with a VVPAT printer, which records the systems's interpretation of your vote which you can then accept or reject as usual with DREs.

System A is roughly how PCOS elections are run now. As far as I know, System B doesn't exist anywhere You could imagine retrofitting any PCOS scanner with a big enough screen, but even the biggest screens, like those found on the Hart eScan, are pretty small. Systems C and D correspond roughly to DREs with and without VVPATs. The two main differences are that the UI is lousy and that whereas with a DRE it's not really possible to have an independent record of the intent of the voter,¹ with systems C and D we had an independent record, but we systematically destroyed it in order to avoid the ambiguity of being able to go back and second-guess the machine later.

If you buy the argument that it's bad/embarassing/awkward to have people go back and try to revise the machine count, then you ought to think that systems C and D are better than systems A or B. The difficulty with this position is that we know that the scanners do make mistakes and this basically removes our ability to correct a large class of them. Now, you could argue that any scanner errors will be caught by the users in the confirmation phase, but we know that's not true [*], so we're left tolerating the machine error rate with no real way to correct it. The counterargument, here is that the recount has its own error rate, both in terms of ballot interpretation and in terms of ballot handling—it would be one thing if we all agreed on the set of ballots to be audited, but in actual practice the chain of custody of paper ballots can be fairly problematic, so it's not just a matter of deciding the contents of each ballot, but also of making sure you have all the ballots.

Note that while superficially system D seems a lot like system B: in both cases we have an electronic record plus a paper trail. But upon deeper inspection they're really quite different: in system D, what we have is a voter verifiable paper audit trail. I.e., the voter could in principle have checked the paper (though Everett et al.'s research suggests this is unlikely), but the paper just reflects the machine's opinion of the voter's intent. By contrast, in B we have a voter created paper audit trail (I don't think that VCPAT is standard term, but it should be), in which we can independently assess the voter's intent from the paper record. This issue becomes increasingly important the higher the probability that the machine will misrecord people's votes, whether through malice or malfunction.

^1. I should qualify this a little bit. Obviously, we could just videotape the voter voting, but that would utterly destroy ballot secrecy, which is generally considered to be an invariant of such systems. Cordero and Wagner [*] have described a system for privacy preserving audits of DREs, where they record the UI inputs but engage in scrubbing to try to remove sensitive marks. It's not clear how well this works.