Election security under IRV
-
In another thread, @Jack-Waugh says that IRV has 3 problems (*). Here let's concentrate on one of them:
@jack-waugh said in Symmetrical IRV:
Election security -- FPtP is tallied by the precincts and summed over their reports. The tallying point for IRV is a single point of failure and is vulnerable to a secret, scaled-up attack.
Almost all IRV elections (including all that have taken place in my neck of the woods, the Bay Area), produce a full set of ballots and make them available to the public. If that is the case, I would not consider this a real problem, and it certainly isn't a single point of failure that can be attacked. Any member of the public can download the ballot data, and run their own tabulation, including visualizations like this one for the 2018 San Francisco mayor race:
Obviously, no one could make such a visualization without full ballot data. That data can also reveal such things as whether there was a Condorcet winner, and so on.
I can't see how someone making a secret attack at the tabulation phase could avoid it being exposed almost immediately.
The other thing is that IRV elections, since they almost always elect the Condorcet winner (historically, 99.77% of the time), tend toward moderate candidates relative to the electorate. When you are electing moderate candidates, there is less of an incentive to try to cheat. Extremist candidates and factions will be less likely to gain power at all. For example, there were lots of people in San Francisco (including myself) that preferred other candidates to London Breed, but not all that many that felt all that strongly about it. Most of us were just like "whatever, she's fine."
But really, the main point is that, as long as the full ballot data is made available to the public (preferably within a week or so of election day), this security issue should not be a concern.
(while I prefer methods that always elect the Condorcet winner if one exists, that just isn't the hill I want to die on. 99.7% of the time is good enough, especially when you look closely at the one that failed to elect the Condorcet candidate. But that is veering off topic since this is about security.)
* Jack takes the rather extreme position that these problems make IRV worse than even FPTP, which I don't think I could disagree with more. FPTP has polarized the US so much that we are dealing with people trying to overthrow the government, death threats to election workers, and so many other things. Go ahead and make the case for your favorite method, but attacking the one that is making significant progress because you have a fantasy that some other method is going to suddenly take over is, in my opinion, counterproductive to the extreme.
-
@Sass, were you mistaken about security? Even though some people argue that publishing the (anonymous) cast ballots opens the way to coercion of votes, I'm thinking that not enough count of votes could be coerced to make a lot of difference in RCV, because the space available for signalling compliance would saturate pretty quickly.
-
@rob agreed to all points
-
This post is deleted! -
@rob said in Election security under IRV:
Almost all IRV elections (including all that have taken place in my neck of the woods, the Bay Area), produce a full set of ballots and make them available to the public.
Not necessarily on election night. For big cities or states (like Maine), they might not even know the winner, because they had not centralized all of the ballot data, for 3 or 4 days after the election.
If that is the case, I would not consider this a real problem, and it certainly isn't a single point of failure that can be attacked.
Well, if paper ballots are not recounted by hand, an attack corrupting the software at the central tabulation location, that could be a single point of failure.
-
@rb-j said in Election security under IRV:
Not necessarily on election night. For big cities or states (like Maine), they might not even know the winner, because they had not centralized all of the ballot data, for 3 or 4 days after the election.
Right and that's ok, as long as the correct data does get out there. If someone is trying to steal an election by attacking the tabulation phase, the true winner will easily be revealed as soon as the correct data gets out.
If you are saying they could attack it by some other mechanism that actually prevents the true ballot data from getting out there.... well that's a different thing. I don't see IRV Hare as any more vulnerable than other ranked systems to that sort of attack. Wouldn't IRV-BTR be just about as vulnerable?
For expediency, Condorcet systems can just deliver a pairwise matrix on election night. IRV can do the same, which if nothing else is a good indication of who will win (even if not 100%), but also can serve as a sanity check and something to discourage the sort of attack you are suggesting, since, if they somehow modify the ballots, they'll still have to match the pairwise matrices. It would have to be a non-Condorcet winner election for that to work.
@rb-j said in Election security under IRV:
an attack corrupting the software at the central tabulation location, that could be a single point of failure.
Shouldn't each precinct be responsible for delivering all the ballot data from that precinct? If so, wouldn't they be able to notice if the central location got the data wrong due to an attack?
I might be confused as to what is meant by "tabulation". One thing is just collecting/collating the ballot data, and one is actually running the math on it, which could be IRV, IRV-BTR, some other condorcet, etc.
-
@rob When you see the roving gang of ballot-thieves wearing ski masks and brandishing crowbars, all you have to do is say "swiper no swiping" and they will let you conduct your election in peace.
I agree with you that precinct summability is a massively overblown concern. As far as I know there is absolutely zero evidence to suggest this is something to be concerned about. I think using it as a reason to discredit IRV is somewhere between silly and active misinformation / fearmongering.
-
@andy-dienes said in Election security under IRV:
@rob When you see the roving gang of ballot-thieves wearing ski masks and brandishing crowbars, all you have to do is say "swiper no swiping" and they will let you conduct your election in peace.
I agree with you that precinct summability is a massively overblown concern. As far as I know there is absolutely zero evidence to suggest this is something to be concerned about. I think using it as a reason to discredit IRV is somewhere between silly and active misinformation / fearmongering.
With you 100%.
I was at the video meeting tonight with Sass (I won't tag him!), and yeah. Attacks on the trucks carrying ballots in Maine came up. I agree with both Sass and RB-J on a ton of things, but.... some of this just feels like Jewish space lasers and bamboo ballots. I think I've said my peace on it, let's get back to important stuff.
-
@rob said in Election security under IRV:
Not necessarily on election night. For big cities or states (like Maine), they might not even know the winner, because they had not centralized all of the ballot data, for 3 or 4 days after the election.
Right and that's ok, as long as the correct data does get out there.
But you lose one independent and redundant path of getting "the correct data ... out there."
And it's not ok to have to wait 3 or 4 days to get elections results when, with FPTP, we get results on the night of the election, simply by adding the precinct results.
Imagine, right now with FPTP, if they passed a law prohibiting precincts from publishing the vote tallies at each polling location. Wouldn't that be a little fishy?
If someone is trying to steal an election by attacking the tabulation phase, the true winner will easily be revealed as soon as the correct data gets out.
If you are saying they could attack it by some other mechanism that actually prevents the true ballot data from getting out there.... well that's a different thing.or screw up the counting of that "true ballot data" in the opaque central-location computer. The "true ballot data" could be faithfully transported to the central tallying location and the tabulating software there could be corrupted to swing the election.
an attack corrupting the software at the central tabulation location, that could be a single point of failure.
Shouldn't each precinct be responsible for delivering all the ballot data from that precinct?
Yes, but if they publish it first, before transporting it to the central location, it's gonna be pretty hard to nefariously change in on the way there.
If so, wouldn't they be able to notice if the central location got the data wrong due to an attack?
Not if it's opaque. That's the problem. This is the loss of one component of process transparency in elections.
I might be confused as to what is meant by "tabulation".
For each ballot that is processed, votes are tallied. Some vote subtotals are incremented and some are not. That is tabulating a single ballot.
-
@rob said in Election security under IRV:
I agree with you that precinct summability is a massively overblown concern. As far as I know there is absolutely zero evidence to suggest this is something to be concerned about. I think using it as a reason to discredit IRV is somewhere between silly and active misinformation / fearmongering.
With you 100%.
Sad. You guys think people would not find it fishy if they passed a law (assuming FPTP) that changed policy and directed the ward clerks (or whoever is running the election at each polling place) to not reveal and publish information collected at that polling place that can be used to redundantly check on an election?
I think some voting reformers might get excited. We didn't even like the pure electronic voting technology without a natural paper trail.
I was at the video meeting tonight with Sass (I won't tag him!), and yeah. Attacks on the trucks carrying ballots in Maine came up.
What if someone accuses the people charged with transporting the ballots (that have opaque ballot bags of information in them) with changing the data en route? Precinct summability will lay that problem to rest.
And we already have precinct summability with FPTP. Why lose it with RCV when we don't have to?
-
@rb-j said in Election security under IRV:
And we already have precinct summability with FPTP. Why lose it with RCV when we don't have to?
We also have this with FPTP:
I think Hare RCV has momentum. I'd like to eventually help redirect the momentum toward something better (something Condorcet, specifically), yes. I am working toward that, on many fronts. That's the main reason I am exploring methods that I think are close enough to RCV Hare to see if we can find some consensus with all the RCV people out there.
Right now, I live in one of the few places in the US where IRV has been in place for decades now, consistently producing Condorcet winners. It's f*cking wonderful compared to FPTP. Nobody is trying to set city hall on fire when they don't get their way.
I'm quite happy with my representative in Washington that I ranked at the top of my IRV ballot, but also not so happy that she is exposed to this:
If I thought a better system was likely to gain momentum soon, I'd be all in. At the current rate I'll be dead before any improvements along these lines have an impact on national politics. I'm really, really scared my 8 year old will grow up in some kind of banana republic due to the polarization caused by FPTP. I'm embarrassed for my country when she watches the news. I don't want to visit family anymore because I don't want to deal with QAnon crazies who used to be completely normal and reasonable.
So it's hard for me to be so upset that people might have to wait 3 days to have final-final results. Its hard to be upset that Bob Kiss got elected in a tight three way race. I mean, I'm sorry, and I actually am interested in doing some analysis on Burlington, but what is happening now on a national scale is on a completely different level.
So yeah, I've lost patience. We're supposed to be the experts on finding consensus, and yet everybody's got a different freaking hill they want to die on. The one community that could have the most impact seems to be asleep at the wheel.
So we get nowhere, as we watch democracy fall apart.
That's what's sad to me.
-
So it's hard for me to be so upset that Bob Kiss got elected.
Because 43% of the city marked their ballots that Andy Montroll was preferred to Bob while 36% marked their ballots that Bob was preferred to Andy.
BTW I am a poll worker and past election official for the same ward that Bernie is in.
-
@rb-j said in Election security under IRV:
Because 43% of the city marked their ballots that Andy Montroll was preferred to Bob while 36% marked their ballots that Bob was preferred to Andy.
One out of 440 RCV elections. Close 3 way race. Only 9000 voters, meaning quirks are more likely.
No, I don't prefer FPTP to that, and I honestly can't understand how you could. There's no indication Montroll would have won under FPTP. Kiss could have won under approval or STAR as well, we can't know.
But again, I think one minor failure in 440 elections is not even in the same ballpark with the downsides of FPTP. That's all I have to say on it.
-
Maybe some of you are talking past each other. Based on Rob's argument, I'm envisioning that the precincts publish the data from the cast ballots over the Internet where anybody can get those data and replicate the tally. Where's the single point of vulnerability if that is done?
-
@rob said in Election security under IRV:
No, I don't prefer FPTP to that, and I honestly can't understand how you could.
I don't recall ever writing or saying that I preferred FPTP to any RCV. What I said is:
-
FPTP has precinct summability. Hare RCV does not. Condorcet RCV does.
-
Just because I prefer FPTP less than Hare RCV does not mean I should be satisfied with Hare RCV and I am not. We want RCV to (a) guarantee the majority candidate is elected, (b) eliminate the spoiler effect and (c) allow voters to vote non-tactically for the candidate they really want to win. When RCV failed to do that, not because of anything inherent to RCV but solely because of the method of tallying the ballots, we should act to fix these problems that RCV promises to fix. Denial of these problems (which is what FairVote does) is not conducive to fixing them.
There's no indication Montroll would have won under FPTP.
So what? Doesn't change anything regarding the objective failure of Hare RCV to elect the majority candidate and to eliminate the spoiler effect and to disincentivize tactical voting (by punishing 1/6th of the electorate for "voting their hopes rather than their fears", they would have been better off voting their fears).
But again, I think one minor failure in 440 elections is not even in the same ballpark with the downsides of FPTP. That's all I have to say on it.
While this happened only once (that we know of in the United States), it can happen again.
Occasionally we read about surgeons accidentally amputating the wrong limb because of a procedural mixup (just a "minor failure"). When this happens, do we hear hospital officials defending their procedures saying βThese procedures have served us well for decades and hundreds of surgeries, so we see no need to change our procedure at all.β?
Even with a single catastrophic mistake, that is enough to motivate review and make changes in procedure to insure that such an unnecessary failure will not happen again. Now is precisely the time to recognize and correct this failure that occurred in Burlington in 2009 rather than sweeping it under the rug and hoping no one notices.
-
-
@jack-waugh said in Election security under IRV:
Based on Rob's argument, I'm envisioning that the precincts publish the data from the cast ballots over the Internet where anybody can get those data and replicate the tally.
The data for Hare RCV is too much for anyone simply "replicate the tally". You're missing the whole point of precinct summability and what it does for process transparency.
Again, imagine, just with FPTP, if the government passes a law that proscribes polling places from publishing the vote tallies of each candidate in the FPTP race. (Imagine they publish the data from each cast ballot on the internet, instead.) Now what are media organizations or the competing campaigns gonna do on election night to verify the results? Especially if results are not announced until four days after the election?
-
@rb-j said in Election security under IRV:
The data for Hare RCV is too much for anyone simply "replicate the tally".
Anyone with an Internet-connected computer can replicate it. I'm proposing that all the precincts do so as a matter of course. They would all be using the same software, and so should publish identical results unless something is seriously wrong.
(Imagine they publish the data from each cast ballot on the internet, instead.) Now what are media organizations or the competing campaigns gonna do on election night to verify the results?
They are going to run standard computer programs that suck the cast-ballot data across the Internet and do the tally.
-
@rb-j said in Election security under IRV:
Now what are media organizations or the competing campaigns gonna do on election night to verify the results? Especially if results are not announced until four days after the election?
import pandas as pd from usaelections import irv df = pd.read_csv("ballots_from_my_awesome_precinct.csv") projected_winner = "Boe Jiden" actual_winner = irv(df) if not actual_winner == projected_winner: call_the_FBI_immediately()
-
@rb-j said in Election security under IRV:
I don't recall ever writing or saying that I preferred FPTP to any RCV.
I can't claim to know your position on that, all I know is what I I've seen you write online.
And I think the net effect of what you've said, especially if lots of people took your words to heart, is simply to reduce the chance of there being any reform at all. You seem to have put far more words and energy into tearing down ranked-choice, versus advancing anything that actually has a chance of making an impact in our lifetimes.
That's just my observation. I believe I am in your camp on advocating for Condorcet methods. I just think we have different priorities and approaches. For instance, precinct summability, while a positive, is down near the bottom of my list of important things. In terms of getting things implemented, far more important is "has been extensively tested," and "there is existing legislation we can draw from" and "we can use existing voting machines and infrastructure" --- and RCV-Hare has that over any Condorcet method (as well as Score, Approval, etc). Not to mention a large organizations with some funding (Fairvote, Forward Party), public mindshare, etc.
I do think that bottom two runoff, which I learned about from you (thanks!) is potentially a way to "sneak" a better system in. It just seems so similar to RCV-Hare that the RCV people are likely to say "whatever, that's fine too."
But the key is to that is to build up RCV-BTR without spreading fear uncertainly and doubt about RCV-Hare.
-