Election security under IRV
-
@rob When you see the roving gang of ballot-thieves wearing ski masks and brandishing crowbars, all you have to do is say "swiper no swiping" and they will let you conduct your election in peace.
I agree with you that precinct summability is a massively overblown concern. As far as I know there is absolutely zero evidence to suggest this is something to be concerned about. I think using it as a reason to discredit IRV is somewhere between silly and active misinformation / fearmongering.
-
@andy-dienes said in Election security under IRV:
@rob When you see the roving gang of ballot-thieves wearing ski masks and brandishing crowbars, all you have to do is say "swiper no swiping" and they will let you conduct your election in peace.
I agree with you that precinct summability is a massively overblown concern. As far as I know there is absolutely zero evidence to suggest this is something to be concerned about. I think using it as a reason to discredit IRV is somewhere between silly and active misinformation / fearmongering.
With you 100%.
I was at the video meeting tonight with Sass (I won't tag him!), and yeah. Attacks on the trucks carrying ballots in Maine came up. I agree with both Sass and RB-J on a ton of things, but.... some of this just feels like Jewish space lasers and bamboo ballots. I think I've said my peace on it, let's get back to important stuff.
-
@rob said in Election security under IRV:
Not necessarily on election night. For big cities or states (like Maine), they might not even know the winner, because they had not centralized all of the ballot data, for 3 or 4 days after the election.
Right and that's ok, as long as the correct data does get out there.
But you lose one independent and redundant path of getting "the correct data ... out there."
And it's not ok to have to wait 3 or 4 days to get elections results when, with FPTP, we get results on the night of the election, simply by adding the precinct results.
Imagine, right now with FPTP, if they passed a law prohibiting precincts from publishing the vote tallies at each polling location. Wouldn't that be a little fishy?
If someone is trying to steal an election by attacking the tabulation phase, the true winner will easily be revealed as soon as the correct data gets out.
If you are saying they could attack it by some other mechanism that actually prevents the true ballot data from getting out there.... well that's a different thing.or screw up the counting of that "true ballot data" in the opaque central-location computer. The "true ballot data" could be faithfully transported to the central tallying location and the tabulating software there could be corrupted to swing the election.
an attack corrupting the software at the central tabulation location, that could be a single point of failure.
Shouldn't each precinct be responsible for delivering all the ballot data from that precinct?
Yes, but if they publish it first, before transporting it to the central location, it's gonna be pretty hard to nefariously change in on the way there.
If so, wouldn't they be able to notice if the central location got the data wrong due to an attack?
Not if it's opaque. That's the problem. This is the loss of one component of process transparency in elections.
I might be confused as to what is meant by "tabulation".
For each ballot that is processed, votes are tallied. Some vote subtotals are incremented and some are not. That is tabulating a single ballot.
-
@rob said in Election security under IRV:
I agree with you that precinct summability is a massively overblown concern. As far as I know there is absolutely zero evidence to suggest this is something to be concerned about. I think using it as a reason to discredit IRV is somewhere between silly and active misinformation / fearmongering.
With you 100%.
Sad. You guys think people would not find it fishy if they passed a law (assuming FPTP) that changed policy and directed the ward clerks (or whoever is running the election at each polling place) to not reveal and publish information collected at that polling place that can be used to redundantly check on an election?
I think some voting reformers might get excited. We didn't even like the pure electronic voting technology without a natural paper trail.
I was at the video meeting tonight with Sass (I won't tag him!), and yeah. Attacks on the trucks carrying ballots in Maine came up.
What if someone accuses the people charged with transporting the ballots (that have opaque ballot bags of information in them) with changing the data en route? Precinct summability will lay that problem to rest.
And we already have precinct summability with FPTP. Why lose it with RCV when we don't have to?
-
@rb-j said in Election security under IRV:
And we already have precinct summability with FPTP. Why lose it with RCV when we don't have to?
We also have this with FPTP:
I think Hare RCV has momentum. I'd like to eventually help redirect the momentum toward something better (something Condorcet, specifically), yes. I am working toward that, on many fronts. That's the main reason I am exploring methods that I think are close enough to RCV Hare to see if we can find some consensus with all the RCV people out there.
Right now, I live in one of the few places in the US where IRV has been in place for decades now, consistently producing Condorcet winners. It's f*cking wonderful compared to FPTP. Nobody is trying to set city hall on fire when they don't get their way.
I'm quite happy with my representative in Washington that I ranked at the top of my IRV ballot, but also not so happy that she is exposed to this:
If I thought a better system was likely to gain momentum soon, I'd be all in. At the current rate I'll be dead before any improvements along these lines have an impact on national politics. I'm really, really scared my 8 year old will grow up in some kind of banana republic due to the polarization caused by FPTP. I'm embarrassed for my country when she watches the news. I don't want to visit family anymore because I don't want to deal with QAnon crazies who used to be completely normal and reasonable.
So it's hard for me to be so upset that people might have to wait 3 days to have final-final results. Its hard to be upset that Bob Kiss got elected in a tight three way race. I mean, I'm sorry, and I actually am interested in doing some analysis on Burlington, but what is happening now on a national scale is on a completely different level.
So yeah, I've lost patience. We're supposed to be the experts on finding consensus, and yet everybody's got a different freaking hill they want to die on. The one community that could have the most impact seems to be asleep at the wheel.
So we get nowhere, as we watch democracy fall apart.
That's what's sad to me.
-
So it's hard for me to be so upset that Bob Kiss got elected.
Because 43% of the city marked their ballots that Andy Montroll was preferred to Bob while 36% marked their ballots that Bob was preferred to Andy.
BTW I am a poll worker and past election official for the same ward that Bernie is in.
-
@rb-j said in Election security under IRV:
Because 43% of the city marked their ballots that Andy Montroll was preferred to Bob while 36% marked their ballots that Bob was preferred to Andy.
One out of 440 RCV elections. Close 3 way race. Only 9000 voters, meaning quirks are more likely.
No, I don't prefer FPTP to that, and I honestly can't understand how you could. There's no indication Montroll would have won under FPTP. Kiss could have won under approval or STAR as well, we can't know.
But again, I think one minor failure in 440 elections is not even in the same ballpark with the downsides of FPTP. That's all I have to say on it.
-
Maybe some of you are talking past each other. Based on Rob's argument, I'm envisioning that the precincts publish the data from the cast ballots over the Internet where anybody can get those data and replicate the tally. Where's the single point of vulnerability if that is done?
-
@rob said in Election security under IRV:
No, I don't prefer FPTP to that, and I honestly can't understand how you could.
I don't recall ever writing or saying that I preferred FPTP to any RCV. What I said is:
-
FPTP has precinct summability. Hare RCV does not. Condorcet RCV does.
-
Just because I prefer FPTP less than Hare RCV does not mean I should be satisfied with Hare RCV and I am not. We want RCV to (a) guarantee the majority candidate is elected, (b) eliminate the spoiler effect and (c) allow voters to vote non-tactically for the candidate they really want to win. When RCV failed to do that, not because of anything inherent to RCV but solely because of the method of tallying the ballots, we should act to fix these problems that RCV promises to fix. Denial of these problems (which is what FairVote does) is not conducive to fixing them.
There's no indication Montroll would have won under FPTP.
So what? Doesn't change anything regarding the objective failure of Hare RCV to elect the majority candidate and to eliminate the spoiler effect and to disincentivize tactical voting (by punishing 1/6th of the electorate for "voting their hopes rather than their fears", they would have been better off voting their fears).
But again, I think one minor failure in 440 elections is not even in the same ballpark with the downsides of FPTP. That's all I have to say on it.
While this happened only once (that we know of in the United States), it can happen again.
Occasionally we read about surgeons accidentally amputating the wrong limb because of a procedural mixup (just a "minor failure"). When this happens, do we hear hospital officials defending their procedures saying “These procedures have served us well for decades and hundreds of surgeries, so we see no need to change our procedure at all.”?
Even with a single catastrophic mistake, that is enough to motivate review and make changes in procedure to insure that such an unnecessary failure will not happen again. Now is precisely the time to recognize and correct this failure that occurred in Burlington in 2009 rather than sweeping it under the rug and hoping no one notices.
-
-
@jack-waugh said in Election security under IRV:
Based on Rob's argument, I'm envisioning that the precincts publish the data from the cast ballots over the Internet where anybody can get those data and replicate the tally.
The data for Hare RCV is too much for anyone simply "replicate the tally". You're missing the whole point of precinct summability and what it does for process transparency.
Again, imagine, just with FPTP, if the government passes a law that proscribes polling places from publishing the vote tallies of each candidate in the FPTP race. (Imagine they publish the data from each cast ballot on the internet, instead.) Now what are media organizations or the competing campaigns gonna do on election night to verify the results? Especially if results are not announced until four days after the election?
-
@rb-j said in Election security under IRV:
The data for Hare RCV is too much for anyone simply "replicate the tally".
Anyone with an Internet-connected computer can replicate it. I'm proposing that all the precincts do so as a matter of course. They would all be using the same software, and so should publish identical results unless something is seriously wrong.
(Imagine they publish the data from each cast ballot on the internet, instead.) Now what are media organizations or the competing campaigns gonna do on election night to verify the results?
They are going to run standard computer programs that suck the cast-ballot data across the Internet and do the tally.
-
@rb-j said in Election security under IRV:
Now what are media organizations or the competing campaigns gonna do on election night to verify the results? Especially if results are not announced until four days after the election?
import pandas as pd from usaelections import irv df = pd.read_csv("ballots_from_my_awesome_precinct.csv") projected_winner = "Boe Jiden" actual_winner = irv(df) if not actual_winner == projected_winner: call_the_FBI_immediately()
-
@rb-j said in Election security under IRV:
I don't recall ever writing or saying that I preferred FPTP to any RCV.
I can't claim to know your position on that, all I know is what I I've seen you write online.
And I think the net effect of what you've said, especially if lots of people took your words to heart, is simply to reduce the chance of there being any reform at all. You seem to have put far more words and energy into tearing down ranked-choice, versus advancing anything that actually has a chance of making an impact in our lifetimes.
That's just my observation. I believe I am in your camp on advocating for Condorcet methods. I just think we have different priorities and approaches. For instance, precinct summability, while a positive, is down near the bottom of my list of important things. In terms of getting things implemented, far more important is "has been extensively tested," and "there is existing legislation we can draw from" and "we can use existing voting machines and infrastructure" --- and RCV-Hare has that over any Condorcet method (as well as Score, Approval, etc). Not to mention a large organizations with some funding (Fairvote, Forward Party), public mindshare, etc.
I do think that bottom two runoff, which I learned about from you (thanks!) is potentially a way to "sneak" a better system in. It just seems so similar to RCV-Hare that the RCV people are likely to say "whatever, that's fine too."
But the key is to that is to build up RCV-BTR without spreading fear uncertainly and doubt about RCV-Hare.
-
-
@rb-j said in Election security under IRV:
The data for Hare RCV is too much for anyone simply "replicate the tally".
No it isn't. You can do it as simply as putting it into a Codepen and sharing it with the world, letting anyone fork it, make visualizations, etc.
Here is a visualization someone did based on ballot data from a Hare-RCV election. (it wasn't done in a CodePen, but that's something I am working on)
Even for a state-wide election, the actual ballot data can be pretty small, if you just compress it into a format like I've been using, which doesn't list duplicate ballots multiple times, it just says the number of ballots prior to each line.
I would expect precincts could deliver all their results that way in an email. (with official results delivered another way, of course)
e.g.:
a: Mark Leno b: London Breed c: Jane Kim d: Angela Alioto 203453: b>c>d>a 193234: b>d>c>a 123934: b>d>c
(and so on)
-
@jack-waugh said in Election security under IRV:
Anyone with an Internet-connected computer can replicate it.
Opaquely.
I'm proposing that all the precincts do so as a matter of course.
It's still opaque.
They would all be using the same software, and so should publish identical results unless something is seriously wrong.
Please be realistic. What can you expect media organizations and competing campaigns to do?
- Run opaque software on raw data and accept the winner that pops up.
or
- add N(N-1) tallies up (it's 20 tallies using Condorcet or 5 tallies using FPTP for five candidates) and see who beats who.
One of these processes is transparent. The other is not.
For election security that stands beyond suspicion, we want every step in the process to be transparent. Where ordinary people can see, understand, believe, and accept the results.
-
@jack-waugh said in Election security under IRV:
we can use existing voting machines and infrastructure"
I already addressed this for Score with small numbers of options (7, not 100).
You may be right. However, I saw this thread, where choco_pi says otherwise. Based on all the other stuff he has written, and the detail in his answer, I'm inclined to believe he knows what he is talking about.
https://www.reddit.com/r/EndFPTP/comments/w1r6f4/why_is_score_voting_controversial_in_this_sub/
But it's said that current machines can handle score voting. Do you have proof on your statement?
It's hard to respond to claims like this because they're just, super wrong. Like it's so disconnected with the facts on the ground it's difficult to know where to begin.
Voting systems are not just a single machine, but the entire chain of hardware, software, instructions, and protocols covering everything from ballot creation, vote casting, ballot scanning, adjucation, reporting, verification, and auditing. For federal and state elections, the entire system A-Z has to be certified according to law, including equipment testing at designated labs. This includes not just security, but a litany of accessibility concerns.
There are only 11 organizations even registered with the EAC as qualified to even submit a system for certification. (Of these, Vidaloop is just a startup seemingly focused on mobile voting, so it is really 10.)
3 of these, ES&S, Dominion, and Hart, make up over 92% of the US market. All have end-to-end RCV ballot support on their current generation machines. Unisyn and Avante do as well.
The software for Clear Ballot and various legacy systems by the aforementioned vendors (such as Sequoia, who I believe Dominion purchased) do not support ranked ballot tabulation directly, but export ballot-level results that can still be tabulated externally. To plug this gap, RCVRC has invested a lot of resources into supplying an open source version of this missing piece and getting it certified in multiple states. (So that one Clear Ballot machine in Sheboygan Country doesn't block the entire state of Wisconsin) Smartmatic and VotingWorks are probably in a similar boat, but it has not yet come up that such an implementation has needed certification. (VotingWorks is itself open-source, so already certified functionality could just be integrated directly anyhow.)
Conversely, 0 of these 11 vendors support scored ballots. Not the ballots, not the voting machine UI, not the tabulation, not the reporting, not the auditing; none of it. You could try do an externally tabulated workaround, but in this case I think you'd find the reality of that compromise to be unacceptably ugly, 10x worse than the RCVTab stopgap. (A ballot with a question asking which candidates you would like to score 0, a seperate question asking which candidates you would score 1, etc.)
Approval sneaks in because you can take frequently take a plurality systems and just turn off overvoting detection. You still have a lot of work to do--interface software has to support it, accessibility instructions have to still be valid, LEO instructions need to be updated--but this is a realistic, immediately achievable set of changes if state law allows it.
Warren Smith yelling that there is no reason vendors can't make voting machines that support score ballots is like yelling that there's no reason car manufacturers can't make cars that run on vegetable oil. I mean... sure. But, they don't, which is the topic at hand.
-
@rob said in Election security under IRV:
Warren Smith yelling that there is no reason vendors can't make voting machines that support score ballots is like yelling that there's no reason car manufacturers can't make cars that run on vegetable oil. I mean... sure. But, they don't, which is the topic at hand.
Zero vendors have software that does Condorcet. Doesn't mean that it can't be done, and if a state legislature adopts Condorcet, I am quite sure that Dominion will quickly do it to the state's specification. The Imagecast Precinct tabulator machines will have to have their firmware updated (so that pairwise defeat tallies are printed, which makes it precinct summable) and the Democracy Suite software will have another RCV Method added to the menu.
-
@rb-j said in Election security under IRV:
It's still opaque.
I'm being totally transparent with the work I am doing. It will allow anyone to replicate it. If they want to look at the code, they look at the code. If they want to change the code, they can change the code. If they want to re-fetch the ballot data from the source and paste it in, they can do that. If they want to copy the code and run it on their own website, they can do that.
It all runs on a Codepen that is trivial to fork and modify, and you don't need to download a thing because it is just Javascript running in a browser.
And the code isn't complicated at all. I'd certainly welcome anyone with coding chops to dive in and help it be better, cleaner, etc. My wheelhouse is graphics and interactivity, but just doing raw tabulation with text output is really, really easy.
I really don't see the problem here.
-
@rob said in Election security under IRV:
precinct summability, while a positive, is down near the bottom of my list of important things.
Well, I'm glad this guy bumps it up a little farther from the bottom.
In terms of getting things implemented, far more important is "has been extensively tested," and "there is existing legislation we can draw from" and "we can use existing voting machines and infrastructure"
Yeah, I hear that all the time and it's zero justification for violating majority rule (and one-person-one-vote), demonstrating the spoiler effect, punishing voters for voting sincerely, incentivizing tactical voting, and losing process transparency.
Also, remember this election? Can you imagine a large city or statewide RCV election in which Combined Write-In wins? With Hare, it's an awful mess. With precinct summability, it's far simpler and more secure.
"has been extensively tested,"
And the result of that "extensive testing" is that when the Condorcet winner is elected, people generally accept the results and the election is a success. When the "extensive testing" examines real-world elections in which the Condorcet winner exists and is not elected, only failure results.
Despite FairVote and VPIRG touting that Ranked-Choice Voting is “well tested”, the history shows that as long as the Hare RCV method elects the Condorcet winner, people generally accept the election outcome. But when Hare RCV does not elect the Condorcet winner, the election is considered a failure in every respect. Burlington 2009 demonstrates this perfectly as RCV was repealed the following year. A wide majority of the city did not see Bob Kiss as representing the majority of the city. We were not protected from the spoiler effect and a large portion of the city were punished simply for voting their hopes rather than their fears.