The following are questions and answers about the Election Integrity Protocol provided by its author in preparation for public expert testimony advocating for its legislation in the state of Colorado.
Q: Why do we need the Election Integrity Protocol?
- A: In some cases, we don’t. If a voting jurisdiction uses hand counts of paper ballots along with robust teller committees to implement their elections, they are good to go. They can increase public assurance by becoming EIP certified, but it is not entirely necessary if that jurisdiction is content with their election processes. In addition, hand counts can be augmented with VTNs and/or an optional EIP sidecar to securely transmit election results and also to double check vote counts.
However, in a large and growing number of situations where voter discontent is high, particularly in any area using mail-in ballots or only machine counting of votes, EIP is essential. The primary issue with these other voting scenarios is that human observation has been removed from the vote counting process.
Observation falls into two categories: verification and participation. If a voter can’t verify their ballot selections throughout the election, we aren’t really conducting elections. And if a jurisdiction employs a single company or entity to count all of the ballots, people are forced into a situation of trust, as opposed to consensus, which is the standard norm for elections. Real elections have multiple parties tallying the votes by consensus. Nobody "trusts" anyone or anything else. Trust is removed from the process, or more accurately it was never there to begin with.
And finally, EIP offers a capability not found in other election protocols, and that is the ability of the voter to actually see their own ballot after they vote and to monitor the election in real time. This presents an unprecedented level of transparency, which is the true hallmark of any valid election.
Q: There’s no evidence of election fraud. Where is yours?
- A: This question is backwards. In an election, the onus is not on the electorate to search for evidence of fraud, rather it is on the election provider to guarantee that fraud cannot occur merely as a prerequisite to even conducting an election.
Nobody here is making claims of election fraud, rather we are doing what any sentient human being would do in any election, and that is to ask you, the election provider, what assurances you have put in place to ensure vote anomalies cannot occur.
In other words, think of it like buying a car or any other service. It’s the duty of the election provider to give the voter confidence that their system is robust enough to use in an election. It’s not the job of the voter to prove otherwise.
There are many more, but here are eight questions that people have for any election service provider:
How is a voter assured that their vote is counted at all, let alone counted correctly?
Is a voter able to match the contents of their ballot with the scanned result?
How can a voter be assured that ballots are not counted multiple times?
How can a voter be assured that undervotes are not replaced with fraudulent votes?
How can a voter be assured that fraudulent or unauthorized ballots cannot be counted?
Since CVR records are placed in databases which can be updated multiple times at any time after a vote is first recorded, what assurances are there that data records have not been, or cannot be, altered or manipulated?
How can a voter be assured that dead people aren’t voting?
Are there plans to allow multiple parties to count the votes so that consensus among opposing parties can be reached rather than having to trust a single vendor?
If these questions cannot be answered adequately, or at all, we have a problem. Election protocols of the past were able to answer these questions with ease. The election systems we have in place in Colorado today cannot answer any of these questions. That’s why we’re here.
Q: Moving forward, how would you recommend going about ensuring election integrity?
- A: We would propose that the Election Integrity Protocol becomes a mandatory requirement for all election providers. That’s the intent of our legislative efforts.
The questions raised earlier (and many more) should have been provided to election system vendors as a part of the RFP.
Some misinformed advocates of the current system refer to Colorado election systems as “the gold standard”. One thing to notice about this claim is that many of the attributes they tout are about system security, audits, and the like.
But notice that the average voter doesn’t care much about any of that. What they really care about is the election results and the veracity of the process used to obtain those results. When those questions are asked, they are based on the time-tested process used by teller committees worldwide in the hand counting of paper ballots. If your “gold” standard has replaced human observation with machines, then you need to be able to answer the same questions people have of hand count systems.
Q: You refer to mail-in voting as “operating elections in a degraded mode”. You seem to be advocating for the elimination of that form of voting. Can you elaborate on that?
- A: While definitely convenient, mailing votes has no counterpart from the past - and so it’s natural that people would compare that in order to enhance their assurance of election transparency when machines are used to tally votes instead of people.
Mail-in voting presents a seemingly insurmountable issue when it comes to vote verification. What I mean here is that in an electronic context, the voter needs to be able to locate their ballot so that they can verify that their selections remain intact.
It turns out that with mail-in ballots and drop boxes, there’s simply no way to do that. Further research needs to be done in this area, but preliminary indications are that fully transparent mail-in voting cannot be accomplished while maintaining a separation of voter identity from their vote. You can still perform what looks like an election, but the voter is not able to verify their ballot selections.
That’s what we mean by “operating in a degraded mode” because if they vote in person, voters are able to verify their ballot selections. This is not possible using mail-in ballots without tying the voter’s identity to their vote, or by trusting a third party, who has the ability to do so, which violates EIP zero trust requirements.
So, if you trust “the man”, go ahead, and continue to vote by mail. You’ll still be able to see the unverifiable "results" of the "election", but if you want to see your actual vote in a real election, you will need to vote in person.
Q: You say that we are focusing on the wrong thing when we focus on machines. What do you mean by that?
- A: So, today a lot of time, effort, discussion, and money is put into attempting to make these machines robust and to lock them down. But after thinking about that for a while, it became evident that that’s really not the correct approach anyway!
In an election, what we really care about is the results. And the results are obtained in an extremely simple manner. Our task is merely to count votes in the election, which is something a fourth grader can do. It’s also something a calculator can do really well. In fact, manual hand counts involve calculators all the time - not only to come up with their totals, but also to double check their work. In very simple terms, a computer can be thought of as nothing but an extremely powerful calculator and in fact, that is really the only required use for them in an election. In practice, calculators don’t fail. Neither do computers in this respect. If all we’re doing is adding numbers, then we can rely 100% on computers to do that. The entire world operates that way now - it’s not a problem.
So, the issue isn’t really the counting of ballots, rather it’s in the manner in which we go about doing that when using machines. First of all, as mentioned earlier, there is no observation of that machine count. The machine is a black box that we aren’t allowed to look at nor to observe in any meaningful manner. It would seem that that’s the first thing that has to go, but in an odd sense, it’s not even required because… it doesn’t matter!
That’s because secondly, the tally is performed by a single company or vendor. That’s the second thing that has to go - we need multiple eyes on the tally process. We need to introduce truly objective observation into our elections. So how do you do that with a calculator? You don’t. Instead, you employ multiple calculators at the same time counting the same data from different people and compare those results. That’s what EIP uses distributed ledgers for.
Third, there is currently a complete lack of transparency when it comes to the tally results. It’s one thing to keep the voter’s identity a secret but it’s another to keep the election results a secret. The longer the time span between when a vote is cast and when it is made observable by multiple parties, the more time and incentive there is for nefarious behavior. If that time period is shortened to nanoseconds, an entire attack surface can be eliminated. The immediate dissemination of vote results to multiple parties participating in a distributed ledger solves this problem.
Getting into the weeds a bit, a distributed ledger resides on multiple machines where a copy of the election results sits on each machine and is updated as soon as each person’s vote is cast. All of these machines are nodes on a cooperative distributed ledger network. The idea here is that multiple participants in the community and jurisdictions affected by an election would participate in that election by standing up one of these nodes with their own computer acting as an independent calculator. This way multiple different parties can count the votes at the same time immediately. Eyes on.
To illustrate this, imagine you had the worst computer in the world that was full of bugs and broke down all the time. You live in the back country, and you are running Windows 3.1, but you want to participate in the election, so you stand up a server. Is this even practical? Well, assuming your drivers weren’t out of date, and you could connect to the network, all you would really need the computer to do is to add numbers - and so you would become a node and join the tokenized distributed ledger network.
At the end of the election, and all along the way however, your crappy little computer was able to add the numbers together correctly, and your totals matched those of every other node on the network. Guess what? Nobody cares or possibly even knows that you have a “bad” computer! But your results match those of really fast and “good” computers and so your node is now EIP compliant.
Of course, nobody is recommending that anyone operate in this manner, but the point here is that it’s a waste of time and money to insist that every node participant has the latest and greatest software and computers if all we are doing is adding numbers. The proper way to think of your vote is to think of it like a bank statement transaction - you compare your store receipt with the debit on the bank ledger (your bank statement). You don't concern yourself with how that transaction was recorded, which machines were used and if they were secure, etc. Instead you focus only on the results - the transactions either match or they don't. That’s what we mean when we focus on the results and not the machines.
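The "multiple calculators" comparison described in this answer, as an added Python example; it is not code from EIP or its author. The record layout, the node names and the rule that a repeated token invalidates a copy are assumptions made for illustration.

```python
from collections import Counter

# Constructed sample: (token, selection) records as every node would receive them.
RECORDS = [("a3f1", "Measure: Yes"), ("9c2e", "Measure: No"), ("77b0", "Measure: Yes"),
           ("e41d", "Measure: No"), ("0b6a", "Measure: Yes")]

def tally(records):
    """Count one vote per token; refuse a copy in which a token repeats."""
    seen, counts = set(), Counter()
    for token, selection in records:
        if token in seen:
            raise ValueError(f"token {token} recorded more than once")
        seen.add(token)
        counts[selection] += 1
    return dict(counts)

def group_by_result(node_records):
    """Tally each node's copy independently; map each distinct result to its nodes."""
    groups = {}
    for node, records in node_records.items():
        try:
            key = tuple(sorted(tally(records).items()))
        except ValueError:
            key = None  # this node's copy could not be tallied at all
        groups.setdefault(key, []).append(node)
    return groups

def consensus(node_records):
    """Return the tally if every node produced the same one, else None."""
    groups = group_by_result(node_records)
    if len(groups) == 1 and None not in groups:
        return dict(next(iter(groups)))
    return None

def demo():
    # Hypothetical node operators, each holding its own copy of the records.
    honest = {"county": list(RECORDS), "university": list(RECORDS), "party_x": list(RECORDS)}
    # One node's copy has a single selection changed.
    altered = dict(honest, party_x=[("9c2e", "Measure: Yes") if r[0] == "9c2e" else r
                                    for r in RECORDS])
    # One node's copy contains the same ballot twice.
    doubled = dict(honest, party_x=RECORDS + [RECORDS[0]])
    return consensus(honest), group_by_result(altered), consensus(doubled)
```

Agreement among nodes shows only that they counted the same records. Whether those records match what each voter cast is a separate check, which is the role the answer on terminology gives to the voter's token.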
Q: What sort of a fiscal impact do you expect should EIP legislation succeed?
- A: We expect to see a drastic decrease in the cost of running elections overall. First of all, the very concept of EIP is bringing communities from a lack of participation back into the election process by giving of their time as a civic duty, like they used to in the past. Just like today, there will likely be election providers that work for profit, but the costs of these will be drastically lowered with a truly open free market competitive procurement process rather than the closed or limited source RFP process in place today.
For example, suppose each county wanted to stand up their own distributed ledger node. Under EIP, there are no dramatic costs that need to be incurred other than the ability to properly connect to the network and get certified as an EIP compliant provider. This is accomplished primarily by implementing a simple API. So, each participating jurisdiction would be expected to provide their own implementation, along with whatever costs may or may not be associated with that.
Furthermore, there may be some providers who choose to provide such a node at little or no cost. For example, some organizations such as the military might be interested in standing up a server. Same goes for universities, high schools, political parties, and the like. All are welcome to participate at some level. Unlike the current mail-in ballot regime, EIP is all about promoting maximum transparency and participation in order to gain consensus and maximize observation across the electorate.
Q: You spoke of a “zero trust” requirement. What is that?
- A: One of the pillars of EIP is an insistence on using consensus instead of trust. Consensus requires cooperation, where trust requires none. The term “Zero Trust” means exactly what it says. There is simply no amount of trust at all.
This is similar to, but not quite the same thing as distrust. Let’s say you trust somebody. If you were to measure that, you would use a positive number. In contrast, if you don’t trust somebody, you might measure that using negative numbers. With zero trust, your trust is at a level of exactly 0. That means you don’t trust something or someone, but at the same time, you don’t necessarily distrust them. What it really means is that trust is not ever a consideration, and some measures are put in place taking that lack of trust into account. Believe it or not, the DoD has lots to say about zero trust, but we won’t go into that here.
Anytime you have questions about EIP, think of the process from which it is derived: a teller committee. If you’ve ever seen a medium size election, they show up with ballot boxes and they make sure they are empty before any vote counting starts. It’s not that they distrust anybody, rather it’s required that there is consensus among observers that the boxes are empty. The same philosophy moves forward when votes are sorted into categories, and when they are counted. It’s nothing personal, we just make sure there are multiple eyes on the process, expecting identical results. And so, a zero-trust election has no processes based on trust and all of them based on consensus. That is the definition of an election. Anything short of that is simply not an election.
Q: I am not comfortable with technology of any kind, and I don’t understand the terminology used. Can you help me?
- A: I sure hope so. First of all, we need to understand that a token is nothing but a randomly assigned number that separates your identity so that you can look up your vote without anybody knowing who you are. It’s nothing but a random number drawn from a hat used as a tracking number attached to your vote. Using that number, you can always locate your vote.
Next, a distributed ledger allows multiple people to count the data at the same time instead of just one Wizard of Oz company.
Finally, if you want to, you can use a Blockchain data structure to enhance the security of the distributed ledger. While it sounds complicated, this use of Blockchain has nothing to do with cryptocurrency. In programming terms, Blockchain is nothing but a data structure. Technically, it’s a linked list. To say you “don’t like Blockchain” is like saying you don’t like arrays, vectors, files, or databases. It doesn’t make any sense. I can show you how to build one, but it’s really not that important, and it’s completely optional.
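The token and the linked list from this answer, as an added Python example; it is not EIP's own code. The field names, the SHA-256 link and the 128-bit token length are assumptions. It also covers the earlier question about records updated after a vote is first recorded: an in-place edit breaks the chain, and an edit hidden by recomputing the links is caught only by comparing against another participant's copy.

```python
import copy
import hashlib
import json
import secrets

GENESIS = "0" * 64  # assumed placeholder "previous hash" for the first entry

def entry_hash(prev_hash, token, selection):
    """SHA-256 over the previous entry's hash plus this entry's contents."""
    body = json.dumps([prev_hash, token, selection]).encode()
    return hashlib.sha256(body).hexdigest()

def append_vote(chain, selection):
    """Record a selection under a fresh random token and return the token."""
    token = secrets.token_hex(16)  # random tracking number, no voter identity in it
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"prev": prev, "token": token, "selection": selection,
                  "hash": entry_hash(prev, token, selection)})
    return token

def lookup(chain, token):
    """What a voter does with their token: find their own recorded selection."""
    return next((e["selection"] for e in chain if e["token"] == token), None)

def first_broken_link(chain):
    """Index of the first entry that fails verification, or None if all verify."""
    prev = GENESIS
    for i, e in enumerate(chain):
        if e["prev"] != prev or e["hash"] != entry_hash(prev, e["token"], e["selection"]):
            return i
        prev = e["hash"]
    return None

def rehash_from(chain, start):
    """Recompute every link from `start` on, as anyone with write access could."""
    prev = chain[start - 1]["hash"] if start else GENESIS
    for e in chain[start:]:
        e["prev"], e["hash"] = prev, entry_hash(prev, e["token"], e["selection"])
        prev = e["hash"]

def demo():
    node_a = []
    tokens = [append_vote(node_a, s) for s in ("Yes", "No", "Yes", "Yes")]  # constructed votes
    node_b = copy.deepcopy(node_a)        # a second participant's replica

    node_a[1]["selection"] = "Yes"        # record edited in place after it was stored
    edited_at = first_broken_link(node_a)  # stored hash no longer matches the contents

    rehash_from(node_a, 1)                # links recomputed so the chain verifies again
    return {"edited_at": edited_at,
            "internally_ok": first_broken_link(node_a) is None,
            "heads_match": node_a[-1]["hash"] == node_b[-1]["hash"],
            "voter_sees": lookup(node_a, tokens[1]),
            "replica_says": lookup(node_b, tokens[1])}
```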
Q: What drove you to create this protocol?
- A: I’m a professional computer programmer and a software architect. I tend to think of the world in terms of modeling systems and so I began to look at election systems, but also because I earned a minor in political science decades ago. As a student in college, I learned that elections have a very long history of contention and attempted fraud. The results of many famous elections of the past are still in question to this day, so it’s important that we don’t delude ourselves into believing that elections are something that should be approached from a perspective of trust. We don’t have to impugn the behavior of anybody involved, it’s just the nature of elections.
Elections come out of contention because not everybody is going to agree how their lives should be governed. Therefore, incentive to commit fraud is to be expected - that’s just the nature of the beast. They’re also absolutely necessary and so they can’t be avoided in any democracy. It’s like taking out the trash. It’s a dirty job, but somebody has to do it. A healthier outlook is that as citizens, it’s our civic duty to perform elections as a community.
At the same time, I noticed people started asking a lot of questions that they didn’t use to ask about elections. It’s hard to avoid the headlines. And finally, it’s required by law, so there’s that. In any case, this piqued my curiosity and so I began to look into how election systems were performed in the past and how they’re run today in Colorado. What has changed - and why? Bottom line is it came down to the fact that in Colorado, the process has changed radically.
We used to have elections based on consensus from opposing parties that were conducted using paper ballots counted manually by teller committees. The teller committee plays the role of an observer. Now we vote by mail, largely, and the entire system is based on trust.
There is no observer.
Since there’s no such thing as an election based on trust, there’s some cognitive dissonance going on here.
This realization motivated me to look at ways to solve an obvious problem. At first, I couldn’t think of any because I work with software and machines every day, have for decades and I know all about them. I know that there’s almost nothing you can’t do with a computer. I also know that there’s almost no way you can confidently, consistently and perfectly secure any computer, particularly when you aren’t allowed to even examine it from a programmer’s perspective. And even if you could, it’s an extremely time-consuming, expensive, and ongoing process because the threat surface changes by the minute. In short, it’s a losing battle that must be continuously fought if you rely exclusively on machines.
My first thought was that we should avoid the machines as they exist today altogether because they aren’t solving the problem and they can’t if voters aren’t even allowed to inspect them adequately. So, I was an advocate for the hand count of paper ballots, and I still am. But a funny thing happened on the way to town and that was in thinking about this, I discovered a process whereby machine counting could be incorporated into a partially manual process that would actually work. This process is nothing new really, it’s based primarily on the teller committee process, which has already been used and time-tested all over the world and is still used today. I sculpted these two aspects together into a “people’s protocol” that can be followed in order to solve the problem of providing transparent and reliable elections anywhere in the world. That’s what EIP is.