It sounds so simple: To count ballots, just count the number of votes cast for each candidate. Whoever gets the most wins! In fact, ballot counting in a real election is far more complex than this, primarily because the job is divided up between multiple agents who are not all trustworthy, but also because the actual counting rules are complicated by such options as races where multiple winners may be declared or where voters are allowed to cast multiple votes or weighted votes.
This presentation focuses on the former issue, that of arriving at a trustworthy count in the presence of counters who are not necessarily worthy of trust in the context of an electoral system that is divided into many precincts and local election jurisdictions. At the end, we will examine modified counting rules for more complex elections with multiple winners or weighted votes.
This discussion does not depend, much, on whether the counting is being done by people using paper ballots, or by machine. The issue of un-trustworthy counters arises with either humans or software, and the issue of errors in vote reporting is no less significant with electronic vote reporting than it is with hand transcription of hand delivered written reports.
We assume an election that is carried out in many precincts. The ballot used in each precinct participating in an election may contain many races, and each race may span a different set of precincts. For example, a given precinct may, in one election, participate in races for municipal, county, congressional, state and national races. It is not necessary to assume that precincts are defined by physical geography and voter residence; in some contexts, such as union elections, the logical units corresponding to precincts may be workplaces.
We assume that the ballot used in each precinct is uniform; that is, all voters in each precinct are entitled to vote in exactly the same races. In practice, this may require that a single legal precinct be viewed as two or more precincts, for example, in a closed party primary, where each voter is allowed to participate in only one party's primary election. For another example, one precinct may include urban and rural residents, where only the urban residents are allowed to vote for municipal offices.
We assume that each precinct is operated under a local election authority, for example, a municipal or county government. These local election authorities, in turn, operate under regional election authorities, for example, state governments, which may, in turn, operate under even higher level authorities. We assume that this hierarchy of election authorities is a strict one, in the sense that each precinct operates under exactly one local authority, and each local authority operates under exactly one regional authority. We make no assumptions about the depth of the authority hierarchy.
We assume that the structure of the election hierarchy does not necessarily correspond to the district structure of the offices involved in the election. It may correspond, as is usually the case with county and state races, but other races may involve districts that span odd clusters of precincts, for example, congressional and state legislature districts frequently combine precincts from one county with precincts from another.
We cannot build an electoral system based on trust! Doing so puts the trusted party in a position of great temptation, and doing so turns the trusted office into a well defined target for those intent on corrupting the system. This applies equally to human and machine participants in the election process. If we trust the machines, we are, in fact, putting our trust in the people who build, program and maintain the machines, and there is no reason to beileve that these people are any more trustworthy than the people directly involved in the immediate conduct of the election.
Therefore, we aim to divide the responsibility for counting ballots in such a way that no single counter, acting independently, can make a change in the count without being detected. We will do this by assuring that the entire process of counting, tabulating, and transmitting the election results is redundant, and we add, additionally, the constraint that all intermediate results from various stages in the count are made public, so that independent observers can verify the count.
A vote is a deliberate indication, made by a voter on a ballot, of a preference for one of the candidates standing for office in a particular race. Our goal is to accurately count the votes for each candidate.
An undervote results when a voter casts a ballot without voting for any candidate in a particular race. Undervotes are extremely common, particularly in the more obscure races found at the end of a general election ballot.
An overvote results when a voter casts votes for multiple candidates in a race where only one vote is permitted. The classic lever voting machines of the early 20th century prevented overvotes using a system of cams linking the levers for each office. Modern direct recording electronic voting machines also prevent overvotes. All forms of paper ballots are subject to overvoting, including optical-mark-sense and punched card ballots, although some optical-mark-sense ballot boxes used in polling places will reject overvoted ballots, giving voters a chance to correct their overvotes.
For simple races, those in which voters may only vote for one candidate, it is always the case that the sum of the votes for each candidate plus the number of undervotes plus the number of overvotes will equal the number of ballots counted. We will use this redundancy as our primary tool to ensure that no single person, agency or software entity involved in the ballot count can falsify the result!
Because vote counting is performed incrementally, with results aggregated by precinct, by county, and by state, for example, we must include in our counting rules the possibility of error! At any level in the counting process, we must be able to determine which errors result from local activity and which were reported by lower levels in the hierarchy and are merely being aggregated at this level.
In addition, our count must ensure that all ballots have indeed been accounted for. Election workers have been known to leave ballot boxes locked in the trunks of their cars, not out of malice, but merely because it was late at night after a long hard day, and we wish to detect this. Therefore, we need to accumulate a count of all ballots issued to voters independently of the count of ballots found in the ballot box. Unfortunately, not all ballots issued end up in the ballot box, so we must distinguish between several alternative destinations:
A spoiled ballot is a ballot that must not be counted. Typically, this is because a voter has requested a replacement ballot from the election workers.
A challenged ballot is a ballot that may not be counted until the voters eligability has been established. If someone attempts to vote at a precinct where he or she is not listed as a valid voter, many jurisdictions allow the voter to cast a challenged ballot, which is then sealed in an envelope and the voter's case for being allowed to vote is documented. A challenge resolution board will determine, later, whether this ballot is to be counted.
We can now formulate the basic counting categories that must be reported at every level in the count, from the precinct up to the highest level election authority.
At some levels, ballots unaccounted for may include legitimate causes such as absentee or vote-by-mail ballots expected but not yet received; as these come in, or when they are counted, they will be added to the appropriate total. When the deadline for absentee ballots passes, all outstanding absentee ballots should be removed from the unaccounted for category and added to the count of rejected ballots.
As the process of dealing with challenged ballots proceeds, challenged ballots will be transferred either to the voted ballot category, if the challenge board deems the ballot to be legal, or to the rejected ballot category if the board deems the ballot to be illegal. This process may be quite slow, and in fact, it may still be unfinished at the time a winner is declared and the counting terminated.
In summing the reports from multiple reporting agencies at lower levels in the hierarchy, the sums should be computed separately for each category of ballots, and the totals should also satisfy the rule that the totals for the final four categories should sum to the total for the number of ballots distributed. When the deadline passes by which these ballots are required to be received, the not-yet received ballots may be classified as spoiled ballots
We apply a similar procedure to the votes for each race on the ballot
category f should be subdivided into
f1: votes for candidate 1
f2: votes for candidate 2
where f = f1 + f2 + f3 ...
In summing the reports from multiple reporting agencies at lower levels in the hierarchy, the sums should be computed separately for each category of vote in each race, and the totals should also satisfy the rule that the total votes plus undervotes plus overvotes should equal the total number of ballots voted.
We can now state the basic reporting rule:
The summations and checks suggested here are of significant value for error checking if performed as outlined, but they are no protection against fraud, because a determined crook working at any level in the election hierarchy can easily report any numbers at all to the next level up in the hierarchy. This is why we require full public disclosure at each level in the hierarchy.
At polling places, for example, the vote totals taken from the voting machine can be posted, including over and undervotes, along with the number of voters who had been allowed to cast ballots. Similar totals can be publically distributed at each vote counting center in the hierarchy.
Because all the data is made public, outsiders can replicate all accounting from the precinct level up. Typically, precinct totals for a county will be published as news in a local paper, and county totals for the state will be published as well, so a voter who has actually seen the precinct data can compare this with the published numbers, and both voters and reporters can easily note discrepancies from between the county totals reported locally and the state totals.
This provides significant protection, but in fact, we can gain even more! Whether ballots are accumulated in a traditional ballot box or using a voting machine, the number of ballots physically present or recorded by the machine should match the number expected by the election judges, as recorded in their poll books. The key here is that we have two independent sources of information: On the one hand, we have the counter on a machine or the count of ballots in a box, and on the other hand, we have the counts maintained by those who distributed ballots.
This leads to a general requirement:
For example, if the panel of election judges tracks ballots distributed, spoiled and challenged, they can compute and report the number of ballots that should be found in the ballot box before it is opened. The number actually found in the box will be independent of this and will be determined as the votes for that precinct are counted. Because this number is, itself, used to check the vote totals for any one race, we have achieved a degree of independent checking on the outcomes of all races in the election.
The degree of checking we have is sufficient to detect ballot box stuffing, lost ballots, or the simple addition of votes to the total for one candidate but it is not sufficient to detect careful juggling of totals, so that a gain by one subtotal is exactly balanced by a loss from another. This can be checked by an even stronger requirement:
Thus, the total number of ballots expected in the ballot box should not be known to those removing the ballots from the box until they have been counted, and in counting the votes for any one candidate, the counter for one candidate should not be aware of the number of votes cast for another candidate in the same race.
In hand counting votes, this suggests that those who evaluate each ballot to determine if it is a vote for one candidate, a vote for another, an overvote or an undervote should only classify the ballot, while the accumulation of counts in each category should be done by independent observers of the classification process. Alternatively, the ballot could be observed, in turn, by the counters for each category, and independently evaluated by the judges for that category.
In a computerized vote counting system, this suggests that a proof of independence for each counter is required; that is, a proof that the code used to accumulate one component of the total either has no access to the other components or, if it has access, that it will use the values of the other components. Secure computing environments developed since the late 1960's allow proof that a software component has no access to certain data on the computer, and in a carefully written program, it should be easy to verify which information is actually used in each part of the computation even if a secure environment is not being used.
Modern voting machines and electronic ballot boxes are able to electronically transmit their vote totals or ballot box contents to the next higher level in the election hierarchy. When such reports are done electronically, at least one component of the count should be passed through an alternate channel. This is typically quite easy to do with today's machines because the machines are generally unaware of the number of challenged ballots cast, the number of spoiled ballots, or the total number of ballots distributed to voters. As machines grow more sophisticated, including provisions for these auxiliary counts, the software audit required to enforce these independence provisions will grow correspondingly more complex!
When can a winner be declared? Here is one proposal:
The difficulty with this rule is that many voters deliberately cast undervotes. In many elections, this is, in fact, the responsible thing for a voter to do, for example, if the voter has no opinion, has not heard of the candidates, or considers them equally qualified for the office.
Overvotes may, on rare occasions, be an expression of a voter's mixed feelings about two candidates, but voting machines have been available for decades that prevent casting of an overvote, and many of today's precinct-count mark-sense ballot readers offer the option of rejecting overvoted ballots, in order to minimize the size of this category.
We cannot eliminate overvotes; whenever we allow voters to cast votes on paper ballots that are not immediately read in the voter's presence, we leave open the possibility of overvoting. Vote-by-mail absentee ballots will always allow this, as will all systems relying on centralized ballot counting or where ballot counting is deferred until the close of polls on election day.
Because a deliberate undervotes can represent responsible behavior on the part of a voter, we need to use election machinery where failures in the vote tabulators, whether they are human or machine, do not lead to undervotes! If we are assured that the only undervotes recorded represent deliberate voter intent, we can modify our criteria for reporting by redefining the uncertainty as follows:
What do we do if a winner cannot be declared? The rules already given automatically force recounting activity in response to failures in the arithmetic checks on the totals, and at some time, so long as the physical evidence of votes on which this counting rests has not been destroyed, the uncertainty due to errors must eventually reach zero.
If the uncertainty reaches zero and a winner still cannot be declared, we must examine the overvotes! Some of these may be genuine overvotes, votes that we must discard, but we have asked that failures in our vote counting procedures preferentially report overvotes and not undervotes, so there will be some number of overvotes that represent such failures. We must seek these out:
This ammounts to a criterion for automatically initiating a recount! Just as the challenged ballot resolution process reduces the count of challenged ballots, throwing each into either the rejected ballot category of the voted ballot category, so the overvote resolution process distinguishes between overvotes that were the result of machine misreading of ballots and those that were the result of deliberate overvotes. Of course, it is still possible that this recount will not disclose the winner of the race.
Of course, a tie vote is still possible, and it is possible that it will be impossible to account for all ballots because some have been destroyed, but no ballot counting rule can account for these circumstances. In such cases, coin tosses, legislative tie breaking or court battles are reasonable, and all such mechanisms are outside the domain of this discussion.
The rules outlined above require that the voting technology never count a deliberate undervote as a vote for one or the other candidate, and they require that errors, where they occur, be counted as overvotes. This absolute statement is, of course, an impossibility, but it provides a standard by which to evaluate voting technology!
Voting machines that prevent the casting of overvotes are clearly helpful, if they meet the requirements for independent accumulation of votes outlined here. Electronic ballots boxes, for example, those incorporating mark-sense readers, are similarly useful if they can be made to return overvoted ballots to the voter. It is unlikely that any technology will prevent overvotes on Absentee ballots sent in by mail, however, so we must be prepared to deal with these!
In the case of paper ballots, during a preliminary count, we must assure ourselves that any deliberate looking mark on the ballot in or near a voting position is counted as a vote. In the case of mark-sense ballot readers, this implies that the reader's sensing threshold should be set light enough that any mark significantly darker than the more common defects in the paper counts as a vote, and this means that some smudged erasures and hesitation marks will be counted as votes. Voters are never encouraged to erase their votes, and voters should know better than to hesitate with their pencils on the ballot, but this does happen.
The few dark defects in the ballot paper will tend to be randomly distributed over the ballot, so they will add to vote totals at random, and those voters who make hesitation marks tend to make them uniformly, so these will also be unlikely to bias the election outcome, or if they are counted as votes, they are likely to count as overvotes. Voters who vote and then erase rarely do so on races where they intend a deliberate undervote, so smudged erasures are likely to lead to overvotes. Therefore, hand examination of mark-sense ballots should be useful!
Punched card ballots, on the other hand, fail to meet the criteria outlined here. Handling of voted cards, and particularly, their tight stacking in a box of cards or in the hopper of a card reader, can force hanging chad back into a hole in the card. It is easy to verify experimentally that hanging chad forced back into the card may be impossible to distinguish from an unvoted punch position on the ballot. Therefore, a deliberately voted ballot may easily be read as an undervote. Furthermore, if a voter does make an accidental overvote, or if rough handling dislodges a piece of chad, leading to an overvote, visual inspection cannot easily distinguish between this and a deliberate overvote.
In the above sections, we have dealt only with one kind of election, that where many candidates run for a single office, where each voter is entitled to exactly one vote, and where the candidate receiving the most votes is the winner. There are other voting schemes! For example, voters may cast preferential votes, or voters may be allowed to vote for more than one candidate. When voters vote for multiple candidates, the vote may be divided among those candidates in several ways.