-
RLAs for 2-Seat STV Elections: Revisited
Authors:
Michelle Blom,
Peter J. Stuckey,
Vanessa Teague,
Damjan Vukcevic
Abstract:
Single Transferable Vote (STV) elections are a principled approach to electing multiple candidates in a single election. Each ballot has a starting value of 1, and a candidate is elected if they gather a total vote value more than a defined quota. Votes over the quota have their value reduced by a transfer value so as to remove the quota, and are passed to the next candidate on the ballot. Risk-li…
▽ More
Single Transferable Vote (STV) elections are a principled approach to electing multiple candidates in a single election. Each ballot has a starting value of 1, and a candidate is elected if they gather a total vote value more than a defined quota. Votes over the quota have their value reduced by a transfer value so as to remove the quota, and are passed to the next candidate on the ballot. Risk-limiting audits (RLAs) are a statistically sound approach to election auditing which guarantees that failure to detect an error in the result is bounded by a limit. A first approach to RLAs for 2-seat STV elections has been defined. In this paper we show how we can improve this approach by reasoning about lower bounds on transfer values, and how we can extend the approach to partially audit an election, if the method does not support a full audit.
△ Less
Submitted 6 February, 2024;
originally announced February 2024.
-
Risk-Limiting Audits for Condorcet Elections
Authors:
Michelle Blom,
Peter J. Stuckey,
Vanessa Teague,
Damjan Vukcevic
Abstract:
Elections where electors rank the candidates (or a subset of the candidates) in order of preference allow the collection of more information about the electors' intent. The most widely used election of this type is Instant-Runoff Voting (IRV), where candidates are eliminated one by one, until a single candidate holds the majority of the remaining ballots. Condorcet elections treat the election as…
▽ More
Elections where electors rank the candidates (or a subset of the candidates) in order of preference allow the collection of more information about the electors' intent. The most widely used election of this type is Instant-Runoff Voting (IRV), where candidates are eliminated one by one, until a single candidate holds the majority of the remaining ballots. Condorcet elections treat the election as a set of simultaneous decisions about each pair of candidates. The Condorcet winner is the candidate who beats all others in these pairwise contests. There are various proposals to determine a winner if no Condorcet winner exists. In this paper we show how we can efficiently audit Condorcet elections for a number of variations. We also compare the audit efficiency (how many ballots we expect to sample) of IRV and Condorcet elections.
△ Less
Submitted 19 April, 2023; v1 submitted 18 March, 2023;
originally announced March 2023.
-
Ballot-Polling Audits of Instant-Runoff Voting Elections with a Dirichlet-Tree Model
Authors:
Floyd Everest,
Michelle Blom,
Philip B. Stark,
Peter J. Stuckey,
Vanessa Teague,
Damjan Vukcevic
Abstract:
Instant-runoff voting (IRV) is used in several countries around the world. It requires voters to rank candidates in order of preference, and uses a counting algorithm that is more complex than systems such as first-past-the-post or scoring rules. An even more complex system, the single transferable vote (STV), is used when multiple candidates need to be elected. The complexity of these systems has…
▽ More
Instant-runoff voting (IRV) is used in several countries around the world. It requires voters to rank candidates in order of preference, and uses a counting algorithm that is more complex than systems such as first-past-the-post or scoring rules. An even more complex system, the single transferable vote (STV), is used when multiple candidates need to be elected. The complexity of these systems has made it difficult to audit the election outcomes. There is currently no known risk-limiting audit (RLA) method for STV, other than a full manual count of the ballots.
A new approach to auditing these systems was recently proposed, based on a Dirichlet-tree model. We present a detailed analysis of this approach for ballot-polling Bayesian audits of IRV elections. We compared several choices for the prior distribution, including some approaches using a Bayesian bootstrap (equivalent to an improper prior). Our findings include that the bootstrap-based approaches can be adapted to perform similarly to a full Bayesian model in practice, and that an overly informative prior can give counter-intuitive results. Via carefully chosen examples, we show why creating an RLA with this model is challenging, but we also suggest ways to overcome this.
As well as providing a practical and computationally feasible implementation of a Bayesian IRV audit, our work is important in laying the foundation for an RLA for STV elections.
△ Less
Submitted 23 February, 2023; v1 submitted 8 September, 2022;
originally announced September 2022.
-
Auditing Ranked Voting Elections with Dirichlet-Tree Models: First Steps
Authors:
Floyd Everest,
Michelle Blom,
Philip B. Stark,
Peter J. Stuckey,
Vanessa Teague,
Damjan Vukcevic
Abstract:
Ranked voting systems, such as instant-runoff voting (IRV) and single transferable vote (STV), are used in many places around the world. They are more complex than plurality and scoring rules, presenting a challenge for auditing their outcomes: there is no known risk-limiting audit (RLA) method for STV other than a full hand count.
We present a new approach to auditing ranked systems that uses a…
▽ More
Ranked voting systems, such as instant-runoff voting (IRV) and single transferable vote (STV), are used in many places around the world. They are more complex than plurality and scoring rules, presenting a challenge for auditing their outcomes: there is no known risk-limiting audit (RLA) method for STV other than a full hand count.
We present a new approach to auditing ranked systems that uses a statistical model, a Dirichlet-tree, that can cope with high-dimensional parameters in a computationally efficient manner. We demonstrate this approach with a ballot-polling Bayesian audit for IRV elections. Although the technique is not known to be risk-limiting, we suggest some strategies that might allow it to be calibrated to limit risk.
△ Less
Submitted 8 September, 2022; v1 submitted 29 June, 2022;
originally announced June 2022.
-
Assessing the accuracy of the Australian Senate count: Key steps for a rigorous and transparent audit
Authors:
Michelle Blom,
Philip B. Stark,
Peter J. Stuckey,
Vanessa Teague,
Damjan Vukcevic
Abstract:
This paper explains the main principles and some of the technical details for auditing the scanning and digitisation of the Australian Senate ballot papers. We give a short summary of the motivation for auditing paper ballots, explain the necessary supporting steps for a rigorous and transparent audit, and suggest some statistical methods that would be appropriate for the Australian Senate.
22 J…
▽ More
This paper explains the main principles and some of the technical details for auditing the scanning and digitisation of the Australian Senate ballot papers. We give a short summary of the motivation for auditing paper ballots, explain the necessary supporting steps for a rigorous and transparent audit, and suggest some statistical methods that would be appropriate for the Australian Senate.
22 June 2022 Update: The update includes analysis of Senate preference data from the 2022 Australian election.
△ Less
Submitted 22 June, 2022; v1 submitted 29 May, 2022;
originally announced May 2022.
-
A First Approach to Risk-Limiting Audits for Single Transferable Vote Elections
Authors:
Michelle Blom,
Peter J. Stuckey,
Vanessa Teague,
Damjan Vukcevic
Abstract:
Risk-limiting audits (RLAs) are an increasingly important method for checking that the reported outcome of an election is, in fact, correct. Indeed, their use is increasingly being legislated. While effective methods for RLAs have been developed for many forms of election -- for example: first-past-the-post, instant-runoff voting, and D'Hondt elections -- auditing methods for single transferable v…
▽ More
Risk-limiting audits (RLAs) are an increasingly important method for checking that the reported outcome of an election is, in fact, correct. Indeed, their use is increasingly being legislated. While effective methods for RLAs have been developed for many forms of election -- for example: first-past-the-post, instant-runoff voting, and D'Hondt elections -- auditing methods for single transferable vote (STV) elections have yet to be developed. STV elections are notoriously hard to reason about since there is a complex interaction of votes that change their value throughout the process. In this paper we present the first approach to risk-limiting audits for STV elections, restricted to the case of 2-seat STV elections.
△ Less
Submitted 18 December, 2021;
originally announced December 2021.
-
Towards Verifiable Remote Voting with Paper Assurance
Authors:
Eleanor McMurtry,
Xavier Boyen,
Chris Culnane,
Kristian Gjøsteen,
Thomas Haines,
Vanessa Teague
Abstract:
We propose a protocol for verifiable remote voting with paper assurance. It is intended to augment existing postal voting procedures, allowing a ballot to be electronically constructed, printed on paper, then returned in the post. It allows each voter to verify that their vote has been correctly cast, recorded and tallied by the Electoral Commission. The system is not end-to-end verifiable, but do…
▽ More
We propose a protocol for verifiable remote voting with paper assurance. It is intended to augment existing postal voting procedures, allowing a ballot to be electronically constructed, printed on paper, then returned in the post. It allows each voter to verify that their vote has been correctly cast, recorded and tallied by the Electoral Commission. The system is not end-to-end verifiable, but does allow voters to detect manipulation by an adversary who controls either the voting device, or (the postal service and electoral commission) but not both. The protocol is not receipt-free, but if the client honestly follows the protocol (including possibly remembering everything), they cannot subsequently prove how they voted. Our proposal is the first to combine plain paper assurance with cryptographic verification in a (passively) receipt-free manner.
△ Less
Submitted 9 November, 2021; v1 submitted 7 November, 2021;
originally announced November 2021.
-
Bugs in our Pockets: The Risks of Client-Side Scanning
Authors:
Hal Abelson,
Ross Anderson,
Steven M. Bellovin,
Josh Benaloh,
Matt Blaze,
Jon Callas,
Whitfield Diffie,
Susan Landau,
Peter G. Neumann,
Ronald L. Rivest,
Jeffrey I. Schiller,
Bruce Schneier,
Vanessa Teague,
Carmela Troncoso
Abstract:
Our increasing reliance on digital technology for personal, economic, and government affairs has made it essential to secure the communications and devices of private citizens, businesses, and governments. This has led to pervasive use of cryptography across society. Despite its evident advantages, law enforcement and national security agencies have argued that the spread of cryptography has hinde…
▽ More
Our increasing reliance on digital technology for personal, economic, and government affairs has made it essential to secure the communications and devices of private citizens, businesses, and governments. This has led to pervasive use of cryptography across society. Despite its evident advantages, law enforcement and national security agencies have argued that the spread of cryptography has hindered access to evidence and intelligence. Some in industry and government now advocate a new technology to access targeted data: client-side scanning (CSS). Instead of weakening encryption or providing law enforcement with backdoor keys to decrypt communications, CSS would enable on-device analysis of data in the clear. If targeted information were detected, its existence and, potentially, its source, would be revealed to the agencies; otherwise, little or no information would leave the client device. Its proponents claim that CSS is a solution to the encryption versus public safety debate: it offers privacy -- in the sense of unimpeded end-to-end encryption -- and the ability to successfully investigate serious crime. In this report, we argue that CSS neither guarantees efficacious crime prevention nor prevents surveillance. Indeed, the effect is the opposite. CSS by its nature creates serious security and privacy risks for all society while the assistance it can provide for law enforcement is at best problematic. There are multiple ways in which client-side scanning can fail, can be evaded, and can be abused.
△ Less
Submitted 14 October, 2021;
originally announced October 2021.
-
Assertion-Based Approaches to Auditing Complex Elections, with Application to Party-List Proportional Elections
Authors:
Michelle Blom,
Jurlind Budurushi,
Ronald L. Rivest,
Philip B. Stark,
Peter J. Stuckey,
Vanessa Teague,
Damjan Vukcevic
Abstract:
Risk-limiting audits (RLAs), an ingredient in evidence-based elections, are increasingly common. They are a rigorous statistical means of ensuring that electoral results are correct, usually without having to perform an expensive full recount -- at the cost of some controlled probability of error. A recently developed approach for conducting RLAs, SHANGRLA, provides a flexible framework that can e…
▽ More
Risk-limiting audits (RLAs), an ingredient in evidence-based elections, are increasingly common. They are a rigorous statistical means of ensuring that electoral results are correct, usually without having to perform an expensive full recount -- at the cost of some controlled probability of error. A recently developed approach for conducting RLAs, SHANGRLA, provides a flexible framework that can encompass a wide variety of social choice functions and audit strategies. Its flexibility comes from reducing sufficient conditions for outcomes to be correct to canonical `assertions' that have a simple mathematical form.
Assertions have been developed for auditing various social choice functions including plurality, multi-winner plurality, super-majority, Hamiltonian methods, and instant runoff voting. However, there is no systematic approach to building assertions. Here, we show that assertions with linear dependence on transformations of the votes can easily be transformed to canonical form for SHANGRLA. We illustrate the approach by constructing assertions for party-list elections such as Hamiltonian free list elections and elections using the D'Hondt method, expanding the set of social choice functions to which SHANGRLA applies directly.
△ Less
Submitted 2 October, 2021; v1 submitted 25 July, 2021;
originally announced July 2021.
-
Auditing Hamiltonian Elections
Authors:
Michelle Blom,
Philip B. Stark,
Peter J. Stuckey,
Vanessa Teague,
Damjan Vukcevic
Abstract:
Presidential primaries are a critical part of the United States Presidential electoral process, since they are used to select the candidates in the Presidential election. While methods differ by state and party, many primaries involve proportional delegate allocation using the so-called Hamilton method. In this paper we show how to conduct risk-limiting audits for delegate allocation elections usi…
▽ More
Presidential primaries are a critical part of the United States Presidential electoral process, since they are used to select the candidates in the Presidential election. While methods differ by state and party, many primaries involve proportional delegate allocation using the so-called Hamilton method. In this paper we show how to conduct risk-limiting audits for delegate allocation elections using variants of the Hamilton method where the viability of candidates is determined either by a plurality vote or using instant runoff voting. Experiments on real-world elections show that we can audit primary elections to high confidence (small risk limits) usually at low cost.
△ Less
Submitted 29 June, 2021; v1 submitted 16 February, 2021;
originally announced February 2021.
-
A Unified Evaluation of Two-Candidate Ballot-Polling Election Auditing Methods
Authors:
Zhuoqun Huang,
Ronald L. Rivest,
Philip B. Stark,
Vanessa Teague,
Damjan Vukcevic
Abstract:
Counting votes is complex and error-prone. Several statistical methods have been developed to assess election accuracy by manually inspecting randomly selected physical ballots. Two 'principled' methods are risk-limiting audits (RLAs) and Bayesian audits (BAs). RLAs use frequentist statistical inference while BAs are based on Bayesian inference. Until recently, the two have been thought of as fund…
▽ More
Counting votes is complex and error-prone. Several statistical methods have been developed to assess election accuracy by manually inspecting randomly selected physical ballots. Two 'principled' methods are risk-limiting audits (RLAs) and Bayesian audits (BAs). RLAs use frequentist statistical inference while BAs are based on Bayesian inference. Until recently, the two have been thought of as fundamentally different.
We present results that unify and shed light upon 'ballot-polling' RLAs and BAs (which only require the ability to sample uniformly at random from all cast ballot cards) for two-candidate plurality contests, which are building blocks for auditing more complex social choice functions, including some preferential voting systems. We highlight the connections between the methods and explore their performance.
First, building on a previous demonstration of the mathematical equivalence of classical and Bayesian approaches, we show that BAs, suitably calibrated, are risk-limiting. Second, we compare the efficiency of the methods across a wide range of contest sizes and margins, focusing on the distribution of sample sizes required to attain a given risk limit. Third, we outline several ways to improve performance and show how the mathematical equivalence explains the improvements.
△ Less
Submitted 12 May, 2021; v1 submitted 19 August, 2020;
originally announced August 2020.
-
Random errors are not necessarily politically neutral
Authors:
Michelle Blom,
Andrew Conway,
Peter J. Stuckey,
Vanessa Teague,
Damjan Vukcevic
Abstract:
Errors are inevitable in the implementation of any complex process. Here we examine the effect of random errors on Single Transferable Vote (STV) elections, a common approach to deciding multi-seat elections. It is usually expected that random errors should have nearly equal effects on all candidates, and thus be fair. We find to the contrary that random errors can introduce systematic bias into e…
▽ More
Errors are inevitable in the implementation of any complex process. Here we examine the effect of random errors on Single Transferable Vote (STV) elections, a common approach to deciding multi-seat elections. It is usually expected that random errors should have nearly equal effects on all candidates, and thus be fair. We find to the contrary that random errors can introduce systematic bias into election results. This is because, even if the errors are random, votes for different candidates occur in different patterns that are affected differently by random errors. In the STV context, the most important effect of random errors is to invalidate the ballot. This removes far more votes for those candidates whose supporters tend to list a lot of preferences, because their ballots are much more likely to be invalidated by random error. Different validity rules for different voting styles mean that errors are much more likely to penalise some types of votes than others. For close elections this systematic bias can change the result of the election.
△ Less
Submitted 28 September, 2020; v1 submitted 1 July, 2020;
originally announced July 2020.
-
Assessing Centrality Without Knowing Connections
Authors:
Leyla Roohi,
Benjamin I. P. Rubinstein,
Vanessa Teague
Abstract:
We consider the privacy-preserving computation of node influence in distributed social networks, as measured by egocentric betweenness centrality (EBC). Motivated by modern communication networks spanning multiple providers, we show for the first time how multiple mutually-distrusting parties can successfully compute node EBC while revealing only differentially-private information about their inte…
▽ More
We consider the privacy-preserving computation of node influence in distributed social networks, as measured by egocentric betweenness centrality (EBC). Motivated by modern communication networks spanning multiple providers, we show for the first time how multiple mutually-distrusting parties can successfully compute node EBC while revealing only differentially-private information about their internal network connections. A theoretical utility analysis upper bounds a primary source of private EBC error---private release of ego networks---with high probability. Empirical results demonstrate practical applicability with a low 1.07 relative error achievable at strong privacy budget $ε=0.1$ on a Facebook graph, and insignificant performance degradation as the number of network provider parties grows.
△ Less
Submitted 28 May, 2020;
originally announced May 2020.
-
You can do RLAs for IRV
Authors:
Michelle Blom,
Andrew Conway,
Dan King,
Laurent Sandrolini,
Philip B. Stark,
Peter J. Stuckey,
Vanessa Teague
Abstract:
The City and County of San Francisco, CA, has used Instant Runoff Voting (IRV) for some elections since 2004. This report describes the first ever process pilot of Risk Limiting Audits for IRV, for the San Francisco District Attorney's race in November, 2019. We found that the vote-by-mail outcome could be efficiently audited to well under the 0.05 risk limit given a sample of only 200 ballots. Al…
▽ More
The City and County of San Francisco, CA, has used Instant Runoff Voting (IRV) for some elections since 2004. This report describes the first ever process pilot of Risk Limiting Audits for IRV, for the San Francisco District Attorney's race in November, 2019. We found that the vote-by-mail outcome could be efficiently audited to well under the 0.05 risk limit given a sample of only 200 ballots. All the software we developed for the pilot is open source.
△ Less
Submitted 1 April, 2020;
originally announced April 2020.
-
Stop the Open Data Bus, We Want to Get Off
Authors:
Dr. Chris Culnane,
A/Prof. Benjamin I. P. Rubinstein,
A/Prof. Vanessa Teague
Abstract:
The subject of this report is the re-identification of individuals in the Myki public transport dataset released as part of the Melbourne Datathon 2018. We demonstrate the ease with which we were able to re-identify ourselves, our co-travellers, and complete strangers; our analysis raises concerns about the nature and granularity of the data released, in particular the ability to identify vulnerab…
▽ More
The subject of this report is the re-identification of individuals in the Myki public transport dataset released as part of the Melbourne Datathon 2018. We demonstrate the ease with which we were able to re-identify ourselves, our co-travellers, and complete strangers; our analysis raises concerns about the nature and granularity of the data released, in particular the ability to identify vulnerable or sensitive groups.
△ Less
Submitted 14 August, 2019;
originally announced August 2019.
-
RAIRE: Risk-Limiting Audits for IRV Elections
Authors:
Michelle Blom,
Peter J. Stuckey,
Vanessa Teague
Abstract:
Risk-limiting post election audits guarantee a high probability of correcting incorrect election results, independent of why the result was incorrect. Ballot-polling audits select ballots at random and interpret those ballots as evidence for and against the reported result, continuing this process until either they support the recorded result, or they fall back to a full manual recount. For electi…
▽ More
Risk-limiting post election audits guarantee a high probability of correcting incorrect election results, independent of why the result was incorrect. Ballot-polling audits select ballots at random and interpret those ballots as evidence for and against the reported result, continuing this process until either they support the recorded result, or they fall back to a full manual recount. For elections with digitised scanning and counting of ballots, a comparison audit compares randomly selected digital ballots with their paper versions. Discrepancies are referred to as errors, and are used to build evidence against or in support of the recorded result. Risk-limiting audits for first-past-the-post elections are well understood, and used in some US elections. We define a number of approaches to ballot-polling and comparison risk-limiting audits for Instant Runoff Voting (IRV) elections. We show that for almost all real elections we found, we can perform a risk-limiting audit by looking at only a small fraction of the total ballots (assuming no errors were made in the tallying and distribution of votes).
△ Less
Submitted 29 October, 2019; v1 submitted 20 March, 2019;
originally announced March 2019.
-
Differentially-Private Two-Party Egocentric Betweenness Centrality
Authors:
Leyla Roohi,
Benjamin I. P. Rubinstein,
Vanessa Teague
Abstract:
We describe a novel protocol for computing the egocentric betweenness centrality of a node when relevant edge information is spread between two mutually distrusting parties such as two telecommunications providers. While each node belongs to one network or the other, its ego network might include edges unknown to its network provider. We develop a protocol of differentially-private mechanisms to h…
▽ More
We describe a novel protocol for computing the egocentric betweenness centrality of a node when relevant edge information is spread between two mutually distrusting parties such as two telecommunications providers. While each node belongs to one network or the other, its ego network might include edges unknown to its network provider. We develop a protocol of differentially-private mechanisms to hide each network's internal edge structure from the other; and contribute a new two-stage stratified sampler for exponential improvement to time and space efficiency. Empirical results on several open graph data sets demonstrate practical relative error rates while delivering strong privacy guarantees, such as 16% error on a Facebook data set.
△ Less
Submitted 16 January, 2019;
originally announced January 2019.
-
Auditing Indian Elections
Authors:
Vishal Mohanty,
Nicholas Akinyokun,
Andrew Conway,
Chris Culnane,
Philip B. Stark,
Vanessa Teague
Abstract:
Indian Electronic Voting Machines (EVMs) will be fitted with printers that produce Voter-Verifiable Paper Audit Trails (VVPATs) in time for the 2019 general election. VVPATs provide evidence that each vote was recorded as the voter intended, without having to trust the perfection or security of the EVMs.
However, confidence in election results requires more: VVPATs must be preserved inviolate an…
▽ More
Indian Electronic Voting Machines (EVMs) will be fitted with printers that produce Voter-Verifiable Paper Audit Trails (VVPATs) in time for the 2019 general election. VVPATs provide evidence that each vote was recorded as the voter intended, without having to trust the perfection or security of the EVMs.
However, confidence in election results requires more: VVPATs must be preserved inviolate and then actually used to check the reported election result in a trustworthy way that the public can verify. A full manual tally from the VVPATs could be prohibitively expensive and time-consuming; moreover, it is difficult for the public to determine whether a full hand count was conducted accurately. We show how Risk-Limiting Audits (RLAs) could provide high confidence in Indian election results. Compared to full hand recounts, RLAs typically require manually inspecting far fewer VVPATs when the outcome is correct, and are much easier for the electorate to observe in adequate detail to determine whether the result is trustworthy.
△ Less
Submitted 25 January, 2019; v1 submitted 10 January, 2019;
originally announced January 2019.
-
Options for encoding names for data linking at the Australian Bureau of Statistics
Authors:
Chris Culnane,
Benjamin I. P. Rubinstein,
Vanessa Teague
Abstract:
Publicly, ABS has said it would use a cryptographic hash function to convert names collected in the 2016 Census of Population and Housing into an unrecognisable value in a way that is not reversible. In 2016, the ABS engaged the University of Melbourne to provide expert advice on cryptographic hash functions to meet this objective.
For complex unit-record level data, including Census data, auxil…
▽ More
Publicly, ABS has said it would use a cryptographic hash function to convert names collected in the 2016 Census of Population and Housing into an unrecognisable value in a way that is not reversible. In 2016, the ABS engaged the University of Melbourne to provide expert advice on cryptographic hash functions to meet this objective.
For complex unit-record level data, including Census data, auxiliary data can be often be used to link individual records, even without names. This is the basis of ABS's existing bronze linking. This means that records can probably be re-identified without the encoded name anyway. Protection against re-identification depends on good processes within ABS.
The undertaking on the encoding of names should therefore be considered in the full context of auxiliary data and ABS processes. There are several reasonable interpretations:
1. That the encoding cannot be reversed except with a secret key held by ABS. This is the property achieved by encryption (Option 1), if properly implemented;
2. That the encoding, taken alone without auxiliary data, cannot be reversed to a single value. This is the property achieved by lossy encoding (Option 2), if properly implemented;
3. That the encoding doesn't make re-identification easier, or increase the number of records that can be re-identified, except with a secret key held by ABS. This is the property achieved by HMAC-based linkage key derivation using subsets of attributes (Option 3), if properly implemented.
We explain and compare the privacy and accuracy guarantees of five possible approaches. Options 4 and 5 investigate more sophisticated options for future data linking. We also explain how some commonly-advocated techniques can be reversed, and hence should not be used.
△ Less
Submitted 22 February, 2018;
originally announced February 2018.
-
Health Data in an Open World
Authors:
Chris Culnane,
Benjamin I. P. Rubinstein,
Vanessa Teague
Abstract:
With the aim of informing sound policy about data sharing and privacy, we describe successful re-identification of patients in an Australian de-identified open health dataset. As in prior studies of similar datasets, a few mundane facts often suffice to isolate an individual. Some people can be identified by name based on publicly available information. Decreasing the precision of the unit-record…
▽ More
With the aim of informing sound policy about data sharing and privacy, we describe successful re-identification of patients in an Australian de-identified open health dataset. As in prior studies of similar datasets, a few mundane facts often suffice to isolate an individual. Some people can be identified by name based on publicly available information. Decreasing the precision of the unit-record level data, or perturbing it statistically, makes re-identification gradually harder at a substantial cost to utility. We also examine the value of related datasets in improving the accuracy and confidence of re-identification. Our re-identifications were performed on a 10% sample dataset, but a related open Australian dataset allows us to infer with high confidence that some individuals in the sample have been correctly re-identified. Finally, we examine the combination of the open datasets with some commercial datasets that are known to exist but are not in our possession. We show that they would further increase the ease of re-identification.
△ Less
Submitted 15 December, 2017;
originally announced December 2017.
-
Vulnerabilities in the use of similarity tables in combination with pseudonymisation to preserve data privacy in the UK Office for National Statistics' Privacy-Preserving Record Linkage
Authors:
Chris Culnane,
Benjamin I. P. Rubinstein,
Vanessa Teague
Abstract:
In the course of a survey of privacy-preserving record linkage, we reviewed the approach taken by the UK Office for National Statistics (ONS) as described in their series of reports "Beyond 2011". Our review identifies a number of matters of concern. Some of the issues discovered are sufficiently severe to present a risk to privacy.
In the course of a survey of privacy-preserving record linkage, we reviewed the approach taken by the UK Office for National Statistics (ONS) as described in their series of reports "Beyond 2011". Our review identifies a number of matters of concern. Some of the issues discovered are sufficiently severe to present a risk to privacy.
△ Less
Submitted 3 December, 2017;
originally announced December 2017.
-
Trust Implications of DDoS Protection in Online Elections
Authors:
Chris Culnane,
Mark Eldridge,
Aleksander Essex,
Vanessa Teague
Abstract:
Online elections make a natural target for distributed denial of service attacks. Election agencies wary of disruptions to voting may procure DDoS protection services from a cloud provider. However, current DDoS detection and mitigation methods come at the cost of significantly increased trust in the cloud provider. In this paper we examine the security implications of denial-of-service prevention…
▽ More
Online elections make a natural target for distributed denial of service attacks. Election agencies wary of disruptions to voting may procure DDoS protection services from a cloud provider. However, current DDoS detection and mitigation methods come at the cost of significantly increased trust in the cloud provider. In this paper we examine the security implications of denial-of-service prevention in the context of the 2017 state election in Western Australia, revealing a complex interaction between actors and infrastructure extending far beyond its borders.
Based on the publicly observable properties of this deployment, we outline several attack scenarios including one that could allow a nation state to acquire the credentials necessary to man-in-the-middle a foreign election in the context of an unrelated domestic law enforcement or national security operation, and we argue that a fundamental tension currently exists between trust and availability in online elections.
△ Less
Submitted 3 August, 2017;
originally announced August 2017.
-
Computing the Margin of Victory in Preferential Parliamentary Elections
Authors:
Michelle Blom,
Peter J. Stuckey,
Vanessa Teague
Abstract:
We show how to use automated computation of election margins to assess the number of votes that would need to change in order to alter a parliamentary outcome for single-member preferential electorates. In the context of increasing automation of Australian electoral processes, and accusations of deliberate interference in elections in Europe and the USA, this work forms the basis of a rigorous sta…
▽ More
We show how to use automated computation of election margins to assess the number of votes that would need to change in order to alter a parliamentary outcome for single-member preferential electorates. In the context of increasing automation of Australian electoral processes, and accusations of deliberate interference in elections in Europe and the USA, this work forms the basis of a rigorous statistical audit of the parliamentary election outcome. Our example is the New South Wales Legislative Council election of 2015, but the same process could be used for any similar parliament for which data was available, such as the Australian House of Representatives given the proposed automatic scanning of ballots.
△ Less
Submitted 31 July, 2017;
originally announced August 2017.
-
Public Evidence from Secret Ballots
Authors:
Matthew Bernhard,
Josh Benaloh,
J. Alex Halderman,
Ronald L. Rivest,
Peter Y. A. Ryan,
Philip B. Stark,
Vanessa Teague,
Poorvi L. Vora,
Dan S. Wallach
Abstract:
Elections seem simple---aren't they just counting? But they have a unique, challenging combination of security and privacy requirements. The stakes are high; the context is adversarial; the electorate needs to be convinced that the results are correct; and the secrecy of the ballot must be ensured. And they have practical constraints: time is of the essence, and voting systems need to be affordabl…
▽ More
Elections seem simple---aren't they just counting? But they have a unique, challenging combination of security and privacy requirements. The stakes are high; the context is adversarial; the electorate needs to be convinced that the results are correct; and the secrecy of the ballot must be ensured. And they have practical constraints: time is of the essence, and voting systems need to be affordable and maintainable, and usable by voters, election officials, and pollworkers. It is thus not surprising that voting is a rich research area spanning theory, applied cryptography, practical systems analysis, usable security, and statistics. Election integrity involves two key concepts: convincing evidence that outcomes are correct and privacy, which amounts to convincing assurance that there is no evidence about how any given person voted. These are obviously in tension. We examine how current systems walk this tightrope.
△ Less
Submitted 4 August, 2017; v1 submitted 26 July, 2017;
originally announced July 2017.
-
Privacy Assessment of De-identified Opal Data: A report for Transport for NSW
Authors:
Chris Culnane,
Benjamin I. P. Rubinstein,
Vanessa Teague
Abstract:
We consider the privacy implications of public release of a de-identified dataset of Opal card transactions. The data was recently published at https://opendata.transport.nsw.gov.au/dataset/opal-tap-on-and-tap-off. It consists of tap-on and tap-off counts for NSW's four modes of public transport, collected over two separate week-long periods. The data has been further treated to improve privacy by…
▽ More
We consider the privacy implications of public release of a de-identified dataset of Opal card transactions. The data was recently published at https://opendata.transport.nsw.gov.au/dataset/opal-tap-on-and-tap-off. It consists of tap-on and tap-off counts for NSW's four modes of public transport, collected over two separate week-long periods. The data has been further treated to improve privacy by removing small counts, aggregating some stops and routes, and perturbing the counts. This is a summary of our findings.
△ Less
Submitted 27 April, 2017;
originally announced April 2017.
-
Towards Computing Victory Margins in STV Elections
Authors:
Michelle Blom,
Peter J. Stuckey,
Vanessa J. Teague
Abstract:
The Single Transferable Vote (STV) is a system of preferential voting employed in multi-seat elections. Each vote cast by a voter is a (potentially partial) ranking over a set of candidates. No techniques currently exist for computing the margin of victory (MOV) in STV elections. The MOV is the smallest number of vote manipulations (changes, additions, and deletions) required to bring about a chan…
▽ More
The Single Transferable Vote (STV) is a system of preferential voting employed in multi-seat elections. Each vote cast by a voter is a (potentially partial) ranking over a set of candidates. No techniques currently exist for computing the margin of victory (MOV) in STV elections. The MOV is the smallest number of vote manipulations (changes, additions, and deletions) required to bring about a change in the set of elected candidates. Knowledge of the MOV of an election gives greater insight into both how much time and money should be spent on the auditing of the election, and whether uncovered mistakes (such as ballot box losses) throw the election result into doubt---requiring a costly repeat election---or can be safely ignored. In this paper, we present algorithms for computing lower and upper bounds on the MOV in STV elections. In small instances, these algorithms are able to compute exact margins.
△ Less
Submitted 16 August, 2017; v1 submitted 9 March, 2017;
originally announced March 2017.
-
An analysis of New South Wales electronic vote counting
Authors:
Andrew Conway,
Michelle Blom,
Lee Naish,
Vanessa Teague
Abstract:
We re-examine the 2012 local government elections in New South Wales, Australia. The count was conducted electronically using a randomised form of the Single Transferable Vote (STV). It was already well known that randomness does make a difference to outcomes in some seats. We describe how the process could be amended to include a demonstration that the randomness was chosen fairly.
Second, and…
▽ More
We re-examine the 2012 local government elections in New South Wales, Australia. The count was conducted electronically using a randomised form of the Single Transferable Vote (STV). It was already well known that randomness does make a difference to outcomes in some seats. We describe how the process could be amended to include a demonstration that the randomness was chosen fairly.
Second, and more significantly, we found an error in the official counting software, which caused a mistake in the count in the council of Griffith, where candidate Rina Mercuri narrowly missed out on a seat. We believe the software error incorrectly decreased Mercuri's winning probability to about 10%---according to our count she should have won with 91% probability.
The NSW Electoral Commission (NSWEC) corrected their code when we pointed out the error, and made their own announcement.
We have since investigated the 2016 local government election (held after correcting the error above) and found two new errors. We notified the NSWEC about these errors a few days after they posted the results.
△ Less
Submitted 7 November, 2016;
originally announced November 2016.
-
Auditing Australian Senate Ballots
Authors:
Berj Chilingirian,
Zara Perumal,
Ronald L. Rivest,
Grahame Bowland,
Andrew Conway,
Philip B. Stark,
Michelle Blom,
Chris Culnane,
Vanessa Teague
Abstract:
We explain why the Australian Electoral Commission should perform an audit of the paper Senate ballots against the published preference data files. We suggest four different post-election audit methods appropriate for Australian Senate elections. We have developed prototype code for all of them and tested it on preference data from the 2016 election.
We explain why the Australian Electoral Commission should perform an audit of the paper Senate ballots against the published preference data files. We suggest four different post-election audit methods appropriate for Australian Senate elections. We have developed prototype code for all of them and tested it on preference data from the 2016 election.
△ Less
Submitted 1 October, 2016;
originally announced October 2016.
-
Efficient Computation of Exact IRV Margins
Authors:
Michelle Blom,
Peter J. Stuckey,
Vanessa J. Teague,
Ron Tidhar
Abstract:
The margin of victory is easy to compute for many election schemes but difficult for Instant Runoff Voting (IRV). This is important because arguments about the correctness of an election outcome usually rely on the size of the electoral margin. For example, risk-limiting audits require a knowledge of the margin of victory in order to determine how much auditing is necessary. This paper presents a…
▽ More
The margin of victory is easy to compute for many election schemes but difficult for Instant Runoff Voting (IRV). This is important because arguments about the correctness of an election outcome usually rely on the size of the electoral margin. For example, risk-limiting audits require a knowledge of the margin of victory in order to determine how much auditing is necessary. This paper presents a practical branch-and-bound algorithm for exact IRV margin computation that substantially improves on the current best-known approach. Although exponential in the worst case, our algorithm runs efficiently in practice on all the real examples we could find. We can efficiently discover exact margins on election instances that cannot be solved by the current state-of-the-art.
△ Less
Submitted 20 August, 2015;
originally announced August 2015.
-
The New South Wales iVote System: Security Failures and Verification Flaws in a Live Online Election
Authors:
J. Alex Halderman,
Vanessa Teague
Abstract:
In the world's largest-ever deployment of online voting, the iVote Internet voting system was trusted for the return of 280,000 ballots in the 2015 state election in New South Wales, Australia. During the election, we performed an independent security analysis of parts of the live iVote system and uncovered severe vulnerabilities that could be leveraged to manipulate votes, violate ballot privacy,…
▽ More
In the world's largest-ever deployment of online voting, the iVote Internet voting system was trusted for the return of 280,000 ballots in the 2015 state election in New South Wales, Australia. During the election, we performed an independent security analysis of parts of the live iVote system and uncovered severe vulnerabilities that could be leveraged to manipulate votes, violate ballot privacy, and subvert the verification mechanism. These vulnerabilities do not seem to have been detected by the election authorities before we disclosed them, despite a pre-election security review and despite the system having run in a live state election for five days. One vulnerability, the result of including analytics software from an insecure external server, exposed some votes to complete compromise of privacy and integrity. At least one parliamentary seat was decided by a margin much smaller than the number of votes taken while the system was vulnerable. We also found protocol flaws, including vote verification that was itself susceptible to manipulation. This incident underscores the difficulty of conducting secure elections online and carries lessons for voters, election officials, and the e-voting research community.
△ Less
Submitted 5 June, 2015; v1 submitted 21 April, 2015;
originally announced April 2015.
-
End-to-end verifiability
Authors:
Josh Benaloh,
Ronald Rivest,
Peter Y. A. Ryan,
Philip Stark,
Vanessa Teague,
Poorvi Vora
Abstract:
This pamphlet describes end-to-end election verifiability (E2E-V) for a nontechnical audience: election officials, public policymakers, and anyone else interested in secure, transparent, evidence-based electronic elections.
This work is part of the Overseas Vote Foundation's End-to-End Verifiable Internet Voting: Specification and Feasibility Assessment Study (E2E VIV Project), funded by the Dem…
▽ More
This pamphlet describes end-to-end election verifiability (E2E-V) for a nontechnical audience: election officials, public policymakers, and anyone else interested in secure, transparent, evidence-based electronic elections.
This work is part of the Overseas Vote Foundation's End-to-End Verifiable Internet Voting: Specification and Feasibility Assessment Study (E2E VIV Project), funded by the Democracy Fund.
△ Less
Submitted 14 April, 2015;
originally announced April 2015.
-
vVote: a Verifiable Voting System
Authors:
Chris Culnane,
Peter Y. A. Ryan,
Steve Schneider,
Vanessa Teague
Abstract:
The Pret a Voter cryptographic voting system was designed to be flexible and to offer voters a familiar and easy voting experience. In this paper we present a case study of our efforts to adapt Pret a Voter to the idiosyncrasies of elections in the Australian state of Victoria. This technical report includes general background, user experience and details of the cryptographic protocols and human p…
▽ More
The Pret a Voter cryptographic voting system was designed to be flexible and to offer voters a familiar and easy voting experience. In this paper we present a case study of our efforts to adapt Pret a Voter to the idiosyncrasies of elections in the Australian state of Victoria. This technical report includes general background, user experience and details of the cryptographic protocols and human processes. We explain the problems, present solutions, then analyse their security properties and explain how they tie in to other design decisions. We hope this will be an interesting case study on the application of end-to-end verifiable voting protocols to real elections.
A preliminary version of this paper appeared as the 10th February 2014 version of "Draft Technical Report for VEC vVote System".
The team involved in develo** the vVote design described in this report were: Craig Burton, Chris Culnane, James Heather, Rui Joaquim, Peter Y. A. Ryan, Steve Schneider and Vanessa Teague.
△ Less
Submitted 20 September, 2015; v1 submitted 27 April, 2014;
originally announced April 2014.
-
Rational Secret Sharing and Multiparty Computation: Extended Abstract
Authors:
Joseph Y. Halpern,
Vanessa Teague
Abstract:
We consider the problems of secret sharing and multiparty computation, assuming that agents prefer to get the secret (resp., function value) to not getting it, and secondarily, prefer that as few as possible of the other agents get it. We show that, under these assumptions, neither secret sharing nor multiparty function computation is possible using a mechanism that has a fixed running time. How…
▽ More
We consider the problems of secret sharing and multiparty computation, assuming that agents prefer to get the secret (resp., function value) to not getting it, and secondarily, prefer that as few as possible of the other agents get it. We show that, under these assumptions, neither secret sharing nor multiparty function computation is possible using a mechanism that has a fixed running time. However, we show that both are possible using randomized mechanisms with constant expected running time.
△ Less
Submitted 7 September, 2006;
originally announced September 2006.
