The Open Canvass Method

The Open Canvass Method is proposed as a method to return accountability to our elections. It can be deployed immediately whenever paper ballots are used. Before the method is described, a short summary of the current problems is provided. (If you are reading a printed version of this page, links to references are provided at the bottom.)

Note: This was previously named the Comparative Optical Recognition Election Completion Technique (CORECT)_TM

URL of this page: http://www.copswiki.org/Common/OpenCanvass
by Raymond Lutz (Updated: 2009-05-05 Revision: 26)

Open Canvass Overview -- on one slide

• START HERE: Quick Open Canvass Overview

Open Canvass in a nutshell

• Paper ballots are required. They are completed at the polling place or at home (Vote-by-Mail - VBM). The ballots should have the precinct encoded on them (this is the practice today).
• Three distinct phases, processed by distinct teams of people.
  1. Phase 1 Voting
     • Voter signs-in etc. as usual, ballot issued to the voter. (VBM: ballot mailed to the voter).
     • Voter completes the ballot by darkening bubbles on the form.
     • Voter deposits the ballots through the slot in the ballot box, (VBM: Ballot mailed to Registrar of Voters or delivered to any precinct)
  2. Phase 1A End of Day at Precinct
     • VBM envelopes are deposited into the ballot box as well, and are included on the log sheet.
     • Precinct workers deposit log sheets and remaining blank ballots into slots in precinct box.
     • Tape is applied over the slots.
     • Transport sealed boxes to collection centers and then to the Registrar of Voter's office.
  3. Phase 1B Initial Reception at Registrar of Voters
     
     • Sealed ballot boxes are processed through receiving inspection.
     • Completed ballots separated from log sheets.
     • Ballots can be grouped by precinct.
     • VBM envelopes separated from precinct-completed ballots.
     • VBM envelopes are validated, opened, and ballots separated.
  4. Phase 2 Create election record.
     • Scan ballots using conventional document imaging equipment
     • create full images of each ballot, storing each into a separate file with unique sequence number.
     • Imaging is handled by a highly trained staff who validate the accuracy of the result but do not attempt to tally votes.
     • Image files are stored on optical media such as data DVDs to create a permanent record of the election.
     • Election record can be obtained by anyone who wishes to review it for nominal fee to cover cost of media and reproduction.
  5. Phase 3 Comparative Recognition
     • Separate competitive teams (Registrar of Voters, political parties, oversight groups) redundantly review the ballot image data and reduce it to the tally.
     • Each team creates a flat data file where each record is indexed by the ballot sequence number.
     • If desired, the ballots may be reviewed manually, and the images may optionally be placed on the Internet for public inspection.
     • Separate teams submit their results to the Registrar who compares the data files. Any ballots where disagreement exists may be inspected manually (that is, the image file can be inspected.)

• Any discrepancy between the results of any single ballot can be raised to the Registrar for final resolution.

Please see the description below for more details. NOTE: The Open Canvass method is not a commercial product and is available for unlimited deployment. (Please acknowledge the author Raymond Lutz and Citizens Oversight.org when referencing the method.)

---

Background

Help America Vote Act (HAVA)

The changes in our voting system were instigated by the Help America Vote Act (HAVA) of 2002⁽¹⁾.

Issues

• VVPATS - Voter-verified paper audit trails -- laws adopted by at least 26 states mandate such trails. This occurred after the large-scale election fraud in the 2004 elections as documented by many sources.
• Security issues remain prominent in the public debate about voting technologies.
• Vendors produced poorly designed, poorly tested, or poorly constructed e-voting equipment. COPs believes this was the expected result of relying on so much custom hardware and firmware design and production.
• Poll workers required significant training on the electronic equipment. Too few poll workers had the required training, resulting in long lines, excessive delays and voter confusion.
• Allocation of the machines became a strategy to bias the results of the election. Providing too few machines in African-American areas, for example, resulted in reducing the Democratic votes. The film "American Blackout" documents this sort of attack.
• The cost of implementing DRE voting systems can be substantial.
• DRE systems are large and require power. They cannot be placed in many of the customary polling places and larger rooms with power must be utilized. We noted in the San Diego East County area that polling places normally found in churches were moved from the community room to the larger sanctuary.
• Testing of the equipment was frequently handled by the voting machine vendors themselves.
• See Letter Report on Electronic Voting⁽²⁾ -- Committee on a Framework For Understanding Electronic Voting, National Research Council

Problem in a nutshell: Elections can be hacked

With the advent of electronic voting equipment, we have learned that there is intense pressure to cheat the system. As a result, voting equipment, scanner equipment, and "central tabulators" have all been used to change the results of elections. Moving to open-source software is one proposal, but even open source software is subject to hacks and backdoors. Some groups are suggesting that hand-counting ballots at precincts is the way to finally return confidence to election results. However, that solution has problems too.

Here is a brief summary of the problems faced by these proposals: %IMAGE{"DieboldAccuvote400x369.jpg" size="200" align="right" type="frame" caption="Diebold Elections System Accu Vote-TSx DRE"}%

DRE Machines

The "Direct-Record Election" machines accept input from the user on each race and record the vote in the form of an internal tally. At first, these machines provided no paper trail, allowing unlimited changes to the count without any means to check it. If a machine died or was reset, the votes could be lost. Later, under VVPAT, the machines were retrofitted with a paper tape to allow a paper trail to be created, but the paper tape is difficult to review and store. The DRE machines are custom made and the software has been kept private. Because their only purpose is for elections, that custom software will be a target for backdoors to be inserted so the results can be changed.

It is claimed that disabled voters prefer these machines as it lets them vote on their own. Helping a voter cast a ballot under the scrutiny of an observer is perhaps just as good, if not better. The claim that the disabled prefer the machines is a claim that should be checked. If indeed the machines are a help in that regard, they can be used to create a paper ballot so they can be scanned like the rest. The HAVA law specifies that at least one DRE per polling place is required for disabled voters. (Under CORECT, if these are still used, paper ballots would be generated from the data of the DRE machine.) If the DRE machines are used to create a paper ballot which the voter can check and can be later scanned, this is compatible with CORECT.

%IMAGE{"DieboldPrecinctScanner-Labeled.jpg" size="200" align="right" type="frame" caption="Diebold Precinct Scanner"}%
%IMAGE{"Scanner_Ballot_Box-Diebold.jpg" size="200" align="right" type="frame" caption="Diebold ballot box used with precinct scanners"}%

Scanned paper ballots

Durable paper ballots is an important step to allow the election to be completely checked by hand if necessary to see if it matches the conclusions of the scanners. However, the code in the scanners that converts the scanned images to the tally is custom written specifically and only for elections. This means it is fertile ground for hackers to install backdoors and hooks to allow the ultimate tally to be changed.

Central Tabulators

Both the DRE machines, scanned paper ballots, and even hand counting at precints all rely on a central tabulator to add up all the results from all precincts. This is usually only a program running on a PC, either a spreadsheet or perhaps a database application. In any case, the results can be just changed by an unscrupulous user or a hacker can get into a specialized database program. In fact, custom programs are perhaps more vulnerable to attacks of this type than standard, "off-the-shelf" products, which are designed for general robustness and are relied upon by many users for their accuracy.

Hand-Counted Paper Ballots at the Precinct

Some election integrity researchers are proposing that we return to hand-counted paper ballots, counted at the precincts. The New Hampshire "sort and stack" method is one of the methods proposed by proponents. (See Hand Count Presentation⁽³⁾) Costs are estimated at $0.07 per ballot per race. It turns out this is very expensive and it does not solve all of the integrity problems. For the upcoming 05 Feb 2008 presidential primary in San Diego County, we could expect costs of 1.5M x 10 = $15M to count the ballots using this method. For the recent Nov 2006 elections, there were up to 100 items on the ballot. 1.5M x 100 = $150M to count the ballots in this fashion.

There is significant training required, and even New Hampshire advocates admit it is not feasible in larger precincts or when there are a large number of races. Precinct workers are not necessarily trustworthy, and it can be argued that it is probably better if they never handle the ballots at all. There is no assurance that the ballots won't be "dropped" on the floor during the counting process, or numbers fudged when reported. COPs argues that precinct workers should handle the ballots as little as possible, if at all.

In the San Diego East County area, there are 760 precincts. However, we have only about 100 "trusted" precinct workers and it is impossible for them to cover 76 precincts each to make sure the precincts get adequate supervision. Also, most voters (60%) are planning to vote by mail, eliminating the option altogether.

Precinct voting has other problems too. First, we have a very large number of precincts (32%) that conduct the election on the sites of churches, some placing the voting area in the sanctuary and in one case, having people sign in on the altar. For voters of other faiths, going into this "sacred" area of the church may be unpalatable. For the faithful, it may be considered sacrilegious. The pastor at one church distributed voter guides in the narthex. After being told to remove them, he replaced them later in the day. He said "This is a church first and a polling place second."

A Stanford study found that the location of the polling place, whether it is in a church, school, firehouse, or a person's home, will always slant the results of the election. (See Polling Places Can Affect Elections⁽⁴⁾) You can clearly understand how having churchgoers vote on the Mt. Soledad cross while standing in the sanctuary and voting in front of the altar before a cross is probably one of the most coercive of situations, yet it is exactly what has been established. The only way to avoid this entire question is to move to Vote by Mail (VBM) elections. VBM elections have other good characteristics, such as allowing the voter to think about the vote a bit longer. People report a feeling of a take-home test rather than a pop-quiz. VBM provides additional safeguards against voter fraud if the signature is validated, and studies report that VBM elections produce similar voter turn out and do not bias either party.

With all that said, hand counting paper ballots is still the gold standard of accuracy and reliability. When all else fails, you will turn to this approach. Yet, human beings are not well suited for such counting, while machines are specifically well suited to do it, as long as sufficient safeguards and redundancy exist.

The Open Canvass Method

The Open Canvass Method takes the sensitive part of the election, that is recognizing and tallying the vote, and exposes it to intense public scrutiny and redundant recounting. It allows the use of off-the-shelf (OTS) document processing equipment which is already heavily tested and utilized in the private sector and is even respected by the courts in the operation of most major businesses today. This provides for rapid reporting of results and complies with nearly all requirements of the HAVA law, is scalable to complex elections and is much less costly than hand counting or polling-place electronic voting using proprietary DREs. This method avoids all the downsides of the hand-counted paper ballots.

The description below assumes that the Open Canvass method is used as the primary method for completing the canvass. However, the method can be easily used in concert with any existing method that uses paper ballots. For example, in San Diego County, the Registrar currently (as of 2008) uses paper ballots suitable for use by the Open Canvass method, and uses Diebold scanners at the office of the Registrar of Voters to scan all the ballots, and then the ballots are placed in storage. The Open Canvass method can be used before or after the existing method to scan all the ballots and provide a check on the result provided by the certified Diebold scanners and central tabulator. As we gain more experience with the method, we propose just such a gradual deployment.

The Open Canvass Method is summarized as follows:

Use Conventional Paper Ballots

• No electronic equipment is used for voting. Voters at polling places complete ballots using standard writing instruments exactly as they do if they are voting by mail. Typically, this means darkening bubbles next to the desired vote.
• Voters sign-in as usual and are provided with an appropriate ballot.
• "Locked" deposit boxes are provided at each polling location. Precinct workers do not handle ballots excessively or attempt to tally the vote. In practice, these are likely cardboard boxes with a small slot for the insertion of the ballots. Ballots should be inserted by the voter, and not handled by the precinct workers.
• If voters complete their ballots at home (Vote-by-Mail), they can mail the properly completed ballot to the Registrar of Voters office, hand-carried, or deposited in a polling-place deposit box. When these are received, they should be logged by the precinct workers and inserted into the ballot box. It may be easiest to segregate these into a separate compartment in the ballot box.

Notes

• If available, polling-place scanners can be used for a preliminary count in the precincts. These scanners must include a locked ballot box or appropriate sealed cardboard box where the scanned ballots can be deposited. It is desirable to have an overall count of the number of ballots cast.
• Said scanners can be used to provide feedback to the voter in terms of alerting to over or under voting, and therefore complying with some of the desirable parts of HAVA.
• Since no firmware or software is distributed to the precincts, there is no concept of a "sleep-over", no need to check or validate source code, etc. Any reporting by the precincts is only preliminary in nature. The scanners in the polling places, if used, are not relied upon for the final tally whatsoever. If scanners are used to alert the voter for over or under voting, they can create a preliminary count, but this count is not official and useful for news media feedback only.
• It is recommended that the ballots be designed to include a machine-readable "race number" next to each race that appears. Different ballot types include different races and it will be easiest to separate out the races if they can be identified regardless of the ballot type.

• Additional Comments.
  • As the fraction of voters who visit precincts continues to fall, it is the opinion of COPs that we reduce the number of polling places to one per post office location. At that location, precinct workers would work with voters to process their VBM ballots and insert them into locked ballot boxes.
  • One thing that has been completely disregarded in the voting process is the use of computers to improve the sign-in process and to look up voters' registration. This is an area that could be vastly improved with networked computers so a voter could go into any precinct, identify themselves (perhaps by using a PIN code or signature verification), and even allow registration at the time of voting (which is allowed in some states).

Chain of custody

• Each locked/sealed drop box is transported to the Registrar of Voters office and unlocked in a secure area, viewed by time-compression video cameras (perhaps one frame per second or 5 seconds.) Camera data is uploaded to an Internet site for review by the public.
• Inspectors log in the ballots from each polling-place, including the number of blank ballots, number of VBM ballots, etc. as provided by the log sheets from the precinct. This is different from practice today where the number of ballots received is checked at the precinct. No checking is performed at the polling-place to avoid possible fraud by polling place workers.
• The ballots are transferred to manageable boxes in preparation for processing.
• VBM ballots: signature validation is performed as it is today. (@@ Need to further document the signature validation process).

%IMAGE{"i800comp_308.jpg" size="200" align="right" type="frame" caption="Kodak 800i, an example of a high-duty cycle scanner capable of 120 pages per minute, scanning both sides of the page at 200dpi resolution, and it has a 1000-sheet input tray."}%
%IMAGE{"BellHowell-Spectrum-XF8140-Scanner.jpg" size="200" align="right" type="frame" caption="Bell & Howell 8140DCI Spectrum XF Scanner, an example of a high-duty cycle scanner capable of 140 pages per minute, scanning both sides of the page at 200dpi resolution. It has a 500-sheet input capacity."}%

Scanning

• Scanning will be performed by standard high-speed image scanners with no custom modification for the vote counting application.
  • A single file is created for each ballot, and may include both sides of the ballot. Optionally, a set of files is created, one for each side of the ballot, with similar names. The following are examples of scanned ballots, useful for discussion.
    • 2008-02 Scanned Ballot: Full-color, JPEG format, 96 dpi, 191KB⁽⁵⁾
    • 2008-02 Scanned Ballot: Grayscale, PDF format, 200 dpi, 68KB⁽⁶⁾
    • 2008-02 Scanned Ballot: Grayscale, PDF format, 300 dpi, 130KB⁽⁷⁾
    • 2008-06 Scanned Ballot: Grayscale, PDF format, 200 dpi, 21KB⁽⁸⁾

• • The scanning process is less vulnerable to fraudulent attacks if the content of the ballots is unknown (i.e. no image recognition at this stage and no tallying is performed) and the result is purely the images of the ballots.
  • High-end scanners are used by corporate document management departments and are not custom designed for elections. This eliminates the likelihood that any hackable back-doors exist in these units, and since only images are created, such back-doors are extremely difficult to implement. However, demanding that these commercial products be "open" or "non-proprietary" is counter productive. It does not matter if they are proprietary because they are not affecting the output of the tally.
  • Document imaging technologies are deployed heavily in private industry today, with many large businesses choosing to scan all documents that are received and immediately shred and recycle the paper. Such document images have been tested in court, with images scanned and reduced to optical media acknowledged as extremely difficult to "hack." Those businesses choose to shred and recycle the originals to preserve the privacy of their customers. In the Open Canvass method, however, the original ballots are preserved for any later challenges to the scanning process.
  • For example, the Kodak 800i can scan 120 pages per minute at 200 dpi resolution, scanning both sides of the document at the same time. 1,000 ballots can be inserted at a time. Such a machine runs about $50K.
  • The Bell & Howell Spectrum XF 8140 DBI scans at 140 ballots per minute, and they run about $31K each.
• To scan all the ballots in San Diego County (about 1.5 million ballots) would take at least 178 hours using a single machine. However, about 60% of VBM ballots can be scanned in advance of election day without actually attempting to tally the vote, leaving only about 70 hours on one machine.
• In larger counties, multiple scanners may be needed to expedite the work on election night.
• Even if multiple machines are employed, the cost is far less than if manual hand counts are exclusively utilized.
• A limited number of highly trained workers operate the scanners. This approach does not suffer from the lack of trained poll workers seen when the scanners or DREs are deployed to all the polling places.
• It is recommended that optical recognition of the content of the ballots NOT be attempted at this time by these workers. Modern document scanners provide such recognition as a standard part of their functionality. However, performing vote recognition on the images as they are produced provides an incentive to manipulate the ballots in some fashion by the workers. Therefore, this step should be separately processed by a separate team of workers who have no impact on the eventual tally. It is necessary for these workers to check the quality of the scanned images as they are produced from time to time.
• The California Secretary of State has said verbally that this method of imaging the ballots does not need to be certified because no vote tally is being attempted.

%IMAGE{"dvd_bulk_rep.jpg" size="200" align="right" type="frame" caption="Stack of DVDs which would be the result of the election"}%

Election Record

• The primary output of the scanning process conducted by the Registrar of Voters is optical media containing images of all the ballots.
  • Assuming 8.5 x 11 ballots (double-sided) scanned at 200dpi (dots-per-inch) resolution (black and white only, like a fax) the compressed image files are approximately 20-70K bytes per side, say 100KB for both sides. Both sides of the ballot are contained in the same file, and the file is named according to the sequence number.
  • Assuming 1.5 million ballots in San Diego County (the number of ballots returned in November, 2006), the total space requirements is approximately 100K x 1.5M = 150 GB. If the high capacity (200 GB) Blue-Ray DVD is used for storage, all the images could fit on a single Blue-Ray DVD, or if standard DVD disks are used, about 32 data DVD's would be required to store all the images.
• The ballots are stored in a single directory with no attempt to separate them into precincts or ballot types. However, it is required that the ballot contain the precinct number and ballot type in clear type so they can be recognized on the ballot.
• The Election Record is available to any citizen who wishes to purchase the disks at a cost to cover the cost of the disks and reproduction, not to exceed $2,500 for the election record for the entire county, or about $50 per DVD disk.
• Ballot image data optical media are provided to the major parties, and any other oversight groups that wish to check the results.

Tallying the Vote -- Comparative Optical Recognition

• The Registrar of Voters then performs optical recognition of the ballots.
  • This step is perhaps best performed after the ballot image data is finalized to avoid the small possibility that the image data could be tampered with based on the content of the vote. However, because of other checks in the system, it can also be argued that those checks sufficiently mitigate this danger, and recognition of the vote can be performed (by the Registrar) simultaneous with the generation of the images.
  • If the ballots are designed to include the race number next to each voting option, they can be extracted from the images without needing to know the many ballot types that may exist. This can substantially simplify the vote recognition step.
• Parties and oversight groups may use any standard or proprietary software or other means, including manual inspection of the ballot images, to capture the vote from the ballot images. Off-the-shelf software is readily available at reasonable cost, which typically include easy-to-use tools to allow extraction of the vote from the ballot forms. For example (these examples are not endorsed but appear to be sufficient for the purposes of this application):
  • ABBYY -- FormReader 6.5 Enterprise Edition ($399)⁽⁹⁾
  • Gravic -- Remark Office OMR 6 ($895)⁽¹⁰⁾
  • AnyDoc -- Software OCR for AnyDoc⁽¹¹⁾
  • Oyster Software, Inc. -- FormsPro⁽¹²⁾

• Each group creates a flat datafile. The index of each record should be the unique serial number of the ballot image file. The format of this data file will be clearly documented.

  For example:

SEQNUM	OBAMA	MCCAIN	PROP123
234987	1	0	Y
234988	0	1	N
234989	0	0	0

Etc.

• The resulting data files from any groups that wishes to supply it can be compared. If there are any differences, those ballots can be inspected individually.
  • If at least three groups are involved, and if a majority of those producing the results agrees on the result, it is normal practice to consider that to be the result, particularly if we find that the number of discrepancies is significant.
• The parties to the election and any oversight group can challenge the recognized vote on any ballot to the Registrar of Voters and request that officials inspect the images and reach an official ruling. To avoid unlimited review, any group would be limited to a single request for review limited to less than 10% of the ballots. (More study may be needed on this point.)
• Over time, with the various recognizers checking each other, they will improve until there are very few ballots requiring manual recognition.
• Companies with large storage servers (such as Google), may wish to upload the entirety of the election ballot images to the Internet so the ballots can be inspected by millions of Internet users. A virtual hand count can be implemented among those users, with any comments to the ballots kept as an associated set of user remarks.
• The "central tabulator" is redundantly implemented by each party and oversight group, eliminating the danger of an unscrupulous registry worker.

Checking your vote (Under Study)

There are a number of attacks that can be deployed that result in discarding of ballots for one reason or another. To defeat these attacks, there is a balance between privacy and information that can be provided. If complete privacy is ensured, then the chain-of-custody must be bulletproof.

• This feature is recommended but not required to gain most of the benefits of the Open Canvass Method. After completing initial discussions, it has been removed from the main proposal to avoid likely legal challenges. However, such a method may be acceptable over time.
• Each ballot would be encoded with a unique and arbitrary (long) number.
• The number is provided on the receipt of the ballot.
• If anyone wishes to check on their vote, they can do so using the receipt they were provided when they initially voted.
• A voter who visits the Registrar can find out if his ballot was included in the image set. and to find out if by asking the Registrar of Voters, but the content of the ballot is not revealed. The voter is already able to find out if his ballot was received. This check provides additional information to assure the voter that his ballot was not only received but also included in the ballot image set.
• It is difficult to deploy vote-purchasing schemes as it is difficult for others to look up the ballot using the random number as it is not included in the public data files. The data set would have to be purchased and image processing software run on it.

Deploying the Open Canvass Method

• It is very feasible to deploy this method immediately, even if any other means is used to count the ballots.
• The method requires paper ballots to be deployed.
• If precinct scanners are exclusively used, rescanning the ballots to create the images is necessary.

Mailing List

• Please subscribe to our Election Integrity mailing list:

About the Author

• Raymond Lutz -- http://www.copswiki.org/Common/RaymondLutz -- Mr. Lutz has over 25 years of experience in the document management industry. He founded the Multifunction Products Association (MFPA) in 1992 and has served as the editor and author of industry standards and recommendations. He holds a Master's degree in Electronics Engineering from San Diego State University. Mr. Lutz is available for consultation at Cognisys.com.

---

Notes

1 : Summary of changes and issues instigated by the Help America Vote Act (HAVA) of 2002 http://www.copswiki.org/Common/HelpAmericaVoteAct

2 : Letter Report on Electronic Voting - http://www.copswiki.org/w/pub/Common/OpenCanvass/LetterReportOnElectronicVoting-NationalResearchCouncil.pdf

3 : Hand Count Presentation - http://www.democracyfornewhampshire.com/files/Hand_count_training_D-fest_July_5_2007.pdf

4 : Stanford Study revealing that Polling Places Can Affect Elections -- http://www.copswiki.org/Common/PollingPlacesCanAffectElections

5 : http://www.copswiki.org/w/pub/Common/OpenCanvass/ballot096fc.jpg 2008-02 Scanned Ballot: Full-color, JPEG format, 96 dpi, 191KB -

6 : http://www.copswiki.org/w/pub/Common/OpenCanvass/ballot200bw.pdf 2008-02 Scanned Ballot: Grayscale, PDF format, 200 dpi, 68KB -

7 : http://www.copswiki.org/w/pub/Common/OpenCanvass/ballot300bw.pdf 2008-02 Scanned Ballot: Grayscale, PDF format, 300 dpi, 130KB -

8 : http://www.copswiki.org/w/pub/Common/OpenCanvass/scannedballot200dpi.pdf 2008-06 Scanned Ballot: Grayscale, PDF format, 200 dpi, 21KB -

9 : http://www.abbyy.com/formreader6/?param=30487 ABBYY -- FormReader 6.5 Enterprise Edition ($399) -

10 : http://www.gravic.com/remark/officeomr/ Gravic -- Remark Office OMR 6 ($895) -

11 : http://www.anydocsoftware.com/software/products/ocr/intro.html AnyDoc -- Software OCR for AnyDoc -

12 : http://www.oystersoft.com/products.shtml Oyster Software, Inc. -- FormsPro -

0