Title:Non(c)esuch Ballot-Level Risk-Limiting Audits for Precinct-Count Voting Systems

Abstract:Risk-limiting audits (RLAs) guarantee a high probability of correcting incorrect reported outcomes before the outcomes are certified. The most efficient use ballot-level comparison, comparing the voting system's interpretation of individual ballot cards sampled at random (cast-vote records, CVRs) from a trustworthy paper trail to a human interpretation of the same cards. Such comparisons require the voting system to create and export CVRs in a way that can be linked to the individual ballots the CVRs purport to represent. Such links can be created by keeping the ballots in the order in which they are scanned or by printing a unique serial number on each ballot. But for precinct-count systems (PCOS), these strategies may compromise vote anonymity: the order in which ballots are cast may identify the voters who cast them. Printing a unique pseudo-random number ("cryptographic nonce") on each ballot card after the voter last touches it could reduce such privacy risks. But what if the system does not in fact print a unique number on each ballot or does not accurately report the numbers it printed? This paper gives two ways to conduct an RLA so that even if the system does not print a genuine nonce on each ballot or misreports the nonces it used, the audit's risk limit is not compromised (however, the anonymity of votes might be compromised). One method allows untrusted technology to be used to imprint and to retrieve ballot cards. The method is adaptive: if the technology behaves properly, this protection does not increase the audit workload. But if the imprinting or retrieval system misbehaves, the sample size the RLA requires to confirm the reported results when the results are correct is generally larger than if the imprinting and retrieval were accurate.