Joseph Lorenzo Hall, UC Berkeley School of Information1
Election auditing works to ensure agreement between what the voter sees, what the voting system records and what is counted by back-end tabulation systems. A key concept in voting system security and auditability is that of software independence whereby an ``undetected error or fault in the voting system software is not capable of causing an undetectable change in election results.'' Practically, this is achieved by testing the voting system before an election and checking the election results after the election.
In terms of testing, more than 40 states require voting systems be federally certified by independent laboratories before they can be used in live elections. These laboratories perform a series of tests and audits of the software, equipment and documentation to ensure that a given voting system conforms to the federal standards. Some states have found this process to be lacking and have decided to employ their own experts to further evaluate systems.[3,4,5]
In terms of post-election auditing, the dominant form of auditing currently in use involves comparing hand-counts of paper audit records with the electronically-recorded and tabulated results. A small minority of states, only 12, allow voting systems that do not produce a paper record.3 However, only a handful of States have provisions that require routine hand-counts of these records to audit the electronic results. Even amongst the States that do this type of post-election auditing, they typically mandate a flat-percentage audit of 1%-20% of precincts, machines or election districts, randomly chosen. The state-of-the-art in post-election auditing, in practice, involves tuning the size of the audit to a desired level of confidence (or statistical significance) while taking into account the size of the units being audited and the margins of contests on the ballot.[9,10] This type of ``tuned'' audit can help to ensure that jurisdictions do not needlessly waste time and effort. In the context of this article, audits based on statistical confidence will simply mean more or less hand counting.
California has been performing post-election manual tallies for over 43 years.4 At that time in the early 1960s, punchcard voting equipment, after lever machines, had become the next major voting technology. The type of punchcard that was best suited for large jurisdictions, like Los Angeles County, maximized the number of ballot positions per ballot; these punchcards had no candidate or choice names printed on the face of the punchcard. The new ``automatic manual recount'' process would serve as a check on the punchcard tabulation machinery in order to ensure that the ballot position number on the paper punchcard corresponded to the correct candidate in the tabulation program.5 In fact, while the emphasis in current law is that the manual tally is not a recount (vote totals do not change in the tally but do in a recount), the original provision called for a ``public manual recount'' of ballots in 1% of precincts or no fewer than 6 precincts.6
California law specifies very little directly about the conduct of the manual tally. The legal definition of the ``one percent manual tally'' is:
[The] ``One percent manual tally'' is the public process of manually tallying votes in 1 percent of the precincts, selected at random by the elections official, and in one precinct for each race not included in the randomly selected precincts. This procedure is conducted during the official canvass to verify the accuracy of the automated count.7For electronic voting systems, the law considers the voter-verified paper audit trail (VVPAT) the record of the vote for tallying purposes and the VVPAT governs if there is a discrepancy between the electronic and paper records.8 Finally, Sec. 15360 of the California's Election code specifies a number of high-level requirements for the tally:
In practice, the hand-counting method used by counties in California seems very similar. The typical tally team uses four people consisting of two talliers, one caller and one witness:
This type of post-election audit--the manual tally of paper records against results in the election database--has become increasingly important now that many states have adopted requirements that voting systems produce independent paper records. Such records do not serve their role as an audit trail if the records are not routinely examined as part of an audit.11
In California, there have been problems in the past due to underspecification in existing legislation. While a catalog of such deficiencies due to regulatory underspecification is beyond the scope of this work, we provide a few illustrative examples. For example, only recently did the manual tally law explicitly specify that VBM ballots be included. With many counties in California now reporting 40-50% of ballots cast as VBM ballots, this had meant that a large fraction of cast ballots went unaudited. Also, the law only recently specified a method for random selection of precincts to be manually tallied.12 Jurisdictions have in the past used, and continue to use, opaque methods of generating pseudorandom numbers--such as via software provided by the voting system vendor for this purpose--instead of publicly verifiable methods like those described by Cordero et. al.13
In addition to the underspecification alluded to above, there are other serious constraints related to timing and resources imposed upon jurisdictions that affect their manual tally. The most significant constraint is due to the time period in which the manual tally must be completed. California law specifies that the canvass, which includes the manual tally, must be complete 28 calendar days after the election.14 For smaller jurisdictions that do not have to count many ballots, the timing of the manual tally can occur promptly after election day. For very large counties, such as Los Angeles County, the manual tally process can take weeks. This is a serious constraint because, as we explain later, the integrity of the audit critically depends on all initial counting being complete before the tally begins; otherwise, the numbers being audited will change during the audit. Performing a high-quality audit also depends on resource constraints such as a jurisdiction's budget and available staff and space.
As our goal was initially to increase the security and transparency of the manual tally process, we recognized that our efforts would exacerbate these tensions. Our new procedures needed to be optimized, in a sense, to take advantage of possible efficiencies where election officials could save time and resources.
In order to develop improved post-election audit procedures that could be used by California counties, we chose a non-standard and somewhat exploratory methodology. We go in more detail below, but essentially we did the following:
We have been fortunate enough to collaborate with a number of election officials to improve their audit processes. Over the past year, we have worked closely in a larger multidisciplinary team16 with election officials in California's Alameda County, Marin County, San Mateo County and Yolo County.
These counties were interested, to different extents, in incorporating academic input about security and auditability into their post-election process. Our interaction with some of these counties was more indirect in some cases, when the county was interested in academic input on specific elements of their manual tally procedures.17
We decided to collaboratively redesign of the post-election audit procedures for one county, San Mateo. San Mateo County was willing to work closely with us to re-evaluate their procedures, was a fairly large county and was located close to our home institution. Our multidisciplinary team met with the election officials and staff of San Mateo over the Fall of 2006 and Spring of 2007 and this author observed the random selection and manual tally processes over a number of election cycles and developed the written procedures.
Our aim was to have a rich, iterative interaction where researchers learned about the issues involved in running elections and election officials learned about security, transparency and auditability while we both worked to align our two sets of expertise into concrete election procedures. As our collaboration progressed, our research team was able to highlight what we felt were the best practices in election auditing, from a scientific and policy perspective. In late Fall 2006, we drafted a first set of post-election audit procedures specific to San Mateo County that we modified as a group. These audit procedures were used as a model by San Mateo in the post-election audits of their 2006 and 2007 elections.[18,19]
We were able to make a number of improvements to the procedures in terms of security, transparency and efficiency.
The manual tally serves multiple security-relevant roles: as an audit process, a deterrent process and a tamper-evidence process. Given the heightened attention to security in elections in recent years, election officials are eager to learn about threats, possible attacks and mechanisms to neutralize exploitable opportunities that could allow subverting the elections process. We recommended a number of security-based improvements to existing procedures and subsequently observed other security-critical behavior that could be improved.
Timing of random selection and tally: Since the purpose of the tally is to compare two sets of independent vote counts, the random selection and manual tally must take place after the count has been completed. That is, a given ballot type cannot be audited until all the ballots of those type are counted.18 From a security perspective, attackers should not be able to predict which precincts will be audited while they still have an opportunity to influence vote totals. There is evidence that many jurisdictions perform their random selection very soon after election day, before they could possibly have completed counting VBM and provisional ballots.19 Unfortunately, for very large jurisdictions like Los Angeles, it is not possible to wait until counting is completed before commencing the selection and tally; the tally process would take longer than the time permitted for the canvass. One possible solution for very large jurisdictions is to treat each ballot type as a sampling stratum in a stratified sampling regime.20
Timing of retrieval of tally materials: Related to this last point is the preservation of the chain of custody for the audit materials once the selection is finished. As soon as the audited precincts have been chosen, the ballot materials to be audited become particularly sensitive. A window of opportunity exists here during which attackers who have tampered with the electronic count could avoid detection by manipulating the audit trail. It is important to minimize the amount of time between the selection and tally and particularly to protect sensitive ballot materials used in the audit.
The feasibility of collecting audit materials quickly depends on the size of the county. Notably, it was difficult for San Mateo, a relatively large county, to initially comply with this recommendation as different ballot materials needed for the tally were stored in physically separated warehouses across the county. They have since been able to store all materials on site for the selection and tally at their main warehouse. In contrast, Marin, a smaller county, stores such materials on-site. The time between the selection and tally for both of these counties is now very brief, about one hour. However, in Alameda, another large county about twice the size of San Mateo, three days elapsed between their selection and tally, considerably widening the window of opportunity for tampering with audit trail materials.
Seal verification: Election officials have to pay increasing attention to tamper-evident security seals due to studies that have shown physical access to voting systems can be an important prerequisite for exploiting serious vulnerabilities. Of course, the importance of maintaining the integrity of this seal-based custody chain does not disappear after election day. We observed inconsistent attention to seal verification during the manual tally. While one jurisdiction placed appropriate weight on seal verification, others performed more casual verification to assess that the seal was not broken (but without verifying the serial number on the seal). Attention to seal verification and seal integrity is a critical step for detecting tampering.
Blind counting: To eliminate the possibility of conscious or unconscious influence on the tally by the tally team, the team should operate under blind counting rules. That is, the tally team will conduct the tally without knowing the ballot totals for the tallied precinct. When the tally is complete for a particular ballot type in one precinct, a supervisor compares their totals to those from the election management system (EMS) database. If the totals do not reconcile, the tally team must count the ballots again to make sure there was not a counting mistake.21
While observing, we noted some issues with blind counting and observers' interaction with tally team members. To support transparency, as we note below, observers must have a copy of the electronic results for the precinct being audited. In one case, however, an observer told the tally team the correct electronic tally result when the hand tally was incorrect. This was a violation of two procedural rules: observers are forbidden to interact directly with tally teams and the tally must proceed under a blind counting protocol. To prevent this, observers must be reminded explicitly about the rules of engagement between observers and the tally team and about the importance of conducting a blind count.
Problems with randomness: We observed how slight changes in the random selection method resulted in imperfect randomness.
In San Mateo county, an observer who rolled a set of three ten-sided dice mis-read the roll as being invalid; that is, not corresponding to a valid precinct. Despite the rolled digits in fact being valid, this observer immediately picked up the dice and re-rolled them, effectively ruining that roll. From a security perspective, one could imagine attackers might take advantage of such a situation to ensure that certain precincts are not chosen. In this case, the presiding election official had to explicitly reiterate that observers must not pick up the dice unless directed to by an elections official.
In another case, the county followed their selection protocol perfectly but the protocol itself was flawed. Alameda County performs random selection of precincts using a rotating hopper and a set of 10 ping-pong balls with the digits 0-9 written on them. An election official draws a ping pong ball from the hopper and this digit serves as the ones place of a random number. Balls are drawn, corresponding to successive digits, until the random number chosen corresponds to a number between one and approximately 1200 (there are precincts in Alameda). One quirk in this selection method results in imperfect randomness: only when the hundreds place digit is 0, 1 or 2 do they draw a fourth digit. This results in non-uniform random selection. Because any random number where the hundreds place is larger than 2 can correspond to only precincts numbered from approximately 300-999, this ultimately results in those precincts being chosen with twice the probability of the remaining precincts. Upon inquiring about this with Alameda, we were told that the original method devised to select random numbers required starting with the thousands digit and starting over from scratch when the result would have been an invalid precinct number. We have recommended to Alameda county that they return to discarding invalid random numbers entirely rather than conditionally discarding specific digits. We highlight this case along with two illustrative solutions in a separate research memorandum.22
This highlights a compelling finding for procedural research: certain procedures, especially those related to technical security matters, are very sensitive to changes in the protocol. Small changes to procedures may seem trivial to those not familiar with the technical background but could have severe consequences. In order to avoid these kinds of imperfections, experts and observers with domain knowledge need to be involved when procedures change. In the longer term, it makes sense for these types of sensitive procedures to be specified in law or regulation so that such deviance is minimized.
Tallying and reporting appropriate records: Tallying the proper records of the vote as well as reporting meaningful data about the tally are critical security-relevant aspects of tally audits. Previous security work has emphasized that keeping track of data such as undervotes, overvotes and spoiled ballots/VVPATs can serve to aid detection of particularly subtle dynamic attacks. For example, a dynamic attack that misprints VVPAT records could be detected during an audit via an unusual amount of spoiled VVPAT records. Election officials must track these numbers by hand-counting undervotes, overvotes and spoiled ballots as part of the manual tally. Counties do this inconsistently now, but new reporting requirements for the 1% manual tally require counties to report this information to the Secretary of State. To support collection of this data, we assisted the Secretary of State in designing a reporting instrument that includes reporting, among other data, quantities of overvotes, undervotes and spoiled ballots.23
We observed that one county did not appear to be counting the actual paper records but the totals tapes.24 At least, the method that they used to perform their tally of VVPAT records was very different from the other counties. The tally must be over the records verified by the voter or the necessary confirmation of voter intent is never possible and opportunities for mischief and/or error increase. Like other counties we observed, this particular county started by cutting VVPAT records off of the VVPAT roll. However, they immediately placed the cut VVPATs into manila folders and began cutting up the totals tape, race-by-race, for each VVPAT roll. The tally proceeded by the caller calling out phrases like, ``McCain, 0...Obama, 0...''; that is, instead of calling out votes off of individual VVPATs, the caller appeared to be reading totals off of the totals tape. When we asked election officials about this, they stated that they were ``counting individual votes and not just the summary''. In addition to the security-related concern that voters do not verify the totals tape information the law is very specific that the VVPAT must be used for the manual count.25 We have been unable to confirm what we observed.26
Resistance to insider modification of voted ballots: We observed inconsistent attention to insider attacks on voted ballots during the tally process. When we did see provisions meant to mitigate certain types of insider attacks, we were often surprised by their existence. For example, each of the counties we observed had tally teams use pencil for marking tally documents. We found this puzzling as this permitted talliers to erase marks instead of the more standard accounting process for correcting mistakes: crossing out errors and initialing corrections.27 When we inquired about this, officials responded with an obvious security-based answer: pens could be used to indelibly change voted ballots. In fact, San Mateo's procedures included a prohibition on any indelible marking device in the tally area. While we were surprised by this particular case, there did not seem to be more systematic attention to insider threats to the tally process. Obviously, as is the theme of this work, exhaustive attention to insider threats will undoubtedly conflict with other constraints and priorities. Research examining insider threats to election office activity is a promising area for future work.
As we have stressed in previous work, electoral transparency requires supporting access, oversight, accountability and comprehensibility of election processes. In terms of access and oversight, procedural improvements that impact transparency relate mostly to to publication of notice, procedures and data so that members of the public can observe the process in an informed manner and perform their own calculations, if necessary. In terms of accountability and comprehensibility, we found it was important to have clear lines of communication for asking questions or alerting officials to procedural anomalies.
Public notice: Observers wishing to witness the manual count need to have public notice of the time and location of the tally process. When we began this work, it was difficult to know when and where a given jurisdiction's manual tally would be conducted. With a recent addition to the manual tally law, a minimum of 5-day public notice is now required.28 This has largely alleviated such frustrations and we have been able to find such notice for the jurisdictions that we have wanted to observe. However, in addition to traditional means of posting notice, like newspaper advertisements, we recommend wide, varied posting of such notice, such as on the jurisdiction's web site, via press release or op-ed in local community publications.
Procedures publication: Along with knowing when and where the tally will take place, observers will need information about the tally procedures themselves as well as any observer guidelines. Observers might not be familiar with the intricacies of the tally procedure and should be provided with a document that summarizes the process and then goes into detail about how the tally is conducted. The few written tally procedures we have seen, from the counties we observed, range from very detailed to providing a high-level overview.[26,27,28] Also, observers may be unfamiliar with how they should behave while observing the tally, as was the case mentioned above where an observer inadvertently broke the blind counting rule (see 4.1). We encountered this ourselves in San Mateo when we were told that no discussion is allowed amongst observers during the tally process per their observer guidelines. San Mateo seems to have the best practice here in terms of providing observation guidelines for all observable events in a typical election cycle.29
Data publication: In addition to procedural information, observers need be provided with various data. For the random selection, observers need a hardcopy (or read-only copy) of the mapping between possible random numbers to precinct identifiers.30 This allows observers of the random selection to verify that the selected number indeed corresponds to the correct precinct identifier. In our observations, these materials were made available to observers in Alameda and Marin but not in San Mateo. San Mateo instead had the mapping spreadsheets on a laptop--decidedly not read-only--and would turn the laptop towards observers so that they could verify the selection.31
For the tally, observers should have hardcopy (or read-only) copies of the unofficial statement of the vote as well as the detailed precinct results reports for each selected precinct. We have recommended that jurisdictions provide the statement of the vote during the random selection process so that the jurisdiction ``commits to'' or ``vouches for'' the vote totals before any precinct is selected. Observers need detailed precinct reports wile observing so that they can confirm the tally totals in the same manner as the tally supervisor confirms each tally team's manual count results. Again, these materials were available in Alameda and Marin counties but were not present in San Mateo.
Clear lines of communication: Observers need effective lines of communication for asking questions in a timely manner and also escalating issues that they feel are contrary to written procedures or otherwise anomalous. During our observations, we were able to easily ask questions of even the most senior elections personnel. We consistently received thoughtful and considerate responses to our queries and concerns. This notion of transparency seems to be something that counties support well already.
Efficiency--that is, minimizing waste during the tally in terms of time and resources--was a major concern during this work. We approached this research project knowing that we could not simply make demands of election officials in terms of security and transparency and expect them to adopt our ideas without question. Accordingly, we felt that we should work equally as hard at giving something back. During our initial conversations with elections officials, it became clear that recommending steps that could make their processes more efficient would be greatly appreciated.
The manual tally, as we have mentioned above, can be problematic in terms of time, space and staff. The tally is a time- and resource-intensive effort that requires a significant amount of work from election staff (and/or temporary employees) during a crucial time in which these staff could be assisting with other canvass-related activities. Most of the recommendations we have made in terms of efficiency relate to time efficiencies; that is, if we could find a way to do a task in less time, it would free up staff and other resources.
Randomness can be inefficient: Often our preferred methods of publicly-verifiable random selection can be inefficient. For example, in San Mateo during the random selections in November 2006 and 2007, using 10-sided dice to select the 1% sample went fairly quickly but selecting precincts for races not included in the 1% sample took a considerable amount of time--on the order of an hour--due to the high frequency of invalid rolls. During these selection events with many misrolls, we found ourselves (observers and election officials) making up rules as we went along. For example, if there were two precincts to choose from, we would roll one die and specify that even numbers corresponded to one precinct and odds to the other. But this ad-hoc rule creation was troubling and became difficult to do easily on-the-fly with larger numbers of precincts. Among the recommendations of Cordero et. al, they advised ``binning'' random numbers into equal sized bins to increase the frequency of valid rolls. We created a web-accessible script written in PHP to do this for an arbitrarily-large jurisdiction with an arbitrary number of 10-sided dice. This script does one thing: given a number of precincts to choose from and a number of 10-sided dice, it calculates the appropriate binning to minimize the frequency of misrolls (it also displays the bin mapping in a format that is easy for election staff to cut-and-paste into a spreadsheet program). San Mateo county used this script for their random selection in the manual tally for their February 2008 election and considerably shortened the time it took to do the selection as well as streamlined the process.32
Vote results reports should be fine-grained: In some cases, the vendors' EMSs will not report machine-specific results within a precinct. Unfortunately, this often means that a manual tally of, say, four to five VVPAT rolls for a given precinct can be compared only with aggregate precinct totals, instead of on a machine-by-machine basis. Considering that we observed that it might take one tally team of four people over 4 hours to tally one full VVPAT roll, finding a discrepancy after all that effort is ineffective and inefficient; if there is a discrepancy, the EMS report contains no information that would be helpful in locating on which VVPAT roll the discrepancy might be contained. This was the case in San Mateo which uses Hart InterCivic voting systems; each precinct had 4-5 VVPAT rolls but the Hart system only reports results at the precinct level. This can result, due to blind counting rules mentioned above, in the tally team having to redo the tally for each of that precinct's VVPAT rolls. If the EMS had reported vote totals for each machine in the precinct, the tally team would have instead had to retally a small number of VVPAT rolls.33
State-of-the-art auditing methodologies can also place distinct requirements on voting systems. For example, statistically conservative audit schemes start with a flat percentage audit, then require the auditor to calculate a statistical confidence value and, if needed, increase the sample size of the audit. However, some vendors' EMSs will produce meaningful results only in PDF format, a format useful for presentation of information but not useful for computation. To quickly calculate a statistical quantity with data from hundreds of precincts in such an unusable format would require an army of transcribers. If EMSs had the capability to output vote totals in an open, machine-readable and machine-processable format, such as the OASIS standard Election Markup Language,34 they would better support more sophisticated forms of election audits.
Adverse effects of good team demeanor: We observed subtle effects of tally team members becoming gradually more comfortable with one another. We noticed that, quite naturally, the members of a tally team tended to get progressively more comfortable with each other as tallying progressed and increasingly reluctant to assert certain conflicting aspects of their tally team roles.35 It is natural for a working group to converge, socially or otherwise, on a more comfortable working state, but often it seemed that objections were self-silenced to avoid derailing or slowing down the tally. However, this posed a few unique problems. We noted that occasionally, a tallier would either forget to call out on every multiple-of-ten vote or call out earlier than another tallier. More often than not, this was dealt with informally rather than with a more formal procedure of backing up ten votes and redoing the tally to this point. We also noted that the witness would occasionally question the vote determination made by the caller or mis-stack ballots into a stack of 9 ballots. These hiccups were also often dealt with informally instead of with a more formal challenge procedure for questioning the determination of a caller or rolling back the count to correct for mis-stacking. To help solve this problem, tally team training should emphasize that that talliers must feel comfortable stopping the process at any point for clarification or to question a determination made by other team members.
Using pre-filled tally sheets: A big time saver observed in Marin County's tally was the use of pre-printed tally sheets. In other jurisdictions such as Alameda and San Mateo, tally teams had to fill out generic tally sheets by hand for the precinct they were tallying.36 In a primary election with many candidates and many races, this can take a significant amount of time; e.g., in San Mateo, we observed that this took about one hour or 20 person-hours.37 In contrast, Marin used a digital tally sheet template in which they had one staff member fill out the candidate names and then print copies for the tally team. To save time in terms of person-hours, pre-filled printed tally sheets should be made for all jurisdiction-wide races and then races unique to a particular ballot style can be filled in by hand.
Innovative uses of RFID technology: Finally, Alameda county exposed us to very innovative uses of radio-frequency identification (RFID) technologies in their chain-of-custody procedures. Alameda applied RFID chips to the election media and the pollbook for each precinct. When pollworkers returned precinct materials to drop-off locations, an election staffer with a RFID reader would read the RFID chips from within a sealed security bag, without breaking the seal. This shortened the time needed to check the presence of critical items drastically--from about 30 minutes to less than 5--while preserving one link in the chain of custody. While this use of RFID technology was not in the context of the manual tally, it shows increasing promise in the use of RFID chips for elections-related chain-of-custody. Given the poor quality of current security seal technology, we recommend that researchers combine the inventory-tracking capability of RFID technology, the tamper-evidence of sensitive security seals and recent innovations in uncloneable RFIDs to provide the a type of security seal that can be read and cryptographically verified quickly at a distance but that will also ``self-destruct'' upon physical tampering, so that no forged replacement could be crafted.
We analyzed the manual tally process as used in a number of California counties to design a generic set of tally procedures that California counties can use. In the process of iterating on the design of procedures with San Mateo as well as observing elections in San Mateo, Alameda and Marin Counties, we developed a number of improvements in terms of security, transparency and efficiency. We also discovered some issues outside the scope of procedure design; for example, the challenges that large counties face in meeting the 28 day canvass deadline or how voting systems could better support manual tally audits. The current procedures resulting from this work exist specifically for San Mateo or in a generic form, designed for use by any California county in improving their 1% manual tally process. We have attempted to note in the generic procedures where certain ideas are not specific to California.
This material is based upon work supported by the National Science Foundation under A Center for Correct, Usable, Reliable, Auditable and Transparent Elections (ACCURATE), Grant Number CNS-0524745. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author and do not necessarily reflect the views of the National Science Foundation.
Considering the almost 2-year time period over which this research was conducted, there are many contributors to acknowledge. Close collaborators in this work included Kim Alexander, Aaron Burstein, Arel Cordero, David Dill, Deirdre Mulligan, Philip Stark and David Wagner. This work would have not been possible without the cooperation and patience of local and state election officials and their staff, such as Warren Slocum, David Tom, Theresa Rabe, Freddie Oakley, Tom Stanionis, Elaine Ginnold, Dave MacDonald, Jennie Bretschneider, Lowell Finley and California Secretary of State Debra Bowen. In the process of completing this work, the author found discussions with the following people helpful: Judy Bertelsen, Tim Erickson, Michelle Gabriel, Candice Hoke, Meg Holmberg, David Jefferson, Bob Kibrick, Mark Lindeman, John McCarthy, Lawrence Norden, Dennis Paull and Pam Smith.
This document was generated using the LaTeX2HTML translator Version 2002-2-1 (1.71)
Copyright © 1993, 1994, 1995, 1996,
Computer Based Learning Unit, University of Leeds.
Copyright © 1997, 1998, 1999, Ross Moore, Mathematics Department, Macquarie University, Sydney.
The command line arguments were:
latex2html -split 0 -show_section_numbers -local_icons -no_navigation jhall_evt08_html
The translation was initiated by Joseph Hall on 2008-07-01
When the tally is done by hand, there shall be no less than four persons for each office or proposition to be counted. One shall read from the ballot, the second shall keep watch for any error or improper vote, and the other two shall keep the tally.