Busting the Paper Ballot: Voting Meets Adversarial Machine Learning
Kaleel Mahmood, Caleb Manicke, Ethan Rathbun, Aayushi Verma, Sohaib Ahmad, Nicholas Stamatakis, Laurent Michel, Benjamin Fuller

TL;DR
This paper investigates the security vulnerabilities of machine learning classifiers used in US election ballot tabulation, demonstrating potential physical-world adversarial attacks that could influence election outcomes.
Contribution
The study introduces new ballot datasets, evaluates various models, analyzes gradient masking issues, and demonstrates feasible physical adversarial attacks on election ballots.
Findings
Traditional white box attacks are ineffective due to gradient masking.
Gradient masking results from numerical instability, which can be mitigated.
Physical adversarial attacks can potentially flip election outcomes with low success rates.
Abstract
We show the security risk associated with using machine learning classifiers in United States election tabulators. The central classification task in election tabulation is deciding whether a mark does or does not appear on a bubble associated to an alternative in a contest on the ballot. Barretto et al. (E-Vote-ID 2021) reported that convolutional neural networks are a viable option in this field, as they outperform simple feature-based classifiers. Our contributions to election security can be divided into four parts. To demonstrate and analyze the hypothetical vulnerability of machine learning models on election tabulators, we first introduce four new ballot datasets. Second, we train and test a variety of different models on our new datasets. These models include support vector machines, convolutional neural networks (a basic CNN, VGG and ResNet), and vision transformers (Twins…
Taxonomy
Topics: Adversarial Robustness in Machine Learning
Methods: FLIP
