From the Verified Voting Blog

Posts from the Verified Voting Blog.

Duncan Buell: Patriocracy Overlooks Internet Voting Security Concerns | Verified Voting Blog

Jan 212012

The League of Women Voters of South Carolina recently screened “Patriocracy,” a new film by Brian Malone, who attended the screening and participated in a question and answer event afterward. The film focuses on the question of whether the US political system is broken because politics have become too partisan and the unwillingness of polarized groups to compromise. My primary motivation in writing this review stems from a segment of the film that featured Americans Elect COO Elliot Ackerman making the familiar and discredited argument that if we can bank and shop online we can vote online. Read More »

Roadmap for Future California Elections | Verified Voting Blog

Dec 312011

When it comes to elections, what does California do well? What could California do better? How have we led, and how have we perhaps lagged behind? These are questions that a diverse group of individuals and organizations asked themselves and one another over the course of three months, with an aim to envision the future of California’s elections.

Download the Roadmap for Future California Elections (pdf)

It turned out to be an extraordinary conversation and a process which could very well serve as a model for other states as well. One driving force in the process was the convening organization, the James Irvine Foundation, which has long worked on issues of importance to Californians. The participants included a diverse range of representatives with a concern for voters and not-yet voters, for elections and how they function, and for California’s democracy. Read More »

David Jefferson: If I can shop and bank online, why can’t I vote online?

Nov 052011

There is widespread pressure around the country today for the introduction of some form of Internet voting in public elections that would allow people to vote online, all electronically, from their own personal computers or mobile devices. Proponents argue that Internet voting would offer greater speed and convenience, particularly for overseas and military voters and, in fact, any voters allowed to vote that way.

However, computer and network security experts are virtually unanimous in pointing out that online voting is an exceedingly dangerous threat to the integrity of U.S. elections. There is no way with current technology to guarantee that the security, privacy, and transparency requirements for elections can all be met with any security technology in the foreseeable future. Anyone from a disaffected misfit individual to a national intelligence agency can remotely attack an online election, modifying or filtering ballots in ways that are undetectable and uncorrectable of just disrupting the election and creating havoc. There are a host of such attacks that can be used singly or in combination. In the cyber security world today almost all of the advantages are with attackers, and any of these attacks can result in the wrong persons being elected, or initiatives wrongly passed or rejected.

Nonetheless, the proponents point to the fact that millions of people regularly bank and shop online every day without apparent problems,. They note that an online voting transaction resembles an ecommerce transaction, at least superficially. You connect your browser to the appropriate site, authenticate yourself, make your choices with the mouse, click on a final confirmation button, and you are done! All of the potential attacks alluded above apply equally to shopping and banking services, so what is the difference? People ask, quite naturally, “If it is safe to do my banking and shopping online, why can’t I vote online?”

This is a very fair question, and it deserves a careful, thorough answer because the reasons are not obvious. Unfortunately it requires substantial development to explain fully. But in brief, our answer is in two-parts:

1. It is not actually “safe” to conduct ecommerce transactions online. It is in fact very risky, more so every day, and essentially all those risks apply equally to online voting transactions.

2. The technical security, privacy, and transparency requirements for voting are structurally different from, and much more stringent than, those for ecommerce transactions. Even if ecommerce transactions were safe, the security technology underpinning them would not suffice for voting. In particular, the security and privacy requirements for voting are unique and in tension in a way that has no analog in the ecommerce world.

The <a href=”http://thevotingnews.com/docs/Jefferson_IV_Revised.pdf”>full essay (PDF)</a> expands upon these two points in order.

Full Article: If I can shop and bank online, why can’t I vote online? | Verified Voting Blog.

How Voting Equipment Varies in the U.S.

Oct 252011

The following article was posted at Digital Communities on October 24 2011.

Pamela Smith and the Verified Voting Foundation (VVF) are on a mission — in her words — “to safeguard elections in the digital age.” In an earlier time, she said, ballot boxes were inspected the morning before voting began then were padlocked. Voters would insert their paper ballots, and when the polls closed, officials would unlock the boxes and count the ballots. Smith, the foundation’s president, isn’t advocating a return to those simpler days, but she says that some modern electronic voting systems present unique challenges that make democracy vulnerable to tampering.

With some systems, said Smith, the voter marks a paper ballot, which then goes through an electronic scanner for tallying the vote. With that kind of system, she said, there’s a hard-copy record of the vote that can be used to audit accuracy, or in the event of a recount. The foundation’s map of “America’s Voting Systems in 2010” show a broad range of systems, from Oregon’s vote-by-mail to South Carolina’s “DRE without VVPAT,” which signifies a direct recording electronic voting machine that has no voter-verified paper audit trail. Read More »

MIT to host Cal/Tech Voting Technology Project Seminar Election Integrity: Past, Present, and Future

Sep 272011

Hosted by the Caltech/MIT Voting Technology Project, a seminar entitled “Election Integrity: Past, Present, and Future” will commemorate the 25th anniversary of the First National Symposium on Security and Reliability of Computers in the Electoral Process, held in Boston in 1986.   The panelists will look back at the issues that first aroused concerns about the use of computers in public elections a quarter of a century ago, then assess the current situation and future directions for enhancing election integrity. The goal is also to continue dialogues among all stakeholders in the election process, including election administrators, technical professionals, academics, citizens, and vendors. There will be a Q&A period following each panel.

From the MIT website:

A renewed focus on voting technologies and election administration erupted following the 2000 presidential election and the recount controversy in Florida. Since 2000, the focus of analysis has expanded to consider other vital aspects of U.S. public elections, including transparency and the public verification of election results.

Full Article: MIT to host Cal/Tech Voting Technology Project Seminar Election Integrity: Past, Present, and Future | Verified Voting Blog.

Report on the Estonian Internet Voting System

Sep 032011

I visited Estonia in mid-July of this year at the invitation of Edgar Savisaar, the country’s first prime minister and current mayor of Tallinn. Mr. Savisaar is the leader of the Centre Party, which placed second in recent national elections. The Centre Party and Mr. Savisaar have been questioning the outcome of the Internet voting portion of those elections. They invited me to Estonia because of a presentation I made at a European Parliament panel on the risks of Internet voting.

I told my hosts that I was happy to discuss the risks of Internet voting, but I would not comment on internal Estonian politics. When asked whether or not I thought the national election was rigged, I refused to comment, aside from saying that no one could prove that it was or was not rigged, because there is no way to conduct a recount of an Internet election.

The Internet portion of the 2011 election lasted from February 24 to March 2, with paper balloting conducted on March 6. The Internet vote was counted the evening of March 6. Estonian law allows complaints to be submitted only during the 3 days immediately following the procedure being challenged. Since Internet voting is considered separate from paper voting, the final day for submitting complaints about Internet voting was March 5. Graduate student Paavo Pihelgas was the only person who submitted a complaint by the deadline. (The Centre Party and independent candidates tried to file complaints, but they did not do so within the required 72 hour time frame).

Pihelgas asked the National Election Commission (NEC) to cancel the election results, since the possibility of election-rigging malware meant that there was no way to be sure that the voters’ preferences had been correctly recorded. NEC rejected his complaint the following day, saying that they have all the necessary provisions to detect such cases, without specifying what those provisions are. When Pihelgas resubmitted his complaint, it was forwarded to the Supreme Court. The Supreme Court dismissed the complaint on March 21, say that the voter can file a complaint only when his/her rights have been breached.

I have communicated with several Estonians before, during, and after my trip. I have also read a report written by a team from the OSCE/ODIHR (Organization for Security and Cooperation in Europe/Office for Democratic Institutions and Human Rights) who observed the March 2011 election, and I have talked with a member of the OSCE/ODIHR team. Based on the information I have obtained, I have concluded that the Internet voting system used in Estonia is insecure.

Read the Full Article at the Verified Voting Blog: Report on the Estonian Internet Voting System | Verified Voting Blog.

Let the MOVE Act have a chance to work before considering electronic return of ballots

Aug 082011

Military and overseas voters saw improvements in their ability to vote in 2010, thanks to the Military and Overseas Voter Empowerment Act (MOVE) passed in late 2009, according to a report to Congress last month by the Military Postal Service Agency (MPSA). The report indicates that MOVE will improve things further as its provisions become better known and implemented.

The MOVE Act required states to send ballots to military and overseas voters at least 45 days before election-day in federal elections so they have time to return their voted ballot. MPSA must pick up ballots for return to election offices no later than 7 days before election day. MOVE also sped up the process by requiring states to offer electronic transmission (website, email, fax) of blank ballots and registration materials.

The law stopped short of establishing electronic return of voted ballots because ballots cannot be secured against undetected interception and manipulation over the internet. New procedures were implemented for 2010, coordinating MPSA with USPS, including the use of Express Military Mail Service (EMMS) for uniformed overseas service members and their families.

Full Article: Let the MOVE Act have a chance to work before considering electronic return of ballots | Verified Voting Blog.

Voting machine problems in Mississippi primary highlight national concern | Verified Voting Blog

Aug 062011

In the August 3 primary in Mississippi voters experienced voting machine problems: candidates’ names and entire contests missing from the voting machine screens and equipment failing to booting up properly. Problems were reported in Hinds County, which uses the Advanced Voting Systems Winvote and in several counties that use the Premier (Diebold) TSx equipped with a voter-verifiable paper audit trail printer. Advanced Voting Systems has been out of business for several years after they failed to meet requirements for certification to Federal voting systems standards but their machines are still used in Hinds County and in several jurisdictions in Virginia. The same type of AVS machine produced still-unexplained anomalies in Fairfax County, Virginia in 2009. The majority of Mississippi counties use the Premier TSx and most are equipped with voter verified paper audit trail printers, though the printers are not required by state law or regulation.

In California, a top to bottom review of voting systems found the TSx to have numerous security vulnerabilities and in 2007 the Secretary of State established conditions of use that severely restrict the machine’s use and required 100% manual audits of the voter-verifiable paper trails. No such routine audit is required in Mississippi. Also in 2007, a team of computer scientists at Princeton demonstrated the ease with which the TSx could be hacked. Many States, including Iowa, Florida, and Virginia, where TSx machines have been used recently or remain in use, have either replaced the TSx or are phasing them out along with other direct-recording electronic voting machines.

Read the entire article: Voting machine problems in 2011 MS primary highlight national concern | Verified Voting Blog.

David Jefferson: Email Voting - A National Security Threat in Government Elections

Jun 222011

I am very concerned about the widespread push toward Internet voting in the U.S., of which email voting is just one kind. Neither the Internet itself, nor voters’ computers, nor the email vote collection servers are secure against any of a hundred different cyber attacks that might be launched by anyone in the world from a self-aggrandizing loner to a foreign intelligence agency. Such an attack might allow automated and undetectable modification or loss of any or all of the votes transmitted.

While all Internet voting systems are vulnerable to such attacks and thus should be unacceptable to anyone, email voting is by far the worst Internet voting choice from a national security point of view since it is the easiest to attack in the largest number of different ways.

The technical points I am about to state are not my opinions alone. The computer security research community in the U.S. is essentially unanimous in its condemnation of any currently feasible form of Internet voting, but most especially of email voting. I strongly urge legislators in states considering e-mail voting to request testimony from other independent computer network security experts who are not affiliated with or paid by any voting system vendor. Email voting is extremely dangerous in ways that people without strong technical background are not likely to anticipate.

Read the Entire Article

Philip Stark: Report on second risk-limiting audit under AB 2023 in Monterey County California

May 072011

The second risk-limiting audit under California AB 2023 was conducted on May 6 in Monterey County. The contest was a Special all-mail election for Monterey Peninsula Water Management District Director, Division 1. Monterey uses Sequoia equipment. There were two candidates: Brenda Lewis and Thomas M. Mancini, and write-ins. 2111 ballots were cast in all. The reported totals were 1353 reported for Lewis, 742 for Mancini, and 13 write-ins. The remaining 3 ballots were recorded as undervotes and overvotes. Lewis was reported to have 64.18% of the valid votes.

Two members of the public observed the entire audit process, which took roughly 90 minutes including some preliminary explanation of the procedure. They confirmed that their interpretation of the ballots agreed with mine and the elections officials’, and they helped roll the dice used to select ballots at random. In conversations afterward, they seemed quite satisfied with the transparency of the procedure (although perhaps not utterly convinced by the mathematics that justified the details).

Read the Full Article at the Verified Voting Blog

Luther Weeks: Democracy Theater - Online Voting is Risky and Expensive

Apr 302011

Online voting is an appealing option to speed voting for military and overseas voters. Yet it is actually “Democracy Theater”, providing an expensive, risky illusion of supporting our troops. Technologists warn of the unsolved technical challenges, while experience shows that the risks are tangible and pervasive. There are safer, less expensive solutions available.

This year, the Government Administration and Elections Committee held hearings on a bill for online voting for military voters. Later they approved a “technical bill”, S.B. 939. Tucked at the end was a paragraph requiring that the Secretary of the State “shall, within available appropriations, establish a method to allow for on-line voting by military personnel stationed out of state.”

In 2008, over thirty computer scientists, security experts and technicians signed the “Computer Technologists’ Statement on Internet Voting,” listing five unsolved technical challenges and concluding: “[W]e believe it is necessary to warn policymakers and the public that secure internet voting is a very hard technical problem, and that we should proceed with internet voting schemes only after thorough consideration of the technical and non-technical issues in doing so.”

Read the full article at the Verified Voting Blog

Jeremy Epstein: Oak Ridge, spear phishing, and i-voting

Apr 252011

Oak Ridge National Labs (one of the US national energy labs, along with Sandia, Livermore, Los Alamos, etc) had a bunch of people fall for a spear phishing attack (see articles in Computerworld and many other descriptions). For those not familiar with the term, spear phishing is sending targeted emails at specific recipients, designed to have them do an action (e.g., click on a link) that will install some form of software (e.g., to allow stealing information from their computers).

This is distinct from spam, where the goal is primarily to get you to purchase pharmaceuticals, or maybe install software, but in any case is widespread and not targeted at particular victims. Spear phishing is the same technique used in the Google Aurora (and related) cases last year, the RSA case earlier this year, Epsilon a few weeks ago, and doubtless many others that we haven’t heard about. Targets of spear phishing might be particular people within an organization (e.g., executives, or people on a particular project).

Read the Full Article at the Verified Voting Blog.

Disappointing Reversal on Transparency and Security for Washington Elections | Verified Voting Blog

Mar 082011

A bill aimed at reducing restriction to voting for military and other overseas voters passed the Washington State Senate by a 47-1 vote on Friday. Senate Bill 5171 contains many provisions that will certainly make voting easier for Washington citizens living overseas including moving the primary election date two weeks earlier and meeting requirements of the Federal MOVE Act for mailing of absentee ballots 45 days prior to the election. We strongly support those provisions.

However, the bill also will allow for the acceptance of absentee ballots returned by email and fax. In addition to requiring, by affidavit, that voters returning their ballots electronically forego the secrecy of their ballot, it also makes the state’s elections vulnerable to tampering and error.

Read the full article at the Verified Voting Blog