The future of voting should not involve your cellphone, according to a leading cybersecurity expert. In a first-of-its-kind pilot program, West Virginia will test blockchain encrypted mobile phone voting for members of the U.S. military. But Joe Hall, chief technologist and director of internet architecture at the Center for Democracy & Technology, warned that the plan presents a host of risks. “West Virginia has taken the ridiculous step of deciding that they’re going to not only vote on a mobile device, which in and of itself is just a bad idea, but use a blockchain mechanism, something associated with crypto-currency or bitcoin,” Hall told Grant Burningham, host of the Yahoo News podcast “Bots & Ballots.” In a September interview with Burningham, venture capitalist Bradley Tusk argued that his foundation’s plan to test cellphone voting was a way to boost voter participation in the U.S. However, Hall believes the risks outweigh the possible benefits.
Pop quiz: which part of the federal government is tasked with preventing cyber interference in our elections? Congress has refused to say. We have reached a point of a significant gap between an important federal need and existing federal power. And in the absence of that federal power, federal agencies have stepped into the gap and extended their authority into domains unanticipated by Congress. Of course, there is clear statutory guidance for some aspects of protecting election integrity. We can think about preventing campaign interference in our elections. Portions of that job fall squarely within the domain of the Federal Elections Commission, which enforces campaign finance laws. We can also think about prosecution or punishment of those who engage in either foreign campaign interference, like the Justice Department’s recent criminal indictment of a Russian woman with interference in the 2018 midterm elections, or foreign cyber interference, like actions from the Obama and Trump administrations to sanction those who interfere with election systems in the United States. But that’s focused on punishing election interference that has already occurred.
Just days before a pivotal midterm congressional election, dozens of jurisdictions around the country go to polls without a paper backup for electronic voting systems. The shortfall comes despite nearly two years of warnings from cybersecurity experts that in the absence of a paper backup system, voters’ intentions cannot be verified in case of a cyberattack that alters election databases. Fourteen states will conduct the midterm elections where voters will register their choices in an electronic form but will not leave behind any paper trail that could be used to audit and verify the outcome. Delaware, Georgia, Louisiana, New Jersey and South Carolina have no paper backup systems anywhere in the state. Nine other states have several jurisdictions without a physical alternative to electronic records — Arkansas, Florida, Indiana, Kansas, Kentucky, Mississippi, Pennsylvania, Tennessee and Texas.
The National Academy of Sciences report is blunt: “There is no realistic mechanism to fully secure vote casting and tabulation computer systems from cyber threats.” But election officials can and should audit votes — rather than performing time-consuming full recounts — before election results are certified to confirm their legitimacy, the report states. Risk-limiting audits are a relatively new way to double-check the results of an election after the fact. First implemented in Colorado in 2017, the audits examine a randomly chosen, statistically significant number of paper ballots and compare the results in those ballots to the actual result. They’re done no matter the margin of victory; suspicious results may trigger a full recount. “It’s an abbreviated recount, in a sense,” said Ronald Rivest, one of the inventors of the RSA public-key cryptosystem and a member of the NAS panel that wrote the report.
A group of security researchers and voting technology vendors trying to hash out cybersecurity requirements for voting systems once again butted heads over whether to require vendors to let anyone test their products. The subject arose during a teleconference late last week of the Voluntary Voting System Guidelines cyber working group. When election security consultant Neal McBurnett suggested that the new guidelines require vendors to make products available for open-ended vulnerability testing, Joel Franklin of voting giant Election Systems & Software shot back with a question: “Is there other software tied to critical infrastructure software that’s open to public OEVT?” Franklin said he wasn’t dismissing the value of OEVT. “I’m just wondering if we’re putting an undue burden on voting systems when there are computers in nuclear security and every other critical infrastructure industry” that aren’t available for OEVT.
lection officials across the US are inundated and confused by the plethora of free cyber-security offerings that the private sector has made available in the past months, a Department of Homeland Security official said last week. … But while the actions of these companies were driven by a desire to help, a DHS official says these free offerings have managed to create confusion with some election officials. “So what we’ve seen is a lot of the cyber-security companies and the IT companies offering free services, which I think is a great move forward,” said Christopher Krebs, Under Secretary for National Protection and Programs Directorate at the DHS, in an interview on the Cyberlaw Podcast, last week.
Election officials across the country have closed thousands of polling places and reduced the number of workers staffing them in recent years, citing cost savings and other new realities like increased early and absentee balloting. However, days from what many expect will be one of the busiest midterm elections in decades, the burden of Americans’ shrinking access to in-person voting options is falling more heavily on urban areas and minority voters, a USA TODAY analysis of national and state data shows. Voting rights advocates say the disappearance of polling sites could create confusion about where to vote, and thinner staffing of remaining sites could mean longer lines. Those problems, they fear, could shrink voter turnout in some neighborhoods.
Since the adoption of electronic voting machines in the 1990s, election experts have argued that paper records are critical for auditing elections and detecting potential tampering with vote tallies. The issue gained new prominence following the 2016 elections, which spurred multiple investigations into allegations of Russian interference in the electoral process. In a panel discussion hosted by Princeton’s Center for Information Technology Policy (CITP), experts examined the state of U.S. election security. The moderator Ed Felten, the Robert E. Kahn Professor of Computer Science and Public Affairs and director of CITP, opened the discussion by noting that “Princeton has quite a bit of expertise in this area.” He cited two faculty members working in election technology and policy, Andrew Appel and Jonathan Mayer. Appel, the Eugene Higgins Professor of Computer Science, recently served as a member of the National Academies’ Committee on the Future of Voting, while Mayer, assistant professor of computer science and public affairs, recently developed bipartisan election security legislation as a staffer in the United States Senate. Also on the panel was Marian Schneider, a former Pennsylvania elections official and the president of Verified Voting, a nonprofit organization that aims to improve election security practices.
Sometimes, it’s the scale. Hundreds of thousands of votes take longer to tally than just a few, so huge urban areas often lag behind smaller places. Other times, it’s the mail. California, for instance, where there are seven tight House races, is notoriously slow, in part because more than half of voters opt to use vote-by-mail ballots (a.k.a. “absentee” ballots in some places). California ballots postmarked on Election Day have three days to show up at county elections offices. A few other states allow a week or 10 days; Alaska will accept ballots from abroad up to 15 days later. “I’ve always speculated about a worst-case scenario where an Alaska Senate seat could determine control of the U.S. Senate, and there may still be ballots sitting at local ‘post offices,’” said Paul Gronke, director of the Early Voting Information Center at Reed College, in an email. “Post office,” he said, could actually mean a remote bait shop or grocery store from which ballots would need to be airlifted, validated and counted.
Arizona: Maricopa County to rely on employees, not tech company, during next election | Downtown Devil
The Maricopa County Recorder’s Office is turning to county employees to set up voting equipment instead of hiring a technology company for the general election in November after facing criticism for reports of delays in the opening of polling sites in the primary election in August. Maricopa Recorder Adrian Fontes said reports of delays from…
A federal judge is considering ordering Georgia election officials to ensure that hundreds of new U.S. citizens can vote in next week’s election. U.S. District Judge Eleanor Ross heard testimony Monday from voting rights groups who say many newly naturalized Americans have registered to vote but are being turned away at early-voting locations because their citizenship status hasn’t been updated in government computers. Ross said she’ll rule quickly before Election Day on Nov. 6. The plaintiffs in the lawsuit asked Ross to order county election workers to put voters who have proved their citizenship on the state’s list of active registered voters. At least 3,667 voter registration applications are on hold in Georgia because their citizenship couldn’t be verified by state driver’s license records. But those records aren’t often updated until Georgians renew their licenses, so those who became citizens after receiving their licenses are being flagged by the state until they show naturalization papers or a U.S. passport.
Iowa officials say they are using old-school technology — namely paper ballots — to thwart cyberterrorists employing sophisticated methods from trying to hack into the state’s voting systems. Iowa officials held a Statehouse news conference Monday to assure voters who already are casting early ballots in the run-up to the Nov. 6 general election that steps are being taken to ensure the integrity of the process and trust in the final outcome. “We vote on paper ballots,” said Iowa Secretary of State Paul Pate, who is on that ballot because he faces a challenge from Democrat Deidre DeJear. “This a crucial security measure. You can’t hack a paper ballot.” The state of Iowa’s computer systems face thousands of attacks on a daily basis, said Jeff Franklin of the Iowa Office of the Chief Information Officer. However, there is no evidence of any unauthorized intrusions into the election system, he noted, mainly because outside of voter registration very little of Iowa’s process or voting equipment is web-based.
It’s true that if Alejandro Rangel wants to vote on election day, he has to get out of Dodge. But that is not the whole story. Befitting its status as an iconic city of the American West with a reputation built around legendary outlaws and mythical lawmen, Dodge City is now caught in the middle of a political gunfight that has swiftly generated its own half-truths and spiraled into a national controversy. The Democrats drew first, pointing out that the only place to vote in Dodge City on election day is being moved two and a half miles from the city center to an exhibition hall in what amounts to an urban wilderness. The move, they said, will further disenfranchise Latinos who make up a majority of the city’s residents but turn out to vote in very low numbers and have no one from their community elected to the city or county commissions.
The voter registration law known as Senate Bill 3 will stay in place through the upcoming midterms, after the New Hampshire Supreme Court on Friday overruled a lower court’s order that would have put the law on hold. The decision from the high court capped off a rollercoaster week for election officials in New Hampshire. On Monday, Hillsborough County Superior Court Judge Kenneth Brown ordered them to stop using Senate Bill 3 (or “SB3”) in the upcoming midterms. By Wednesday, the state said, essentially, “Not so fast.” Arguing that it was too late to make any substantial changes to the registration process and that Brown’s instructions would burden pollworkers, state election officials asked both Brown and the New Hampshire Supreme Court for permission to keep the law in place. (The opposing attorneys challenging SB3, meanwhile, called this “a thinly-veiled attempt to create a record of difficulty and confusion where there really is none” so the state could avoid compliance with Brown’s order.)
In an effort to secure elections and voting in New Jersey, three bills sponsored by Assemblyman Vince Mazzeo and Assemblyman Roy Freiman were advanced by the Assembly State and Local Government Committee on Oct. 18. The first bill (A-3991) sponsored by Mazzeo establishes the “New Jersey Elections Security Act,” which would allow New Jersey to transition to a paper ballot voting system. “New Jersey is only one of a handful of states that uses voting machines and does not provide a paper record, which makes it difficult to detect hacking,” said Mazzeo, D-Atlantic. Since it is evident in the current climate we live in that no federal action will be taken to protect our voters, we must take it upon ourselves to preserve democracy by ensuring safety for voters and allowing them to fairly have a say in their representatives.”
Native American residents of North Dakota have been left scrambling to meet a controversial voter ID requirement that could render many ineligible to vote in the upcoming November mid-term elections. Earlier this month, the Supreme Court declined to overturn the GOP-backed voter law, which requires North Dakotans to show identification with their current street address. As many Native American reservations do not use physical street addresses, the law makes it difficult for thousands of people to cast their ballots. While Native American residents do often use PO boxes as mailing addresses, PO boxes do not qualify as proof of residency under the voter ID law. As a result, many voters will have to make the effort to obtain identification or documents, such as a tribal voting letter issued by tribal officials, that provide proof of a residential address.
Texas: Texans say glitchy voting machines are changing their ballots. The state blames user error. | The Washington Post
“Make sure to confirm that your summary page accurately reflects your choices BEFORE casting your ballot!” reads a flier distributed by the Texas secretary of state’s election division to state polling locations. The notice was the agency’s quick fix for a glitch in its widely used Hart eSlate voting machines. Texas native Peter Martin, 69, was one of many who missed the message. “I’ve always voted. It’s the only opportunity that I have to make any sort of difference in terms of politics,” he said. When the registered independent went to a recreational center in Grapevine, Tex., last week, he planned to vote for Senate hopeful Beto O’Rourke. The Hart machine offered a fast-tracked option for straight-ticket voters. Martin selected it, expecting the machine to populate an all-Democrat ballot.
Voters from around the state have reported a curious thing happening at the polls this week: They meant to vote straight-ticket but when they reviewed their final list of selected candidates, someone from an opposing party was picked instead. Some people wondered if there was malfeasance. Others blamed malfunctioning voting machines. And both Democrats and Republicans have tried to warn voters in their respective parties. But according to the Texas secretary of state’s office, the voting machines are not at fault. Rather, the problems reported are the result of “voters hitting a button or using the selection wheel before the screen is finished rendering,” which de-selects the pre-filled candidate selection. “The issue is occurring primarily with the U.S. Senate race selections, because it is at the top of the ballot,” said Sam Taylor, a spokesman for the secretary of state. On Saturday, that office said that it has only been notified of fewer than 20 related issues. “In each case, these voters were able to properly review and cast a ballot that accurately reflected the choices they made,” the office said in a statement.
Afghanistan: Suicide bomber targets Afghanistan’s election commission headquarters in Kabul | The Defense Post
A suicide bomber targeting the headquarters of Afghanistan’s Independent Election Commission on Monday killed at least one person and wounded six, officials said, in the latest violence to strike the controversial poll. One police officer was killed when the militant, who was on foot, blew up near a vehicle carrying IEC employees as it entered the base at 8 a.m. (0330 GMT). Four election workers and two other police officers were also wounded in the blast. The attacker was “identified and gunned down by police before reaching his target,” Kabul police spokesperson Basir Mujahid told reporters.
Brazilian authorities reiterated that the electronic voting machines used in the country’s elections are completely fraud-proof prior to the run-off, which took place on yesterday (29). In a public service announcement run on national television and radio on Saturday night, the minister at the Superior Electoral Tribunal (TSE) Justice Rosa Weber highlighted the security of the electronic polling machines in use in Brazil and the danger of fake news dissemination. To ensure a smooth election involving nearly 148 million citizens in Brazil, where voting is compulsory, Weber said the electoral justice took “various measures to prevent and correct any possible failures.”
Neither of the two front-runners in Georgia’s presidential election was likely to win enough votes to secure victory in the first round of voting, the first officials results show. The Central Election Commission (CEC) said that according to results from 14 percent of the polling stations, Salome Zurabishvili secured 40 percent of the vote and Grigol Vashadze won nearly 38 percent. Zurabishvili, a French-born former foreign minister, has the backing of the ruling Georgian Dream party. Vashadze, also an ex-foreign minister, is running for the opposition United National Movement (UNM). Their closest challenger, former parliament speaker Davit Bakradze, who was nominated by the opposition European Georgia party, was a distant third with 10.8 percent of the votes.
A police report has been lodged by a Kuala Selangor PKR candidate after a jammer device was found allegedly used to sabotage the party polls. According to the report sighted by The Star, Kuala Selangor PKR Youth chief candidate R Sabahbathi said the device was found by district council workers at about 2pm on Sunday while they were cleaning up the Kuala Selangor Indoor Stadium where the election was supposed to take place. He said the device was allegedly placed on the floor at the spectators’ seats since 10.30am when polling just started. It had a metal casing with six antennas, and labels that read “4G” and “WiFi”. “All the Internet data cannot be used forcing eligible voters not to be able to cast their votes,” he said in the report, which was lodged at the Kuala Selangor police headquarters.
The leader of Sweden’s Social Democrats, Stefan Lofven, on Monday abandoned efforts to form a government, extending a political deadlock that has gripped the country since an inconclusive national election seven weeks ago. The failed attempt brought the prospect of a snap election closer, though the speaker of parliament said he would try to avoid that at all costs. The Sept. 9 vote gave the anti-immigrant Sweden Democrats hold the balance of power, but neither Lofven’s center-left bloc nor the center-right group of parties has been willing to give them a say in policy due to their white supremacist roots. “In light of the responses I have had so far … the possibility does not exist for me to build a government that can be accepted by parliament,” Lofven told reporters.
Media Release: Verified Voting Calls on Texas to Investigate Straight-Ticket Voting Issues; Voters Should Carefully Check Choices
Marian K. Schneider: “Verified Voting urges Secretary of State Rolando Pablos to move Texas toward reliable, verifiable voting systems that include a voter-marked paper ballot statewide.” The following is a statement from Marian K. Schneider, president of Verified Voting, in response to reports that voters in six counties in Texas (Harris, Montgomery, Fort Bend, Travis,…
It was the kind of security lapse that gives election officials nightmares. In 2017, a private contractor left data on Chicago’s 1.8 million registered voters — including addresses, birth dates and partial Social Security numbers — publicly exposed for months on an Amazon cloud server. Later, at a tense hearing , Chicago’s Board of Elections dressed down the top three executives of Election Systems & Software, the nation’s dominant supplier of election equipment and services. The three shifted uneasily on folding chairs as board members grilled them about what went wrong. ES&S CEO Tom Burt apologized and repeatedly stressed that there was no evidence hackers downloaded the data. The Chicago lapse provided a rare moment of public accountability for the closely held businesses that have come to serve as front-line guardians of U.S. election security. A trio of companies — ES&S of Omaha, Nebraska; Dominion Voting Systems of Denver and Hart InterCivic of Austin, Texas — sell and service more than 90 percent of the machinery on which votes are cast and results tabulated. Experts say they have long skimped on security in favor of convenience, making it more difficult to detect intrusions such as occurred in Russia’s 2016 election meddling. The businesses also face no significant federal oversight and operate under a shroud of financial and operational secrecy despite their pivotal role underpinning American democracy.
The Department of Homeland Security is “more prepared than we’ve ever been” to ensure the security of the Nov. 6 midterm elections, Homeland Security Secretary Kirstjen Nielsen said Sunday. “The goal here … is absolutely to assure Americans that their votes will count and their votes will be counted correctly,” Nielsen told “Fox News Sunday.” “We are constantly monitoring, constantly working with them, sharing information.” Among other measures , Nielsen said, her department will be establishing a “virtual situation room.” “We will be setting up a virtual situation rom on Election Day so we can very quickly support any incident response that’s needed and so we can share any information,” Nielsen said.
In March, officials from 38 states packed into a conference hall in Cambridge, Massachusetts, for a two-day election simulation exercise that was run like a war game. More than 120 state and local election officials, communications directors, IT managers, and secretaries of state ran drills simulating security catastrophes that could happen on the worst Election Day imaginable. The tabletop exercise began each simulation months before the Nov. 6 midterm elections, accelerating the timeline until states were countering attacks in real time as voters went to the polls. Organized by the Defending Digital Democracy (D3P) project at Harvard, a bipartisan effort to protect democratic processes from cyber and information attacks, the drills forced participants to respond to one nightmare scenario after another—voting machine and voter database hacks, distributed denial of service (DDoS) attacks taking down websites, leaked misinformation about candidates, fake polling information disseminated to suppress votes, and social media campaigns coordinated by nation-state attackers to sow distrust.
National: Researcher finds trove of political fundraising, old voter data on open internet | CyberScoop
A consulting firm that works with Democratic campaigns unknowingly left sensitive fundraiser information and credentials to old voter record databases open on the internet, according to a report published on Wednesday. Cybersecurity company Hacken says it discovered an unprotected network-attached storage (NAS) device managed by Rice Consulting, a Maryland firm that provides fundraising and mass communication to Democratic clients. Authentication was reportedly disabled on the NAS, and Hacken says that it was indexed by Shodan, an Internet-of-Things search engine. With its contents publicly accessible, the NAS revealed details about Rice Consulting’s clients as well as details about “thousands of fundraisers,” Hacken says. Those details include names, phone numbers, emails, addresses and companies. There were apparently also contracts, meeting notes, desktop backups and employee details. Rice Consulting did not respond to an email request for comment on the Hacken report. When CyberScoop called the firm, the person who answered said “There’s no one here who can tell you anything,” and hung up.
Congress did not pass the bipartisan Secure Elections Act. This means in the two years since Russian interference disrupted our election systems, we have failed to improve security around the technologies that support our election processes. Legislating a fix to the problem is proving futile. It’s time to ask ourselves – as citizens, elected leaders, technologists and those interested in protecting our democracy – what else we can do to improve election security. A recent report delivered to Capitol Hill found that “election machines used in more than half of U.S. states carry a flaw disclosed more than a decade ago that makes them vulnerable to a cyberattack,” according The Wall Street Journal. Shouldn’t we view our elections through the lens not just of security, but safety? Think about it this way: we have the NTSB for travel, the FDA for food, OSHA for workplace safety. We would scarcely accept 50 percent of cars on the road to be faulty or 50 percent of food on grocery store shelves to be tainted.
Voting Blogs: Ten ways to make voting machines cheat with plausible deniability | Andrew Appel/Freedom to Tinker
Voting machines can be hacked; risk-limiting audits of paper ballots can detect incorrect outcomes, whether from hacked voting machines or programming inaccuracies; recounts of paper ballots can correct those outcomes; but some methods for producing paper ballots are more auditable and recountable than others.
A now-standard principle of computer-counted public elections is, use a voter-verified paper ballot, so that in case the voting machine cheats in counting the votes, the human doing an audit or recount can see the paper that the voter marked. Why would the voting machine cheat? Well, they’re computers, and any computer may have security vulnerabilities that permits an attacker to modify or replace its software. We must presume that any voting machine might, at any time, be under the complete control of an attacker, an election thief.