Author - Barbara Simons

Verified Voting Blog: What if Volkswagen made Voting Machines?

Volkswagen stock plummeted today, because of accusations by the Environmental Protection Agency that VW uses software that turns on its emission control device when the software detects that one of its diesel cars is undergoing emission testing. When not being tested, the software disables the device, thereby causing the car to spew as much as 40 times the pollution limit of the Clean Air Act.

Like VW cars, modern voting machines contain software that is tested before use in elections. It would not be difficult to write voting machine software that would, like the VW software, know when it is being tested, and thus behave correctly during testing but not during an actual election. If such behavior were detected after an election, the vendor stock would plummet, but so would voter confidence in the outcome of the election. Furthermore, in the case of some voting systems that cannot be legitimately recounted, such as paperless voting machines or online votes, there would be no way to determine after the election if the declared winners were the actual winners.

Verified Voting Blog: Online voting rife with hazards

This column was originally posted ar USA Today on November 4, 2014.

Today Americans are voting in an election that could shift control of the U.S. Senate and significantly impact the direction our nation will take in the next few years. Yet, 31 states will allow over 3 million voters to cast ballots over the Internet in this election, a practice that computer security experts in both the federal government and the private sector have warned is neither secure nor trustworthy. Most states’ online voting is limited to military and overseas voters, but Alaska now permits all voters to vote over the Internet. With a hotly contested Senate seat in Alaska, the use of an online voting system raises serious concerns about the integrity of Alaska’s election results. Alaska’s State Election Division has even acknowledged that its “secure online voting solution” may not be all that secure by posting this disclaimer on its website: “When returning the ballot through the secure online voting solution, your are [sic] voluntarily waving [sic] your right to a secret ballot and are assuming the risk that a faulty transmission may occur.”

Unfortunately, faulty transmission is only one of the risks of Internet voting. There are countless ways ballots cast over the Internet can be hacked and modified by cyber criminals. The National Institute of Standards and Technology, at the direction of Congress, has conducted extensive research into Internet voting in the last decade and published several reports that outline all the ways votes sent over the Internet can be manipulated without detection. After warning that there are many possible attacks that could have an undiscovered large-scale impact, the institute concluded that secure Internet voting is not yet achievable.

Verified Voting Blog: Recount Roulette

We risk an election meltdown worse than the Florida 2000 debacle when the presidential election came down to hanging chads and chaos. This time we are looking at another razor close result and perhaps another recount. However, if a recount is required in either of two key states — Virginia and Pennsylvania — we risk catastrophe, because most of those votes will be cast on paperless voting machines that are impossible to recount. To make matters even worse, the wake of superstorm Sandy could cause disruption on Election Day. Polling places without paper ballots that lack power will have to close, resulting in voter disenfranchisement. This is inexcusable, especially as voting advocates have long urged states to provide emergency paper ballots. Other states present their own hazardous recount challenges. About one quarter of voters nationwide will use paperless direct-recording electronic (DRE) voting machines, most of which have touch screens. Unfortunately, the DRE software can store voters’ choices incorrectly.

Colorado: Voting in Colorado

Arapahoe County Colorado was in the news the week with the Denver Post reporting that envelopes containing absentee ballots mailed to over 230,000 voters included “I Voted” stickers, which rubbed up against the ballot and in some cases left a faint, near-linear mark that appeared exactly where voters draw a line to select their candidates. The Secretary of State has issued a list of procedures to address the potential of un-readable ballots and because there is a software independent record of the voted, officials are confident that the problem can be resolved. Unfortunately not all potential problems with the Colorado’s voting technology can be resolved.

For polling place and early voting, Colorado uses Direct Recording Electronic (DRE) machines and paper based optical scan systems as well as at least two counties doing hand count of paper ballots. About 70% of ballots cast in Colorado are returned by mail. Some counties have only residual use of DRE to satisfy HAVA requirements, others collect substantial votes on DRE in precinct polling places. Some counties receive paper ballots at polling places but count them centrally by optical scan.

Verified Voting Blog: Internet Voting in the U.S.

This article appears in the October 2012 issue of Communications of the ACM

The assertion that Internet voting is the wave of the future has become commonplace. We frequently are asked, “If I can bank online, why can’t I vote online?” The question assumes that online banking is safe and secure. However, banks routinely and quietly replenish funds lost to online fraud in order to maintain public confidence. We are told Internet voting would help citizens living abroad or in the military who currently have difficulty voting. Recent federal legislation to improve the voting process for overseas citizens is a response to that problem. The legislation, which has eliminated most delays, requires states to provide downloadable blank ballots but does not require the insecure return of voted ballots.

Yet another claim is that email voting is safer than Web-based voting, but no email program in widespread use today provides direct support for encrypted email. As a result, attachments are generally sent in the clear, and email ballots are easy to intercept and inspect, violating voters’ right to a secret ballot. Intercepted ballots may be modified or discarded without forwarding. Moreover, the ease with which a From header can be forged means it is relatively simple to produce large numbers of forged ballots. These special risks faced by email ballots are in addition to the general risks posed by all Internet-based voting schemes.

Full Article: Internet Voting in the U.S. | October 2012 | Communications of the ACM.

Verified Voting Blog: Virginia – the new Florida?

There are many ways in which Virginia 2012 could resemble the Florida 2000 – only worse. At least in 2000 there were paper ballots to recount in Florida.  But only 7 out of 134 Virginia localities (Virginia terminology for counties and independent cities) do not use paperless  Direct Recording Electronic (DRE) voting machines. If a DRE loses or miscounts ballots, it is essentially impossible to determine the correct results.

As if to guarantee that it will be impossible ever to verify an election in Virginia, Virginia law actually prohibits manual post-election ballot audits of paper ballots, except in extremely narrow and unlikely circumstances. This prevents election verification even in the 7 localities that have no paperless DREs (Chesterfield, Gloucester, Hanover, New Kent, Wythe, Fredericksburg, and Williamburg), together with the 30 other localities that have a mix of paper ballots and paperless voting machines.  Unless the anti-verification law is repealed, Virginia will continue to be a poster child for how not to run an election, even after Virginia replaces all of its antiquated paperless DREs with paper ballot based optical scan systems, as it should. But it gets worse.

Verified Voting Blog: Ohio – Improved but Still a Concern

Ohio’s status as a large battleground state means that problems in Ohio could have a significant impact nationwide. Although Ohio is in better shape than a number of states because there are no paperless voting machines,The major concern is that about half the counties use Direct Recording Electronic (DRE) machines, though they are equipped with Voter Verified Paper Audit Trail (VVPAT) printers. In theory a VVPAT is supposed to accurately represent the choices the voter makes with the touch screen machine. In practice, VVPATs can be difficult and even confusing to read. Tests have shown that most voters do not bother to check the VVPAT.  Therefore, VVPATs offer only limited protection against election theft. Someone wishing to steal an election could change both the electronic version of the voter’s choices and the VVPAT, while retaining the correct version on the DRE screen, so that the change would not be obvious to the voter.  If the voter happens to notice and void the VVPAT, election rigging software could print and store in memory the voter’s correct choices. That way, the VVPAT results would match the electronic ones, even though the overall result was rigged.

Verified Voting Blog: Report on the Estonian Internet Voting System

I visited Estonia in mid-July of this year at the invitation of Edgar Savisaar, the country’s first prime minister and current mayor of Tallinn. Mr. Savisaar is the leader of the Centre Party, which placed second in recent national elections. The Centre Party and Mr. Savisaar have been questioning the outcome of the Internet voting portion of those elections. They invited me to Estonia because of a presentation I made at a European Parliament panel on the risks of Internet voting.

I told my hosts that I was happy to discuss the risks of Internet voting, but I would not comment on internal Estonian politics. When asked whether or not I thought the national election was rigged, I refused to comment, aside from saying that no one could prove that it was or was not rigged, because there is no way to conduct a recount of an Internet election.

The Internet portion of the 2011 election lasted from February 24 to March 2, with paper balloting conducted on March 6. The Internet vote was counted the evening of March 6. Estonian law allows complaints to be submitted only during the 3 days immediately following the procedure being challenged. Since Internet voting is considered separate from paper voting, the final day for submitting complaints about Internet voting was March 5. Graduate student Paavo Pihelgas was the only person who submitted a complaint by the deadline. (The Centre Party and independent candidates tried to file complaints, but they did not do so within the required 72 hour time frame).

Verified Voting Blog: Internet Voting – Not as Easy as You Think

Recently the Huffington Post published an article about Hawaii’s recent Internet and phone-based elections (“America’s Newest State Holds America’s Newest Election“). The article presents an optimistic and patriotic view of the Everyone Counts (E1C) election system that allows voters to cast their ballots from their home computers or over the phone. It was written by E1C executive Aaron Contorer and is effectively a marketing piece for E1C that exaggerates the scope of the election, overlooks or insults other election methods, and glosses over the formidable technical challenges and dangers posed by the electronic submission of voted ballots.

The election in Honolulu was for neighborhood board members, and thus was not covered by Hawaii’s public election laws. That matters because Hawaii’s election laws, fortunately, require a voter-verified paper ballot and a post-election hand audit of a percentage of these ballots. Since such verification and audits are impossible with a purely Internet-based voting system, there is no legal way to use the E1C system under current Hawaii state law. Nevertheless, because this small election is being used to promote Internet voting generally, and because Internet voting schemes are being proposed across the United States, the issue demands thorough discussion. In response to multiple efforts to allow voting over the Internet in major elections, many of our nation’s prominent technology experts have signed a statement cautioning against adopting Internet-based voting systems without first understanding and guarding against the numerous and well-documented dangers. This is not because, as Mr. Contorer suggests, those opposing Internet voting find “[t]he introduction of technology to any process … scary”. The signatories to this statement are not at all intimidated by technology; in fact many are established experts in voting systems who are most certainly aware of the major risks associated with Internet voting.