Verified Voting Blog: How the Internet Works

If we can use the Internet to deliver blank ballots, then why not use it to return voted ballots? Part of the answer lies with the nature of the Internet itself. If we are to be sure that the vote cast is the same as the vote counted, we need a way to guarantee that 1) the voted ballot has not been substituted or altered in transit, and 2) the ballot received actually was sent by the voter, not someone impersonating them. But due to the way the Internet currently works, neither of these conditions can be assured. Before looking at sending ballots via Email, it’s helpful to understand how all Internet communication works, whether it be an email, website, file download, or tweet. What we now call the Internet grew out of research on connecting computers of different types and at different locations into a single network. One of the problems facing researchers was how to move electronic information reliably on pathways that are unknown and unpredictable. Two computers might be connected via a wire across the room, or across a huge network of sub-connections spanning the planet.

Verified Voting Blog: On India’s Electronic Voting Controversy

For Americans who care about verified elections, recent events in India are resonant.  Verified Voting applauds the advocates, ordinary citizens and technologists who are working for accountable voting in the world’s largest democracy.  We support calls for the government of India  to 1) engage constructively, rather than persecute, technologists who have conducted critical research on Indian voting systems; and 2) take immediate steps toward a verifiable voting process suited to India’s needs.

A bit of background for Americans who have not yet tuned in to the controversy:  India adopted a nationwide system of paperless direct-recording electronic voting machines in 2004.  Early on, some Indian computer security experts pointed to the inherent vulnerability of a purely electronic voting process, and a number of journalists and candidates for office raised concerns.  The machines in India are much simpler than those used in America, but are no less vulnerable to wholesale attacks originating from the voting system vendor, and are prone to a number of serious machine-by-machine “retail” attacks.

Verified Voting Blog: Internet Voting – An Introduction

In a wired world, it was inevitable that the subject of Internet Voting become a hot topic sooner rather than later. But more than just a topic of discussion, this year eighteen states will allow overseas ballots to be returned via email in November’s elections. Yet according to security experts, voted ballots sent via Internet…

Verified Voting Blog: State Election Officials: Recountable Process a Must for Overseas Voters

Last week, the National Association of Secretaries of State (NASS) adopted a resolution acknowledging both serious security and privacy concerns related to Internet voting and the need for a verifiable, recountable election process. Verified Voting applauds NASS for adopting this official position. Military and overseas voters (also called “UOCAVA voters” after the Uniformed and Overseas Citizens Absentee Voting Act) were a major topic at NASS”s summer conference last week in Providence, Rhode Island. States are now working hard to implement a recently enacted amendment to UOCAVA, the Military and Overseas Voter Emplowerment Act of 2009 (MOVE). The MOVE Act’s requirements include delivery of ballots to military and overseas voters 45 days prior to Federal elections and the option for electronic delivery of blank ballots to UOCAVA voters. One of the primary topics at the conference was a policy not required by MOVE: the use of the Internet for the return of completed ballots to election officials. Some states, for example West Virginia and Arizona, are experimenting with various forms of Internet voting, and over 30 states now allow, under varying circumstances, e-mail or fax delivery of voted ballots from UOCAVA voters.

Verified Voting Blog: Voting results in New Jersey should not be mysterious

Last week in South Carolina, an unknown, unemployed veteran (recently indicted on felony obscenity charges) who did not even campaign, beat a well-financed political veteran in the Democratic Senate primary election. Even the White House called the results “mysterious.” Allegations have been made that South Carolina’s touch-screen computerized voting machines were hacked. It’s a possibility.…

Verified Voting Blog: The 2010 Primaries: More Recounts than Recountable Elections

The 2010 primary election season is in full swing.  As in every election cycle, there are a number of extremely close races, with recounts looming for some.  So far this year, state-mandated automatic recounts are likely for the Democratic primary for Lieutenant Governor of Pennsylvania, and for the Republican primary for Ohio’s 18th U.S. Congressional District.  In Oregon, a recount is possible in the statewide race for superintendent of schools. Some of 2010’s recounts will include the hand-to-eye examination of actual ballots; for example, Oregon mandates that recounts be 100% hand-counted.  But too many “recounts” this year will depend upon the correct functioning of computer software or firmware.  We believe that this state of affairs is not tenable.  When a state does not provide every voter with a reliable, physical ballot showing his or her intent, or does not conduct computer-independent recounts of those ballots, then an effective recount –  a process that should provide the strongest possible evidence of the intent of the electorate – is not possible.

Verified Voting Blog: Comments on EAC UOCAVA Pilot Program Testing Requirements

This week the Elections Assistance Commission (EAC) released public comments submitted on their draft UOCAVA Pilot Program Testing Requirements. The EAC document spell outs testing and certification requirements for Internet voting pilot programs for military and overseas voters, partly in response to the requirements of the Military and Overseas Voter Empowerment (MOVE) Act passed in 2009. The MOVE Act required many excellent improvements that increase opportunities for voters overseas to be able to cast their ballots in time to be counted. These changes include the electronic delivery of blank ballots and information, but not the electronic return of voted ballots. The Act also included a provision for experimental programs involving voting via the Internet. At least three states (AZ, CO, WV, and possibly GA and FL) are planning to carry out voluntary pilot programs this year. Despite the short time available for comment, many substantive comments were submitted, including from Verified Voting. While we do not mention them all here, there were many insightful comments and we urge you to read through them. Many of the comments expressed recurring themes:

Audits, Security Standards and Procedures: Verified Voting noted that an equipment manufacturing standard alone is insufficient to provide anything resembling “reasonable assurance that the pilot systems will operate correctly and securely”, as stated in Section 1.1.3 of the EAC Draft. We assert that a comprehensive security plan is required, not merely an equipment testing plan. Robust post-election audits are essential to demonstrating correct and secure operation of any voting system, be it remote or local.

Verified Voting Blog: Military and Overseas Voting Update

For members of the military, their families, and other United States citizens living overseas, voting has always presented unique challenges. Some of these problems include reliable delivery of blank ballots to the voters, secure and timely return of voted ballots, and authenticating that ballots were completed and returned by the same person they were sent to. According to an EAC study, Voting from Abroad: A Survey Of UOCAVA Voters:

There are no reliable data available on the number of [military and overseas] voters dispersed around the globe; some estimates hover around 4 million. Active-duty military are estimated at 1.5 million and family of military another 1.5 million.

In 1986 and again in 2009, Congress passed laws looking to improve access to voting for military and overseas voters. And today, as communication technologies like fax and email have become available, states are moving forward with plans for electronic transmission and receipt of ballots, all too often without sufficient regard for the privacy and security issues involved.

Verified Voting Blog: Verified Voting Comments to EAC on Internet Voting Pilots

With many states already deploying a form of Internet voting, email return of voted ballots (see map), it is important that requirements for remote voting systems and the pilot programs that test them reflect the highest standards for security. On April 30, 2010, Verified Voting submitted comments to the EAC on proposed testing requirements for military and overseas voting pilot programs that use remote technologies such as Internet Voting. In a letter to the EAC, president Pam Smith said that the comments focused on “the broad outlines of the pilot program and core precepts to which we believe any pilots should adhere.” Sending voted ballots over the public Internet “is in a security class by itself,” the letter noted, and these ballots are vulnerable to attacks from a wide range of individuals, organizations, and even governments. “Voting systems for UOCAVA voters should not be held to a higher security standard than domestic absentee voting,” the letter said, “nor should UOCAVA voters be required to use a system that is less secure than those used by voters back home.”

Verified Voting Blog: Efficient Auditing of Election Results

On March 27 and 28, 2010, Verified Voting and Common Cause sponsored a meeting of in Washington, D.C. to share experiences and ideas for improving post-election audits. The participants included election officials, statisticians, computer and political scientists, election integrity advocates, and voting system vendor technical staff. This meeting marked the first time that diverse stakeholders, including voting systems vendors, met together for the explicit purpose of identifying the potential benefits and challenges of using small batches of ballots (i.e., smaller than precincts — down to and including individual ballot records) to make audits more effective and efficient.

Verified Voting Blog: Verified Voting Comments on EAC Internet Pilot Requirements

Thank you for the opportunity to comment on the proposed UOCAVA Pilot Program Testing Requirements.  We appreciate the invitation for public input to such an important initiative.  In this letter we confine our comments to the broad outlines of the pilot program and core precepts to which we believe any pilots should adhere. The Verified Voting Foundation has benefited greatly from prominent experts whose professional work duties include achieving U.S. national security objectives within digital networks and computer communications.  This expertise leads us to set forth this core understanding:  Federal election security is a fundamental component of U.S. national security.  Applying this principle, we submit that election security should not be compromised for convenience or transmission speed. Internet voting (which for purposes of these comments we define as transmission of voted ballots over the public Internet) is in a security class by itself.  In comparing Internet transmission of voted ballots to paper absentee ballot voting, we agree with the oft-made point that voting systems for UOCAVA voters should not be held to a higher security standard than domestic absentee voting. Nor should UOCAVA voters be required to use a system that is less secure than those used by voters back home.

Verified Voting Blog: Responsible Use of Technology for Overseas Voting

Last November, the Federal Voting Assistance Program (FVAP) contacted each State with recommendations for meeting the new requirements established in the MOVE Act with the goal of bringing the absentee voting success rate for Uniformed Service members, their families and citizens residing outside the U.S. in line with that of the general population. Verified Voting strongly supports FVAP’s specific recommendations: providing a 45 day period for ballot transit, removal of notary and witnessing requirements, participation with the Uniform Law Commission efforts towards regularizing rules for overseas voters, and the responsible use of technology to aid in providing voting materials to military and overseas citizens. As an active participant in the Alliance for Military and Overseas Voting Rights (AMOVR), we agree with the principle that “transmitting blank ballots electronically does not risk voters’ privacy while improving the process in all States.” Through these recommendations each state can meet the requirements of the MOVE Act without undue risk to the integrity of the electoral process, and greatly facilitate the voting process for the citizens serving our nation in uniform and others living overseas.

However, some States are considering going beyond these recommendations in ways that could be harmful. Experts in technology such as NIST, the GAO and internal reviewers of Department of Defense projects cite significant concerns with respect to the electronic submission of voted ballots. Such systems would rely on computers, servers and/or networks outside the control of election officials, for which criteria for testing and secure operation have yet to be established. Attacks on such systems could significantly threaten the integrity of elections or the ability of voters to cast ballots. Even minor phishing and spoofing attacks could trick voters into giving up their voting credentials to an attacker.

Verified Voting Blog: Judge Orders Expert Review of Voting Machines in New Jersey

A judge in New Jersey has ordered a new review of New Jersey’s voting systems, this time by qualified technical experts, in a partial victory for advocates challenging the systems’ constitutionality. State law requires that voting systems be “accurate and reliable.” From our vantage point, these systems don’t meet that standard; because they cannot be audited, there’s no way to check for accuracy. A recent report from researchers at UCSD illustrated a stunning new kind of vulnerability in the type of voting system in widespread use in New Jersey (AVC Advantage), where code could be inserted, modify results and vanish without detection. An author on that study, and expert witness in the New Jersey case, Prof. Edward Felten, said preventing such attacks “requires an extraordinary level of security engineering, or the use of safeguards such as voter-verified paper ballots.”

While other requirements from the Judge address some security measures, including criminal background checks on personnel working with the voting machines and all third party vendors who examine or transport them, and protocols for inspecting machines to ensure they have not been tampered with, such checks have no impact on any tampering that may have occurred in the past (such as during the extended periods of time in which they were left unattended at polling places before and after past elections), and provide no failsafe that would ensure reliability. Voting systems can no longer be connected to the Internet, which we trust means New Jersey will now provide a more secure way to allow for the return of voted ballots from overseas voters.

Verified Voting Blog: Software in Dangerous Places

Software increasingly manages the world around us, in subtle ways that are often hard to see. Software helps fly our airplanes (in some cases, particularly military fighter aircraft, software is the only thing keeping them in the air). Software manages our cars (fuel/air mixture, among other things). Software manages our electrical grid. And, closer to home for me, software runs our voting machines and manages our elections. Sunday’s NY Times Magazine has an extended piece about faulty radiation delivery for cancer treatment. The article details two particular fault modes: procedural screwups and software bugs. The procedural screwups (e.g., treating a patient with stomach cancer with a radiation plan intended for somebody else’s breast cancer) are heartbreaking because they’re something that could be completely eliminated through fairly simple mechanisms. How about putting barcodes on patient armbands that are read by the radiation machine? “Oops, you’re patient #103 and this radiation plan is loaded for patent #319.”

Verified Voting Blog: Hurry Up and Wait: Tennessee Senate Delays, Weakens Voter Confidence Act in the Opening Hours of the 2010 Session

On the basis of several highly questionable assumptions, the Tennessee General Assembly has voted to delay implementation of paper ballot voting until 2012, and to eliminate the Tennessee Voter Confidence Act’s provision for routine hand-counted audits of computer vote tallies. On Tuesday, the Tennessee Senate passed House Bill 614 on a vote of 22-10. The Senate’s passage of House Bill 614 was strongly influenced by a perception that there are no machines available that meet the law’s requirements. The Voter Confidence Act requires optical scan systems to be certified by the U.S. Election Assistance Commission to “the applicable voluntary voting system guidelines.” In November, Chancellor Russell Perkins of the Davidson County Chancery Court determined that the Voter Confidence Act allows the State to purchase voting systems certified by the EAC to either 2002 or 2005 standards. The 2002 standards are deemed by Section 222(e) of the Help America Vote Act to be first set of voluntary voting system guidelines.

Voting technology expert Dr. Douglas Jones, who was recently named to the EAC’s Technical Guidelines Development Committee, testified to the court that some voting systems certified to the 2002 standard could be updated to the 2005 standard with a simple software patch. The State of New York certified an updated version of one of the 2002-certified systems, made by Election Systems and Software, to the 2005 guidelines on December 15, 2009. One day after the Senate vote, the U.S. Election Assistance Commission certified a complete paper ballot voting system to all of the 2005 federal guidelines.It is unfortunate that the vote occurred when it appears that not all Senators had access to the facts.

Verified Voting Blog: What Google's New China Policy Tells Us About Internet Voting

Google recently announced in an important change of policy that it will stop censoring search results for queries coming from China.  That is interesting in its own right, but is not why I am writing this article. According to their corporate blog post, what prompted this change of policy was the discovery of “a highly sophisticated and targeted attack on [Google’s] corporate infrastructure originating from China”.  They found similar attacks on “at least twenty other large companies from a wide range of businesses”. Google further said that they “have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists”.  We are not likely to hear more detail in public about the attacks, but this is extraordinary news.

Verified Voting Blog: Monopoly, ES&S, and Nassau County, Part 2

In last week’s post, I reported on the surprise decision of New York State’s Nassau County to dump it’s 450 Dominion ImageCast voting machines after an intense effort and behind the scenes deal making by ES&S. As the purchasing proposal shows, ES&S spared no expense to convince this large county to dump the small upstart…

Verified Voting Blog: Verified Voting Letter to Tennessee State Senators

We respectfully urge you to vote No on House Bill 614, which seeks to delay implementation of the Tennessee Voter Confidence Act and fatally weaken its provision for manual post-election audits of electronic vote tallies. HB 614 is on the Senate’s calendar for Tuesday January 12, 2010. Rejection of the bill is warranted based on the determination of the Chancery Court regarding the TVCA and its requirements for federal certification of voting systems, and on the State’s still un-met need for verifiable ballots and hand-counted audits of electronic vote tallies.

In November 2009, the Chancery Court of Davidson County, after receiving information from voting technology experts, corrected the assumption that the TVCA required new voting systems to be certified by the United States Election Assistance Commission (the EAC) to the 2005 version of the Federal voluntary voting system guidelines. The Court issued a Conclusion of Law noting the TVCA allows voting systems to be certified by the EAC to either the 2002 voting system standards or the 2005 guidelines, and ordered the State Elections Division to proceed with implementation without delay.

Verified Voting Blog: Justice Department Seeks to Block Merger of Voting Machine Vendors

According to an article in the New York Post a lawsuit is expected to be filed by the Department of Justice that would seek to block the already-completed merger of the nation’s two largest voting-machine makers, Election Systems & Software (ES&S) and Premier Election Solutions (formerly Diebold Election Systems). The article cites “a person close to the situation” that the DoJ lawsuit, “if successful, would effectively undo the merger of Diebold’s Premier Elections Solutions with Election Systems & Software, a $5 million deal completed in September.”

Verified Voting Blog: Monopoly, ES&S, and Nassau County

There was lots of reporting last week about the decision to award New York City’s huge voting machine contract to the ES&S, but the really interesting story slipped by nearly unnoticed – Nassau County, home to nearly 1 million registered voters, announced they were abandoning their recently purchased Dominion ImageCast machines for ES&S systems. This announcement came as quite a surprise because Nassau County has been using the Dominion machines for accessible voting in all polling places since 2008, as well as spent time and money training poll workers in the use of the new systems. So how is it that ES&S managed to snatch away Nassau County, in terms of voting system sales the second largest prize in New York State, from the much smaller Dominion? The answer is a cautionary tale about the power of a near monopoly to force smaller competitors out of the market.

ES&S has long been one of a handful of voting machine companies dominating the United States market. But recently, with Sequoia Voting Systems struggling financially, and the absorption of Diebold into ES&S (a move opposed by many), the company already has a near-stranglehold on providing voting systems and services to election officials. In New York State however, ES&S faces a small competitor from just across Lake Ontario in Canada, Dominion Voting. Dominion designed and built the ImageCast, a new scanner and accessible ballot marker combination system that many County Boards of Elections around the state, including Nassau, liked enough to order and use in 2008 and 2009 [Note – initially Dominion partnered with Sequoia to bring the ImageCast to New York, but Sequoia later pulled out and turned the contract over to Dominion]. Indeed, even if New York City chose the ES&S DS200 scanner, a decision finally made this week, little upstart Dominion would still have provided over half of the Empire State’s huge number of voting machines! But big companies like Wal-Mart and ES&S don’t stand around idly letting small competitors take what they see as their market share. And the way they do it is by being big enough to offer customers deals that are simply too good to pass up. And that’s exactly what ES&S did in Nassau County.

Verified Voting Blog: Candice Hoke Comments to the FCC on Internet Voting

In her response to an FCC’s question about what can we learn from pilot projects that have tested online voting, Verified Voting Foundation Board of Advisors member Candice Hoke observed that none of the domestic internet voting pilot projects have been properly structured to test for and approximate the risks that would be posed to domestic US elections. Specifically, she noted that these pilots are especially remiss in conceptualizing the risks for elections to Federal and Statewide office, where the fiscal control over billions of dollars is concerned, and the direction of military powers and foreign policy/aid.

Hoke continued: “The Internet voting pilot programs were structured by for-profit vendors, who also reported on their “success” without any independent evaluation and transparency on some critical dimensions. In Hawai’i, the project did report a dramatic drop in the reported rate of voter participation. The pilot, however, did not include any structures by which an assessment could be conducted of whether technical attacks had occurred to intercept, modify or otherwise block voted ballots from reaching the election processing location. Nor did it offer any auditing assessments that the ballots as tabulated matched the ballots as cast by voters. Thus, no conclusions can be drawn about the pilot’s success, and it bears little relation to a Federal or Statewide election context.

Verified Voting Blog: Comments to the FCC on Internet Voting

It is likely that no one in the country has studied the subject of internet voting more intensely than David Jefferson, senior scientist at Lawrence Livermore National Laboratory. Part of his job is to help devise strategies to defend against the relentless attacks we see every hour of every day against U.S. networks, both government and corporate, from sources ranging from self aggrandizing students to foreign intelligence and cyber warfare agencies. He has also been deeply involved in voting and election security for over a decade as a voting technology advisor to five successive Secretaries of State in California, and is a coauthor of most of the best known peer-reviewed scientific publication on Internet voting, the SERVE Security Report.

[pullquote align=”left”]“The integrity of a general election is as important as the integrity of many of our national defense secrets.[/pullquote]In his comments to the FCC, Jefferson emphasizes that election security is an aspect of U.S. national security. He observes that, “few people have any idea how tiny is the fraction of votes that, if selectively lost or switched, could swing a presidential election, or swing the balance of power in a house of Congress. The controversial 2000 presidential election that was decided by a few hundred votes in one state was only the most extreme object lesson, but other elections such as the recent Minnesota senatorial election, have been as close. This is all the more true in these times in which the electorate is nearly evenly divided on several key national issues. It is vital that we protect the security of every vote, or the legitimacy of our government will be rightly called into question–a situation that is very damaging in a democracy.”

Verified Voting Blog: Verified Voting Comments to FCC on Internet Voting

In the American Recovery and Reinvestment Act of 2009 (Recovery Act), Congress directed the Federal Communications Commission (FCC), as part of its development of a National Broadband Plan, to include “a plan for the use of broadband infrastructure and services in advancing …civic participation.” On December 10, 2010 the Federal Communications Commission issued a request for public comments “…on how broadband can help to bring democratic processes—including elections, public hearings and town hall meetings—into the digital age…” Verified Voting, in submitted comments, answered the question – “With existing technology, is it possible to enable and ensure safe and secure voting online today?”, simply – “In a word, no.” As a recent report from the National Institute of Standards and Technology (NIST) indicates, “…The security challenges associated with e-mail return of voted ballots are difficult to overcome using technology widely deployed today.” And “…Technology that is widely deployed today is not able to mitigate many of the threats to casting ballots via the web.

Despite the short window allowed for public comment, numerous organizations and individuals, including Verified Voting submitted comments. Much of Verified Voting’s commentary was informed by the “Computer Technologists’ Statement on Internet Voting”, published last year and signed by dozens of leading technology professionals and computer security experts. This post is the first in a series that will highlight the commentary submitted to the FCC on the issue of the role of the internet in the electoral process. In answer to the question “With existing technology, is it possible to enable and ensure safe and secure voting online today?”, Verified Voting responded, “in a word, no.”

Verified Voting Blog: Polling Place Burglary Raises Specter of Fraud

The burglary at one of Houston’s early voting locations (“Computers stolen at early polling location; Ballot board to check electronic voting machines for tampering,” Page B2, Tuesday) raises the specter of election fraud. Some computers were stolen, and as far as we know, the voting machines stored at Hester House were untouched. But if the burglars wanted to tamper with the election outcome, what could they have accomplished? In 2007, California Secretary of State Debra Bowen put together a team to conduct a security analysis of the state’s electronic voting systems. I was part of the team analyzing the Hart InterCivic voting system — the same type we use here in Harris County. Our report concluded that the Hart system has a wide variety of security flaws and that it can be attacked in a manner that makes it hard to detect and correct. We further concluded that these attacks can be carried out by a single individual without extensive effort and without long-term access to the equipment. Our results were corroborated by a follow-up study conducted by the Ohio secretary of state.

Did the Houston burglars tamper with the voting machines? I hope not. Could they have tampered with the voting machines? Absolutely. Could we determine if tampering had occurred? Only if we got lucky and found clearly incriminating evidence, such as the burglar’s fingerprints near the connectors on the backs of the voting machines.

Verified Voting Blog: My Vote on NY Voting Machine Certification

During the week of December 7, 2009, the New York State Citizen Election Modernization Advisory Committee met and reviewed certification test data results from the state’s testing program, and to vote on recommending approval of the two voting systems to the four Commissioners of the State Board of Election. The Commissioners will vote on final certification at their December 15, 2009 meeting. On December 10, 2009, the Advisory Committee approved recommendation by a vote of 10 For and 1 Against. I was the only vote opposing the recommendation. Below is the statement I made prior to the committee vote.

I believe in New York State’s certification process. It is rightfully called the best in the nation. We have required vendors to conform to a higher standard than ever before, we have conducted extensive testing with independent oversight, and as a result we have a huge trove of data upon which we can base our decision on whether these new voting systems are ready to be certified. Just the fact that we even have this substantial set of test results against a large number of very specific standards is a credit to New York’s process. Arguably, we have more data available to us about these systems than has ever been made available to a public body such this Advisory Committee before. It is because of this comprehensive approach that we can even be talking about some of the test findings, which never would have been revealed in a typical voting system certification program.