Verified Voting Blog: How the Internet Works

If we can use the Internet to deliver blank ballots, then why not use it to return voted ballots? Part of the answer lies with the nature of the Internet itself. If we are to be sure that the vote cast is the same as the vote counted, we need a way to guarantee that 1) the voted ballot has not been substituted or altered in transit, and 2) the ballot received actually was sent by the voter, not someone impersonating them. But due to the way the Internet currently works, neither of these conditions can be assured. Before looking at sending ballots via Email, it's helpful to understand how all Internet communication works, whether it be an email, website, file download, or tweet. What we now call the Internet grew out of research on connecting computers of different types and at different locations into a single network. One of the problems facing researchers was how to move electronic information reliably on pathways that are unknown and unpredictable. Two computers might be connected via a wire across the room, or across a huge network of sub-connections spanning the planet.

Verified Voting Blog: One Solution – Delivering Blank Ballots via Internet

As noted in Part One of this series, one of the goals of the MOVE Act is to improve access to election materials such as voter registration forms and blank ballots. Examining why (and ignoring voter registration for the moment), we see that there are two parts to the process of voting from an overseas location: 1) obtaining a blank absentee ballot, and 2) returning the voted ballot. The first problem, obtaining a blank ballot, should be refined a bit – part of the problem for overseas voters is obtaining a blank ballot with sufficient time for it to be returned within state designated absentee ballot deadlines. And one way to solve this part of the problem is to send blank ballots to military and overseas voters via the Internet.

Verified Voting Blog: On India’s Electronic Voting Controversy

For Americans who care about verified elections, recent events in India are resonant.  Verified Voting applauds the advocates, ordinary citizens and technologists who are working for accountable voting in the world's largest democracy.  We support calls for the government of India  to 1) engage constructively, rather than persecute, technologists who have conducted critical research on Indian voting systems; and 2) take immediate steps toward a verifiable voting process suited to India's needs.

A bit of background for Americans who have not yet tuned in to the controversy:  India adopted a nationwide system of paperless direct-recording electronic voting machines in 2004.  Early on, some Indian computer security experts pointed to the inherent vulnerability of a purely electronic voting process, and a number of journalists and candidates for office raised concerns.  The machines in India are much simpler than those used in America, but are no less vulnerable to wholesale attacks originating from the voting system vendor, and are prone to a number of serious machine-by-machine "retail" attacks.

Verified Voting Blog: Internet Voting – An Introduction

In a wired world, it was inevitable that the subject of Internet Voting become a hot topic sooner rather than later. But more than just a topic of discussion, this year eighteen states will allow overseas ballots to be returned via email in November’s elections. Yet according to security experts, voted ballots sent via Internet simply cannot be made secure, and make easy and inviting targets for attackers ranging from lone hackers to foreign governments seeking to undermine US elections.

The Pentagon rejected the idea of returning voted ballots via the internet as recently as 2004, when the SERVE (Secure Electronic Registration and Voting Experiment) project was canceled. In a memo, Deputy Defense Secretary Paul Wolfowitz said “In view of the inability to ensure legitimacy of votes that would be cast in the SERVE internet voting project, thereby bringing into doubt the integrity of the election, I hereby direct you to take immediate steps to ensure that no voters use the system to register or vote via the internet.”

Verified Voting Blog: State Election Officials: Recountable Process a Must for Overseas Voters

Last week, the National Association of Secretaries of State (NASS) adopted a resolution acknowledging both serious security and privacy concerns related to Internet voting and the need for a verifiable, recountable election process. Verified Voting applauds NASS for adopting this official position. Military and overseas voters (also called "UOCAVA voters" after the Uniformed and Overseas Citizens Absentee Voting Act) were a major topic at NASS"s summer conference last week in Providence, Rhode Island. States are now working hard to implement a recently enacted amendment to UOCAVA, the Military and Overseas Voter Emplowerment Act of 2009 (MOVE). The MOVE Act's requirements include delivery of ballots to military and overseas voters 45 days prior to Federal elections and the option for electronic delivery of blank ballots to UOCAVA voters. One of the primary topics at the conference was a policy not required by MOVE: the use of the Internet for the return of completed ballots to election officials. Some states, for example West Virginia and Arizona, are experimenting with various forms of Internet voting, and over 30 states now allow, under varying circumstances, e-mail or fax delivery of voted ballots from UOCAVA voters.

Verified Voting Blog: Best Practices for Voting Systems Supporting Military and Overseas Voters

Given the current focus on UOCAVA implementation, the NIST draft Information System Security Best Practices for UOCAVA-Supporting Systems (referred to here as the Draft) is a timely and important document. A summary of security standards and guidelines “deemed most applicable for jurisdictions using IT systems to support UOCAVA voting” is indeed necessary at a time when many states are moving forward with Internet based voting, too often with insufficient thought to the security implications of casting votes online. The Draft acknowledges the urgency of proper security:

“…security compromise could carry severe consequences for the integrity of the election, or the confidentiality of sensitive voter information. Failure to adequately address threats to these systems could prevent voters from casting ballots, expose individuals to identity fraud, or even compromise the results of an election.” [1. Draft NISTIR 7682, Executive Summary, page 1]

Unfortunately, the Draft falls short of providing the comprehensive analysis of security practices implied by the title. While the limitations and scope of topics are clearly laid out, the remaining gaps, particularly those related to online return of voted ballots, are too large and too important to ignore. Even with disclaimers, the Draft may encourage many in the target audience, the election officials and IT staff implementing UOCAVA voting [2. Draft NISTIR 7682, Executive Summary, page 2 – “The guidance in this publication will assist election officials in collaborating with system designers and administrators to define roles and establish processes that ensure the ongoing secure operation of the systems.”], to believe that the controls outlined in the Draft are adequate to address all types of online voting, including return of voted ballots via Email.

Verified Voting Blog: Voting results in New Jersey should not be mysterious

Last week in South Carolina, an unknown, unemployed veteran (recently indicted on felony obscenity charges) who did not even campaign, beat a well-financed political veteran in the Democratic Senate primary election. Even the White House called the results “mysterious.” Allegations have been made that South Carolina’s touch-screen computerized voting machines were hacked. It’s a possibility. Study after study has shown that computerized voting systems, like all computers, can be programmed to do what you want them to do — including steal votes. The hacking allegation is speculative. The truth is that we don’t know whether anyone tampered with the voting machines in South Carolina. And that is the problem. Why is this relevant to New Jersey voters? The answer is simple: It can happen here, too. We know that the 11,000 Sequoia Advantage DRE computerized voting machines used in all but three counties in New Jersey can be hacked. Princeton University computer science department chairman Andrew Appel and an international team of computer security experts spent the summer of 2008 examining the Sequoia DREs. They produced a comprehensive report documenting the many ways in which they are vulnerable.

Verified Voting Blog: On the South Carolina Primary – A call for recountable, auditable voting systems

Last week’s surprising outcome in a party primary in South Carolina for United States Senate was accompanied by anecdotal reports of voting problems on election day, and many questions about the accuracy of the vote count. Whether specific reports of irregularities in this election are confirmed, the most important fact about South Carolina’s voting system is that most ballots cannot be effectively audited or recounted. Serious concerns about the integrity of the primary (and of other elections conducted using the same technology) are inevitable, and legitimate. South Carolina uses paperless touch-screen electronic voting machines for all but absentee voting, which is done using paper ballots. Thus for the vast majority of votes, voters cannot check to be sure their votes were recorded as intended, and election officials cannot conduct legitimate recounts or audits to prove that the machines were counting the votes correctly. When there is no reliable hard-copy record of the voters’ intent to fall back on, election officials, candidates and the public are at the mercy of the counting software, which may or may not function correctly.   Absent a “do-over” election using a system that can be recounted or audited, there is simply no way to know if the outcome was correct. In our 2008 joint report report “Is America Ready to Vote,” Common Cause, Verified Voting, and the Brennan Center for Justice rated South Carolina inadequate for failing to offer the basics of a verified election: an auditable system, and manual audits of the system to check electronic counts.

Verified Voting Blog: The 2010 Primaries: More Recounts than Recountable Elections

The 2010 primary election season is in full swing.  As in every election cycle, there are a number of extremely close races, with recounts looming for some.  So far this year, state-mandated automatic recounts are likely for the Democratic primary for Lieutenant Governor of Pennsylvania, and for the Republican primary for Ohio's 18th U.S. Congressional District.  In Oregon, a recount is possible in the statewide race for superintendent of schools. Some of 2010's recounts will include the hand-to-eye examination of actual ballots; for example, Oregon mandates that recounts be 100% hand-counted.  But too many "recounts" this year will depend upon the correct functioning of computer software or firmware.  We believe that this state of affairs is not tenable.  When a state does not provide every voter with a reliable, physical ballot showing his or her intent, or does not conduct computer-independent recounts of those ballots, then an effective recount -  a process that should provide the strongest possible evidence of the intent of the electorate - is not possible.

Verified Voting Blog: Comments on EAC UOCAVA Pilot Program Testing Requirements

This week the Elections Assistance Commission (EAC) released public comments submitted on their draft UOCAVA Pilot Program Testing Requirements. The EAC document spell outs testing and certification requirements for Internet voting pilot programs for military and overseas voters, partly in response to the requirements of the Military and Overseas Voter Empowerment (MOVE) Act passed in 2009. The MOVE Act required many excellent improvements that increase opportunities for voters overseas to be able to cast their ballots in time to be counted. These changes include the electronic delivery of blank ballots and information, but not the electronic return of voted ballots. The Act also included a provision for experimental programs involving voting via the Internet. At least three states (AZ, CO, WV, and possibly GA and FL) are planning to carry out voluntary pilot programs this year. Despite the short time available for comment, many substantive comments were submitted, including from Verified Voting. While we do not mention them all here, there were many insightful comments and we urge you to read through them. Many of the comments expressed recurring themes:

Audits, Security Standards and Procedures: Verified Voting noted that an equipment manufacturing standard alone is insufficient to provide anything resembling “reasonable assurance that the pilot systems will operate correctly and securely”, as stated in Section 1.1.3 of the EAC Draft. We assert that a comprehensive security plan is required, not merely an equipment testing plan. Robust post-election audits are essential to demonstrating correct and secure operation of any voting system, be it remote or local.

Verified Voting Blog: Military and Overseas Voting Update

For members of the military, their families, and other United States citizens living overseas, voting has always presented unique challenges. Some of these problems include reliable delivery of blank ballots to the voters, secure and timely return of voted ballots, and authenticating that ballots were completed and returned by the same person they were sent to. According to an EAC study, Voting from Abroad: A Survey Of UOCAVA Voters:

"There are no reliable data available on the number of [military and overseas] voters dispersed around the globe; some estimates hover around 4 million. Active-duty military are estimated at 1.5 million and family of military another 1.5 million."

In 1986 and again in 2009, Congress passed laws looking to improve access to voting for military and overseas voters. And today, as communication technologies like fax and email have become available, states are moving forward with plans for electronic transmission and receipt of ballots, all too often without sufficient regard for the privacy and security issues involved.

Verified Voting Blog: Verified Voting Comments to EAC on Internet Voting Pilots

With many states already deploying a form of Internet voting, email return of voted ballots (see map), it is important that requirements for remote voting systems and the pilot programs that test them reflect the highest standards for security. On April 30, 2010, Verified Voting submitted comments to the EAC on proposed testing requirements for military and overseas voting pilot programs that use remote technologies such as Internet Voting. In a letter to the EAC, president Pam Smith said that the comments focused on "the broad outlines of the pilot program and core precepts to which we believe any pilots should adhere." Sending voted ballots over the public Internet "is in a security class by itself," the letter noted, and these ballots are vulnerable to attacks from a wide range of individuals, organizations, and even governments. "Voting systems for UOCAVA voters should not be held to a higher security standard than domestic absentee voting," the letter said, "nor should UOCAVA voters be required to use a system that is less secure than those used by voters back home."

Verified Voting Blog: California Legislation Calls for First Risk-Limiting Pilot Audits

Over the past year, election auditing experts, including Verified Voting staff, have been working with California Secretary of State Debra Bowen’s office toward improving California’s audits. Now legislation authorizing the Secretary of State to work with a minimum of five volunteer counties to conduct pilot risk-limiting audits in 2011 is making good progress. The Secretary of State will report to the legislature on the risk-limiting pilots, and how their effectiveness, efficiency, and cost compare to those of the current 1% manual tally. Currently, California law requires hand counting all contests on ballots from one percent of randomly selected precincts in each county, and comparing those hand counted totals with the announced election results.

Verified Voting Blog: Efficient Auditing of Election Results

On March 27 and 28, 2010, Verified Voting and Common Cause sponsored a meeting of in Washington, D.C. to share experiences and ideas for improving post-election audits. The participants included election officials, statisticians, computer and political scientists, election integrity advocates, and voting system vendor technical staff. This meeting marked the first time that diverse stakeholders, including voting systems vendors, met together for the explicit purpose of identifying the potential benefits and challenges of using small batches of ballots (i.e., smaller than precincts -- down to and including individual ballot records) to make audits more effective and efficient.

Verified Voting Blog: Verified Voting Comments on EAC Internet Pilot Requirements

Thank you for the opportunity to comment on the proposed UOCAVA Pilot Program Testing Requirements.  We appreciate the invitation for public input to such an important initiative.  In this letter we confine our comments to the broad outlines of the pilot program and core precepts to which we believe any pilots should adhere. The Verified Voting Foundation has benefited greatly from prominent experts whose professional work duties include achieving U.S. national security objectives within digital networks and computer communications.  This expertise leads us to set forth this core understanding:  Federal election security is a fundamental component of U.S. national security.  Applying this principle, we submit that election security should not be compromised for convenience or transmission speed. Internet voting (which for purposes of these comments we define as transmission of voted ballots over the public Internet) is in a security class by itself.  In comparing Internet transmission of voted ballots to paper absentee ballot voting, we agree with the oft-made point that voting systems for UOCAVA voters should not be held to a higher security standard than domestic absentee voting. Nor should UOCAVA voters be required to use a system that is less secure than those used by voters back home.

Verified Voting Blog: Dominion Sues to Stop New York City Contract with ES&S

Update I, 2/19/10 – Court documents posted, links here

In a surprise move, Dominion Voting Systems has filed an Article 78 lawsuit in New York State Supreme Court in Albany to stop the New York City Board of Elections from awarding a $70 million dollar contract for new voting machines to ES&S. If a temporary restraining order is granted, it would call into question the city’s ability to deploy new voting systems in the 2010 elections, a schedule already in jeopardy due to the City Board of Election’s long delay in selecting new systems. The competition between the two companies for the New York City contract was intense, and has raised questions of lobbyist influence, possible investigations, and even subpoenas.

In court papers, Dominion argues that the New York City Board of Elections failed to comply with New York State and New York City Procurement Laws, Rules and Regulations, and awarded the contract on the basis of illegal criteria. Further, the lawsuit argues that the New York City Board of Elections:

1) Did not conduct a lawful bidding and procurement process;

2) Did not disclose the method and criteria used in evaluating bidders;

3) Did not award the contract to the lowest responsible bidder.

The city used a point system to evaluate the two companies. In the final evaluation, ES&S received 3,417 points, while Dominion received 3,395, a difference of only 22 points. Dominion claims that the slightly higher overall score for ES&S in the city’s evaluation is due to extra points given to the ES&S DS200 scanners for an option called “Easy Startup”. This option is said to include electronic machines pre-programmed in the warehouse prior to delivery to poll sites, and the ability for poll workers to open the machines without a password (such a configuration is not only an obvious security risk, but disallowed under New York election law). The lawsuit claims that the State Board of Elections explicitly ruled that the DS200 Easy Startup option does not comply with state law, and informed the New York City Board that it would reject any contracts that included it.

It remains to be seen if what impact, if any, the suit will have on the city’s ability to deploy of new voting systems this year, a schedule already in jeopardy. And of course, if the State Supreme Court were to grant the restraining order, the reaction of Federal Judge Gary Sharpe to yet further delays in New York City’s HAVA implementation schedule will need to be reckoned with as well.

Verified Voting Blog: Responsible Use of Technology for Overseas Voting

Last November, the Federal Voting Assistance Program (FVAP) contacted each State with recommendations for meeting the new requirements established in the MOVE Act with the goal of bringing the absentee voting success rate for Uniformed Service members, their families and citizens residing outside the U.S. in line with that of the general population. Verified Voting strongly supports FVAP's specific recommendations: providing a 45 day period for ballot transit, removal of notary and witnessing requirements, participation with the Uniform Law Commission efforts towards regularizing rules for overseas voters, and the responsible use of technology to aid in providing voting materials to military and overseas citizens. As an active participant in the Alliance for Military and Overseas Voting Rights (AMOVR), we agree with the principle that “transmitting blank ballots electronically does not risk voters’ privacy while improving the process in all States.” Through these recommendations each state can meet the requirements of the MOVE Act without undue risk to the integrity of the electoral process, and greatly facilitate the voting process for the citizens serving our nation in uniform and others living overseas.

However, some States are considering going beyond these recommendations in ways that could be harmful. Experts in technology such as NIST, the GAO and internal reviewers of Department of Defense projects cite significant concerns with respect to the electronic submission of voted ballots. Such systems would rely on computers, servers and/or networks outside the control of election officials, for which criteria for testing and secure operation have yet to be established. Attacks on such systems could significantly threaten the integrity of elections or the ability of voters to cast ballots. Even minor phishing and spoofing attacks could trick voters into giving up their voting credentials to an attacker.

Verified Voting Blog: Judge Orders Expert Review of Voting Machines in New Jersey

A judge in New Jersey has ordered a new review of New Jersey’s voting systems, this time by qualified technical experts, in a partial victory for advocates challenging the systems’ constitutionality. State law requires that voting systems be “accurate and reliable.” From our vantage point, these systems don't meet that standard; because they cannot be audited, there's no way to check for accuracy. A recent report from researchers at UCSD illustrated a stunning new kind of vulnerability in the type of voting system in widespread use in New Jersey (AVC Advantage), where code could be inserted, modify results and vanish without detection. An author on that study, and expert witness in the New Jersey case, Prof. Edward Felten, said preventing such attacks “requires an extraordinary level of security engineering, or the use of safeguards such as voter-verified paper ballots.”

While other requirements from the Judge address some security measures, including criminal background checks on personnel working with the voting machines and all third party vendors who examine or transport them, and protocols for inspecting machines to ensure they have not been tampered with, such checks have no impact on any tampering that may have occurred in the past (such as during the extended periods of time in which they were left unattended at polling places before and after past elections), and provide no failsafe that would ensure reliability. Voting systems can no longer be connected to the Internet, which we trust means New Jersey will now provide a more secure way to allow for the return of voted ballots from overseas voters.

Verified Voting Blog: Software in Dangerous Places

Software increasingly manages the world around us, in subtle ways that are often hard to see. Software helps fly our airplanes (in some cases, particularly military fighter aircraft, software is the only thing keeping them in the air). Software manages our cars (fuel/air mixture, among other things). Software manages our electrical grid. And, closer to home for me, software runs our voting machines and manages our elections. Sunday's NY Times Magazine has an extended piece about faulty radiation delivery for cancer treatment. The article details two particular fault modes: procedural screwups and software bugs. The procedural screwups (e.g., treating a patient with stomach cancer with a radiation plan intended for somebody else's breast cancer) are heartbreaking because they're something that could be completely eliminated through fairly simple mechanisms. How about putting barcodes on patient armbands that are read by the radiation machine? "Oops, you're patient #103 and this radiation plan is loaded for patent #319."

Verified Voting Blog: Hurry Up and Wait: Tennessee Senate Delays, Weakens Voter Confidence Act in the Opening Hours of the 2010 Session

On the basis of several highly questionable assumptions, the Tennessee General Assembly has voted to delay implementation of paper ballot voting until 2012, and to eliminate the Tennessee Voter Confidence Act's provision for routine hand-counted audits of computer vote tallies. On Tuesday, the Tennessee Senate passed House Bill 614 on a vote of 22-10. The Senate's passage of House Bill 614 was strongly influenced by a perception that there are no machines available that meet the law's requirements. The Voter Confidence Act requires optical scan systems to be certified by the U.S. Election Assistance Commission to "the applicable voluntary voting system guidelines." In November, Chancellor Russell Perkins of the Davidson County Chancery Court determined that the Voter Confidence Act allows the State to purchase voting systems certified by the EAC to either 2002 or 2005 standards. The 2002 standards are deemed by Section 222(e) of the Help America Vote Act to be first set of voluntary voting system guidelines.

Voting technology expert Dr. Douglas Jones, who was recently named to the EAC's Technical Guidelines Development Committee, testified to the court that some voting systems certified to the 2002 standard could be updated to the 2005 standard with a simple software patch. The State of New York certified an updated version of one of the 2002-certified systems, made by Election Systems and Software, to the 2005 guidelines on December 15, 2009. One day after the Senate vote, the U.S. Election Assistance Commission certified a complete paper ballot voting system to all of the 2005 federal guidelines.It is unfortunate that the vote occurred when it appears that not all Senators had access to the facts.

Verified Voting Blog: What Google's New China Policy Tells Us About Internet Voting

Google recently announced in an important change of policy that it will stop censoring search results for queries coming from China.  That is interesting in its own right, but is not why I am writing this article. According to their corporate blog post, what prompted this change of policy was the discovery of "a highly sophisticated and targeted attack on [Google's] corporate infrastructure originating from China".  They found similar attacks on "at least twenty other large companies from a wide range of businesses". Google further said that they "have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists".  We are not likely to hear more detail in public about the attacks, but this is extraordinary news.

Verified Voting Blog: Monopoly, ES&S, and Nassau County, Part 2

In last week’s post, I reported on the surprise decision of New York State’s Nassau County to dump it’s 450 Dominion ImageCast voting machines after an intense effort and behind the scenes deal making by ES&S. As the purchasing proposal shows, ES&S spared no expense to convince this large county to dump the small upstart competitor who had won the contract, offering perks, discounts, and a highly unusual arrangement to resell Nassau’s current ImageCasts and split the profits with the county. But the real surprise here, and surely one that will be of interest in the rumored upcoming DOJ investigation into the ES&S/Diebold merger, is that ES&S is actually paying more for Nassau’s used ImageCasts than the county paid for them new! According to the contract pricing posted by New York’s Office of General Services, Nassau paid $11,097.50 per ImageCast (assuming they received the 3.5% discount).

Verified Voting Blog: Verified Voting Letter to Tennessee State Senators

We respectfully urge you to vote No on House Bill 614, which seeks to delay implementation of the Tennessee Voter Confidence Act and fatally weaken its provision for manual post-election audits of electronic vote tallies. HB 614 is on the Senate's calendar for Tuesday January 12, 2010. Rejection of the bill is warranted based on the determination of the Chancery Court regarding the TVCA and its requirements for federal certification of voting systems, and on the State's still un-met need for verifiable ballots and hand-counted audits of electronic vote tallies.

In November 2009, the Chancery Court of Davidson County, after receiving information from voting technology experts, corrected the assumption that the TVCA required new voting systems to be certified by the United States Election Assistance Commission (the EAC) to the 2005 version of the Federal voluntary voting system guidelines. The Court issued a Conclusion of Law noting the TVCA allows voting systems to be certified by the EAC to either the 2002 voting system standards or the 2005 guidelines, and ordered the State Elections Division to proceed with implementation without delay.

Verified Voting Blog: Justice Department Seeks to Block Merger of Voting Machine Vendors

According to an article in the New York Post a lawsuit is expected to be filed by the Department of Justice that would seek to block the already-completed merger of the nation's two largest voting-machine makers, Election Systems & Software (ES&S) and Premier Election Solutions (formerly Diebold Election Systems). The article cites “a person close to the situation” that the DoJ lawsuit, “if successful, would effectively undo the merger of Diebold's Premier Elections Solutions with Election Systems & Software, a $5 million deal completed in September.”

Verified Voting Blog: Monopoly, ES&S, and Nassau County

There was lots of reporting last week about the decision to award New York City’s huge voting machine contract to the ES&S, but the really interesting story slipped by nearly unnoticed – Nassau County, home to nearly 1 million registered voters, announced they were abandoning their recently purchased Dominion ImageCast machines for ES&S systems. This announcement came as quite a surprise because Nassau County has been using the Dominion machines for accessible voting in all polling places since 2008, as well as spent time and money training poll workers in the use of the new systems. So how is it that ES&S managed to snatch away Nassau County, in terms of voting system sales the second largest prize in New York State, from the much smaller Dominion? The answer is a cautionary tale about the power of a near monopoly to force smaller competitors out of the market.

ES&S has long been one of a handful of voting machine companies dominating the United States market. But recently, with Sequoia Voting Systems struggling financially, and the absorption of Diebold into ES&S (a move opposed by many), the company already has a near-stranglehold on providing voting systems and services to election officials. In New York State however, ES&S faces a small competitor from just across Lake Ontario in Canada, Dominion Voting. Dominion designed and built the ImageCast, a new scanner and accessible ballot marker combination system that many County Boards of Elections around the state, including Nassau, liked enough to order and use in 2008 and 2009 [Note - initially Dominion partnered with Sequoia to bring the ImageCast to New York, but Sequoia later pulled out and turned the contract over to Dominion]. Indeed, even if New York City chose the ES&S DS200 scanner, a decision finally made this week, little upstart Dominion would still have provided over half of the Empire State’s huge number of voting machines! But big companies like Wal-Mart and ES&S don’t stand around idly letting small competitors take what they see as their market share. And the way they do it is by being big enough to offer customers deals that are simply too good to pass up. And that’s exactly what ES&S did in Nassau County.

Verified Voting Blog: Candice Hoke Comments to the FCC on Internet Voting

In her response to an FCC’s question about what can we learn from pilot projects that have tested online voting, Verified Voting Foundation Board of Advisors member Candice Hoke observed that none of the domestic internet voting pilot projects have been properly structured to test for and approximate the risks that would be posed to domestic US elections. Specifically, she noted that these pilots are especially remiss in conceptualizing the risks for elections to Federal and Statewide office, where the fiscal control over billions of dollars is concerned, and the direction of military powers and foreign policy/aid.

Hoke continued: "The Internet voting pilot programs were structured by for-profit vendors, who also reported on their “success” without any independent evaluation and transparency on some critical dimensions. In Hawai’i, the project did report a dramatic drop in the reported rate of voter participation. The pilot, however, did not include any structures by which an assessment could be conducted of whether technical attacks had occurred to intercept, modify or otherwise block voted ballots from reaching the election processing location. Nor did it offer any auditing assessments that the ballots as tabulated matched the ballots as cast by voters. Thus, no conclusions can be drawn about the pilot’s success, and it bears little relation to a Federal or Statewide election context.

Verified Voting Blog: Comments to the FCC on Internet Voting

It is likely that no one in the country has studied the subject of internet voting more intensely than David Jefferson, senior scientist at Lawrence Livermore National Laboratory. Part of his job is to help devise strategies to defend against the relentless attacks we see every hour of every day against U.S. networks, both government and corporate, from sources ranging from self aggrandizing students to foreign intelligence and cyber warfare agencies. He has also been deeply involved in voting and election security for over a decade as a voting technology advisor to five successive Secretaries of State in California, and is a coauthor of most of the best known peer-reviewed scientific publication on Internet voting, the SERVE Security Report.

[pullquote align="left"]“The integrity of a general election is as important as the integrity of many of our national defense secrets.[/pullquote]In his comments to the FCC, Jefferson emphasizes that election security is an aspect of U.S. national security. He observes that, “few people have any idea how tiny is the fraction of votes that, if selectively lost or switched, could swing a presidential election, or swing the balance of power in a house of Congress. The controversial 2000 presidential election that was decided by a few hundred votes in one state was only the most extreme object lesson, but other elections such as the recent Minnesota senatorial election, have been as close. This is all the more true in these times in which the electorate is nearly evenly divided on several key national issues. It is vital that we protect the security of every vote, or the legitimacy of our government will be rightly called into question--a situation that is very damaging in a democracy.”

Verified Voting Blog: Verified Voting Comments to FCC on Internet Voting

In the American Recovery and Reinvestment Act of 2009 (Recovery Act), Congress directed the Federal Communications Commission (FCC), as part of its development of a National Broadband Plan, to include “a plan for the use of broadband infrastructure and services in advancing …civic participation.” On December 10, 2010 the Federal Communications Commission issued a request for public comments “…on how broadband can help to bring democratic processes—including elections, public hearings and town hall meetings—into the digital age…” Verified Voting, in submitted comments, answered the question – “With existing technology, is it possible to enable and ensure safe and secure voting online today?”, simply – “In a word, no.” As a recent report from the National Institute of Standards and Technology (NIST) indicates, “…The security challenges associated with e-mail return of voted ballots are difficult to overcome using technology widely deployed today.” And “…Technology that is widely deployed today is not able to mitigate many of the threats to casting ballots via the web.

Despite the short window allowed for public comment, numerous organizations and individuals, including Verified Voting submitted comments. Much of Verified Voting’s commentary was informed by the "Computer Technologists’ Statement on Internet Voting”, published last year and signed by dozens of leading technology professionals and computer security experts. This post is the first in a series that will highlight the commentary submitted to the FCC on the issue of the role of the internet in the electoral process. In answer to the question “With existing technology, is it possible to enable and ensure safe and secure voting online today?”, Verified Voting responded, “in a word, no.”

Verified Voting Blog: Polling Place Burglary Raises Specter of Fraud

The burglary at one of Houston's early voting locations (“Computers stolen at early polling location; Ballot board to check electronic voting machines for tampering,” Page B2, Tuesday) raises the specter of election fraud. Some computers were stolen, and as far as we know, the voting machines stored at Hester House were untouched. But if the burglars wanted to tamper with the election outcome, what could they have accomplished? In 2007, California Secretary of State Debra Bowen put together a team to conduct a security analysis of the state's electronic voting systems. I was part of the team analyzing the Hart InterCivic voting system — the same type we use here in Harris County. Our report concluded that the Hart system has a wide variety of security flaws and that it can be attacked in a manner that makes it hard to detect and correct. We further concluded that these attacks can be carried out by a single individual without extensive effort and without long-term access to the equipment. Our results were corroborated by a follow-up study conducted by the Ohio secretary of state.

Did the Houston burglars tamper with the voting machines? I hope not. Could they have tampered with the voting machines? Absolutely. Could we determine if tampering had occurred? Only if we got lucky and found clearly incriminating evidence, such as the burglar's fingerprints near the connectors on the backs of the voting machines.

Verified Voting Blog: My Vote on NY Voting Machine Certification

During the week of December 7, 2009, the New York State Citizen Election Modernization Advisory Committee met and reviewed certification test data results from the state’s testing program, and to vote on recommending approval of the two voting systems to the four Commissioners of the State Board of Election. The Commissioners will vote on final certification at their December 15, 2009 meeting. On December 10, 2009, the Advisory Committee approved recommendation by a vote of 10 For and 1 Against. I was the only vote opposing the recommendation. Below is the statement I made prior to the committee vote.

I believe in New York State’s certification process. It is rightfully called the best in the nation. We have required vendors to conform to a higher standard than ever before, we have conducted extensive testing with independent oversight, and as a result we have a huge trove of data upon which we can base our decision on whether these new voting systems are ready to be certified. Just the fact that we even have this substantial set of test results against a large number of very specific standards is a credit to New York’s process. Arguably, we have more data available to us about these systems than has ever been made available to a public body such this Advisory Committee before. It is because of this comprehensive approach that we can even be talking about some of the test findings, which never would have been revealed in a typical voting system certification program.