Verified Voting Blog: Statement on New York Voting System Certification

This is my opening statement for today’s meeting of New York’s Citizen Election Modernization Advisory Committee, which was created by the State Legislature to advise the Board of Elections on adoption of the new systems. Testing is now completed and results are being evaluated, with the State Board of Elections scheduled to make a determination on certifying systems on December 15th. We have come to an important moment in New York’s saga in adopting HAVA compliant voting systems. The long and rigorous testing required by New York State’s laws and regulations, arguably the best in the nation, has now been completed. Remaining is the difficult part – determining whether the systems have met the high standards required by New York State.

We have been presented with a huge amount of data to evaluate, and have only an extremely short time in which to do so. I’m pleased the Board staff has set aside this day to answer all our questions, but I am concerned that even the long, intense session we are embarking on may be insufficient to thoroughly assess the volume of data before us. Nevertheless, I look forward to today’s session and getting answers to the literally hundreds of questions I have about the test results.

Verified Voting Blog: Tinkering with Disclosed Source Voting Systems

In October, Sequoia Voting Systems, Inc. (“Sequoia”) announced that it intended to publish the source code of their voting system software, called “Frontier”, currently under development. (Also see EKR‘s post: “Contrarianism on Sequoia’s Disclosed Source Voting System”.) Yesterday, Sequoia made good on this promise and you can now pull the source code they’ve made available from their Subversion repository here. Sequoia refers to this move in it’s release as “the first public disclosure of source code from a voting systems manufacturer”. Carefully parsed, that’s probably correct: there have been unintentional disclosures of source code (e.g., Diebold in 2003) and I know of two other voting industry companies that have disclosed source code (VoteHere, now out of business, and Everyone Counts), but these were either not “voting systems manufacturers” or the disclosures were not available publicly. Of course, almost all of the research systems (like VoteBox and Helios) have been truly open source. Groups like OSDV and OVC have released or will soon release voting system source code under open source licenses.

I wrote a paper ages ago (2006) on the use of open and disclosed source code for voting systems and I’m surprised at how well that analysis and set of recommendations has held up (the original paper is here, an updated version is in pages 11–41 of my PhD thesis). The purpose of my post here is to highlight one point of that paper in a bit of detail: disclosed source software licenses need to have a few specific features to be useful to potential voting system evaluators. I’ll start by describing three examples of disclosed source software licenses and then talk about what I’d like to see, as a tinkerer, in these agreements. The definition of an open source software product is relatively simple: for all practical purposes, anything released under an OSI-approved software license is open source, especially in the sense that one who downloads the source code will have wide latitude to copy, distribute, modify, perform, etc. the source code. What we refer to as disclosed source software is publicly released under a more restrictive license.

Verified Voting Blog: Report on New York Voting System Pilot

Testimony on the voting machine pilot I gave at the New York State Senate Election Committee’s hearing on November 30, 2009. Full submitted testimony is posted here.

New York State was wise to do a pilot of our new voting systems. It provides an opportunity to work out the kinks in new systems and the procedures for managing them, allows us to learn from the inevitable mistakes, and to apply what we learn in the future. In my opinion, New York’s just concluded pilot was extremely valuable and revealed some important areas that need improvement. Certainly, privacy and ballot design issues often came up. However, given my limited speaking time I will submit comments on those two issues with my written testimony. Today I will discuss another pilot experience from which important lessons can be learned – the failure of some of the new voting machines and how New York can benefit from this failure.

Questions Raised in NY-23 Congressional Race
The NY-23 Congressional race had national attention, with 9 of 47 pilot counties holding elections in this race. Despite assurances from vendors, some of the new machines were inoperable on Election Day. In cases where machines failed, paper ballots were treated according to New York State emergency ballot rules, assuring that all votes were counted. Indeed, this is the great strength of New York’s new voting system – it ultimately relies on the marked paper ballot which contains a software independent record of voter intent.

Verified Voting Blog: No Voting Machine Virus in New York-23 Election

Erroneous reports are circulating that a virus caused a problem in the scanners used in the NY-23 Congressional race. The reports, based on an inaccurate article published in the Gouverneur Times, are incorrect. There was no virus in the NY-23 machines. How do I know? Well, in the first place, the Dominion ImageCast scanners in question run the Linux operating system, which is nearly immune to viruses due to its inherent ability to lock out programs that lack explicit permission to run, unlike the highly vulnerable Windows operating system. Second, the State Board of Elections gave an account of the problem at their public meeting on November 10, and which I confirmed in a phone conversation with staff earlier this week. Here’s what really happened:

Let’s be clear. While no votes were lost due the ability to independently count the paper ballots, a problem did occur that affected certain machines around the state. The issue was a bug in the Dominion source code that caused the machine to hang while creating ballot images for certain vote combinations in multiple candidate elections (the ImageCast, like the other scanner used in New York, the ES&S DS200, creates digital images of each ballot which can be reviewed after the election). So if, for example, a “vote for three candidates out of five” race was voted in a certain way, the scanner would hang. This is one reason why the defect affected some, but not all machines with ballots containing this type of race, because only certain combinations of votes caused the memory problem. But here’s the thing – the problem was discovered before the election.

Verified Voting Blog: Enfranchising Military Voters: Michigan Legislators Protect Verifiable, Secret Ballots

In a move to enfranchise soldiers deployed overseas, the Michigan House of Representatives has passed legislation that would allow blank absentee ballots to voters overseas by fax or e-mail. If House Bill 5279 passes the Senate and becomes law, local election officials will be able to send and receive applications for absentee ballots via fax or e-mail, and also be able to send blank absentee ballots to voters electronically. Voters will then print, mark and send the completed physical ballots to their local Michigan election officials. H5279 passed the House unanimously on November 5. Senate committee action is likely in December, according to Emily Carney, an aide to Senate Campaign and Election Oversight Committee chair Sen. Susan McManus.

House Bill 5279 implements a central recommendation of the Pew Center on the States’s January 2009 report “No Time to Vote“. The Pew report stated that Michigan currently does not allow overseas and military voters sufficient time to vote because ballots have to be sent and received via postal mail. The Pew Center recommended that Michigan allow election officials to e-mail blank absentee ballots to overseas and military voters, and accept completed ballots beyond the current election-day deadline.

Verified Voting Blog: Email Ballots – A Threat to the Security and Privacy of the Military Vote

Last week  the state Massachusetts, intending to improve military voters access to the ballot while serving overseas, approved a law which throws the integrity and security of those ballots into question by allowing their return by email. The original bill contained excellent provisions which would have helped solve one of the biggest problems facing overseas military personnel – timely receipt of absentee ballots. Currently, absentee ballots are sent by conventional mail, which can take two weeks to reach military voters. The problem is further exacerbated when soldiers are deployed in the field where they may not receive mail for long periods of time.

In its original form, the Massachusetts bill allowed military only to acquire an absentee ballot online. The downloaded blank ballot could then be printed, voted on and sent back, greatly enhancing the availability of ballots. But, in an ill conceived last minute addition, the bill was modified to also allow return of voted ballots by email. In terms of voter privacy and ballot security, email return of ballots is one of the worst choices and should never have been inserted in the bill let alone been approved. It’s not like the data wasn’t available. All lawmakers needed to do was consult a 2008 NIST research document which lays out the problems with email return of ballots in gruesome detail.

Verified Voting Blog: Comments on the California Secretary of State’s Precinct Level Data Pilot Project

Thank you for inviting comments on your Precinct Level Data Pilot Project, which seeks to provide precinct-level vote tabulation data to the public. We applaud Secretary Bowen’s pilot program. Timely precinct-level election results from California counties are crucial for establishing the integrity of California’s elections, for supporting analyses of election results and for designing and conducting post-election vote-tabulation audits. We have examined the sample data from the four counties—Orange County, Sacramento County, San Francisco County and San Luis Obispo County—that provided data for the Pilot Project.[1. See: http://www.sos.ca.gov/elections/sov/2009-special/precinct-data/index.htm] We submit these comments in the hope that you find them helpful as the Pilot Project goes forward.

Verified Voting Blog: National and State Voting Rights Groups Urge Massachusetts Governor Not to Sign Internet Voting Bill

UPDATE November 13: Massachusetts Lawmakers are listening to the concerns raised by computer scientists and civic organizations, and there is interest in correcting the oversight in the bill signed on Wednesday with new emergency legislation. Please visit the VerifiedVoting Action Center to send Massachusetts lawmakers an email urging protection of soldiers’ right to secret, verifiable…

Verified Voting Blog: On the Proposed ES&S Merger

Bad for the country, bad for New York

On the face of it, it would seem that the proposed merger of Premier Voting Systems (aka Diebold) and Election Systems & Software (ES&S) shouldn’t matter much to New York State. After all, Premier pulled out of the state over a year ago, and ES&S splits the state’s voting system sales with a competitor, Dominion Voting Systems. But there’s plenty of reason for New Yorkers to be wary of further consolidation of the rapidly shrinking voting machine industry. Recall the not so distant past when ES&S, along with Sequoia Voting Systems, jointly decided that paperless voting was New York’s future and offered only touch screen DREs to the state. When New Yorkers for Verified Voting organized the first ever demonstration of a paper ballot system with an accessible Ballot Marking Device and an optical scanner at the Albany State Capitol, the makers of the AutoMark ballot marking device, with whom we had arranged the demo, were ordered by ES&S to remove the scanner because it didn’t fit their product plans. The New York Daily News reported this story in 2005:

At the Capitol recently, a lobbyist managed to shut down a demonstration of optical scanning by getting his client to pull its machine from the display. Assemblywoman Sandra Galef of Westchester called the company to object and was told that New York is “a touch-screen state.” ” I said, ‘We are?’” Galef recalled. “I’m a legislator. I don’t think I’ve voted on anything.”

Verified Voting Blog: Recommendations to NIST on Post Election Audits

Verified Voting today joined with computers scientists and advocacy organizations in signing the following recommendations on post-election audits to the National Institute of Standards and Technology.

We, the undersigned, participated in a working meeting on vote tabulation audits hosted by the American Statistical Association (ASA) on October 23 and 24, 2009. We write to emphasize that future iterations of the Voluntary Voting System Guidelines (VVSG) should facilitate effective vote tabulation audits. We applaud the VVSG II’s requirement for independent voter-verifiable records (IVVRs). This requirement is necessary to enable verification of election outcomes independently of the tabulation systems; it should be adopted as soon as possible. However, if election outcomes are to be verified efficiently, vote tabulation systems must meet requirements that go well beyond the draft VVSG 1.1.

Verified Voting Blog: Paper Ballots, Photocopiers, and Security

When I heard that New York City had found that a photocopy of a ballot could be successfully scanned by both of the two systems being used in New York State, my first thought was that this is Sun-Rises-in-the-East news. It didn’t surprise me, and the first line of defense against attacks involving any type of fake ballot, photocopied or printed, is well designed and implemented ballot management security procedures. But this is a complex issue which bears some discussion.

Before discussing the security threat, let’s look at a technical question – should a scanner be able to detect a photocopied ballot? One of the challenges posed by modern high resolution copiers and printers is that they are capable of producing all manner of difficult to detect counterfeits. This became an extremely serious problem in the 1990’s as convincing counterfeit currency became easy to produce using the off the shelf copiers. In response, the United States has been replacing currency with new bills containing anti-counterfeiting features. So it’s no surprise that a modern copier can create a ballot that can be successfully scanned.

Verified Voting Blog: Improving the 2010 EAC Election Day Survey

The Election Day Survey plays an ongoing, important, and unique role in collecting and publishing data on election administration in the United States. Balancing the right of the public to know how our elections function with the burden of reporting useful data by those who administer our elections is clearly a complex task but one we feel is extremely worthwhile. There are several categories of data we believe are very useful to collect, and our recommendations address those categories specifically.

Voting System Reports

Beginning in 2004, Verified Voting collaborated with various partners to collect voters’, observers’ and others’ reports about incidents or malfunctions including those involving voting systems, the mechanism by which voters cast their votes. These reports came to the “Election Incident Reporting System” (EIRS) primarily via calls to a hotline operated by the Election Protection Coalition, part of an effort to protect the rights of voters to cast a ballot and have confidence that their ballot was counted. We made available a free public dataset of those reports. The project was cited in a GAO report  about electronic voting security and reliability in 2005.

Verified Voting Blog: Burstein and Hall’s Response to the EAC

Verified Voting Foundation Board of Advisors member Joseph Lorenzo Hall and Aaron Burstein submitted the following response to the EAC’s letter from October 21 2009.

Thank you for your reply of October 21, 2009, to our letter of October 13, 2009. We appreciate your pointing out that relevant documents are available on the EAC’s website. Of course, it was the EAC’s commendable policy of making these documents publicly available that allowed us to initiate this dialogue. As you know, neither test plans nor test reports were available under the NASED qualification testing program; this change is important for establishing a more trustworthy voting system testing and certification program under the EAC. After carefully reviewing your letter, however, we continue to question whether iBeta’s test plan for the Premier system fully incorporates some of the lessons of the California Top-to-Bottom Review (TTBR) into EAC testing and certification. Even for the examples the EAC points to in its reply, the test plan does not state in sufficient detail what iBeta proposed to do to test the system. For example, an element of the security test—“port access is controlled” (test plan p. 73)—states a desired result or conclusion but does not describe how iBeta would arrive at that conclusion nor under what conditions would this element fail.

Verified Voting Blog: Verified Voting Statement on the Acquisition of Premier Election Solutions

The recently announced acquisition of Premier Election Solutions (formerly Diebold) by its largest competitor, Election Services & Software (ES&S), requires close scrutiny, as it raises greater concerns about the security, transparency and cost of elections and creates a profound anti-competitive effect in the shrinking marketplace for voting systems. We welcome the call by Senator Charles E. Schumer, chair of the U.S. Senate Committee on Rules and Administration, for a Department of Justice probe of the Premier sale,[1. http://schumer.senate.gov/new_website/record.cfm?id=317761] and we hope the Department acts promptly on the recommendation. In addition, a judge for the US District Court in New Jersey has set a date for a hearing on an injunction to block the merger.[2. http://legaltimes.typepad.com/blt/2009/09/judge-sets-hearing-on-injunction-to-block-voting-machine-merger.html] Verified Voting estimates that some 64 percent of the nation’s registered voters live in jurisdictions where ES&S or Premier vote tabulating equipment is used. The request was brought by a vendor who argues that the resulting stranglehold on the market raises a “threat of irreparable harm” to voters.[3. Based on 2008 voter registration data. http://verifiedvoting.org/verifier]

What can we expect to see? In the near future, many election jurisdictions, especially those using direct-recording electronic voting systems, may need to replace their current voting systems as equipment purchased to comply with the Help America Vote Act of 2002 nears the end of its expected life. With ES&S’ acquisition of Premier’s contracts, it dominates the marketplace.[4. “Ongoing Challenges in Voting System Certification.” By Douglas W. Jones. Presented at the Innovations in Election Technology Conference, May 28, 2009. http://www.cs.uiowa.edu/~jones/voting/uminn09.shtml]

Verified Voting Blog: NY-23 and the Voting Machine Pilot Program

For the first time, NY-23 will vote on paper ballots

The special election for the seat in the NY-23 Congressional district has begun to draw national attention, being seen by some as a bellwether of the strength of conservative Republicans. Unnoted by the mainstream media is the fact that the election will be conducted on new voting systems that are being used for the first time as part of the state’s pilot program. The pilot, which permits use of the as yet uncertified machines on a provisional basis, was designed to allow local Boards of Elections try out the new systems in an off year election when turnout is typically low and few races for state or national offices are held. However, the vacancy in the NY-23 seat created by the resignation of Representative John McHugh and the political makeup of the district, always strongly Republican, creates a high tension atmosphere where the eyes of the nation will focus on northern New York on November 3rd. The performance of the new voting machines as well as the procedures used to manage and secure the paper ballots will be under intense scrutiny.

Verified Voting Blog: EAC Response to Burstein and Hall

The Election Assistance Commission has sent this response to Aaron Burstein and Joseph Lorenzo Hall’s comments on the EAC’s Voting System Test Lab and the California Top to Bottom Review of Voting Systems.

Thank you for your letter dated October 13, 2009, concerning the federally accredited Voting System Test Lab’s (VSTL) consideration of the California Secretary of State’s Top-To-Bottom Review (TTBR) in developing the test plan for the Premier Assure 1.2 voting system. The VSTL that tested the Premier Assure 1.2, iBeta Laboratories, closely reviewed the findings of the TTBR during the development of its test plan in accordance with the requirements of EAC’s Testing and Certification program and the “Evolution of Testing” requirement contained in Section 1.5 of the 2002 Voting System Standards (VSS). In addition, the VSTL reviewed the results of the Kentucky, Ohio, and Connecticut Reports which resulted in an update of the Security Test Case to verify that Connecticut’s recommended tamper-resistant seals were incorporated into the Premier Technical Data Package (TDP). The review of the 3 March 2009 California Secretary of State report. was also reviewed as well as the Premier Product Advisory Notices. Finally, please note that the software and firmware versions of each component of the system reviewed by California were an earlier version than that tested by the EAC VSTL. A comparison is listed below for your information.

Verified Voting Blog: California Top-to-Bottom Reviewers Letter to the Election Assistance Commission

We write to you on behalf of those individuals listed below from the California Secretary of State’s Top-To-Bottom Review (TTBR) in 2007. The TTBR was an unprecedented, in-depth evaluation of California’s voting systems, which allowed investigators to gain a better understanding of their vulnerabilities. As you know, the EAC recently certified Premier’s Assure 1.2 voting system as conforming to the 2002 Voting System Standards (VSS). This system was tested by iBeta Laboratories (iBeta), one of the accredited Voting System Test Labs (VSTLs). According to the posted test plan—the roadmap for a VSTL’s evaluation of a voting system during certification testing—for Premier Assure 1.2, iBeta interpreted the TTBR studies of the Premier system’s predecessor to have “concluded that the vulnerabilities within the system depend almost entirely on the effectiveness of the election procedures.” On the basis of this interpretation, iBeta developed a test plan that called for “no additional testing” of the Premier system’s security properties. The EAC approved this plan. Taken together, iBeta’s misunderstanding of the significance of the TTBR findings and the EAC’s approval of a test plan that was designed around this misunderstanding, represent a missed opportunity to use the testing and certification process to improve voting system integrity and reliability.

Verified Voting Blog: Verified Voting Public Comment on the Draft Voluntary Voting System Guidelines, Version 1.1

Download PDF Version

We appreciate the opportunity to comment on the most recent iteration of the Voluntary Voting System Guidelines (1.1). We understand that the goal is to move forward on specific elements from the prior draft which were widely supported. The exclusion of some key principles warrant great concern and if left out of any approved version going forward, will delay progress toward greater reliability of voting systems. We support the comments made by A Center for Correct, Usable, Reliable, Auditable and Transparent Elections (ACCURATE), and add our comments on three main points below.

1. SOFTWARE INDEPENDENCE

Software independence (SI), or the “quality of a voting system or voting device such that a previously undetected change or fault in software cannot cause an undetectable change or error in election outcome,” is the foundation of an auditable voting system. Verified Voting strongly supports software independence. Leaving out this core element from the prior draft in the current VVSG 1.1 will delay essential progress in voting system reliability and security. We strongly recommend the reinstatement of the principle of software independence into the VVSG to be enacted as quickly as possible. For security, nothing is as crucial as auditing an auditable voting system. Without the ability to detect changes or problems in the voting system confidence in the integrity of electoral outcomes is unfounded.

Verified Voting Blog: Internet Voting – Not as Easy as You Think

Recently the Huffington Post published an article about Hawaii’s recent Internet and phone-based elections (“America’s Newest State Holds America’s Newest Election“). The article presents an optimistic and patriotic view of the Everyone Counts (E1C) election system that allows voters to cast their ballots from their home computers or over the phone. It was written by E1C executive Aaron Contorer and is effectively a marketing piece for E1C that exaggerates the scope of the election, overlooks or insults other election methods, and glosses over the formidable technical challenges and dangers posed by the electronic submission of voted ballots.

The election in Honolulu was for neighborhood board members, and thus was not covered by Hawaii’s public election laws. That matters because Hawaii’s election laws, fortunately, require a voter-verified paper ballot and a post-election hand audit of a percentage of these ballots. Since such verification and audits are impossible with a purely Internet-based voting system, there is no legal way to use the E1C system under current Hawaii state law. Nevertheless, because this small election is being used to promote Internet voting generally, and because Internet voting schemes are being proposed across the United States, the issue demands thorough discussion. In response to multiple efforts to allow voting over the Internet in major elections, many of our nation’s prominent technology experts have signed a statement cautioning against adopting Internet-based voting systems without first understanding and guarding against the numerous and well-documented dangers. This is not because, as Mr. Contorer suggests, those opposing Internet voting find “[t]he introduction of technology to any process … scary”. The signatories to this statement are not at all intimidated by technology; in fact many are established experts in voting systems who are most certainly aware of the major risks associated with Internet voting.