Verified Voting Public Commentary: Verified Voting Testimony before the Pennsylvania State Senate Senate State Government Committee: Voting System Technology and Security

Download as PDF The security of election infrastructure has taken on increased significance in the aftermath of the 2016 election cycle. During the 2016 election cycle, a nation-state conducted systematic, coordinated attacks on America’s election infrastructure, with the apparent aim of disrupting the election and undermining faith in America’s democratic institutions. Intelligence reports that have…

Verified Voting Blog: Testimony of Verified Voting to the Georgia House of Representatives House Science and Technology Committee

Download as PDF Georgia’s voting machines need an update. The lifespan of voting machines has been estimated at 10-15 years.1 Purchased in 2002 Georgia’s voting machines are at the outside of that estimate. As voting systems age they are more susceptible to error, malfunction or security threats potentially losing or miscounting votes. Georgia is one…

Verified Voting Blog: Andrew W. Appel: My testimony before the House Subcommittee on IT

This article appeared originally at Freedom to Tinker on September 30, 2016. I was invited to testify yesterday before the U.S. House of Representatives Subcommittee on Information Technology, at a hearing entitled “Cybersecurity: Ensuring the Integrity of the Ballot Box.”  My written testimony is available here.  My 5-minute opening statement went as follows:

My name is Andrew Appel.  I am Professor of Computer Science at Princeton University.   In this testimony I do not represent my employer. I’m here to give my own professional opinions as a scientist, but also as an American citizen who cares deeply about protecting our democracy. My research is in software verification, computer security, technology policy, and election machinery.  As I will explain, I strongly recommend that, at a minimum, the Congress seek to ensure the elimination of Direct-Recording Electronic voting machines (sometimes called “touchscreen” machines), immediately after this November’s election; and that it require that all elections be subject to sensible auditing after every election to ensure that systems are functioning properly and to prove to the American people that their votes are counted as cast. There are cybersecurity issues in all parts of our election system:  before the election, voter-registration databases; during the election, voting machines; after the election, vote-tabulation / canvassing / precinct-aggregation computers.  In my opening statement I’ll focus on voting machines.  The other topics are addressed in a recent report I have co-authored entitled “Ten Things Election Officials Can Do to Help Secure and Inspire Confidence in This Fall’s Elections.”

Verified Voting Public Commentary: Statement to the Pennsylvania Senate State Government Committee Re: SB 1052

Verified Voting is writing today to express our opposition to Senate Bill 1052, a bill which would permit the return of ballots by electronic transmission over insecure Internet means for military voters in Pennsylvania, and to urge you to vote NO on SB 1052. Ballots sent by email are vulnerable to undetectable manipulation or tampering while in transit over the Internet. Ballots sent by fax are also vulnerable to attackers. Today most facsimiles are sent via Internet over facsimile mail programs which have the same threat profile as emailed ballots. By permitting the electronic return of voted ballots, SB 1052 will significantly damage the integrity of Pennsylvania’s elections and put the ballots of military voters at grave risk.

Department of Defense and National Institute of Standards and Technology oppose online voting.

At the start of the 21st century the promise of secure Internet voting seemed attainable; Congress directed the Department of Defense (DOD) in the 2002 National Defense Authorization Act (NDAA) to develop an online voting system for military and overseas voters. The Federal Voting Assistance Program (FVAP), an agency administered by the DOD, developed a system for deployment in 2004. After a security review the DOD cancelled the project because it could not ensure the legitimacy of votes cast over the Internet. In 2005 Congress directed the National Institute of Standards and Technology (NIST) to study the online return of voted ballots for the purpose of setting security standards so DoD and FVAP could develop a secure online voting system for military voters. NIST published numerous reports on its research, and documented several security issues that cannot be mitigated or solved with the cyber security safeguards and voting system protocols currently available. NIST concluded that until these challenges are overcome, secure Internet voting is not yet feasible.

For these reasons the Department of Defense has warned that it cannot ensure the legitimacy of ballots sent over the Internet and has stated “[the Department of Defense] does not advocate for the electronic transmission of any voted ballot, whether it be by fax, email or via the Internet.” In addition, the Federal Voting Assistance Program, in a report to Congress in 2013, stated clearly that the postal mail return of a voted ballot, coupled with the electronic transmission of a blank ballot is the “most responsible”[4. Federal Voting Assistance Program, May 2013, “2010 Electronic Voting Support Wizard (EVSW) Technology Pilot Program Report to Congress http://www.fvap.gov/uploads/FVAP/Reports/evsw_report.pdf] method of absentee voting for UOCAVA voters. The overwhelming evidence that secure Internet voting is not within our grasp led Congress to repeal, in the 2015 National Defense Authorization Act, the earlier directive that DoD pursue online voting for military and overseas voters.

It is not reasonable to expect the Pennsylvania Department of State should be able to develop a secure online ballot return system when the Department of Defense and the National Institute of Standards and Technology have determined secure online voting is not presently achievable.

Verified Voting Public Commentary: Comments on Colorado Rules Concerning Internet Voting

We are pleased to provide testimony and remarks regarding proposed rule changes to Colorado’s Rules Concerning Elections 8 CCR 1501-5. We appreciate the effort of your office to solicit preliminary comments from the public to inform the draft of the proposed rule changes and were happy to participate in the process. We remain in opposition to Rule 16.2.1(c). However, before addressing Rule 16.2.1(c), we would first like to address proposed new Rule 16.2.8 prohibiting Internet voting because it is inextricably linked to proposed Rule 16.2.1(c).

Public comments voiced significant objection to Internet voting. The Secretary has proposed Rule 16.2.8 which states:

New Rule 16.2.8:
16.2.8 NOTHING IN THIS RULE 16.2 PERMITS INTERNET VOTING. INTERNET VOTING MEANS A SYSTEM THAT INCLUDES REMOTE ACCESS, A VOTE THAT IS CAST DIRECTLY INTO A CENTRAL VOTE SERVER THAT TALLIES THE VOTES, AND DOES NOT REQUIRE THE SUPERVISION OF ELECTION OFFICIALS

Proposed new Rule 16.2.8 unfortunately fails to recognize that email and fax return of voted ballots (permitted and expanded in Rule 16.2.1(c)) is Internet voting and includes all of the inherent security risk of Internet voting. In fact, email (and digital fax) are considered by voting system experts at both the National Institute of Standards and Technology and the U.S. Election Assistance Commission to be even less secure, [1. “E-mails are significantly easier to intercept and modify in transit than other forms of communication.” NIST IR 7551 A Threat Analysis of UOCAVA Voting Systems http://www.nist.gov/itl/vote/upload/uocava-threatanalysis-final.pdf], [2. “Email is about the least secure method of ballot delivery,” Brian Hancock The Canvass – “Internet voting, not ready for prime-time?” Feb 2013 http://www.ncsl.org/Portals/1/Documents/legismgt/elect/Canvass_Feb_2013_no_37.pdf] than the type of Internet voting system described in proposed Rule 16.2.8.

Verified Voting Blog: Post Election Audits for New Hampshire

No voting system is perfect. Nearly all elections in New Hampshire, as in most of the nation, are counted using electronic vote counting systems. Such systems have produced result-changing errors through problems with hardware, software and procedures. Error can also occur when compiling results. Even serious error can go undetected if results are not audited effectively.

In a municipal election in Palm Beach County, Florida in 2012 a “synchronization” problem with the election management software allotted votes to both the wrong candidate and the wrong contest; this was uncovered during a post-election audit. The results were officially changed after a public hand count of the votes. Particularly noteworthy about that example is the fact that Florida has one of the nation’s weakest audit provisions; even so, it enabled the discovery of this critical error. In another state, a software malfunction caused thousands of votes to be added to the total. A manual audit revealed the mistake and officials were able to correct the results and avoid a costly run-off election. In a Republican primary in Iowa, a manual check of the physical ballots revealed a programming error that was attributing votes to the wrong candidates. Thanks to the manual audit, the correct person was seated in office.

Verified Voting Blog: Verified Voting Recommendations to the Presidential Commission on Election Administration

On Election Day, long lines were produced in many cases due to voting systems that malfunctioned in multiple locations across the country. As stated in a joint letter we signed sent to President Obama last November, “While insufficient voting equipment was not the only cause for long wait times, it no doubt contributed to the problems we saw on Election Day. The need to improve our voting systems is urgent. Much of the voting equipment in use today is nearing the end of its life cycle, making equipment attrition and obsolescence a serious and growing threat.”[1. http://www.calvoter.org/issues/votingtech/pub/Election_verification_letter_to_Obama_11-20-]

In our “Counting Votes 2012: A State By State Look At Election Preparedness” report[2. http://countingvotes.org], about the 50 states’ preparedness for this major election cycle, we identified key areas of concern. We predicted many states could have problems due to:

• aging voting systems,
• dependence on machine interface for voting for the majority of voters, and
• thoroughness of policies and regulations for emergency back-up provisions in case polling place problems occur and lines start to form.

There were few surprises. As one of our technology expert recruits for the OurVoteLive (OVL) Election Protection hotline indicated:

What’s most interesting is that if you divide things into “easy to solve” and “hard to solve”, the “easy to solve” ones tend to be in places using optical scan [ballots], and the “hard to solve” in places using machines [DREs].

Verified Voting Blog: Statement on the Dangers of Internet Voting in Public Elections

At a time when more and more transactions occur online, a number of election officials and private organizations are looking to the Internet as one more possible avenue for balloting. When the Academy of Motion Picture Arts and Sciences announced that would be using an online voting system to help its members choose this year’s Oscar nominees and finalists, thereby adding to the “credibility” of online voting, we find ourselves compelled to remind the general public that it is dangerous to deploy voting by email, efax, or through Internet portals in public governmental elections at this time. Public elections run by municipal, local and state governments should not be compared to elections like the one run by the Academy. The following describes our concerns about the use of Internet voting systems in public elections.

• Cyber security experts at the National Institute of Standards and Technology[1] and the Department of Homeland Security[2] have warned that current Internet voting technologies should not be deployed in public elections. Internet voting systems, including email, fax and web based voting systems in which marked ballots are cast online, cannot be properly protected and may be subject to undetectable alteration.

• Citizens ask, “If I can bank online, why can’t I vote online?” Online banking and e-commerce are NOT secure, despite massive business investments in state-of-the-art cyber-security tools.

• Banking policies protect and reimburse people whose money or credit card numbers are stolen online. If a hacker deletes or alters a ballot, the action can neither be traced nor corrected.

• Banking policies generally do not protect companies when funds are stolen from their accounts. It has been reported that as many as ten percent of small business have had money stolen from their bank accounts.[3] Even so, businesses understand and accept that money lost through cyber-crime is part of the risk of doing business online, and they seek to reduce losses by obtaining fraud insurance. We cannot take that approach in counting votes in public elections; a cyber-attack that alters or deletes just a few hundred votes, and perhaps even fewer, can change the result of an election. There is no such thing as “fraud insurance” for ballots, and we can scarcely accept online fraud in ten percent of our election jurisdictions.

• The parties in online business transactions maintain and audit account records to detect fraudulent activities. But because we vote by secret ballot in public elections, individual voters have no way to check and verify that their ballots were properly counted. Thus online voting is particularly susceptible to tampering, all but certain to go undetected.

• Internet voting system vendors make claims about the security of their products that have never been substantiated by publicly reviewable testing and research.

Verified Voting Blog: Verified Voting Comments on Proposed Changes to Colorado Election Rule 43

On February 14, 2012, Colorado Secretary of State Scott Gessler held a hearing on proposed changes to existing regulations governing county procedures for the security of ballots, voting equipment, and other election materials.  The public was invited to comment.  Verified Voting reviewed the proposed rules changes (which can be found here) and made the following comment, highlighting concerns about changes to chain procedures of custody of ballots and equipment. Submitted February 21, 2012

Thank you for this opportunity to comment upon proposed revisions to Colorado Election Rules governing county procedures for securing election equipment and materials. Verified Voting is a national nonpartisan organization working to safeguard elections in the digital age. We seek to promote the deployment of election systems and practices that vouchsafe the accessibility, reliability, and transparency of public elections. We believe that the proposed revision contains several positive changes, as well as some that cause concern, or call for more clarity.

Verified Voting Blog: Roadmap for Future California Elections

When it comes to elections, what does California do well? What could California do better? How have we led, and how have we perhaps lagged behind? These are questions that a diverse group of individuals and organizations asked themselves and one another over the course of three months, with an aim to envision the future of California’s elections. It turned out to be an extraordinary conversation and a process which could very well serve as a model for other states as well. One driving force in the process was the convening organization, the James Irvine Foundation, which has long worked on issues of importance to Californians. The participants included a diverse range of representatives with a concern for voters and not-yet voters, for elections and how they function, and for California’s democracy.

Download the Roadmap for Future California Elections (pdf)

Verified Voting Blog: Verified Voting Comments to EAC on Internet Voting Pilots

With many states already deploying a form of Internet voting, email return of voted ballots (see map), it is important that requirements for remote voting systems and the pilot programs that test them reflect the highest standards for security. On April 30, 2010, Verified Voting submitted comments to the EAC on proposed testing requirements for military and overseas voting pilot programs that use remote technologies such as Internet Voting. In a letter to the EAC, president Pam Smith said that the comments focused on “the broad outlines of the pilot program and core precepts to which we believe any pilots should adhere.” Sending voted ballots over the public Internet “is in a security class by itself,” the letter noted, and these ballots are vulnerable to attacks from a wide range of individuals, organizations, and even governments. “Voting systems for UOCAVA voters should not be held to a higher security standard than domestic absentee voting,” the letter said, “nor should UOCAVA voters be required to use a system that is less secure than those used by voters back home.”

Verified Voting Blog: Verified Voting Comments on EAC Internet Pilot Requirements

Thank you for the opportunity to comment on the proposed UOCAVA Pilot Program Testing Requirements.  We appreciate the invitation for public input to such an important initiative.  In this letter we confine our comments to the broad outlines of the pilot program and core precepts to which we believe any pilots should adhere. The Verified Voting Foundation has benefited greatly from prominent experts whose professional work duties include achieving U.S. national security objectives within digital networks and computer communications.  This expertise leads us to set forth this core understanding:  Federal election security is a fundamental component of U.S. national security.  Applying this principle, we submit that election security should not be compromised for convenience or transmission speed. Internet voting (which for purposes of these comments we define as transmission of voted ballots over the public Internet) is in a security class by itself.  In comparing Internet transmission of voted ballots to paper absentee ballot voting, we agree with the oft-made point that voting systems for UOCAVA voters should not be held to a higher security standard than domestic absentee voting. Nor should UOCAVA voters be required to use a system that is less secure than those used by voters back home.

Verified Voting Blog: Verified Voting Letter to Tennessee State Senators

We respectfully urge you to vote No on House Bill 614, which seeks to delay implementation of the Tennessee Voter Confidence Act and fatally weaken its provision for manual post-election audits of electronic vote tallies. HB 614 is on the Senate’s calendar for Tuesday January 12, 2010. Rejection of the bill is warranted based on the determination of the Chancery Court regarding the TVCA and its requirements for federal certification of voting systems, and on the State’s still un-met need for verifiable ballots and hand-counted audits of electronic vote tallies.

In November 2009, the Chancery Court of Davidson County, after receiving information from voting technology experts, corrected the assumption that the TVCA required new voting systems to be certified by the United States Election Assistance Commission (the EAC) to the 2005 version of the Federal voluntary voting system guidelines. The Court issued a Conclusion of Law noting the TVCA allows voting systems to be certified by the EAC to either the 2002 voting system standards or the 2005 guidelines, and ordered the State Elections Division to proceed with implementation without delay.

Verified Voting Blog: Verified Voting Comments to FCC on Internet Voting

In the American Recovery and Reinvestment Act of 2009 (Recovery Act), Congress directed the Federal Communications Commission (FCC), as part of its development of a National Broadband Plan, to include “a plan for the use of broadband infrastructure and services in advancing …civic participation.” On December 10, 2010 the Federal Communications Commission issued a request for public comments “…on how broadband can help to bring democratic processes—including elections, public hearings and town hall meetings—into the digital age…” Verified Voting, in submitted comments, answered the question – “With existing technology, is it possible to enable and ensure safe and secure voting online today?”, simply – “In a word, no.” As a recent report from the National Institute of Standards and Technology (NIST) indicates, “…The security challenges associated with e-mail return of voted ballots are difficult to overcome using technology widely deployed today.” And “…Technology that is widely deployed today is not able to mitigate many of the threats to casting ballots via the web.

Despite the short window allowed for public comment, numerous organizations and individuals, including Verified Voting submitted comments. Much of Verified Voting’s commentary was informed by the “Computer Technologists’ Statement on Internet Voting”, published last year and signed by dozens of leading technology professionals and computer security experts. This post is the first in a series that will highlight the commentary submitted to the FCC on the issue of the role of the internet in the electoral process. In answer to the question “With existing technology, is it possible to enable and ensure safe and secure voting online today?”, Verified Voting responded, “in a word, no.”

Verified Voting Blog: Enfranchising Military Voters: Michigan Legislators Protect Verifiable, Secret Ballots

In a move to enfranchise soldiers deployed overseas, the Michigan House of Representatives has passed legislation that would allow blank absentee ballots to voters overseas by fax or e-mail. If House Bill 5279 passes the Senate and becomes law, local election officials will be able to send and receive applications for absentee ballots via fax or e-mail, and also be able to send blank absentee ballots to voters electronically. Voters will then print, mark and send the completed physical ballots to their local Michigan election officials. H5279 passed the House unanimously on November 5. Senate committee action is likely in December, according to Emily Carney, an aide to Senate Campaign and Election Oversight Committee chair Sen. Susan McManus.

House Bill 5279 implements a central recommendation of the Pew Center on the States’s January 2009 report “No Time to Vote“. The Pew report stated that Michigan currently does not allow overseas and military voters sufficient time to vote because ballots have to be sent and received via postal mail. The Pew Center recommended that Michigan allow election officials to e-mail blank absentee ballots to overseas and military voters, and accept completed ballots beyond the current election-day deadline.

Verified Voting Blog: Recommendations to NIST on Post Election Audits

Verified Voting today joined with computers scientists and advocacy organizations in signing the following recommendations on post-election audits to the National Institute of Standards and Technology.

We, the undersigned, participated in a working meeting on vote tabulation audits hosted by the American Statistical Association (ASA) on October 23 and 24, 2009. We write to emphasize that future iterations of the Voluntary Voting System Guidelines (VVSG) should facilitate effective vote tabulation audits. We applaud the VVSG II’s requirement for independent voter-verifiable records (IVVRs). This requirement is necessary to enable verification of election outcomes independently of the tabulation systems; it should be adopted as soon as possible. However, if election outcomes are to be verified efficiently, vote tabulation systems must meet requirements that go well beyond the draft VVSG 1.1.

Verified Voting Blog: Improving the 2010 EAC Election Day Survey

The Election Day Survey plays an ongoing, important, and unique role in collecting and publishing data on election administration in the United States. Balancing the right of the public to know how our elections function with the burden of reporting useful data by those who administer our elections is clearly a complex task but one we feel is extremely worthwhile. There are several categories of data we believe are very useful to collect, and our recommendations address those categories specifically.

Voting System Reports

Beginning in 2004, Verified Voting collaborated with various partners to collect voters’, observers’ and others’ reports about incidents or malfunctions including those involving voting systems, the mechanism by which voters cast their votes. These reports came to the “Election Incident Reporting System” (EIRS) primarily via calls to a hotline operated by the Election Protection Coalition, part of an effort to protect the rights of voters to cast a ballot and have confidence that their ballot was counted. We made available a free public dataset of those reports. The project was cited in a GAO report  about electronic voting security and reliability in 2005.

Verified Voting Blog: Verified Voting Statement on the Acquisition of Premier Election Solutions

The recently announced acquisition of Premier Election Solutions (formerly Diebold) by its largest competitor, Election Services & Software (ES&S), requires close scrutiny, as it raises greater concerns about the security, transparency and cost of elections and creates a profound anti-competitive effect in the shrinking marketplace for voting systems. We welcome the call by Senator Charles E. Schumer, chair of the U.S. Senate Committee on Rules and Administration, for a Department of Justice probe of the Premier sale,[1. http://schumer.senate.gov/new_website/record.cfm?id=317761] and we hope the Department acts promptly on the recommendation. In addition, a judge for the US District Court in New Jersey has set a date for a hearing on an injunction to block the merger.[2. http://legaltimes.typepad.com/blt/2009/09/judge-sets-hearing-on-injunction-to-block-voting-machine-merger.html] Verified Voting estimates that some 64 percent of the nation’s registered voters live in jurisdictions where ES&S or Premier vote tabulating equipment is used. The request was brought by a vendor who argues that the resulting stranglehold on the market raises a “threat of irreparable harm” to voters.[3. Based on 2008 voter registration data. http://verifiedvoting.org/verifier]

What can we expect to see? In the near future, many election jurisdictions, especially those using direct-recording electronic voting systems, may need to replace their current voting systems as equipment purchased to comply with the Help America Vote Act of 2002 nears the end of its expected life. With ES&S’ acquisition of Premier’s contracts, it dominates the marketplace.[4. “Ongoing Challenges in Voting System Certification.” By Douglas W. Jones. Presented at the Innovations in Election Technology Conference, May 28, 2009. http://www.cs.uiowa.edu/~jones/voting/uminn09.shtml]

Verified Voting Blog: Verified Voting Public Comment on the Draft Voluntary Voting System Guidelines, Version 1.1

Download PDF Version

We appreciate the opportunity to comment on the most recent iteration of the Voluntary Voting System Guidelines (1.1). We understand that the goal is to move forward on specific elements from the prior draft which were widely supported. The exclusion of some key principles warrant great concern and if left out of any approved version going forward, will delay progress toward greater reliability of voting systems. We support the comments made by A Center for Correct, Usable, Reliable, Auditable and Transparent Elections (ACCURATE), and add our comments on three main points below.

1. SOFTWARE INDEPENDENCE

Software independence (SI), or the “quality of a voting system or voting device such that a previously undetected change or fault in software cannot cause an undetectable change or error in election outcome,” is the foundation of an auditable voting system. Verified Voting strongly supports software independence. Leaving out this core element from the prior draft in the current VVSG 1.1 will delay essential progress in voting system reliability and security. We strongly recommend the reinstatement of the principle of software independence into the VVSG to be enacted as quickly as possible. For security, nothing is as crucial as auditing an auditable voting system. Without the ability to detect changes or problems in the voting system confidence in the integrity of electoral outcomes is unfounded.