The Verified Voting Blog

This blog contains posts authored by the Verified Voting Team and by members of the Verified Voting Board of Advisors.

Statement to the Pennsylvania Senate State Government Committee Re: SB 1052

Verified Voting is writing today to express our opposition to Senate Bill 1052, a bill which would permit the return of ballots by electronic transmission over insecure Internet means for military voters in Pennsylvania, and to urge you to vote NO on SB 1052. Ballots sent by email are vulnerable to undetectable manipulation or tampering while in transit over the Internet. Ballots sent by fax are also vulnerable to attackers. Today most facsimiles are sent via Internet over facsimile mail programs which have the same threat profile as emailed ballots. By permitting the electronic return of voted ballots, SB 1052 will significantly damage the integrity of Pennsylvania’s elections and put the ballots of military voters at grave risk.

Department of Defense and National Institute of Standards and Technology oppose online voting.

At the start of the 21st century the promise of secure Internet voting seemed attainable; Congress directed the Department of Defense (DOD) in the 2002 National Defense Authorization Act (NDAA) to develop an online voting system for military and overseas voters. The Federal Voting Assistance Program (FVAP), an agency administered by the DOD, developed a system for deployment in 2004. After a security review the DOD cancelled the project because it could not ensure the legitimacy of votes cast over the Internet. In 2005 Congress directed the National Institute of Standards and Technology (NIST) to study the online return of voted ballots for the purpose of setting security standards so DoD and FVAP could develop a secure online voting system for military voters. NIST published numerous reports on its research, and documented several security issues that cannot be mitigated or solved with the cyber security safeguards and voting system protocols currently available. NIST concluded that until these challenges are overcome, secure Internet voting is not yet feasible.

For these reasons the Department of Defense has warned that it cannot ensure the legitimacy of ballots sent over the Internet and has stated “[the Department of Defense] does not advocate for the electronic transmission of any voted ballot, whether it be by fax, email or via the Internet.” In addition, the Federal Voting Assistance Program, in a report to Congress in 2013, stated clearly that the postal mail return of a voted ballot, coupled with the electronic transmission of a blank ballot, is the “most responsible” method of absentee voting for UOCAVA voters (Federal Voting Assistance Program, May 2013, “2010 Electronic Voting Support Wizard (EVSW) Technology Pilot Program Report to Congress”). The overwhelming evidence that secure Internet voting is not within our grasp led Congress to repeal, in the 2015 National Defense Authorization Act, the earlier directive that DoD pursue online voting for military and overseas voters.

It is not reasonable to expect that the Pennsylvania Department of State should be able to develop a secure online ballot return system when the Department of Defense and the National Institute of Standards and Technology have determined that secure online voting is not presently achievable.

It’s bold, but legal: How campaigns and their super PAC backers work together | The Washington Post

The 2016 presidential contenders are stretching the latitude they have to work with their independent allies more than candidates in recent elections ever dared, taking advantage of a narrowly drawn rule that separates campaigns from outside groups. For the first time, nearly every top presidential hopeful has a personalized super PAC that can raise unlimited sums and is run by close associates or former aides. Many also are being boosted by nonprofits, which do not have to disclose their donors. The boldness of the candidates has elevated the importance of wealthy donors to even greater heights than in the last White House contest, when super PACs and nonprofits reported spending more than $1 billion on federal races. Although they are not supposed to coordinate directly with their independent allies, candidates are finding creative ways to work in concert with them.

What if Volkswagen made Voting Machines?

Volkswagen stock plummeted today, because of accusations by the Environmental Protection Agency that VW uses software that turns on its emission control device when the software detects that one of its diesel cars is undergoing emission testing. When not being tested, the software disables the device, thereby causing the car to spew as much as 40 times the pollution limit of the Clean Air Act.

Like VW cars, modern voting machines contain software that is tested before use in elections. It would not be difficult to write voting machine software that would, like the VW software, know when it is being tested, and thus behave correctly during testing but not during an actual election. If such behavior were detected after an election, the vendor stock would plummet, but so would voter confidence in the outcome of the election. Furthermore, in the case of some voting systems that cannot be legitimately recounted, such as paperless voting machines or online votes, there would be no way to determine after the election if the declared winners were the actual winners.


Colorado Secretary of State Wayne Williams obscured key facts in online-voting commentary

Last week’s guest commentary by Secretary of State Wayne Williams in The Colorado Statesman obscured some important facts. He was responding to criticism of his new rule establishing criteria for the casting of election ballots by email.

In it, Secretary Williams implies that the federal government expanded voting by email. He writes, “The federal government, along with the Colorado General Assembly, expanded the electronic ballot transmission for military and overseas voters.” In fact the federal government has neither endorsed nor expanded the return of marked ballots over email. The Military and Overseas Voter Empowerment, or MOVE Act of 2009 (a bill we proudly supported) only directs states to send blank ballots to military and overseas voters electronically, not to accept the return of voted ballots. That’s because voted ballots could be manipulated or deleted in transit — undetectably. Due to such unsolved security issues, last year Congress eliminated a Defense Department online voting project. The federal agency tasked with helping enfranchise military voters has stated that ballot return by postal mail is the “most responsible” method. In no instance does the federal government encourage states to offer electronic ballot return for military and overseas voters.

In 2006 the Colorado General Assembly passed legislation to permit online ballot return for military voters, but only under the most restricted circumstances. And it did so before most of the public was aware of today’s cybersecurity risks and of attacks in which data and sensitive information of millions of Americans had been compromised.

Technical staff of Smartmatic demonstrate their automated vote reading machine at COMELEC in Intramuros, Manila, on Friday. Smartmatic is one of the two companies competing for the contract for the voting machine in the 2016 elections.

How not to measure security

This article was originally posted at Freedom to Tinker on August 10, 2015. It is reposted here with permission of the author.

A recent paper published by Smartmatic, a vendor of voting systems, caught my attention. The first thing is that it’s published by Springer, which typically publishes peer-reviewed articles – which this is not. This is a marketing piece. It’s disturbing that a respected imprint like Springer would get into the business of publishing vendor white papers. There’s no disclaimer that it’s not a peer-reviewed piece, or any other indication that it doesn’t follow Springer’s historical standards. The second, and more important issue, is that the article could not possibly have passed peer review, given some of its claims. I won’t go into the controversies around voting systems (a nice summary of some of those issues can be found on the OSET blog), but rather focus on some of the security metrics claims.

The article states, “Well-designed, special-purpose [voting] systems reduce the possibility of results tampering and eliminate fraud. Security is increased by 10-1,000 times, depending on the level of automation.”

That would be nice. However, we have no agreed-upon way of measuring security of systems (other than cryptographic algorithms, within limits). So the only way this is meaningful is if it’s qualified and explained – which it isn’t. Other studies, such as one I participated in (Applying a Reusable Election Threat Model at the County Level), have tried to quantify the risk to voting systems – our study measured risk in terms of the number of people required to carry out the attack. So is Smartmatic’s study claiming that they can make an attack require 10 to 1000 more people, 10 to 1000 times more money, 10 to 1000 times more expertise (however that would be measured!), or something entirely different?

Just Ducky

If it looks like a duck, walks like a duck, and quacks like a duck, it’s a duck.  It is not a seagull.  People will, understandably, refer to it as a duck.  Deciding to call it a seagull does not cause it to cease being a duck and does not transform it into a seagull.  With me so far?  An election held by a California city is an “advisory election” if its purpose is to enable only the city’s registered voters to voice their opinions on substantive issues in a non-binding manner.  City advisory elections are subject to the California Election Code’s general requirements and prohibitions.

Now consider the following scenario.  A small California city’s leaders, and the elections system vendor they hire, plan an election that in all respects is described by California Elections Code section 9603.  The city leaders and vendor publicly and consistently refer to the planned activity as an “advisory vote” and “advisory election.”  The city is notified that the election will be illegal, both because it will use an Internet voting system, prohibited by the Elections Code, and because the system is not state-certified, as required by the Elections Code.   With just two weeks to go, the city’s leaders and vendor respond by re-labeling the planned activity a “poll” or “community poll” but make no other changes.

Principles for New Voting Systems

Many jurisdictions will need to replace their voting systems in the next few years. Commercial voting systems currently in the marketplace are expensive to acquire and maintain and difficult to audit effectively. Elections may be verifiable in principle--if they generate a voter-verifiable paper trail that is curated well--but current systems make it hard or impractical to verify elections in practice.

Recent experience with open-source tabulation systems in risk-limiting audits in California and Colorado, and voting system projects in Los Angeles County, CA, and Travis County, TX, suggest that the US could have voting systems that are accurate, usable, verifiable, efficiently auditable, reliable, secure, modular, and transparent, for a fraction of the cost of systems currently on the market.

The key to reducing costs is to use commodity off-the-shelf hardware, open-source software, and open data standards.  Usability and auditability need to be designed into new systems from the start. The US could have the best possible voting systems, instead of just the best voting systems money can buy, if new systems adhere to the Principles enunciated below.


New Standards for Election Data

Examining election results to confirm winners and losers for very close elections can be problematic for contests that span multiple jurisdictions using different equipment and diverse data formats for reporting those results. Such differences have been a significant barrier to conducting post-election risk-limiting audits in time to change preliminary election results if necessary. To address problems caused by incompatible election reporting formats, the IEEE has developed a new standard for election results reporting (1622-2). This standard marks the culmination of over ten years of efforts by many individuals and organizations (including Verified Voting), with crucial technical staff support from the National Institute of Standards and Technology (NIST). In the recently completed 2014 elections, the Ohio Secretary of State’s office successfully used a draft version of the standard to report and export election results, and the Associated Press Election Services used the same draft standard to import Ohio’s election results and incorporate them into their national election reporting for television, radio, and newspaper clients across the country. You are invited to weigh in: to see the proposed reporting standard and submit your comments and suggestions for improvement here.

Verified Voting has been actively working for a number of years to develop and promote adoption of national data standards to support interoperability, transparent reporting, and post-election audits comparing hand-eye manual counts of voter-verified records with electronic tabulation results.  In 2008 and 2009, we submitted formal comments on the draft 2007 Voluntary Voting Systems Guidelines (VVSG) proposed by the U.S. Election Assistance Commission (EAC)’s Technical Guidelines Development Committee (TGDC). While the draft 2007 VVSG "encourages" adoption of a standard data exchange format to facilitate interoperability between different hardware components, Verified Voting and other groups and experts urged that voting systems be required to input and output data using a common standard format for election data import, export and exchange. As we pointed out, requiring standard data exchange formats can also help facilitate another important VVSG goal -- interoperability of election hardware and software components from different vendors.

Security not yet available for online voting

California’s record low turnout for November’s elections is indeed worrisome, and incoming Secretary of State Alex Padilla’s promises to increase the voter rolls are laudable. However, the editorial board’s desire to see online voting as the natural evolution of our voting systems is misplaced.  Yes, we do bank, shop and communicate online, but a quick review of the latest headlines proves these transactions aren’t secure. Cybercrime is estimated to cost businesses billions every year. Elections are unlike financial transactions because they’re extremely vulnerable to undetectable hacking. Because we vote by secret ballot, there is no way to reconcile the votes recorded and the marks the voter actually makes with technology currently available.

Mail Your Ballot Back: Why Voting Online Puts Your Vote and Privacy at Risk

Twenty-three states plus the District of Columbia allow military and overseas voters (not domestic voters) to return voted ballots by email, facsimile and/or other Internet transmission; six allow internet return for military voters in zones of “hostile fire.” Alaska allows it for all absentee voters. But these methods of casting ballots over the Internet are very insecure; ballots returned this way are at risk for manipulation, loss or deletion.

According to the National Institute of Standards and Technology, the agency charged with reviewing the security of internet voting systems, even the most sophisticated cyber security protections cannot secure voted ballots sent over the Internet, and secure Internet voting is not feasible at this time.[1] Even if ballots are returned electronically over online balloting systems that employ security tools such as encryption or virtual private networks, the privacy, integrity or the reliable delivery of the ballot can’t be guaranteed.[2]

Just as important, ballots sent by electronic transmission cannot be kept private.[3]  Most States which accept electronically transmitted ballots require voters to sign a waiver forfeiting the right to a secret ballot.  In some cases this waiver conflicts with State law or constitution which guarantees the right to a secret ballot.