The Verified Voting Blog

This blog contains posts authored by the Verified Voting Team and by members of the Verified Voting Board of Advisors.

Colorado Secretary of State Wayne Williams obscured key facts in online-voting commentary

Last week’s guest commentary by Secretary of State Wayne Williams in The Colorado Statesman obscured some important facts. He was responding to criticism of his new rule establishing criteria for the casting of election ballots by email.

In it, Secretary Williams implies that the federal government expanded voting by email. He writes, “The federal government, along with the Colorado General Assembly, expanded the electronic ballot transmission for military and overseas voters.” In fact the federal government has neither endorsed nor expanded the return of marked ballots over email. The Military and Overseas Voter Empowerment, or MOVE Act of 2009 (a bill we proudly supported) only directs states to send blank ballots to military and overseas voters electronically; it does not provide for the return of voted ballots. That’s because voted ballots could be manipulated or deleted in transit — undetectably. Due to such unsolved security issues, last year Congress eliminated a Defense Department online voting project. The federal agency tasked with helping enfranchise military voters has stated that ballot return by postal mail is the “most responsible” method. In no instance does the federal government encourage states to offer electronic ballot return for military and overseas voters.

In 2006 the Colorado General Assembly passed legislation to permit online ballot return for military voters, but only under the most restricted circumstances. And it did so before most of the public was aware of today’s cybersecurity risks and of attacks in which data and sensitive information of millions of Americans had been compromised.

Photo: COMELEC, December 12, 2014. Technical staff of Smartmatic demonstrate their automated vote-reading machine at COMELEC in Intramuros, Manila, on Friday. Smartmatic is one of the two companies competing for the contract for the voting machine in the 2016 elections. (Inquirer photo / Joan Bondoc)

How not to measure security

This article was originally posted at Freedom to Tinker on August 10, 2015. It is reposted here with permission of the author.

A recent paper published by Smartmatic, a vendor of voting systems, caught my attention. The first thing is that it’s published by Springer, which typically publishes peer-reviewed articles – which this is not. This is a marketing piece. It’s disturbing that a respected imprint like Springer would get into the business of publishing vendor white papers. There’s no disclaimer that it’s not a peer-reviewed piece, or any other indication that it doesn’t follow Springer’s historical standards. The second, and more important issue, is that the article could not possibly have passed peer review, given some of its claims. I won’t go into the controversies around voting systems (a nice summary of some of those issues can be found on the OSET blog), but rather focus on some of the security metrics claims.

The article states, “Well-designed, special-purpose [voting] systems reduce the possibility of results tampering and eliminate fraud. Security is increased by 10-1,000 times, depending on the level of automation.”

That would be nice. However, we have no agreed-upon way of measuring security of systems (other than cryptographic algorithms, within limits). So the only way this is meaningful is if it’s qualified and explained – which it isn’t. Other studies, such as one I participated in (Applying a Reusable Election Threat Model at the County Level), have tried to quantify the risk to voting systems – our study measured risk in terms of the number of people required to carry out the attack. So is Smartmatic’s study claiming that they can make an attack require 10 to 1000 more people, 10 to 1000 times more money, 10 to 1000 times more expertise (however that would be measured!), or something entirely different?

Just Ducky

If it looks like a duck, walks like a duck, and quacks like a duck, it’s a duck.  It is not a seagull.  People will, understandably, refer to it as a duck.  Deciding to call it a seagull does not cause it to cease being a duck and does not transform it into a seagull.  With me so far?  An election held by a California city is an “advisory election” if its purpose is to enable only the city’s registered voters to voice their opinions on substantive issues in a non-binding manner.  City advisory elections are subject to the California Election Code’s general requirements and prohibitions.

Now consider the following scenario.  A small California city’s leaders, and the elections system vendor they hire, plan an election that in all respects is described by California Elections Code section 9603.  The city leaders and vendor publicly and consistently refer to the planned activity as an “advisory vote” and “advisory election.”  The city is notified that the election will be illegal, both because it will use an Internet voting system, prohibited by the Elections Code, and because the system is not state-certified, as required by the Elections Code.   With just two weeks to go, the city’s leaders and vendor respond by re-labeling the planned activity a “poll” or “community poll” but make no other changes.

Principles for New Voting Systems

Many jurisdictions will need to replace their voting systems in the next few years. Commercial voting systems currently in the marketplace are expensive to acquire and maintain and difficult to audit effectively. Elections may be verifiable in principle--if they generate a voter-verifiable paper trail that is curated well--but current systems make it hard or impractical to verify elections in practice.

Recent experience with open-source tabulation systems in risk-limiting audits in California and Colorado, and voting system projects in Los Angeles County, CA, and Travis County, TX, suggest that the US could have voting systems that are accurate, usable, verifiable, efficiently auditable, reliable, secure, modular, and transparent, for a fraction of the cost of systems currently on the market.

The key to reducing costs is to use commodity off-the-shelf hardware, open-source software, and open data standards. Usability and auditability need to be designed into new systems from the start. The US could have the best possible voting systems, instead of just the best voting systems money can buy, if new systems adhere to the Principles enunciated below.

New Standards for Election Data

Examining election results to confirm winners and losers for very close elections can be problematic for contests that span multiple jurisdictions using different equipment and diverse data formats for reporting those results. Such differences have been a significant barrier to conducting post-election risk-limiting audits in time to change preliminary election results if necessary. To address problems caused by incompatible election reporting formats, the IEEE has developed a new standard for election results reporting (1622-2). This standard marks the culmination of over ten years of efforts by many individuals and organizations (including Verified Voting), with crucial technical staff support from the National Institute of Standards and Technology (NIST). In the recently completed 2014 elections, the Ohio Secretary of State’s office successfully used a draft version of the standard to report and export election results and the Associated Press Election Services used the same draft standard to import Ohio’s election results and incorporate it into their national election reporting for television, radio, and newspaper clients across the country. You are invited to weigh in: to see the proposed reporting standard and submit your comments and suggestions for improvement here.

Verified Voting has been actively working for a number of years to develop and promote adoption of national data standards to support interoperability, transparent reporting, and post-election audits comparing hand-eye manual counts of voter-verified records with electronic tabulation results. In 2008 and 2009, we submitted formal comments on the draft 2007 Voluntary Voting Systems Guidelines (VVSG) proposed by the U.S. Election Assistance Commission (EAC)’s Technical Guidelines Development Committee (TGDC). While the draft 2007 VVSG "encourages" adoption of a standard data exchange format to facilitate interoperability between different hardware components, Verified Voting and other groups and experts urged that voting systems be required to input and output data using a common standard format for election data import, export and exchange. As we pointed out, requiring standard data exchange formats can also help facilitate another important VVSG goal -- interoperability of election hardware and software components from different vendors.

Security not yet available for online voting

California’s record low turnout for November’s elections is indeed worrisome, and incoming Secretary of State Alex Padilla’s promises to increase the voter rolls are laudable. However, the editorial board’s desire to see online voting as the natural evolution of our voting systems is misplaced.  Yes, we do bank, shop and communicate online, but a quick review of the latest headlines proves these transactions aren’t secure. Cybercrime is estimated to cost businesses billions every year. Elections are unlike financial transactions because they’re extremely vulnerable to undetectable hacking. Because we vote by secret ballot, there is no way to reconcile the votes recorded and the marks the voter actually makes with technology currently available.

Mail Your Ballot Back: Why Voting Online Puts Your Vote and Privacy at Risk

Twenty-three states plus the District of Columbia allow military and overseas voters (not domestic voters) to return voted ballots by email, facsimile and/or other Internet transmission; six allow Internet return for military voters in zones of “hostile fire.” Alaska allows it for all absentee voters. But these methods of casting ballots over the Internet are very insecure; ballots returned this way are at risk for manipulation, loss or deletion.

According to the National Institute of Standards and Technology, the agency charged with reviewing the security of internet voting systems, even the most sophisticated cyber security protections cannot secure voted ballots sent over the Internet, and secure Internet voting is not feasible at this time.[1] Even if ballots are returned electronically over online balloting systems that employ security tools such as encryption or virtual private networks, the privacy, integrity or the reliable delivery of the ballot can’t be guaranteed.[2]

Just as important, ballots sent by electronic transmission cannot be kept private.[3]  Most States which accept electronically transmitted ballots require voters to sign a waiver forfeiting the right to a secret ballot.  In some cases this waiver conflicts with State law or constitution which guarantees the right to a secret ballot.

New Voting Systems Standards Committee Steps into Election Data Void

What does the Institute of Electrical and Electronics Engineers (IEEE) have to do with elections? Glad you asked. IEEE is the world's largest professional association for the advancement of technology. Along with its major educational and publishing activities, IEEE is one of the leading standards-making organizations in the world. IEEE standards affect a wide range of industries including: power and energy, biomedical and healthcare, Information Technology (IT), telecommunications, transportation, nanotechnology, information assurance, and many more. In 2013, IEEE had over 900 active standards, with over 500 standards under development.

IEEE has many subgroups that establish standards for various industry areas, and one of these is IEEE Project 1622 (or P1622). This group has been active lately working on setting common standards for important election-related practices, including things like distributing blank ballots (for voters who are overseas, e.g.). With Congress’ stalemate on appointing new members to the Election Assistance Commission (EAC), development and adoption of U.S. election data standards seem to be shifting from the EAC’s Voluntary Voting Systems Guidelines (VVSG) Technical Development Committee to the IEEE VSSC. Brian Hancock, EAC Director of Voting System Testing and Certification, spoke positively about this development at the recent conference of the Election Verification Network (EVN) in San Diego.

Following adoption of its initial proposed standard for electronic distribution of blank ballot information (1622-2011, published in January 2012), the IEEE Project 1622 for Voting Systems Electronic Data Interchange has been authorized to become the IEEE Voting Systems Standards Committee (VSSC).

Hack the Vote: The Perils of the Online Ballot Box

While most voters will cast their ballots at polling stations in November, online voting has been quietly and rapidly expanding in the United States over the last decade. Over 30 states and territories allow some form of Internet voting (such as by email or through a direct portal) for some classes of voters, including members of the military or absentees.

Utah just passed a law allowing disabled voters to vote online; and Alaska allows anyone to cast their ballots online. And there were recent news reports that Democratic and Republican national committees are contemplating holding primaries and caucuses online. We estimate that over three million voters now are eligible to vote online in the U.S.

But online voting is fraught with danger. Hackers could manipulate enough votes to change the results of local and national elections. And a skilled hacker can do so without leaving any evidence.

Hot State Update! What’s happening in Virginia, Oregon, Connecticut and more… and what Verified Voting is doing to help.

At Verified Voting we work to establish relationships in the states with policy makers and elections officials, in order to ensure they are educated on how to keep our votes secure. We’ve started 2014 with lots of activity around the country, building on a very strong and determined energy around voting issues, much of it unfolding on the state level. We have a great network of people in place and continue to work to make our voices heard. The following is a quick look at some of the Hot States on which we are focusing.

Virginia: This session, House and Senate bills sought to initiate electronic return of voted ballots over the Internet by overseas military voters. Amendments made to the bills called for security protocols to be examined and review of the feasibility and costs involved prior to initiating actual ballot return, thanks to intense outreach with our allies Virginians for Verified Voting, a lot of letters from VA supporters (thank you!), and an op-ed penned by Justin Moore (who is on VV’s advisory board) in the Richmond Times Dispatch.  The amended version of HB 759/SB 11 was conferenced and passed, with these crucial stop-gaps and a clause requiring that the provision be re-approved in 2016 before any ballots are sent over the Internet. As the review process takes place over the coming 18 months, we will be participating actively.  Ensuring that technologists are at the table as the conversation moves forward is critical, as is feedback from Virginia voters.  See the Bill summary here.