The Verified Voting Blog

This blog contains posts authored by the Verified Voting Team and by members of the Verified Voting Board of Advisors.

decock

Verified Voting announces appointment of John DeCock as new Executive Director

Verified Voting, the nation's leading election integrity organization, today announced the appointment of John DeCock as our new Executive Director.

"We are delighted to have John join our team," said Verified Voting President Pamela Smith. "John's appointment signals an important step in our efforts to safeguard elections and to support each voter's right to cast an effective ballot. John's exceptional skills and experience will support our outreach and ability to share our resources with a broad range of communities, from voters to policymakers to election officials and more. Working together with John, I am certain that we will continue making vital contributions towards achieving reliable and publicly verifiable elections."

"There is nothing more fundamental to our Democracy than the right to vote and the knowledge that each vote matters and will be properly counted," said DeCock. "I am looking forward to working with the talented staff and board at Verified Voting, as well as with the many experts who have collectively achieved so much. There still is much to do to improve the systems by which we cast our votes and to guarantee that every voter knows that his or her vote is counted as cast."

johnwashburn

All Election Integrity is Local: Remembering John Washburn (1962-2016)

We were saddened to learn of the untimely passing of election integrity activist John Washburn at the age of 53. John was a fiercely independent thinker - disarmingly honest and contagiously cheerful - and a passionate advocate for transparent election administration. Verified Voting President Pamela Smith noted that John "was actively engaged with the Wisconsin Government Accountability Board, referring to himself as their "thorn" in his good-natured way. He could be thorny, but it was in the best interests of reliable elections, and he came at the work with the highest level of integrity. I suspect he will be missed by both friends and "adversaries" alike."

On a tribute board set up by the funeral home where John's memorial service will be held on January 23, Verified Voting Advisory Board member Douglas Jones observed that "John was a man who fought to protect democracy using careful research and the weight of facts to ensure that election results actually report the will of the people. His testimony before government panels at both the state and national level was always calm, reasoned and persuasive."

John studied the issue of pre-election testing extensively and compiled exemplary guidelines for creating ballot test decks for Logic and Accuracy Testing. A glimpse of his contributions to the struggle for transparent and reliable elections can be gained from his blog Washburn's World and his website Washburn Research. John felt strongly that election activists should get involved with their local elections. With deep appreciation for John's contributions to the struggle for fair and accurate election, we are reposting John's plea for getting involved on the ground that first appeared on the VoteTrustUSA website in 2006.

All Election Integrity is Local
by John Washburn

It has been pointed out on my blog, my focus on the election irregularities in my home voting district of Gemantown District #1 is petty and I should move down the road to the big fish, the City of Milwaukee. I agree the City of Milwaukee is where 10% of the entire ballots cast in the state of Wisconsin are cast in the 314 wards of the City of Milwaukee. So by the simple application of the Willy Sutton Maxim, the bulk of state fraud is committed there because that is where the votes are. And, I have spent time examining the election irregularities there. I disagree though that I should ignore the election irregularities perpetrated by my neighbors and my village clerk. The Swedes have a delightful proverb, "Sweep your own stoop before you offer to sweep you neighbor’s stoop". The same holds for election integrity; more so actually.

appel

Verified Voting Welcomes Andrew Appel to the Advisory Board

Verified Voting is pleased to welcome Andrew W. Appel, PhD. to our Advisory Board. Dr. Appel is the Eugene Higgins Professor of Computer Science at Princeton University, where he has been on the faculty since 1986. He served as Department Chair from 2009-2015. His research is in software verification, computer security, programming languages and compilers, and technology policy. He received his A.B. summa cum laude in physics from Princeton in 1981, and his PhD in computer science from Carnegie Mellon University in 1985.

Dr. Appel has been Editor in Chief of ACM Transactions on Programming Languages and Systems and is a Fellow of the ACM (Association for Computing Machinery). He has worked on fast N-body algorithms (1980s), Standard ML of New Jersey (1990s), Foundational Proof-Carrying Code (2000s), and the Verified Software Toolchain (2010s).

Statement to the Pennsylvania Senate State Government Committee Re: SB 1052

Verified Voting is writing today to express our opposition to Senate Bill 1052, a bill which would permit the return of ballots by electronic transmission over insecure Internet means for military voters in Pennsylvania, and to urge you to vote NO on SB 1052. Ballots sent by email are vulnerable to undetectable manipulation or tampering while in transit over the Internet. Ballots sent by fax are also vulnerable to attackers. Today most facsimiles are sent via Internet over facsimile mail programs which have the same threat profile as emailed ballots. By permitting the electronic return of voted ballots, SB 1052 will significantly damage the integrity of Pennsylvania’s elections and put the ballots of military voters at grave risk.

Department of Defense and National Institute of Standards and Technology oppose online voting.

At the start of the 21st century the promise of secure Internet voting seemed attainable; Congress directed the Department of Defense (DOD) in the 2002 National Defense Authorization Act (NDAA) to develop an online voting system for military and overseas voters. The Federal Voting Assistance Program (FVAP), an agency administered by the DOD, developed a system for deployment in 2004. After a security review the DOD cancelled the project because it could not ensure the legitimacy of votes cast over the Internet. In 2005 Congress directed the National Institute of Standards and Technology (NIST) to study the online return of voted ballots for the purpose of setting security standards so DoD and FVAP could develop a secure online voting system for military voters. NIST published numerous reports on its research, and documented several security issues that cannot be mitigated or solved with the cyber security safeguards and voting system protocols currently available. NIST concluded that until these challenges are overcome, secure Internet voting is not yet feasible.

For these reasons the Department of Defense has warned that it cannot ensure the legitimacy of ballots sent over the Internet and has stated “[the Department of Defense] does not advocate for the electronic transmission of any voted ballot, whether it be by fax, email or via the Internet.” In addition, the Federal Voting Assistance Program, in a report to Congress in 2013, stated clearly that the postal mail return of a voted ballot, coupled with the electronic transmission of a blank ballot is the “most responsible”[4. Federal Voting Assistance Program, May 2013, “2010 Electronic Voting Support Wizard (EVSW) Technology Pilot Program Report to Congress http://www.fvap.gov/uploads/FVAP/Reports/evsw_report.pdf] method of absentee voting for UOCAVA voters. The overwhelming evidence that secure Internet voting is not within our grasp led Congress to repeal, in the 2015 National Defense Authorization Act, the earlier directive that DoD pursue online voting for military and overseas voters.

It is not reasonable to expect the Pennsylvania Department of State should be able to develop a secure online ballot return system when the Department of Defense and the National Institute of Standards and Technology have determined secure online voting is not presently achievable.

What if Volkswagen made Voting Machines?

Volkswagen stock plummeted today, because of accusations by the Environmental Protection Agency that VW uses software that turns on its emission control device when the software detects that one of its diesel cars is undergoing emission testing. When not being tested, the software disables the device, thereby causing the car to spew as much as 40 times the pollution limit of the Clean Air Act.

Like VW cars, modern voting machines contain software that is tested before use in elections. It would not be difficult to write voting machine software that would, like the VW software, know when it is being tested, and thus behave correctly during testing but not during an actual election. If such behavior were detected after an election, the vendor stock would plummet, but so would voter confidence in the outcome of the election. Furthermore, in the case of some voting systems that cannot be legitimately recounted, such as paperless voting machines or online votes, there would be no way to determine after the election if the declared winners were the actual winners.

wayne_williams

Colorado Secretary of State Wayne Williams obscured key facts in online-voting commentary

Last week’s guest commentary by Secretary of State Wayne Williams in The Colorado Statesman obscured some important facts. He was responding to criticism of his new rule establishing criteria for the casting of election ballots by email.

Last week’s guest commentary by Secretary of State Wayne Williams in The Colorado Statesman obscured some important facts. He was responding to criticism of his new rule establishing criteria for the casting of election ballots by email.

In it, Secretary Williams implies that the federal government expanded voting by email. He writes, “The federal government, along with the Colorado General Assembly, expanded the electronic ballot transmission for military and overseas voters.” In fact the federal government has neither endorsed nor expanded the return of marked ballots over email. The Military and Overseas Voter Empowerment, or MOVE Act of 2009 (a bill we proudly supported) only directs states to send blank ballots to military and overseas voters electronically, not return of voted ballots That’s because voted ballots could be manipulated or deleted in transit — undetectably. Due to such unsolved security issues, last year Congress eliminated a Defense Department online voting project. The federal agency tasked with helping enfranchise military voters has stated that ballot return by postal mail is the “most responsible” method. In no instance does the federal government encourage states to offer electronic ballot return for military and overseas voters.

In 2006 the Colorado General Assembly passed legislation to permit online ballot return for military voters, but only under the most restricted circumstances. And it did so before most of the public was aware of today’s cybersecurity risks and of attacks in which data and sensitive information of millions of Americans had been compromised.

COMELEC/ DECEMBER 12,2014
Technical staff of  Smartmatic demonstrate their automative vote reading machine  at COMELEC  in Intramuros Manila, Friday, Smartmatic is one of the two companies competing  for the contract for the voting machine in the 2016 elections.
INQUIRER PHOTO/JOAN BONDOC

How not to measure security

This article was originally posted at Freedom to Tinker on August 10, 2015. It is reposted here with permission of the author.

A recent paper published by Smartmatic, a vendor of voting systems, caught my attention. The first thing is that it’s published by Springer, which typically publishes peer-reviewed articles – which this is not. This is a marketing piece. It’s disturbing that a respected imprint like Springer would get into the business of publishing vendor white papers. There’s no disclaimer that it’s not a peer-reviewed piece, or any other indication that it doesn’t follow Springer’s historical standards. The second, and more important issue, is that the article could not possibly have passed peer review, given some of its claims. I won’t go into the controversies around voting systems (a nice summary of some of those issues can be found on the OSET blog), but rather focus on some of the security metrics claims.

The article states, “Well-designed, special-purpose [voting] systems reduce the possibility of results tampering and eliminate fraud. Security is increased by 10-1,000 times, depending on the level of automation.”

That would be nice. However, we have no agreed-upon way of measuring security of systems (other than cryptographic algorithms, within limits). So the only way this is meaningful is if it’s qualified and explained – which it isn’t. Other studies, such as one I participated in (Applying a Reusable Election Threat Model at the County Level), have tried to quantify the risk to voting systems – our study measured risk in terms of the number of people required to carry out the attack. So is Smartmatic’s study claiming that they can make an attack require 10 to 1000 more people, 10 to 1000 times more money, 10 to 1000 times more expertise (however that would be measured!), or something entirely different?

Comments on Colorado Rules Concerning Internet Voting

We are pleased to provide testimony and remarks regarding proposed rule changes to Colorado’s Rules Concerning Elections 8 CCR 1501-5. We appreciate the effort of your office to solicit preliminary comments from the public to inform the draft of the proposed rule changes and were happy to participate in the process. We remain in opposition to Rule 16.2.1(c). However, before addressing Rule 16.2.1(c), we would first like to address proposed new Rule 16.2.8 prohibiting Internet voting because it is inextricably linked to proposed Rule 16.2.1(c).

Public comments voiced significant objection to Internet voting. The Secretary has proposed Rule 16.2.8 which states:

New Rule 16.2.8:
16.2.8 NOTHING IN THIS RULE 16.2 PERMITS INTERNET VOTING. INTERNET VOTING MEANS A SYSTEM THAT INCLUDES REMOTE ACCESS, A VOTE THAT IS CAST DIRECTLY INTO A CENTRAL VOTE SERVER THAT TALLIES THE VOTES, AND DOES NOT REQUIRE THE SUPERVISION OF ELECTION OFFICIALS

Proposed new Rule 16.2.8 unfortunately fails to recognize that email and fax return of voted ballots (permitted and expanded in Rule 16.2.1(c)) is Internet voting and includes all of the inherent security risk of Internet voting. In fact, email (and digital fax) are considered by voting system experts at both the National Institute of Standards and Technology and the U.S. Election Assistance Commission to be even less secure, [1. “E-mails are significantly easier to intercept and modify in transit than other forms of communication.” NIST IR 7551 A Threat Analysis of UOCAVA Voting Systems http://www.nist.gov/itl/vote/upload/uocava-threatanalysis-final.pdf], [2. “Email is about the least secure method of ballot delivery,” Brian Hancock The Canvass - “Internet voting, not ready for prime-time?” Feb 2013 http://www.ncsl.org/Portals/1/Documents/legismgt/elect/Canvass_Feb_2013_no_37.pdf] than the type of Internet voting system described in proposed Rule 16.2.8.

Just Ducky

If it looks like a duck, walks like a duck, and quacks like a duck, it’s a duck.  It is not a seagull.  People will, understandably, refer to it as a duck.  Deciding to call it a seagull does not cause it to cease being a duck and does not transform it into a seagull.  With me so far?  An election held by a California city is an “advisory election” if its purpose is to enable only the city’s registered voters to voice their opinions on substantive issues in a non-binding manner.  City advisory elections are subject to the California Election Code’s general requirements and prohibitions.

Now consider the following scenario.  A small California city’s leaders, and the elections system vendor they hire, plan an election that in all respects is described by California Elections Code section 9603.  The city leaders and vendor publicly and consistently refer to the planned activity as an “advisory vote” and “advisory election.”  The city is notified that the election will be illegal, both because it will use an Internet voting system, prohibited by the Elections Code, and because the system is not state-certified, as required by the Elections Code.   With just two weeks to go, the city’s leaders and vendor respond by re-labeling the planned activity a “poll” or “community poll” but make no other changes.

Principles for New Voting Systems

Many jurisdictions will need to replace their voting systems in the next few years. Commercial voting systems currently in the marketplace are expensive to acquire and maintain and difficult to audit effectively. Elections may be verifiable in principle--if they generate a voter-verifiable paper trail that is curated well--but current systems make it hard or impractical to verify elections in practice.

Recent experience with open-source tabulation systems in risk-limiting audits in California and Colorado, and voting system projects in Los Angeles County, CA, and Travis County, TX, suggest that the US could have voting systems that are accurate, usable, verifiable, efficiently auditable, reliable, secure, modular, and transparent, for a fraction of the cost of systems currently on the market.

The key to reducing costs is to use commodity off-the-shelf hardware, open-source software, and open data standards.  Usability and auditability need to be designed into new systems from the start. The US could have the best possible voting systems, instead of just the best voting systems money can buy, if new systems adhere to the Principles enunciated below. (Download PDF)