The Verified Voting Blog

This blog contains posts authored by the Verified Voting Team and by members of the Verified Voting Board of Advisors.

Developing a Framework to Improve Critical Infrastructure Cybersecurity

Apr 10 2013

» VerifiedVoting

Under Executive Order 13636 ^[2](“Executive Order”), the Secretary of Commerce is tasked to direct the Director of NIST to develop a framework for reducing cyber risks to critical infrastructure (the “Cybersecurity Framework” or “Framework”). The Framework will consist of standards, methodologies, procedures and processes that align policy, business, and technological approaches to address cyber risks. The Department of Homeland Security, in coordination with sector-specific agencies, will then establish a voluntary program to support the adoption of the Cybersecurity Framework by owners and operators of critical infrastructure and any other interested entities.

NIST has issued a Request for Information (RFI) in the Federal Register. It is to this RFI that our response pertains. The undersigned persons and organizations include experts on matters relating to election technology, election practices, encryption, Internet security, and/or privacy. We appreciate the opportunity to provide input on this RFI entitled “Developing a Framework to Improve Critical Infrastructure Cybersecurity”.

Our response focuses on the discussion of specific practices as they pertain to elections practices and systems as part of the nation’s critical infrastructure. (Download the Full Response as a PDF)

Helping LA County Build a Voting System

Apr 2 2013

» Joseph Lorenzo Hall

This past week I was at the kick-off meeting of the LA County Voting System Assessment Project’s (VSAP) Technical Advisory Committee. The VSAP is Registrar/ClerkDean Logan’s intense and groundbreaking effort to design, develop, procure and implement a publicly owned voting system. I am honored to be asked to serve on such an important body.

LA County is the largest election jurisdiction in the US, with 5 million registered voters, 10 languages, 5,000 precincts and a very large physical area. The county currently uses the InkaVote Plus voting system (with Audio Ballot Booth for accessibility), which is essentially an overhaul of former punchcard equipment to use inked styluses for marking and to provide in-precint checks for the voter in case they make mistakes.

Internet voting for overseas military puts election security at risk

Mar 23 2013

» Pamela Smith

Connecticut lawmakers are considering legislation to allow military voters to cast ballots over the Internet. The intention of this legislation is well-meaning — Connecticut does need to improve the voting process for military voters — but Internet voting is not the answer. Every day, headlines reveal just how vulnerable and insecure any online network really is, and how sophisticated, tenacious and skilled today’s attackers are. Just last week, we learned that the U.S. has already experienced our first-ever documented attack on an election system, when a grand jury report revealed that someone hacked into the Miami-Dade primary elections system in August 2012. A chilling account in The Washington Post recently reported that most government entities in Washington, including congressional offices, federal agencies, government contractors, embassies, news organizations, think tanks and law firms, have been penetrated by Chinese hackers. They join a long list that includes the CIA, FBI, Department of Defense, Bank of America, and on and on. These organizations have huge cybersecurity budgets and the most robust security tools available, and they have been unable to prevent hacking. Contrary to popular belief, online voting systems would not be any more secure.

Statement on the Dangers of Internet Voting in Public Elections

Feb 15 2013

» Verified Voting

At a time when more and more transactions occur online, a number of election officials and private organizations are looking to the Internet as one more possible avenue for balloting. When the Academy of Motion Picture Arts and Sciences announced that would be using an online voting system to help its members choose this year’s Oscar nominees and finalists, thereby adding to the “credibility” of online voting, we find ourselves compelled to remind the general public that it is dangerous to deploy voting by email, efax, or through Internet portals in public governmental elections at this time. Public elections run by municipal, local and state governments should not be compared to elections like the one run by the Academy. The following describes our concerns about the use of Internet voting systems in public elections.

• Cyber security experts at the National Institute of Standards and Technology[1] and the Department of Homeland Security[2] have warned that current Internet voting technologies should not be deployed in public elections. Internet voting systems, including email, fax and web based voting systems in which marked ballots are cast online, cannot be properly protected and may be subject to undetectable alteration.

• Citizens ask, “If I can bank online, why can’t I vote online?” Online banking and e-commerce are NOT secure, despite massive business investments in state-of-the-art cyber-security tools.

• Banking policies protect and reimburse people whose money or credit card numbers are stolen online. If a hacker deletes or alters a ballot, the action can neither be traced nor corrected.

• Banking policies generally do not protect companies when funds are stolen from their accounts. It has been reported that as many as ten percent of small business have had money stolen from their bank accounts.[3] Even so, businesses understand and accept that money lost through cyber-crime is part of the risk of doing business online, and they seek to reduce losses by obtaining fraud insurance. We cannot take that approach in counting votes in public elections; a cyber-attack that alters or deletes just a few hundred votes, and perhaps even fewer, can change the result of an election. There is no such thing as “fraud insurance” for ballots, and we can scarcely accept online fraud in ten percent of our election jurisdictions.

• The parties in online business transactions maintain and audit account records to detect fraudulent activities. But because we vote by secret ballot in public elections, individual voters have no way to check and verify that their ballots were properly counted. Thus online voting is particularly susceptible to tampering, all but certain to go undetected.

• Internet voting system vendors make claims about the security of their products that have never been substantiated by publicly reviewable testing and research.

Election, Tech Experts to Obama: Yes, “We Need to Fix That,” But E-Voting Not the Answer

Dec 7 2012

» VerifiedVoting

Groups Warn Against Hasty Action on Internet Voting in Response to Long Lines, Technical Glitches in November

In a letter delivered to President Obama and congressional leaders this week, a broad coalition of experts, including congressional representatives, elections officers and cyber-security experts, is urging the president and Congress to reject any calls for Internet voting. They are warning officials that Internet voting remains a highly insecure option that leaves our systems vulnerable to cyber-attacks and technical failures. After voters across the country waited as long as seven hours to cast their ballots and Hurricane Sandy wreaked havoc on East Coast election systems last November, lawmakers in Congress are introducing legislation to facilitate the voting process in federal elections, and some parties have expressed Interest in online voting. The text of the letter can be found here.

Some modest proposals for voter signature verification

Nov 30 2012

» Douglas W. Jones

Iowa Secretary of State Matt Schultz proposes that we use some kind of electronic scanning system to evaluate voter signatures. I have no idea how good signature comparison software is these days, but I do I know that my own signature isn’t very consistent. Would automatic signature matching software really work well enough to recognize that all of my signatures are mine while rejecting forgeries? I’m skeptical. If one person’s absentee ballot is incorrectly rejected because someone or some software thinks their signature does not match, that would seem to me to be a violation of that voter’s civil rights. If signature matching has a higher likelihood of failing for one group of people than for another, then signature verification can be said to systematically deny voting rights to that group.

Recount Roulette

Nov 5 2012

» Barbara Simons and Mark Halvorson

We risk an election meltdown worse than the Florida 2000 debacle when the presidential election came down to hanging chads and chaos. This time we are looking at another razor close result and perhaps another recount. However, if a recount is required in either of two key states — Virginia and Pennsylvania — we risk catastrophe, because most of those votes will be cast on paperless voting machines that are impossible to recount. To make matters even worse, the wake of superstorm Sandy could cause disruption on Election Day. Polling places without paper ballots that lack power will have to close, resulting in voter disenfranchisement. This is inexcusable, especially as voting advocates have long urged states to provide emergency paper ballots. Other states present their own hazardous recount challenges. About one quarter of voters nationwide will use paperless direct-recording electronic (DRE) voting machines, most of which have touch screens. Unfortunately, the DRE software can store voters’ choices incorrectly.

Voting in Colorado

Oct 21 2012

» Barbara Simons

Arapahoe County Colorado was in the news the week with the Denver Post reporting that envelopes containing absentee ballots mailed to over 230,000 voters included “I Voted” stickers, which rubbed up against the ballot and in some cases left a faint, near-linear mark that appeared exactly where voters draw a line to select their candidates. The Secretary of State has issued a list of procedures to address the potential of un-readable ballots and because there is a software independent record of the voted, officials are confident that the problem can be resolved. Unfortunately not all potential problems with the Colorado’s voting technology can be resolved.

For polling place and early voting, Colorado uses Direct Recording Electronic (DRE) machines and paper based optical scan systems as well as at least two counties doing hand count of paper ballots. About 70% of ballots cast in Colorado are returned by mail. Some counties have only residual use of DRE to satisfy HAVA requirements, others collect substantial votes on DRE in precinct polling places. Some counties receive paper ballots at polling places but count them centrally by optical scan.

Internet Voting in the U.S.

Oct 13 2012

» Barbara Simons and Douglas W. Jones

The assertion that Internet voting is the wave of the future has become commonplace. We frequently are asked, “If I can bank online, why can’t I vote online?” The question assumes that online banking is safe and secure. However, banks routinely and quietly replenish funds lost to online fraud in order to maintain public confidence. We are told Internet voting would help citizens living abroad or in the military who currently have difficulty voting. Recent federal legislation to improve the voting process for overseas citizens is a response to that problem. The legislation, which has eliminated most delays, requires states to provide downloadable blank ballots but does not require the insecure return of voted ballots.

Yet another claim is that email voting is safer than Web-based voting, but no email program in widespread use today provides direct support for encrypted email. As a result, attachments are generally sent in the clear, and email ballots are easy to intercept and inspect, violating voters’ right to a secret ballot. Intercepted ballots may be modified or discarded without forwarding. Moreover, the ease with which a From header can be forged means it is relatively simple to produce large numbers of forged ballots. These special risks faced by email ballots are in addition to the general risks posed by all Internet-based voting schemes.

Virginia – the new Florida?

Oct 9 2012

» Barbara Simons

There are many ways in which Virginia 2012 could resemble the Florida 2000 – only worse. At least in 2000 there were paper ballots to recount in Florida. But only 7 out of 134 Virginia localities (Virginia terminology for counties and independent cities) do not use paperless Direct Recording Electronic (DRE) voting machines. If a DRE loses or miscounts ballots, it is essentially impossible to determine the correct results.

As if to guarantee that it will be impossible ever to verify an election in Virginia, Virginia law actually prohibits manual post-election ballot audits of paper ballots, except in extremely narrow and unlikely circumstances. This prevents election verification even in the 7 localities that have no paperless DREs (Chesterfield, Gloucester, Hanover, New Kent, Wythe, Fredericksburg, and Williamburg), together with the 30 other localities that have a mix of paper ballots and paperless voting machines. Unless the anti-verification law is repealed, Virginia will continue to be a poster child for how not to run an election, even after Virginia replaces all of its antiquated paperless DREs with paper ballot based optical scan systems, as it should. But it gets worse.

Two notoriously unreliable paperless DRE systems are still being used in Virginia, years after their inadequacies had become common knowledge. A distinctive feature of the WINVote that makes it particularly vulnerable is it’s use of wifi to communicate between equipment in the polling place. The AVS WINVote, used only in Hind County, Mississippi and in the state of Virginia, failed to qualify for federal certification in 2007, even to the lower testing of the two voting systems standards. Since then, AVS seems to have folded, with maintenance done by Election Services Online, a Philadelphia based company with ties to the Shoup family, that founded AVS predecessor company over a century ago.

The other unreliable paperless DRE system is the Unilect Patriot, which gained notoriety in November, 2004 in both North Carolina and Pennsylvania. In Carteret County, N.C. a Patriot machine lost almost 4500 votes in early voting, while in Pennsylvania the Patriot appears to have lost a significant number of votes in the 2004 presidential race. Pennsylvania Secretary of State Pedro Cortes issued a report claiming that the Patriot was not “capable of absolute accuracy” and was not “safely and efficiently usable”. Pennsylvania decertified the Patriot; it is now used only in Virginia. Should either the AVS WINVote or the Unilect Patriot malfunction on Election Day with the Presidential or Senate race hanging in the balance, our country could be in uncharted territory.