Verified Voting Blog: In D.C.’s Web Voting Test, the Hackers Were the Good Guys

Last month, the District conducted an Internet voting experiment that resulted in a team from the University of Michigan infiltrating election computers so completely that they were able to modify every ballot cast and all election outcomes without ever leaving their offices. They also retrieved the username and password for every eligible overseas voter who had signed up to participate. The team even defended the system against attackers from China and Iran. More than any other event in recent years, this test illustrates the extreme national security danger of Internet voting.

Though the District’s Board of Elections and Ethics prudently dropped the plan to use the most dangerous parts of the system in Tuesday’s midterms, the board still claims Internet voting is the wave of the future. By contrast, the consensus of the computer security community is that there is no secure Internet voting architecture suitable for public elections. The transmission of voted ballots over the Internet, whether by Web, e-mail or other means, threatens the integrity of the election. Simply fixing the problems identified in the District’s test will not prove the system secure. Almost certainly the next test will discover new vulnerabilities yielding a similar disastrous result.

People frequently ask: If we can bank online, why can’t we vote online? The answer is that because every banking transaction must be associated with a customer, banks know what their customers are doing, and customers get monthly statements that can be used to detect unauthorized transactions. There is no banking equivalent of the requirement for a secret ballot untraceable to the voter. While banks have huge budgets for mitigating security problems, they still lose substantial sums due to online fraud. In addition, while banks may tolerate the costs of online theft, because they save money overall, elections cannot tolerate a “small” amount of vote theft. For more than a decade, computer security scientists have been warning of certain core dangers related to Internet voting. The successful Michigan incursion confirmed many of them.

Read More

Verified Voting Blog: Voting Machine Expert Offers Insights on North Carolina “Vote-Flipping”

Douglas Jones is a voting technology expert on the computer science faculty at the University of Iowa who has done extensive study of the ES&S iVotronic direct recording voting machine. In this interview he offers his insights on reports of straight-party voting problems on iVotronics in multiple North Carolina counties.

Q: Are you familiar with this type of problem?

DJ: There have been sporadic reports of “vote flipping” since the iVotronic came into widespread use, but there has never been a good explanation, and I am not convinced that there is just one problem. It may be that several different problems are being confused. In 2004, I was involved in assessing the iVotronic voting machines used in Miami-Dade County, Florida, and one thing I investigated was the possible cause of reports of “vote flipping”. My report is available  online (see particularly section 11, pages 20 to 23.)

Since writing that report, I have heard several reports from pollworkers and others who have observed voters who either touched the screen with two fingers or accidentally rested the thumb of one hand on the screen while voting with the other, causing their touches to be misinterpreted in exactly the way I described in that report. Read More

National: Vote Flipping and Touch Screen Calibration

Again this election cycle, stories have emerged about “vote flipping”, most notably in Texas, where a video of erratic touchscreen behavior was posted on several sites, and in several North Carolina counties. (link, link, link, link) As voting technology expert Douglas Jones wrote several years ago, it seems unlikely that vote flipping is evidence of intentional hacking. However, these incidents do highlight the lack of transparency of software-generated election results and undermine confidence in elections generally. Vote flipping can be caused by a voter touching the screen in two places, for example resting one hand on the machine while making selections with the other (see pp. 20-22 here), but the most likely cause of “vote-flipping” is miscalibration. As Rice University computer scientist Dan Wallach explains in a post at ACCURATE:

The screen shows pictures of buttons with labels for the various candidates, which the voter selects by touching the screen with their finger. Some voters using these machines have reported problems where they pressed the button for one candidate and a different candidate was selected. These issues are most likely the result of poor touchscreen calibration rather than any security problems with the voting machines’ software.

Read More

Editorials: A Common Sense Solution to Defective Voting | Lawrence Norden/The Hill Blog

In a week, millions of Americans will exercise their most important civil right – the right to vote. But as surely as some campaigns will end in a deluge of confetti and others in popped balloons, there will also be problems with vote tallies. Some votes will be counted more than once, some votes will be counted not at all, and some votes will appear as if by magic. This state of affairs is not caused by corruption. It is caused by malfunctioning voting machines. Since 2002, federal, state and local governments have spent billions on electronic voting systems. These systems are complex, consisting of tens of thousands of lines of computer code. And when, as is inevitable, some machines malfunction on the first Tuesday in November, it is election officials who will be asked to explain. They will struggle to cope with these problems while under enormous pressure to produce timely and accurate results. One would think that information about voting machine malfunctions would be just as open as the democracy for which, they are, quite literally the linchpin. Instead, defects or failures in voting machines are treated as secrets. For the most part, voting system manufacturers are under no obligation to publicly report malfunctions to a central authority. Officials in each of the nation’s approximately 4,700 election jurisdictions are left to fend for themselves. Read More

Verified Voting Blog: Comprehensive Map of US Voting Equipment Released

Voter-marked paper ballots dominate among U.S. voting methods, but one fourth of voters still depend on unverifiable equipment
Verified Voting has released a new version of the Verifier, a map of voting technology used throughout the United States and territories, along with a statistical summary of voting technology that States will use this November.

The Verifier can be accessed by clicking here.

“While voter-marked paper ballots have consistently been the most prevalent voting system in the nation, this election marks the highest levels of voter-marked paper ballot use in ten years,” said Verified Voting policy analyst Sean Flaherty.

The Verifier allows users to quickly search for voting equipment information by any combination of type, vendor, machine model, or paper record type. Clicking on a state in the US map displays a map of that state’s election jurisdictions. Each of these can be clicked to reveal detailed data on the local voting equipment, election officials, and number of registered voters.

The Verifier has been updated with detailed information sheets about the nation’s voting systems, including new models like the DS200. The data sheets include voting machine descriptions and explanations of how each system is used.

In addition to the voting systems map, the Verifier provides a comprehensive map of accessible equipment serving voters with disabilities. The Verifier is provided as a public service at no cost to users.

The Verifier’s data show that 67 percent of Americans live in election jurisdictions where voter-marked paper ballots will be the standard voting system. All but a tiny handful of paper ballot jurisdictions use ballot scanners to tabulate ballots (approximately one million registered voters live in jurisdictions that hand count paper ballots).

But one fourth of the nation’s voters must still depend upon all-electronic voting machines for polling-place voting. Verified Voting’s statistical summary can be viewed here.

“We’re gratified with the direction we’ve seen, toward more jurisdictions with verifiable, recountable elections. But one fourth of the nation’s voters are still forced to depend on voting systems that cannot be recounted,” said Verified Voting president Pamela Smith. “This situation must change by 2012; the phaseout of voting without a safety net is long overdue,” said Smith.

Verified Voting Blog: Hacking the D.C. Internet Voting Pilot

This article was posted at Ed Felten’s “Freedom to Tinker” blog and is re-posted with permission.

The District of Columbia is conducting a pilot project to allow overseas and military voters to download and return absentee ballots over the Internet. Before opening the system to real voters, D.C. has been holding a test period in which they’ve invited the public to evaluate the system’s security and usability. This is exactly the kind of open, public testing that many of us in the e-voting security community — including me — have been encouraging vendors and municipalities to conduct. So I was glad to participate, even though the test was launched with only three days’ notice. I assembled a team from the University of Michigan, including my PhD students, Eric Wustrow and Scott Wolchok, and Dawn Isabel, a member of the University of Michigan technical staff. Within 36 hours of the system going live, our team had found and exploited a vulnerability that gave us almost total control of the server software, including the ability to change votes and reveal voters’ secret ballots. In this post, I’ll describe what we did, how we did it, and what it means for Internet voting. Read More

Verified Voting Blog: States May Use Federal HAVA Funds for Post-Election Audits

Post-election audits of electronic vote tallies are inexpensive.  The process is simple: a sample of precincts (or batches of ballots that have been tallied electronically) is chosen randomly, counted by hand, and compared to the corresponding computer tally.  To mention just two examples, North Carolina conducted an audit of  the Presidential election in 275 precincts (almost 10% of the total precincts in the state) for a statewide total of $31,000, and  Connecticut’s November 2008 audit costed 11 cents per audited race on each ballot.

Still, in these straightened times, States and counties with auditable voting systems might be concerned about the costs of manually counting ballots.  In May, the U.S. Election Assistance Commission gave such jurisdictions excellent but little-noticed news: the Commission ruled that States may use Federal Help America Vote Act (HAVA) funds to pay for the cost of post-election audits.  The EAC concluded that funds allocated under either Section 101 or Section 251 of HAVA may be used to fund audits. Read More

Verified Voting Blog: Dangers of Internet Voting Confirmed

For years, computer security experts have said that casting ballots using the Internet cannot be done securely. Now, after a team from the University of Michigan successfully hacked the Washington D.C. Board of Elections and Ethics (DCBOEE) public test of Internet voting, we have a visceral demonstration of just how serious the threats really are.

Prior to rolling out the Internet voting system this November year, the DCBOEE allowed a 5 day trial period, inviting the public to test the ballot casting system and probe its security. Despite short notice given to the public, Dr. Alex Halderman and a team of students took up the challenge. What they were able to achieve in 36 hours demonstrates how vulnerable Internet voting is to a whole host of attacks, and how serious the security threats really are.

In testimony before the DC Council Hearing of The Committee on Government Operations and The Environment, Dr. Halderman detailed the extent to which his team was able to take complete control of DCBOEE’s Internet voting system:

Read More

Verified Voting Blog: Coalition Calls For Halt to Washington State E-mail Ballot Program

This week, as University of Michigan computer technologists revealed in stark fashion the risks of Internet voting, Verified Voting, Common Cause, and Voter Action worked to halt an effort to expand the electronic return of voted ballots in Washington State. The Secretary of State of Washington  has proposed an emergency rule that would allow voters to send their votes home to election officials via e-mail.  In a letter to the Secretary this week, the three organizations and a cooperating attorney wrote that e-mail balloting is not required by Federal or State law, and exposes voters’ ballots to unacceptable risk of error or fraud.

This week, Dr. Alex Halderman and his students at the University of Michigan provided a powerful demonstration of the wisdom of avoiding the electronic submission of voted ballots for the foreseeable future.  Professor Halderman’s team hacked the District of Columbia’s pilot Internet voting portal for the District’s overseas and military voters, changing the contents of encrypted ballots and re-encrypting them,discovering the identities and user PINs of voters – as well as noting attempts by users in Iran and China to gain access to the DC voting system. Read More

Verified Voting Public Commentary: Verified Voting Lauds Successful Test Hack of Internet Voting Pilot

Verified Voting applauds the decision of the District of Columbia Board of Elections and Ethics to suspend their plan to offer overseas voters the dangerous option of returning their voted ballots by a “digital vote by mail” Internet voting system. The District’s plans to continue other Internet-based ballot return methods (including email and fax) for the District’s military and civilian overseas voters still raise concerns among voting security experts. DC election officials made the decision after inviting technology experts to hack the Board’s prototype voting system during a trial period. The test pilot was apparently attacked successfully shortly after it began by a team of academic experts led by Prof. J. Alex Halderman at the University of Michigan.

The attack caused the University of Michigan fight song to be played for test voters when they completed the balloting process. Full details of the hack and its impact on submitted test ballots are expected to become available in the coming days. In addition to the Michigan team’s breach of the voting system, Verified Voting’s Board Chair Dr.David Jefferson documented a very serious vote loss problem that caused voters to inadvertently return blank ballots while believing that they had submitted complete ballots. The disenfranchising bug was noted in at least two widely used computer/browser configurations. It is possible that the same problem would affect voters trying to use email or some fax systems to return voted ballots.

Read More

Verified Voting Blog: The meaning of Alex Halderman’s successful attack on the DC Internet voting system

University of Michigan Prof. Alex Halderman has now released some details about his successful attack on the District of Columbia’s proposed Internet voting system which has been under test for the last week. (See It is now clear that Halderman and his team were able to completely subvert the entire DC Internet voting system remotely, gaining complete control over it and substituting fake votes of their choice for the votes that were actually cast by the test voters. What is worse, they did so without the officials even noticing for several days. Let there be no mistake about it: this is a major achievement, and supports in every detail the warnings that security community have been giving about Internet voting for over a decade now. After this there can be no doubt that the burden of proof in the argument over the security of Internet voting systems has definitely shifted to those who claim that the systems can be made secure.

Read More