The Verified Voting Blog

This blog contains posts authored by the Verified Voting Team and by members of the Verified Voting Board of Advisors.

No to Online Voting in Virginia | Electronic Frontier Foundation

This article originally appeared on Electronic Frontier Foundation's website on February 4th, 2019

Experts agree: Internet voting would be an information security disaster. Unfortunately, the Commonwealth of Virginia is considering a pair of bills to experiment with online voting. Pilot programs will do nothing to contradict the years of unanimous empirical research showing that online voting is inherently vulnerable to a variety of threats from malicious hackers, including foreign nations.

EFF strongly opposes Virginia H.B. 2588 and S.J.R. 291, and all online voting. Instead, EFF recommends that absentee voting, like all voting, be conducted with paper records and risk-limiting audits, the current state-of-the art in election security.

[caption id="" align="alignnone" width="602"] xkcd.com[/caption]

Verified Voting Calls on Gov. Tom Wolf and the Penn. General Assembly to Appropriate Funding to Replace Vulnerable Electronic Voting Machines

Marian K. Schneider: “Verified Voting calls on the Pennsylvania legislature to appropriate additional funding to subsidize the cost of replacement.”

The following is a statement from Marian K. Schneider, president of Verified Voting, formerly Deputy Secretary for Elections and Administration in the Pennsylvania Department of State, following Gov. Tom Wolf’s budget address to the joint legislative session on Tuesday morning. For additional media inquires, please contact aurora@newheightscommunications.com 

“The security of Pennsylvania’s elections is at a crossroads. In 2018, 83 percent of Pennsylvanians have voted on unverifiable direct recording electronic (DRE) systems. The state already recognizes the need to replace aging and vulnerable electronic voting machines with ones that have a voter-verifiable paper ballot or record of votes cast before the 2020 election. Governor Tom Wolf committed to this nearly a year ago, yet his budget address to the joint legislative session today falls short of providing the resources counties need to implement best election security practices. In light of the inadequacy of the funding request and the timing of the directive, the Governor should allow the 17 counties that already vote on paper ballots to keep their systems until more resources are available.  Regardless, the remaining counties who do not have a plan to replace their systems are risking another presidential election in which the reported outcome cannot be verified.

“The Governor doesn’t have to look any further than the bipartisan Blue Ribbon Commission on Pennsylvania’s Election Security’s report last week for funding options. The report, which published recommendations to help counties purchase electronic voting systems with paper ballots and implement mandatory post-election audits and election emergency plans before the 2020 presidential election, recommends legislators fully fund the replacement of vulnerable systems using creative financing mechanisms if possible. The Governor could also relieve counties that already provide paper ballots from the mandate to replace their systems immediately. For these counties, robust post-election audits can protect the integrity of the election outcomes with the existing systems.

“Verified Voting calls on the Pennsylvania legislature to appropriate additional funding to subsidize the cost of replacement. In addition, we urge the Department of State to insist that all newly-certified voting systems include the most secure features and will be ready for robust post-election tabulation audits. Given the threat of hacking and other cyberattacks, the cost of replacing Pennsylvania’s current systems in 50 counties is far outweighed by the cost of leaving our elections vulnerable.” Read the rest

To Enhance Election Security, Rhode Island Tests A New Way to Verify Election Results

Aurora Matthews, New Heights Communications, aurora@newheightscommunications.com, (301)221-7984

PROVIDENCE, RI – Rhode Island is making good on its promise to road-test risk-limiting election audits, following 2017 passage of legislation by the Rhode Island General Assembly, requiring them. Beginning with the presidential primary in April 2020, Rhode Island will become the second state to require these audits to verify election results. A “risk limiting” audit checks if the election result is correct. Specifically it checks the counting of the votes. A “risk-limiting” audit limits the risk that the wrong election result will be certified. It can catch errors which change the result and correct a wrong result.

For more background on the legislation, visit here: https://www.commoncause.org/democracy-wire/rhode-island-adopts-risk-limiting-election-audits/ and here: http://webserver.rilin.state.ri.us/BillText/BillText17/HouseText17/H5704.pdf

To prepare for next year’s full implementation, the Rhode Island Board of Elections will conduct three pilot audits on January 16 and 17 at 50 Branch Avenue in Providence, Rhode Island beginning at 9:30 a.m. These pilot audits will be conducted with local election officials from Bristol, Cranston and Portsmouth, Rhode Island.

The purpose is to test three different methods for conducting risk-limiting audits. A variety of tasks will be conducted over two days, including hand tabulation of a sample of ballots. For purposes of planning future audits a time and measurement study will be conducted over the two days.

Rhode Island will demonstrate three types of audits:

  • Ballot-level comparison audit for Bristol precincts: This method A ballot-level comparison audit is an audit that is similar to checking an expense report. First the audit checks that the subtotals add up to the reported totals. And then individual ballots are checked against how they are recorded by the machine – similar to checking receipts against numbers in a spreadsheet.
  • Batch-level comparison audit for Cranston precincts: This method will check a random sample of ballot “batches” and compare the total vote count of those batches against the voting machine’s count. A batch will consist of between 250-300 ballots.
  • Ballot-level polling audit for Portsmouth precincts: This method will check a random sample of ballots with the reported outcome, not against the voting machine’s record of those votes. This is comparable to an exit poll. But instead of using the voters’ responses to questions, it checks marking of the actual ballots. Enough ballots are sampled to give election officials confidence that the outcome is correct.

“We strongly support the Rhode Island Board of Election’s piloting risk-limiting audits as they prepare for full implementation of our law in 2020. Given recent threats to US cybersecurity, risk-limiting audits help conduct accurate, fair elections, strengthening voter confidence in election results,” said John Marion, Executive Director of Read the rest

Verified Voting Recommends Hand-Marked Paper Ballots for Georgia to SAFE Commission

Verified Voting sent a letter to the Secure, Accessible, Fair Elections (SAFE) Commission on Friday, January 4 with their recommendations for a new voting system in Georgia.

Read the letter below or download it here

Verified Voting submits the following statement endorsing hand-marked paper ballots that are scanned as the primary voting method for voters. Verified Voting respectfully requests that this statement be shared with the entire SAFE commission in advance of the next meeting scheduled for January 10, 2019.

Recommendation. In light of the pervasive security vulnerabilities of all electronic voting systems, including Ballot Marking Devices (BMDs), as well as the considerable cost of BMDs, Verified Voting Foundation endorses the use of hand-marked paper ballots as the best primary method for recording votes in public elections. BMDs do play an important role for some voters, including voters with disabilities, that prevent them from hand-marking paper ballots. However, the primary voting method for most voters should be hand-marked paper ballots.

Rationale. Hand-marked paper ballots offer better voter verification than can be achieved with a computerized interface. A paper ballot that is indelibly marked by hand and physically secured from the moment of casting is the most reliable record of voter intent. A hand-marked paper ballot is the only kind of record not vulnerable to software errors, configuration errors, or hacking. With hand-marked paper ballots, voters are responsible only for their own errors, while with a BMD, voters are responsible for catching and correcting errors or alterations made by the BMD. Consequently, well-designed hand-marked paper ballots combined with a risk-limiting post-election tabulation audit provide the gold standard for ensuring that reported election results accurately reflect the will of the people.

Verified Voting Welcomes Colorado Secretary of State Wayne Williams to its Board of Advisors

Wayne Williams: “I’m excited to share my expertise so that we can continue to strengthen our nation’s election systems and voters’ confidence in those systems.”

Verified Voting, a leading national organization focused solely on making our voting technology secure, welcomes Wayne Williams to its Advisory Board. Williams, while serving as Colorado Secretary of State from 2015 to 2019, adopted new voting standards requiring voter-verifiable paper ballots and implemented the nation’s first statewide risk-limiting audit (RLA) in Colorado.

“Voter confidence in elections is critical for Americans’ faith in our democratic republic. The election reforms we adopted in Colorado, including paper ballots and the nation’s first full risk-limiting audit, helped encourage Coloradans to vote in record numbers. I’m excited to share my enthusiasm and election expertise on the Verified Voting Board of Advisors so that we can continue to strengthen our nation’s election systems and voters’ confidence in those systems,” said Williams.

Under Williams’ leadership, Colorado led the nation in voter registration and turnout. He also served on the Executive Committee of the National Association of Secretaries of State for three years. Prior to serving as Secretary of State Williams served as El Paso County Clerk & Recorder, where he successfully ran elections in Colorado’s most populous county. Williams graduated magna cum laude from Brigham Young University, received his law degree from the University of Virginia and is a Certified Elections/Registration Administrator. Williams is also a Harry S. Truman Scholar and received the Medallion Award from the National Association of Secretaries of State for his efforts in protecting the right to vote during the fire-ravaged primary election in 2012.

“Wayne Williams brings extensive expertise as an on-the-ground election official and we are delighted to have him join Verified Voting’s Advisory Board,” said Barbara Simons, Verified Voting’s Board Chair.

View the full list of Verified Voting Advisory Board members here.

For additional press inquiries, please contact Aurora Matthews at aurora@newheightscommunications.com Read the rest

Election Security Experts Applaud City of Fairfax, VA and Orange County, CA for Leading in New Election Integrity Methods

New Reports from Verified Voting Show How Risk-Limiting Audits in California and Virginia Can Improve Election Security and Public Confidence

WASHINGTON, D.C – Robust post-election audits are changing the election security landscape and the City of Fairfax, Virginia and Orange County, California are leading the way. Risk-limiting audits (RLAs) of voter-marked paper ballots can promote election security and public confidence by providing rigorous statistical evidence that election outcomes match the ballots — and a means to detect and correct outcomes that don’t match. If the method is widely adopted it will bolster confidence in elections. In the months leading up to the midterms, the City of Fairfax and Orange County implemented pilot projects that, as documented in two new reports by the Verified Voting Foundation, with funding support from Microsoft, demonstrated the benefits of risk-limiting audits.

The “Pilot Risk-Limiting Audit” reports, released today at the MIT Election Audit Summit, detail how Orange County and the City of Fairfax conducted pilots — in June and August 2018, respectively — and how these pilots provide lessons for election officials and policymakers around the country.

“The pilots in the City of Fairfax and Orange County provide a framework for risk-limiting audits and are a positive step toward more widespread use of this method going forward,” said Marian K. Schneider, Verified Voting’s president.

The reports discuss the process of developing the pilots, as well as the implementation. An RLA of the tabulation of an election contest checks a random selection of voted paper ballots or voter-verifiable paper records. This statistically-sound audit can stop as soon as it finds strong evidence that the reported outcome was correct. Or, if the reported outcome was wrong because ballots were miscounted in the tabulation, an RLA is very likely to lead to a full hand recount that corrects the outcome.

Colorado became the first state to conduct statewide RLAs in 2017. New Mexico uses a related procedure, and Rhode Island will soon follow suit. The RLA pilots in the City of Fairfax and Orange County represent a growing interest from election officials looking for a reliable and efficient way to provide strong statistical evidence to confirm reported results of vote tallies. Other states looking to replicate robust post-election audits like RLAs must require voters to vote on voter-marked paper ballots, either marked by hand or using ballot marking devices. Direct Recording Electronic (DRE) voting machines that produce “voter-verifiable paper audit trails” provide, at best, an obsolescent stopgap: most voters never check them, and often they are hard to audit.

The reports on the RLA pilots in Orange County and the City of Fairfax demonstrate the importance of frequent Read the rest

Why voters should mark ballots by hand | Andrew Appel

[caption id="attachment_132454" align="alignleft" width="200"] ExpressVote ballot card, with bar codes for optical scanner and with human-readable summary of choices for use in voter verification and in recount or audit.[/caption]

Because voting machines contain computers that can be hacked to make them cheat, “Elections should be conducted with human-readable paper ballots. These may be marked by hand or by machine (using a ballot-marking device); they may be counted by hand or by machine (using an optical scanner).  Recounts and audits should be conducted by human inspection of the human-readable portion of the paper ballots.”

Ballot-marking devices (BMD) contain computers too, and those can also be hacked to make them cheat.  But the principle of voter verifiability is that when the BMD prints out a summary card of the voter’s choices, which the voter can hold in hand before depositing it for scanning and counting, then the voter has verified the printout that can later be recounted by human inspection.

But really?  As a practical matter, do voters verify their BMD-printed ballot cards, and are they even capable of it?  Until now, there hasn’t been much scientific research on that question.

A new study by Richard DeMillo, Robert Kadel, and Marilyn Marks now answers that question with hard evidence:

  1. In a real polling place, half the voters don’t inspect their ballot cards, and the other half inspect for an average of 3.9 seconds (for a ballot with 18 contests!).
  2. When asked, immediately after depositing their ballot, to review an unvoted copy of the ballot they just voted on, most won’t detect that the wrong contests are presented, or that some are missing.

This can be seen as a refutation of Ballot-Marking Devices as a concept.  Since we cannot trust a BMD to accurately mark the ballot (because it may be hacked), and we cannot trust the voter to accurately review the paper ballot (or even to review it at all), what we can most trust is an optical-scan ballot marked by the voter, with a pen.  Although optical-scan ballots aren’t perfect either, that’s the best option we have to ensure that the voter’s choices are accurately recorded on the paper that will be used in a recount or random audit.

Verified Voting Outlines Steps Voters Can Take to Report Problems on Election Day

Voters who experience problems to call the Election Protection hotline at 866-OUR VOTE / 1-888-Ve-y-vota

To speak with Marian K. Schneider or for additional media inquires, please contact aurora@newheightscommunications.com  

November 6, 2018 – Recent reports of possible threats to voting systems and registration databases are alarming, but voters should not be deterred from voting this Election Day. Election officials at the state-level are more prepared for cybersecurity threats or problems with computers than they were two years ago.

“The only way to ensure your vote doesn’t count is if you don’t vote,” said Marian K. Schneider, president of Verified Voting.

Verified Voting urges voters who notice anything wrong with their voter registration or at their polling place to call the Election Protection Hotline: 866-OUR VOTE / 1-888-Ve-y-vota or check out 866OURVOTE.org. Voters should also report any problems to their local county board of elections or to the Secretary of State’s office or both. Doing so will allow officials to understand how widespread the issue is and assist in efforts to pinpoint the cause.

For statewide information about polling place equipment, please visit the Verifier. Read the rest

Verified Voting Calls on Texas to Investigate Straight-Ticket Voting Issues; Voters Should Carefully Check Choices

Marian K. Schneider: “Verified Voting urges Secretary of State Rolando Pablos to move Texas toward reliable, verifiable voting systems that include a voter-marked paper ballot statewide.”

The following is a statement from Marian K. Schneider, president of Verified Voting, in response to reports that voters in six counties in Texas (Harris, Montgomery, Fort Bend, Travis, Tarrant, and McLennan) experienced straight-ticket voting issues using the Hart eSlate voting machines. At a minimum, 5.1 million Texas voters in six of the largest counties in Texas that use Hart eSlate voting machines may be affected by this issue. For additional media inquires, please contact aurora@newheightscommunications.com

“Verified Voting calls on Secretary of State Rolando Pablos to launch a broader and more robust statewide public information effort to advise voters to carefully check their choices as displayed before submitting them on direct recording electronic (DRE) voting machines manufactured by Hart InterCivic.

“Verified Voting appreciates that the Secretary of State issued an advisory warning voters to check their choices carefully before submitting the ballot. More work needs to be done to ensure that all voters in the affected counties are equipped to cast their votes as they intend.

“The reported problems underscore the design flaw in voting systems that do not incorporate a voter-marked paper ballot. Paper ballots that are retained can be later sampled to check if the software is correctly reporting the voters’ selections. Without such a safeguard, public confidence in elections diminishes. Verified Voting urges Secretary Pablos to move Texas toward reliable, verifiable voting systems that include a voter-marked paper ballot statewide.

“Verified Voting also calls on Secretary Pablos to investigate the reports of voting problems, determine the root cause of the issue and publicize the results of such an investigation. Voters should be instructed to report any problems to their local county board of elections or to the Secretary of State’s office or both. Doing so will allow officials to understand how widespread the issue is and assist in efforts to pinpoint the cause.

“Verified Voting also urges voters who experience problems to call the Election Protection hotline at 866-OUR VOTE / 1-888-VE-Y-VOTA. Read the rest

An unverifiability principle for voting machines | Andrew Appel

This article was originally posted at Freedom to Tinker on October 22, 2018.

In my last three articles I described the ES&S ExpressVote, the Dominion ImageCast Evolution, and the Dominion ImageCast X (in its DRE+VVPAT configuration).  There’s something they all have in common: they all violate a certain principle of voter verifiability.

  • Any voting machine whose physical hardware can print votes onto the ballot after the last time the voter sees the paper,  is not a voter verified paper ballot system, and is not acceptable.
  • The best way to implement this principle is to physically separate the ballot-marking device from the scanning-and-tabulating device.  The voter marks a paper ballot with a pen or BMD, then after inspecting the paper ballot, the voter inserts the ballot into an optical-scan vote counter that is not physically capable of printing votes onto the ballot.

The ExpressVote, IC-Evolution, and ICX all violate the principle in slightly different ways: The IC-Evolution one machine allows hand-marked paper ballots to be inserted (but then can make more marks), the ExpressVote in one configuration is a ballot-marking device (but after you verify that it marked your ballot, you insert it back into the same slot that can print more votes on the ballot), and IC-X configured as DRE+VVPAT can also print onto the ballot after the voter inspects it.  In fact, almost all DRE+VVPATs can do this:  after the voter inspects the ballot, print VOID on that ballot (hope the voter doesn’t notice), and then print a new one after the voter leaves the booth.