The Verified Voting Blog

This blog contains posts authored by the Verified Voting Team and by members of the Verified Voting Board of Advisors.

New Report: Internet Voting Threatens Ballot Secrecy

Casting a secret ballot in the upcoming election might not be so secret or secure depending on where – and how – you vote, according to a new report The Secret Ballot at Risk: Recommendations for Protecting Democracy. The report was coauthored by three leading organizations focused on voting technology, the Electronic Privacy Information Center (EPIC), Verified Voting and Common Cause.

Caitriona Fitzgerald, State Policy Coordinator for EPIC and a co-author of the report, said, "The secret ballot is a core value in all 50 states. Yet states are asking some voters to waive this right. That threatens voting freedom and election integrity. This report will help safeguard voter privacy."

This year 32 states will allow voting by email, fax and internet portals – mostly for overseas and military voters. In most states, voters using Internet voting must waive their right to a secret ballot.

Giving up the right to a secret ballot threatens the freedom to vote as one chooses, argue the report authors. The report cites several examples of employers making political participation a condition of employment -- such as an Ohio coal mining company requiring its workers to attend a Presidential candidate’s rally - and not paying them for their time.

“On Election Day, we all are equal. The Secret Ballot ensures voters that employers’ political opinions stop at the ballot box,” said Susannah Goodman, director of Common Cause's national Voting Integrity Campaign. “The Secret Ballot was established for a reason. The Secret Ballot ensures that we can all vote our conscience without undue intimidation and coercion.”

Marc Rotenberg, EPIC President, agreed, “The secret ballot is the cornerstone of modern democracy. The states must do more to protect the privacy of voters.”

Give Us The Ballot | Dr. Martin Luther King Jr.

The following passage is excerpted from a speech that Dr. King delivered before the Lincoln Memorial at the March on Washington, on May 17, 1957, three years after Brown v. Board of Education and eight years before the enactment of the Voting Rights Act.

Three years ago the Supreme Court of this nation rendered in simple, eloquent and unequivocal language a decision which will long be stenciled on the mental sheets of succeeding generations. For all men of good will, this May 17 decision came as a joyous daybreak to end the long night of segregation. It came as a great beacon light of hope to millions of distinguished people throughout the world who had dared only to dream of freedom. It came as a legal and sociological deathblow to the old Plessy doctrine of "separate-but-equal." It came as a reaffirmation of the good old American doctrine of freedom and equality for all people.

Unfortunately, this noble and sublime decision has not gone without opposition. This opposition has often risen to ominous proportions. Many states have risen up in open defiance. The legislative halls of the South ring loud with such words as "interposition" and "nullification." Methods of defiance range from crippling economic reprisals to the tragic reign of violence and terror. All of these forces have conjoined to make for massive resistance.

But, even more, all types of conniving methods are still being used to prevent Negroes from becoming registered voters. The denial of this sacred right is a tragic betrayal of the highest mandates of our democratic traditions and its is democracy turned upside down.

So long as I do not firmly and irrevocably possess the right to vote I do not possess myself. I cannot make up my mind — it is made up for me. I cannot live as a democratic citizen, observing the laws I have helped to enact — I can only submit to the edict of others.
Three years ago the Supreme Court of this nation rendered in simple, eloquent and unequivocal language a decision which will long be stenciled on the mental sheets of succeeding generations. For all men of good will, this May 17 decision came as a joyous daybreak to end the long night of segregation. It came as a great beacon light of hope to millions of distinguished people throughout the world who had dared only to dream of freedom. It came as a legal and sociological deathblow to the old Plessy doctrine of "separate-but-equal." It came as a reaffirmation of the good old American doctrine of freedom and equality for all people.

Unfortunately, this noble and sublime decision has not gone without opposition. This opposition has often risen to ominous proportions. Many states have risen up in open defiance. The legislative halls of the South ring loud with such words as "interposition" and "nullification." Methods of defiance range from crippling economic reprisals to the tragic reign of violence and terror. All of these forces have conjoined to make for massive resistance.

But, even more, all types of conniving methods are still being used to prevent Negroes from becoming registered voters. The denial of this sacred right is a tragic betrayal of the highest mandates of our democratic traditions and its is democracy turned upside down.

So long as I do not firmly and irrevocably possess the right to vote I do not possess myself. I cannot make up my mind — it is made up for me. I cannot live as a democratic citizen, observing the laws I have helped to enact — I can only submit to the edict of others.

A Democracy Worth the Paper — Ballot — it’s Written on | Mark Halvorson and Barbara Simons

As the CIA digs deep to investigate foreign influence on our election, we should recognize that we don’t need cybersecurity experts to tell us if our votes have been accurately counted. Citizen observers can do the job, if we fix the way we vote and the way we verify those votes.

Our democracy is in crisis because we have introduced computers into our voting systems without proper safeguards. First and foremost, every vote must be cast on a paper ballot marked by the voter. In addition, we must require that at least a random sample of those paper ballots be counted by hand to determine if the electronically reported election results are correct.

About 25 percent of the 2016 votes, including almost all of Pennsylvania, were cast on paperless, computerized voting machines. Since software can contain bugs, programming errors, and even malware, we never should have allowed paperless voting machines to record and count our votes, because there is no way to verify that votes are properly recorded and counted inside the machines. Voting on a paperless electronic voting machine is like speaking your vote to a stranger behind a screen and ­­­­­trusting him to cast it for you, without ever seeing the person or how he marked your ballot.

Furthermore, even states with paper ballots tabulate almost all of them using computerized optical scanners. Paper ballots provide no protection unless they are manually checked after the election to verify or correct the computer-declared results. There are only two ways to independently verify electronic tallies (that is, to confirm whether or not the person behind the screen was honest and accurate): post-election audits and recounts done by hand by examining the original paper ballots.

Election Security Is a Matter of National Security | David Dill

State-sponsored cyber-attacks seemingly intended to influence the 2016 Presidential election have raised a question: Is the vulnerability of computerized voting systems to hacking a critical threat to our national security? Can an adversary use methods of cyber-warfare to select our commander-in-chief?

A dedicated group of technically sophisticated individuals could steal an election by hacking voting machines key counties in just a few states. Indeed, University of Michigan computer science professor J. Alex Halderman says that he and his students could have changed the result of the presidential election. Halderman et al. have hacked a lot of voting machines, and there are videos to prove it. I believe him.

Halderman isn’t going to steal an election, but a foreign power might be tempted to do so. The military expenditures of a medium-size country dwarf the cost of a multi-pronged attack, which could include using the internet, bribing employees of election offices and voting machine vendors, or just buying voting machine companies. It is likely that such an attack would not be detected, given our current election security practices.

What would alert us to such an attack? What should we do about it? If there is reason to suspect an election result (perhaps because it’s an upset victory that defies the vast majority of pre-election polls), common sense says we should double-check the results of the election as best we can. But this is hard to do in America. Recount laws vary with each state. In states where it is possible to get a recount, it often has to be requested by one of the candidates, often at considerable expense.

In the recent election, it is fortunate that Green Party Presidential candidate Jill Stein, citing potential security breaches, recently requested a recount of the 2016 presidential vote in Wisconsin and Pennsylvania and plans to do so in Michigan. Donald Trump unexpectedly won these three states by very narrow margins, and their recount laws are favorably compared with some of the other swing states.

Want to Know if the Election was Hacked? Look at the Ballots | J. Alex Halderman

You may have read at NYMag that I’ve been in discussions with the Clinton campaign about whether it might wish to seek recounts in critical states. Thatarticle, which includes somebody else’s description of my views, incorrectly describes the reasons manually checking ballots is an essential security safeguard (and includes some incorrect numbers, to boot). Let me set the record straight about what I and other leading election security experts have actually been saying to the campaign and everyone else who’s willing to listen. 

How might a foreign government hack America’s voting machines to change the outcome of a presidential election? Here’s one possible scenario. First, the attackers would probe election offices well in advance in order to find ways to break into their computers. Closer to the election, when it was clear from polling data which states would have close electoral margins, the attackers might spread malware into voting machines in some of these states, rigging the machines to shift a few percent of the vote to favor their desired candidate. This malware would likely be designed to remain inactive during pre-election tests, do its dirty business during the election, then erase itself when the polls close. A skilled attacker’s work might leave no visible signs — though the country might be surprised when results in several close states were off from pre-election polls.

Could anyone be brazen enough to try such an attack? A few years ago, I might have said that sounds like science fiction, but 2016 has seen unprecedented cyberattacks aimed at interfering with the election. This summer, attackers broke into the email system of the Democratic National Committee and, separately, into the email account of John Podesta, Hillary Clinton’s campaign chairman, and leaked private messages. Attackers infiltrated the voter registration systems of two states, Illinois and Arizona, and stole voter data. And there’s evidence that hackers attempted to breach election offices in several other states.

In all these cases, Federal agencies publicly asserted that senior officials in the Russian government commissioned these attacks. Russia has sophisticated cyber-offensive capabilities, and has shown a willingness to use them to hack elections. In 2014, during the presidential election in Ukraine, attackers linked to Russia sabotaged the country’s vote-counting infrastructure and, according to published reports, Ukrainian officials succeeded only at the last minute in defusing vote-stealing malware that was primed to cause the wrong winner to be announced. Russia is not the only country with the ability to pull off such an attack on American systems — most of the world’s military powers now have sophisticated cyberwarfare capabilities.

[caption id="attachment_108182" align="aligncenter" width="800"]The pink counties predominately use optical scan paper ballots, which can be examined to confirm that the computer voting machines produced an accurate count. Blue counties use paperless voting systems, which require forensic analysis. The pink counties predominately use optical scan paper ballots, which can be examined to confirm that the computer voting machines produced an accurate count. Blue counties use paperless voting systems, which require forensic analysis.[/caption]

Were this year’s deviations from pre-election polls the results of a cyberattack? Probably not. I believe the most likely explanation is that the polls were systematically wrong, rather than that the election was hacked. But I don’t believe that either one of these seemingly unlikely explanations is overwhelmingly more likely than the other. The only way to know whether a cyberattack changed the result is to closely examine the available physical evidence — paper ballots and voting equipment in critical states like Wisconsin, Michigan, and Pennsylvania. Unfortunately, nobody is ever going to examine that evidence unless candidates in those states act now, in the next several days, to petition for recounts.

Voting Experts Call for Nationwide Audit to Verify Election Results

Days after an unexpected outcome in the presidential election, a leading voting security group is reinforcing its call for a national post-election manual audit to validate computer-generated election results. In the months leading up to the election federal authorities issued unprecedented warnings regarding the computer security of the U.S. election system following revelations that over 20 states’ voter registration systems and a Florida voting system vendor were targeted by foreign cyber attacks. Federal officials acknowledged that the system vendor and four states’ voter registration databases were compromised by hackers including Illinois and Arizona.

“This national election was held under an unfortunate cloud of uncertainty due to documented attacks on U.S. election systems and claims of rigging before votes were even cast,” said Verified Voting President Pamela Smith. “In order for democracy to work, we all need to believe in the system that elects our leaders. Voters must have assurance their ballots will be counted the way they intended to cast them—especially in a time when so much doubt has been cast on the electoral process. Luckily, there’s an easy way to do this: a post-election audit that manually examines a random sample of the ballots.”

Almost all ballots cast in the U.S. are tabulated by computers; software is vulnerable to errors, bugs, malware and attacks. The security breaches identified in the months before the election led national security experts in both the federal government and private sector to issue unprecedented warnings about the cyber security of U.S. voting systems. In an extraordinary move, the Department of Homeland Security partnered with state and federal election officials in an effort to shore up voting system security following the disclosed attacks.

A nationwide audit of about 1.4 million ballots–just over 1% of the votes cast– could give 95% confidence that each state’s result is right. About 25% of Americans voted on equipment that does not produce an auditable paper record, mostly in Delaware, Georgia, Louisiana, and New Jersey. But votes cast by the other 75% are on paper ballots or paper records voters have the chance to check, and those can and should be checked in every election.

Still time for an election audit | Ron Rivest and Philip Stark

A Washington Post–ABC News poll found that 18% of voters — 33% of Clinton supporters and 1% of Trump supporters — think Trump was not the legitimate winner of the election. Sen. Lindsey Graham, R-S.C., has called on Congress to investigate the Russian cyberattack on the Democratic National Committee and the election. There are reasons for concern. According to the director of national intelligence, the leaked emails from the DNC were “intended to interfere with the U.S. election process.” The director of national intelligence, the Department of Homeland Security, and the National Security Agency concluded that the Russian government is behind the DNC email hack and that Russian hackers attacked U.S. voter registration databases.

We know that the national results could be tipped by manipulating the vote count in a relatively small number of jurisdictions — a few dozen spread across a few key states. We know that the vast majority of local elections officials have limited resources to detect or defend against cyberattacks. And while pre-election polls have large uncertainties, they were consistently off. And various aspects of the preliminary results, such as a high rate of undervotes for president, have aroused suspicion.

Computers counted the vast majority of the 130 million votes cast in this year's election. Even without hacking, mistakes are inevitable. Computers can’t divine voter intent perfectly; computers can be misconfigured; and software can have bugs. Did human error, computer glitches, hacking, or other problems change the outcome? While there is, as yet, no compelling evidence, the news about hacking and deliberate interference makes it worth finding out.

Election integrity: Missing components to remedy

This oped appeared originally at the The Hill on November 8, 2016.

Our election systems’ vulnerabilities received unprecedented bipartisan and media attention from mid-summer onward, sparked by the apparently Russian origins of hacks into the Democrat’s communications systems. If tampering with the U.S. election process was a goal, then election technologies used for voter registration and vote tabulation, and the Internet itself, were hypothesized as additional potential targets. Further disclosures added fire to the considerable smoke.

While correction of U.S. election vulnerabilities may appear to be largely a simple matter of upgrading the election technologies, including voting devices and voter registration databases, that focus alone would be window dressing.  It would conceal and permit continuation of a broad array of vulnerabilities warranting reassessment and remedy.  Indeed, a full cyber risk assessment of our “mission critical” election processes would highlight a broad range of soft points that include many not yet a part of public and policymaker scrutiny. Outdated technology may appear to be the easiest correction, yet it is not. Other weak links in the process will defeat secure and resilient elections processes unless they, too, are redressed—like any weak chain.

Our election systems’ vulnerabilities received unprecedented bipartisan and media attention from mid-summer onward, sparked by the apparently Russian origins of hacks into the Democrat’s communications systems. If tampering with the U.S. election process was a goal, then election technologies used for voter registration and vote tabulation, and the Internet itself, were hypothesized as additional potential targets. Further disclosures added fire to the considerable smoke.

While correction of U.S. election vulnerabilities may appear to be largely a simple matter of upgrading the election technologies, including voting devices and voter registration databases, that focus alone would be window dressing.  It would conceal and permit continuation of a broad array of vulnerabilities warranting reassessment and remedy.  Indeed, a full cyber risk assessment of our “mission critical” election processes would highlight a broad range of soft points that include many not yet a part of public and policymaker scrutiny. Outdated technology may appear to be the easiest correction, yet it is not. Other weak links in the process will defeat secure and resilient elections processes unless they, too, are redressed—like any weak chain.

The illustrative list below elucidates some agenda items relevant on the eve of casting, counting, and reporting tallies -- and on checking the accuracy of vote tallies if hacking may have occurred.

Trump’s claim the election is rigged is unfounded

I serve as President of Verified Voting, a voting security organization that seeks to strengthen democracy by working to ensure that on Election Day, Americans have confidence that their votes will be counted as we intended to cast them. Election officials, security experts and advocates have been working together around the country toward that goal, at a level that also is unprecedented.

Elections are administered by local officials. America doesn’t have one monolithic national voting system the way there is in other countries. We have thousands of them, operating under state and local supervision.

In recent years, the way in which America votes has trended toward increasingly reliable and verifiable methods. More than 75 percent of Americans will vote this election on paper ballots or on voting machines with voter verifiable paper trails. That’s more than in past elections, including 2012 and 2014. (You can check out how your local area votes on our map of voting systems, at http://verifiedvoting.org/verifier ) That means more voters than ever will be voting on recountable, auditable systems.

Why is that important? Because it offers officials a way to demonstrate to the loser of an election and the public that yes, they really did get fewer votes than their opponent or opponents.This is a nonpartisan issue. If you lose an election because something went wrong with a voting system somewhere, that’s fundamentally unfair. The more checks and balances we have in place (such as paper backup trails and audits), the greater our ability to withstand tampering or just general malfunction.

That’s not to say that our systems have no vulnerabilities. We have a higher degree of reliability in our election systems than in the past, but there’s still work to be done. What’s notable is that more is being done to ensure security this year than ever before.

David Dill: Why Can’t We Vote Online? | KQED

This interview was posted at KQED on October 4, 2016, where audio of the interview can be heard.

david_dillWe can bank online and we can shop online so why can’t we vote online? To answer that question, we first need to agree on what it means, said David Dill, a computer science professor at Stanford and the founder of the Verified Voting Foundation. In other words, what do people mean when they ask: “Why can’t we vote online?”

“The reason people want internet voting is because they want the convenience to vote at home or vote on their smartphone,” Dill said. I have to agree. I want to vote online like I do everything else online. I want to vote anywhere, anytime and on any device. If that’s the case, Dill said the answer is simple: We can’t vote online because our personal devices are too easy to hack. “If we had online elections, we would never be able to trust the results of those elections,” Dill said. “These systems are just notoriously insecure.”

If you follow the news, you know that our smartphones and personal computers are constantly getting hacked. While antivirus companies try, no software can stop all viruses. In fact, you might have a virus on your computer right now and not realize it, Dill said. “Now you can imagine the impact on trying to cast a ballot on such a machine,” Dill said. “The technology does not exist for secure online voting.”

But aren’t there places that have voted online? Yes, but Dill says they’ve all been hacked.