Verified Voting Public Commentary


Verified Voting Public Commentary: Verified Voting Testimony before the Pennsylvania State Senate State Government Committee: Voting System Technology and Security


The security of election infrastructure has taken on increased significance in the aftermath of the 2016 election cycle. During the 2016 election cycle, a nation-state conducted systematic, coordinated attacks on America’s election infrastructure, with the apparent aim of disrupting the election and undermining faith in America’s democratic institutions. Intelligence reports that have been published in 2017 demonstrate that state databases and third-party vendors not only were targeted for attack, but were breached.1 Regardless of the success of hacking attempts in 2016, the consensus among the intelligence community is that future attacks on American elections are inevitable.2 The inevitability of attacks is a key concept in cyber security, that is, it’s not whether a system will be attacked, but when.

The existence and national significance of this threat have escalated the priority of securing Pennsylvania’s elections infrastructure. Two primary areas that require immediate and sustained attention are 1) securing both the state and county networks, databases and data transmission infrastructure that touch elections; and 2) instilling confidence in election outcomes by replacing legacy voting systems with new systems that permit reliable recounts and audits.

During the time that I served the Commonwealth as Deputy Secretary for Elections and Administration and Special Advisor to the Governor on Election Policy, I worked with the Office of Administration-Office of Information Technology to protect the Commonwealth’s networks that touch elections and to implement procedures to recover from any potential attacks. These efforts complied with cyber security best practices to monitor, detect, respond and recover. OA-OIT’s experienced staff is continuing this effort, and along with the Department of State, they have engaged county CIOs and technology staff to coordinate similar efforts at the counties working through the Commonwealth’s relationship with the County Commissioners Association of Pennsylvania (CCAP). Assuming the administration receives support from the General Assembly, the Commonwealth is on the right track to taking the necessary steps to monitor, detect, respond and recover from cyber attacks.

Verified Voting Blog: Testimony of Verified Voting to the Georgia House of Representatives House Science and Technology Committee


Georgia’s voting machines need an update. The lifespan of voting machines has been estimated at 10-15 years.1 Purchased in 2002, Georgia’s voting machines are at the outside of that estimate. As voting systems age they are more susceptible to error, malfunction or security threats, potentially losing or miscounting votes.

Georgia is one of only a handful of States that is still casting votes on entirely electronic voting systems, known as Direct Record Electronics (DREs). These machines record votes only in digital form; if the digital records are corrupted, either by benign error or malicious attack, there are no backup records and no way to know whether votes have been corrupted. When Georgia purchased these machines in 2002, the national trend was toward paperless touchscreen voting machines. Since then, however, most states moved away from paperless voting systems, driven by mounting research establishing these machines’ security flaws and some high profile and costly machine failures.2 Most of the nation has adopted voting systems that rely on a voter-marked paper ballot, an election safeguard recognized as essential by election officials and computer security experts alike.

A paper ballot provides a durable, physical record that is out of reach of a cyber attack and cannot be lost by a digital malfunction or programming error. Paper ballots can be used in a recount or to perform a post-election audit or check on the election results to help ensure the election outcome is correct. Today roughly 70% of voters in our nation mark a paper ballot which is counted by an electronic scanner.

Verified Voting Blog: Testimony of Verified Voting to the New York State Assembly Standing Committee on Election Law


In 2016 the threat of cyber attacks on our elections from foreign entities became an alarming reality. We learned that an adversarial nation was targeting our election systems with the intent to disrupt and undermine the legitimacy of our free, democratic government. In the declassified report “Assessing Russian Activities and Intentions in Recent U.S. Elections” the U.S. Intelligence Community warned that “Russian intelligence obtained and maintained access to elements of multiple US state or local electoral boards.”1 Several months ago we learned that the U.S. Department of Homeland Security (DHS) contacted officials in twenty-one states to notify them that their election systems had been targeted by Russian hackers. When asked at a June hearing of the Senate Select Committee of Intelligence if we should expect continued cyber attacks on our election infrastructure, then FBI director James Comey stated emphatically, “[t]hey will be back.”2 The gravity of this threat cannot be overstated. It is critical that we take every precaution to protect our election systems.

The stealth, skill and sophistication of today’s state-level cyber attackers should not be underestimated. Cyber security experts have warned that attacks today continue to outpace our ability to defend against them. The unending list of high profile and well-defended enterprises that have fallen victim to cyber attacks3 demonstrates the impracticality of trying to defend any computer system absolutely. Further complicating the problem, our election offices are typically under-resourced and understaffed. Though the New York State Board of Elections currently has in place some of the more advanced cyber security and cyber hygiene requirements for election systems, we cannot expect our county election offices to defend against cyber attacks from a state-level attacker.

Verified Voting Blog: Verified Voting Testimony for the New Jersey State Assembly Judiciary Committee

Verified Voting is a national non-partisan, not for profit research and advocacy organization founded by computer scientists and committed to safeguarding democracy in the digital age. We promote technology and policies that ensure auditable, accessible and resilient voting for all eligible citizens. We urge you to adopt the proposed amendments and vote “YES” on A-4619.

New Jersey is one of only a handful of states whose voters are still casting votes on entirely electronic voting systems, direct recording electronic (DREs). Because these systems record votes directly onto computer memory without any independent paper record of the vote, they are especially vulnerable to undetectable and uncorrectable errors in the vote count.

Numerous studies and security evaluations of DRE systems over the years have found that the DREs in use in New Jersey have insecurities making them vulnerable to undetectable manipulation and tampering.1 Because DRE systems prevent anyone from verifying that the electronic tally accurately reflects voter intent, many States have discontinued the use of electronic DRE voting systems in favor of paper ballots. In 2006 only 25% of voters nationwide cast their ballots on paper but in 2017 more than 70% of U.S. voters marked a paper ballot.2

Verified Voting Blog: Verified Voting Letter to the US Senate Select Committee on Intelligence

This letter was sent to the US Senate Select Committee on Intelligence following a hearing on June 21, 2017.

Verified Voting vigorously applauds the Senate Select Committee on Intelligence for its leadership and commitment to securing our elections. With clear evidence that foreign attackers sought to attack our 2016 elections through various means, our intelligence agencies warn that hostile attackers will be back to attack future elections. Congress and the most vulnerable states should act with urgency to fund and implement protective reforms that will make our election systems resilient against cyber attack: funding the adoption of paper ballots and accessible ballot marking systems, and implementing robust, manual post-election audits of the votes.

The June 21 hearing is an important first step toward those reforms, providing valuable information through witness testimony and questions of the Senators. We wish to expand on several key points that were raised in the hearing to ensure a clear understanding of the challenges we face in securing our elections.

It is crucial to understand that further reforms are urgently needed to bolster the mitigations currently in place so that it is possible to detect and correct a cyber attack on the vote count.

Some testimony asserted that pre-election testing and post-election audits currently in place would catch errors in vote tallies caused by a malicious attacker or software failure. Unfortunately, pre-election testing, though helpful for ensuring the completeness of ballot programming, can be defeated by malicious software designed to detect when the system is in test mode. This is what happened with Volkswagen diesel cars: the software caused the cars’ emissions systems to behave correctly during testing, but then allowed them to pollute under non-testing conditions.


Verified Voting Blog: Alex Halderman: Expert Testimony before the US Senate Select Committee on Intelligence

This testimony was delivered at a hearing on June 21, 2017.

Chairman Burr, Vice Chairman Warner, and members of the Committee, thank you for inviting me to speak today about the security of U.S. elections. I’m here to tell you not just what I think, but about concerns shared by hundreds of experts from across cybersecurity research and industry. Such expertise is relevant because elections—the bedrock of our democracy—are now on the front lines of cybersecurity, and they face increasingly serious threats. Our interest in this matter is decidedly non-partisan; our focus is on the integrity of the democratic process, and the ability of the voting system to record, tabulate, and report the results of elections accurately.

My research in computer science and cybersecurity tackles a broad range of security challenges.1 I study attacks and defenses for the Internet protocols we all rely on every day to keep our personal and financial information safe. I also study the capabilities and limitations of the world’s most powerful attackers, including sophisticated criminal gangs and hostile nation states. A large part of my work over the last ten years has been studying the computer technology that our election system relies on.2 In this work, I often lead the “red team,” playing the role of a potential attacker to find where systems and practices are vulnerable and learn how to make them stronger.

I know firsthand how easy it can be to manipulate computerized voting machines. As part of security testing, I’ve performed attacks on widely used voting machines, and I’ve had students successfully attack machines under my supervision.

US Voting Machines Are Vulnerable

As you know, states choose their own voting technology.3 Today, the vast majority of votes are cast using one of two computerized methods. Most states and most voters use the first type, called optical scan ballots, in which the voter fills out a paper ballot that is then scanned and counted by a computer. The other widely used approach has voters interact directly with a computer, rather than marking a choice on paper. It’s called DRE, or direct-recording electronic, voting. With DRE voting machines, the primary records of the vote are stored in computer memory.4

Both optical scanners and DRE voting machines are computers. Under the hood, they’re not so different from your laptop or smartphone, although they tend to use much older technology—sometimes decades out of date.5 Fundamentally, they suffer from security weaknesses similar to those of other computer devices. I know because I’ve developed ways to attack many of them myself as part of my research into election security threats.

Ten years ago, I was part of the first academic team to conduct a comprehensive security analysis of a DRE voting machine. We examined what was at that time the most widely used touch-screen DRE in the country,6 and spent several months probing it for vulnerabilities. What we found was disturbing: we could reprogram the machine to invisibly cause any candidate to win. We also created malicious software—vote-stealing code—that could spread from machine-to-machine like a computer virus, and silently change the election outcome.7

Vulnerabilities like these are endemic throughout our election system. Cybersecurity experts have studied a wide range of U.S. voting machines—including both DREs and optical scanners—and in every single case, they’ve found severe vulnerabilities that would allow attackers to sabotage machines and to alter votes.8 That’s why there is overwhelming consensus in the cybersecurity and election integrity research communities that our elections are at risk.

Cyberattacks Could Compromise Elections

Of course, interfering in a state or national election is a bigger job than just attacking a single machine. Some say the decentralized nature of the U.S. voting system and the fact that voting machines aren’t directly connected to the Internet make changing a state or national election outcome impossible. Unfortunately, that is not true.9

Some election functions are actually quite centralized. A small number of election technology vendors and support contractors service the systems used by many local governments. Attackers could target one or a few of these companies and spread malicious code to election equipment that serves millions of voters.

Furthermore, in close elections, decentralization can actually work against us. An attacker can probe different areas of the most important “swing states” for vulnerabilities, find the areas that have the weakest protection, and strike there.10 In a close election, changing a few votes may be enough to tip the result, and an attacker can choose where—and on which equipment—to steal those votes. State and local elections are also at risk.

Our election infrastructure is not as distant from the Internet as it may seem.11 Before every election, voting machines need to be programmed with the design of the ballot, the races, and candidates. This programming is created on a desktop computer called an election management system, or EMS, and then transferred to voting machines using USB sticks or memory cards. These systems are generally run by county IT personnel or by private contractors.12 Unfortunately, election management systems are not adequately protected, and they are not always properly isolated from the Internet. Attackers who compromise an election management system can spread vote-stealing malware to large numbers of machines.13

Russian Attack Attempts: The Threats Are Real

The key lesson from 2016 is that hacking threats are real.

This month, we’ve seen reports detailing Russian efforts to target voter registration systems in up to 39 states14 and to develop a capability to spread an attack from an election technology vendor to local election offices.15 Attacking the IT systems of vendors and municipalities could put the Russians in a position to sabotage equipment on election day, causing voting machines or electronic poll books to fail, resulting in long lines or other disruptions. The Russians could even have engineered this chaos to have a partisan effect, by targeting localities that lean heavily towards one candidate or another.

Successful infiltration of election IT systems also could have put the Russians in a position to spread an attack to the voting machines and potentially steal votes. Although the registration systems involved were generally maintained at the state level, and most pre-election programming is performed by counties or outside vendors, counties tend to be even less well defended than state governments. They typically have few IT support staff and little, if any, cybersecurity expertise.

Another approach that the Russians might have been planning is to tamper with the voting system in an obvious, easily discovered way, such as causing reporting systems to send the news media incorrect initial results on election night. Even if the problem was corrected and no actual votes were changed, this would cause uncertainty in the results and widespread distrust of the system, which would injure our democratic processes. If voters cannot trust that their votes are counted honestly, they will have reason to doubt the validity of elections.16

I don’t know how far the Russians got in their effort to penetrate our election infrastructure, nor whether they interfered with equipment on election day. (As far as the public knows, no voting equipment has been forensically examined to check whether it was successfully attacked.) But there is no doubt that Russia has the technical ability to commit widescale attacks against our voting system, as do other hostile nations. As James Comey testified here two weeks ago, we know “They’re coming after America,” and “They’ll be back.”17

Practical Steps to Defend Election Infrastructure

We must start preparing now to better defend our election infrastructure and protect it from cyberattacks before the elections in 2018 and 2020. The good news is, we know how to accomplish this. Paper ballots, audits, and other straightforward steps can make elections much harder to attack.

I have entered into the record a letter from over 100 computer scientists, security experts, and election officials. This letter recommends three essential measures that can safeguard U.S. elections:

● First, we need to replace obsolete and vulnerable voting machines, such as paperless systems, with optical scanners and paper ballots—a technology that 36 states already use. Paper provides a resilient physical record of the vote18 that simply can’t be compromised by a cyberattack. President Trump made this point well shortly before the election in an interview with Fox News. “There’s something really nice about the old paper-ballot system,” he said. “You don’t worry about hacking. You don’t worry about all the problems that you’re seeing.”19

● Second, we need to consistently and routinely check that our election results are accurate, by inspecting enough of the paper ballots to tell whether the computer results are right.20 This can be done with what’s known as risk-limiting audits.21 Such audits are a common-sense quality control.22 By manually checking a relatively small random sample of the ballots, officials can quickly and affordably provide high assurance that the election outcome was correct.

Optical scan ballots paired with risk-limiting audits provide a practical way to detect and correct vote-changing cyberattacks. They may seem low-tech, but they are a reliable, cost-effective defense.23

● Lastly, we need to raise the bar for attacks of all sorts including both vote tampering and sabotage by conducting comprehensive threat assessments and by applying cybersecurity best practices to the design of voting equipment24 and the management of elections.

These fixes aren’t expensive. Replacing insecure paperless systems nationwide would cost between $130 million and $400 million.25 Running risk-limiting audits nationally for federal elections would cost less than $20 million a year.26 These amounts are vanishingly small compared to the national security improvement the investment buys. Yet such measures could address a prime cyber challenge, boost voter confidence, and significantly strengthen a crucial element of our national security. They would also send a firm response to any adversaries contemplating interfering with our election system.

Election officials have an extremely difficult job, even without having to worry about cyberattacks by hostile governments. The federal government can make prudent and cost-effective investments to help them defend our election infrastructure and uphold voters’ confidence. With leadership from across the aisle, and action in partnership with the states, our elections can be well protected in time for 2018 and 2020.

Thank you for the opportunity to testify. I look forward to answering any questions.

––––––––––––––––––––––––––

1 My curriculum vitae and research publications are available online at https://jhalderm.com .

2 For an accessible introduction to the security risks and future potential of computer voting technologies, see my online course, Securing Digital Democracy, which is available for free on Coursera: https://www.coursera.org/learn/digital-democracy .

3 In many states, the technology in use even differs from county to county. Verified Voting maintains an online database of the equipment in use in each locality: https://www.verifiedvoting.org/verifier/ .

4 Some DREs also produce a printed record of the vote and show it briefly to the voter, using a mechanism called a voter-verifiable paper audit trail, or VVPAT. While VVPAT records provide a physical record of the vote that is a valuable safeguard against cyberattacks, research has shown that VVPAT records are difficult to accurately audit and that voters often fail to notice if the printed record doesn’t match their votes. For these reasons, most election security experts favor optical scan paper ballots. See: S. Goggin and M. Byrne, “An Examination of the Auditability of Voter Verified Paper Audit Trail (VVPAT) Ballots.” In Proceedings of the 2007 USENIX/ACCURATE Electronic Voting Technology Workshop, August 2007. Available at: http://www.accurate-voting.org/wp-content/uploads/2007/08/evt07-goggin.pdf . See also: B. Campbell and M. Byrne, “Now Do Voters Notice Review Screen Anomalies?” In Proceedings of the 2009 USENIX/ACCURATE/IAVoSS Electronic Voting Technology Workshop, August 2009. Available at: http://chil.rice.edu/research/pdf/CampbellByrne_EVT_(2009).pdf .

5 In 2016, 43 states used computer voting machines that were at least 10 years old—close to the end of their design lifespans. Older hardware and software generally lacks defenses that guard against more modern attack techniques. See: L. Norden and C. Famighetti, “America’s Voting Machines at Risk,” Brennan Center, 2015. https://www.brennancenter.org/publication/americas-voting-machines-risk See also: S. Checkoway, A. Feldman, B. Kantor, J. A. Halderman, E. W. Felten, and H. Shacham, “Can DREs Provide Long-Lasting Security? The Case of Return-Oriented Programming and the AVC Advantage.” In Proceedings of the 2009 USENIX/ACCURATE/IAVoSS Electronic Voting Technology Workshop, August 2009. Available at: https://jhalderm.com/pub/papers/avc-evt09.pdf .

6 The machine was the Diebold AccuVote TS, which is still used statewide in Georgia in 2017.

7 A. J. Feldman, J. A. Halderman, and E. W. Felten, “Security Analysis of the Diebold AccuVote-TS Voting Machine.” In Proceedings of the 2007 USENIX/ACCURATE Electronic Voting Technology Workshop (EVT), August 2007. The research paper and an explanatory video are available at: https://citp.princeton.edu/research/voting/ .

8 For a partial bibliography of voting machine attack research, see: J. A. Halderman, “Practical Attacks on Real-world E-voting.” In F. Hao and P. Y. A. Ryan (eds.), Real-World Electronic Voting: Design, Analysis and Deployment, CRC Press, December 2016. Available at: https://jhalderm.com/pub/papers/ch7-evoting-attacks-2016.pdf .

9 I explained how attackers can bypass these obstacles in a recent congressional briefing: Strengthening Election Cybersecurity, May 15, 2017. The video is available at https://www.electiondefense.org/congressional-briefings-cyber-security/ .

10 For a more detailed description of how adversaries might select targets, see J. A. Halderman, “Want to Know if the Election was Hacked? Look at the Ballots,” November 2016, available at: medium.com/@jhalderm/want-to-know-if-the-election-was-hacked-look-at-the-ballots-c61a6113b0ba .

11 Fortunately, the U.S. has resisted widespread use of Internet voting—a development that would paint a fresh bull’s eye on our democratic system. I myself have demonstrated attacks against Internet voting systems in Washington, D.C., Estonia, and Australia. See: S. Wolchok, E. Wustrow, D. Isabel, and J. A. Halderman, “Attacking the Washington, D.C. Internet Voting System.” In Proceedings of the 16th Intl Conference on Financial Cryptography and Data Security, February 2012. Available at: https://jhalderm.com/pub/papers/dcvoting-fc12.pdf D. Springall, T. Finkenauer, Z. Durumeric, J. Kitcat, H. Hursti, M. MacAlpine, and J. A. Halderman, “Security Analysis of the Estonian Internet Voting System.” In Proceedings of the 21st ACM Conference on Computer and Communications Security (CCS), November 2014. Available at: https://jhalderm.com/pub/papers/ivoting-ccs14.pdf J. A. Halderman and V. Teague, “The New South Wales iVote System: Security Failures and Verification Flaws in a Live Online Election.” In Proceedings of the 5th International Conference on E-voting and Identity, September 2015. Available at: https://arxiv.org/pdf/1504.05646v2.pdf . For a broader discussion of why secure Internet voting systems are likely decades away, see: R. Cunningham, M. Bernhard, and J. A. Halderman, “The Security Challenges of Online Voting Have Not Gone Away.” IEEE Spectrum, November 3, 2016. http://spectrum.ieee.org/tech-talk/telecom/security/thesecurity-challenges-of-online-voting-have-not-gone-away .

12 In my own state, Michigan, about 75% of counties outsource pre-election programming to a pair of independent service providers. These are small companies with 10–20 employees that are primarily in the business of selling election supplies, including ballot boxes and “I Voted” stickers.

13 See, for example, J. Calandrino, et al., “Source Code Review of the Diebold Voting System,” part of the California Secretary of State’s “Top-to-Bottom” Voting Systems Review, July 2007. Available at: https://jhalderm.com/pub/papers/diebold-ttbr07.pdf .

14 M. Riley and J. Robertson, “Russian Cyber Hacks on U.S. Electoral System Far Wider Than Previously Known.” Bloomberg, June 13, 2017. https://www.bloomberg.com/politics/articles/2017-06-13/russianbreach-of-39-states-threatens-future-u-s-elections .

15 M. Cole, R. Esposito, S. Biddle, and R. Grim, “Top-secret NSA Report Details Russian Hacking Efforts Days Before 2016 Election.” The Intercept, June 5, 2017. https://theintercept.com/2017/06/05/top-secretnsa-report-details-russian-hacking-effort-days-before-2016-election/ .

16 See, as one example, E. H. Spafford, “Voter Assurance.” NAE The Bridge, December 2008. https://www.nae.edu/19582/Bridge/VotingTechnologies/VoterAssurance.aspx .

17 Testimony of former FBI Director James B. Comey before the Senate Select Committee on Intelligence, June 8, 2017.

18 Of course, paper ballots can be tampered with too, by people handling them. Optical scan tabulation has the advantage that it produces both paper and electronic records. As long as officials check that both sets of records agree, it would be very difficult for criminals to alter the election outcome without being detected, whether by a cyberattack or by old-fashioned ballot manipulation.

19 See: http://www.businessinsider.com/donald-trump-election-day-fox-news-2016-11 .

20 At least 29 states already require some form of post-election audit. However, since the procedures in most states are not designed as a cyber defense, the number of ballots that are audited may be much too low or geographically localized to reliably detect an attack. Some states also allow auditing by rescanning paper ballots through the same potentially compromised machines. Results from paperless DRE voting machines cannot be strongly audited, since there is no physical record to check. For state-by-state details, see National Conference of State Legislatures, “Post-election Audits,” June 2017. Available at: http://www.ncsl.org/research/elections-and-campaigns/post-election-audits635926066.aspx .

21 For a detailed explanation of risk-limiting audits, see J. Bretschneider et al., “Risk-Limiting Post-Election Audits: Why and How.” Available at: https://www.stat.berkeley.edu/~stark/Preprints/RLAwhitepaper12.pdf New Mexico already requires something similar to a risk-limiting audit, and Colorado is implementing risk-limiting audits starting in 2017. Risk-limiting audits have been tested in real elections in California, Colorado, and Ohio.

22 One of the reasons why post-election audits are essential is that pre-election “logic and accuracy” testing can be defeated by malicious software running on voting machines. Vote-stealing code can be designed to detect when it’s being tested and refuse to cheat while under test. Volkswagen’s emission-control software did something similar to hide the fact that it was cheating during EPA tests.

23 Former CIA director James Woolsey and Lt. Col. Tony Shaffer call for paper ballots and auditing in a May 12, 2017 op-ed in Fox News: “Ultimately, we believe the solution to election insecurity lies in President Reagan’s famous old adage: ‘trust but verify’.” http://www.foxnews.com/opinion/2017/05/12/america-s-voting-systems-need-security-upgrades-it-s-time-to-beef-up-cybersecurity.html .

24 One notable effort to develop secure voting equipment is STAR-Vote, a collaboration between security researchers and the Travis County, Texas elections office. STAR-Vote integrates a range of modern defenses, including end-to-end cryptography and risk limiting audits. See S. Bell et al., “STAR-Vote: A Secure, Transparent, Auditable, and Reliable Voting System.” USENIX Journal of Election Technology and Systems (JETS) 1(1), August 2013. https://www.usenix.org/system/files/conference/evtwote13/jets-0101-bell.pdf .

25 Brennan Center, “Estimate for the Cost of Replacing Paperless, Computerized Voting Machines,” June 2017. https://www.brennancenter.org/sites/default/files/analysis/New_Machines_Cost_Across_Paperless_Jurisdictions%20%282%29.pdf . This cost might be significantly reduced by developing voting equipment based on open-source software and commercial off-the-shelf (COTS) hardware.

26 This estimate assumes that auditing a federal race will have an average cost similar to manually recounting 10% of precincts. In a risk-limiting audit, the actual number of ballots that must be checked varies with, among other factors, the margin of victory.

Verified Voting Blog: Andrew W. Appel: My testimony before the House Subcommittee on IT

This article appeared originally at Freedom to Tinker on September 30, 2016. I was invited to testify yesterday before the U.S. House of Representatives Subcommittee on Information Technology, at a hearing entitled “Cybersecurity: Ensuring the Integrity of the Ballot Box.”  My written testimony is available here.  My 5-minute opening statement went as follows:

My name is Andrew Appel. I am Professor of Computer Science at Princeton University. In this testimony I do not represent my employer. I’m here to give my own professional opinions as a scientist, but also as an American citizen who cares deeply about protecting our democracy. My research is in software verification, computer security, technology policy, and election machinery. As I will explain, I strongly recommend that, at a minimum, the Congress seek to ensure the elimination of Direct-Recording Electronic voting machines (sometimes called “touchscreen” machines), immediately after this November’s election; and that it require that all elections be subject to sensible auditing after every election to ensure that systems are functioning properly and to prove to the American people that their votes are counted as cast. There are cybersecurity issues in all parts of our election system: before the election, voter-registration databases; during the election, voting machines; after the election, vote-tabulation / canvassing / precinct-aggregation computers. In my opening statement I’ll focus on voting machines. The other topics are addressed in a recent report I have co-authored entitled “Ten Things Election Officials Can Do to Help Secure and Inspire Confidence in This Fall’s Elections.”

Verified Voting Public Commentary: Statement to the Pennsylvania Senate State Government Committee Re: SB 1052

Verified Voting is writing today to express our opposition to Senate Bill 1052, a bill which would permit the return of ballots by electronic transmission over insecure Internet means for military voters in Pennsylvania, and to urge you to vote NO on SB 1052. Ballots sent by email are vulnerable to undetectable manipulation or tampering while in transit over the Internet.1 Ballots sent by fax are also vulnerable to attackers. Today most facsimiles are sent via Internet over facsimile mail programs which have the same threat profile as emailed ballots. By permitting the electronic return of voted ballots, SB 1052 will significantly damage the integrity of Pennsylvania’s elections and put the ballots of military voters at grave risk.

Department of Defense and National Institute of Standards and Technology oppose online voting.

At the start of the 21st century the promise of secure Internet voting seemed attainable; Congress directed the Department of Defense (DOD) in the 2002 National Defense Authorization Act (NDAA) to develop an online voting system for military and overseas voters.  The Federal Voting Assistance Program (FVAP), an agency administered by the DOD, developed a system for deployment in 2004. After a security review the DOD cancelled the project because it could not ensure the legitimacy of votes cast over the Internet.  In 2005 Congress directed the National Institute of Standards and Technology (NIST) to study the online return of voted ballots for the purpose of setting security standards so DoD and FVAP could develop a secure online voting system for military voters. NIST published numerous reports on its research, and documented several security issues that cannot be mitigated or solved with the cyber security safeguards and voting system protocols currently available. NIST concluded that until these challenges are overcome, secure Internet voting is not yet feasible. 2

For these reasons the Department of Defense has warned that it cannot ensure the legitimacy of ballots sent over the Internet and has stated “[the Department of Defense] does not advocate for the electronic transmission of any voted ballot, whether it be by fax, email or via the Internet.” 3 In addition, the Federal Voting Assistance Program, in a report to Congress in 2013, stated clearly that the postal mail return of a voted ballot, coupled with the electronic transmission of a blank ballot is the “most responsible”4 method of absentee voting for UOCAVA voters. The overwhelming evidence that secure Internet voting is not within our grasp led Congress to repeal, in the 2015 National Defense Authorization Act, the earlier directive that DoD pursue online voting for military and overseas voters.

It is not reasonable to expect that the Pennsylvania Department of State should be able to develop a secure online ballot return system when the Department of Defense and the National Institute of Standards and Technology have determined secure online voting is not presently achievable. Read More

Verified Voting Public Commentary: Comments on Colorado Rules Concerning Internet Voting

We are pleased to provide testimony and remarks regarding proposed rule changes to Colorado’s Rules Concerning Elections 8 CCR 1501-5. We appreciate the effort of your office to solicit preliminary comments from the public to inform the draft of the proposed rule changes and were happy to participate in the process. We remain in opposition to Rule 16.2.1(c). However, before addressing Rule 16.2.1(c), we would first like to address proposed new Rule 16.2.8 prohibiting Internet voting because it is inextricably linked to proposed Rule 16.2.1(c).

Public comments voiced significant objection to Internet voting. The Secretary has proposed Rule 16.2.8 which states:

New Rule 16.2.8:
16.2.8 NOTHING IN THIS RULE 16.2 PERMITS INTERNET VOTING. INTERNET VOTING MEANS A SYSTEM THAT INCLUDES REMOTE ACCESS, A VOTE THAT IS CAST DIRECTLY INTO A CENTRAL VOTE SERVER THAT TALLIES THE VOTES, AND DOES NOT REQUIRE THE SUPERVISION OF ELECTION OFFICIALS

Proposed new Rule 16.2.8 unfortunately fails to recognize that email and fax return of voted ballots (permitted and expanded in Rule 16.2.1(c)) is Internet voting and includes all of the inherent security risk of Internet voting. In fact, email (and digital fax) are considered by voting system experts at both the National Institute of Standards and Technology and the U.S. Election Assistance Commission to be even less secure1, 2 than the type of Internet voting system described in proposed Rule 16.2.8. Read More

Verified Voting Blog: Post Election Audits for New Hampshire

The following testimony was presented by Verified Voting President Pamela Smith to the New Hampshire House Election Law Committee on January 21, 2014.

No voting system is perfect. Nearly all elections in New Hampshire, as in most of the nation, are counted using electronic vote counting systems. Such systems have produced result-changing errors through problems with hardware, software and procedures. Error can also occur when compiling results. Even serious error can go undetected if results are not audited effectively.

In a municipal election in Palm Beach County, Florida in 2012 a “synchronization” problem with the election management software allotted votes to both the wrong candidate and the wrong contest; this was uncovered during a post-election audit. The results were officially changed after a public hand count of the votes.1 Particularly noteworthy about that example is the fact that Florida has one of the nation’s weakest audit provisions; even so, it enabled the discovery of this critical error. In another state, a software malfunction caused thousands of votes to be added to the total. A manual audit revealed the mistake and officials were able to correct the results and avoid a costly run-off election.2 In a Republican primary in Iowa, a manual check of the physical ballots revealed a programming error that was attributing votes to the wrong candidates. Thanks to the manual audit, the correct person was seated in office.3

Verified Voting Blog: Verified Voting Recommendations to the Presidential Commission on Election Administration

The Presidential Commission on Election Administration will meet again today in Denver, Colorado. The Webcast can be linked to via the Commission website. Verified Voting has submitted the following recommendations to the Commission.

I. Contingency Planning and Eliminating Long Lines

On Election Day, long lines were produced in many cases due to voting systems that malfunctioned in multiple locations across the country. As stated in a joint letter we signed that was sent to President Obama last November, “While insufficient voting equipment was not the only cause for long wait times, it no doubt contributed to the problems we saw on Election Day. The need to improve our voting systems is urgent. Much of the voting equipment in use today is nearing the end of its life cycle, making equipment attrition and obsolescence a serious and growing threat.”1

In our “Counting Votes 2012: A State By State Look At Election Preparedness” report2, about the 50 states’ preparedness for this major election cycle, we identified key areas of concern. We predicted many states could have problems due to:

• aging voting systems,
• dependence on machine interface for voting for the majority of voters, and
• thoroughness of policies and regulations for emergency back-up provisions in case polling place problems occur and lines start to form.

There were few surprises. As one of our technology expert recruits for the OurVoteLive (OVL) Election Protection hotline indicated:

What’s most interesting is that if you divide things into “easy to solve” and “hard to solve”, the “easy to solve” ones tend to be in places using optical scan [ballots], and the “hard to solve” in places using machines [DREs]. Read More

Verified Voting Blog: Statement on the Dangers of Internet Voting in Public Elections

At a time when more and more transactions occur online, a number of election officials and private organizations are looking to the Internet as one more possible avenue for balloting. When the Academy of Motion Picture Arts and Sciences announced that it would be using an online voting system to help its members choose this year’s Oscar nominees and finalists, thereby adding to the “credibility” of online voting, we find ourselves compelled to remind the general public that it is dangerous to deploy voting by email, efax, or through Internet portals in public governmental elections at this time. Public elections run by municipal, local and state governments should not be compared to elections like the one run by the Academy. The following describes our concerns about the use of Internet voting systems in public elections.

• Cyber security experts at the National Institute of Standards and Technology[1] and the Department of Homeland Security[2] have warned that current Internet voting technologies should not be deployed in public elections. Internet voting systems, including email, fax and web based voting systems in which marked ballots are cast online, cannot be properly protected and may be subject to undetectable alteration.

• Citizens ask, “If I can bank online, why can’t I vote online?” Online banking and e-commerce are NOT secure, despite massive business investments in state-of-the-art cyber-security tools.

• Banking policies protect and reimburse people whose money or credit card numbers are stolen online. If a hacker deletes or alters a ballot, the action can neither be traced nor corrected.

• Banking policies generally do not protect companies when funds are stolen from their accounts. It has been reported that as many as ten percent of small businesses have had money stolen from their bank accounts.[3] Even so, businesses understand and accept that money lost through cyber-crime is part of the risk of doing business online, and they seek to reduce losses by obtaining fraud insurance. We cannot take that approach in counting votes in public elections; a cyber-attack that alters or deletes just a few hundred votes, and perhaps even fewer, can change the result of an election. There is no such thing as “fraud insurance” for ballots, and we can scarcely accept online fraud in ten percent of our election jurisdictions.

• The parties in online business transactions maintain and audit account records to detect fraudulent activities. But because we vote by secret ballot in public elections, individual voters have no way to check and verify that their ballots were properly counted. Thus online voting is particularly susceptible to tampering, all but certain to go undetected.

• Internet voting system vendors make claims about the security of their products that have never been substantiated by publicly reviewable testing and research. Read More

Verified Voting Blog: Verified Voting Testimony to the Maryland Board of Elections

On February 23, the Maryland State Board of Elections held a meeting at which a proposed system for remote absentee voting was discussed. Verified Voting submitted testimony (see below) about the system, which includes the use of ballot marking wizard software. We maintain that such software — regardless of any other program it may be bundled or used with — meets the definition of a voting system in Section 301 of the Help America Vote Act and should therefore undergo testing and certification before use. Further, such online ballot marking software contains potentially severe hazards. We raise these in the testimony provided to the SBE.

Thanks to passage of a law requiring voter-marked paper ballots, Maryland is in a slow transition to using a fully voter-verifiable system one day. However, another concern raised in the remarks we provided was the use of a bar code on the remotely printed voted ballot, from which a new version of the voted ballot would be printed once it is received by mail back at the elections office. This version printed from information encoded in the barcode design is the one that would be officially counted. This runs counter to the concept of voter-verifiable ballots. Verified Voting’s testimony follows after the fold. Read More

Verified Voting Blog: Verified Voting Comments on Proposed Changes to Colorado Election Rule 43

On February 14, 2012, Colorado Secretary of State Scott Gessler held a hearing on proposed changes to existing regulations governing county procedures for the security of ballots, voting equipment, and other election materials. The public was invited to comment. Verified Voting reviewed the proposed rules changes (which can be found here) and made the following comment, highlighting concerns about changes to chain of custody procedures for ballots and equipment. Submitted February 21, 2012

Thank you for this opportunity to comment upon proposed revisions to Colorado Election Rules governing county procedures for securing election equipment and materials. Verified Voting is a national nonpartisan organization working to safeguard elections in the digital age. We seek to promote the deployment of election systems and practices that vouchsafe the accessibility, reliability, and transparency of public elections. We believe that the proposed revision contains several positive changes, as well as some that cause concern, or call for more clarity. Read More

Verified Voting Blog: Roadmap for Future California Elections

When it comes to elections, what does California do well? What could California do better? How have we led, and how have we perhaps lagged behind? These are questions that a diverse group of individuals and organizations asked themselves and one another over the course of three months, with an aim to envision the future of California’s elections. It turned out to be an extraordinary conversation and a process which could very well serve as a model for other states as well. One driving force in the process was the convening organization, the James Irvine Foundation, which has long worked on issues of importance to Californians. The participants included a diverse range of representatives with a concern for voters and not-yet voters, for elections and how they function, and for California’s democracy.

Download the Roadmap for Future California Elections (pdf)

The immediately tangible result of the convenings is the “Roadmap for the Future of California Elections,” which contains a common vision we all support in the form of a set of principles. Naturally we do not all find all of our own strategies and priorities in all of the subsequent recommendations, but a good many of us agreed with most of those as well, a remarkable achievement in light of the varied points of view represented.

Out of these recommendations come action steps, with participants signing on to continue the process and expand the conversation about this vision and what can be for California.

Verified Voting is pleased to be part of the process and looks forward to hearing your thoughts and ideas about the Roadmap and ways you envision a better future for California elections.

Verified Voting Blog: Best Practices for Voting Systems Supporting Military and Overseas Voters

Given the current focus on UOCAVA implementation, the NIST draft Information System Security Best Practices for UOCAVA-Supporting Systems (referred to here as the Draft) is a timely and important document. A summary of security standards and guidelines “deemed most applicable for jurisdictions using IT systems to support UOCAVA voting” is indeed necessary at a time when many states are moving forward with Internet based voting, too often with insufficient thought to the security implications of casting votes online. The Draft acknowledges the urgency of proper security:

“…security compromise could carry severe consequences for the integrity of the election, or the confidentiality of sensitive voter information. Failure to adequately address threats to these systems could prevent voters from casting ballots, expose individuals to identity fraud, or even compromise the results of an election.” 1

Unfortunately, the Draft falls short of providing the comprehensive analysis of security practices implied by the title. While the limitations and scope of topics are clearly laid out, the remaining gaps, particularly those related to online return of voted ballots, are too large and too important to ignore. Even with disclaimers, the Draft may encourage many in the target audience, the election officials and IT staff implementing UOCAVA voting 2, to believe that the controls outlined in the Draft are adequate to address all types of online voting, including return of voted ballots via Email. Read More

Verified Voting Blog: Verified Voting Comments to EAC on Internet Voting Pilots

With many states already deploying a form of Internet voting, email return of voted ballots (see map), it is important that requirements for remote voting systems and the pilot programs that test them reflect the highest standards for security. On April 30, 2010, Verified Voting submitted comments to the EAC on proposed testing requirements for military and overseas voting pilot programs that use remote technologies such as Internet Voting. In a letter to the EAC, president Pam Smith said that the comments focused on “the broad outlines of the pilot program and core precepts to which we believe any pilots should adhere.” Sending voted ballots over the public Internet “is in a security class by itself,” the letter noted, and these ballots are vulnerable to attacks from a wide range of individuals, organizations, and even governments. “Voting systems for UOCAVA voters should not be held to a higher security standard than domestic absentee voting,” the letter said, “nor should UOCAVA voters be required to use a system that is less secure than those used by voters back home.” Read More

Verified Voting Blog: Verified Voting Comments on EAC Internet Pilot Requirements

Thank you for the opportunity to comment on the proposed UOCAVA Pilot Program Testing Requirements.  We appreciate the invitation for public input to such an important initiative.  In this letter we confine our comments to the broad outlines of the pilot program and core precepts to which we believe any pilots should adhere. The Verified Voting Foundation has benefited greatly from prominent experts whose professional work duties include achieving U.S. national security objectives within digital networks and computer communications.  This expertise leads us to set forth this core understanding:  Federal election security is a fundamental component of U.S. national security.  Applying this principle, we submit that election security should not be compromised for convenience or transmission speed. Internet voting (which for purposes of these comments we define as transmission of voted ballots over the public Internet) is in a security class by itself.  In comparing Internet transmission of voted ballots to paper absentee ballot voting, we agree with the oft-made point that voting systems for UOCAVA voters should not be held to a higher security standard than domestic absentee voting. Nor should UOCAVA voters be required to use a system that is less secure than those used by voters back home.

Verified Voting Blog: Verified Voting Letter to Tennessee State Senators

We respectfully urge you to vote No on House Bill 614, which seeks to delay implementation of the Tennessee Voter Confidence Act and fatally weaken its provision for manual post-election audits of electronic vote tallies. HB 614 is on the Senate’s calendar for Tuesday January 12, 2010. Rejection of the bill is warranted based on the determination of the Chancery Court regarding the TVCA and its requirements for federal certification of voting systems, and on the State’s still un-met need for verifiable ballots and hand-counted audits of electronic vote tallies.

In November 2009, the Chancery Court of Davidson County, after receiving information from voting technology experts, corrected the assumption that the TVCA required new voting systems to be certified by the United States Election Assistance Commission (the EAC) to the 2005 version of the Federal voluntary voting system guidelines. The Court issued a Conclusion of Law noting the TVCA allows voting systems to be certified by the EAC to either the 2002 voting system standards or the 2005 guidelines, and ordered the State Elections Division to proceed with implementation without delay. Read More

Verified Voting Blog: Verified Voting Comments to FCC on Internet Voting

In the American Recovery and Reinvestment Act of 2009 (Recovery Act), Congress directed the Federal Communications Commission (FCC), as part of its development of a National Broadband Plan, to include “a plan for the use of broadband infrastructure and services in advancing …civic participation.” On December 10, 2010 the Federal Communications Commission issued a request for public comments “…on how broadband can help to bring democratic processes—including elections, public hearings and town hall meetings—into the digital age…” Verified Voting, in submitted comments, answered the question – “With existing technology, is it possible to enable and ensure safe and secure voting online today?”, simply – “In a word, no.” As a recent report from the National Institute of Standards and Technology (NIST) indicates, “…The security challenges associated with e-mail return of voted ballots are difficult to overcome using technology widely deployed today.” And “…Technology that is widely deployed today is not able to mitigate many of the threats to casting ballots via the web.”

Despite the short window allowed for public comment, numerous organizations and individuals, including Verified Voting, submitted comments. Much of Verified Voting’s commentary was informed by the “Computer Technologists’ Statement on Internet Voting”, published last year and signed by dozens of leading technology professionals and computer security experts. This post is the first in a series that will highlight the commentary submitted to the FCC on the issue of the role of the internet in the electoral process. In answer to the question “With existing technology, is it possible to enable and ensure safe and secure voting online today?”, Verified Voting responded, “in a word, no.”
