Verified Voting Blog

This blog contains posts authored by the Verified Voting Team and by members of the Verified Voting Board of Advisors.

Media Release: Election Security Experts Applaud City of Fairfax, VA and Orange County, CA for Leading in New Election Integrity Methods

New Reports from Verified Voting Show How Risk-Limiting Audits in California and Virginia Can Improve Election Security and Public Confidence

WASHINGTON, D.C. – Robust post-election audits are changing the election security landscape and the City of Fairfax, Virginia and Orange County, California are leading the way. Risk-limiting audits (RLAs) of voter-marked paper ballots can promote election security and public confidence by providing rigorous statistical evidence that election outcomes match the ballots — and a means to detect and correct outcomes that don’t match. If the method is widely adopted it will bolster confidence in elections. In the months leading up to the midterms, the City of Fairfax and Orange County implemented pilot projects that, as documented in two new reports by the Verified Voting Foundation, with funding support from Microsoft, demonstrated the benefits of risk-limiting audits.

The “Pilot Risk-Limiting Audit” reports, released today at the MIT Election Audit Summit, detail how Orange County and the City of Fairfax conducted pilots — in June and August 2018, respectively — and how these pilots provide lessons for election officials and policymakers around the country.

“The pilots in the City of Fairfax and Orange County provide a framework for risk-limiting audits and are a positive step toward more widespread use of this method going forward,” said Marian K. Schneider, Verified Voting’s president.

The reports discuss the process of developing the pilots, as well as the implementation. An RLA of the tabulation of an election contest checks a random selection of voted paper ballots or voter-verifiable paper records. This statistically-sound audit can stop as soon as it finds strong evidence that the reported outcome was correct. Or, if the reported outcome was wrong because ballots were miscounted in the tabulation, an RLA is very likely to lead to a full hand recount that corrects the outcome.

Colorado became the first state to conduct statewide RLAs in 2017. New Mexico uses a related procedure, and Rhode Island will soon follow suit. The RLA pilots in the City of Fairfax and Orange County represent a growing interest from election officials looking for a reliable and efficient way to provide strong statistical evidence to confirm reported results of vote tallies. Other states looking to replicate robust post-election audits like RLAs must require voters to vote on voter-marked paper ballots, either marked by hand or using ballot marking devices. Direct Recording Electronic (DRE) voting machines that produce “voter-verifiable paper audit trails” provide, at best, an obsolescent stopgap: most voters never check them, and often they are hard to audit.

The reports on the RLA pilots in Orange County and the City of Fairfax demonstrate the importance of frequent audit pilots that include election officials in the design – reducing the burdens on officials and audit staff while also creating support around RLAs – as well as the need for funding to purchase election technology that supports efficient audits. The reports suggest that in addition to this technology, laws and procedures must also be designed with audits in mind in order to help states safeguard elections with robust post-election audits.

“Protecting the integrity of the voting process is a key priority of our Defending Democracy Program, so that people can trust that their vote is properly counted. Risk-limiting audits are an important way to provide confidence in the outcome of an election. We funded Verified Voting Foundation’s “Pilot Risk-Limiting Audit” reports to show that these audits really work,” said Tom Burt, Corporate Vice President, Customer Security & Trust, Microsoft.

To read the reports, click here for the City of Fairfax and here for Orange County.

Verified Voting Blog: Why voters should mark ballots by hand | Andrew Appel

ExpressVote ballot card, with bar codes for optical scanner and with human-readable summary of choices for use in voter verification and in recount or audit.

Because voting machines contain computers that can be hacked to make them cheat, “Elections should be conducted with human-readable paper ballots. These may be marked by hand or by machine (using a ballot-marking device); they may be counted by hand or by machine (using an optical scanner).  Recounts and audits should be conducted by human inspection of the human-readable portion of the paper ballots.”

Ballot-marking devices (BMD) contain computers too, and those can also be hacked to make them cheat.  But the principle of voter verifiability is that when the BMD prints out a summary card of the voter’s choices, which the voter can hold in hand before depositing it for scanning and counting, then the voter has verified the printout that can later be recounted by human inspection.

But really?  As a practical matter, do voters verify their BMD-printed ballot cards, and are they even capable of it?  Until now, there hasn’t been much scientific research on that question.

A new study by Richard DeMillo, Robert Kadel, and Marilyn Marks now answers that question with hard evidence:

  1. In a real polling place, half the voters don’t inspect their ballot cards, and the other half inspect for an average of 3.9 seconds (for a ballot with 18 contests!).
  2. When asked, immediately after depositing their ballot, to review an unvoted copy of the ballot they just voted on, most won’t detect that the wrong contests are presented, or that some are missing.

This can be seen as a refutation of Ballot-Marking Devices as a concept.  Since we cannot trust a BMD to accurately mark the ballot (because it may be hacked), and we cannot trust the voter to accurately review the paper ballot (or even to review it at all), what we can most trust is an optical-scan ballot marked by the voter, with a pen.  Although optical-scan ballots aren’t perfect either, that’s the best option we have to ensure that the voter’s choices are accurately recorded on the paper that will be used in a recount or random audit.

Verified Voting Blog: An unverifiability principle for voting machines | Andrew Appel

This article was originally posted at Freedom to Tinker on October 22, 2018.

In my last three articles I described the ES&S ExpressVote, the Dominion ImageCast Evolution, and the Dominion ImageCast X (in its DRE+VVPAT configuration).  There’s something they all have in common: they all violate a certain principle of voter verifiability.

  • Any voting machine whose physical hardware can print votes onto the ballot after the last time the voter sees the paper,  is not a voter verified paper ballot system, and is not acceptable.
  • The best way to implement this principle is to physically separate the ballot-marking device from the scanning-and-tabulating device.  The voter marks a paper ballot with a pen or BMD, then after inspecting the paper ballot, the voter inserts the ballot into an optical-scan vote counter that is not physically capable of printing votes onto the ballot.

The ExpressVote, IC-Evolution, and ICX all violate the principle in slightly different ways: The IC-Evolution one machine allows hand-marked paper ballots to be inserted (but then can make more marks), the ExpressVote in one configuration is a ballot-marking device (but after you verify that it marked your ballot, you insert it back into the same slot that can print more votes on the ballot), and IC-X configured as DRE+VVPAT can also print onto the ballot after the voter inspects it.  In fact, almost all DRE+VVPATs can do this:  after the voter inspects the ballot, print VOID on that ballot (hope the voter doesn’t notice), and then print a new one after the voter leaves the booth.

Verified Voting Blog: Continuous-roll VVPAT under glass: an idea whose time has passed | Andrew Appel

This article was originally posted at Freedom to Tinker on October 19, 2018.

States and counties should not adopt DRE+VVPAT voting machines such as the Dominion ImageCast X and the ES&S ExpressVote. Here’s why.

Touchscreen voting machines (direct-recording electronic, DRE) cannot be trusted to count votes, because (like any voting computer) a hacker may have installed fraudulent software that steals votes from one candidate and gives them to another. The best solution is to vote on hand-marked paper ballots, counted by optical scanners. Those opscan computers can be hacked too, of course, but we can recount or random-sample (“risk-limiting audit”) the paper ballots, by human inspection of the paper that the voter marked, to make sure.

Fifteen years ago in the early 2000s, we computer scientists proposed another solution: equip the touchscreen DREs with a “voter verified paper audit trail” (VVPAT). The voter would select candidates on a touchscreen, the DRE would print those choices on a cash-register tape under glass, the voter would inspect the paper to make sure the machine wasn’t cheating, the printed ballot would drop into a sealed ballot box, and the DRE would count the vote electronically. If the DRE had been hacked to cheat, it could report fraudulent vote totals for the candidates, but a recount of the paper VVPAT ballots in the ballot box would detect (and correct) the fraud.

By the year 2009, this idea was already considered obsolete. The problem is, no one has any confidence that the VVPAT is actually “voter verified,” for many reasons:

  1. The VVPAT is printed in small type on a narrow cash-register tape under glass, difficult for the voter to read.
  2. The voter is not well informed about the purpose of the VVPAT. (For example, in 2016 an instructional video from Buncombe County, NC showed how to use the machine; the VVPAT-under-glass was clearly visible at times, but the narrator didn’t even mention that it was there, let alone explain what it’s for and why it’s important for the voter to look at it.)
  3. It’s not clear to the voter, or to the pollworker, what to do if the VVPAT shows the wrong selections. Yes, the voter can alert the pollworker, the ballot will be voided, and the voter can start afresh. But think about the “threat model.”  Suppose the hacked/cheating DRE changes a vote, and prints the changed vote in the VVPAT. If the voter doesn’t notice, then the DRE has successfully stolen a vote, and this theft will survive the recount.  If the voter does notice, then the DRE is caught red-handed, except that nothing happens other than the voter tries again (and the DRE doesn’t cheat this time). You might think, if the wrong candidate is printed on the VVPAT then this is strong evidence that the machine is hacked, alarm bells should ring– but what if the voter misremembers what he entered in the touch screen?  There’s no way to know whose fault it is.
  4. Voters are not very good at correlating their VVPAT-in-tiny-type-under-glass to the selections they made on the touch screen. They can remember who they selected for president, but do they really remember the name of their selection for county commissioner? And yet, historically in American elections, it’s as often the local and legislative offices where ballot-box-counting (insider) fraud has occurred.
  5. “Continuous-roll” VVPATs, which don’t cut the tape into individual ballots, compromise the secrecy of the ballot.  Since any of the political-party-designated pollwatchers can see (and write down) what order people vote on the machine, and know the names of all the voters who announce themselves when signing in, they can (during a recount) correlate voters to ballots. (During a 2006 trial in the Superior Court of New Jersey, I was testifying about this issue; Judge Linda Feinberg saw this point immediately, she said it was obvious that continuous-roll VVPATs compromise the secret ballot and should not be acceptable under New Jersey law.)


Verified Voting Blog: Design flaw in Dominion ImageCast Evolution voting machine | Andrew Appel

This article was originally posted at Freedom to Tinker on October 16, 2018.

The Dominion ImageCast Evolution looks like a pretty good voting machine, but it has a serious design flaw: after you mark your ballot, after you review your ballot, the voting machine can print more votes on it! Fortunately, this design flaw has been patented by a rival company, ES&S, which sued to prevent Dominion from selling this bad design. Unfortunately, that means ES&S can still sell machines (such as their ExpressVote all-in-one) incorporating this design mistake.

When we use computers to count votes, it’s impossible to absolutely prevent a hacker from replacing the computer’s software with a vote-stealing program that deliberately miscounts the vote. Therefore (in almost all the states) we vote on paper ballots. We count the votes with optical scanners (which are very accurate when they haven’t been hacked), and to detect and correct possible fraud-by-hacking, we recount the paper ballots by hand. (This can be a full recount, or a risk-limiting audit: an inspection of a randomly selected sample of the ballots.)

Some voters are unable to mark their ballots by hand–they may have a visual impairment (they can’t see the ballot) or a motor disability (they can’t physically handle the paper). Ballot-marking devices (BMDs) are provided for those voters (and for any other voters that wish to use them); the BMDs are equipped with touchscreens, and also with audio and tactile interfaces (headphones and distinctively shaped buttons) for blind voters, and even sip-and-puff input devices for motor-impaired voters. These BMDs print out a paper ballot that can be scanned by the optical scanners and can be recounted by hand.

Verified Voting Blog: David Jefferson: The Myth of “Secure” Blockchain Voting


In the last couple of years several startup companies have begun to promote Internet voting systems, this time with a new twist – using a blockchain as the container for voted ballots transmitted from voters’ private devices. Blockchains are a relatively new system category somewhat akin to a distributed database. Proponents promote them as a revolutionary innovation providing strong security guarantees that can render online elections safe from cyberattack.

Unfortunately, such claims are false. Although the subject of considerable hype, blockchains do not offer any real security from cyberattacks. Like other online elections architectures, a blockchain election is vulnerable to a long list of threats that would leave it exposed to hacking and manipulation by anyone on the Internet, and the attack might never be detected or corrected.

Verified Voting Blog: Verified Voting Testimony before the Pennsylvania Senate State Government Committee

Written Testimony of Verified Voting President Marian K. Schneider before the Pennsylvania Senate State Government Committee Public Hearing on Senate Bill 1249 and Voting Machine Demonstration, September 25, 2018.

Thank you Chairman Folmer, Minority Chair Williams, and members of the Committee for allowing Verified Voting to submit written testimony in connection with the Senate State Government Committee hearing. We write to address the security risks presented for Pennsylvania’s counties and the need to expeditiously replace aging and vulnerable electronic voting systems. We urge the Committee to recommend that the Commonwealth appropriate adequate funding to permit counties to replace their aging electronic voting systems as soon as possible.

Verified Voting is a national non-partisan, non-profit research and advocacy organization committed to safeguarding elections in the digital age. Founded by computer scientists, Verified Voting’s mission is to advocate for the responsible use of emerging technologies to ensure that Americans can be confident their votes will be cast as intended and counted as cast. We promote auditable, accessible and resilient voting for all eligible citizens. Our board of directors and board of advisors include some of the top computer scientists, cyber security experts and statisticians working in the election administration arena as well as former and current elections officials. Verified Voting has no financial interest in the type of equipment used. Our goal is for every jurisdiction in the United States to have secure and verifiable elections.

There are two basic kinds of electronic voting systems in use in Pennsylvania: Direct recording electronic (DRE) or optical scan systems. Both types of systems are computers, and both are prepared in similar ways. The primary difference is that an optical scan system incorporates a voter-marked paper ballot, marked either with a pen or pencil or with a ballot marking device, and that ballot is retained for recounts or audits. Optical scan systems leverage the speed of the computer to report unofficial results quickly. The presence and availability of that paper ballot provides a trustworthy record of voter intent and allows jurisdictions to monitor their system for problems, detect any problems (either hacking or error), respond to them and recover by, if necessary, hand counting the paper ballots. Seventeen counties in Pennsylvania already benefit from the security protection of paper ballots.

Verified Voting Blog: Serious design flaw in ESS ExpressVote touchscreen: “permission to cheat” | Andrew Appel

This article was originally posted at the Freedom to Tinker blog.

Kansas, Delaware, and New Jersey are in the process of purchasing voting machines with a serious design flaw, and they should reconsider while there is still time!

Over the past 15 years, almost all the states have moved away from paperless touchscreen voting systems (DREs) to optical-scan paper ballots.  They’ve done so because if a paperless touchscreen is hacked to give fraudulent results, there’s no way to know and no way to correct; but if an optical scanner were hacked to give fraudulent results, the fraud could be detected by a random audit of the paper ballots that the voters actually marked, and corrected by a recount of those paper ballots.

Optical-scan ballots marked by the voters are the most straightforward way to make sure that the computers are not manipulating the vote.  Second-best, in my opinion, is the use of a ballot-marking device (BMD), where the voter uses a touchscreen to choose candidates, then the touchscreen prints out an optical-scan ballot that the voter can then deposit in a ballot box or into an optical scanner.  Why is this second-best?  Because (1) most voters are not very good at inspecting their computer-marked ballot carefully, so hacked BMDs could change some choices and the voter might not notice, or might notice and think it’s the voter’s own error; and (2) the dispute-resolution mechanism is unclear; pollworkers can’t tell if it’s the machine’s fault or your fault; at best you raise your hand and get a new ballot, try again, and this time the machine “knows” not to cheat.

Verified Voting Blog: Four ways to defend democracy and protect every voter’s ballot | Douglas W. Jones

This article was originally posted at phys.org.

As voters prepare to cast their ballots in the November midterm elections, it’s clear that U.S. voting is under electronic attack. Russian government hackers probed some states’ computer systems in the runup to the 2016 presidential election and are likely to do so again – as might hackers from other countries or nongovernmental groups interested in sowing discord in American politics.

Fortunately, there are ways to defend elections. Some of them will be new in some places, but these defenses are not particularly difficult nor expensive, especially when judged against the value of public confidence in democracy. I served on the Iowa board that examines voting machines from 1995 to 2004 and on the Technical Guidelines Development Committee of the United States Election Assistance Commission from 2009 to 2012, and Barbara Simons and I coauthored the 2012 book “Broken Ballots.”

Election officials have an important role to play in protecting election integrity. Citizens, too, need to ensure their local voting processes are safe. There are two parts to any voting system: the computerized systems tracking voters’ registrations and the actual process of voting – from preparing ballots through results tallying and reporting.

Verified Voting Blog: The National Academies of Sciences, Engineering, and Medicine releases report on “The Future of Voting”

Today the National Academies of Sciences, Engineering, and Medicine released a report on election security, “Securing the Vote: Protecting American Democracy.” The Committee for The Future of Voting, which includes Verified Voting Board member Ron Rivest and Advisory Board member Andrew Appel, released the report at a public event in Washington, DC, where the report’s findings and key recommendations were discussed. Included in the Committee’s recommendations, which echo many of Verified Voting’s policies, were:

  • Human-readable paper ballots, made available for all elections as soon as 2018
  • State-mandated risk-limiting audits
  • Increased funding to state and local governments for cybersecurity and election infrastructure

In addition to Ron Rivest and Andrew Appel, Verified Voting’s own Barbara Simons, David Dill, Philip Stark, Matt Blaze, Doug Kellner, and Alex Halderman reviewed the report ahead of its release.

To read the full report and recommendations, visit nap.edu/FutureOfVoting