Verified Voting Blog

This blog contains posts authored by the Verified Voting Team and by members of the Verified Voting Board of Advisors.

Verified Voting Blog: Verified Voting Public Comments on VVSG 2.0 Principles and Guidelines

Download the PDF

Verified Voting is pleased to see the VVSG 2.0 principles and guidelines finally moving forward. We are enthusiastic about the VVSG 2.0 structure and, with some reservations, about the content of the principles and guidelines. Full implementation of the VVSG 2.0 will, in time, help bring about voting systems that set new standards for universal usability, security, and verifiability. All these properties – backed by sound procedures – are essential to enable officials to run resilient elections, and to reassure voters that their votes have been cast as intended and counted as cast.

We urge the EAC to allow the technical requirements and test assertions to be approved and revised without a vote of the commissioners. We agree with the TGDC, the NASED executive council, and others that for several reasons, these documents are best managed by technical staff, adhering to a well-defined process with broad consultation and opportunity for public comment.

Verification and the VVSG

Verified Voting especially welcomes Principle 9, which stipulates that a voting system “is auditable and enables evidence-based elections,” and the associated guidelines. No matter how otherwise usable and reliable a voting system may be, it is unacceptably dangerous if it cannot provide trustworthy, software-independent evidence that people’s votes have been accurately recorded and counted.

A voting system alone can “enable” evidence-based elections but cannot provide them. As Philip Stark and David Wagner wrote in their seminal paper, the basic equation is that “evidence = auditability + auditing.” A voting system with a voter-verifiable audit trail, such as a voter-marked paper ballot, provides auditability. Compliance audits to ensure that the audit trail is substantially complete and accurate, and risk-limiting tabulation audits of the audit trail, provide actual evidence that outcomes are correct. Read More

Verified Voting Blog: Verified Voting Testimony before the Allegheny County Pennsylvania Board of Elections

Download the pdf

Thank you, Chairman Baker and members of the Board, for allowing Verified Voting to submit written testimony in connection with the Public Meeting on the Purchase of Voting Systems. We hope to provide background on the security needs that counsel for the adoption of a new voting system with a verifiable and auditable paper ballot, and provide some high-level recommendations for consideration by the Board as it deliberates the purchase of new voting equipment for Allegheny County.

About Verified Voting

Verified Voting is a national, non-profit non-partisan organization. Verified Voting’s mission is to strengthen democracy for all voters by promoting the responsible use of technology in elections. Since our founding in 2004, we have acted on the belief that the integrity and strength of our democracy relies on citizens’ trust that each vote is counted as cast. We bring together policymakers and officials who are designing and implementing voting-related legislation and regulations with technology experts who comprehend the risks associated with election technology. We have provided direct assistance to election officials in implementing the most efficient post-election audits to verify election results. Additionally, we connect advocates and researchers, the media and the public to provide greater understanding of these complex issues.

Our board of directors and board of advisors include some of the top computer scientists, cyber security experts and statisticians working in the election administration arena as well as former and current elections officials. Verified Voting has no financial interest in the type of equipment used. Our goal is for every jurisdiction in the United States to have secure and verifiable elections.

In addition to our expertise and reputation in the field, Verified Voting has assets developed over years of monitoring election administration practice. These include the most complete, accurate and up-to-date publicly-accessible database of voting and tabulation systems in use, and comprehensive archives of news and publications on election technology. Our dataset on voting equipment is used and relied upon by organizations in need of reliable historical and current data on the election equipment. Further, we assist researchers, the press and the public by providing custom datasets for their use.

The Scope of the Problems with Election Security and Current Election Infrastructure

Election administration depends on computers at multiple points in the election process. Equipment for voting is but one part of a broad array of election technology infrastructure that supports the conduct of elections today. Some of that technology infrastructure includes voter registration databases, internet facing applications such as online voter registration and polling place lookup, network connections between state government and local jurisdictions, the computers that program the voting devices that record and count votes in addition to the voting devices themselves. Some jurisdictions also use electronic poll books to check voters in at polling sites and most states and localities report election night returns via a website.

To the extent that any of these can be compromised or manipulated, can contain errors, or can fail to operate correctly—or at all—this can potentially affect the vote. Election system security requires not only efforts to prevent breaches and malfunctions, but also fail-safes that address breaches or malfunctions that do occur and procedures to confirm the correctness of election outcomes.

The security of election infrastructure has taken on increased significance in the aftermath of the 2016 election cycle. During the 2016 election cycle, a nation-state conducted systematic, coordinated attacks on America’s election infrastructure, with the apparent aim of disrupting the election and undermining faith in America’s democratic institutions. Intelligence reports and recent investigations demonstrate that state databases and third-party vendors not only were targeted for attack, but were breached.1

The intelligence community agrees that future attacks on American elections are inevitable.2 The inevitability of attacks is a key concept in cyber security: it’s not whether a system will be attacked, but when. Moreover, cyber security experts now agree that it is impossible to thwart all attacks on computer systems. Rather, best practice demands a multilayered approach built around the concept of resiliency. Systems are resilient if owners can monitor, detect, respond and recover from either an intentional attack or a programming mistake or error. The capacity to recover from even a successful attack is integral to the security of U.S. elections.

The Board’s immediate attention is focused on replacing Allegheny County’s legacy paperless direct recording electronic (DRE) voting systems. Two basic kinds of electronic voting systems are used in the United States: Direct recording electronic (DRE) and optical scan systems. Both types of systems are computers, and both are prepared in similar ways. Currently, Allegheny County voters vote on DREs. Direct recording electronic systems directly record the voter’s choices to computer memory. The voter may interface with the voting machine in one of several ways, such as a touchscreen or push buttons, but the voter’s selections are recorded directly to memory stored in the machine. There is no software-independent3 record of voter intent provided with a DRE system.

Because DRE systems lack a paper ballot that was separately marked by the voter and then tabulated, errors or malware on the software could result in an undetectable change in the election outcome. All DREs are vulnerable, even those with a “voter verifiable paper audit trail” (VVPAT) present security risks and verification challenges that are difficult to overcome. 4 A printout of election results from the memory card of a DRE after the fact or a printout of “cast vote records” does not provide any additional verification of the election results. Those printouts simply call up the data that is stored on the computer’s memory. If the data was not stored correctly, whether because of malware or malfunction in the voting system, a printout of incorrect data is meaningless. Without a contemporaneous software independent record of voter intent, there is no way to verify, audit or recount DREs.

Replacing DREs is urgent because, by design, it is impossible to verify that the computer correctly captured the voter’s choices. Thus, DRE systems are not resilient. This inherent design flaw of DRE systems is why Governor Wolf has directed the counties to replace paperless DRE systems by the 2020 elections.

Mitigating Voting System Risks

Fortunately, for voting systems, a general consensus has formed on the steps necessary to provide a secure, resilient and verifiable election:

● A paper ballot (marked by pen or computerized ballot marking device) that voters can verify before casting;

● Tabulation of the marked ballot separately by an optical scanner;

● Routine, robust post-election audits to either confirm that reported outcomes are accurate or identify problems for further investigation before vote counts are finalized; and

● The ability to carry out full manual recounts if needed.

Optical scan systems leverage the speed of the computer to report unofficial results quickly. The difference between DRE and optical scan systems is that an optical scan system incorporates a voter-marked paper ballot, marked either with a pen or pencil or with a ballot marking device and that ballot is retained for recounts or audits. The paper ballots provide a trustworthy record of voter intent and allow jurisdictions to monitor their system for problems, detect any errors, (whether due to hacking or accident), respond to them and recover by, if necessary, hand counting the paper ballots.

For technology used for marking and counting votes, voters must be able to confirm firsthand that their ballots were indeed marked as they intended, and election officials must be able to use those ballots to demonstrate that all the votes were included and were counted as cast. This process is crucial to defuse the narrative that our elections can be hacked.

This bridge between the voter and correctly reported outcomes requires a physical artifact as evidence of the voter’s intent, and a process for checking. That artifact is typically the paper ballot that is voter-marked, either with a pen or pencil or through the use of an accessible interface such as a ballot marking device. Voting systems, especially ballot marking devices, should make it as easy as possible for voters to verify their ballots.

Post-election tabulation audits provide the crucial check of vote counts against voters’ ballots. It is important to check the ballots themselves, not relying upon software-generated images or other artifacts that voters themselves could not verify. Effective audits manually inspect enough of the voter-verified paper ballots to provide strong evidence that the reported election outcomes match the ballots. The most robust tabulation audits, called risk-limiting audits, provide a large, statistically guaranteed minimum chance of correcting outcomes that are wrong due to tabulation errors. Colorado and Rhode Island have passed laws to require risk-limiting audits before election results are certified. Many other states require some other form of tabulation audit, which may or may not provide evidence that outcomes are correct — and, in some states, is conducted too late to correct wrong outcomes. Pennsylvania requires a flat percentage (2%) audit but Allegheny County currently has no ability to conduct a meaningful audit with its current equipment.

Tabulation audits do not stand alone. Other compliance procedures ensure that all ballots are accounted for and the numbers of ballots cast reconciles with the number of voters whosigned in, and that important chain of custody security procedures have been followed each election. Put together, these practices provide assurance that voters’ ballots determine the election results. Other election processes also should be routinely audited.

Full manual recounts must be available, when necessary, to correct election outcomes. Risk-limiting audits, by definition, require full manual recounts when audit samples do not find strong evidence that the reported outcome is correct. The best recount provisions allow for full recounts of elections with very close margins, and for full or partial recounts at candidate expense (unless errors are found) in other contests, all conducted by hand.

Consensus Support for Change

The chorus of voices calling for the security measure of voter marked paper ballots plus robust post-election audits has grown louder since 2016. On September 17, 2018, a federal court in Georgia issued a decision in Curling v. Kemp finding that the persistent vulnerabilities in the Georgia’s paperless voting system raised profound constitutional issues that require urgent action from state officials. In explaining its ruling, the court outlined the constitutional imperative to secure election systems against modern cyberthreats, thus protecting voters’ due process and equal protection rights.

The Georgia court’s conclusion underscores the stakes associated with ensuring secure and reliable election systems: “The 2020 elections are around the corner. If a new balloting system is to be launched in Georgia in an effective manner, it should address democracy’s critical need for transparent, fair, accurate, and verifiable election processes that guarantee each citizen’s fundamental right to cast an accountable vote.”5

In September 2018, the National Academies of Science, Engineering and Medicine (NASEM) issued a Consensus Report that, among other recommendations, emphasizes the importance of paper ballots and post-election audits.6:

4.11 Elections should be conducted with human-readable paper ballots. These may be marked by hand or by machine (using a ballot-marking device); they may be counted by hand or by machine (using an optical scanner). Recounts and audits should be conducted by human inspection of the human-readable portion of the paper ballots. Voting machines that do not provide the capacity for independent auditing (e.g., machines that do not produce a voter-verifiable paper audit trail) should be removed from service as soon as possible.

5.6 Jurisdictions should conduct audits of voting technology and processes (for voter registration, ballot preparation, voting, election reporting, etc.) after each election….

5.7 Audits of election outcomes should include manual examination of statistically appropriate samples of paper ballots cast.

5.8 States should mandate risk-limiting audits prior to the certification of election results…. [When fully implemented, risk]-limiting audits should be conducted for all federal and state election contests, and for local contests where feasible.7

The Committee also analyzed and detailed the cyber security threats that exist for electronic voting systems and other election systems. Key findings on cyber security include:

● all digital information—such as ballot definitions, voter choice records, vote tallies, or voter registration lists—is subject to malicious alteration;

● there is no technical mechanism currently available that can ensure that a computer application—such as one used to record or count votes—will produce accurate results;

● testing alone cannot ensure that systems have not been compromised; and

● any computer system used for elections—such as a voting machine or e-pollbook—can be rendered inoperable.

In Pennsylvania, PittCyber’s Blue Ribbon Commission on Pennsylvania’s Election Security Study and Recommendations echoes NASEM’s recommendations and specifically calls for the replacement of vulnerable legacy DRE systems in Pennsylvania and the adoption of risklimiting audits.8

Ballot Marking Devices

Allegheny’s current precinct voting device, the ES&S iVotronic, is a DRE system and must be replaced because of its high susceptibility to an undetectable error or tampering in its programming. Under federal law, jurisdictions are required to provide a voting method so that voters with disabilities can privately and independently cast their ballots. DRE systems incorporate some accessibility features in all devices, allowing jurisdictions to provide a single device for all voters.

The new generation of proprietary commercially available voting systems address the problem of ensuring an auditable paper record and accessibility through the use of a ballot-marking device. These devices provide an electronic user interface and presentation of the ballot, permit the voter to mark their ballot and then print the voter’s selections either on a ballot that is identical to one marked with a pen or pencil or a summary of the ballot choices. Ideally, the paper is presented to the voter for verification – an important step to ensuring a trustworthy record for audit. After verification, the paper ballot or summary ballot is scanned for tabulation and retained for recounts and audits.

Some of the new crop of ballot marking devices are similar to paper-based legacy systems that have been used in 13 counties in Pennsylvania since 2006. These systems use a uniform full-size ballot for all voters, which most voters mark by hand, and other voters mark using a ballot marking device with assistive interfaces. Usually these ballots are tabulated by scanners at the polling place but several counties in Pennsylvania tabulate the ballots centrally at the county offices.

Ballot marking devices provide undeniable benefits that may improve the voting experience for some voters. For example, they include assistive technologies such as read-aloud audio function to assist with marking and then verifying the ballot, can allow voters to adjust the text size, are able to present a variety of ballot styles on a single device and make it easier to present multilingual ballots.9 Because not all voters can mark a ballot using a pen, and because not all voters can use screens, it is imperative that a variety of options for marking a ballot are available in the polling place for all voters.

A growing number of jurisdictions nationally and in Pennsylvania are adopting a new type of ballot marking device that do not produce ballots that are indistinguishable from those marked by hand. Instead, these systems produce summary ballots that show, for each contest that the voter could vote in, only the name of the contest and the voter’s selection(s) – or show that the voter did not make a selection in that contest. Summary ballots may be the same size as the hand-marked ballots (although very different in appearance), or they may be substantially smaller. Many of these summary ballots also encode the voter selections as barcodes, which are easier to tabulate than the human-readable text of the selections. Even if the barcodes are nonproprietary and can be read by barcode readers, it may be difficult for a voter to discern whether a printed bar code properly reflects the voters’ choices.

Some BMDs include an embedded scanner within the hardware. Such “all-in-one” devices present additional security challenges because they allow the ballot to pass through the printer after the voter has already viewed and ostensibly verified the ballot. Because the printer function and the tabulation function are both controlled by software, an attacker could exploit this hardware design to alter ballots after a voter has reviewed the ballot.10

Considerations in Selecting new Systems

As Allegheny County considers its voting system choice, Verified Voting urges the Board to consider a variety of issues relating to security, resiliency and verifiability. Because we count votes by computers, certain security risks and vulnerabilities are present and will always be present. The policy considerations involve reducing those risks as much as possible and deploying a system that allows Allegheny County to recover from any event that could interfere with the integrity of the election. In addition, the choice of voting system should ensure that voters have an available and appropriate voting method and that they can deliberately verify their choices before casting their ballots. Allegheny County should also ensure that any system it chooses facilitates the adoption of robust post-election audits, such as risk-limiting audits. An audit has value when it relies on a trustworthy record of voter intent, that cannot be undetectably altered by software, and has arrived at the end of the electoral process through a system that has rigorous chain of custody procedures.

All of the voting systems that have been certified in Pennsylvania incorporate a paper record but there are significant differences in how the systems are deployed and function in the field. Moreover, significant differences exist among the systems with regard to the ease of verification of the voter’s choices and whether the voter has actually verified the paper record.

In light of the pervasive security vulnerabilities of all electronic voting systems, including Ballot Marking Devices (BMDs), the considerable cost of BMDs, the necessity for a deliberate verification of the paper record, Verified Voting endorses the use of voter-marked paper ballots, marked primarily with a pen or pencil, and supplemented with BMDs, as the best method for recording votes in public elections. Verified Voting believes that voters should have the opportunity to choose the method that best suits their needs while offering voters the opportunity to deliberately verify their ballots. BMD usage should not be limited to voters with identified disabilities; nor should all in-person voters be compelled to use BMDs. For several reasons, most precinct-based polling places are well served by one BMD and a separate tabulator. In this configuration, election procedures must assure that a critical mass of voters use the BMD. For instance, if necessary, some fraction of voters (such as every 20th voter) can be explicitly invited, but not required, to use the BMD. Such a process has several benefits: it preserves the secrecy of the ballot for voters who use the BMD and it ensures that poll workers and voters alike are familiar with the operation of the BMD to guarantee a smooth election.

When deciding which system to choose, Verified Voting cautions against choosing ballot marking devices for all voters. This would, in essence, entail swapping one existing DRE for one ballot marking device. Allegheny County currently has 1,332 precincts and at least 2 DREs, if not more, in each precinct. Costs for a single ballot marking device can range from $6,200- $10,000 per device just for the purchase. Service contract pricing can be tied to the number of devices so annual costs could also be higher. Consequently, choosing BMDs for all voters could be the most expensive option.

Moreover, it is necessary to purchase enough of these expensive machines to accommodate all the voters who need them especially during peak election turnout. An inadequate number of BMDs, either because too few were allocated, or because some fail to work, can easily generate long lines, disenfranchising voters who are unable to wait for the machines and no emergency paper ballots are available. Pittsburgh has a history with long lines at the polls, even during the 2018 midterm elections.11

As described above, several options for purchase include “all-in-one” systems that combine marking of the ballot and tabulating of the ballot. The design flaw that allows a paper ballot to pass through the printer (controlled by software) after the ballot leaves the possession of the voter presents an unacceptable risk that the ballot could be altered in undetectable ways. Not only that, these devices present a risk that the election could be disrupted in a way that makes it impossible to recover the correct votes as intended by the voter. Such systems are neither “software independent” nor resilient. Verified Voting recommends BMDs that either separate the marking of the ballot from the tabulation function, or are designed in such a way that prevents the system from altering any ballots or voiding any ballots after the ballot has left the possession of the voter.

Voter-marked paper ballots can provide a trustworthy verification bridge from voter intent to vote tabulation: voters can verify that their marks reflect their intended choices, and election officials can verify, through audits and recounts, that the vote counts accurately reflect the voter marks. Both parts of the bridge are necessary. If a voting system does not provide a ballot that voters can verify, it is fatally insecure. If the system produces a marked ballot that in principle the voter can verify, then the system’s security and trustworthiness depend in significant part on how many voters verify their ballots, how carefully, and what happens if they note discrepancies. Consequently, it is important to design all voting systems and procedures to strongly encourage as many voters to verify their ballots as possible.

BMDs raise voter verification concerns because voters who use them cannot verify their ballots until after entering all the selections. (In contrast, a voter who hand-marks a ballot can verify each selection as it is marked, then review the entire ballot before finally casting the ballot.) When verification cannot begin until late in the voting process, voters may tend to rush past it. As a result, voters can easily overlook errors, unintended choices, and even malicious changes in their selections, or even in which contests are listed on their ballots. With the proper attention to the verification process, including good ballot design, good system design, proper allocation of devices, and a process to encourage voters to deliberately verify their choices, a jurisdiction such as Allegheny County can create an environment to encourage deliberate verification of ballots for voters who vote on ballot marking devices.

A comprehensive system that uses a separate, single tabulation device for all ballots, regardless of whether they are marked by hand or marked by a ballot marking device, is preferable from a security and verifiability standpoint.

The availability of hand-marked paper ballots as an option for voters has other advantages. First, hand-marked paper ballots are significantly less expensive than BMDs. Most paper ballots, whether hand-marked or machine-marked, are tabulated by scanners, and typically a polling place will require only a single scanner unless the precinct is unusually large and then likely only one additional scanner. If, however, a scanner breaks down, voters can deposit their marked paper ballots in a ballot box for later scanning. No additional wait time is required. A voting system that incorporates hand-marked paper ballots for most voters is scalable and can easily handle a spike in voter turnout on election day. Either additional privacy booths may be added or voters can mark ballots in any convenient spot.

We do not believe that compelling all in-person voters to use BMDs is an effective way to protect the rights of voters with disabilities – especially when those BMDs have poor or questionable security and verification properties for all voters. At the same time, BMD use should not be restricted to voters who are unable to hand-mark their ballots. For several reasons, including ballot anonymity, quality assurance, and voter dignity, it is best to have a critical mass of voters using polling place BMDs throughout election day, assisted by pollworkers who are trained to help all voters appropriately. Crucially, to support this objective, the BMDs and election processes should meet the verifiability standards we have discussed.

Conclusion

Verified Voting is grateful for the opportunity to participate in this hearing today. Allegheny County, as Pennsylvania’s second largest jurisdiction, can demonstrate its commitment to the integrity of elections by selecting a secure, verifiable and resilient voting system that serves the citizens of Allegheny County well.

1 “Illinois election officials say hack yielded information on 200,000 voters,” Chicago Tribune, Aug. 29, 2016, http://www.chicagotribune.com/news/local/politics/ct-illinois-state-board-of-elections-hack-update-met-0830- 20160829-story.html; “Russian hackers targeted Arizona election system,” The Washington Post, Aug. 29, 2016, https://www.washingtonpost.com/world/national-security/fbi-is-investigating-foreign-hacks-of-state-electionsystems/2016/08/29/6e758ff4-6e00-11e6-8365-b19e428a975e_story.html?utm_term=.de487f1d4b90.

2 Assessing Russian Activities and Intentions in Recent U.S. Elections, ICA 2017-01D, Office of the Director of National Intelligence, 2017 at iii; Securing Elections from Foreign Interference, Brennan Center for Justice, June 29, 2017 at 4.

3 Software independence in voting systems was described by Ron Rivest (MIT) and John Wack (NIST) as follows: “A voting system is software-independent if an undetected change or error in its software cannot cause an undetectable change or error in an election outcome.” See Rivest, R. and Wack, J. “On the Notion of Software Independence in Voting Systems.” Available at https://people.csail.mit.edu/rivest/RivestWackOnTheNotionOfSoftwareIndependenceInVotingSystems.pdf

4 The Board may have heard that the precinct voting devices are “unhackable.” That statement is untrue. Each precinct voting device is programmed by a regular laptop or desktop computer. The program files are then loaded onto the precinct voting device via some kind of memory card, cartridge or USB stick. This is true for every kind of computer that counts votes. An error or malware on the computer that programs the voting devices could infect the entire county. If that computer is connected to a network (which is not a best practice but may occur anyway), a phishing attack, for example, in which the attacker obtained login credentials could provide a pathway for the attacker to modify the ballot definition file. Alex Halderman, Professor of Computer Science at the University of Michigan, has demonstrated numerous times how this could be done, including in the New York Times video available here: https://www.nytimes.com/2018/04/05/opinion/election-voting-machine-hacking-russians.html

5 Curling v. Kemp, No.1:17-CV-02589-AT, at 46

6 National Academies of Science, Engineering, and Medicine, 2018, Securing the Vote: Protecting American Democracy, available for download at https://www.nap.edu/catalog/25120/securing-the-vote-protecting-americandemocracy

7 Securing the Vote at 7-9.

8 “The Blue Ribbon Commission On Pennsylvania’s Election Security Study And Recommendations,” Jan. 2019, University of Pittsburgh Institute for Cyber Law Policy and Security, available for download https://www.cyber.pitt.edu/report

9 Brennan Center for Justice, Common Cause, National Election Defense Coalition, Verified Voting Foundation, Securing the Nation’s Voting Machines: A Toolkit for Advocates and Election Officials, at 3 (May 31, 2018), available for download at https://www.brennancenter.org/publication/securing-nations-voting-machines

10 Appel, A., “Design flaw in Dominion ImageCast Evolution voting machine,” Freedom to Tinker, Oct. 16, 2018, retrieved from https://freedom-to-tinker.com/2018/10/16/design-flaw-in-dominion-imagecast-evolution-votingmachine/

11 See e.g., Delano, J. “Reporter Update: Murrysville Voters Tired Of Long Lines At Polls”. KDKA2 CBS Pittsburgh https://pittsburgh.cbslocal.com/video/4071328-reporter-update-murrysville-voters-tired-of-long-lines-atpolls/

 

 

 

Verified Voting Blog: Counting Votes: Paper Ballots and Audits in Congress, Crisis at the EAC?, Florida’s Mystery Counties

In her testimony at an election security hearing before the Committee on House Administration last week, Verified Voting President Marian Schneider joined advocates and election officials in calling on Congress to help states and local jurisdictions replace aging voting systems, conduct risk-limiting audits and enhance election infrastructure security. In order to prepare for 2020, Congress must provide “adequate financial investment in cyber security best practices, replacement equipment and post-election audit processes … immediately and continue at a sustainable level moving forward.”

Writing in Governing, Graham Vyse highlighted the significant bipartisan agreement between the two secretaries of state who testified, Jocelyn Benson (D-MI) and John Merrill (R-AL), on efforts needed to address emerging threats to election security. Significantly, the state election officials, along with all the witnesses, were unanimous in recommending the replacement of direct recording electronic voting machines with paper ballot voting systems and conducting post-election ballot audits.

Two days after the hearing, House Homeland Security Committee Chairman Bennie Thompson (D-MS), House Administration Committee Chairwoman Zoe Lofgren (D-CA) and Rep. John Sarbanes (D-MD), the chairman of the Democracy Reform Task Forcereintroduced The Election Security Act. Aimed at reducing risks posed by cyberattacks by foreign entities or other actors against U.S. election systems, the bill would establish cybersecurity standards for voting system vendors and require states to use paper ballots during elections.

Last month legislation was introduced in both chambers intended to strengthen election security by providing government grants to assist states, as well as local and tribal governments, in developing and implementing plans to address cybersecurity threats or vulnerabilities. This week Verified Voting wrote an open letter to the bills’ sponsors supporting their efforts and encouraging them to add provisions specifically prohibiting these funds from being used for internet-based voting. The letter notes that “[c]ybersecurity experts agree that no current technology, including blockchain voting, can guarantee the secure, verifiable, and private return of voted ballots over the internet.”

The departure of Ryan Macias from his position as acting head of the Election Assistance Commission’s head of voting system testing and certification program reflects an agency in crisis, according to Politico’s Morning Cybersecurity. Macias’ departure may be related to an exchange at an EAC field hearing, when Chairwoman Christy McCormick repeatedly asked Macias why EAC commissioners didn’t have final approval over the details of federal voting system standards.
Read More

Verified Voting Blog: Verified Voting Testimony Before the House Administration Committee hearing on “Election Security”

Election administration depends on computers at multiple points in the election process. Equipment for voting is but one part of a broad array of election technology infrastructure that supports the conduct of elections today. Some of that technology infrastructure includes voter registration databases, internet facing applications such as online voter registration and polling place lookup, network connections between state government and local jurisdictions, the computers that program the voting devices that record and count votes in addition to the voting devices themselves. Some jurisdictions also use electronic poll books to check voters in at polling sites and most states and localities report election night returns via a website.  To the extent that any of these can be compromised or manipulated, can contain errors, or can fail to operate correctly—or at all—this can potentially affect the vote. Election system security requires not only efforts to prevent breaches and malfunctions, but also fail-safes that address breaches and malfunctions that do occur.  The security of election infrastructure has taken on increased significance in the aftermath of the 2016 election cycle. During the 2016 election cycle, a nation-state conducted systematic, coordinated attacks on America’s election infrastructure, with the apparent aim of disrupting the election and undermining faith in America’s democratic institutions. Intelligence reports and recent investigations demonstrate that state databases and third-party vendors not only were targeted for attack, but were breached. The consensus among the intelligence community is that future attacks on American elections are inevitable.2 The inevitability of attacks is a key concept in cyber security: it’s not whether a system will be attacked, but when. Moreover, cyber security experts now agree that it is impossible to thwart all attacks on computer systems. Rather, best practice demands a multi-layered approach built around the concept of resiliency. Systems are resilient if owners can monitor, detect, respond and recover from either an intentional attack or a programming mistake or error. The capacity to recover from even a successful attack is integral to the security of U.S. elections.  Despite considerable progress in the last few years, much work must be done to secure our nation’s elections infrastructure. Two primary areas that require immediate and sustained attention are 1) securing both the state and county networks, databases and data transmission infrastructure that touch elections; and 2) instilling confidence in election outcomes by replacing older, vulnerable legacy voting systems with new systems that permit reliable recounts and post-election audits. Full Article: Written Testimony for U.S. House Committee on House Administration hearing on “Election Security.”.

Verified Voting Blog: Verified Voting Letter in Support of Congressional Election Cybersecurity Legislation

This letter was sent to Senators Cory Gardner (R-CO), Mark Warner (D-VA) and Representatives Derek Kilmer (D-WA) and Michael McCaul (R-TX) on May 14, 2019. Download the PDF.

Thank you for introducing legislation aimed at increasing cybersecurity at the state and local levels of government. We recognize the need for this important legislation, which is aimed at hardening cyber resiliency efforts and preventing vulnerabilities from becoming nightmare realities. For the states that would respond to the proposed grants in H.R. 2130 and S.1065, and for the protection of the citizens who live in them, we applaud your support in the battle against cyberattacks.

At the same time that you are bolstering cybersecurity defenses, we encourage you to add provisions specifically prohibiting these funds from being used for internet-based voting. Cybersecurity experts agree that internet return of marked ballots lacks sufficient safeguards for security and privacy. We urge you to specifically name internet voting as a threat and prohibit the funding provided by your legislation from being used to support internet voting programs and pilots.

Cybersecurity experts agree that no current technology, including blockchain voting, can guarantee the secure, verifiable, and private return of voted ballots over the internet. Both because vote-rigging malware could already be present on the voter’s computer and because electronically returned ballots could be intercepted and changed or discarded en route, local elections officials would be unable to verify that the voter’s ballot accurately reflects the voter’s intent. Furthermore, even if the voter’s selections were to arrive intact, the voted ballot could be traceable back to the individual voter, violating voter privacy. Read More

Verified Voting Blog: Counting Votes May 16 2019

In her testimony at an election security hearing before the Committee on House Administration last week, Verified Voting President Marian Schneider joined advocates and election officials in calling on Congress to help states and local jurisdictions replace aging voting systems, conduct risk-limiting audits and enhance election infrastructure security. In order to prepare for 2020, Congress must provide “adequate financial investment in cyber security best practices, replacement equipment and post-election audit processes … immediately and continue at a sustainable level moving forward.”

Writing in Governing, Graham Vyse highlighted the significant bipartisan agreement between the two secretaries of state who testified, Jocelyn Benson (D-MI)and John Merrill (R-AL) on efforts needed to address emerging threats to election security. Along with all the witnesses, the state election officials agreed that more federal funding for election security was needed. Significantly the witnesses were also unanimous in recommending the replacement of direct recording electronic voting machines with paper ballot voting system and conducting post-election ballot audits.

Two days after the hearing, House Homeland Security Committee Chairman Bennie Thompson (D-MS), House Administration Committee Chairwoman Zoe Lofgren (D-CA) and Rep. John Sarbanes (D-MD), the chairman of the Democracy Reform Task Force reintroduced The Election Security Act. Aimed at reducing risks posed by cyberattacks by foreign entities or other actors against U.S. election systems, the bill would establish cybersecurity standards for voting system vendors and require states to use paper ballots during elections.

The resignation of the Election Assistance Commission’s head of voting system testing and certification reflects an agency crisis according to Politico’s Morning Cybersecurity. Macias’ departure may be related to an exchange  at an EAC field hearing, when Commissioner Christy McCormick repeatedly asked Macias why EAC commissioners didn’t have final approval over the details of federal voting system standards. After Macias leaves on May 17, the EAC will have only one employee working full-time on assessing voting machines based on federal standards former Colorado voting security expert Jerome Lovato, who, according to an email obtained by CyberScoop, the EAC has appointed Lovato to replace Macias. The EAC’s internal announcement cited Lovato’s experience testing and piloting voting systems and his familiarity with risk-limiting audits. He previously worked for a decade as a voting systems specialist at the Colorado Secretary of State’s office.

Sen. Ron Wyden (D-OR) has contacted VR Systems, the Florida voter-registration software maker that the FBI apparently believes Russia hacked, asking if “the company ever engaged a third party to conduct a forensic examination of its computer networks and systems since the hacking assertions first came to light after the 2016 election”. As Kim Zetter reports in Politico, VR Systems, insists it wasn’t hacked, referencing an analysis by FireEye to claim there was never an intrusion in VR System’s EVID servers or network. A separate FBI investigation indicated that malware was installed on the network of a vendor fitting VR Systems’ description.

After a briefing last Friday with the FBI and DHS, Florida Gov. Ron DeSantis, revealed that, according to the Müller investigation, election information in two Florida counties was accessed by Russian hackers in 2016. Due to a nondisclosure agreement, he said he was willing, but not allowed, to identify the counties. This had led inevitably to a chorus of denials from county election officials across the state. US Sen. Marco Rubio (R-FL) earlier this month clarified that while the Russians did not appear to have access to vote tallying systems, access to the statewide voter registration database could have allowed a hacker to modify voter information in any county.

Russian hacking aside, a respected former supervisor of elections observed that the state is in desperate need of upgrades to its election system. WJCT quotes longtime Leon County Supervisor Ion Sancho, who described Florida’s election infrastructure as, “frankly, not secure.” He observed that to him “it’s been clear to me that the election infrastructure, not only in Florida but in the country, is not secure”. He when on the say he doubts the FBI will ever disclose which Florida county was hacked, “because the FBI has a policy of not telling the truth relative to the disclosure of the methods and sources of how they find out information.” Sancho added his voice to those calling for paper ballots and “scientifically valid” methods to assure accurate tabulation.

Appealing a January dismissal by a Cobb County Superior Court judge, the Coalition for Good Governance asked the Georgia Supreme Court to reinstate a lawsuit contesting the election of Lt. Gov. Geoff Duncan. The suit alleges that an analysis, reveals an anomalous in the residual vote rate in the Lt. Governor’s race relative to previous elections and significantly other “down-ballot” contests. As AP reports, the “aberrant pattern” only appeared in votes reported cast on touchscreen voting machines, not those cast on paper absentee and provisional ballots, Brown wrote. The paper ballots followed the normal pattern.

In US News, Susan Milligan reported on evidence suggesting that voters (some more or less than others) have less faith in the integrity of the election process in 2018 than they had in 2016. Polling comparisons indicate a dramatic decline in voter confidence over past election cycles. Richard Blumenthal, one of the bipartisan authors of (bill number), Richard Blumenthal (D-CT) warned of “… a real danger to such distrust in the integrity of our election system that has lasting damage.”

Michael Bitzer, a politics and history professor specializing in Southern politics highlighted that voters increasingly question the integrity not just of the candidates or the media but election process itself. Along with experts and advocates that have (talked about) election integrity and integrity for years, elected officials are now making charges of fraud or fixing and publicly questioning the fairness of elections.

Verified Voting Blog: Statement on Maryland HB706/SB919 Online Delivery and Marking of Absentee Ballots

To download the PDF click here.

Verified Voting supports Maryland House Bill 706 (Senate Bill 919) as an immediate, short-term mitigation to reduce risks inherent in Maryland’s current online absentee ballot system by limiting its use to only those who would otherwise be unable to vote. Going forward, substantial changes are necessary to provide Maryland’s voters with secure, reliable, accessible means of voting absentee.

Verified Voting supports the objective of helping voters to obtain their ballots and cast their votes, but any technology used for this purpose must be carefully evaluated. Regrettably, computer scientists and others have found that Maryland’s system has several grave shortcomings.

Because Maryland does not check signatures on returned absentee ballots, there is no way to distinguish legitimate from illegitimate ballots. Using information that is widely available, an attacker could readily request, electronically receive (at multiple fake email addresses), and cast any number of absentee ballots.1 Even if the attacker did not cast the ballots, any voters purported to have requested absentee ballots would be required to cast provisional ballots, creating chaos and suspicion and increasing the likelihood that the voter will be disenfranchised. Read More

Verified Voting Blog: Verified Voting Statement on EAC Chair Christy McCormick

The following is a statement from Verified Voting’s president, Marian K. Schneider:

“Verified Voting congratulates Christy McCormick on her election as Chair of the Election Assistance Commission and her three priorities for her tenure: election preparedness, replacing aging voting equipment, and working towards improving accessibility for all voters including voters with disabilities, military and overseas voters and limited English proficient voters.

“With those laudable goals in mind, Verified Voting urges Christy McCormick and the EAC to ensure that the next generation of voting systems provide most voters the opportunity to mark their ballots by hand and support robust post-election tabulation audits. These post-election audits can protect the integrity of the election outcomes with the existing systems.Technology has evolved so that improved security, verifiability and accessibility are not mutually exclusive, but can give everyone, the candidates, voters, the press and the public assurance that our voting system is resilient against attack.”

Verified Voting Blog: No to Online Voting in Virginia | Electronic Frontier Foundation

This article originally appeared on Electronic Frontier Foundation’s website on February 4th, 2019

Experts agree: Internet voting would be an information security disaster. Unfortunately, the Commonwealth of Virginia is considering a pair of bills to experiment with online voting. Pilot programs will do nothing to contradict the years of unanimous empirical research showing that online voting is inherently vulnerable to a variety of threats from malicious hackers, including foreign nations.

EFF strongly opposes Virginia H.B. 2588 and S.J.R. 291, and all online voting. Instead, EFF recommends that absentee voting, like all voting, be conducted with paper records and risk-limiting audits, the current state-of-the art in election security.

Read More

Verified Voting Blog: Verified Voting Recommends Hand-Marked Paper Ballots for Georgia to SAFE Commission

Verified Voting sent a letter to the Secure, Accessible, Fair Elections (SAFE) Commission on Friday, January 4 with their recommendations for a new voting system in Georgia. Read the letter below or download it here

Verified Voting submits the following statement endorsing hand-marked paper ballots that are scanned as the primary voting method for voters. Verified Voting respectfully requests that this statement be shared with the entire SAFE commission in advance of the next meeting scheduled for January 10, 2019.

Recommendation. In light of the pervasive security vulnerabilities of all electronic voting systems, including Ballot Marking Devices (BMDs), as well as the considerable cost of BMDs, Verified Voting Foundation endorses the use of hand-marked paper ballots as the best primary method for recording votes in public elections. BMDs do play an important role for some voters, including voters with disabilities, that prevent them from hand-marking paper ballots. However, the primary voting method for most voters should be hand-marked paper ballots.

Rationale. Hand-marked paper ballots offer better voter verification than can be achieved with a computerized interface. A paper ballot that is indelibly marked by hand and physically secured from the moment of casting is the most reliable record of voter intent. A hand-marked paper ballot is the only kind of record not vulnerable to software errors, configuration errors, or hacking. With hand-marked paper ballots, voters are responsible only for their own errors, while with a BMD, voters are responsible for catching and correcting errors or alterations made by the BMD. Consequently, well-designed hand-marked paper ballots combined with a risk-limiting post-election tabulation audit provide the gold standard for ensuring that reported election results accurately reflect the will of the people. Read More

Media Release: Election Security Experts Applaud City of Fairfax, VA and Orange County, CA for Leading in New Election Integrity Methods

New Reports from Verified Voting Show How Risk-Limiting Audits in California and Virginia Can Improve Election Security and Public Confidence

Robust post-election audits are changing the election security landscape and the City of Fairfax, Virginia and Orange County, California are leading the way. Risk-limiting audits (RLAs) of voter-marked paper ballots can promote election security and public confidence by providing rigorous statistical evidence that election outcomes match the ballots — and a means to detect and correct outcomes that don’t match. If the method is widely adopted it will bolster confidence in elections. In the months leading up to the midterms, the City of Fairfax and Orange County implemented pilot projects that, as documented in two new reports by the Verified Voting Foundation, with funding support from Microsoft, demonstrated the benefits of risk-limiting audits.

The “Pilot Risk-Limiting Audit” reports, released today at the MIT Election Audit Summit, detail how Orange County and the City of Fairfax conducted pilots — in June and August 2018, respectively — and how these pilots provide lessons for election officials and policymakers around the country. Read More

Verified Voting Blog: Why voters should mark ballots by hand | Andrew Appel

Because voting machines contain computers that can be hacked to make them cheat, “Elections should be conducted with human-readable paper ballots. These may be marked by hand or by machine (using a ballot-marking device); they may be counted by hand or by machine (using an optical scanner).  Recounts and audits should be conducted by human inspection of the human-readable portion of the paper ballots.”

Ballot-marking devices (BMD) contain computers too, and those can also be hacked to make them cheat.  But the principle of voter verifiability is that when the BMD prints out a summary card of the voter’s choices, which the voter can hold in hand before depositing it for scanning and counting, then the voter has verified the printout that can later be recounted by human inspection.

But really?  As a practical matter, do voters verify their BMD-printed ballot cards, and are they even capable of it?  Until now, there hasn’t been much scientific research on that question.

A new study by Richard DeMillo, Robert Kadel, and Marilyn Marks now answers that question with hard evidence:

  1. In a real polling place, half the voters don’t inspect their ballot cards, and the other half inspect for an average of 3.9 seconds (for a ballot with 18 contests!).
  2. When asked, immediately after depositing their ballot, to review an unvoted copy of the ballot they just voted on, most won’t detect that the wrong contests are presented, or that some are missing.

This can be seen as a refutation of Ballot-Marking Devices as a concept.  Since we cannot trust a BMD to accurately mark the ballot (because it may be hacked), and we cannot trust the voter to accurately review the paper ballot (or even to review it at all), what we can most trust is an optical-scan ballot marked by the voter, with a pen.  Although optical-scan ballots aren’t perfect either, that’s the best option we have to ensure that the voter’s choices are accurately recorded on the paper that will be used in a recount or random audit. Read More

Verified Voting Blog: An unverifiability principle for voting machines | Andrew Appel

This article was originally posted at Freedom to Tinker on October 22, 2018.

In my last three articles I described the ES&S ExpressVote, the Dominion ImageCast Evolution, and the Dominion ImageCast X (in its DRE+VVPAT configuration).  There’s something they all have in common: they all violate a certain principle of voter verifiability.

  • Any voting machine whose physical hardware can print votes onto the ballot after the last time the voter sees the paper,  is not a voter verified paper ballot system, and is not acceptable.
  • The best way to implement this principle is to physically separate the ballot-marking device from the scanning-and-tabulating device.  The voter marks a paper ballot with a pen or BMD, then after inspecting the paper ballot, the voter inserts the ballot into an optical-scan vote counter that is not physically capable of printing votes onto the ballot.

The ExpressVote, IC-Evolution, and ICX all violate the principle in slightly different ways: The IC-Evolution one machine allows hand-marked paper ballots to be inserted (but then can make more marks), the ExpressVote in one configuration is a ballot-marking device (but after you verify that it marked your ballot, you insert it back into the same slot that can print more votes on the ballot), and IC-X configured as DRE+VVPAT can also print onto the ballot after the voter inspects it.  In fact, almost all DRE+VVPATs can do this:  after the voter inspects the ballot, print VOID on that ballot (hope the voter doesn’t notice), and then print a new one after the voter leaves the booth. Read More

Verified Voting Blog: Continuous-roll VVPAT under glass: an idea whose time has passed | Andrew Appel

This article was originally posted at Freedom to Tinker on October 19, 2018.

States and counties should not adopt DRE+VVPAT voting machines such as the Dominion ImageCast X and the ES&S ExpressVote. Here’s why.

Touchscreen voting machines (direct-recording electronic, DRE) cannot be trusted to count votes, because (like any voting computer) a hacker may have installed fraudulent software that steals votes from one candidate and gives them to another. The best solution is to vote on hand-marked paper ballots, counted by optical scanners. Those opscan computers can be hacked too, of course, but we can recount or random-sample (“risk-limiting audit”) the paper ballots, by human inspection of the paper that the voter marked, to make sure.

Fifteen years ago in the early 2000s, we computer scientists proposed another solution: equip the touchscreen DREs with a “voter verified paper audit trail” (VVPAT). The voter would select candidates on a touchscreen, the DRE would print those choices on a cash-register tape under glass, the voter would inspect the paper to make sure the machine wasn’t cheating, the printed ballot would drop into a sealed ballot box, and the DRE would count the vote electronically. If the DRE had been hacked to cheat, it could report fraudulent vote totals for the candidates, but a recount of the paper VVPAT ballots in the ballot box would detect (and correct) the fraud.

By the year 2009, this idea was already considered obsolete. The problem is, no one has any confidence that the VVPAT is actually “voter verified,” for many reasons:

  1. The VVPAT is printed in small type on a narrow cash-register tape under glass, difficult for the voter to read.
  2. The voter is not well informed about the purpose of the VVPAT. (For example, in 2016 an instructional video from Buncombe County, NC showed how to use the machine; the VVPAT-under-glass was clearly visible at times, but the narrator didn’t even mention that it was there, let alone explain what it’s for and why it’s important for the voter to look at it.)
  3. It’s not clear to the voter, or to the pollworker, what to do if the VVPAT shows the wrong selections. Yes, the voter can alert the pollworker, the ballot will be voided, and the voter can start afresh. But think about the “threat model.”  Suppose the hacked/cheating DRE changes a vote, and prints the changed vote in the VVPAT. If the voter doesn’t notice, then the DRE has successfully stolen a vote, and this theft will survive the recount.  If the voter does notice, then the DRE is caught red-handed, except that nothing happens other than the voter tries again (and the DRE doesn’t cheat this time). You might think, if the wrong candidate is printed on the VVPAT then this is strong evidence that the machine is hacked, alarm bells should ring– but what if the voter misremembers what he entered in the touch screen?  There’s no way to know whose fault it is.
  4. Voters are not very good at correlating their VVPAT-in-tiny-type-under-glass to the selections they made on the touch screen. They can remember who they selected for president, but do they really remember the name of their selection for county commissioner? And yet, historically in American elections, it’s as often the local and legislative offices where ballot-box-counting (insider) fraud has occurred.
  5. “Continuous-roll” VVPATs, which don’t cut the tape into individual ballots, compromise the secrecy of the ballot.  Since any of the political-party-designated pollwatchers can see (and write down) what order people vote on the machine, and know the names of all the voters who announce themselves when signing in, they can (during a recount) correlate voters to ballots. (During a 2006 trial in the Superior Court of New Jersey, I was testifying about this issue; Judge Linda Feinberg saw this point immediately, she said it was obvious that continuous-roll VVPATs compromise the secret ballot and should not be acceptable under New Jersey law. )

Read More

Verified Voting Blog: Design flaw in Dominion ImageCast Evolution voting machine | Andrew Appel

This article was originally posted at Freedom to Tinker on October 16, 2018.

The Dominion ImageCast Evolution looks like a pretty good voting machine, but it has a serious design flaw: after you mark your ballot, after you review your ballot, the voting machine can print more votes on it!. Fortunately, this design flaw has been patented by a rival company, ES&S, which sued to prevent Dominion from selling this bad design. Unfortunately, that means ES&S can still sell machines (such as their ExpressVote all-in-one) incorporating this design mistake.

When we use computers to count votes, it’s impossible to absolutely prevent a hacker from replacing the computer’s software with a vote-stealing program that deliberately miscounts the vote. Therefore (in almost all the states) we vote on paper ballots. We count the votes with optical scanners (which are very accurate when they haven’t been hacked), and to detect and correct possible fraud-by-hacking, we recount the paper ballots by hand. (This can be a full recount, or a risk-limiting auditan inspection of a randomly selected sample of the ballots.)

Some voters are unable to mark their ballots by hand–they may have a visual impairment (they can’t see the ballot) or a motor disability (they can’t physically handle the paper). Ballot-marking devices (BMDs) are provided for those voters (and for any other voters that wish to use them); the BMDs are equipped with touchscreens, and also with audio and tactile interfaces (headphones and distinctively shaped buttons) for blind voters, and even sip-and-puff input devices for motor-impaired voters. These BMDs print out a paper ballot that can be scanned by the optical scanners and can be recounted by hand. Read More

Verified Voting Blog: David Jefferson: The Myth of “Secure” Blockchain Voting

Click here to download a pdf version of this blog

In the last couple of years several startup companies have begun to promote Internet voting systems, this time with a new twist – using a blockchain as the container for voted ballots transmitted from voters’ private devices. Blockchains are a relatively new system category somewhat akin to a distributed database. Proponents promote them as a revolutionary innovation providing strong security guarantees that can render online elections safe from cyberattack.

Unfortunately, such claims are false. Although the subject of considerable hype, blockchains do not offer any real security from cyberattacks. Like other online elections architectures, a blockchain election is vulnerable to a long list of threats that would leave it exposed to hacking and manipulation by anyone on the Internet, and the attack might never be detected or corrected. Read More

Verified Voting Blog: Verified Voting Testimony before the Pennsylvania Senate State Government Committee

Written Testimony of Verified Voting President Marian K. Schneider before the Pennsylvania Senate State Government Committee Public Hearing on Senate Bill 1249 and Voting Machine Demonstration, September 25, 2018. Download as PDF.

Thank you Chairman Folmer, Minority Chair Williams, and members of the Committee for allowing Verified Voting to submit written testimony in connection with the Senate State Government Committee hearing. We write to address the security risks presented for Pennsylvania’s counties and the need to expeditiously replace aging and vulnerable electronic voting systems. We urge the Committee to recommend that the Commonwealth appropriate adequate funding to permit counties to replace their aging electronic voting systems as soon as possible.

Verified Voting is a national non-partisan, non-profit research and advocacy organization committed to safeguarding elections in the digital age. Founded by computer scientists, Verified Voting’s mission is to advocate for the responsible use of emerging technologies to ensure that Americans can be confident their votes will be cast as intended and counted as cast. We promote auditable, accessible and resilient voting for all eligible citizens. Our board of directors and board of advisors include some of the top computer scientists, cyber security experts and statisticians working in the election administration arena as well as former and current elections officials. Verified Voting has no financial interest in the type of equipment used. Our goal is for every jurisdiction in the United States to have secure and verifiable elections.

There are two basic kinds of electronic voting systems in use in Pennsylvania: Direct recording electronic (DRE) or optical scan systems. Both types of systems are computers, and both are prepared in similar ways. The primary difference is that an optical scan system incorporates a voter-marked paper ballot, marked either with a pen or pencil or with a ballot marking device and that ballot is retained for recounts or audits. Optical scan systems leverage the speed of the computer to report unofficial results quickly. The presence and availability of that paper ballot provides a trustworthy record of voter intent and allows jurisdictions to monitor their system for problems, detect any problems, (either hacking or error), respond to them and recover by, if necessary, hand counting the paper ballots. Seventeen counties in Pennsylvania already benefit from the security protection of paper ballots. Read More

Verified Voting Blog: Serious design flaw in ESS ExpressVote touchscreen: “permission to cheat” | Andrew Appel

This article was originally posted at the Freedom to Tinker blog.

Kansas, Delaware, and New Jersey are in the process of purchasing voting machines with a serious design flaw, and they should reconsider while there is still time!

Over the past 15 years, almost all the states have moved away from paperless touchscreen voting systems (DREs) to optical-scan paper ballots.  They’ve done so because if a paperless touchscreen is hacked to give fraudulent results, there’s no way to know and no way to correct; but if an optical scanner were hacked to give fraudulent results, the fraud could be detected by a random audit of the paper ballots that the voters actually marked, and corrected by a recount of those paper ballots.

Optical-scan ballots marked by the voters are the most straightforward way to make sure that the computers are not manipulating the vote.  Second-best, in my opinion, is the use of a ballot-marking device (BMD), where the voter uses a touchscreen to choose candidates, then the touchscreen prints out an optical-scan ballot that the voter can then deposit in a ballot box or into an optical scanner.  Why is this second-best?  Because (1) most voters are not very good at inspecting their computer-marked ballot carefully, so hacked BMDs could change some choices and the voter might not notice, or might notice and think it’s the voter’s own error; and (2) the dispute-resolution mechanism is unclear; pollworkers can’t tell if it’s the machine’s fault or your fault; at best you raise your hand and get a new ballot, try again, and this time the machine “knows” not to cheat. Read More

Verified Voting Blog: Four ways to defend democracy and protect every voter’s ballot | Douglas W. Jones

This article was originally posted at phys.org.
As voters prepare to cast their ballots in the November midterm elections, it’s clear that U.S. voting is under electronic attack. Russian government hackers probed some states’ computer systems in the runup to the 2016 presidential election and are likely to do so again – as might hackers from other countries or nongovernmental groups interested in sowing discord in American politics.

Fortunately, there are ways to defend elections. Some of them will be new in some places, but these defenses are not particularly difficult nor expensive, especially when judged against the value of public confidence in democracy. I served on the Iowa board that examines voting machines from 1995 to 2004 and on the Technical Guidelines Development Committee of the United States Election Assistance Commission from 2009 to 2012, and Barbara Simons and I coauthored the 2012 book “Broken Ballots.”

Election officials have an important role to play in protecting election integrity. Citizens, too, need to ensure their local voting processes are safe. There are two parts to any voting system: the computerized systems tracking voters’ registrations and the actual process of voting – from preparing ballots through results tallying and reporting. Read More

Verified Voting Blog: The National Academies of Sciences, Engineering, and Medicine releases report on “The Future of Voting”

Today the National Academies of Sciences, Engineering, and Medicine released a report on election security, “Securing the Vote: Protecting American Democracy.” The Committee for The Future of Voting, which includes Verified Voting Board member Ron Rivest and Advisory Board member Andrew Appel, released the report at a public event in Washington, DC, where the report’s findings and key recommendations were discussed. Included in the Committee’s recommendations, which echo many of Verified Voting’s policies, were:

  • Human-readable paper ballots, made available for all elections as soon as 2018
  • State-mandated risk-limiting audits
  • Increased funding to state and local governments for cybersecurity and election infrastructure

In addition to Ron Rivest and Andrew Appel, Verified Voting’s own Barbara Simons, David Dill, Philip Stark, Matt Blaze, Doug Kellner, and Alex Halderman reviewed the report ahead of its release.

To read the full report and recommendations, visit nap.edu/FutureOfVoting