Year: 2019

Kim Zetter investigates NC pollbook for Russian hack — And additional FL incidents!

From Politico: How Close Did Russia Really Come to Hacking the 2016 Election?

Why does what happened to a small Florida company and a few electronic poll books in a single North Carolina county matter to the integrity of the national election? The story of Election Day in Durham—and what we still don’t know about it—is a window into the complex, and often fragile, infrastructure that governs American voting…

The fact that so many significant questions about VR Systems remain unanswered three years after the 2016 election undermines the government’s assertions that it’s committed to providing election officials with all of the timely information they need to secure their systems in 2020. It also raises concerns that the public may never really know what occurred in 2016.

From Politico: How Close Did Russia Really Come to Hacking the 2016 Election? <read>

Why does what happened to a small Florida company and a few electronic poll books in a single North Carolina county matter to the integrity of the national election? The story of Election Day in Durham—and what we still don’t know about it—is a window into the complex, and often fragile, infrastructure that governs American voting…The infrastructures around voting itself—from the voter registration databases and electronic poll books that serve as gatekeepers for determining who gets to cast a ballot to the back-end county systems that tally and communicate election results—are provided by a patchwork of firms selling proprietary systems, many of them small private companies like VR Systems. But there are no federal laws, and in most cases no state laws either, requiring these companies to be transparent or publicly accountable about their security measures or to report when they’ve been breached. They’re not even required to conduct a forensic investigation when they’ve experienced anomalies that suggest they might have been breached or targeted in an attack.

And yet a successful hack of any of these companies—even a small firm—could have far-flung implications.

But VR Systems doesn’t just make poll book software. It also makes voter-registration software, which, in addition to processing and managing new and existing voter records, helps direct voters to their proper precinct and do other tasks. And it hosts websites for counties to post their election results. VR Systems software is so instrumental to elections in some counties that a former Florida election official said that 90 percent of what his staff did on a daily basis to manage voters and voter data was done through VR Systems software…

The company’s expansive reach into so many aspects of election administration and into so many states—and its use of remote access to gain entry into customer computers for troubleshooting—raises a number of troubling questions about the potential for damage if the Russians (or any other hackers) got into VR Systems’ network The company’s expansive reach into so many aspects of election administration and into so many states—and its use of remote access to gain entry into customer computers for troubleshooting—raises a number of troubling questions about the potential for damage if the Russians (or any other hackers) got into VR Systems’ network —either in 2016, or at any other time. Could they, for example, alter the company’s poll book software to cause the devices to malfunction and create long delays at the polls? Or tamper with the voter records downloaded to poll books to make it difficult for voters to cast ballots—by erroneously indicating, for example, that a voter had already cast a ballot, as voters in Durham experienced? Could they change results posted to county websites to cause the media to miscall election outcomes and create confusion? Cybersecurity experts say yes. In the case of the latter scenario, Russian hackers proved their ability to do precisely this in Ukraine’s results system in 2014.

Apparently NC is not the only suspicious incident related to VR Systems, and perfect for one Russian M.O.:

An incident in Florida in 2016 shows what this kind of Election Day confusion might look like in the U.S. During the Florida state primary in August 2016—just six days after the Russians targeted VR Systems in their phishing operation—the results webpage VR Systems hosted for Broward County, a Democratic stronghold, began displaying election results a half hour before the polls closed, in violation of state law. This triggered a cascade of problems that prevented several other Florida counties from displaying their results in a timely manner once the election ended…

If an attacker is inside VR Systems’ network or otherwise obtains the VPN credentials for a VR Systems employee, he can potentially remotely connect to customer systems just as if he were a VR Systems employee. When it comes to Russian hacking, this threat is not theoretical: It is precisely how Russian state hackers tunneled into Ukrainian electric distribution plants in 2015 to cause a power outage to more than 200,000 customers in the middle of winter.

VR systems was likely successfully hacked:

The Mueller report goes a step further. It says that not only did Russian hackers send phishing emails in August 2016 to employees of “a voting technology company that developed software used by numerous U.S. counties to manage voter rolls,” but the hackers succeeded in installing malware on the unidentified company’s network. The Mueller investigators write: “We understand the FBI believes that this operation enabled the GRU [Russia’s military intelligence service] to gain access to the network of at least one Florida county government.”… Since the Mueller report was published earlier this year, it has been confirmed that two Florida counties were hacked by the Russians after receiving phishing emails…

It is possible that the reports from Mueller and the NSA are wrong, and that their authors—with no firsthand knowledge of events and with limited details about what occurred—mistakenly concluded that the phishing campaign against VR Systems was successful…

The fact that so many significant questions about VR Systems remain unanswered three years after the 2016 election undermines the government’s assertions that it’s committed to providing election officials with all of the timely information they need to secure their systems in 2020. It also raises concerns that the public may never really know what occurred in 2016.

Its a long article, well worth reading. There are many details supporting and going  beyond what we have highlighted here.

*****Update from Kim Zetter 1/02/2020 Election probe finds security flaws in key North Carolina county but no signs of Russian hacking  <read>

“Absence of evidence shouldn’t be mistaken for evidence of absence,” said Susan Greenhalgh, vice president of policy and programs for National Election Defense Coalition. “I would hope the lesson learned here is that we need to be vigilant about irregularities from their onset … and promptly initiate investigations to rule out malicious cyber events.”

 

BMD’s are dangerous to democracy

One of the key issues this year is the purchase of Ballot Marking Devices (BMDs) for all voters vs. Voter Marked Paper Ballots. In recent weeks, two board members have resigned from Verified Voting over a perception that VV is doing too much to tout Risk Limiting Audits (RLAs) of BMDs to the detriment of secure, evidence based elections.  An  extensive article in the NY Review of Books highlights the issues with BMDs: How New Voting Machines Could Hack Our Democracy. By mid-week Verified Voting had issued a clarification that states its general opposition to BMDs.

Editorial: We should not be wasting Federal and state money on BMDs except for those with disabilities. Instead, we should be using a portion of the savings on developing better BMDs that better serve those with disabilities.

One of the key issues this year is the purchase of Ballot Marking Devices (BMDs) for all voters vs. Voter Marked Paper Ballots. In recent weeks, two board members have resigned from Verified Voting over a perception that VV is doing too much to tout Risk Limiting Audits (RLAs) of BMDs to the detriment of secure, evidence based elections.  An  extensive article in the NY Review of Books highlights the issues with BMDs: How New Voting Machines Could Hack Our Democracy <read>

The problem cited by the two board members, Philip Stark and Rich DeMillo, was VV touting RLAs of BMDs, with that publicity used as evidence in court by vendors refuting claims of the inadequacy of BMDs.

By mid-week Verified Voting had issued a clarification that states its general opposition to BMDs:  Verified Voting Blog: Verified Voting Statement on Ballot Marking Devices and Risk-limiting Audits <read>

Verified Voting strongly advocates for best practices, including hand-marked paper ballots (with some judicious use of BMDs), careful voter verification of machine-marked ballots, strong chain of custody for all paper ballots, proper ballot accounting, and risk-limiting audits to verify tabulations of paper ballots.

We have one nit with VVs position, when they say: “Verified Voting recommends that any electronic tabulation of paper ballots be checked by a risk-limiting audit.” We say that RLA, better described as Risk Limiting Tabulation Audits, are unsuitable for small contests. They are excellent for Statewide and Federal contests, yet at some point between that size and contests with a few thousand ballots the only actual RLA would be more costly or always degrade into a full recount.

From the Review of Books article:

Most leading election security experts instead recommend hand-marked paper ballots as a primary voting system, with an exception for voters with disabilities. These experts include Professor Rich DeMillo of Georgia Tech, Professor Andrew Appel of Princeton University, Professor Philip Stark of the University of California at Berkeley, Professor Duncan Buell of the University of South Carolina, Professor Alex J. Halderman of the University of Michigan, and Harri Hursti, who is “considered one of the world’s foremost experts on the topic of electronic voting security” and is “famously known for his successful attempt to demonstrate how the Diebold Election Systems’ voting machines could be hacked.” These scholars warn that even a robust manual audit, known as a Risk Limiting Audit, cannot detect whether a BMD-marked paper ballot has been hacked. BMDs instead put the burden on voters themselves to detect whether such ballots include fraudulent or erroneous machine marks or omissions—even though studies already show that many voters won’t notice.

For this reason, many analysts have cautioned against acquiring these new ballot-marking machines for universal use, but election officials in at least 250 jurisdictions across the country have ignored their advice. Georgia (all one hundred and fifty-nine counties), South Carolina (all forty-six counties), and Delaware (all three counties) have already chosen these systems for statewide use in 2020. At least one or more counties in the following additional states have done the same: Pennsylvania (for the most populous county, plus at least four more), Wisconsin (for Waukesha, Kenosha, Chippewa and perhaps more), Ohio (for the most populous county and others), Tennessee (for at least ten counties), North Carolina (for the most populous county), West Virginia (for the most populous county and at least one other), Texas (for at least Dallas and Travis counties), Kentucky (for the most populous county), Arkansas (at least four counties), Indiana (for the most populous county and at least eight others), Kansas (for the first and second most populous counties), California (again, for the most populous county), Montana (at least one county, though not until 2022), and Colorado (for early voting). New York state has certified (that is, voted to allow) one such system as well.

Editorial: We should not be wasting Federal and State money on BMDs except for those with disabilities. Instead, we should be using a portion of the savings on developing better BMDs that better serve those with disabilities.

 

We Told You So Dept: NPV Compact Author Admits One of Its Flaws

In the hypothetical that all states agreed to the compact, Aram thinks some election reforms would be in order:

“One of the things that I think should be done, that would need to be done, after enough states sign onto this but before it goes into effect – there should be some standardization of the balloting process, and the counting process, so we can get a reliable national tally.”..

“I’ve advocated for states to adopt this idea, but defer implementation until say 2032. So, Florida would adopt it today, but say ‘our adoption takes effect when you get to 270, but no earlier than 2032,” Amar said. “That would both give Congress time, in the meanwhile, to iron out any logistical wrinkles of the kind that you just mentioned. And it would also defuse the wrongheaded, but persistent, assumption that some people have that this is going to help one political party and hurt the other.”

Unfortunately, his recommendations do not go far enough to cure the problem he now recognizes..

Testimony in FL by Prof Vik Amer:  Bill Looks To Create ‘National Popular Vote,’ Lawmakers Hear From One Of The Idea’s Authors <read/listen>

In the hypothetical that all states agreed to the compact, Aram thinks some election reforms would be in order:

“One of the things that I think should be done, that would need to be done, after enough states sign onto this but before it goes into effect – there should be some standardization of the balloting process, and the counting process, so we can get a reliable national tally.”

That kind of overhaul would take time. For that reason and others, Aram wants his plan to have a delayed implementation.

“I’ve advocated for states to adopt this idea, but defer implementation until say 2032. So, Florida would adopt it today, but say ‘our adoption takes effect when you get to 270, but no earlier than 2032,” Amar said. “That would both give Congress time, in the meanwhile, to iron out any logistical wrinkles of the kind that you just mentioned. And it would also defuse the wrongheaded, but persistent, assumption that some people have that this is going to help one political party and hurt the other.”

Unfortunately, his recommendations do not go far enough to cure the problem he now recognizes. To implement the NPV there needs to be a Constitutional Amendment and reform of the Electoral Count Act.  We would need a sufficient uniform system, uniform franchise, enforceable and enforced to make a national popular vote system that would truly make every vote equal and verifiable. For more see our latest testimony before the CT General Assembly <read>

The arguments for and against BMDs go on, amidst expensive problems in PA

From Bloomberg  Expensive, Glitchy Voting Machines Expose 2020 Hacking Risks

Paper ballots may be safer and cheaper, but local officials swoon at digital equipment…

Cybersecurity experts are baffled by local election officials choosing the computerized voting machines. “It’s a mystery to me,” said Rich DeMillo, a Georgia Tech computer science professor and former Hewlett-Packard chief technology officer. “Does someone have 8 x 10 glossies? No one has been able to figure out the behavior of elections officials. It’s like they all drink the same Kool-Aid.”

The animus is mutual. At conferences, election administrators swap complaints about cyber experts treating them like idiots, said Dana DeBeauvoir, head of elections in Travis County, Texa

We have long agreed with all those calling for Voter Marked Paper Ballots. Paying double or more for machines that are risky and lead to long lines can most easily be explained by the extensive lobbying of election officials and legislative bodies.

From Bloomberg  Expensive, Glitchy Voting Machines Expose 2020 Hacking Risks <read>

Paper ballots may be safer and cheaper, but local officials swoon at digital equipment…

Her experience Nov. 5 was no isolated glitch. Over the course of the day, the new election machinery, bought over the objections of cybersecurity experts, continued to malfunction. Built by Election Systems & Software, the ExpressVote XL was designed to marry touchscreen technology with a paper-trail for post-election audits. Instead, it created such chaos that poll workers had to crack open the machines, remove the ballot records and use scanners summoned from across state lines to conduct a recount that lasted until 5 a.m.

In one case, it turned out a candidate that the XL showed getting just 15 votes had won by about 1,000. Neither Northampton nor ES&S know what went wrong…

But now, the machinery that was supposed to be the solution has spawned a whole new controversy, this time with national security at stake—the prospect of foreign states disrupting American elections…

Yet many state and local jurisdictions, like Northampton County, are buying a new generation of computerized voting machines ahead of the 2020 presidential election that security experts say are less secure and cost more—about $24 per voter, compared with $12 per voter in jurisdictions using a mix of the two systems, according to the University of Pittsburgh, which analyzed costs in Pennsylvania…

Cybersecurity experts are baffled by local election officials choosing the computerized voting machines. “It’s a mystery to me,” said Rich DeMillo, a Georgia Tech computer science professor and former Hewlett-Packard chief technology officer. “Does someone have 8 x 10 glossies? No one has been able to figure out the behavior of elections officials. It’s like they all drink the same Kool-Aid.”

The animus is mutual. At conferences, election administrators swap complaints about cyber experts treating them like idiots, said Dana DeBeauvoir, head of elections in Travis County, Texas, whose office purchased a computerized system DeMillo deplores. Hand-marked ballots are “a supremely horrible idea” cooked up by people in Washington “who have never had to really conduct an election,” she said.

We have long agreed with all those calling for Voter Marked Paper Ballots. Paying double or more for machines that are risky and lead to long lines can most easily be explained by the extensive lobbying of election officials and legislative bodies.

Editorial, Bridgeport Part 2: What could/should we do

Earlier we described the general situation with regard to the recent Bridgeport Primary and some steps in the wrong direction.<read part 1> Today we will discuss some steps that could be taken to prevent these same problems in Bridgeport, Hartford, Stamford, and elsewhere in Connecticut.

Increase Enforcement
Monitor Elections With Independent Monitors
Randomly Audit Absentee Votes, Envelopes, and Applications
Do for Elections What We Have Done for Probate

 

Earlier we described the general situation with regard to the recent Bridgeport Primary and some steps in the wrong direction.<read part 1> Today we will discuss some steps that could be taken to prevent these same problems in Bridgeport, Hartford, Stamford, and elsewhere in Connecticut.

Increase Enforcement:  Over at least the last dozen years all the state watchdog agencies have been under assault by the General Assembly. Faced with an increasing load of complaints the relatively small State Elections Enforcement Agency (SEEC) has been considerably reduced in size. The result has been slower and slower adjudication of cases, while the General Assembly mandated that many cases not dissolved in a year must be dismissed. A start would be aiming to double its size with additional administrative staff, yet mostly more investigators and lawyers.  The sooner the better as it takes years for a lawyer there to be fully knowledgeable and productive. We should also outlaw fines levied on officials being paid by their towns. (Maybe its just me, but when there is a blatant violation it makes no sense for the actual perpetrators not to bare the burden)  In significant cases we would like to see the violators replaced.

Monitor Elections With Independent Monitors: Last year, Bridgeport had a primary rerun twice because of absentee ballot problems.  The second time a monitor said to do it again.  That was a local individual who did a good job as far as we know, yet the answer is truly independent monitors, and not just for a couple primaries. Full time expert monitors should be assigned to repeat violators such as Bridgeport – for multiple years – paid to also get registrar certifications, all at the town’s expense.

Randomly Audit Absentee Votes, Envelopes, and Applications: Connecticut has post-election audits of polling place cast votes. We do not audit the centrally counted absentee ballots or the Election Day Registration ballots. We should go way beyond that and randomly select a % of absentee ballot envelopes, checklists, and applications for signature integrity, and voter interviews to determine how pervasive these problems are in every town across the state. Where necessary enforcement actions and expanded audits undertaken based on violations found.  Towns with a history of abuse should be subject to increased random selection in subsequent years. This should be a truly Independent Audit perhaps under the auspices of the State Auditors of Public Accounts or the SEEC.  The state’s history with the not truly independent post-election audit should be avoided.

Finally, a robust measure of prevention and professionalism that could make a huge difference in Connecticut Elections:

Do for Elections What We Have Done for Probate: Rationalize, Professionalize, Economize.

 

 

Editorial, Bridgeport Part 1: What NOT to do

Remember the 1st law of holes: “When you are in a hole, stop digging!”

The election integrity story in Connecticut lately has been the Bridgeport Primary where Marilyn Moore won the primary for mayor in the polling places and Joe Ganim won the absentee votes by enough to win by a comfortable margin of 270 votes, with an absentee margin of 3 to 1. You can read our Recent News links on our home page for more of the details. Bridgeport is known for absentee problems and a high energy absentee operation, mostly by party insiders who in this case support Ganim the incumbent. Yet the extent of this year’s operation seems to be even greater than usual. Neither campaign is looking very professional at this point.

The questions are: 1) To what extent has this operation resulted in lots of illegal absentee ballots? 2) To what extent did illegal activities change the result? 3) Should there be a rerun of the primary? 4) What should/can be done to prevent this from happening again in Bridgeport or anywhere in Connecticut? 5) What should not be done – what would not help?

We will address what not to do today and what we could do, later in part 2.

 

 

The election integrity story in Connecticut lately has been the Bridgeport Primary where Marilyn Moore won the primary for mayor in the polling places and Joe Ganim won the absentee votes by enough to win by a comfortable margin of 270 votes, with an absentee margin of 3 to 1. You can read our Recent News links on our home page for more of the details. Bridgeport is known for absentee problems and a high energy absentee operation, mostly by party insiders who in this case support Ganim the incumbent. Yet the extent of this year’s operation seems to be even greater than usual. Neither campaign is looking very professional at this point.

The questions are: 1) To what extent has this operation resulted in lots of illegal absentee ballots? 2) To what extent did illegal activities change the result? 3) Should there be a rerun of the primary? 4) What should/can be done to prevent this from happening again in Bridgeport or anywhere in Connecticut? 5) What should not be done – what would not help?

Here are my short answers to the first three questions, we will address what not to do today and what we could do, later in part 2.

  1. We will likely never know how many absentee ballots were issued illegally, how many votes were not completed by voters, and how many voters were intimidated. It is hard work to investigate each absentee vote and harder to prove if a particular vote was illegal.
  2. We will likely never know. There were illegal activities on both sides, yet clearly more on the Ganim side. Yet, maybe they actually won by legal active absentee promotion.
  3. Courts are very reluctant to call for rerun elections.  They are not only costly but bring out a different set of voters, a compressed time for legitimate absentee votes, less time for the election, and a change in voters because other races are not on the ballot.  Its a bit easier in municipal races where the actual election day could be conceivably be postponed as well as requiring additional an additional primary. One standard is proving that enough votes were compromised that the result could have changed. Another standard is any skulduggery or errors. Both are too stringent in our opinion, if you agree then it is a judgement call somewhere in the middle. My decision in this case would be for a rerun with strong, independent monitoring. Perhaps a creative solution, considering reality in Bridgeport would be a separate Mayoral ballot in November with Moore and Ganim with equal positions on the ballot.  Many courts would disagree. In this case, I suspect many would agree to a rerun.

Two things NOT to do:

Remember the 1st law of holes: “When you are in a hole, stop digging!”

Bad Idea #1: It has been suggested, even by the Secretary of the State, that what we need is more absentee voting, no-excuse absentee voting.  That would seem to be almost obviously the wrong thing to do, if you want to reduce absentee abuses. In fact, violating the current law requiring a valid excuse is one of the several frequent abuses in the recent primary. It would be like reducing illegal speeding by doubling the speed limit. There are many states claiming no significant increase in fraud when they went to no-excuse absentee voting.  We are skeptical of those claims, yet even if they are true, they are not Connecticut where we have a steady stream of  proven absentee fraud – including recent fraud in Bridgeport(last two primaries), Hartford, and Stamford. I have said it before, and I will say it again: We justified the Citizens Election Program because of a history of campaign finance problems, similarly we can and should ustify not expanding absenting voting because of a Connecticut record of ongoing of fraud. For more see or testimony in opposition in 2017:

Bad Idea #2: There was a proposal in the last General Assembly to let voters submit absentee ballot applications online, without signatures S.B. 156. One of the key ways fraudulent absentee ballots are created is by fraudulent applications, where voters attest to their excuse. On of the key ways fraud is discovered and proven is hand-writing analysis of those applications. A huge mistake. For more read my testimony against the bill: Would Remove Valuable Fraud Detection/Prosecution Tool.

Perhaps we will hear several more ideas for digging the hole deeper before this is over.

Reminder, Cybersecurity will never be enough

States and the Federal Government are pumping millions into cybersecurity and new voting systems. That is all good, especially when the new systems are for Voter Marked Paper Ballots and Ballot Marking Devices for those with disabilities. Yet ultimately, it can provide a false sense of security. No matter how strong the cybersecurity and the quality of software, based on Turing’s Halting Problem, it is impossible to secure a computer system from errors and hacking. it is also impossible to secure systems from insiders and others with physical access.

Today’s stories at The Voting News provide a reminder of current vulnerabilities:

How state election officials are contributing to weak security in 2020 | Joseph Marks/The Washington Post
Cyber firm examines supply-chain challenge in securing election ecosystem | Charlie Mitchell/InsideCyberSecurity.com
Editorials: Cyber attacks threaten security of 2020 election | Ray Rothrock/San Jose Mercury-News
Arizona: Is Arizona doing enough to protect 2020 elections? Computer security experts weigh in | Andrew Oxford/Arizona Republic
Georgia: Check-in computers stolen in Atlanta hold statewide voter data | Mark Niesse and Arielle Kass/The Atlanta Journal-Constitution
(PS: Instead stealing these computers they could have hacked them or the voting machines.)
Louisiana: New Louisiana election, same old voting machines | Melinda DeSlatte/Associated Press
New Jersey: Activists press for federal support to upgrade New Jersey’s vulnerable voting machines | Briana Vannozzi/NJTV News
North Carolina: Experts Warn of Voting Machine Vulnerabilities in North Carolina | Nancy McLaughlin/Greensboro News & Record
North Carolina: Voting equipment approval didn’t follow law | Jordan Wilkie/Carolina Public Press
Pennsylvania: Elections officials touted new electronic poll books. Now the city says they don’t work right. | Jonathan Lai/Philadelphia Inquirer

States and the Federal Government are pumping millions into cybersecurity and new voting systems. That is all good, especially when the new systems are for Voter Marked Paper Ballots and Ballot Marking Devices for those with disabilities. Yet ultimately, it can provide a false sense of security. No matter how strong the cybersecurity and the quality of software, based on Turing’s Halting Problem, it is impossible to secure a computer system from errors and hacking. it is also impossible to secure systems from insiders and others with physical access.

That is why we need:

  • Voter Marked Paper Ballots that can be audited and recounted to verify the machine results
  • Strong physical security and chain-of-custody for ballots
  • Best is publicly scanned and reported machine totals compared to the physical ballots

Op-Ed: Election Security Isn’t That Hard

Op-Ed in Politico by two former secretaries of state, one D and one R:  Election Security Isn’t That Hard

First, we need to dispel one misconception. Many people (including many election officials) believe that if a voting system or scanner is never connected to the internet, it will always be safe. Alas, that’s not the case…

What this means is that while we must make our election infrastructure as secure as possible, we need to accept that it is essentially impossible to make those systems completely secure.

Overall, we agree as far as this op-ed goes. Yet, Risk Limiting Tabulation Audits alone are not sufficient. We need additional audits to check the rest of the process, “process audits” e.g. chain-of-custody/ballot security audits, check-in process audits (appropriate voters allowed or excluded from voting?), accuracy of the voter registration database and lists etc.  Like many officials the authors focus on cyber attack, yet we must also protect our systems from insider attack. Connecticut has a way to go to meet these standards. We do have voter marked paper ballots and air-gaped systems. Yet we have insufficient protection of those paper ballots and insufficient election audits.

Op-Ed in Politico by two former secretaries of state, one D and one R:  Election Security Isn’t That Hard <read>

That’s not to say that it’s easy, particularly given the decentralized nature of our election administration system. Most states administer elections locally and only a few states have uniform equipment in each locality. For many years, election administration has been woefully underfunded, leading to wide variability in capacity and resources. But, as long as the equipment incorporates a voter-marked paper ballot, officials can adjust existing processes to instill confidence in elections, regardless of the equipment in place.

First, we need to dispel one misconception. Many people (including many election officials) believe that if a voting system or scanner is never connected to the internet, it will always be safe. Alas, that’s not the case…

What this means is that while we must make our election infrastructure as secure as possible, we need to accept that it is essentially impossible to make those systems completely secure.

We completely agree. Its important to take strong security measures to protect election systems – voting systems, registration systems – yet that can never be sufficient. We need systems, manual, and computer that are not dependent of electronics. Paper voter lists at every polling place to backup electronic pollbooks and online voter databases. Paper ballots to vote on when the systems fail or the power goes out. Independent audits and recounts of the paper to detect problems and to recover from errors, fraud, and disasters.

The three parts work together. Voter-verifiable paper ballots are required as a check on the computers that tabulate the ballots. The strong chain of custody prevents ballot box stuffing, as well as the theft or alteration of voted ballots. And ballot audits, known as Risk-Limiting Audits (RLAs), make it possible to recover from an attack, or even from malware or unintended mistakes, by randomly selecting ballots and using them to check the accuracy and correctness of the scanner.

It’s not enough to just have paper ballots – it’s also important that they be checked by voters. If a voter makes a mistake while marking her ballot or if a machine that marks a paper ballot for the voter misrecords the voter’s selections, then the voter’s choices will not be correctly counted. This is an important step to raise confidence in the validity of any system. A strong chain of custody also increases confidence.

Overall, we agree as far as this goes. Yet, Risk Limiting Tabulation Audits alone are not sufficient. We need additional audits to check the rest of the process, “process audits” e.g. chain-of-custody/ballot security audits, check-in process audits (appropriate voters allowed or excluded from voting?), accuracy of the voter registration database and lists etc.  Like many officials the authors focus on cyber attack, yet we must also protect our systems from insider attack.

Connecticut has a way to go to meet these standards. We do have voter marked paper ballots and air-gaped systems. Yet we have insufficient protection of those paper ballots and insufficient election audits.

 

Why ballot images fail as the record of an election

A new paper demonstrates how to steal an election by manipulating ballot images: Unclear Ballot: Automated Ballot Image Manipulation. In fact, it is a neat solution that changes the image before the CVR is created, in a way that would be hard to detect.

For the non-technical this may seem difficult, yet for those with the appropriate computer skills it is a straight-forward task. Then anyone with access to election computer systems could install the code maliciously, unknowingly, or under threat.

A new paper demonstrates how to steal an election by manipulating ballot images: Unclear Ballot: Automated Ballot Image Manipulation <read>

The current crop of election optical scanners count elections by creating ballot images, followed by processing those images to create a record of the votes on those images, storing those votes in a computer record known as a Cast Vote Record (CVR).  Some would audit elections by only examining the images, rather than the paper ballots. Such audits can be useful, yet are ultimately limited by the opportunity for the images to be manipulated.  The paper shows how easy that is. In fact, it is a neat solution that changes the image before the CVR is created, in a way that would be hard to detect.

From the paper:

Using computer vision techniques, we develop an algorithm that automatically and seamlessly manipulates ballot images, moving voters’ marks so that they appear to be votes for the attacker’s preferred candidate. Our implementation is compatible with many widely used ballot styles, and we show that it is effective using a large corpus of ballot images from a real election. We also show that the attack can be delivered in the form of a malicious Windows scanner driver, which we test with a scanner that has been certified for use in vote tabulation by the U.S. Election Assistance Commission. These results demonstrate that post-election audits must inspect physical ballots, not merely ballot images, if they are to strongly defend against computer-based attacks on widely used voting systems…

Uses for image audits. So long as image audits are not the sole mechanism for verifying election results, they do provide substantial benefits to election officials.Using an image audit vastly simplifies some functions of election administration,like ballot adjudication in cases where marks cannot be interpreted by scanners or are otherwise ambiguous. Image audits can be used to efficiently identify and document election discrepancies,

Read the paper. It shows why there is more to it than making a few marks on a ballot.

For the non-technical this may seem difficult, yet for those with the appropriate computer skills it is a straight-forward task. Then anyone with access to election computer systems could install the code maliciously, unknowingly, or under threat.