Author: Luther Weeks

Common Sense: Paper Ballots are Insufficient for Voting Integrity

Reminder: Myth #9 – If there is ever a concern we can always count the paper.

Note: This is the third post in an occasional series on Common Sense Election Integrity, summarizing, updating, and expanding on many previous posts covering election integrity, focused on Connecticut. <next> <previous>

Last time our post ended with, “Voter Verified Paper Ballots alone provide the opportunity for voting integrity, a necessary prerequisite for democracy. ‘Opportunity’ is insufficient.

Introduction

Voter Verified Paper Ballots (VVPBs) are a necessary condition for voting integrity, yet as they say “a chain is only as strong as its weakest link”.  VVPBs are only one link in a long chain that provides voting integrity, we might construct different chains with different links, but in the end, the entire chain must be complete and strong enough to provide voting integrity.

Three major segments of the chain of voting integrity:

  1. Democratic voting access and participation: This would include areas critical to an effective democratic process beyond counting votes accurately such as fair rights to vote, accurate voter registration, lack of voter suppression, ballot design, candidate access to the ballot, campaign financing mechanisms, along with voter access to candidate information, complete news, and sufficient education.
  2. A reliable and credible ballot chain of custody: Just like evidence in court, if we cannot trust the chain of custody of ballots then they can only provide a false confidence.
  3. Exploiting ballots to create voting integrity and credibility: Ballots never used, seldom used, or incorrectly used are as helpful as seat belts used improperly, or not at all. Ballots provide election integrity when used for timely and effective audits and recounts coupled with effective action.

In this post, we discuss item #3:

Exploiting ballots to create voting integrity and credibility

Ballots must actually be used for election integrity. This seems so simple it may seem unnecessary to point out, except that many voters and officials seem to believe merely employing optical scanners is sufficient – the cure for voting integrity concerns.  In our The Myths In the Nutmeg State, this is Myth #9:

Myth #9 – If there is ever a concern we can always count the paper.

Reality

The law limits when the paper can be counted.

  • Audits can protect against error or fraud only if enough of the paper is counted and discrepancies in the vote are investigated and acted upon in time to impact the outcome of the election.  See myths #1 and #2.
  • An automatic recount (called a recanvass in CT) occurs when the winning vote margin is within 0.5%. The polling place moderator or the Secretary of the State can call for a recanvass, but even candidates must convince a court that there is sufficient reason for a recount.
  • Recanvass by hand is not required by law.  In early 2008 the Secretary of the State reversed her policy of hand recanvasses.  We now recanvass by optical scanner.

Unlike Connecticut, some jurisdictions with paper ballots do not perform post-election audits or automatic recounts in any form.

To fully exploit paper ballots would require they be used in several ways in addition to the original election count (by hand or by optical scanner):

  • A thorough, complete, adversarial, manual hand recount on close elections. By thorough we mean checking each ballot to correctly classify it by voter’s intent and checking both sides the ballot for distinguishing marks which would disqualify the vote. By complete we mean reviewing absentee ballot and provisional ballot materials to make sure that appropriate ballots are counted and appropriate ballots are rejected. By manual hand count we mean that all counting is performed by human counters using counting and tallying methods that assure accuracy. By adversarial we mean one where all competing interests are represented in closely observing the classification and counting, have a right to object to the classification or procedures employed, and there are far means for resolving objections. By close election we mean one where there is more than a very small probability that errors in classifying votes, counting votes, qualifying ballots, or tallying errors could have caused a result different than the voters’ intentions in the original count.
  • Comprehensive, statistically meaningful, effective post-election audits. Audits approaching the standards in the Principles and Best Practices for Post-Election Audits and The League of Women Voters Report on Election Auditing. By Comprehensive we mean auditing all ballots cast including those originally counted by hand or by machine, and with all contests at least subject to selection for audit. We advocate for optical scanning followed by audits, those who advocate for counting exclusively by hand, should not trust that original hand count and should also insist on post-election audits. (We also point out that beyond the paper ballots, comprehensive election auditing should include auditing the whole voting process). By statistically meaningful we mean auditing enough paper and analyzing results such that strong statistical confidence in the result can be determined. By effective we mean the results of audits are used consistently for improving the election process, determining what levels to set for automatic close election recounts, and lead to full recounts when the audit cannot guarantee a high confidence in the original reported result.
  • Candidate and public directed audits. Candidates and the public (at least in the case of ballot questions) should be given the right to select ballots for audit or recount either as part of post-elections audits or by paying the cost of such audits. Given such rights, questioned results in specific districts could be selected for audit or recount to satisfy the concerns of candidates and the public.
  • Public access to the ballots. Several states provide for public review of ballots under freedom of information laws and other means. Such access has been used to instill public confidence in the process and also to confirm suspicions based on statically irregular results. When possible ballots should be posted to the web, rather than requiring access that is expensive and time consuming for officials, candidates and the public.

This is our list, let us know if we have missed another valuable use for ballots. Paper ballots are necessary but insufficient for election integrity. Using the ballots as we have described is also necessary for voting integrity. Yet, we must insure that the ballots audited, recounted, or accessed by the public are actually the ones cast by voters. Sometime soon we will discuss the chain of custody!

Video-Cure for Internet voting – WARNING: Viewing may cause severe, permanent eInSecurity

For better and for worse the seriousness of the vulnerability goes well beyond what was reported two days ago; goes well beyond Internet voting in D.C; serious issues going well beyond voting.

Testimony earlier today by Prof. Alex Haldeman to Washington D.C. Council.  As reported two days ago Alex and his team hacked, changed votes, and played the U. Michigan Fight Song on public test of D.C.’s proposed Internet voting system.  Without their testing, the system might well have been used and possibly abused in the actual November election.

For better and for worse (*) the seriousness of the vulnerability goes well beyond what was reported two days ago; goes well beyond Internet voting in D.C; serious issues going well beyond voting.

I highly recommend taking the time to watch the video at least Alex’s testimony. which is the 1st 20min or so of the hearing.  It it is also worth taking the time to listen to the questions and answers by the other experts testifying as well. WARNING: Viewing will likely raise severe, permanent distrust in any Internet system. <Video, courtesy Joe Hall>

I challenge any election official, legislator, or any voter, to listen to the entire video, then to support Internet voting and explain why these experts are wrong.

You can also read Joe Hall’s summary of the “new key insights” <here>.  However, I strongly recommend taking them time for the video.

Update: Brad Friedman interviews Dr. David Jefferson <about 14 min in 1st hour>

Update: CNN demos and interview of Alex Haldeman <view>

Update: Washington Post editorial:  Flaws in D.C.’s online voting system should serve as a warning to all states <read>

(*) Better because there was much more demonstrated than the hacking of a single voting system. The large, apparently common risks of many government and private networks. Worse because it demonstrates really serious vulnerabilities to the infrastructure we trust for  much more than voting.

Internet Voting Faces The Music: Hats off to D.C. and Michigan

Testers submitting votes complained of the annoying music playing on their computer after votng. In short order the music was identified, leaving testers wondering why D.C. picked the Michigan Fight Song. Now all has been revealed and the problems went well beyond the music.

Will this clear demonstration of vulnerabilities cause states and Congress to sing a different Internet voting tune? We hope so, yet we doubt it.

The District of Columbia Board of Elections and Ethics has been gearing up for a Pilot Test of Digital Votes by Mail. They agreed to have the public test the value and security of there Internet voting system originally scheduled to be pilot(*) tested for the November election.

D.C. should be applauded by agreeing to this public test prior to the pilot. Some pointed out prior to the test that the testing time was too short and the notice too short – in the real world hackers would have a much longer opportunity to succeed. I point out that the test also does not show the most vulnerable part of the system – the opportunity for insiders, election officials, software vendors, hardware vendors, communications vendors, and support staff to change votes – the vulnerability where the fewest people could change the most votes.

Testers submitting votes complained of the annoying music playing on their computer after voting. In short order the music was identified, leaving testers wondering why D.C. picked the Michigan Fight Song. Now all has been revealed and the problems went well beyond the music.

Despite the time limitations, Alex Haldeman and his team from Michigan completely compromised the system <read>

We found a vulnerability in the way the system processes uploaded ballots. We confirmed the problem using our own test installation of the web application, and found that we could gain the same access privileges as the server application program itself, including read and write access to the encrypted ballots and database…

D.C. launched the public testbed server on Tuesday, September 28. On Wednesday afternoon, we began to exploit the problem we found to demonstrate a number of attacks:

  • We collected crucial secret data stored on the server, including the database username and password as well as the public key used to encrypt the ballots.
  • We modified all the ballots that had already been cast to contain write-in votes for candidates we selected. (Although the system encrypts voted ballots, we simply discarded the encrypted files and replaced them with different ones that we encrypted using the same key.) We also rigged the system to replace future votes in the same way.
  • We installed a back door that let us view any ballots that voters cast after our attack. This modification recorded the votes, in unencrypted form, together with the names of the voters who cast them, violating ballot secrecy.
  • To show that we had control of the server, we left a “calling card” on the system’s confirmation screen, which voters see after voting. After 15 seconds, the page plays the University of Michigan fight song. Here’s a demonstration

The specific vulnerability that we exploited is simple to fix, but it will be vastly more difficult to make the system secure. We’ve found a number of other problems in the system, and everything we’ve seen suggests that the design is brittle: one small mistake can completely compromise its security. I described above how a small error in file-extension handling left the system open to exploitation. If this particular problem had not existed, I’m confident that we would have found another way to attack the system.

One more complement to D.C.: Their primary election was September 14th.  On September 27th they released the results of their post-election audit and a likely unique random forensic audit of their voting equipment. They found some incorrect firmware versions! <read>

I wonder if any banks out there would dare offer a similar public test opportunity? Power utilities? Transportation?

There are several states planning Internet voting pilots under the MOVE Act. We and others have warned of the theoretical risks of Internet voting and specifically the pilot provisions of the otherwise valuable MOVE Act. Will this clear demonstration of vulnerabilities cause states and Congress to sing a different Internet voting tune? We hope so, yet we doubt it.

Update: Comments by David Jefferson at VerifiedVoting <read>

Computer security and election experts have been saying for over 10 years that the transmission of voted ballots over the Internet cannot be made safe with any currently envisioned technology. We have been arguing mostly in vain that:

1) Attacks can be remote: Internet voting systems can be attacked remotely by any government, any criminal syndicate, or any self aggrandizing individual in the world.

2) Effective defense virtually impossible: There are innumerable modes of attack, from very easy to very sophisticated, and if anyone competent seriously tried to attack an Internet election the election officials would have essentially no chance at successfully defending. The election would be compromised

3) Attackers may change votes arbitrarily: An attack need not just prevent people from voting (bad as that would be), but could actually change large numbers of votes, allowing the attackers to determine the winner.

4) Attacks may be undetected: An attack might go completely undetected. The wrong people could be elected and no one would ever know.

Prof. Halderman demonstrated all of these points

Update: Unfortunately amid our appreciation for the D.C. testing and auditing, they seem to demonstrate what I call a Miraculous Blind Faith In Science in their response: <read>

With all due respect to Mr. Jefferson, the lesson learned is not to be more timid, but more aggressive about solving the problem in exactly the way that we have chosen. Our task is to continue pursuing a robust, secure digital means for overseas voters to cast their ballot rather than resorting to e-mail or fax. As Thomas Edison famously said, “Nearly every man who develops an idea works at it up to the point where it looks impossible, and then gets discouraged. That’s not the place to become discouraged.”

The burden of proof will always rest with the election officials to ensure integrity and transparency of all voting systems, but the computer science community has a heavy burden as well. The computer science community needs to understand that this toothpaste is already out of the tube and no volume of warnings can put it back. Voters are currently casting ballots by e-mail and fax. We need to work together to find a better alternative.

Even more, voters expect that there will be a day when online voting will be as simple as paying bills or paying taxes. While there will always be citizens who choose to file their taxes on paper and there will always be voters who wish to visit their local polling place on Election Day, election officials know that voters expect, one day, to cast their ballot from their laptop.

With all due respect, science and technology have their limitations. We have yet to cure the common cold, make Reagan ‘s Star Wars vision a reality, or produce gold from sea water.  As we have pointed out before: Damn the science; Damn the integrity; If it feels good do it!

Update: Discussion D.C. Official vs. Pam Smith of Verified Voting <video>

*) Do not confuse Pilot testing with other for forms of testing such as demonstrations or prototype tests. Pilot testing implies using a system for actual use, but on a limited basis. An election pilot test would involve real ballots, real voters, in an actual election, counting those votes to determine the declared winner of the election and the course of democracy. We note D.C. seems also to be using the phrase testing of the Pilot for its public test, hopefully not to be confused with the Pilot itself, originally scheduled for November.

Will The World’s Largest Democracy beat the U.S. to full VVPR?

Scientists and Whistleblower(s) made their point. Now, India heading toward all voter verifiable paper records.

In late August we covered the arrest of voting integrity advocate Hari Prasad for receiving a voting machine used in India for testing. Researchers with the help of Whistleblower(s) obtained the voting machine and demonstrated its vulnerabilities.

Now, encouraging news from India, via Rop Gonggri. <read>

Yesterday there was a meeting of all the national political parties in India, and it appears the ECI has finally given in: they are now looking at alternatives where the voter sees his/her vote on a piece of paper which can be counted by hand. Here, they also did that, which was just a first step to having the machines scrapped. It’s going to be interesting to see whether the Indian government thinks they can drag on the existing solution until something new is ready. (They tried that here, didn’t work.)

Too early to cry victory, but certainly another big step forward. Now the charges against Hari Prasad, the man who spent time in jail for daring to notice that the emperor had no clothes on, need to be dropped (TODAY GENTLEMEN!) and Hari needs to be fully rehabilitated. Then a strict deadline for scrapping black-box voting needs to be imposed. Then the details of any new voting system need to be worked out. There is already talk of allowing a hand-count only if a judge permits it, which is of course far too restrictive.

Currently the U.S. is a mixture of paper ballots, optical scan paper ballots, DREs (Touch Screen) with Voter Verifiable Paper Records (VVPR(*)), and DREs with no paper voter verifiable record. India is all a simple electronic machine with no paper record.

I would not go quite as far as Rop.  He would have paper ballots with all hand counting. I believe we are better off with paper ballots and optical scanning giving the record of occasional official shenanigans and the spotty record in manual counting by Connecticut officials.

(*) VVPR, Voter Verifiable Paper Records include those produced by DREs and Paper Ballots – paper ballots are much preferred, since they must be filled out by voters.  The paper records produced by DREs are inconvenient to verify and are often not actually verified by voters.

Video: The Real Story: Jerry Farrell, SOTS Candidate

“Two key things the next Secretary must solve”:

  • Voting for the disabled
  • Military Voting – getting the ballot back in time

Secretary of the State candidate Jerry Farrell was interviewed on Fox News, The Real Story <video>

For a while I thought we would never get to elections, but the interviewer did bring them up near the end. Overall a good introduction to Jerry and his qualifications. All open-ended, softball questions. Hopefully other candidates will be given the same opportunity to showcase their qualificatons.

“Two key things the next Secretary must solve”:

  • Voting for the disabled
  • Military Voting – getting the ballot back in time

Product Liability: It is not just for consumers

The opportunity is for Secretaries of State and Attorneys General in states harmed by poor products to take advantages of documented defects like those uncovered by UConn, learn of those defects based on studying submissions required by California’s law, and aggressively following Ohio’s example of redress.

Consumers can study product quality by reading Consumer Reports. When products do no perform as advertised we can recover damages under tort law, class action suits, or occasionally rely on actions by consumer protection agencies or state attorney’s general. Similar actions options are open to election officials when voting equipment proves problematic or fails to perform intended functions.

Two years ago in the Outsourced State, we discussed the Voters Unite report, Vendors are Undermining the Structure of U.S. Elections. Two recent developments in Ohio and California show the way aggressive election officials could obtain redress for  election equipment inadequacies like those recently documented by the University of Connecticut (UConn).

Product Defect Example
Recall that memory card failures have plagued our Diebold/ES&S/Dominion AccuVote-OS optical scanners for several years. Depending on the study somewhere between 5% and over 10% of memory cards are completely unreadable when subject to pre-election testing. After years of problems reported in Florida and Connecticut (Presumably occurring but not reported in other states that also use the AccuVote-OS, such as other New England states), UConn recently released a report that a major component of the problem is a product design flaw: The battery test is not able to detect those with low power remaining. Thus when memory cards are tested before each election, the test fails to detect many cards that cannot make it through the election.

An Aggressive Secretary of State Shows The Way
Led by Secretary of State, Jennifer Brenner, Ohio recently won a settlement with Diebold over a software error that caused problems in the 2008 election. <read>

The settlement (PDF) is the result of contract claims made in a lawsuit filed by Secretary Brunner in 2008 regarding problems some counties had encountered with their Premier voting systems. It comes after months of negotiations that involved the Secretary of State’s office, 47 counties that use Premier equipment, and Premier Election Solutions, Diebold, Inc., and Data Information Management Systems, Inc. (a separate company that markets and services voter registration systems to various Ohio counties.)

Among the highlights of the settlement for counties who decide to participate:

  • A total $470,424 of one-time payments to the 47 counties using Premier voting equipment.
  • At the option of each county using Premier voting equipment, up to $2.4 million worth of free software licensing for the voting machines for two years.
  • Each Premier county is eligible to receive free, new AccuVote TSX DRE voting machines equal to up to 15 percent of the number of machines the county already has – which adds up to a potential 2,909 free voting machines for the counties.
  • A 50 percent discount in maintenance fees if a county chooses continuing voting system maintenance from Premier.
  • A 50 percent discount for new generation precinct-based optical scan voting machines, if a county chooses to switch from an electronic touch screen voting system to a paper ballot optical scan voting system.
  • County boards of elections are not bound by the settlement to select Premier as their vendor for services, and they retain the right to negotiate with other vendors who offer certified voting equipment in Ohio, even if they accept the county’s one-time payment from Premier.

New California Law Destined To Help
Led by Secretary of State Debra Bowen, California recently passed a law that is destined to discourage vendors from hiding defects in their systems and to publicize such defects to other states <read>

“Reliable voting systems are critical to a successful democracy, but also to people’s confidence in the electoral process,” said Secretary Bowen, who sponsored similar legislation that the Governor vetoed last year. “Companies that make cars, toys and thousands of other products have to report product flaws and even issue recalls of seriously troubled items. There is no reason that the same philosophy of transparency should not apply to the voting equipment on which millions of Californians rely to record and tally their votes.”…

Beginning January 1, voting system vendors and ballot manufacturers will be required to notify the California Secretary of State, in writing, of every known problem in their respective systems. In turn, the Secretary of State is required to submit a report of all disclosed problems to the U.S. Election Assistance Commission (EAC), making it possible for voters and elections officials in all states to benefit from California’s transparency. Companies may be liable for civil penalties of up to $50,000 per violation for failing to disclose known product flaws

In recent years, undisclosed defects with voting or ballot systems came to light only after incidents in Humboldt, San Francisco, Sutter, Calaveras and Yolo Counties. Errors were caught by government officials or election observers, and no election results were compromised. “Voters have to put their faith in a voting system every time they cast ballots,” added Bowen. “This new law helps ensure that faith need not be blind.”

The Brennan Center for Justice recently recommended a similar solution national database, Voting System Failures: A Database Solution, as discussed on NPR. Perhaps California’s law will accomplish most of the same objectives, starting sooner.

The opportunity is for Secretaries of State and Attorneys General in states harmed by poor products to take advantages of documented defects like those uncovered by UConn, learn of those defects based on studying submissions required by California’s law, and aggressively following Ohio’s example of redress.

A Tale In Three Ballots

Now that Connecticut voters are used to optical scan ballots, perhaps it is time to revisit ballot design in the “land of steady habits”. Perhaps one of those habits could be continuous improvement! We hear a lot about increasing participation in elections. Creating a better ballot can increase the number of voters willing to vote, and their satisfaction with the process.

Bo Lipari published his testimony on the recent New York Primary <read>

It is all interesting reading. I find two points of particular interest.  Bo’s comments on how excessive problems were attributed to the optical scanners and on the limitations of New York’s full face ballot requirement, that is not all that different from Connecticut’s:

media reports too often implied that all problems were machine problems, but in fact while some voting machines certainly did fail to perform as expected, these reports were in the minority. By far the largest number of problem reports were administrative and legislative issue…

Hard to Read Ballots – The single most common complaint was ballots that were difficult to read. Let me be perfectly clear – ballot problem reports are not a machine problem, they are a political problem. New York Election Law requires the full face ballot, a grid layout where all candidates in all races are traditionally presented on a single page. Further, all candidates from the same party must appear in a single row or column. These and other requirements, like the confusing but obligatory party icon displayed in each box (which is all too easy to confuse with the fill-in oval), leave no choice but to use lettering far too small to be legible for far too many voters.

In the past, New York’s Legislature has not been inclined to eliminate the full face ballot despite calls to do so from civic groups. Truth be told, the full face ballot layout reinforces straight party line voting-it’s easy and natural to go straight down or across the party line filling in boxes, and so political parties tend to favor it. The full face ballot is a holdover from the days of lever machines and like those machines, it’s time has passed. New York’s current ballot design is a usability nightmare for voters. The grid layout is unclear and confusing; the small boxes are filled with unnecessary symbols; the typeface is far too small to be readable. Far better ballot designs are not just possible, they are necessary. I call on the Legislature to change New York State Election law and abolish the full face ballot requirement at the start of the new session.

The recent primary clearly demonstrated that New York voters desperately need a new, usable ballot design. Senators, you are the ones with the power, and the responsibility, to accomplish it.

I have been meaning to bring up ballot design for a while.  This is a good time with Bo’s excellent introduction to the subject.

Look at a sample Connecticut ballot it is in a grid just like a lever machine, one line per party and boxes for each candidate.  To most Connecticut voters this has been the way it has always been – the only way it can be. Most of us are clueless to other designs except for a vague understanding that in Florida in 2000 there was something worse called a “butterfly ballot” and something we nutmeggers understand how to read, not at all, the “punchcard ballot.”

What could possibly be better or worse than our familiar ballot?

Lets start with worse. New York’s ballots are similar to ours, but they require a complete full face ballot, with all the questions, offices, and candidates on one side of one page. In Connecticut we can use multiple sides and multiple pages for complex elections.  It gets worse, New York City requires candidate names in four languages and a party symbol in each box, take a look at a sample NY City Ballot courtesy of the NY League Of Women Voters. Part of which is below:

Now lets explore better. Another way of creating a ballot in other states is the so called, not partisan ballot, with each race getting a separate box on the ballot and the candidates listed with their party but without a party line.  Voters have to work a bit harder if they want to vote strictly along party lines and hopefully think a bit more about individual candidates and races. Here is an example from Minnesota.

Now that Connecticut voters are used to optical scan ballots, perhaps it is time to revisit ballot design in the “land of steady habits”. Perhaps one of those habits could be continuous improvement! We hear a lot about increasing participation in elections. Creating a better ballot might well increase the number of voters willing to vote, and their satisfaction with the process.

There is more to it than simply changing laws, and moving names and boxes around. The Brennan Center for Justice has a report, Better Ballots, discussing extensive ballot design considerations including usability testing – actually testing to see how well voters understand the ballot! Take a look at page 23 of their report to see a before and after example of a ballot similar to Minnesota’s. <Brennan Center Report>

Podcast: What’s the matter in Tennessee?

Allegations of massive election fraud, voter suppression, intimidation, and election manipulation in Shelby County, Tennessee. 10 candidates have filed a lawsuit.

Note to Connecticut voters: Instead of our check-off lists, many states require voter signed poll books. They can help resolve questions like those raised in Tennessee.

Allegations of massive election fraud, voter suppression, intimidation, and election manipulation in Shelby County, Tennessee. 10 candidates have filed a lawsuit.

  • Wrong database used which said voters had already voted – official explanation proves false
  • Over 5000 voters illegally turned away
  • 100% unverifiable voting, 100% unverifiable poll books.
  • 3221 more votes than voters recorded in poll books
  • White Republican candidates win in 70% black, democratic areas
  • Signed poll tapes found in trash
  • A month and a half after the election, the certified election results have not been released

Interview of Bev Harris by Brad Friedman. Bev says she has never heard so much lying by election officials and Bev has heard it all!

The interview starts about half way into the show. In the first half Brad defends Acorn and attacks the idea of massive voter fraud vs. election fraud <post with podcast>

All we can say is that where there is smoke [screens] there is often fire. And without transparency and credibility there will always be doubt.

Note to Connecticut voters: Instead of our check-off lists, many states require voter signed poll books. They can help resolve questions like those raised in Tennessee. In the podcast, Bev points out that the electronic poll books do not contain any voter signatures and are totally unverifiable. In Connecticut we use paper check-off lists. In many states voters must each sign paper poll books or lists, but in Connecticut it is a poll worker checking off names on the list. So we pretty much always have had the paper equivalent of the unverifiable system in use in Tennessee – there is no guarantee that a poll worker might by mistake check off the wrong name causing concern if you come in and your name is already checked off, or fraud could be created by checking off some extras and adding some corresponding ballots. An electronic system would be easier to manipulate on a large scale than a paper one. Yet a paper list with voter signatures can be verified to a much greater extent, can reduce the chance of the wrong voter being checked off or signed, and provide evidence to distinguish between a voter trying to vote twice and attempted fraud.

LWVCT: Voters Guide to Secretary of the State Candidates

Would you support legislation and funding to require post-election audits to be conducted by others than the same local officials who conducted the local election?

The League of Women Voters have published a guide to the Secretary of the State Candidates, listing their qualifications and their responses to two questions <read>

Jerry Farrell, Jr.
The Secretary of the State and local registrars of voters are responsible for both running our elections and conducting post-election audits of our voting machines. Would you support legislation and funding to require post-election audits to be conducted by others than the same local officials who conducted the local election? Please explain.

I do believe that there are improvements that can be made in the post-election audits that would enhance the credibility of the election process. It will be my responsibility to ensure that our elections are open and fair. I support having “outside auditors” as part of the post-election audit, as it would add to the transparency and legitimacy of both the audit and the election itself. I do believe that we need to approach the idea in a way that does not add to the financial burdens and mandates that municipal and state governments are facing.

Denise Wright Merrill
The Secretary of the State and local registrars of voters are responsible for both running our elections and conducting post-election audits of our voting machines. Would you support legislation and funding to require post-election audits to be conducted by others than the same local officials who conducted the local election? Please explain.

There is no greater mandate than to ensure elections are fair, open and accountable. The Secretary of the State randomly selects precincts to be audited and audits are open to the public. This provides accountability.

I believe that post-election audits should include third party review. I would work with the coalition that proposed these solutions to determine whether this could be achieved in a cost-effective manner. I would also review other recommendations made by the coalition such as requiring best practices and consistent procedures for post-election audits and propose legislation to conform our laws to those practices.

No responses were received from other candidates on the ballot.

Common Sense: The Indispensable Role Of Voter Verified Paper Ballots

Paper ballots filled out by voters are inherently “Voter Verified”. They provide the ultimate record of voters’ intent. They alone provide the opportunity for determining the exact result in close elections and the opportunity to verify the correct result in all elections. They alone provide the opportunity for public transparency necessary for real trust and confidence. Voter Verified Paper Ballots alone provide the opportunity for voting integrity, a necessary prerequisite for democracy.

Note: This is the second post in an occasional series on Common Sense Election Integrity, summarizing, updating, and expanding on many previous posts covering election integrity, focused on Connecticut. <previous> <next>

Among the heroes of our Democracy, George Washington has been called The Indispensable Man. When it comes to voting integrity, voter verified paper ballots play The Indispensable Role.

Perhaps there is an alternative. I’ll grant that paper might not be the only possible media. Voter verified stone tablets/ballots might work but are hardly realistic. Beyond a different permanent media, so far, no safe alternative has been proposed which has withstood scrutiny.

The alternatives that fail to pass scrutiny, so far:

  • Basic Touch Screen Electronic Voting (DREs)
  • DREs with “Voter Verified” Paper Trails
  • Internet Voting (including: Websites, Email, or Kiosk based)

Any form of voting that relies solely on computers for integrity is subject to fraud and error:

A hardware error could occur changing a program, or causing a touch screen or scanner to function improperly and unexpected, undetectably, to dramatically change a result – either on an individual voting machine or in transmitting or accumulating results.

An unscrupulous insider could change a program or function of a computer in a variety of ways that could be difficult or impossible to detect.

A voting machine could be programmed incorrectly to begin with, running correctly for years and then suddenly produce the wrong result on a particular set of ballots or based on the placement or spelling of a particular candidate’s name.

(It is not common sense that the spelling of a candidate’s name could change the result. It is common sense for experienced computer programmers. Programmers all have stories of mysterious problems. Believe it or not! I cannot send emails with my cell number including imbeded dashes ‘-‘, I can use periods ‘.” and other marks, I can use other phone numbers but not my particular cell number with dashes – the sent emails just plain disappear. I was using the cell number on my email signature.  It took months of lost emails, lost communications, interpersonal misunderstandings, changing software and email providers to no avail. until I stumbled onto this hard to believe fact. I still find it hard to believe, but it was repeatedly, rigorously tested to my amazed/dismayed satisfaction. As far as I can tell it is either a Microsoft or Apache bug which I have not pursued.)

No amount of testing or security can be sufficient to prevent such errors and fraud:

Based on Alan Turing’s Halting Problem it is impossible to determine, in general, that a computer program will do what it is expected to do in all possible circumstances. We could test many sequences of ballots and prove they are counted correctly, but in different circumstances the computer might function differently: A different set of ballots, a different sequence of their submission, submission at a different time, or with different time delays between ballots etc. could yield different results. In reality, it would be almost impossible to test each voting machine with a reasonable number of typical sets of ballots to provide reasonable levels of confidence, let alone test each machine before each election.

Beyond these basic, insurmountable obstacles, voting has unique challenges:

  • Resources are limited. Election officials, in general have limited computer and security expertise. Jurisdictions cannot afford the expertise to plan reasonably effective testing and security measures. They cannot perform extensive testing of single voting machines, let alone each machine before each election.
  • Election computers are programmed anew for each election. Past results do not imply that current programming is reliable or that new errors or fraud have not been induced.
  • Scanners or touch screens can go out of alignment or develop blind/weak spots and errors.
  • Security measures to prevent insider tampering with programming and computer chips would be prohibitively extensive, costly, and sophisticated.

Each of the current alternatives have their own limitations:

Touch screen (DRE) voting machines without paper trails do not have transparent records which can be verified by the voter or election officials after elections. There is no way for anyone to determine if a vote cast by a voter increased the vote for the correct candidates; no way for the public or officials to determine if the counters or electronic records of votes accurately reflect the voters’ actual choices.

Internet voting methods are subject to all the risks of the public and “private secure” Internets.  Sophisticated Government agencies and corporations are regularly subject to hacking (e.g. Google and the U.S. Defense Department). It is wildly optimistic and delusional  to expect voting jurisdictions or voting vendors to do as well, let alone better. Kiosks mitigate a few, but hardly all of these risks. Banks lose billions in ATM electronic fraud each year – once again, they are more sophisticated and can afford more to avoid costly fraud. And bankers have an advantage with double entry bookkeeping and customer receipts which provide means to detect fraud – means by definition unavailable to electronic voting. The recent extensive Wikileaks disclosure of government documents is an example of what a lone or very limited number of insiders can do in compromising the security of a system.

Paper trail DREs provide an inadequate substitute for voter verified paper ballots. The current paper trails are difficult to read for voters and officials and are frequently lost to jams oeundetected “out of paper” conditions.  A small percentage of voters actually verify their vote – fraud or error can misclassify a significant percentage of votes, with the smaller percentage verified chalked up to “I/you must have pushed the wrong button”.  Beyond this DREs are much more costly to purchase, operate, and audit than optical scanners.

The Bottom Line

It is theoretically impossible to develop a computer only voting solution that is not subject error and fraud. Beyond theory, common sense shows that proposed electronic voting systems are subject to error and insider fraud, with all but impossible testing and security requirements, well beyond the capabilities and resources available to election officials.

Paper ballots filled out by voters are inherently “Voter Verified”. They provide the ultimate record of voters’ intent. They alone provide the opportunity for determining the exact result in close elections and the opportunity to verify the correct result in all elections. They alone provide the opportunity for public transparency necessary for real trust and confidence. Voter Verified Paper Ballots alone provide the opportunity for voting integrity, a necessary prerequisite for democracy.

We will have much more to say.  “Opportunity” is insufficient.