We cannot trust computers, communications, or officials with elections

Recently two serious structural flaws in computer chips have been disclosed (they were discovered several months ago). So far, the understanding is that one will be difficult to fix and the other impossible, without a new computer architecture.  See:  The World Grapples with Critical Computer Flaws <read>

We cannot say it enough, “Ultimately, computers cannot be protected from fraud and error.”

It is useful to take steps to test and protect computers and communication systems from fraud, hacking, and error. Yet, ultimately they cannot be fully protected – that was proven many years ago by Alan Turing, a consequence of his “Halting Problem”.

We also cannot trust officials to operate flawlessly.  We cannot trust them even to understand the science involved.  Many believe that air-gapped computers are safe from hacking, ignoring the science and the experience of STUXNET.

Fortunately, there are solutions.

Editorial:

The solution is software independence – that a voting system’s results not be dependent on software – that the system, electronic and manual, will detect any error in hardware or software, providing the correct election result. That means paper ballots followed by sufficient ballot security, post-election audits, and where necessary full recounts. And:

Official independence – that a voting system does not depend on trusting officials. That there is sufficient transparency and public verifiability that citizens can independently verify all aspects of the voting process, including independently verifying that all votes were counted and totaled accurately.

Lots of Smoke in Broward County, after ballots destroyed

From Alternet via TruthOut: Was the Heated 2016 Democratic Primary Rigged for Debbie Wasserman Schultz?  <read>

In August 2016, Florida Congresswoman Debbie Wasserman Schultz faced off against progressive maverick and Bernie Sanders supporter Tim Canova — her first-ever primary challenger — after six terms in Congress…

Now new evidence of original ballots being destroyed and cast ballots not matching voter lists calls into question the results of that election…

According to a transcript of the November hearing, the attorney for the Supervisor’s office Burnadette Norris-Weeks claimed the ballots were destroyed, “Because they can’t just store hundreds and hundreds of thousands of boxes.”

It’s possible that lack of storage space is not the only reason Broward County officials wanted to destroy the ballots. Months of investigating the Supervisor’s office and analyzing election data reveal that in the vast majority of precincts in the race, the number of cast ballots does not match the number of voters who voted…

Canova is not the first one to take the Broward County Supervisor of Elections’ office to court. He is in line behind the Republican Party that sued in November of 2016 over absentee ballots being opened in secret, and a not-for-profit that sued in October last year when Broward County left a medical marijuana amendment off some ballots.

Problems with the county’s elections go further back than that. In 2006, according to documents provided by the Florida Fair Elections Coalition, the Broward County Supervisor of Elections’ office admitted to a “loss of data” that included over 100,000 ballot images.

We do not buy the explanations/excuses. Two respected computer scientists characterize it succinctly:

Duncan Buell, a professor of computer science at the University of South Carolina, said, “I see what I would call a high likelihood of massive incompetence. Either that or there is fraud. I don’t think you should see numbers this big in this many precincts.” Buell has examined election records extensively in South Carolina.

Douglas Jones, a computer science professor at the University of Iowa sputtered in disbelief at the data. “This is really weird.” He continued that they ought to be reconciling the number of voters with ballots and if they’re not doing it, “they’re grossly negligent.” Jones served on the Election Assistance Commission’s Technical Guidelines Development Committee for four years, but said “I’ve never seen a county that looks like this.”

This is reminiscent of 2004 across Ohio, where officials kept the ballots for the required time, yet worked to run out the clock on Freedom of Information requests. This helped Richard Hayes Phillips expose many issues there in his book Witness to a Crime.

We do applaud Florida and Ohio for their unquestioned stand that ballots are FOIable public records.

Just a step in the right direction: Merrill meets with Homeland Security

Secretary Merrill met with Homeland Security on Thursday:

Merrill Statement on Meeting with DHS Officials Regarding Election Cybersecurity

“Rosenberg, Gabe” <Gabe.Rosenberg@ct.gov>: Oct 27 04:57PM

“Yesterday, along with representatives from the state’s information technology and public safety departments, I met with regional officials from the United States Department of Homeland Security to discuss how we can work together to ensure that Connecticut elections are safe from outside interference or manipulation. We had a productive meeting and I look forward to working together in the months and years to come to protect our elections, the bedrock of our democracy.” – Denise Merrill, Connecticut Secretary of the State

Gabe Rosenberg
Communications Director
Connecticut Secretary of the State Denise Merrill

We applaud this step in the right direction.  Last year as leader of the National Association of Secretaries of State, Merrill opposed the designation of elections as critical infrastructure, leading in expressing the concern for a Federal take-over of elections. We were critical of that stand then and remain so.

In our opinion this is just a step. There are several aspects to election security/integrity that should be addressed. This step may assist in those that are under direct control of the State, yet less so those under local control.  It’s not an issue of a State take-over of local elections, but the impossibility of every town in the State doing what even the NSA has failed at – protecting their most sensitive systems from attack. Yet, like the NSA, the State is capable of doing ever better.

  • We need to protect our Centralized Voter Registration System (CVRS) from corruption and denial of service attacks on election day.
  • We need to protect the CVRS from incremental loss or corruption of data over time.  That means independently logging every add, change, and delete to the file, and balancing and auditing those changes against the database regularly, especially in the days and weeks before an election.
  • We need to make sure that if we use electronic pollbooks, there is a usable paper pollbook in every polling place and a copy of it in the Registrars’ Offices during every election.  We want to avoid the disaster that occurred in a NC county in the last election.
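
The logging, balancing and auditing described for the CVRS in the list above, sketched as an added example (not code from this site or from any state system): every change is appended to a hash-chained log kept apart from the database, the log is replayed, and the result is compared with a database snapshot. The record layout, voter IDs, actor names and sample data are constructed assumptions.

```python
import hashlib
import json

GENESIS = "0" * 64  # anchor for the first entry in the chain
FIELDS = ("seq", "op", "voter_id", "record", "actor", "when")


def _digest(prev_hash, body):
    """Hash one entry body together with the previous entry's hash."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_entry(log, op, voter_id, record, actor, when):
    """Record one add, change or delete in the independent log."""
    if op not in ("add", "change", "delete"):
        raise ValueError("unknown operation: " + op)
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = dict(zip(FIELDS, (len(log), op, voter_id, record, actor, when)))
    log.append({**body, "prev": prev_hash, "hash": _digest(prev_hash, body)})


def first_broken_link(log):
    """Index of the first edited, removed-from-the-middle or reordered entry,
    else None. Detecting a truncated tail needs the last hash stored elsewhere."""
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        body = {k: entry[k] for k in FIELDS}
        if (entry["seq"] != i or entry["prev"] != prev_hash
                or entry["hash"] != _digest(prev_hash, body)):
            return i
        prev_hash = entry["hash"]
    return None


def replay(log):
    """Rebuild the voter file that the logged changes should have produced."""
    state = {}
    for entry in log:
        if entry["op"] == "delete":
            state.pop(entry["voter_id"], None)
        else:  # "add" and "change" both carry the full record after the edit
            state[entry["voter_id"]] = entry["record"]
    return state


def reconcile(log, db_snapshot):
    """Balance record counts and list each record that disagrees with the log."""
    expected = replay(log)
    findings = []
    for vid in sorted(set(expected) | set(db_snapshot)):
        if vid not in db_snapshot:
            findings.append(("missing_from_db", vid))
        elif vid not in expected:
            findings.append(("unlogged_record", vid))
        elif expected[vid] != db_snapshot[vid]:
            findings.append(("unlogged_change", vid))
    return {"expected_count": len(expected), "db_count": len(db_snapshot),
            "balanced": len(expected) == len(db_snapshot), "findings": findings}


def build_sample_log():
    """Constructed sample: four adds, one change of town, one delete."""
    log = []
    for n, town in enumerate(["Avon", "Bethel", "Canton", "Derby"], start=1):
        append_entry(log, "add", "V%03d" % n, {"name": "Voter %d" % n, "town": town},
                     "registrar-a", "2017-10-0%dT09:00:00" % n)
    append_entry(log, "change", "V002", {"name": "Voter 2", "town": "Essex"},
                 "registrar-b", "2017-10-10T14:30:00")
    append_entry(log, "delete", "V004", None, "registrar-a", "2017-10-12T11:15:00")
    return log


# Constructed database snapshot: V002 was altered and V003 removed without a log
# entry, and V999 was inserted without one, so the record count still balances.
SAMPLE_DB = {
    "V001": {"name": "Voter 1", "town": "Avon"},
    "V002": {"name": "Voter 2", "town": "Darien"},
    "V999": {"name": "Voter 999", "town": "Avon"},
}

if __name__ == "__main__":
    sample_log = build_sample_log()
    print("first broken link:", first_broken_link(sample_log))
    print(json.dumps(reconcile(sample_log, SAMPLE_DB), indent=2))
```

In the constructed sample the record counts balance (3 and 3) even though three records disagree with the log, which is why the changes themselves are audited and not only the totals.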

Cybersecurity from “outside interference or manipulation” is insufficient. We must prevent insider attacks. We must be able to recover from “interference and manipulation”, since complete prevention is not possible. As we have said before, database and election integrity depends on Prevention, Detection, and Recovery.

  • We have paper ballots everywhere in Connecticut.  Yet, they need to be protected better.  In the majority of Connecticut municipalities they can be accessed by either Registrar for hours, undetected.  In many, they can be accessed by any official in the Registrars’ Offices, sometimes by other officials.  Without paper that we can trust there can be no detection or recovery from insider attack.
  • We need to have sufficient audits of results we can trust, from the accurate counting/adjudication of paper ballots to the totals reported by the State.  Where necessary, those audits should end in full recounts to determine and certify the correct winners.
  • We also need process audits to verify various aspects of the election process:  Comparing checkoffs to ballots counted; verifying ballot security; verifying the integrity of checkoffs to actual legal voters; the integrity of the absentee ballot process, from application integrity to mail delivery, signature verification, counting, etc.

We respond to Secretary Merrill’s testimony opposing audit transparency bill

Last Monday we testified for S.B. 540, a bill that would increase audit transparency and public verifiability.  The bill would:

  • Set common sense minimal standards for ballot security.
  • Set common sense prior public notice requirements for all aspects of the audits which should be transparent and publicly verifiable.
  • Based on sound science, make the recently implemented machine audits, manually verifiable, transparent, and publicly verifiable.

Our testimony <read>

Later we noticed that Secretary of the State, Denise Merrill, submitted testimony opposing one provision of the bill and therefore recommending against the entire bill. Her testimony <read>

Her testimony misinterpreted our bill, recommending against it based on something we did not ask for and was not part of the bill:

“My main objection is that it potentially jeopardizes the sanctity of ballot secrecy. Some people do initial or sign a ballot if a mistake is made. In smaller towns, deducing identity from these details is actually possible.

Creating images of ballots that anyone can take home and study could result in people’s ballots being posted online, something that we are already contending with vis-à-vis the voter file.”

She went on to suggest a solution similar to the one actually proposed in the bill.

“If there is public uncertainty about our new audit equipment or there is a desire to “audit the audit equipment” there are less intrusive ways to ensure accurate results such as a random sampling of ballots that can be compared to computerized results while at the audit session. These types of simple solutions could be implemented at no cost and with much less intrusion to the sanctity of our voted ballots.”

In response we wrote a follow-up letter to the GAE Committee.  Our letter <read>

The Secretary’s testimony incorrectly stated that S.B. 540 requires the posting of ballot images online. In fact, S.B. 540 does not require the release of ballot images to the public and does not require the posting of ballot images online.

S.B. 540 requires the release of Cast Vote Records (CVRs) to the public present at a machine audit, with no requirement for online posting.  CVRs are not ballot images. They do not include stray marks by voters. They are data records, one record for each ballot that contains the digital interpretation of the votes on the ballot, i.e., numbers indicating which bubbles on the ballot were filled in.  They are totaled to determine the votes for each candidate or question in the audit.

In the paper included in my testimony, CVRs are described:

“In a machine-assisted audit, the retabulation system produces an interpretation of votes on each ballot (a Cast Vote Record, or CVR) that can be matched with that ballot. The CVRs are exported from the retabulation system. Observers verify that these exported CVRs produce the same electoral outcome (winners, etc.) as the voting system. Then observers compare a random sample of actual ballots against the corresponding CVRs.”

There is no law in Connecticut exempting CVRs from the Freedom of Information Act. A quick survey of election officials and advocates indicates that CVRs for entire elections or audits are regularly provided to requesters in the states of AZ, NY, CO and SC. In SC, they are published online.
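
The two observer checks in the paper’s description of a machine-assisted audit, as an added example (not part of the testimony or of any audit system): total the exported CVRs and compare them with the reported results, then compare hand readings of a random sample of paper ballots with the matching CVRs. The CVR layout, ballot IDs, contest, seed and sample data are constructed assumptions.

```python
import random
from collections import Counter


def tally_cvrs(cvrs):
    """Total the exported CVRs: {contest: Counter({choice: votes})}."""
    totals = {}
    for cvr in cvrs:
        for contest, choice in cvr["votes"].items():
            if choice is not None:  # None marks an undervote
                totals.setdefault(contest, Counter())[choice] += 1
    return totals


def winners(totals):
    """Winner per contest; a tie is reported as None so it cannot pass silently."""
    result = {}
    for contest, counts in totals.items():
        ranked = counts.most_common(2)
        tied = len(ranked) > 1 and ranked[0][1] == ranked[1][1]
        result[contest] = None if tied else ranked[0][0]
    return result


def outcome_check(cvrs, reported_totals):
    """Check 1: do the exported CVRs reproduce the voting system's outcome?"""
    cvr_totals = tally_cvrs(cvrs)
    reported = {c: Counter(v) for c, v in reported_totals.items()}
    differences = {}
    for contest in set(cvr_totals) | set(reported):
        a = cvr_totals.get(contest, Counter())
        b = reported.get(contest, Counter())
        delta = {ch: a[ch] - b[ch] for ch in set(a) | set(b) if a[ch] != b[ch]}
        if delta:
            differences[contest] = delta
    return {"same_winners": winners(cvr_totals) == winners(reported),
            "count_differences": differences}


def draw_sample(cvrs, size, seed):
    """Check 2a: pick ballots using a seed generated in public at the session."""
    ids = sorted(c["ballot_id"] for c in cvrs)
    return sorted(random.Random(seed).sample(ids, min(size, len(ids))))


def compare_sample(cvrs, hand_reads, sample_ids):
    """Check 2b: compare the hand reading of each sampled ballot with its CVR."""
    by_id = {c["ballot_id"]: c["votes"] for c in cvrs}
    discrepancies = []
    for bid in sample_ids:
        cvr, hand = by_id.get(bid), hand_reads.get(bid)
        if cvr is None or hand is None:
            discrepancies.append((bid, "<missing record>", cvr, hand))
            continue
        for contest in sorted(set(cvr) | set(hand)):
            if cvr.get(contest) != hand.get(contest):
                discrepancies.append((bid, contest, cvr.get(contest), hand.get(contest)))
    return discrepancies


# Constructed sample: ten CVRs for one contest and the totals the voting
# system reported for the same ballots.
_CHOICES = ["Alice", "Bob", "Alice", "Alice", "Bob",
            "Alice", "Alice", "Bob", "Alice", "Bob"]
SAMPLE_CVRS = [{"ballot_id": "B%04d" % n, "votes": {"Mayor": choice}}
               for n, choice in enumerate(_CHOICES, start=1)]
REPORTED = {"Mayor": {"Alice": 6, "Bob": 4}}

# Constructed hand readings: observers read ballot B0007 as a vote for Bob.
HAND_READS = {c["ballot_id"]: dict(c["votes"]) for c in SAMPLE_CVRS}
HAND_READS["B0007"]["Mayor"] = "Bob"

if __name__ == "__main__":
    print(outcome_check(SAMPLE_CVRS, REPORTED))
    sample = draw_sample(SAMPLE_CVRS, 4, "constructed-seed")
    print(sample, compare_sample(SAMPLE_CVRS, HAND_READS, sample))
```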

In addition to correcting her misinterpretation, we also pointed out our stand that voted ballots are, in fact, subject to Freedom Of Information requests in Connecticut.

PS: Although it is irrelevant to S.B. 540 we disagree with the Secretary’s interpretation that voted ballots or ballot images are exempt from Connecticut’s Freedom of Information Act (FOI).  We are not aware of an explicit exemption in Connecticut statutes. To our knowledge, FOI of ballots has never been tested before the FOI Commission or in court. We are aware of several states where ballots and ballot images are subject to FOI.

Testimony on bill to improve election audits, transparency, and security

Yesterday, we testified in support of our bill to improve the post-election audits, audit transparency, and ballot security.

  • Common sense reforms to require all aspects of audits to be transparent and open to the public.
  • Common sense reforms to establish minimal standards for ballot security.
  • Electronically Assisted Manual Audits that are transparent and publicly verifiable, based on sound science.

Here is our testimony  <read>

Security Against Election Hacking

From Freedom to Tinker, Andrew Appel: Security against Election Hacking – Part 1: Software Independence <read>

We have heard a lot lately about the vulnerabilities of our elections to hacking, both cyberhacking and unsophisticated insider attacks. Andrew Appel describes some common sense approaches to detect and deter error and fraud in our elections, covering three major vulnerabilities:

  • Incorrect or unavailable pollbooks
  • Voting machines
  • Accumulation of results across polling places and jurisdictions

Any of these computers could be hacked.  What defenses do we have?  Could we seal off the internet so the Russians can’t hack us?  Clearly not; and anyway, maybe the hacker isn’t the Russians—what if it’s someone in your opponent’s political party?  What if it’s a rogue election administrator?

The best defenses are ways to audit the election and count the votes outside of, independent of the hackable computers…

So the good news is: our election system has many checks and balances so we don’t have to trust the hackable computers to tell us who won.  The biggest weaknesses are DRE paperless touchscreen voting machines used in a few states, which are completely unacceptable; and possible problems with electronic pollbooks.

In this article I’ve discussed paper trails: pollbooks, paper ballots, and per-precinct result printouts.  Election officials must work hard to assure the security of the paper trail: chain of custody of ballot boxes once the polls close, for example.  And they must use the paper trails to audit the election, to protect against hacked computers (and other kinds of fraud, bugs, and accidental mistakes).  Many states have laws requiring (for example) random audits of paper ballots; more states need such laws, and in all states the spirit of the laws must be followed as well as the letter.

Read the full, brief article to understand the details of Appel’s recommendations.

In addition to paying attention to all these recommendations, Connecticut needs to improve its existing post-election audit transparency and the security of ballots, and to consider adding formal measures along these lines for checkoff lists and results reporting.

Marks questions marks: Colorado democracy black and blue

“Where there is smoke there is fire”.  We say, “Where there is black and blue there is a victim” and “When it quacks like a cover up, suspicion is justified”.  In this case we have ballots filled-in in black and blue with cross-outs. We suspect Colorado democracy is the victim.  From the Colorado Statesman:  State may or may not be probing ballot fraud in Chaffee County <read>

Colorado elections watchers who have been following the zig-zagging, on-again, off-again case of the 2012 Republican Primary Chaffee County ballots completed half in blue and half in black ink may get an answer soon whether or not state officials believe the ballots are evidence of election fraud.

Or they may get no answer at all…

According to the secretary of state’s office, 3,235 ballots were cast in the county election. Of those, 140 were marked partly in blue and partly in black ink, and another 43 were marked in varying ways — fully blackened squares side by side with dashed-off Xs, or neatly filled-in boxes alongside boxes scribbled over with messy scrawls — the kind of markings that show inconsistency and can raise suspicion that more than one person filled out a ballot.

In the fall of 2012 Marilyn Marks, a high-profile election integrity activist and proud thorn-in-the-side to election administrators, filed an open records request for ballots from several counties. She was concerned with the rules giving the public access to voted ballots and whether ballots could be traced to individual voters, in effect undermining the right to cast a secret ballot.

Chaffee County delivered color images of its ballots to Marks. And the images shocked her.

“They were so weird,” she said. “Here was one that was completed half in blue and then half in black. Well that’s odd, I think and move on. Then there’s another one. Then another one. What is going on here? I’m sure I said it out loud to myself.”

Marks showed the images to her lawyer and to fellow election activists, who agreed they were weird, and then she filed a complaint with the secretary of state.

I agree that this is highly suspicious.  I’ll go beyond that, based on my experience, this seems to be almost guaranteed fraud, likely by insiders after the fact.

I have personally reviewed thousands of ballots, perhaps 30,000, and been in the room while perhaps 100,000 have been reviewed by others in exactly 100 post-election audit counting sessions, about 10 recanvasses, as central-count Absentee Moderator, and leading the recount of 25,000 ballots in Bridgeport. I have seen a number of strange marks on ballots – they are usually brought to the attention of others in the room as they are so interesting and need adjudication to determine voters’ intent.  I have no statistics on strange marks, yet 43/3,235 seems possible, yet high.  Yet, I do not recall a single ballot in two colors or pen and pencil.  So, 140/3,235 all in blue and black is way out of line with experience.

It seems there is some official agreement that this is more than suspicious:

A few weeks later, in the middle of October, secretary of state’s office investigator Michael Hagihara found himself visiting the Chaffee County clerk’s office, where he conducted a two-day investigation. He talked to the elections staff, studied voted ballots, sealed up elections office ballpoints with the ballots and reviewed video of the elections staffers tallying the votes.

In an October 24, 2012, memo, Hagihara reported on the investigation for Secretary of State Scott Gessler, Deputy Secretary of State Suzanne Staiert and Director of Elections Judd Choate. Hagihara did not believe the county elections administration staff was to blame for any irregularities — but he did find irregularities. He determined that 140 ballots out of roughly 3,235 were filled out partly with blue and partly with black ink. He said those ballots “created serious questions as to the legitimacy of the votes cast.”

Read the entire article. The questions now are if anything is being investigated and if anything will be officially resolved.

Once again, a blow to those who claim there is no voting fraud.  A further justification of counting votes by scanner in public in polling places, limiting mail-in voting, and limiting central scanning, while arguing for requiring adversarial election officials in every operation.

TSA provides “Security Theater”, not “Peace of Mind”

The Intercept covers the lack of security and abundance of BS from the TSA: TSA Doesn’t Care That Its Luggage Locks Have Been Hacked  <read>

In a spectacular failure of a “back door” designed to give law enforcement exclusive access to private places, hackers have made the “master keys” for Transportation Security Administration-recognized luggage locks available to anyone with a 3D printer…

When the locks were first introduced in 2003, TSA official Ken Lauterstein described them as part of the agency’s efforts to develop “practical solutions that contribute toward our goal of providing world-class security and world-class customer service.”

Now that they’ve been hacked, however, TSA says it doesn’t really care one way or another.

“The reported ability to create keys for TSA-approved suitcase locks from a digital image does not create a threat to aviation security,” wrote TSA spokesperson Mike England in an email to The Intercept.

“These consumer products are ‘peace of mind’ devices, not part of TSA’s aviation security regime,” England wrote.

What reminders and lessons can we learn from this?

  • Government lies and covers up.
  • “Backdoors” to security defeat security, such as backdoors to encryption.  If there were no master keys then this particular hack would not have happened.
  • Like the Snowden revelations, publishing this information informs and protects the public.  Not publishing it only serves the criminals and protects the government.
  • This is similar to the hack of Diebold/ES&S/Dominion AccuVote-OS optical scanners used in Connecticut – the keys were hacked by using a photo in the Diebold online catalog for extra keys.  Like the TSA keys, every AccuVote-OS uses the exact same key, in the possession of thousands of election officials in every election and between elections, easily duplicated.
  • Except for the master keys the TSA locks would be a bit safer than the seals used to “secure” Connecticut’s scanner and ballot cases – primarily because TSA keys are used by consumers to protect their valuables from others – ballot and scanner seals are used to protect against the very same people who apply and open the seals.

For more on the vulnerability of seals see our past coverage <here> <and here>

Common Sense: Laws must be Sufficient, Enforceable, and Enforced

Note: This is the eleventh post in an occasional series on Common Sense Election Integrity, summarizing, updating, and expanding on many previous posts covering election integrity, focused on Connecticut. <next> <previous>

In one of his books, Gerry Weinberg pointed out that employee evaluations should be multiplicative, not additive; that is, the various dimensions of performance and capabilities should be multiplied rather than added to determine the overall value of an employee.  For example, if my writing and verbal communication are poor, no matter how much technical knowledge I have, what I can contribute is very limited; yet with just average skills in every other area matched with high technical knowledge, one can accomplish a lot.  Similarly, with great interpersonal skills yet poor technical judgement, I can be less than valuable!

There is an analogy with laws, including election laws.  Laws must be Sufficient, Enforceable, and Enforced, e.g.:

  • Sufficient – Laws have to be sufficient to prevent that which they are designed to prevent, or to protect what they have been designed to protect, e.g., in Connecticut we have weak ballot security laws: they do not protect all ballots until they are needed for post-election audits; some of the security requirements are ambiguous, open to multiple interpretations; and they are based on unwarranted trust in weak seals and entirely lack seal protocols.
  • Enforceable – There has to be a reasonable means of enforcing the law.  Once again, we point to ballot security in Connecticut where it is generally believed (ambiguous law) that two individuals from opposing parties must be involved in any access to ballots, yet most ballots are locked in cabinets in rooms with a single lock, with both registrars and often others having access to a key, along with a log of access maintained by an honor system.
  • Enforced – In reality the law must actually be enforced. In recent years we have seen many examples, from banking fraud and leaks of classified information by high-level officials to campaign finance laws.

We were reminded of these limitations today by an article, one among several recently, on the Federal Elections Commission: More Soft Money Hard Law <read>  The FEC is stymied by partisan gridlock.

We all have seen the lack of strong enforcement against the fraudulent activities of big banks, their management, and employees. Or, perhaps less known, existing trade agreements with environmental and labor protections which are ignored, rendering the provisions that sound powerful, generally meaningless.

So, whenever we ask for sufficient election laws, we remind that more is needed. They must also be enforceable and enforced. Missing one of these three components, all value is lost.

Two days at the Voting and Elections Summit

I always get rejuvenated with new ideas and camaraderie of a conference.  For the last two days I have participated in the Voting and Elections Summit in Washington, D.C.

If you or anyone you know needs help with registering to vote or absentee voting the source of help is the U.S. Vote Foundation or the Overseas Vote Foundation.

Three simple ideas stand out among the many things I learned and relearned:

  1. When we are concerned about every cost associated with voting, small and large, compare those costs to what we spend “spreading democracy” elsewhere.
  2. Contemplate what people spend in time and expense for the excitement of the Superbowl.  Why are we not similarly engaged in Election Day, where who wins is actually much more significant to our lives?
  3. Should we be at least as concerned with protecting and auditing paper ballots, as we are with the footballs used in the semi-finals?

Monday and Tuesday, I will be back at the Capitol considering what might be possible in the future, while wondering if we are willing to pay for a voting system worthy of the potential value of trustworthy elections, at the NIST Future of Voting Symposium II.  Yes, I went to the 1st Symposium and Connecticut benefited.