NJ: Questionable practices – Questioning courts and watchdogs

Rigged election or three human errors – we may never know for sure.

Update: All four parts of the series are now complete in one <.pdf>

It is significant that the Judge ordered a redo of the election. For the reasons stated, that may not be the best solution when the voters’ intentions are clear.

*************

Freedom To Tinker: NJ election cover-up <read>

The Court: The 2011 New Jersey Primary Election was held on June 7, 2011. In District 3 of Fairfield Township, Cumberland County, four individuals ran for two open seats on the Democratic Executive Committee. Following the election, the County Clerk certified the results as Vivian Henry, 34 votes; Mark Henry, 33 votes; Ernest Zirkle, 9 votes; and Cynthia Zirkle, 10 votes…

[Administrator of the Cumberland County Board of Elections] Ms. Hernandez claimed that she has programmed the voting machines in Cumberland County since June of 2008, to avoid the cost of the County of hiring a programmer. She further claimed that she mistakenly placed the position for Vivian and Mark Henry onto the position of Cynthia and Ernest Zirkle, and vice versa. This information was then put into the voting machine cartridge and sent to the warehouse for testing. The voting machine technicians inserted the cartridge into the voting machine and began the necessary testing. Ms. Hernandez then claims that the voting machine technicians did not catch her error in the programming…

On August 17, 2011, an expert retained by the Plaintiffs, Dr. Andrew W. Appel, made an inspection of the voting machine and the laptop, pursuant to the Order following the July 11 hearing. In conducting this inspection, Mr. Appel found certain concerns with the security procedures which the Administrator had put in place.

He also discovered that his ability to examine the Administrator’s WinEDS laptop was seriously compromised by what appeared to be an action that someone performed on the computer on August 16, 2011, which erased a number of files which Dr. Appel wanted to examine…

In response to the August 22, 2011 Order to Show Cause, the Attorney General filed a Certification of Jason W. Cossaboon, Sr., a Computer System Analyst employed by Cumberland County. Mr. Cossaboon, in his Certification, states that on August 16, 2011, he was asked by the Administrator to determine the date the hardening process was applied to the laptop used to program the voting machines. [editor’s note: I’ll explain “hardening” in the sequel article]

 

He apparently was not able to find a log file for the laptop to indicate the date the hardening was done. However, he states that while working on the laptop, he noticed the computer was running very slowly. As a result, he deleted certain “temporary files.” He also, for some reason, deleted the event view logs…

I do not know and may never know exactly why this election was defective. I have suspicions that something happened here that was improper and I even question whether something happened here that may have been criminal. And I strongly encourage the Attorney General to turn this over to the Attorney General Division of Criminal Justice, so that appropriate criminal investigators can conduct a full and complete investigation of this matter, to assure that criminality did not take place.

Although the Board of Elections and the Administrator maintain that human error was all that was involved here, for me to believe that I have to believe that three independent errors, human errors, occurred here, and that somewhat stretches my belief of common sense and reality, but it’s possible.

Accordingly, I am ordering a new election to be conducted on September 27, 2011.

To be continued. This is part one of four blog posts promised.

EVT/WOTE: When is the CT Recanvass law totally inadequate?

To be reasonably sure that the correct candidate is officially designated as the winner in a race with a write-in candidate, it would be prudent to assume the possibility of a 25% undercount of write-in votes. Then require a recount of all write-in votes in a race where the write-in candidate received at least 42% of the votes in a two candidate race (or 42% of the votes necessary to win in a more than two candidate race.)

Editor’s Note: August 8th and 9th, we attended the EVT/WOTE (Electronic Voting Technology / Workshop On Trustworthy Elections) in San Francisco. Over the next few days we will be highlighting several papers and talks from the conference.

We have criticized Connecticut’s recanvass law as inadequate in very close elections, where the result may depend on accurate adjudication of a handful or fewer votes where voters’ intent may be critical and subject to interpretation.

In a paper delivered yesterday, An Analysis of Write-in Marks on Optical Scan Ballots, researchers analyzed 100,000 ballots for write-in votes that might not have been counted correctly. They concluded that in that one sample, from one election in one jurisdiction, 16% of write-in votes were not counted by the Diebold/ES&S/Dominion-AccuVoteOS scanners. This means, according to my math, that if a write-in candidate in a two candidate race received 46% of the vote as counted by the scanner, it is quite likely that a rigorous hand count would show that candidate as the actual winner – reversing the election night apparent result.

This is not a problem with the scanners as designed. It is a problem with voters misunderstanding the write-in process. Nonetheless, in most states, like Connecticut, the voters’ intent should and does legally rule.

More research would be needed in more elections and on more ballot formats to determine the range of possible error in scanner counting of write-in ballots. The range might be 10% to 25% undercounted write-in votes depending on conditions. Connecticut uses those same AccuVote-OS scanners, yet a different ballot format. Our rate of undercounting could be higher or lower. In a race that was expected to be close with many write-in ballots a candidate might provide better voter education or bring out many inexperienced voters – once again, the undercount rate could vary either way.

Pending further research: To be reasonably sure that the correct candidate is officially designated as the winner in a race with a write-in candidate, it would be prudent to assume the possibility of a 25% undercount of write-in votes. Then require a recount of all write-in votes in a race where an apparently losing write-in candidate received at least 42% of the votes in a two candidate race (or 42% of the votes necessary to win in a more than two candidate race.)
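The break-even arithmetic behind the 46% and 42% figures above, as an added example (not from the original post or the cited paper). It assumes the scanner misses a fixed fraction of true write-in votes, counts every other vote correctly, and that shares are taken over scanner-counted votes; the function names and tallies are constructed, and the multi-candidate check goes beyond the two-candidate case in the text.

```python
from fractions import Fraction


def as_rate(undercount):
    """Convert an undercount rate such as 0.16 to an exact fraction in [0, 1)."""
    rate = Fraction(str(undercount))
    if not 0 <= rate < 1:
        raise ValueError("undercount must be at least 0 and below 1")
    return rate


def breakeven_share(undercount):
    """Counted share at which a write-in candidate is really tied (two candidates).

    With W true write-in votes, O opponent votes and undercount rate u, the
    scanner reports W*(1-u) write-ins, so the counted share is
    W*(1-u) / (W*(1-u) + O).  Setting W == O gives (1-u) / (2-u).
    """
    u = as_rate(undercount)
    return (1 - u) / (2 - u)


def recount_check(counted, write_in, undercount):
    """Decide whether an apparently losing write-in candidate could have won.

    counted    -- scanner tallies, e.g. {"write-in": 460, "named": 540}
    write_in   -- key of the write-in candidate in `counted`
    undercount -- assumed fraction of true write-in votes the scanner missed
    """
    u = as_rate(undercount)
    if write_in not in counted or len(counted) < 2:
        raise ValueError("need the write-in candidate and at least one opponent")
    if any(votes < 0 for votes in counted.values()):
        raise ValueError("tallies cannot be negative")

    w = counted[write_in]
    best_other = max(v for name, v in counted.items() if name != write_in)
    total = sum(counted.values())

    # Largest true write-in total consistent with the assumed undercount.
    possible = Fraction(w) / (1 - u)
    apparently_losing = w < best_other
    return {
        "counted_share": Fraction(w, total) if total else Fraction(0),
        "possible_write_in_votes": possible,
        "apparently_losing": apparently_losing,
        # Recount when the scanner says "lost" but the hand count could say "won or tied".
        "recount": apparently_losing and possible >= best_other,
    }


if __name__ == "__main__":
    for u in (0.16, 0.25):
        print(f"undercount {u:.0%}: break-even counted share "
              f"{float(breakeven_share(u)):.1%}")
    # Constructed tallies, not data from the paper.
    races = [
        ({"write-in": 460, "named": 540}, 0.16),
        ({"write-in": 420, "named": 580}, 0.25),
        ({"write-in": 430, "named": 570}, 0.25),
        ({"write-in": 300, "named A": 380, "named B": 320}, 0.25),
    ]
    for tallies, u in races:
        result = recount_check(tallies, "write-in", u)
        print(tallies, f"u={u:.0%}", "recount" if result["recount"] else "no recount")
```

Under this model the break-even share is 21/46 (about 45.7%) at a 16% undercount and 3/7 (about 42.9%) at 25%, so the 42% trigger sits just below the break-even point.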

Ohio 2004: Case Not Proven – Smoke yet no fire

Several sources have carried the following article from the Free Press. It seems the headline distorts the actual case: New court filing reveals how the 2004 Ohio presidential election was hacked <read>

A more accurate headline would be “New court filing confirms how the 2004 Ohio presidential election results could easily have been changed, undetected”.

Almost all systems are vulnerable to change by insiders, yet good systems have a variety of security measures, separation of duties, oversight, cross-checks, and audits to reduce the likelihood of inappropriate change while increasing the likelihood of skulduggery being detected.

Reading the article we see lots of evidence that the system was vulnerable to change by insiders, lack of controls, and a design that lends itself to undetected change. The circumstantial evidence seems consistent with a system designed to be vulnerable:

“SmarTech was a man in the middle. In my opinion they were not designed as a mirror, they were designed specifically to be a man in the middle.”

A “man in the middle” is a deliberate computer hacking setup, which allows a third party to sit in between computer transmissions and illegally alter the data. A mirror site, by contrast, is designed as a backup site in case the main computer configuration fails.

Add to that a system that seems overly complex and unnecessary to outsource, and that it was outsourced to a clearly partisan entity. We have lots of smoke, yet no proven fire. The headline is a disservice to election integrity:

  • Distortion harms the case for a history and a potential for fraud and error when claims are made that cannot be substantiated, especially if those who read quickly or are less logical spread the report and its claims. It subjects them and other voting integrity advocates to claims of distortion.
  • Distortion obscures the real story and learning available from the 2004 Ohio case. This is a seriously risky and vulnerable system, both from its complex, weak design and outsourcing to partisans. Election results should be accumulated by computer and human systems that we can trust.

This article and its diagrams add significant details to previous information covered three years ago by the Free Press, yet the case remains unproven. There is much to question in Ohio in 2004. Three years ago we also reviewed the book “Witness to a Crime” by Richard Hayes Phillips. It provides clear evidence of several instances of significant manipulations in that election; we have yet to hear of any of them refuted.

Round-Up: O Me O My O – Errors in Jersey and Fraud in Ohio

Editor’s Note: We frequently highlight stories of election error and fraud nationwide. We do this as a service to provide references to counter the frequent statements from election officials and legislators claiming no record of such errors and fraud.

O Me O My O –  How They Add Votes In Ohio

Secretary of State turns investigation over to prosecutors: Elections chief suspects voter fraud – Secretary of State seeks criminal investigation <read>

Looks like certain fraud and perhaps a strong case for prosecution:

Ohio Secretary of State Jon Husted wants the attorney general and the Lawrence County Prosecutor to determine if a group of Democrats attempted voter fraud in the 2010 general election.

If so, it could mean prison time and a fine for anyone convicted of these crimes.

On Tuesday Husted turned over to Mike DeWine and J.B. Collier the findings of his investigation into the applications of 119 Lawrence County absentee ballots for further review and possible prosecution…

At issue are applications for absentee ballots that were sent to two post office boxes — 42 were sent to a box in the name of Ironton resident Charles Maynard and 77 were sent to a box in the name of Russell Bennett of Chesapeake during the fall of 2010.

“Of the 77 absentee ballot applications marked to be sent to Russ Bennett’s P.O. Box, 68 reportedly were hand-delivered to the Lawrence County Board of Elections office by a man named Butch Singer,” according to the letter sent to Mike DeWine and J.B. Collier.

In October a board of elections employee noticed that the handwriting in the “Send Ballot To” portion of the applications differed from that in the section with the voter’s name. The board then contacted 10 voters to see where they wanted their ballot sent.

“All 10 voters replied that they wanted their ballots mailed to them at their home address, suggesting that the ‘Send Ballot To’ portion of the absentee ballot application was completed after the voters filled in their application form,” Husted’s letter states.

Incidents like this demonstrate the reality of absentee/mail voting risks and why we would limit such voting to those genuinely unable to vote in person.

Humans and Machines Err In Garden State

In New Jersey, a voting machine is misprogrammed, then apparently a faulty or lax pre-election test fails to recognize the error. Finally, the surprise result causes an investigation: “Human error” found in Fairfield election results <read>

A supposed malfunction of the problematic and much-debated Sequoia AVC Advantage voting machines is being chalked up to human error.

Results from Primary Election day last month puzzled two candidates who expected the exact opposite. Less than a month later, there’s a line in the sand being drawn between a second election and inspection of the voting machine itself.

“On Election Day, the votes cast for Candidates Vivian and Mark Henry registered for Candidates Cynthia and Ernest Zirkle, respectively,” read a statement addressed to all affected by the Democratic County Committee election in Fairfield.

According to documents provided to The News, Cumberland County Board of Elections Director Lizbeth Hernandez takes responsibility and regrets a pre-election programming error.

Attached to a legal petition filed by the Zirkles were 28 affidavits from voters swearing they supported the two candidates.

Those 28 votes of the 43 total cast on June 7 make up the majority.

How frequently do such errors occur? We have no way of knowing. The good news is that in this instance the error was discovered and will be corrected. Yet, it is rare that so few voters are involved and that such strong evidence can be developed so that an investigation is initiated. Since New Jersey has paperless touch screen voting machines a re-vote will be required.

There is a tendency to dismiss these errors as “only” “human errors”, just as we dismiss transportation accidents as pilot, controller, or engineer errors. However, whatever role inadequate human capabilities or inadequate systems play in the equation, these are voting integrity issues that can be significantly reduced with better procedures, training, and systems, along with corrective measures like paper ballots and post-election audits.

Here in Connecticut we have paper ballots so that if such a problem were discovered we would not need a re-vote, just a recanvass or a recount. Yet we have little or no reason to celebrate. We have many referendums or special elections in single towns with all memory cards programmed identically. In many cases there is no obvious reason to believe, let alone realistically prove, which candidate or decision “should” have won – too close an election or too many voters to realistically get enough affidavits. And referendums and special elections are exempt from post-election audits such as they are.

Flip-Flopping has its place, but not in voting

Brad Friedman covers the case of a voting machine flip-flopping in Las Vegas and the history of flip-flopping and completely missing votes: Las Vegas Mayoral Candidate Sees Own Vote Flipped to Opponent on Touch-screen Voting Machine <read>

It took two tries, but Carolyn Goodman, candidate for Mayor of Las Vegas, and wife of current Mayor Oscar Goodman, was finally able to vote for herself today on Nevada’s illegally-certified, 100% unverifiable Sequoia AVC Edge touch-screen voting machines. At least she thinks she did. Whether her vote will actually be counted for her is something that nobody can ever know…

The failure that Goodman had, and noticed, is just the latest in a string of celebs and candidates who have had similar problems with 100% unverifiable voting machines — as still used by some 20 to 30% of voters in the U.S. — either flipping their vote, or not allowing them to vote at all…

[Randy] Wooten was running for mayor in the rural Poinsett County town with a population of just 80 people that year, when he learned, after the close of polls on Election Night, that he had received a grand total of ZERO votes, as reported by the county’s ES&S iVotronic touch-screen voting systems.

As AP noted at the time Wooten said, “I had at least eight or nine people who said they voted for me, so something is wrong with this picture.” Among those people who Wooten believed had voted for him: himself and his wife.

In Praise Of Flip-Flopping

Reading and listening to the media we are led to believe that flip-flopping is the worst possible political sin. Wrong. Much of the time we spend writing, voice-mailing, or speaking with legislators is working to convince them to understand a more complete picture; to change their positions on issues.

In 2005, Secretary of the State, Susan Bysiewicz, publicly tested and was about to choose unverifiable touch screen (DRE) voting machines similar to those in Las Vegas – then she looked at the evidence, considered additional information from vocal advocates, and flip-flopped. That is why we have voter verifiable paper ballots and optical scanners in Connecticut, with a side benefit of saving about half the cost of DREs.

Security Theater: Scary! Expert Outlines Physical Security Limitations

Connecticut’s ballots and voting machines are vulnerable. We are subject to many of the characteristics of “Security Theater” outlined by Dr. Roger Johnston of Argonne Lab’s Vulnerability Assessments Team. “Security” seals can be compromised, undetected in seconds. That is only the tip of the iceberg. Forget those Dracula movies. Contemplate the value of ballots to our democracy while watching the video.

Back in January, we covered reports on six failed attempts by New Jersey to successfully secure voting machines with “security” seals – seals like those used in Connecticut to “protect” our ballots and voting machines. A computer expert and a security expert provided reports outlining the ease with which those seals can be compromised by an amateur and an expert.

“Security” seals can be compromised, undetected in seconds. That is only the tip of the iceberg. Full security often involves a lot more: locks, vaults, chain-of-custody, alarms, video surveillance, and guards. Unfortunately, most physical security can also be easily defeated, according to one of the experts, Roger Johnston of the Argonne National Lab Vulnerability Assessments Team.

Last week I was fortunate to hear Dr. Johnston speak at a voting integrity conference in Chicago. Although I don’t have his slides or a video from that conference, I do have videos of a short appearance on NBC and a longer talk he gave last year:

  • Getting paid to break into things: Argonne’s Roger Johnston on NBC <watch 4min>
  • Proving Voltaire Right: Security Blunders Dumber Than Dog Snot <watch 127min>

What I found most enlightening last week was a slide showing fifteen characteristic attributes of “Security Theater” (you can see it at about 5 min into the second video). Some of the attributes we often observe in Connecticut ballot security are:

  • “Sense of urgency”
    Urgency can be seen and felt on election night as officials are rushing to finalize results, complete paperwork, and complete a seventeen hour day. Is the seal applied correctly to prevent access without tampering? Do two officials check the seal number on the ballot case and the moderator’s return? Is the return completed in ink or pencil? Are the ballots under observation by at least two officials until they are locked in town hall? Is the seal number on the bag checked against the moderator’s return when the ballots are locked in town hall? Officials complain that it may take days for both registrars to be available to check ballots and sealed paperwork after an election.
  • A very difficult security problem
    Budgets are tight. Very few towns keep their ballots in vaults or securely locked facilities. We observe weak single locks or padlocks, ballots stored in isolated storage rooms with weak building security. Or no locks at all.
  • Involves fad and/or pet technology
    We have seen seals made with office printer labels with no numbers and seals that are entirely written by hand.
  • Questions, concerns, & dissent are not welcome or tolerated
    Any suggestion that someone might compromise security is instead defensively interpreted as an accusation against the integrity of a registrar or all registrars. We are told that Connecticut towns cannot afford to improve security. Security does cost money, yet there are economical alternatives to dramatically increase ballot security. Can we afford to leave our democracy conveniently vulnerable?
  • Strong emotion, over confidence, arrogance, ego, and/or pride related to security
    (see above)
  • Conflicts of Interest
    Most registrars and election officials are closely aligned with parties – that is why we have at least two registrars in each town, of opposing interests. Everyone in town hall is dependent on the outcome of budget referendums and the plans of those elected. (as a counter example, the owner of a jewelry store, bank president, or jail guard normally has little conflict of interest in security)
  • No well-defined adversary
    Most individuals, election officials, candidates, candidate supporters, and town employees are honest. Yet, almost every person, agency, or business has stakes in election outcomes.
  • No well-defined use protocol
    Our statutes on ballot security are weak and ambiguous; it is unlikely that the pending technical bills will change that. Towns follow (or don’t follow) a variety of procedures, mostly unpublished, vulnerable, and unverifiable.
  • No effective [vulnerability assessments]; no devil’s advocate
    You could say that CTVotersCount and the Coalition have been devil’s advocates, yet so far to little avail.
  • People who know little about security or the technology are in charge
    Many of our registrars and their staff demonstrate and will admit lack of knowledge of our voting technology. How many actually understand security? How many understand security technology such as the vulnerability of seals, locks, and the lack of security in a chain-of-custody filled out using an “honor system”? What security is there when most towns provide access with a single key and many provide access to that key for anyone working in the registrars’ office? How secure is access to the key or to the ballot storage by other means?

Forget those Dracula movies. Contemplate the value of ballots to our democracy while watching the Dog Snot video.

Not up for a scary movie? Here is a recent interview of Dr. Johnston on Op-News. He provides suggestions for improving voting security. <read> Here the context is voting machines but the same considerations also apply to ballots. How many of these are in effect in your town?

Suggestions for better election security:

1.  Let’s try to separate concerns, questions, and criticisms about election security from political attacks on election officials (who are often elected themselves).  Security should be controversial and we need to listen to all input about it.

2.  Election officials need to think like the bad guy.  How would you cheat?

3.  Establish a healthy security culture and climate, where security is constantly on everybody’s mind and open for discussion and debate and review and outside analysis.

4.  Ironically (and counter-intuitively), the best security is usually transparent.

5.  Security is hard work, so expect to put in hard work.

6.  Do periodic background checks on people who move and maintain the voting machines.

7.  Somebody has to sign for the machines when they reach the polling place prior to the election (there can’t be a delay in delivery), and at least semi-watch them.  Use custodians, teachers, secretaries, and school kids (a great civics lesson!) to keep an eye on the machines if you can’t lock them up.

8.  Consider escorting the machines to and from the polling places.

9.  Lean on manufacturers of voting machines to get serious about security.

10.  Have a real, secure chain of custody, not bureaucratic forms to sign or initial purporting to be a chain of custody.

11.  Try bribing your people, then make them public heroes and let them keep the money if they decline.  (Wait at least one day, though.)  Word will get around it isn’t a good idea to accept a bribe.

12.  Form a pro bono citizens panel with local security experts to provide guidance.

13.  You must randomly select some machines before, during, and after the election to completely tear apart, examine, and reverse engineer.  Just seeing if they appear to run correctly is not good enough!  It’s too easy to turn cheating on and off.

14.  If you are going to use seals, provide at least a few hours of training in how to spot attacked seals.  Give lots of examples of attacked seals.  Discuss how the seals will likely be attacked.

NJ Chain-of-Custody: Six unsuccessful attempts to seal voting machines

New Jersey has attempted six “Seal regimes” to protect their voting machines. Two new reports demonstrate the inadequacies of the seals and associated procedures. The reports document court testimony and contain sometimes graphic demonstrations of how easily various “tamper evident” seals can be compromised. [May not be deemed appropriate reading for officials and voters in some Connecticut towns]

Nothing like this could happen in Connecticut! Unlike New Jersey, we have no enforceable standards. See our editorial below.

The Reports

“Security seals on voting machines: a case study”, by Andrew W. Appel, Princeton University

Insecurity of New Jersey’s seal protocols for voting machines, by Roger G. Johnston

From Johnston:

In 2008 and 2009 the plaintiffs in the New Jersey voting-machine lawsuit, Gusciora v. Corzine, asked me to study the use of tamper-indicating security seals proposed by the New Jersey Division of Elections to secure their voting machines. In this paper I am making some of my assessments available to the public.

I found that the proposed seals and security measures are insufficient to guarantee election integrity. The skills, time, and resources to spoof these seals and security measures are not a major barrier to an adversary, and are, in fact, widely available. The design of the AVC Advantage voting machines themselves is not conducive to good security, especially the lack of security on the voter’s end of the machine. There are vulnerability and other problems with the seals chosen by New Jersey. Another serious problem is New Jersey’s failure to have well-designed seal use protocols in place. The lack of internal inspections of the voting machines is unfortunate, as is the State’s lack of concern about possible attacks on small numbers of voting machines (not just statewide attacks). I found that New Jersey does not exhibit a healthy security culture for elections, has no independent physical security experts and vulnerability assessors to advise the state, and misunderstands key security concepts. The poor security practices involved in storage, transport, and chain-of-custody for the voting machines are troubling as well…

154. In summary, I can state to a reasonable degree of certainty that the seals and security measures proposed by New Jersey to provide security for the AVC Advantage voting machines are insufficient to guarantee election integrity. The skills, time, and resources to spoof these seals and security measures are not a major barrier to an adversary, and are, in fact, widely available.

155. Various factors contribute to New Jersey’s ineffective security. The design of the AVC Advantage voting machines themselves is not conducive to good security, especially the lack of security on the voter’s end of the machine. There are vulnerability and other problems with the seals chosen by New Jersey. Another serious problem is New Jersey’s failure to have well-designed seal use protocols in place. The lack of internal inspections of the voting machines is unfortunate, as is the lack of concern about attacks on small numbers of voting machines given the number of close elections in the past.

156. Other negative factors include New Jersey’s failure to exhibit a healthy security culture for elections, the absence of independent physical security experts and vulnerability assessors to advise the state, and the state’s misunderstandings about key security concepts. The poor security practices involved in storage, transport, and chain-of-custody for the voting machines are troubling as well.

From Appel:

Tamper-evident seals are used by many states’ election officials on voting machines and ballot boxes, either to protect the computer and software from fraudulent modification or to protect paper ballots from fraudulent substitution or stuffing. Physical seals in general can be easily defeated, and the effectiveness of seals depends on the protocol for their application and inspection. The legitimacy of our elections may therefore depend on whether a particular state’s use of seals is effective to prevent, deter, or detect election fraud. This paper is a case study of the use of seals on voting machines by the State of New Jersey. I conclude that New Jersey’s protocols for the use of tamper-evident seals have been not at all effective. I conclude with a discussion of the more general problem of seals in democratic elections…

Simply slapping seals on a device does not magically protect it. Physical seals in general can be defeated with simple techniques and at low cost [Johnston 1997a]. In addition the effectiveness of seals depends on having a protocol for their application and inspection [Johnston 1997b], otherwise one will notice if a seal has been replaced with a different one…

Appel demonstrates how he, as an amateur, easily defeated several seals, including one like many used in Connecticut to seal ballots:

The seals used by Union County are very easy to defeat in a few seconds, by poking a jeweler’s screwdriver into the opening and thereby disengaging the teeth. Strap seals in general are easy to defeat with simple tools [Johnston 1997a]. The jeweler’s screwdriver is not necessarily even the best or fastest way to defeat this seal; it is the one that occurred to the author, who was (at that time) entirely an amateur at defeating seals.

As in Connecticut, there is no specific training on seal inspection for pollworkers or Moderators. Such training would likely be more challenging to implement in Connecticut, since we do not have specified standard seals or containers. In New Jersey:

Pollworkers are hired from among the general public to work 15 hours on election day for $200, with two hours of training before election day. This training covers how to run a polling place and conduct elections; it is not specific to seals. I have inspected the pollworker instruction manuals from three different counties; these manuals give no instruction in the purpose of the seals or in inspecting them for tampering.

Of course Connecticut uses different voting equipment and we have paper ballots to recanvass, recount, and audit. Yet the same seal challenges and risks apply. From Appel:

Therefore most computer scientists recommend methods of voting that allow computers to count the vote, with random audits to verify that (with high statistical probability) the computers are not cheating. For this to work, there must be a record of each ballot that is not mediated by a computer that could possibly cheat in creating this record. One method that satisfies these criteria is to let the ballots be paper optical-scan forms… Immediately at the close of the polls, the computer can report the candidate totals for that precinct, and in addition there are paper ballots that can be audited in a hand count of randomly selected precincts…

There remains a security problem to solve: how is the integrity of the ballot box to be maintained between the close of the polls and the time of the audit? One method would be to perform the audit immediately, in the presence of the same witnesses (from both political parties and from the State) that have been (presumably) watching the ballot box all day. This might be the best approach, but it has disadvantages: those witnesses may have been working for 14 hours already running the election, and it requires the random selection of precincts to audit to be made by the time the polls close.

Therefore it is usually presumed that some combination of security seals with chain-of-custody arrangements will provide for the integrity of the paper ballots. Therefore, the considerations discussed elsewhere in this paper—regarding security seals and their associated protocols—are very relevant to optical-scan balloting.

In Connecticut, we need to protect the ballots in order to trust the result of recanvasses, recounts, audits and investigations. But the results can be no more reliable and credible than the chain-of-custody. And that chain-of-custody is completely dependent on the seals used, seal protocols, actual practices, enforcement and enforceability.
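The "high statistical probability" in Appel's description of random precinct audits can be made concrete. The sketch below is an added example, not code from Appel's paper or from this site; the precinct counts are constructed, and it assumes the audited paper ballots are the ones voters actually cast, which is exactly what seals and chain-of-custody are supposed to guarantee.

```python
from math import comb


def detection_probability(total_precincts, miscounted, audited):
    """Chance that a uniform random sample of `audited` precincts, drawn
    without replacement, contains at least one miscounted precinct.

    P = 1 - C(N - k, n) / C(N, n)   (hypergeometric, zero hits in sample)
    """
    if not 0 <= miscounted <= total_precincts:
        raise ValueError("miscounted must be between 0 and total_precincts")
    if not 0 <= audited <= total_precincts:
        raise ValueError("audited must be between 0 and total_precincts")
    clean = total_precincts - miscounted
    # comb() returns 0 when the sample is larger than the clean pool,
    # so the result is exactly 1.0 once a hit becomes unavoidable.
    return 1.0 - comb(clean, audited) / comb(total_precincts, audited)


def precincts_to_audit(total_precincts, miscounted, confidence):
    """Smallest sample size whose detection probability reaches `confidence`."""
    for n in range(total_precincts + 1):
        if detection_probability(total_precincts, miscounted, n) >= confidence:
            return n
    # Only reachable when there is nothing to detect (miscounted == 0).
    raise ValueError("no sample size reaches the requested confidence")


if __name__ == "__main__":
    # Constructed scenario: 100 precincts, 5 of them miscounted.
    N, K = 100, 5
    for n in (5, 10, 25, 50):
        p = detection_probability(N, K, n)
        print(f"audit {n:3d} of {N}: P(detect) = {p:.3f}")
    print("precincts needed for 95%:", precincts_to_audit(N, K, 0.95))
    # The numbers above say nothing about ballots altered after the polls
    # close: a hand count of substituted ballots will agree with whatever
    # the substitution was designed to show.
```

The calculation covers only the sampling step. It gives no assurance at all for a precinct whose ballot container could have been opened and resealed undetected before the hand count.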

Editorial

Nothing approaching these six regimes and court challenges could happen in Connecticut! Unlike New Jersey, we have no standard seal “regime”, no standard for seals or ballot containers and any election regulations and procedures going beyond the law are unenforceable. Similar court challenges in the “Nutmeg State” would be about as useful as carved wooden nutmeg seals.

Even if we had standards for seals and their inspection, not much would happen. Most of our statutes remain locked in the lever age, specifying that lever machines will be sealed with “a numbered metal seal”, and some statutes covering earlier paper-only elections require that “ballot boxes” be sealed with “one adhesive ballot box sealing stamp” supplied by the Secretary of the State. We have no enforceable standards for ballot containers, ballot seals, tabulator seals, and “tamper evident” tape. Most interpret our statutes to mean that ballots do not have to be sealed beyond fourteen days after an election – with post-election audits commencing on day fifteen.

We located one section of the Connecticut statutes that was specifically updated to address what happens if an optical scanner is found with a broken seal:

9-259 (c)…The seal on the tabulator shall remain unbroken. If the seal is broken, the registrars of voters shall be notified immediately and the tabulator tape shall be produced. If the tape does not show all zeros, the registrars of voters shall be notified immediately and the tabulator shall not be used.

So, even if a seal were broken, allowing an insider or outsider to change the memory card or “permanent” chips on the machine, as long as the machine produced a zero tape the election would go forward.

We have discussed seals and security before: highlighting the apparently unenforceable seals on our scanners specified by the Secretary of the State; an earlier report on seals, also by Roger Johnston; and portions of the California Top-To-Bottom Review: FAQ – How can the scanner be hacked? It is kept in a canvas bag protected by a tamper-evident seal!

We also point to the Coalition post-election audit reports which have documented the failure of election officials to follow chain-of-custody procedures, for example <read>

For more on Connecticut chain-of-custody, read our next post about a recent election in Colorado.

In 2008 and 2009 the plaintiffs in the New Jersey voting-machine lawsuit, Gusciora v. Corzine, asked me to study the use of tamper-indicating security seals proposed by the New Jersey Division of Elections to secure their voting machines. In this paper I am making some of my assessments available to the public.
I found that the proposed seals and security measures are insufficient to guarantee election integrity. The skills, time, and resources to spoof these seals and security measures are not a major barrier to an adversary, and are, in fact, widely available. The design of the AVC Advantage voting machines themselves is not conducive to good security, especially the lack of security on the voter’s end of the machine. There are vulnerability and other problems with the seals chosen by New Jersey. Another serious problem is New Jersey’s failure to have well-designed seal use protocols in place. The lack of internal inspections of the voting machines is unfortunate, as is the State’s lack of concern about possible attacks on small numbers of voting machines (not just statewide attacks). I found that New Jersey does not exhibit a healthy security culture for elections, has no independent physical security experts and vulnerability assessors to advise the state, and misunderstands key security concepts. The poor security practices involved in storage, transport, and chain-of-custody for the voting machines are troubling as well.

Why We Need Audits and Recounts: AccuVote Missed 0.4% of Ballots in Aspen Elections

The reason we need paper ballots, audits and recounts is to verify that citizens’ votes are counted accurately. How do we know that our Diebold/Premier/Dominion AccuVote-OS voting machines count ballots and votes accurately in each election, in each polling place? Maybe sometimes they do and sometimes they don’t.

In Aspen, Colorado they did not, missing 11 ballots out of 2544. Premier AccuVote Machines Missed 0.4% of Ballots in Aspen Elections <read>

On May 5th 2009, Aspen (CO) held municipal elections for mayor, two city council seats and a ballot measure. Pitkin County’s Premier (formerly Diebold) AccuVote optical scan voting machines failed to register 11 (0.4%) of 2,544 ballots, which was discovered due to the ballots also being counted on Election Day at a central location with a separate system. Premier is one of the three largest providers of voting equipment in the United State…

To underscore the importance of the missing 11 ballots, it is not uncommon for manual recounts of optical scan elections to find new valid votes that were discounted by the optical scan voting machine, either because the machine detected a stray pen mark as an over-vote (voting for more candidates than allowed), or because a voter marked a choice too lightly or outside the designated spot on the ballot, such that the machine detected an under-vote, or skipped race. Such “found” votes are common in manual recounts where humans can recognize a voter’s intent that the optical scan machine could not. In the recent Aspen election, the independent scanning of ballots did indeed allow election officials to find at least one such valid vote missed by the AccuVote voting machines.

However, this problem is unrelated to the discovery that nearly a half percent of ballots – 11 ballot cards in all – went entirely unrecorded by the AccuVote machines. According to Aspen City Clerk Kathryn Koch, both the poll book record of the number of voters who voted and the TrueBallot record of ballots processed agree that there were 2,544 ballots. The AccuVote machines, however only recorded 2,533 ballots

Unfortunately, differences in counts between humans and AccuVote-OS optical scanners in Connecticut audit reports are routinely dismissed as human error rather than potential scanner errors to be investigated. See the Coalition Audit Reports.

This is also why CTVotersCount stands for stronger audits and actual recounts in very close elections in Connecticut. We also strongly support auditing by machine in Connecticut, with systems like the one used in Aspen by TrueBallot, and others by ClearBallot and TEVSystems – provided Connecticut implements such systems in ways that are transparent and provide for public verification and confidence.

Sadly these same ballots are being withheld from public scrutiny to verify this result.

Video: Dan Wallach channels Stephen Colbert

Must Watch: From the EVT/WOTE conference, Dan Wallach presents today’s word: “Out of Site, Out of Mind” <video>

In addition to channeling Stephen Colbert, Dan was challenging Mark Lindeman’s performance last year of his ballad “Plaudits for Audits” <watch and listen>

Faith in Technology: Drilling, Driving, and Voting

Food for thought. As states and voters consider the Internet for voting, based on faith in vendors that say it works, and ignoring the vast majority of independent technologists and studies that say it is unproven and risky, we point to this cautionary tale: Why Do We Worship at the Altar of Technology? <read>

If there is one true religion in the US, it leads us to worship at the altar of technology. Christian or Jew, Muslim or atheist, we accept the doctrine of this shared faith: that technology provides the main path to improving our lives and that if it occasionally fails, even catastrophically, it will just take another technology to make it all better. It is this doctrine that connects BP’s Deepwater Horizon and Toyota’s sudden acceleration debacles – and the responses to them…

Of course, corporations don’t see this as their first mission, operating as they do on cost containment and profit maximisation, not cutting-edge technology as an end in itself. But their customer base has been convinced that each time they buy a new car, they are buying the future and lucky that the world’s smartest geologists and engineers are helping fuel their experience of it. Never mind that the technology they are largely buying is media and telecom gadgetry

As the article points out, oil and automobiles are linked by more than technology. The analogy to voting also breaks down in another way: when it comes to voting technology, vendor profit maximization is directly linked to the technology.

Our response to BP and Toyota’s failures expose the danger in our faith. Deep anxiety aroused by the deaths in the water and on the interstates is calmed by the ameliorating belief that technology will save us, and if not now, soon. After all, the promise of technology is in the better life to come.

Recall the Help America Vote Act (HAVA), designed to use technology to save us from the alleged problems with punch-cards and lever machines, yet effectively providing us with new expensive voting equipment left vulnerable to the same risks as our previous voting systems: error and fraud.

In fact, like oil and automobiles, the problem with voting is not the technology. The problem is believing that technology itself is the source of the problems, the only necessary component of a solution, and fervent faith that the proposed next technology is the solution.

[We cannot help but point out the related natural human tendency to avoid responsibility. We seldom read that a driver drove off the road, into a house, or a tree.  It seems it was almost always the car that went off the road.]