Why ballot images fail as the record of an election

A new paper demonstrates how to steal an election by manipulating ballot images: Unclear Ballot: Automated Ballot Image Manipulation.

The current crop of election optical scanners counts elections by creating ballot images and then processing those images to create a record of the votes on them, stored in a computer record known as a Cast Vote Record (CVR). Some would audit elections by examining only the images, rather than the paper ballots. Such audits can be useful, yet are ultimately limited by the opportunity for the images to be manipulated. The paper shows how easy that is. In fact, it is a neat solution that changes the image before the CVR is created, in a way that would be hard to detect.

From the paper:

Using computer vision techniques, we develop an algorithm that automatically and seamlessly manipulates ballot images, moving voters’ marks so that they appear to be votes for the attacker’s preferred candidate. Our implementation is compatible with many widely used ballot styles, and we show that it is effective using a large corpus of ballot images from a real election. We also show that the attack can be delivered in the form of a malicious Windows scanner driver, which we test with a scanner that has been certified for use in vote tabulation by the U.S. Election Assistance Commission. These results demonstrate that post-election audits must inspect physical ballots, not merely ballot images, if they are to strongly defend against computer-based attacks on widely used voting systems…

Uses for image audits. So long as image audits are not the sole mechanism for verifying election results, they do provide substantial benefits to election officials. Using an image audit vastly simplifies some functions of election administration, like ballot adjudication in cases where marks cannot be interpreted by scanners or are otherwise ambiguous. Image audits can be used to efficiently identify and document election discrepancies,

Read the paper. It shows why there is more to it than making a few marks on a ballot.

For the non-technical this may seem difficult, yet for those with the appropriate computer skills it is a straightforward task. Then anyone with access to election computer systems could install the code maliciously, unknowingly, or under threat.

Jimmy Carter says a full investigation would show Trump lost in 2016, we are not so sure.

From Politico:

Former President Jimmy Carter questioned the legitimacy of Donald Trump’s presidency on Thursday, saying he would likely not be in the White House if the Russians did not interfere in the 2016 presidential election.

“I think a full investigation would show that Trump didn’t actually win the election in 2016. He lost the election, and he was put into office because the Russians interfered on his behalf,”

I am not sure what such an investigation would show. All we know for sure is that there wasn’t a sufficient investigation, before or after the election, through two administrations. Lots more to investigate in addition to foreign interference.

While it’s quite possible a thorough investigation would prove that, there is a lot of question whether anything close to enough votes were changed in states that mattered. It might be too late for an investigation to prove anything like that.

More important would have been credible recounts in MI, PA, and WI which were thwarted by election officials and archaic laws intended to protect those same officials. More useful at this point and then would have been a call for investigation and for voter marked paper ballots everywhere.

I am one who believes it is likely that voter suppression, small, large, legal and not, clearly would have changed the result for Hillary as they would have for Kerry in 2004 and Gore in 2000.

I have the greatest respect for President Carter, especially after his presidency, including his work for election integrity across the Globe. Yet we need actual actions, not speculation.

The Cyber War? We will all be victims.

NYTimes, David Sanger: U.S. Escalates Online Attacks on Russia’s Power Grid

Not sure the headline is accurate, to use the word ‘attacks’. The article points to our increasing cyber presence in the Russian grid, but no claims of actual attack. This in the same week as large, as yet, unattributed outages in South America. And yesterday’s rumors that the Trump Administration may be planning on bombing Iran.

To me, the basic story is a ho hum. Russia and China are lurking in our power grid and it’s been known for some time we are in Russia’s. I would be concerned if we weren’t attempting to match them. All of that is covered in Sanger’s book, The Perfect Weapon, which I am reading right now. If you buy it, get the recently released paperback update.

There are two things that are scary in all this:

First, there is lots apparently withheld from our President, from the article:

Two administration officials said they believed Mr. Trump had not been briefed in any detail about the steps to place “implants” — software code that can be used for surveillance or attack — inside the Russian grid.

Pentagon and intelligence officials described broad hesitation to go into detail with Mr. Trump about operations against Russia for concern over his reaction — and the possibility that he might countermand it or discuss it with foreign officials, as he did in 2017 when he mentioned a sensitive operation in Syria to the Russian foreign minister.

There are indications that the plans to bomb Iran are also being created without telling the President. While I am worried about John Bolton and the risk of him starting a war, I am just as concerned with the risks inherent in our President and understand why some keep things from him. It is all scary.

Second, the next war will be a cyber war. If we start by bombing a specific facility in Iran, we will likely attempt to kill their power and communications grids. If not, it’s likely Russia will go after ours. In a couple escalations the World will likely be powered down.

In an all-out cyber war, we will be likely victims. If our power grid is successfully attacked it will be out for months, with transformers, power plants, etc. destroyed. In short, no power, no communications, no transportation, no food, and most of us without water, medicine and healthcare. It would make what happened and continues in Puerto Rico seem minor.

PS: Our election infrastructure is much less protected than our power grid. Worse, the goal of Russia is likely to disrupt our elections, bring our elections and thus our democracy into question.

Two and a half years after election possible Russian hack investigated

Politico story by Kim Zetter: Software vendor may have opened a gap for hackers in 2016 swing state

A Florida election software company targeted by Russians in 2016 inadvertently opened a potential pathway for hackers to tamper with voter records in North Carolina on the eve of the presidential election, according to a document reviewed by POLITICO and a person with knowledge of the episode…

Almost three years after the first public revelation of hackers’ interference in the 2016 presidential race, the Department of Homeland Security has decided to conduct a forensic analysis of computers used in Durham County during that election,

We have reported the potential hack and lack of investigation before (Beware of watchdog that does not bark any details). We were told that no votes were changed in 2016, without any analysis of voting machines. We are told that there was nothing to see in NC, without anyone qualified doing the looking. By now the trail is likely quite cold.

What we “saw” before smelled more like a cursory cover-up than an investigation.

Beware: The Gospel of Internet Voting

LA Times article features the entrepreneur behind Internet voting pilots vs. Science: The vote-by-phone tech trend is scaring the life out of security experts

With their playbook for pushing government boundaries as a guide, some Silicon Valley investors are nudging election officials toward an innovation that prominent coders and cryptographers warn is downright dangerous for democracy…
As seasoned disruptors of the status quo, tech pioneers have proven persuasive in selling the idea, even as the National Academies of Science, Engineering and Medicine specifically warn against any such experiment.
The fight over mobile voting pits technologists who warn about the risks of entrusting voting to apps and cellphones against others who see internet voting as the only hope for getting most Americans to consistently participate on election day…
Bradley Tusk is using the same tactics in this personal crusade that he used to advance tech startups. He has bet a significant share of the fortune he built off his equity stake in Uber that the gospel of mobile voting will spread so fast that most Americans will have the option of casting their ballots for president by phone as soon as 2028.
He has already persuaded the state of West Virginia and the City of Denver to start tinkering with voting by phone, and hopes to move quickly from there.
“What we learned at Uber is once the genie is out of the bottle, it can’t be put it back in,”
Tusk is certain participation in elections would surge if the technology were widely permitted, even though studies in some of the few places around the world that have tried the method revealed no big turnout boost

Crusade, Gospel, Genie seem appropriate to describe Tusk. It is a blind disregard for evidence, science, and the scientists, including yours truly, warning of the risks of Internet voting:

The entrepreneur frames the fight as one pitting reformers against special interests invested in a low turnout that makes lawmakers unaccountable and easy to corrupt. He talks of the security concerns as if they are a sideshow. Sure, the scholars raising them are earnest, he said, but their approach to the challenge bewilders him. He likens them to people whose only solution to making a swimming pool safer is to fill it with concrete. That prospect alarms some of the nation’s most prominent election-security thinkers, who see in Tusk a formidable adversary with an intimidating public relations tool kit. They say he and other promoters for the projects are misleading election officials about how secure the systems are.
“There is wide agreement among computer security experts that this is problematic,” said David Dill, a professor emeritus in computer science at Stanford. “It disturbs me that officials are getting enthusiastic about this voting technology without talking to the people who have the expertise to evaluate its security.”
The National Academies report warns that the risks of this and other forms of internet voting are “more significant than the benefits.”

Read the full article for more details behind Tusk’s quest and the warnings from scientists.

 

 

The Case Against Trusting Democracy to BMDs

Ballot Marking Devices (BMDs) are under consideration by several states for use for all in-person voting. They have paper ballots: “What could possibly go wrong?” A recent paper makes the case that they cannot be audited or trusted to provide accurate results. The paper recommends that they be limited to use by voters who need accessibility: Ballot-marking devices (BMDs) cannot assure the will of the voters

…paper ballots provide no assurance unless they accurately record the vote as the voter expresses it. Voters can express their intent by hand-marking a ballot with a pen, or using a computer called a ballot-marking device (BMD), which generally has a touchscreen and assistive interfaces. Voters can make mistakes in expressing their intent in either technology, but only the BMD is also subject to systematic error from computer hacking or bugs in the process of recording the vote on paper, after the voter has expressed it. A hacked BMD can print a vote on the paper ballot that differs from what the voter expressed, or can omit a vote that the voter expressed…

Research shows that most voters do not review paper ballots printed by BMDs, even when clearly instructed to check for errors. Furthermore, most voters who do review their ballots do not check carefully enough to notice errors that would change how their votes were counted… There is no action that a voter can take to demonstrate to election officials that a BMD altered their expressed votes, and thus no way voters can help deter, detect, contain, and correct computer hacking in elections. That is, not only is it inappropriate to rely on voters to check whether BMDs alter expressed votes, it doesn’t work.

The entire paper is readable and makes a complete case for its conclusions.

Simply stated, Georgia, Pennsylvania, and other states seeking accurate, credible elections need paper ballots, sufficient post-election audits, ballot protection, and Voter-Marked Paper Ballots. BMDs are insufficient and cost several times more.

Yet, this paper has been very controversial in election integrity circles. Advocates for those with disabilities argue that everyone should vote the same way on the same equipment, because that is what is needed to provide equality, to incentivize and cause better BMDs that meet everyone’s needs including those for evidence based elections.

Editorial

We completely agree with the paper’s conclusions. Overall there is nothing new here, except an extensive review and clarification of older and recent work.

We are sympathetic to the needs of those with disabilities. We need better interfaces and BMDs to serve them better. Yet, spending triple on inadequate equipment is not the path forward.

As long as we have absentee voting, we will have voter marked paper ballots; as long as BMDs use multiple interfaces, all voters will not vote the same way.

Better that money and effort be spent on research and innovation than on excessive purchases of inadequate equipment. Where is the incentive for vendors to innovate when election officials can be all but mandated to buy the inadequate equipment on the market? The only incentive would be for multiple rounds of modestly better BMDs followed by multiple rounds of expensive replacements.

Robert Mueller Showed How U.S. Elections Broke in 2016. Here’s How to Fix Them

A pretty inclusive article from TIME: Robert Mueller Showed How U.S. Elections Broke in 2016. Here’s How to Fix Them

Over a nearly two-year investigation, Special Counsel Robert Mueller has shown the sheer breadth of the Russian effort to meddle in the 2016 election.

From hacking into campaign email systems to using social media to stir up voters, the Russian effort hit at a number of soft spots in the American electoral system.

Experts say Russia didn’t stop there either, using similar strategies to attempt to influence the 2018 elections, and, they expect, the 2020 elections as well. They also warn that Iran and China may be mulling similar influence operations too.

Here’s what experts say would strengthen American elections against future attacks.

  • Use paper ballots

  • Secure online voter rolls

  • Audit elections

  • Stop the spread of fake news

  • Make social media ad-buying more transparent

  • Improve technology policy

I fully agree, except possibly with “Stop the spread of fake news”, where the devil may be in the details. Any attempt to squash free speech may backfire.

Rhode Island Risk Limiting Audit in Time Magazine

Not exactly person of the year or prisoner of the month, I did have my picture in Time Magazine! The occasion was the Rhode Island Risk Limiting Audit (RLA) where I participated last week.

Russia Wants to Undermine Trust in Elections. Here’s How Rhode Island Is Fighting Back

Contrary to the headline, Rhode Island wants to make sure their elections are protected from all sorts of problems, after a programming error in 2017 almost caused an incorrect result to be certified.

The article contains some very good summaries of what we and the Rhode Island Board of Elections were up to:

“Democracy and elections are only as good as whether people trust them or not,” [Secretary of State Nellie] Gorbea said. “Confidence in our democracy is critical to every other public policy issue.”…

Amid this uncertainty, Rhode Island is pioneering a means of protecting its election results through a procedure called a “risk-limiting audit.” This method, which election experts consider the gold-standard of post-election checks, is essentially an efficient review of ballots that provides strong statistical evidence that the reported vote tallies in an election are correct…

In addition to public officials and election staffers, the “protectors of democracy” in Providence included a substantial number of volunteers offering their time and expertise for free, simply because they were passionate about securing their fellow citizens’ votes. Teams from Worcester Polytechnic Institute and MIT developed the software that selected votes for the pilot, which will be open source so other states can use it in the future. The leader of a Connecticut citizens’ group[, Luther Weeks, Executive Director of Connecticut Citizen Election Audit] provided input on one ballot-counting method, and a woman who independently advocates for audits organized observers to gather timing data throughout the event. Many in the group greeted each other like summer camp friends after a winter away, eager to catch up on issues they’d seen in other elections and share tips on the newest democracy-defending tactics…

at the Board of Elections warehouse in Providence, where 22 election staffers overseen by Deputy Director of Elections Miguel Nunez and Warehouse and Logistics Manager Steve Taylor retrieved and manually counted ballots for three different kinds of risk-limiting audits to see which method worked best for their state…

I was there to learn and also to lead the demonstration of two methods of performing the batch comparison audit. In the end both methods demonstrated that the two voting machines we audited were accurate last November 6th and with good methods and the dedicated officials present we were also accurate.

At the end of Rhode Island’s pilot, the batch-level comparison and ballot-level comparison audits were both successful, meaning they provided strong statistical evidence confirming the reported election results. The ballot-polling audit fell very slightly outside the accepted risk, which in a real audit would trigger another round using a slightly larger sample. But in this pilot, the goal was simply to test the methods, not to meet a particular level of evidence.

It was an to participate in the months of planning and three days of execution.
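
The ballot-polling audit described in the article above, including the escalation to another round when the evidence falls short of the risk limit, as an added Python example that is not from the article, the Rhode Island pilot, or its software. It assumes a two-candidate contest and the BRAVO sequential test (the post does not name the statistical test that was used); the class, the function names and the ballot readings are constructed for illustration.

```python
import math
from dataclasses import dataclass


@dataclass
class PollingAudit:
    """Running state of a ballot-polling audit (hypothetical helper, BRAVO test assumed)."""
    winner_share: float      # reported winner's share of the valid two-candidate votes
    risk_limit: float        # maximum chance of confirming a wrong outcome, e.g. 0.05
    log_t: float = 0.0       # log of the sequential likelihood ratio T
    examined: int = 0        # paper ballots retrieved and read by hand so far
    confirmed: bool = False

    def __post_init__(self):
        if not 0.5 < self.winner_share < 1.0:
            raise ValueError("reported winner must have more than half the valid votes")
        if not 0.0 < self.risk_limit < 1.0:
            raise ValueError("risk limit must be between 0 and 1")

    @property
    def measured_risk(self) -> float:
        """Strength of the evidence so far, expressed as 1/T and capped at 1."""
        return min(1.0, math.exp(-self.log_t))


def audit_round(audit: PollingAudit, hand_readings) -> bool:
    """Feed one round of randomly drawn ballots into the audit.

    Each reading is what people saw on the PAPER ballot: "W" (reported winner),
    "L" (reported loser), or anything else (blank, overvote), which counts as
    examined but does not move the statistic. Readings taken from ballot images
    or from the CVR would defeat the purpose of the audit.
    """
    step_w = math.log(audit.winner_share / 0.5)          # evidence for the reported outcome
    step_l = math.log((1.0 - audit.winner_share) / 0.5)  # evidence against it (negative)
    threshold = math.log(1.0 / audit.risk_limit)
    for reading in hand_readings:
        if audit.confirmed:
            break                       # risk limit already met, stop pulling ballots
        audit.examined += 1
        if reading == "W":
            audit.log_t += step_w
        elif reading == "L":
            audit.log_t += step_l
        if audit.log_t >= threshold:
            audit.confirmed = True
    return audit.confirmed


def run_constructed_pilot() -> dict:
    """Two rounds over constructed readings: reported 60% winner, 5% risk limit."""
    audit = PollingAudit(winner_share=0.60, risk_limit=0.05)
    round1 = ["W", "W", "L"] * 15       # 45 ballots, constructed sample
    r1 = audit_round(audit, round1)
    risk1 = audit.measured_risk         # still above the limit, so escalate
    round2 = ["W", "W", "L"] * 10       # larger cumulative sample, constructed
    r2 = audit_round(audit, round2)
    return {
        "round1_confirmed": r1,
        "risk_after_round1": risk1,
        "round2_confirmed": r2,
        "ballots_examined": audit.examined,
    }


if __name__ == "__main__":
    for key, value in run_constructed_pilot().items():
        print(f"{key}: {value}")
```

The first round ends with a measured risk above the 5% limit, so the audit draws more ballots rather than declaring a result either way; the second round stops as soon as the limit is met.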

Basics: Why we need to have paper ballots and must effectively audit our elections

A quote in a book excerpt caught our eye: For Tech Firms, Power Lies in the Coding
— you may well own these things in the future, but if today’s system is anything to go by, you’ll very rarely control the code inside them. Tech firms have control over the initial design of their products, determining their “formal and technical” properties as well as their “range of possibilities of utilisation.” And they’ll obviously retain control over platforms— like social media applications — that remain under their direct ownership. But they’ll also control the code in devices they sell. That means that technology we buy for one purpose can be reprogrammed without our consent or even our knowledge.
This is the heart of the need for Evidence Based Elections. Elections that are Software Independent, that can be verified independent of the technology. Elections that are Publicly Verifiable, that can be verified independent of the election officials by multiple members of the public, candidates, and parties.

Beware the costly solution that does not solve the problem

******Update: Verified Voting Statement to Georgia

As we have been warning, paper records from DRE (touch Screen) voting machines are not the equivalent of hand-marked paper ballots.

WhoWhatWhy: Will Georgia Double Down on Non-Transparent, Vulnerable Election Machines?

The good news is that Georgia, which was the first state in the country to deploy paperless machines statewide, has finally decided to replace these machines. But Georgia’s newly elected secretary of state, Brad Raffensperger (R), hopes to replace them not with hand-marked paper ballots and scanners (as virtually all independent cybersecurity election experts recommend), but rather with touchscreen ballot-marking devices, a prime example of which is the ExpressVote system from Election Systems & Software, LLC (ES&S). The ExpressVote is the specific system that Governor-elect Brian Kemp (R) began promoting last year. ES&S is Georgia’s current vendor.

Like other touchscreen barcode balloting systems, the ExpressVote generates computer-marked paper printouts (Kemp and many others misleadingly call them “paper ballots”) with barcodes that are then counted on scanners. Although these paper printouts include human-readable text purporting to summarize the voter’s selections, the barcode, which humans can’t read, is the only part of the printout actually counted by the scanner. According to computer science professor Richard DeMillo of the Georgia Institute of Technology, the barcode constitutes a new potential target for malevolent actors, as it can be manipulated to instruct the scanner to flip or otherwise alter votes…

In addition to security concerns, all touchscreen systems tend to cause long lines because they limit the number of people who can vote at once to the number of touchscreens at the polling place…

The ExpressVote system also would cost taxpayers more than three times as much as hand-marked paper ballots and scanners: an estimated $100 million as opposed to $30 million.

A system only greedy vendors and fraudsters would love.
