Category: Electronic Vulnerability

Russians not the only threat to our elections

Many articles on the Congressional hearings on the “Russian” hacking or not hacking of our elections.  Brad Friedman and Mark Karlin come closet to my opinions:

Recent article by Mark Karlin referencing Brad Friedman:  Beyond the Russians, Electronic Voting Machines Are Vulnerable to Any Hackers  

Journalists and activists have been sounding the alarm about electronic voting machines and their proprietary software for years. The vulnerability of these machines to hacking has not been front and center for some time — primarily due to the failure of the corporate media and legislative bodies to take it seriously. That changed, to some extent, with the charges about Russian hacking from US intelligence agencies. However, the current emphasis is on the Russians allegedly attempting to influence the 2016 election, not on the flawed electronic voting machines that make hacking possible…

Meanwhile, our Secretary of the State continues to spread myths about the safety of voting systems not connected to the internet and “tamper-proof” seals that are at best “tamper-evident”. 

We add that paper ballots are insufficient.  They need protection from tampering.  We need sufficient audits and recounts.  Audits and recounts that are comprehensive and convincing.  Audits and recounts that are transparent and publicly verifiable.f

Many articles on the Congressional hearings on the “Russian” hacking or not hacking of our elections.  Brad Friedman and Mark Karlin come closet to my opinions:

Recent article by Mark Karlin referencing Brad Friedman:  Beyond the Russians, Electronic Voting Machines Are Vulnerable to Any Hackers   <read>

Journalists and activists have been sounding the alarm about electronic voting machines and their proprietary software for years. The vulnerability of these machines to hacking has not been front and center for some time — primarily due to the failure of the corporate media and legislative bodies to take it seriously. That changed, to some extent, with the charges about Russian hacking from US intelligence agencies. However, the current emphasis is on the Russians allegedly attempting to influence the 2016 election, not on the flawed electronic voting machines that make hacking possible…

Ironically enough today, in the U.S. Senate Intelligence Committee, top intelligence officials from the FBI and DHS testified in regard to concerns about alleged Russian manipulation of the 2016 election. Neither they, nor the elections officials who also testified today, seemed to know much of anything about the actual vulnerability of U.S. voting systems. Or, if they did, they certainly offered a whole lot of demonstrably inaccurate information about whether voting systems are connected to the Internet (they are), whether our decentralized voting and tabulation systems make it impossible to hack a  Presidential election (it doesn’t), and whether actual voting results were manipulated in the 2016 President race (they claimed that they weren’t, even while the DHS finally admitted they never actually checked a single machine or counted a single ballot to find out!)

On the other hand, one computer scientist and voting machine expert, Dr. Alex Halderman of the University of Michigan, also testified today and he actually knows what he’s talking about, because he’s personally hacked just about every voting system in use in the U.S. today, including 10 years ago when he first hacked the exact same 100% unverifiable touch-screen voting machines used in the state of Georgia during Tuesday’s Special Election for U.S. House, the most expensive such election in U.S. History. As he explained in his prepared remarks [PDF] today, 10 years ago, he “was part of the first academic team to conduct a comprehensive security analysis of a DRE [touch-screen] voting machine.” It was a Diebold touch-screen machine, the exact same type used in GA yesterday, as obtained from a source of mine and given to his crew at Princeton University at the time…

The Russian hacking makes for a profitable corporate media narrative — particularly with tweeter Trump tossing gas on the fire. However, if we are looking to secure our voting system from foul play, shouldn’t we also start paying major legislative attention to the electronic voting machines themselves?

I could hardly say it better.

Meanwhile, our Secretary of the State continues to spread myths about the safety of voting systems not connected to the internet and “tamper-proof” seals that are at best “tamper-evident”.

We add that paper ballots are insufficient.  They need protection from tampering.  We need sufficient audits and recounts.  Audits and recounts that are comprehensive and convincing.  Audits and recounts that are transparent and publicly verifiable.

Hacking voting systems is/was easy

Article in the Atlantic summarizes some of the bad news from the last couple of weeks:  There’s No Way to Know How Compromised U.S. Elections Are <read>

So let us not be complacent. Just because you do not understand something, does not mean that hundreds and thousands of others can’t easily hack it.

Article in the Atlantic summarizes some of the bad news from the last couple of weeks:  There’s No Way to Know How Compromised U.S. Elections Are <read>

While the NSA concluded the attack was carried out by the most sophisticated of hackers—the Russian military—their entry methods were relatively vanilla. They gained access to the credentials and documents of a voting system vendor via a spear-phishing attack, and then used those credentials and documents to launch a second spear-phishing attack on local elections officials, which if successful could have compromised election officials’ systems and whatever voter data they possessed.

While the NSA concluded the attack was carried out by the most sophisticated of hackers—the Russian military—their entry methods were relatively vanilla. They gained access to the credentials and documents of a voting system vendor via a spear-phishing attack, and then used those credentials and documents to launch a second spear-phishing attack on local elections officials, which if successful could have compromised election officials’ systems and whatever voter data they possessed…

The splintered digital infrastructure across and within states; the use of multiple vendors; the overlapping interfaces between municipalities, counties, and states; and the reliance on of volunteers for data entry and verification in both registration and voting mean that there are literally thousands of entry points to compromise elections in each state.

Another case study is the state of Georgia, where organizations have filed lawsuits against the state over the security of its elections in advance of the special election in the 6th Congressional District. A June 14 Politico investigation revealed just how insecure the entire system is, and how much more insecure it was in the past. Last August, cybersecurity researcher Logan Lamb probed the Kennesaw State University’s Center for Election Systems—which programs voting machines for the entire state—and found a structure that basically begged to be hacked.

It had no password protection, and was available on a public site without encryption and lacking even basic security updates. Lamb found millions of registration records, credentials for the central elections server, files for the electronic ballot equipment, and database information for the Global Election Management Systems (GEMS) used by many states for preparing ballots and counting votes. In other words, with rather basic tools that fall well outside the realm of sophisticated “hacking,” as it is known, Lamb would have had a wide-open entry point to disrupting Georgia elections last fall, had he been a malicious actor.

So let us not be complacent. Just because you do not understand something, does not mean that hundreds and thousands of others can’t easily hack it.

If [Connecticut] Voting Machines Were Hacked, Would Anyone Know?

NPR story by Pam Fessler:  If Voting Machines Were Hacked, Would Anyone Know?   Fessler quotes several experts and election officials including Connecticut Assistant Secretary of the State Peggy Reeves:

Still, Connecticut Election Director Peggy Reeves told a National Academies of Sciences, Engineering, and Medicine panel on Monday that many local election officials are ill-equipped to handle cybersecurity threats.

“Many of our towns actually have no local IT support,” she said. “Seriously, they don’t have an IT director in their town. They might have a consultant that they call on if they have an issue. So they look to us, but we’re a pretty small division.”

Reeves said the best protection against hackers is probably the fact that the nation’s voting system isso decentralized, with different processes and equipment used in thousands of different locations.

We certainly agree with that and the cybersecurity experts quoted.

NPR story by Pam Fessler:  If Voting Machines Were Hacked, Would Anyone Know? <read>  Fessler quotes several experts and election officials including Connecticut Assistant Secretary of the State Peggy Reeves:

Still, Connecticut Election Director Peggy Reeves told a National Academies of Sciences, Engineering, and Medicine panel on Monday that many local election officials are ill-equipped to handle cybersecurity threats.

“Many of our towns actually have no local IT support,” she said. “Seriously, they don’t have an IT director in their town. They might have a consultant that they call on if they have an issue. So they look to us, but we’re a pretty small division.”

Reeves said the best protection against hackers is probably the fact that the nation’s voting system isso decentralized, with different processes and equipment used in thousands of different locations.

We certainly agree with that and the cybersecurity experts quoted.

 

How easy would it be to rig the next election? Very Easy

Article at Think Progress: How easy would it be to rig the next election? 

In the popular imagination, this is what election hacking looks like?—?dramatic, national-scale interference that manually rewrites tallies and hands the victory to the outlier. Certainly these attacks may occur. However, they’re only one of a variety of electoral hacks possible against the United States, at a time when hacking attacks are becoming more accessible to threat-actors and nation-state-sponsored attackers are growing more brazen. Yes, hackers may attempt to change the vote totals for American elections?—?but they can also de-register voters, delete critical data, trip up voting systems to cause long lines at polling stations, and otherwise cultivate deep distrust in the legitimacy of election results. If hackers wish to rig a national election, they can do it by changing only small numbers on a state level.

Article at Think Progress: How easy would it be to rig the next election?  <read>

In the popular imagination, this is what election hacking looks like?—?dramatic, national-scale interference that manually rewrites tallies and hands the victory to the outlier. Certainly these attacks may occur. However, they’re only one of a variety of electoral hacks possible against the United States, at a time when hacking attacks are becoming more accessible to threat-actors and nation-state-sponsored attackers are growing more brazen. Yes, hackers may attempt to change the vote totals for American elections?—?but they can also de-register voters, delete critical data, trip up voting systems to cause long lines at polling stations, and otherwise cultivate deep distrust in the legitimacy of election results. If hackers wish to rig a national election, they can do it by changing only small numbers on a state level.

Not just hackers!  Insiders.  Not just election officials.  Contractors, ISPs, voting system vendors, municipal staffers…

One thing all voting machines seem to have in common is that whenever they have been subjected to aggressive testing by hackers, they have fallen apart.

Insecure voting systems are the norm, not the exception
“These machines are just so poorly engineered, the only real way to secure them is to destroy them and start over,” said the University of Michigan’s Matt Bernhard…

Voting technology provides a false sense of security?—?and opens up new vulnerabilities
As a result of the work of investigators affiliated with the TTBR and EVEREST, as well as more recent investigations by researchers like Haldeman at the University of Michigan (who installed Pac-Man on a Sequoia DRE in 2010) or Edward Felton and Andrew Appel at Princeton, paperless DRE machines have become less popular. In 2016, their use had declined more than 15 percent since the last presidential election.

But in many ways, the remaining uneasily patched DREs have been cast as the bogeyman of voting machines?—?while the other systems’ remarkable vulnerabilities have been ignored.

Meanwhile officials remain complacent <read>

Public Voting Machine Hackathon: Challenge or Sham

The worlds largest democracy has offered the public a chance to hack its unverifiable voting machines.  The details are skimpy, history does not provide confidence, and while it may be a step in the right direction it is ultimately insufficient.  See the article by George Washington University Professor Poorvi Vora: Hacking EVMs: The EC has issued a challenge. It must first accept the challenge it faces

The worlds largest democracy has offered the public a chance to hack its unverifiable voting machines.  The details are skimpy, history does not provide confidence, and while it may be a step in the right direction it is ultimately insufficient.  See the article by George Washington University Professor Poorvi Vora: Hacking EVMs: The EC has issued a challenge. It must first accept the challenge it faces <read>

Let’s not forget that such a so-called challenge was also given in 2009. The examination of EVMs should be treated as an opportunity to make the process more transparent and open. In 2009, however, when the Election Commission allowed the public to examine EVMs, the examination was hugely circumscribed so as to prevent anyone from carrying out any substantive – albeit practical – attack.

If this offer of EVM examination is simply a cosmetic offer as in 2009, and not intended to allow for a complete analysis, the trust deficit between the Indian public and Indian elections will continue to grow.

The Election Commission should demonstrate that their claims of EVM security do not rest on the very fragile assumption that all insiders with access to the EVM can be trusted. To understand what an insider with access can achieve if they try to tamper with the systems, they should provide the experts with design documents and details of the tests used to verify the design and security properties. The Election Commission’s approach so far, of keeping design details secret, is termed “security through obscurity” by computer security experts, and was debunked as far back as the late 1800s by Dutch cryptographer Auguste Kerckhoffs…

In addition to the transparency provided by public testing of EVMs before elections, there is a role for transparency after the election as well. Even if one were to believe that EVMs are tamper proof, every election outcome must be checked to ensure that the unexpected did not happen, that “mock drill data” (votes due to key presses during testing) was erased as it is supposed to be, and did not contribute to the count, that errors did not affect the outcome, that the EVMs were correctly calibrated, that somebody did not try to change the outcome and succeed, and so on.

If the VVPAT record is verified by the voter to be a faithful reproduction of the vote, is stored securely separate from the EVMs, and is publicly audited after the election, it provides strong independent confirmation that the outcome is correct.

It is not sufficient to simply print VVPAT records, nor is it sufficient for voters to carefully check them. A correctly printed VVPAT record indicates merely that the machine correctly understood the vote. It does not indicate that the vote was correctly recorded or counted. A public audit needs to be performed to determine that the VVPAT records are consistent with the declared election outcome.

There is a lot more in the article.

Surprising statements by Denise Merrill and Neil Jenkins

Denise Merrill, Secretary of the State and President of the National Association of Secretaries of State and Neil Jenkins from Homeland Security spoke on NPR on election integrity.  <listen>

We disagree with both their similar statements:

.”Because our system is highly decentralized there’s no way to disrupt the voting process in any large-scale meaningful way through cyber attacks because there’s no national system to attack,” [Merrill] said Tuesday at a hearing before the U.S. Election Assistance Commission on the impact of the critical infrastructure designation.

Jenkins was quoted as saying “having thousands of elections offices each with their own systems making hacking elections nearly impossible”

Denise Merrill, Secretary of the State and President of the National Association of Secretaries of State and Neil Jenkins from Homeland Security spoke on NPR on election integrity.  <listen>

We disagree with both their similar statements:

.”Because our system is highly decentralized there’s no way to disrupt the voting process in any large-scale meaningful way through cyber attacks because there’s no national system to attack,” [Merrill] said Tuesday at a hearing before the U.S. Election Assistance Commission on the impact of the critical infrastructure designation.

Jenkins was quoted as saying “having thousands of elections offices each with their own systems making hacking elections nearly impossible”

Others may wish to believe differently, but based on science, recent history, and common sense, we point out:

  •  Secretary/President Merrill is almost correct when she says “Because our system is highly decentralized there’s no way to disrupt the voting process in any large-scale meaningful way through cyber attacks because there’s no national system to attack,”  However, it is possible to attack Federal elections in a “meaningful’ way, especially a non-cyber way, in that a few thousand votes could sway a state’s electoral votes, senator, or representatives.  That may or not be large-scale, but it is meaningful. Put a few of states together and it could change the apparent President and the balance in the Senate and House.  In 2016 attacks in three states, PA, MI, and WI, could have done the job. In 2000, FL,  and 2004, OH, just one state could have changed the result.
  • Elections are not as decentralized as the Secretary and Jenkins imply. It is inaccurate to say that thousands of jurisdictions have their own systems:  I.e. all of Connecticut’s scanners are programmed and maintained by a single out-of-state vendor.  That same vendor does the same for most of New England.  Nationwide some jurisdictions are very large in many states such as LA County in CA, Cuyahoga County OH, or several FL counties.  Some cities are rather large.  In this past election there were major errors in Detroit.  Philadelphia all votes are “counted” on unauditable touch screen machines.
  • A single entity is now responsible for the non-random auditing of all of Connecticut’s memory cards, reporting on our post-election election audits, and programming and supervising the software dependent machines now doing our electronic post-election “audit”.
  • Connecticut’s new voting machines for those with disabilities are programmed by another single entity, not tested in a meaningful end-to-end way, and are now used in most municipalities to test the optical scanners in a way that reduces the value of the pre-election tests.  (Rather than an actual test of the interface, a canned set of ballots is printed by the machine.  Those ballots produce huge black squares rather than  filled in bubbles.  When they are used to test the scanners it does not test that the scanners actually detect bubbles at the correct coordinates.)

These do not meet my definition of decentralized (or independent).  I am not necessarily arguing for more centralization.  I am arguing for more skepticism, more vigilance, more awareness, more transparency, and less obfuscation.

We and officials cannot prove negatives, that there were no cyber-attacks; that there were no conventional attacks; that  there were no significant errors in the results reported.

Officials have not proven that the election results were accurate enough to support the .  With paper ballots uniformly required, with effective post-election audits, and process audits they would be able to prove it.

*****Update 4/15/2017

Alex Halderman agrees <read>

Halderman said that most people think that the United States’ voting machines are secure because they are different in each county and they aren’t connected to the Internet. “In fact, many of these things break down,” said Halderman.

Halderman said an attacker can select the machines that are the most vulnerable or attack the third-party vendors that provide the memory cards for each machine. By using this method, an attacker could have altered the votes in 75 percent of Michigan counties, according to Halderman. He said that although he thinks that no states carried out sufficient forensics to determine whether their voting machines were hacked, he does not believe that those votes were manipulated.

Controlling Voting Algorithms is Critical

A short op-ed in the Courant from Bloomberg View, by Cathy O’Neil describes the risks of artificial intelligence algorithms used  by the likes of Facebook and Google: Controlling A Pervasive Use Of Algorithms Critical 

We should have concerns with algorithms beyond Artificial Intelligence. The same concerns apply to any algorithm (computer code/manual process), such as voting machines.  We have no access to the code in our AccuVoteOS optical scanners. Yet we know from studies such as the California Top-To-Bottom-Review,  Hacking Democracy’s Hursti Hack, and studies by UConn that the system is vulnerable to attack.  We do not know and cannot know for sure if the software running on a particular AccuVoteOS and its memory card is correct and accurate.

A short op-ed in the Courant from Bloomberg View, by Cathy O’Neil describes the risks of artificial intelligence algorithms used  by the likes of Facebook and Google: Controlling A Pervasive Use Of Algorithms Critical  <read>

Humans are gradually coming to recognize the vast influence that artificial intelligence will have on society. What we need to think about more, though, is how to hold it accountable to the people whose lives it will change…

In short, people are being kept in the dark about how widely artificial intelligence is used, the extent to which it actually affects them and the ways in which it may be flawed. That’s unacceptable. At the very least, some basic information should be made publicly available:

Scale: Whose data is collected, how, and why? How reliable are those data? What are the known flaws and omissions?

Impact: How does the algorithm process the data? How are the results of its decisions used?

Accuracy: How often does the algorithm make mistakes — say, by wrongly identifying people as criminals or failing to identify them as criminals? What is the breakdown of errors by race and gender?

Such accountability is particularly important for government entities that have the power to restrict our liberty. If their processes are opaque and unaccountable, we risk handing our rights to a flawed machine.

We should have concerns with algorithms beyond Artificial Intelligence.  The same concerns apply to any algorithm (computer code/manual process), such as voting machines.  We have no access to the code in our AccuVoteOS optical scanners. Yet we know from studies such as the California Top-To-Bottom-Review,  Hacking Democracy’s Hursti Hack, and studies by UConn that the system is vulnerable to attack.  We do not know and cannot know for sure if the software running on a particular AccuVoteOS and its memory card is correct and accurate.

The best defense is a comprehensive, sufficient Post Election Audit.

Yet now Connecticut audits with the UConn Audit Station with undisclosed software.  Even if we knew the software and tested it, there still would be no assurance that we missed something in our tests, there was a hardware error, or the software was compromised.  As we wrote in a recent op-ed in the CTMirror and as covered in the most recent Citizen Audit Report the only defense is a manual audit of that Audit Station, every time it is used.

Covering the items in the Courant Op-Ed:

Scale: Whose data is collected, how, and why? How reliable are those data? What are the known flaws and omissions?
Our voting data is collected.  It is only as reliable as the optical scanner as deployed.  The system is vulnerable to attack in a variety of ways.

Impact: How does the algorithm process the data? How are the results of its decisions used?
It is supposed to be a straight-forward interpretation of marks to vote counts, provided the scanner is properly configured and programmed.  The results are used to determine who leads our democracy AND if our votes actually determine that.

Accuracy: How often does the algorithm make mistakes — say, by wrongly identifying people as criminals or failing to identify them as criminals? What is the breakdown of errors by race and gender?
Here this is, how often does in inaccurately count votes?  Did it count them accurately enough in this election? If we had trustworthy audits of the voting machines and the Audit Station we could answer these questions.

Georgia on my mind. Paper not on Georgia’s radar.

Georgia and Cobb election officials are rejecting calls from advocacy groups for voters to use paper ballots while the FBI investigates a data breach at Kennesaw State University.

Voters will continue to use electronic voting machines during upcoming elections, said Candice Broce, spokesperson for Georgia Secretary of State Brian Kemp. The use of paper ballots is reserved as a backup system in case there is a problem with the voting machines, she said…

Earlier this month, KSU announced a federal investigation at the Center for Elections Systems located on the Kennesaw campus to determine if there was a data breach that might have affected the center’s records, according to Tammy DeMel, spokesperson for the university.

When will they ever learn?  We firmly believe that the days of paperless elections are coming to an end. It may take a few more years, yet we believe it is unlikely that any jurisdiction in the U.S. well make a major purchases of paperless voting equipment in the future. The useful life of most paperless equipment will end within the next decade or so.

Recall that the potential hacking of Georgia’s touch-screens was a very early example that started concerns with electronic voting.  The dangers and suspicions were highlighted in Chapter 11 of the book, Black Box Voting, by Bev Harris.  Especially, Chapter 11,  Noun and Verb? rob-georgia.zip

Now Georgia is back in the news.  Election officials reject advocacy groups’ call for paper ballots <read> <or here>

Georgia and Cobb election officials are rejecting calls from advocacy groups for voters to use paper ballots while the FBI investigates a data breach at Kennesaw State University.

Voters will continue to use electronic voting machines during upcoming elections, said Candice Broce, spokesperson for Georgia Secretary of State Brian Kemp. The use of paper ballots is reserved as a backup system in case there is a problem with the voting machines, she said.

Cobb voters will also use the voting machines in next week’s special elections for the 1 percent special purpose local option sales tax for education and the vacant Marietta school board Ward 6 seat, said Janine Eveler, director of Cobb elections.

Earlier this month, KSU announced a federal investigation at the Center for Elections Systems located on the Kennesaw campus to determine if there was a data breach that might have affected the center’s records, according to Tammy DeMel, spokesperson for the university.

Tuesday, the watchdog group Common Cause called on Georgia election officials to use paper ballots to ensure the integrity of next month’s congressional special election on April 18. That election is to fill Georgia’s Sixth District congressional seat left vacant after Tom Price was confirmed as the Health and Human Services secretary.

When will they ever learn?  We firmly believe that the days of paperless elections are coming to an end. It may take a few more years, yet we believe it is unlikely that any jurisdiction in the U.S. well make a major purchases of paperless voting equipment in the future. The useful life of most paperless equipment will end within the next decade or so.

Testimony on Early Voting and Registrar’s Bills

Yesterday, we submitted testimony on a number of early voting bills and a bill likely submitted by the Registrars of Voters Association.

The primary reason to avoid expanded mail-in or no-excuse absentee voting is the opportunity for and documented record of absentee voting fraud. There are other reasons:

  • Contrary to a touted benefit – early voting DECREASES turnout…

And a bill likely submitted by the Registrars of Voters Association.

As an election official, I am sympathetic to the wish of Registrars to make their jobs simpler.  Yet, my sympathy ends when it results in barriers to participation in democracy for candidates and citizens.

Yesterday, we submitted testimony on a number of early voting bills and a bill likely submitted by the Registrars of Voters Association.

Our testimony of a variety of early voting bills <read>

We oppose expanded mail-in voting in any form, including no-excuse absentee voting. As I testified several times in the past, we have no objection to a Constitutional Amendment authorizing the General Assembly to legislate early voting, provided, that voters are clearly informed of the amendment’s intent for the form(s) of early voting to be authorized.

The primary reason to avoid expanded mail-in or no-excuse absentee voting is the opportunity for and documented record of absentee voting fraud. There are other reasons:

  • Contrary to a touted benefit – early voting DECREASES turnout – An academic report concluded that early voting, including mail-in voting, decreases turnout by 3%. An earlier report showed a reduction of 2.6% to 2.9%.
  • It disenfranchises voters, not providing the opportunity to revote when they mistakenly overvote.
  • It disenfranchises voters, when applications or ballots are lost or delayed in the mail.

We could support a version of in-person early voting as suggested by S.J.27.

However, any such approach should have sufficient provisions to provide:

  • Assurance that voters can receive impartial voting instructions and the opportunity for spoiling ballots and trying again.
  • Sufficient provisions for security of ballots, check-in lists, and voting machines in periods when voting does not occur.
  • Absentee ballots should be included in all post-election audits.  This becomes more and more important as the number of absentee votes increases.

Our testimony on the Registrars bill <read>

The Citizen Audit supports one provision:

Lines 86-90 requiring the permanent posting of declaratory rulings, opinions, and regulations by the Secretary of the State on the web.

The Citizen Audit opposes one provisions as currently written:

Lines 131-132 require that random audit drawings be held within 72 hours of the election.  We agree that a deadline should be set for the random drawing which has often occurred very late in the process, causing problems for election officials and the public.  However, vote counting does not complete until 48 hours after the election.  The drawing should be held sometime after all results are reported to the Secretary of the State and available for public review on the Secretary’s election reporting system.  Also, the random drawing should have a required advanced notification. See our testimony on S.B. 540.   We suggest the following substitute language:

“and take place not later than the 8th day after any election or primary and be noticed to the public by press release at least three business days in advance.”

The Citizen Audit completely opposes one provision:

Lines 149-156 would remove the requirement that the Secretary of the State consult with the University of Connecticut for the approval of electronic pollbooks.  Was this proposed be because Prof. Shvartsman of UConn has tested several available electronic pollbooks and found them all lacking? (Ref: Video of NH Forum on Electronic Pollbooks, on May 10, 2016 at 30min: https://www.youtube.com/watch?v=mtYJkVNIGMA or as covered by the Manchester Union Leader: https://ctvoterscount.org/CTVCdata/16/05/UnionLeader20160511.pdf)

I personally oppose one other provision:

Sections 8 and 9 preclude voters who register after petitions become available from being counted for the petition.  This would reduce ballot access for petitioning primary candidates. It would reduce participation and preclude a standard practice that results in more eligible voters registering.

It is normal and vital to success for petitioning candidates and their supporters to approach citizens that are unaffiliated and ask them to sign the petition by simultaneously reregistering in the candidate’s party – this change would preclude that.  They also approach eligible citizens to encourage them to sign the petition and simultaneously register for the first time – this change would preclude that.

As an election official, I am sympathetic to the wish of Registrars to make their jobs simpler.  Yet, my sympathy ends when it results in barriers to participation in democracy for candidates and citizens.

 

We respond to Secretary Merrill’s testimony opposing audit transparency bill

Last Monday we testified for S.B. 540, a bill that would increase audit transparency and public verifiability.

Later we noticed that Secretary of the State, Denise Merrill, submitted testimony opposing one provision of the bill and therefor recommending against the entire bill. Her testimony misinterpreted our bill, recommending against it based on something we did not ask for and was not part of the bill.

In response we wrote a follow-up letter to the GAE Committee.

Last Monday we testified for S.B. 540, a bill that would increase audit transparency and public verifiability.  The bill would:

  • Set common sense minimal standards for ballot security.
  • Set common sense prior public notice requirements for all aspects of the audits which should be transparent and publicly verifiable.
  • Based on sound science, make the recently implemented machine audits, manually verifiable, transparent, and publicly verifiable.

Our testimony <read>

Later we noticed that Secretary of the State, Denise Merrill, submitted testimony opposing one provision of the bill and therefor recommending against the entire bill. Her testimony <read>

Her testimony misinterpreted our bill, recommending against it based on something we did not ask for and was not part of the bill:

My main objection is that it potentially jeopardizes the sanctity of ballot secrecy. Some people do initial or sign a ballot if a mistake is made. In smaller towns, deducing identity from these details is actually possible.
Creating images of ballots that anyone can take home and study could result in people’s ballots being posted online, something that we are already contending with vis-à-vis the voter file.
She went on to suggest a solution similar to the one actually  proposed in the bill.
If there is public uncertainty about our new audit equipment or there is a desire to “audit the audit equipment”there areless intrusive ways to ensure accurate results such as a random sampling of ballots that can be compared to computerized result s while at the audit session. These types of simple solutions could be implemented at no cost and with much less intrusion to the sanctity of our voted ballots.
In response we wrote a follow-up letter to the GAE Committee.  Our letter <read>

The Secretary’s testimony incorrectly stated that the S.B. 540 requires the posting of ballot images online. In fact, S.B. 540 bill does not require the release of ballot images to the public and does not require the posting of ballot images online.

S.B. 540 requires the release of Cast Vote Records (CVRs) to the public present at a machine audit, with no requirement for online posting.  CVRs are not ballot images. They do not include stray marks by voters. They are data records, one record for each ballot that contains the digital interpretation of the votes on the ballot i.e. numbers indicating which bubbles on the ballot were filled in.  They are totaled to determine the votes for each candidate or question in the audit

In the paper included in my testimony, CVRs are described:

“In a machine-assisted audit, the retabulation system produces an interpretation of votes on each ballot (a Cast Vote Record, or CVR) that can be matched with that ballot. The CVRs are exported from the retabulation system. Observers verify that these exported CVRs produce the same electoral outcome(winners, etc.) as the voting system. Then observers compare a random sample of actual ballots against the corresponding CVRs.”

There is no law in Connecticut exempting CVRs from the Freedom of Information Act. A quick survey of election officials and advocates indicates that CVRs for entire elections or audits are regularly provided to requesters in the states of AZ, NY, CO and SC. In SC, they are published online.

In addition to correcting the her misinterpretation, we also pointed out our stand that voted ballots are, in fact, subject to Freedom Of Information requests in Connecticut.

PS: Although it is irrelevant to S.B. 540 we disagree with the Secretary’s interpretation that voted ballots or ballot images are exempt from Connecticut’s Freedom of Information Act (FOI).  We are not aware of an explicit exemption in Connecticut statutes. To our knowledge, FOI of ballots has never been tested before the FOI Commission or in court. We are aware of several states where allots and ballot images are subject to FOI.