Video: If you still have faith in Internet/online voting

We are not surprised that some do not trust us. What is surprising is that many still trust their intuition over the testimony of experts. For those who still have faith in the Internet we present a panel held earlier this year at the Overseas Vote Foundation.

We have said it simply in an op-ed, we have pointed to a statement by technologists and presented lists of cyber attacks, but people still think Internet voting is a good idea and that technologists should be able to figure it out. We are not surprised that many still do not trust us. What is surprising is that some trust their intuition over the testimony of experts. For those who still have faith in the Internet we present a panel held earlier this year at the Overseas Vote Foundation UOCAVA Summit. <view> (The first video is the introduction, which automatically links to the panelists in order.)

The moderator Assoc. Prof. Candice Hoke, Cleveland-Marshall College of Law, introduces the panel and explains why taking prescription drugs is safer than internet voting.

Joe Jarzombek, Department of Homeland Security, explains the risks of purchased software and what questions elections officials need to ask vendors.

Prof. David Jefferson, Lawrence Livermore National Laboratory, describes the vulnerabilities of email, fax, and web voting and why it's false to assume that since we can bank online, we can vote online.

Asst. Prof. J. Alex Halderman, University of Michigan, describes his experiences creating a voting machine virus, testing Indian voting machines, and his recent attack on the Washington D.C. online voting system.

Dr. Josh Benaloh, Microsoft Security, demonstrates that the central issues are verifiability and vulnerability, not limited to electronic voting. He outlines advanced methods for verifying elections, which leave most vulnerabilities in place.

Stay tuned for the Q&A at the end. It ended with a question from West Virginia officials that was incompletely answered. Let me provide my response:

  • With online delivery of ballots and absentee ballot applications, the soldier in the example could vote anytime after the ballots were available as long as he had access to an online computer with a printer. This would solve the problem for the soldier without the risk and expense of online voting (which would also require an online computer).
  • There is an incorrect assumption in the question. It is true that we could allow a person to accept the risk that their vote would be compromised by online voting, but that is insufficient, since everyone’s vote is at risk if some votes can be compromised.

“Wisconsin is no Minnesota” (Psssst: neither is Connecticut)

Many of the problems in Wisconsin are similar to those we are led to “expect” in states like Connecticut. One unique concern in Wisconsin is several coincident actions of one of the candidates.

Brad Friedman covers issues in the Wisconsin recount, so far. <read>

Many of the problems are similar to those we are led to “expect” in states like Connecticut:

  • Bags not sealed
  • Seal numbers missing
  • Seal numbers don’t match
  • Faith in sealed bags
  • Extra ballots found outside bags
  • Batches of ballots not counted or reported on election night
  • Officials making errors in calculations or submitting results to the state
  • Homegrown accounting systems
  • Local and state officials making errors in transcription and addition

We point out that incompetence or mistakes are good cover for skulduggery, especially where they occur regularly and are routinely accepted/ignored. CTVotersCount readers know that Connecticut Post-Election Audits frequently expose similar problems, as the citizen Bridgeport Recount found, usually followed by no action. The recent exception is some useful, but incomplete, steps to reduce the odds of problems similar to those in Bridgeport occurring, but little to cause the system to correct similar counting, calculating, and reporting errors.

One unique concern in Wisconsin is several coincident actions of one of the candidates, issues including misstatements by the candidate, the activities of the candidate after the election, the location of the changes in votes right after the election, and the location of some of the chain of custody problems (See Brad’s Report).

We are pleased that Wisconsin is holding the recount, such as it is, and that citizens are reporting issues and concerns. The best result would be a recount that ultimately provides real integrity and confidence, followed by positive reform in Wisconsin and other states. At this point we remain open but skeptical that this recount will be satisfactory.

CT Mirror Op-Ed: Online voting is risky and expensive

Our op-ed published at the CTMirror <read>

Online voting is risky and expensive

by Luther Weeks

Luther Weeks is executive director of CTVotersCount.

April 29, 2011

Online voting is an appealing option to speed voting for military and overseas voters. Yet it is actually “Democracy Theater”, providing an expensive, risky illusion of supporting our troops. Technologists warn of the unsolved technical challenges, while experience shows that the risks are tangible and pervasive. There are safer, less expensive solutions available.

This year, the Government Administration and Elections Committee held hearings on a bill for online voting for military voters. Later they approved a “technical bill”, S.B. 939. Tucked at the end was a paragraph requiring that the Secretary of the State “shall, within available appropriations, establish a method to allow for on-line voting by military personnel stationed out of state.”

In 2008, over thirty computer scientists, security experts and technicians signed the “Computer Technologists’ Statement on Internet Voting,” listing five unsolved technical challenges and concluding: “[W]e believe it is necessary to warn policymakers and the public that secure internet voting is a very hard technical problem, and that we should proceed with internet voting schemes only after thorough consideration of the technical and non-technical issues in doing so.”

The prevailing attitude seems to be, if voters and election officials like it and see no obvious problems then it must be safe.

In September 2010, Washington D.C. opened their proposed internet voting system to public testing. The system was quickly compromised, changing all past and future votes. Separately, the municipal network was entered, passwords to municipal systems were obtained, and the list of codes for Internet voting in the November election was obtained.

This should not be surprising. Almost weekly we learn of one system or another that is penetrated by outsiders, including teens and overseas criminals. Organizations that have been unable to protect networks and applications include banks, government agencies, the Department of Defense, Google, and ironically, Internet security firms.

Several states have implemented various forms of Internet voting. None has subjected their systems to evaluation and testing for the difficult challenges identified by the experts. One of the “success stories” without any proof for precluding vulnerabilities is West Virginia. That state spent about $75,000 for 54 electronic votes. Over $1,300 per voter!

To the public, like some legislators, it seems intuitive to accept that “We use ATMs and bank online with no problems, why not vote that way?” This argument fails theoretically and practically. The anonymous ballot does not provide the verification and proof of banking receipts or double entry bookkeeping which help detect fraud. ATMs are bank-owned computers with special network security, much safer than general purpose computers. Even so, banks lose billions each year to fraud with ATMs and online banking. They have warned their business customers to avoid online banking.

There are better, safer, economical alternatives available. The Federal Military and Overseas Voter Empowerment Act (MOVE), passed in 2009, provides for electronic distribution of ballots and absentee ballots that can be returned together in one envelope. In conjunction with the Overseas Vote Foundation, express return of ballots was available from 94 countries for $25 or less. Even regular express rates from almost anywhere are available for less than one-tenth the cost of the unproven West Virginia system. If a military or overseas voter can get to a computer network then they should be able to express their paper ballot and absentee application, at our expense, providing a safe, anonymous, and auditable vote.

To ask Secretary of the State, Denise Merrill, to accomplish what experts have not is a tall order. Especially with no budget! As Merrill testified earlier this year, “In the future, it is conceivable that we could move in the direction of online voting. But the problem is, the technology to make sure no one can hack into an online voting system and distort the vote totals has not yet been developed. We want to make voting more convenient, but not at the expense of the security or integrity of our elections…there is no on-line voting system secure enough to protect the integrity of the vote.”

Update: Said a different way, in a CBC interview with Professor Andrew Appel. He emphasizes that online voting is “dangerous to democracy” on both the client and server ends. (Interview starts about 1/3 into the podcast.) <listen>

When are recounts reasonable?

The Wisconsin Supreme Court election recount started this week. The margin was a bit over 7,000 votes and the percentage just under 0.5% as required by law. John Nichols writes, in “Recount reasonable — just ask a Republican”, of past instances where the loser asked for recounts in much wider margins and of cases with relatively close margins where the original result was overturned. <read>

Back in 1960, when the closest presidential race in modern American history was decided for Democrat John Kennedy, the Republican National Committee and state Republican parties sought recounts in 11 states, including Texas. Kennedy’s advantage over Republican Richard Nixon in Texas in the initial count was 46,000 votes. While Democrats objected that Kennedy’s margin was too large to be overturned, Republicans argued that allegations of voting irregularities in a number of Texas counties justified the demand.

Similarly, in the 1976 presidential race, after Democrat Jimmy Carter beat Republican Gerald Ford in Ohio by more than 9,000, Republicans sought a recount of the votes in that state.

And just last year in Minnesota’s gubernatorial race, Democrat Mark Dayton led Republican Tom Emmer by a little less than 9,000 votes. A hand recount of the state’s ballots confirmed Dayton’s winning margin was 8,770 votes. Emmer’s campaign and the state Republican Party continued to wage court fights and challenge ballots until more than a month after the election, when Emmer finally conceded.

In all three cases, Republicans made reasonable requests for recounts, even if those requests failed to overturn the results.

But Wisconsinites know that recounts can alter results.

In 1970, it appeared that Les Aspin had lost a Democratic primary to Doug La Follette in southeastern Wisconsin’s 1st Congressional District. But after the official canvass, the margin of victory for La Follette — now Wisconsin’s secretary of state — was less than 0.5 percent of the vote. That enabled the former Pentagon aide to seek a recount paid for by the state. The recount found enough uncounted Aspin votes, most of them in Kenosha, to put him ahead of La Follette.

Barely a month after the primary was finally settled in his favor, Aspin defeated Republican Congressman Henry Schadeberg and began a distinguished career that would eventually see him chair the House Armed Services Committee before his appointment as President Bill Clinton’s secretary of defense.

In 1982, it appeared that Democrat Russ Feingold had lost his first political race to Republican state Sen. Everett Bidwell. But the vote in the south-central Wisconsin Senate district was close enough to entitle Feingold to a state-sanctioned recount. He pursued it and, after uncounted Feingold votes turned up in rural Sauk County and on a broken voting machine at a school in Dane County, the result was reversed. Feingold was elected to the state Senate and a decade later became a U.S. senator, serving 18 years as the chamber’s most independent and principled member.

Elections are huge endeavors, involving thousands, sometimes millions, of votes that are tabulated by poll workers and clerks who are — like all of us — imperfect human beings.

When dealing with so many variables, mistakes and missteps are to be expected.

Recounts set things right. They identify actual winners, as well as flaws in the voting and counting systems of the state.

Wisconsin law calls for machine recounts unless a candidate objects. In this case many precincts are being hand counted to preserve the memory cards used in the election. They could use alternate memory cards, but their scanners are so old that the manufacturer cannot supply them. From what we have seen, Wisconsin’s recount law is stronger than Connecticut’s. Wisconsin calls for each ballot to be reviewed by those representing opposing candidates to make sure they agree it can be counted by machine. Connecticut’s law does not; only by procedure do we call for election officials, not candidate representatives, to check ballots. In fact, our recanvass law remains stuck in the lever age, presuming that tabulators do not have ballots. Connecticut’s procedures, but not our law, may be reasonable for moderately close races, but they are insufficient when voter intent and absentee ballot adjudication become critical.

More online voting risks and opportunities for skulduggery

We have been warning of the risks of Internet voting and ignoring science since our founding. Yet, we have overlooked some of the risks, literally right in front of our nose.

Since our founding, we have been warning of the risks of Internet voting and ignoring science. We are currently amazed at our own legislators, risking military voters’ rights, dismissing the scientific facts and the practical evidence of the impossibility of internet voting. Yet, we have overlooked some of the risks, literally right in front of our nose.

More Risks Right In Front Of Our Nose

An ongoing story starting late last week highlights those dangers. B.F. has a post describing intended or accidental suppression which brought those issues to my attention: http://tinyurl.com/3fg2t36 (Note: We use the initials B.F. and a tinyurl intentionally and instructively, just in case you might want to bring this post to the attention of your friends through an email, post, or Facebook link.)

Here is a summary of what happened to B.F.:

If you use an AOL email address, AOL is doing you the favor of making sure you do not receive email containing any links to [B.F.’s site] in it.

Not email from a [B.F. site] address, mind you, as if I were a spammer or something (which, obviously, I’m not), but any email from anybody that has a link to this site, or to one of our news stories.

I learned this swell news early this week when someone was kind enough to let me know that their attempts at sending a link to this site to a friend bounced back to them with an error message. That error message was “HVU:B2”. What is that error?:

  • 421 HVU:B2
      ◦ There is at least one URL or domain in your e-mail that is generating substantial complaints from AOL members. Resolution will require opening a support request.

That’s right, “substantial complaints” from someone, whatever that means, will result in no links to stories at [B.F.’s site] getting through to any of AOL’s millions of members. And they will never know about it.

Again, these are not even emails from [B.F.’s site]. They are simply emails from anybody to any AOL email address which has my domain linked in the body of the email.

Neat, huh? I wonder what would happen if there were “substantial complaints from AOL members” about, say, FoxNews.com? Or MSNBC.com? Or NYTimes.com? Would that result in millions of members not being able to receive any email that links to anything at those sites? Sounds like a great way to [expletive verb] someone you don’t care for politically, doesn’t it?…

So far, I’ve spoken to at least 10 different AOL support people on the phone, since clicking the “support request” URL they offer in the error message seen above actually takes you to someplace on the “AOL Postmaster” that doesn’t actually give you the form you supposedly are to fill out to deal with this issue.

It took a day or two, and several more calls to more very nice AOL tech support people who told me they couldn’t help me in the slightest…

Most ironically, and so that you are open to the interpretation that these are not intended but simply the result of bureaucratic incompetence:

I finally looked up the AOL corporate website online, found the numbers for the “Corporate Media Inquiries” department, figuring I’d either get help or get an on the record comment about this mess and about the fact that AOL is censoring members’ emails for them, and spoke to another very nice person whom I told about the situation, explained that I was a journalist, not a spammer (and besides the notes being rejected didn’t even need to come from my address to get rejected), mentioned the irony that I even write news for Huffington Post from time to time,

But from personal experience I would call it unintentional arrogance. Over the years, I have put up with similar problems from both AOL and Google:

  • I am webmaster for a 501(c)(3) organization that runs annual tournaments for children. Over the years AOL has, to my knowledge, blocked us at least twice. It took some time, each time, to realize this was happening. Both times, I did manage to get through the bureaucracy and get it fixed after some time. Once was because a spammer used some of our email addresses. Another time was when a board member sent an email that had some key words in it that had AOL classify our site as a spammer.
  • A couple of years ago we had problems when a couple of my WordPress sites fell victim to some WordPress vulnerabilities, with malware added from sources unknown. Malware with potential for spreading viruses. The good news is that Google informed me and provided tools, so that it could be quickly corrected. But the bad news was that the sites were banned for several weeks from Google search results and users were shown messages that warned of the dangers of my sites.

Within the last month, a popular news site was hacked and completely taken down such that it had to essentially be rebuilt. And just this weekend another popular reader-supported news site sent this message to donors:

We learned right in the middle of our spring campaign this past week that our secure credit card processor was offline for several hours on a few occasions. Donations were not processing. If you encountered this and gave up, please try again.

So what? What can we learn?

  • Incidents like these may be intentional, unintended, or the result of bureaucratic arrogance.
  • They point the way to intentional disruption.
  • They point the way to intentional disruption covered up as unintended, well meant policies. Who is against protection from spam and viruses? Asking users to report concerns?
  • In cases like AOL’s policies, where users are able to nominate spammers, dangerous or offensive sites, or email addresses, these policies can be used by others to assist in their agendas. It would not take any computer expertise. Beyond the simple cases, expert unethical hackers could infect sites and use policies like Google’s to their advantage.
  • Each of these examples either went unnoticed for several days or took away capabilities for several days once discovered, often inadvertently.
  • No matter how noble the intention or how accidental the cause, the result can be disruption and in some cases defamation in what could be a critical time period.
  • Most of all, recognize that these are common occurrences, much more widespread than the samples that each of us is aware of or that are listed here.

What does this have to do with online voting and democracy?

  • Any of these problems, or similar problems, can occur to any web site, any email account, any time – including those associated with voting, campaigns, and news, all vital to democracy.
  • Voting vulnerabilities include: Online voting, online registration, campaign web sites, campaign emails etc. The impact of such vulnerabilities varies.
  • Many solutions to speeding military and overseas voting include sending election notification and voting materials by email. These would likely come from a known url and email account, which could be blocked. Presumably any form of online voting would require notification and information be sent electronically, unless overseas voters are expected to find and keep checking the site for upcoming elections and availability of materials.
  • We all know email is unsafe, vulnerable to hacking and blocking. These vulnerabilities highlight the possibility of easier and unintentional methods of blocking email return of ballots, email used for voter registration, or email communications/questions between voters and election officials.
  • Voting itself and access by remote military and overseas voters is conducted in very short windows. A site blocked or down for even a day can discourage/disenfranchise someone who has infrequent opportunities for internet access.

Despite the risks we remain in favor of email notification and web access to election materials for military and overseas voting, but the high risk of using the internet, email, or fax for the return of votes is unacceptable.

I agree with our current Secretary of the State, Denise Merrill, in her testimony this year:

  • In the future, it is conceivable that we could move in the direction of online voting.
  • But the problem is, the technology to make sure no one can hack into an online voting system and distort the vote totals has not yet been developed.
  • We want to make voting more convenient, but not at the expense of the security or integrity of our elections…
  • …there is no on-line voting system secure enough to protect the integrity of the vote…

Photo ID: “Birther Bills” For All?

Advancement Project: <read>

According to Advancement Project, this reactionary trend is part of the largest legislative effort to scale back voting rights since Reconstruction: nearly two-thirds of states across the nation introduced onerous voter identification bills this year. The report looks to the implications of this broad effort.

Among the report’s key findings:

  • Proposals to require strict forms of photo ID to vote have been introduced in 32 states.
  • This year’s proposals are the strictest voter identification proposals ever considered by states. Most severely limit forms of acceptable identification voters may show and make scant allowances for those unable to obtain the specific form of identification required by the law, even if they have other forms of ID that can verify their identities at the polls.
  • The photo ID proposals are part of larger coordinated efforts by conservative and Tea-Party backers, designed to reduce the voting strength of voters of color who saw record turnout in 2008, in advance of the 2012 elections.
  • Voter impersonation, the only voting irregularity that could be addressed with photo ID, is exceedingly rare. The proposals do nothing to address other voting problems that are known to occur.
  • Studies show that approximately 11 percent of voters – about 21 million people – lack or cannot obtain a current state-specific photo ID. African American voters are twice as likely to lack current state ID.
  • Photo ID proposals will cost cash-strapped states up to $20 million to implement.
  • Many of the proposals may be legally flawed and constitute a “poll tax” by imposing undue costs and burdens on voters.

We are reminded of the Presidential “Birther Bills” based on the rejection of alternative forms of ID that have been accepted for years. We also note the strong support of the Tea Party despite the cost. As we have said before, “When we favor something, we ignore the costs”.

Wisconsin: Democracy In The Gap: Between Impatience And Incompetence

The best outcome of a recount would be to determine the correct winner of the election, leading to an improved system in Wisconsin, and serving as an example to other states. Yet, Democrats should not get their hopes up for a change in the result.

Let us hope that something good comes from the election error and concern in Wisconsin.

Most CTVotersCount readers have been reading various stories of the recent Wisconsin election, for example <here> or <here>

Overall the situation points out the weak underbelly of elections in many of our states, including Wisconsin and Connecticut. There is little reason to have confidence in the accuracy of election results reported on election night and marginally little additional reason to trust the certified results which usually conform closely to the original reported results.

The underlying causes are our media-fueled goal to get results immediately from tired officials, regardless of their accuracy; followed by officials’ wish to get it over with, avoiding any questions of accuracy or whether every vote was in fact counted; the lack of public attention and budget necessary for trusted, accurate elections, which plays a role; and the initially apparent winner claiming victory, along with the real or imagined risks to the initial loser of being labeled a sore loser. We are aware that many Republicans continue claiming irregularities in the Minnesota 2008 recount while they accuse Democrats of not getting over Florida in 2000.

I agree and caution those that are calling for a complete recount in Wisconsin:

  • A thorough recount may expose the weak underbelly of the system in Wisconsin. It may show many small errors; uncounted votes; inappropriately adjudicated absentee ballots; slight changes due to machines and people missing voters’ intent; and even uncover some system flaws like those found in Humboldt County and in Ohio after the 2008 election.
  • Democrats should not get their hopes up unless they find additional suspicious results in other precincts and counties. Chances are that a recount would uncover many small differences, but it is unlikely that they would add up to enough to overturn an election. Everyone should avoid pushing unfounded or highly speculative theories.
  • The best outcome of a recount would be to determine the correct winner of the election, leading to an improved system in Wisconsin, and serving as an example to other states. A transparent, credible recount of integrity would serve to provide confidence in this one election to the ultimate loser and the majority of voters in Wisconsin. I expect it would uncover additional problems with the system beyond the “lone wolf” spreadsheet accounting in one county, which could lead to an improved system. Admittedly this is an optimistic view, yet there are often at least positive incremental improvements after election vulnerabilities are discovered, with unfortunately the risk of expensive, knee-jerk reactions of questionable impact (see 2000, HAVA, vendor “help”).

Waukesha County, Wisconsin vs. Bridgeport Connecticut

  • Connecticut has little to offer Wisconsin as an example of accurate accounting. We do have some “lone wolves” that use spreadsheet accounting, but many others use the old-fashioned system of human transcription and accounting. As one Representative characterized our election system, it is a bit of the “Wild West”. In general, by hand or spreadsheet, it is a three step process of manual transcription and accounting with a record of errors and omissions.
  • We have no idea what a recanvass would show in a statewide Connecticut Election. In the recent race for Governor we understand that about eight towns (nobody knows, there was no requirement to report it) ran out of preprinted ballots and produced copied ballots that would be counted by hand. At least two of those ran out of ballots in polling places. The state recounted none of those towns. The Connecticut Post newspaper and citizens recounted one of those towns, demonstrating extensive counting and accounting errors along with wide discrepancies in ballot counts vs. check-off lists. Ten percent of districts were subject to post-election audits of district machine-counted ballots. No official report is yet available; however, the Coalition audit observation report demonstrated the usual level of significant differences that indicate inaccurate counting and the possibility of machine errors. The audits do not check hand counted ballots or centrally counted absentee ballots. As far as we know, five towns have yet to supply official audit reports to the Secretary of the State for the audits which would have been completed by November 22nd 2010.
  • Connecticut has little to offer Wisconsin in the area of recounting. Like Wisconsin, our recanvasses are primarily a modified recount by similar machines and memory cards. Unlike Wisconsin, we have no provision in our recanvasses for adjusting vote counts if check-off list counts do not match. In fact, Connecticut recanvasses do not check check-off lists. Recounts in Connecticut are possible via a court order. Procedures are not defined in our state law.

We also recommend that citizens of Wisconsin with concerns undertake a thorough review of all posted results and confirm election documents to uncover any other potential specific questionable counts. To his credit, the well supported and financed losing candidate in Connecticut in November 2010 did that to satisfy himself that the result was accurate enough to select the actual winner.

We also note that the Connecticut Legislature and Secretary of the State are proposing steps that would reduce the possibility of similar ballot shortages in the future, yet we have much more work to provide election integrity and credibility equal to the promise of democracy.

Let us take no comfort in the election error in Wisconsin. Let us hope that something good comes from the concerns.

Update. More reasons to Investigate:

Worth checking the source of numbers reported and the accounting details. Alleged history of some questionable results in the county: 20,000 more votes than ballots (Waukesha, 2006) <read> <read>

Also Democrat refutes earlier impression that she endorsed/understood revised result <read>

Losing democracy in cyberspace

Voting computers, like heads of state, must be held accountable to the people they serve.

Editorial by voting integrity advocate Penny Venetis in NorthJersey.com: Losing democracy in cyberspace – Voting computers, like heads of state, must be held accountable to the people they serve. <read>

What nobody is talking about is how votes will be cast in emerging democracies. For elections to be legitimate in such countries, it is critical to use voting technology that counts votes accurately. In the 21st century, chances are high that computers will be used in some form in the coming elections in Egypt and Tunisia. But voting computers, like heads of state, must be held accountable to the people they serve.

It is a tenet of computer science that computers can be programmed to do anything, including play “Jeopardy!” and steal votes…

The Princeton hacks are not unique. Studies commissioned by the secretaries of state of California, Ohio, Maryland and Connecticut outline in great detail the many vulnerabilities of various computerized voting systems.

The University of Connecticut and Professor Appel in New Jersey have produced several excellent reports on the vulnerabilities of voting machines and the lack of physical security provided by “tamper evident” seals in common use. Yet, as Professor Venetis points out, having paper ballots and knowing the risks is not enough:

But voter verified paper ballots, in and of themselves, cannot detect fraud. To fully ensure that the voting computers are not cheating, it is necessary to audit a certain percentage of voting machines in each election precinct by manually counting the paper ballots and comparing the hand-counted results with the computer-generated results. This system worked marvelously in Minnesota, when millions of voter verified paper ballots had to be hand-counted to determine the winner of the 2008 Senate race. Studies showed that the tally was 99.99 percent accurate.

Finally, to ensure that votes are counted accurately, it is imperative that totals be counted and announced at the precinct level. This protects against tampering with voting machines and paper ballots while they are being transported to centralized tabulation locations.

New Jersey falls short because it does not have paper ballots or paper records. Connecticut has paper ballots and audits, yet our audits fall far short. Our law has several glaring exemptions and flaws, including: only polling place optically scanned ballots are audited, omitting most absentee ballots and hand counted ballots, like those copied ballots in Bridgeport; exemptions for districts that have recanvasses or contested elections; the results audited against are not published; there is no deadline for publishing results of the audits, which are not binding on the election; random drawings have not met the requirements of the law; audits showing differences have been investigated behind closed doors; and the audit reports have dismissed all differences as human counting errors. <See: Inadequate Counting, Reporting,  and Reporting Continue>

As we have said, many times, with regard to our audits in Connecticut: “If we dismiss all differences as human counting errors, if there ever was error or fraud it would not be recognized.”
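The audit described above (draw a share of districts, hand count the paper, compare with the reported totals) can be made checkable by anyone. The sketch below is an added example, not part of the editorial or of any state's procedure; the hash-ranked drawing, the district names, the seed and all counts are constructed assumptions, and the ten percent share is the figure quoted earlier on this page.

```python
import hashlib

# Constructed sample data (not real election results).
DISTRICTS = [f"D{n:02d}" for n in range(1, 21)]
PUBLIC_SEED = "constructed-seed-from-public-dice-rolls"
RECORDS = [
    {"district": "D03",
     "reported": {"Candidate A": 412, "Candidate B": 390},
     "hand_count": {"Candidate A": 412, "Candidate B": 390},
     # Every ballot category is included, not only scanned polling place ballots.
     "ballots_by_type": {"scanned": 760, "absentee": 38, "hand_counted": 4},
     "checkoff_list": 802},
    {"district": "D11",
     "reported": {"Candidate A": 505, "Candidate B": 498},
     "hand_count": {"Candidate A": 497, "Candidate B": 498},
     "ballots_by_type": {"scanned": 900, "absentee": 80, "hand_counted": 25},
     "checkoff_list": 1003},
]

def select_districts(district_ids, public_seed, percent=10):
    """Rank districts by SHA-256(seed|id) and take the first `percent` of them.
    Anyone holding the published seed and district list can repeat the drawing."""
    def rank(district):
        return hashlib.sha256(f"{public_seed}|{district}".encode()).hexdigest()
    count = max(1, (len(district_ids) * percent + 99) // 100)  # integer ceiling
    return sorted(district_ids, key=rank)[:count]

def audit_district(record, tolerance=0):
    """Return every difference as (district, item, reported, observed).
    With tolerance=0 nothing is written off as a counting error in advance."""
    findings = []
    reported, hand = record["reported"], record["hand_count"]
    for candidate in sorted(set(reported) | set(hand)):
        r, h = reported.get(candidate, 0), hand.get(candidate, 0)
        if abs(h - r) > tolerance:
            findings.append((record["district"], candidate, r, h))
    ballots = sum(record["ballots_by_type"].values())
    if ballots != record["checkoff_list"]:
        findings.append((record["district"], "ballots vs check-off list",
                         record["checkoff_list"], ballots))
    return findings

def run_audit(records):
    """Collect findings for all audited districts so they can be published."""
    return [f for record in records for f in audit_district(record)]

if __name__ == "__main__":
    print("Districts drawn:", select_districts(DISTRICTS, PUBLIC_SEED))
    for finding in run_audit(RECORDS):
        print("Needs investigation:", finding)
```

Publishing the seed, the district list and the full findings list is what lets outside observers confirm both the drawing and the comparison.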

Virtual war a real threat…to water and democracy

LATimes reports on cyber threats to a Southern California water system.  This is why we have been testifying against “online” voting and highlighting that even good size cities cannot protect their systems.  Clearly each of Connecticut’s 169 towns could not afford even the expense of threat assessment of online voting systems. A good start would be vulnerability assessment of our existing paper ballot and voting machine security. Virtual war a real threat <read>

When a large Southern California water system wanted to probe the vulnerabilities of its computer networks, it hired Los Angeles-based hacker Marc Maiffret to test them. His team seized control of the equipment that added chemical treatments to drinking water — in one day…

“There’s always a way in,” said Maiffret, who declined to identify the water system for its own protection.

The weaknesses that he found in California exist in crucial facilities nationwide, U.S. officials and private experts say.

The same industrial control systems Maiffret’s team was able to commandeer also run electrical grids, pipelines, chemical plants and other infrastructure. Those systems, many designed without security in mind, are vulnerable to cyber attacks that have the potential to blow up city blocks, erase bank data, crash planes and cut power to large sections of the country.

Update: New York Times post reviews several recent attacks on businesses by individuals. Clearly no reason to be assured by the above article’s assertion that “Terrorist groups such as Al Qaeda don’t yet have the capability to mount such attacks”. The Asymmetrical Online War <read>

“It’s a completely surreal realization that nation states can be seriously confronted by teenagers, but that’s where we’re at,” said John Perry Barlow, the Grateful Dead lyricist who co-founded the Electronic Frontier Foundation in 1990 to help defend young computer hackers. “One very smart person can take on an entire nation state.”

One can take on the security apparatus of the Web as well. In the space of a little more than a month, two computer security firms have been publicly humiliated, one by an anonymous computer hacker who claimed in an e-mail interview with a Forbes columnist to be a 16-year-old girl and a second by someone who is apparently a 21-year-old Iranian…

Hardly a week passes when there isn’t some new incident underscoring the fundamental imbalance of power in cyberspace between attacker and defender, where a highly motivated and reasonably skilled intruder, operating in secrecy from almost anywhere in the world, can with apparent ease unravel digital fortifications intended to offer banking-grade security.

In February, an executive at HBGary, a Sacramento, Calif., security software and consulting firm, made the mistake of publicly boasting that he had unmasked the identities of the members of Anonymous, a secretive collection of cyber-vigilantes who had attracted attention by launching Internet denial-of-service attacks in defense of Wikileaks. The security company, which was engaged in a series of dubious business propositions, soon found that the details of its business were exposed to the world. Anonymous, whose ringleader was possibly a teenager, tricked one of the company’s systems administrators into giving them password information, making it possible to steal more than 50,000 of HBGary’s e-mail messages and placing them on a Russian web site.

Update: Man hacks Federal Reserve and other financial institutions <read>

According to court documents, Poo found a security vulnerability in the Federal Reserve’s network in June 2010, resulting in thousands of dollars worth of damages. However, it is believed that he stole the huge booty of credit card numbers and other account information from other financial institutions.

The American government claims to have also obtained extensive evidence of how Poo’s alleged criminal hacking activity targeted the US’s national security, military and financial sectors.

Security Theater: Scary! Expert Outlines Physical Security Limitations

Connecticut’s ballots and voting machines are vulnerable. We are subject to many of the characteristics of “Security Theater” outlined by Dr. Roger Johnston of Argonne Lab’s Vulnerability Assessments Team. “Security” seals can be compromised, undetected in seconds. That is only the tip of the iceberg. Forget those Dracula movies. Contemplate the value of ballots to our democracy while watching the video.

Back in January, we covered reports on six failed attempts by New Jersey to successfully secure voting machines with “security” seals – seals like those used in Connecticut to “protect” our ballots and voting machines. A computer expert and a security expert provided reports outlining the ease with which those seals can be compromised by an amateur and an expert.

“Security” seals can be compromised, undetected in seconds. That is only the tip of the iceberg. Full security often involves a lot more: locks, vaults, chain-of-custody, alarms, video surveillance, and guards. Unfortunately, most physical security can also be easily defeated, according to one of the experts, Roger Johnston of the Argonne National Lab Vulnerability Assessments Team.

Last week I was fortunate to hear Dr. Johnston speak at a voting integrity conference in Chicago. Although I don’t have his slides or a video from that conference, I do have videos of a short appearance on NBC and a longer talk he gave last year:

  • Getting paid to break into things: Argonne’s Roger Johnston on NBC <watch 4min>
  • Proving Voltaire Right: Security Blunders Dumber Than Dog Snot <watch 127min>

What I found most enlightening last week was a slide showing fifteen characteristic attributes of “Security Theater” (you can see it at about 5 min into the second video). Some of the attributes we often observe in Connecticut ballot security are:

  • “Sense of urgency”
    Urgency can be seen and felt on election night as officials are rushing to finalize results, complete paperwork, and complete a seventeen hour day. Is the seal applied correctly to prevent access without tampering? Do two officials check the seal number on the ballot case and the moderator’s return? Is the return completed in ink or pencil? Are the ballots under observation by at least two officials until they are locked in town hall? Is the seal number on the bag checked against the moderator’s return when the ballots are locked in town hall? Officials complain that it may take days for both registrars to be available to check ballots and sealed paperwork after an election.
  • A very difficult security problem
    Budgets are tight. Very few towns keep their ballots in vaults or securely locked facilities. We observe weak single locks or padlocks, ballots stored in isolated storage rooms with weak building security. Or no locks at all.
  • Involves fad and/or pet technology
    We have seen seals made with office printer labels with no numbers and seals that are entirely written by hand.
  • Questions, concerns, & dissent are not welcome or tolerated
    Any suggestion that someone might compromise security is instead defensively interpreted as an accusation against the integrity of a registrar or all registrars. We are told that Connecticut towns cannot afford to improve security. Security does cost money, yet there are economical alternatives to dramatically increase ballot security. Can we afford to leave our democracy conveniently vulnerable?
  • Strong emotion, over confidence, arrogance, ego, and/or pride related to security
    (see above)
  • Conflicts of Interest
    Most registrars and election officials are closely aligned with parties – that is why we have at least two registrars in each town, of opposing interests. Everyone in town hall is dependent on the outcome of budget referendums and the plans of those elected. (as a counter example, the owner of a jewelry store, bank president, or jail guard normally has little conflict of interest in security)
  • No well-defined adversary
    Most individuals, election officials, candidates, candidate supporters, and town employees are honest. Yet, almost every person, agency, or business has stakes in election outcomes.
  • No well-defined use protocol
    Our statutes on ballot security are weak and ambiguous; it is unlikely that the pending technical bills will change that. Towns follow (or don’t follow) a variety of procedures, mostly unpublished, vulnerable, and unverifiable.
  • No effective [vulnerability assessments]; no devil’s advocate
    You could say that CTVotersCount and the Coalition have been devil’s advocates, yet so far to little avail.
  • People who know little about security or the technology are in charge
    Many of our registrars and their staff demonstrate and will admit lack of knowledge of our voting technology. How many actually understand security? How many understand security technology such as the vulnerability of seals, locks, and the lack of security in a chain-of-custody filled out using an “honor system”? What security is there when most towns provide access with a single key and many provide access to that key for anyone working in the registrars’ office? How secure is access to the key or to the ballot storage by other means?

Forget those Dracula movies. Contemplate the value of ballots to our democracy while watching the Dog Snot video.

Not up for a scary movie? Here is a recent interview of Dr. Johnston on Op-News.  He provides suggestions for improving voting security. <read> Here the context is voting machines but the same considerations also apply to ballots. How many of these are in effect in your town?

Suggestions for better election security:

1.  Let’s try to separate concerns, questions, and criticisms about election security from political attacks on election officials (who are often elected themselves).  Security should be controversial and we need to listen to all input about it.

2.  Election officials need to think like the bad guy.  How would you cheat?

3.  Establish a healthy security culture and climate, where security is constantly on everybody’s mind and open for discussion and debate and review and outside analysis.

4.  Ironically (and counter-intuitively), the best security is usually transparent.

5.  Security is hard work, so expect to put in hard work.

6.  Do periodic background checks on people who move and maintain the voting machines.

7.  Somebody has to sign for the machines when they reach the polling place prior to the election (there can’t be a delay in delivery), and at least semi-watch them.  Use custodians, teachers, secretaries, and school kids (a great civics lesson!) to keep an eye on the machines if you can’t lock them up.

8.  Consider escorting the machines to and from the polling places.

9.  Lean on manufacturers of voting machines to get serious about security.

10.  Have a real, secure chain of custody, not bureaucratic forms to sign or initial purporting to be a chain of custody.

11.  Try bribing your people, then make them public heroes and let them keep the money if they decline.  (Wait at least one day, though.)  Word will get around it isn’t a good idea to accept a bribe.

12.  Form a pro bono citizens panel with local security experts to provide guidance.

13.  You must randomly select some machines before, during, and after the election to completely tear apart, examine, and reverse engineer.  Just seeing if they appear to run correctly is not good enough!  It’s too easy to turn cheating on and off.

14.  If you are going to use seals, provide at least a few hours of training in how to spot attacked seals.  Give lots of examples of attacked seals.  Discuss how the seals will likely be attacked.