This article was posted at physorg.com on March 11 2012.

As many as 25 percent of Americans are expected to use paperless electronic voting machines in the upcoming November elections, according to the Verified Voting Foundation, but confidence has been eroded by incidents showing vulnerabilities. The foundation, which seeks more reliable election systems, contends that voting machines in 11 states are all-electronic, with no paper systems for recounts, and that many other jurisdictions have some of these systems in place. … Pamela Smith of the Verified Voting Foundation said these incidents highlight the fact “that you can have insider challenges as well as outsider hacks. It points out that you have to be able to check the system.” Election security and technology has been an issue in the United States since the 2000 president election marred by “hanging chads” in Florida that muddled the result. (more)

On February 23, the Maryland State Board of Elections held meeting a proposed system for remote absentee voting was discussed. Verified Voting submitted testimony (see below) about the system, which includes the use of ballot marking wizard software. We maintain that such software — regardless of any other program it may be bundled or used with — meets the definition of  a voting system in Section 301 of the Help America Vote Act and should therefore undergo testing and certification before use. Further, such online ballot marking software contains potentially severe hazards. We raise these in the testimony provided to the SBE.

Thanks to passage of a law requiring voter-marked paper ballots, Maryland is in a slow transition to using a fully voter-verifiable system one day. However, another concern raised in the remarks we provided was the use of a bar code on the remotely printed voted ballot, from which a new version of the voted ballot would be printed once it is received by mail back at the elections office. This version printed from information encoded in the barcode design is the one that would be officially counted. This runs counter to the concept of voter-verifiable ballots. Verified Voting’s testimony follows after the fold. (more)

On February 14, 2012, Colorado Secretary of State Scott Gessler held a hearing on proposed changes to existing regulations governing county procedures for the security of ballots, voting equipment, and other election materials.  The public was invited to comment.  Verified Voting reviewed the proposed rules changes (which can be found here) and made the following comment, highlighting concerns about changes to chain procedures of custody of ballots and equipment.

Submitted February 21, 2012

Thank you for this opportunity to comment upon proposed revisions to Colorado Election Rules governing county procedures for securing election equipment and materials. Verified Voting is a national nonpartisan organization working to safeguard elections in the digital age. We seek to promote the deployment of election systems and practices that vouchsafe the accessibility, reliability, and transparency of public elections. We believe that the proposed revision contains several positive changes, as well as some that cause concern, or call for more clarity.

We begin by noting several laudable provisions in the proposed changes:
Continued ban on voting system connection to the Internet
The draft changes to Rule 43 continue Colorado’s wise policy of prohibiting election administrators from connecting voting system components to the Internet. In the past decade, Colorado joined a number of States, including California, Texas, New York, and Ohio, in recognizing that connecting any component of a voting system to the Internet creates unacceptable security risks. This provision should eliminate the insecure practice of using the Internet for the transmission of voted ballots. (We feel compelled to note here the disparity between this Rule and the present debate over whether to fund an Internet pilot project for Colorado’s military and overseas voters. Claims that Internet voting systems now being proffered for use are fundamentally safe from the risks of the Internet ring hollow; as experts have noted, the security problems with Internet voting are largely intrinsic to the Internet itself rather than to a given system or vendor.)
Required annual updates of county security plans
The draft Rule 43 would establish a requirement that counties update their security plans annually, in contrast to the previous Rule, which did not require regular updates. We believe this change is useful and could help Colorado election administrators more effectively manage election materials.
The draft changes also include language that we believe calls for clarification or revision, in the following areas:
Safeguarding stored, voted ballots
Regarding the safeguarding of voted ballots, the draft language governing the use of security cameras and other surveillance describes “areas used for processingmail-in ballots, including but not limited to areas used for Signature Verification, tabulation, or storage of voted ballots beginning at least thirty-five (35) days prior to the election and continuing through at least thirty (30) days after the election, unless there is a recount or contest.” Beyond this language, there is no mention of the security surveillance of voted ballots that are not mail-in ballots, and it is unclear if such non-mail-in ballots are also covered by the same security surveillance provisions. We respectfully suggest that Rule 43 clearly require video surveillance of the storage of all voted ballots, each of which is not less critical to the integrity of the election than another. (more)

This article was posted at Computerworld on March 1 2012.

Internet voting systems are inherently insecure and should not be allowed in the upcoming general elections, a noted security researcher said at the RSA Conference 2012 being held in San Francisco this week. David Jefferson, a computer scientist at Lawrence Livermore National Laboratories and chairman of the election watchdog group Verified Voting, called on election officials around the country to drop plans to allow an estimated 3.5 million voters to cast their ballots over the Internet in this year’s general elections. In an interview with Computerworld US on Wednesday, Jefferson warned that the systems that enable such voting are far too insecure to be trusted and should be jettisoned altogether.

Jefferson is scheduled to participate in a panel discussion on the topic at RSA on Thursday. Also on the panel are noted cryptographer and security guru Ron Rivest, who is the “R” in RSA, and Alex Halderman, an academic whose research on security vulnerabilities in e-voting systems prompted elections officials in Washington to drop plans to use an e-voting system in 2010.

“There’s a wave of interest across the country, mostly among election officials and one agency of the to offer Internet voting,” to overseas citizens and members of the military, Jefferson said. “From a security point of view, it is an insane thing to do.”

A total of 33 states allow citizens to use the Internet to cast their ballots. In a majority of cases, those eligible to vote over the Internet receive their blank ballots over the Web, fill them in and submit their ballots via email as a PDF attachment. Some states, such as Arizona, have begun piloting projects that allow eligible voters to log into a web portal, authenticate themselves and submit their ballots via the portal.

The insecurity and the inability to audit such voting practices is unacceptable, Jefferson said.

Ballots sent via email for instance, are transmitted in the clear without encryption. That means any entity, such as an ISP or a malicious hacker that sits between the voter and the county where the vote is being cast, can view, filter, substitute or modify the ballot, he said.

Meanwhile, the e-voting Web portals that have been proposed for use in Arizona and are being tested in other states, are prone to all the security vulnerabilities and attacks that other sites face, he said.

As one example, he pointed to an attack crafted by Halderman , an assistant professor of computer science at the University of Michigan, in 2010 against a Digital Vote by Mail System that was proposed for use in Washington. The system was designed to be used by overseas voters and military personnel based in other countries.

But Halderman, along with a team of researchers, easily broke into the system, and showed how they could modify and replace marked ballots in the system. The researchers even tweaked the system so that voters would be greeted with the University of Michigan fight song when they landed on the vote confirmation page.

The election officials in charge of such systems do not have the technical expertise or the resources needed to detect or protect their systems against such attacks, Jefferson said. “The kind of attack that Halderman did can be repeated any where at any time,” with little response, he said.

In addition, Web-based voting systems are vulnerable to the samesecurity threats that face other websites. These threats include DNS routing attacks, man-in-the middle attacks and denial-of-service attacks and can prevent voters from casting their ballots. The client systems that eligible voters use to cast their ballots are equally vulnerable, Jefferson said. Numerous attacks are possible where a voter might case a ballot and have no way of knowing whether the ballot was intercepted, modified or cast at all.

Electronic voting systems of the sort proposed for use in this year’s general elections do not provide anywhere near the auditability provided by paper votes, he said. While there are mechanisms to ensure that the same voter does not cast multiple ballots, there is nothing to prove that a ballot was cast in the manner that the voter intended, he said.

“Once you put ink on paper, you can’t change it without that change being easily detectable,” Jefferson said. “Paper is indelible. People can see it, track it and read it.” He noted that the only country with an Internet voting system comparable to the U.S. is Estonia. Other countries have tried e-voting technology and have either gone back to paper voting or are reconsidering it, he said.

“What we are asking every state, every jurisdiction to do is not use Internet voting,” Jefferson said. “It is OK to transmit blank ballots over the Internet” to overseas and absentee voters he said, but not ballots that have been filled in.

Susannah Goodman, director of the election reform project at the watchdog group Common Cause, said states that are moving ahead with Internet voting plans would do well to look at states such as New York and California which have said they will not adopt such measures,because of security concerns.

“Knowing what we know, it is not a verifiable form of voting. It is not a safe form of voting,” she said.

This article was posted at the Los Angeles Times on Feb. 13, 1012.

It’s often been said that Oscar season reflects the broader splendors and dysfunctions of American public life. The Academy of Motion Picture Arts and Sciences’ ideals of scrupulous fair play have been under constant challenge in recent years, on such issues as the promotional pull of A-list stars, the power of big-studio money and negative advertising campaigns designed to undermine the competition. Now, though, the academy may be committing a blunder of its own making. It recently announced that it would be ditching its current all-mail secret ballot system, and that its more than 5,000 members would be voting through their own computers, starting next year.

The academy said the software developed by the San Diego-based computer voting company Everyone Counts would incorporate “multiple layers of security” and “military-grade encryption techniques” to ensure that nothing untoward or underhanded could occur beforePricewaterhouseCoopers, its accountancy firm, captured the votes from the Internet ether.

Unfortunately, leading computer scientists around the world who have looked at Internet voting systems do not share the academy’s confidence. On the contrary, they say the technology is vulnerable to a variety of cyber attacks — no matter how many layers of encryption there are — and risks producing a fraudulent outcome without anyone necessarily realizing it.

Nothing has demonstrated the danger more starkly, perhaps, than a pilot Internet election in Washington in the fall of 2010, which was comprehensively hacked by a team from the University of Michigan. Election officials had invited the public to test the program, and the team, led by computer scientist J. Alex Halderman, was able not only to change votes undetected but also to see who had voted for whom. Halderman reported seeing attempted hacks from as far away as Iran and China, and took steps to thwart them while election administrators in Washington remained blissfully unaware.

Computer experts on both sides of the Atlantic are unequivocal: There is no known way to have a secret ballot, keeping the voter entirely separate from his or her vote, and also to conduct a meaningful audit ensuring that nothing went awry. David Dill, a computer science professor at Stanford University and the founder of the voting rights group VerifiedVoting.org, said the danger was far more acute when voters use their own computers, which tend to be riddled with malicious software that enables hackers half a world away to manipulate them at will. (more)

This article was posted at the UK Guardian on Feb. 2, 1012.

Computer security experts have warned that the 2013 Oscars ballot may be vulnerable to a variety of cyber attacks that could falsify the outcome but remain undetected, if the Academy of Motion Picture Arts and Sciences follows through on its decision to switch to internet voting for its members. The Academy announced last week that it would be ditching its current vote-by-mail system and allowing its members to fill out electronic ballots from their home or office computers to make their choices for best picture and the other big Hollywood prizes, starting in 2013. It announced a partnership with Everyone Counts, a California-based company which has developed software for internet elections from Australia to Florida, and boasted it would incorporate “multiple layers of security” and “military-grade encryption techniques” to maintain its reputation for scrupulous honesty in respecting its members’ voting preferences.

The change will be a culture shock for an Academy voting community that tends to skew older and more conservative: indeed, concerns are already surfacing whether all of the Academy voters even have email addresses. And the claims have been met with deep scepticism by a computer scientist community which has grappled for years with the problem of making online elections fully verifiable while maintaining ballot secrecy – in other words, being rigorous about auditing the voting process but still making sure nobody knows who voted for what. So far, nobody has demonstrated that such a thing is possible.

“Everybody would like there to be secure internet voting, but some very smart people have looked at the problem and can’t figure out how to do it,” said David Dill, a professor of computer science at Stanford University and founder of the election transparency group Verified Voting. “The problem arises as soon as you decouple the voter from the recorded vote. If someone casts a ballot for best actor A and the vote is recorded for best actor B, the voter has no way of knowing the ballot has been altered, and the auditor won’t be able to see it either.” (more)

The League of Women Voters of South Carolina recently screened “Patriocracy,” a new film by Brian Malone, who attended the screening and participated in a question and answer event afterward. The film focuses on the question of whether the US political system is broken because politics have become too partisan and the unwillingness of polarized groups to compromise. My primary motivation in writing this review stems from a segment of the film that featured Americans Elect COO Elliot Ackerman making the familiar and discredited argument that if we can bank and shop online we can vote online.

If one were doing a film about cures for cancer, and time were given to someone explaining theories of the arrangement of crystals around the patient, the science would be called into question. If one were doing a film about nuclear energy and time were given to someone explaining that the answer lay in extending the half life of uranium by a factor of four to six, the science would be called into question. If one were doing a film about the possible evils of the Citizens United decision of SCOTUS, and time were given to someone discussing how to have the House of Representatives solve the problem by passing a law, then the legal judgement would be called into question, and the judgement of the filmmaker would be called into question in permitting a bogus argument like that to be included in what was purported to be a legitimate film. (more)