Verified Voting Blog

Questions linger in US on high-tech voting

Verified Voting — Sun, 11 Mar 2012 08:10:33 +0000

This article was posted at physorg.com on March 11 2012. As many as 25 percent of Americans are expected to use paperless electronic voting machines in the upcoming November elections, according to the Verified Voting Foundation, but confidence has been eroded by incidents showing vulnerabilities. The foundation, which seeks more reliable election systems, contends that [...]

Verified Voting Testimony to the Maryland Board of Elections

Verified Voting — Fri, 09 Mar 2012 05:43:46 +0000

On February 23, the Maryland State Board of Elections held meeting a proposed system for remote absentee voting was discussed. Verified Voting submitted testimony (see below) about the system, which includes the use of ballot marking wizard software. We maintain that such software — regardless of any other program it may be bundled or used [...]

Verified Voting Comments on Proposed Changes to Colorado Election Rule 43

Verified Voting — Thu, 08 Mar 2012 07:26:05 +0000

Thank you for this opportunity to comment upon proposed revisions to Colorado Election Rules governing county procedures for securing election equipment and materials. Verified Voting is a national nonpartisan organization working to safeguard elections in the digital age. We seek to promote the deployment of election systems and practices that vouchsafe the accessibility, reliability, and transparency of public elections. We believe that the proposed revision contains several positive changes, as well as some that cause concern, or call for more clarity.

We begin by noting several laudable provisions in the proposed changes:

Continued ban on voting system connection to the Internet
The draft changes to Rule 43 continue Colorado's wise policy of prohibiting election administrators from connecting voting system components to the Internet. In the past decade, Colorado joined a number of States, including California, Texas, New York, and Ohio, in recognizing that connecting any component of a voting system to the Internet creates unacceptable security risks. This provision should eliminate the insecure practice of using the Internet for the transmission of voted ballots. (We feel compelled to note here the disparity between this Rule and the present debate over whether to fund an Internet pilot project for Colorado's military and overseas voters. Claims that Internet voting systems now being proffered for use are fundamentally safe from the risks of the Internet ring hollow; as experts have noted, the security problems with Internet voting are largely intrinsic to the Internet itself rather than to a given system or vendor.)

Required annual updates of county security plans
The draft Rule 43 would establish a requirement that counties update their security plans annually, in contrast to the previous Rule, which did not require regular updates. We believe this change is useful and could help Colorado election administrators more effectively manage election materials.

The draft changes also include language that we believe calls for clarification or revision.

Internet voting systems too insecure, researcher warns

Verified Voting — Fri, 02 Mar 2012 11:43:21 +0000

This article was posted at Computerwold on Mar. 1 2012.

Internet voting systems are inherently insecure and should not be allowed in the upcoming general elections, a noted security researcher said at the RSA Conference 2012 being held in San Francisco this week. David Jefferson, a computer scientist at Lawrence Livermore National Laboratories and chairman of the election watchdog group Verified Voting, called on election officials around the country to drop plans to allow an estimated 3.5 million voters to cast their ballots over the Internet in this year's general elections. In an interview with Computerworld US on Wednesday, Jefferson warned that the systems that enable such voting are far too insecure to be trusted and should be jettisoned altogether.

Jefferson is scheduled to participate in a panel discussion on the topic at RSA on Thursday. Also on the panel are noted cryptographer and security guru Ron Rivest, who is the "R" in RSA, and Alex Halderman, an academic whose research on security vulnerabilities in e-voting systems prompted elections officials in Washington to drop plans to use an e-voting system in 2010.

"There's a wave of interest across the country, mostly among election officials and one agency of the [Department of Defense] to offer Internet voting," to overseas citizens and members of the military, Jefferson said. "From a security point of view, it is an insane thing to do."

Stealing Oscar: The Academy’s plan to allow voting by computer is an open invitation for cyber attacks and fraudulent outcomes

Verified Voting — Mon, 13 Feb 2012 20:59:19 +0000

This article was posted at the Los Angeles Times on Feb. 13, 1012.

It's often been said that Oscar season reflects the broader splendors and dysfunctions of American public life. The Academy of Motion Picture Arts and Sciences' ideals of scrupulous fair play have been under constant challenge in recent years, on such issues as the promotional pull of A-list stars, the power of big-studio money and negative advertising campaigns designed to undermine the competition. Now, though, the academy may be committing a blunder of its own making. It recently announced that it would be ditching its current all-mail secret ballot system, and that its more than 5,000 members would be voting through their own computers, starting next year.

The academy said the software developed by the San Diego-based computer voting company Everyone Counts would incorporate "multiple layers of security" and "military-grade encryption techniques" to ensure that nothing untoward or underhanded could occur beforePricewaterhouseCoopers, its accountancy firm, captured the votes from the Internet ether.

Unfortunately, leading computer scientists around the world who have looked at Internet voting systems do not share the academy's confidence. On the contrary, they say the technology is vulnerable to a variety of cyber attacks — no matter how many layers of encryption there are — and risks producing a fraudulent outcome without anyone necessarily realizing it.

UK Guardian: Oscars vote vulnerable to cyber-attack under new online system, experts warn

Verified Voting — Thu, 02 Feb 2012 19:35:16 +0000

Computer security experts have warned that the 2013 Oscars ballot may be vulnerable to a variety of cyber attacks that could falsify the outcome but remain undetected, if the Academy of Motion Picture Arts and Sciences follows through on its decision to switch to internet voting for its members. The Academy announced last week that it would be ditching its current vote-by-mail system and allowing its members to fill out electronic ballots from their home or office computers to make their choices for best picture and the other big Hollywood prizes, starting in 2013. It announced a partnership with Everyone Counts, a California-based company which has developed software for internet elections from Australia to Florida, and boasted it would incorporate "multiple layers of security" and "military-grade encryption techniques" to maintain its reputation for scrupulous honesty in respecting its members' voting preferences. The change will be a culture shock for an Academy voting community that tends to skew older and more conservative: indeed, concerns are already surfacing whether all of the Academy voters even have email addresses. And the claims have been met with deep scepticism by a computer scientist community which has grappled for years with the problem of making online elections fully verifiable while maintaining ballot secrecy – in other words, being rigorous about auditing the voting process but still making sure nobody knows who voted for what. So far, nobody has demonstrated that such a thing is possible. "Everybody would like there to be secure internet voting, but some very smart people have looked at the problem and can't figure out how to do it," said David Dill, a professor of computer science at Stanford University and founder of the election transparency group Verified Voting. "The problem arises as soon as you decouple the voter from the recorded vote. If someone casts a ballot for best actor A and the vote is recorded for best actor B, the voter has no way of knowing the ballot has been altered, and the auditor won't be able to see it either."

Duncan Buell: Patriocracy Overlooks Internet Voting Security Concerns

Verified Voting — Fri, 20 Jan 2012 16:22:01 +0000

The League of Women Voters of South Carolina recently screened "Patriocracy," a new film by Brian Malone, who attended the screening and participated in a question and answer event afterward. The film focuses on the question of whether the US political system is broken because politics have become too partisan and the unwillingness of polarized groups to compromise. My primary motivation in writing this review stems from roughly 60-second segment of the 60-minute film that featured Americans Elect COO Elliot Ackerman making the familiar and discredited argument that if we can bank and shop online we can vote online. If one were doing a film about cures for cancer, and time were given to someone explaining theories of the arrangement of crystals around the patient, the science would be called into question. If one were doing a film about nuclear energy and time were given to someone explaining that the answer lay in extending the half life of uranium by a factor of four to six, the science would be called into question. If one were doing a film about the possible evils of the Citizens United decision of SCOTUS, and time were given to someone discussing how to have the House of Representatives solve the problem by passing a law, then the legal judgement would be called into question, and the judgement of the filmmaker would be called into question in permitting a bogus argument like that to be included in what was purported to be a legitimate film.

Ballot Secrecy Keeps Voting Technology at Bay | Scientific American

Verified Voting — Tue, 10 Jan 2012 01:23:44 +0000

Republicans during Tuesday's New Hampshire primary will use a technology recognizable to Washington and Lincoln to make their choices Posted at Scientific American: Voters in the recent Iowa caucuses and Tuesday's New Hampshire primary will rely on paper ballots as they have for generations. In the very next primary on January 21, South Carolinians will vote with backlit touch-screen computers. In an age of electronic banking and online college degrees, why hasn't the rest of the nation gone the way of the Palmetto State? The reason is simple and resonates with the contentious debate that has yet to be resolved after at least 15 years of wrangling over the issue of electronic voting. No one has yet figured out a straightforward method of ensuring that one of the most revered democratic institutions—in this case, electing a U.S. president—can be double checked for fraud, particularly when paperless e-voting systems are used. Voters can cast their ballot in a variety of ways, depending upon the method adopted by their election district. This includes paper ballots, punch cards, two different types of touch-screen electronic voting system (one that prints out a receipt verifying your vote and one that does not), optical scanners used to digitize paper ballots, or some combination of these. New Hampshire, like nearly two-thirds of the country, has a paper ballot system that voters mark up and turn in to election officials who count the ballots either by electrical scanners or by hand. With the optical-scan approach, if the ballot is not filled out properly or is unreadable, the scanner will not accept the vote and the voter can fix his or her ballot before leaving the polling place, Dill says.

Roadmap for Future California Elections

Verified Voting — Fri, 30 Dec 2011 18:54:41 +0000

When it comes to elections, what does California do well? What could California do better? How have we led, and how have we perhaps lagged behind? These are questions that a diverse group of individuals and organizations asked themselves and one another over the course of three months, with an aim to envision the future of California's elections. Download the Roadmap for Future California Elections (pdf) It turned out to be an extraordinary conversation and a process which could very well serve as a model for other states as well. One driving force in the process was the convening organization, the James Irvine Foundation, which has long worked on issues of importance to Californians. The participants included a diverse range of representatives with a concern for voters and not-yet voters, for elections and how they function, and for California's democracy.

Dismissed Venango County Pennsylvania Election Board Files Appeal | VotePA

Verified Voting — Fri, 02 Dec 2011 22:27:44 +0000

Attorney Charles A. Pascal, Jr., has filed a Motion For Reconsideration on behalf of members of the specially appointed Venango County Election Board. The filing was made this afternoon in response to President Judge Oliver J. Lobaugh's order dismissing the Board yesterday. Citing ongoing investigations into serious voting machine problems reported during the May 17 primary election, the specially appointed Election Board requested that they be allowed to continue their work until 11:59 PM on December 31, 2011. "The members of the specially appointed Board of Elections believes that it is necessary to continue their work in order to assure the voters of the County of Venango of the integrity of the election process in the county," the Motion states, "and to assure that any possible violations of policy, protocol, best practices, or the law, or any directive of the Pennsylvania Secretary of State, are not repeated in future elections."

If I can shop and bank online, why can’t I vote online?

Verified Voting — Wed, 02 Nov 2011 07:36:12 +0000

There is widespread pressure around the country today for the introduction of some form of Internet voting in public elections that would allow people to vote online, all electronically, from their own personal computers or mobile devices. Proponents argue that Internet voting would offer greater speed and convenience, particularly for overseas and military voters and, in fact, any voters allowed to vote that way. However, computer and network security experts are virtually unanimous in pointing out that online voting is an exceedingly dangerous threat to the integrity of U.S. elections. There is no way with current technology to guarantee that the security, privacy, and transparency requirements for elections can all be met with any security technology in the foreseeable future. Anyone from a disaffected misfit individual to a national intelligence agency can remotely attack an online election, modifying or filtering ballots in ways that are undetectable and uncorrectable of just disrupting the election and creating havoc. There are a host of such attacks that can be used singly or in combination. In the cyber security world today almost all of the advantages are with attackers, and any of these attacks can result in the wrong persons being elected, or initiatives wrongly passed or rejected. Nonetheless, the proponents point to the fact that millions of people regularly bank and shop online every day without apparent problems,. They note that an online voting transaction resembles an ecommerce transaction, at least superficially. You connect your browser to the appropriate site, authenticate yourself, make your choices with the mouse, click on a final confirmation button, and you are done! All of the potential attacks alluded above apply equally to shopping and banking services, so what is the difference? People ask, quite naturally, “If it is safe to do my banking and shopping online, why can’t I vote online?” This is a very fair question, and it deserves a careful, thorough answer because the reasons are not obvious. Unfortunately it requires substantial development to explain fully. But in brief, our answer is in two-parts: 1. It is not actually “safe” to conduct ecommerce transactions online. It is in fact very risky, more so every day, and essentially all those risks apply equally to online voting transactions. 2. The technical security, privacy, and transparency requirements for voting are structurally different from, and much more stringent than, those for ecommerce transactions. Even if ecommerce transactions were safe, the security technology underpinning them would not suffice for voting. In particular, the security and privacy requirements for voting are unique and in tension in a way that has no analog in the ecommerce world.

How Voting Equipment Varies in the U.S.

Verified Voting — Tue, 25 Oct 2011 12:04:58 +0000

The following article was posted at Digital Communities on October 24 2011. Pamela Smith and the Verified Voting Foundation (VVF) are on a mission — in her words — "to safeguard elections in the digital age." In an earlier time, she said, ballot boxes were inspected the morning before voting began then were padlocked. Voters would insert their paper ballots, and when the polls closed, officials would unlock the boxes and count the ballots. Smith, the foundation’s president, isn't advocating a return to those simpler days, but she says that some modern electronic voting systems present unique challenges that make democracy vulnerable to tampering. With some systems, said Smith, the voter marks a paper ballot, which then goes through an electronic scanner for tallying the vote. With that kind of system, she said, there's a hard-copy record of the vote that can be used to audit accuracy, or in the event of a recount. The foundation's map of "America's Voting Systems in 2010" show a broad range of systems, from Oregon's vote-by-mail to South Carolina's "DRE without VVPAT," which signifies a direct recording electronic voting machine that has no voter-verified paper audit trail.

MIT to host Cal/Tech Voting Technology Project Seminar Election Integrity: Past, Present, and Future

Verified Voting — Tue, 27 Sep 2011 00:00:11 +0000

Hosted by the Caltech/MIT Voting Technology Project, a seminar entitled "Election Integrity: Past, Present, and Future" will commemorate the 25th anniversary of the First National Symposium on Security and Reliability of Computers in the Electoral Process, held in Boston in 1986.   The panelists will look back at the issues that first aroused concerns about the use of computers in public elections a quarter of a century ago, then assess the current situation and future directions for enhancing election integrity. The goal is also to continue dialogues among all stakeholders in the election process, including election administrators, technical professionals, academics, citizens, and vendors. There will be a Q&A period following each panel. From the MIT website: A renewed focus on voting technologies and election administration erupted following the 2000 presidential election and the recount controversy in Florida. Since 2000, the focus of analysis has expanded to consider other vital aspects of U.S. public elections, including transparency and the public verification of election results.

Report on the Estonian Internet Voting System

Verified Voting — Sat, 03 Sep 2011 16:55:34 +0000

I visited Estonia in mid-July of this year at the invitation of Edgar Savisaar, the country's first prime minister and current mayor of Tallinn. Mr. Savisaar is the leader of the Centre Party, which placed second in recent national elections. The Centre Party and Mr. Savisaar have been questioning the outcome of the Internet voting portion of those elections. They invited me to Estonia because of a presentation I made at a European Parliament panel on the risks of Internet voting. I told my hosts that I was happy to discuss the risks of Internet voting, but I would not comment on internal Estonian politics. When asked whether or not I thought the national election was rigged, I refused to comment, aside from saying that no one could prove that it was or was not rigged, because there is no way to conduct a recount of an Internet election. The Internet portion of the 2011 election lasted from February 24 to March 2, with paper balloting conducted on March 6. The Internet vote was counted the evening of March 6. Estonian law allows complaints to be submitted only during the 3 days immediately following the procedure being challenged. Since Internet voting is considered separate from paper voting, the final day for submitting complaints about Internet voting was March 5. Graduate student Paavo Pihelgas was the only person who submitted a complaint by the deadline. (The Centre Party and independent candidates tried to file complaints, but they did not do so within the required 72 hour time frame). Pihelgas asked the National Election Commission (NEC) to cancel the election results, since the possibility of election-rigging malware meant that there was no way to be sure that the voters' preferences had been correctly recorded. NEC rejected his complaint the following day, saying that they have all the necessary provisions to detect such cases, without specifying what those provisions are. When Pihelgas resubmitted his complaint, it was forwarded to the Supreme Court. The Supreme Court dismissed the complaint on March 21, say that the voter can file a complaint only when his/her rights have been breached. I have communicated with several Estonians before, during, and after my trip. I have also read a report written by a team from the OSCE/ODIHR (Organization for Security and Cooperation in Europe/Office for Democratic Institutions and Human Rights) who observed the March 2011 election, and I have talked with a member of the OSCE/ODIHR team. Based on the information I have obtained, I have concluded that the Internet voting system used in Estonia is insecure.

Let the MOVE Act have a chance to work before considering electronic return of ballots

Dan McCrea — Sun, 07 Aug 2011 17:57:31 +0000

Military and overseas voters saw improvements in their ability to vote in 2010, thanks to the Military and Overseas Voter Empowerment Act (MOVE) passed in late 2009, according to a report to Congress last month by the Military Postal Service Agency (MPSA). The report indicates that MOVE will improve things further as its provisions become better known and implemented. The MOVE Act required states to send ballots to military and overseas voters at least 45 days before election-day in federal elections so they have time to return their voted ballot. MPSA must pick up ballots for return to election offices no later than 7 days before election day. MOVE also sped up the process by requiring states to offer electronic transmission (website, email, fax) of blank ballots and registration materials. The law stopped short of establishing electronic return of voted ballots because ballots cannot be secured against undetected interception and manipulation over the internet. New procedures were implemented for 2010, coordinating MPSA with USPS, including the use of Express Military Mail Service (EMMS) for uniformed overseas service members and their families.

Voting machine problems in Mississippi primary highlight national concern

Verified Voting — Thu, 04 Aug 2011 22:42:17 +0000

In the August 3 primary in Mississippi voters experienced voting machine problems: candidates’ names and entire contests missing from the voting machine screens and equipment failing to booting up properly. Problems were reported in Hinds County, which uses the Advanced Voting Systems Winvote and in several counties that use the Premier (Diebold) TSx equipped with [...]

Email Voting: A National Security Threat in Government Elections

Verified Voting — Mon, 20 Jun 2011 16:08:30 +0000

I am very concerned about the widespread push toward Internet voting in the U.S., of which email voting is just one kind. Neither the Internet itself, nor voters’ computers, nor the email vote collection servers are secure against any of a hundred different cyber attacks that might be launched by anyone in the world from [...]

Philip Stark: Report on second risk-limiting audit under AB 2023 in Monterey County California

Verified Voting — Sat, 07 May 2011 16:21:33 +0000

The second risk-limiting audit under California AB 2023 was conducted on May 6 in Monterey County. The contest was a Special all-mail election for Monterey Peninsula Water Management District Director, Division 1. Monterey uses Sequoia equipment. There were two candidates: Brenda Lewis and Thomas M. Mancini, and write-ins. 2111 ballots were cast in all. The reported totals were 1353 reported for [...]

Online voting is risky and expensive

Verified Voting — Fri, 29 Apr 2011 19:36:44 +0000

This article was posted at the CT Mirror and is cross-posted here with permission. Online voting is an appealing option to speed voting for military and overseas voters. Yet it is actually “Democracy Theater”, providing an expensive, risky illusion of supporting our troops. Technologists warn of the unsolved technical challenges, while experience shows that the [...]

Oak Ridge, spear phishing, and i-voting

Verified Voting — Mon, 25 Apr 2011 07:11:39 +0000

Oak Ridge National Labs (one of the US national energy labs, along with Sandia, Livermore, Los Alamos, etc) had a bunch of people fall for a spear phishing attack (see articles in Computerworld and many other descriptions). For those not familiar with the term, spear phishing is sending targeted emails at specific recipients, designed to [...]