Safeguarding the 2008 vote Key inputs for the Senate Rules and Administration Committee Hearings and the Ballot Integrity Act Voting Rights Taskforce Wellstone.

Safeguarding the 2008 vote

Key inputs for the Senate Rules and Administration Committee

Hearings and the Ballot Integrity Act Voting Rights Taskforce

Wellstone Democratic Renewal ClubMarch 15, 2007

03/15/07 Voting Rights Taskforce - Safeguarding our Elections in 2008

2

Participants Dr. Don Goldmacher, M.D., state delegate AD-14 Ms. Michelle Gabriel, M.S., M.B.A., state delegate AD-16,

author of “Election Monitoring in California 2006” Mr. Jim Soper, M.A., Senior software consultant, author of

www.CountedAsCast.com Dr. Judy Bertelsen, M.D., Ph.D. Professor Harold Lecar, Ph.D. Ms. Jackie Riskin, M.Sw. Mr. Lee Munson, M.B.A.


3

Our situation

Our Voting Machines, System, and Procedures

are putting our Democracy at risk!

Electronic voting can be corrupted…

Accidentally or Intentionally


5

DeForest Soaries resigns from Election Assistance Commission (EAC) saying…

…that we “had made things worse through the passage of the Help America Vote Act.

…there’s an erosion of voting rights implicit in our inability to trust the technology that we use and if we were another country being analyzed by America, we would conclude that this country is ripe for stealing elections and for fraud.”


6

Our situation

How do we avoid a 2008 re-run of Florida 2000, Ohio 2004, and Florida 2006?


7

Federal legislation is required to establish

minimum safeguards for the 2008 vote.•Don’t federalize all election law.

•States could have more stringent security laws.


8

Principal Remedies Handmarked paper ballots ONLY

Establish serious audits of machine counts

Re-structure the EAC or dump it Enforce the election laws


9

Legislation must address these issues:

Voting machines are NOT secure. Security mitigations are not enough and not

followed. Audits are inadequate and poorly

implemented. Machine created paper trails (VVPATs) are

virtually useless and give an illusion of security.

Election laws are not enforced. The EAC (Election Assistance Commission) is

dysfunctional.


10

Our Vision for 2008 Hand marked paper ballots (HMPB). Ballot marking devices (BMD) with touchscreen

and audio interface for disabled voting. Precinct based optiscan (PBOS) or central

optiscan if PBOS is not available. Sufficient hand counted manual audits of

optiscan and BMD ballots. True audits of election results. Timely, public, and affordable access to voting

records. Timely enforcement of all Federal and State

election laws.


11

Our Vision for 2008

All points of the vision must be done together. A piecemeal implementation will leave open security

vulnerabilities. Even paper ballots are NOT secure without audit reform .

The devil is in the details, and clear definitions will be required. Currently, each Election Official chooses a different interpretation of election laws.


12

Definitions (Optiscan) Opti-scan - optical ballot scanner


13

Definitions (Touchscreen)


14

Definitions (DRE, VVPAT)

DRE (Direct Recording Electronic)

VVPAT (Voter Verified Paper Audit Trail)


15

Definitions (Tabulator)

Tabulatorcentral votecounting

computer

Memorycards


16

Definitions (Memory Card)

Memory card used to transfer data, including votes, between the central tabulator and the scanners and voting machines in the precincts.


17

Definitions (Auditing) Auditing – check vote totals from some

% of precincts after the election


18

The Players Federal

EAC – Election Assistance Commission ITA – Independent Testing Authority NIST – National Institute of Standards and

Technology State

SoS – Secretary of State County Elections Officials – Registrar of

Voters, Board of Elections, Clerk/Recorder


19

Our goals…. We would like to…

…help in drafting the Ballot Integrity Act …communicate with staff on key issues

PRIOR to the hearings ……to be a resource to Senator Feinstein’s

office on election integrity issues Our expertise is a combination of academic,

technical, business, and first hand election experience. We want to help!

Supporting Detail


21

Avi Rubin, e-voting expert, Johns Hopkins professor: “…when I first studied the Diebold DRE in 2003, I felt

that a Voter Verified Paper Audit Trail (VVPAT) provided enough assurance. But, I continued, after 4 years of studying the issue, I now believe that a DRE with a VVPAT is not a reasonable voting system. The only system that I know of that achieves software independence as defined by NIST, is economically viable and readily available is paper ballots with ballot marking machines for accessibility and precinct optical scanners for counting – coupled with random audits. That is how we should be conducting elections in the US, in my opinion.”

From Avi Rubin’s BLOG describing his testimony before a House subcommittee hearing on “Ensuring the Integrity of Elections”, March 7th, 2007.

Electronic voting can be corrupted…

Accidentally or Intentionally


23

Electronic voting system security is inadequate

NIST Report, 11/06Princeton Report, 9/06NRC Report, 7/06BBV Report, 7/06Brennan Report, 6/06Hursti II Report, 5/06Berkeley Report, 2/06

Hursti I Report, 5/05RABA Report, 1/04Compuware Report, 11/03SAIC Report, 9/03Johns Hopkins Report, 7/03Saltman Paper, 3/78

13 reputable reports ALL say:Electronic voting is vulnerable!


24


The risk of an outsider attack by a poll worker, voter or hacker, especially via a virus or similar, is real.

Chicago misplaced 400+ memory cardsCleveland misplaced 75+ memory cards.

Hackers can gain access if the machines havewireless or internet connections


25


Successful simulated attacks on an election

Poll workers, possibly voters. VVPAT may be compromised. Attack might not be caught by an audit.

Touchscreen to tabulator, Diebold & Sequoia

Summary tape and precinct totals incorrect; virus carried to other machines.

Princeton Hack

9/2006

Pollworker/Sleepovers. A good audit might catch this

Touchscreen to tabulator, Diebold

A programmer can take complete control of a DRE, and an election. Undetectable.

Hursti II5/2006

Pollworker/Sleepovers. A good audit might catch this

Optical Scan to tabulator, Diebold

A programmer took control of memory cards, which handle the vote-reporting & counting.

Hursti I5/2005,11/2005

Anyone with access to the known tabulator passwords

Tabulator & database, Diebold

Central vote totals could be changed with no trace

GEMS tabulator

5/2005

AccessEquipmentDescriptionAttack

Date


26


The risk of an insider (election official, company programmer) attack is real Example: Easter Eggs (hidden code) We do not know what software is inside the

machines on election day No amount of testing will detect hidden

code Jeffery Dean, 23 embezzlement convictions Clinton Curtis hired to write a program to

manipulate an election


27

Electronic voting system security is inadequate Glitches happen Sarasota county, FL : 18,000 votes

“disappeared” Many more examples of “lost” votes Software and data are trade secrets Nobody, and no machine, should be

counting American votes in secret


28

Electronic Voting Recommendations

Open source software – public inspection Software verification

Check that the software used on election day is the software that was inspected, tested and certified.

Public testing of systems Security (red team) testing Ban wireless and internet connections

Security mitigations

Classic Obfuscation #1: There are security problems with DREs and electronic voting

but they can be mitigated with proper measures


30

Security mitigations are inadequate and not followed Tamper evident seals don’t work

Not all pollworkers trained to look at seals, procedures not defined if seal is torn,

Taking a machine out of service not enough if manipulation spreads like a virus

Chain of custody of memory cards is nullified by processes inherent to voting machine Machines need to be in place prior to

Election Day This allows adequate access for

manipulation of memory cards

Audits

Classic Obfuscation #2: Audits will catch any problems


32

Audits are inadequate and poorly implemented A fixed %age audit ( i.e..1-2%) will not catch

manipulation in a close race Example: San Francisco County has 600

precincts 1% audit = 6 precincts: CA current law

If there is a real difference in the audit vs. the machine count in 5% (30) precincts, there is only a 27% chance of noticing it.

2% audit = 12 precincts: Holt Bill proposal If there is a real difference in the audit vs. the

machine count in 5% (30) precincts, there is only a 46% chance of noticing it.


33

Audit Recommendations 99% confidence level in results. Include ALL votes – absentee and provisional. Random, public choice of precincts to count

and a preliminary statement of vote to count against.

Implement a tiered audit system that adjusts for the closeness of the race.

Require discrepancy procedures and results reporting.

Look at effects of discrepancies in larger context. Would such a small difference affect results of state or federal elections.


34

Audits on VVPATs are problematic VVPATs were an afterthought, never tested for

voters catching errors. Votes were not educated to look at VVPATs Poll workers didn’t understand their purpose

and sometimes told voters to NOT look at them.

Paper jams were frequent and votes not recorded

Rolls were very difficult to read at audits. If the VVPAT was unreadable, the roll was re-

printed from the memory card-which was NOT voter verified


35

VVPAT Recommendations Federal law banning VVPATs and DREs

Florida, New Mexico, and Maryland are all moving in that direction

Only Voter Marked Paper Ballots should be allowed

Systems already purchased are sunk costs Ballot marking devices should be certified for

HAVA compliance

Enforcement

Too little, too late


37

Election laws are not enforced No checks and balances on Elections Officials

On Election Day it is nearly impossible to get any legal action done.

Deadline to certify the vote allows officials to delay providing information, etc. until too late

Officials are not being held accountable for not following election code. District Attorneys and Attorney Generals are not acting on these issues.


38

Enforcement recommendations Timely !!! Enforcement must be immediate

and allow revote. Need to cover pollworkers and elections

officials Consequences spelled out explicitly

Election Assistance Commission (EAC)

Past, present, and future


40

EAC – Quick history Mandated by HAVA (Help America Vote Act) in

2002. Voluntary System Guidelines > 1 year late but

HAVA requirements not extended, thus forcing purchase of expensive, poorly designed, inadequately tested electronic equipment.

DeForest Soaries resigns in 2005. ITA (Independent Testing Authority) testing

shown to be a failure in 2006.


41

EAC Current Structure Issues No enforcement power – only makes

recommendations. Sets up privatization /corporate secrets fraught

with conflict of interest in testing – should set up public, transparent, highly professional testing process.

Leadership is bipartisan but is political – should be professional, technical and legal. Election administration should be nonpartisan.


42

EACProposed structural changes Re-structure in a way to help in 2008 or else

sunset the organization Turn all testing over to NIST (National Institute

of Standards and Technology) Make testing results public Actually test for security vulnerability, including

insider and outsider attacks. Actual attacks should be attempted on the equipment. If a fix is made, that fix should be tested by an actual

attack attempt.

Sunshine provisions


43

ReferencesLink to this presentationwww.countedascast.com/alameda/march-15-2007mollinari.ppt

Links to security reportswww.countedascast.com/issues/security.php#reports

Procedures are inadequatewww.countedascast.com/issues/procedures.php

Why we know (before 06) that the ITA testing has failedwww.countedascast.com/issues/testing.php#ita

Easter egg definition and picturewww.countedascast.com/issues/testing.php#easteregg


44

Senator Feinstein: Report Highlights Needfor New Legislation to Reform Electronic Voting

December 1, 2006The Ballot Integrity Act

P1:Paper Records, Voter Verification and Audit: Requires that voting machines produce a paper record that voters can verify, and correct if necessary, after casting their vote. Also requires that the paper record be preserved and used in a mandatory, random audit.

P2: Electronic Voting System Security: Takes measures to prevent technological manipulation of electronic voting systems and requires that all voting system software be disclosed to and certified by the Election Assistance Commission.

P4: Official Election Observers: Grants all official, legitimate domestic and international election observers unrestricted access to the election process, provided that they accept election rules, do not interfere with the election process, respect the secrecy of the ballot and are accredited by the Election Assistance Commission.

P6: Enforcement of HAVA Provisions: Clarifies that individuals can pursue legal resolution of violations of the Help America Vote Act. Permanently extends the authorization of the Election Assistance Committee. Requires that contractors hired by the Commission go through a public bidding process.


45

Ballot Integrity Act (BIA) BIA proposal

Paper Records, Voter Verification and Audit: Requires that voting machines produce a paper record that voters can verify and correct if necessary, after casting their vote. Also requires that the paper record be preserved and used in a mandatory, random audit

Concerns include: Still allows DREs Needs to define random Needs to define that audits

are hand counted Does not require that

system notify voter of under and over votes

Good points include Mandatory, random audits


46

Ballot Integrity Act BIA proposal

Electronic Voting System security: Takes measures to prevent technological manipulation of electronic voting systems and requires that all voting system software be disclosed to and certified by the EAC

Concerns include EAC has been so far

ineffective. Would this catch Hurst I and

II attacks? What will catch insider

attack hidden code? Software verification – how

do you know the software disclosed to the EAC is what is on the machines.

Does not specifically ban wireless or internet connections

Good points include: Recognition that more

security measures are needed.


47


Official Election Observers: Grants all official, legitimate domestic and international election observers unrestricted access to the election process, provided that they accept election rules, do not interfere with the election process, respect the secrecy of the ballot and are accredited by the EAC.

Concerns include: Less than current CA law. All citizens should be allowed

to observe. Definitions required.e.g.

Elections Officials vs. monitors definition of interfering.

EAC accreditation creates hurdles and bureaucracy. What is gained by this?

What are enforcement provisions at the time and after the election?

Good Points include: Unrestricted access to the

election process


48


Enforcement of HAVA provisions: Clarifies that individuals can pursue legal resolution of violations of HAVA. Permanently extends the authorization of the

EAC.

Concerns include: EAC has been ineffective. HAVA has been very

difficult to interpret.

Good points include: Some enforcement

strengthening

Safeguarding the 2008 vote Key inputs for the Senate Rules and Administration Committee Hearings and the Ballot Integrity Act Voting Rights Taskforce Wellstone.

Documents

voting machines

disabled voting

voting records

electronic voting

stealing elections

state election laws

author of election monitoring

bmd ballots