Safeguarding the 2008 vote
Key inputs for the Senate Rules and Administration Committee Hearings and the Ballot Integrity Act
Voting Rights Taskforce
Wellstone Democratic Renewal Club
March 15, 2007
Mar 26, 2015
03/15/07 Voting Rights Taskforce - Safeguarding our Elections in 2008
Participants
• Dr. Don Goldmacher, M.D., state delegate AD-14
• Ms. Michelle Gabriel, M.S., M.B.A., state delegate AD-16, author of “Election Monitoring in California 2006”
• Mr. Jim Soper, M.A., Senior software consultant, author of www.CountedAsCast.com
• Dr. Judy Bertelsen, M.D., Ph.D.
• Professor Harold Lecar, Ph.D.
• Ms. Jackie Riskin, M.Sw.
• Mr. Lee Munson, M.B.A.
Our situation
Our Voting Machines, System, and Procedures are putting our Democracy at risk!
Electronic voting can be corrupted…
Accidentally or Intentionally
DeForest Soaries resigns from Election Assistance Commission (EAC) saying…
…that we “had made things worse through the passage of the Help America Vote Act.
…there’s an erosion of voting rights implicit in our inability to trust the technology that we use and if we were another country being analyzed by America, we would conclude that this country is ripe for stealing elections and for fraud.”
Our situation
How do we avoid a 2008 re-run of Florida 2000, Ohio 2004, and Florida 2006?
Federal legislation is required to establish minimum safeguards for the 2008 vote.
• Don’t federalize all election law.
• States could have more stringent security laws.
Principal Remedies
• Handmarked paper ballots ONLY
• Establish serious audits of machine counts
• Re-structure the EAC or dump it
• Enforce the election laws
Legislation must address these issues:
• Voting machines are NOT secure.
• Security mitigations are not enough and not followed.
• Audits are inadequate and poorly implemented.
• Machine created paper trails (VVPATs) are virtually useless and give an illusion of security.
• Election laws are not enforced.
• The EAC (Election Assistance Commission) is dysfunctional.
Our Vision for 2008
• Hand marked paper ballots (HMPB).
• Ballot marking devices (BMD) with touchscreen and audio interface for disabled voting.
• Precinct based optiscan (PBOS) or central optiscan if PBOS is not available.
• Sufficient hand counted manual audits of optiscan and BMD ballots.
• True audits of election results.
• Timely, public, and affordable access to voting records.
• Timely enforcement of all Federal and State election laws.
Our Vision for 2008
• All points of the vision must be done together.
• A piecemeal implementation will leave open security vulnerabilities.
• Even paper ballots are NOT secure without audit reform.
• The devil is in the details, and clear definitions will be required.
• Currently, each Election Official chooses a different interpretation of election laws.
Definitions (Optiscan)
Opti-scan - optical ballot scanner
Definitions (Touchscreen)
Definitions (DRE, VVPAT)
DRE (Direct Recording Electronic)
VVPAT (Voter Verified Paper Audit Trail)
Definitions (Tabulator)
Tabulator - central vote counting computer
Memory cards
Definitions (Memory Card)
Memory card used to transfer data, including votes, between the central tabulator and the scanners and voting machines in the precincts.
Definitions (Auditing)
Auditing – check vote totals from some % of precincts after the election
The Players
Federal
• EAC – Election Assistance Commission
• ITA – Independent Testing Authority
• NIST – National Institute of Standards and Technology
State
• SoS – Secretary of State
• County Elections Officials – Registrar of Voters, Board of Elections, Clerk/Recorder
Our goals….
We would like to…
• …help in drafting the Ballot Integrity Act
• …communicate with staff on key issues PRIOR to the hearings
• …be a resource to Senator Feinstein’s office on election integrity issues
Our expertise is a combination of academic, technical, business, and first hand election experience. We want to help!
Supporting Detail
Avi Rubin, e-voting expert, Johns Hopkins professor:
“…when I first studied the Diebold DRE in 2003, I felt that a Voter Verified Paper Audit Trail (VVPAT) provided enough assurance. But, I continued, after 4 years of studying the issue, I now believe that a DRE with a VVPAT is not a reasonable voting system. The only system that I know of that achieves software independence as defined by NIST, is economically viable and readily available is paper ballots with ballot marking machines for accessibility and precinct optical scanners for counting – coupled with random audits. That is how we should be conducting elections in the US, in my opinion.”
From Avi Rubin’s BLOG describing his testimony before a House subcommittee hearing on “Ensuring the Integrity of Elections”, March 7th, 2007.
Electronic voting can be corrupted…
Accidentally or Intentionally
Electronic voting system security is inadequate
• NIST Report, 11/06
• Princeton Report, 9/06
• NRC Report, 7/06
• BBV Report, 7/06
• Brennan Report, 6/06
• Hursti II Report, 5/06
• Berkeley Report, 2/06
• Hursti I Report, 5/05
• RABA Report, 1/04
• Compuware Report, 11/03
• SAIC Report, 9/03
• Johns Hopkins Report, 7/03
• Saltman Paper, 3/78
13 reputable reports ALL say: Electronic voting is vulnerable!
Electronic voting system security is inadequate
• The risk of an outsider attack by a poll worker, voter or hacker, especially via a virus or similar, is real.
• Chicago misplaced 400+ memory cards
• Cleveland misplaced 75+ memory cards.
• Hackers can gain access if the machines have wireless or internet connections
Electronic voting system security is inadequate
Successful simulated attacks on an election
| Attack | Date | Description | Equipment | Access |
|---|---|---|---|---|
| Princeton Hack | 9/2006 | Summary tape and precinct totals incorrect; virus carried to other machines. | Touchscreen to tabulator, Diebold & Sequoia | Poll workers, possibly voters. VVPAT may be compromised. Attack might not be caught by an audit. |
| Hursti II | 5/2006 | A programmer can take complete control of a DRE, and an election. Undetectable. | Touchscreen to tabulator, Diebold | Pollworker/Sleepovers. A good audit might catch this |
| Hursti I | 5/2005, 11/2005 | A programmer took control of memory cards, which handle the vote-reporting & counting. | Optical Scan to tabulator, Diebold | Pollworker/Sleepovers. A good audit might catch this |
| GEMS tabulator | 5/2005 | Central vote totals could be changed with no trace | Tabulator & database, Diebold | Anyone with access to the known tabulator passwords |
Electronic voting system security is inadequate
• The risk of an insider (election official, company programmer) attack is real
• Example: Easter Eggs (hidden code)
• We do not know what software is inside the machines on election day
• No amount of testing will detect hidden code
• Jeffery Dean, 23 embezzlement convictions
• Clinton Curtis hired to write a program to manipulate an election
Electronic voting system security is inadequate
• Glitches happen
• Sarasota county, FL: 18,000 votes “disappeared”
• Many more examples of “lost” votes
• Software and data are trade secrets
• Nobody, and no machine, should be counting American votes in secret
Electronic Voting Recommendations
• Open source software – public inspection
• Software verification: Check that the software used on election day is the software that was inspected, tested and certified.
• Public testing of systems
• Security (red team) testing
• Ban wireless and internet connections
Security mitigations
Classic Obfuscation #1: There are security problems with DREs and electronic voting but they can be mitigated with proper measures
Security mitigations are inadequate and not followed
• Tamper evident seals don’t work
• Not all pollworkers trained to look at seals, procedures not defined if seal is torn
• Taking a machine out of service not enough if manipulation spreads like a virus
• Chain of custody of memory cards is nullified by processes inherent to voting machine
• Machines need to be in place prior to Election Day
• This allows adequate access for manipulation of memory cards
Audits
Classic Obfuscation #2: Audits will catch any problems
Audits are inadequate and poorly implemented
• A fixed percentage audit (i.e., 1-2%) will not catch manipulation in a close race
• Example: San Francisco County has 600 precincts
• 1% audit = 6 precincts: CA current law. If there is a real difference in the audit vs. the machine count in 5% (30) precincts, there is only a 27% chance of noticing it.
• 2% audit = 12 precincts: Holt Bill proposal. If there is a real difference in the audit vs. the machine count in 5% (30) precincts, there is only a 46% chance of noticing it.
Audit Recommendations
• 99% confidence level in results.
• Include ALL votes – absentee and provisional.
• Random, public choice of precincts to count and a preliminary statement of vote to count against.
• Implement a tiered audit system that adjusts for the closeness of the race.
• Require discrepancy procedures and results reporting.
• Look at effects of discrepancies in larger context. Would such a small difference affect results of state or federal elections?
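The 27% and 46% figures in the San Francisco example, and the 99% confidence level recommended here, follow from drawing precincts at random without replacement. The example below is added for illustration and is not part of the original presentation; it assumes a uniform random draw and that hand counting any differing precinct reveals the difference, and the function names and tier fractions are illustrative choices.

```python
"""Added example: detection power of a random precinct audit."""
from math import comb


def detection_probability(total, bad, sampled):
    """Chance that `sampled` precincts drawn uniformly at random, without
    replacement, from `total` include at least one of the `bad` precincts
    whose hand count differs from the machine count."""
    if not (0 <= bad <= total and 0 <= sampled <= total):
        raise ValueError("bad and sampled must be between 0 and total")
    # Hypergeometric: P(miss every bad precinct) = C(total-bad, n) / C(total, n)
    return 1.0 - comb(total - bad, sampled) / comb(total, sampled)


def precincts_needed(total, bad, confidence=0.99):
    """Smallest sample size whose detection probability reaches `confidence`."""
    if bad < 1 or not 0 < confidence <= 1:
        raise ValueError("need bad >= 1 and 0 < confidence <= 1")
    for sampled in range(total + 1):
        if detection_probability(total, bad, sampled) >= confidence:
            return sampled
    raise AssertionError("unreachable: a full hand count always detects")


def tier_table(total, confidence=0.99, bad_fractions=(0.10, 0.05, 0.02, 0.01)):
    """Sample size per tier. Assumption: a closer race can be flipped by
    altering a smaller fraction of precincts, so the tiers are expressed as
    the fraction of precincts that would have to differ."""
    rows = []
    for fraction in bad_fractions:
        bad = max(1, round(total * fraction))
        rows.append((bad, precincts_needed(total, bad, confidence)))
    return rows


if __name__ == "__main__":
    TOTAL, BAD = 600, 30  # the slide's San Francisco County example
    for label, sampled in (("1% audit", 6), ("2% audit", 12)):
        p = detection_probability(TOTAL, BAD, sampled)
        print(f"{label}: {sampled} precincts, {p:.0%} chance of noticing")
    print("precincts for 99%:", precincts_needed(TOTAL, BAD))
    for bad, sampled in tier_table(TOTAL):
        print(f"{bad:3d} differing precincts -> hand count {sampled} of {TOTAL}")
```

The tier table shows why a fixed percentage fails in close races: the fewer precincts that need to differ, the more precincts must be hand counted to reach the same confidence.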
Audits on VVPATs are problematic
• VVPATs were an afterthought, never tested for voters catching errors.
• Voters were not educated to look at VVPATs
• Poll workers didn’t understand their purpose and sometimes told voters to NOT look at them.
• Paper jams were frequent and votes not recorded
• Rolls were very difficult to read at audits.
• If the VVPAT was unreadable, the roll was re-printed from the memory card, which was NOT voter verified
VVPAT Recommendations
• Federal law banning VVPATs and DREs
• Florida, New Mexico, and Maryland are all moving in that direction
• Only Voter Marked Paper Ballots should be allowed
• Systems already purchased are sunk costs
• Ballot marking devices should be certified for HAVA compliance
Enforcement
Too little, too late
Election laws are not enforced
• No checks and balances on Elections Officials
• On Election Day it is nearly impossible to get any legal action done.
• Deadline to certify the vote allows officials to delay providing information, etc. until too late
• Officials are not being held accountable for not following election code.
• District Attorneys and Attorneys General are not acting on these issues.
Enforcement recommendations
• Timely!!! Enforcement must be immediate and allow revote.
• Need to cover pollworkers and elections officials
• Consequences spelled out explicitly
Election Assistance Commission (EAC)
Past, present, and future
EAC – Quick history
• Mandated by HAVA (Help America Vote Act) in 2002.
• Voluntary System Guidelines > 1 year late but HAVA requirements not extended, thus forcing purchase of expensive, poorly designed, inadequately tested electronic equipment.
• DeForest Soaries resigns in 2005.
• ITA (Independent Testing Authority) testing shown to be a failure in 2006.
EAC Current Structure Issues
• No enforcement power – only makes recommendations.
• Sets up privatization/corporate secrets fraught with conflict of interest in testing – should set up public, transparent, highly professional testing process.
• Leadership is bipartisan but is political – should be professional, technical and legal. Election administration should be nonpartisan.
EAC Proposed structural changes
• Re-structure in a way to help in 2008 or else sunset the organization
• Turn all testing over to NIST (National Institute of Standards and Technology)
• Make testing results public
• Actually test for security vulnerability, including insider and outsider attacks.
• Actual attacks should be attempted on the equipment.
• If a fix is made, that fix should be tested by an actual attack attempt.
• Sunshine provisions
References
• Link to this presentation: www.countedascast.com/alameda/march-15-2007mollinari.ppt
• Links to security reports: www.countedascast.com/issues/security.php#reports
• Procedures are inadequate: www.countedascast.com/issues/procedures.php
• Why we know (before 06) that the ITA testing has failed: www.countedascast.com/issues/testing.php#ita
• Easter egg definition and picture: www.countedascast.com/issues/testing.php#easteregg
Senator Feinstein: Report Highlights Need for New Legislation to Reform Electronic Voting
December 1, 2006
The Ballot Integrity Act
P1: Paper Records, Voter Verification and Audit: Requires that voting machines produce a paper record that voters can verify, and correct if necessary, after casting their vote. Also requires that the paper record be preserved and used in a mandatory, random audit.
P2: Electronic Voting System Security: Takes measures to prevent technological manipulation of electronic voting systems and requires that all voting system software be disclosed to and certified by the Election Assistance Commission.
P4: Official Election Observers: Grants all official, legitimate domestic and international election observers unrestricted access to the election process, provided that they accept election rules, do not interfere with the election process, respect the secrecy of the ballot and are accredited by the Election Assistance Commission.
P6: Enforcement of HAVA Provisions: Clarifies that individuals can pursue legal resolution of violations of the Help America Vote Act. Permanently extends the authorization of the Election Assistance Committee. Requires that contractors hired by the Commission go through a public bidding process.
Ballot Integrity Act (BIA)
BIA proposal
Paper Records, Voter Verification and Audit: Requires that voting machines produce a paper record that voters can verify and correct if necessary, after casting their vote. Also requires that the paper record be preserved and used in a mandatory, random audit
Concerns include:
• Still allows DREs
• Needs to define random
• Needs to define that audits are hand counted
• Does not require that system notify voter of under and over votes
Good points include:
• Mandatory, random audits
Ballot Integrity Act
BIA proposal
Electronic Voting System security: Takes measures to prevent technological manipulation of electronic voting systems and requires that all voting system software be disclosed to and certified by the EAC
Concerns include:
• EAC has been so far ineffective.
• Would this catch Hursti I and II attacks?
• What will catch insider attack hidden code?
• Software verification – how do you know the software disclosed to the EAC is what is on the machines?
• Does not specifically ban wireless or internet connections
Good points include:
• Recognition that more security measures are needed.
Ballot Integrity Act
BIA proposal
Official Election Observers: Grants all official, legitimate domestic and international election observers unrestricted access to the election process, provided that they accept election rules, do not interfere with the election process, respect the secrecy of the ballot and are accredited by the EAC.
Concerns include:
• Less than current CA law.
• All citizens should be allowed to observe.
• Definitions required, e.g. Elections Officials vs. monitors, definition of interfering.
• EAC accreditation creates hurdles and bureaucracy. What is gained by this?
• What are enforcement provisions at the time and after the election?
Good points include:
• Unrestricted access to the election process
Ballot Integrity Act
BIA proposal
Enforcement of HAVA provisions: Clarifies that individuals can pursue legal resolution of violations of HAVA. Permanently extends the authorization of the EAC.
Concerns include:
• EAC has been ineffective.
• HAVA has been very difficult to interpret.
Good points include:
• Some enforcement strengthening