Resolution on IV (SF, 2017)


SAN FRANCISCO ELECTIONS COMMISSION
RESOLUTION ON INTERNET VOTING
(Adopted by the San Francisco Elections Commission (6-0) on April 19, 2017.)

Resolution opposing internet and email voting in local, state, and federal elections.

WHEREAS, The San Francisco Elections Commission (“Elections Commission”) on August 20, 2008 adopted a “Policy on Favoring Paper Balloting over Other Forms,” stating in part that-
(a) “[direct-recording electronic] (DRE) voting systems capture a vote and store it on a memory card rather than mark a paper ballot”; and that
(b) “significant numbers of voters continue to have misgivings about votes not being cast on a paper ballot, believing that it provides inferior security and inferior ability to conduct a meaningful recount if one is necessary”; and adopting as policy that
(c) “the San Francisco Department of Elections shall operate in all its functions so as to prefer the use of paper ballots (either marked by hand with the current system or marked with the assistance of a machine designed for disabled access in future systems) over the use of DRE voting,” consistent with any legal requirements;

WHEREAS, Internet voting systems, including returning marked ballots by email, do not involve casting paper ballots, meaning there is no meaningful or independent way to audit, recount or correct results in the case of electronic error or tampering;

WHEREAS, Internet voting is fraught with even more risk than DRE voting, because it exposes local election jurisdictions to foreign governments, potential adversaries, and malicious actors located anywhere in the world—enabling large-scale, sophisticated, automated, undetectable, and uncorrectable vote tampering;

WHEREAS, The San Francisco Voting Systems Task Force, in its June 2011 report, concluded in part that-
(a) “anyone anywhere with Internet access has the ability to target remote digital voting systems in order to carry out the same type of Internet-based attacks that have succeeded against several organizations with security expertise that far exceeds that of any voting system vendor or election jurisdiction—including Google, Adobe, RSA Security, and dozens of other large corporations”; and that
(b) “the use of remote digital voting—especially the digital return of voted electronic ballots with no audited paper ballots—is far too insecure in public elections application for the foreseeable future”; and that
(c) “the official ‘ballot of record’ should be a paper artifact”;

WHEREAS, The Elections Commission on November 18, 2015 adopted a resolution “that it be the position of the Elections Commission that open voting systems using paper ballots have the potential to provide the greatest degree of accessibility, accuracy, transparency, security, auditability, affordability, and flexibility in elections, and so would best serve the voters of San Francisco”;

WHEREAS, Reports of the hacking of major corporate and government computer networks are a regular occurrence in the news—affecting the networks of organizations including JP Morgan, Bank of America, Wells Fargo, Charles Schwab, Visa, Mastercard, Yahoo, Symantec, the CIA, the FBI, the Pentagon, INTERPOL, and NATO—not to mention incidents that go unreported due to being undetected or not disclosed;

WHEREAS, Voting differs fundamentally from banking and other types of transactions because in banking customers can check transactions and have mistakes corrected; whereas with voting, a ballot cannot be linked back to the voter once it has been cast;

WHEREAS, Last year, the Democratic National Committee’s email system and the voter registration systems of Illinois and Arizona were hacked, leading the FBI to publish a security alert and the Department of Homeland Security to declare our election infrastructure to be a “critical infrastructure subsector”;

WHEREAS, Fully protecting an election management system or voting system from insider or outsider attacks by hackers, programmers, or election administrators is not possible in the foreseeable future;

WHEREAS, Protecting the average voter’s computer, be it a desktop or smartphone, from an endless and ever-evolving array of malware, fake apps and malicious websites is not possible in the foreseeable future;

WHEREAS, In just thirty-six hours a team of University of Michigan computer scientists penetrated an internet voting system about to be used by Washington DC; and in doing so obtained control of every part of the system—including votes, vote totals, passwords, tabulator, encryption codes, databases, voter records, and cameras—causing officials to cancel the project;

WHEREAS, No national standards exist for internet voting systems, and the National Institute of Standards and Technology (NIST) has stated that “Internet voting systems cannot currently be audited with a comparable level of confidence in the audit results as those for polling place systems. Malware on voters’ personal computers poses a serious threat that could compromise the secrecy or integrity of voters’ ballots. And, the United States currently lacks a public infrastructure for secure electronic voter authentication”;

WHEREAS, Sections 19205 and 19295 of the California Elections Code forbid connecting any part of a voting or ballot marking system to the Internet, or to a wireless, phone, or other external network;

WHEREAS, Democracy advocates, joined in the past by Secretary of State Debra Bowen, defeated at least three previous attempts in the California legislature to introduce some form of internet voting to California’s elections, including SB 908 (2011-12); AB 19 (2013-2014); and AB 887 (2015-16);

WHEREAS, AB 1403 (2017–18), “Military and overseas voters: return of ballot by email,” represents yet another attempt to introduce internet voting into California’s elections;

WHEREAS, In Canada, where internet voting is being tried in some municipal elections in Ontario for example, British Columbia’s Independent Panel on Internet Voting conducted a review and issued its “Recommendations Report to the Legislative Assembly of British Columbia – February 2014,” recommending not to implement universal internet voting and concluding in part that—
(a) “research suggests that Internet voting does not generally cause non-voters to vote. Instead, Internet voting is mostly used as a tool of convenience for individuals who have already decided to vote”; and that
(b) “Internet voting is most popular among middle-age voters and least popular among youth and therefore reflects traditional voter turnout demographics. These findings run contrary to the widely expressed belief that Internet voting will lead to increased participation by youth”;

WHEREAS, The seeming convenience of internet voting is overshadowed by the fact that votes cast by computer and transmitted over the internet are especially vulnerable to being changed or eavesdropped upon, subverting both voter intent and ballot secrecy and so the integrity of the ballot itself;

WHEREAS, The integrity of our country’s elections depends on the integrity of ballots, election technology and processes used not just locally but across the country;

WHEREAS, In July 2015, a team of election officials, computer security experts, and experts in disability, usability, auditing, testing, and legal issues published a thorough, 136-page report entitled, “The Future of Voting: End-to-End Verifiable Internet Voting (E2E-VIV) – Specification and Feasibility Study,” which in part-
(a) defined “end-to-end verifiable” as, “First, every voter can check that his or her ballot is cast and recorded as he or she intended. Second, anyone can check that the system has accurately tallied all of the recorded ballots”;
(b) contained an extensive and rigorous set of requirements that any internet voting system should satisfy; and
(c) concluded by saying, “It is currently unclear whether it is possible to construct an E2E-VIV system that fulfills the set of requirements contained in this report”;

now, therefore be it RESOLVED,
That it be the policy of the Elections Commission to oppose allowing votes in United States local, state, and federal elections to be cast over the internet, including by email.


[Original draft]

Resolution On Internet And Email Voting
Submitted to the San Francisco Elections Commission by Jim Soper
April 11, 2017
Contact: JimSoper2@gmail.com

Whereas, sections 19205 and 19295 of the California Elections Code forbid connecting any part of a voting or ballot marking system to the Internet, or to a wireless-, phone-, or other external network;

Whereas, Secretaries of State Padilla and Bowen and democracy advocates have defeated four attempts in the legislature to expose California’s elections to the dangers of the Internet [1];

Whereas, AB 1403 represents yet another attempt to bypass California’s defenses against outsider or insider hacking of its election systems [2];

Whereas, the San Francisco Voting Systems Task Force found that: “Internet access has the ability to target remote digital voting systems in order to carry out the same type of Internet-based attacks that have succeeded against several organizations with security expertise that far exceeds that of any voting system vendor or election jurisdiction—including Google, Adobe, RSA Security, and dozens of other large corporations.” [3];

Whereas, as we have seen with the examples of the CIA, FBI, Pentagon, Interpol, NATO, VISA, Mastercard, Yahoo, Symantec, and Bitcoin, penetrations of “highly secure” websites happen almost daily [4];

Whereas, the San Francisco Voting Systems Task Force has recommended that “The official “ballot of record” should be a paper artifact…” [5];

Whereas, Internet and email voting systems do not use paper ballots, so there is no independent way to monitor, audit, recount or repair the results;

Whereas, JP Morgan, Bank of America, Wells Fargo, and Charles Schwab have also been hacked;

Whereas, voting differs from online banking in that the customer gets a receipt for the transaction; but a ballot cannot be linked to the voter once it is cast (How do you refund a secret vote?) [6];

Whereas, the Internet was not designed with security in mind; this is a fundamental weakness;

Whereas, Internet voting relies almost entirely on millions of lines of complex computer code, including on numerous chips (usually made in China), and in the operating system;

Whereas, the complex computer code is inherently not understandable by the public; truly convincing stakeholders that the loser of a close race actually lost is not possible in the foreseeable future;

Whereas, fully protecting any complex election management system from attacks by the programmers, election administrators, or by other insiders is not possible in the foreseeable future;

Whereas, protecting the average voter’s computer, be it a desktop or smartphone, from thousands of kinds of advanced malware, and fake apps and websites is not possible in the foreseeable future;

Whereas, in just 36 hours a team of University of Michigan computer scientists penetrated an Internet voting system about to be used by Washington DC; in doing so they acquired control of every part of the system – votes, vote totals, passwords, tabulator, encryption codes, databases, voter records, cameras – everything; officials canceled the project [7];

Whereas, the National Institute of Standards and Technology (NIST) has stated that “Internet voting systems cannot currently be audited with a comparable level of confidence in the audit results as those for polling place systems. Malware on voters’ personal computers poses a serious threat that could compromise the secrecy or integrity of voters’ ballots. And, the United States currently lacks a public infrastructure for secure electronic voter authentication.” [8];

Whereas, a team of election officials, computer security experts, and experts in disability, usability, auditing, testing, and legal issues prepared a very thorough, 116 page report on “End-To-End Verifiable Internet Voting” (E2E-VIV) [9];

Whereas, the report defines “end-to-end verifiable” as follows: “First, every voter can check that his or her ballot is cast and recorded as he or she intended. Second, anyone can check that the system has accurately tallied all of the recorded ballots.” [10];

Whereas, the report contains an extensive and rigorous set of requirements for an Internet voting system;

Whereas, the report concludes by saying “It is currently unclear whether it is possible to construct an E2E-VIV system that fulfills the set of requirements contained in this report”; just the most basic starting requirement, the construction and testing of a high quality, in-person, End-To-End Verifiable system, well before we expose one to the Internet, is not possible in the foreseeable future [11];

Whereas, no national standards exist for Internet voting systems;

Whereas, in January, the NSA’s Tailored Access Unit outlined how they create an Advanced Persistent Threat (APT) against their high-value targets [12] (hint: be more persistent than advanced; just expect them to make tiny mistakes, they will [13]);

Whereas, American intelligence services penetrated and ruined remote Iranian nuclear centrifuges that were not even connected to the Internet using the Stuxnet virus [14];

Whereas, since Stuxnet, spy agencies around the world have been “weaponizing” the Internet [15];

Whereas, in the past year, the Democratic National Committee email system and the voter registration systems of Illinois and Arizona have been hacked, leading the FBI to publish a security alert [16] and the Department of Homeland Security to declare our election infrastructure to be a “critical infrastructure subsector” [17];

Whereas, online voting constitutes a quantum leap in the risks of large scale errors or fraud;

Whereas, processing over 3 million votes, an online system for Los Angeles County would represent the single most important elections target awaiting exploitation in the US – i.e., it’s a sitting duck;

now, therefore be it resolved,

  • that it is the policy of the San Francisco Elections Commission to oppose the use of any Internet or email voting system to cast voted ballots that cannot meet requirements of transparency, testing, verifiability, usability, accessibility, reliability, and security as exemplified by the aforementioned E2E-VIV report;

    and be it further resolved, that any such voting system must:

  • allow only eligible voters to vote;
  • not allow the voter to show their votes to anybody else after they have voted;
  • be easy to use and accessible to all voters;
  • be secure from attack by well-funded nation states;
  • ensure that the voter’s computer/phone is protected against fake apps, websites and other malware;
  • resist massive, coordinated “denial of service” attacks on the system and on the voters’ computers;
  • allow for large-scale resolution of disputed votes, including the correction of the totals;
  • be end-to-end verifiable by the general public;
  • allow public review of the entire system including all documentation, source code, and system logs;
  • allow anybody to test the entire system, including penetration testing, with no restrictions;
  • and be reviewed, tested and certified by the State of California.

    Endnotes
    [1] SB 908 (Runner, 2011), AB 1929 (Gorell, 2012), AB 19 (Ting, 2013), AB 887 (Ting, 2015-6),
    http://leginfo.legislature.ca.gov/
    [2] “Initiatives – Active Measures”, by the Office of the Attorney General of California,
    https://oag.ca.gov/initiatives/active-measures : #15-0108, #15-0117, #15-0118
    [3] Page 26, “San Francisco Voting Systems Task Force Report”, June, 2011,
    http://sfgov.org/sfc/vstf/Modules/FinalVSTFReport__5789.pdf?documentid=490
    [5] Page 28, “San Francisco Voting Systems Task Force Report”, June, 2011,
    [6] “Verified Voting Blog: If I can shop and bank online, why can’t I vote online?”, by Dr. David Jefferson,
    https://www.verifiedvoting.org/if-i-can-shop-and-bank-online-why-cant-i-vote-online/
    [7] “Hacking the D.C. Internet Voting Pilot”, by Dr. J. Alex Halderman, University of Michigan,
    https://freedom-to-tinker.com/blog/jhalderm/hacking-dc-internet-voting-pilot/
    [8] “NIST Activities on UOCAVA Voting”, by the Information Technology Laboratory of the National Institute of Standards and Technology,
    http://www.nist.gov/itl/vote/uocava.cfm
    [9] “The Future of Voting: End-To-End Verifiable Internet Voting (Summary)”, published by the US Vote Foundation,
    https://www.usvotefoundation.org/e2e-viv/summary
    [10] Page 3, “The Future of Voting: End-To-End Verifiable Internet Voting (Full Report)”, published by the US Vote Foundation,
    https://www.usvotefoundation.org/sites/default/files/E2EVIV_full_report.pdf
    [11] “End-To-End Verifiable Internet Voting”, by Jim Soper,
    https://countedascast.org/internet-voting-risks/end-to-end-verifiable-internet-voting/
    [12] “NSA’s chief hacker explains how to keep the NSA out of your business”, by Yoni Heisler, BGR News,
    https://www.yahoo.com/tech/nsa-chief-hacker-explains-keep-nsa-business-040001861.html
    [13] Page 5, “Attacking the Washington, D.C. Internet Voting System”, by Scott Wolchok, Eric Wustrow, Dawn Isabel, and J. Alex Halderman,
    https://jhalderm.com/pub/papers/dcvoting-fc12.pdf
    [14] Countdown to Zero Day: Stuxnet And The Launch Of The World’s First Digital Weapon by Kim Zetter, also “An Unprecedented Look at Stuxnet, the World’s First Digital Weapon”, by Kim Zetter, WIRED,
    http://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/
    [15] “Internet of Things to be used as spy tool by governments: US intel chief”, by David Kravets, Ars Technica,
    http://arstechnica.com/tech-policy/2016/02/us-intelligence-chief-says-iot-climate-change-add-to-global-instability/
    [16] “Targeting Activity Against State Board of Election Systems”,
    https://s.yimg.com/dh/ap/politics/images/boe_flash_aug_2016_final.pdf
    [17] “Statement by Secretary Jeh Johnson on the Designation of Election Infrastructure as a Critical Infrastructure Subsector”,
    https://www.dhs.gov/news/2017/01/06/statement-secretary-johnson-designation-election-infrastructure-critical