Security and Technology: Lessons Learned since HAVA
Written testimony for the California Senate Select Committee on Science, Innovation and Public Policy
March 11, 2014
- Co-Chair, Voting Rights Task Force
- Author of CountedAsCast.org, CountedAsCast.com
- Currently develop mobile apps
- Member, San Francisco Voting Systems Task Force, 2009-11
- Former senior software consultant in AI for Digital Equipment Corporation – making complex systems work in real life
Lessons Learned 2002 – 2008
- I got into EI advocacy in February 2005, when I learned that an embezzler with 23 convictions, Jeffery Dean, had programmed what would become the Diebold election systems.
- See many more issues on Security here: http://www.countedascast.com/issues/security.php
- Testing before 2007 was ineffective. Secretary Bowen’s Top to Bottom Review proved this.
- The testing regulations proposed recently by Secretary Bowen are very good. They include open-ended vulnerability testing and source code inspections.
- No amount of testing will discover code hidden in the software waiting to be triggered by an insider, sometimes called an “Easter egg”.
- Open source software reduces, but does not eliminate, the risk of hidden code. Election software is very complex.
- See: http://www.countedascast.com/issues/testing.php
Lessons Learned 2009 – 2014
Voter Registration Data Abuse
- Systematic suppression of registrants across the country.
- Solution: Pakistan, SMS mobile phone text-messaging system
- 55 million hits.
- Well publicized. An example of “crowdsourcing”.
- Discovered systematic problems affecting hundreds of thousands of voters.
- See: http://blackboxvoting.org/reports/solutions-two-innovations-improve-voter-list-accuracy-turnout-and-reduce-fraud/
Vote by Mail (VbM) Abuse
- We need to treat our election systems and vote by mail systems as if they have been programmed by a convicted embezzler, because at least one of them has.
- Jeffery Dean also created software called VoteRemote, to handle Vote By Mail. He then set up his own ballot printing and mailing company, then called Spectrum Print & Mail. (http://12160.info/profiles/blogs/convicted-felon-embezzler)
- Criminals use the voter history information to identify who hasn’t or doesn’t vote, so that they can switch them to VbM, and vote “for” them.
- There are documented incidents in California where voters have discovered that fraudsters have voted for them, by mail, using forged signatures.
- VbM ballot printers should NOT have access to images of signatures. The signature can be printed on the envelope, and sent in fraudulently.
- Any system is hackable
- Ex: Washington DC, Sept 2010 (https://freedom-to-tinker.com/blog/jhalderm/hacking-dc-internet-voting-pilot/).
- Users' devices are not secure.
- Example: fake banking software for users (Zeus virus).
- Denial of Service (DoS) attacks.
- See https://countedascast.org/internet-voting-risks/
The biggest danger comes from INSIDERS
- Database administrators
- Election workers
- We do not know what is going on inside the computers; they are too complex.
- Transparency is an extension of security. A 2nd check on the system.
- Need to prove to the losers and to the public that they lost.
- Ukraine, Egypt – public does not trust the elections. The result is revolts when the “elected” party goes too far.
- Estonia: could not prove to the Center Party that they lost (2011).
- Cannot recount the paperless ballots.
- Center Party got 28% of paper votes. Less than 10% of the Internet vote. They are still angry.
- Nobody, and no machine, should be counting votes in secret.
- Ex: Tunisia – successful 1st ever election of the Arab Spring.
  - The government is moving ahead with a new constitution.
  - Every ballot was shown and counted to every observer present, in every polling place, worldwide, before the ballots left the precinct.
  - Result: the ballot counts are accepted.
- Paper ballots are auditable, recountable.
- Timely, public access to election data online.
- Ex: SF Digital Election Observer: http://sfdeo.wordpress.com
  - Uncovered bugs in the Sequoia RCV software – twice.
- Ex: Online detailed precinct reports: see AB 813 (Melendez).
- Current 1% Manual Count is inadequate.
- Recounts cost too much
- Fresno charges $46/hr per worker to recount ballots.
- There is no automatic recount in California.
- See “Recount Principles and Best Practices” http://ceimn.org/sites/default/files/recountprinciplesbestpractices2014.pdf
- Risk-Limiting Audits
  - Theoretically a good idea, but not understood by the public.
- Trachtenberg Electronic Verification System (TEVS)
  - System to read and count images of all the ballots in an election.
  - On first use in Humboldt County, discovered a serious bug in Diebold software.
  - Software is much improved recently.
- Possible to conduct risk-limiting audits AND full rereading/recounting of ballot images (TEVS).
- Counties need much more financial support from the state. In general, they get a great deal of difficult work done with few resources, and are constantly being asked to do more. Increasing voting options such as digital voting systems, vote by mail, provisional ballots, early voting, etc., drastically multiplies the complexity of what they have to accomplish, and they deserve better support.
- Consider declaring ballots as public records. Some privacy issues, but we need to look at this closely.
- Publish as much information online as soon as possible. This goes beyond detailed precinct reports, to include system logs, ballot definition files, etc. None of this should be treated as proprietary, which, historically, it has been.
- Absent very good auditing, California should require and pay for automatic recounts when the margin of victory is narrow.
- The state should support, and counties should conduct pilot projects for TEVS, risk-limiting audits, and hand counting ballots in the precinct, to see how well they really work.
- For projects such as the Pakistani voter registration project to work, the registration data needs to be available to the public.
- Ideally, election audits should be run by an agency independent of the department that produced the original count.
- Truly open source (free) software should have its testing and certification costs paid for by the state.
- California needs to treat voter registration and vote by mail software as mission critical – subject to a top to bottom review, similar to voting systems.
- California needs to start tracking VbM ballots throughout the entire chain of custody, including in the post office and the registrar’s office. Treat each ballot as if it’s worth $100, because it is.
- Print ballots in Braille.