Category: FAQ

Ten Myths In The Nutmeg State

Ten Myths About Electronic Voting In Connecticut: Myth #1 – Connecticut has the toughest and strongest audit law in the country because we audit 10%.

Ten Myths About Electronic Voting In Connecticut <.pdf>

Myth #1 – Connecticut has the toughest and strongest audit law in the country because we audit 10%.

Reality

  • Connecticut audits a maximum of 3 or 20% of races in 10% of the districts.  This is adequate only in the case of statewide races which are selected for the audit.
  • Questions, referendums, and special elections are exempt from audits.  Centrally scanned absentee ballots and all hand counted ballots also are exempt from the audits.
  • In a state representative race or municipal race, the probability of detecting an error or fraud is in the range of 2-4%.  This is far from sufficient.
  • Towns with only one district would have municipal races audited an average of once in 20 years.
  • Districts where there is an automatically recanvassed race or a contested race are exempt from audits – a state wide recanvass or contest would block all audits for the election in the entire state.
  • Selection of the races to be audited is not required to be public. Audits are public, yet have no statutory prior public notification requirement. 

Myth #2 – UConn reports of the post-election audits proved that our voting machines count accurately.

Reality

  • In 2010 Registrars reported 29 instances of differences between the machine and hand counts with differences ranging from 6 to 40 for a candidate, in a single district. The highest percentage discrepancies was 22%.  Such differences have continued at unacceptable levels, uninvestigated.
  • Without transparent investigations we can’t attribute the differences to either machine or human counting errors. Evidence for a complete investigation is no longer available as the ballots are no longer under seal.
  • Observations of the actual audits raise questions about the credibility of the data provided to UConn. In Aug 2012 31% of reports by towns did not contain data necessary to determine the outcome of the audit, and an additional six reports were lost or never filed with the Secretary of the State.

 

Myth #3 –Hand counting is prone to human error. Electronic voting is more reliable because computers produce the same result over and over again. We should abandon manual audits and just run the ballots through another similar machine to validate the count.

Reality

  • Computers and memory cards are programmed by humans and just as prone to human error.
  • An improperly programmed computer will miscount the vote over and over again.
  • Since all cards in a district should by definition contain exactly the same information, re-scanning on a similar machine would not detect erroneous or fraudulent programming.
  • People can determine voter intent more exactly.  They can produce an accurate/verifiable count given time, proper procedures, and controls.
  • However, it is likely that publicly verifiable, “software independent”, automated audits will be feasible.

 

Myth #4 – Auditing the paper by hand is too costly and time consuming.

Reality

  • A sufficient hand audit would cost between $0.25 and $0.50 per ballot cast for the largest elections in Connecticut – a small fraction of the cost of conducting an election ($5.00 to $20.00 per ballot cast).
  • The integrity of the vote and public confidence should drive decisions related to the conduct of elections.  Cost, speed, and inconvenience are important, yet secondary, considerations.

 

Myth #5 – We can rely on procedures to catch errors and ensure the integrity of elections.

Reality

  • Procedures are followed inconsistently, at best, sometimes not at all, and there is no enforceable penalty for failing to follow part or all of a procedure. Ballots and optical scanners have been left unsealed and unattended.  Ballots have been unsealed and audits begun before the stated start of “public” audits.
  • Only processes which are codified in the statutes are clearly enforceable.

Myth #6 Memory card errors cannot affect the outcome of our elections because election officials conduct pre-election testing of our electronic voting systems.

Reality

  • Pre-election testing cannot detect all errors and programming attacks. Pre-election testing of electronic voting systems will detect only basic errors such as ‘junk’ memory cards, wrong candidates, and machines that simply don’t work.
  • Computer science tells us it is impossible to test completely.  Recent academic reports continue to outline many ways that clever programming can circumvent detection during basic pre-election testing.

 

Myth #7 – We don’t have to worry about memory card problems because UConn tests the memory cards before and after each election.

Reality

  • UConn’s program is useful program, however, the trend is for fewer and fewer districts to send in cards for testing before and after the election. Selection is unlikely to be random.
  • Many districts fail to send memory to UConn cards for pre- and post-election testing. In the 2012 Presidential Primary, compliance in submitting cards by local officials ranged from 8% to 18%.
  • UConn reported that cards indicated that pre-election testing procedures continue not be followed consistently. How can we be sure the procedure for random selection of cards was followed?
  • Over the years the number of cards tested per election have declined and reports have been delayed.

 

Myth #8 – If we can trust our money to ATMs and online banking, we can trust our votes to computers.

Reality

  • Banks lose billions in online banking fraud every year. The savings ought weigh the costs to banks. Errors can be easily detected because the customer receives a receipt and the bank must account for all funds by double-entry bookkeeping.
  • Memory cards for elections are programmed differently for each town and every election because the races on the ballot and the candidates are different in each town and in each election.  In addition, voters cannot be issued any receipt to take with them because it would open the door to vote buying and intimidation.
  • The only public security test of an Internet voting system, in Washington D.C., was quickly compromised.
  • The only way to be sure the machines count correctly is to count enough of the paper to ensure that if fraud or error were to occur it would be detected. Secret voting precludes paper records for online voting.

 

Myth #9 – If there is ever a concern we can always count the paper.

Reality

The law limits when the paper can be counted.

  • Audits can protect against error or fraud only if enough of the paper is counted and discrepancies in the vote are investigated and acted upon in time to impact the outcome of the election.  See myths #1 and #2.
  • An automatic recanvass (recount) occurs when the winning vote margin is within 0.5%. The local Head Moderator moderator or the Secretary of the State can call for a recanvass, but even candidates must convince a court that there is sufficient reason for an actual recount.
  • Recounting by hand is not required by law. In early 2008 the Secretary of the State reversed her policy of hand recanvasses.  We now recanvass by optical scanner.
  • In 2010, the Citizen Recount showed huge discrepancies in Bridgeport, never recognized by the ‘system’.

 

Myth #10 The only way to ensure that all the votes are counted and that every vote counts is to count 100% of the paper.

Reality

Properly programmed scanners do a reasonable job of counting ballots.  The key to safe elections is to:

  1. Appoint an independent Audit Board with expertise in auditing and statistics to oversee the audits.
  2. Count enough of the ballots to detect and deter error or fraud.
  3. Investigate discrepancies and determine their cause, then take corrective and preventative action.
  4. Expand the audit when discrepancies are uncovered that have the potential to impact an election outcome
  5. Start and complete audits quickly so that data is preserved and the winners reflect the intent of the voters.
  6. Codify and enforce the process so violations can be prevented or surfaced and corrected.

 

FAQ – Why Is Voting Different Than Scanning A Can Of Peas?

[Greenwich Registrar of Voters] Musca said she had confidence in the machines’ accuracy. There’s no way you can make a mistake. You color in your ovals and the machine reads it,” she said. “It’s as good as scanning their can of peas (at the supermarket). If they trust the price on their can of peas, they should trust this as well.” <ref>

Unfortunately, Grocery Scanning (like ATM banking) is not the same as optical scan voting. Its not just that the computers are different – the whole “system” is different.

If the store programmed the peas incorrectly, then a customer would notice – their receipt and the money they paid would be incorrect – or the store would notice that they were losing money on peas – or perhaps an observant unbiased clerk that did not have blind faith in the scanner would notice. If just one customer or store employee noticed then the problem would be swiftly corrected and likely correct at least until the next change in price for peas was input by another employee.

Why do registrars say that manual counting of ballots is error prone? Because it is done by people who are inherently unreliable. Why do grocery scanners make mistakes? Because they are programmed and updated by people who are inherently unreliable.

How do we detect and correct problems with grocery scanners? We have checks and balances to offset the errors often made by humans – the store should have them while they input prices and upgrade the system – the receipt and money exchange is another check.

How do we detect and correct problems with voting systems – we test as well as we can beforehand – we independently test memory cards (we should) – we do sufficient random audits after elections. We cannot check receipts – we have something better in Connecticut: the ballots filled out by the voters. There is no money transaction we can check, they voter cannot detect an error and see that it is fixed for subsequent voters.

How do we detect and correct problems with human hand counted audits? We count with best practices that reduce problems with counting in the first place: teams of three or four counters; redundant counting of small batches; counting without knowledge of original machine counts; public observation of procedures. If counts don’t match machine results we count again, more carefully. If they still don’t match we do forensic research on the ballots and machines to determine the reason for the discrepancy and then work to determine the cause. (These are all things we should do. Unfortunately, at this time these are not the sort of things that are always done in Connecticut).

Let us not forget that paying a few cents more for a can of peas is hardly the same as losing democracy. We take voting integrity as a hassle at our peril.

Comparing Voting Computers To Electric Meters

We often hear voting computers compared to ATMs. We have debunked< the notion that Voting Computers can be trusted like ATMs. Today an article by the Courant's consumer watchdog, George Gombossy, Once Again Meter Madness, has me considering how Connecticut’s Voting Computers and Electric Meters are the same and different.

Update:  Courant Editorial calls for Independent Audit <read>

We often hear voting computers compared to ATMs. We have debunked the notion that Voting Computers can be trusted like ATMs. Today an article by the Courant’s consumer watchdog, George Gombossy, Once Again Meter Madness, has me considering how Connecticut’s Voting Computers and Electric Meters are the same and different.

I suggest reading Gombossy’s article 1st and then returning here for the comparison: <read>
Same: Voting computers and electric meters are complex pieces of equipment that the ordinary citizen and voting official do not understand.

Different: The case of an electric meter is often transparent with a counter you can read that records usage by the customer. Voting computers have internal meters controlled by software that nobody can see or read as votes are accumulated.

Same: Both are sealed with tamper evident seals.

Different: Meter seals are there to keep the customer from stealing electricity. Voting Computer seals are there to keep insiders from stealing democracy.

Same: Meters are read and audited by employees of the electric company that is charged (no pun intended) with charging customers accurately. Voting computers are read and audited by election officials charged with running elections with integrity.

Same: When their electric meters are audited, the customer may be restricted to standing at a distance which precludes the actual observation of the function of the meter. When voting computers are audited the public may be restricted to standing at a distance which precludes the actual observation of the marks on the ballots being counted and the results being tabulated.

Different: The Courant’s watchdog has spent several columns investing and bringing the important issue of electric meter accuracy to the attention of the public. The Courant’s editorial page has, in the face of contrary evidence, touted the accuracy of our voting computers.

Different: The Attorney General is calling for independent testing of a suspect electric meter that has passed two tests by the electric utility. The Secretary of the State, some registrars, and at least one State Representative are considering calling for the elimination of manual recounts of our voting computers, even as some of those recounts and audits show differences in the voting computer results and the manual hand count of the voters intent.

Same: Just because many electric meters are tested and work, it does not mean that all electric meters will work correctly all the time. Just because many voting computers are tested and work, it does not mean that all voting computers will work correctly all the time.

Different: When your electric meter does not work, you get an odd, suspect, transparent bill that can be a trigger to you or the electric company to look for an explanation. When your voting computer flips votes, unless it is audited carefully, nobody will ever know.

Different: All electric meters of the same model are the same unless there is a mechanical flaw in one meter. Voting computers are programmed separately for each election, each district, and each race – each is a unique opportunity for error or fraud involving many voting computers.

FAQ: Framing The Issue: Did the Machine Perform Flawlessly?

(Note: I have benefited from reading and contemplating the concept of framing issues from the linguist George ‘Don’t Think of an Elephant’ Lakoff founder of Rockridge Institute and cultural anthropologist Jeffrey Feldman, founder of the frameshop. While contemplating press reports on the recent election in a moment of sudden inspiration, I realized everyone has been asking and answering the wrong question – incorrectly framing the issues and our concerns with electronic voting. Here is my meager attempt changing the frame and starting toward more accurate understanding.)

We are asking the wrong questions when we ask if the audits proved that the “Machines Performed Flawlessly” or if the “Machines Incorrectly Counted The Votes”. We are using a misleading frame.

Continue reading “FAQ: Framing The Issue: Did the Machine Perform Flawlessly?”

FAQ – How can the scanner be hacked? It is kept in a canvas bag protected by a tamper-evident seal!

Update 10/28: The Secretary of the State’s Office has taken action to mitigate these concerns by requiring three additional tamper evident seals to indicate when the case has been open and to protect the ports. <read the details> Our democracy hangs, literally, by a vulnerable plastic thread – that can be compromised with a few … Continue reading “FAQ – How can the scanner be hacked? It is kept in a canvas bag protected by a tamper-evident seal!”

Update 10/28: The Secretary of the State’s Office has taken action to mitigate these concerns by requiring three additional tamper evident seals to indicate when the case has been open and to protect the ports. <read the details>

Our democracy hangs, literally, by a vulnerable plastic thread – that can be compromised with a few $, in a few seconds.

Background: The recent story in New Britain started curiosity for information on the actual security of the canvas bag and the tamper-evident seal that are required to protect the AccuVote-OS optical scanners in Connecticut. By fortunate coincidence I had just started reading the CA Top-To-Bottom Source Code Review of the Diebold Voting System which also led to an article, Tamper-Indicting Seals in American Scientist by Roger G. Johnson, head of the Vulnerability Assessment Team at Los Alamos National Laboratory. (I will post a review of the CA Source Code Review in the near future)

Even though there is a tamper-evident seal over the memory card in the optical scanner, that alone would be insufficient to protect the memory card from unauthorized changes for two reasons: 1) Despite the recommendations of the University of Connecticut, the parallel port remains operational and exposed to provide access to compromise the scanner’s software and/or the memory card. 2) Four screws can be removed to provide access to the memory card and other parts for alteration/replacement without without disturbing the seal. The employed solution is a canvass bag matched with a tamper-evident seal enclosing the entire optical scanner.

Continue reading “FAQ – How can the scanner be hacked? It is kept in a canvas bag protected by a tamper-evident seal!”

FAQ: Stop! What You Are Doing Will Scare The Voters Away From The Polls.

While not a question. This statement has been raised a couple of times in the last few days. A candidate was concerned that by raising the issue of election integrity it could cut voting at the polls. A registrar called to tell me that there were a lot seniors in her town that would be afraid to vote it they came to hear me. Neither of these people have heard my presentation. In fact, the registrar said she could not make my presentation as she has a day job and only does registrar work when she is paid.

There are several answers to this statement, let me give them:

  • I encourage everyone to vote. The only only way to guarantee your vote will not be counted is to avoid voting.
  • We agree that increasing voter confidence will increase participation and that increased participation is good.
  • Do you agree that actual integrity of the system is equally important as the perception of integrity?
  • My goal is to increase voter confidence in the election system by exposing vulnerabilities and causing the process to be improved. I do not condone sweeping anything under the rug.
  • I have confidence in the reliability of the democratic process with informed voters.
  • My intention is to protect and enhance the value of everyone’s vote. While CTVotersCount is dedicated completely to voting integrity and confidence, I personally support measures to increase voter participation which do not otherwise compromise election integrity and oppose those that could easily compromise election integrity.

Update 9/26: TalkNationRadio (no transcript yet) addressed this topic today. PEW Research shows no drop-off in voting in Florida or Maryland as voters become more cynical with regard to election integrity. (Not sure how comforting this information is, yet it refutes the entire premise of the concerns being raised.)

Continue reading “FAQ: Stop! What You Are Doing Will Scare The Voters Away From The Polls.”

FAQ: Have they have fixed all the problems with the voting machines?

Lately I have heard several versions of this statement. In July a registrar said something close to the following to me: The company let go of all the bad (convicted felon) programmers and they have fixed all the problems with the machines. Last week a local monthly paper had this to say in an editorial: … Continue reading “FAQ: Have they have fixed all the problems with the voting machines?”

Lately I have heard several versions of this statement. In July a registrar said something close to the following to me:

The company let go of all the bad (convicted felon) programmers and they have fixed all the problems with the machines.

Last week a local monthly paper had this to say in an editorial:

Potential glitches uncovered by the University of Connecticut Voting Technology Research Center in 2006 have been remedied. – Glastonbury Life

The security holes discovered by UConn have not been fixed. We are using the same version,1.96.6, of the software that UConn tested. The state requires that all software versions be certified by the Secretary of the State before they are used in our elections. Thus far 1.96.6 is the only version that has ever been certified in Connecticut. Time is running out for a coordinated update of machines before the November 6th election.

Continue reading “FAQ: Have they have fixed all the problems with the voting machines?”

FAQ: Should We Vote All Paper?

Many voting advocates take a strong position that we should vote only on paper and then count the paper. Registrars and long term election officials resist the paper.

Many voting advocates take a strong position that we should vote only on paper and then count the paper.

Registrars and long term election officials resist the paper.

Continue reading “FAQ: Should We Vote All Paper?”

FAQ: We all trust ATM’s. Why don’t you trust voting machines?

This is a very understandable and legitimate question that must be answered. If there were significant problems with ATM’s we would know about them because banks or consumers would be losing money, it would be reported all over the news, and there would be investigations by regulators. The guilty would be punished, the losses restored, ATMs banned, or fixed. Computer experts need to explain the apparent inconsistency.

Two too simple answers are: We are computer experts, voting machines have unique risks, trust us. We are voting equipment vendors and election officials, we know more about voting computers and running elections than computer experts.

An accurate simple answer is that voting machines are different from ATMs in several ways, especially in their programming, usage, and implementation which are based on the different requirements of voting vs consumer banking.

Continue reading “FAQ: We all trust ATM’s. Why don’t you trust voting machines?”