Category: Chain of Custody

To trust our elections we need evidence, enough evidence

A recent article in Barons by respected scientists: Elections Should be Grounded in Evidence, Not Blind Trust 

Here’s what an evidence-based election would look like:

  • Voters hand-mark paper ballots to create a trustworthy, durable paper vote record. Voters who cannot hand-mark a ballot independently are provided assistive technologies, such as electronic ballot marking devices. But because these devices are subject to hacking, bugs, and software misconfiguration, the use of such ballot-marking devices should be limited.

  • Election officials protect the paper ballots to ensure no ballot has been added, removed, or altered…

A recent article in Barons by respected scientists: Elections Should be Grounded in Evidence, Not Blind Trust  <read>

Here’s what an evidence-based election would look like:

  • Voters hand-mark paper ballots to create a trustworthy, durable paper vote record. Voters who cannot hand-mark a ballot independently are provided assistive technologies, such as electronic ballot marking devices. But because these devices are subject to hacking, bugs, and software misconfiguration, the use of such ballot-marking devices should be limited.
  • Election officials protect the paper ballots to ensure no ballot has been added, removed, or altered. This requires stringent physical security protocols and ballot accounting, among other things.
  • Election officials count the votes, using technology if they choose. If the technology altered the outcome, that will (with high confidence) be corrected by the steps below.
  • Election officials reconcile and verify the number of ballots and the number of voters, with a complete canvass to ensure that every validly cast ballot is included in the count.
  • Election officials check whether the paper trail is trustworthy using a transparent “compliance audit,” reviewing chain-of-custody logs and security video, verifying voter eligibility, reconciling numbers of ballots of each style against poll book signatures and other records, and accounting for every ballot that was issued.
  • Election officials check the results with an audit that has a known, large probability of catching and correcting wrong reported outcomes—and no chance of altering correct outcomes. The inventory of paper ballots used in the audit must be complete and the audit must inspect the original hand-marked ballots, not images or copies.

None of these steps stands alone. An unexamined set of paper ballots, no matter how trustworthy, provides no evidence. Conversely, no matter how rigorous, audits and recounts of an untrustworthy paper trail provide no evidence that the reported winners won. Auditing or recounting machine-marked ballots or hand-marked ballots that have not been kept secure can check whether the reported outcome reflects that paper trail, but cannot provide evidence that the reported winners won.

We completely and enthusiastically agree.

One more time: Hand Marked Paper Ballots, protected and exploited

Our Longtime Editorial Opinion

We hear a lot about protecting voting equipment and paper ballots. We talk a lot about both as well. They are not equal!…

Today an article in Freedom to Tinker echoing our opinion: ESS voting machine company sends threats

Our Longtime Editorial Opinion

We hear a lot about protecting voting equipment and paper ballots. We talk a lot about both as well. They are not equal!

It is good to protect machines from tampering; good to test machines; and good to preserve them for post-election forensic analysis; yet, ultimately they cannot be fully protected and error free. They cannot be preserved for extended periods, they are needed for the next election.

Paper ballots are also ‘hackable’ by good old fashioned replacement, destruction, or alteration; yet they can be well protected by strong security measures and audits of security compliance. They must be exploited by sufficient, transparent, publicly verifiable audits and recounts.

Today an article in Freedom to Tinker echoing our opinion: ESS voting machine company sends threats  <read>

The ExpressVote XL, if hacked, can add, delete, or change votes on individual ballots — and no voting machine is immune from hacking. That’s why optical-scan voting machines are the way to go, because they can’t change what’s printed on the ballot. And let me explain some more: The ExpressVote XL, if adopted, will deteriorate our security and our ability to have confidence in our elections, and indeed it is a bad voting machine. And expensive, too!

The main point of the article is that ES&S is using false claims made against Dominion to intimidate others, making accurate, indisputable, scientific claims:

Apparently, ES&S must think that amongst all that confusion, the time is right to send threatening Cease & Desist letters to the legitimate critics of their ExpressVote XL voting machine. Their lawyers sent this letter to the leaders of SMART Elections, a journalism+advocacy organization in New York State who have been communicating to the New York State Board of Elections, explaining to the Board why it’s a bad idea to use the ExpressVote XL in New York (or in any state).

ES&S  machines, as far as we know, are no more or less vulnerable than other brands, however, the company exposes its lack of integrity by its unfounded intimidation.

Elections Should be Grounded in Evidence, Not Blind Trust

Commentary in Barron’s this week Elections Should be Grounded in Evidence, Not Blind Trust <read>

Even though there is no compelling evidence the 2020 vote was rigged, U.S. elections are insufficiently equipped to counter such claims because of a flaw in American voting. The way we conduct elections does not routinely produce public evidence that outcomes are correct.

Commentary in Barron’s this week Elections Should be Grounded in Evidence, Not Blind Trust <read>

Even though there is no compelling evidence the 2020 vote was rigged, U.S. elections are insufficiently equipped to counter such claims because of a flaw in American voting. The way we conduct elections does not routinely produce public evidence that outcomes are correct.

Furthermore, despite large investments since 2016, voting technology remains vulnerable to hacking, bugs, and human error. A report by the National Academies into the 2016 election process concluded that “there is no realistic mechanism to fully secure vote casting and tabulation computer systems from cyber threats.” The existence of vulnerabilities is not evidence that any particular election outcome is wrong, but the big-picture lesson from 2020 is that ensuring an accurate result is not enough. Elections also have to be able to prove to a skeptical public that the result really was accurate.

We need evidence-based elections: processes that create strong public evidence that the reported winners really won and the reported losers really lost, despite any problems that might have occurred. Every step in election administration—from technology choices to voter eligibility checks, physical security, the canvass, and audits—should flow from that requirement…

Here’s what an evidence-based election would look like:

  •  Voters hand-mark paper ballots to create a trustworthy, durable paper vote record. Voters who cannot hand-mark a ballot independently are provided assistive technologies, such as electronic ballot marking devices. But because these devices are subject to hacking, bugs, and software misconfiguration, the use of such ballot-marking devices should be limited.
  • Election officials protect the paper ballots to ensure no ballot has been added, removed, or altered. This requires stringent physical security protocols and ballot accounting, among other things.
  • Election officials count the votes, using technology if they choose. If the technology altered the outcome, that will (with high confidence) be corrected by the steps below.
  • Election officials reconcile and verify the number of ballots and the number of voters, with a complete canvass to ensure that every validly cast ballot is included in the count.
  • Election officials check whether the paper trail is trustworthy using a transparent “compliance audit,” reviewing chain-of-custody logs and security video, verifying voter eligibility, reconciling numbers of ballots of each style against poll book signatures and other records, and accounting for every ballot that was issued.
  • Election officials check the results with an audit that has a known, large probability of catching and correcting wrong reported outcomes—and no chance of altering correct outcomes. The inventory of paper ballots used in the audit must be complete and the audit must inspect the original hand-marked ballots, not images or copies.

None of these steps stands alone. An unexamined set of paper ballots, no matter how trustworthy, provides no evidence. Conversely, no matter how rigorous, audits and recounts of an untrustworthy paper trail provide no evidence that the reported winners won. Auditing or recounting machine-marked ballots or hand-marked ballots that have not been kept secure can check whether the reported outcome reflects that paper trail, but cannot provide evidence that the reported winners won…

outsourcing audits, as Georgia did after the November vote, may prevent such process improvements. It is the responsibility of election officials (and not a third party) to ensure and demonstrate that the paper trail includes no more and no less than every validly cast ballot, and that the reported result is what those ballots show.

We note that, to us, ‘Outsourcing’ audits is a distinct concept from ‘Independent’ audits. Outsourcing implies turning all responsibly over to a hired vendor or entity dependent on election officials for funding. Independent auditing means assigning responsibility for the audit, or at least assessment and oversight of the audit to an entity independent of election officials.

Paper Ballots Integral to Connecticut Election Security – ANNOTATED

A recent article in the Journal Inquirer is at best misleading:  Paper Ballots Integral to Connecticut Election Security <read>

Connecticut has some good election integrity practices, yet there are gaps and vulnerabilities.

Full disclosure, I am a resident of Glastonbury and have been a poll-worker here since 2013 and prior to that from 2008 in Vernon, Connecticut. I take no pleasure in writing this post. Yet, even when people you know and appreciate provide, in your opinion, inaccurate or uninformed information to the public, it is not appropriate to ignore it. There is some good information in this article, yet it is not entirely accurate.

I absolutely agree that Voter Marked Paper Ballots like we have in Connecticut are the widely recognized basis of election security and integrity. Yet they are just a start.

A recent article in the Journal Inquirer is at best misleading:  Paper Ballots Integral to Connecticut Election Security <read>

Connecticut has some good election integrity practices, yet there are gaps and vulnerabilities.

Full disclosure, I am a resident of Glastonbury and have been a poll-worker here since 2013 and prior to that from 2008 in Vernon, Connecticut. I take no pleasure in writing this post. Yet, even when people you know and appreciate provide, in your opinion, inaccurate or uninformed information to the public, it is not appropriate to ignore it. There is some good information in this article, yet it is not entirely accurate.

Below is my annotation in blue:

Paper Ballots Integral to Connecticut Election Security
Election officials in the state are pointing to the benefits of physical ballots as the national conversation around election security continues to draw focus.

I absolutely agree that Voter Marked Paper Ballots like we have in Connecticut are the widely recognized basis of election security and integrity. Yet they are just a start.

by Alex Wood, Journal Inquirer / January 4, 2021  
 
(TNS) — With election officials around the country under very public attack, Mark Dobbins, the Democratic registrar of voters in Glastonbury, wants Connecticut residents to know more about the procedures election officials here use to make sure that all legal votes — and only legal votes — are counted.

It is a sad consequence in the atmosphere of this election that officials are under attack. Anyone who threatens an official and makes false or uninformed claims should be ashamed. And, in the most blatant cases where physical harm is threatened, prosecuted.

One is the old-fashioned paper trail, which Connecticut election officials use for many records, including ballots.

“We use a lot of paper, and you can’t hack paper,” Dobbins says.

Not exactly, even though paper ballots are a good start at election security and auditability, anyone with access to the storage of voted paper ballots can hack them, better still, with access to blank ballots as well, hacking is pretty straightforward. As we have pointed out over and over, Connecticut has very weak ballot security. In the majority of towns a single official may access ballot storage undetected for hours. polling place voted ballots are normally sealed with numbered seals which scientists have demonstrated offer little protection from skilled experts and amateurs alike.

Security experts also point out that over confidence in security by officials is a warning sign of lack of security. <See Do Connecticut’s Tamper-“Evident” Seals Protect Our Ballots?>

In addition, the tabulating machines that count ballots aren’t connected to the Internet and can’t be hacked into, he says.

It is of course important that scanners are not connected to the Internet, however, Hari Hursti long ago demonstrated how the machines used in Connecticut can easily be hacked  <The Hursti Hack> by anyone who has physical access to them. In Connecticut scanners are subject to that same weak security as voted ballots. Even computers not connected to the Internet can be hacked by Foreign actors <for example the STUXNET Attack>.

He adds that the tabulating machines are useless without memory cards. When the cards aren’t in use, he says, LHS Associates, an election services company based in Salem, New Hampshire, holds them securely.

First, the machines themselves can be hacked. They have software which could easily be changed by changing the chips, especially by a rogue service person form LHS Associates. LHS employs a number of people who program the memory cards. There is no audit or observation of LHS programming or security. At least none has been publicly disclosed. Unlike Connecticut, many states require that all programming of memory cards be accomplished by officials and not outsourced as Connecticut does. Here is a UConn papers describing additional vulnerabilities <here> <and here>.

Gabe Rosenberg, general counsel to Secretary of the State Denise W. Merrill, says the University of Connecticut’s Center for Voting Technology Research, or VoTeR Center, takes the memory cards before and after the election to make sure there are no problems.

 Actually, UConn takes a sample of memory cards. Its not a scientific sample. Registrars choose the cards to send to UConn after the election and don’t send all that are asked for. UConn is a little slow in providing reports.  The memory card audit report was for the 2014 elections. Here it is latest report, we suggest reading the summary <2014> <all reports>   It’s hard to trust an audit that is not random and publicly verifiable. There are some problems reported in those audits.

Officials audit 5% of the state’s voting precincts, Rosenberg says. The results exactly matched the machine counts this year, and the historical error rate is less than 1%, he says.

Connecticut does an audit of 5% of the voting districts, yet excluded from the audit are Election Day Registration ballots and centrally counted absentee ballots. In this COVID year of increased mail-in voting there are clearly gaps in the audit. Looking at the UConn reports, the last report of the audit completed was for 2016, which was completed about 19 months after the election, so at best we may have to wait a long while for official confirmation of that claim. It might be a really long wait since the previously completed report was for the 2011 election. UConn excludes large differences between machine counts and audit counts, with the aid of the Secretary of the State’s Office attributing all significant differences to human error in the counting process.

Another security measure widely used in Connecticut elections is to have “many eyes watching everything,” Dobbins says.

ELECTION SECURITY

Against hacking: Use of paper ballots and other paper records, vote tabulating machines not connected to the Internet, audits of vote counts

Monitoring: “Many eyes watching everything”

Physical secuirty: Locked rooms for blank ballots and other election supplies, completed absentee ballots stored in “cages” within vaults, police escorts

I am sure all of these practices are in place in some towns in Connecticut. Perhaps most Absentee Ballots are in vaults. It is different for polling place voted ballots: Most towns hold them in locked rooms or cabinets that have single key locks, with keys available to several officials providing individual access. Few towns have cages for polling place ballots Few use vaults for polling place ballots. Serving in several polling places in Glastonbury I have never had or seen a police escort. From my experience police escorts are not prevalent for the custody of voted ballots.

For example, vote tabulating machines are tested before the election, and members of the public “are welcome to come and look over our shoulder and watch us do it,” he says. Likewise, the public can watch as ballots are counted, he adds.

Yes testing is important to find ballot programming errors. Public observation of testing is also important. However, no level of testing can prevent errors and fraud. Every computer is subject error and fraud. For instance, your laptop and smartphone were tested before you received them, there is no assurance that they did not contain errors or supply-chain fraud. Voting machines are no different.

Dobbins says election equipment — from blank ballots to office supplies to the personal protective equipment that election workers needed this year — is kept in “blue bins” in a locked room around election time.

Once again, the rooms in many towns can be accessed by single officials for hours undetected.  Those blue bins which are from the same manufacturer all have the same keys.

He says he and Lisbeth Becker, Glastonbury’s Republican registrar, are the only people with keys to the room — and that no one is allowed to go in alone. Any time he goes in, Dobbins says, he must be accompanied by a Republican or an unaffiliated voter.

My understanding is that such access by two individuals is not monitored, only procedure prevents an individual from lone access. In fact, just a few years ago, prior to the current registrars, I reviewed a couple of pages of the access log and noted a single individual, a Deputy Registrar, had signed in alone several times. He and others could have easily done that even without signing in. (That same deputy was later arrested by the town for computer security violations).

On Election Day, Dobbins says, the number of ballots at each polling place is noted at the start of the day — and every ballot has to be accounted for at the end of the day.

Due to the vastly increased demand for absentee ballots amid the COVID-19 pandemic, the secretary of the state’s office had absentee ballot applications mailed to every registered voter this year.

Some have wondered whether a new resident of an address could send in an application in the old resident’s name, then vote by absentee ballot under that name while also voting under their own name.

But if the impersonated voter were to vote elsewhere, Rosenberg says, the fraudster would be caught. He adds that state law makes such fraud punishable by up to five years in prison and a $5,000 fine — and that several federal laws prohibit it as well — putting a high price on casting a single fraudulent vote.

Responsibilities for Connecticut elections are divided between registrars of voters and town clerks. The clerks’ responsibilities include sending out blank absentee ballots to voters who request them, receiving the completed ballots back, and storing them until it is time for the registrars to count them.

Manchester Town Clerk Joseph V. Camposeo says his office had to add part-time staff members to handle the increased workload, including data entry when ballots were sent out and when they were returned. He says the ballots were stored in a “cage” in his office’s vault for extra security.

My experience is that Manchester has security practices that are well above average in Connecticut.

Manchester had absentee ballot “drop boxes” behind Town Hall and at the police station this year. When he collected more than one or two ballots from the police station box, Camposeo says, he would have a police escort on the way back.

©2021 Journal Inquirer, Distributed by Tribune Content Agency, LLC.

In summary, many of these practices are good ones, if followed by every official in every town. Yet, they are insufficient and especially vulnerable to insider attack, including vendors and a variety of town employees, not just election officials. Elections are more vulnerable to outsiders when the insiders are over confident.

Security is difficult. Connecticut has a good basis with Voter Marked Paper Ballots, no Internet connections, and no Internet voting. Security practices are much more difficult given the nature of a state with 169 towns each with two registrars from opposing parties expected to be knowledgeable in all aspects of elections, including election security. Many are understaffed and underpaid. It’s a lot to expect that each official can understand, implement, and monitor security, while following the best practices of other states with larger election jurisdictions. Many Municipal Clerks are in the same boat. Yet surfacing issues can be the beginning of improvement. On the other hand, the distributed nature of Connecticut elections makes it difficult for localized errors and fraud to result in an inaccurate state-wide result, yet local elections remain more vulnerable.

We need stronger uniform, enforceable, and enforced security procedures across the state. Among other things Connecticut needs stronger tabulation audits, audits of ballot and scanner security.

 

A small hole in ballot packages, is a huge gap in security

Last week Kevin Rennie blogged about a letter from the leader of the Municipal Clerks Association sent to the clerks. Information that should have come from the Secretary of the State warning about problems and misinformation about the mailing of ballot packages to voters. Information that should have gone to voters not just clerks: Merrill Failure: 20,000 Voters Will Not Receive Absentee Ballots. Town Clerks Will Try to Solve Primary Crisis. Unglued, Too. Ballots May Fall Out of Envelopes. There is plenty of disappointment in the post and letter, yet I will concentrate on one item of advice to the clerks:

Additionally, I have been informed that the sides of some inner envelopes have not been properly glued shut by the manufacturer; as a result, the voter’s ballot could slip out of the inner envelope while the town clerk is processing the returns into CVRS. This issue is not related to the voter accidentally slicing open the envelope. It is due to poor quality control at the mail house. Please be on the lookout for envelopes that are not sealed on the side. Please tape the defective inner envelopes shut.

This may appear to be insignificant. Yet it is a big deal. There are reasons for an inner envelope, especially in this election.

Last week Kevin Rennie blogged about a letter from the leader of the Municipal Clerks Association sent to the clerks. Information that should have come from the Secretary of the State warning about problems and misinformation about the mailing of ballot packages to voters. Information that should have gone to voters not just clerks: Merrill Failure: 20,000 Voters Will Not Receive Absentee Ballots. Town Clerks Will Try to Solve Primary Crisis. Unglued, Too. Ballots May Fall Out of Envelopes.<read> There is plenty of disappointment in the post and letter, yet I will concentrate on one item of advice to the clerks:

Additionally, I have been informed that the sides of some inner envelopes have not been properly glued shut by the manufacturer; as a result, the voter’s ballot could slip out of the inner envelope while the town clerk is processing the returns into CVRS. This issue is not related to the voter accidentally slicing open the envelope. It is due to poor quality control at the mail house. Please be on the lookout for envelopes that are not sealed on the side. Please tape the defective inner envelopes shut.

This may appear to be insignificant. Yet it is a big deal. There are reasons for an inner envelope, especially in this election.

Outer envelopes are usually opened on election day by election officials of both parties,  supervised by a Polling Place Moderator or a Central Count Absentee Ballot Moderator. In those usual cases everything is under  the observation of multiple officials and open to observation of voters in the polling place or at the central count location. Not this year! The outer envelope is opened by the clerk’s staff and separated from the inner envelope in advance of election day. The purpose is to reduce the work on Election Day.

There are serious unintended consequences:

  • There are no known, published official procedures for the opening of the envelopes by the clerks, no standards for the security of the ballots, and no formal requirements for public observation.
  • CT has very weak to non-existent standards for ballot security. There is no monitoring of such security. Other states have much stronger standards. E.g. in CO all the areas where ballots or election equipment is under video surveillance for weeks before and after an election. (Even so a clerk was caught on video messing with ballots between an election and a recount. An election where she was on the ballot. She won the recount after losing the initial count.) In NM ballots are kept in metal containers, with two padlocks, one key sent to the clerk and one to a judge by different polling place officials.
  • The clerks’ offices also have free access to blank ballots. There are no such ballots available at central count absentee locations.
  • So lets spell it out:
    • The clerks’ staff could examine ballots with open envelopes that were not properly glued and replace them with ballots with votes for a different candidate.
    • They could un-glue additional envelopes and mark them as if they were not originally sealed correctly.
    • The clerks staff, perhaps loan individuals, perhaps others in town hall could access inner envelopes any time after they are opened until they are turned over to the registrars on Election Day.

The vast majority of election officials, clerks, clerks’ staff, and town hall employees are of high integrity. Yet clerks and registrars, even in Connecticut, have committed crimes with absentee ballots and regular ballots. And they are all very trusting of their staffs and often apparently ignorant of the risks of poor ballot security. According to security experts, overconfidence in security is a primary sign of risk.

There are lots of holes in our ballot security. This is just one novel example spelled out for your consideration and concern.

Moreover, the result is deservedly less confidence in the integrity of our elections.

Reminder, Cybersecurity will never be enough

States and the Federal Government are pumping millions into cybersecurity and new voting systems. That is all good, especially when the new systems are for Voter Marked Paper Ballots and Ballot Marking Devices for those with disabilities. Yet ultimately, it can provide a false sense of security. No matter how strong the cybersecurity and the quality of software, based on Turing’s Halting Problem, it is impossible to secure a computer system from errors and hacking. it is also impossible to secure systems from insiders and others with physical access.

Today’s stories at The Voting News provide a reminder of current vulnerabilities:

How state election officials are contributing to weak security in 2020 | Joseph Marks/The Washington Post
Cyber firm examines supply-chain challenge in securing election ecosystem | Charlie Mitchell/InsideCyberSecurity.com
Editorials: Cyber attacks threaten security of 2020 election | Ray Rothrock/San Jose Mercury-News
Arizona: Is Arizona doing enough to protect 2020 elections? Computer security experts weigh in | Andrew Oxford/Arizona Republic
Georgia: Check-in computers stolen in Atlanta hold statewide voter data | Mark Niesse and Arielle Kass/The Atlanta Journal-Constitution
(PS: Instead stealing these computers they could have hacked them or the voting machines.)
Louisiana: New Louisiana election, same old voting machines | Melinda DeSlatte/Associated Press
New Jersey: Activists press for federal support to upgrade New Jersey’s vulnerable voting machines | Briana Vannozzi/NJTV News
North Carolina: Experts Warn of Voting Machine Vulnerabilities in North Carolina | Nancy McLaughlin/Greensboro News & Record
North Carolina: Voting equipment approval didn’t follow law | Jordan Wilkie/Carolina Public Press
Pennsylvania: Elections officials touted new electronic poll books. Now the city says they don’t work right. | Jonathan Lai/Philadelphia Inquirer

States and the Federal Government are pumping millions into cybersecurity and new voting systems. That is all good, especially when the new systems are for Voter Marked Paper Ballots and Ballot Marking Devices for those with disabilities. Yet ultimately, it can provide a false sense of security. No matter how strong the cybersecurity and the quality of software, based on Turing’s Halting Problem, it is impossible to secure a computer system from errors and hacking. it is also impossible to secure systems from insiders and others with physical access.

That is why we need:

  • Voter Marked Paper Ballots that can be audited and recounted to verify the machine results
  • Strong physical security and chain-of-custody for ballots
  • Best is publicly scanned and reported machine totals compared to the physical ballots

Do Connecticut’s Tamper-“Evident” Seals Protect Our Ballots?

Experts and amateurs have long claimed that so called, tamper-evident seals are easy to defeat.

Experts and amateurs have long claimed that so called, tamper-evident seals are easy to defeat.
See Security Theater: Scary! Expert Outlines Physical Security Limitations.

Matt Bernhard has provided a video showing one easy method of compromising the seals commonly in use in Connecticut. Those that seal perhaps 90% of our ballots and optical scanners:

As Matt says there is a small possibility someone could detect the resealing. I doubt it would happen and if it did it would be doubted. There are no seal protocols in Connecticut.

There is more explanation in a similar video Matt did earlier with a bit different seal:

Don’t worry the bad guys, expert and amateur, have other ways as well. We are not helping them. We are informing those that feel our ballots are secure.

PS: Most voted ballots in Connecticut are sealed in bags or plastic boxes and stored where they can be accessed by multiple single individuals for hours, undetected.

Testimony to the Connecticut Cybersecurity Task Force – UPDATED

I testified in my capacity as Executive Director of the Connecticut Citizen Election Audit. I was the only member of the public providing testimony.

Why are post-election audits and paper ballots a critical component of protecting our elections?  “[D}data protection involves prevention, detection, and recovery”.  Cybersecurity and other measures protecting voting equipment and voting systems are primarily prevention measures and to a lesser degree detection measures. No matter how much effort we put into cybersecurity, software testing, and hardware maintenance there will always be a significant level of vulnerability.

Paper ballots, sufficient post-election audits, and recounts provide a primary means of detecting cyber, software, human, and hardware failures. They also provide a means of recovery. They provide for, so called, software independent verification of election results, resulting in justified public confidence.

Today was the 2nd and perhaps last meeting of the Connecticut Cybersecurity Task Force, aimed at recommending items for Connecticut’s share of the $5.1 million in new Federal Funding.

I testified in my capacity as Executive Director of the Connecticut Citizen Election Audit. I was the only member of the public providing testimony. In a couple of days I will pass on the video of the event, once it becomes available.  For now:
Here is the Agenda: <read> and my Testimony: <read>

I largely addressed the need for paper ballot security and post-election audits and how some of the new Federal money could be used to enhance them now and in the future.

I think I raised some awareness from my testimony and the questions members asked, yet it seems that the modest items I suggested might be deemed cost prohibitive. I spoke for six minutes and addressed questions for about 10 minutes (the emboldened portion of my written testimony), so the video will be interesting. The recommendations for spending the $5.1 million will apparently closely mimic the items listed near the end of the agenda.

Here is an excerpt of some highlights:

Enhancing post-election audits was explicitly included as an appropriate use of funds in the Federal legislation. Protection of paper ballots is a necessary component of trustworthy post-election audits.  I recommend initial steps that will cost, less than one-half a million dollars and outline a more comprehensive, yet efficient plan for the long run that might best protect Connecticut elections and ultimately our democracy.

Why are post-election audits and paper ballots a critical component of protecting our elections?  “[D}data protection involves prevention, detection, and recovery”.  Cybersecurity and other measures protecting voting equipment and voting systems are primarily prevention measures and to a lesser degree detection measures. No matter how much effort we put into cybersecurity, software testing, and hardware maintenance there will always be a significant level of vulnerability.

Paper ballots, sufficient post-election audits, and recounts provide a primary means of detecting cyber, software, human, and hardware failures. They also provide a means of recovery. They provide for, so called, software independent verification of election results, resulting in justified public confidence. I agree with Secretary Merrill that public confidence is important. I emphasize that the goal should be justified public confidence.

For post-election audits and recounts to be trusted requires strong paper ballot security and a credible chain-of-custody. Audits must also be transparent and publicly verifiable. The independent Citizen Audit reports show our ballot security is woefully inadequate.

Connecticut currently has an insufficient post-election audit. Insufficient because it only audits 5% of polling-place cast, machine counted ballots, exempting all centrally counted absentee ballots, Election Day Registration ballots, and originally hand-counted ballots from the audit. Insufficient because many of the local counting sessions are poorly conducted, with most differences in counts attributed to human counting error and left uninvestigated – a phenomenon that is, as far as I can tell, unique to Connecticut.

Fortunately, there is a straight-forward remedy close at hand. The UConn VoTeR Center in conjunction with the Secretary’s Office have developed an independent, electronic system to rescan and recount the ballots, called the Audit Station.  Unfortunately, the Audit Station has not been used in a way that meets requirements for software independence or that would satisfy most election integrity activists, leading scientists, and security experts.

The good news is that the Audit Station could easily be enhanced to satisfy most experts.My written testimony details Citizen Audit recommendations for ballot security and audits. Once again, I emphasize that audits and protected paper ballots are necessary for detection and recovery from every type of attack, breakdown, and error.

The Registrars of Voters Association asked for money for electronic pollbooks and for GEMS systems to accumulate results from memory cards, presumably somehow replacing or enhancing our new, completely air-gaped Election Night Reporting System.

Without explanation the Registrars linked those systems to improved cybersecurity.

They also asked the State to pay for new computers, newer than the XP systems many registrars use and sometimes share with other town employees.

Those suggestions were apparently ignored.

For the agenda from the 1st meeting and a list of task force members, see this press release: <read>

***********UPDATE:

Days sooner than last time, the video is available: <View>

My testimony starts at about 45 minutes in.

In reviewing the video, I note that Secretary Merrill did express interest in using some of the Federal money for some of our recommendations and considering improving some aspects of the audits.

How Could CT Spend New Federal Election Security Money?

Connecticut will have available somewhere around $5 million to spend on election security in the new “omnibus” appropriations bill. Woefully inadequate for states that should be replacing touch-screen voting with all paper ballots.  etc., for a state that already has paper ballots, a lot can be accomplished.

Denise Merrill is already thinking about how to spend it: CTMirror: Omnibus has millions to strengthen CT voting system against cyber attacks.

Secretary Merrill asked me for suggestions in a brief conversation a couple of weeks ago. At the time, off the top of my head, I suggested and we briefly discussed three things. After consideration I would suggest some more things. Security is not just cyber security and training officials. It also requires physical protection of ballots, physical protection of voting machines, and understanding the situation before determining the training needed.

Connecticut will have available somewhere around $5 million to spend on election security in the new “omnibus” appropriations bill. Woefully inadequate for states that should be replacing touch-screen voting with all paper ballots. Yet, for a state that already has paper ballots, a lot can be accomplished.

Explanatory Statement on Consolidated Appropriations Act, 2018
House Appropriations Committee; Rep. Rodney Frelinghuysen, R-N.J., 3/21/2018

ELECTION REFORM PROGRAM

The bill provides $380,000,000 to the Election Assistance Commission to make payments to states for activities to improve the administration of elections for Federal office, including to enhance election technology and make election security improvements, as authorized under HAVA sections 101 [Payments to States for activities to improve administration of elections], 103 [Guaranteed minimum payment amount], and 104 [Authorization of appropriations] of the Help America Vote Act 2002 (P.L. 107-252). Consistent with the requirements of HAVA, states may use this funding to:

  • replace voting equipment that only records a voter’s intent electronically with equipment that utilizes a voter-verified paper record;
  • implement a post-election audit system that provides a high-level of confidence in the accuracy of the final vote tally;
  • >upgrade election-related computer systems to address cyber vulnerabilities identified through DHS or similar scans or assessments of existing election systems;
  • facilitate cybersecurity training for the state chief election official’s office and local election officials;
  • implement established cybersecurity best practices for election systems;
  • and fund other activities that will improve the security of elections for federal office.

Denise Merrill is already thinking about how to spend it: CTMIrror:Omnibus has millions to strengthen CT voting system against cyber attacks <read>

Connecticut Secretary of State Denise Merrill has asked the state to fund two IT positions at her agency to help strengthen protections of the state’s electoral system. Currently the state’s election system relies on an IT team that works for all state agencies.

Merrill says she wants an IT staff “with substantial knowledge of elections” to help fend off cyber threats.

The election chief’s request is pending.

The federal funds in the omnibus, which Merrill says will amount to between $3 million and $5 million for her agency, will be released within 45 days.

Merrill said she plans to use that money to buy equipment, and especially to train election personnel in the state’s 169 towns.

Secretary Merrill asked me for suggestions in a brief conversation a couple of weeks ago. At the time, off the top of my head, I suggested and we briefly discussed three things:

  • Strengthening Connecticut’s woefully inadequate ballot security.  At a minimum setting basic standards for ballot access and minimum sealing duration in law as I suggested in legislation: <S.B.540 2017> That was indeed a minimal proposal at an estimated cost of $30,000.
  • Improving the Electronic Audit to satisfy reasonable integrity requirements as we have proposed in that same bill and in more detailed form to the Secreary’s Office and the UConn Voter Center. Once again this is very few thousands in enhancing some of the prototype code UConn has developed to meet those specifications along with a few thousands in developing documentation while piloting the enhanced system as the current system has been piloted over the last two November elections.
  • Developing the training and support system necessary to use the UConn audit system for all post-election audits – with a trained staff to support the audits deployed across state in the nine regional governments, reducing the need for UConn computer scientist support. I.e. The state has already purchased nine complete systems, that is one for each region of the state. I have suggested training election day scanner experts for the job in a system similar to the way the State now pays part-time registrars additional part-time income providing Moderator Certification classes. I would deploy teams of two trained individuals with three complete audit systems (two to use, one a spare) to each visit three regions for three days each, allowing registrars from towns selected for audit to signup for times to present the ballots for audit.  At most $50,000 to setup the system and train the individuals (they could easily be trained, hands-on in one day, and perhaps assisted by a UConn expert the 1st day of actual auditing.) The cost to pay for each year, renting a van for each team, refresher training,  etc. Might be $30,000 – that’s about half what the hand-count audit costs today. Certainly for cutting costs in half, towns could be expected to pay for the service after a couple years of Omnibus funding!.

After consideration I would suggest some more things. Security is not just cyber security and training officials. It also requires physical protection of ballots, physical protection of voting machines, and understanding the situation before determining the training needed. I would suggest:

  • An independent security audit of every one of the 169 municipalities, performed by a reputable third-party. I would assess the security of paper ballots – how sure can we be that they have not been tampered with for audits and recounts?; the security of voting machines and memory cards; the security of registrars’ office records and municipal clerk election records; the security practices surrounding receipt and processing of absentee ballots; the security practices and security of the elections network associated with the voter registration system and the municipal network in general. At a minimum assess a random sample of very small, small, medium, and large municipalities.
  • Based on that assessment make recommendations for the training of officials and further enhancements of all areas assessed (I suspect needs will be identified that go well beyond the $5 million.

In the long run, beyond the $5 million, the optional solution for ballot storage may be some configuration regional storage with better monitoring and safeguards that can be accomplished by 169 individual municipalities.  Such rationalization would facilitate the audits and would also provide a basis for, so called. risk limiting audits.

 

Five pieces of testimony on six bills

On Thursday the GAE Committee held testimony on most election bills this year. (There was one last week and a couple more will be on Monday). For once, I was able to support more bills than I opposed!

Opposition and support by the Secretary of the State and Registrars was mixed. In addition to supporting and opposing various bills, I offered several suggestions for improvement. And one suggestion for radical improvement.

On Thursday the GAE Committee held testimony on most election bills this year. (There was one last week and a couple more will be on Monday). For once, I was able to support more bills than I opposed!

Opposition and support by the Secretary of the State and Registrars was mixed. In addition to supporting and opposing various bills, I offered several suggestions for improvement. And one suggestion for radical improvement.

It would be a very instructive exercise for you to read my testimony, that from individual registrars, ROVAC (Registrars Of Voters Association, Connecticut), the Secretary of the State, and others.

The bills were:
H.B.5422 Election Day Registration for Primaries
[Supported]

H.B.5459 Wording Change to Closing Polls
[Provided extensive comments and changes, pointing out that polling-
place ballots are insufficiently protected and how to change that.]

H.J.28 and S.J.31 Constitutional Amendment Authorizing Early Voting
[Supported. This is a much safer alternative than proposed and
rejected by the voters in 2014. I suggested modifications that
would save municipalities a lot, and provide even more
hours for voters.]

S.B.410 Post-Election Audit Drawing Date and SOTS Posting of Rulings
[Supported the bill with changes.]

S.B.411 Curing a Civil Rights Violation with EDR
[Supported. For several years I have been warning of the
potential violation]

You can see all the testimony <here>

Links to the bills are at the top of my testimony on each bill.