Mid-Term Report: Two really dangerous bills and a duck

Yesterday, the Government Elections and Administration (GAE) held its last meeting of the year to approve bills originating in the Committee. Today we will recap three of the seven election bills we are tracking.

It is hard to compare and prioritize the importance and impact of bills for good or ill. Today’s three bills provide an instructive contrast. All three are well intended, yet ill conceived. One is extremely threatening to democracy, yet the threat may be way off or ultimately avoided. Another sets a bad precedent for Connecticut and the Nation and flouts reason, with a message almost the opposite of that intended. The third, aimed at fairness, is unfair to most of those seeking redress for an imagined unfairness. UPDATED.

The National Popular Vote Agreement

For about the fifth time in eight years, the National Popular Vote Agreement came up and passed the GAE. We can only hope it does get voted on in the House and Senate. The one time it passed the House, it originally lost by one vote, but several members changed their votes so that it passed.

Perhaps Connecticut’s seven Electoral College votes will not tip the balance to put the Compact in effect. That would take passage of the Compact by states totaling half the Nation’s Electoral College votes. The Compact is half-way there, so far, after seven years. But the danger in passing it here is that Connecticut’s yea or nay could make the difference or influence other states.

Maybe the danger is far off. Maybe there will not be another really close election like 1876, 1960, 2000, or 2004 for a long time. Maybe things will change and we will have more voting integrity, less suppression across the country. Maybe faced with an actual impending implementation, enough states will bow out of the Compact in time.

Maybe Not. The stakes are high. An essentially “stolen” presidency can be bad in itself, and also disheartening for democracy.

In my estimation, the most dangerous bill going forward this year.

Constitutional Amendment to Void the Secret Vote

For the last three or four years we have been fighting Internet voting, a bad idea, justified in the name of supporting our troops. Statistics show great results in supporting our troops based on the implementation of the MOVE Act. Connecticut paralleled other states in going from 61%  absentee ballot return rates in 2010, to 94% in 2012, on the same order as the return rate for all absentee ballots.

Yet critics are not satisfied. They push for risky, expensive, and likely ineffective Internet voting. Yesterday, Representative Hwang called anyone who would vote against the bill “unpatriotic”. We applaud the three Representatives that voted against the bill, articulating the risks of coercion and the value of the Secret Vote. They are the true courageous patriots.

As we said in our testimony, “Like vaccination, it only works if everyone has the secret vote.”

Also I applaud Secretary of the State Denise Merrill’s steadfast opposition to Internet voting and defense of the secret vote, in the face of such support for Internet voting.

Here we are torn with regard to the dangers. This bill is bad because it is a foot in the door of eliminating the secret vote. Yet, is it worse that it is a foot in the door of Internet voting? Or is the worst aspect that it is using flag waving to accuse others of being unpatriotic, while actually assaulting the democracy our soldiers and ancestors fought and died for? And, like the Popular Vote Compact, it influences and sets a precedent for other states as well.

In my estimation, the second most dangerous bill going forward this year.

Limit Post-Election Audits to Three Per Town Per Election

This bill started off really, really bad. It would have cut post-election audits in half, from 10% down to 5%, and, worse, would have “audited” by feeding the ballots through a different scanner and comparing the tapes.

As such it would have been a contender for the most dangerous bill of the year – it would impact only Connecticut, but seriously and immediately, and would have made Connecticut known as the first state ever to “effectively eliminate post-election audits”. Hopefully, like last year, it would never have been brought before the Senate or House. As we testified, audits should be strengthened, not weakened.

What remains is a severely abbreviated version with only a clause limiting audits to a maximum of three districts per election or primary. There are several impacts of this well-intended, yet flawed remnant:

  • Audits work best when truly random across all districts. Limiting some towns causes the audit to be less protective, because certain votes and districts have less opportunity of being selected. (Fortunately, a limit of three on 10% has only a moderate effect of this kind in Connecticut.)
  • The intention is to save towns from “being audited almost every time” while others “hardly or never get selected”. This effort to spread the burden fairly will actually help towns with many polling places audit less, and place additional burdens on towns with fewer polling places, especially those with a single polling place.
  • It is worse than it might seem. When towns like New Haven and Hartford get regularly selected for three to six polling places, they have about two hundred votes per polling place (and over the long run, audit a fair 10% of their votes). But when towns like Suffield, Lebanon, Clinton, Oxford, or Andover get audited, they have to count 2000, 3000, 4000, or approaching 9000 votes at once! Under the current law they get their fair share over time.
  • The towns with many polling places are right that their scanners get audited almost every time, yet this bill will not change that. They will get a bit less than their 10% share, yet large towns will continue to, fairly, get routinely selected even more often. (We marvel at how some with 20 to 30 districts in a 10% audit random drawing are surprised they are almost always selected.)
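The selection arithmetic behind the bullets above, worked as an added example that is not part of the original post or of any audit software. The town mix is constructed (it is not Connecticut's real district list), and the cap rule is an assumption: a district drawn from a town that already has three selected is skipped and the drawing continues.

```python
import random
from math import comb

# Constructed sample state, NOT real Connecticut data.
# Maps town size (districts per town) -> number of towns of that size.
SAMPLE_TOWNS = {30: 1, 25: 1, 8: 10, 3: 55, 1: 100}   # 400 districts in all


def prob_selected(total, town_districts, drawn):
    """Exact chance that at least one of a town's districts is picked when
    `drawn` districts are chosen uniformly, without replacement, from `total`."""
    return 1 - comb(total - town_districts, drawn) / comb(total, drawn)


def build_districts(towns):
    """Expand {size: count} into one (town_id, size) entry per district."""
    districts, town_id = [], 0
    for size, count in towns.items():
        for _ in range(count):
            districts.extend((town_id, size) for _ in range(size))
            town_id += 1
    return districts


def audit_rate_by_town_size(towns, rate=0.10, cap=None, trials=4000, seed=1):
    """Monte Carlo estimate of the chance that any one district is audited,
    grouped by the size of the town it belongs to.

    Assumed cap rule (the post does not spell one out): districts are drawn
    in random order; a district from a town already at `cap` is skipped and
    the drawing continues until the full quota is reached.
    """
    rng = random.Random(seed)          # fixed seed: repeatable estimate
    districts = build_districts(towns)
    target = round(rate * len(districts))
    audited = {size: 0 for size in towns}
    for _ in range(trials):
        rng.shuffle(districts)
        per_town, picked = {}, 0
        for town_id, size in districts:
            if cap is not None and per_town.get(town_id, 0) >= cap:
                continue               # town already at its limit
            per_town[town_id] = per_town.get(town_id, 0) + 1
            audited[size] += 1
            picked += 1
            if picked == target:
                break
    # Normalise by the number of districts in each size class.
    return {size: audited[size] / (trials * size * towns[size]) for size in towns}


if __name__ == "__main__":
    total = sum(size * count for size, count in SAMPLE_TOWNS.items())
    drawn = round(0.10 * total)
    print("Chance a town appears in a 10% drawing at least once:")
    for size in SAMPLE_TOWNS:
        print(f"  {size:2d} districts: {prob_selected(total, size, drawn):.3f}")

    flat = audit_rate_by_town_size(SAMPLE_TOWNS, cap=None)
    capped = audit_rate_by_town_size(SAMPLE_TOWNS, cap=3)
    print("Per-district audit probability (no cap vs. cap of three per town):")
    for size in SAMPLE_TOWNS:
        print(f"  {size:2d} districts: {flat[size]:.3f} vs. {capped[size]:.3f}")
```

With this sample mix, the largest towns still appear in nearly every drawing under either rule; the cap only lowers the share of their districts that get audited and shifts the difference onto districts in smaller towns.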

In the grand scheme of things this bill, unfair as it is, will have little effect on audit integrity. Yet, we are sympathetic to the towns with few polling places, who ironically are disproportionately represented within the Registrars of Voters Association of Connecticut (ROVAC), which is the bill’s proponent. Can we call this a ‘duck’, since maybe we ducked a really bad bill, leaving one with a few quacks in the logic?

Testimony: Defending the Secret Vote and Check-in Integrity

Yesterday, I testified against two bills. I do not particularly like testifying against bills that promote concepts that I support, like electronic check-in, yet like all technology, it can be done in a way that helps, without adding risks.

On the other hand, it is a privilege to defend the Secret Vote, one of many, often under-appreciated, keystones of democracy. Also appreciated are the many thoughtful questions presented by the Committee, which gave me an opportunity to stand for the Secret Vote.

My prepared remarks <read>

Chairs and members of the Committee, my name is Luther Weeks, Executive Director of CTVotersCount, a software technologist and a veteran. I oppose S.B. 441. I support the concept of electronic check-in. Unfortunately, this bill does not impose any requirements or standards with regard to the capabilities, reliability, and integrity of electronic check-in systems nor for associated manual processes. It has other serious flaws, that would reduce check-in integrity, reduce transparency, and extend waiting lines. The State of Indiana has initiated a robust certification process, perhaps Connecticut could base any certification on Indiana’s work, without duplicating it.

I oppose S.J. 24  for four reasons.

  • The secret vote protects us all. The true value of the secret vote is everyone’s right that every voter’s vote be secret, so that it cannot be sold or intimidated. The secret vote is not simply a right for an individual to keep their vote secret. No person can waive that right for every other voter. Like vaccination, it only works if everyone has the secret vote.
  • Military members are especially subject to intimidation and perceived intimidation, based on the authority of command and confirmed by continuing disappointing revelations. As my Basic Training Captain expressed it, “I am your mother, your father, your sister, and your brother”.
  • This bill is motivated by Internet voting, a risky, unsafe method of voting.  In addition to overwhelming opposition by Computer Scientists and Security Experts, Internet voting has been discredited by a Department of Defense study, security experts from the Department of Homeland Security, and the National Institute of Standards and Testing.
  • This bill is motivated by a desire to help soldiers vote, yet, conventional means have proven successful and economical, when the MOVE (Military and Overseas Voting) Act has been followed by Election Officials and the Military.

This veteran says:

 “Support our soldiers by waiving the Flag, but do not waive the secret vote. Do not thank me for my service — protect the secret vote that all of our soldiers and ancestors have fought and died for. Weakening the secret vote is ‘Democracy Theater’ at its worst, providing the illusion of helping our troops, providing an illusion of democracy.”

I also supplied extensive written testimony on both bills: <eCheck-In> <Secret Vote>

I spoke for the allotted three minutes. Then I was questioned extensively on the value of the Secret Vote. Unfortunately, the hearing was not recorded by CT-N. Sometime there will be transcripts, yet they cannot replace a video or being there.

Experts demonstrate how to hack email voting

Thanks to a friend for passing on this link to a ‘how to’ demonstration from last summer’s Black Hat 2013:  Gmail, Outlook.com and e-voting ‘pwned’ on stage in crypto-dodge hack – Once you enter, you can never leave logout <read>

Security researchers say they have developed an interesting trick to take over Gmail and Outlook.com email accounts – by shooting down victims’ logout requests even over a supposedly encrypted connection.

And their classic man-in-the-middle attack could be used to compromise electronic ballot boxes to rig elections, we’re told.

Ben Smyth and Alfredo Pironti of the French National Institute for Research in Computer Science and Control (INRIA) announced they found a way to exploit flaws in Google and Microsoft’s web email services using an issue in the TLS (Transport Layer Security) technology, which encrypts and secures website connections.

Full details of the attack are yet to be widely disseminated – but it was outlined for the first time in a demonstration at this year’s Black Hat hacking convention in Las Vegas on Wednesday.

In short, we’re told, it uses a TLS truncation attack on a shared computer to block victims’ account logout requests so that they unknowingly remain logged in: when the request to sign out is sent, the attacker injects an unencrypted TCP FIN message to close the connection. The server-side therefore doesn’t get the request and is unaware of the abnormal termination….

The attack does not rely on installing malware or similar shenanigans: the miscreant pulling off the trick must simply put herself between the victim and the network. That could be achieved, for example, by setting up a naughty wireless hotspot, or plugging a hacker-controlled router or other little box between the PC and the network.

The researchers warned that shared machines – even un-compromised computers – cannot guarantee secure access to systems operated by Helios (an electronic voting system), Microsoft (including Account, Hotmail, and MSN), nor Google (including Gmail, YouTube, and Search).

Maybe you use some other email system. But maybe that is a system that has yet to be hacked, publicly. If you send in a vote, what system does your recipient use?

Why do we ignore science and facts?

We have often been perplexed when the public and the Legislature ignore science and simple facts. No more so than when it comes to Internet voting where there is overwhelming recognition of the risks by scientists AND overwhelming evidence that individual, business, and government computers have been repeatedly compromised.

New research provides some clues why.

A recent article and a recent book hint that it might be human nature.

The Hartford Courant’s Science Columnist, Robert Thorson, looking at climate change and a new Yale study says: When Politicians Fight, Facts Take Beating <read>

The study attributes the problem to political conflict:

Psychologist Dan M. Kahan and his colleagues proved that political fighting diminishes our ability to think about evidence-based science.

Think climate change, which was well understood 20 years ago, yet conflict persists. Ditto for gun control, for which the data are compelling. Think nuclear power, genetically modified foods, national health care, commercial drones or any politically contentious topic that could be easily solved with evidence-based reasoning.

Congress is not alone. All of us are vulnerable to bias, prejudice, narrow-mindedness and tunnel vision. In short, seeing what we want to see, rather than what actually is.

This study’s technical name for this phenomenon is the “Identity-Protective Cognition Thesis” or ICT. It says cultural conflict disables the faculties we use to make sense of science that would better inform decisions. The key word here is “disabling.” When there’s no conflict, we’re fine. When there is, we’re disabled.

The ICT thesis is true. We maintain our allegiances by skewing our thinking. Kahan’s clever experiment yielded results so robust that no political partisan could explain them away…

The results are compelling. Both conservative Republicans and liberal Democrats did far worse on tests of evidence-based thinking when the scenario was politically contentious than when it was not. The more political things became, the more the subject’s mental biases kicked in to disable their reasoning skills. And the more scientifically inclined an issue was, the worse they did, perhaps because they were more facile at manipulating the numbers to match their versions of reality. Importantly, self-identified liberals were no more open-minded than conservatives, even though that’s how they’re defined.

Scientists like me have long tried to explain bad policy decisions on a dearth of scientific data or the lack of voter science, technology, engineering and mathematics education. Others fault an excess of highly paid lobbyists. Kahan’s study tags the ICT as a major culprit, advocating that governments must “adopt measures that effectively shield decision-relevant science from the influences that generate this reason-disabling state.”

That might explain some of the problems we see in some election integrity issues. Democrats and Republicans are generally on opposite sides for:

  • Voter Id where Republicans ignore the facts of very very little votER fraud.
  • Absentee voting or mail-in voting, where Democrats ignore the facts of frequent cases of organized votING fraud, and the obvious opportunities.
  • National Popular Vote where both sides ignore the technical risks.

Internet voting seems different in character, where the parties are aligned, not  divided, and in many cases, like Connecticut, the entire Legislature ignores all the risks and unanimously passes Internet voting two years in a row. Even the Governor, knowing the risks and unconstitutionality as articulated in his veto message, signs the bill the second time it hits his desk. By and large, the public goes along with favoring Internet voting, especially for the Military, saying “If we can bank online, why can’t we vote online?”, completely ignoring science, the frequently documented hacks, and NSA disclosures.

A perfect storm: a harder to verify application than banking, a less technically competent/financed election function expected to provide security, and high apparent motivations for insider manipulation of election results. Yet, in the face of all this, there is legislative and public support for Military Internet Voting. Why?

One clue may come from the Trolley Problem as covered in the book Moral Tribes recently reviewed here. As we said in the review:

How do we make moral decisions and cooperate or not? It is the result of two systems, thinking fast and slow – a fast intuitive system and a slower logical system. Much of the book and the interesting aspects center around how these systems work, studying the brain, often by experiments in ‘trolleyology‘ – we can save five people who will be killed by a trolley by sacrificing one, either by throwing a switch, throwing a fat man onto the tracks, or by other variations. Why do we make different choices based on the method of sacrifice? Research reviewed in the book provides an answer, and demonstrates the two modes of moral choice, their flaws, and their limits – limits we are challenged to transcend.

From the book:

(p. 111) Turning the trolley away from five and onto one…makes utilitarian sense and doesn’t trigger much of an opposing emotional response, causing most people to approve. Pushing the man off the footbridge…likewise makes utilitarian sense, but it also triggers a significant negative emotional response, causing most people to disapprove.

(p. 129) Thus, we see dual-process brain design not just in moral judgement but in the choices we make about food, money, and the attitudes we’d like to change. For most things that we do, our brains have automatic settings that tell us how to proceed. But we can also override those automatic settings, provided we are aware of the opportunity to do so and motivated to take it.

I speculate:

  • Providing for online voting by the military evokes a strong emotional response along the lines of “Soldiers in remote battlefields and other isolated locations obviously have challenges in voting. They are voluntarily sacrificing for us. My experience tells me that online voting would be a convenient way for them to vote. We must do anything and everything for them to make up for our lack of sacrifice…”.
  • The risks of online voting are a secondary, rational risk. No matter how great or small, our emotional brain does not see that risk. It only sees the sacrificing soldiers.
  • The alternative facts are only available to the rational brain:
    • That all forms of Internet voting, online, email, and fax, face documented obvious, yet not intuitive threats;
    • That online voting is more risky than online banking; that online banking has proven vulnerable to the tune of several billion dollars in losses each year, yet those losses are not seen by individuals;
    • That other states have had great success with providing blank ballot download, effective help, and effective web information following the MOVE Act;
    • That states such as RI, touted as successful with Internet voting, have only a small percentage of votes returned by fax, and the similarly “successful” WV pilot did not convince their legislature to move forward.
  • Legislators are additionally at risk of being emotionally persuaded that voters will interpret any vote against soldiers as being weak on the military, security, and defense.

So, we have quite a challenge in personally and collectively making the rational decision. Not just for online voting, but for other issues that get highly emotional, either from political polarization or emotional blockage.

Denise Merrill does the right thing – by all voters and the CT Constitution

AP Story: Conn. official recommends out-of-state military voters download ballot but still mail in vote <read> <update – the report>

Last year the CT Legislature, ignoring the technical impossibility of secure, secret Internet Voting, ordered the Secretary of the State and the Military Department to provide secure Internet voting for Military and their dependents.  This was in spite of testimony and reports from Computer Scientists, experts from Homeland Security, experts from the National Institute of Standards, and Department of Defense reports that Internet voting could not be made secure. She was also to report back this year with any legislation required.

Merrill has remained steadfast in her commitment to protect us from the risks of Internet voting. She is recommending a system to aid the Military in downloading blank ballots and mailing them in quicker, a system that has proven successful in other states. She also reminds the Legislature that Internet voting (including Fax and Email return) would be unconstitutional in Connecticut, requiring a Constitutional Amendment to remove the right to a “secret vote”. (Some argue it is a right that can be waived by a voter. We contend it is every voter’s right that no other voter’s vote can be documented, such that it can be sold or intimidated.)

Meanwhile, the bill’s proponent, Senator Gayle Slossberg, plans to continue efforts to defy Science and the Constitution.

There is a dispute in the facts between Secretary Merrill, the Election Assistance Commission, and Senator Gayle Slossberg on the current rate of Military vote return (61% vs. 94%). In any case, if Senator Slossberg is correct and we adopted the Rhode Island system she recommends, which after being in place for years is used there for only 3.2% of the military votes returned, we would have a whopping 64% return rate. The 94% sounds really good; it rates right up there with the return of domestic AB votes, and up there with other states that already use the system recommended by Secretary Merrill.

We would encourage the Secretary and the Legislature to provide the same system to all overseas voters, including those beyond the Military that serve us, such as State Department employees, Military Contractors, Peace Corps, NGO staff, and business personnel.

See all our posts on Internet voting, and its history in Connecticut <here>

Scientists to Evaluate Internet Voting, Will Legislators Listen?

A project to evaluate Internet voting has been initiated by The Overseas Vote Foundation:  End-to-End Verifiable Internet Voting Project Announcement <read>

Their efforts aim to produce a system specification and set of testing scenarios, which if they meet the requirements for security, auditability, and usability, will then be placed in the public domain. At the same time, they intend to demonstrate that confidence in a voting system is built on a willingness to verify its security through testing and transparency.

“The secure, tested, certified remote voting systems that election officials envision aren’t even for sale. Available online ballot return systems are not considered secure by the scientific community, nor are they certified. As a result, email has become the default stopgap method for moving ballots online. Email is especially weak on security, yet it is being used regularly by election officials because viable alternatives are not available,” says Susan Dzieduszycka-Suinat, President and CEO of Overseas Vote Foundation, who spearheaded this project…

“There is a historical misunderstanding in the U.S. election community that this project aims to correct. Our country’s best scientists are not against technology advancements, nor are they inherently at odds with the election officials who seek technology improvements to meet their administrative challenges. What the U.S. scientific community takes issue with are the unproven claims of security regarding existing systems that are not publicly tested or vetted. This study aims to recalibrate this situation. This group of scientific leaders has often pointed out security vulnerabilities in past systems, however they do agree on one thing: that if IV does happen, it should be in a system that takes advantage of end-to-end verifiability and auditability,” said Ms. Dzieduszycka-Suinat.

This promises to be an important project. The powerful team all but guarantees a significant, trusted result. Yet, what is critical is that officials and legislators fully understand the result and undertake any Internet voting following any detailed requirements developed by the study. Our own educated prediction is that reasonably safe Internet voting is likely to be judged possible, yet unlikely to be feasible. There are significant security challenges, especially if voting were to be performed from voters’ computers, without requiring sophisticated verification techniques on the part of voters, and expensive security provisions by officials.

Voting as safe as the big banks. Hypocrisy to go around.

Another installment in our observations of Cognitive Dissonance in Connecticut, especially the Legislature. The latest dissonance/hypocrisy involves the breach of personal information by state contractor JP Morgan Chase. From the Courant: Tax Refund, Other Debit Card Data Exposed In Computer Breach <read>

When the state suddenly ended its longstanding practice of sending paper checks for tax refunds nearly two years ago, some taxpayers criticized the decision to provide refunds via debit cards.

Now, the state is scrambling as some data on those tax-refund cards may have been exposed to potential identity theft.

State Treasurer Denise Nappier announced Thursday that the personal information on some prepaid debit cards was exposed during an attack on the computer servers of JP Morgan Chase, the international banking giant that oversees the debit card program for Connecticut.

The computer breach covers multiple states, and 14,335 accounts were exposed in Connecticut, Nappier said. Nearly 7,000 of those accounts involved taxpayers seeking refunds, and the remainder covered items like unemployment benefits and child-support payments that are now issued on debit cards. Those included more than 4,400 accounts at the state Department of Social Services, nearly 3,000 accounts at the Department of Labor, and seven at the Department of Children and Families.

Actually sounds like pretty standard stuff these days. Company servers are breached or somebody steals a State laptop with data that should or should not be there etc. The public affected will be offered a number of months or years of free credit monitoring. But this is an election year and politicians are running for Governor.

Last year Senate Republican leader John McKinney of Fairfield raised concerns when his constituents complained about the switchover on tax refunds, saying the decision had been made unilaterally without notifying the state legislature beforehand.

When told Thursday about the security breach, McKinney said, “You gotta be kidding me!”

McKinney, who is running for the Republican nomination for governor, immediately called for a public hearing to obtain a full explanation of the details of the breach. He had sought a similar hearing nearly two years ago to answer questions about security and why JP Morgan Chase was chosen for the job. The Democratic-controlled legislature, however, rejected the idea of a hearing and said the switch was a decision by Gov. Dannel P. Malloy’s administration.

“We were told this was a perfect solution,” McKinney said in an interview Thursday. “We were told this was foolproof and secure, and obviously the administration was wrong.”

State tax Commissioner Kevin B. Sullivan, a former lawmaker who served in the state Senate with McKinney for nearly six years, started laughing when he heard that McKinney was calling for a new hearing.

“Sen. McKinney wants to have a hearing on everything, and I appreciate that his gubernatorial campaign needs” publicity, Sullivan said. “His response to everything is to have a hearing.”

Sullivan said that no hearing is necessary and that state officials are working with the bank to resolve the issue.

So where is the hypocrisy?

CTVotersCount.org readers will recall that the Legislature did have hearings on Internet Voting this year, and clearly received information that the Internet voting was unsafe for voting. We provided testimony and documentation that computer and security experts, including Federal Government experts agree the Internet is unsafe for voting.

Where was Rep McKinney on that? He voted for it, as did every other Representative and Senator, Democrat and Republican.

In 2012 Internet voting was put into an unrelated campaign finance disclosure bill by parties unknown. Such a provision, without hearings, is known as a “rat”. The bill itself had no hearings either and passed both houses, only stopped from becoming a law by the Governor’s veto.

There is no shortage of hypocrisy to spread around since the Governor signed this year’s bill despite his veto message from last year.

All we are left with is more proof that Internet voting is no more safe than Internet banking. Actually less so, because vote fraud, without double-entry bookkeeping, is harder to detect and prove. We also have yet another lesson on human nature: we are driven to believe what we would want to be true.

Cognitive Dissonance? Not in Connecticut when it comes to the Internet

In psychology, cognitive dissonance is the discomfort experienced when simultaneously holding two or more conflicting cognitions: ideas, beliefs, values or emotional reactions. In a state of dissonance, people may sometimes feel “disequilibrium”: frustration, hunger, dread, guilt, anger, embarrassment, anxiety, etc – Wikipedia

The state fails at protecting data, legislators are to get a lesson in Internet security, N.I.S.T. experts say the Internet is not safe for voting, the N.S.A. and others can look at practically anything, yet local registrars, the Secretary of the State, and the State Military Department can protect Internet voting by Legislative decree.

As CTVotersCount readers know, the Legislature passed Internet voting over the objections of the Secretary of the State, choosing not to define it but to leave it up to the Secretary and Military Department to define a secure way to accomplish it, despite the concerns of virtually every computer scientist and experts from the National Institute of Standards. Who will implement the actual voting? 169 local municipalities, many with (very) part-time registrars? The Secretary of the State with the help of the State IT function? Two more interesting events this week:

The Motor Vehicle Department inadvertently released the names of job applicants on its web site, making hacking into their computers unnecessary. Courant:  DMV Snafu Posts 400 Job Applicants’ Personal Info On State Website <read>

The state Department of Motor Vehicles’ commissioner has sent individual letters of apology to about 400 job applicants whose names, home addresses, phone numbers, email addresses and exam scores were posted on the DMV’s official website by mistake…

The DMV had intended to post a job announcement on its website about 1 p.m. on Aug. 27 for the position of “Information Technology Analyst 2.” But the following morning, someone from the DMV’s human resources unit discovered that instead of the job-vacancy posting, “a file with a spreadsheet containing the names and other information of candidates who had passed the examination for this title had been posted,” [Commissioner Melody A.] Currey said in the letter.

Wednesday at 1:00pm, in the Legislative Office Building: State Capitol Police Dept.: Internet Safety for Legislators & Staff. Apparently consisting of:

An “Internet Safety” training program available to all legislators and legislative employees. This comprehensive program is designed to heighten awareness on protecting yourself and your family from internet and technology crimes.

Sounds like a good idea. But would a similar training be available or even feasible for military and their dependents eligible for Internet voting, across the country, the world, under the sea, and in combat situations? Let alone election officials in 169 towns, if they become responsible for Internet voting?

For more, read some of our past posts on Internet Voting or Internet Security

Student hijacks election, case highlights internet voting vulnerability

Another challenge for Secretary of the State Denise Merrill and the state Military Department in creating a safe online voting system for Connecticut. We would add that one of the key (pun intended) vulnerabilities in online voting is in the user id’s and passwords required for voting.

A former Cal State student was sentenced to one year in jail for hacking a student election, to gain positions which pay much better than most town council positions in Connecticut. Two excellent articles by Doug Chapin: Cautionary Tale: Student Gets Jail Time for Stealing Online School Election <read> and a follow-up by David Jefferson: <read>

The gist of the story from Chapin:

Technically, this isn’t the kind of election news I usually blog about (because it doesn’t involve a public election) but I thought it was worth sharing … From UTSanDiego:

A former Cal State San Marcos student who rigged a campus election by stealing nearly 750 student passwords to cast votes for himself and friends was sentenced Monday in federal court to a year in prison …Weaver, 22, of Huntington Beach was a third-year business student when he carried out the elaborate plan to win election as president of the school’s student council in March 2012. He pleaded guilty this year to three federal charges, including wire fraud and unauthorized access to a computer …

The plan to steal the election was months in the making.

On Weaver’s computer, authorities found a PowerPoint presentation from early 2012, proposing that he run for campus president and that four of his fraternity brothers run for the four vice president spots in the student government. The presentation noted that the president’s job came with an $8,000 stipend and the vice presidents each got a $7,000 stipend.

Weaver also had done a bit of research, with computer queries such as “how to rig an election” and “jail time for keylogger.”

A month before the election, Weaver purchased three keyloggers — small electronic devices that secretly record a computer user’s keystrokes [pictured above – ed.].

Authorities said Weaver installed keyloggers on 19 school computers, stole passwords from 745 students and cast ballots from the accounts of more than 630 of those victims.

The plot was discovered, however, when technicians spotted unusual activity on the last day of the election period:

Using remote access, technicians watched the computer user cast vote after vote. They also watched as the user logged into the account of a university official and read an email from a student complaining that the system would not let her vote. Weaver had already cast a ballot from the student’s account, which was why she couldn’t vote.

The techs called campus police, who found Weaver at the school computer. He had keyloggers with him and was arrested.

The student didn’t help himself when he engaged in an elaborate cover-up afterwards

Jefferson adds several cautionary concerns that the hacker could have been a bit smarter and been less likely to be caught or the hack discovered, and that a similar public election hack would have been more difficult to discover, concluding:

In the many debates on the subject of Internet voting it is important not to allow anyone to use this Cal State San Marcos student election experience to argue that online public elections can be made safe because those who would cast phony votes will be caught. Mr. Weaver’s actions were detected because he was voting from computers controlled by the university IT staff, and he was identified and caught because he was not even minimally technically skilled in the techniques that could have distanced him from the crime. In a high stakes public election we will not be so lucky.

What would we add?

We would add that one of the key (pun intended) vulnerabilities in online voting is in the user id’s and passwords required for voting.

What if Matthew Weaver had spent his time getting a job in the computer lab and obtained the list of passwords from a central server and then made some timely changes to alter logs of the IP addresses used for voting?

The now famous D.C. Hack among other things demonstrated that even outsiders have the possibility of gaining a list of voters and their passwords.

This is one of those pesky details that would confront Connecticut Secretary of the State Denise Merrill and the State Military Department when they design a safe online voting system for Connecticut. If they choose web-based voting, how, in the age of Bradley Manning access, can they ensure that military computers and individuals’ computers are safe for Internet voting? How can they assure that passwords sent through the mail arrive in time, to the intended recipient, and uncompromised?

Gov Malloy signs bill similar to one he said was risky and unconstitutional last year

Last year in 2012, after several weeks of consideration, Governor Malloy vetoed H.B. 5556 (see Pages 51-55) writing in his veto message:

Upon close examination, however, I find that some portions of this bill likely violate the United States Constitution…I cannot support the bill before me given its many legal and practical problems…
HB 5556 also contains a provision allowing deployed service members to return an absentee ballot by email or fax if the service member waives his or her constitutional right to a secret ballot. I agree with Secretary of the State Denise Merrill that this provision raises a number of serious concerns. First, as a matter of policy, I do not support any mechanism of voting that would require an individual to waive his or her constitutional rights in order to cast a timely, secret ballot, even if such waiver is voluntary. Second, as the Secretary of the State has pointed out, allowing an individual to email or fax an absentee ballot has not been proven to be secure. In 2011, the United States Department of Commerce, National Institute of Standards and Technology, issued a report on remote electronic voting. The report concluded that remote electronic voting is fraught with problems associated with software bugs and potential attacks through malicious software, difficulties with voter authentication, and lack of protocol for ballot accountability. None of these issues are addressed in this bill. To be clear, I am not opposed to the use of technology to make the voting process easier and more accessible to our citizens. However, I believe that these legitimate problems have to be carefully studied and considered before enacting such a provision.

Last year the fax and email voting provisions were a glaring ‘rat’ stuffed into an unrelated emergency bill. Some said the Governor was against the underlying bill, but wanted more cover for the veto. We hoped that, even if that were the case, the accurate analysis of that ‘rat’ would still prevail this year. Apparently not.

There is a distinction without a difference in this year’s bill, S.B. 647, with regard to the elements of the veto message. Last year’s bill specified email or fax return of ballots. This year’s bill requires the Secretary of the State and the CT Military Department to determine a safe method of Internet voting. But all known methods have the same security risks and they all violate the Connecticut and U.S. Constitutions.

We could argue that this year’s bill is worse in at least three regards, requiring two impossible feats by the Secretary of the State, although she will have the help of the CT Military Department with the three feats, one of which the U.S. Defense Department has found impossible:

  • Develop a secure electronic voting system which does not violate the Constitutions.
  • Have that system transmit results immediately to the appropriate town hall.
  • Develop, implement, and operate such a system at no cost to the state and towns.

Summary Of The Problems With The Bill

  • This bill is a threat to the security, accuracy, and secrecy of the votes of our military members and their dependents, and thus to the certified outcomes of our elections.
  • It is unconstitutional since it violates the Connecticut Constitution, which states: “The right of secret voting shall be preserved.”
  • It requires the Secretary of the State and the Connecticut Military Department to develop a system for secure and private online voting by October 1st, a task that security experts, computer scientists, and experts at Homeland Security and NIST (the National Institute of Standards and Technology) believe is technically impossible.
  • It is further complicated by provisions for voting by deployed military dependents. It also is not restricted to deployed military, not even restricted to military actually on duty.
  • It sets a requirement for guaranteed receipt immediately in each voter’s municipality. This cannot be accomplished by either fax or email return.
  • While online voting through a web page might be developed to meet the guaranteed return requirement, it is also insecure, risks the secret vote, and would be very expensive.
  • All known methods of Internet voting would likely violate Connecticut’s Voter Verified Paper Records law established in 2005.

The Requirements of the Bill*
[Our comments in brackets]

  • On or before October 1, 2013, the Secretary of the State, in consultation with the Military Department, shall select a method for use in any election or primary held after September 1, 2014 [After the August 2014 Primary]
  • may be used by any elector or applicant for admission as an elector who is a member of the armed forces and expects to be living or traveling outside the several states of the United States and the District of Columbia before and on election day, [Any travel or living change would apply, duty related or not. A National Guard member not deployed but on vacation or a business trip could presumably vote under this act]
  • or such member’s spouse or dependent if living where such member is stationed, [It includes spouses and dependents but not those on vacation, at college, or on business trips]
  • gives due consideration to the interests of maintaining the security of such ballot and the privacy of information contained on such ballot, [‘Due consideration’ should include assuring the Constitutional requirement of a secret vote be strictly maintained. It should include evaluation by computer security experts, and effective security testing]
  • and…ensures receipt, prior to the closing of the polls on the day of the election or primary, of such ballot by the municipality in which the member or member’s spouse or dependent is enrolled or has applied for admission as an elector, if such method is properly utilized by such member or such member’s spouse or dependent prior to the closing of the polls on the day of the election or primary. [Thus, it must be guaranteed to be received by some official, inbox, or machine in the appropriate municipality by 8:00pm EST, if voted by 8:00pm EST (i.e. this is immediately). And 8:00pm EST could be almost any hour of the 24 hours in a day, depending on the deployment, business, or vacation location(*)]
  • Not later than January 1, 2014, the Secretary of the State shall submit a report, in accordance with section 11-4a of the general statutes, to the joint standing committees of the General Assembly having cognizance of matters relating to elections and veterans’ and military affairs describing such method and any legislative changes necessary for its implementation. [But necessary legislation enacted or not, implementation is required by this bill]

* After the bill was passed by the CT House and Senate we sent a letter to Governor Malloy asking for a veto, reminding him of his veto last year.  We made one mistake in that letter – using an older version of the bill, we misinterpreted the time requirement, stating that the bill did not require ‘immediate’ transmittal, but transmittal in four hours, by the close of election day, not the close of the polls. The actual bill creates a tougher, much more difficult barrier to implementation. This post updates portions of the details in that letter to conform to our corrected interpretation.

Analysis of the three known options: Email, Fax, and Online Voting

  1. Email is (1), of course, not secure with the NSA listening in, interceptable by bad external actors, and directly accessible by insiders such as email vendors, insiders at data centers all along the way from personal computers or military computers, state computers, local town computers, and every stop along the way. (2) Email cannot meet the mandated immediate delivery requirement – often emails take much longer to traverse the Internet, presumably especially from remote locations the military must protect. (3) Email frequently is not delivered at all. Several times a year we become aware of emails sent to us that never arrive. (4) Email schemes we are aware of, in other states, all require that an individual in an elections office or town hall receive and print the “ballot” for counting – a clear violation of the secret vote. (5) Email would have to cover personal computers for spouses and dependents, not military computers. And the military member might be on vacation or business in an area where no military computer access is available.
  2. Fax, (1) like email is subject to interception in transmission (2) and like mail is subject to individuals in town hall or state government viewing the fax as it is received. (3) Subject to viewing and potential viewing by multiple members of the military as it is passed up the chain-of-command and to the Voting Assistance Officer, as articulated by Representative Alexander. (4) We cannot expect the chain-of-command to pass votes and wake Voting Assistance Officers to pass votes along at all hours and within four hours, nor to provide services to dependents – Note the deployed military chain-of-command also has a war to fight and enemies that might not avoid attacking during that critical four-hour period.
  3. Online Voting – By online voting we mean some interactive means of voting on a web page or sending a .pdf ballot under the control of a webpage, not via email. (1) Online voting can be more secure than email or fax voting, yet is still not secure as confirmed by NIST and Homeland Security. And no online voting system has proven secure by sufficient evaluation and testing – in fact, the only system subject to some public testing quickly failed spectacularly and another was broken by an average citizen, while vendors refuse to open their systems to scrutiny. (2) Online voting may be difficult to administer and use; when the system is too hard to use, vendors often blame the voters. (3) Online voting is expensive! Will the state and local officials making home-grown solutions do better than highly funded vendors or turn to the vendors’ expensive, ineffective solutions? Such a system would have cost just Edmonton, Alberta $400,000. (4) Online systems entail emailing or paper mailing IDs to the voters – email can be compromised, and avoiding especially slow and unreliable outgoing mail to deployed military is a major motivation for this bill. (5) Once again, online voting cannot be restricted to military computers and serve dependents or serve soldiers away from home, not on Military business.

Another Miracle for the Secretary, Military Department, and Local Officials

The Legislature requires that the report be produced, and voting implemented and run, at no cost! It was passed with a note from the Office of Fiscal Analysis stating: “NO FISCAL IMPACT”. Note: A similar, yet less challenging task for the Secretary of the State to evaluate in another proposed bill this year, was estimated at $150,000. (See the Fiscal Note for S.B. 777).

Additional Documentation

Bruce McConnell, Expert from the Department of Homeland Security
NPR: Online Voting ‘Premature,’ Warns Government Cybersecurity Expert http://tinyurl.com/BMDHSNPR

Warnings about the dangers of Internet voting have been growing as the 2012 election nears, and an especially noteworthy one came Thursday from a top cybersecurity official at the U.S. Department of Homeland Security.

Bruce McConnell told a group of election officials, academics and advocacy groups meeting in Santa Fe, N.M., that he believes “it’s premature to deploy Internet voting in real elections at this time.”

McConnell said voting systems are vulnerable and, “when you connect them to the Internet, that vulnerability increases.” He called security around Internet voting “immature and underresourced.”

McConnell’s comments echo those of a number of computer scientists who say there’s no way to protect votes cast over the Internet from outside manipulation.

NIST: Internet Voting Not Yet Feasible http://tinyurl.com/NISTeVote

Internet voting is not yet feasible, researchers from the National Institute of Standards and Technology have concluded. “Malware on voters’ personal computers poses a serious threat that could compromise the secrecy or integrity of voters’ ballots,” said Belinda Collins, senior advisor for voting standards within NIST’s information technology laboratory, in a May 18 statement. “And, the United States currently lacks an infrastructure for secure electronic voter authentication,” she added. Collins released the statement in response to an inquiry from Common Cause, a Washington, D.C. nonprofit active in campaign finance and election reform.

“This statement should serve as a blunt warning that we just aren’t ready yet and proves that we can’t trust the empty promises of ‘secure Internet voting’ from the for-profit vendors,” said Susannah Goodman, head of Common Cause’s Voting Integrity Project. “We urge election officials and state and federal lawmakers to heed NIST’s warning and step back, support further research and STOP online voting programs until they can be made secure,” Goodman added…

Secretary of the State’s Symposium on Online Voting

An exceptional panel of experts on voting technology and the challenges of overseas voting. Credit is due to the panelists, the Secretary, and those who contributed behind the scenes in making this event possible. John Dankowski, of Connecticut Public Broadcasting did an exemplary job of moderating a very civil, thorough debate. Video: http://tinyurl.com/SOTSOVS

Secretary of the State Denise Merrill’s testimony on S.B. 283, 2/22/2013:

Now, Senate Bill 283 concerning — AN ACT CONCERNING ON-LINE VOTING FOR MILITARY PERSONNEL SERVING OUT OF STATE. Again, I think everyone in this room supports the ability of our brave men and women in uniform, especially those serving overseas in places like Afghanistan, to vote and have their ballot counted.

I still have two, major concerns with this bill that prevent me from supporting it at this time. I mean, first, it talks about on-line voting. There — you should be aware, there’s a lot of different versions of what that actually means. So I’m presuming here it would mean developing an on-line application where the Soldier, Sailor, Airman or Airwoman or Marine can, again, have a secure log-in and — and actually select their ballot choices on the computer through a web-based application, which is different than some other proposals that have been made with electronic transmission.

This system, again, would be very costly, very expensive; and I’m talking millions of dollars to develop. My main objection to this, besides the cost which is significant — and, again, I’d like to make sure we have a problem before we spend that kind of money — but my main objection is that we simply — I don’t think we have the technology to guarantee the security, integrity of that ballot and prevent tampering or hacking these votes that are submitted on-line. It’s the same objection we have to any ballot submitted on-line at this time.

We had a — we convened a public forum on this topic with foremost experts in this field, last year at CCSU. The forum was televised; we have it on our web site; you can see what was said by these people. We asked one of the top computer science experts in the country what it would take to make on-line voting secure, and he said, Let me put it this way, saying you can have secure on-line voting is like saying you can have safe smoking.

Many people say, well, we can do bank on — banking on-line; why can’t we vote on-line? Again, I posed that exact question to the experts at that forum, and the answer was that the banking industry builds into their revenue forecast a two-to-three percent loss of funds every year due to fraud and hacking through on-line banking. I don’t think we can afford to have that kind of leeway, shall we say, in our election system. I don’t think we can adopt that kind of a model. And I, certainly, would never be able to accept the loss of a number of votes due to fraudulent hacking, just in the name of convenience. So I just don’t think we’re ready to go there.

Who knows; in the future, this may change. But I would just need to be assured before we came up with any system like that for any voter, that no one could tamper with the ballots. And I think right now, as you all know, if you have an e-mail system, yourself, I’m sure every one of us have had our e-mails hacked in some way or another or gotten or not received mail because it went into the wrong folder or whatever. It would be very difficult to design that kind of a system, so I’d be able to — I’d be — want to be able to look every Connecticut military person and their family in the eye and tell them that the vote is secure. And I don’t feel I can do that at this time.

From Representative Alexander’s Statement in Veterans Affairs Committee Hearing 2/19/2013:

REP. ALEXANDER: Thank you, Mr. Chair. I’ll be real quick. I appreciate the Clerk’s position in trying to make it easier to have servicemen and women vote any where deployed or — or in a unit wherever, and have a Voting Assistance Officer. I really took that to heart myself. But did you ever think of possible fraud when it comes to allowing military men and women to fax in their ballot, where, you know, as someone who — who was an Adjutant and ran an S1 in a battalion, the — the way usually squadrons and battalions work, you know, you’d have a Lance Corporal, a 19 or 20-year-old, fine, outstanding young man or woman who wanted to vote fill out the ballot, and then bring that piece of paper to the S1 office to be faxed. He or she doesn’t fax it themselves. Another clerk does.

ANTOINETTE SPINELLI: Oh, is that right?

REP. ALEXANDER: That — that would probably be the very common way this is implemented in most units, at the unit level, where you have a 19-year-old individual, a 20-year-old person, a Lance Corporal wants to vote — good on him for wanting to do that — brings that to their Platoon Sergeant up the chain. That Platoon Sergeant maybe, or a Squad Leader, facilitates the Lance Corporal to go to the S1 office. He submits that, and that will get faxed with a whole stack of other faxes that are going to go out in the office. And as someone that was an Adjutant, I was running an office like this day in and day out. And as an Adjutant, I would worry, as being sort of the person who is managing this type of office, that I would have a fellow maybe Lance Corporal faxing this information, where you might have someone that, being 19 or 20 years old, didn’t realize that, oh, changing it from, you know, Senator McCain, to President Obama is not a serious felony offense, which it is, and because of that chain of custody in — in reality, and — and the way maybe the military works in — in professional office spaces, I would just worry that during this handover to the fax, that you’re opening the door for potential fraud.

But the individual’s not, themselves, faxing it. Most likely, and most of the times in squadrons, you’re going to have a third party doing it, usually a 20, 21, 22-year-old Corporal or Lance Corporal doing that. And as an Adjutant running an S1, I’d be very concerned about this, and — and monitoring this very carefully, but — but that is something that would really concern me, and — and trouble me. Have the clerks thought of it from — from that angle at all? Where you could have potential voter fraud coming out of this?