The Case Against Trusting Democracy to BMDs

Ballot Marking Devices (BMDs) are under consideration by several states for use in all in-person voting. They have paper ballots, so “What could possibly go wrong?” A recent paper makes the case that they cannot be audited or trusted to provide accurate results. The paper recommends that they be limited to use by voters who need accessibility: Ballot-marking devices (BMDs) cannot assure the will of the voters <read>

…paper ballots provide no assurance unless they accurately record the vote as the voter expresses it. Voters can express their intent by hand-marking a ballot with a pen, or using a computer called a ballot-marking device (BMD), which generally has a touchscreen and assistive interfaces. Voters can make mistakes in expressing their intent in either technology, but only the BMD is also subject to systematic error from computer hacking or bugs in the process of recording the vote on paper, after the voter has expressed it. A hacked BMD can print a vote on the paper ballot that differs from what the voter expressed, or can omit a vote that the voter expressed…

Research shows that most voters do not review paper ballots printed by BMDs, even when clearly instructed to check for errors. Furthermore, most voters who do review their ballots do not check carefully enough to notice errors that would change how their votes were counted…There is no action that a voter can take to demonstrate to election officials that a BMD altered their expressed votes, and thus no way voters can help deter, detect, contain, and correct computer hacking in elections. That is, not only is it inappropriate to rely on voters to check whether BMDs alter expressed votes, it doesn’t work.

The entire paper is readable and makes a complete case for its conclusions.

Simply stated, Georgia, Pennsylvania, and other states seeking accurate, credible elections need paper ballots, sufficient post-election audits, ballot protection, and Voter-Marked Paper Ballots. BMDs are insufficient and cost several times more.

Yet this paper has been very controversial in election integrity circles. Advocates for those with disabilities argue that everyone should vote the same way on the same equipment, because that is what is needed to provide equality and to incentivize better BMDs that meet everyone’s needs, including the need for evidence-based elections.

Editorial

We completely agree with the paper’s conclusions. Overall there is nothing new here, except an extensive review and clarification of older and recent work.

We are sympathetic to the needs of those with disabilities. We need better interfaces and BMDs to serve them better. Yet, spending triple on inadequate equipment is not the path forward.

As long as we have absentee voting, we will have voter-marked paper ballots; as long as BMDs use multiple interfaces, all voters will not vote the same way.

Better that money and effort be spent on research and innovation than on excessive purchases of inadequate equipment. Where is the incentive for vendors to innovate when election officials can be all but mandated to buy the inadequate equipment on the market? The only incentive would be for multiple rounds of modestly better BMDs followed by multiple rounds of expensive replacements.

Robert Mueller Showed How U.S. Elections Broke in 2016. Here’s How to Fix Them

A pretty inclusive article from TIME: Robert Mueller Showed How U.S. Elections Broke in 2016. Here’s How to Fix Them <read>

Over a nearly two-year investigation, Special Counsel Robert Mueller has shown the sheer breadth of the Russian effort to meddle in the 2016 election.

From hacking into campaign email systems to using social media to stir up voters, the Russian effort hit at a number of soft spots in the American electoral system.

Experts say Russia didn’t stop there either, using similar strategies to attempt to influence the 2018 elections, and, they expect, the 2020 elections as well. They also warn that Iran and China may be mulling similar influence operations too.

Here’s what experts say would strengthen American elections against future attacks.

  • Use paper ballots

  • Secure online voter rolls

  • Audit elections

  • Stop the spread of fake news

  • Make social media ad-buying more transparent

  • Improve technology policy

I fully agree, except possibly with “Stop the spread of fake news”, where the devil may be in the details. Any attempt to squash free speech may backfire.

Book Review: Bad Blood, Fantasyland, (and Blockchains)

I recently read Bad Blood by John Carreyrou. I could not put it down. Not surprising, since it has been on the NYTimes best seller list for months and it’s the only book I have noticed on Amazon with a full five-star rating – with currently just over two thousand reviews. But for me it was more than that. It brought back memories of a good portion of my career in the eighties and nineties, along with my last fifteen years concerned with electronic voting.

It details the creation, life, and death of Silicon Valley startup Theranos. Theranos was started by Stanford dropout Elizabeth Holmes. She had an idea for a blood test that would take only a drop of blood and quickly provide an analysis that conventionally took much more blood and much more time. It was a great idea, yet science said it was impossible and she never was able to develop a solution. What she did develop was a large following of famous board members, a huge kitty of venture capital, and two large losing customers. A large, harmful group delusion. Along the way she created a phony test that likely killed people. All reminiscent of Kurt Andersen’s book: Fantasyland: How America Went Haywire: A 500-Year History. To me, just like the California Gold Rush, minus the gold.

The read brought back memories. As I said earlier this year in testimony on a bill in the Connecticut General Assembly to propose a Task Force to study blockchains to solve an undefined problem with our voter registration system:

I have a 35-year career building, evaluating, purchasing and implementing computer systems and new technology. For 9 of those years I was a Director of Strategic Planning for the Travelers Computer Science Division and for 8 years worked for two start-ups, designing, developing, and marketing data communications software to large enterprises and government agencies. I keep up with election technology and security issues, daily exchanging ideas with nationally recognized experts in computer science and computer security.

This bill represents a classic mistake – a “hot” technology solution in search of an undefined problem. This proposal defines no problem and limits the solution to one over-hyped technology. Better to have the problem clearly defined and then solicit proposals to solve the problem – solutions technical and otherwise.

The way to solve problems is to define the problem, create a team of experts on the subject matter, with technical problem solvers, and experts who have solved similar problems for other states and nations – then let them brainstorm, evaluate and propose effective solutions.

If there is a problem to be solved, it is likely there is a solution – if so, it almost certainly does not depend on blockchains, and likely does not need any “hot” technology.

The amazing thing is people, smart people, keep falling for the same old things. As Carreyrou points out, many smart people hired by Theranos had questions from the start. Many quit along the way. Some paid a high price for exposing the company; others dared not take the risk. At least initially, Holmes was likely deluded herself.

I worked for a similar, much smaller, startup in 1997. A product that hardly worked – likely all but impossible to create – impossible with the minimal skills of those developing it. I had some doubts the day I walked in the door – I was an expert in the problem and its value, yet I said “maybe they know something I don’t.” I needed a job. Most, if not all, of the rest of the fifty or so employees were not so knowledgeable. The founder was, as he described it, a “serial entrepreneur”. His actual M.O. was taking venture capital, failing, saying in the ashes he had discovered a better idea, and attracting more venture capital. I left after eleven sad, ridiculous months. Sad because so many in the company were hurt – fortunately no customers lost much. The boss said lack of sales was our fault, as we needed to find more sophisticated customers who would appreciate the value of our cumbersome product.

Believe me, Blockchains are another over-hyped technology with little if any value. Scientists I trust say that <read>. I have studied it enough to agree with them. And based on all my experience, the hype smells just like many things I have seen before. The bill is still alive in the General Assembly; let’s hope it dies or at least the Task Force sees through the hype.

It’s all the same as that Theranos Bad Blood. Just another journey in Fantasyland. Both good reads and cautionary tales.

Three Experts on Blockchains

There are two bills submitted to the General Assembly this year to research Blockchain technology: one to solve a sketchily defined, possible problem with our voter registration system, and another to use Blockchain technology for online voting. We will have more to say about the bills and those specific problems later, but let us start with three experts’ opinions of Blockchain technology itself.

Bruce Schneier article at Wired  There’s No Good Reason to Trust Blockchain Technology  <read>

Bruce Schneier is a highly respected security expert from Harvard University, often a guest on the PBS Newshour. Private Blockchains are the type used in West Virginia in prototyping a system for electronic voting – a system hidden from public scrutiny and testing. That is probably what would be considered for both of those systems in Connecticut. Schneier says:

Private blockchains are completely uninteresting. … In general, they have some external limitation on who can interact with the blockchain and its features. These are not anything new; they’re distributed append-only data structures with a list of individuals authorized to add to it. Consensus protocols have been studied in distributed systems for more than 60 years. Append-only data structures have been similarly well covered. They’re blockchains in name only, and—as far as I can tell—the only reason to operate one is to ride on the blockchain hype…

A public Blockchain is what most cryptocurrencies, like Bitcoin, use. Schneier says:

Do you need a public blockchain? The answer is almost certainly no. A blockchain probably doesn’t solve the security problems you think it solves. The security problems it solves are probably not the ones you have. (Manipulating audit data is probably not your major security risk.) A false trust in blockchain can itself be a security risk. The inefficiencies, especially in scaling, are probably not worth it. I have looked at many blockchain applications, and all of them could achieve the same security properties without using a blockchain—of course, then they wouldn’t have the cool name.

Vinton Cerf is one of the Fathers of the Internet. Schneier quotes him in a simple summary of Cerf’s views of Blockchains:

Bill Black On The Real News  Cryptocurrency Firms Regularly Lose Codes and Money <watch> Less technical, but it clearly undermines the claim that Blockchains solve every problem, even for cryptocurrency, and shows that they are over-hyped.

****Update 4/29/2019 Moody’s agrees with Schneier:  Bond Rating Agency Moody’s Warns on Risks of Private Blockchains <read>

Rhode Island Risk Limiting Audit in Time Magazine

Not exactly person of the year or prisoner of the month, but I did have my picture in Time Magazine! The occasion was the Rhode Island Risk Limiting Audit (RLA) where I participated last week.

Russia Wants to Undermine Trust in Elections. Here’s How Rhode Island Is Fighting Back <read>

Contrary to the headline, Rhode Island wants to make sure their elections are protected from all sorts of problems, after a programming error in 2017 almost caused an incorrect result to be certified.

The article contains some very good summaries of what we and the Rhode Island Board of Elections were up to:

“Democracy and elections are only as good as whether people trust them or not,” [Secretary of State Nellie] Gorbea said. “Confidence in our democracy is critical to every other public policy issue.”…

Amid this uncertainty, Rhode Island is pioneering a means of protecting its election results through a procedure called a “risk-limiting audit.” This method, which election experts consider the gold-standard of post-election checks, is essentially an efficient review of ballots that provides strong statistical evidence that the reported vote tallies in an election are correct…

In addition to public officials and election staffers, the “protectors of democracy” in Providence included a substantial number of volunteers offering their time and expertise for free, simply because they were passionate about securing their fellow citizens’ votes. Teams from Worcester Polytechnic Institute and MIT developed the software that selected votes for the pilot, which will be open source so other states can use it in the future. The leader of a Connecticut citizens’ group[, Luther Weeks, Executive Director of Connecticut Citizen Election Audit] provided input on one ballot-counting method, and a woman who independently advocates for audits organized observers to gather timing data throughout the event. Many in the group greeted each other like summer camp friends after a winter away, eager to catch up on issues they’d seen in other elections and share tips on the newest democracy-defending tactics…

at the Board of Elections warehouse in Providence, where 22 election staffers overseen by Deputy Director of Elections Miguel Nunez and Warehouse and Logistics Manager Steve Taylor retrieved and manually counted ballots for three different kinds of risk-limiting audits to see which method worked best for their state…

I was there to learn and also to lead the demonstration of two methods of performing the batch comparison audit. In the end both methods demonstrated that the two voting machines we audited were accurate last November 6th and with good methods and the dedicated officials present we were also accurate.

At the end of Rhode Island’s pilot, the batch-level comparison and ballot-level comparison audits were both successful, meaning they provided strong statistical evidence confirming the reported election results. The ballot-polling audit fell very slightly outside the accepted risk, which in a real audit would trigger another round using a slightly larger sample. But in this pilot, the goal was simply to test the methods, not to meet a particular level of evidence.

It was an to participate in the months of planning and three days of execution.
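
The escalation described in the TIME excerpt above, where a ballot-polling audit that lands just outside the risk limit goes to another round with more ballots, worked through as an added example (not code from the Rhode Island pilot or from this blog). It assumes the BRAVO ballot-polling test for a two-candidate contest, a 55% reported winner share, a 10% risk limit and constructed sample counts; the function names are illustrative.

```python
"""Ballot-polling risk-limiting audit: BRAVO-style sequential test, two candidates.

Assumptions (not from the page): the BRAVO test, a 55% reported winner share,
a 10% risk limit, and the constructed hand-read samples below.
"""
from fractions import Fraction

HALF = Fraction(1, 2)


def update_statistic(t, ballots, winner_share):
    """Fold one round of hand-read paper ballots into the test statistic.

    The statistic is a likelihood ratio: "the reported share is right"
    against "the contest was really a tie". 'W' is a vote for the reported
    winner, 'L' for the reported loser; any other mark (undervote, overvote,
    write-in) leaves the statistic unchanged.
    """
    for mark in ballots:
        if mark == "W":
            t *= winner_share / HALF          # evidence for the reported outcome
        elif mark == "L":
            t *= (1 - winner_share) / HALF    # evidence against it
    return t


def run_audit(rounds, winner_share, risk_limit):
    """Audit round by round until the risk limit is met or samples run out.

    winner_share is the winner's reported share of the two-candidate vote.
    Returns {"confirmed": bool, "rounds": [per-round summary, ...]}.
    An unconfirmed audit means "keep sampling", ending in a full hand count.
    The risk is checked only at the end of each round, which is conservative.
    """
    share, alpha = Fraction(winner_share), Fraction(risk_limit)
    if not HALF < share < 1:
        raise ValueError("reported winner share must be between 0.5 and 1")
    if not 0 < alpha < 1:
        raise ValueError("risk limit must be between 0 and 1")

    t, seen, history = Fraction(1), 0, []
    for number, ballots in enumerate(rounds, start=1):
        t = update_statistic(t, ballots, share)
        seen += len(ballots)
        measured_risk = min(Fraction(1), 1 / t)
        met = measured_risk <= alpha
        history.append({"round": number, "ballots_seen": seen,
                        "measured_risk": float(measured_risk), "met": met})
        if met:
            return {"confirmed": True, "rounds": history}
    return {"confirmed": False, "rounds": history}


# Constructed samples (not Rhode Island data). Round 1 lands just short of the
# 10% limit, so the audit escalates; round 2 adds ballots and meets it.
CONSTRUCTED_ROUNDS = [
    ["W"] * 116 + ["L"] * 84 + ["undervote"] * 5,
    ["W"] * 29 + ["L"] * 21,
]
# Constructed case where the paper is evenly split although 55% was reported:
# the measured risk never drops, so the outcome is never confirmed.
SPLIT_PAPER_ROUNDS = [["W"] * 50 + ["L"] * 50] * 3

if __name__ == "__main__":
    for name, rounds in (("matching paper", CONSTRUCTED_ROUNDS),
                         ("split paper", SPLIT_PAPER_ROUNDS)):
        result = run_audit(rounds, "0.55", "0.10")
        print(name, "confirmed" if result["confirmed"] else "not confirmed")
        for r in result["rounds"]:
            print("  round", r["round"], "ballots", r["ballots_seen"],
                  "measured risk %.3f" % r["measured_risk"])
```

The evidence comes only from what people read off the paper, so the test is independent of the tabulating software; it cannot show that the paper itself records what each voter intended.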

Basics: Why we need to have paper ballots and must effectively audit our elections

A quote in a book excerpt caught our eye: For Tech Firms, Power Lies in the Coding <read>

— you may well own these things in the future, but if today’s system is anything to go by, you’ll very rarely control the code inside them. Tech firms have control over the initial design of their products, determining their “formal and technical” properties as well as their “range of possibilities of utilisation.” And they’ll obviously retain control over platforms— like social media applications — that remain under their direct ownership. But they’ll also control the code in devices they sell. That means that technology we buy for one purpose can be reprogrammed without our consent or even our knowledge.

This is the heart of the need for Evidence Based Elections. Elections that are Software Independent, that can be verified independent of the technology. Elections that are Publicly Verifiable, that can be verified independent of the election officials by multiple members of the public, candidates, and parties.

Beware the costly solution that does not solve the problem

As we have been warning, paper records from DRE (touch screen) voting machines are not the equivalent of hand-marked paper ballots.

WhoWhatWhy: Will Georgia Double Down on Non-Transparent, Vulnerable Election Machines? <read>

The good news is that Georgia, which was the first state in the country to deploy paperless machines statewide, has finally decided to replace these machines. But Georgia’s newly elected secretary of state, Brad Raffensperger (R), hopes to replace them not with hand-marked paper ballots and scanners (as virtually all independent cybersecurity election experts recommend), but rather with touchscreen ballot-marking devices, a prime example of which is the ExpressVote system from Election Systems & Software, LLC (ES&S). The ExpressVote is the specific system that Governor-elect Brian Kemp (R) began promoting last year. ES&S is Georgia’s current vendor.

Like other touchscreen barcode balloting systems, the ExpressVote generates computer-marked paper printouts (Kemp and many others misleadingly call them “paper ballots”) with barcodes that are then counted on scanners. Although these paper printouts include human-readable text purporting to summarize the voter’s selections, the barcode, which humans can’t read, is the only part of the printout actually counted by the scanner. According to computer science professor Richard DeMillo of the Georgia Institute of Technology, the barcode constitutes a new potential target for malevolent actors, as it can be manipulated to instruct the scanner to flip or otherwise alter votes…

In addition to security concerns, all touchscreen systems tend to cause long lines because they limit the number of people who can vote at once to the number of touchscreens at the polling place…

The ExpressVote system also would cost taxpayers more than three times as much as hand-marked paper ballots and scanners: an estimated $100 million as opposed to $30 million.

A system only greedy vendors and fraudsters would love.

******Update: Verified Voting Statement to Georgia <read>

Georgia, Pennsylvania, New Jersey…on my mind

Story in Atlanta Journal-Constitution outlines what keeps election integrity awake all night: Georgia prepares to move from electronic to paper ballots <read>

State lawmakers broadly agree that it’s time to replace Georgia’s 27,000 direct-recording electronic voting machines with a system that leaves a verifiable paper trail.

With a paper ballot, recounts and audits could verify the accuracy of electronic tabulations.

But there’s disagreement about what kind of paper-based voting system Georgia should use and how much taxpayer money to spend on it…

One option calls for voters to complete paper ballots by hand, filling in bubbles with a pen and then inserting their ballots into optical scanners for tabulation.

Under another type of system, voters would choose their candidates on touchscreens — similar to those currently in use across the state — and then machines would print paper ballots reflecting their selections. Voters could then review their ballots and insert them into optical scanners…

Many election integrity advocates favor hand-marked paper ballots, saying they most closely reflect voters’ intentions. Election officials would be able to review how voters filled out their ballots, and they wouldn’t have to trust that a computer printed out their choices correctly.

Some county and state election officials prefer ballot-marking devices, which are more familiar to Georgia voters who are accustomed to casting their ballots on touchscreens. Ballot-marking devices can accommodate the disabled and elderly by adjusting type size or providing audio, and they help avoid mismarked ballots by preventing voters from circling candidates’ names or scratching out their choices.

There’s also a third potential option. Georgia could switch to hand-marked paper ballots and also provide at least one ballot-marking device at each precinct to accommodate the disabled…

Replacing the state’s voting machines won’t be cheap.

It could cost the public about $30 million to move Georgia to hand-marked paper ballots and over $100 million for ballot-marking devices.

Editorial

We favor the third option: most voters filling out paper ballots by hand, with ballot marking devices available to accommodate those with disabilities. There is no guarantee voters actually check ballots created by ballot marking devices (see: Handmarked paper ballots more verifiable than ballot marking devices), no guarantee they would consider it a machine error rather than their own mistake, and no reason for officials to believe or to verify voters who claim that the machine made an error. Worse, many forms of those marking devices and their forms of ballot are much more difficult (expensive) to audit and recount.

It would be a sad shame if state and Federal money is spent to buy such risky equipment at triple the cost of voter marked paper ballots.

Handmarked paper ballots more verifiable than ballot marking devices

New study summarized by Andrew Appel: Why voters should mark ballots by hand <read>

Because voting machines contain computers that can be hacked to make them cheat, “Elections should be conducted with human-readable paper ballots. These may be marked by hand or by machine (using a ballot-marking device); they may be counted by hand or by machine (using an optical scanner).  Recounts and audits should be conducted by human inspection of the human-readable portion of the paper ballots.”

Ballot-marking devices (BMD) contain computers too, and those can also be hacked to make them cheat.  But the principle of voter verifiability is that when the BMD prints out a summary card of the voter’s choices, which the voter can hold in hand before depositing it for scanning and counting, then the voter has verified the printout that can later be recounted by human inspection.

But really?  As a practical matter, do voters verify their BMD-printed ballot cards, and are they even capable of it?  Until now, there hasn’t been much scientific research on that question.

A new study by Richard DeMillo, Robert Kadel, and Marilyn Marks now answers that question with hard evidence:

  1. In a real polling place, half the voters don’t inspect their ballot cards, and the other half inspect for an average of 3.9 seconds (for a ballot with 18 contests!).

  2. When asked, immediately after depositing their ballot, to review an unvoted copy of the ballot they just voted on, most won’t detect that the wrong contests are presented, or that some are missing.

The study What Voters are Asked to Verify Affects Ballot Verification: A Quantitative Analysis of Voters’ Memories of Their Ballots <read>

Recognize that ballot marking devices, like the IVS used in Connecticut, are a valuable vehicle for those with disabilities. Voters without disabilities should avoid them. Leave them for those that need them. There are two other reasons to encourage the vast majority of voters to use hand-marked paper ballots. Ballot marking devices are much more expensive than voting booths for marking paper ballots and can lead to long lines.

Georgia voter registration system crisis touches Connecticut

Georgia Secretary of State, Brian Kemp, just launched an investigation of the Democratic Party of Georgia, after their consultant pointed out a serious vulnerability in Georgia’s voter registration system/database: Kemp’s Aggressive Gambit to Distract From Election Security Crisis <read>

This touches Connecticut because the vendor for Georgia’s system, PCC, is located in Bloomfield, Connecticut and supplies Connecticut’s voter registration and election night reporting systems. It is not certain that the reports so far accurately portray PCC’s role in Georgia, or whether any of the same vulnerabilities apply to Connecticut’s system. From our understanding, Connecticut has paid a lot of attention to the security of our voter registration system, and PCC supplies the software but is not involved in its operation. We have reached out to the Secretary of the State’s Office suggesting that they address the relevance of the Georgia report to Connecticut.

The beginning of the article points to the weakness discovered in the Georgia system and the attempted political deflection of the issue from Brian Kemp’s responsibilities as Secretary of State to the Democratic Party:

When Georgia Democrats were alerted to what they believe to be major vulnerabilities in the state’s voter registration system Saturday, they contacted computer security experts who verified the problems. They then notified Secretary of State Brian Kemp’s lawyers and national intelligence officials in the hope of getting the problems fixed.

Instead of addressing the security issues, Kemp’s office put out a statement Sunday saying he had opened an investigation that targets the Democrats for hacking…

WhoWhatWhy, which exclusively reported on these vulnerabilities Sunday morning, had consulted with five computer security experts on Saturday to verify the seriousness of the situation. They confirmed that these security gaps would allow even a low-skilled hacker to compromise Georgia’s voter registration system and, in turn, the election itself. It is not known how long these vulnerabilities have existed or whether they have been exploited…

“What is particularly outrageous about this, is that I gave this information in confidence to Kemp’s lawyers so that something could be done about it without exposing the vulnerability to the public,” Brown told WhoWhatWhy. “Putting his own political agenda over the security of the election, Kemp is ignoring his responsibility to the people of Georgia.”…

“It’s so juvenile from an information security perspective that it’s crazy this is part of a live system,” Constable said.

It’s Georgia and Brian Kemp’s responsibility but the article also implicates PCC:

A Connecticut-based private contractor, PCC Technologies Inc., has contracts to manage voter registration systems for Georgia and 14 other states. PCC also runs online voter registration for six of them, including Georgia. If these vulnerabilities exist in Georgia, they could also be present in other states where PCC operates.

Matt Bernhard, a Ph.D. student in computer science at the University of Michigan focusing on voting technology, found that personally identifiable information could also be accessed through North Carolina’s voter page, which PCC also manages.

As Georgia’s system has not been audited — if it had, these problems would have been found and fixed, presumably — there are likely other vulnerabilities that could impact the midterm election, according to Constable.

PCC also runs the ElectioNet system, which is used by every county in Georgia to manage the state’s voter rolls. If voter registration data was changed, it would show up in the ElectioNet system. In a declaration as part of a recent lawsuit against the state, Colin McRae, chair of the Chatham County Board of Registrars, disclosed that the ElectioNet system is also responsible for populating the data in the pollbooks of every state.

Our understanding is that PCC just supplies software to Connecticut and does not manage our voter registration system.

Connecticut does not officially use ePollbooks. We use printed paper check-in lists, although some registrars have purchased and use ePollbooks for redundant record keeping. We presume it is PCC code that is used to print the paper check-in lists we use and to load the ePollbooks purchased by some towns. Any significant errors in either of those could cause chaos and dramatically affect elections. Once again, there is a strong possibility that vulnerabilities in Georgia may not apply to Connecticut.