Category: Reports

UConn paper warns of limitations of cryptography

Use of good tools must go hand-in-hand with good use of tools

We have just become aware of an excellent paper from the University of Connecticut (UConn):  Integrity of Electronic Voting Systems: Fallacious Use of Cryptogrphy <read>

The report describes the limits of cryptography to protect the integrity of election equipment, our votes, and ultimately our democracy. They also provide a memorable phrase widely applicable beyond cryptography and elections:

Use of good tools must go hand-in-hand with good use of tools. In particular, severe security deficiencies have been reported in electronic voting terminals despite the use of cryptography. In this way, superficial uses of cryptography can lead to a false sense of security. Worse, cryptography can prevent meaningful independent technological audits of voting equipment when encryption obfuscates the auditable data. A vendor may provide its own test and audit tools, but relying on the self-test and self-audit features is problematic as one should never trust self-auditing software (cf. relying on a corporate entity to perform self-audit).

They the describe the challenges and limitations of using cryptography in general, the general vulnerabilities in the Diebold-Premier-Dominion AccuVote-TSx, and demonstrating two specific attacks:

we designed and tested two attacks against the AV-TSx terminal. In the first, the attacker wishes to swap votes received by two candidates. The attacker can be successful provided that the sizes of the two files that define the candidate representation in the digital slate are identical. We found that is not a rare occurrence and in fact our test election contained such pairs of candidates. The swapping was applied to the name definitions of the two candidates and included the integrity check. In the second attack, the attacker simply wishes to make one of the candidates disappear from the slate. This can be achieved though a modification of the file that defines the layout of the candidate’s name.

All our findings are based on straightforward experimentation with the voting terminal; we had no access to internal or proprietary information about the terminal or access to source code.

They point that systems are vulnerable because of their complexity:

Two observations are critical in this respect: (i) The safety and correctness of a large system is only as good as its weakest link. Additionally, a single failure — whether benign or malicious — can ripple through and affect the entire system. (ii) Procedural counter-measures can be used to mitigate the weaknesses of the system, however, in a large system relying on many distributed procedural elements, the probability of a procedure failure can be extremely high, even if each individual procedure fails with small probability.

They also provide examples of other measures which provide vulnerability

Cryptographic techniques can mitigate the risks of attacks against removable media cards. The level of protection depends upon the strength of the cryptographic techniques, upon the safekeeping of the digital keys used to protect the cards, but also upon the safe-keeping of the voting terminal themselves. Indeed, the firmware of the voting terminal necessarily holds a copy of the digital keys used to protect the removable media. A successful attack against the terminal compromises those keys that an attacker can use to produce forged, compromised removable media cards. This situation is analogous to one where a person always hides a physical key under the doormat – knowing where the key is hidden defeats the purpose of having a lock. The trust in the whole system depends on the vendor diligence in…

Once a card is programmed on EMS, it is shipped to the election officials to be inserted into the voting terminal where it stays for the duration of the election before being shipped back for aggregating the results (where central tabulation is used). The integrity of the card during the entire process is critical to the integrity of the election.

If the card can be tampered with while in transit to the precinct election officials, the entire system can be compromised. The election description can be made inconsistent with the paper ballot leading to an incorrect interpretation of the votes and therefore incorrect tallying.

Implications for Connecticut

Although we use the AccuVote-OS and this report is on the AccuVote-TSx many similar risks apply, even if the AccuVote-OS makes less use of cryptography. As the UConn report points out:

in 2005 H. Hursti released his findings on the Diebold OpticalScan system (the so-called “Hursti Hack”). This was an early design that used only a superficial password protection to secure the system. Newer designs normally incorporate some cryptographic tools; however, the application of the tools remains haphazard.

That is the same system in use today, everywhere in Connecticut.

 

Which, if any, of Connecticut’s 169 towns would be secure for Internet voting (let alone email and fax voting)?

Some of the smaller Connecticut towns have very part time registrars who maintain office hours as infrequent as one hour a week. Registrars in their 70’s and 80’s whose towns have not provided them with access to email. Towns that have resisted laws to require them to post meeting minutes on the web as too challenging and costly? How will those towns accept and provide security for email and fax voting? How about even our larger cities? How well prepared are they and can they be?

Last week the Legislature, without public hearings, passed email and fax voting, stuffed in an otherwise popular bill. It would mandate each of Connecticut’s 169 towns and 339 registrars of voters to implement voting via email and fax from any location in the world. As is well know, email and fax are totally insecure.

Less well known, is how unprepared and unable our nations cities are in securing the internet. It should be obvious since our corporations, including networking giants,  intelligence community, and military forces are not able to secure their networks. For a lesson in cyber security of the internet (with email being the most vulnerable), consider Homeland Security expert Bruce McConnell’s recent talk <read/view>

Recently the New York Times highlighted a report on the security of our nations cities: U.S. Study Cites Worries on Readiness for Cyberattacks <read>

A study commissioned by President Obama to assess the nation’s ability to respond to terrorist attacks and man-made and natural disasters has found that state and local officials have the most confidence in their public health and medical services but are the most concerned about whether agencies can respond to cyberattacks…

But it was the report’s findings about cybersecurity that appeared to be the most troubling, and they continued a drumbeat from the Obama administration about the need for Congress to pass legislation giving the Department of Homeland Security the authority to regulate computer security for the country’s infrastructure.

The report said that cybersecurity “was the single core capability where states had made the least amount of overall progress” and that only 42 percent of state and local officials believed that theirs was adequate.

Although a little more than 80 percent of officials said they had adopted measures to address the issue, 45 percent said they did not have a formal program to prevent and respond to attacks.

The report said that roughly two-thirds of those officials reported that they had not updated their “information security or disaster recovery plans in at least two years.”

The preparedness report said that a little less than two-thirds of the companies in the United States had sustained cyberattacks and that “only 50 percent of owners and operators at high-priority facilities” like electrical grids said that they reported such attacks.

Since 2006, there has been a 650 percent increase in the number of reported cyberattacks in the United States, rising to 41,776 in 2010 from 5,503 in 2006, according to the report.

Some the smaller of Connecticut towns have very part time registrars who maintain office hours as infrequent as one hour a week. Registrars in their 70’s and 80’s whose towns have not provided them with access to email.  Towns that have resisted laws to require them to post meeting minutes on the web as too challenging and costly? How will those towns accept and provide security for email and fax voting? How about even our larger cities? How well prepared are they and can they be?

Enthusiastic support for the Secretary’s Performance Task Force Recommendations

Given the many members, the brief meetings, and the lack of representation of all interests, we were skeptical when the Task Force was convened. To our delight, we find that we can offer endorsement of each of the twenty-one recommendations in the report.

There is a lot to do in all the recommendations. It will take time, money, and deliberate work with everyone at the table. Our hope is that each of the recommendations will be thoroughly explored, evaluated, and acted upon, that none get overlooked.

Last summer and fall, the Secretary of the State convened an Elections Performance Task Force to look at elections and what might be done to improve them in the State of Connecticut. Details, presentations, and videos of the Task Force meetings are available at the Secretary’s web site <here> The Secretary issued a final report and recommendations <here>

Given the many members, the brief meetings, and the lack of representation of all interests, we were skeptical when the Task Force was convened. To our delight, we find that we can  offer endorsement of each of the twenty-one recommendations in the report, starting on page 34.

We strongly endorse those recommendations in bold below [our comments in brackets]

Identify measures that will increase the efficiency and effectiveness of the voting process.

1. The Secretary recommends an amendment to Article 6, Section 7 of the Connecticut State Constitution similar to House Joint Resolution Number 88 of the 2011 legislative session. The amendment would allow the General Assembly to adopt more flexible laws for voting.

2. The Secretary recommends partnering with Professor Heather Gerken to develop a Connecticut Democracy Index. This would allow for benchmarking across municipalities and with other states to track trends in the election process, to measure performance and to gain valuable data that can inform decisions going forward.

3. The Secretary recommends streamlining the absentee ballot process. A working group should be formed to examine and make recommendations around ideas like creating a single absentee ballot application and linking the absentee ballot tracking system with the Centralized Voter Registration System. [Assuming such streamlining does not increase integrity risks or confidence in the process]

4. The Secretary recommends further study of how regionalism could make Connecticut’s electoral  system more cost-effective and consistent. For instance, the use of a statewide online voter registration system, regional on-demand ballot printing, and regional voting centers should all be further explored. [Here we would go further to explore complete regionalizaton, “doing for elections what we have done for probate in Connecticut]

5. The Secretary recommends that the polling place for district elections be the same as for state elections. This will help eliminate voter confusion caused by having to go to different polling locations for different elections. [This would be convenient, yet if mandated, would be challenging for many towns due to different boundaries and contests]

6. The Secretary recommends exploring better ways of coordinating the printing of ballots with programming of memory cards in order to create a more efficient, reliable and cost-effective process.

7. The Secretary recommends the development of a certification process for Registrars of Voters. Additionally, standards and best practices should be developed for that office around issues such as election administration, voter registration and voter outreach. These standards and best practices may need to account for differences in small, medium and large municipalities. Finally, a mechanism for enforcement and, if necessary, the removal of a Registrar of Voters should be created. [We would especially recommend standardization and better practices for post-election audits and recanvasses, along with better manuals, including creating manuals for each pollworker position]

8. The Secretary recommends that a formal study of the cost of elections be undertaken, and that a standardized set of measures for such costs be established.[We would combine this into the Democracy Index, providing ongoing measures and comparison over time]

Maintain the security and integrity of the voting process.

9. The Secretary recommends the development of a secure online voter registration system in Connecticut. The system should be tied to other statewide databases, such as the Department of Social Services, the Department of Developmental Services, and the Department of Motor Vehicles, to allow for verification of data.

10. The Secretary recommends that the state acquire at least one high speed, high volume scanner to be utilized in the post-election auditing process. This centralization of the process will reduce the fiscal and logistical burdens on towns, as well as provide for a more accurate and secure auditing process.[We are a strong supporter of electronic auditing, done effectively and transparently. The number of scanners and their capacities should be a byproduct of an effective electronic auditing pilot, plan, cost benefit analysis, and appropriate law establishing and governing electronic audits]

11. The Secretary recommends that the post-election auditing process be amended to include all ballots that are machine-counted, including those counted centrally.[We would go farther and subject all ballots cast to selection for audit.]

12. The Secretary recommends that a greater emphasis be placed on ballot security. Ballots should be stored in a secure, locked facility. Additionally, two individuals should always be present whenever these facilities are accessed. This policy should be uniformly followed and enforced.

13. The Secretary recommends that the state join the Electronic Registration Information Center (ERIC), an interstate data consortium that the Pew Center on the States is currently building. This data center would allow participating states to streamline the processes for registering eligible voters; update records of existing voters; and remove duplicate and invalid records from state voter files. The Secretary stresses the need to include multiple agencies in the database, including those that offer public assistance, interact with people with disabilities, and otherwise come into contact with eligible voters who may not normally visit the Department of Motor Vehicles. Evaluate ways to integrate technology into our election system.

14. The Secretary recommends further exploring the use of new technologies in the election process through pilot programs and examination of other states’ usage. However, the cost and security of any new technologies should be carefully examined. Examples of new technologies for consideration include:

a. Electronic poll books

   b. More advanced voting systems for the voters with disabilities

    c. Online voter registration

15. The Secretary recommends immediate implementation of a statewide web-based electronic reporting system for election results.

16. The Secretary recommends the use of web-based training to standardize election staff training across the state.[We would like to see video training and manuals having a pollworker focus, designed by professional technical writers]

Find ways to increase voter participation, particularly among minorities, young people, people with disabilities, and military and overseas voters.

17. The Secretary recommends Election Day registration in Connecticut and any necessary adjustments to the voter file system to ensure accuracy. Election Day registration has increased voter participation in states where it has been enacted.

18. The Secretary recommends an effort to increase voter participation in Connecticut, with a particular focus on youth, minorities, people with disabilities, and military and overseas voters.

a. Early voting bears further study as a possible mechanism for reaching minority voters. [We are skeptical that early voting has a particular focus on any group of voters]

   b. Since the electorate is becoming more mobile, voter registrations should be mobile as well.
   c. Connecticut’s curbside voting program should be better advertised to voters with disabilities, all polling  places should be easily handicapped accessible, and poll workers at all locations should be properly trained on utilizing the IVS vote by phone system. A viable, better alternative to the IVS system should also be sought.

   d. The military and overseas voting process should be amended to allow for the facsimile transmittal of completed absentee ballot applications. The original application would then be returned in the envelope along with the completed absentee ballot via mail, in order for the ballot to be counted.[Fax transmission should only be required to obtain a blank ballot in situations where the voter cannot print a blank ballot]

e. The military and overseas voting process should be streamlined by the electronic transmission of printable, mailable ballots. This, along with the above recommendation, would eliminate the mailing time of transmitting completed applications and blank ballots through manual post, and would allow for more time for participation by military and overseas voters.

f. The electronic transmission of ballots to military and overseas voters should be further streamlined through the use of the Centralized Voter Registration System.[Having the system aid the overseas voter in downloading their correct blank ballot]

19. The Secretary recommends that existing voter registration provisions included in legislation such as the National Voter Registration Act be fully enforced. The Secretary further recommends that Connecticut’s Department of Corrections be designated as an official voter registration agency.

20. The Secretary recommends a concerted effort to educate the public and the incarcerated population about the voting rights of those detained pre-sentencing and the restoration of voting rights to felons. The Secretary further recommends that the restoration of voting rights be extended to include parolees, as is the case in over a dozen states.

21. The Secretary recommends that Election Day be declared a holiday, as it is in many countries, and/or that elections include in-person voting on a weekend day. This would grant citizens more time to vote and would allow for the use of students and persons with the day off as poll workers.

We note several caveats:

Our endorsement of proposals is conditional. Conditional on the details of any proposed implementation or law. For instance, although we support Election Day Registration, we do not support the current bill before the Legislature which would call for Election Day Registration, because the bill is inadequate to protect the rights of EDR voters, other voters, and could result in chaos and uncertainty.

The report is the Secretary of the State’s, not approved by or endorsed by the Task Force as a whole.

Contained in this report are the findings of the Election Performance Task Force, organized by subcommittee subject matter, with the additional category of voting technology. The Secretary utilized these findings along with feedback from members of the task force, other interested parties, and the public to shape the recommendations that are detailed at the end of this report.

While we endorse the recommendations, we do not endorse the details in the report itself:

  • The statistical information and conclusions do not come close to meeting rigorous standards in justifying the conclusions reached.
  • As noted in the report, the cost of elections information provided is questionable. We find it wildly inaccurate to include data that elections might have been conducted at costs per voter less than the cost of printing a single ballot.
  • We strongly disagree that there is any basis to predict that online voting will be a safe and accepted practice within ten years.

There is a lot to do in all the recommendations. It will take time, money, and deliberate work with everyone at the table. Our hope is that each of the recommendations will be thoroughly explored, evaluated, and acted upon, that none get overlooked.

UConn Report: Batteries and officials failing faster than previously reported

  Most projects start out slowly, and then sort of taper off.
    – Augustine’s Law #XL

Most projects start out slowly, and then sort of taper off. – Augustine’s Law #XL

Last week, the University of Connecticut (UConn) released a report on memory card testing covering 2007 – 2010. The results from 2007 until pre-election testing for August 2010 had been previously published, we expected to see the 2010 results much sooner. <report>

From the Conclusion, our comments in brackets [ ]:

Correctness of Card Programming: The audits determined that 100% of the cards actually used in the election [and actually submitted to UConn for testing] showed correct programming in terms of both the election description data and the executable code on the cards. In the case of the pre-election cards, in all cases where small discrepancies in the election description data were discovered, these differences were due to the very late changes, such as candidate name changes, substitutions, and race changes.

Audit Coverage: The number of memory cards submitted for audits fell substantially in 2010. We understand that in some cases districts were advised to not submit cards for audit in an apparent effort to occlude the fact that memory cards were duplicated. It is recommended that the SOTS Office encourages the districts to always submit one out four cards for pre-election audit and all of their used cards for post-election audit. The number of cards examined by the audits needs to be substantially increased in future elections to provide a better statistical basis for the overall election landscape in Connecticut. Not only this will help ensure proper programming of the cards, but it will also help address the reliability problem of the memory cards…

This dramatic drop in card submission renders most of the other statistics in the report unreliable and questionable. As UConn states, officials may be avoiding sending in duplicated cards; they could be choosing to send in more “junk data” cards as they are useless in the election; or avoiding sending in “junk data” cards assuming. incorrectly, it would reflect badly on them . Without public drawings we have no indication that cards are selected randomly, or that officials actually understand that they should be. Without accurate data it is hardly worth reviewing and making decisions based on the statistical analysis of the partial data.

Memory cards submitted by officials to UConn (Out of about 800 districts and 3500 cards)

As we have noted in the past, because the cards are not actually and publicly randomly selected, in addition to making it impossible for the reported results to be statistically accurate, it also provids an easy loophole for errors and skulduggery to be covered-up.

An earlier UConn report indicated that the problem was old batteries and that replacing batteries regularly might solve the “junk data” problem. Apparently this is not always so, with some cards quickly draining the batteries:

Continuing with the Conclusions:

This data loss is most likely caused by the weak batteries on the cards (however, as of this writing it is not clear how long a fresh battery lasts in a memory card). We are continuing to examine this issue. Increasing audit coverage will enable us to obtain and evaluate more cards that failed in search for a solution. In particular, we know that some cards drain batteries much faster than most; when we identify such cards it is recommended that they are removed from circulation. Longer term solution may be to develop replacement cards that use non-volatile memory technology…

Memory Card Duplication: In recent elections more then 6% of the cards [selected and submitted by officials] were involved in duplication. We note that the only authorized entity to provide card programming for election in Connecticut is LHS Associates. There is no guarantee that cards duplication done by the districts correctly reproduces data and programming on the copy cards. Additionally, if duplicated cards are not submitted for audits it increases the risk of using incorrect cards in elections. It is recommended that the SOTS Office reinforces its policy that prohibits card duplication…

Adherence to Election Procedures: The technological audits established that the districts do not always adhere to the established pre-election procedures. Most notably, in recent elections over 6% of the memory cards are duplicated by the districts, a practice that is not permitted by the SOTS Office. Additionally, some districts do not prepare all of their cards for elections and/or prepare for elections by running elections instead of running test elections. It is recommended that the SOTS Office reiterates the importance of following the prescribed election procedures. Lastly, some districts send cards for pre-election audit before they test the cards, while other districts send cards after they test the cards. For the pre-election audit to be most effective, it is recommended that districts uniformly send cards after the cards are tested and prepared for elections.

Overall, we applaud the report and the work of the UConn Voter Center. We are disappointed in the data submitted by election officials and the lack of progress in effectively addressing memory card problems. We are sympathetic to officials for the problems bad memory cards cause, yet our sympathy ends when they do not play their part in providing cards needed for UConn to make detailed and accurate assessments. We note that the lack of cooperation happened in the Bysiewicz Administration. We hope that the Merrill Administration will elicit more cooperation and encourage production of more timely reports for both memory cards and post-election audits.

For memory card testing to be useful and reach the potential of the exemplary testing developed by UConn, the program needs to be well defined and mandatory, enforceable, and enforced. The program should be mandated by law and/or all memory cards required to be sent through UConn in both directions from and to registrars, never to and from LHS, the vendor responsible for programming the cards. Or as we have recommended, the cards should be programmed in Connecticut, co-located with an independent testing function using the UConn developed test.

Brennan Center: Changes in state laws could make voting harder

“Over the past century, our nation expanded the franchise and knocked down myriad barriers to full electoral participation. In 2011, however, that momentum abruptly shifted.”

Report from the Brennan Center For Justice: Voting Law Changes in 2012 <read>

Executive Summary

Over the past century, our nation expanded the franchise and knocked down myriad barriers to full electoral participation. In 2011, however, that momentum abruptly shifted.

State governments across the country enacted an array of new laws making it harder to register or to vote. Some states require voters to show government-issued photo identification, often of a type that as many as one in ten voters do not have. Other states have cut back on early voting, a hugely popular innovation used by millions of Americans. Two states reversed earlier reforms and once again disenfranchised millions who have past criminal convictions but who are now taxpaying members of the community. Still others made it much more difficult for citizens to register to vote, a prerequisite for voting.

These new restrictions fall most heavily on young, minority, and low-income voters, as well as on voters with disabilities. This wave of changes may sharply tilt the political terrain for the 2012 election. Based on the Brennan Center’s analysis of the 19 laws and two executive actions that passed in 14 states, it is clear that:

  • These new laws could make it significantly harder for more than five million eligible voters to cast ballots in 2012.
  • The states that have already cut back on voting rights will provide 171 electoral votes in 2012 – 63 percent of the 270 needed to win the presidency.
  • Of the 12 likely battleground states, as assessed by an August Los Angeles Times analysis of Gallup polling, five have already cut back on voting rights (and may pass additional restrictive legislation), and two more are currently considering new restrictions.

States have changed their laws so rapidly that no single analysis has assessed the overall impact of such moves. Although it is too early to quantify how the changes will impact voter turnout, they will be a hindrance to many voters at a time when the United States continues to turn out less than two thirds of its eligible citizens in presidential elections and less than half in midterm elections.

This study is the first comprehensive roundup of all state legislative action thus far in 2011 on voting rights, focusing on new laws as well as state legislation that has not yet passed or that failed. This snapshot may soon be incomplete: the second halves of some state legislative sessions have begun.

We point out that “voter suppression” is different than “making it harder…to cast ballots”.

  • We see no significant fraud problems calling for the stiff voter ID requirements and for curtailing EDR. These, along with making it more difficult for felons to vote and stiffer registration requirements each would tend to suppress the vote to the detriment of older, poorer and disabled citizens.
  • While current initiatives may be politically motivated, we have frequently cited risks and fraud associated with expanded mail-in and no-excuse absentee voting.
  • Early voting may be expensive if done without increasing risk, it might also suppress or encourage voting by particular groups. For instance, early voting would benefit employed citizens if voting centers are located in areas where many people work.

We note that the Brennan Center agrees with the analysis that mail voting and early voting have little effect on turn-out <here> <here>. According to the Brennan Report:

The primary benefit of early voting is convenience. Voters are provided more options and days during which they can vote. While there is little evidence that early and absentee voting increase turnout, there is strong anecdotal evidence that it makes election administration easier, reducing the crush of voters at the polling place on a single day. In the past, that Election Day crush has led to hours-long lines, and resulted in the de facto disenfranchisement of tens of thousands of voters.

CLARIFICATION: Official Post-Election Audit Report

We were surprised and pleased to open the following letter from Deputy Secretary of the State, James Spallone, clarifying/correcting some of the impressions left by the report. We appreciate the clarification.

We remain concerned when the differences between machine counts and hand counts reported by several registrars of voters. We also continue to be concerned, that such differences are attributed to hand counting errors, without investigation.
ADDENDUM ADDED.

Editor’s Note: CTVotersCount welcomes responsible contrary opinions. Even more so, we appreciate factual corrections to information published here.

Last month we posted and criticized the Official Post-Election Audit Report for the November 2010 election, created by the University of Connecticut. We said the audit was “Flawed by lack of transparency, incomplete data, and assumed accuracy”. Upon returning from California we were surprised and pleased to open the following letter from Deputy Secretary of the State, James Spallone, clarifying/correcting some of the impressions left by the report.

Based on the clarifications we now understand that we were under the misimpression that the Secretary of the State’s Office had conduced unannounced, non-transparent recounts of some of the data originally reported by registrars of voters. According to Mr. Spallone such counts did not occur. Secret counts would not be illegal, yet would tend to reduce public confidence in the integrity of the audits and in our democracy. On the other hand, not conducting investigations of significant differences does not inspire confidence or lead to integrity.

We remain concerned with the differences between machine counts and hand counts reported by several registrars of voters. We also continue to be concerned, that such differences are attributed to hand counting errors, without investigation. As we have said in the past “if all differences are attributed to hand counting errors, then if there ever were a machine error or fraud it would not be recognized by the audit”.

We appreciate the clarification and will continue to encourage the investigation of significant differences, announced, and subject to public observation, along with improved auditing procedures, training of officials, and improvements in the audit law without increasing costs.

The audit remains, in our opinion, “Flawed by lack of investigation, incomplete data, and assumed accuracy”.

Addendum:

Perhaps a small yet critical point, we interpret the situation differently. The Deputy Secretary says: “Information gathering and follow-up, however, is not part of the official audit process.” It may not be part of the unenforceable ‘process’ developed by the Secretary of the State’s Office, but we interpret it legally as part of the Audit. The audit law requires the report from UConn, so anything that contributes to the report would, in our opinion, be part of the audit. For instance, past investigations included in the report, and in this case discussions between the SOTS Office and registrars or UConn leading to the dropping of some data from the report etc.

Susan Bysiewicz, former Secretary of the State, claimed that the audit was ‘Independent’ because UConn completed the audit report, rather than her office. We agree with her that the report (and obviously therefore anything included in it) is part of the audit. We disagree that UConn is ‘independent’ legally since their budget for elections depends on the Secretary of the State, and is not ‘independent’ in practice since the Secretary’s Office reviews and contributes interpretations to the report.

Once again, the law does not require investigations to be public – the issue is that transparency would be one of the requirements for credibility of the report and trust in democracy.

How Anonymous Are Paper Ballots?

A new research report brings into question the degree of anonymity in paper ballots. The finding raises potential concerns for states and election jurisdictions considering the merits of either making ballots available for public review or releasing them under freedom of information requests. We find reasons for concern with ballot anonymity and reasons for skepticism that the result will hold under additional research.

A new research report brings into question the degree of anonymity in paper ballots:  New Research Result: Bubble Forms Not So Anonymous <read overview> <report>

From the overview:

Today, Joe Calandrino, Ed Felten and I are releasing a new result regarding the anonymity of fill-in-the-bubble forms. These forms, popular for their use with standardized tests, require respondents to select answer choices by filling in a corresponding bubble. Contradicting a widespread implicit assumption, we show that individuals create distinctive marks on these forms, allowing use of the marks as a biometric. Using a sample of 92 surveys, we show that an individual’s markings enable unique re-identification within the sample set more than half of the time. The potential impact of this work is as diverse as use of the forms themselves, ranging from cheating detection on standardized tests to identifying the individuals behind “anonymous” surveys or election ballots.

The data is based on a sample of 92 ballots filled out at the same time, on the same form, using the same writing instrument:

To test the limits of our analysis approach, we obtained a set of 92 surveys and extracted 20 bubbles from each of those surveys. We set aside 8 bubbles per survey to test our identification accuracy and trained our model on the remaining 12 bubbles per survey…

Additional testing—particularly using forms completed at different times—is necessary to assess the real-world impact of this work. Nevertheless, the strength of these preliminary results suggests both positive and negative implications depending on the application. For standardized tests, the potential impact is largely positive. Imagine that a student takes a standardized test, performs poorly, and pays someone to repeat the test on his behalf. Comparing the bubble marks on both answer sheets could provide evidence of such cheating. A similar approach could detect third-party modification of certain answers on a single test.

The possible impact on elections using optical scan ballots is more mixed. One positive use is to detect ballot box stuffing—our methods could help identify whether someone replaced a subset of the legitimate ballots with a set of fraudulent ballots completed by herself. On the other hand, our approach could help an adversary with access to the physical ballots or scans of them to undermine ballot secrecy. Suppose an unscrupulous employer uses a bubble form employment application. That employer could test the markings against ballots from an employee’s jurisdiction to locate the employee’s ballot. This threat is more realistic in jurisdictions that release scans of ballots.

The finding raises potential concerns for states and election jurisdictions considering the merits of either making ballots available for public review or releasing them under freedom of information requests. We find reasons for concern with ballot anonymity and reasons for skepticism that the result will hold under additional research. Before concluding a number of serious implications, it is critical to do longitudinal studies, as recommended in the report, and to study several other challenging dimensions.  Considerations and directions include:

  • On a small sample, a 51% chance of the most likely individual being correctly identified may not be all that useful, not knowing which 51% are the correct identifications.
  • How does the probability of the detection of correct correspondent vary with the number of voters? 100, 200, 400, 800 etc.
  • Are there classes of voters that clump and are hard to distinguish and others that are fairly unique?  Is this similar to blood type classifications, with more types, but much less distinct classes? Or is it similar to DNA with many variations, but again nowhere near as distinct?
  • From looking at a lot of ballots in audits and recanvasses it is clear to me that people do make consistent marks in bubbles on a single ballot, with a single instrument, on a single day, however:
    • Do voters make the same marks over time and in different contexts?
    • To what extent do single voters or collective groups of voters fill in bubbles the same way from election to election?  I suspect it varies from person to person as well,. For me I suspect I am very inconsistent from election to election, except that I do tend to fill in complete bubbles – which would place me in a large class of voters difficult to distinguish individually.
    • Filling out an SAT or survey can be quite different than voting. In an SAT we think more and in different ways, under much more stress. In a survey we may hardly think or care at all.
  • In Connecticut we use felt tip pens in polling places. To what extent does such a thicker instrument make the classification more or less accurate? I would suspect the thicker the instrument the more difficult the classification in general.
  • In longitudinal studies (using forms filled out on different occasions, days, weeks, months, or years apart): How much more difficult is identification when the instrument varies? e.g. Felt tip pens can be drier or wetter, vary in thickness based on use.  Pencils can vary by sharpness, vary by manufacturer. Pens and pencil marks may vary in the way the instrument is be able to be gripped or is gripped on a particular occasion.
  • What good are past examples from one type of test/ballot type to another?  I suspect difficulties based on bubble size, bubble shape, rectangles, or connecting lines – even shape of ballot/test form, layout, lighting, sitting vs. standing etc.
  • For example, let us say an employer, union, government entity, criminal enterprise, or church wanted to use this method to test votes of individual employees/members, without their knowledge. What accuracy/confidence could they expect with samples from presumably a small subset of voters in a precinct when attempting to identify their ballots in a sea of ballots filled out by other voters?

More research is necessary before we can conclude the degree to which bubble analysis can be used to identify voters.  Even so there would be trade-offs between public the positive value and risks of public availability of ballots for review. There are mechanisms of election transparency short of public disclosure of complete paper ballots  – methods which could reduce risks but at some risks to credibility and transparency. Of course we could eliminate paper ballots all together and take the greater risks of errors, skulduggery, and lack of confidence of electronic voting like we have seen in recently in New Jersey, last year in Kentucky and several years ago in Sarasota.

Report: What Hath HAVA Wrought?

Charles Stewart III, presented a fascinating report earlier this spring. It is forty-two pages, double spaced, yet engaging throughout. In addition to describing HAVA and its implications, the report covers the political process which resulted in a useful, yet insufficient response to the issues raised in 2000.

Charles Stewart III, presented a fascinating report earlier this spring at a conference, Bush v Gore, 10 Years Later: Election Administration in the United States.. .The report, in draft form, as presented: What Hath HAVA Wrought? Consequences, Intended and Not, of the Post-Bush v. Gore Reforms <read>

It is forty-two pages, double spaced, yet engaging throughout. In addition to describing HAVA and its implications, the report covers the political process which resulted in a useful, yet insufficient response to the issues raised in 2000.  We are left with several thoughts generated by reading the report. (These are our thoughts based on our interpretation of the fascinating details in the report. In general they are consistent with the report, yet our conclusions and interpretations go beyond those in the report.):

  • Like the Patriot Act rushed through after 911, the Help America Vote Act (HAVA) was passed in a crisis window of opportunity to fix exposed problems and also to enact longstanding wish lists for reform. Little has happened to election reform efforts at a national level since HAVA and it seems that actual state election integrity improvement legislation and activity has similarly tapered off, except in the wake of a state crisis now and then.
  • We can expect the same in the aftermath of last November in Bridgeport. The current reforms viewed as less than ideal by the Coalition and the Secretary of the State are likely all we will see from that incident.
  • The report reminds us how strong the calls for machines to allow the independent voting for voters with disabilities were five years ago. And how little we hear from that community to fix Connecticut’s inadequate IVS system.  The report identifies that the real issue for voters with disabilities seems to be physical access to the polling place rather than accommodating machines.
  • It seems there never was much attention paid to electoral accounting and recounting which were at the core of Gore v Bush decision.  (See our testimony on the NPV earlier this year especially page 6) Even in election integrity circles presidential electoral accounting continues to be largely unknown.
  • The report confirms our concerns with disenfranchisement represented by increased mail-in and unlimited absentee balloting.
  • Generally, election officials have pushed for unlimited absentee voting because they claim it saves money, while in Connecticut town clerks opposed increased absentee voting based on estimated higher costs. It is an interesting open issue less critical than the risks vs. turnout implications of mail voting.
  • The report highlights the continuing neglect of voting administration, especially when compared to other government functions. Would the public stand for birth records, drivers licenses, or criminal records with the errors pervasive in voter registration lists?  Would they accept Federal Reserve, weapons, or virus research security as weak as ballot security? Why do we accept such weak security and integrity in voting?
  • We are struck with be lack of balance between election integrity, the promise of counting every vote, vs. the rush to have results and move on quickly after every election. This effects accuracy, overseas voting, and presidential accounting.
  • Not covered in the report is any discussion of the role of vendors in HAVA. We recall tales of much vendor involvement with Congress. Following the money, it seems to us that the reforms that were enacted were those that result in spending: for new voting machines, for special machines for disabled voters, and centralized voter registration systems. Reforms improving the lot of or requiring more work on the part of officials seem to be neglected unless they were a consequence of the large vendor expenditures.
  • Three Billion for HAVA seems like real money.  But it is a few days at war or a day or so of deficit which might depend on which person is elected President or Senator.  It is equal to the deficit we are dealing with in Connecticut, the solution to which is dependent on who is Governor.

This report is recommended reading.  It also suggest that we should read and report on some of the other papers delivered at the same conference.


Researchers: Early Voting alone DECREASES turnout

Researchers found: The convenience of Early Voting depresses turnout. Election Day Registration increases turnout. When both are combined the effect is about the same as Election Day Registration alone.

Op-Ed by researchers in the New York Times: Voting Early, but Not So Often <Op-Ed> <Full Report>

Turnout is a prime justification for early voting. Researchers at the University of Wisconsin analyzed early voting  and discovered it actually decreases turnout.

From the Op-Ed

States have aggressively expanded the use of early voting, allowing people to submit their ballots before Election Day in person, by mail and in voting centers set up in shopping malls and other public places. More than 30 percent of votes cast in the 2008 presidential race arrived before Election Day itself, double the amount in 2000. In 10 states, more than half of all votes were cast early, with some coming in more than a month before the election. Election Day as we know it is quickly becoming an endangered species…

But a thorough look at the data shows that the opposite is true: early voting depresses turnout by several percentage points…Controlling for all of the other factors thought to shape voter participation, our model showed that the availability of early voting reduced turnout in the typical county by three percentage points

Early voting only adds to convenience and weakens the effect and motivation for Get Out The Vote Efforts:

Even with all of the added convenience and easier opportunities to cast ballots, turnout not only doesn’t increase with early voting, it actually falls. How can this be? The answer lies in the nature of voter registration laws, and the impact of early voting on mobilization efforts conducted by parties and other groups on Election Day.

In most states, registration and voting take place in two separate steps. A voter must first register, sometimes a month before the election, and then return another time to cast a ballot. Early voting by itself does not eliminate this two-step requirement. For voters who missed their registration deadline, the convenience of early voting is irrelevant.

Irrelevant to the current research yet relevant to the issue, we point out that  early voting also changes the campaign season. With many voting early, literature, advertisements, news articles, late developments, and endorsements occurring after voting begins influence fewer and fewer votes, both in elections and primaries.

The researchers found one exception. Election Day Registration (EDR) when combined with Early Voting does increase turnout:

Fortunately, there is a way to improve turnout and keep the convenience of early voting. Our research shows that when early voting is combined with same-day registration — that is, you can register to vote and cast an early ballot on the same day — the depressive effect of early voting disappears. North Carolina and Vermont, two otherwise very different states that combined early voting with same-day registration, had turnout levels in 2008 that were much higher than the overall national figure of 58 percent of the voting-age population. Turnouts in Vermont and North Carolina were, respectively, 63 percent and 64 percent. Allowing Election-Day registration, in which voters can register at the polling place, has the same effect. Our models show that the simple presence of Election-Day registration in states like Minnesota and New Hampshire increases turnout by more than six points.

So, it seems that Election Day Registration alone has the same effect as early voting combined with EDR. Perhaps more research is needed to verify the combined effect vs. EDR alone. But for now early voting must be considered as a convenience only, and without EDR a detriment to turnout.

Of course, this is only one study and only one election.  But the report sets the bar quite high for them level of detail and analysis. And the enthusiasm of 2008 would be the last type of election environment where we would expect  a convenience functioning to reduce turnout.

Going forward, proponents of Early Voting, who accept this research, must embrace EDR while focusing on the convenience and prove claimed cost savings of early voting(*).  CTVotersCount will continue our efforts to point out integrity risks of mail-in voting(**), and the costs associated with safe early voting.

* We have heard many claims of cost savings for mail-in voting.  A case would need to be made based on each state’s proposed implementation. Perhaps it is easy to show savings for statewide all mail-in voting, yet maintaining election day polling place voting would on the surface save little, unless many polling places were closed – negating at least some existing convenience.

** As Ron Rivest has pointed out, there is a case for excuse absentee balloting including military and overseas voters.  But limiting mail-in voting, limits exposure, and limits the risk.

UCONN: Failed memory cards caused by weak batteries, inadequate design

This week at the 2010 Electronic Voting Technology Workshop on Trustworthy Elections in Washington, D.C., Dr. Alex Shvartsman and his team from the Uconn VoTeR Center delivered a significant paper. It covered research into the cause of the complete failure of the AccuVote-OS memory cards, at an unacceptable rate — We suggest the costs of mitigating the problems should be born by the manufacturer and/or distributor since the ultimate cause is the inadequate design of the memory cards for their intended purpose.

This week I attended the 2010 Electronic Voting Technology Workshop on Trustworthy Elections in Washington, D.C., Dr. Alex Shvartsman and his team from the Uconn VoTeR Center delivered a significant paper.  It covered research into the cause of the complete failure of  the AccuVote-OS memory cards, at an unacceptable rate.  <See our earlier coverage>. <The Research Report>

[W]e determined the time interval from the instant when a battery warning is issued by the AccuVote to the point when the battery does not have enough voltage to retain data on the memory card.We show that such interval is about 2 weeks. Thus timely warnings cannot be provided to protect against battery discharge and loss of data during the election process…

Recommendations

we determined the time interval from the instant when a battery warning is issued by the AccuVote to the point when the battery does not have enough voltage to retain data on the memory card. We show that such interval is about 2 weeks. Thus timely warnings cannot be provided to protect against battery discharge and loss of data during the election process…

The lifetime of the Energizer battery, when its voltage remains above the 2V needed for data retention in standby mode, at that current load, according to its datasheet [9] is 9,000 hours or approximately one year.

Given that it is possible that a memory card is used for elections once a year, it leads us to the same conclusion: For each election, a decision would be made, whether or not to replace the batteries for this election. The decision would be based on the amount of time since the batteries were last replaced and on the estimate of the service life of the battery (e.g., using the procedure at the end of the previous section).

Discussing the challenge with Dr. Shvartsman at the workshop, it seems that replacing the batteries is more complicated than might be assumed. The battery is under the memory card label, so replacement includes completely removing all remnants of the old label then preparing and placing a new label on the memory card. Shvartsman estimated the replacement cost, including labor, may be on the order of $10 per memory card.

We suggest that $10 per year per card is well worth avoiding most of the problems associated with the current huge, unacceptable failure rate. The total cost would be about $40,000 per year, somewhere in the range of $0.025 per ballot cast. To put this in context, ballot printing is about $0.45 per ballot and election costs average in the range of $5.00 to $8.00 per ballot cast. We also suggest the costs of mitigating the problems should be born by the manufacturer and/or distributor since the ultimate cause is the inadequate design of the memory cards for their intended purpose.

PS:  Dr. Shrvartsman is mentioned prominently in an article posted at Verified Voting: Voting Technology Research Gets In-Depth <read>