By Gregory Miller

Yet Another Report About Voter Fears & Voting System Integrity

Today, we learned of yet another blog post and a White Paper about voter “concerns” and sentiments regarding the trustworthiness of our existing election infrastructure.  This was led by a bit of a sensational headline:

“Democracy at Risk: More Than 15 Million Voters May Stay Home on Election Day Over Cyber-Security Doubts”

The sum and substance of their article is that the State of PA is the most vulnerable for an election hack.  Or as one respected Media outlet asked of us today, “Would you agree that Pennsylvania — given any number of aspects, including non-paper ballots —  is among the most vulnerable states to cyber-focused attacks?”

No.  Not so much.  Not even close, actually.

FACT: “PA is no more vulnerable to cyber-focused attacks than any other state relying heavily if not completely on digital voting machinery, namely DREs,” says John Sebes, CTO at the OSET Institute.  “Notwithstanding reports such as the CarbonBlack white paper, PA’s voting machines share the same technical security vulnerabilities as in other states, no more and no less.”

Let’s put a fine point on this:  If one believes there are State actors seeking to alter an election result by exploiting voting machine vulnerabilities — despite the fact there are lower-cost higher-impact attack opportunities on U.S. elections in general, including some already underway — then PA might be a more attractive target.  In other words, PA is not more vulnerable but potentially more attractive insofar as attempts on voting machines go.  While we’re at it, a few more points worth making:

  • It’s really not just about PA.  Actually, FL and VA are also among potential swing states that have paperless voting machine vulnerabilities, and have potential Federal election margins that might be narrow enough for an undetected exploit to have a chance of being effective.
  • Although elections are at some risk from State sponsored adversaries, concern over possible “voting machine hacks” should not be the major concern of voters, and certainly not a reason to not vote.
  • The best way to make sure your ballot isn’t counted correctly is to not cast one in the first place.
  • Voters with concerns over paperless DREs should consider their alternatives for voting on paper ballots in absentee, by-mail, early, and election-day voting.

Honestly, we’re not impressed with the nearly sensational approach Ben Johnson’s blog post presents.  And while the paper makes some interesting observations (and is a slick presentation to be sure), we don’t believe CarbonBlack is a subject matter expert in elections technology and infrastructure.  But if they are, then they’re not being particularly intellectually honest in their assessment by singling out PA for convenience of making their point.

We take Ben’s point about the potential for people to stay at home; we’ve seen some similar numbers from equally unscientific polls regarding voter sentiment we’ve been involved with, but chose not to publish.  We’re working with some folks deeply experienced at polling, who believe more thorough polling would be required to vet this potential.  However, we agree that there does seem to be a rising sentiment.

This is one of the reasons election integrity professionals are walking a fine line publicly discussing it.

All that observed, the most important value in CarbonBlack’s blog post or any discussion about voter fears should be a wake-up call that more messaging is required to inform voters of the importance of getting out to vote (and disregarding the hype about rigging, legitimacy, or hacking concerns).  That is, lest we experience a BREXIT of our own.

We note Mr. Johnson obtained his Masters in CS from Johns Hopkins in 2006, and he has some impressive credentials with some good experience (e.g., computer scientist for certain 3-letter Agencies).  We’d welcome a professional like Ben into the election integrity community.  For starters, our CTO has a professional colleague who is a Professor at Johns Hopkins, and truly one of the top election technology integrity experts in the nation if not globally.  Actually, we’d be surprised if Ben doesn’t know this Professor already.  Maybe we should (re)connect them.  Then perhaps, once embedded in the election integrity community, Ben’s writing will be a bit more conditioned on some internal realities.  For sure, we’d welcome CarbonBlack acquiring the domain expertise to contribute to the integrity and security mandates of this critical democracy infrastructure.  We’re just not sure this blog post or the accompanying White Paper serves the best interest of election integrity goals, where intellectual honesty, a lack of hyperbole, and straight talk are essential.

But then, if media coverage is the goal and publishing bait too delicious for the Media to pass on, then there is one more note of clarity deserving here.  CarbonBlack has just quietly filed for an IPO (Initial Public Offering), so brand awareness raising activity like this White Paper is normal.

Think about it from their PoV: “Let’s leverage all the “FUD” about this year’s election integrity and tie it together with our need for lots of media coverage to support our impending IPO road show.”  Sorry, a bit self-serving IOHO.  Apologies if this reads strongly, but add grains of salt accordingly.

BTW: we offered to chat with CarbonBlack about their paper.  Had that happened, we might have been able to help boost their credibility without this work looking so self-serving.  Their response to us on Twitter?  “Sure, send eMail to media@carbonblack.com.”  Really? Directing us to your Media Relations team?  That flagged us to look into CarbonBlack a bit more, and that’s when we discovered the IPO filing news breaking today.

Look, even we are feeling trepidation about recent interviews and demos we’ve put together with NBC Nightly News, due to air soon.  It’s such a fine line between scaring off the vote, and yet having a vital conversation about how election integrity can be increased, while costs are decreased, and usability is improved.  To wit, we recently launched this video to start that delicate conversation, striking the right chord.

And no, we don’t single out any jurisdiction, let alone PA, a State doing the best it can (and a good job at that) to be as ready as possible.

Back to work here.

Announcing: Our Story in a New 2-Minute Video

It’s amazing what can happen when you bring in real talent.  Last year we brought in a new team member in social media, who proved her capabilities so fast that we promoted her to Director of Citizen Outreach.  We’ve known for over a year that the time was drawing near to figure out how to tell the TrustTheVote Project story to the public.  Specifically, sharing our mission with those other than elections professionals and government.  Meegan Gregg did it.  And it appears (to use a baseball term) to be a “Walk-off Home Run” or maybe a “drop the mic” result.

Today we’re launching our story, in a 2-minute video developed by a team led by Meegan.  It involved an enormously generous grant from XPLANE, the visual story-telling firm, and was implemented through the talented production work of several supporting firms, including PingPongPop and Marmoset for voice-over and music; TalkBack for sound & video integration; and RoboToro for web engineering.

So, what’s the point; why the video, and why now?

Candidly, we need to engage the public’s interest and support for our Project.  Our operation needs the support of the people, because the TrustTheVote Project is by the people and for the people.  We’re building a 21st century “democracy operating system,” ElectOS, to increase integrity, lower cost, improve voter experience, and maybe help turn-out.

The video is the best way to tell a story of a complex Silicon Valley project underway by some of the same folks who helped bring you products from Apple and the web browser from Netscape.  It connects citizens to a real and pressing problem that is consuming lots of media attention right now in this election cycle: our crumbling voting systems infrastructure.

Now, there is no need to panic: what’s in production now will make it through this election—despite one candidate suggesting there will be “rigging.”  But 43 States have to replace their machinery by 2020, which will be here before we know it.  And their choice is to replace their existing stuff with more of the same.  And that stuff is mostly built on 90’s personal computers.

But the time to address this problem and engage the public is now because this election cycle is upon us, and while we’ll make it through (although we fear there will be challenges and recounts), we the people can improve our own voting experience, increase confidence in elections and their outcomes, and trust the vote. Our civic duty and civil right to free and fair elections is the single most important liberty we have as American citizens.  This video explains how we, the people, can, with your support, ensure that liberty is preserved at a time when election technology has become an under-funded, disregarded backwater of government I.T.

So please have a look at our new story and tell us what you think!

A Response to POLITICO: Election Infrastructure as Critical Infrastructure

Below is a letter prepared by co-founders Gregory Miller and John Sebes sent to Tim Starks and Cory Bennett of POLITICO, who cover cyber-security issues.  A formatted version is here.  The signal-to-noise ratio on this subject is rapidly decreasing.  There seem to be some fundamental misunderstandings of the challenges local election officials (LEOs) face; the process by which the equipment is qualified for deployment (albeit decrepit archaic technology by today’s standards); what the vulnerabilities are (and are not); and why a designation of “critical infrastructure” is an important consideration.  We attempt to address some of those points in this response to Tim’s otherwise really good coverage.

Tim Starks
tstarks@politico.com
Morning Cybersecurity Column
POLITICO
1000 Wilson Blvd, 8th Floor,
Arlington, VA, 22209

RE:      11.August Article on Whether to Designate Election Infrastructure as Critical Infrastructure

Greetings Tim

I am a co-founder of the OSET Foundation, a 501.c.3 nonprofit election technology research institute in the Silicon Valley.  I’m writing in response to your article this week in Morning Cybersecurity:

ANOTHER VIEW ON ELECTIONS AS “CRITICAL INFRASTRUCTURE” –
Maybe classifying the election system as part of the nation’s “critical infrastructure” isn’t so wise.

We’ve been on a public benefit mission to innovate electoral technology since 2006.  We’re a group of tech-sector social entrepreneurs bringing years of experience from our former employers like Apple, Facebook, Mozilla, Netscape, and elsewhere to bear on innovating America’s “critical democracy infrastructure” —a term we coined nearly a decade ago.

We’re working with elections officials across the country to develop a publicly owned democracy operating system called ElectOS™ in order to update and upgrade America’s voting systems with innovations that will increase integrity and improve participation for 1/3rd the cost of today’s aging systems.  ElectOS will innovate voting machinery the way Android® has innovated smart phones and mobile devices.  Both are freely available (or “open source”), and like Android, we believe ElectOS will one day enjoy a flourishing commercial market to sustain its continued innovation, deployment, and support.

We’ve been studying the challenges of election administration infrastructure for a decade.  So, we read with great interest your article regarding another viewpoint about making a critical infrastructure designation for our nation’s deteriorating, obsolete, and vulnerable voting infrastructure.  There are elements of your article we agree with (and more specifically comments of Cris Thomas), and there are points that we disagree with because they reveal some misunderstanding of the realities of election administration and the processes of managing the machinery today.  Thus, we were compelled to write you and share these clarifications.

We hope our comments are helpful going forward as you continue to cover this important topic, especially in light of the current election season and the delicate issues being raised by at least one candidate and other media.  Good on you for covering this. Below please find our (hopefully helpful) contributions to your effort.  Relevant portions of your article appear indented in blue.

In recent days, a growing chorus of experts and policy makers have backed a proposal to give elections the same level of federal security protections that the government already grants other so-called critical infrastructure, such as the power grid or financial industry.

First, we believe it’s important to be very clear on what elections infrastructure we are talking about.  We should be discussing voting technology operated by Local Election Officials (“LEOs”), and not web sites and eMail servers run by political NGOs.

Sure, the recent attacks on NGOs are a wake-up call for a variety of potential attacks on real Election Infrastructure (“EI”) and peripheral targets.  But the Critical Infrastructure (“CI”) designation should be for core EI; that is, voting machines and the election administration software and systems that manage voting machinery.

But an old school hacker who was part of the L0pht collective says such a change might do more harm than good.  “Classifying voting computers as critical infrastructure is going to cause a lot of headaches at the local level,” Cris Thomas, aka “Space Rogue,” tells MC [MC = “POLITICO Morning Cybersecurity”].

Critical Election Infrastructure (“CEI”) is not very different than other locally managed CI.  Not all CI is big corporate IT like financial transaction processing systems, or government-operated systems like the ATC, or quasi-public technology like the power grid operated by a variety of organizations, but subject to many government regulations.  By contrast, we already have CI that is local, including local government operated.  For example, there are small local water utilities and municipal water treatment organizations.  Local first responders’ infrastructure is CI as well.  So, there is plenty of precedent for giving a CI designation to locally managed assets.

Because elections, even national elections, have been historically treated as a local event; having a federal designation as critical infrastructure will fundamentally change how we have handled our elections for the last 240 years.

CEI designation will not cause a fundamental change in the current situation where U.S. elections are a local matter.  Mr. Thomas is mistaken on this one point.  Local election organizations will have the same responsibilities, plus some new ones for managing CI.  But a county election administrator will still manage elections the day after or even the year after a critical infrastructure designation.  That cannot, should not, and will not change.

Thomas, now a strategist at Tenable Network Security, says the idea misses the point: We need to remain focused on the security concerns of the current system, which fall into two areas. First, many manufacturers are not testing the systems well enough before selling them to municipalities, often using off-the-shelf hardware and software with minimal security and using things like default, hard-coded passwords.

Of course, the existing voting machines have technical security issues—and at the risk of reading like we’re overly defending vendors, what computing system has none?  And of course, it’s also true that a CI designation won’t change these products’ default security posture.

at the same time, the local government certification agencies seldom have the time, resources and knowledge to properly test these computers for vulnerabilities, …

The same is true regarding the certification process, although Mr. Thomas is mistaken about that process itself.  There are not “local certification agencies,” but rather Federal and State organizations that certify the systems local (county) election jurisdictions are authorized to use. Nevertheless, a CI designation will not increase the rigor of the certification process, and it won’t increase the capability of LEOs to do technical scrutiny of their own.

and often just accept a manufacturer’s claims of security.

We must also take exception to Mr. Thomas’s last comment.  The idea that certification sometimes amounts to “just accepting vendor security claims” cannot be, and is not, the case.  Although the current certification process isn’t as strong as we’d like, and though nearly all stakeholders want improvement, there are already clear requirements for vendors to demonstrate compliance with security related requirements.  On the other hand, misleading vendor claims about security can sway LEOs when selecting a certified system (and the choices are down to three vendors).

[T]he result is a system that our entire democracy depends on, which is run with minimal, easily bypassed security.

Sure, but it’s a mistake to focus solely on technical security problems of voting machines, particularly since these systems are not going to be replaced with better technology immediately upon a CI designation.  In the near term, the impact of CEI will be more on people and process, and less on technology itself.  LEOs will need help to build organizational capacity and expertise to manage physical assets as critical infrastructure, with physical security, personnel security, increased operational security processes, and the ability to demonstrate that a variety of kinds of people and process controls are actually being followed rather than merely mandated.

So, improvements in the human aspects and processes are the immediate value of a Critical Election Infrastructure designation.  Such a designation would need to clearly state that our local election officials (LEOs) are custodians of not just critical infrastructure, but infrastructure that is critical to our national security.

That’s never been a responsibility for LEOs, and many LEOs will be dismayed that they will be called upon to operate in ways that they never imagined would be important.  It will require long-term capacity building.  In the short term, there are many improvements in people and process that are possible, although unlikely unless there is a high sense of urgency and importance.  The designation of election infrastructure as critical infrastructure, however, can help create and maintain that urgency.

A better approach, Thomas says, is to increase funding for the National Voluntary Laboratory Accreditation Program run by NIST and the U.S. Election Assistance Commission.

We agree in principle, but this is not mutually exclusive with Critical Infrastructure.  Clearly, there is room for improvement, and NIST and EAC have important roles.  With Critical Election Infrastructure, their roles would need to enlarge, but reasonably so.

We also agree that more funding for these organizations’ election integrity efforts is necessary, but doing so is not an either / or decision in consideration of other aspects of CEI.  If Election Infrastructure is truly “critical” then several things must occur, including, but not limited to, the additional support for NIST and EAC that Mr. Thomas is encouraging.

Here are three examples of improvement that a Critical Election Infrastructure designation would enable —though additional funding and expertise would be required.

  1. Do not connect anything relating to ballots, counting, voter check-in, etc. to the Internet, ever—and in many cases no local wireless networking should be allowed.  With CEI, using an Internet connection is no longer a convenience or shortcut in the grey area of safety—it’s a possible vulnerability with national security implications.
  2. Physically secure the election back-office systems.  The typical election management system (EMS) is a nearly decade-old Microsoft Windows based application running on Personal Computers no longer manufactured, that are as easy to break into (“black hack”) as any ordinary PC.  Yet, they are the brains of the voting system, and “program” the voting machines for each election.  So put them in locked rooms, with physical access controls to ensure that only authorized people ever touch them, and never one person alone.
  3. Perform physical chain of custody really well (i.e., for machines, paper ballots, poll books, precinct operations logs —everything), with measurable compliance, and transparency on those measurements.  It’s just not reasonable to expect LEO Operations to do excellent physical chain of custody routinely everywhere, if these physical assets are not classed as CI.  They’re not funded or trained to operate physical security at a CI level.  So, there is plenty of room for improvement here, including new responsibility, resources, training, and accountability.  All of this may be low hanging fruit for improvement (not perfection) in the near term, but only if the mandate of CEI is made.

We hope this is helpful.  We’re glad to discuss issues of election integrity, security, and innovation whenever you want.  The co-founders have been in the technology sector for three decades.  Both have worked on critical infrastructure initiatives for the government.  The OSET CTO, John Sebes, has been in digital security for over 30 years and is deeply experienced with the policy, protocols, and tools of systems and facilities security.  Our Advisory Board includes former US CTO Aneesh Chopra, digital security expert and CSO of Salesforce.com, Dr. Taher Elgamal, global expert on elections systems integrity, Dr. Joe Kiniry, DHS Cyber-Security Directorate Dr. Douglas Maughan, and several former state election officials.

Respectfully,

Gregory A. Miller
Co-Founder & Chief Development Officer

Showtime: OSET/TrustTheVote Project Appearing at DNC Convention Strategic Forum Event

(This is a x-post from Ms. Voting Matters’ announcement on the OSET Institute’s corporate site.)

We are totally excited about an amazing opportunity tomorrow, Tuesday July 26th, to appear at an event as part of the Democrat National Convention.

The only thing that would make this truly complete is if the Republican National Convention had also invited us (we asked, and although we’re pleased to be working with several in the RNC infrastructure, making something happen was not possible.)

But the New Democrat Network (NDN) and the New Policy Institute did reach out to us and invited us to their premier Strategy Forum now being held at its 4th Democrat National Convention.  So, we’re focused on presenting to an audience estimated to exceed 1,000 per latest projections based on RSVPs as of yesterday (over 900).  This is truly an amazing opportunity for us to spread the story of our work and we’re deeply appreciative of the NDN’s invitation.

The event, “Looking Ahead: Talks on the Future of America and American Politics” is bringing together a collection of amazing thought-leaders on the future and innovation of democracy including experts such as Ari Berman, Alec Ross, Joel Gamble, Jose Antonio Vargas, and others.

The title of our presentation is: “Modernizing Our Election Technology Can Make Our Democracy Better.”

This will not be telecast, although we’re still awaiting word about a webcast, video stream, or recording of the sessions.  We’ll update this as soon as we know.

However, part of our presentation will be the launch of a new 2 minute video vignette about the looming problem of obsolete voting machinery and our approach to help bring about innovation which will increase integrity, lower costs, improve participation, and rejuvenate a flagging industry with new technology to innovate the business of delivering finished voting systems. That video will be available on YouTube tomorrow afternoon, and we will add a comment to this post and update it accordingly.

OSET’s Director of Citizen Outreach, Meegan Gregg, and the Foundation’s Co-Founder, Gregory Miller, will deliver this “Ted-Talk”-like presentation at 12:20pm EDT at the Convention Center in Philadelphia.  It should be a great time and a huge (oops) opportunity.

Another Laudable Online Voting Architecture Concept But…

Recently, we were asked about a concept authored by a former technology executive at Citrix (yes, those folks) back in 2012 regarding a potential end to end secure voting system.  But that was actually part of a larger question: whether and to what extent digital security must now live beneath the operating system software layer rather than on top of it.  The author’s ideas for an online voting system are laudable and his credentials are credible. His follow-on article last year (2015) is interesting, and more to the point of hardware-level security alluded to in the first article.  I offer a couple of comments below including some points by our CTO on this approach because it is something baked into ElectOS.

First, we agree that a hardware root of trust is an essential ingredient for any trustworthy computing device running mission critical software.  The author, Ahmed Sallam (now CEO at DeepSAFE Technology) rightly points that out, but we doubt that Citrix has an existing product that can safely run an Internet Voting client.  We’d love to be proven wrong on that, but it does not change the fact that the core problem is one of successfully combining many ingredients.  This is one of the well known ingredients.

There is, from my perspective, a well-developed and detailed technical white paper providing a worked example of a hardware root of trust from Apple for its iOS mobile operating system.  This hardware rooted security layer has allowed Apple to develop Apple Pay and their biometric authentication management system (you can see a very good overview video here (may require Safari Browser to watch) of how it works).  For those wishing to dive deeper, here is the NIST Draft Guidelines for Hardware Rooted Security in Mobile Devices.

At a deeper level of detail, our CTO (John Sebes) agrees with the technical architecture for the server side, but he believes that for the client side, Ahmed’s approach is a bit of overkill.  As John observes, “If I understand it right, the Sallam model seeks to allow trusted and un-trusted code to run on a device, with a full operating system and all.”

So, the client architecture that John and the TrustTheVote Project have been advocating from the beginning, starts with a consumer device that has a hardware root of trust and a hypervisor that can validate a boot image as coming from a trustworthy source. John reports that we nearly have that today.  And it has to have the ability to do both:

  • a normal local boot into a full service mobile device OS to work as a phone browser, etc.; and
  • a boot from an external physical device with the boot image for something else.

One such “something else” will probably be a banking App, but the one we’re interested in is a Voting (ballot casting) App — with a single purpose: it runs only that one App and the SW stack under it, immune to malware, etc.  That’s not even that hard, but there are interesting PKI (Public Key Infrastructure) issues for ensuring that a given voting App is the real {authentic | authorized} voting App, and performing strong authentication of the user-voter, etc.

Now for the “But…” part of this.  Fundamentally, we agree with Ahmed’s vision and concept; however, Citrix will be a potential player in the iVoting technology arena if and only if it is a major player in the mobile computing technology ecosystem.  From what we can tell, Citrix is moving in that direction.

So to summarize, at the end of the day,

  1. Do we believe Citrix has a solution for iVoting? No.
  2. Do we believe the author of both articles referenced here, Ahmed Sallam (now since departed from Citrix and CEO of DeepSAFE) has a credible vision and concept for online voting? Yes.
  3. Do we believe that concept is complete in terms of what we understand about the totality of the problem? No.
  4. Will the hardware root of trust (hardware layer security below the operating system), such as the elegant model embodied in iOS and articulated by the NIST Guidelines be a key ingredient going forward? Yes.
  5. Are we (anyone) there yet for a voting App/system? No.

Announcing the Launch of VoteStream Beta

Over the past three years we have used this space to document our efforts to create a truly open source, standards based election reporting solution: VoteStream.  At each step we have been guided by the needs of election professionals and the ideals of the OSET Foundation: that a critical democracy infrastructure should be verifiable, accurate, secure, and transparent (in process).

Today we are excited to take the next step in that process.  In partnership with the Knight Foundation, the TrustTheVote project is launching a round of beta testing for the next version of VoteStream.  This round will continue to focus on the requirements of local election officials and solicit feedback from academics, journalists, and other stakeholders.

In past tests we demonstrated the ability of VoteStream to publish election results in an easily accessible format.  This round will demonstrate the process of converting raw election data to the standard format published by the National Institute of Standards and Technology.

The beta round will be led by Iain Padley, our new Director of Election Professional Stakeholder Engagement.  Iain comes to OSET with experience in community and political organizing with a special emphasis on education issues.  He has spent much of the past three years working with local and state election officials to leverage public data to drive increased civic engagement among educators.

If you would like to apply for a spot in this beta round please fill out an application form or email Iain directly at iain.padley@osetfoundation.org

Biting the Bitcoin; Reflections on the Latest “Bitvote” Buzz

In those continuing efforts to route around the abysmal state of voting in America, we’re starting to hear an increasing drumbeat about Bitcoin as a basis for reinventing elections.  We’ve been watching this discussion or evangelism unfold in the past few weeks.  We even fielded questions from politicos in the Beltway last week about it (seriously).

As technocrats at heart around here, how can we not have our tails in a slow wag over the potential of Bitcoin technology (specifically the Block Chain)?  Well, a slow wag maybe; getting our tails in a twist over it for voting?  Not so much.  And here’s why.

I’m going to use one particular article that dropped this week as a vehicle for discussion.  Not because we’re picking on this author or his publication by any stretch (besides, publishing technicality, it was only a “contributed piece”).  But rather, this article provides a typical, and as good as any, evangelistic essay on the topic.

To start with, the author makes a fundamental assumption that is wholly inappropriate for U.S. elections administration. Then, several other observations on his part unfortunately reveal a complete lack of understanding of U.S. election law and practices (not that we think he should be an expert in such things, but he probably should have some basic understanding before assuming how Bitcoin might or might not innovate the process of elections).  Author Odell leads with:

The primary problem with the antiquated methods come down to a single fundamental issue, centralization.

Well, actually, that centralization is necessary and it isn’t central, but local — the machinery of U.S. elections is required to be in the control of U.S. local election officials.  It’s a feature not a bug.  His next assertion:

Current voting methods require a large amount of human involvement, from poll workers, to vote counters, to the companies and engineers that design the voting machines.

Yes, yes they do.   And the effort is worth it, for the proper operation of critical democracy infrastructure. You see, the integrity of the process depends on local control of ballots, transparency of the local operations, and a critical dual approach to counting ballots that prevents both sole reliance on people and sole reliance on technology.  Both people and software have fundamental limits in trustworthiness, so it is important to use both, in order to solely trust neither.  Odell continues:

Then you have the oversight groups who employ individuals to oversee the election workers.

Actually, that’s a feature, not a bug.  Election workers’ work should be transparent, but the accountability benefits of transparency only accrue if members of the public and good-government groups are actually watching.  Then the author continues with some assertions that I’ll take list-wise in response.

Current voting methods are …

  • inefficient and expensive
    Well, expensive is a fixable feature of a dysfunctional market for election technology; inefficient is a value judgement not shared by local elections officials, who seek the most efficient way of performing their duties, given the rules, regulations, and resources they have.
  • susceptible to fraud and manipulation
    Yes, by definition, and they always will be, hence the VAST mandate (elections must be delivered that are Verifiable, Accurate, Secure, and Transparent), and hence the model for ballot-count integrity I referred to above.
  • need to be vastly improved
    We agree on this point to the extent there is always room for innovation, but it has to fit with local elections officials’ legally mandated responsibilities.

Odell continues…

Bitcoin technology can provide us with a new and improved voting system built from the ground up, a decentralized and secure alternative.

“Decentralized” in this context would mean non-localized.  But that would mean local elections officials relying on a trust management system that they cannot and do not control.  That doesn’t fit current election law and regulations in the vast majority of the jurisdictions in this country.  “Secure” in this context means “local elections officials should trust this decentralized system because its proponents say it is trustworthy.”  At the risk of thinking too practically: that’s just not likely to happen anytime soon.

Odell adds…

Bitcoin is a decentralized and robust ledger secured by computers around the world that run the Bitcoin software.

Indeed it is.  We’re not disputing that characterization, but no local election official in this country is going to swallow a story of, “This crypto is so good it will never break and you can trust it so much that you can outsource to a nebulous global network all the responsibility you have for demonstrating the accuracy of election results.”  Not going to happen, not any time soon.  I’ll pass on even attempting to address “robust” in the author’s assertion about the ledger, as it would apply to voting in America.

Then consider that there is an entire generation of post-Snowden voters coming up who are crypto-luddites, and who believe that any system’s fundamental reliance on crypto is an invitation for central governments’ national security establishments to sneak in.  The most recent example is the Tor Network, which supposedly protects the anonymity of people using the web.  In fact, about 80% of its infrastructure has been compromised, and if someone is unlucky enough to use that 80% while being targeted by national security apparatus, their anonymity will be breached.  Unfortunately perhaps, there’s no reason to suppose that the foreseeable future of Bitcoin is any brighter, and not just because Mark Cuban says so.

I’ll toss in one final thought about the near-term practicality of Bitcoin being the pathway to secure and fraud-free elections.  Bitcoin usage requires at least a basic appreciation of the concept of public-key encryption (“PKI”); specifically the use of public and private keys (as straightforward as some may believe it to be).  We learned long ago from our prior ventures that the public was nowhere near ready (and still not today) for widespread use of technology like digital signatures or public key cryptography.  While Bitcoin transactions are simple enough and do not require a computer scientist to mine bitcoins or make purchases, in order to use Bitcoin technology as a basis for casting and counting ballots, one would need considerably more Bitcoin knowledge.

I’ll leave this critique by observing that at least for the article I chose, the title did state, “How Bitcoin Could Make Voter Fraud and Stolen Elections Impossible.”  The operative word there is “Could.”  And if we simply want to consider the potential of a technology (versus its practicality) then the potential of Bitcoin to provide for a more secure means of voting is acknowledged.  However, I remain convinced it is impractical for American elections as they are conducted and regulated today, and skeptical about the term “Impossible” for anything related to voting security.

How Bitcoin Fits Into Our Innovation Envelope
Now, let me shift from a critique of the current Bitcoin evangelists to a comparison with our charge.  We have had some people complain that as a non-profit election technology R&D organization, we should be spending more time looking over the horizon at everything from the block chain to smartphone Internet-based voting.  We are spending all of our time looking at innovations, with one major important difference: we are an “applied research” organization and not a “basic research” organization.

What that means is we are funded to have an emphasis on discovering, determining, and developing innovations that are likely to find their way into adoption, adaptation and deployment in the foreseeable future, in order to begin shifting elections administration and voting into the 21st century, while respecting laws and regulations as they stand, and process and politics as they exist.

So, where does this leave us with regard to Odell’s (and others’) vision of the Bitcoin blockchain serving as the basis for reinventing how (at least) America votes?  Let’s put it this way:

  • We are focused on election technology innovations that meet the current requirements of U.S. election officials (not necessarily those abroad).
  • That includes voting system technology that requires the typical use of standard encryption for data integrity.
  • Current requirements for voting systems don’t require any further use of crypto, including block chains.
  • We are also working on innovations in election technology that exceed the requirements of U.S. election officials, and improve their ability to deliver on the “VAST” mandate (that elections are Verifiable, Accurate, Secure, and Transparent).
  • In the arena of voting systems, “E2E” (End-To-End) is the crypto-based innovation that is most likely to fit within existing election administration practice (always a requirement) and deliver improvements that election officials can support, and that the public (citizen-voters) can benefit from.
  • E2E ballot verification is technically well known.  In the TrustTheVote Project, we rely on the applied crypto experts that are part of our technical stakeholder community, who are well versed in the application of E2E techniques to voting systems.

The bottom line here is that we didn’t say that there is no room for Bitcoin blockchain technology in future innovations, only that it doesn’t even remotely fit into something that local elections officials can use in the foreseeable future.

Bracing for Inevitable Manipulation

We really haven’t been hiding under a rock, it’s just the stack of reading all of us have to catch up on while so much is going on has become an archeological project here — well, OK, namely for myself.  And so my comments below about news from earlier this summer regarding Facebook’s manipulating people’s news feeds and some commentary about Facebook’s “I Voted!” button might seem like I’m really behind, but actually it dawned on me this past weekend that an important piece of our work backed by the Knight Foundation has a role in this… where “this” is actually about big data.

Facebook’s use of happy and sad words to research how they affect the mood of people’s news feeds was well covered in the news a couple of months ago.  This “emotional contagion experiment” raised all sorts of ethical questions about research on subjects who don’t know they’re being tested.

But in the tech and political worlds, people have been equally disturbed about another kind of possible Facebook manipulation—its use, or non-use, of what it calls the “Voter Megaphone.”

What’s the Facebook Voter Megaphone?

The megaphone is the “I Voted!” button that Facebook placed on the top of News Feeds for all U.S. users over age 18 on Election Day in 2010 and 2012. Users could click the button to show their friends they voted and subsequently see which of their friends clicked the button as well.

A study, commissioned by Facebook researchers and published in the journal Nature in September 2012, determined that the “I Voted” button may have boosted 2010 turnout at least by 60,000 voters and as much as 340,000 voters because of the social-media ripple effect. People who saw that their “close” friends had voted were more likely themselves to go out and vote, the study showed.

Across a very big country, 340,000 people may not seem that much, but for campaign consultants, micro-targeters, and turnout specialists, that’s a very big number indeed, especially for 2010, a mid-term election when turnout is always lower.

Facebook did another experiment with an “I Voted!” graphic on the 2012 Election Day. Those results have not been published yet.

So who is upset about this?

Let’s walk through why people are upset at this and why it is important for the TrustTheVote Project.

Micah L. Sifry is a co-founder and the executive editor of the Personal Democracy Forum, an organization that covers the ways technology is changing politics. He’s a pro-Democrat progressive. In a July 3 blog post he spoke to one of the Facebook researchers and pressed him as to whether the Facebook experiments with the Voter Megaphone could have actually helped President Obama in the 2012 election. The researcher’s and Sifry’s conclusion is that it could have.

Here’s how: Facebook users tend to be more female, more urban, and younger. Those are all demographic groups that skew Democratic. If Facebook used its “I Voted” experiment on a random sample of Facebook’s users, and it increased turnout, it could have benefited Barack Obama.

But Sifry wasn’t cheering for his Democratic side. He pointed out that Facebook could just as easily not have offered the “I Voted” button to certain people, or to certain people in certain states and voting districts. That could just as easily lessen turnout for one party or the other. The point is that Facebook could manipulate an election and it would be very hard for outsiders to tell. It’s stealthy manipulation.

Jonathan Zittrain, a professor of law and computer science at Harvard University, calls it “digital gerrymandering” and denounced it in a post in NewRepublic.com in June: “Consider a hypothetical, hotly contested future election,” Zittrain wrote. “Suppose that Mark Zuckerberg personally favors whichever candidate you don’t like. He arranges for a voting prompt to appear within the news feeds of tens of millions of active Facebook users—but unlike in the 2010 experiment, the group that will not receive the message is not chosen at random. Rather, Zuckerberg makes use of the fact that Facebook ‘likes’ can predict political views and party affiliation, even beyond the many users who proudly advertise those affiliations directly. With that knowledge, our hypothetical Zuck chooses not to spice the feeds of users unsympathetic to his views. Such machinations then flip the outcome of our hypothetical election.”

What does this have to do with the TrustTheVote Project?

Here’s why this is relevant to the TrustTheVote Project. Presidential and congressional campaigns today are high-stakes, high-tech efforts with lots of money and sophistication behind them. They have the advantage of “big data” collected from all of their outreach and social media efforts. Facebook, Twitter, other social media platforms, also have that “big data” advantage.

Election administrators, on the other hand, don’t. Well, actually they do, but they don’t have the sophistication and money to do a lot with it. Election administrators have lots of data, historical and recent, on turnout by state, congressional district, county, even down to precinct level, and they have demographic data and vote results data going back a long time.

That’s where TrustTheVote Project’s VoteStream initiative comes in. We are developing, in our Election Results Reporting System, software that local election administrators can use that will give top level and deep granular-level data about how the vote went, indexed by many different variables, down to the precinct level. The general public, not to mention reporters and campaign consultants, could immediately spot anomalies that might be worth looking at closer to see whether there was manipulation, or perhaps just brilliant targeting.

What else will VoteStream do?

VoteStream will help local election officials have a more level playing field with the wealthy “big data” players who can use voting and voter registration data for manipulative purposes. Elections officials can use the big data, instead, to inform.

Here’s another way that VoteStream, and in particular the TrustTheVote Project’s open-source election technologies, can help combat manipulation. Most election administrators are smart enough to predict that Democrats will want to increase turnout in Democratic precincts, and the same for Republican campaigns in Republican precincts. But campaigns have become way more sophisticated in their targeting than that. And these campaigns do not warn election administrators in advance about who or where they are targeting.

A campaign today, or even an outside SuperPac, using social media and other sophisticated get-out-the-vote campaigns, could greatly increase turnout suddenly in a way that local elections officials aren’t prepared for.  Election workers at a few targeted precincts could suddenly be greeted out of nowhere with a huge turnout and have inadequate vote casting and counting machines to cope. Or, a breakdown in the old voting machines combined with an unexpected spike in turnout could suddenly make for a three-hour wait to vote. This is not far-fetched. This is in part what happened in Florida in 2012 in key districts: unexpectedly high turnout, which made for long lines.

So, during my archeological content dig this weekend, this connect-the-dots exercise seemed worth sharing if only to point out that lots of our work here has some real potential to help in ways we might not immediately recognize.  File it under the doctrine of unintended windfall benefit.

“Digital Voting”—Don’t believe everything you think

In our most recent blog post we examined David Plouffe’s recent Wall Street Journal forward-looking op-ed [paywall] and rebalanced his vision with some practical reality.

Now, let’s turn to Plouffe’s notion of “digital voting.”  Honestly, that phrase is confusing and vague.  We should know: it catalyzed our name change last year from Open Source Digital Voting Foundation (OSDV) to Open Source Election Technology Foundation (OSET).

Most Americans already use a “digital” machine to cast their ballots, if you mean by “digital” a computer-like device that counts votes electronically, and not by the old pre-2000 methods of punched cards or mechanical levers. What Plouffe probably meant is what elections professionals call iVoting, which is voting via the Internet—and increasingly that implies your mobile device.

Internet voting has not been approved anywhere in the United States for general public use, although Alaska is experimenting in a limited way with members of the military voting in this manner. Norway just stopped its Internet voting experiment. The challenges of iVoting are daunting.

Just think about it: many credit-card companies and several major online merchandisers have been hacked at some point, and all commercial and government web sites face intrusion attempts by the hour. The Department of Defense is continually bombarded by efforts to break in. And sometimes hackers manage to actually get in and steal stuff. Voting is too important to let it be vulnerable to hacking.

Security of online voting is not yet with us. Sure, a few vendors of online voting technologies will emphatically claim their systems have never been hacked (to their knowledge) and that they use so-called “military grade” security (whatever that actually means).  Members of our technical team have been deeply involved in cyber-security for decades. We can say with confidence that no security on the Internet is absolute, assured, or guaranteed.  So when it comes to moving cast ballots via the Internet, the security issues are real and cannot be hand-waved away.  And elections that are run, in any part, over the public Internet pose just too tempting an opportunity for some predator looking to disrupt or even derail a U.S. election.

But, that doesn’t mean elections technologies can’t be improved or be made more digital, and thereby more verifiable, more accurate, and more transparent. That’s exactly what the TrustTheVote Project is all about.

The open-source software and standards that we are developing and advocating will make online voter registration, digital poll books (used to check you in at your polling place) and (ultimately) casting and counting ballots better, faster, and more auditable.  And our software is designed to run on ordinary computer hardware – whether that is a tablet, a scanner, or laptop computer.  Adopting the TrustTheVote Project technology means there will no longer be a requirement for election administrators to acquire expensive, proprietary software or hardware with long-term costly service contracts.

Importantly, we believe there are many parts of elections administration that can benefit from digital innovations, which may or may not use the Internet in some way.  And we’re focusing on delivering those innovations.

However, for the foreseeable future, ballot casting and counting can be dramatically improved without needing to involve the Internet.

So, we should be cautious about the phrase “digital voting” in an age when all things digital tend to imply “Internet.”

All that observed, we really like how Plouffe ended his recent Wall Street Journal op-ed: “There are disrupters in every industry… the good ones won’t just apply the best practices of the private sector, but will also innovate and create on their own to meet their unique needs.”

The TrustTheVote Project intends to be one of those disrupters.  We add one tiny nuance: in our case, those “unique needs” are primarily those of our stakeholders—the state, county and city officials who run our elections. We won’t be running elections, they will, but we are thinking as far outside of the typical ballot box as we can when looking for opportunities to make voting easy, convenient, and ideally, a delight.

David Plouffe’s View of the Future of Voting — We Agree and Disagree

David Plouffe, President Obama’s top political and campaign strategist and the mastermind behind the winning 2008 and 2012 campaigns, wrote a forward-looking op-ed [paywall] in the Wall Street Journal recently about the politics of the future and how they might look.

He touched on how technology will continue to change the way campaigns are conducted – more use of mobile devices, even holograms, and more micro-targeting at individuals. But he also mentioned how people might cast their votes in the future, and that is what caught our eye here at the TrustTheVote Project.

Here’s what Plouffe wrote: “More states will inevitably move to online voter registration and perhaps digital voting. There will be resistance…but our voting system won’t remain disconnected forever from the way we are leading the rest of our lives.”

His last statement – that the voting system will come to resemble more our mobile-device-dependent world – is probably true in the long run.  But it’s going to take time, probably more time than we all would like.  Even though we can bank, buy coffee, and get a boarding pass for an airplane via our smart phones, voting by smart phone is more complicated—hugely more complicated.

When you’re banking online, the financial institution has to be able, absolutely, to identify and verify it is you who authorized (or didn’t authorize) a particular transaction (such as a purchase with your bank card at Amazon.com).  But in the world of elections, the election administrator has to be sure, absolutely, that they can never identify you as the person who cast a particular ballot. It’s completely opposite of online banking because of the sacred assurances of voter anonymity and the secret ballot.

Sure, elections officials should verify you as the individual who is checking in to cast a ballot, but once you have been authenticated, the connection with a particular ballot must cease to exist.  And doing that by your smart phone (or any other digital device connected to the Internet) is beyond non-trivial; it’s downright near impossible.

So, there’s a privacy and technology challenge there.  In other words, we need security of the ballot, but we also need privacy of the voter.  And in the digital world there is an opposite (we call it “inverse”) relationship between security and privacy.

Think about an airport and TSA check points.  If you want absolute privacy, you should be able to walk straight to your gate uninhibited.  If you want absolute security, you should not be able to do so until everything about you has been identified and verified as that exact person with an authorized ticket  to board a plane.

If you think about how awful it would be if your online bank account got hacked, imagine if your state’s online voting system was compromised. Not only could the result be suspect, the fact that an election was hacked would undermine voters’ confidence in our democracy.

So smartphone voting might be a ways off. But in the here and now and very near future, the TrustTheVote Project is already delivering on some of Plouffe’s other visions.

Online voter registration, for example, is already being implemented in many states and through third party organizations. The TrustTheVote Project helped Rock The Vote develop its “Rocky” core software, which operates that group’s nationwide online registration. TrustTheVote helped Virginia implement its online voter registration and our technology powers the search part of the Virginia site, which lets you know if you’re already registered, are at the right polling place, and that your address is up to date. This was all developed with TrustTheVote Project open-source technology that all states and localities can adopt and adapt.

And we’re underway on other innovations—like apps to help you figure out the best time to go to your polling place and apps to help you “check in” to vote, just like you download and print a boarding pass for your flight.

So to David Plouffe, yes elections and campaigns will change in the future.  But it will come step by step and not by a big bang of smartphone voting.