Tagged voting

NBC News, Voting Machines, and a Grandmother’s PC

 

I’d like to explain more precisely what I meant by “your grandmother’s PC” in the NBC TV Bay Area’s report on election technology. Several people thought I was referring to voting machines as easily hacked by anyone with physical access, because despite appearances:

Voting machines are like regular old PCs inside, and like any old PC …

  • … it will be happy to run any program you tell it to, where:
  • “You” is anyone that can touch the computer, even briefly, and
  • “Program” is anything at all, including malicious software specially created to compromise the voting machine.

That’s all true, of course, as many of us have seen recently in cute yet fear mongering little videos about how to “hack an election.” However, I was referring to something different and probably more important: a regular old PC running some pretty basic windows-XP application software, that an election official installed on the PC in the ordinary way, and uses in the same way as anything else.

That’s your “grandmother’s PC,” or in my son’s case, something old and clunky that looks a exactly like the PC that his grandfather had a decade plus ago – minus some hardware upgrades and software patches that were great for my father, but for voting systems are illegal.

But why is that PC “super important”? Because the software in question is the brains behind every one of that fleet of voting machines, a one stop shop to hack all the voting machines, or just fiddle vote totals after all those carefully and securely operated voting machines come home from the polling places. It’s an “election management system” (EMS) that election officials use to create the data that tells the voting machines what to do, and to combine the vote tally data into the actual election results.

That’s super important.

Nothing wrong with the EMS software itself, except for the very poor choice of creating it to run on a PC platform that by law is locked in time as it was a decade or so ago, and has no meaningful self-defenses in today threat environment. As I said, it wasn’t a thoughtful choice – nobody said it would be a good idea to run this really important software on something as easily hacked as anyone’s grandparent’s PC. But it was a pragmatic choice at the time, in the rush to the post-hanging-chads Federally funded voting system replacement derby. We are still stuck with the consequences.

It reminds me of that great old radio show, Hitchhiker’s Guide to the Galaxy, where after stealing what seems like the greatest ship in the galaxy, the starship Heart of Gold, our heroes are stuck in space-time with Eddie Your Ship-Board Computer, “ready to get a bundle of kicks from any program you care to run through me.” The problem, of course, is that while designed to do an improbably large number of useful things, it’s not able to do one very important thing: steer the ship after being asked to run a program to learn why tea tastes good.

Election management systems, voting machines, and other parts of a voting system, all have an individual very important job to do, and should not be able to do anything else. It’s not hard to build systems that way, but that’s not what’s available from today’s 3 vendors in the for-profit market for voting systems, and services to operate them to assist elections officials. We can fix that, and we are.

But it’s the election officials, many many of them public servants with a heart of gold, that should really be highlighted. They are making do with what they have, with enormous extra effort to protect these vulnerable systems, and run an election that we all can trust. They deserve better, we all deserve better, election technology that’s built for elections that are Verifiable, Accurate, Secure, and Transparent (VAST as we like to say). The “better” is in the works, here at OSET Institute and elsewhere, but there is one more key point.

Don’t be demoralized by the fear uncertainty and doubt about hacking elections. Vote. These hardworking public servants are running the election for each of us, doing their best with what they have. Make it worth something. Vote, and believe what is true, that you are an essential part of the process that makes our democracy to be truly a democracy.

— John Sebes

The D.C. Pilot Project: Facts vs. Fictions – From Our Viewpoint

The TrustTheVote Project of the Open Source Digital Voting (OSDV) Foundation achieved another important milestone two weeks ago this morning, this time with the District of Columbia Board of Elections and Ethics, although not without some controversy.  The short of it is, and most important to us, the Foundation has been given the opportunity to put real open source elections software into a production environment for a real public election.  But it turns out that milestone is struggling to remain visible.

[Note: this is a much longer post than I would prefer, but the content is very important to explain a recent announcement and our role.]

I’ve waited to launch a discussion in this forum in order to let the flurry of commentaries calm on the news.  Now we need to take the opportunity to speak in own voice, rather than the viewpoint of  journalists and press releases, and provide insight and reality-checks from the authoritative source about what we’re up to: Us. For those of you who have not read any of this news, here is a sample or two.  The news is about the District of Columbia is implementing a Pilot program to digitally deliver ballot to a group of qualified overseas voters, and accept digitally returned ballots from them.  (Actually, D.C. already has accepted digitally returned ballots via Fax and eMail.)  So, the headline might be:

District of Columbia to Launch Pilot Program to benefit Overseas & Military Voters with Digital Distance Balloting Solution Using Open Source Software from Non-Profit Voting Technology Group.”

I believe that is as simple and factual as it gets, and IMHO a fair headline.  However, here are two alternative headlines, depending on your view, interests, or issues:

  1. Open Source Voting Project Succeeds in Production Deployment of New Transparent and Freely Available Elections Technology.”
    -or-
  2. OSDV Foundation Advances Misguided Cause of Internet Voting, Despite Well Settled Dangers, Putting Election Integrity at Risk.”

If you follow our work or have read our statement on these topics before, then you recognize the headline #1 is where our interests and intentions are focused. Over the past two weeks, though, we’ve received plenty of feedback that some believe that headline #2 is the real and unfortunate news, undermining the efforts of those who tirelessly work for elections integrity. Well, that is not what we intended to do. But we do need to do a better job at communicating our goals, as the facts unfold about the project. So, let me back up a bit and start  an explanation of what we are really doing and what are real intentions are.

But first let me make the following statement, repeating for the record our position on Internet voting:

The Open Source Digital Voting Foundation does not advocate the general use of the public Internet for the transaction of voting data.  The technical team of the TrustTheVote Project strongly cautions that no Internet-based system for casting, let alone counting, of ballots can be completely secure, nor can a voter’s privacy be ensured, or the secrecy of their ballot protected.

We do not recommend replacing current voting systems by adopting Internet Voting systems. However, we think that there may be a use case in which Internet-based ballot return may be the only course of last resort for rapid delivery of a ballot in time to be counted. That case is the very limited situation of an overseas or military voter who believes that they may be disenfranchised unless they rely on a digital means to return their marked ballot, because physical means are not timely or not available. That is the situation that we genuinely believe is being restrictively addressed in the D.C. Pilot project that we are participating.

And to be crystal clear: OSDV’s role is supplying technology.  The District’s Board of Elections and Ethics is running the show, along withe the District’s I.T. organization. But why did we chose this role? The success of the TrustTheVote Project is predicated on accomplishing three steps to delivering publicly owned audit-ready, transparent voting technology:

  1. Design;
  2. Development; and
  3. Deployment.

Design.  We are employing a public process that engages a stakeholder community comprised of elections officials and experts.  We cannot design on our own and expect what we come up with will be what will work.  It is, and must be, a framework of technology components in order to be adoptable and adaptable to each jurisdiction that chooses to freely acquire and deploy the Project’s work. None of the TV Framework specifically addresses any transport means of ballot data.   The Framework voting systems architecture includes accessible ballot marking (“ABM”) devices, optical scanners for paper ballot marked by hand or ABM, and tabulators.  The Framework elections management services architecture includes EMS components, poll books, and ballot design studio.

Development.  We are employing an open source method and process, somewhat modified and similar in structure to how the Mozilla Foundation manages development of their open source software – with a core team that ensures development continuity and leadership, complemented by a team of paid and volunteer contributors.  And the development has to be open, to go along with the open design process, and open testing, delivering on the commitment to building election technology that anyone can see, touch, and try.  We’re developing for the four legs of integrity: accuracy, transparency, trust, and security.

Deployment. But “open source” at the Foundation is also about distribution for deployment.  As we’ve said before, the  OSDV Public License, based on our “cousin’s” license, the Mozilla Public License, meets the special needs of government licensee.  And in so doing we avail the source code, and where required, resources (in exchange for a development grant to the Foundation) to make the necessary refinements and modifications to enable the adopting jurisdiction to actually deploy this open source technology.  The deployment will generally be managed by a new type of commercial player in the elections technology sector: the systems integrator who will provide qualified commodity hardware, with the Project’s software, and the services to stand it up and integrate it with other jurisdiction’s IT infrastructure where required.

Motivation
One critic has asked, “Why would you agree to support any project that uses the Internet in elections or voting?”  Our motivation for working with the District of Columbia is all about the third “D” – Deployment.   All of our efforts are merely academic, unless stakeholders who have contributed to the specifications actually adopt the resulting open source technology as an alternative to buying more proprietary elections technology, when the opportunity arises to replace or enhance their current solutions.

Now, what about that “Internet” element?

The District of Columbia Board of Elections & Ethics (B.O.E.E) was in search of a solution to enhance their compliance with the MOVE Act.  Of course, people in many election jurisdictions were asking:

If I can deliver the blank ballot and reduce the cycle time for qualified overseas voters, then why shouldn’t we go all the way and facilitate digital return of the marked ballot?

Well, there’s a host of reasons why one shouldn’t do that.  For one quick example: our valued strategic technology partner collaborating with us on data standards, the Overseas Vote Foundation, not only offers digital blank ballot delivery, but  also have renewed their courier services through the assistance of the US Postal Service and FedEx to ensure that the Military voters’ marked ballots can, in fact, make it back in time.   But on the other hand, there is an unfortunate reality that once the digital path is open, OVF, US Mails, or FedEx notwithstanding, jurisdictions will explore leveraging the Net; its happening already in several locations.  That does not make it right or preferable, but it does make it a reality that we need to address.

So, the District at least – at our encouragement dating back to March in Munich – heard our encouragement to explore options, but they did have some requirements.

Specifically, they wanted to conduct a Pilot of a solution that might be a better alternative to accepting returned marked ballots as eMail attachments or Faxed marked ballots exclusively for their overseas and military voters.  And particularly unique to their requirements was – to our delight – a fully transparent open source software solution with unbridled ownership of the resulting source code for all elements of the Pilot solution.  That, of course, is in complete harmony with our charter and mission.

Again, for those readers who know us, and understand our motivations and position on the Internet issue, you can understand our acute focus on the opportunity to deploy open source elections administration software in a real election setting. In the after-glow of this real possibility, and drilling into the details of how the ballot design studio could work for this, we realized we needed to get back to grappling with this digital ballot return detail of the Pilot project.

Initially, we were definitely concerned about how to approach this aspect of the Pilot, since we’ve been clear about our position on the use of the Internet.  But to be frank, with the prospect that the District could simply turn to commercial proprietary Internet voting systems vendors, we felt we had to help find an alternative open source approach for the limited purpose of this Pilot. We encouraged the B.O.E.E. to find an alternative means to digitally return the ballot, but neither by deploying Internet voting products, nor by continuing to rely on Fax or eMail attachments in the clear.  In return, they asked for our help in figuring out how they could implement a solution that worked with real ballot and attestation documents as digital artifacts, which could be transported on an encrypted channel.  This could be better than eMail to be sure, but still using public packet-switched networks.

We turned to several of our technical advisers and convened a meeting to discuss how B.O.E.E and OCTO could approach a digital vote-by-mail Pilot to explore this approach to improving on eMail attachments or Fax’d returns.  The meeting was frank, open, and rather than continuing the rhetoric of avoidance, we witnessed a bunch of stalwarts in information security express concerns, suggest points of mitigation, and brain storm on the possibilities.  And several were kicked around, but tossed aside for want of either acceptable user experience, cost limitations, or operational practicality.  A straw man solution was framed and members of the Core Team went off to refine it knowing that there were aspects that they simply could not address with this Pilot.  Perhaps the most important Pilot parameter: this could not and would not be an exercise to completely assess and determine solutions to all of the known vulnerabilities of securing a voting transaction over a public network.

But it was agreed that a “digital vote-by-mail” process – with the known vulnerabilities and constraints – could be a “worked example” that simply was not what proprietary commercial vendors are selling. And, it was realized that such a solution could not and should not claim any victory in improved security or privacy – no such reality can exist in this solution.

And folks, that is simply and honestly the extent to which we were and are treating this: a “worked example” to serve as a vehicle for voices on all sides of the argument to train their attention in assessing, testing, and determining the viability of such an approach strictly for those overseas and military voters.

One could say the Foundation took a calculated risk: that in order to achieve the larger goal of deploying open source elections technology into a real production environment (a first, and hopefully ground breaking step), we would have to accept that our Stakeholder, B.O.E.E would use the Internet to transport a ballot and attestation document pair using the best possible techniques currently available – HTTPS and standard encryption tools.  And at some measure, at least they had chosen not to pursue a commercial proprietary Internet voting solution, given their steadfast requirement of open source software and maximum transparency.

To my activist colleagues I offer this: we’re giving you a worked example on which to build your arguments against digital transport.  Please do so! We’re with you, believe it or not.  Very frankly, I’d be happy to support some initiative to severely restrict the use of public packet switched networks for transacting voting data.

I want to (re)focus the Project’s attention on the reason a few of us gave up our paying jobs some four years ago: to build a non-profit solution to restore trust in the computers used in the various processes of casting and counting votesWe don’t advocate iVoting.  We do advocate accuracy, transparency, trust, and security in the use of computers in elections and intend to keep working on that open source framework. We do believe limited Pilots are worth it for the special use case of UOCAVA voters,  if such a Pilot can fuel an intellectually honest debate and/or initiatives to resolve the concerns, or end the use of the Net altogether in this regard.  We think the District of Columbia’s Pilot is such a worked example.

OK, this went way over my intended length, but in the spirit of transparency its important we explain what’s been underway for the past several weeks from an authoritative source: Us. In the next installment on this topic, we will discuss more details on the technology we’ll provide for the District’s Pilot, and reiterate our concerns, but also consider the potential of the open source movement in public elections systems.

Thanks for reading.
Greg Miller

Why Publish Ballots?

I’d like to thank Eric Rescorla for making an excellent and pithy point about the purpose of publishing images of  marked ballots.  But first, thanks (again) to Mitch Trachtenberg of the Humboldt Transparency Project for publishing a hand-picked set of ballot images that provide a great example of the difficult borderline cases of interpreting hard-marked paper ballots — whether it is a human or some software doing the interpreting.  Ballot publication can show how much of a given election result actually depended on these borderline cases.

Eric made a broader point that is so widely misunderstood that it truly merits repetition:

The main point of publishing ballot images  is to allow people to independently verify that the images published correspond to the votes recorded for those images.

True, but verification requires more than ballot images – it requires that each image is published along with information about how that ballot’s marks were interpreted as votes that were counted.  I cringe every time somebody talks about ballot image publication as though it were just posting some JPEGs on a Web site.

By viewing the images plus these “cast ballot records“, members of the public can look at a ballot image and decide for themselves whether they think its votes were interpreted correctly — and if not, whether the putative mistakes are enough to effect the outcome of a race.

And just as important, consider the cases where an election official is involved in deciding an ambiguous mark – particularly at large scales such as with vote-by-mail.  As a result, broader transparency requires that the election process maintain audit records of these decisions, in case they need to be re-visited.

So, sure, the publication of images alone is helpful for transparency, but Mitch’s examples show how much interpretive leeway there can be. And in close elections, that leeway can influence whether a recount is required, or even influence an election result. So it’s just as important to maintain and publish cast-ballot records, audit records, and the like.

But that is a lot of work!

And often is not feasible with current voting systems and election management technology. It’s actually quite a job to maintain and publish all this information in a form useful to members of the public – a job that we’re working on at the TrustTheVote Project of course, by building all of our election technology system components with the “Save Everything” principle.

— EJS

Barbara Simons on Voter Registration

We have a special treat today with a guest blog from Barbara Simons, an eminent computer scientist who is on the Board of Advisors of the U.S. Election Assistance Commission. (More on Barbara: her bio.) She has an excellent account of part of the story about where voter registration came from, and why it is controversial that U.S. citizens must proactively request permission to vote, and then pass muster w.r.t. eligibility requirements as evaluated by an election official.  The controversy, in a nutshell, is that registration can be a way of preventing people from voting, including via the practice of disenfranchising felons.  So where did the practice of registration, and the controversy, come from? Barbara: take it away …

[Ed. Note:  The following commentary from Barbara Simons incorporates for referential, historical, and explanatory purposes only quotations that by any standard today would be considered controversial, inappropriate, and simply reprehensible.  They are only quotes pulled from history to explain the point and are not the opinions or positions of Ms. Simons, the TrustTheVote Project, or the OSDV Foundation.]

Felon disenfranchisement was introduced in the South after the Civil War as a way of disenfranchising the newly freed slaves. Southern whites even invented new felonies that were applied almost exclusively to African Americans. Here are some quotes from that era.

From a Mississippi Supreme Court decision upholding the state’s disenfranchisement law (Ratliff v. Beale): “The [constitutional] convention swept the circle of expedients to obstruct the exercise of the franchise by the negro race.  By reason of its previous condition of servitude and dependence, this race had acquired or accentuated certain peculiarities of habit, of temperament and of character, which clearly distinguished it, as a race, from that of the whites — a patient docile people, but careless, landless, and migratory within narrow limits, without aforethought, and its criminal members given rather to furtive offenses than to the robust crimes of the whites.  Restrained by the federal constitution from discriminating against the negro race, the convention discriminated against its characteristics and the offenses to which its weaker members were prone.”

The following is from John Field Bunting, who introduced disenfranchisement legislation in Alabama in 1901: “The crime of wife-beating alone would disqualify sixty percent of the Negroes.” Perhaps the bluntest acknowledgment of the purpose of the felon disenfranchisement laws was provided by Carter Glass, a delegate to the Virginia Constitutional Convention in 1902.  Glass stated that Virginia’s felony disenfranchisement scheme

… will eliminate the darkey as a political factor in this State in less than 5 years, so that in no single county will there be the least concern felt for the complete supremacy of the white race in the affairs of government.

The end of Reconstruction marked the beginning of disenfranchisement for the newly freed slaves.  In the South during the Jim Crow era that followed, African Americans were prevented from registering by a combination of poll taxes, literacy tests, felon disenfranchisement, and threatened or real violence.  For example, there were 130,334 African American voters in Louisiana in 1896, but only 1,342 in 1904.

According to “Registration of Voters in Louisiana”: “Six pages of [the Constitution of 1898] are devoted to suffrage and elections.  The object of the convention was, of course, to establish white supremacy by reducing the number of Negroes voting to a minimum.  The qualifications to vote as well as

the entire system of registration were written in such a way that most Negroes could be disenfranchised.

Other clauses were incorporated to permit the poor white to vote and yet not admit the Negro to the ballot.”

Felon disenfranchisement laws still have a disproportionate impact on African Americans.  Only Maine and Vermont (both of which have small African American populations) have no felon disenfranchisement laws.  Felons can vote from prison in those states.  Southern states are disproportionately represented among states with the extensive felon disenfranchisement laws, as are states with large non-white prison populations.  African American males have been significantly impacted, with roughly one in six disenfranchised in the early 21 century because of felony convictions.

It seems likely that if the U.S. didn’t engage in felon disenfranchisement that a number of election results, including at the presidential level, would have had different outcomes. The U.S. is the only democracy that has lifetime felon disenfranchisement.  We are still living with the legacy of slavery.

Barbara Simons

PS: Thanks again to Barbara for a valuable history lesson of background for our work at TTV to  include registration as a legally required part of a broader effort voter record management technology, that also includes some of the changes contemplated by the “election modernization” efforts in Congress.  — John Sebes, CTO TrustTheVote Project

Trusting Neither People, Paper, or Computers: Hybrid Voting Scheme

In a previous posting, I referred to paper ballots as part of a recipe for election procedures that provide provide integrity and assurance by not relying solely on either computers or people to operate perfectly. As promised, here is some more info, especially important because there seems to be an increasing trend towards a "hybrid" style of election operations with both paper ballots and a variant of computerized voting.

Read more

Re-inventing How America Votes — Now More Relevant Than Ever

In a previous post, I noted two things we’ve learned from this election. The first (and subject of that post) is to what extent the Internet has changed the way elections are conducted. The second, and the focus here, is to what extent the election taught us anything about the need to re-invent HOW America votes.

In the past two days, I’ve been asked several times whether the election, as it turned out, reduces the importance of our Project or not. Seriously.

Read more

House Panel OKs “Voting Paper Trail” Bill

I thought that today’s news about e-voting and legislation is notable as an example of the way voting technology and policy interact in our unique U.S. voting system.

First, what was Congress working on? Crafting legislation about elections; one bill to authorize payments to states for efforts to put in place paper ballots or paper audits for the November 2008 election, and another that effectively over-rules 21 states’ regulations requiring a voter to have a valid "excuse" to qualify for an absentee ballot (a.k.a. vote by mail).

Read more