Tagged digital voting

Dismantling Federal Assistance to US Elections — The Freeze/Thaw Cycle

Last time I wrote in this series on the EAC being dismantled, I used the metaphor of freezing and thawing to describe not only how the EAC’s effectiveness has been limited, but also the consequence:

We now have voting systems that have been vetted with standards and processes that are almost as Jurassic as the pre-Internet era.

This time I need to support my previous claims by explaining the freeze/thaw cycle in more detail, and connecting it to the outcome of voting systems that are not up to today’s job, as we now understand it, post-2016.

The First Try

EAC’s first try at voting system quality started after the year 2000 election hanging chad debacle, and after the Help America Vote Act (HAVA) designed to fix it. During the period of 2004 to 2006, the EAC was pretty busy defining standards and requirements (technically “guidelines” because states are not obligated to adopt them) for the then-next-gen of voting systems, and setting up processes for testing, review, and certification.

That first try was “good enough” for getting started on a way out of the hanging chad morass, but was woefully inadequate in hindsight. A beginning of a second try resulted in the 2007 recommendations to significantly revise the standards, because the hindsight then showed that the first try had some assumptions that weren’t so good in practice. My summary of those assumptions:

  • Electronic Voting Machines (EVMs) were inherently better than paper-based voting, not just for accessibility (which is a true and important point) but also for reliability, accuracy, and many other factors.
  • It’s OK if EVMs are completely paperless, because we can assume that the hardware and software will always make an accurate and permanent digital record of every voter’s choice.
  • The then-current PC technology was good enough for both EVMs and back-office systems, because that PC tech was good enough for desktop computing.
  • Security and quality are important, and can be “legislated” into existence by written standards and requirements, and a test process for evaluating whether a voting system meets those requirements.

Even in 2007, and certainly even more since then, we’ve seen that what these assumptions actually got us was not what we really wanted. My summary of what we got:

  • Voting machines lacking any means for people to cross-check the work of the black-box hardware and software, to detect malfunctions or tampering.
  • Voting machines and back-office systems that election officials can only assume are unmodified, un-tampered copies of the certified systems, but can’t actually validate.
  • Voting machines and back-office systems based on decades-old PC technology, with all the security and reliability limitations thereof, including the ready ability of any software to modify the system.
  • Voting system software that passed testing, but when opened up for independent review in California and in Ohio, was found to be rife with security and quality problems.

Taken together, that meant that election tech broadly was physically unreliable, and very vulnerable, both to technological mischance and to intentional meddling. A decade ago, we had much less experience than today with the mischances that early PC tech is prone to. At the time, we also had much less sensitivity to the threats and risks of intentional meddling.

Freeze and Thaw

And that’s where the freeze set in. The 2007 recommendations have been gathering dust since then. A few years later, the freeze set in on EAC as well, which spent several years operating without a quorum of congressionally approved commissioners, and not able to change much – including certification standards and requirements.

That changed a couple years ago. One of the most important things that the new commissioners have done is to re-vitalize the process for modernizing the standards, requirements, and processes for new voting systems. And that re-vitalization is not a moment too soon, just as most of the nation’s states and localities have been replacing decaying voting machines with “new” voting systems that are not substantially different from what I’ve described above.

That’s where the huge irony lies – after over a decade of inactivity, the EAC has finally gotten its act together to try to become an effective voting system certification body for the future — and it is getting dismantled.

It is not just EAC that’s making progress. EAC works with NIST, and a Technical Guidelines Working Group (TGWC), and many volunteers from many organizations (including ours) that are working in several groups focused on helping the TGWC. We’ve dusted off the 2007 recommendations, which address how to fix at least some of those consequences I listed above. We’re writing detailed standards for interoperability, so that election officials have more choice about how to acquire and operate voting tech. I could go on about the range of activity and potential benefits, but the point is, there is a lot that is currently a-building that is poised to be frozen again.

A Way Forward?

I believe that it is vitally important, indeed a matter of national security, that our election tech makes a quantum leap forward to address the substantial issues of our current threat environment, and the economic and administrative environment that our hardworking election officials face today.

If that’s to happen, then we need a way to not get frozen again, even if the EAC is dismantled. A look at various possible ways forward will be the coda for this series.

— EJS

The Myth of Technologist Suppression of Internet Voting

I’ve got to debunk a really troubling rumor. It’s about Internet voting, or more specifically, about those who oppose it. Longtime readers will recall that Internet voting is not one of the favorite topics here, not because it isn’t interesting, but because there are so many more nearer-term low-effort ways to use tech to improve U.S. elections. However, I’ve heard this troubling story enough times that I have to debunk it today, and return to more important topics next time.

Here’s the gist of it: there is a posse of respectable computer scientists, election tech geeks, and allies who are:

  • Unalterably opposed to Internet voting, forever, and
  • Lying about i-voting’s feasibility in order to prevent its use as a panacea for increased participation and general wonderfulness, because they have a hidden agenda to preserve today’s low-participation elections.

I have to say, simply: no. I’ve been in this pond for long enough to know just about every techie, scientist, academic, or other researcher who understands both U.S. elections and modern technology. We all have varying degrees of misgivings about current i-voting methods, but I am confident that every one of these people stands with me on these 4 points.

  1. We oppose the increased use of i-voting as currently practiced.
  2. We very much favor use of the Internet for election activities of many kinds, potentially nearly everything except returning ballots; many of us have been working on such improvements for years.
  3. We strongly believe and support the power of invention and R&D to overcome the tech gaps in current i-voting, despite believing that some of the remaining issues are really* hard problems.
  4. We strongly believe that i-voting will eventually be broadly used, simply because of demand.

We all share a concern that if there is no R&D on these hard problems, then eventually today’s highly vulnerable forms of i-voting will be used widely, to the detriment of our democracy, and to the advantage of our nation-state adversaries who are already conducting cyber-operations against U.S. elections.

I believe that we need a two-pronged approach: to support the R&D that’s needed, but in the meantime to enable much needed modernization of our existing clunky decaying elections infrastructure, to lay the rails for future new Internet voting methods to be adopted.

Returning to the kooky story … but what about all those Luddite nay-sayers who say i-voting is impossible and that the time for i-voting is “never”? There are none, at least among tech professionals and/or election experts. There is some harsh rhetoric that’s often quoted, but it is against the current i-voting methods, which are indeed a serious problem.

But for the future, the main difference among us is about the little asterisk that I inserted in point 3 above — it means any number of “really” before “hard.” I’m grateful to colleague Joe Kiniry of Galois and of Free&Fair, for noting that our differences are really “just the number of ‘really’ we put before the word ‘hard’.”

— EJS

PS: A footnote about i-voting Luddites and election tech Luddites more broadly. There are indeed some vocal folks who are against the use of technology in elections, for example, those that advocate for a return to hand-counted paper ballots, with no computers used for ballot casting or counting. They do indeed say “never” when it comes to using the Internet for voting, and indeed e-voting as well. But that’s because of personal beliefs and policy decisions, not because of a professionally informed judgment that hard problems in computer science can never be solved. In fact, these anti-tech people are the other end of the spectrum from the folks who so strongly favor i-voting at any cost that they caricature nay-sayers of any kind; both groups use out-of-context quotes about current i-voting drawbacks as a way to shift a conversation to the proposition of “Internet voting, no way, not ever” from the more important but nuanced questions of: Internet voting, not whether, but how?

Accurate Election Results in Michigan and Wisconsin is Not a Partisan Issue

[Image: counties. Courtesy of Alex Halderman, Medium article.]

In the last few days, we’ve been getting several questions that are variations on:

Should there be recounts in Michigan in order to make sure that the election results are accurate?

For the word “accurate” people also use any of:

  • “not hacked”
  • “not subject to voting machine malfunction”
  • “not the result of tampered voting machine”
  • “not poorly operated voting machines” or
  • “not falling apart unreliable voting machines”

The short answer to the question is:

Maybe a recount, but absolutely there should be an audit because audits can do nearly anything a recount can do.

Before explaining that key point, a nod to University of Michigan computer scientists pointing out why we don’t yet have full confidence in the election results in their State’s close presidential election, and possibly other States as well. A good summary is here and an even better explanation is here.

A Basic Democracy Issue, not Partisan

The not-at-all partisan or even political issue is election assurance – giving the public every assurance that the election results are the correct results, despite the fact that bug-prone computers and human error are part of the process. Today, we don’t know what we don’t know, in part because the current voting technology not only fails to meet the three (3) most basic technical security requirements, but really doesn’t support election assurance very well. And we need to solve that! (More on the solution below.)

A recount, however, is a political process and a legal process that’s hard to see as anything other than partisan. A recount can happen when one candidate or party looks for election assurance and does not find it. So it is really up to the legal process to determine whether to do a recount.

While that process plays out let’s focus instead on what’s needed to get the election assurance that we don’t have yet, whether it comes via a recount or from audits — and indeed, what can be done, right now.

Three Basic Steps

Leaving aside a future in which the basic technical security requirements can be met, right now, today, there is a plain pathway to election assurance of the recent election. This path has three basic steps that election officials can take.

  1. Standardized Uniform Election Audit Process
  2. State-Level Review of All Counties’ Audit Records
  3. State Public Release of All Counties Audit Records Once Finalized

The first step is the essential auditing process that should happen in every election in every county. Whether we are talking about the initial count, or a recount, it is essential that humans do the required cross-check of the computers’ work to detect and correct any malfunction, regardless of origin. That cross-check is a ballot-polling audit, where humans manually count a batch of paper ballots that the computers counted, to see if the human results and machine results match. It has to be a truly random sample, and it needs to be statistically significant, but even in the close election, it is far less work than a recount. And it works regardless of how a machine malfunction was caused, whether hacking, manipulation, software bugs, hardware glitches, or anything.

This first step should already have been taken by each county in Michigan, but at this point it is hard to be certain. Though less work than a recount, a routine ballot polling audit is still real work, and made harder by the current voting technology not aiding the process very well. (Did I mention we need to solve that?)

The second step should be a state-level review of all the records of the counties’ audits. The public needs assurance that every county did its audit correctly, and further, documented the process and its findings. If a county can’t produce detailed documentation and findings that pass muster at the State level, then alas the county will need to re-do the audit. The same would apply if the documentation turned up an error in the audit process, or a significant anomaly in a difference between the human count and the machine count.

That second step is not common everywhere, but the third step would be unusual but very beneficial and a model for the future: when a State is satisfied that all counties’ election results have been properly validated by ballot polling audit, the State elections body could publicly release all the records of all the counties’ audit process. Then anyone could independently come to the same conclusion as the State did, but especially election scientists, data scientists, and election tech experts. I know that Michigan has diligent and hardworking State election officials who are capable of doing all this, and indeed do much of it as part of the process toward the State election certification.
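An added illustration of the three steps, not code from OSET, TrustTheVote, or any election office: the county runs a ballot-polling audit, and the state or anyone else replays the published record. It goes beyond the post by assuming a BRAVO-style sequential test (which the post does not name) and a hypothetical record layout; the seed string, field names, and ballot list are constructed.

```python
import hashlib


def sample_indices(seed, n_ballots, draws):
    """Ballot positions to pull, derived from a public seed so anyone can re-derive them."""
    picks = []
    for i in range(1, draws + 1):
        digest = hashlib.sha256(f"{seed},{i}".encode()).hexdigest()
        picks.append(int(digest, 16) % n_ballots)  # with replacement; bias negligible
    return picks


def update(t, choice, winner, loser, share):
    """One step of the sequential ratio test: reported share vs. a tie at 0.5."""
    if choice == winner:
        return t * share / 0.5
    if choice == loser:
        return t * (1.0 - share) / 0.5
    return t  # undervotes and other marks carry no evidence either way


def run_audit(paper, winner, loser, share, risk_limit, seed, max_draws):
    """County step: hand-read seeded ballots until the risk limit is met or draws run out."""
    t, sampled, outcome = 1.0, [], "escalate"  # "escalate" = go to a fuller hand count
    for idx in sample_indices(seed, len(paper), max_draws):
        choice = paper[idx]  # stands in for a human interpreting the paper ballot
        sampled.append([idx, choice])
        t = update(t, choice, winner, loser, share)
        if t >= 1.0 / risk_limit:
            outcome = "confirmed"
            break
    return {"seed": seed, "n_ballots": len(paper), "winner": winner, "loser": loser,
            "reported_share": share, "risk_limit": risk_limit, "max_draws": max_draws,
            "sampled": sampled, "outcome": outcome}


def verify_record(rec):
    """State or public step: replay a published record without access to the ballots."""
    idxs = [i for i, _ in rec["sampled"]]
    if idxs != sample_indices(rec["seed"], rec["n_ballots"], len(idxs)):
        return False  # the ballots examined are not the ones the seed selects
    t, crossed_at = 1.0, None
    for k, (_, choice) in enumerate(rec["sampled"], 1):
        t = update(t, choice, rec["winner"], rec["loser"], rec["reported_share"])
        if crossed_at is None and t >= 1.0 / rec["risk_limit"]:
            crossed_at = k
    if crossed_at is not None:
        return crossed_at == len(rec["sampled"]) and rec["outcome"] == "confirmed"
    return len(rec["sampled"]) == rec["max_draws"] and rec["outcome"] == "escalate"


def demo():
    # Constructed contest: 10,000 paper ballots, machine-reported A 5,500 / B 4,400.
    paper = ["A"] * 5500 + ["B"] * 4400 + [""] * 100
    share = 5500 / (5500 + 4400)  # winner's share of the two-candidate vote
    return run_audit(paper, "A", "B", share, 0.05, "constructed-seed-0123456789", 3000)


if __name__ == "__main__":
    rec = demo()
    print(rec["outcome"], "after", len(rec["sampled"]), "ballots; replay ok:", verify_record(rec))
```

The replay needs only the published record, which is why releasing the seed and the per-ballot interpretations lets outside reviewers reach the same conclusion as the state.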

This Needs to Be Solved – and We Are

The fundamental objective for any election is public assurance in the result.  And where the election technology is getting in the way of that happening, it needs to be replaced with something better. That’s what we’re working toward at the OSET Institute and through the TrustTheVote Project.

No one wants the next few years to be dogged by uncertainty about whether the right person is in the Oval Office or the Senate. That will be hard for this election because of the failing voting machines that were not designed for high assurance. But America must say never again, so that in two short years and four years from now, we have election infrastructure in place that was designed from ground-up and purpose-built to make it far easier for election officials to deliver election results and election assurance.

There are several matters to address:

  • Meeting the three basic security requirements;
  • Publicly demonstrating the absence of the vulnerabilities in current voting technology;
  • Supporting evidence-based audits that maximize confidence and minimize election officials’ efforts; and
  • Making it easy to publish detailed data in standard formats, that enable anyone to drill down as far as needed to independently assess whether audits really did the job right.

All that and more!

The good news (in a shameless plug for our digital public works project) is that’s what we’re building in ElectOS. It is the first openly public and freely available set of election technology; an “operating system” of sorts for the next generation of voting systems, in the same way that Android is the basis for much of today’s mobile communication and computing.

— John Sebes

NBC News, Voting Machines, and a Grandmother’s PC

 

I’d like to explain more precisely what I meant by “your grandmother’s PC” in the NBC TV Bay Area’s report on election technology. Several people thought I was referring to voting machines as easily hacked by anyone with physical access, because despite appearances:

Voting machines are like regular old PCs inside, and like any old PC …

  • … it will be happy to run any program you tell it to, where:
  • “You” is anyone that can touch the computer, even briefly, and
  • “Program” is anything at all, including malicious software specially created to compromise the voting machine.

That’s all true, of course, as many of us have seen recently in cute yet fear-mongering little videos about how to “hack an election.” However, I was referring to something different and probably more important: a regular old PC running some pretty basic Windows XP application software, that an election official installed on the PC in the ordinary way, and uses in the same way as anything else.

That’s your “grandmother’s PC,” or in my son’s case, something old and clunky that looks exactly like the PC that his grandfather had a decade plus ago – minus some hardware upgrades and software patches that were great for my father, but for voting systems are illegal.

But why is that PC “super important”? Because the software in question is the brains behind every one of that fleet of voting machines, a one stop shop to hack all the voting machines, or just fiddle vote totals after all those carefully and securely operated voting machines come home from the polling places. It’s an “election management system” (EMS) that election officials use to create the data that tells the voting machines what to do, and to combine the vote tally data into the actual election results.

That’s super important.

Nothing wrong with the EMS software itself, except for the very poor choice of creating it to run on a PC platform that by law is locked in time as it was a decade or so ago, and has no meaningful self-defenses in today’s threat environment. As I said, it wasn’t a thoughtful choice – nobody said it would be a good idea to run this really important software on something as easily hacked as anyone’s grandparent’s PC. But it was a pragmatic choice at the time, in the rush to the post-hanging-chads Federally funded voting system replacement derby. We are still stuck with the consequences.

It reminds me of that great old radio show, Hitchhiker’s Guide to the Galaxy, where after stealing what seems like the greatest ship in the galaxy, the starship Heart of Gold, our heroes are stuck in space-time with Eddie Your Ship-Board Computer, “ready to get a bundle of kicks from any program you care to run through me.” The problem, of course, is that while designed to do an improbably large number of useful things, it’s not able to do one very important thing: steer the ship after being asked to run a program to learn why tea tastes good.

Election management systems, voting machines, and other parts of a voting system, all have an individual very important job to do, and should not be able to do anything else. It’s not hard to build systems that way, but that’s not what’s available from today’s 3 vendors in the for-profit market for voting systems, and services to operate them to assist elections officials. We can fix that, and we are.

But it’s the election officials, many many of them public servants with a heart of gold, that should really be highlighted. They are making do with what they have, with enormous extra effort to protect these vulnerable systems, and run an election that we all can trust. They deserve better, we all deserve better, election technology that’s built for elections that are Verifiable, Accurate, Secure, and Transparent (VAST as we like to say). The “better” is in the works, here at OSET Institute and elsewhere, but there is one more key point.

Don’t be demoralized by the fear, uncertainty, and doubt about hacking elections. Vote. These hardworking public servants are running the election for each of us, doing their best with what they have. Make it worth something. Vote, and believe what is true, that you are an essential part of the process that makes our democracy truly a democracy.

— John Sebes

“Digital Voting”—Don’t believe everything you think

In our most recent blog post we examined David Plouffe’s recent Wall Street Journal forward-looking op-ed [paywall] and rebalanced his vision with some practical reality.

Now, let’s turn to Plouffe’s notion of “digital voting.”  Honestly, that phrase is confusing and vague.  We should know: it catalyzed our name change last year from Open Source Digital Voting Foundation (OSDV) to Open Source Election Technology Foundation (OSET).

Most Americans already use a “digital” machine to cast their ballots, if you mean by “digital” a computer-like device that counts votes electronically, and not by the old pre-2000 methods of punched cards or mechanical levers. What Plouffe probably meant is what elections professionals call iVoting, which is voting via the Internet—and increasingly that implies your mobile device.

Internet voting has not been approved anywhere in the United States for general public use, although Alaska is experimenting in a limited way with members of the military voting in this manner. Norway just stopped its Internet voting experiment. The challenges of iVoting are daunting.

Just think about it: many credit-card companies and several major online merchandisers have been hacked at some point, and all commercial and government web sites face intrusion attempts by the hour. The Department of Defense is continually bombarded by efforts to break-in. And sometimes hackers manage to actually get in and steal stuff. Voting is too important to let it be vulnerable to hacking.

Security of online voting is not yet with us. Sure, a few vendors of online voting technologies will emphatically claim their systems have never been hacked (to their knowledge) and that they use so-called “military grade” security (whatever that actually means).  Members of our technical team have been deeply involved in cyber-security for decades. We can say with confidence that no security on the Internet is absolute, assured, or guaranteed.  So when it comes to moving cast ballots via the Internet, the security issues are real and cannot be hand-waved away.  And elections that are run, in any part, over the public Internet pose just too tempting an opportunity for some predator looking to disrupt or even derail a U.S. election.

But, that doesn’t mean elections technologies can’t be improved or be made more digital, and thereby more verifiable, more accurate, and more transparent. That’s exactly what the TrustTheVote Project is all about.

The open-source software and standards that we are developing and advocating will make online voter registration, digital poll books (used to check you in at your polling place) and (ultimately) casting and counting ballots better, faster, and more auditable.  And our software is designed to run on ordinary computer hardware – whether that is a tablet, a scanner, or laptop computer.  Adopting the TrustTheVote Project technology means there will no longer be a requirement for election administrators to acquire expensive, proprietary software or hardware with long-term costly service contracts.

Importantly, we believe there are many parts of elections administration that can benefit from digital innovations, which may or may not use the Internet in some way.  And we’re focusing on delivering those innovations.

However, for the foreseeable future, ballot casting and counting can be dramatically improved without needing to involve the Internet.

So, we should be cautious about the phrase “digital voting” in an age when all things digital tend to imply “Internet.”

All that observed, we really like how Plouffe ended his recent Wall Street Journal op-ed: “There are disrupters in every industry… the good ones won’t just apply the best practices of the private sector, but will also innovate and create on their own to meet their unique needs.”

The TrustTheVote Project intends to be one of those disrupters.  We add one tiny nuance: in our case, those “unique needs” are primarily those of our stakeholders—the state, county and city officials who run our elections. We won’t be running elections, they will, but we are thinking as far outside of the typical ballot box as we can when looking for opportunities to make voting easy, convenient, and ideally, a delight.

David Plouffe’s View of the Future of Voting — We Agree and Disagree

David Plouffe, President Obama’s top political and campaign strategist and the mastermind behind the winning 2008 and 2012 campaigns, wrote a forward-looking op-ed [paywall] in the Wall Street Journal recently about the politics of the future and how they might look.

He touched on how technology will continue to change the way campaigns are conducted – more use of mobile devices, even holograms, and more micro-targeting at individuals. But he also mentioned how people might cast their votes in the future, and that is what caught our eye here at the TrustTheVote Project.

Here’s what Plouffe wrote: “More states will inevitably move to online voter registration and perhaps digital voting. There will be resistance…but our voting system won’t remain disconnected forever from the way we are leading the rest of our lives.”

His last statement – that the voting system will come to resemble more our mobile-device-dependent world – is probably true in the long run.  But it’s going to take time, probably more time than we all would like.  Even though we can bank, buy coffee, and get a boarding pass for an airplane via our smart phones, voting by smart phone is more complicated—hugely more complicated.

When you’re banking online, the financial institution has to be able, absolutely, to identify and verify it is you who authorized (or didn’t authorize) a particular transaction (such as a purchase with your bank card at Amazon.com).  But in the world of elections, the election administrator has to be sure, absolutely, that they can never identify you as the person who cast a particular ballot. It’s completely opposite of online banking because of the sacred assurances of voter anonymity and the secret ballot.

Sure, elections officials should verify you as the individual who is checking in to cast a ballot, but once you have been authenticated, the connection with a particular ballot must cease to exist.  And doing that by your smart phone (or any other digital device connected to the Internet) is beyond non-trivial; it’s downright near impossible.

So, there’s a privacy and technology challenge there.  In other words, we need security of the ballot, but we also need privacy of the voter.  And in the digital world there is an opposite (we call it “inverse”) relationship between security and privacy.

Think about an airport and TSA check points.  If you want absolute privacy, you should be able to walk straight to your gate uninhibited.  If you want absolute security, you should not be able to do so until everything about you has been identified and verified as that exact person with an authorized ticket  to board a plane.

If you think about how awful it would be if your online bank account got hacked, imagine if your state’s online voting system was compromised. Not only could the result be suspect, the fact that an election was hacked would undermine voters’ confidence in our democracy.

So smartphone voting might be a ways off. But in the here and now and very near future, the TrustTheVote Project is already delivering on some of Plouffe’s other visions.

Online voter registration, for example, is already being implemented in many states and through third party organizations. The TrustTheVote Project helped Rock The Vote develop its “Rocky” core software, which operates that group’s nationwide online registration. TrustTheVote helped Virginia implement its online voter registration and our technology powers the search part of the Virginia site, which lets you know if you’re already registered, are at the right polling place, and that your address is up to date. This was all developed with TrustTheVote Project open-source technology that all states and localities can adopt and adapt.

And we’re underway on other innovations—like apps to help you figure out the best time to go to your polling place and apps to help you “check in” to vote, just like the ones you use to download and print a boarding pass for your flight.

So to David Plouffe, yes elections and campaigns will change in the future.  But it will come step by step and not by a big bang of smartphone voting.

A Northern Exposed iVoting Adventure

Alaska’s extension to its iVoting venture may have raised the interest of at least one journalist for one highly visible publication. When we were asked for our “take” on this form of iVoting, we thought that we should also comment here on this “northern exposed adventure.” (Apologies to those fans of the mid-90s wacky TV series of a similar name.)

Alaska has been among the states that allow military and overseas voters to return marked absentee ballots digitally, starting with fax, then eMail, and then adding a web upload as a 3rd option. Focusing specifically on the web-upload option, the question was: “How is Alaska doing this, and how do their efforts square with common concerns about security, accessibility, Federal standards, testing, certification, and accreditation?”

In most cases, any voting system has to run that whole gauntlet through to accreditation by a state, in order for the voting system to be used in that state. To date, none of the iVoting products have even tried to run that gauntlet.

So, what Alaska is doing, with respect to security, certification, and a host of other things is essentially: flying solo.

Their system has not gone through any certification program (State, Federal, or otherwise that we can tell); hasn’t been tested by an accredited voting system test lab; and nobody knows how it does or doesn’t meet  federal requirements for security, accessibility, and other (voluntary) specifications and guidelines for voting systems.

In Alaska, they’ve “rolled their own” system.  It’s their right as a State to do so.

In Alaska, military voters have several options, and only one of them is the ability to go to a web site, indicate their choices for vote, and have their votes recorded electronically — no actual paper ballot involved, no absentee ballot affidavit or signature needed. In contrast to the sign/scan/email method of return of absentee ballot and affidavit (used in Alaska and 20 other states), this is straight-up iVoting.

So what does their experience say about all the often-quoted challenges of iVoting?  Well, of course in Alaska those challenges apply the same as anywhere else, and they are facing them all:

  1. insider threats;
  2. outsider hacking threats;
  3. physical security;
  4. personnel security; and
  5. data integrity (including that of the keys that underlie any use of cryptography)

In short, the Alaska iVoting solution faces all the challenges of digital banking and online commerce that every financial services industry titan and eCommerce giant spends big $ on every year (capital and expense), and yet they still routinely suffer attacks and breaches.

Compared to those technology titans of industry (Banking, Finance, Technology services, or even the Department of Defense), how well are Alaskan election administrators doing on their shoestring (by comparison) budget?

Good question.  It’s not subject to annual review (like banks’ IT operations audit for SAS-70), so we don’t know.  That also is their right as a U.S. state.  However, the fact that we don’t know does not debunk any of the common claims about these challenges.  Rather, it simply says that in Alaska they took on the challenges (which are large) and the general public doesn’t know much about how they’re doing.

To get a feeling for the risks involved, just consider one point: think about the handful of IT geeks who manage the iVoting servers where the votes are recorded and stored as bits on a disk.  They are not election officials, and they are no more entitled to stick their hands into paper ballot boxes than anybody else outside a county elections office.  Yet, they have the ability (though not the authorization) to access those bits.

  • Who are they?
  • Does anybody really oversee their actions?
  • Do they have remote access to the voting servers from anywhere on the planet?
  • Using passwords that could be guessed?
  • Who knows?

They’re probably competent, responsible people, but we don’t know.  Not knowing any of that, every vote on those voting servers is actually a question mark — and that’s simply being intellectually honest.

Lastly, to get a feeling for the possible significance of this lack of knowledge, consider a situation in which Alaska’s electoral college votes swing an election, or where Alaska’s Senate race swings control of Congress (not far-fetched given Murkowski’s close call back in 2010.)

When the margin of victory in Alaska, for an election result that affects the entire nation, is a low 4-digit number of votes, and the number of digital votes cast is similar, what does that mean?

It’s quite possible that as many digital votes could be cast in the next Alaska Senate race.  If the contest is that close again, think about the scrutiny those IT folks will get.  Will they be evaluated any better than every banking data center investigated after a data breach?  Any better than Target?  Any better than Google or Adobe’s IT management after having trade secrets stolen?  Or any better than the operators of military unclassified systems that for years were penetrated through intrusion from hackers located in China who may likely have been supported by the Chinese Army or Intelligence groups?

Probably not.

Instead, they’ll be lucky (we hope) like the Estonian iVoting administrators, when the OSCE visited back in 2011 to have a look at the Estonian system.  Things didn’t go so well.  OSCE found that one guy could have undermined the whole system.  Good news: it didn’t happen.  Cold comfort: that one guy didn’t seem to have the opportunity — most likely because he and his colleagues were busier than a one-armed paper hanger during the election, worrying about Russian hackers attacking again, after they had previously shut down the whole country’s Internet-connected government systems.

But so far, the current threat is remote, and it is still early days even for small scale usage of Alaska’s iVoting option.  But while the threat is still remote, it might be good for the public to see some more about what’s “under the hood” and who’s in charge of the engine — that would be our idea of more transparency.

<soapbox>

Wandering off the Main Point for a Few Paragraphs
So, in closing I’m going to run the risk of being a little preachy here (signaled by that faux HTML tag above); again, probably due to the surge in media inquiries recently about how the Millennial generation intends to cast their ballots one day.  Lock and load.

I (and all of us here) are all for advancing the hallmarks of the Millennial mandates of the digital age: ease and convenience.  I am also keenly aware there are wing-nuts looking for their Andy Warhol moment.  And whether enticed by some anarchist rhetoric, their own reality distortion field, or most insidious: the evangelism of a terrorist agenda (domestic or foreign) …said wing nut(s) — perhaps just for grins and giggles — might see an opportunity to derail an election (see my point above about a close race that swings control of Congress or worse).

Here’s the deep concern: I’m one of those who believes that the horrific attacks of 9.11 had little to do with body count or the implosions of western icons of financial might.  The real underlying agenda was to determine whether it might be possible to cause a temblor of sufficient magnitude to take world financial markets seriously off-line, and whether doing so might cause a rippling effect of chaos in world markets, and what disruption and destruction that might wreak.  If we believe that, then consider the opportunity for disruption of the operational continuity of our democracy.

It’s not that we are Internet haters: we’re not — several of us came from Netscape and other technology companies that helped pioneer the commercialization of that amazing government and academic experiment we call the Internet.  It’s just that THIS Internet and its current architecture simply was not designed to be inherently secure or to ensure anyone’s absolute privacy (and strengthening one necessarily means weakening the other.)

So, while we’re all focused on ease and convenience, and we live in an increasingly distributed democracy, and the Internet cloud is darkening the doorstep of literally every aspect of society (and now government too), great care must be taken as legislatures rush to enact new laws and regulations to enable studies, or build so-called pilots, or simply advance the Millennial agenda to make voting a smartphone experience.  We must be very careful and considerably vigilant, because it’s not beyond the realm of reality that some wing-nut is watching, cracking their knuckles in front of their screen and keyboard, mumbling, “Oh please. Oh please.”

Alaska has the right to venture down its own path in the northern territory, but it does so exposing an attack surface.  They need not (indeed, cannot) see this enemy from their back porch (I really can’t say of others).  But just because it cannot be identified at the moment, doesn’t mean it isn’t there.

</soapbox>

One other small point:  As a research and education non-profit we’re asked why shouldn’t we be “working on making Internet voting possible?”  Answer: Perhaps in due time.  We do believe that on the horizon responsible research must be undertaken to determine how we can offer an additional alternative by digital means to casting a ballot next to absentee and polling place experiences.  And that “digital means” might be over the public packet-switched network.  Or maybe some other type of network.  We’ll get there.  But candidly, our charge for the next couple of years is to update an outdated architecture of existing voting machinery and elections systems and bring about substantial, but still incremental innovation that jurisdictions can afford to adopt, adapt and deploy.  We’re taking one thing at a time and first things first; or as our former CEO at Netscape used to say, we’re going to “keep the main thing, the main thing.”

Onward
GAM|out

The Root Cause — Long Lines, Late Ballot Counts, and Election Dysfunction in General

I’ve spent a fair bit of time over the last few days digesting a broad range of media responses to last week’s election operations, much of it reaction to President Obama’s “we’ve got to fix that” comment in his acceptance speech. There’s a lot of complaining about the long lines, for example, demands for explanation of them, or ideas for preventing them in the future — and similarly for the difficulty that some states and counties face in finishing the process of counting the ballots. It’s a healthy discussion for the most part, but one that makes me sad because it mostly misses the main point: the root cause of most election dysfunction. I can explain that briefly from my viewpoint, and back that up with several recent events.

The plain unvarnished truth is that U.S. local election officials, taken all together as the collective group that operates U.S. federal and state elections, simply do not have the resources and infrastructure to conduct elections that

  • have large turnout and close margins, preceded by much voter registration activity;
  • are performed with transparency that supports public trust in the integrity of the election being accessible, fair, and accurate.

There are longstanding gaps in the resources needed, ranging from ongoing budget for sufficient staff, to inadequate technology for election administration, voting, counting, and reporting.

Of course in any given election, there are local elections operations that proceed smoothly, with adequate resources and physical and technical infrastructure. But we’ve seen again and again, that in every “big” election, there is a shifting cast of distressed states or localities (and a few regulars), where administrative snafus, technology glitches, resource limits, and other factors get magnified as a result of high participation and close margins. Recent remarks by Broward County, FL, election officials — among those with the most experience in these matters — really crystallized it for me. When asked about the cause of the long lines, their response (my paraphrase) is that when the election is important, people are very interested in the election, and show up in large numbers to vote.

That may sound like a trivial or obvious response, but consider it just a moment more. Another way of saying it is that their resources, infrastructure, and practices have been designed to be sufficient only for the majority of elections that have less than 50% turnout and few if any state or federal contests that are close. When those “normal parameters” are exceeded, the whole machinery of elections starts grinding down to a snail’s pace. The result: an election that is, or appears to be, not what we expect in terms of being visibly fair, accessible, accurate, and therefore trustworthy.

In other words, we just haven’t given our thousands of localities of election officials what they really need to collectively conduct a larger-than-usual, hotly contested election, with the excellence that they are required to deliver, but are not able to. Election excellence is, as much as any of several other important factors, a matter of resources and infrastructure. If we could somehow fill this gap in infrastructure, and provide sufficient funding and staff to use it, then there would be enormous public benefits: elections that are high-integrity and demonstrably trustworthy, despite being large-scale and close.

That’s my opinion anyway, but let me try to back it up with some specific and recent observations about specific parts of the infrastructure gap, and then how each might be bridged.

  • One type of infrastructure is voter record systems. This year in Ohio, the state voter record system poorly served many LEOs who searched for but didn’t find many many registered absentee voters to whom they should have mailed absentee ballots. The result was a quarter million voters forced into provisional voting — where unlike casting a ballot in a polling place, there is no guarantee that the ballot will be counted — and many long days of effort for LEOs to sort through them all. If the early, absentee, and election night presidential voting in Ohio had been closer, we would still be waiting to hear from Ohio.
  • Another type of infrastructure is pollbooks — both paper, and electronic — and the systems that prepare them for an election. As usual in any big election, we have lots of media anecdotes about people who had been on these voter rolls, but weren’t on election day (that includes me by the way). Every one of these instances slows down the line, causes provisional voting (which also takes extra time compared to regular voting), and contributes to long lines.
  • Then there are the voting machines. For the set of places where voting depends on electronic voting machines, there are always some places where the machines don’t start, take too long to get started, break, or don’t work right. By now you’ve probably seen the viral YouTube video of the touch screen that just wouldn’t record the right vote. That’s just emblematic of the larger situation of unreliable, aging voting systems, used by LEOs who are stuck with what they’ve got, and no funding to try to get anything better. The result: late poll opening, insufficient machines, long lines.
  • And for some types of voting machines — those that are completely paperless — there is simply no way to do a recount, if one is required.
  • In other places, paper ballots and optical scanners are the norm, but they have problems too. This year in Florida, some ballots were huge: six pages in many cases. The older scanning machines physically couldn’t handle the increased volume. That’s bad but not terrible; at least people can vote. However, there are still integrity requirements — for example, voters need to put their unscanned ballots in an emergency ballot box, rather than entrust a marked ballot to a poll worker. But those crazy huge ballots, combined with the frequent scanner malfunction, created overstuffed emergency ballot boxes, and poll workers trying to improvise a way to store them. Result: more delays in the time each voter required, and a real threat to the secret ballot and to every ballot being counted.

Really, I could go on for more and more of the infrastructure elements that in this election had many examples of dysfunction. But I expect that you’ve seen plenty already. But why, you ask, why is the infrastructure so inadequate to the task of a big, complicated, close election conducted with accessibility, accuracy, security, transparency, and earning public trust? Isn’t there something better?

The sad answer, for the most part, is not at present. Thought leaders among local election officials — in Los Angeles and Austin just to name a couple — are on record that current voting system offerings just don’t meet their needs. And the vendors of these systems don’t have the ability to innovate and meet those needs. The vendors are struggling to keep up a decent business, and don’t see the type of large market with ample budgets that would be a business justification for new systems and the burdensome regulatory process to get them to market.

In other cases, most notably with voter records systems, there simply aren’t products anymore, and many localities and states are stuck with expensive-to-maintain legacy systems that were built years ago by big system integrators, that have no flexibility to adapt to changes in election administration, law, or regulation, and that are too expensive to replace.

So much complaining! Can’t we do anything about it? Yes. Every one of those and other parts of election infrastructure breakdowns or gaps can be improved, and could, if taken together, provide immense public benefit if state and local election officials could use those improvements. But where can they come from? Especially if the current market hasn’t provided, despite a decade of efforts and much federal funding? Longtime readers know the answer: by election technology development that is outside of the current market, breaks the mold, and leverages recent changes in information technology, and the business of information technology. Our blog in the coming weeks will have several examples of what we’ve done to help, and what we’re planning next.

But for today, let me be brief with one example, and details on it later. We’ve worked with the state of Virginia to build one part of new infrastructure for voter registration, and voter record lookup, and reporting, that meets existing needs and offers needed additions that the older systems don’t have. The VA state board of elections (SBE) doesn’t pay any licensing fees to use this technology — that’s part of what open source is about. They don’t have to acquire the software and deploy it in their datacenter, and pay additional (and expensive) fees to their legacy datacenter operator, a government systems integrator. They don’t have to go back to the vendor of the old system to pay for expensive but small and important upgrades in functionality to meet new election laws or regulations.

Instead, the SBE contracts with a cloud services provider, who can — for a fraction of the costs in a legacy in-house government datacenter operated by a GSI — obtain the open-source software, integrate it with the hosting provider’s standard hosting systems, test, deploy, operate, and monitor the system. And the SBE can also contract with anyone they choose, to create new extensions to the system, with competition for who can provide the best service to create them. The public benefits because people anywhere and anytime can check if they are registered to vote, or should get an absentee ballot, and not wait like in Ohio until election day to find out that they are one in a quarter million people with a problem.

And then the finale, of course, is that other states can also adopt this new voter records public portal, by doing a similar engagement with that same cloud hosting provider, or any other provider of their choice that supports similar cloud technology. Virginia’s investment in this new election technology is fine for Virginia, but can also be leveraged by other states and localities.

After many months of work on this and other new election technologies put into practical use, we have many more stories to tell, and more detail to provide. But I think that if you follow along and see the steps so far, you may just see a path towards these election infrastructure gaps getting bridged, and flexibly enough to stay bridged. It’s not a short path, but the benefits could be great: elections where LEOs have the infrastructure to work with excellence in demanding situations, and can tangibly show the public that they can trust the election as having been accessible to all who are eligible to vote, performed with integrity, and yielding an accurate result.

— EJS

Detours in Election Technology: The “Open” Factor and Mobility

In a recent posting, I recalled the old-fashioned traditional proprietary-IT-think of vendors leveraging their proprietary data for their customers, and contrasted that with election technology where the data is public.

In the “open data” approach, you do not need to have integrated reporting features as part of a voting system or election management system. Instead, you can choose your own reporting system, hook it up to your open database of election data, and mine that data for whatever reports you want. And if you need help, only a few days of a reporting-systems consultant can get you set up quite quickly. The same applies to what we used to call “ad hoc querying” in the olden enterprise IT days, and now might be “data mining”. Well, every report is the result of doing one or more database queries, and formatting the results. When you can do ad hoc creation of a new report template, then an ad hoc query is really just a new report. With the open-data approach, there is no need to buy any additional “modules” from a voting system vendor in order to be able to do querying, reporting, or data mining. Instead, you have ready access to the data with whatever purpose-built tools you choose.

Election Reporting? got an app for that ...

Today, I want to underline that point as applied to mobility, that is, the use of apps on mobile devices (tablets, smart phones, etc.) to access useful information in a quick and handy on-the-go small-screen form factor.  Nowadays, lots of folks want “an app for that” and election officials would like to be able to provide. But the options are not so good. A proprietary system vendor may have an app, but it might not be what you had in mind; and you can’t alter it. You might get a friendly government System Integrator to crack open your proprietary voting system data and write some apps for you, but that is not a cheap route, either.

What, in contrast, is the open route? It might seem a detour to get you where you want to go, but consider this. With open data, there is no constraint on how you use it, or what you use it with. If you use an election management system that has a Web services API, you can publish all that data to the whole world in a way that anyone’s software can access it, including mobile apps, and including all the data, not just what happens to be available in a proprietary product’s Web interface. That’s not just open-source and “open data” but also “complete data.”

Then for some basic apps, you can get friendly open-gov techies to make something simple but effective for starters, and make the app open source. From there on out, it is up to the ingenuity of the tens of thousands of mobile app tinkerers and good government groups (for an example, read about one of them here, and then try the app yourself) to come up with great ideas about how to present the data — and the more options there are, the more election data, the public’s data, gets used for the public good.

I hope that that picture sounds more appealing than closed systems. But to re-wind to Proprietary Election Technology Vendors’ (PETV) offerings to Local Election Officials (LEO), consider this dialogue as the alternative to “open data, complete data.”

LEO: I’d like to get an election data management solution with flexible reporting, ad hoc querying, a management dashboard, a nifty graphical public Web interface, and some mobile apps.

PETV: Sure, we can provide it. We have most of that off the shelf, and we can do some customization work and professional services to tailor it to your needs. Just guessing from what you asked for, that will be $X for the software license, $Y per year for support, $Z for the customization work, and we’ll need to talk about yearly support for the custom stuff.

LEO: Hmmm. Too much for me. Bummer.

PETV: Well, maybe we can cut you a special deal, especially if you lower your sights on that customization stuff.

LEO: Hmmm. Then I’m not really getting all I asked for, but I am getting something I can afford. … But will you all crack open your product’s database with a Web services API so that anybody can write a mobile app for it, for any mobile device in the world?

PETV: Wow! That would be some major customization. I think you’ll find our mobile app is just fine.

LEO: What about cracking open the database so I can use my choice of reporting tools?

PETV: Ah, no, actually, and I think you’ll find our reporting features are really great.

I’ll stop the dialogue (now getting painful to listen to) and actually stop altogether for today, leaving the reader to contrast it with the open-data, complete-data approach of an open election data management system with core functions and features, basic reporting, basic mobility, and above all the open-ness for anyone to data-mine or mobilize the election data that is, in fact, the people’s information.

— EJS

Bedrock 4: Into the Ballot Design Studio

Continuing our Bedrock election story (see parts one, two, and three if you need to catch up), we find the County of Bedrock Board of Elections staff, including design guru Dana Chisel, in the “ballot design studio,” a dusty back room of the BBoE. Chisels in hand, staffers ponder the blank slate, or rather sandstone, of sample ballot slabs on easels. With the candidate and referendum filing periods closed and the election only a couple weeks away, it’s time to make the ballots.

Dana Chisel, design queen of Bedrock

Now, you might think that the ballot consists of the 3 items we know of – the race for Mayor, the race for Quarry Commission, and the question on the quarry fee. However, recall that each precinct in Bedrock County has a distinct set of districts. In this election, each precinct has a distinct ballot with a distinct set of contests corresponding to the districts that the precinct is part of. At a first cut, the contests by precinct are:

  • Downtown-001: the contest for mayor, and the referendum on quarry fees;
  • Quarrytown-002: the contests for mayor and quarry commissioner, and the referendum on quarry fees;
  • QuarryCounty-003: the contest for quarry commissioner, and the referendum on quarry fees;
  • County-004: the referendum on quarry fees.

You’ll note that only Town residents — in Precincts 1 or 2 — are entitled to vote for mayor, while residents of the Mineral District — in Precincts 2 or 4 — are the only voters entitled to vote for Quarry Commissioner. Last, all voters in the county are eligible to vote on county revenue issues such as taxes and fees imposed by the county.

That, plus the list of candidates and the text of the referendum, comprise what might be called the content of each of the 4 ballots, or the ballot configuration. But the ballots themselves need to be designed: the ballot items have to appear in some order, and the candidates likewise; the ballot items have to be arranged in some visual design, vertically or horizontally, with sufficient space between each, fitting the size of ballot slates that they will be etched on … and so on.

Ballot for Precinct 1 in the Bedrock Special Election of 1 April, 1000000 B.C.

So, armed with chisels, the proverbial blank slate, and several tablets stating the legal requirements for contest and candidate order, design guru Dana Chisel marks out a prototype ballot containing all the requisite ballot content, laid out according to usability principles known since the Stone Age (left justified text, instructions separate from content, instructions with simple words along with pictures, and more). After a few tries and consultation with their boss Rocky, they have a design model for each of the 4 ballots. The next steps are usability testing with volunteer voters, and using the results to create the final slabs that serve as the model for each ballot style. Then they’re ready for mass reproduction of ballots for the upcoming election — get those duplidactylsaurs into action!

Now, you might think that they’re ready for election day, but wait there’s more, including the preparation of pollbooks, and then early voting, and then eventually election day operations.

Next time: Pollbooks and Early Voting

— EJS