Tagged e-voting

Vote-Flipping in Pennsylvania is Not the Problem, But Recounts?

The reports of “vote flipping” on voting machines in PA are certainly alarming to the voters using the machines, but it’s unfortunate that there are calls to treat it as a law enforcement issue. It’s a known issue with the decade-or-older flakey touch screens, and one that local election officials deal with in most elections. In some cases it may be user error; in others, a result of poor screen calibration. Sometimes the appearances are even more problematic, as with a mis-recorded straight-party vote, which affects every contest on the ballot.

Though voters and poll workers may disagree on what actually happened in these cases, what’s not controversial is the small scale — about 24 out of 24,000 machines statewide; only one voter affected per machine; and in at least some of these cases, the voter admitted that after some work, they got their votes recorded properly.

So concerns about “rigging” of individual machines is misplaced. Even leaving aside the technical fact that these are electro-mechanical issues — not riggable software — it’s a poor choice for rigging to choose a method that’s apparent to the voters, and in such small numbers.

But suppose that the resolution of the PA election depends in-part on refuting claims of rigging? That these machines have real problems. With no paper trail, there is no way to re-check the voters’ choices. A recount is, in one sense, an exercise in re-doing or rerunning the addition of the vote tallies from each machine. But it’s more complicated than that.

In each county with these paperless touch-screen machines, for each machine, the election officials have to maintain records of custody of the machines and their removable data cartridges, with record-keeping procedures sufficient to withstand substantial challenges. It’s not impossible to refute claims of rigging in these circumstances, but it is grindingly detailed work, and with a lot of grist for the mill of legal challenges.

— John Sebes

More on CyberScoop Coverage of Voting Machine Vulnerabilities

CyberScoop‘s Chris Bing wrote a good summary of the response to Cylance’s poorly timed announcement of old news on voting machine vulnerabilities: Security Firm Stokes Election Hacking Fears.

I have a couple of details to add, but first let me re-iterate that the system in question does have vulnerabilities which have been well known for years, and reference exploits are old news. Sure, Cylance techs did write some code to create a new variant on previous exploits, but as Princeton election security expert Andrew Appel noted, the particular exploit was detectable and correctable, unlike some other hacks.

Regardless of whether Cylance violated the unwritten code of reporting on new vulnerabilities only, and regardless of good intentions vs. fear-mongering effects, the basic premise is wrong.

You can’t expect election officials to modify critical voting systems in response to a blog. In fact, election officials should not be modifying software at all, and should modify hardware only for breakage replacement.

Perhaps the folks at Cylance didn’t know that there are very special and very specific rules for modifying voting systems. Here  are 5 details about how it really works:

  • The hardware and software of voting systems is highly regulated, and modifications can only be done following regulatory review.
  • Even if this were a new vulnerability, and even if there were what some would claim is an easy fix, it would still require the vendor to act, not the election officials. Vendors would have to make the fix, and re-do their testing, then re-engage for testing by an accredited test lab (at the vendor’s expense), and then go back to government certification of the test lab’s finding.
  • Election officials are barred from “patching” or any kind of unsupervised modification. This makes a lot of sense, if you think about it: someone representing the vendor wants to modify these systems, while each of 10,000+ local election bodies is supposed to ensure only the legitimate changes happen? That’s not feasible, even if were legal.
  • Local election officials are required to do pre-election testing for machines’ “logic and accuracy,” and they must not use machines that have not passed such testing, which in some localities must also be signed off by an elections board. Making even a legitimate certified change to a system 4 days before an election would invalidate it for use on election day. Consider early voting! It is really many weeks since modifications of any kind were allowed.
  • So there is no way that a disclosure like this, with this timing, could ever be viewed as responsible by anyone who understands how voting tech is regulated and operated. I expect that it didn’t occur to the Cylance folks that there might be special rules about voting systems that would make disclosures 4 days before, or even 4 weeks before, completely impractical for any benefit. But regardless of a possible upside, it ought to have been clear that there is considerable downside for fear-mongering the integrity of an election a mere days before election day– especially this one.

And that would still be the case if this were a new finding.  Which it isn’t.

Making a new variant exploit on a vulnerability well known for some time is just grandstanding, and most responsible security folks steer clear of that to maintain their reputation.  I can’t fathom why Cylance in this case behaved so at variance with the unwritten code of ethical vulnerability research. I hope it was just impulsive behavior based on a genuine concern about the integrity of our elections.  The alternative would be most unfortunate.

— John Sebes, CTO

NBC News, Voting Machines, and a Grandmother’s PC


I’d like to explain more precisely what I meant by “your grandmother’s PC” in the NBC TV Bay Area’s report on election technology. Several people thought I was referring to voting machines as easily hacked by anyone with physical access, because despite appearances:

Voting machines are like regular old PCs inside, and like any old PC …

  • … it will be happy to run any program you tell it to, where:
  • “You” is anyone that can touch the computer, even briefly, and
  • “Program” is anything at all, including malicious software specially created to compromise the voting machine.

That’s all true, of course, as many of us have seen recently in cute yet fear mongering little videos about how to “hack an election.” However, I was referring to something different and probably more important: a regular old PC running some pretty basic windows-XP application software, that an election official installed on the PC in the ordinary way, and uses in the same way as anything else.

That’s your “grandmother’s PC,” or in my son’s case, something old and clunky that looks a exactly like the PC that his grandfather had a decade plus ago – minus some hardware upgrades and software patches that were great for my father, but for voting systems are illegal.

But why is that PC “super important”? Because the software in question is the brains behind every one of that fleet of voting machines, a one stop shop to hack all the voting machines, or just fiddle vote totals after all those carefully and securely operated voting machines come home from the polling places. It’s an “election management system” (EMS) that election officials use to create the data that tells the voting machines what to do, and to combine the vote tally data into the actual election results.

That’s super important.

Nothing wrong with the EMS software itself, except for the very poor choice of creating it to run on a PC platform that by law is locked in time as it was a decade or so ago, and has no meaningful self-defenses in today threat environment. As I said, it wasn’t a thoughtful choice – nobody said it would be a good idea to run this really important software on something as easily hacked as anyone’s grandparent’s PC. But it was a pragmatic choice at the time, in the rush to the post-hanging-chads Federally funded voting system replacement derby. We are still stuck with the consequences.

It reminds me of that great old radio show, Hitchhiker’s Guide to the Galaxy, where after stealing what seems like the greatest ship in the galaxy, the starship Heart of Gold, our heroes are stuck in space-time with Eddie Your Ship-Board Computer, “ready to get a bundle of kicks from any program you care to run through me.” The problem, of course, is that while designed to do an improbably large number of useful things, it’s not able to do one very important thing: steer the ship after being asked to run a program to learn why tea tastes good.

Election management systems, voting machines, and other parts of a voting system, all have an individual very important job to do, and should not be able to do anything else. It’s not hard to build systems that way, but that’s not what’s available from today’s 3 vendors in the for-profit market for voting systems, and services to operate them to assist elections officials. We can fix that, and we are.

But it’s the election officials, many many of them public servants with a heart of gold, that should really be highlighted. They are making do with what they have, with enormous extra effort to protect these vulnerable systems, and run an election that we all can trust. They deserve better, we all deserve better, election technology that’s built for elections that are Verifiable, Accurate, Secure, and Transparent (VAST as we like to say). The “better” is in the works, here at OSET Institute and elsewhere, but there is one more key point.

Don’t be demoralized by the fear uncertainty and doubt about hacking elections. Vote. These hardworking public servants are running the election for each of us, doing their best with what they have. Make it worth something. Vote, and believe what is true, that you are an essential part of the process that makes our democracy to be truly a democracy.

— John Sebes

A Northern Exposed iVoting Adventure

NorthernExposureImageAlaska’s extension to its iVoting venture may have raised the interests of at least one journalist for one highly visible publication.  When we were asked for our “take” on this form of iVoting, we thought that we should also comment here on this “northern exposed adventure.” (apologies to those fans of the mid-90s wacky TV series of a similar name.)

Alaska has been among the states that allow military and overseas voters to return marked absentee ballots digitally, starting with fax, then eMail, and then adding a web upload as a 3rd option.  Focusing specifically on the web-upload option, the question was: “How is Alaska doing this, and how do their efforts square with common concerns about security, accessibility, Federal standards, testing, certification, and accreditation?

In most cases, any voting system has to run that whole gauntlet through to accreditation by a state, in order for the voting system to be used in that state. To date, none of the iVoting products have even tried to run that gauntlet.

So, what Alaska is doing, with respect to security, certification, and host of other things is essentially: flying solo.

Their system has not gone through any certification program (State, Federal, or otherwise that we can tell); hasn’t been tested by an accredited voting system test lab; and nobody knows how it does or doesn’t meet  federal requirements for security, accessibility, and other (voluntary) specifications and guidelines for voting systems.

In Alaska, they’ve “rolled their own” system.  It’s their right as a State to do so.

In Alaska, military voters have several options, and only one of them is the ability to go to a web site, indicate their choices for vote, and have their votes recorded electronically — no actual paper ballot involved, no absentee ballot affidavit or signature needed. In contrast to the sign/scan/email method of return of absentee ballot and affidavit (used in Alaska and 20 other states), this is straight-up iVoting.

So what does their experience say about all the often-quoted challenges of iVoting?  Well, of course in Alaska those challenges apply the same as anywhere else, and they are facing them all:

  1. insider threats;
  2. outsider hacking threats;
  3. physical security;
  4. personnel security; and
  5. data integrity (including that of the keys that underlie any use of cryptography)

In short, the Alaska iVoting solution faces all the challenges of digital banking and online commerce that every financial services industry titan and eCommerce giant spends big $ on every year (capital and expense), and yet still routinely suffer attacks and breaches.

Compared to the those technology titans of industry (Banking, Finance, Technology services, or even the Department of Defense), how well are Alaskan election administrators doing on their shoestring (by comparison) budget?

Good question.  It’s not subject to annual review (like banks’ IT operations audit for SAS-70), so we don’t know.  That also is their right as a U.S. state.  However, the  fact that we don’t know, does not debunk any of the common claims about these challenges.  Rather, it simply says that in Alaska they took on the challenges (which are large) and the general public doesn’t know much about how they’re doing.

To get a feeling for risks involved, just consider one point, think about the handful of IT geeks who manage the iVoting servers where the votes are recorded and stored as bits on a disk.  They are not election officials, and they are no more entitled to stick their hands into paper ballots boxes than anybody else outside a
county elections office.  Yet, they have the ability (though not the authorization) to access those bits.

  • Who are they?
  • Does anybody really oversee their actions?
  • Do they have remote access to the voting servers from anywhere on the planet?
  • Using passwords that could be guessed?
  • Who knows?

They’re probably competent responsible people, but we don’t know.  Not knowing any of that, then every vote on those voting servers is actually a question mark — and that’s simply being intellectually honest.

Lastly, to get a feeling for the possible significance of this lack of knowledge, consider a situation in which Alaska’s electoral college votes swing an election, or where Alaska’s Senate race swings control of Congress (not far-fetched given Murkowski‘s close call back in 2010.)

When the margin of victory in Alaska, for an election result that effects the entire nation, is a low 4-digit number of votes, and the number of digital votes cast is similar, what does that mean?

It’s quite possible that those many digital votes could be cast in the next Alaska Senate race.  If the contest is that close again,  think about the scrutiny those IT folks will get.  Will they be evaluated any better than every banking data center investigated after a data breach?  Any better than Target?  Any better than Google or Adobe’s IT management after having trade secrets stolen?  Or any better than the operators of military unclassified systems that for years were penetrated through intrusion from hackers located in China who may likely have been supported by the Chinese Army or Intelligence groups?

Probably not.

Instead, they’ll be lucky (we hope) like the Estonian iVoting administrators, when the OCSE visited back in 2011 to have a look at the Estonian system.  Things didn’t go so well.  OCSE found that one guy could have undermined the whole system.  Good news: it didn’t happenCold comfort: that one guy didn’t seem to have the opportunity — most likely because he and his colleagues were busier than a one-armed paper hanger during the election, worrying about Russian hackers attacking again, after they had previously shut-down the whole country’s Internet-connect government systems.

But so far, the current threat is remote, and it is still early days even for small scale usage of Alaska’s iVoting option.  But while the threat is still remote, it might be good for the public to see some more about what’s “under the hood” and who’s in charge of the engine — that would be our idea of more transparency.


Wandering off the Main Point for a Few Paragraphs
So, in closing I’m going to run the risk of being a little preachy here (signaled by that faux HTML tag above); again, probably due to the surge in media inquiries recently about how the Millennial generation intends to cast their ballots one day.  Lock and load.

I (and all of us here) are all for advancing the hallmarks of the Millennial mandates of the digital age: ease and convenience.  I am also keenly aware there are wing-nuts looking for their Andy Warhol moment.  And whether enticed by some anarchist rhetoric, their own reality distortion field, or most insidious: the evangelism of a terrorist agenda (domestic or foreign) …said wing nut(s) — perhaps just for grins and giggles — might see an opportunity to derail an election (see my point above about a close race that swings control of Congress or worse).

Here’s the deep concern: I’m one of those who believes that the horrific attacks of 9.11 had little to do with body count or the implosions of western icons of financial might.  The real underlying agenda was to determine whether it might be possible to cause a temblor of sufficient magnitude to take world financial markets seriously off-line, and whether doing so might cause a rippling effect of chaos in world markets, and what disruption and destruction that might wreak.  If we believe that, then consider the opportunity for disruption of the operational continuity of our democracy.

Its not that we are Internet haters: we’re not — several of us came from Netscape and other technology companies that helped pioneer the commercialization of that amazing government and academic experiment we call the Internet.  Its just that THIS Internet and its current architecture simply was not designed to be inherently secure or to ensure anyone’s absolute privacy (and strengthening one necessarily means weakening the other.)

So, while we’re all focused on ease and convenience, and we live in an increasingly distributed democracy, and the Internet cloud is darkening the doorstep of literally every aspect of society (and now government too), great care must be taken as legislatures rush to enact new laws and regulations to enable studies, or build so-called pilots, or simply advance the Millennial agenda to make voting a smartphone experience.  We must be very careful and considerably vigilant, because its not beyond the realm of reality that some wing-nut is watching, cracking their knuckles in front of their screen and keyboard, mumbling, “Oh please. Oh please.”

Alaska has the right to venture down its own path in the northern territory, but it does so exposing an attack surface.  They need not (indeed, cannot) see this enemy from their back porch (I really can’t say of others).  But just because it cannot be identified at the moment, doesn’t mean it isn’t there.


One other small point:  As a research and education non-profit we’re asked why shouldn’t we be “working on making Internet voting possible?”  Answer: Perhaps in due time.  We do believe that on the horizon responsible research must be undertaken to determine how we can offer an additional alternative by digital means to casting a ballot next to absentee and polling place experiences.  And that “digital means” might be over the public packet-switched network.  Or maybe some other type of network.  We’ll get there.  But candidly, our charge for the next couple of years is to update an outdated architecture of existing voting machinery and elections systems and bring about substantial, but still incremental innovation that jurisdictions can afford to adopt, adapt and deploy.  We’re taking one thing at a time and first things first; or as our former CEO at Netscape used to say, we’re going to “keep the main thing, the main thing.”


TrustTheVote on HuffPost

We’ll be live on HuffPost online today at 8pm eastern:

  • @HuffPostLive http://huff.lv/Uhokgr or live.huffingtonpost.com

and I thought we should share our talking points for the question:

  • How do you compare old-school paper ballots vs. e-voting?

I thought the answers would be particularly relevant to today’s NYT editorial on the election which concluded with this quote:

That the race came down to a relatively small number of voters in a relatively small number of states did not speak well for a national election apparatus that is so dependent on badly engineered and badly managed voting systems around the country. The delays and breakdowns in voting machines were inexcusable.

I don’t disagree, and indeed would extend from flaky voting machines to election technology in general, including clunky voter record systems that lead to many of the lines and delays in polling places.

So the HuffPost question is apposite to that point, but still not quite right. It’s not an either/or but rather a comparison of:

  • old-school paper ballots and 19th century election fraud;
  • old-school machine voting and 20th century lost ballots;
  • old-school combo system of paper ballots machine counting and botched re-counting;
  • new-fangled machine voting (e-voting) and 21st century lost ballots;
  • newer combo system of paper ballots and machine counting (not voting).

Here are the talking points:

  • Old-school paper ballots where cast by hand and counted by hand, where the counters could change the ballot, for example a candidate Smith partisan could invalidate a vote for Jones by adding a mark for Smith.
  • These and other paper ballot frauds in the 19th century drove adoption in the early 20th century of machine voting, on the big clunky “level machines” with the satisfying ka-thunk-swish of the level recording the votes and opening the privacy curtain.
  • However, big problem with machine votingno ballots! Once that lever is pulled, all that’s left is a bunch of dials and counters on the backside being increased by one. In a close election that requires a re-count, there are no ballots to examine! Instead the best you could do is re-read each machine’s totals and re-run the process of adding them all up in case there was an arithmetic error.
  • Also, the dials themselves, after election day but before a recount, were a tempting target for twiddling, for the types of bad actors who in the 19th century fiddled with ballot boxes.
  • Later in the 20th century, we saw a move to a combo system of paper ballots and machine counting, with the intent that the machine counts were more accurate than human counts and more resistant to human meddling, yet the paper ballots remaining for recounts, and for audits of the accuracyof machinery of counting.
  • Problem: these were the punch ballots of the infamous hanging chad.
  • Early 21st century: run from hanging chad to electronic voting machines.
  • Problem: no ballots! Same as before, only this time, the machins are smaller and much easier to fiddle with. That’s “e-voting” but wihout ballots.
  • Since then, a flimsy paper record was bolted on to most of these systems to support recount and audit.
  • But the trend has been to go back to the combo system, this time with durable paper ballots and optical-scanning machinery for counting.
  • Is that e-voting? well, it is certainly computerized counting. And the next wave is computer-assisted marking of paper ballots — particularly for voters with disabilities — but with these machine-created ballots counted the same as hand-marked ballots.

Bottom line: whether or not you call it e-voting, so long as there are both computers and human-countable durable paper ballots involved, the combo provides the best assurance that niether humans nor computers are mis-counting or interfering with voters casting ballots.


PS: If you catch us on HP online, please let us know what you thought!

Detours in Election Technology: The “Open” Factor and Mobility

In a recent posting, I recalled the old-fashioned traditional proprietary-IT-think of vendors leveraging their proprietary data for their customers, and contrasted that with election technology where the data is public.

In the “open data” approach, you do not need to have integrated reporting features as part of a voting system or election management system. Instead, you can choose your own reporting system, hook it up to your open database of election data, and mine that data for whatever reports you want. And if you need help, only a few days of a reporting-systems consultant can get you set up quite quickly. The same applies to what we used to call “ad hoc querying” in the olden enterprise IT days, and now might be “data mining”. Well, every report is the result doing one or more database queries, and formatting the results. When you can do ad hoc creation of new report template, then an ad hoc query is really just a new report. With the open-data approach, there is no need to buy any additional “modules” from a voting system vendor in order to be able to do querying, reporting, or data mining. Instead, you have ready access to the data with whatever purpose-built tools you choose.

Election Reporting? got an app for that ...

Election Reporting? got an app for that ...

Today, I want to underline that point as applied to mobility, that is, the use of apps on mobile devices (tablets, smart phones, etc.) to access useful information in a quick and handy on-the-go small-screen form factor.  Nowadays, lots of folks want “an app for that” and election officials would like to be able to provide. But the options are not so good. A proprietary system vendor may have an app, but it might not be what you had in mind; and you can’t alter it. You might get a friendly government System Integrator to crack open your proprietary voting system data and write some apps for you, but that is not a cheap route, either.

What, in contrast, is the open route? It might seem a detour to get you where you want to go, but consider this. With open data, there is no constraint on how you use it, or what you use it with. If you use an election management system that has a Web services API, you can publish all that data to the whole world in a way that anyone’s software can access it– including mobile apps– including all the data, not just what happens to be available in proprietary product’s Web interface. That’s not just open-source and “open data” but also “complete data.”

Then for some basic apps, you can get friendly open-gov techies to make something simple but effective for starters, and make the app open source. From there on out, it is up to the ingenuity of the tens of thousands of mobile app tinkerers and good government groups (for an example, read about one of them here, and then try it the app yourself) to come up great ideas about how to present the data — and the more options there are, the more election data, the public’s data, gets used for the public good.

I hope that that picture sounds more appealing than closed systems. But to re-wind to Proprietary Election Technology Vendors’ (PETV) offerings to Local Election Officials (LEO), consider this dialogue as the alternative to “open data, complete data.”

LEO: I’d like to get an election data management solution with flexible reporting, ad hoc querying, a management dashboard, a nifty graphical public Web interface, and some mobile apps.

PETV: Sure, we can provide it. We have most of that off the shelf, and we can do some customization work and professional services to tailor it to your needs. Just guessing from you asked for, that will be $X for the software license, $Y per year for support, $Z for the customization work, and we’ll need to talk about yearly support for the custom stuff.

LEO: Hmmm. Too much for me. Bummer.

PETV: Well, maybe we can cut you a special deal, especially if you lower your sights on that customization stuff.

LEO: Hmmm. Then I’m not really getting all I asked for, but I am getting something I can afford. … But will you all crack open your product’s database with a Web services API so that anybody can write a mobile app for it, for any mobile device in the world?

PETV: Wow! That would be some major customization. I think you’ll find our mobile app is just fine.

LEO: What about cracking open the database so I can use my choice of reporting tools?

PETV: Ah, no, actually, and I think you’ll find our reporting features are really great.

I’ll stop the dialogue (now getting painful to listen to) and actually stop altogether for today, leaving the reader to contrast it with the open-data, complete-data approach of an open election data management system with core functions and features, basic reporting, basic mobility, and above all the open-ness for anyone to data-mine or mobilize the election data that is, in fact, the people’s information.


Detours in Election Technology: The “Open” Factor and Tradeoffs

During some recent election technology adoption discussions, I’ve realized how some standard proprietary-IT-think has affected acquisitions of election technology. And it is a mind-set that I used to have too, back when I was in the enterprise IT infrastructure business.

Back then, the normal thing was to have a core technology with some primary value, a road map of a couple major extensions of the core technology, and a product roadmap for adding functions and features. Of course we wanted our customers to want more of our stuff as time went by, and we wanted to support our pricing model with customer options for this growing set of features.

A Typical Product Road Map

A Typical Product Road Map

And one more-or-less knee-jerk response was an expanding feature set for “reporting.” The idea was familiar: the vendor lets you, the customer, use their software; the software builds up a valuable base of information (a proprietary information base) about its history of use and what it can tell you about your IT usage; so the software should be able to prepare you reports that tell you various kinds of juicy information nuggets.  And the big assumption was that only that software had the smarts to do so.

And that went double for the cases where a few “reports” were small enough in scope but commonly enough used that it was better to present a handful of them as graphics on a single administrative screen. Thus, the “management dashboard” and new spin on higher product value.

Rewind to the present day, and I found it curious that this mindset is still around, including among adopters of election technology. But in election-land, there is huge missing concept here: Inside of election technology, the data is not proprietary, not specific to a vendor.  Sure, a closed system vendor may make data format(s) proprietary, but the data of elections, contests, candidates, ballots, voters, vote totals — all that and more is by rights public data.

Now, here is the “open” factor: In an open system, all that public data is freely available.  Anyone, or anyone’s code, can access the data. Take the example of the TTV Election Manager and TTV Tabulator working to consolidate vote counts. The Election Manager’s database is an ordinary database with a public schema. If an election official wants some specific reports generated, it is only one option to ask for Election Manager or Tabulator features to slice and dice the data and prepare nifty tables and graphics. And it is tempting to want that in the same Web application interface of the Election Manager. That temptation is underlined because existing proprietary EMSs do have the “you can only get reports from me” concept — though seemingly to not able please all users with one set of limited reporting features.

Typical Reporting Package with Database

Typical Reporting Package with Database

But a better option is to recognize that all the data is there already, sitting in a publicly documented database which can be accessed directly by any purpose-built reporting system. Get the reporting system of your choice  — there are tons of them ranging from the grand-daddy of them all Crystal Reports (now offered by software giant SAP) to the reporting offering of venerable open-source project GNU. Hook up the reporting system to your database of election data (yes, that can be a real election management database in the picture above), and design and generate reports to your hearts’ content. And even better: a purpose-built reporting package probably has many more handy features than either a product manager or a customer of a voting system product would think of.

And that’s the power of “open data,” using the best tool for each job — an election data management system to manage election data, a voting system to collect votes, and a reporting system to generate a wide variety of customizable reports. And that power creates options and trade-offs, which are essential in funding-constrained U.S. election-land. It’s tempting to want one vendor to have a completely integrated product of everything, but it may well be more cost-effective — and ultimately more useful — to have  a collection of packages each of which has your best bang-for-the-buck for each task you need automated.


PS: Next time on “Detours” — mobile computing as another example of a detour from traditional proprietary-IT-think in election-land.

Bedrock 4: Into the Ballot Design Studio

Continuing our Bedrock election story (see parts one, two, and three if you need to catch up), we find the County of Bedrock Board of Elections staff, including design guru Dana Chisel, in the “ballot design studio,” a dusty back room of the BBoE. Chisels in hand, staffers ponder the blank slate, or rather sandstone, of sample ballot slabs on easels. With the candidate and referendum filing periods closed and the election only a couple weeks away, it’s time to make the ballots.

Dana Chisel, design queen of Bedrock

Dana Chisel, design queen of Bedrock

Now, you might think that the ballot consists of the 3 items we know of – the race for Mayor, the race for Quarry Commission, and the question on the quarry fee. However, recall that each precinct in Bedrock County has a distinct set of districts. In this election, each precinct has a distinct ballot with a distinct set of contests corresponding to the districts that the precinct is part of. At a first cut, the contests by precinct are:

  • Downtown-001: the contest for mayor, and the referendum on quarry fees;
  • Quarrytown-002: the contests for mayor and quarry commissioner, and the referendum on quarry fees;
  • QuarryCounty-003: the contest for quarry commissioner, and the referendum on quarry fees;
  • County-004: the referendum on quarry fees.

You’ll note that only Town residents — in Precincts 1 or 2 — are entitled to vote for mayor, while residents of the Mineral District — in Precincts 2 or 4 — are the only voters entitled to for Quarry Commissioner. Last, all voters in the county are eligible to vote on county revenue issues such as taxes and fees imposed by the county.

That, plus the list of candidates and the text of the referendum, comprise what might be called the content of each of the 4 ballots, or the ballot configuration. But the ballots themselves need to be designed: the ballot items have to appear in some order, and the candidates likewise; the ballot items have to be arranged in some visual design, vertically or horizontally, with sufficient space between each, fitting the size of ballot slates that they will be etched on … and so on.

Ballot for Precinct 1 in the Bedrock Special Election of 1 April, 1000000 B.C.

Ballot for Precinct 1 in the Bedrock Special Election of 1 April, 1000000 B.C.

So, armed with chisels, the proverbial blank slate, and several tablets stating the legal requirements for contest and candidate order, design guru Dana Chisel marks out a prototype ballot containing all the requisite ballot content, laid out according to usability principles known since the Stone Age (left justified text, instructions separate from content, instructions with simple words along with pictures, and more). After a few tries and consultation with their boss Rocky, they have a design model for each of the 4 ballots. The next step are usability testing with volunteer voters, and using the results to create the final slabs that serve as the model for each ballot style. Then they’re ready for mass reproduction of  ballots for the upcoming election — get those duplidactylsaurs into action!

Now, you might think that they’re ready for election day, but wait there’s more, including the preparation of pollbooks, and then early voting, and then eventually election day operations.

Next time: Pollbooks and Early Voting


Bedrock 3: The Big Picture

At the end of our last visit to the fictional Town of Bedrock, we left Fred as he applied to run for mayor. Now we’ll continue the story, but with a focus on Bedrock itself, in order to continue building up a detailed, yet simplified, account of actual U.S. election practice.

The focus is on Bedrock rather than its colorful denizens, because the answer to the current question — can Fred be a candidate for mayor in the upcoming election? — lies partly in the details of Cobblestone County and Town of Bedrock, how they are structured and administered for elections. At a first glance of the Bedrock County map, you’ll see that the Town of Bedrock is entirely in Cobblestone County, dividing the county into two regions, the part that is incorporated in the Town, and the unincorporated portion.

Map for Election Administration of Bedrock

Map for Election Administration of Bedrock

Look a bit more closely though, and you’ll see the Mineral District — not a town but a political division called an electoral district (in some states in the U.S., called a jurisdiction rather than a district). The Mineral District in the part of the county that’s affected by quarrying operations at the Bedrock Quarry, and the Bedrockites who live there get to elect the Quarry Commission to regulate the Quarry. Look a bit more carefully and you’ll notice that part of the Mineral District is in the Town of Bedrock, and the rest is in the unincorporated county.

To keep our Election Tale simple, that’s almost all of the electoral structure of Cobblestone County that is the jurisdiction of the Bedrock BoE. The remaining part may be a bit more familiar: the precincts. Each precinct is a region in which all of the voters are entitled to vote on exactly the same ballot items; put another way, in one precinct all of the voters reside in exact same set of electoral districts. So in Bedrock County, there are 4 precincts:

  • The “Downtown-001” precinct, part of two districts: the district of the Town of Bedrock, and the district for Bedrock County;
  • The “Quarrytown-002” precinct, part of those same two districts, plus the Mineral District;
  • The “QuarryCounty-003” precinct, part of the Mineral District and the County;
  • The “County-004” precinct, part of just the district for the County.

Looking a little more carefully, you’ll notice the Flintstone residence is in the QuarryTown-002 precinct, which means the Flintstones (or at least those of them that are registered voters) are eligible to run for offices in either the Town or the Quarry District. To say that more generally, in order to be eligible to run for an office, you have to reside in the district that the office is part of. Fred wants to run for Mayor of the Town of Bedrock, so he has to reside in the Town of Bedrock.

Rocky Stonerman

Rocky Stonerman

Back at the BBoE, Rocky has completed the eligibility check for Fred, having ensured that:

  • he resides in the Town of Bedrock,
  • he is registered to vote,
  • his current address matches the address in his voter record,
  • he is not serving jail time,

and perhaps some other eligibility requirements in Stone Age election law that we are not aware of. Fred is satisfied to find that on the Bedrock slab-site’s Upcoming Election slab, he is listed as a candidate for mayor. However, there is also a bit of a surprise: his neighbor Betty Rubble is running against him! And also Barney Rubble is running for Fred’s old Quarry Commission seat. Also, the commission’s clerical errors seem to have been resolved, and the quarry fee referendum will be on the ballot. With a few more days of filing time left, an irritated Fred ponders who lives in the Mineral District, that might be convinced to run against Barney.

Next Time: it’s time for ballot design – get out your Chisel!


Voting System (De)Certification, Reloaded (Part 3 of 2)

Thanks to some excellent recent presentations by EAC folks, we have today a pleasant surprise of an update to our recent blogs Voting System Decertification: A Way Forward (in Part 1 and Part 2). As you might imagine with a government-run test and certification program, there is an enormous amount of detail (much of it publicly available on the EAC web site!) but Greg and I have boiled it down to a handful of point/counterpoints. Very short version: EAC seems to be doing a fine job, both in the test/certification/monitoring roles, and in public communication about it. At the risk of oversimplifying down to 3 points, here goes:

1. Perverse Incentive

Concern: ES&S’s Unity would be de-certified as a result of EAC’s investigation into functional irregularities documented in Cuyahoga County, Ohio, by erstwhile elections direction Jane Platten (Kudos to Cuyahoga). With the more recent product just certified, the “fix” might be for customers of to upgrade to the latest version, with unexpected time and unbudgeted upgrade expense to customers, including license fees. If so, then the product defect, combined with de-certification, would actually benefit the vendor by acting to spur customers toward paid upgrades.

Update: Diligent work at EAC and ES&S has resulted in in ES&S providing an in-place fix to its product, so that EAC doesn’t have to de-certify the product, and customers don’t have to upgrade. In fact, one recent result of EAC’s work with Cuyahoga County, the county was able to get money back from the vendor because of the issues identified.

Next Steps: We’ll be waiting to hear whether the fix is provided at ES&S’s expense (or at least no cost to customers), as it appears may be the case. We’ll also be watching with interest the process in which version fix goes through the test and certification process to get legal for real use in elections. As longtime readers know, we’ve stressed the importance of the emergence of a timely re-certification process for products that have been certified, need a field update, and need the previously used test lab to test the updated system with testing that is as rigorous as the first time, but less costly and more timely.

2. Broken Market

Concern: This situation may be an illustration of the untenable nature of of a market that would require vendors to pay for expensive testing and certification efforts, and to also have to forego revenue when otherwise for-pay upgrades are required because of defects in software.

Update: By working with the vendor and their test lab on both the earlier and current versions of the product, all customers will be able to obtain a no-fee update of their existing product version, rather than being required to do a for-fee upgrade to a later product version. Therefore, the “who pays for the upgrade?” question applies only to those customers who actually want to to pay for the latest version.

Next Steps: Thanks to the EAC’s new process of publishing timelines for all product evaluation versions, it should be possible to compare the timeframe for the original testing, the more recent testing, and the testing of the bug fixed version of We can hope that this case demonstrates that a re-certification process can indeed be equally rigorous, less costly, and more timely.

ES&S Evaluation Timeline

ES&S Evaluation Timeline

3. Lengthy Testing and Certfication

Concern: The whole certification testing process costs millions and takes years for these huge voting system products of several components and dozens of modules of software. How could a re-test really work at a tiny fraction of a fraction of that time and cost?

Update: Again, thanks to publishing those timelines, and with experience of recent certification tests, we can see the progress that EAC is making towards their goal that an end-to-end testing campaign of a system to be less than 9 months and a million dollars, perhaps even quarter or a third less. The key, of course, is that a system be ready for testing. As we’ve seen with some of the older systems that simply weren’t designed to meet current standards, and weren’t engineered with a rigorous and documented Q&A process that could be disclosed to a test lab to build on, well, it can be a lengthy process — or even one that a vendor withdraws from in order to go back and do some re-engineering before trying again.

Next Steps: A key part of this time/cost reduction is EAC’s guidance to vendors on readiness for testing. That guidance is another relatively recent improvement by EAC. We can hope for some public information in future about how the readiness assessment has worked, and how it helped a test process get started right. But even better, EAC folks have again repeated a further goal for time/cost reduction, but moving to voting system component certification, rather than certifying the whole enchilada – or perhaps I should say, a whole enchilada, rather than the whole plato gordo of enchilada, quesadillas, and chile relleno, together with the the EMS for it all with its many parts – rice, frijoles, pico de gallo, fresh guacamole … (I detect an over-indlugence in metaphor here!)

One More Thing: As we’ve said before, we think that component level testing and re-testing is the Big Step to get whole certification scheme into a shape that really serves its real customers – election officials and the voting public. And we’re proud to jump in and try it out ourselves — work with EAC, use the readiness assessment ourselves, do a pilot test cycle, and see what can be learned about how that Big Step might actually work in the future.