Safeguarding the 2008 Vote For Speaker Nancy Pelosi Voting Rights Taskforce Wellstone Democratic...

Safeguarding the 2008 Vote

For Speaker Nancy Pelosi

Voting Rights TaskforceWellstone Democratic Renewal ClubJune 26, 2007

Contents

Participants Executive Presentation Supporting Detail

Holt Bill (HR 811) EAC Banning DREs Electronic Voting At Risk Audits Enforcement

Background and Definitions References

06/15/07 Voting Rights Taskforce - Safeguarding our Elections in 2008

3

Participants

Mr. James Soper, M.A., Senior software consultant, author of www.CountedAsCast.com, (510) 258-4857, [email protected].

Dr. Judy Bertelsen, M.D., Ph.D., (510) 486-1467, [email protected].

Mr. Lee Munson, B.A., M.B.A., (415) 751-4535, [email protected].


4


How to avoid the Florida 2000, Ohio 2004, and Florida 2006 fiascos in

2008?


5


Elections using electronic voting systems have been

distorted … accidentally or intentionally


6

DeForest Soaries resigns from Election Assistance Commission (EAC)

…we “had made things worse through the passage of the Help America Vote Act…

…if we were another country being analyzed by America, we would conclude that this country is ripe for stealing elections and for fraud.”

- Chairman and republican appointee to the EAC


7

Safeguards for 2008

Re-structure the EAC or sunset it. Timely enforcement of election laws. Require vastly improved, rigorous

and timely manual audits. Timely, public, and affordable

access to voting records.


8

Ban DREs

Use hand marked paper ballots (HMPB).

Use precinct based optical scanners (PBOS).

Use ballot marking devices (BMD) with touchscreen and audio interfaces for voters with disabilities.


9


A system is only as secure as its weakest link. A piecemeal implementation will leave open

security vulnerabilities. Even paper ballots are NOT secure without improving audits and procedures.

The devil is in the details. We need clear, detailed definitions and laws. Currently, each Election Official chooses a different interpretation of election laws.


10

Holt Bill (HR 811) positives:

Requires useful audits and public reporting of results.

Bans most wireless and internet connections.

Addresses testing lab conflict of interest and requires public reporting of testing results.

Requires some disclosure of source code. Requires paper ballots be available (in

2010!).


11

Holt Bill Weaknesses

Gives more authority to a politicized, incompetent failure called the EAC.

Is weak on enforcement and penalties. Does not explicitly ban DREs. Funds text-to-speech devices before

they have been studied and are ready.


12

Our goals….

We would like to … … assist in writing & reviewing federal

voting legislation ... to be a resource to Congresswoman

Pelosi’s office on election integrity issues Our expertise is a combination of academic,

programming, computer security, business, and first hand election experience. We want to and can help!

Supporting Detail

Holt Bill Issues

DREs/VVPATSAuditsEAC


15

Holt Bill HR811

Holt Bill proposal on DREs and VVPATs (paper trails)

Requires VVPATS on DREs

Makes the VVPAT the ballot of record for audits and recounts.

Addresses voters' with disabilities ability to verify their votes from the VVPAT

Concerns include: Does not require software

independence, thus does not address inherent DRE security issue.

Requires systems to meet requirements for 2008 but study of disabled voters ability to verify not until 12/2008

Does not address inherent VVPAT printer reliability and auditability issues

Good points include Requires a paper trail Makes the paper the ballot of

record


16

Holt Bill HR811

Holt Bill Proposal on Audits

State Election Auditor

Minimum audit of 3% to 10%

Precincts to audit chosen within 24 hours of the final unofficial vote count

Additional handcounting if audits don’t match the unofficial tally

Concerns include: Assumes all precincts are the same size Assumes one size fits all for all states Does not state confidence levels (eg.

99%) Does not require investigation into

causes of discrepancies Does not require analysis of

consequences of discrepancies to all statewide races

Good points include Mandatory, random audits Absentee ballots must be auditted Tiered audits Precincts chosen after vote count

announced Publication of discrepancy procedures Publication of detailed results


17

Holt Bill HR 811

Holt Bill proposal on EAC Gives more authority to the

EAC

Concerns include: EAC has been worse than

ineffective. Nothing in legislation to

change or improve or better define EAC responsibilities

:

Election Assistance Commission (EAC)

Past, present, and future


19

EAC – A Quick History

Mandated by HAVA (Help America Vote Act) in 2002. Voluntary System Guidelines > 1 year late but HAVA

compliance deadlines were not extended, thus forcing purchase of expensive, poorly designed and tested electronic equipment.

DeForest Soaries resigns in 2005. ITA (Independent Testing Authority) testing shown to be a

MAJOR failure in 2006. EAC 8/06 decertification of Ciber labs not announced until

after the 11/06 election. Many machines were “tested” by Ciber.

EAC suppresses report that Voter ID laws reduces turnout.


20

EAC - Current Structure Issues

Leadership is bipartisan but is political – should be professional, technical and legal. Election administration should be nonpartisan.

Latest vote fraud report in which wording was manipulated to continue to support Republican claims despite findings to the contrary

No enforcement power – only makes recommendations.

Sets up privatization/corporate secrets fraught with conflict of interest in testing – should set up public, transparent, highly professional testing process.


21

EACProposed structural changes

Re-structure in a way to help in 2008 or else sunset the commission.

Turn all testing over to NIST (National Institute of Standards and Technology)

Promptly make testing results public Actually test for security vulnerability, including

insider and outsider attacks. Actual attacks should be attempted on the equipment. If a fix is made, that fix should be tested by an actual

attack attempt.

Sunshine provisions

Banning DREs

Requiring Software Independence as defined

by NIST will effectively ban DREs


23

Printable pdf version

Printable pdf version


24

Inherent problems with DREs

We don't know what's inside the machines Disenfranchisement (vote suppression)

Broken machines Insufficient machines Shown to suppress minority votes

www.votersunite.org/info/NM_UVbyBallotTypeandEthnicity.pdf Extra and cumbersome ballot verification steps Studies show higher undervote rate than optical

scanAre DREs worth any of their positives? NO


25

Who wants to Ban DREs?

Florida, New Mexico and Maryland are all working towards banning DREs

Election Integrity advocates across the country including:

Progressive Democrats of America Voters Unite

Computer security expert Professor Avi Rubin no longer supports DREs with or without a VVPAT…


26

Avi Rubin, e-voting expert, Johns Hopkins professor:

“…when I first studied the Diebold DRE in 2003, I felt that a Voter Verified Paper Audit Trail (VVPAT) provided enough assurance. But, I continued, after 4 years of studying the issue, I now believe that a DRE with a VVPAT is not a reasonable voting system. The only system that I know of that achieves software independence as defined by NIST, is economically viable and readily available is paper ballots with ballot marking machines for accessibility and precinct optical scanners for counting – coupled with random audits. That is how we should be conducting elections in the US, in my opinion.”

From Avi Rubin’s BLOG describing his testimony before a House subcommittee hearing on “Ensuring the Integrity of Elections”, March 7th, 2007.

Electronic voting can be corrupted…

Accidentally or Intentionally


28

Electronic voting at risk

NIST Report, 11/06Princeton Report, 9/06NRC Report, 7/06BBV Report, 7/06Brennan Report, 6/06Hursti II Report, 5/06Berkeley Report, 2/06

Hursti I Report, 5/05RABA Report, 1/04Compuware Report, 11/03SAIC Report, 9/03Johns Hopkins Report, 7/03Saltman Paper, 3/78

www.CountedAsCast.com/issues/security.php#reports

13 reputable reports ALL say:Electronic voting is vulnerable!


29


The risk of an outsider attack by a poll worker, voter or hacker, especially via a virus or similar, is real.

Chicago misplaced 400+ memory cardsCleveland misplaced 75+ memory cards.

Hackers can gain access if the machines havelocal network, wireless or Internet connections


30


Successful simulated attacks on an election

Poll workers, possibly voters. VVPAT may be compromised. Attack might not be caught by an audit.

Touchscreen to tabulator, Diebold & Sequoia

Summary tape and precinct totals incorrect; virus carried to other machines.

Princeton Hack

9/2006

Pollworker/Sleepovers. A good audit might catch this

Touchscreen to tabulator, Diebold

Showed that a person can take complete control of a DRE, and an election. Undetectable.

Hursti II5/2006

Pollworker/Sleepovers. A good audit might catch this

Optical Scan to tabulator, Diebold

Showed that a person can take control of memory cards, which handle the vote-reporting & counting.

Hursti I5/2005,11/2005

Anyone with access to the known tabulator passwords

Tabulator & database, Diebold

Central vote totals were changed with no trace

GEMS tabulator

5/2005

AccessEquipmentDescriptionAttack

Date


31


The risk of an insider (election official, company programmer) attack is real

Example: Easter Eggs (hidden code) We do not know what software is inside the

machines on election day No amount of testing will detect hidden

code Jeffrey Dean, voting systems programmer,

23 computer embezzlement convictions Clinton Curtis hired to write a program to

manipulate an election


32


Glitches happen Sarasota county, FL : 18,000 votes

“disappeared” Many more examples of “lost” votes Software and data are trade secrets Nobody, and no machine, should be

counting American votes in secret


33

Electronic Voting Recommendations

Software verification Check that the software used on election

day is the software that was inspected, tested and certified.

Public testing of systems Security (red team) testing Ban all network connections, including wireless Open source software – public inspection


34

Security “mitigations” are not really secure

Tamper evident seals don’t work Not all pollworkers trained to look at seals,

procedures not defined if seal is torn. Taking a machine out of service not enough if

manipulation spreads like a virus. Chain of custody of memory cards is

nullified by processes inherent to voting machine

Machines need to be in place prior to Election Day.

This allows adequate access for manipulation of memory cards.

Audits

Classic Obfuscation #2: Audits will catch any problems


36

Audit Issues Audits should be determined by statisticians NOT

politicians A fixed audit percentage assumes a fixed number of

precincts and fixed margins between leading candidates. These vary for each election contest.

DREs have no margin of error. Audits of optical scanners SHOULD NOT match 100%.

Voter-caused and machine-caused discrepancies must be noted

Politicians should set the boundaries for statisticians – for example, desired confidence levels for accurate election outcomes (say 90% to 99%) and desired maximum error rates for machines.


37

Audit Recommendations

How much to audit A federal taskforce on the statistics of audits should set standards

and approve state election audit plans for states who want to devise their own.

Tiered audit system that adjusts for the closeness of the race. Federally funded recounts for very close elections

What to audit Include ALL votes – absentee, military, mail-in, overseas, early,

provisional. How to audit

A preliminary statement of votes as an established control. Both random selections and manual audits to be publicly observable

Reporting and further actions Require that audit results are used to correct election results and are

reported publicly. Have statisticians or mathematicians evaluate whether

discrepancies could affect election outcomes; and determine whether or not to expand audits.


38

Audits on VVPATs are problematic

VVPATs were an afterthought, never tested for voters catching errors.

Tests show that voters who examine VVPATs often miss detecting omissions and errors and that most voters do not even look at the VVPATs

Brennan Center and MIT/Caltech reports state that only 1/3 of people look at them.

Poll workers didn’t understand the reason for VVPATs and sometimes told voters to NOT look at them.

Paper jams were frequent and votes not recorded Rolls from some systems were very difficult to read at

audits. If the VVPAT was unreadable, the roll was re-printed

from the memory card-which was NOT voter verified


39

VVPAT Recommendations

Federal legislation should… Ban VVPATs and DREs. Florida, New Mexico, and Maryland are all moving in

that direction Allow only Voter Marked Paper Ballots

Systems already purchased are sunk costs Ballot marking devices should be certified for

HAVA compliance

Enforcement

Too little, too late


41

Election laws are not enforced

No checks and balances on Elections Officials On Election Day it is nearly impossible to get

any legal action done. Deadline to certify the vote allows officials to

delay providing information, etc. until too late Officials are not being held accountable for not

following election code. District Attorneys and Attorney Generals are not acting on these issues, and sometimes help election officials cover up problems.


42

Enforcement recommendations

Timely !!! Enforcement must be immediate and allow revote.

Enforcements need to cover pollworkers and elections officials.

Citizens must be able to initiate lawsuits that the courts act upon very quickly.

PENALTIES spelled out explicitly. Timely, public, and affordable access to voting

records is key!!! Public oversight organizations need access!!!


43

Definitions and Background


44

The Players

Federal EAC – Election Assistance Commission ITA – Independent Testing Authority NIST – National Institute of Standards and

Technology State

SoS – Secretary of State County Elections Officials – Registrar of

Voters, Board of Elections, Clerk/Recorder


45

Definitions (Optical scanner)

Optical ballot scanner


46

Definitions (DRE, VVPAT)

DRE (Direct Recording Electronic)

VVPAT (Voter Verified Paper Audit Trail)


47

Definitions (Touchscreen)

Ballot Marking Devices (BMDs) are touchscreen machines that produce a paper ballot. DREs do not.


48

Definitions (Tabulator)

Tabulatorcentral votecounting

computer

Memorycards


49

Definitions (Memory Card)

Memory card used to transfer data, including votes, between the central tabulator and the scanners and voting machines in the precincts.


50

Definitions (Auditing)

Auditing – check vote totals from some % of precincts after the election


51

References

Link to this presentation

www.CountedAsCast.com/alameda/docs/presentation26jun07.php

Security issues

www.CountedAsCast.com/issues/security.phpConducting audits

www.CountedAsCast.com/issues/audits.phpProcedures are inadequate

www.CountedAsCast.com/issues/procedures.phpFailed EAC/ITA testing

www.CountedAsCast.com/issues/testing.php Monitoring elections

www.CountedAsCast.com/resources/monitoring.php

Safeguarding the 2008 Vote For Speaker Nancy Pelosi Voting Rights Taskforce Wellstone Democratic...

Documents

Transcript of Safeguarding the 2008 Vote For Speaker Nancy Pelosi Voting Rights Taskforce Wellstone Democratic...