by Jan Otto
Why do we vote? We vote to preserve liberty and justice for all citizens and their families according to their decisions as members of our free and open society. Elections express the will of "we the people" in a city, county, state or country -- provided they are fair. Fair elections have two missions. The first is to validate the choices that citizens have made, and the second is to be conducted in accordance with transparent standards that give losers no grounds for contesting outcomes. These open the way for a peaceful transfer of power.
The Current Situation
Interference in advance of the November 2020 elections is greater than ever as both foreign and domestic enemies of freedom vie for power. The value of US policy decisions to the rest of the world cannot be over-estimated. We are the largest, most successful democratic republic ever, and that success rests on votes that accurately convey the will of the people. Yet recent findings of in-depth research on the vulnerabilities of election systems in each of the 50 states show how alarmingly unprotected we are by the very election systems that exist for the purpose of protecting us. Election systems exist to serve the will of "we the people" -- not the will of enemies.
A United States citizen trying to make an informed decision amid political clamor needs a basic understanding of fair election practices. Here we lay out the basics and "why" of election processes. Attacks on fairness never stop.
In the United States, elections are conducted in counties and managed overall by states, usually by the Secretary of State's office in each state. The more local the election, the closer it is to citizens. The Federal Election Assistance Commission may only provide guidelines.
Benchmarks and Gold Standard for Voter Assurance
The most important factors to ensure a fair election process are as follows:
- Correct Voter ID so that only those entitled to vote have the opportunity, while at the same time everyone who is entitled to vote has the opportunity.
- Transparency -- Polls can be independently monitored and available to all registered voters as each state provides. This means that voting takes place at a polling location that is free of interference, is adequately staffed by trained workers, and is open to observation by any citizen.
- Paper Ballots - hacking experts say that only hand-marked paper ballots, untouched by machines, assure the integrity of the vote, because only hand marked paper ballots create a secure trail for auditing. Hand marked paper ballots are free of any possible software hacking or manipulation. Then ballot collection and tabulation are performed under secure protocols. These are part of a "chain of custody."
- A Risk-Limiting Audit is performed after the votes are tabulated and before the results are reported.
- The results of the polling location tabulation are provided to the Secretary of State in a timely and secure fashion.
No software/hardware only voting process is secure. Election machines are, to a greater or lesser degree, like Swiss cheese, full of holes. Vulnerabilities can exist in software design, operating hardware, neglect of required software updates, loading data of any sort, storing data, transmitting data, hardware design, emails, access by different employees, using multiple vendors, outdated systems and just plain human error. All systems are able to be compromised in some way at some point.
Cui Bono – Who Benefits?
Elections exist for the purpose of maintaining an open society of a free people. Who might benefit from stealing the people's elections? It is relatively simple to identify threats from local graft or vote manipulation from local actors caught up in corruption of one sort or another. There are of course the voting machine vendors whose promise of security cannot be verified because of possible secrets or errors hidden in proprietary software. Clearly, the insecure products on the market sell for brow-raising prices. Nevertheless, vendors excel at winning contracts and are generally well-liked by government customers who trust their false promises of secure results. They may even believe themselves at times! Hackers prove them wrong. Their machines are manufactured abroad, often in the Philippines. And clearly, there are multiple foreign actors who relentlessly disrupt the United States' interests at every level.
When it comes to federal elections, multiple actors enact different strategies; some want a specific candidate or ballot initiative passed, and so may only target a narrow aspect in a few key districts. Some may want to crash the entire system, throwing the US into chaos. Fortunately, the principles that apply to voter assurance at the local level also work at the national level, except in an instance of a massive national Denial of Service (DoS) or ransomware attack. These are the purview of the NSA, FEC and FBI.
State systems have not allowed for threats from foreign nationals. Rather, efforts go into maintaining voting systems and counting votes accurately. States cannot learn "what happened" after a vote. Hacking attacks are almost always invisible, and there is little or no forensic capture and verification of data security built into these processes. Unfortunately, rogue states – or hackers from anywhere -- have ever more powerful, subtle tools to disrupt elections.
Elections are already disrupted by disinformation campaigns and attacks on voter rolls, such as we have seen from Russian hackers; attacks on government websites including spoofing sites, and the possibility of denial of service or ransomware attacks on the day of elections. Such incidents undermine a citizen's trust in the safety of his or her vote. As November 3rd, 2020 nears, rhetoric ramps up the notion of declaring results invalid. The danger of this threat to the stability of the United States is substantial.
Other worries concern voting machine processes that might limit citizen opportunities to participate in an election. As ballots become more choice-laden, confusing and lengthy, there are ways to change these options either before the voter makes a choice, or afterwards, when that choice is recorded. For example, using OCR machine technology to record paper ballot choices instead of using image scanners creates opportunities for special inks that OCR machines cannot "see" or for marking white spaces. An OCR machine can lose information when it tries to make a "pretty" image.
We can do better. The integrity of our elections underpins the most successful country in the world. Without it, the transfer of power becomes rough, even subject to deliberate violence, as we see in the news of today. Here we propose a "Gold Standard" for Voter Assurance. We show each step of the election process and identify weaknesses, threats and best practices.
Elements of a Gold Standard for Voter Assurance
These are known necessary basics for election security:
- Voter ID
- Clean Voter rolls
- Paper Ballots
- Accurate and Secure Tabulation
- Risk Limiting Audits
- Secure data storage and transmission
- Accurate and secure reporting of results
To put these in place, as responsible people know, means taking on the work of addressing all the details that assure quality and reliability for any good system. These tools are part of already recognized voting processes that support and combine to create voter assurance. The more distant a system is from person to person physical presence, the less secure it is.
Voter ID
Correct Voter ID processes require that citizens who wish to register to vote demonstrate to a county clerk, in person, that they have the right to vote. They must show that they are a citizen of the United States of America, over the age of 18, and have not had their right to vote compromised by felony conviction or other statutory restriction. So-called "Motor Voter" laws, where those registering for driver's licenses are also registered to vote, compromise security. This is because driver license requirements are different from voter requirements.
The gold standard for Voter ID includes facial identification against a citizenship document. Passports and passport cards are excellent examples of secure documents. In the future, a separate Voter ID card or passport document is advisable on a national or state level. Although driver licenses are currently accepted, it is worth examining the cost and opportunity to use or create a separate Voter ID document.
Clean Voter Rolls
A clean voter roll identifies all of the voters in a district, municipality or county that have the current right to vote in an election according to the laws of the state and country. It assures the political entity that no person without that right is listed on the voter roll. The joke that dead people cast apparent ballots is only too true for states that fail to purge voter rolls. The most accurate way to manage and maintain these rolls is for each citizen who has established his right to vote according to state requirements to present legally acceptable identification to a clerk of the court or other appointed entity within a specified time period. This enables the state to purge all names not so verified. Then, when that citizen comes to the polls, a poll worker checks them against the voter roll list as they present their ID.
Gold standard clean voter rolls are also cross checked against a national database to protect against double voting. The cross check ensures that no registered voter has voted elsewhere. At present there are two systems states use:
- ERIC (Electronic Registration Information Center), a cross check developed by Pew Charitable Trusts/IBM, to which individual states subscribe.
- The Interstate Voter Registration Crosscheck Program, run by the Kansas Secretary of State.
These databases check voter rolls against addresses, vehicle registrations and participating states' voter rolls. Should a questionable voter be identified, the state or voting district must notify the voter in a timely manner that they will be removed from the rolls unless the voter takes some action. Note that although it is illegal to vote more than once in a given election, it is not illegal to be registered in multiple locations.
The US Election Assistance Commission has released a YouTube video of their recommendations for clean elections (https://www.eac.gov/videos/spring-cleaning-voter-list-maintenance-best-practices-tools-and-success-stories---webcast). Their panel of experts speaks about how "Clean voter rolls lead to clean elections," and how maintaining these rolls is an ongoing, even daily effort.
The task of managing and updating voter rolls falls to County Clerks. One consequence of messy or outdated voter rolls is a lack of correct preparation for election day processes. Another is that fraud is easier to perpetrate. This means that developing and maintaining clean voter rolls through purging voters that are no longer eligible to vote is essential.
Voter ID at the Polls
In order to vote, a voter must register. At present 14 states require ID at the polls. This requirement allows the poll worker to identify positively who may vote. In this way, post-election, verified identification helps maintain clean voter rolls through retaining the valid voter on the rolls. And of course, verified ID makes fraud much more difficult. Voter ID at the polls forestalls fraud because a person must be positively identified as on the roll, and also as having voted in a particular precinct. If they show up as having voted in a different precinct, that is easier to detect.
In order to close the loop on clean voter rolls and create the best voter assurance, we recommend a statutory requirement for voter ID at the polls.
E Poll Books and Printed Voter Rolls
Although county clerks and poll workers enjoy the convenience of electronic databases for poll books, a gold standard requires printed voter rolls originating at the county clerk's office. This is because it has come to light that in preparation of the E Poll books, voter data is frequently stored or transmitted in vulnerable ways.
For example, voter data has been discovered in the Amazon Web Services (AWS) open cloud, available to anyone who is searching for it. It is a fact that E Poll Books data must be stored for management and organization somewhere and it is a fact that AWS gives out free $50 gift cards. Nevertheless, it is easy for hackers to perform quick, clandestine data searches and manipulate data. For organizations that are not prepared for hackers and do not maintain forensic tools and paper trails, getting hacked is a realistic threat.
Given access to voter rolls, there are several avenues hackers can take. For instance, they can target specific voters with disinformation or illegally disqualify legitimate voters. Disqualification is then only discovered when voters come to the polls, when it is too late to do anything about it. Another avenue is a ransomware attack, where the data is held hostage for money or other reasons. Sensitive voter data has even been found to be transmitted by email. Email is notoriously unreliable and subject to manipulation.
Therefore, in the preparation of poll books and the printed lists that provide an audit trail, as well as in data storage and transmission processes, compliance with strict cyber security protocols is essential. These steps maintain the assurance that only voters registered to vote actually vote, and that all who cast ballots are similarly qualified and eligible.
Hand-Marked Paper Ballots for A Valid Audit Trail
A Risk Limiting Audit [RLA] is one of the most powerful and essential tools available. An RLA requires a hand count of a statistically significant number of paper ballots to a predetermined level of risk assessment, usually set at 10% or 5% as a percentage of likelihood that fraud exists. Machine generated paper ballots are untrustworthy. Hand-marked paper ballots, untouched by voting machines, are indispensable to a reliable audit. All electronic systems can be hacked, if only because at some point, whether for data transmission, or software updates or new procedure updates, there will be an introduction of an opening for a hacker.
Paper ballot design and printing is a well-documented and known process already in place for County Clerks and Secretaries of State. These necessarily include design elements to counteract duplication and manipulation by increasingly sophisticated means to manipulate results. Prevention might include hash marks, alignment marks, bar codes and other marks on ballots. A thorough review by cyber security experts on the final design of the ballots in relationship to the tabulation, storage and transmission of results is highly recommended.
Chain of custody of the paper ballots is another facet of the process that is generally well known and carefully followed, as chain of custody violations are an easy way to create doubt or fraud. As we will see in the next section on risk limiting audits, incorporating chain of custody requirements at a statutory level including the risk mitigation audit is a wise move.
Accurate and Secure Tabulation
Since all tabulations, data storage and transmission are performed electronically, there are several protocols necessary to assure the sanitation of this data and these processes. Unfortunately, current systems sold for these purposes by various vendors fall woefully short of the systems and practices actually required to maintain sanitized, accurate, and malware free data.
Although typically vendors fiercely defend their proprietary software and systems maintenance contracts, there is little or no oversight possible or practical until a breach or hack becomes public knowledge. While all of the processes and protocols sold with these systems appear to be secure and reliable, according to permitted third party testing such as that done at DEFCON, all systems tested had proven weaknesses and exploitable vulnerabilities to even semi-serious hackers, never mind sophisticated criminal and rogue state agents.
Tabulating systems rely on computer hardware and software. It is essential that these systems are designed, maintained and managed both for accuracy of tabulation and secure transmission of data. Most of these machines are unreliable in some way. They use outdated operating systems, have outdated security protocols, lack proper maintenance and use off the shelf hardware that comes with internet broadcasting modems. They are assembled and tested in foreign countries where it is simple to install hidden malware. The cost of purchasing and maintaining these machines is well above market price for similar systems, yet the high price does not buy security from hacking, fraud and manipulation.
In actual fact, cash registers used at Point of Sale systems are more secure than these voting machine systems. Vendor contracts lock states and counties into oppressive and expensive maintenance deals. Even so, it is possible to compensate for vendor voting machine vulnerability to some degree with proper vote counting procedures. For example, opening the tabulation process to observation by voters and interested parties helps assure voters of a fair and honest result. Switzerland has a post-election celebration where citizens bring their wine and cheese to sit and enjoy observing the tabulation.
There is the possibility of developing more secure, certifiable open source software and machines through an alliance of 6 to 11 interested states. Transparency would be the winner. Open source software such as image scanning hardware combined with software such as OpenCount is readily available and highly secure. One Colorado research study estimated that the cost of switching to an open source system could be recouped in three years. These systems do not require high acquisition costs or over-the-top maintenance contracts. Yet they have promise to provide a more reliable and forensically verifiable result along with the capability to add and review forensic tools useful to detect hacking or manipulation. That capability is a key element of any new system, although it has not been much considered until now. Open source systems would not be foolproof, but they could add a considerable safety factor, if only because they can meet a transparency requirement impossible with today's vendors. Security is ongoing because threats evolve and develop. Open source systems might better be able to adapt and evolve to protect us far better than today's hidebound arrangements tied up in profitable contract deals.
Risk Limiting Audits
This is a process that is performed after ballots are tabulated but before transmission to the Secretary of State. A statistical analysis of the closeness of the vote is made as to how many ballots must be hand counted in order to verify that the results of tabulation are statistically likely to be correct. The closer the vote, the more ballots must be hand counted. Only this hand counting of hand-marked paper ballots assures voters that the results are in line with the number of voters who actually voted and highly likely to be accurate.
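An added example, not part of the original article: a sketch of the ballot-polling (BRAVO) form of risk-limiting audit for a two-candidate contest, showing how the number of hand-read ballots grows as the vote gets closer and how the audit decides when to stop. The function names, the "W"/"L" mark encoding and the constructed sample ballots are assumptions of this example.

```python
import math


def _check(winner_share, risk_limit):
    if not 0.5 < winner_share < 1.0:
        raise ValueError("reported winner share must be above 0.5 and below 1")
    if not 0.0 < risk_limit < 1.0:
        raise ValueError("risk limit must be between 0 and 1")


def expected_sample_size(winner_share, risk_limit):
    """Approximate ballots to hand-read when the reported outcome is right.

    winner_share: reported winner's share of the votes for the two candidates.
    risk_limit:   for example 0.05 or 0.10.
    Uses Wald's approximation for the sequential test below.
    """
    _check(winner_share, risk_limit)
    s = winner_share
    # Average growth of log(statistic) per ballot if the reported share is true.
    drift = s * math.log(2 * s) + (1 - s) * math.log(2 * (1 - s))
    return math.ceil(math.log(1 / risk_limit) / drift)


def ballot_polling_audit(hand_read_marks, winner_share, risk_limit):
    """Sequential test over ballots drawn at random and read by hand.

    hand_read_marks: iterable of "W" (reported winner) or "L" (reported loser);
                     any other mark (blank, overvote) leaves the statistic as is.
    Returns (confirmed, ballots_examined). confirmed=False means the sample ran
    out without enough evidence, so the audit draws more ballots, up to a full
    hand count.
    """
    _check(winner_share, risk_limit)
    threshold = 1 / risk_limit
    statistic = 1.0
    examined = 0
    for mark in hand_read_marks:
        examined += 1
        if mark == "W":
            statistic *= 2 * winner_share        # evidence for the reported outcome
        elif mark == "L":
            statistic *= 2 * (1 - winner_share)  # evidence against it
        if statistic >= threshold:
            return True, examined
    return False, examined


def sample_size_table(risk_limit, winner_shares):
    """(margin in percentage points, expected ballots) for each reported share."""
    return [(round((2 * s - 1) * 100, 1), expected_sample_size(s, risk_limit))
            for s in winner_shares]


if __name__ == "__main__":
    for margin, ballots in sample_size_table(0.05, [0.60, 0.55, 0.52, 0.51]):
        print(f"margin {margin:4.1f} points -> about {ballots} ballots")
    # Constructed sample: every ballot drawn shows the reported winner.
    print(ballot_polling_audit(["W"] * 100, 0.55, 0.05))
    # Constructed sample: the hand-read ballots split evenly, so no confirmation.
    print(ballot_polling_audit(["W", "L"] * 500, 0.55, 0.05))
```

A sample that splits evenly never reaches the stopping threshold, which is the case where the audit escalates toward the full hand recount of the paper ballots.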
It is tempting to perform "transitive audits" where a different software and machine from vote tabulation machines performs the audit, but the difficulty of guarding against a hack that takes that into account is more difficult and expensive than the hand counting of paper ballots in proper numbers.
With hand marked paper ballots, a proper chain of custody, and a risk limiting audit, the results of tabulation are highly likely to be evaluated correctly. In the event of a divergence between the two tabulations, it is possible to do a recount of the paper ballots in a properly maintained chain of custody, thus eliminating the likelihood of a fraudulent result. This assures the voter that their vote was properly recorded and tabulated.
If electronic only voting systems are used, there is no forensic or auditing method that can guarantee the results to be free of fraud or manipulation. The system performing the audit is limited to the data available. Once the data is corrupted, it is unrecoverable. Paper ballots in proper chain of custody produce data that is near impossible to corrupt. This is not true of electronic databases, especially since these databases are so large, and must be stored and transmitted across vulnerable systems.
In the realm of voter assurance, risk limiting audits with hand marked paper ballots are the single most powerful tool available, at the least cost, to ensure that the vote was tabulated correctly.
Secure Data Storage and Transmission
According to the Election Assistance Commission (EAC), voting machines need only be certified to tabulate that the vote is free of interference. Certification is no assurance that the storage and transmission of this data is secure. Once the voting results have been securely tabulated and verified through a properly conducted risk mitigating audit, it is time for the data to be stored and transmitted to the Secretary of State.
In this storage and transmission process there are many opportunities for hackers to steal, change or replace this data. The Secretary of State of New Hampshire developed a process to verify that the data received matches that which was sent. Such gold standard steps combat attacks. A process can use bar codes to match the data sent to the data received as verified by a Secretary of State. The development of hacking-hardened processes to then put into practice takes careful coordination between systems developers and designers, county clerks, and secretaries of state. Once protocols are in place, maintaining them, updating them and training on them is an ongoing process. Systems are never "done." Maintenance is not done once; it is done regularly.
Cyber security threats are mounting with the expansion and use of electronic voting equipment in the states. This is going to be problematic as hackers and improperly maintained, certified and updated software can affect the security of the voting system. It also leads to increased hacking threats from the United States as well as the world community. In fact, there is a lot of chatter on the dark web that indicates hackers are aware of the weaknesses in electronic voting.
Canvassing: Accurate and Secure Reporting of Results
Once all of the counties and municipalities have reported to the Secretary of State, these results themselves must be tabulated to create a final tally, and the results reported. This process is subject to the same protocols and processes that the county clerks use, with the additional requirement that the results not be disrupted by attacks on the website of the Secretary of State, or by ransomware attacks on the data itself.
These were not such important considerations in past years, but increased sophistication, severity and targeting by hackers make it imperative to review current practices and identify the most immediate risks and also plan for longer range protections.
In Conclusion
We have the tools. We must have a sense of urgency to protect ourselves from elections that can steal our way of life. While we at Voter Assurance have presented an analysis based on our understanding of current information, it is our hope and our invitation that others will join us, collaborate with us and with one another, and that other non-profit organizations, those with governmental responsibilities, and everyone who can contribute to making the vote of each and every citizen count – welcome!
We are particularly grateful to our Wyoming Secretary of State Ed Buchanan and to the hackers at Cambridge Global Advisors. When citizens know that their vote will be taken respectfully, that it will be counted accurately and reported clearly, then the decisions of we the people of our republic will keep us strong.