The RISKS Digest
Volume 27 Issue 06

Sunday, 4th November 2012

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Roles of governments in election oversight and accountability
NJ e-mail voting article on Freedom-to-Tinker
Andrew W. Appel
Comments on Andrew Appel's blog item
Penny Venetis via PGN
Fiddling voting machines in Ohio
Doug McIlroy
A Huffington Post blog on Recount Roulette
Barbara Simons
Charlie Rose show on elections
Barbara Simons
Excerpt from Oct 2012 CACM article by Simons and Jones
Romney and Obama campaign websites leak PII
Jeremy Epstein
Sandy wreaks havoc on Internet infrastructure
Lauren Weinstein
Hurricane Sandy knocked out a phone line 3000+ miles away
John Pettitt
Restoring wired service after Sandy may take 2 weeks, Verizon says
Stephen Lawson via Monty Solomon
Hurricane Sandy also disrupts cellular networks and wired Internet
Jon Brodkin via Monty Solomon
In Sandy's Wake, Cellphone Users Steaming at Hit-or-Miss Service
Lauren Weinstein
Info on RISKS (comp.risks)

Roles of governments in election oversight and accountability

"Peter G. Neumann" <>
Sun, 4 Nov 2012 10:22:12 PST
This issue of RISKS is a just-in-time special issue before the Tuesday U.S.
elections.  A bunch of relevant items just happened to come in over the
weekend, nudging me to swing into gear.  After many years of tilting at the
windmills of voting integrity, I am once again prompted to editorialize on a
variety of related topics.

The state and federal roles thus far have been rather inadequate, failing to
provide any meaningful assurances whatever that elections can be run without
serious problems, and these roles have often become strongly politicized.
It is clear that some sort of oversight is necessary to ensure integrity
throughout the entire election process—from beginning to end.  At
present, every step along the way is a potential weak link, with respect to
accidental and intentional misuse as well as deceptive practices that create
abounding voter confusion.  It is also clear that much greater
accountability is necessary, particularly in cases where rectification of
egregious problems is difficult or in some cases rendered essentially
impossible by short-sighted legislation and regulations, inadequacies of
proprietary systems, and the lack of foresight and planning for exceptional
conditions such as clearly evident election irregularities.

However, these considerations have been made much worse by what has happened
leading up to the U.S. election on Tuesday in the past week: Hurricane Sandy,
with its ensuing losses of power and Internet access, shut-downs of public
transit and businesses, and losses of life and property.  The federal,
state, and local government responses have generally been exceptional,
although Election Day on the east coast is expected to be severely
complicated as a result.

As noted in this RISKS issue, various attempts are being made to reduce the
hardships that voters are likely to experience.  However, inherent
weaknesses in the election process are likely to make some of the would-be
fixes even more vulnerable to unfortunate disruptions and even willful
misuse.  Not incidentally, when you have neither electricity nor the ability
to travel (no gas, no subways, etc.), and polling places with no power that
have to be relocated, voting in person may be exceedingly difficult and
confused by misleading reports of voting site availability.  Furthermore,
proposed emergency alternatives of voting by Internet or e-mail, or even
trying to print a ballot from the Web, are likely to be problematic in the
absence of electrical power, supposedly trustworthy computers, the rush to
provide those alternatives without any real assurances, and so on!  PGN

A few of the most relevant items are included in this issue.  There is much
more that should be said before Tuesday's election, but this RISKS issue is
already full of grist for the mill and needs to be out sooner than that.  I
hope my hastily concocted points above resonate with everyone nonpartisan
enough to understand the RISKS.  Unfortunately, certain partisan behaviors
relating to the election process further muddle up the works, and could even
leave us in doubt about the results for a longer time than in 2000.

My bottom line here is that much more attention needs to be devoted to
proactive planning for the future, rather than simply waiting for the next
environmental catastrophe, or the next heatedly disputed local or national
election.  (See my article on the needs for long-term thinking in the
October 2012 CACM: or
more directly PGN

NJ e-mail voting article on Freedom-to-Tinker

"Andrew W. Appel" <appel@CS.Princeton.EDU>
Sun, 04 Nov 2012 11:23:01 -0500
  [The Freedom-to-Tinker website provides an amazing ongoing collection of
  thought pieces.  The latest, by Andrew Appel, appeared just in time for
  this issue of RISKS.  And it is just one of many items there that is
  specifically related to election integrity.  Browsing that website is a
  very worthwhile endeavor.  Here is Andrew's item.  PGN]

On November 3rd, the Lieutenant Governor of New Jersey issued a
directive, well covered in the media, permitting storm-displaced New
Jersey voters to vote by e-mail.  The voter is to call or e-mail the
county clerk to request an absentee ballot by e-mail or fax, then the
voter returns the ballot by e-mail or fax:

“The voter must transmit the signed waiver of secrecy along with the
voted ballot by fax or e-mail for receipt by the applicable county board
of election no later than November 6, 2012 at 8 p.m.”

We see already one problem: The loss of the secret ballot.  At many times in
the 20th century, NJ political machines put such intense pressure on voters
that the secret ballot was an important protection.  In 2012 it's in the
news that some corporations are pressuring their employees to vote in
certain ways.  The secret ballot is still critical to the functioning of

But there's a much bigger problem with the Lt. Gov. Kim Guadagno's
directive: If voters and county clerks follow her instructions, their votes
will be invalid.

Her directive reads, “Any voter who has been displaced is hereby
designated an `overseas voter for the purposes of the Overseas
Residents Absentee Voting Law, N.J.S.A. 19:59-1 et seq.

But the New Jersey Statute (at 19:59-15.4) requires an additional step that
Lt. Gov. Guadagno omitted from her directive:

N.J.S.A. 19:59-15.4(a):  Immediately after a copy of the voted overseas
ballot or federal write-in absentee ballot has been transmitted by
electronic means to the appropriate county board of elections, as
permitted pursuant to section 3 of P.L.1995, c.195 (C.19:59-14),
the overseas voter shall place the original voted ballot in a secure
envelope, together with a certificate substantially the same as provided
for in section 9 of P.L.1976, c.23 (C.19:59-9), and send the documents
by air mail to the appropriate county board of elections.

N.J.S.A. 19:59-15.4(d): Prior to certification of the results of the election,
the county board shall:

(1) compare the information on the copy transmitted by electronic means of
each voted ballot with the same on the original voted ballot sent by air
mail by the voter who transmitted to the county board a copy of the voted
ballot by electronic means, and the signature on the statement received by
electronic means with the signature on the certificate received by air mail;
and (2) ascertain whether an original voted ballot has been received for
each copy of a voted ballot received by electronic means and

Then things really get murky: The statute doesn't say what happens if the
hardcopy is not received, except that the county superintendent of elections
must investigate.  It's not difficult to imagine that these ballots will end
up in court.

I urge the Lieutenant Governor to issue a revised order, clarifying that
displaced voters must immediately follow up by mailing hardcopy identical to
their e-mailed ballot—or risk having their votes thrown out.

That hardcopy-backup requirement is there for a reason:  E-mail voting
(without a paper backup) is the most insecure form of voting there is.
We should not use it, except in extreme emergencies, and even then,
*only* with the statutorily required paper backup.

Andrew W. Appel

UPDATE [12:07 p.m. EDT 4 Nov] : Alexander Shalom of the New Jersey
ACLU reports that Robert Giles, Director of the New Jersey Division of
Elections, is aware of the paper-ballot requirement and plans to issue
clarifications.  Mr. Giles also notes that they will have the e-mail
addresses of any voters who vote by e-mail, so that election officials
can tell those voters directly to send in their hardcopy immediately.

  [As I pull this issue together, COMMENTS from Barbara Simons, Luther
  Weeks, Penny Venetis (see below), and Matt Blaze are appended to Andrew's
  blog item, and perhaps more by the time you get to check the
  Freedom-to-Tinker website.  Matt Blaze's pithy comment is that “21
  counties have been asked to design and implement a large-scale complex
  system on three-day notice. What could go wrong?”  In addition, Matt
  wrote up some preliminary thoughts last night:
  Also, in a posting to Lauren Weinstein's Network Neutrality Squad, he
  notes in response to Andrew's third paragraph above:
    “Even worse, the loony `Oh yeah, it's safe to vote by Internet!'
    contingent is sure to be fired up by all this.''
  Above all, congratulations to those voters who were able to avail
  themselves of early voting!  PGN]
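As an added illustration (not part of Andrew's post, the statute, or any county board's software), here is a small Python sketch of the reconciliation that N.J.S.A. 19:59-15.4(d) quoted above requires: compare each electronically transmitted copy with the mailed original and the two signatures, and find every copy for which no original ever arrived. Record layouts, status names and the sample data are assumptions; it also flags a voter for whom more than one electronic copy arrived, which the quoted text does not address.

```python
"""Reconciliation of electronically transmitted ballots against mailed
originals, modelled on the two checks in N.J.S.A. 19:59-15.4(d).  Added
illustration only: layouts, status names and sample data are assumptions."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ElectronicCopy:          # voted ballot as received by fax or e-mail
    voter_id: str              # identifier assigned by the clerk when the ballot was issued
    choices: str               # canonical rendering of the voted ballot (assumed format)
    statement_signature: str   # signature on the electronically received statement


@dataclass(frozen=True)
class MailedOriginal:          # original ballot and certificate from the secure envelope
    voter_id: str
    choices: str               # same canonical rendering, taken from the paper ballot
    certificate_signature: str  # signature on the certificate in the envelope


def reconcile(copies: List[ElectronicCopy],
              originals: List[MailedOriginal]) -> Dict[str, str]:
    """Return one status per voter_id.

    matched          - both (d)(1) comparisons agree: the copy may be counted
    choices-differ   - original received, but the voted choices differ from the copy
    signature-differ - original received, but the two signatures do not match
    no-original      - (d)(2): no original ballot received for this electronic copy
    duplicate-copy   - more than one electronic copy arrived for the same voter
    orphan-original  - paper arrived with no electronic copy (informational only)
    """
    status: Dict[str, str] = {}
    copies_per_voter = Counter(c.voter_id for c in copies)
    original_by_voter = {o.voter_id: o for o in originals}
    for ecopy in copies:
        vid = ecopy.voter_id
        if copies_per_voter[vid] > 1:
            status[vid] = "duplicate-copy"   # (d)(1) does not say which copy is "the" copy
            continue
        original = original_by_voter.get(vid)
        if original is None:
            status[vid] = "no-original"
        elif original.choices != ecopy.choices:
            status[vid] = "choices-differ"
        elif original.certificate_signature != ecopy.statement_signature:
            status[vid] = "signature-differ"
        else:
            status[vid] = "matched"
    for original in originals:
        status.setdefault(original.voter_id, "orphan-original")
    return status


def countable(status: Dict[str, str]) -> List[str]:
    """Voters whose electronically transmitted ballot passed both (d)(1) checks."""
    return sorted(v for v, s in status.items() if s == "matched")


def missing_hardcopy(status: Dict[str, str]) -> List[str]:
    """Voters whose e-mailed or faxed ballot has no paper original: the case the
    statute leaves to the county superintendent to investigate."""
    return sorted(v for v, s in status.items() if s == "no-original")


# Constructed sample: six electronic copies (one voter sent two) and four envelopes.
SAMPLE_COPIES = [
    ElectronicCopy("NJ-0001", "A;B", "sig-0001"),
    ElectronicCopy("NJ-0002", "A;C", "sig-0002"),
    ElectronicCopy("NJ-0003", "B;C", "sig-0003"),
    ElectronicCopy("NJ-0004", "A;B", "sig-0004"),
    ElectronicCopy("NJ-0005", "A;B", "sig-0005"),
    ElectronicCopy("NJ-0005", "A;C", "sig-0005"),   # second copy for the same voter
]
SAMPLE_ORIGINALS = [
    MailedOriginal("NJ-0001", "A;B", "sig-0001"),   # clean match
    MailedOriginal("NJ-0002", "A;B", "sig-0002"),   # choices differ from the copy
    MailedOriginal("NJ-0003", "B;C", "sig-other"),  # signature differs from the copy
    MailedOriginal("NJ-0006", "C", "sig-0006"),     # envelope with no electronic copy
    # NJ-0004 and NJ-0005: nothing received by mail
]
```

Running `reconcile(SAMPLE_COPIES, SAMPLE_ORIGINALS)` leaves only NJ-0001 countable; every other copy needs either a decision the statute does not spell out or the superintendent's investigation.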

Comments on Andrew Appel's blog item (Penny Venetis)

"Peter G. Neumann" <>
Sun, 4 Nov 2012 12:11:07 PST
Penny Venetis <> appended the following comments to
Andrew's blog item above.

Excellent points.  I would like to add the following questions and
comments to Prof. Appel's posting to demonstrate that the Lt. Governor
needs to think matters through more clearly before her directive goes
into effect.  Like Prof. Appel, I urge her to follow up with more
information AND to eliminate transmitting ballots via the Internet
completely.  Here are the questions that need answering:

1-Who is a displaced voter?  And what will be required to prove that someone
is a displaced voter?  Is a voter who is at home without power a displaced
voter?  Or must someone be unable to live in their homes to be a displaced
voter?  Is a voter who has no gas in her car and chooses to vote on line a
displaced voter?

These questions are important.  Given that this is an emergency
measure, only those who are in emergency situations, away from their
homes and unable to go to the polls should be permitted to vote
according to the Lt. Gov's directive.  Otherwise, we will be altering
the way the legislature intended voting to be conducted in NJ and will
be eliminating statutorily mandated safeguards that ensure ballot.

2-There is a danger that ballots that are sent exclusively
electronically and not accompanied by a paper ballot will either not be
counted, or treated as provisional ballots.  Provisional ballots are
ballots that have been deemed suspect in some fashion.  They are
different from emergency paper ballots, which are treated, by statute,
as facially valid ballots. Study after study has shown, including in NJ,
that too many provisional ballots are discarded.  That is why Prof.
Appel's request that the Lt. Governor make public announcements that
the e-mailed ballot be accompanied by a mail in ballot is critical.

3-For this reason alone, we do not need the extra administrative step of
e-mailing ballots.  I believe that the overseas ballot statute makes clear
that the e-mailed ballot will not count unless it is accompanied by a paper
back up.  Why have voters in the US use this two step process?  It is safer,
and preserves ballot secrecy if only a mail in ballot is required.  Using
mail in ballots exclusively may delay vote counting.  But, the integrity of
the vote is paramount, and elections do not have to be certified until at
least a week after Election Day.  There is no constitutional right to having
election results announced on Election Day itself.

In sum, I would recommend the following:

A.  Only truly displaced voters should be permitted to vote under the
directive.  Those are voters who cannot live in their homes and have no
ability to vote in person in their county polling places.

B.  That no executed ballot be submitted electronically.  Ballots can
be e-mailed to voters.  But, the completed ballot should be sent in via
mail.  This preserves ballot secrecy and makes the tabulation process
easier for already over-extended election officials.

Penny Venetis

Fiddling voting machines in Ohio

Doug McIlroy <>
Sat, 03 Nov 2012 22:34:43 -0400
The *Columbus Free Press* tells how to tack uncertified parts onto certified
systems—at least in trustworthy places such as Ohio:

The *Free Press* has obtained internal memos from the senior staff of the
Ohio Secretary of State's office confirming the installation of untested and
uncertified election tabulation software. Yesterday, the *Free Press*
reported that `experimental' software patches were installed on ES&S voting
machines in 39 Ohio counties.  ...  this last minute `experimental' software
update will supposedly transmit custom election night reports to the
Secretary of State's office from the county boards of elections, bypassing
the normal election night reporting methods.

[Election Counsel] Seske explains “It is not part of the certified Unity
system, so it did not require federal testing.”

  [See also Aviva Shen, 1 Nov 2012, Ohio's Ballot Woes Could Delay Election
  Results for Weeks, in ThinkProgress: The Columbus Dispatch reported that a
  data-sharing glitch and mistakes by election officials have caused
  thousands of absentee ballot requests to be rejected. This absentee ballot
  fiasco is just the latest in Ohio's dysfunctional election saga.  PGN]

A Huffington Post blog on Recount Roulette

Barbara Simons <simons@ACM.ORG>
Sun, 4 Nov 2012 07:53:41 -0800
Yesterday afternoon the Huff Po posted "Recount Roulette", an article that I
co-authored with Mark Halvorson.  You can find it at

Recount Roulette
Mark Halvorson and Barbara Simons

We risk an election meltdown worse than the Florida 2000 debacle when the
presidential election came down to hanging chads and chaos. This time we are
looking at another razor close result and perhaps another recount.

However, if a recount is required in either of two key states — Virginia
and Pennsylvania — we risk catastrophe, because most of those votes will
be cast on paperless voting machines that are impossible to recount.

To make matters even worse, the wake of superstorm Sandy could cause
disruption on Election Day.  Polling places without paper ballots that
lack power will have to close, resulting in voter
disenfranchisement.  This is inexcusable, especially as
voting advocates have long urged states to provide emergency paper

Other states present their own hazardous recount challenges. About one
quarter of voters nationwide will use paperless direct-recording electronic
(DRE) voting machines, most of which have touch screens.  Unfortunately, the
DRE software can store voters' choices incorrectly.  Software is notoriously
buggy, which is why software vendors, notably Microsoft and Apple, are
forever sending out software fixes, many of which patch security

In the event of a recount, paperless DREs will spit out the same unverified
numbers as before, numbers that could be wrong.  There will be no paper
ballots that accurately represent the voters' choices to determine the
correct outcome.  For example, during the June 2011 Democratic primary in
Cumberland County, New Jersey, an incorrectly programmed paperless DRE
switched votes, causing the actual losers to be declared victors.  In
this small election the declared losers, knowing they had received more
votes than the DRE reported, obtained enough supporter affidavits to have
the election overturned and a new one ordered. Had there been paper ballots,
a new election would have been unnecessary, because the paper ballots could
have been recounted.  In addition, two notoriously unsound paperless DRE
systems are widely used in Virginia, years after their inadequacies had been
exposed.  The AVS WINVote and the Unilect Patriot were both decertified
in Pennsylvania.   In two other battleground states, Colorado and
Florida, many votes will be cast on paperless DREs. None of these votes can
be recounted.

Florida legislators, with memories of 2000, seem determined to *prevent
recounts*.  Because of drastic changes to state election code that severely
restrict how many ballots are counted by hand, it is essentially impossible
to conduct a valid statewide recount.  According to Ion Sancho, Director of
Elections for Leon County, ``Florida does not allow a manual count for over
99% of its ballots.'' Another machine failure that changed election outcomes
occurred in the March 2012 municipal election in Wellington, FL.  Two losing
candidates were declared winners by voting system software that incorrectly
swapped totals among candidates.  The discrepancy, discovered during a
post-election audit, resulted in numerous court hearings.  Eventually, a
hand count of the ballots confirmed that the original electronic tally was
wrong.  County elections director Susan Bucher said,
``Frankly, without paper ballots and without audits, we would have let the
wrong winners serve.''

The following swing states do not guarantee that all of their paper ballots
will be hand counted in a recount: Colorado, Florida, Iowa, Ohio, North
Carolina and Wisconsin.  Instead, these states allow paper ballots to be
re-scanned or `retabulated' by the same voting machines (optical scanners)
that counted the ballots on election day.

Here's why this poses a problem.  As illustrated by the Wellington and
Cumberland near-fiascos, machine retabulation ignores the risks that
computer-reported results could be incorrect, either because of software
failure or hidden malicious software that manipulates results.

What should be done at this late date? All jurisdictions that have both
paperless DREs and paper ballots with optical scanners should strongly
encourage voters to vote on paper ballots.  Jurisdictions that allow
either a manual recount or a machine retabulation should count by hand.

We need legislation to ensure that every state uses only paper ballot
systems and conducts meaningful audits and recounts.  Accurate and
verifiable elections are essential for our democracy so that all voters
trust election outcomes.  We must stop spinning the
recount roulette wheel.

Mark Halvorson, founder and former director of Citizens for Election
Integrity Minnesota, organized non-partisan observations of Minnesota's 2008
and 2010 recounts and created a database
( for
recount laws.

Barbara Simons, co-author of the recently published Broken Ballots: Will
Your Vote Count (") is retired from IBM
research, Board Chair of Verified Voting, and a former President of ACM, the
oldest and largest scientific society for computing professionals.

Charlie Rose show on elections

Barbara Simons <>
Sun, 04 Nov 2012 09:31:00 -0800
I was recently on the Charlie Rose show, where I spoke about the risks of the
electronic voting machines and Internet voting.
The topic was "Broken Ballots: Will Your Vote Count?", the book that I
co-authored with Doug Jones (

While I discussed the possibility of major meltdowns in the upcoming
election, I had no idea that we would be seeing the kinds of problems that
confront the victims of Hurricane Sandy - on top of all the other risks.  We
really need a major overhaul of much of the currently deployed election
technology, together with new election laws that mandate post-election
manual ballot audits and recounts.

Excerpt from Oct 2012 CACM article by Simons and Jones

"Peter G. Neumann" <>
Sun, 4 Nov 2012 10:22:12 PST
The assertion that Internet voting is the wave of the future has become
commonplace. We frequently are asked, "If I can bank online, why can't I
vote online?" The question assumes that online banking is safe and
secure. However, banks routinely and quietly replenish funds lost to online
fraud in order to maintain public confidence.

We are told Internet voting would help citizens living abroad or in the
military who currently have difficulty voting. Recent federal legislation to
improve the voting process for overseas citizens is a response to that
problem. The legislation, which has eliminated most delays, requires states
to provide downloadable blank ballots but does not require the insecure
return of voted ballots.

Yet another claim is that e-mail voting is safer than Web-based voting, but
no e-mail program in widespread use today provides direct support for
encrypted e-mail. As a result, attachments are generally sent in the clear,
and e-mail ballots are easy to intercept and inspect, violating voters'
right to a secret ballot. Intercepted ballots may be modified or discarded
without forwarding. Moreover, the ease with which a From header can be
forged means it is relatively simple to produce large numbers of forged
ballots. These special risks faced by e-mail ballots are in addition to the
general risks posed by all Internet-based voting schemes.

Many advocates also maintain that Internet voting will increase voter
participation, save money, and is safe. We find the safety argument
surprising in light of frequent government warnings of cybersecurity threats
and news of powerful government-developed viruses. We see little benefit in
measures that might improve voter turnout while casting doubt on the
integrity of the results.

Almost all the arguments on behalf of Internet voting ignore a critical risk:
theft. In the days of hand-counted paper ballots, election theft was
conducted at the retail level by operatives at polling places and local
election offices. By contrast, introduction of computers into the voting
process created the threat that elections can be stolen by inserting malware
into code on large numbers of machines. The situation is even more dangerous
with Internet voting, since both the central servers and the voters'
computers are potentially under attack from everywhere.

Despite the serious threats it poses to election integrity, Internet voting
is being used in several countries and U.S. states, and there is increasing
public pressure to adopt it elsewhere. We examine some of these threats, in
the hope of encouraging the technical community to oppose Internet voting
unless and until the threats are eliminated.

Romney and Obama campaign websites leak PII

Jeremy Epstein <jeremy.j.epstein@GMAIL.COM>
Sat, 3 Nov 2012 14:07:19 -0400
According to a NYT article, a Stanford grad student has determined that the
Romney and Obama campaign websites are leaking PII through URLs, etc.

  Several pages on the Obama site included a user's personal information in
  the page title at the top of the page or in the URL address, Mr. Mayer
  said, thereby giving third parties operating on the site the opportunity
  to collect identifying data. The information flowing to third parties, he
  said, variously included the username; the proper name under which a
  person registered; and their street address and ZIP code.

  On the Romney site, Mr. Mayer said, he found that a number of pages
  included the user's name in the page title. Many pages also included a
  unique numerical ID number in the URL, which flowed to third parties, he

Nothing really unusual - there's lots of PII leakage in lots of sites, but
seems relevant given the policy issues associated with PII protection.
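As an added illustration (not from the NYT article, Mayer's study, or either campaign site), a small Python check for the two channels the article names: given a user's registered data plus the URL and HTML of a page served to that user, it reports which fields appear in the URL path, query string, fragment or page title, and how each of those channels reaches parties other than the site. The user record, URL, page and field names are constructed; the reach descriptions are general browser behaviour, not something the article states.

```python
"""Check whether a registered user's own data shows up in the URL or the
<title> of a page served to that user.  Added illustration; the user record,
URL and page below are constructed, and the field names are assumptions."""
import re
from typing import Dict, List
from urllib.parse import parse_qsl, unquote, urlsplit

# How each channel reaches parties other than the site itself (general browser
# behaviour).  The fragment is never sent in the Referer header, but any script
# running on the page can read it, as it can read the title.
REACH = {
    "path": "Referer header to third-party resources; server and proxy logs",
    "query": "Referer header to third-party resources; server and proxy logs",
    "fragment": "readable by every script on the page (not sent in Referer)",
    "title": "readable by every script on the page; analytics 'page title' fields",
}


def title_of(html: str) -> str:
    """Extract the <title> text with whitespace collapsed, or '' when absent."""
    m = re.search(r"<title[^>]*>(.*?)</title>", html, re.I | re.S)
    return re.sub(r"\s+", " ", m.group(1)).strip() if m else ""


def channels_of(url: str, html: str) -> Dict[str, str]:
    """Percent-decoded text of each channel, lower-cased for matching."""
    parts = urlsplit(url)
    query = " ".join(f"{k}={v}"
                     for k, v in parse_qsl(parts.query, keep_blank_values=True))
    return {
        "path": unquote(parts.path).lower(),
        "query": query.lower(),
        "fragment": unquote(parts.fragment).lower(),
        "title": title_of(html).lower(),
    }


def pii_exposure(user: Dict[str, str], url: str, html: str) -> Dict[str, List[str]]:
    """Map each user field whose value appears in some channel to the channels
    (in REACH order) that expose it.  Values under three characters are skipped
    so that tiny tokens do not match by accident."""
    texts = channels_of(url, html)
    found: Dict[str, List[str]] = {}
    for field, value in user.items():
        needle = str(value).strip().lower()
        if len(needle) < 3:
            continue
        hits = [ch for ch in REACH if needle in texts[ch]]
        if hits:
            found[field] = hits
    return found


def report(user: Dict[str, str], url: str, html: str) -> List[str]:
    """One human-readable line per (field, channel) pair, with the reach."""
    return [f"{field} via {ch}: {REACH[ch]}"
            for field, chs in pii_exposure(user, url, html).items() for ch in chs]


# Constructed sample (not taken from either campaign site).
SAMPLE_USER = {"id": "7719", "username": "jdoe42", "name": "Jane Doe",
               "street": "12 Elm St", "zip": "08540"}
SAMPLE_URL = "https://example.invalid/u/jdoe42/dashboard?zip=08540&uid=7719#events"
SAMPLE_HTML = "<html><head><title>Jane Doe - Your Dashboard</title></head></html>"
```

For the sample, `report(SAMPLE_USER, SAMPLE_URL, SAMPLE_HTML)` lists the numeric ID and ZIP code leaking through the query string, the username through the path and the full name through the title, which is the same pattern the article describes.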

Sandy wreaks havoc on Internet infrastructure

Lauren Weinstein <>
Tue, 30 Oct 2012 22:06:43 -0700
  "Datacenter sites and co-location centers in and around New York City are
  struggling to stay online with varying degrees of success. And there are
  reports of intermittent issues with undersea cables crossing the Atlantic
  Ocean."  (Barb Darrow, 30 Oct, 2012, in Gigaom via NNSquad)

Hurricane Sandy knocked out a phone line 3000+ miles away

John Pettitt <>
Mon, 29 Oct 2012 21:30:03 -0700

Due to Hurricane Sandy on the East Coast, calls may not ring though to the
Network Operations Hotline. This does not affect calls to Customer Support.

Makes me wonder what it would take to knock my home phone (and 911) access
out - which distant disaster could knock my VOIP provider offline?  Clearly
VOIP is not provisioned with the same redundancy as traditional "plain old
telephone service".

Restoring wired service after Sandy may take 2 weeks, Verizon says (Stephen Lawson)

Monty Solomon <>
Sat, 3 Nov 2012 23:10:27 -0400
Stephen Lawson, *Computerworld*, 2 Nov 2012 (IDG News Service)
In the worst-hit areas, lack of power is preventing the carrier from
bringing back phone, Internet and video service

Consumers in the areas hardest hit by Hurricane Sandy may not get wired
phone, Internet and video service back for as long as two weeks, Verizon
Communications warned on Friday, while the FCC reported continued slow
progress by carriers in restoring mobile coverage.

The wired service outages could include the company's high-speed FiOS
fiber-optic service as well as data and voice services over copper lines,
Verizon spokesman Alberto Canal said. Verizon can't restore many of its
services in areas that still don't have commercial power, he said. For
safety reasons, the carrier's crews have to wait until power cables are
placed before bringing communications back, he said.

Friday's time estimate by Verizon, the incumbent wireline carrier based in
New York, was its longest yet. Though service is steadily being restored,
the deadly storm that made landfall late Monday with ferocious winds, rain
and floods has proved also to be a lingering communications catastrophe for
residents of some areas. ...

Hurricane Sandy also disrupts cellular networks and wired Internet
AT&T, Verizon, T-Mobile, and Sprint are all hit by outages.

Wed, 31 Oct 2012 01:26:33 -0400
Jon Brodkin, Ars Technica, 30 Oct 2012

In addition to taking New York City data centers offline, Hurricane Sandy
has disrupted cellular service and wired Internet, TV, and phone services
from major providers.

AT&T, Verizon Wireless, T-Mobile, and Sprint have all acknowledged cellular
outages.  Wireline services are also being disrupted. Verizon (the
non-wireless part of the company) has acknowledged loss in service for FiOS
voice, Internet, and video, as well as non-FiOS Internet and phone
services. ...

Hurricane Sandy takes data centers offline with flooding, power outages
Hosting customers stranded as generators in NY data centers run out of fuel.

Jon Brodkin, 30 Oct 2012

In Sandy's Wake, Cellphone Users Steaming at Hit-or-Miss Service

Lauren Weinstein <>
Sat, 3 Nov 2012 11:39:20 -0700  (*The New York Times* via NNSquad)

  "To wireless customers, cellphone networks might seem to be made out of
  thin air. But they are plenty vulnerable to catastrophic storms - and
  bringing service back can take an excruciatingly long time."

As I've said many times, not having at least one conventional landline
phone (ideally powered over copper from the central office) puts you at a
terrible disadvantage in emergencies.  Cell networks are the first to become
overloaded, first to fail, and the hardest to restore.
