This issue of RISKS is a just-in-time special issue before the Tuesday U.S. elections. A bunch of relevant items just happened to come in over the weekend, nudging me to swing into gear. After many years of tilting at the windmills of voting integrity, I am once again prompted to editorialize on a variety of related topics.

The state and federal roles thus far have been rather inadequate, failing to provide any meaningful assurances whatever that elections can be run without serious problems, and these roles have often become strongly politicized. It is clear that some sort of oversight is necessary to ensure integrity throughout the entire election process—from beginning to end. At present, every step along the way is a potential weak link, with respect to accidental and intentional misuse as well as deceptive practices that create abounding voter confusion. It is also clear that much greater accountability is necessary, particularly in cases where rectification of egregious problems is difficult or in some cases rendered essentially impossible by short-sighted legislation and regulations, inadequacies of proprietary systems, and the lack of foresight and planning for exceptional conditions such as clearly evident election irregularities.

However, these considerations have been made much worse by what has happened in the past week leading up to the U.S. election on Tuesday: Hurricane Sandy, with its ensuing losses of power and Internet access, shut-downs of public transit and businesses, and losses of life and property. The federal, state, and local government responses have generally been exceptional, although Election Day on the east coast is expected to be severely complicated as a result. As noted in this RISKS issue, various attempts are being made to reduce the hardships that voters are likely to experience.

However, inherent weaknesses in the election process are likely to make some of the would-be fixes even more vulnerable to unfortunate disruptions and even willful misuse. Not incidentally, when you have neither electricity nor the ability to travel (no gas, no subways, etc.), and polling places with no power that have to be relocated, voting in person may be exceedingly difficult and confused by misleading reports of voting site availability. Furthermore, proposed emergency alternatives of voting by Internet or e-mail, or even trying to print a ballot from the Web, are likely to be problematic in the absence of electrical power, supposedly trustworthy computers, the rush to provide those alternatives without any real assurances, and so on!

PGN

A few of the most relevant items are included in this issue. There is much more that should be said before Tuesday's election, but this RISKS issue is already full of grist for the mill and needs to be out sooner than that. I hope my hastily concocted points above resonate with everyone nonpartisan enough to understand the RISKS. Unfortunately, certain partisan behaviors relating to the election process further muddle up the works, and could even leave us in doubt about the results for a longer time than in 2000. My bottom line here is that much more attention needs to be devoted to proactive planning for the future, rather than simply waiting for the next environmental catastrophe, or the next heatedly disputed local or national election. (See my article on the needs for long-term thinking in the October 2012 CACM: http://www.csl.sri.com/neumann/insiderisks.html#228 or more directly http://www.csl.sri.com/neumann/cacm228.pdf)

PGN
[The Freedom-to-Tinker website provides an amazing ongoing collection of thought pieces. The latest, by Andrew Appel, appeared just in time for this issue of RISKS. And it is just one of many items there that is specifically related to election integrity. Browsing that website is a very worthwhile endeavor. Here is Andrew's item. PGN]

On November 3rd, the Lieutenant Governor of New Jersey issued a directive, well covered in the media, permitting storm-displaced New Jersey voters to vote by e-mail. The voter is to call or e-mail the county clerk to request an absentee ballot by e-mail or fax, then the voter returns the ballot by e-mail or fax: "The voter must transmit the signed waiver of secrecy along with the voted ballot by fax or e-mail for receipt by the applicable county board of election no later than November 6, 2012 at 8 p.m." <http://www.state.nj.us/state/elections/2012-results/directive-email-voting.pdf>

We see already one problem: the loss of the secret ballot. At many times in the 20th century, NJ political machines put such intense pressure on voters that the secret ballot was an important protection. In 2012 it's in the news that some corporations are pressuring their employees to vote in certain ways. The secret ballot is still critical to the functioning of democracy.

But there's a much bigger problem with Lt. Gov. Kim Guadagno's directive: if voters and county clerks follow her instructions, their votes will be invalid. Her directive reads, "Any voter who has been displaced is hereby designated an 'overseas voter' for the purposes of the Overseas Residents Absentee Voting Law, N.J.S.A. 19:59-1 et seq." <http://www.state.nj.us/state/elections/2012-results/directive-email-voting.pdf> But the New Jersey Statute (at 19:59-15.4) requires an additional step that Lt. Gov. Guadagno omitted from her directive:

N.J.S.A. 19:59-15.4(a): Immediately after a copy of the voted overseas ballot or federal write-in absentee ballot has been transmitted by electronic means to the appropriate county board of elections, as permitted pursuant to section 3 of P.L.1995, c.195 (C.19:59-14), the overseas voter shall place the original voted ballot in a secure envelope, together with a certificate substantially the same as provided for in section 9 of P.L.1976, c.23 (C.19:59-9), and send the documents by air mail to the appropriate county board of elections.

N.J.S.A. 19:59-15.4(d): Prior to certification of the results of the election, the county board shall: (1) compare the information on the copy transmitted by electronic means of each voted ballot with the same on the original voted ballot sent by air mail by the voter who transmitted to the county board a copy of the voted ballot by electronic means, and the signature on the statement received by electronic means with the signature on the certificate received by air mail; and (2) ascertain whether an original voted ballot has been received for each copy of a voted ballot received by electronic means and counted.

Then things really get murky: The statute doesn't say what happens if the hardcopy is not received, except that the county superintendent of elections must investigate. It's not difficult to imagine that these ballots will end up in court.

I urge the Lieutenant Governor to issue a revised order, clarifying that displaced voters must immediately follow up by mailing hardcopy identical to their e-mailed ballot—or risk having their votes thrown out. That hardcopy-backup requirement is there for a reason: E-mail voting (without a paper backup) is the most insecure form of voting there is. We should not use it, except in extreme emergencies, and even then, *only* with the statutorily required paper backup.

Andrew W. Appel

UPDATE [12:07 p.m. EDT 4 Nov]: Alexander Shalom of the New Jersey ACLU reports that Robert Giles, Director of the New Jersey Division of Elections, is aware of the paper-ballot requirement and plans to issue clarifications. Mr. Giles also notes that they will have the e-mail addresses of any voters who vote by e-mail, so that election officials can tell those voters directly to send in their hardcopy immediately.

https://freedom-to-tinker.com/blog/appel/nj-lt-governor-invites-voters-to-submit-invalid-ballots/

[As I pull this issue together, COMMENTS from Barbara Simons, Luther Weeks, Penny Venetis (see below), and Matt Blaze are appended to Andrew's blog item, and perhaps more by the time you get to check the Freedom-to-Tinker website. Matt Blaze's pithy comment is that "21 counties have been asked to design and implement a large-scale complex system on three-day notice. What could go wrong?" In addition, Matt wrote up some preliminary thoughts last night: http://www.crypto.com/blog/njvoting). Also, in a posting to Lauren Weinstein's Network Neutrality Squad, he notes in response to Andrew's third paragraph above: "Even worse, the loony 'Oh yeah, it's safe to vote by Internet!' contingent is sure to be fired up by all this." Above all, congratulations to those voters who were able to avail themselves of early voting! PGN]
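The two-step check in N.J.S.A. 19:59-15.4(d) quoted above (compare each electronic copy with its air-mailed original, then confirm an original exists for every electronic copy that is counted) is essentially a reconciliation between two record sets. The following is an added illustration of that check, not code from Andrew's post or from any county board's system; the Ballot fields, the voter identifier that links the two copies, and all sample records are constructed assumptions. It also applies the directive's 8 p.m. November 6 receipt deadline and rejects a second electronic copy from the same voter, two cases a real reconciliation must handle.

```python
"""Reconciliation of electronically transmitted ballots against their
air-mailed originals, modelled on N.J.S.A. 19:59-15.4(d). Added
illustration with constructed records; field names are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# Receipt deadline for the electronic copy, from the Lt. Governor's directive.
ELECTRONIC_DEADLINE = datetime(2012, 11, 6, 20, 0)


@dataclass(frozen=True)
class Ballot:
    voter_id: str             # assumed identifier linking the two copies
    choices: Tuple[str, ...]  # selections, one per contest, in contest order
    signature: str            # stand-in for the signed certificate text
    received: datetime        # when the county board received this copy


def reconcile(electronic: List[Ballot], mailed: List[Ballot]) -> Dict[str, List[str]]:
    """Sort each electronically received ballot into exactly one bucket.
    Only 'countable' ballots may be tallied; every other bucket is a case
    the statute leaves for the superintendent of elections to investigate."""
    originals = {b.voter_id: b for b in mailed}
    report: Dict[str, List[str]] = {
        "countable": [], "late": [], "duplicate": [],
        "missing_original": [], "content_mismatch": [], "signature_mismatch": [],
    }
    seen = set()
    for e in electronic:
        if e.voter_id in seen:
            # A second electronic copy from the same voter is never counted twice.
            report["duplicate"].append(e.voter_id)
            continue
        seen.add(e.voter_id)
        if e.received > ELECTRONIC_DEADLINE:
            report["late"].append(e.voter_id)
        elif e.voter_id not in originals:
            # 15.4(d)(2): no hardcopy has been received for this electronic copy.
            report["missing_original"].append(e.voter_id)
        elif e.choices != originals[e.voter_id].choices:
            # 15.4(d)(1): the electronic copy and the mailed original disagree.
            report["content_mismatch"].append(e.voter_id)
        elif e.signature != originals[e.voter_id].signature:
            # 15.4(d)(1): signature on the e-mailed statement differs from the certificate.
            report["signature_mismatch"].append(e.voter_id)
        else:
            report["countable"].append(e.voter_id)
    return report


def demo() -> Dict[str, List[str]]:
    """Constructed sample: six electronic submissions, four mailed originals."""
    on_time = datetime(2012, 11, 5, 12, 0)
    late = datetime(2012, 11, 6, 20, 30)          # after the 8 p.m. deadline
    arrived = datetime(2012, 11, 9)               # hardcopies arrive days later
    electronic = [
        Ballot("V001", ("A", "X"), "sig-001", on_time),
        Ballot("V002", ("B", "Y"), "sig-002", on_time),   # no hardcopy ever arrives
        Ballot("V003", ("A", "Y"), "sig-003", on_time),   # hardcopy shows different choices
        Ballot("V004", ("B", "X"), "sig-004", late),
        Ballot("V005", ("A", "X"), "sig-005", on_time),   # hardcopy signature differs
        Ballot("V001", ("A", "X"), "sig-001", on_time),   # duplicate submission
    ]
    mailed = [
        Ballot("V001", ("A", "X"), "sig-001", arrived),
        Ballot("V003", ("B", "Y"), "sig-003", arrived),
        Ballot("V004", ("B", "X"), "sig-004", arrived),
        Ballot("V005", ("A", "X"), "sig-005-other", arrived),
    ]
    return reconcile(electronic, mailed)


if __name__ == "__main__":
    for bucket, ids in demo().items():
        print(f"{bucket:>18}: {ids}")
```

Of the six constructed submissions only one ends up countable; the other five each land in a different investigation bucket, which is the point of the statute's paper-backup requirement: without the mailed original there is nothing to compare an e-mailed ballot against.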
Penny Venetis <email@example.com> appended the following comments to Andrew's blog item above.

Excellent points. I would like to add the following questions and comments to Prof. Appel's posting to demonstrate that the Lt. Governor needs to think matters through more clearly before her directive goes into effect. Like Prof. Appel, I urge her to follow up with more information AND to eliminate transmitting ballots via the Internet completely. Here are the questions that need answering:

1- Who is a displaced voter? And what will be required to prove that someone is a displaced voter? Is a voter who is at home without power a displaced voter? Or must someone be unable to live in their homes to be a displaced voter? Is a voter who has no gas in her car and chooses to vote online a displaced voter? These questions are important. Given that this is an emergency measure, only those who are in emergency situations, away from their homes and unable to go to the polls should be permitted to vote according to the Lt. Gov's directive. Otherwise, we will be altering the way the legislature intended voting to be conducted in NJ and will be eliminating statutorily mandated safeguards that ensure ballot.

2- There is a danger that ballots that are sent exclusively electronically and not accompanied by a paper ballot will either not be counted, or treated as provisional ballots. Provisional ballots are ballots that have been deemed suspect in some fashion. They are different from emergency paper ballots, which are treated, by statute, as facially valid ballots. Study after study has shown, including in NJ, that too many provisional ballots are discarded. That is why Prof. Appel's request that the Lt. Governor make public announcements that the e-mailed ballot be accompanied by a mail-in ballot is critical.

3- For this reason alone, we do not need the extra administrative step of e-mailing ballots. I believe that the overseas ballot statute makes clear that the e-mailed ballot will not count unless it is accompanied by a paper backup. Why have voters in the US use this two-step process? It is safer, and preserves ballot secrecy, if only a mail-in ballot is required. Using mail-in ballots exclusively may delay vote counting. But the integrity of the vote is paramount, and elections do not have to be certified until at least a week after Election Day. There is no constitutional right to having election results announced on Election Day itself.

In sum, I would recommend the following:

A. Only truly displaced voters should be permitted to vote under the directive. Those are voters who cannot live in their homes and have no ability to vote in person in their county polling places.

B. That no executed ballot be submitted electronically. Ballots can be e-mailed to voters. But the completed ballot should be sent in via mail. This preserves ballot secrecy and makes the tabulation process easier for already over-extended election officials.

Penny Venetis
The *Columbus Free Press* tells how to tack uncertified parts onto certified systems—at least in trustworthy places such as Ohio:

The *Free Press* has obtained internal memos from the senior staff of the Ohio Secretary of State's office confirming the installation of untested and uncertified election tabulation software. Yesterday, the *Free Press* reported that 'experimental' software patches were installed on ES&S voting machines in 39 Ohio counties. ... this last minute 'experimental' software update will supposedly transmit custom election night reports to the Secretary of State's office from the county boards of elections, bypassing the normal election night reporting methods. [Election Counsel] Seske explains "It is not part of the certified Unity system, so it did not require federal testing."

http://www.freepress.org/departments/display/19/2012/4768

[See also Aviva Shen, 1 Nov 2012, Ohio's Ballot Woes Could Delay Election Results for Weeks, in ThinkProgress: The Columbus Dispatch reported that a data-sharing glitch and mistakes by election officials have caused thousands of absentee ballot requests to be rejected. This absentee ballot fiasco is just the latest in Ohio's dysfunctional election saga. PGN]
Yesterday afternoon the Huff Po posted "Recount Roulette", an article that I co-authored with Mark Halvorson. You can find it at http://www.huffingtonpost.com/barbara-simons/voting-ballots-recount_b_2069192.html?utm_hp_ref=politics

Recount Roulette
Mark Halvorson and Barbara Simons

We risk an election meltdown worse than the Florida 2000 debacle when the presidential election came down to hanging chads and chaos. This time we are looking at another razor-close result and perhaps another recount. However, if a recount is required in either of two key states — Virginia and Pennsylvania — we risk catastrophe, because most of those votes will be cast on paperless voting machines that are impossible to recount.

To make matters even worse, the wake of superstorm Sandy could cause disruption on Election Day. Polling places without paper ballots that lack power will have to close, resulting in voter disenfranchisement. This is inexcusable, especially as voting advocates have long urged states to provide emergency paper ballots.

Other states present their own hazardous recount challenges. About one quarter of voters nationwide will use paperless direct-recording electronic (DRE) voting machines, most of which have touch screens. Unfortunately, the DRE software can store voters' choices incorrectly. Software is notoriously buggy, which is why software vendors, notably Microsoft and Apple, are forever sending out software fixes, many of which patch security holes. In the event of a recount, paperless DREs will spit out the same unverified numbers as before, numbers that could be wrong. There will be no paper ballots that accurately represent the voters' choices to determine the correct outcome.

For example, during the June 2011 Democratic primary in Cumberland County, New Jersey, an incorrectly programmed paperless DRE switched votes, causing the actual losers to be declared victors. In this small election the declared losers, knowing they had received more votes than the DRE reported, obtained enough supporter affidavits to have the election overturned and a new one ordered. Had there been paper ballots, a new election would have been unnecessary, because the paper ballots could have been recounted.

In addition, two notoriously unsound paperless DRE systems are widely used in Virginia, years after their inadequacies had been exposed. The AVS WINVote and the Unilect Patriot were both decertified in Pennsylvania. In two other battleground states, Colorado and Florida, many votes will be cast on paperless DREs. None of these votes can be recounted.

Florida legislators, with memories of 2000, seem determined to *prevent recounts*. Because of drastic changes to state election code that severely restrict how many ballots are counted by hand, it is essentially impossible to conduct a valid statewide recount. According to Ion Sancho, Director of Elections for Leon County, "Florida does not allow a manual count for over 99% of its ballots."

Another machine failure that changed election outcomes occurred in the March 2012 municipal election in Wellington, FL. Two losing candidates were declared winners by voting system software that incorrectly swapped totals among candidates. The discrepancy, discovered during a post-election audit, resulted in numerous court hearings. Eventually, a hand count of the ballots confirmed that the original electronic tally was wrong. County elections director Susan Bucher said, "Frankly, without paper ballots and without audits, we would have let the wrong winners serve."

The following swing states do not guarantee that all of their paper ballots will be hand counted in a recount: Colorado, Florida, Iowa, Ohio, North Carolina and Wisconsin. Instead, these states allow paper ballots to be re-scanned or 'retabulated' by the same voting machines (optical scanners) that counted the ballots on election day. Here's why this poses a problem. As illustrated by the Wellington and Cumberland near-fiascos, machine retabulation ignores the risks that computer-reported results could be incorrect, either because of software failure or hidden malicious software that manipulates results.

What should be done at this late date? All jurisdictions that have both paperless DREs and paper ballots with optical scanners should strongly encourage voters to vote on paper ballots. Jurisdictions that allow either a manual recount or a machine retabulation should count by hand. We need legislation to ensure that every state uses only paper ballot systems and conducts meaningful audits and recounts. Accurate and verifiable elections are essential for our democracy so that all voters trust election outcomes. We must stop spinning the recount roulette wheel.

Mark Halvorson, founder and former director of Citizens for Election Integrity Minnesota, organized non-partisan observations of Minnesota's 2008 and 2010 recounts and created a database (http://ceimn.org/ceimn-state-recount-laws-searchable-database/) for recount laws. Barbara Simons, co-author of the recently published Broken Ballots: Will Your Vote Count? (http://www.brokenballots.com/) is retired from IBM research, Board Chair of Verified Voting, and a former President of ACM, the oldest and largest scientific society for computing professionals.
I was recently on the Charlie Rose show, where I spoke about the risks of the electronic voting machines and Internet voting. http://www.bloomberg.com/video/author-barbara-simons-on-broken-ballots-book-WvcqDqijSTGGIoh4mfvung.html The topic was "Broken Ballots: Will Your Vote Count?", the book that I co-authored with Doug Jones (http://www.brokenballots.com). While I discussed the possibility of major meltdowns in the upcoming election, I had no idea that we would be seeing the kinds of problems that confront the victims of Hurricane Sandy - on top of all the other risks. We really need a major overhaul of much of the currently deployed election technology, together with new election laws that mandate post-election manual ballot audits and recounts.
The assertion that Internet voting is the wave of the future has become commonplace. We frequently are asked, "If I can bank online, why can't I vote online?" The question assumes that online banking is safe and secure. However, banks routinely and quietly replenish funds lost to online fraud in order to maintain public confidence.

We are told Internet voting would help citizens living abroad or in the military who currently have difficulty voting. Recent federal legislation to improve the voting process for overseas citizens is a response to that problem. The legislation, which has eliminated most delays, requires states to provide downloadable blank ballots but does not require the insecure return of voted ballots.

Yet another claim is that e-mail voting is safer than Web-based voting, but no e-mail program in widespread use today provides direct support for encrypted e-mail. As a result, attachments are generally sent in the clear, and e-mail ballots are easy to intercept and inspect, violating voters' right to a secret ballot. Intercepted ballots may be modified or discarded without forwarding. Moreover, the ease with which a From header can be forged means it is relatively simple to produce large numbers of forged ballots. These special risks faced by e-mail ballots are in addition to the general risks posed by all Internet-based voting schemes.

Many advocates also maintain that Internet voting will increase voter participation, save money, and is safe. We find the safety argument surprising in light of frequent government warnings of cybersecurity threats and news of powerful government-developed viruses. We see little benefit in measures that might improve voter turnout while casting doubt on the integrity of the results.

Almost all the arguments on behalf of Internet voting ignore a critical risk: theft. In the days of hand-counted paper ballots, election theft was conducted at the retail level by operatives at polling places and local election offices. By contrast, introduction of computers into the voting process created the threat that elections can be stolen by inserting malware into code on large numbers of machines. The situation is even more dangerous with Internet voting, since both the central servers and the voters' computers are potentially under attack from everywhere. Despite the serious threats it poses to election integrity, Internet voting is being used in several countries and U.S. states, and there is increasing public pressure to adopt it elsewhere. We examine some of these threats, in the hope of encouraging the technical community to oppose Internet voting unless and until the threats are eliminated.
According to a NYT article, a Stanford grad student has determined that the Romney and Obama campaign websites are leaking PII through URLs, etc. Several pages on the Obama site included a user's personal information in the page title at the top of the page or in the URL address, Mr. Mayer said, thereby giving third parties operating on the site the opportunity to collect identifying data. The information flowing to third parties, he said, variously included the username; the proper name under which a person registered; and their street address and ZIP code. On the Romney site, Mr. Mayer said, he found that a number of pages included the user's name in the page title. Many pages also included a unique numerical ID number in the URL, which flowed to third parties, he said. Nothing really unusual - there's lots of PII leakage in lots of sites, but seems relevant given the policy issues associated with PII protection. http://bits.blogs.nytimes.com/2012/11/01/romney-and-obama-campaigns-leaking-web-site-visitor-data/
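The leakage described in the item above works through two ordinary channels: anything in a page's URL reaches every third-party script, beacon and embedded resource on that page via the Referer header, and anything in the page title is readable by any script on the page. A site operator can catch both before deployment with a simple self-audit. The following is an added example, not the Stanford researcher's tooling or either campaign's code; the parameter-name list, the patterns, the `known_values` hook (the values the site already knows for the logged-in user) and the sample pages are all constructed assumptions.

```python
"""Self-audit of page URLs and titles for personal data exposed to third
parties. Added illustration; patterns, parameter names and sample pages
are constructed, not taken from any real site."""
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names that usually carry identifying data (assumed list).
PII_PARAM_NAMES = {"name", "first_name", "last_name", "username", "email",
                   "address", "street", "zip", "zipcode", "user_id", "uid"}
EMAIL_RE = re.compile(r"[^@\s/]+@[^@\s/]+\.[A-Za-z]{2,}")
ZIP_RE = re.compile(r"\b\d{5}(?:-\d{4})?\b")
NUMERIC_ID_RE = re.compile(r"^\d{6,}$")   # long all-digit path segment, e.g. a record id

Finding = Tuple[str, str, str]            # (location, kind, value)


def audit_page(url: str, title: str, known_values: Tuple[str, ...] = ()) -> List[Finding]:
    """Return one finding per suspected exposure in the URL or the title."""
    findings: List[Finding] = []
    parts = urlsplit(url)
    # Everything in the query string travels in the Referer header to third parties.
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key.lower() in PII_PARAM_NAMES:
            findings.append(("query", key, value))
        elif EMAIL_RE.search(value):
            findings.append(("query", "email", value))
    # A bare numeric record id in the path is the "unique numerical ID" case.
    for segment in parts.path.split("/"):
        if NUMERIC_ID_RE.match(segment):
            findings.append(("path", "numeric_id", segment))
    # The title is readable by any script on the page (document.title).
    email = EMAIL_RE.search(title)
    if email:
        findings.append(("title", "email", email.group(0)))
    zipcode = ZIP_RE.search(title)
    if zipcode:
        findings.append(("title", "zip", zipcode.group(0)))
    for value in known_values:
        if value and value in title:
            findings.append(("title", "known_value", value))
    return findings


def redact_url(url: str) -> str:
    """Drop identifying query parameters so a leaked Referer carries none;
    the path is left alone because renaming routes is an application decision."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in PII_PARAM_NAMES and not EMAIL_RE.search(v)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))


# Constructed sample pages (URL, title); example.org is a placeholder host.
SAMPLE_PAGES = [
    ("https://example.org/volunteer?name=Jane+Voter&zip=08540&step=2",
     "Welcome, Jane Voter - Volunteer"),
    ("https://example.org/donate/thanks/123456789", "Thank you for your donation"),
    ("https://example.org/events?q=rally", "Upcoming events"),
]


def demo() -> Dict[str, List[Finding]]:
    """Audit each sample page as the site would for a user named Jane Voter."""
    return {url: audit_page(url, title, known_values=("Jane Voter",))
            for url, title in SAMPLE_PAGES}


if __name__ == "__main__":
    for url, findings in demo().items():
        print(url)
        for location, kind, value in findings:
            print(f"  {location:5} {kind:12} {value}")
        print(f"  redacted: {redact_url(url)}")
```

The first sample page trips three findings (two query parameters and the name repeated in the title), the second exposes only the numeric record id in its path, and the third is clean; `redact_url` shows the minimal fix for the query-string channel, leaving only the non-identifying `step` parameter.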
"Datacenter sites and co-location centers in and around New York City are struggling to stay online with varying degrees of success. And there are reports of intermittent issues with undersea cables crossing the Atlantic Ocean." http://j.mp/QTy0sW (Barb Darrow, 30 Oct, 2012, in Gigaom via NNSquad) http://gigaom.com/cloud/superstorm-sandy-wreaks-havoc-on-internet-infrastructure/
http://corp.sonic.net/status/2012/10/29/noc-hotline-down/

Due to Hurricane Sandy on the East Coast, calls may not ring through to the Network Operations Hotline. This does not affect calls to Customer Support.

Makes me wonder what it would take to knock my home phone (and 911) access out - which distant disaster could knock my VOIP provider offline? Clearly VOIP is not provisioned with the same redundancy as traditional "plain old telephone service".
Stephen Lawson, *Computerworld*, 2 Nov 2012 (IDG News Service)

In the worst-hit areas, lack of power is preventing the carrier from bringing back phone, Internet and video service

Consumers in the areas hardest hit by Hurricane Sandy may not get wired phone, Internet and video service back for as long as two weeks, Verizon Communications warned on Friday, while the FCC reported continued slow progress by carriers in restoring mobile coverage. The wired service outages could include the company's high-speed FiOS fiber-optic service as well as data and voice services over copper lines, Verizon spokesman Alberto Canal said. Verizon can't restore many of its services in areas that still don't have commercial power, he said. For safety reasons, the carrier's crews have to wait until power cables are placed before bringing communications back, he said. Friday's time estimate by Verizon, the incumbent wireline carrier based in New York, was its longest yet. Though service is steadily being restored, the deadly storm that made landfall late Monday with ferocious winds, rain and floods has proved also to be a lingering communications catastrophe for residents of some areas. ...

http://www.computerworld.com/s/article/9233232/Restoring_wired_service_after_Sandy_may_take_2_weeks_Verizon_says
Jon Brodkin, Ars Technica, 30 Oct 2012

In addition to taking New York City data centers offline, Hurricane Sandy has disrupted cellular service and wired Internet, TV, and phone services from major providers. AT&T, Verizon Wireless, T-Mobile, and Sprint have all acknowledged cellular outages. Wireline services are also being disrupted. Verizon (the non-wireless part of the company) has acknowledged loss in service for FiOS voice, Internet, and video, as well as non-FiOS Internet and phone services. ...

http://arstechnica.com/information-technology/2012/10/hurricane-sandy-also-disrupts-cellular-networks-and-wired-internet/

Hurricane Sandy takes data centers offline with flooding, power outages
Hosting customers stranded as generators in NY data centers run out of fuel.
Jon Brodkin, 30 Oct 2012
http://arstechnica.com/information-technology/2012/10/hurricane-sandy-takes-data-centers-offline-with-flooding-power-outages/
http://j.mp/Yl2iJl (*The New York Times* via NNSquad) "To wireless customers, cellphone networks might seem to be made out of thin air. But they are plenty vulnerable to catastrophic storms - and bringing service back can take an excruciatingly long time." As I've said many times, not having at least one conventional landline phone (ideally powered over copper from the central office) puts you at a terrible disadvantage in emergencies. Cell networks are the first to become overloaded, first to fail, and the hardest to restore.