The Hacking of Election Administration

 

A year ago I gave an extensive interview with the Public Radio program “Reveal” on the threat of hacking the voting machines that would be used in the 2016 Presidential election. Because of the physical security measures and procedures in place in election offices combined with the total number of machines that would have to be attacked, I was confident that attempts to hack or subvert the election through voting equipment could not be pulled off without detection in time to foil the attempt.

What I never envisioned at the time was the vulnerability of voter confidence to manipulation, from the inside and outside. I never anticipated the effectiveness of attacks on the legitimacy of our democratic institutions. I never expected the profession of Election Administration to be undermined by elected officials, by the media and the political fringes. In other words, I never expected Election Administration itself to be hacked.

The term hacking implies some kind of interference, disruption, manipulation, destruction or loss of control. Hacking as it applies to elections is misused and misapplied. Election hacking invokes images of cyber villains taking control of voting equipment and manipulating and changing election outcomes. The reality is that elections are not really vulnerable to this type of hacking. Due to the de-centralized nature of voting, the number of individual machines, and the security counter-measures that each jurisdiction employs, it is a practical impossibility to pull off.

There is evidence that unauthorized and possibly hostile agents gained access to unsecured voting registration information at the state level. While this access is disturbing and a violation of voter privacy, it is not a threat to elections and voting. It is merely the virtual equivalent of dumpster diving: discovering interesting stuff but nothing really actionable. This mischief has been mis-branded as hacking and as a result has become the subject of a national security intervention, and that is a problem and a threat.

Elections have been designated as “critical infrastructure” and therefore entitled to defense and protection by the Department of Homeland Security (DHS). But what does “critical infrastructure” mean? Where is it? These are fundamental questions that no one really knows the answer to, not even those charged with protecting it (whatever it is).

I have my own definition of “critical election infrastructure” to propose for your consideration.

The foundation of the infrastructure is the laws and regulations of each state governing voter registration and voting. The second aspect is the legal and governance framework for the administration of those laws and regulations. The third piece of the infrastructure is the human, capital, and financial resources allocated for the administration of elections. The fourth aspect is the professional, managerial, and ethical qualifications of those charged with election administration. The final and least tangible piece of infrastructure is “legitimacy”; the yardstick by which all democracies are judged by scholars, by history, by the public, and by media.

Laws and regulations can suppress participation, disqualify eligible voters, invalidate valid votes, and even rig the game. Sometimes this is intentional, sometimes for advantage and sometimes the result of bad legislation or poor code revision practices.

Governance of election administration may be by a non-partisan elected official, a partisan elected official, a partisan or non-partisan appointed official, a partisan or non-partisan board, or by some other body. None of these structures are inherently better than another but all of them have their weaknesses and vulnerabilities to outside influences.

Election administration is chronically under-resourced, a fact that has become widely recognized. The cyclical nature of elections demands more people, space and money in some years than in others. This does not fit traditional governmental budgeting practices. Straight line budgeting of off election years creates a crisis in election years. Across-the-board cuts, a favorite budgeting tactic in lean times, are nonsensical, as if it would be appropriate for a 10% budget cut to be offset by registering 10% fewer voters and counting 10% fewer votes.

There was a time, not too long ago, when elections were simple, clerical in nature and run by rather anonymous administrators. There was a time when election administration was not like managing an IT department. There was a time when public expectations did not require election administrators to be media savvy. There was a time when administrators were largely insulated from attack or attempts to influence by activists, interest groups, partisans and the public. Times have changed as have the required qualifications and expectations of election administrators.

What once may have been merely sour grape criticisms by losing candidates and campaigns has morphed into deliberate and shameless efforts to discredit election systems, election results, and election administrators. Extreme disappointment in a candidate’s loss (or narrow win) has become the basis to justify overt, untrue, and non-factual attacks on the integrity and legitimacy of elections. Legitimacy is undermined by the frivolous and continuous claims of fraud which have been normalized by their frequency, volume and quantity.

While these vulnerabilities and attacks on election administration as an institution are not new, I never anticipated their cumulative effectiveness in “hacking” the system and  voter confidence.  It is time to focus on securing the real “election infrastructure” whose legitimacy is visibly and actually under attack every day on all sides rather than being distracted by the hypothetical and unrealistic threats of hacking registration databases and voting machines.

 


Election Survival


I recently attended a state election conference whose purpose was to discuss the new laws passed during the year.  The event was scheduled just days after the final certifications and reports for the 2016 Presidential election were completed.

I could not help but notice the profusion of congratulatory sentiments (self and otherwise) expressed for “surviving” the election year.  While such congratulations are routinely offered after elections, these expressions seemed more numerous, more heartfelt and were offered in a more weary tone.  I admit that I offered and received my share of congratulations but, at a point, I caught myself wondering about the practice.

Since when did mere survival of an election become the basis of compliments and praise?  What a low standard of success we hold ourselves to.  The only endeavor in which I have engaged where mere survival is the standard of success is armed combat.

While individual election administrators and organizations may have survived the surreal election year of 2016, the same may not be true of the institutions that underpin American democracy.  Can we, or will we be able to, congratulate our election institutions for surviving as well?

I have done a quick analysis of the health of our democratic institutions and the symptoms are distressing.  The Voting Rights Act and federal oversight/enforcement has been eroded by the Shelby decision resulting in scores of states passing anti-fraud reform intended to suppress the vote for the avowed purpose of reducing Democratic turnout.  Congressional neglect and even hostility to the two federal agencies that oversee any aspect of elections, the Election Assistance Commission and the Federal Election Commission, has left them toothless and largely meaningless in the conduct of elections.

The reasoning offered by Senate leaders for their unprecedented refusal to even consider filling the vacancy on the Supreme Court is, itself, an attack on American political and electoral legitimacy.  The notion that an unknown future President has more constitutional and political authority to appoint a new justice than a sitting elected president is frightening.  The political boundaries of state and federal representatives were redrawn in 2011 by Republican controlled states to guarantee Republican majorities in Congress and state legislatures for an entire decade.  The populist agenda of reform and change (draining the swamp) is directly contradicted by the re-election of over 90% of the incumbent members of Congress of both parties.

The credibility and utility of the Electoral College is also in question because of the frequent disparity between the popular vote and electoral vote and potentially unconstitutional restrictions on how the electors may cast their vote.  It is difficult for most Americans, who don’t remember their 8th grade civics class, to understand why the winner is not the person receiving the most votes as is the case in every other election from dog-catcher to US Senate.

The baseless accusations of a candidate, prior to the election, that officials have rigged the election and the system against that candidate is a direct attack on the integrity of all elections.  The subsequent cynical confession that the candidate did not care anymore because he won mocks the credibility of the original accusations and the intelligence of voters.  The calls for election observers and enforcers to make sure that only the right people vote harkens to a nascent third world country experimenting with democracy for the first time.

One might consider the media a democratic institution which is also under attack; however I believe the media to be a complicit actor in the weakening of our institutions by covering the election as a horse race.  By repeatedly taking the bait of provocative statements and personal attacks media decision makers shifted focus and resources away from informative coverage of issues and positions.  The media was ripe to be duped and manipulated by the Russians, WikiLeaks and FBI Director Comey which may have changed the outcome of the election.

The basic inability of many Americans, on the left and the right, to distinguish between fake and real news and the propensity of voters to live in echo chambers are further symptoms of the poor condition of our democracy.  Lest this post appear to be a condemnation only of the right, the toxicity of the left’s identity politics over principles further corrodes our institutions by pitting one identity against another.  Post-election claims of disenfranchisement of voters due to provisional voting by progressives contradicts the progressive and enfranchising purpose of provisional voting.  Similarly, frivolous demands for recounts when there is no possibility of changing the outcome cheapen and demean the process and election officials.

The very features of our democratic system that give legitimacy to the outcome of the electoral process might be in jeopardy—not because of the actions of a single candidate or party.  The jeopardy is real as the left and the right have demonstrated the ability and willingness to attack our institutions for their own gain.  Hopefully this is an anomaly of the 2016 election cycle and not a vision of the future.

Stand by for more….

The Best Laid Ballot Plans Go Awry…

The California Presidential Primary Election is the most complicated election in a four year cycle and has to be among the most complicated in the nation. The ballot for this election features presidential candidates for six political parties.  Each party establishes their own rules and formats for their candidates.  This year, three of the parties have closed their primary which means that only voters already registered with the respective party may vote their candidates.  Three other parties have opened their presidential preference ballot to unaffiliated voters but have closed the election of their party officers.  The result is seven flavors of party ballots for each precinct in the county.

Because the regular Voter Nominated Primary (Top Two) is also on the same ballot for federal, state and county offices, there is also a non-partisan ballot. All voters, affiliated with a party or not, get to vote this portion of the ballot which gives us a total of eight flavors of ballot per precinct with a convoluted decision tree to decide who gets which ballot.  Typically the Top Two primary is straightforward to design and administer, unless there are 34 candidates and a write in for US Senator.  More about that later.

Because a presidential primary is always the most complicated election and the hardest to explain to voters, we spent months developing a plan for both the official ballot and the voter guide to facilitate voter education. Weeks before the candidate filing period ended we had developed and tested mock ups of the ballots and our voter guide.  We accommodated all the variables and constraints of outdated and meaningless formatting, mandatory language, and font size and face requirements in the Election Code and were satisfied that we had everything covered.

We have actively followed and engaged with the President’s Commission for Election Administration (PCEA), and the Center for Design and we tried to adopt their recommendations. We have embraced plain language practices and have considered and adopted many suggestions from language minority groups, from accessibility advocates and from election reform do-gooder organizations of all stripes.

Our designs were the easiest to read and understand, our instructions were as simple and clear as possible, each voter’s ballot was to have offices appear in the same location, and the risk of voter confusion and error would be minimized. As a bonus, our design would save printing and postage costs (for us and the voter) while also reducing the time required to tabulate the voted ballots.

At the last minute, all our work was blown to hell. We now are reduced to a ballot design which is hardly adequate for our needs and the needs of our voters.  The inferior design is driven by a sequence of events entirely outside our control.  The 34 candidates for US Senate triggered a domino effect.  Inflexible, mandated and redundant primary instructions constituted the second domino.  Top down, arbitrary and micromanaging office sequences were the third domino.  The next domino was the 1960s voting system software and hardware which is limited to logic and processing speed only slightly more capable and sophisticated than an abacus.  The next largest domino is the federal and state voting system certification regime that prohibits even the most rudimentary and common sense solutions to programming and database problems which could be fixed by today’s average middle schooler or a free mobile database app.  The final and fatal domino is the reality that there are no better solutions for inadequate voting systems for California for 3-6 years at a minimum.  And then the choices will probably be between various versions of 1990 technology.

The field does not appear to have learned much since the 2000 Presidential election. Despite the recurring cries from commissions, foundations, attorneys, advocates, scholars, think tanks and the public for fixing the things that are wrong with our elections, for making things simpler and less complex, for increasing engagement and participation, for removing barriers and for creating more confidence in our elections; election administration is being smothered by the status quo.

The accretion of outdated and conflicting laws, rules and regulations usually devised by legislators for their own political gain has stressed the system to a near breaking point.  The energetic and blind administration and selective enforcement of purposeless, contradictory laws and regulations actively undermines the integrity of elections.  The inertia of “the way we have always done it” or to choose the most onerous of conflicting statutes is thwarting meaningful reform. The absence of courage to do “what is right” when “what is right” is unpopular or new consigns election administration to perpetual stasis in an unhealthy state.  In short, election administration is suffering from self-interest, abuse and neglect.

Generally I have been optimistic and have embraced progressive election reforms but I am increasingly concerned that, in the current state of affairs, talk of reform and improvement is only happy talk and wishful thinking. The mass of the whole system may be so weighty as to make it impervious to a paradigm change even by the most intelligent, committed and determined reformers.

But that won’t prevent me, and others, from continuing to tilt at windmills.

Carry on.

 

The Opposite of Courage is Conformity

“The opposite of courage in our society is not cowardice, it is conformity.” ~Rollo May

Almost every definition of courage recognizes that courage is not the absence of fear.  Without over-emphasizing or being over-dramatic, we all have fears.  Some of them are deeply personal and private: self doubt, failure, change, acceptance, self worth, control, etc.  These private fears derive from our own experiences and insecurities and we inevitably take them to work with us.  These fears might be either exacerbated or soothed by our workplace environment and interactions.  But, in any case, they are always present and we act in response to them in one way or another.

Rather than responding to fears, the challenge as a leader is to act courageously and to foster courage in others.

Act.  Courage is action in spite of fear.   Fear paralyzes.  Fear prevents thinking and reasoning.  Fear stifles our voice.  Fear is embodied in the silent, empty-eyed and frozen appearance of the proverbial “deer in the headlights.”  Just as fear and inaction seal the fate of the deer as a car barrels towards its unwitting target; fear, inaction, and conformity seal the fate of individuals and organizations (although not as suddenly or dramatically.)

Risk making a mistake.  Inaction because of the fear of making a mistake is the greatest single cause of mediocrity in the work place.  The drive for perfection, when it delays or prevents action out of fear of erring or misjudging, robs a person or team of success rather than ensuring it.  When we fail to act in order to avoid embarrassment and the judgment of others if we make a mistake, we reveal fear and weakness.  We are saying that we prefer to be passive and mediocre rather than risk success.

Courage recognizes that mistakes and mis-steps are not failures; they represent the opportunity to learn and grow for ourselves and others. Michael Eisner, Disney CEO, is reported to have said “To punish failure is yet another way to encourage mediocrity.”  When we recognize that mistakes are an essential part of achieving success and withhold harsh judgments, we empower ourselves and others.

Privilege Principle over Expediency. In the public sector administrators and managers operate by a different set of incentives and motivations than our counterparts in the private sector.  Rather than being motivated and incentivized by profits, losses and bonuses, public administrators and elected officials are often motivated by pleasing others and by not causing any waves.  Elected officials place great value on the views and desires of their constituents which they weigh heavily when setting policy and making decisions.  Administrators tend to be risk averse and generally seek to please as many people as possible- the public, peers, and subordinates.

Perhaps more often than we think, pleasing others and doing the right thing come in conflict, creating a situation in which a choice must be made between expediency (pleasing others) and principle (doing the right thing). Expediency considers each decision in a vacuum with the criterion being the optimal outcome for that specific situation. The criteria for decisions based on expediency are expressed in terms of “Who will benefit?”; “Who will get hurt?”; “Who will be angry?”; “Who will know?”; “How will this affect me?”, etc.  The aggregation of decisions based upon expediency results in inequities, inconsistencies, inefficiency, unpredictability, and chaos while maximizing the benefit to the decision maker personally.

On the other hand, decisions based upon principle place self interest in a subordinate position to “doing the right thing.” “Doing the right thing” is another way of describing decisions that treat everyone equally; that enforce or apply rules, policies, ordinances, and laws rather than ignore them. Doing the right thing is consistent over time and across similar cases.  Doing the right thing does not always win friends or bring personal rewards.  It takes courage to make decisions on principle over expediency when the two are in conflict.  It takes a certain courage to even acknowledge that the two are often in conflict.

Have the Courage to Let Go. There is a paradox that the more an administrator wants to touch everything, the more limited and less effective the administrator becomes.  There are things that are so important to us, things that are so threatening, and things that are such a source of insecurity that we will not yield control over them even when clinging to them is counter-productive.  For example, when we are jealous of our power and authority we insist on being the final word on everything under our control in order to protect our egos and reputations.  We fail to see that this insistence on control actually limits us and increases the probability of some kind of damage to our reputation and standing.

How is that the case? First, it is an inefficient use of an administrator’s time.  The administrator can easily become overwhelmed by minutiae and delay important actions and decisions.  Insisting on having everything one’s way cuts off the introduction of new ideas and approaches from subordinates.  Such control communicates a lack of trust in the judgment and abilities of others and leads to discouragement and the stifling of initiative in the organization.  At best, this level of control maintains the status quo.  At worst it produces untimely and less than optimal decisions.  It leads to staff morale issues and turnover.

Expressing this paradox in terms of its positive rather than negative outcomes, consider the results of giving up some of the things we cling to:

  • More authority and control given to subordinates increases the span of control of the administrator.
  • More trust in the judgment of subordinates increases the timeliness, quality and quantity of decisions.
  • More credit for success given to others reflects more credibility upon the administrator.
  • Fewer secrets and proactive, top-down sharing of information results in more timely, accurate and complete information being reported to the administrator.
  • Greater transparency in decision making leads to greater confidence and trust in the administrator.
  • More kindness and consideration expressed and demonstrated for others leads to more respect being shown to the administrator.

Reward Courage in Others. Our society is quick and willing to recognize and reward heroism but workplace courage is personal and exhibited without fanfare.  It is seldom heroic and it is often non-conforming in character.  Our culture and bureaucratic environment values and rewards conformity and it is uncomfortable with and often punishes non-conformity.  As administrators, one of our obligations as courageous leaders is to foster an environment where the exercise of personal courage by members of our organization is positively recognized and rewarded.  This might mean having the courage oneself to intervene and re-characterize the organization’s view of the behavior from disruptive and “boat rocking” to admirable and positive.

The value and need for courageous words, ideas, and actions in the workplace has been unrecognized and undervalued. It appears certain to me that courage begets courage.  As leaders, we can foster courage in our organizations by developing and exhibiting greater personal courage to act, to risk, to be principled, to “let go” and to reward courage in others.  We can encourage and inspire others to be courageous.  We can choose courage to be great or we can choose mediocrity, conformity and expediency.

Stay Tuned

(Author’s Note: A version of this article was written and published to an audience of public administrators almost exactly four years ago while ramping up for the 2012 Presidential Election. The observations that triggered the article were drawn primarily from the field of election administration but are also representative of conditions in the public sector generally. As election administrators gear up for another, and potentially raucous, presidential election, the moral and practical value of courageous leadership is even more important.)

Hiding Behind the Words

There is comfort in seeing the world as black and white.  When the duties of election administrators require decisions, solutions which are black or white are highly preferred.  Shades of gray, interpretation of rules and codes, and the use of discretion are fatuously avoided.  No administrator wants to take unnecessary risk or to explain and justify a decision.  Bureaucrats and administrators carefully seek out simplistic and unambiguous responses from statutes, procedures, precedents, and even the practices of others.

A fundamental premise of this decision making style is that the right answer can be found in rules and statutes and, further, when an answer is found in the rules (or in past practices or best practices), it is, by definition, the right answer.   The right answer is the answer that stands on its own without the decision maker having to accept any responsibility for the answer, i.e. “the code says…”, “past practice is…”, “other jurisdictions do…”, etc.  The ability to insulate oneself from the consequences or criticism of a decision is not the sole advantage, however, in the minds of those who employ this approach.

There is a normative mindset inherent in those who demand black and white and eschew shades of grey which condemns the interpretation and application of rules and laws.  This approach condemns permissive interpretations and liberal construction of the election code, even when the code provides a range of solutions or directs the application of judgment based upon facts for specific cases.  In this framework, there is no discretion and interpretation is always wrong.  Those who maintain this approach see not only the decisions based upon interpretation and discretion as wrong but also see those who would interpret and use discretion as being corrupt and unethical.

The presumed moral superiority of those who read rules and laws restrictively and who assume the correctness and rightness of pat answers is based upon a false sense of neutrality that such an approach provides.  This view is steeped in the tradition of the politics-administration dichotomy which dominated late 19th and early 20th century public administration theory.  Political leaders made the rules and laws based upon a mandate received by the electorate and the role of the virtuous administrator was to faithfully, and with neutrality, implement the will of legislators.  This theory assumes that all situations can be/should be/are addressed in legislation and that the legislators have the expertise to provide technical solutions to complex questions.  Scholars, ethicists, legislators and administrators have all recognized practical and theoretical limitations of governing in this manner but the mindset persists in many current administrators.  It is these administrators whom I refer to as bureaucrats.

Bureaucrats do not seem to realize that, in an attempt to avoid errors of discretion and interpretation, they themselves make their own interpretations and use their own discretion.  They choose restrictive and literal interpretations of regs, rules and laws even when these decisions are not consistent with facts or with other sections of code.

There are two important points I am trying to make in this post.  First, a literal, restrictive, black and white reading of governing documents for decision and policy making is equally, although unconsciously, interpretive and discretionary as the approaches of deliberate interpretation and the conscious use of administrative discretion.  There is no legal, ethical or moral high ground to be gained by appeals to literal readings when there is space for interpretation.  In fact, the opposite may be true. 

Let me refer to a recent discussion regarding the mailing of information to voters pertaining to a specific election.  The Election code directs administrators to mail the material to voters as early as 40 days prior to the election.  At the time the code was written, the deadline for registering was 29 days prior to the election and there is a provision in the code that indicates that voter information should be sent to everyone registered 29 days prior to the election.  Since that time, the registration deadline has been moved to 15 days prior to the election but the practice of cutting off mailing voter information at 29 days continues in many places.  When I asked why people who register between the 15th and 29th day don’t get voter information, I was told that the 29 day cut-off was interpreted to prohibit sending voter information even when new voters were legitimately registered and there were adequate time and resources to do the mailing.  The suggestion of mailing to these voters was perceived to be provocative and subversive, not to mention reckless.

To be clear on the matter, the code did not direct nor did it prohibit mailing information after 29 days.  It was simply interpreted to mean that registrants after 29 days would not be mailed the same information that other voters received.  At some point in time the 29 day cut off made sense but over time, as other laws changed and printing and mailing technologies evolved, the interpretation somehow evolved to a prohibition on mailing to these voters.  When I challenged this interpretation by asking why it was good service and good policy to withhold the mailing, the answer was predictable– “the code says…”  When I pointed out that it was actually cheaper to do the mailing after 15 days, it reduced returned mail, and it was a greater service to voters; I received a slightly different yet obstinate response-“the code doesn’t say we can….”

My second point is that hiding behind a literal or black and white interpretation sets up intransigent and counter-intuitive policy positions that serve no public interest and often result in high visibility lawsuits which are costly and undermine confidence in our institutions.  There are many notable examples: the 2004 San Diego County case in which clearly legible write-in votes were not counted, reversing the apparent outcome of the election, because the write-in votes were not machine readable (the bubble was not filled in) but were clearly human readable;  the 2009 Hamilton County, Ohio case in which provisional ballots were not counted because the ballot was cast at the right polling place but the wrong precinct ballot was used (even though the ballot contents were identical); and the 2012 Allegheny County, PA case in which reporters were banned from entering a polling place and reporting on voting on Election Day.  The list could go on and on.

Good elections are based upon good decisions- not bureaucratic decisions.  Good decisions are based upon an ethic that seeks the protection of constitutional principles, individual rights, and the respect for the rule of law. 

Stay tuned.

Internet Voting, 4 D’s, and WMD


In 1998, as one of a handful of people who thought the future of elections was internet voting, I was a co-founder of eBallot.net, a short-lived internet start-up.  The cause of the demise of eBallot.net and other internet voting companies was, and continues to be, the report issued by the California Task Force on Internet Voting in January 2000.  A close reading of the report appears to definitively kill internet voting well into the future, if not forever.  Interestingly, the report called into question (directly and indirectly) many of the characteristics and security practices of all paper based voting systems in use at that time.  David Jefferson, the Technology Co-Chair of the Task Force, was responsible for many of the findings in the report.  Mr Jefferson has since continued to be involved in issues regarding voting systems and maintains his strong rejection of internet voting.

Anyone who has followed the post 2000 and post HAVA voting equipment debates knows that there has been a large polarization between election administrators and voting system advocates (of all stripes).  There has not been a lot of common ground or common understanding and there has been, at times, a lack of civility on all sides in the discourse (of which I am probably also guilty).

I recently had an exchange with Mr Jefferson in a discussion forum considering the impact of a student hacking a university on-line voting application and attempting to change the results of the election.  The exchange was notable inasmuch as old rivals (me and Jefferson) began to identify some common understanding and respect for the position of the other.  At his suggestion I am re-publishing parts of our exchange.  It is my hope that more frequent constructive discussions will build bridges of understanding and that this discussion may be seen as the type of exchange that fosters increasing and meaningful dialogue between the election administrator community and those in the watchdog community (for lack of a better term to encompass the scientific, academic, advocacy and political aspects of the critics).

This post is rather long.  Rather than edit it for length and remove something which might resonate with readers, I have kept the thread virtually intact.

The original question, “Is the San Marcos hacking incident a Bad Omen for Internet Voting?”, was posed by Bill Kelleher, a known writer and advocate of internet voting.  In response to the question, David’s conclusion was:

Jefferson:  “Strong, practical, remote authentication of the users of online systems, especially online voting systems, is a very difficult and unsolved security problem. And it is just one of many on the list of profound security problems that have to be solved before online voting can be made secure. That list also includes: client side malware, fake voting clients, server penetration attacks, distributed denial of service, insider attacks, automated vote buying, and numerous others.

Mr Weaver’s attack was not like those that will occur if Internet voting is used in public elections. He was thwarted because (1) he was voting from a machine controlled by university IT personnel so that they were both able to notice unusual activity in real time; (2) they were actually able to spy on him remotely in real time as he was casting phony votes; and (3) he was physically local, so a police officer could immediately be dispatched to arrest him red handed while he was still casting phony votes, in the commission of a felony, with therefore no need for a warrant to find additional evidence in his pocket that was full of key loggers! None of these fortunate facts will apply in a real attack on an online public election.”

To Jefferson’s response, I chimed in:

Konopasek:  “I believe there are some lessons to be learned from the hack which people on both sides of the electronic voting security issue should consider. First I must say that my position over the years on the topic has evolved to a neutral stance as I have been willing to learn, observe, analyze and discuss based upon a decade long experiment with the technology. I am not so quick to dismiss Mr Jefferson’s concerns as I was 10 years ago nor do I believe that electronic voting is without security risks which means I am not as satisfied or optimistic as Mr Kelleher. I would hope that others might demonstrate a similar capacity to learn and a willingness to evolve.

As a military security expert for nearly two decades I learned and practiced a philosophy of security which I call the four D’s– Deter, Delay, Detect, and Deny. These four principles are fairly self explanatory and represent a progression in degrees of security, cost and operational effectiveness. Too often when we have discussions of voting security there is an unspoken assumption that the level and standard of security being considered is Denial- the costliest and most difficult level of security to achieve. Denial means that every type of attempted fraud or penetration must be defeated immediately and completely. The gold stored at Fort Knox is the classic example of something protected with this level of security- even so, it is doubtful that Fort Knox is invulnerable. It merely uses a highly complex and hardened set of deterrent, delay and detection methodologies. The only way to completely secure Fort Knox would be to never store gold or anything of value in it.

“Deterrence, delay and detection are effective, and cheaper and more efficient, techniques for the security of almost everything we secure– bank accounts, facilities, computer passwords, encrypted communication, our homes, our cars and our paper ballots. It is not impossible for theft or fraud to be attempted but with the right combination of measures, threats can be deterred from action by the probability of being caught and harsh sanctions when discovered. The history of cryptography and intelligence teaches that with enough time every code and encryption algorithm can be cracked. Encryption delays compromise. It cannot prevent or deny it.”

“Detection, the security principle at play in the “Student Hack Caper,” serves a double role in security designs. First it complements deterrence and gives deterrence credibility. If a thief knows that the odds of detection are high, the likelihood of success is low. The whole reason thieves and burglars wear dark clothing, sneakers, hoods and masks is to avoid detection (and identification). The second principle is that theft or fraud detected is fraud which can be prevented or mitigated. This is precisely what happened in this caper.”

“To assert that if this was a “real” attack on a “real” election that the fraudster would have been smarter, luckier and more stealthy and therefore, by definition, would have succeeded is to assume that “real” election security is ineffective, “real” elections IT personnel are not competent, “real” election fraud could not be identified, isolated and mitigated as was the case in this caper. Any “real” election is and always has been the target of potential, attempted and sometimes actual fraud–and always will be regardless of the voting platform. That threat however does not cause us to stop having elections. Similarly if we insisted on denial as the only acceptable level of security for elections whether hand counted paper ballots, machine counted ballots, electronic ballots or pottery shards are used- democracy would cease to exist.”

“We must cease the insistence that denial is the only acceptable level of security for electronic voting systems. Deterrence, delay and detection are the tools we use everyday to secure our most precious and valuable possessions– and that should include our votes.”

“postscript: Modern science is empirical and based upon observation and evidence. Assertions of what “is” or “might be” absent any theory, evidence, observation or proof might be opinion, politics, superstition or religion but it is not positivist science.”

Jefferson:  “Scott — Using your 4D framework (Deter, Delay, Detect, and Deny) you point out that Denial represents the highest degree of security, cost, and operational effectiveness. You then add that Denial means that ‘every type of fraud or penetration must be defeated immediately and completely’”.

“The criterion I have always used is that not ALL attacks on elections have to be Denied. But LARGE SCALE, AUTOMATED (i.e. programmed) REMOTE ATTACKS do have to be absolutely denied. I have never tried to invent mechanisms that prevent small attacks in which only a handful of votes are at stake, so I have never gotten involved in the VoterID issue, for example, which denies at best a handful of impersonation votes per year. Nor have I spent much time worrying about postal workers opening and modifying ballots transmitted by mail, because such attacks are not automated. I do worry greatly about frauds committed by my kind of people, programmers, both those who write the voting system software and those who are motivated to attack an election remotely.”

“Remote, programmed attacks on Internet voting are the weapons of mass destruction in the elections world. Thank goodness we have had very few so far. (But I do know of a handful of cases that have been detected.) Just as with physical WMD, we have to do everything we can in a democracy to deny that possibility of electoral WMD at all costs. It is just not good enough to say that because it has never happened before in this country we can consider the risk to be low. Those of us in the security community know how to attack any current Internet voting architecture and can completely disrupt any of them or worse, rig the results undetectably. If we know how to do it, we can be sure that criminals, foreign intelligence agencies, and our own political partisans know it also, or can pay for people who do.”

“Because we know that no one can build an Internet voting system today that is invulnerable to remote automated attacks that we know how to perpetrate, we are forced to conclude that it is just too dangerous to field Internet voting systems yet. We also know that there are a large number of profoundly difficult Internet security problems that have to be solved before anyone will be able to build a secure enough Internet voting system suitable for public elections, and we are not within a decade of solving any of them. So for the foreseeable future it is best to live without Internet voting and continue improving the systems we have, particularly absentee balloting systems and procedures.”

Konopasek:  “Hi David- I want to make sure you understand that I agree with you that internet voting is best left to the future. My concern is that our attitudes and assumptions about security will delay or inhibit legitimate development of robust internet voting systems while garage engineers, like the ones that built certain models of the current DRE systems, will design, build and lobby for their use. The ubiquity of the internet in our lives and our dependence on it will eventually erode the credibility of security concerns and we will be left with poorly designed systems that will be approved for use in public elections.”

“Interesting that you used WMD as an example. Our tremendous fear of the proliferation of WMD by certain regimes (undoubtedly a real threat to all of us) led us in 2003 to greatly and deceitfully (as it turns out) exaggerate claims that Iraq had nuclear weapons. On that pretext, our nation launched a security operation to eradicate (deny) an imagined threat that COULD have existed but which DID NOT. The fear of what COULD BE cost hundreds of thousands of innocent lives and a decade of warfare and insecurity. The single minded pursuit of a potential security threat changed the world forever, and not for the better.”

“A more reasoned approach, which was not based upon complete and immediate denial of WMD, may have sought to detect indications of WMD, to delay their development with continued embargoes or to deter the Iraqis with threats of escalating coercive means. The president’s arguments and decisions to invade, overthrow the regime, destroy the infrastructure and inflict “shock and awe” represent the classic type of bad policy decisions based upon absolutes, non-negotiable and an insistence on denial.”

“I see many parallels in the decade old arguments against electronic voting in general and internet voting specifically. As long as absolutism is the rule the stage is set for legitimate science to sit on the sidelines while techie entrepreneurs develop the next generation of voting technology. The debate is likely to be overcome by events and popular will- Bill’s evangelism and that of others is already taking hold. Soon “hell no” to internet voting will give way to the demands of the public, the self interest of politicians and the profit motive of business.”

“In 2003 I urged my colleagues at the state and national level to abandon their absolute rejection and to embrace paper audit trails. By doing so, we could influence the design, development, quality and procedures involving what became known as the VVPAT. I warned them that advocates had better sound bites and slogans with mass appeal than their opposition. You know how that turned out. The country has voting systems in which the greatest point of failure mechanically, electronically and procedurally is the VVPAT while there is no evidence that they have enhanced the security or legitimacy of any election.”

“I am urging the community that categorically rejects internet voting to beware of the lessons learned by election administrators– the other side is developing better sound bites and the demographics of decision makers are changing. You would be surprised how many elected officials no longer know what a chad is. Their concerns of late involve finding out sooner if they won or lost the election.”

Jefferson:  “Scott, thanks for your thoughtful comments. I will respond to a few key sentences.”

“SK: “My concern is that our attitudes and assumptions about security will delay or inhibit legitimate development of robust internet voting systems while garage engineers, like the ones that built certain models of the current DRE systems, will design, build and lobby for their use. The ubiquity of the internet in our lives and our dependence on it will eventually erode the credibility of security concerns and we will be left with poorly designed systems that will be approved for use in public elections.””

“DJ: I would say that we must delay the development of “legitimate and robust” IV systems until such time as several fundamental security problems are solved, including: client side malware, fake clients, server side penetration attacks, strong remote voter authentication, distributed denial of service attacks of all kinds, various network attacks, and insider attacks. And we need a mechanism for strong end-to-end auditability that does not depend on paper.”

“I would say that we are already living with the problem you point out: that vendors will design and build dangerous Internet voting systems and lobby for their use, and unfortunately many legislators and election officials who are untrained in security will buy them. All I can do is help educate on the dangers.”

“SK: “A more reasoned approach, which was not based upon complete and immediate denial of WMD, may have sought to detect indications of WMD, to delay their development with continued embargoes or to deter the Iraqis with threats of escalating coercive means.””

“DJ: In discussing Internet voting as the WMD of elections, I don’t think it is necessary to compare too closely to the history of the Iraq war. There the WMD did not in fact exist, so the whole basis for policy and war was false. But regarding Internet voting there is no doubt whatsoever that undetectable, programmed remote attacks are possible, and many of us know how to do them. If you want a demonstration, just insist that the vendors place their systems up for open public tests as was done in D.C. in 2010, and we will demonstrate how they can be destroyed.”

“In any case the issue is, I think, simpler. I hope we can agree that if we could wave a magic wand and free us of the danger of real WMD, so that no one can ever detonate a nuclear, radiological, chemical or biological weapon in the U.S. (or anywhere else, for that matter) then we should hurry and wave that wand. Well, with electoral WMD, we do have such a magic wand. We do not have to permit insecure Internet voting in this country. When and if Internet voting can be implemented without the risk of remote programmed attacks, then the risk of WMD will be eliminated and we can go ahead and vote online.”

“SK: “The debate is likely to be overcome by events and popular will- Bill’s evangelism and that of others is already taking hold. Soon “hell no” to internet voting will give way to the demands of the public, the self interest of politicians and the profit motive of business.””

“DJ: Just to be clear, my position is not “Hell no”. It is “not now, and not for the foreseeable future, until such time as the profound Internet security problems will be solved.” In the meantime all I can do is work as hard as I can to educate the public and officials to the very real danger of cyber attack on online public elections.”

“SK: “In 2003 I urged my colleagues at the state and national level to abandon their absolute rejection and to embrace paper audit trails. By doing so, we could influence the design, development, quality and procedures involving what became known as the VVPAT. I warned them that advocates had better sound bites and slogans with mass appeal than their opposition. You know how that turned out.””

“DJ: Yes, you are right. The VVPATs as they were implemented were absolute mechanical crap, and still are. I actually had the opportunity to cast a formal vote against the certification in CA of Sequoia’s lousy VVPAT despite the fact that I was one of the most prominent advocates of VVPAT. I learned from that experience that the vendors cannot be trusted. They just did not care about the fact that paperless DREs were and still are completely unauditable, and instead invented completely bogus arguments for DRE security which too many election officials believed (and many still do). When forced to add a paper trail to DREs the vendors did the crappiest, cheapest, junkiest job imaginable, and then screamed “I told you so” when they turned out to be unreliable. Paper handling mechanics cannot be perfect, but it can be 1000 times more reliable than those systems are. Under the circumstances, states would have been better off dropping DREs entirely and switching to optical scan rather than certifying the junky VVPATs that Diebold, Sequoia, and ES&S produced.”

“SK: “I am urging the community that categorically rejects internet voting to beware of the lessons learned by election administrators– the other side is developing better sound bites and the demographics of decision makers are changing. You would be surprised how many elected officials no longer know what a chad is. Their concerns of late involve finding out sooner if they won or lost the election.””

“DJ: If you have any ideas as to how to better present the dangers of cyber attacks on online elections I would be glad to hear them. If you could address the issue, and critically assess those sound bites in your blog, that would help greatly. Maybe even put in a good word for Verified Voting.”

Constructive responses are welcome.

Stay tuned.

Headline: “Clerks kill Election Day voter registration”

The last hours of many legislative sessions are filled with unexpected and sometimes hard to explain events.  Yesterday (March 14), the last day of the Utah 2013 legislative session, was definitely one of those cases.  For years, the media, scholars and politicians have bemoaned the fact that the state has suffered from low voter turnout.  The Salt Lake Tribune, reporting on the close of the session, summarized the low turnout dilemma:

The Governor’s Commission on Strengthening Democracy — formed by former Gov. Jon Huntsman to find ways to improve voter turnout — made Election Day registration a top priority, but the idea has foundered for five years since it was recommended.

Utah voter turnout is among the nation’s lowest. In 2010, 36.2 percent of Utah’s voting-eligible population cast ballots — ranking No. 49 among the 50 states. In 2012 when favorite-son Mitt Romney was running for president, that rose to 55.4 percent — but still ranked only No. 38, and was still below the national average of 58.2 percent.

Utah has an interesting form of same day registration as part of the statute pertaining to provisional ballots.  If a voter fails to re-register or update their registration by the legal registration deadlines, the voter can cast a provisional ballot at the polling place assigned to their new address and that ballot will be counted provided the voter was previously registered, at any time, anywhere in the state.  The statewide registration system makes this easy to verify and makes it simple to confirm that the voter has not previously voted.  The vast majority of provisional ballots cast (75%+) fall into this category.  The net result is same day registration for a sub-set of the state’s residents.

The ballots of voters who showed up on election day, cast a provisional ballot but were not previously registered in the state yet are otherwise qualified are not counted.  These voters are registered for future elections but the registration is not effective for that election.  The majority of provisional ballots not counted in the state fall into this category.

The upshot of the statute is that one group who ignores or fails to meet arbitrary registration deadlines gets their vote counted and another group who fails to meet the same deadlines does not.  To close this gap, Rep Rebecca Houck has sponsored a bill for the last five years which would close the loophole and would permit the provisional ballots for all eligible voters who show up on election day at the correct polling place to count.

The bill’s sponsor, Rep. Rebecca Chavez-Houck, D-Salt Lake City, has noted that Utah law now allows people to register on Election Day and cast provisional ballots. While that is used to register them for future elections, the provisional ballots are discarded if officials find those people were not previously registered in Utah.

“What this bill does is allow the vote to be counted,” Jenkins [the Republican Senate Sponsor] said. “This allows you to register and vote on same day if you prove your residency and identity.”

Previous attempts to pass the bill met partisan resistance and did not make it to a vote.  This year, however, the bill had support from both major political parties and the House passed the bill after hearing testimony in favor by the State Republican Party, State Democratic Party, League of Women Voters and the head of the Utah Tea Party.  The only testimony in opposition came from County Clerks—who complained it would be too much work.  As the bill proceeded to the Senate and passed out of committee, the Clerk’s Association mounted the bill’s only opposition.

A bill to allow Election Day voter registration died Thursday — ironically killed by election officials who worried that it could work too well, and cause them too much work, in a state that has among the worst voter turnout in the nation.

HB91 died on a 10-18 vote in the Senate, after earlier passing the House 58-14.

Most of the opposition cited was from county clerks who said it could create more work than they could now handle between when votes are cast and when counts must be finalized.

This case is representative of election administrators across the country and is not merely a Utah aberration.  Clerks and administrators are not effective policy makers nor is it their function.  The role of administrators should be to inform policymakers about proposed legislation and to even take positions on bills.  There is a fair question of where genuine support and opposition of a proposal ends and where active lobbying and activism for a bill begin.  That line can be fuzzy and may not be meaningful much of the time. 

However, when opposition by election officials to a measure, which is uniformly agreed by all parties to be in the interest of voters and the electoral process (as in this case), is based solely on avoiding additional work, the personal competence, the profession’s credibility and the integrity of the process are rightfully scrutinized, and even called into question, by the public.  The passage of good public policy should not be thwarted by complaints by election administrators that it is “too hard” or by their exaggerated estimates of time and cost.

 Stay Tuned