May 19, 2019

Reexamination of an all-in-one voting machine

The co-chair of the New York State Board of Elections has formally requested that the Election Operations Unit of the State Board re-examine the State’s certification of the Dominion ImageCast Evolution voting machine.

The Dominion ImageCast Evolution (also called Dominion ICE) is an “all-in-one” voting machine that combines in the same paper path an optical scanner (for hand-marked bubble ballots) with a printer (for machine-marked ballots via a touchscreen or audio interface).

Last October, I explained why this is such a bad idea that it should be considered a design flaw:  if a hacker were able to install fraudulent software into the ICE, that software could print additional votes onto a voter’s ballot after the last time the voter sees the ballot.   I’ll just give one example of what the hacker’s vote-stealing software could do:  in any race where the voter undervotes (does not mark a choice), the hacked software could print a vote into the bubble for the candidate that the hacker wants to win.

The manufacturer may argue that “our software doesn’t do that;” true enough, the factory-installed software doesn’t do that–unless hackers hack into the manufacturer’s network.  They may argue that “our voting machines are not hackable;” well, it’s admirable that they are using modern-day authentication methods for the installation of new software, but in the current state of the art, it’s still the case that practically any computer is hackable.

And therefore, we rely on recounts and risk-limiting audits of the paper ballot as marked by the voter as our ultimate protection against computer hacking.  An all-in-one voting machine, that combines printing and scanning into the same paper path, seriously compromises that protection.

Douglas A. Kellner, co-chair of the New York State Board of Elections, wrote on March 7, 2019 to his fellow Board commissioners,

Two respected professors of computer science have provided reports that the Dominion ImageCast Evolution voting machine has a “design flaw.” … “after you mark your ballot, after you review your ballot, the voting machine can print more votes on it!” …

[New York State] Election Law § 7-201 requires that the State Board of Elections examine and approve each type of voting machine or voting system before it can be used in New York State…. The examination criteria for certification of voting equipment … requires … “the vendor shall identify each potential point of attack.” …

I have carefully reviewed Dominion’s [submission].  I do not see anything in the submission that addressed the point of attack or threats identified by Professors Appel and DeMillo. …

If there is a serious possibility that an insider could install malware that could program the printer to add marks to a ballot without the possibility of verification by the voter, then the entire audit process is compromised and circumvented. If it was possible for the machine to add a voting mark to the ballot without verification by the voter, the audit is not meaningful because it cannot confirm that the ballot was counted in the manner intended by the voter. …

Election Law § 7-201(3) provides that:  “If at any time after any machine or system has been approved,…the state board of elections has any reason to believe that such machine or system does not meet all the requirements for voting machines or systems set forth in this article, it shall forthwith cause such machine or system to be examined again.” …

In view of the omission of the security threats identified by Professors Appel and DeMillo in the submission by Dominion in support of its application for certification of the ImageCast Evolution, and in view of the absence of any analysis of this issue in the SLI and NYSTEC reports, I request that the Election Operations Unit of the State Board examine again the ImageCast Evolution to consider the vulnerability of the voting system because the printer could be programmed to add marks to ballots without verification by the voter, and that SLI and NYSTEC supplement their reports with respect to these issues.

Pilots of risk-limiting election audits in California and Virginia

In order to run trustworthy elections using hackable computers (including hackable voting machines), “elections should be conducted with human-readable paper ballots. … States should mandate risk-limiting audits prior to the certification of election results.”

What is a risk-limiting audit, and how do you perform one? An RLA is a human inspection of a random sample of the paper ballots (or batches of ballots)—using a scientific method that guarantees with high confidence that if the voting machines claimed the wrong winner, then the audit will declare, “I cannot confirm this election,” in which case a by-hand recount is appropriate.  This is protection against voting-machine miscalibration, or against fraudulent hacks of the voting machines.

That’s what it is, but how do you do it?  RLAs require not only a statistical design, but a practical plan for selecting hundreds of ballots from among millions of sheets of paper.  It’s an administrative process as much as it is an algorithm.

In 2018, RLAs were performed by the state of Colorado.  In addition, two just-published reports describe pilot RLAs performed by Orange County, California and Fairfax, Virginia.  From these reports (and from the audits they describe) we can learn a lot about how RLAs work in practice.

Orange County, CA Pilot Risk-Limiting Audit, by Stephanie Singer and Neal McBurnett, Verified Voting Foundation, December 2018.

Neal Kelley, Registrar of Voters of Orange County, ran an RLA of 3 county-wide races in the June 2018 primary, with assistance from Verified Voting.  About 635,000 ballots were cast; many ballots were 3 pages long (printed both sides), about 1.4 million sheets overall.  Of these, just 160 specific (randomly selected) ballot sheets needed to be found and tabulated by human inspection.  How do you manage a million sheets of paper?

Orange County elections warehouse during the June 2018 risk-limiting audit

Like this!  Keep well-organized ballot manifests that list each batch of ballots (that were initially counted by optical scanners), where it came from, and how many ballots it contains.  How do you know how many ballots are in each batch?  The optical scanners tell you, but you don’t want to trust the optical scanners (a hacked scanner could influence the audit by lying about how many ballots are in a batch).  So you weigh the batch on a high-precision scale, which gives you the sheet count to within ±2 sheets.  And so on.   You can read the details in the report, which really helps to demystify the process.   Still, there are many ways of doing an RLA, and this report describes just one of them.  The audit was finished before the deadline for certifying election results.  The estimated salary cost of the staff of the Registrar of Voters, for the days running the audit, was under $4000.
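The two practical pieces described above, a ballot manifest that turns a random sheet number into a physical location, and a statistical rule that decides when enough sheets have been inspected, can be made concrete in a few dozen lines. The following is an added illustration, not code from the original post, from Verified Voting, or from the Orange County or Fairfax audits. It uses the BRAVO ballot-polling test (Lindeman, Stark and Yates, 2012) for a single two-candidate contest, and the manifest, batch sizes and ballot population are constructed for the example.

```python
import random
from bisect import bisect_left

# Constructed ballot manifest: (batch id, number of sheets in the batch).
# In practice the sheet counts come from the paper itself (e.g. weighing),
# not from the scanners that are being audited.
MANIFEST = [
    ("Precinct 101 / Tray A", 412),
    ("Precinct 101 / Tray B", 388),
    ("Precinct 102 / Tray A", 150),
    ("Vote-by-mail batch 7", 1250),
]


def cumulative_counts(manifest):
    """Running totals, so a 1-based sheet number maps to exactly one batch."""
    totals, running = [], 0
    for _, count in manifest:
        running += count
        totals.append(running)
    return totals


def locate_sheet(manifest, sheet_number):
    """Map a 1-based sheet number to (batch id, 1-based position within the batch)."""
    totals = cumulative_counts(manifest)
    if not 1 <= sheet_number <= totals[-1]:
        raise ValueError("sheet number outside the manifest")
    idx = bisect_left(totals, sheet_number)          # first batch whose total >= number
    start = totals[idx - 1] if idx else 0             # sheets in all earlier batches
    return manifest[idx][0], sheet_number - start


def draw_sample(manifest, n, seed):
    """Draw n sheet numbers with replacement from a seeded PRNG (BRAVO samples with replacement)."""
    rng = random.Random(seed)                         # seed would be public dice rolls in a real audit
    total = cumulative_counts(manifest)[-1]
    return [rng.randint(1, total) for _ in range(n)]


def bravo_update(t, ballot, s_w):
    """One BRAVO step: 'W' = reported winner, 'L' = reported loser, anything else = no evidence."""
    if ballot == "W":
        return t * (s_w / 0.5)
    if ballot == "L":
        return t * ((1 - s_w) / 0.5)
    return t


def bravo_audit(sample, reported_winner_votes, reported_loser_votes, risk_limit):
    """Inspect ballots in order; confirm once the statistic reaches 1/risk_limit.

    If the reported winner actually lost, the chance this wrongly confirms is at most risk_limit.
    """
    s_w = reported_winner_votes / (reported_winner_votes + reported_loser_votes)
    if s_w <= 0.5:
        raise ValueError("reported winner must have a majority of the two-candidate vote")
    threshold = 1.0 / risk_limit
    t = 1.0
    for examined, ballot in enumerate(sample, start=1):
        t = bravo_update(t, ballot, s_w)
        if t >= threshold:
            return {"confirmed": True, "ballots_examined": examined, "statistic": t}
    # Sample exhausted without reaching the threshold: "I cannot confirm this election."
    return {"confirmed": False, "ballots_examined": len(sample), "statistic": t}


def run_demo(seed=2018, risk_limit=0.05):
    """Constructed election: 2200 sheets, winner 1300, loser 850, 50 blank/other."""
    rng = random.Random(seed)
    ballots = ["W"] * 1300 + ["L"] * 850 + ["X"] * 50
    rng.shuffle(ballots)                              # ballots[k-1] is the paper at sheet number k
    sheet_numbers = draw_sample(MANIFEST, 400, seed)
    pulled = []
    for k in sheet_numbers:
        batch, position = locate_sheet(MANIFEST, k)   # where a staffer would go to find the sheet
        pulled.append((batch, position, ballots[k - 1]))
    result = bravo_audit([p[2] for p in pulled], 1300, 850, risk_limit)
    result["first_pulls"] = pulled[:3]
    return result


if __name__ == "__main__":
    print(run_demo())
```

With a reported 60/40 split and a 5% risk limit, seventeen consecutive winner ballots already push the statistic past 20 (1.2 to the 17th power is about 22.2), whereas sixteen do not; each loser ballot multiplies it by 0.8 and pushes confirmation further away. The manifest lookup is what lets the sheet number a die roll produces be turned into “tray B, sheet 1” for the person at the warehouse shelf.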

City of Fairfax, VA Pilot Risk-Limiting Audit, by Mark Lindeman, Verified Voting Foundation, December 2018.

Brenda Cabrera, General Registrar of the City of Fairfax, ran a pilot RLA of the June 12th 2018 Republican primary Senate election, with assistance from Verified Voting.  There were 948 ballots cast, and the audit team ran the audit three ways, to test three different RLA methods.   The audit was scheduled to take two days but finished ahead of schedule.

Colorado ran statewide RLAs of its 2018 primary and general elections, after pilot projects in previous years.

From all these activities we continue to learn more about how to run trustworthy elections.  I encourage state and local election officials nationwide to try RLA pilots of their own.  The Verified Voting Foundation, Democracy Works, the Democracy Fund, Free and Fair, and other individuals and organizations are available to provide advice.

Why voters should mark ballots by hand

Because voting machines contain computers that can be hacked to make them cheat, “Elections should be conducted with human-readable paper ballots. These may be marked by hand or by machine (using a ballot-marking device); they may be counted by hand or by machine (using an optical scanner).  Recounts and audits should be conducted by human inspection of the human-readable portion of the paper ballots.”

Ballot-marking devices (BMDs) contain computers too, and those can also be hacked to make them cheat.  But the principle of voter verifiability is that when the BMD prints out a summary card of the voter’s choices, which the voter can hold in hand before depositing it for scanning and counting, then the voter has verified the printout that can later be recounted by human inspection.

ExpressVote ballot card, with bar codes for optical scanner and with human-readable summary of choices for use in voter verification and in recount or audit.

But really?  As a practical matter, do voters verify their BMD-printed ballot cards, and are they even capable of it?  Until now, there hasn’t been much scientific research on that question.

A new study by Richard DeMillo, Robert Kadel, and Marilyn Marks now answers that question with hard evidence:

  1. In a real polling place, half the voters don’t inspect their ballot cards, and the other half inspect for an average of 3.9 seconds (for a ballot with 18 contests!).
  2. When asked, immediately after depositing their ballot, to review an unvoted copy of the ballot they just voted on, most won’t detect that the wrong contests are presented, or that some are missing.

This can be seen as a refutation of Ballot-Marking Devices as a concept.  Since we cannot trust a BMD to accurately mark the ballot (because it may be hacked), and we cannot trust the voter to accurately review the paper ballot (or even to review it at all), what we can most trust is an optical-scan ballot marked by the voter, with a pen.  Although optical-scan ballots aren’t perfect either, that’s the best option we have to ensure that the voter’s choices are accurately recorded on the paper that will be used in a recount or random audit.