September 25, 2020

Voting by mail in NJ 2020

For hundreds of years, New Jersey voters have voted in their local precinct polling places (800 registered voters per precinct), with only a tiny percentage voting absentee. This year, for reasons of public health in the pandemic, all voters will receive a mail-in ballot; a few polling places will be open on November 3rd for voters who need other accommodations or to vote by provisional ballot.

Thus, New Jersey has had to implement in 6 months what some western states did over a many-year period: switch to all vote-by-mail. Some of those states have developed procedures and know-how to do it very well; can New Jersey catch up, without being overwhelmed?

I spoke to Nicole DiRado, Administrator of the Union County (NJ) Board of Elections, whose office handles the mail-in ballots. Most years, that’s a few thousand ballots that they process on election day. This year it will be very different.

New this year in NJ are drop boxes. Union County will ultimately have a drop box in every municipality. Bipartisan teams of Board of Elections employees will collect ballots from every drop box, every day, in the 45 days before the election. They will also collect their U.S. mail twice a day once voters start returning their ballots.

Each day’s collection is received at the BoE offices in Elizabeth, NJ, for “staging”. Members of the public can, in principle, observe this process from the “public” side of the walk-up counter. Staging includes: sorting by municipality and ward/district; comparing signatures with the State Voter Registration System. For signature matching, BoE workers have access to a “signature history” for that voter, from DMV records and from voter-registration records, but not from every previous election (because NJ’s pollbooks are not electronic). After staging, the ballot envelopes go into the vault.

New this year is ballot tracking offered on the NJ Division of Elections’ website. The tracking numbers are not USPS tracking (they can’t tell you where inside the U.S. mail your ballot is), but the tracking system can tell the voter: when the County Clerk cleared the absentee ballot for mailing to the voter; when it was received back from the voter by the BoE; whether the ballot was accepted or not. (The tracking system does not seem to say when exactly the County Clerk mailed the ballot to the voter.)

When Election Board Commissioners reject a ballot (due to a deficiency in signature), the voter is contacted by U.S. mail. (By law, the Commissioners include two Democrats and two Republicans.) The voter is mailed a form to fill out and sign (with the ability to provide other identifying information), and return by U.S. mail. I asked, “can the voter drop that form into one of the drop boxes”? Ms. DiRado responded, “I would certainly accept that”, but it didn’t seem to be a formal statewide policy. She said she has accepted, through drop boxes, voter registration forms and requests for absentee ballots. (This year in NJ, absentee ballots will be mailed out even if the voter doesn’t request one.)

Receiving and staging of ballots begins well over a month before November 3rd.  From time to time there are “inspection periods”, where members of the public can inspect the ballot envelopes to challenge a ballot.  The first such inspection period (in Union County) is October 9th.  After each inspection period (for example, on October 10th), Union County’s ballots are transported to a facility in Linden, NJ. Because the BoE needs a lot more space for a lot more workers to process the ballots, they have acquired additional space for that part of the process (see video).

First, the perforated tab with voter-identifying information is removed from the outer envelope — but the envelope is not yet opened. Credentialed challengers can observe this process in person, and other members of the public can watch it on a live-stream video.

In late August 2020, the NJ Legislature passed (and the governor signed) 3 bills regarding election procedures. Now, starting 10 days before November 3rd, the envelopes can be opened and run through the scanners. Ms. DiRado said that her staff will open envelopes and flatten ballots, but will likely wait until just a few days before election day to begin running them through the scanners. Opening and prepping the ballots is far more labor-intensive and will take much longer than running them through the county’s high-speed scanners. Members of the public can observe all of these processes at the Linden facility (as above: credentialed challengers in person, others on live-stream). There will be Sheriff’s officers to ensure that the challengers don’t interfere with the procedures.

The BoE will have several safeguards in place to avoid premature leaks of vote counts.  With every batch of ballots, the machine will report how many ballots are in the batch (and then the ballot papers, but not the votes on them, will be hand-counted to make sure it matches); but the vote totals will be retained in the machine’s memory and not reported until an explicit report is run, on November 3rd.  No one is authorized to run that report before November 3rd.  The optical scanners log any such reports, and the State will audit those logs after the election, to make sure no unauthorized reports were run.

I went online at https://voter.svrs.nj.gov/auth/sign-in to track my ballot. To log in to that site, voters need to provide their name, DoB, and a number. Voters who registered after 2005 using a driver’s license as ID can use their driver’s license number. Voters who put a SSN on their voter registration can use the last 4 digits. Other voters will have to use their Voter ID number — but nobody knows their own Voter ID number, unless they happen to have saved old sample ballots or voter-registration cards. This is going to be a problem! The County Clerk will mail every voter a postcard with this info; or voters can contact their county election officials (link provided on the tracking-system login page) for help with this. Ms. DiRado helpfully looked up my number and provided it to me. I logged into the system and it says my “General Election Mail-in Ballot Request received date” is 8/14/2020. I didn’t request a ballot, so I assume that’s the date my County Clerk requested mail-in ballots for every voter in Mercer County. The “Request processed date” is 8/30/2020. There is no such field as “Ballot mailed to voter date” (and I think that would be worthwhile). As of September 11th, I had not yet received a ballot in the mail. The “Ballot received date” is N/A (which is good because I haven’t sent it back yet!) and “Ballot status” is N/A. I can’t tell whether “Ballot status” will track, in a timely way, whether the signature has been accepted.

In summary: I am optimistic that New Jersey is doing a good job in getting its act together in a hurry, from the Legislature and Governor down to the County Boards of Elections (at least Union County, anyway). What voters should do is use those drop boxes to return their ballots, or if you must mail in your ballot, do so as early as you can.

By the way, official government agencies such as the New Jersey Division of Elections shouldn’t use .org domain names like njelections.org, they should use .gov instead. Anyone can get a .org domain name, but only authenticated governmental entities can get a .gov. Therefore, using njelections.gov would be more secure: fraudsters can try to fool voters by setting up newjerseyelections.org, but they have a much harder time creating fake .gov domains.

Safely opening PDFs received by e-mail (or fax?!)

Many election administrators in U.S. states and counties need to receive and open PDF files from voters. Some of these administrators receive these PDFs as e-mail attachments. These may be filled-out voter registration forms, or even voted ballots from UOCAVA (overseas and military) voters. We all know that malware can lurk in e-mail attachments; how can those election officials protect themselves from being hacked?

Internet return of voted ballots is inherently insecure; that’s a separate issue and I’ll discuss it below. For now, how can one safely open a PDF attachment?

I discussed this question with Dan Guido, cybersecurity consultant and CEO of trailofbits.com. The safe way to view a PDF is inside the Chrome or Firefox browser. Printing a PDF directly from Chrome (or Firefox) to your printer is reasonably safe. The unsafe way to view a PDF is with your favorite PDF-viewer app such as Adobe Reader.

The reason is simple: Google (for Chrome) and Mozilla (for Firefox) have put enormous effort into making their PDF viewers safe, putting them inside a “sandbox” that the hackers can’t get out of — and they’ve largely succeeded.

The PDF file format has hundreds of obscure features and complex functionality that are not needed for simple documents. Chrome and Firefox don’t bother to understand the obscure features: they concentrate on getting the common features displayed safely. On the other hand, Adobe Reader does handle all the features of PDF; that’s a much larger thing to get perfectly right, and (perhaps) security is not Adobe’s highest priority.

Sometimes that means that Chrome or Firefox don’t render your document properly; but this is unlikely to be a problem for simple documents such as voter-registration forms or optical-scan ballots.

In some ways that’s a bit disappointing. I like Adobe Reader’s navigation and document-viewing facilities much more than I like the browser’s built-in PDF display. But I should be careful to use Adobe tools only for documents whose provenance I know, or that have been otherwise vetted.

If you do save your PDF to a file, and are tempted to open it later: again, you can use Chrome or Firefox to open it. (See also: PDF.js) If you want to open it in a full-featured (but less secure) tool, first use a PDF “triage tool” such as PDFid, which will scan the file and tell you if anything looks suspicious.
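As an added illustration (not code from the post, and not PDFid’s own code), here is a minimal triage pass in the same spirit: it counts keywords in the raw bytes of a PDF that can trigger actions or scripts when the file is opened, undoing the hex name escapes that are used to hide them from naive searches. The two sample PDFs are constructed for the example.

```python
import re
from collections import Counter

# Keywords PDFid also reports. The first group can cause a full-featured
# viewer to run code or actions on open; the second group is informational.
ACTIVE = ("/JavaScript", "/JS", "/OpenAction", "/AA", "/Launch",
          "/RichMedia", "/XFA")
INFORMATIONAL = ("/EmbeddedFile", "/ObjStm")

def normalize_names(data: bytes) -> bytes:
    """Undo PDF name hex escapes, e.g. /J#61vaScript -> /JavaScript.
    A plain byte search for /JavaScript would miss the escaped form."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), data)

def count_keyword(norm: bytes, kw: str) -> int:
    # The name must end at a delimiter, so /JS does not also match /JSX.
    pat = re.escape(kw.encode()) + rb"(?![A-Za-z0-9_])"
    return len(re.findall(pat, norm))

def triage(data: bytes) -> dict:
    """Return keyword counts, a verdict, and the reasons behind it.
    A suspicious file should be opened only in a sandboxed viewer, if at all."""
    norm = normalize_names(data)
    counts = Counter({kw: count_keyword(norm, kw) for kw in ACTIVE + INFORMATIONAL})
    counts["obj"] = len(re.findall(rb"\bobj\b", norm))
    counts["endobj"] = len(re.findall(rb"\bendobj\b", norm))
    reasons = []
    if not data.startswith(b"%PDF"):
        reasons.append("missing %PDF header")
    for kw in ACTIVE:
        if counts[kw]:
            reasons.append(f"{kw} present ({counts[kw]})")
    if counts["obj"] != counts["endobj"]:
        reasons.append("obj/endobj counts differ (malformed or truncated)")
    return {"counts": dict(counts), "suspicious": bool(reasons), "reasons": reasons}

# Constructed samples (not real forms): a plain one-page PDF, and one whose
# catalog auto-runs an action with a hex-obfuscated /JavaScript name.
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
4 0 obj << /S /J#61vaScript /JS (placeholder script) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for name, pdf in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        r = triage(pdf)
        print(name, "->", "SUSPICIOUS" if r["suspicious"] else "ok", r["reasons"])
```

A keyword hit is a reason to look closer (or to stay in the browser viewer), not proof of malice; a clean count is likewise not proof of safety, since a triage pass reads bytes rather than parsing the document.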

Is it safe to use Fax?

Many jurisdictions still permit (or require) forms and ballots to be sent to them by Fax. Is that safe?

Once upon a time, a “fax machine” was connected to a “land line” that went through the “phone network.” How safe that was in 1985 is no longer relevant today, when nobody has a “fax machine” and the “phone network” is the Internet.

Most voters, and many election administrators, use on-line fax services such as HelloFax. The voter logs in and uploads a PDF file; the fax service converts it to a fax-format bitstream and sends it into the part of the Internet called “the phone system”; the receiver logs in (perhaps to a different on-line fax service) and downloads a PDF file that has been converted from the bitstream.

This has so many points of insecurity: the sender’s online-fax service company may be more or less vulnerable to hackers (or insiders); the receiver’s online-fax service, ditto; and the fax-format bitstream is transmitted unencrypted, unauthenticated across the phone network.

In contrast, e-mail can be a lot more secure than that. If you use a major e-mail provider (such as gmail, Microsoft, fastmail) that knows what it’s doing; and if the recipient also uses a reputable e-mail provider, then: your e-mail is uploaded encrypted (and authenticated) to an SMTP server, which goes encrypted (and authenticated) to another SMTP server, which is downloaded encrypted (and authenticated) to the recipient’s mail reader. The vast majority of Internet e-mail traffic is protected this way.

So e-mail your stuff, don’t fax it.

Is e-mail secure? Can we vote that way?

If e-mail is so much more secure than it was 30 years ago, can we safely vote by e-mail?

Unfortunately, no. Even if Internet messages (by e-mail or other protocols) are safe in transmission, the biggest security lapses are in the server computers and especially in the client’s (voter’s) computers. Hackers who can penetrate the security of those systems can change votes before they’re sent, or after they’re received (but before they’re counted).

Furthermore, e-mail is sent from the voter’s computer to the SMTP server (at Google, or Microsoft, or fastmail…) where it is decrypted and re-encrypted for sending to the receiver’s SMTP server (at Microsoft, or fastmail, or Google, …). It’s as if you mailed your absentee ballot to your landlord, who takes it out of its envelope, puts it in a fresh envelope, and mails it to an election official. Even if we trust our landlord (and I expect Google, Microsoft, and fastmail are doing a good job), should we need to trust this intermediary? The citizenry elect their government; we don’t entrust this process to a few big tech companies.

And finally, 6% of email (that’s either outbound or inbound from gmail.com) is still unencrypted, that is, insecure. Six percent may not seem like a lot, but it’s millions of users.
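The hop-by-hop picture above (encrypted submission, encrypted server-to-server relay, encrypted download) and the unencrypted minority can both be seen in a received message’s own headers: each SMTP server that relays a message prepends a Received: line, and the keyword after “with” (ESMTPS or ESMTPSA for a hop that used STARTTLS, plain ESMTP otherwise, per RFC 3848) records whether that hop was encrypted. This added example, not from the post, walks the Received: lines of a constructed message and reports the hops that were not encrypted; the hostnames are made up. Each line is only as trustworthy as the server that wrote it, so this shows what the relays claim, not a guarantee.

```python
import re

# RFC 3848 "with" keywords: a trailing S means the hop used STARTTLS,
# a trailing A means the client authenticated (ESMTPSA = both).
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "UTF8SMTPS", "UTF8SMTPSA"}
FROM_RE = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)
WITH_RE = re.compile(r"\bwith\s+([A-Z0-9]+)", re.IGNORECASE)

def received_headers(raw: str) -> list:
    """Return the values of all Received: headers in the message head,
    with folded continuation lines (leading whitespace) joined back on."""
    headers = []
    for line in raw.split("\n"):
        line = line.rstrip("\r")
        if line == "":               # blank line ends the header section
            break
        if line[:1] in " \t" and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line)
    return [h[len("Received:"):].strip()
            for h in headers if h.lower().startswith("received:")]

def audit_hops(raw: str) -> list:
    """One record per relay hop, oldest first. Received: headers are
    prepended as the message travels, so the file order is reversed."""
    hops = []
    for rec in reversed(received_headers(raw)):
        frm, by, with_ = FROM_RE.search(rec), BY_RE.search(rec), WITH_RE.search(rec)
        proto = with_.group(1).upper() if with_ else None
        hops.append({"from": frm.group(1) if frm else None,
                     "by": by.group(1) if by else None,
                     "protocol": proto,
                     "encrypted": proto in TLS_PROTOCOLS})
    return hops

def unencrypted_hops(raw: str) -> list:
    return [h for h in audit_hops(raw) if not h["encrypted"]]

# Constructed message head: the voter's client submitted over TLS with
# authentication, the middle relay did NOT use TLS, the last hop did.
SAMPLE_MESSAGE = """Received: from mail-b.example.net (mail-b.example.net [192.0.2.20])
    by mx.county-example.gov with ESMTPS id abc123
    for <clerk@county-example.gov>; Fri, 25 Sep 2020 10:01:02 -0400
Received: from mail-a.example.org (mail-a.example.org [198.51.100.5])
    by mail-b.example.net with ESMTP id def456;
    Fri, 25 Sep 2020 10:00:58 -0400
Received: from [10.0.0.7] (voter-laptop.example.org [203.0.113.9])
    by mail-a.example.org with ESMTPSA id ghi789;
    Fri, 25 Sep 2020 10:00:55 -0400
From: voter@example.org
To: clerk@county-example.gov
Subject: Voter registration form

(body omitted)
"""

if __name__ == "__main__":
    for hop in audit_hops(SAMPLE_MESSAGE):
        flag = "encrypted" if hop["encrypted"] else "UNENCRYPTED"
        print(f"{hop['from']} -> {hop['by']} ({hop['protocol']}): {flag}")
```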

Is e-mail voter-registration secure enough?

Internet return of voted ballots is not securable by any known technology. But voter registration can reasonably be done by e-mail: the voter sends in a form, perhaps a scan-to-PDF of their printed and signed registration form. The reason this can work, when it can’t work for voted ballots, is the ability to audit the individual transaction: after a few days, the voter can check the status of their registration with the election official, or the election official can contact the voter to check up. So even if there’s hacking in the client or server computer, it can be detected and corrected. With ballots, we have the secret ballot: nobody is supposed to learn how you voted. Without the ability to check and correct later, “did my ballot get counted for the person I voted for?”, internet voting is insecurable.

NJ agrees: no Internet voting in July, vague about November

A formal settlement agreement has been submitted to the NJ Superior Court regarding online ballot access in the 2020 elections.

On May 4, 2020, New Jersey’s Division of Elections was caught trying to adopt vote-by-Internet by stealth, even though the law forbids it. That is, not only is Internet voting inherently insecurable, there’s a 2010 Court Order still in effect that says, “computers utilized for election-related duties shall at no time be connected to the Internet.” That’s based on the New Jersey Superior Court’s finding that “As long as computers, dedicated to handling election matters, are connected to the Internet, the safety and security of our voting systems are in jeopardy,” in the case of Gusciora v. Corzine.

Penny Venetis, attorney for the Gusciora plaintiffs, filed a motion (in early May) with the Court, to make the State abandon its plans for online voting, on the basis that receiving ballots e-mailed or uploaded on the Internet clearly violates this order. The Court ordered the parties to reach a settlement by June 8, or report their separate positions.

The State’s initial position was that they would use Democracy Live’s “OmniBallot” online voting system, which permits the voter to choose (1) ballot download (for printing and marking at home), (2) ballot download and mark-on-home-computer (for the voter to print and physically mail), or (3) ballot upload through Democracy Live’s portal. Democracy Live’s voting system is insecure in all sorts of unsurprising and surprising ways. Even so, the State proposed to use this for disabled voters, overseas and military voters, and, basically, any voter who wanted to use it. Doing so would leave New Jersey’s 2020 election extremely insecure.

Plaintiffs’ position was that (1) ballot download has several security problems and should therefore be limited to voters who absolutely need it, specifically, voters with disabilities and military/overseas voters; (2) computerized ballot marking has even more security problems and should be limited to voters with disabilities that prevent them from hand-marking a paper ballot; (3) no votes should be transmitted over the internet; and (4) if the State is outsourcing ballot-delivery services to private companies, then those companies should not snarf and resell all sorts of personal information about voters and their browser fingerprints.

The parties did reach a compromise settlement; in mid-June they agreed:

  1. An “electronic ballot access or delivery system” may be used only for public health purposes during the July 2020 primary and November 2020 general election, only for voters with disabilities and military/overseas voters.
  2. Unvoted ballots may be electronically delivered to those voters.
  3. Voters with disabilities may print the unvoted ballot for hand marking and return by U.S. mail or other nonelectronic means; the military or overseas voters may print the ballot for hand marking and then return it by the means specified for them in New Jersey law (N.J.S.A. 19:59).
  4. A voter with a disability who is unable to mark a ballot by hand may be given the choice to use accessible technology to indicate vote selections on the computer, then print and mail (or otherwise physically return) the paper ballot.
  5. Voters’ ballot selections (votes) are never to be transmitted over the internet. No personal voter information (or information about the voter’s computer or browser) may be gathered, analyzed, or sold.
  6. The State will follow these rules (and write them into vendor contracts) for the July primary. If the State contemplates using any system in November that does not satisfy these criteria, the State must notify the Plaintiffs no later than August 21st — and if they do so, the schedule is laid out for Plaintiffs and the State to file briefs in whatever lawsuit might ensue.

Although the State didn’t tell us until much later, on May 28th they put out a Request for Bids for a system satisfying our criteria; by June 7th they had already selected a vendor (Voting Works) whose product looks a lot more respectful, compared to Democracy Live, of basic election security principles and voters’ privacy (based on the bid document that Voting Works sent to the State, and on an interview with an executive at Voting Works).

Even so, during the settlement negotiations in early June the State vigorously resisted admitting that Internet voting is not permitted by New Jersey law. That’s even though: New Jersey statutes clearly enumerate what kinds of voting systems are permissible, and Internet voting is not among them; the statutes clearly lay out the certification requirements for voting systems, and Internet voting is not certified; and the Court Order pretty clearly says that voting systems are not to be connected to the Internet.

Based on the compromise agreement, at least this time the State can’t covertly adopt Internet voting. If the State notifies Prof. Venetis on August 21 that they’re planning to use some sort of on-line voting system that does not satisfy the criteria enumerated above, then she will seek a court order to prevent any internet-based system from being used. Based on the language of the court’s 2010 order “computers utilized for election-related duties shall at no time be connected to the Internet” and the court’s 2010 opinion (quoted in the first paragraph above), the State will have an uphill battle defending an internet-based voting system.