October 22, 2018

Continuous-roll VVPAT under glass: an idea whose time has passed

States and counties should not adopt DRE+VVPAT voting machines such as the Dominion ImageCast X and the ES&S ExpressVote.  Here’s why.

Touchscreen voting machines (direct-recording electronic, DRE) cannot be trusted to count votes, because (like any voting computer) a hacker may have installed fraudulent software that steals votes from one candidate and gives them to another.  The best solution is to vote on hand-marked paper ballots, counted by optical scanners.  Those opscan computers can be hacked too, of course, but we can recount or random-sample (“risk-limiting audit”) the paper ballots, by human inspection of the paper that the voter marked, to make sure.

Fifteen years ago in the early 2000s, we computer scientists proposed another solution: equip the touchscreen DREs with a “voter verified paper audit trail” (VVPAT).  The voter would select candidates on a touchscreen, the DRE would print those choices on a cash-register tape under glass, the voter would inspect the paper to make sure the machine wasn’t cheating, the printed ballot would drop into a sealed ballot box, and the DRE would count the vote electronically.  If the DRE had been hacked to cheat, it could report fraudulent vote totals for the candidates, but a recount of the paper VVPAT ballots in the ballot box would detect (and correct) the fraud.

By the year 2009, this idea was already considered obsolete.  The problem is, no one has any confidence that the VVPAT is actually “voter verified,” for many reasons:

  1. The VVPAT is printed in small type on a narrow cash-register tape under glass, difficult for the voter to read.
  2. The voter is not well informed about the purpose of the VVPAT.  (For example, in 2016 an instructional video from Buncombe County, NC showed how to use the machine; the VVPAT-under-glass was clearly visible at times, but the narrator didn’t even mention that it was there, let alone explain what it’s for and why it’s important for the voter to look at it.)
  3. It’s not clear to the voter, or to the pollworker, what to do if the VVPAT shows the wrong selections.  Yes, the voter can alert the pollworker, the ballot will be voided, and the voter can start afresh.  But think about the “threat model.”  Suppose the hacked/cheating DRE changes a vote, and prints the changed vote in the VVPAT.  If the voter doesn’t notice, then the DRE has successfully stolen a vote, and this theft will survive the recount.  If the voter does notice, then the DRE is caught red-handed, except that nothing happens other than the voter tries again (and the DRE doesn’t cheat this time).   You might think, if the wrong candidate is printed on the VVPAT then this is strong evidence that the machine is hacked, alarm bells should ring– but what if the voter misremembers what he entered in the touch screen?  There’s no way to know whose fault it is.
  4. Voters are not very good at correlating their VVPAT-in-tiny-type-under-glass to the selections they made on the touch screen.  They can remember who they selected for president, but do they really remember the name of their selection for county commissioner?  And yet, historically in American elections, it’s as often the local and legislative offices where ballot-box-counting (insider) fraud has occurred.
  5. “Continuous-roll” VVPATs, which don’t cut the tape into individual ballots, compromise the secrecy of the ballot.  Since any of the political-party-designated pollwatchers can see (and write down) what order people vote on the machine, and know the names of all the voters who announce themselves when signing in, they can (during a recount) correlate voters to ballots.  (During a 2006 trial in the Superior Court of New Jersey, I was testifying about this issue; Judge Linda Feinberg saw this point immediately, she said it was obvious that continuous-roll VVPATs compromise the secret ballot and should not be acceptable under New Jersey law.)
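
The threat model in item 3 can be made concrete with a small simulation. This is an added example, not part of the original article; the flip rate, the notice rate, and the two-candidate race are assumptions chosen for illustration, since the article gives no figures.

```python
import random

def simulate(n_voters, flip_rate, notice_rate, seed=0):
    """Cheating DRE that prints the *altered* vote on the VVPAT (item 3).

    Assumed model: each voter intends "A" or "B" with equal probability.
    The DRE tries to change an A vote to B with probability flip_rate.
    The voter notices the wrong VVPAT with probability notice_rate; that
    ballot is voided, the voter starts afresh, and the DRE does not cheat
    on the retry.
    """
    rng = random.Random(seed)
    intent = {"A": 0, "B": 0}
    electronic = {"A": 0, "B": 0}
    paper = {"A": 0, "B": 0}
    voided = 0
    for _ in range(n_voters):
        choice = rng.choice("AB")
        intent[choice] += 1
        recorded = choice
        if choice == "A" and rng.random() < flip_rate:
            if rng.random() < notice_rate:
                voided += 1       # caught: ballot voided, honest re-vote
            else:
                recorded = "B"    # unnoticed: the changed vote stands
        # The same software drives the printer and the counter, so the
        # paper record and the electronic record always agree.
        electronic[recorded] += 1
        paper[recorded] += 1
    return {"intent": intent, "electronic": electronic,
            "paper": paper, "voided": voided}

def recount_detects_fraud(result):
    """A recount only compares the paper VVPATs with the electronic totals."""
    return result["paper"] != result["electronic"]

def stolen_votes(result):
    """Votes intended for A that the paper record attributes to B."""
    return result["intent"]["A"] - result["paper"]["A"]

if __name__ == "__main__":
    r = simulate(10_000, flip_rate=0.10, notice_rate=0.30)
    print("stolen:", stolen_votes(r), "voided:", r["voided"],
          "recount detects fraud:", recount_detects_fraud(r))
```

Under these assumptions the only trace of the fraud is the count of voided ballots, which cannot be distinguished from voters who misremembered their own selections.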

For all these reasons, many states that adopted DRE+VVPAT in the period 2003-2008 have abandoned them, switching over to optical-scan voting with hand-marked (“fill in the opscan bubbles”) paper ballots, with Ballot-Marking Devices (BMDs) available for voters who can’t easily read or handle the paper.  (Buncombe County switched to optical scan between 2016 and 2018, because the state of North Carolina outlawed continuous-roll VVPATs.)

In the 2018 election, approximately* 42 states will use optical-scan, 3 states will use DRE+VVPAT, and 5 states will use paperless DREs (touchscreens).  Between 2002 and 2018, many states switched from DRE to opscan, from mechanical lever machines to opscan, from punchcard to opscan, from DRE+VVPAT to opscan; but not one state that I know of switched to DRE+VVPAT.  It’s not a good technology; it’s too easy for the computer (if hacked) to manipulate what appears on the paper record.

New Jersey is one of those 5 states that use paperless DREs.  There’s no excuse for that; if the DREs are hacked, elections can be stolen with no detection and no recourse.  (Or if the DREs “make a mistake”, no recount is possible.)  New Jersey should switch to voter-marked optical-scan ballots, like the rest of the country.

But I am informed** that three New Jersey counties (Gloucester, Essex, and Union) are considering the purchase of new voting machines, and they’re considering only the ES&S ExpressVote and the Dominion ImageCast X.  I’ve already explained why the ExpressVote is a bad idea.

New Jersey (or any state) should not adopt the Dominion ImageCast X DRE+VVPAT voting machine.  The ImageCast X comes in several configurations, and one of them is basically a DRE+VVPAT, with a continuous-roll cash-register tape under glass.  Kevin Skoglund, a software engineer in Pennsylvania, had an opportunity to examine one at a demonstration in Harrisburg, PA.  He reports that it’s quite difficult to read the VVPAT-under-glass:  the printing was gray (not black) on the thermal paper, the font was small, the glass window in the machine was small.  Even though he has 20/20 vision, he had difficulty reading it.

The ImageCast X is advertised as an optical scanner, not a DRE, because, technically, this configuration prints a QR barcode onto the VVPAT tape, then an integrated scanner immediately reads this QR code before counting the vote.  This is a distinction without a difference.  All the disadvantages 1,2,3,4,5 (above) apply to this format.  Sure, a DRE+VVPAT is marginally better than a DRE; but that’s not the technology to adopt in 2018.

New Jersey should buy optical-scan voting machines for hand-marked optical-scan ballots.  Dominion makes reasonable optical-scan voting machines:  the ImageCast Precinct and the ImageCast Central.  ES&S makes reasonable optical-scan voting machines: the DS200, the DS450, and the DS850.   Three other companies make EAC-certified optical-scan voting machines: Clearballot, Hart, and Unisyn.  New Jersey (and the few other states still using paperless DREs)  should buy optical-scan voting machines from any of these 5 companies.

*I say “approximately” because some states use different machines in different counties.

**e-mail from Robert Giles, Director of the NJ Division of Elections, to Stephanie Harris, October 11, 2018.

Photo of ImageCast X VVPAT window:  Kevin Skoglund, June 2018.

CITP to Launch Tech Policy Clinic; Hiring Clinic Lead

We’re excited to announce the CITP technology policy clinic, a first-of-its-kind interdisciplinary project to engage students and scholars directly in the policy process. The clinic will be supported by a generous alumni gift.

The technology policy clinic will adapt the law school clinic model to involve scholars at all levels in real-world policy activities related to technology—preparing written comments and briefs, working with startup companies, and collaborating with public-interest law groups. As an outgrowth of this work, CITP could provide federal, state and local policy makers with briefings on emerging technologies and could also create simple non-partisan guides to action for citizens and small businesses.

We’re looking to hire a Clinic Lead, an experienced policy professional to lead the clinic. For more information, go to https://citp.princeton.edu/clinic-lead/

CITP was founded as Princeton’s initiative to support research and education on technology policy issues. Over the years, CITP’s voice grew stronger as it uniquely leveraged its strength of world class computer scientists and engineers, to work alongside leading policy experts at the Woodrow Wilson School of Public Policy. The center has now established a recognized national voice in areas including AI policy, privacy and security, technology for governance and civil liberties, broadband policy, big data, cryptocurrencies, and the internet of things. As the national debate over technology and its impact on democracy has come to the forefront in recent times, the demand for technology policy experts has surged. CITP recognizes a need to take on a larger role in tackling some of these technology policy problems by providing on-the-ground training to Princeton’s extraordinary students. We’re eager to hire a Clinic Lead and get started!  

Design flaw in Dominion ImageCast Evolution voting machine

The Dominion ImageCast Evolution looks like a pretty good voting machine, but it has a serious design flaw: after you mark your ballot, after you review your ballot, the voting machine can print more votes on it!  Fortunately, this design flaw has been patented by a rival company, ES&S, which sued to prevent Dominion from selling this bad design.  Unfortunately, that means ES&S can still sell machines (such as their ExpressVote all-in-one) incorporating this design mistake.

When we use computers to count votes, it’s impossible to absolutely prevent a hacker from replacing the computer’s software with a vote-stealing program that deliberately miscounts the vote.  Therefore (in almost all the states) we vote on paper ballots.  We count the votes with optical scanners (which are very accurate when they haven’t been hacked), and to detect and correct possible fraud-by-hacking, we recount the paper ballots by hand.  (This can be a full recount, or a risk-limiting audit, an inspection of a randomly selected sample of the ballots.)

Some voters are unable to mark their ballots by hand–they may have a visual impairment (they can’t see the ballot) or a motor disability (they can’t physically handle the paper).  Ballot-marking devices (BMDs) are provided for those voters (and for any other voters that wish to use them); the BMDs are equipped with touchscreens, and also with audio and tactile interfaces (headphones and distinctively shaped buttons) for blind voters, and even sip-and-puff input devices for motor-impaired voters.  These BMDs print out a paper ballot that can be scanned by the optical scanners and can be recounted by hand.

In a typical polling place, there are cardboard privacy screens for those voters who use a pen to fill in the bubbles on their op-scan ballots; one BMD for voters who want machine assistance marking their ballots; and one optical scanner into which all voters deposit their ballots.

In contrast, the ImageCast Evolution is an “all-in-one” device: combination BMD and optical scanner.  Most voters fill out their ballots by hand, and insert into the scanning slot.  But those using the BMD feature will insert a blank ballot into the scanning slot; after they indicate their choices using the touchscreen or audio/button interface, the ImageCast Evolution will fill in the bubbles on their ballot for them.

Combining the BMD+scanner is a really bad idea!  Remember, the purpose of the paper ballot is to guard against cheating by hacked voting computers.  If the optical-scanners have been hacked, they lie about what’s on the paper ballots.  We can detect this fraud by recounting a random sample of the paper ballots.   But the ImageCast Evolution can print right onto your ballot, after you insert it into the slot.  From the diagram of the paper path, above, it’s pretty clear that the same bidirectional paper path contains both the scanner and the printer.  That means it can cast more votes onto your ballot.    Of course, the legitimate software installed by Dominion won’t do that, but the machine is physically capable of it, and fraudulent software can exploit this ability.

When I feed my marked ballot into an optical scanner,  I do not want the optical scanner to have the ability to fill in more bubbles on my ballot!  The whole purpose of the paper ballots, and the human-inspection random audits, and the human-inspection recounts, is to guard against the possibility that a hacker installed cheating software into the voting machine.  If the cheating software can mark my ballot, after the last time I can inspect it, then the ballot seen by the recount team is not the same as I marked it.

This appears to be an elementary security-design mistake.  Security design isn’t easy!  A good security designer has to be able to think adversarially, to understand the threat model, to understand how the software could subvert the hardware.  In this case, the threat is:

  1. Hacker exploits a security vulnerability of the ImageCast voting machine or on the election-administration laptop computer that prepares ballot files.  For example, the ImageCast has several USB ports, and USB is notoriously insecure.
  2. Hacker uses this vulnerability to install additional software on the ImageCast, that fills in additional ovals on the op-scan ballot, after the voter has inserted it for scanning.  For extra credit, don’t perfectly fill in the ovals like a BMD normally would; instead, mimic the style that the voter has used with a pen.  For double-extra-credit, do this only when the scanner detects that the voter has used a similar color pen to the ink-jet cartridge in the BMD’s printer.  For triple-extra-credit, only fill in ovals in races where the voter hasn’t already marked a vote; this avoids overvotes that would draw attention to the paper ballot during an audit or recount.


ImageCast Evolution product brochure.

Another ImageCast Evolution product brochure

Video (click here, scroll down to ImageCast Evolution, click on the first blue square labeled “VIDEO”)

Dual Display Brochure

Dual Display Video (click here, scroll down to ImageCast Evolution, click on the second blue square labeled “VIDEO”).

Dave (Jing) Tian, Nolen Scaife, Deepak Kumar, Michael Bailey, Adam Bates, Kevin R. Butler. SoK: “Plug & Pray” Today – Understanding USB Insecurity in Versions 1 through C. 39th IEEE Symposium on Security and Privacy (Oakland ’18),  May 2018.

Kevin Skoglund, personal communication, June 2018: “In August 2017, ES&S sued Dominion alleging that the ImageCast Evolution infringed on their patents.  In several demos since then [in Harrisburg, PA and in Montgomery County, PA], Dominion has not featured the ICE even though it is still prominent on their website. Instead they have featured the ImageCast X which is not even listed on their website.  The lawsuit appears to have been settled on June 12.  Settlements are typically confidential so there will be no public documents on it.”