by Dave Moore, 11-4-18
In 2004, while attending the Defcon computer security conference in Las Vegas, I attended a meeting where the subject of “e-voting” was discussed.
The “e-voting” concept includes the use of computerized, paperless electronic voting machines, as well as the idea of voting, not from government-sanctioned polling locations, but from an Internet Web site, or by email. This was before the moronic idea of voting from an app on your phone was conceived.
Several thousand of the world’s top computer security experts were in attendance. I thought it quite revealing that, as soon as the words “electronic voting security” came out of the speaker’s mouth, the crowd burst into raucous, jeering laughter.
E-voting security, indeed. You couldn’t fool this crowd; they knew better. That voters across the nation are being conned into thinking their electronically-cast votes are secure is a scam of colossal proportions. That was 14 years ago, and since then, some things have improved, and somethings have actually gotten worse.
The consensus among Internet and computer security experts remains the same: e-voting is a bad idea. Sadly, governments, like modern-day alchemists, still seem to think they can turn sows ears into silk purses. In an effort to understand how voting security is being handled at the state level, some very good studies have been conducted, most notably by The Center for American Progress (CAP) (www.americanprogress.org) in their very thorough study, “Election Security in All 50 States.”
Sadly, Oklahoma only gets a middling grade of “C.” That’s not as bad as the “F” grade given to Arkansas, Florida, Indiana, Kansas and Tennessee, but not as good as the “B” grade (the highest any state earned) given to states like New Mexico, New York and Minnesota.
Oklahoma’s lame showing is due to a number of factors, some of which need to be corrected by the State Legislature so the State Election Board can have the freedom to do a better job ensuring the security and integrity of the election process.
In some areas, Oklahoma looks good. Our voting machines, with paper ballots marked by hand and scanned optically, along with how the machines are tested, earns a big thumbs up, although the law does not require that testing be open to public observance, nor does it specify precisely when testing must be carried out. Even so, good provisions are in place that allow for a voter-verified paper audit trail, which is ideal.
Other areas are flagged as being clearly unsatisfactory. The state does not conduct post-election audits. Ballots are not fully accounted for at the precinct level. Precincts are not required to compare and reconcile the number of ballots with the number of voters who signed in at the polling place. Counties are not explicitly required to compare and reconcile precinct totals with countywide results to ensure that they add up to the correct amount.
Other areas need help, as well. Oklahoma allows certain absentee voters, such as those in the military, to submit completed ballots electronically via fax, either using phone lines or over the Internet, a horrible practice that needs serious attention.
The report titled “Electronic Transmission of Ballots,” by the National Conference of State Legislatures (www.ncsl.org) points out the following problems with e-voting:
Privacy: because election officials are able to identify the person who sent a ballot via electronic transmission, ballots are not fully anonymous; privacy of the ballot is a value for voters and for society as a whole. Security of the election process: many cybersecurity experts are concerned that any Internet connection could be vulnerable to hacking or other cyber attacks. Security of the voter’s computer. Denial of service attack: potential attackers could disrupt the system by overloading it and prevent communications (i.e. voted ballots) from getting through. Voter coercion: the possibility that a voter could be coerced into voting a certain way is a consideration for electronic transmission, as well as for traditional mail absentee voting.
Auditability: electronic transmission does not allow a voter to verify if the ballot received matches the one sent, and without a paper record, a cyberattack may be undetectable. Authentication: how to verify the identity of the voter must be determined. For example, Alaska requires that the ballot be accompanied by two authentication documents that must be printed and signed by the voter and a witness.
In wrapping up its assessment of Oklahoma’s voting systems, the CAP study concludes by saying, “To improve its overall election security, Oklahoma should immediately adopt robust post-election audits that confirm the accuracy of election outcomes. In doing so, the state should look to risk-limiting audits like those in Colorado as a potential model.”
“Given the threat posed by sophisticated nation-states seeking to disrupt U.S. elections, it is imperative that post-election audits be comprehensive enough to test the accuracy of election outcomes with a high degree of confidence and detect any possible manipulation. Oklahoma should also strengthen its ballot accounting and reconciliation procedures by requiring that all ballots – used, unused, and spoiled – are fully accounted for at the precinct level. Part of this includes comparing and reconciling the number of ballots with the number of voters who signed in at the polling place.”
“Moreover, Oklahoma should require counties to compare and reconcile precinct totals with composite results to ensure that they add up to the correct number. Finally, Oklahoma should prohibit voters stationed or living overseas from returning voted ballots electronically. All voted ballots should be returned by mail or delivered in person.”
Dave Moore has been fixing computers in Oklahoma since 1984. As founder of the Internet Safety Group, he also teaches Internet safety workshops for public and private organizations. He can be reached at 405-919-9901 or www.internetsafetygroup.com