Some Observations re: Maryland's Election Procedures, 2016

We have looked closely at Maryland's proposed procedures for the 2016 election. In particular, we looked at the state's planned post-election procedures and its expansion of online ballot marking and online ballot delivery services to all citizens.
Post-Election Procedures
Harvie Branscomb, Joe Kiniry, Mark Lindeman, Neal McBurnett, Ronald L. Rivest, John Sebes, Pamela Smith, Philip Stark, Howard Stanislevic, Paul Stokes, Poorvi L. Vora, Luther Weeks

Summary
Maryland's legislature mandated the use of voter-verifiable paper records in 2007. The mandate was finally implemented in 2016; all votes were cast on paper ballots which were scanned and counted electronically. The ballots were securely stored as evidence of voter intent. The State Board of Elections, however, did not look at the ballots for its audit. Instead, it contracted another software company to check the election using the scan data, which was not verified by voters.

The computerized scan data can differ from the ballots due to error or intentional alteration. Both the voting system and the audit system derive their conclusions from it, and neither would detect election outcome errors resulting from differences between the data and the ballots. In particular, the proposed procedure would not detect a competent effort to change the election outcome.

From preliminary contest counts declared by the state, we observed that Maryland would be able to provide very good confidence in both the statewide outcomes (the contests for President and Senate) by manually inspecting only 112 randomly chosen ballots.

Because Maryland's margins are large, by manually inspecting some more ballots---about 700 of 2.5 million, fewer than one-thirtieth of one percent---Maryland would have been able to greatly improve confidence in each federal outcome, including the contests for seats in the US House of Representatives.

Our team of a dozen election integrity experts wrote the State Board of Elections multiple times---Vora also testified on behalf of the team multiple times in the monthly board meetings---offering to help them carry out a real independent audit, against the paper ballots, in addition to their planned procedures. Our assistance would have been at no cost to the state and would likely have required a single afternoon. We also wrote an op-ed in the Baltimore Sun, the paper of record for the state of Maryland.

Our team wrote the House Ways and Means Committee about legislation proposed in March 2017 to require similar post-election procedures, recommending that the Legislature hold full hearings before legislating a particular kind of audit. No legislation on audits was passed in that session, though there was a discussion (discussion begins at about 3:46, the first notch in the video timeline) in the House Ways and Means Committee.

The House Ways and Means Committee and the Senate Education, Health, and Environmental Affairs Committee held a joint hearing on September 6 on the topic of election cybersecurity. Vora testified on the topic, as did a number of other experts.

Some Detail

Even more detail
Security Issues with the Expansion of Online Ballot Delivery and Marking

Among all states that do not allow internet return of the ballot, Maryland appears to provide the weakest protections. This is largely because the state does not check signatures and does not restrict which voters can obtain their ballots online. The numbers I use below are from the "Online Ballot Delivery Survey Summary" document made available by the state, revised August 2016.

24 states allow online ballot delivery. Of these, 21 recognize the security risks of online ballot delivery and restrict it to the very small fraction of the voting population who need it---such as overseas voters and those serving in the military. Three states (Alaska, Maryland and Washington) allow all registered voters to use online ballot delivery, greatly increasing the risk of malware influencing election outcome, and the incentive to deploy such malware.

Among the three states referred to above, Alaska provides the weakest protections because it allows all voters to return voted ballots on the internet. Of the other two, who limit internet return to only a small fraction of voters, Washington checks signatures on returned voted ballots, but Maryland does not. As a consequence, the main authentication of the voter happens before she receives her ballot, and, thereafter, possession of the ballot is everything. A virtual ballot delivered online is a string of ones and zeroes that can be captured, stored and reused by malware on the voter's computer. It can be redirected, over the internet, by the malware to someone else who can print it, complete it and mail it. (In order to ensure that a voted ballot received by the election authority was indeed sent by the voter, signatures are used as the primary authentication mechanism for absentee ballots, see NIST IR 7711*. )

The use of an online ballot marking tool exposes the vote to any malware, including spyware, on the voter's computer. It violates ballot secrecy and also provides information to malware that might try to redirect the ballot to another entity if it does not like the entered vote. Of the 16 other states with online marking tools, 14 recognize the need to restrict access to those disadvantaged without it, and only two allow all registered voters to use it.

* "In most cases, any mechanism used to remotely authenticate voters will serve as a secondary method to authenticate returned ballots, with voter signatures generally providing the primary mechanism to authenticate returned ballots." NIST IR 7711, Sept 2011, "Security Best Practices for the Electronic Transmission of Election Materials for UOCAVA Voters".



Last update: 15:49:51, Monday, 25 September, 2017 local time.