Some Observations re: Maryland's Election Procedures, 2016 onwards
We have looked closely at Maryland's proposed procedures for the 2016 election. In particular, we looked at the state's planned post-election procedures and its expansion of online ballot marking and online ballot delivery services to all citizens.
Harvie Branscomb, Joe Kiniry, Mark Lindeman, Neal McBurnett, Ronald L. Rivest, John Sebes, Pamela Smith, Philip Stark, Howard Stanislevic, Paul Stokes, Poorvi L. Vora, Luther Weeks. While much of the earlier part of this work was done as an intense collaboration, individuals take responsibility only for documents bearing their names.
The computerized scan data can differ from the ballots due to error or intentional alteration. Both the voting system and the audit system derive their conclusions from it, and neither would detect election outcome errors resulting from differences between the data and the ballots. In particular, the proposed procedure would not detect a competent effort to change the election outcome.
From preliminary contest counts declared by the state, we observed that Maryland would be able to provide very good confidence in both the statewide outcomes (the contests for President and Senate) by manually inspecting only 112 randomly chosen ballots.
Because Maryland's margins are large, by manually inspecting some more ballots---about 700 of 2.5 million, fewer than one-thirtieth of one percent---Maryland would have been able to greatly improve confidence in each federal outcome, including the contests for seats in the US House of Representatives.
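The following is an added illustration, not part of the original page or the team's own calculations: a BRAVO-style ballot-polling test showing why a wide reported margin can be confirmed from a small random sample of hand-read paper ballots. The page does not state the method, risk limit or vote shares behind its 112- and 700-ballot figures; the 5% risk limit, the shares and all function names below are assumptions.

```python
import math
import random

def expected_ballots(winner_share, risk_limit):
    """Approximate expected sample size (Wald's approximation, no overshoot)
    when the reported two-candidate share of the winner is correct."""
    s = winner_share
    drift = s * math.log(2 * s) + (1 - s) * math.log(2 * (1 - s))
    return math.log(1 / risk_limit) / drift

def ballot_polling_audit(hand_readings, winner_share, risk_limit):
    """Sequential test over manually read paper ballots, never scan data.
    Each reading is 'W' (reported winner), 'L' (runner-up) or anything else
    (other candidate, blank), which counts as examined but moves nothing.
    Returns (confirmed, ballots_examined)."""
    t, examined = 1.0, 0
    for mark in hand_readings:
        examined += 1
        if mark == "W":
            t *= 2 * winner_share          # evidence for the reported outcome
        elif mark == "L":
            t *= 2 * (1 - winner_share)    # evidence against it
        if t >= 1 / risk_limit:
            return True, examined
    # Not confirmed: draw more ballots, up to a full hand count.
    return False, examined

def draw_ballots(true_share, n, seed):
    """Constructed sample: n independent draws from paper ballots whose true
    winner share is true_share (the scanner's report plays no part here)."""
    rng = random.Random(seed)
    return ["W" if rng.random() < true_share else "L" for _ in range(n)]

if __name__ == "__main__":
    # Wider margins need far fewer ballots (constructed shares, 5% risk limit).
    for share in (0.55, 0.60, 0.65, 0.70):
        print(share, round(expected_ballots(share, 0.05)))
    # Paper agrees with the reported 65% share.
    print(ballot_polling_audit(draw_ballots(0.65, 5000, seed=1), 0.65, 0.05))
    # Report says 65% but the paper is an even split: the test confirms
    # with probability at most the risk limit.
    print(ballot_polling_audit(draw_ballots(0.50, 5000, seed=1), 0.65, 0.05))
```

The sample size depends on the margin and the risk limit, not on the 2.5 million ballots cast, which is why the fraction inspected can be so small.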
Our team of a dozen election integrity experts wrote the State Board of Elections multiple times---Vora also testified on behalf of the team multiple times in the monthly board meetings---offering to help them carry out a real independent audit, against the paper ballots, in addition to their planned procedures. Our assistance would have been at no cost to the state and would likely have required a single afternoon. We also wrote an op-ed in the Baltimore Sun, the paper of record for the state of Maryland.
Our team wrote the House Ways and Means Committee about legislation proposed in March 2017 to require similar post-election procedures, recommending that the Legislature hold full hearings before legislating a particular kind of audit. No legislation on audits was passed in that session, though there was a discussion (discussion begins at about 3:46, the first notch in the video timeline) in the House Ways and Means Committee.
The House Ways and Means Committee and the Senate Education, Health, and Environmental Affairs Committee held a joint hearing on September 6 on the topic of election cybersecurity. Vora testified on the topic, as did a number of other experts.
The House Ways and Means Committee held hearings for a number of new bills on 27 February 2018. Of the four interesting bills, two covered online security (see "Security Issues with the Expansion of Online Ballot Delivery and Marking", all the way down) and two covered audits. House Bill 767, "Election Law -- Securing Elections From Foreign Interference", got most of the issues right, and Poorvi Vora testified in support. House Bill 1278, "Election Law -- Securing Elections From Foreign Interference", missed everything about audits while still being a bill that required manual examination of ballots. Poorvi Vora testified to support it with amendments. She followed the testimony with an email summarizing the key suggestions and adding one more, that the bill be viewed as a first step towards comprehensive audit legislation, and offering to help design the first audit.
Even more detail
Security Issues with the Expansion of Online Ballot Delivery and Marking
Among all states that do not allow internet return of the ballot, Maryland appears to provide the weakest protections. This is largely because the state does not check signatures and does not restrict which voters can obtain their ballots online. The numbers I use below are from the "Online Ballot Delivery Survey Summary" document made available by the state, revised August 2016.
24 states allow online ballot delivery. Of these, 21 recognize the security risks of online ballot delivery and restrict it to the very small fraction of the voting population who need it---such as overseas voters and those serving in the military. Three states (Alaska, Maryland and Washington) allow all registered voters to use online ballot delivery, greatly increasing the risk of malware influencing the election outcome, and the incentive to deploy such malware.
Among the three states referred to above, Alaska provides the weakest protections because it allows all voters to return voted ballots on the internet. Of the other two, which limit internet return to only a small fraction of voters, Washington checks signatures on returned voted ballots, but Maryland does not. As a consequence, the main authentication of the voter happens before she receives her ballot, and, thereafter, possession of the ballot is everything. A virtual ballot delivered online is a string of ones and zeroes that can be captured, stored and reused by malware on the voter's computer. It can be redirected, over the internet, by the malware to someone else who can print it, complete it and mail it. (In order to ensure that a voted ballot received by the election authority was indeed sent by the voter, signatures are used as the primary authentication mechanism for absentee ballots; see NIST IR 7711*.)
The use of an online ballot marking tool exposes the vote to any malware, including spyware, on the voter's computer. It violates ballot secrecy and also provides information to malware that might try to redirect the ballot to another entity if it does not like the entered vote. Of the 16 other states with online marking tools, 14 recognize the need to restrict access to those disadvantaged without it, and only two allow all registered voters to use it.
The election subcommittee of the Ways and Means Committee of the Maryland House proposed two bills to address our concerns: House Bill 1331, "Election Law Cybersecurity", and House Bill 1658, "Election Law -- Absentee Ballot Requests, Delivery, and Marking". See our testimony at the committee hearings in support of both bills, below.
* "In most cases, any mechanism used to remotely authenticate voters will serve as a secondary method to authenticate returned ballots, with voter signatures generally providing the primary mechanism to authenticate returned ballots." NIST IR 7711, Sept 2011, "Security Best Practices for the Electronic Transmission of Election Materials for UOCAVA Voters".
Last update: 16:51:31, Saturday, 10 March, 2018 local time.