July 25, 2019

Much has been written about the need to further secure our elections, from ensuring the integrity of voting machines to combating fake news. But according to a report quietly issued by a California grand jury this week, more attention needs to be paid to securing social media and email accounts used by election officials at the state and local level.

California has a civil grand jury system designed to serve as an independent oversight of local government functions, and each county impanels jurors to perform this service annually. On Wednesday, a grand jury from San Mateo County in northern California released a report which envisions the havoc that might be wrought on the election process if malicious hackers were able to hijack social media and/or email accounts and disseminate false voting instructions or phony election results.

“Imagine that a hacker hijacks one of the County’s official social media accounts and uses it to report false results on election night and that local news outlets then redistribute those fraudulent election results to the public,” the report reads.

“Such a scenario could cause great confusion and erode public confidence in our elections, even if the vote itself is actually secure,” the report continues. “Alternatively, imagine that a hacker hijacks the County’s elections website before an election and circulates false voting instructions designed to frustrate the efforts of some voters to participate in the election. In that case, the interference could affect the election outcome, or at least call the results into question.”

In San Mateo County, the office of the Assessor-County Clerk-Recorder and Elections (ACRE) is responsible for carrying out elections and announcing local results. The ACRE sends election information to some 43,000 registered voters who’ve subscribed to receive sample ballots and voter information, and its Web site publishes voter eligibility information along with instructions on how and where to cast ballots.

The report notes that concerns about the security of these channels are hardly theoretical: In 2010, intruders hijacked ACRE’s election results Web page, and in 2016, cyber thieves successfully breached several county employee email accounts in a spear-phishing attack.

In the wake of the 2016 attack, San Mateo County instituted two-factor authentication for its email accounts — requiring each user to log in with a password and a one-time code sent via text message to their mobile device. However, the county uses its own Twitter, Facebook, Instagram and YouTube accounts to share election information, and these accounts are not currently secured by two-factor authentication, the report found.

“The Grand Jury finds that the security protections against hijacking of ACRE’s website, email, and social media accounts are not adequate to protect against the current cyber threats. These vulnerabilities expose the public to potential disinformation by hackers who could hijack an ACRE online communication platform to mislead voters before an election or sow confusion afterward. Public confidence is at stake, even if the vote itself is secure.”

The jury recommended the county take full advantage of the most secure two-factor authentication now offered by all of these social media platforms: The use of a FIDO physical security key, a small hardware device which allows the user to complete the login process simply by inserting the USB device and pressing a button. The key works without the need for any special software drivers [full disclosure: Yubico, a major manufacturer of security keys, is currently an advertiser on this site.]

Additionally, the report urges election officials to migrate away from one-time codes sent via text message, as these can be intercepted via man-in-the-middle (MitM) and SIM-swapping attacks.  MitM attacks use counterfeit login pages to steal credentials and one-time codes.

An unauthorized SIM swap is an increasingly rampant form of fraud in which scammers bribe or trick employees at mobile phone stores into seizing control of the target’s phone number and diverting all texts and phone calls to the attacker’s mobile device.

Samy Tarazi is a sergeant with the sheriff’s office in nearby Santa Clara County and a supervisor with the REACT Task Force, a team of law enforcement officers that has been tracking down individuals perpetrating SIM swapping attacks. Tarazi said he fully expects SIM swapping to emerge as a real threat to state and local election workers, as well as to staff and volunteers working for candidates.

“I wouldn’t be surprised if some major candidate or their staff has an email or social media account with tons of important stuff on there [whose password] can be reset with just a text message,” Tarazi told KrebsOnSecurity. “I hope that doesn’t happen, but politicians are regular people who use the same tools we use.”

A copy of the San Mateo County grand jury report is available here (PDF).


105 thoughts on “The Unsexy Threat to Election Security

  1. rip

    Anybody else want to trust their 2FA security to a google titan security key?

    Even yubikey leaves a lot of questions about verification of their algorithms. How do we trust the the wolves that guard the hen-houses from the foxes?

    1. rip

      Oh, sent from my gmail account. Love them, hate them. What should we do?

    2. Chris C

      Apps like google authenticator don’t (or at least don’t need to) call home. The algorithm used, a form of TOTP, is public. I use 1password for handling TOTP codes for logging in to google services and office 365 as well as dozens of others (office 365 gives you the option of using a “non microsoft app”, but they don’t make it easy to find.)

    3. Joe

      TOTP apps are free, open source, and should have no reason to connect to the Internet.

      Yubikey has a TOTP app that stores the TOTP seeds on the yubikey device itself. So it is portable between smartphones and doesn’t leave the secrets on the phone itself.

  2. Robert Zager

    Here are three more unsexy threats to elections.

    1. Public officials using domains that are not .gov domains. This makes it hard for citizens to know what to trust.

    2. People who are not eligible to vote registering to vote and then voting.

    3. People voting in more than one jurisdiction.

    1. Arbee

      Citations for #2 and / or #3?

      Instances of either / both are greater than zero but vanishingly rare.

      Except in some folks’ fevered imaginations.

      1. pc

        #2 happens all the time. Non-citizens can illegally register in states like California which have no voter-ID requirements, and anyone can vote in an election since officials aren’t allowed to verify their identity or eligibility. There are roughly 2.5 million illegal immigrants in the state. There are certainly enough voting to influence an election, as it’s about 6% of the state’s population.

        The current system trusts that only eligible voters are going to the poll. As security experts, we know that trust is not a strategy.

            1. JBA

              So you’ve provided two sources, one of which is a staunchly conservative think tank and the other a local outlet. Great, let’s see if their stories align.

              Heritage: a one-pager that doesn’t actually cite any instances of ineligible voters actually casting votes, but rather pointing out that there’s a possibility for voter fraud that’s being caught and prevented by the systems in place to do just that. OK…

              CBS: Found 906 dead people registered from 2016, of which 561 remain registered. So there’s some issues with effectively purging rolls in a timely manner. But then you consider that L.A. County has 4.3 million registered voters, and suddenly an inaccuracy rate of 0.00013 is, well, vanishingly rare as was noted before.

              Let me repeat it for those in the back: voter fraud is simply not a real threat to our elections, particularly given all of the other *provable* instances of tampering, interference, and – here’s the big one – gerrymandering!

              But I suppose if you really do want to worry about voter fraud, we do have one recent case to look at…

              https://www.businessinsider.com/north-carolina-election-board-says-gop-operative-voter-fraud-2019-2

                1. JenDeyan

                  An article about voter fraud in the 1940s proves voter fraud is happening in 2019? You gotta be kidding?

              1. Jim Marshall

                The only reason to object to Voter ID is for the purposes of cheating – any other answer is disingenuous.

                1. Joe

                  Unless the US had a long and painful history of using such benign sounding requirements to disenfranchise minorities.
                  More obstacles have been proven to have a negative effect on voting minorities. And any attempt to ignore, or disregard our history, is disingenuous.

                2. JBA

                  So the solution to essentially non-existent voter fraud is to institute a policy that has historically been abused to eliminate voters of the opposition?

                  Yeah, that doesn’t sound disingenuous at all…

        1. Nate

          Allow me to demonstrate how you’ve been misled….

          ID isn’t required to vote in many states, but states are still required by federal law to verify identity during *voter registration*. If you don’t have a driver’s license, they verify your SSN:

          “The Help America Vote Act of 2002 requires States to verify the information of newly registered voters for Federal elections. Each State must establish a computerized State-wide voter registration list and verify new voter information with the State’s Motor Vehicle Administration (MVA). The States are required to verify the driver’s license number against the state MVA database. Only in situations where no driver’s license exists should the states verify the last four digits of the new voter registrant’s Social Security Number (SSN). The State submits the last digits of the SSN, name, and date of birth to the MVA for verification with SSA.”

        2. Nate

          “The Help America Vote Act of 2002 requires States to verify the information of newly registered voters for Federal elections.”

          Look it up then realize you were misled.

        3. Joe

          Trust is not a strategy. True.
          But compared to the overblown risk of ineligible immigrants… there are far more absentee ballots that are definitely being counted.
          There is a lot of trust, without verification, when it comes to absentee ballots.
          But of course, Republicans rely on these so they won’t mention it. They only manufacture outrage when minorities are voting.

        4. DennisA

          The federal government cannot and does not require citizenship for state and local elections. That decision is up to states–and there is a case to be made that citizenship should not be a requirement for voting in local elections, anyway. Just an important side note.

          Further, I’ve seen NO reports whatsoever that compare registered voters with votes cast, in any jurisdiction. Voter rolls will and should be expected to have many more registered voters than votes cast–because so many voters don’t vote. More than half, usually, even in Presidential elections.

          Yes, some jurisdictions have outdated rolls that should be cleaned up–deaths, people who have moved. But until these specific registrations are matched to votes casts (local elections officials have those records and they generally are public), there is no case for fraud.

          The fact of dead persons and people who have moved retained on election rolls is not sufficient to allege fraud. Do the actual work, dig out those local registration/voting rolls, and then make the case that no one else has yet been able to make.

      2. Europa

        #3 In Elections to the European Parliament you can either vote in the country where you live, or you can vote in you country of nationality – but you have to make a “declaration”.
        I the UK the government (surprise surprise) screwed this up for the second set of elections running. They also failed to get postal votes out to overseas nationals. Up to a million people may have been effected. #DeniedMyVote
        Government incompetence can screw up elections!
        (Also when I was a student in the UK, I could choose where to vote in my university city or at home by postal vote. In those (fevered) days we (students!) were trusted not to vote twice!)

    2. Dfjo

      The reporter, Greg Palast, has reported extensively about voting suppression.
      He has reported on caging lists and other means means that are utilized, such as in Georgia as well as Florida. Kris Kobach has a prominent place in both locales.
      There has to be more evidence, than an accusation by the present President.

  3. JimV

    It was recently reported that my home county will upgrade its voting system with new electronic machines that will include a two-stage process which produces a paper trail from the initial electronic selections, which is a substantial (and highly welcome) improvement on the present lack of any validation capability external to the machines’ recorded memory. Hopefully the form of paper used will retain whatever anonymized information is produced on it for longer than a few days or weeks.

    1. CParks

      Coming in late to this conversation, but I just wanted to point out that machine-marked paper ballots are acceptable ONLY if the marking that will subsequently be machine-read to tally the vote **can be read and verified by the human voter.**

      A way-too-prevalent version of the current iteration of ballot-marking devices does, in fact, print the names of the candidates selected by the voter, but it also encodes the names in a bar code that’s then read by the tally machine. This is NOT a voter-verifiable ballot, and an effective audit would have to validate the tallied vote against the printed names, NOT against the bar codes. (Yeah, that’s not how the audits are designed…)

      Consequently, the only secure way to use machine-based tallying is to start with HAND-MARKED PAPER BALLOTS.

      It’s a point of pride here in New Mexico that hand-marked paper ballots and robust risk-limiting audits are required by statute…when I personally feed my ballot into the scantron machine before I leave the polling place, I have no question that my vote was tallied exactly as I marked it.

  4. Tim

    Well when you ultimately have one party that has no problem with elections getting hacked as long as it benefits them, it just compounds the problem.

    Your last article demonstrated this. How many comments espoused the belief that they had no problem with journalists being targeted since they don’t agree with their politics?

    We’ve got some fundamental problems with american citizenry when a core belief of a significant number seem to be totally ok with crime as long as their side “wins,” but are the first to wag their finger if it’s the other side doing it. We’ve been experiencing this type of blatant hypocrisy for a long time now. At what point to people get fed up enough to do something about it?

    1. James Beatty

      If you believe corrupt election practices are confined to a single party, you’re either intentionally wearing blinders or you’ve only become interested in the issue since 2016.

      1. Stratocaster

        True enough. But right now there is ONE MAN who is preventing debate or voting on any election security legislation in the Senate.

        1. JimV

          …and doing so deliberately because it benefits him, his cronies, his political party, and all of their deep-pocketed supporters who provide large dark-money funding support to keep all of them in positions of power and control.

      2. Jim Marshall

        James Beatty, there is currently only one political party in the US that opposes Voter ID. Any opposition to voter ID can only be for the purposes of cheating and any other answer is being disingenuous. Voter ID confirmation is one item in a list of election fraud risks we should all support, but sadly are not.

        1. Joe

          In principle true. However, if there is systematic shutdown of offices to get ID in certain areas, forcing people to take a day off to travel 100+ miles to get ID it amounts to voter suppression.

          1. vb

            Also, charging a fee for a Voter ID amounts to charging people to vote. Voter IDs should be free and easy to get. The government knows when a kid turns 18. There are school records, tax records, birth records, SSN records, selective service records, etc. The government has no shortage of information on 18 year-olds. The system should issue Voter IDs on the 18th birthday.

        2. JBA

          Because voter ID doesn’t actually prevent this mythical voter fraud (that isn’t actually happening), but what it does do is effectively suppresses votes of predominately poor and minority communities, especially when you consider the efforts to close down or cut funding to social services like public offices in the communities for the latter.

          So you’re right, it *is* only one party that supports vote ID – because only one party supports suppressing minority votes.

          1. Readership1

            You say voter fraud doesn’t happen. Prove it.

              1. Readership1

                One can prove that voter fraud is not occurring (or is rare) in the US by requiring that all voters produce a photo ID when they vote, eliminate all affidavit/absentee ballots, and requiring proof of citizenship when they receive that ID and register to vote.

                If one wants to claim that vote fraud doesn’t exist, the onus is on him/her to prove it.

                What’s the evidence that voting fraud exists? Extensive case law, criminal prosecutions, voting challenges made by candidates every election season, and common sense that all systems have flaws.

                1. Tim

                  Except that’s not how it works and you know it. You’re being intentionally misleading in order to fit your agenda.

                  No one starts with the claim that there is no problem.

                  Someone claims there is a problem, boom, onus is on them to prove it. citing “common sense that flaws exist” is not evidence that supports your claim. Yes, voter fraud has been demonstrated, but it has been demonstrated on an infinitesimally small scale that it does not affect elections. period. Meanwhile there is AMPLE evidence that voter id is tantamount to voter suppression along racial and economic lines. We already have voter registration that requires validation that you live here. Meanwhile there is ample evidence of gerrymandering, purging voter rolls and putting obstacles in place designed to keep “certain” people from voting. It’s all be admitted to when they think they’re not in front of a camera and sometimes brazenly when they are in front of a recording device. To deny this is to admit stupidity, or admit to being disingenuous. Which is it?

                2. Joe

                  “If one wants to claim that vote fraud doesn’t exist, the onus is on him/her to prove it.”

                  Wow…
                  The burden of proof is on the claimant of the “positive” claim.
                  This is logic 101.

                  Also, I agree that VoterID can’t be effective unless you also abolish all affidavit and absentee ballots.
                  But good luck finding any pro-VoterID politician who would be willing to get rid of Absentee voting.
                  The reason, is because the motivation behind VoterID is NOT to defend against legitimate voter fraud… but rather to disenfranchise specific groups of voters, while leaving others untouched.

                  It is easier, less risky, to commit fraud through the mail, rather than showing up multiple times at polls where people are watching and likely cameras.
                  But absentee voting favors Republicans, so they won’t even mention that risk.

      3. Tim

        Nice Whataboutism, James. I never claimed corruption was confined to one party. Sure both sides have demonstrated corruption, but if you think they are equally corrupt, you’re an idiot. One is leaps and bounds more corrupt than the other. One has shown significantly more hypocrisy than the other

  5. Jim Marshall

    James Beatty, there is only one political party in the US that opposes Voter ID. The only reason to oppose Voter ID is for the purposes of cheating and any other answer is being disingenuous. Voter ID is one item in a list of election tampering risks we should all be supporting.

    1. Nope

      If you knew anything about U.S. history, you’d know that since 1865 voter suppression was aggressively used against black voters. Poll taxes and voter IDs were common methods to discriminate. Even recently, Jeff Sessions CLOSED DMVs in Alabama in predominately black areas to prevent them from registering without having to make a long trip.

      So the idea that opposing voter ID is a sign of criminal intent is wrong.

      Read a book about the history of voter suppression in the US and you’d blush to make such statement if you have soul.

      1. IGoogledIt

        Why does almost every other country have voter ids laws? Voter id laws can be implemented properly that do not discriminate against anyone. For example Mexico requires a voter id but at the same time provide that voter id for free to all its citizens.

        1. Nate

          Allow me to demonstrate how you’ve been misled…

          ID isn’t required to vote in many states, but states are still required by federal law to verify identity during *voter registration*. If you don’t have a driver’s license, they verify your SSN:

          “The Help America Vote Act of 2002 requires States to verify the information of newly registered voters for Federal elections. Each State must establish a computerized State-wide voter registration list and verify new voter information with the State’s Motor Vehicle Administration (MVA). The States are required to verify the driver’s license number against the state MVA database. Only in situations where no driver’s license exists should the states verify the last four digits of the new voter registrant’s Social Security Number (SSN). The State submits the last digits of the SSN, name, and date of birth to the MVA for verification with SSA.”

          1. IGoogledIt

            I have not been misled by anyone. You are purposely trying to misled people to agree with your wrong view. Clearly you have a problem with voter id. Why do you have a problem with it especially if the govt is going to provide everyone with on? You have not once shown how voter id is racist or not needed. In fact the quote you used really works against your side. States are not doing their job. Look at California this year. LA county has been ordered by a court to removed 1.5 million ineligible voters (google la ordered to removed 1.5 million from voter roll) and 9 were just arrested for paying homeless people on skid row to vote. (google skid row vote fraud) They are not doing their job and our election integrity is being hurt by it.

            1. Joe

              “the govt is going to provide everyone with one?”
              No, there are fees and other costs. Any cost even if it just means driving to an office and waiting in line… can and does have the effect of disenfranchising minority voters.
              It has been done throughout history. Taxes and tests.

              “You have not once shown how voter id is racist”
              4th District Court of Appeals has already proven how VoterID is racist. At least it opens the door for racist implementation.

              “The State then elaborated on its justification, explaining that “[c]ounties with Sunday voting in 2014 were disproportionately black” and “disproportionately Democratic.” J.A. 22348-49. In response, SL 2013-381 did away with one of the two days of Sunday voting.”

              1. Laura

                “if it just means driving to an office and waiting in line… can and does have the effect of disenfranchising minority voters.”

                How do you suggest minority voters vote? If they can’t make it to an office, what else are they supposed to do? I don’t believe they’ll be able to get an absentee ballot. And, to my very limited knowledge on the matter, there really isn’t another option.

                1. Joe

                  Voting is much easier than registration for an ID.

                  Voting, without needing an ID, means you just verify your address so they can mark you off. You don’t need to bring anything. And on election day, many get free rides to the voting center.

                  Registering for an ID, means you need to bring the fee (often in an exact amount, sometimes no cash at all, and if by check, now you need a checking account or head to another place to get one), bring other paperwork to prove identity, citizenship, etc… and it is harder to find transportation to get registered.
                  And if English isn’t a primary language… it is very common to be turned away because something is missing or not filled out properly.

                  Very often, the poor and already disadvantaged will have a tough time doing what may seem easy and trivial for someone with a car, bank account, and time to spare.

                  When you add bureaucracy, it invites discrimination. Unfortunately, that isn’t just an academic theory, but rather it is proven throughout our history.

                  1. Laura

                    Hey Joe,

                    I misunderstood your statement of: “if it just means driving to an office and waiting in line” to mean the actual voting in and of itself, not the registration. I see what you’re saying and that makes sense.

                    “And if English isn’t a primary language… it is very common to be turned away ”

                    I don’t see a problem with that. If it’s bad enough that they cannot properly read in English, how would we expect to get accurate results from their voting? For example, if I go to China and vote, but everything is in Mandarin, how is that fair for me to just put a check in the box because I like the way some letters look? If you’re a citizen in a country, you need to make some form of attempt to assimilate and learn the language. Especially if you’re voting for that country’s leader.

                    1. Joe

                      I just happen to agree that new citizens should attempt to assimilate.

                      However, I think voting should be a right that supersedes the aptitude and ability to timely assimilate.

                      There are also cultures who can’t teach English in the household, even if they want to. They may not have the proficiency themselves to teach the next generation English… and instead rely on public school.
                      But now we are getting into a slippery slope of going back to intelligence tests to allow the right to vote. VERY dangerous and susceptible to discrimination.

                      Also, native Americans can and should vote, yet we shouldn’t ask them to adopt any other language as primary.

                      There are those with reading disorders or significant eyesight disability… and normally there is assistance for such.. but adding more and more loopholes, amplifies the burden they already must face.

                      So, although I agree that citizens should be learning and assimilate… it can often take a generation or more to get proficient at all the bureaucracy that would make reasonably easy to navigate.

                      Voting itself isn’t too hard. The only English needed is to recognize the name of the candidate. There are news and politics already translated into whatever language. But registering for a state ID, can vary wildly and be VERY difficult for a new citizen even if they have been trying to learn.

                      It is not that it is insurmountably difficult on minorities… but it is disproportionately difficult. Needlessly so.
                      By contrast, it is very easy to vote by mail as absentee… and yet much easier to commit voter fraud through the mail. Yet proponents of VoterID won’t acknowledge this risk because it may disproportionately affect their constituency instead of their opponent’s.

                    2. timeless

                      Hi Laura,
                      Would you be surprised to learn that English is not the national language of the United States of America?

                      In fact, there is no national language in the USA. [1]

                      Puerto Rico (a US Territory) actually has two official languages: English and Spanish [3]. For the US Presidential election, that doesn’t matter, because while they are citizens, they aren’t able to vote for president (whereas I, a non-resident, can vote).

                      «In every statewide election, California prepares voter information pamphlets in ten languages — English, Spanish, Chinese, Hindi, Japanese, Khmer, Korean, Tagalog, Thai and Vietnamese — for over 20 million registered voters.» [2]

                      As for China, it seems likely you’ve never been. Mainland China does have an official language (this excludes Hong Kong and Macau), but some provinces/regions within China have their own official languages (similar to Puerto Rico).

                      Fwiw, India has an interesting set of languages, no national language [5], an official language, a special standing for English, and 22 regional languages.

                      Voting is not generally limited to people who can “speak a language well” (literacy tests in various southern states [6] are to be abhorred, not praised).

                      I wonder if you could name the national languages of Sweden and Switzerland (hint: both have four).

                      Some countries have mandatory voting (e.g. Australia [7]).

                      Worldwide, it is accepted that people will do their best to educate themselves before they vote.

                      [1] https://www.worldatlas.com/articles/what-is-the-official-language-of-the-united-states.html
                      [2] https://www.sos.ca.gov/elections/
                      [3] https://en.wikipedia.org/wiki/English_language_in_Puerto_Rico
                      [4] https://en.wikipedia.org/wiki/Languages_of_China
                      [5] https://en.wikipedia.org/wiki/Languages_with_official_status_in_India
                      [6] http://www.openculture.com/2014/07/literacy-test-louisiana-used-to-suppress-the-black-vote.html
                      [7] https://www.aec.gov.au/faqs/voting_australia.htm#compulsory

            2. Joe

              The LA county decision was one of the very few lawsuits that Judicial Watch managed to win.

              Founded in 1994 by Larry Klayman, Judicial Watch (JW) is an American conservative activist group that files Freedom of Information Act (FOIA) lawsuits to investigate alleged misconduct by government officials. They primarily target Democrats such as the Clinton’s, Obama and climate scientists as they label climate science, “fraud science.” Judicial Watch has made numerous false and unsubstantiated claims, with a “vast majority” of their lawsuits dismissed. They describe themselves as “a conservative, non-partisan educational foundation, promotes transparency, accountability and integrity in government, politics and the law.” The current President of JW is Tom Fitton.

              1. Joe

                Further, the founder of JW, Larry Klayman recently promoted the conspiracy that the Clinton’s were killing people.

                So although it’s probably a good thing that LA County get better at cleaning up voter registration…. it is, by no means, an indication that these old records are resulting in voter fraud. And the right wing extremists who filed the lawsuit against LA County… have a history of conspiracy theories.

        2. Joe

          Other countries… without nearly as much diversity, nor a history of slavery, Jim Crow, or suppression of minorities.

          Maybe we can use such laws, when we’ve earned it by going a few generations without being racist.

      2. Jim Marshall

        My statement stands. You have not shown any valid reason to oppose Voter ID, because there is none … If the left is really serious about cleaning up voter interference or election tampering then Voter ID must be part of the solution. And right now the left is being extremely hypocritical on this subject.

        1. Joe

          Hypocrisy is that advocates of VoterID, do not want to see it applied to Absentee voters, because it benefits them.

        2. Tim

          Translation: LALALALALALALALALALA I CAN’T HEAR YOU!!! LALALALALALALALALALALALA!

    2. Joe

      Those who support VoterID still oppose requiring an in person vote to actual use it an ID. Because they rely on absentee ballots.
      In-person fraud is still risky… while fraud by mail… is easy and carries little to no risk.

  6. Arbee

    Verifiable voting that’s not vulnerable to coercion requires voting in person with human-readable paper ballots that are available for anyone to look at but that can’t be attributed to a specific voter.

    Voting in person using paper ballots works because — properly — no one trusts anyone.

    People understand how paper ballots work. They don’t rely on trust.

    People watch the vote-counting process. It doesn’t rely on trust.

    People observe recounts. They don’t rely on trust.

    People have confidence in the results. They don’t rely on trust.

    • Mark paper ballots by hand or by machine. A ballot-marking machine used with paper ballots accommodates voters with disabilities.
    • Count ballots by hand or by machine. Using an optical scanner is an option.
    • Conduct recounts and audits by human inspection of human-readable paper ballots.
    • Mandate risk-limiting audits of a statistically-valid random sample of the ballots prior to certifying election results.
    • Any / all electronics and data processing hardware and software MUST be open source; NO BLACK BOXES.

    Can electronics and computers (e.g., blockchain technology) allow people to vote anonymously while still being able to verify that their vote was included in the final total? Miscreants can compromise an electronic vote without breaking the cryptographic algorithms. Malefactors of Great Stealth can

    • bribe election officials and obtain copies of voters’ credentials;
    • hack into computer systems used to create and distribute cryptographic credentials to voters;
    • send phishing emails to voters to trick them into revealing their voting credentials;
    • hack into the PCs or smartphones voters use to vote; or
    • simply trick voters into thinking they’ve cast a vote when they haven’t.

    After-the-fact verification makes things worse. If voters can check how their specific vote was recorded, that means they can prove *how* they voted. Their vote can be coerced. This is similarly true for vote-by-mail or notional on-line voting. Mail-in ballots or on-line voting inherently compromise ballot integrity because voting can be coerced.

    Does the convenience of vote-by-mail or notional on-line voting — with the potential for higher participation — outweigh the risk that mailed-in votes or on-line voting can be coerced or compromised? I don’t know; it’s a fair question.

    With current technology, anonymous uncoerced verifiable voting requires showing up, voting in person, and the use of paper ballots.

    1. Catwhisperer

      In Colorado we have a good system of mail ballots, that are paper, you mark with ink, and then you hand carry them to the drop off locations, then check online to see that your ballot was counted. It’s not scam proof, by any means, but addresses some of the points you bring up.

      Remember though the words of a very effective politician of the last century: “It’s not who votes that matters, it’s who counts the votes that matters…”

      1. Arbee

        With a mailed-in ballot, how does Colorado address the potential for voter coercion?

        1. timeless

          I don’t think any mail-in-ballot place handles coercion.

          Technically, such coercion is a crime, and the penalties can be reasonably severe.

          So, in general, it’s assumed that the protection against this coercion is the risk of the coerced reporting the coercion.

          Note: mail-in-ballots are available for all US states (and DC) [1].

          Generally places that let you check “was my ballot counted” don’t let you check “what was in my ballot”, which is pretty important.

          FWIW, if you’re worried about mail-in-ballots, you should visit Oregon, they’re entirely vote-by-mail [2]. It doesn’t seem to be a problem.

          The biggest form of vote-by-mail abuse is North Carolina’s [3] which was statistically observable in a number of elections, and is resulting in charges, albeit a couple of election rounds late.

          [1] https://travel.state.gov/content/travel/en/international-travel/while-abroad/voting.html
          [2] https://en.wikipedia.org/wiki/Vote-by-mail_in_Oregon
          [3] https://psmag.com/social-justice/after-election-fraud-in-north-carolina-can-we-trust-vote-by-mail-ballots

    2. Joe

      “Can electronics and computers (e.g., blockchain technology) allow people to vote anonymously while still being able to verify that their vote was included in the final total?”

      If done correctly, yes.

      There is a risk of voter coercion if a voter is able to verify their vote counted for any particular candidate. Because someone paying the voter, can receive receipt/proof.

      Ideally, a voter should be able to go online, and verify their vote was counted. But should have to go to a DMV (private booth) if they wanted to see how the vote was counted. This allows for spot checks for any voter that is independent of trusting the election commission or parties.

  7. Dennis

    In my view it should be added to the Constitution as one of the next amendments that if a Congress critter or any political figure in that matter that holds a public office doesn’t use a 2FA access to their public account (or doesn’t know how Facebook / Twitter works) he or she SHOULD NOT be allowed to hold that public office. Period.

  8. bw

    Many years ago I was a consultant for a board of elections in a major city. Democracy hangs by a thread anyway.

    As always, Brian – thanks for the good work

  9. Penet

    Is this a bigger issue? Dr. Robert Epstein states that his research over the past six years shows that Google via various deliberate manipulations moved between 2.6M and 10.4M votes to Hillary Clinton in the 2016 Presidential race

    1. Brian Fiori (AKA The Dean)

      Google did this? Pray tell, how? Any actual evidence?

      1. Readership1

        Look it up, dean. Professor Epstein has written several academic papers and spoken about it on a few podcasts. He’s conducted worldwide research into search engine results. It all shows that there is manipulation of search results with distinct political bias.

        His research was featured in the documentary The Creepy Line.

        1. Brian Fiori (AKA The Dean)

          His research, as it is, is quite flawed and he can’t prove intentional bias. If he took a different group of Google autofills, and suggestions (from Youtube for example) he might reach a different, even contradictory conclusion.

          But even if you take his data at face value, he hasn’t show how it impact ACTUAL voting. To suggest Google moved “2.6M and 10.4M” votes is not only unprovable using Epstein’s methods, what kind of an estimate has a variance this large?

          Changing the “did” to “might have” and the “changed” to “possibly influenced” and you start to get to something that perhaps isn’t laughable. Research wise, that is.

    2. Joe

      Dr. Epstein’s assertions could still be considered true even if Google’s “deliberate” actions merely meant that they reordered search results to give higher priority to reputable sources (legit news, fact checking, etc) over the populist sources (SEO abusing, sensational, crowd sourced “news”).

      This means that you could accuse Google of “shifting back” up to 3 million malleable, flexible opinions from already shifted opinions that were previous coerced by fake news.

      Example, a very typical American who gets their news from Facebook, Youtube, and Reddit… has been bombarded by fake news stories… is not going to vote for Clinton because of a belief that they Clinton and other democrats were involved with a human trafficking and child sex ring going on in a DC pizzeria.
      Upon “Googling”… they get more facts than fiction… and possibly reconsider their position.

      That is how up to 3 million people could have possibly changed their vote based on Google. Because a lot of people are easily manipulated already. And Epstein cannot account for the multitude of other coercive factors on the Internet, and only looks at Google.

  10. Chad

    I, for one, look forward to the dismantling of the social order. At least, we’ll no longer have to pretend this was ever a democracy. If you’re listening Russia, just finish us off all ready.

  11. Stephanie Harris

    As I’ve stated several times lately, I’m ready to go back to paper for almost everything except checking out at a store. At least when someone steals something or is trying to steal, you have 1/2 a chance of being able to catch them. The US needs to come up with it’s own secure web and only authorize communications with users/ countries that will allow and accommodate prosecution for misuse.

  12. Louis Leahy

    2 Factor Authentication does not work without a lockout and if it has a lockout the risk is the user can be locked out of their account by anyone it is a ridiculous solution. The fall back for failed usb tokens is backup codes attacks can simply by pass the usb stick by calling for the backup codes in their phishing attacks the whole fido system is a scam.

    1. Joe

      Phishing for backup codes is exponentially harder and riskier for an attacker. Passwords get used every day. So often that phishing is highly successful because people aren’t on guard for typing a password.

      To phish a backup code for a token, red flags go up because this is a super rare occurrence. Most people have to stop, think and fetch a backup code. This gives a lot of time to question.

  13. Dave

    Here’s a new one. When I was a Senior Software Engineer working on a project for UPRR at one of their subsidiaries, we had an immigrant from Iraq. This would be about 1999, after the first war. She couldn’t program her way out of a Visual Basic for loop. The subsidiary folded. Within a few years, she was in a software management position (senior level I believe) at Election Systems Software. What the hell?!

    1. David D

      Dave – your anecdote sounds like a good story line for a sequel to “The Office” – that or a Dilbert cartoon strip.

  14. Chris

    Election integrity: 1) everyone who can legally vote has the opportunity to vote once, 2) only those who can legally vote have the opportunity to, and 3) the votes are counted properly. Everything else is icing on the cake.

  15. LoneStar State

    States should take a more proactive approach like Texas. https://www.county.org/TAC/media/TACMedia/Education/Event%20Presentation%20Materials/2019/90th-WTCJCA/10-4-019-Voting-Machine-Issues.pdf was presentation by one of the counties that talked about how they counter some of these issues.

    Pretty sure they used this company based on the emails in the presentation (https://cyberdefenses.com/election-security-2020-bundle/).

    Dave — incompetency gets promoted so technical people get things done. It helps only in the short run as those same fools later muck up the process since they “no better”.

    Chris — “legally” is the issue since each state defines that basic fact. How do you handle situations where it cannot be fairly determined that their opportunity wasn’t “taken” from them? Also, tracking in many states seems decent, its the people and politics in the process making it hard.

    Louis Leahy — three factors is best: something you have, something you know, something you are. Combine that it will handle most issues with authentication.

    Core points: every citizen is responsible to do responsibly do research versus being spoon fed opinion. That typically entails looking at multiple sides of an issue and being as unbiased as possible. I find the most people that I’ve spoken to wait until the last minute to do any kind of research on a political issue; are so in love with one pundit or another that they fail to consider any other opinion; and lastly, don’t use any form of reasoning process with evidence to make a decision.

    Riddle me how to fix those issues and we’ll have have a plan.

    1. Louis Leahy

      The something you know is no good if every one else knows it.
      The something you are is not good if everyone else knows who you are.
      The something you have is easily spoofed.

      1. Joe

        Louis, I am not sure if you are new to security or not, but your generalization is not at all correct.

        To even attempt to be secure, a fundamental understanding of authentication factors are essential.

        Knowledge factor is indeed flawed as the knowledge can easily be transferred and replicated. Good for usability, bad for security.

        Inherence factor is much better security, because, it is not transferable without significant work.
        And no… it has nothing to do with other people knowing who you are.
        There are flaws though. Once compromised, there is no way to get another. Copies of fingerprints and face are left everywhere, so the security is left in the ability to duplicate as a warm 3d replica.

        Possession factor is really good security when done correctly. No, it is not easily spoofed. If it is, then most likely, someone is trying to pass a knowledge factor as a possession factor. True secure tokens do the crypto on the device in a tamper resistant container.

  16. poker online

    Poker Online Indonesia uang asli terpercaya. Dewa Poker merupakan salah satu contoh promotor agen game poker online yang terbaik saat ini. Dengan jumlah pemain yang sangat banyak, poker online menjadi salah satu game dengan perputaran uang paling banyak. Jangan ragu untuk bermain poker online sekarang, daftar dan mulailah bertarung di meja poker. Jika anda bosan bermain poker online, coba live poker online dengan dealer cantik dan seksi yang siap menemani anda bermain poker online.

    1. JimV

      Google’s translation:

      “Trusted Online Poker Indonesia real money. God of Poker is one of the best promoters of online poker game agents today. With a large number of players, online poker is one of the most money-playing games. Don’t hesitate to play poker online now, register and start fighting at the poker table. If you are tired of playing poker online, try live poker online with a beautiful and sexy dealer who is ready to accompany you to play online poker.”

      IOW, commercial spam — ignore

      1. Joe

        Why would you help a spammer by translating it into English?

        They obviously were avoiding spam filters by posting in another language. Normally this method is not effective at spamming, since the audience doesn’t get the message. That is, until someone translates it.

        Just label SPAM instead.

  17. Mikey Doesn't Like It

    I find it noteworthy that the grand jury’s report has a section entitled “Responses” — but there aren’t any.

    It will be interesting to see if any of the cited agencies actually provide an “official” response.

    But right now, the absence of any official responses is troubling… or, to be more blunt, the silence is deafening.

    1. James Beatty

      The report states it was released July 24, 2019 – not much time for a government agency to compile a response worthy of release, and even less time to modify the original report to include said response.

  18. Jim

    Ah! One of the subjects I’ve read from the early days of computing. Black box.org used to be the first one I would head over to read. And we are still argue into about it.
    TFA, is used everywhere. An ID and a card. But the box. Is different and usually 10 years out of date. And it takes tax money to buy the programs, and no one has verified the programs, yet.
    Just as in the 70’s, no one verified the vote, no one traces the connections to the next holder, no one traces the counters, no one verified if the results are right, at each step. Or the steps in between. Blackbox had some interesting stories that were provable. And very disheartening. And with modern devices, it’s even worse. Some states even use political party servers for their results. Not even in house, or in their state. And that has not changed. Amazingly, we expect a secure vote.
    But, good write-up.

  19. Mahhn

    I seriously doubt that the Russian medaling is 1/100 of the manipulation that corporations and special interest groups with foreign money commit. Yeah we need to do the best we can, but going after a pick pocket in room while ignoring the two blood covered murderers next to him is just plain stupid. But like the mainstream news say – Oh look a squirrel,,,,,

    1. Tim

      You’re not wrong, but one threat is internal, the other threat is external.

      regardless of what you think of the various American political parties, they’re still american parties and I’ll still classify an external threat as higher than internal threats.

      complaining about internal money in politics is just another whataboutism. Yes it is a problem, but it doesn’t detract from the threat of election meddling from known external hostile threats.

      1. Mahhn

        Foreign money is included in my comment. But never mind, there’s another squirrel, and it’s red white and blue

        1. Joe

          So if 99% of “Russian Meddling” is through financial donations… then you agree it’s the bigger threat?

          Remember, most of “hacking” is simply information gathering. What do they do with that information? They figure out the most effective way to spend their foreign money for a specific campaign.

  20. Winston

    On the fake election results threat, simple. BAN running counts of election results. Results will only be reported AFTER polls are closed. Of course, since we have a corporate lobbyist owned government, good luck with that.

    1. Joe

      I agree. But I only think that will happen when the Electoral College is gone or fundamentally changed.

      With all but two states adopting “winner take all” electoral votes… the system becomes predictable based on only a few states and with only a few counties in those select states.

      The reality is… the states do not care about every vote… so nobody else does. Once 50%+1 is certain… it is done. This flawed system is so predictable, they don’t even have to wait for our highest populated state to even start counting. They know beforehand, since the last census… how it will unfold.

      Get rid of “winner take all” and have states proportionately distribute elector votes based on the popular vote, and it will eliminate most of the predictability. Then the confidence of reporting election results before ballots are closed, is reduced to near zero.

  21. ChrisSuperPogi

    As you reported last July 11th (FEC: Campaigns Can Use Discounted Cybersecurity Services), couldn’t counties do the same, Brian?

    I see that local counties lack guidance on what to do to protect themselves from these threats; especially with the upcoming 2020 elections…

  22. Mark

    My biggest concern is that the Russians break into Ohio, Michigan, Wisconsin, and Pennsylvania election sites, delete just 5-10,000 registered voters. The voters show up at he polls in 2020 and discover they are not listed as registered voters and can’t vote. This would through the entire election into question as this gets out in social media. All my best. Mark

    1. Poll worker

      In Ohio, if your registration record was deleted, you could still vote provisionally. Board of Elections then manually checks each provisional voter’s eligibility and checks to prevent duplicate votes before counting the provisional vote; also maintains a system allowing the provisional voter to call in and find out the outcome.

      1. Joe

        I would imagine this must happen the next day, or even later.
        Ohio, being a swing/battleground state, is generally counted and declared before polls even close on election day.

        So unless there are enough provisional ballots cast to change the outcome… do they even bother with this process?

  23. TJ

    I’m not so concerned about attacks on government networks. There certainly is work to do to harden them, but social media and bogus ‘news’ sources are the biggest threat. Government officials need to remember that GOVERNMENT resources are for GOVERNMENT business. PERSONAL resources are for PERSONAL business. Using unaccredited systems to conduct official government information is vulnerable to attack, thwarts oversight, and breaks record retention regulations and statutes. If officials value convenience over security they are not serving their constituents. They are painting a target on themselves. Ask John Podesta about that lesson learned.

    People are lazy and don’t do their homework. Trolls of various nationalities continuously try to change public opinion through social media. Unfortunately, too many people DO believe anything they read from one source, especially if it aligns with their existing perceptions.

    Education is the solution. Elected leaders can start being leaders which they are not right now. OWN the problem Congress! OWN the problem voters. Brick and mortar news sources. Paper has its place, especially when legitimate news organizations’ very existence depends on their integrity. Online news is not to be trusted unless corroborated by more than one established news organization. Twitter feeds and Facebook? Poisonous. Once again, not to be trusted.

    Kevin Mitnick nailed it in Ghost in the Wires “People are far too trusting.”

  24. TJ

    Winston makes a very good point. No election results from anywhere until the polls close in Hawaii. Helps the voters think for themselves instead of shifting support to the leading team in the fourth quarter.

    1. Gnecht

      Interesting idea. But would exit polls still be OK? If not, is there any method to prevent them that’s compatible with the USA Constitution?

  25. Carl W

    It’s not if this happens, but to whom and how widespread. Manipulating campaigns is now part of the election process. And like so many other cyber threats, it usually start with a spear phishing attack.

    As I wrote about recently in a blog post https://www.phishprotection.com/blog/mueller-report-unravels-politically-motivated-spear-phishing-cyber-attack/
    the Mueller Report confirms that Podesta’s email account was compromised which ultimately benefited the Trump campaign.

    Stop spear phishing and you stop most of this nonsense, but stopping it is really hard. There are stories now that even 2FA can be compromised.

    Do you need 2FA? Yes. Do you need security awareness training? Yes. Should you deploy a defense-in-depth strategy? Yes. The technology to stop this exists. You just have to use it.

  26. SK

    BK, What do you recommend individuals do to not contribute to misinformation and manipulation campaigns? What can individuals do to discern what is actually “true”, and “safely” share that with others?

    Thank you so much for the service you provide. I wish you well.

Comments are closed.