He makes a very cute campaign video. Please watch it above. It’s quite clever. But it would be nice if California Secretary of State candidate Derek Cressman, one of two Democratic candidates vying for the job in the upcoming June 3rd primary, had a better understanding of the electronic voting systems he’d be overseeing as SoS.
I had originally intended to run the video above, because it’s smart and fun, along with a throw-away remark expressing the wish that Cressman understood more about the very technical concerns about the security and verifiable of e-voting system — particularly since the way CA deals with them has such a sweeping effect on the same systems as used across the country.
As a former Common Cause executive, Cressman has made his important fight to overturn the Supreme Court’s abhorrent Citizens United ruling central to his campaign, as highlighted in the animated campaign video above. That’s fine, but the office of Sec. of State, particularly in CA, requires much more.
Rather than offer that throw-away remark, however, I thought I’d see if Cressman had learned more about electronic voting systems since he and I briefly chatted in person at an event last summer, just as he was originally entering the race.
According to comments he sent in response to a recent query from The BRAD BLOG, while Cressman’s general knowledge of the systems seems to have improved since we last spoke, and while he remains an ardent opponent of the madness of Internet Voting and some of the most unsecure methods of precinct-based voting, his understanding of the concerns about the vulnerability of e-voting remains troubling — at least for a Sec. of State candidate in the nation’s most populous state…
Choices slim to none for Election Integrity advocates in CA
The options for Sec. of State in CA this year to replace outgoing term-limited Debra Bowen are vanishingly bleak. One leading Democrat, state Sen. Leland Yee, was recently arrested on federal arms trafficking charges. No big loss there, as Yee had, insanely, been a supporter of Internet Voting, at least until a few voting systems expert quietly attempted to educate him on its unsolvable perils.
There are five other active candidates who remain in the race. One is Green Party candidate David Curtis, who I interviewed last week on KPFK/Pacifica Radio after he had been excluded from a debate that day held by the Sacramento Press Club, despite having placed third in a recent Field Poll [PDF].
The candidates who came in fourth and fifth in that same poll — Dan Schnur, a long-time Republican operative now running as an “independent” and Cressman, respectively — were invited to participate, but Curtis was not. As he confirmed during our live interview, Curtis still sees Internet Voting in the future as potentially viable, despite our Twitter conversation last month in which I explained to him how such voting systems remain 100% unverifiable. That initial conversation was before disclosure of the OpenSLL “Heartbleed” vulnerability came to light, revealing that hundreds of millions of Internet users had put their private financial and personal information at risk of public disclosure for years, without knowing it, via the previously-trusted open source encryption system used by many supposedly secure financial and online commerce sites.
Currently leading that recent Field Poll is Republican Pete Peterson, a public policy adviser at the Pepperdine University’s Davenport Institute (which is funded in part by Charles Koch). Peterson calls for the use of more technology in elections, which, in and of itself, is not all bad (for example, voter registration can be done securely online, as can tracking of absentee/Vote-by-Mail ballots and other public notification systems), but seems to use code words for “Internet Voting” in his advocacy for the use of “e-signatures” for military and overseas voters.
And then there’s state Sen. Alex Padilla, trailing Peterson and currently the leading the Democratic pack, according to the Field Poll. We’ve written at some length about Padilla and SB 360, the dangerously radical election reform bill which he successfully championed last year — and mislead voters about. The new law, signed by Gov. Jerry Brown (D) last October, does away with all federal testing of voting systems in CA and gives sweeping, new executive powers to the Sec. of State to approve new e-voting systems for use in real elections without being certified at either the federal or even state level. While that is a horrible enough idea, it is even more dangerous given that Los Angeles County — the nation’s largest voting jurisdiction — is in the process of developing its own new, 100% unverfiable touch-screen voting system.
So what about Cressman?
With all of that, we thought we’d dig in to learn more about the evolution of Cressman’s views on electronic voting as well as his views on Padilla’s horrible SB 360, which passed since we last spoke with Cressman. The bill may very well make e-voting systems even less secure than they already are in California and even elsewhere in the country, since systems developed here are then sold to the rest of the country (as Los Angeles County has indicated they hope to do). The CA Sec. of State race this year has big national implications.
To that end, I recently sent Cressman two questions: “1) What are you concerns about the voting systems currently in use in CA, and 2) Do you support SB 360? If so, why? If not, why not, and what do you plan to do about it if elected?”
He was kind enough to respond quickly to my questions. Here is Cressman’s initial response in full:
2) I see both opportunities and perils in SB 360. Some early versions were especially problematic and some of the statements by the bill’s author [Padilla] indicated he didn’t fully understand either the bill or our current voting systems. Open source programming and developing a publicly licensed voting system has some promise to free California from the hands of private, black box voting equipment vendors who overcharge and under deliver. However, as we’ve seen with the recent heartbleed vulnerability in Open SSL, open source is not a panacea and we will need to test and certify any open source voting systems vigorously. It is unclear how long the federal EAC [Elections Assistance Commission, currently responsible for certification testing of voting system at the federal level — though now ignored completely in CA, thanks to SB 360], will exist, although it now does look like some new commissioners are being confirmed which is a good sign, so placing all of our hope in that agency may not be well advised. It is also unclear who our next Secretary of State will be, so placing certification solely in the province of that office carries some unknown risks as well and heightens the importance of having a real expert in the office who is committed to election integrity and not merely using the office as a stepping stone to run for something else.
I’ll try not to get too deep into the weeds here, but several of Cressman’s comments require response, as they indicate a disturbing lack of understanding of California’s (and the nation’s) electronic voting systems.
In his response to the first question, Cressman noted his concern about “touchscreen voting machines that lack a voter verified paper ballot.” In fact, as he suggested, that “number is small”, thanks to current SoS Bowen decertifying most such systems in the state after taking office in 2007 and commissioning a “Top to Bottom Review” which found that all such systems are very easily defrauded in such a way that they can be used to flip entire elections in minutes with little chance of detection. The touchscreen systems of the type to which he is referring, however, do not produce a “voter verified paper ballot”. They produce what is called a “Voter Verifiable Paper Audit Trail” or VVPAT. It is not a ballot, and there is no way to know after an election if a voter has “verified” it or not.
Such paper audit trails may be verified by the voter as accurately reflecting their cast ballot, but it is 100% impossible to know if a) what is on that VVPAT is actually recorded by the computer itself as per the voter’s intent and b) whether any vote ever cast on such a voting system during any election, for any candidate or initiative on the ballot, has ever been registered as per any voter’s intent. That is why The BRAD BLOG has long described — accurately — Direct Recording Electronic (DRE, usually touch-screen) voting systems as being 100% unverifiable. After the polls close, it is impossible to verify that a single vote was recorded accurately as per any voter. That is true whether such systems produce a so-called VVPAT or not.
In CA, touch-screen voting systems are required to produce a VVPAT with each electronic ballot that is cast. That requirement, however, is no guarantee that the computer recorded any of those votes accurately. Moreover, as Bowen’s landmark 2007 study found, even touch-screen voting systems that produce VVPATs can be hacked, in seconds time, in such a way that even a manual review of all of the VVPATs could fail to reveal the manipulation. (See how it’s done in this UC Santa Barbara Computer Security Group’s demonstration video, created for Bowen’s 2007 study.)
A touch-screen DRE system with a VVPAT is as unverifiable as those which don’t produce that type of “paper trail”, as is the case with many such systems still in use in many states across the country.
Moreover, as I’ve described in detail previously, the type of touch-screen system known as a Ballot Marking Device (BMD) — the type that Los Angeles County is currently said to be developing — is equally unverifiable after an election. While a BMD differs from a DRE, in that it creates a computer-printed paper ballot (as opposed to a VVPAT) which is then tabulated by another means, such as an optical-scan computer tabulator, rather than internally tabulated by the touch-screen system itself, such systems are also 100% unveriflable after an election.
The easiest example to help explain this, one that I shared with Cressman in a follow-up note, was from my own personal experience voting here in Los Angeles during our statewide primary back in 2008. At the time, I used the county’s optional electronic voting system for disabled voters. That system creates a computer-printed ballot which is then optically-scanned for tabulation by a different computer. Though the county’s current InkaVote Plus system for disabled voters records voter input via a push-button response to an audio ballot, rather than via touch-screen, as the new BMD system they are developing is set to, it still prints out a paper ballot on which it is impossible for citizen overseers after an election to discern if the votes printed by the computer actually reflect the intent of the voter. That is different than hand-marked paper ballots which are, by their very nature, verified by the voter at the time they are filled out, and easy to tell if they have been manipulated by someone afterward.
In my case, as I described after voting in 2008, the computer managed to print 4 out of 12 of my ballot selections incorrectly that year! It printed out selections for candidates other than those which I had selected via the computer system!
While the system I voted on was primarily meant for blind voters, I was able to examine the computer-printed ballot and eventually notice the incorrectly printed votes. Blind voters, of course, wouldn’t have been able to do that. More disturbingly, as studies have shown from CalTech/MIT to Rice University, most voters don’t bother to check their computer printouts once they’ve cast their votes on the computer, and, of those few who do bother to check the computer summary at the end of the voting process, only one-third of them notice when a vote of theirs has been flipped by the computer!
After attempting to point these issues out to Cressman in a follow-up email, just to make sure he fully understood that all such systems (DREs with or without a VVPAT, as well as BMDs) were 100% unverifiable by citizens after the close of polls, he responded as follows:
Common Cause, the non-partisan, left-leaning advocacy organization where Cressman was Vice President of State Operations for years, has long made a distinction between “paperless touchscreens” and those that produce a VVPAT, as if one was more verifiable than the other. That fallacy has been abandoned by many other election integrity organizations over time, but it’s not surprising that Cressman would still use that same “paperless” wording, which is, in truth, a distinction-without-a-difference. It is meant to suggest that, as he says, a VVPAT touch-screen system is somehow superior than a non-VVPAT system. Indeed, we do “disagree” with his characterization of such systems, have even argued that VVPAT systems give a very false sense of security versus non-VVPAT systems, and believe that a Sec. of State candidate ought to be able to fully appreciate those differences and dangers.
As he says, however, “you may disagree”.
As to Cressman’s answer to my second question, concerning SB 360, he is correct about the inherent, and often under-appreciated dangers of “open source” computer voting and tabulation systems. Those too can serve to offer voters a false sense of security for elections which could well go manipulated without notice, for years, just like the “Heartbleed” bug.
As to SB 360 itself, while, as he notes, minor improvements were made to the bill as it rolled through legislative committees in Sacramento, it actually got largely worse, not better, the farther it rolled. As we documented in detail last year, what started as a 4-page bill needed in order to release funds to L.A. County to help with their development of a new voting system quickly became a 39-page mess that completely rewrote huge chunks of the CA Election Code, did away with the need for all federal testing and certification requirements by the U.S. Elections Assistance Commission (EAC) for CA voting systems, and gave unprecedented executive power to a single Secretary of State to approve new voting systems for use in elections without even state-level certification.
In his initial response, Cressman noted his concerns about whether Republicans in Congress may do away with the EAC entirely, as they have long attempted, including going so far as to block the appointment of any commissioners to the agency for years. Nonetheless, even without commissioners, as I detailed in a report last year following an exclusive interview with L.A. County Registrar/Recorder/Counter Clerk Dean Logan, EAC certification testing has continued apace, as directly confirmed to The BRAD BLOG by several different EAC officials, including their Director of Testing and Certification.
While Cressman is correct in noting that “placing all of our hope in that agency may not be well advised,” the pre-SB 360 testing regime in CA required voting system certification at both the federal and state level before systems could be used in state elections. So “all of our hope” was never, legislatively, placed solely in the EAC when it came to certifying systems for use in CA. In fact, under the previous election code, the state was not even allowed to consider certification of systems until they had already received federal certification.
“We cannot rely indefinitely upon the EAC as the sole safeguard for our elections,” Cressman told me in a follow-up note. But we never relied on them as “the sole safeguard”. The California Sec. of State was always required, long before SB 360, to create his or her own testing and certification regime.
Now, however, the certification processes will be placed in the hands of one person — the CA Sec. of State — rather than requiring approval at two different certification levels (state and federal). In that regard, Cressman is spot on when averring that “placing certification solely in the province of the Sec. of State “heightens the importance of having a real expert in the office who is committed to election integrity and not merely using the office as a stepping stone to run for something else.”
Cressman was also correct in a follow-up response to me in which he explained that his “concern about Senator Padilla’s remarks about SB 360 were that it was required in order for Los Angeles to build its own voting system. That is not the case as there was never a prohibition on that.”
Cressman is absolutely right on that point, as I noted in a story last summer on Padilla’s unforgivably misleading advocacy for his radical election reform bill.
So what’s left?
Neither Padilla nor his office ever responded to any of our repeated queries during the passage of that ill-considered legislation, as we had sought clarification on a number of misleading points that the Democratic state Senator — currently the leading Democratic CA SoS candidate — had been using to help peddle it to legislators and the public alike.
Sadly, there are few, if any, choices that fit Cressman’s call for a “real expert” in these matters on the CA Sec. of State ballot this year. The top two vote-getters in the June 3rd statewide primary, from any party or the same party thanks to the state’s new “Top Two” primary system, will go on to face each other in the general election next November.
Cressman did stress, in his follow-up, that he was “against” Internet Voting, and he pointed me to this page on his campaign website where he charges that “it’s irresponsible for a Secretary of State candidate to promise we’ll bring on-line voting to California during the next Secretary’s term.”
That’s good. But is it responsible to ever — much less in “the next Secretary’s term” — use a system of voting that is very easily corrupted as well as 100% unverifiable and un-overseeable by the citizenry after polls have closed?
Cressman’s credentials in fighting against corporate money in elections are rock solid. By all appearances, he also seems to be a very nice and honest fellow. His understanding of electronic voting systems, however, while seemingly improved over the nine months or so since we spoke last, still seem far less than that needed for a state of this size and this importance, as it serves as national model for in the development and security of new voting systems.
On the other hand, he does makes a very cute campaign video.
I’d rather have Cressman in the SOS slot than ANY of the other candidates. As you pointed out, Peterson has ties to one of the Koch brothers and that in itself is enough to eliminate him – there is just no way he could remain impartial and I believe he will try to force IV on the voters of CA. It is truly too bad he is leading the pack. Enough for now – good (long, but that’s ok!) article and I hope you continue to cover this race closely, as I know you will.
I was wondering what the GOP would do regarding their recent ouster from power in CA. Having allies like Padilla in office made it simple that they will triumph in the Golden State to our eternal detriment.
What about using the bit coin or a bit coin type verification system? If everything is tied to a public transparent ledger that can be monitored in real time and is based on a decentralized distributed cryptographic network, wouldn’t that be the next best thing to counting paper ballots in front of the public?
I am looking for an article I read recently which discusses this possibility and will post when I find it.
The biggest benefit it seems to me is that participation would likely increase, making it more likely to push corrupt mainstream political parties to the side.
SH asked @ 3:
Well, I don’t know the ins and outs of BitCoin, but I’m not sure why anyone would need such a complicated scheme to publicly tabulate paper ballots. The scheme you suggest sounds like delivering a pizza with a Mack Truck. Why?
And if I can’t understand it, how is my grandmother going to? Will she simply have to trust in someones encryption technology (whether she even knows what that means?)
That’s not elections. That’s black box magic. And the citizenry can’t oversee it, which every citizen deserves to be able to do in something that calls itself “democracy”.
A more complicated, harder to understand, more difficult (if not impossible) to oversee and verify system would increase partipation?! No clue why that would be. But, either way, if we lose public oversight, all the “participation” in the world doesn’t much matter, if that’s the trade-off.
Here is a group that is working towards online voting using a bitcoin type protocol and network.
http://www.bitcongress.org/
Like I said, counting paper ballots in front of the public (maybe with a streaming webcam that anyone in the country can look in on) is the best way to ensure complete transparency of the actual vote tally in a way everyone can understand.
However, the complicated nature of the bitcoin protocol does not translate into something that the average person could not participate in. The end user interface would be as simple as scanning or entering your unique voting key, and clicking on your choices (like any online poll.) If voting were as easy as posting a message on Facebook, I think a lot more people would indeed participate. Maybe not your grandmother, but then she can go to a physical voting location or mail an absentee ballot.
Also, the most important thing is that people can see what is happening as it happens. Nothing is hidden. You can see where the “votecoins” are going in real time. Even if everyone couldn’t parse what is happening, enough people will be able to so that integrity can be maintained. Also, there will be interfaces built on top of the raw codes that make it possible for the average person to see what is happening (imagine watching as votes are counted in real time for each candidate, ballot proposition, etc.) Further, the voter would get an instant confirmation of their votes they can maintain indefinitely and provide in case an investigation or recount is required.
Look at what happened with the Silk Road site. The FBI was able to literally track every transaction that occurred on the site. Some people were clever enough to hide their ID effectively and remain anonymous, some weren’t.
With voting, every registered voter could be issued a unique ID by the government that allows them to use the protocol while remaining anonymous. The system would verify that the ID is good, but would not link that ID to a particular person, which maintains the anonymity (unless the person chooses to disclose their biographic info publicly). The database linking ID to unique voting key would be kept confidential by the government, or by an independent entity chartered by the government to maintain these records (since perhaps governments in many states are a bit too corrupt to be trusted with this knowledge).
This may not stop all fraud, but neither will paper ballots. If some corrupt local party officials register hundreds of deceased people as voters and their cronies go in and pretend to be these dead people and cast votes, then the paper ballots aren’t necessarily protecting the integrity of the election process.
There is a point at which trust can be broken or fraud perpetrated in any voting system. Diebold machines would be fine if you could actually trust anyone to run them properly. Hell, if everyone were honest you wouldn’t even need to require people to register to vote in the first place. Just put an old mailbox every few blocks and let people write down their votes and drop them in. No one would vote twice, everyone is honest and good, system works great. I think the crypto voting protocol, if implemented intelligently, and if you can trust some organization to actually issue keys only to eligible voters and not just create keys for fake people (like can happen with any voting system), would work.
The whole idea behind bitcoin is you don’t have to trust any individual. In the currency context you don’t have to provide your sensitive credit card or bank account information to a third party. That requires trust of that third party or you could be defrauded. Bitcoin simply transfers your value to someone else, without that someone else getting any of your personal info. The most you could lose is what you willingly gave them.
The encryption tech has been proven time and time again in the last twenty years. The processes and verifications are done by machines, not by humans. It cannot be corrupted once there is a large enough network of distributed nodes monitoring the transactions that occur on the network.
However, any person anywhere can monitor what is happening on that network in real time, adding the final fail safe. If someone cracks the encryption protocol, or if control of a majority of nodes falls into one person’s hand such that they can fake transactions, invalidate genuine keys or change the public ledger nefariously, then the network would discover this and the protocol would become worthless overnight because everyone would stop using it.
Anyway, I hope we are a long way off from anything like internet voting, because until we can actually hold people in power responsible for abusing that power, or to agree to 100% transparency at every point in the voting process, we can’t really trust any election system fully no matter how the ballots are cast, and a system which can be abused on a massive scale like online voting could be should not be implemented. I do understand that a few hundred fake votes here and there, which requires the willing participation of many parties in a criminal enterprise, is ultimately more effective at deterring fraud than any electronic system would be. However, if the initial creation of the voting keys could be transparent and legitimate, there is no reason to fear online voting using a bitcoin type protocol.
SH –
What you have just described — or what that Bitcongress.org group is calling for — from top to bottom, is Internet Voting and just about antithetical to democracy as any description I’ve ever read of such a scheme.
I don’t have time to reply to every point, but allow me to just speak to a few of ’em…
Good. Then let’s do that, rather than come up with schemes, like the one suggested, that do the absolute opposite of that.
And we all know how accurate, reliable and overseeable “online polls” are! 🙂
“Participation” and the ability for citizens to oversee elections are two entirely different issues. For one thing, the “participation” argument, which is used by unverifiable Internet Voting advocates is, at least for now, imaginery. When Honolulu ran it’s first all-digital election, “where people could vote over the Internet or by phone”, the participation rate dropped by 83%.
That said, as I had mentioned, for years, back when advocates of e-voting used the same claims about touch-screen voting systems (that, allegedly, people “liked voting on them”), I suspected people would have liked voting on them even more if money came out the bottom, or if they were able to play Pac-Man on them! That, of course, is no reason to use a 100% unverifiable voting system. (And, ironically enough, years later, a computer scientist actually hacked one of them so he voters could, literally, play Pac-Man on one of them!)
“As it happens”? You mean as votes are being cast? You do realize that’s a HUGE no-no, right?
No. You can see where the computer tells you the “votecoins” are going in real time. What is the evidence that “votes” are actually being cast that way by voters? And how may I, or my grandmother, verify that after the election is over in such a non-transparent scheme?
Ah, cool. Just let me know who I should “have to trust”. Katherine Harris? J. Kenneth Blackwell? Barack Obama? Lemme know. I’m happy to give away my right of oversight to someone else. (#sarcasm)
Sigh…Two problems there.
1) What you would get is not a “confirmation” of how your vote was counted. It is a “confirmation” of how you believe you cast your vote. 2) That scheme also makes vote buying and selling and voter intimidation a no-brainer. There is a reason why you do not leave the polling place with a copy of how you voted.
These are basic democratic principles, that it sounds like the folks who developed the scheme that you cite know absolutely nothing about, unfortunately. That is almost always the case, I’m afraid, when it comes to these Internet Voting schemes which actual election and democracy experts continue to warn against on virtually every front.
Awesome! I’m delighted with the idea that the government will be “able to literally track” the way that everybody votes. What could possibly be the downside to that? (#sarcasm)
Heheh…Are you even thinking here, SH?! The govt issues a “unique ID” to each person, to allow them to “remain anonymous”? Is that your turnip truck parked outside, amigo?
Yes, that’s your turnip truck. Let’s see, either the government or “an independent entity” like the folks that maintain anonymity on credit cards (Target) and passwords (OpenSLL/Heartbleed) should be the ones to make sure that database keeps us all “anonymous”? Sigh…
Ah, you finally hit on something that is correct. It is pretty much impossible to make sure there will be no fraud in an election. That is exactly why you want the process to be as decentralized and as transparent as possible. It must be a system that allows for detection of fraud as easily as possible, and assures that any such fraud, if it occurs, will have the smallest effect on the actual election.
Hand-marked paper ballots, publicly counted at the precinct, are easily the most transparent way to run an election and assure that, if there is any fraud, it will most likely be discovered by any one of the EVERYBODY who is able to oversee the election. Or, if fraud does occur, it would require a fairly huge conspiracy (which is more easily discovered) in orde to actually effect the final results of the election.
Your Bit scheme accomplishes neither of those things, as far as I can tell from your explanation.
Right. So why would you want to make it less transparent, more centralized, and, therefore, more easy to accomplish???
No. They wouldn’t. Because a) We should not have to “trust” anyone in a real democratic election system and b) Errors happen all the time — by malfunction or malfeasance– on such systems, even those run by people who you may think you can trust. However, if you can’t see the votes being counted, you can NEVER have any idea if they were actually tabulated accurately.
That’s a whole lotta “ifs”, that I don’t have time to dispel. But you may be able to do so yourself, now that I’ve pointed some of these things out to you.
So, the “most” I could lose is my entire vote? Great idea! (#sarcasm)
Wait, which “encryption tech”? OpenSLL/Heartbleed, for example? As run over these Internets?
You do realize those were the exact arguments offered by Diebold, Sequoia, ES&S etc. when they hoaxed the country into moving to electronic voting and tabulation systems, right? Before they were proven wrong on absolutely every count, right?
Oh. Cool! So when that happens — or, at least, when we finally discover that has happened — we just cancel the election and hold it again? Or we go with the 2000 Florida plan? (Or, alternately, the time machine plan, where we roll back the close to 4 years earlier to have the person who actually won the election serve out those 4 years instead?)
Thank you. You are correct here. So, I’m not sure why we’re even talking about Internet Voting schemes that can’t possibly meet those requirements.