Transcripts For CSPAN3 Georgetown Law Discussion On Digital

Up next, a discussion on Election Security. This panel looks at preventing Voting Machines from being hacked. And talks about some of the benefits of paper ballots. Georgetown Laws Institute for Technology Law and policy hosted this series. Hi. Welcome. So im matt blaze. Im a professor here at georgetown in both the law school and Computer Science department. I want to welcome you to our afterlunch panel. Thank you for sticking around. On Digital Technologies and voting. We have, on our panel, who i will introduce very briefly, four very distinguished experts at various parts of the digital elections landscape. And and the technology and the risks of some of the Underlying Technology that is inherent there. And well be talking about this subject for from a very wide range of different perspectives. But all with a very technological bias. So im going to very briefly introduce these people. And im going to apologize now for being extremely incomplete in my introductions because they would take up the entire panel. Andrew apel is the higgins professor of science at princeton where he served since 1986. And, in fact, he was one of the members of my Doctoral Committee at princeton. His research focuses on software verification, security, programming languages, and technology policy. And in the case of the latter, particularly, with a focus on election technology. And Voting Systems. The next up on our panel is kim zetter, who is an awardwinning journalist, who has covered cybersecurity and National Security since 1999. Shes been on the staff of wired magazine for over a decade. And has written about tech and security publications like the New York Times, politico, Washington Post and many others. She is also the other of what is cert absolutely the best book on the stuxnet virus and the implications of it. You should run out and buy it and read stark is a professor i the department of statistics at uc berkeley whos work has impacted public policy, from the u. S. Census to credit risk modeling and so forth. Huge range of incredibly influential and important work that he has done. Most relevantly to us his method for auditing Election Outcomes with widely recognized as the standard for relooinl elections that make use of technology, risk limiting audits is something youre going to be hearing about quite a bit during our panel. And finally, Barbara Simmons is chair of the board of verified voting. She is a Computer Scientist whos work has been at the intersection of technology and policy for as long as i can remember. She is a former president of the association for computing machinery, and she was one of the first voices to look at the risks of the use of technology in Voting Systems. And again, i have not done justice to any of these people, but im sure they will introduce themselves as well. So im going to just briefly introduce our panel and kind of frame some of what were talking about here. Technology is all over our election. We ev we have Voting Systems which are probably the most prominent and the most highly visible parts of elections, in particular the technology in Voting Systems can sometimes be essential for the integrity of the ballot itself, for the integrity of the vote count itself and so forth. Voting is probably the main subject of the help america vote act. Theyre obviously quite important and prominent. They are targeted by corrupt candidates and their supporters who have the aim of offering the official outcomes of elections. So the risks are quite serious in Voting Systems, the integrity issues are quite important. But thats not the only place that technology exists in election systems. We also have the election management infrastructure. This is less visible, less standardized, tends to be built by individual counties. And its depended upon for the logistics, including the registration of voters and poll books that are being used at polling places to check voters in and determine whether theyre allowed to cast ballots in the first place. These systems as well are exposed to risk and ought to be attention of actors, particularly hostile state actors who may not be seeking to choose the outcome of an election so much as disrupt the election or cast doubt on the legitimacy of its outcome. And these systems are much larger than more exposed than the Voting Systems that we tend to focus on. So the issues on technology and Election Integrity are vast, and, you know, we will be touching on them quite a bit. I think this all started with a photo. If you recognize this photo that dates you to some extent as having been around at the turn of the century. Who recognizes this photo . Yeah, this is of course the recount of the 2000 president ial election in florida. And this photo and variants of it show, you know, somebody applying scrutiny to a peaiece cardboard that was used to express a voters choice during the election. This photo is interesting because we all know it because it was on the news and in the newspaper for over a month as the example of how terrible things were in the florida election. This is a national embarrassment, and we have to do something to make sure that this never happens again. And i think its interesting that this photo has almost inverted in its meaning in the two decades since. As also showing a strength of the 2000 election, that a human being could look at a physical artifact and make a judgment about what the voter may have intended, that we may agree or disagree about, but at least we can get kind of closer to the truth by examining this. So where does this come from . It came in fact from a Technology Failure in the voting equipment that was used, that did not itself actually involve computers or even electricity in the voting booth. This was the voting machine that produced those ballots. Called a voteowemattic. And the technology involved taking a perforated punch card and inserting it in the top of the machine and making your choice along a column of hole positions using a stylus and punching through the ballots. That would then produce a punch card that could be put into an electronic tab later, and the vote tallies according to what hole position had been punched out. The interesting thing about this is that the only electricity even involved in the voting booth itself was for the light in the room. This is a completely mechanical device, and yet it had a failure type, which a Computer Scientist would recognize probably as a garbage collection failure. [ laughter ] in that the as if more voters than usual showed up for the voting, for voting, eventually the little pieces of cardboard that were punched out from the more popular candidates would back up behind the position where the ballot was to be punched out. And as the day would wear on, in a hotlycontested and very popular election, eventually it would become physically harder to vote for your candidate of choice. And the difficulty would actually be proportional to how popular the candidate was, because there would be these pieces of cardboard behind the ballot. And the cannes kweonsequence of that a properlypunched ballot, if you look at hole number 68 in the center will be cleanly punched out and easily read by the optical electronic tally device that these cards were fed through. But what might happen if we look in the center instead of the cleanly punched out hole that we see in the upper right corner, we might see only a little of the cardboard square, a term that became known to every american, the dimpled chad. Or we might create a flap where the hole might have been that might close up. And neither of those two hanging chad in the terminology of these machines. And what would happen is these cards, a human being would be able to see, ah haha, the dimp. But the reader would pass a beam of light through each position, would interpret either of those conditions as no vote. And what we saw in a very close race is that the number of people in certain counties who didnt vote was within the margin of victory for the winner. Greater than. Sorry. Greater than. The margin of victory was within the margin of nonvotes, so we had to resort to this lengthy, tedious recount, that you can read about now in the history books. So the country was unlike today heavily guided on who should be president. This was a very sharply divided, not at all bipartisan world where there was bipartisan agreement on one thing, which was that we should replace these florida punchcard Voting Machines. And congress very hurriedly passed something called the help america vote act after the 2000 election. It mandated that states shift to accessible Voting Technology that would generally mean electronic touch screens with Adaptive Technology people could use if they couldnt interact with paper or with an ordinary type of interface, so there would be various assistive technologies available for that. And it also provided substantial funding to the states to purchase new equipment. Unfortunately for the most part the equipment mandated by the act didnt really exist at the time that it passed in full production form. And the understanding of how to do bills, equipment that would comply with help america vote in a reliable way, was not well understood by the technical community. And to the extent it was understood, it really wasnt a design consideration in the certification of the equipment. So it allowed for a number of different types of voting equipment, the most prominent is the direct reporting electronic voting machine, which is essentially a computer that stores the tally of the votes cast on it internally in computer memory. It also permitted optical scan ballots and absentee ballots that are mald in on paper as well as assistive devices like ballot marking devices, which im sure will be discussed as we go on. I want to talk a little bit about cre Voting Machines because they probably received the majority of attention from people concerned about technological risks. These are essentially computerized Voting Machines, computers in a particular form that makes them look like a voting machine, but these are really computers just like your laptop or desktop or phone, in that theyre controlled by software. And the tally of votes is maintained inside the memory of the machine under the control of the Software Running on this equipment. And so many questions have been raised over the years about whether dre Voting Machines can be made reliable enough to use in elections. And the overwhelming consensus of experts is that in fact they cannot. Yet many states are still to this day using them. So with that, id like to turn this over to our first panelist, andrew, you can either sit there or come up here. I think if you just keep going okay so ive been studying computer rised Voting Systems since about the hanging chad debacle. And in 2017 i was asked to serve on a National Academy of science of engineering and medicine consensus study panel which met for five twoday meetings. We heard from sketwo universiti cochairs. One law professor and three Election Officials. And we were asked to write down what is the Scientific Consensus. Dont invent any new science. We wrote a report. Here it is. Which has many recommendations backed up by even more pages of scientific explanation. So here are the key recommendations which i dont nearly have time to describe all of. Let me get to the main points. Elections should be conducted with human readable paper ballots. These may be marked by hand or by machine. Now, that was a Scientific Consensus in 2018. Thats no longer quite the Scientific Consensus. They may be counted by hand or machine using an optical scanner. Recounts and add its should be conducted by humans. Voting machines such as dres that do not provide the capacity for independent auditing, machines that do not produce a verifiable paper audit trail should be removed from service as soon as possible. These are the dre machines that you just heard about. They dont have a paper trail. You interact with them on the touch screen. The Computer Program in there says how many votes each candidate got. So its easy to commit largescale election fraud, write a Computer Program that cheats, make sure it doesnt kpaet except on election day like the folks, they wont cheat when theyre in the chess tournaments outside of election day, and get it installed on all the Voting Machines. Heres me installing software on a new jersey voting machine. Its in new jersey. I own this one. It would be a felony to do it on a real in use in the state of new jersey voting machine. But modern computers its much easier to install software through network propagation. Any Computer System now has so many lairs. The top layer is the application that counts your votes. Below that there are other systems and buyose, this is millions of lines of code, thousands of software bugs. And of those some are exploitable that allow an attacker to install a different application on top. So its stealing software instead of vote counting software. This can propagate to a network but also piggbacked on removable media as stuck net did which we can tell you more about. I can write that. Anybody with a bachelors degree can write that that shifts some of the votes around but doesnt do it when its not election day. So the solution recommended in the National Academy report is to vote on optical scan forms. This is a much Better Technology been punch cards. Right next to the name your candidate on the same smeet of paper, that the pen is intended to be read by humans as well as written by humans. This technology works. Its highly accurate. There have been measurements of that. And then we count those in some sort of machine. Either a precinct count optical scanner, the voter feeds the form into in the precinct, or its deposited in a ballot box or mailed in. This year here is how were going to vote. This is from the verified voting foundation. In white or cream color you see the places where were going to vote by optical scan form, counted by op scan commuters, recountable by hand. And in light, light brown are places where for accessibility theyre going to use paperless dres already maybe dres with paper. Thats not a great idea. And in dark, dark brown and in red are places where theyre going to use dres without a paper trail or ballot marking devices with an inadequate paper trail. Part of the good news is that most states use about the right technology for voting. They use the most auditable, least insecure technology. There are a few laggard states such as my own state of new jersey that are still using paperless dres. Theres a bigger problem that most states dont actually audit their paper ballots or even rekouchbt them with any reasonable probability. Heres how we vote. The voter markets a ballot, feeds it in the scanner. Its a computer. All my remarks about how easy it is to hack is plies to that as well. If a hacker got to install fraudulent software, that could deliberately shift the election by miscountsing the ballots. The paper ballot drops into a sealed ballot box, and if you can maintain a reliable chain of custody of that box from the polling place to where it can be stored for auditing and recounting later then you can trust the results of the election independently of any possibly hacked computer. So if you have to recount the ballots by hand, though, whats the point of having a computer . And the answer is, you can do a random sample audit of the paper ballots to be assured with statistically guerin tooebl probability that the outcome of the election is consistent as reported by the computers, is con sint with whats truly on the paper ballots. Many states do some sort of ran dome audit. B professor stark will be talking about the guarantee later. Ill cite the National Consensus report that says states should mandate risk limiting audits prior to the certification of election results. Some states do some sort of audit. The states in pink here do no audits or completely unsatisfactory audits. The states in yellow are mostly unsatisfactory audits. The states in blue do moderately unsatisfactory audits. And all the states you see in green are doing satisfactory risklimiting audits. But several others are following along with pilot projects to on the process of adopting high quality risklimiting audits. Ballotmarking devices were mandated by the act as an assistive technology. For voters who cannot mark a paper ballot by hand, they can use some sort of touch screen that will mark a ballot for them. You might ask, how is the touch green going to help the blind voter . But theres an audio interface you can plug in and allow the marking of a ballot. Some states have started adopting bmds for all, that are fed into an optical scanner. In the National Academy report there was concern about ballot marking devices of whether voters actually inspect whats printed out on that piece of paper, that its after the voter makes the selections on the touch screen and the card comes out, that records their choices supposedly, if the computer in the touch screen hasnt been hacked, will they examine it before they put it in the ballot box . There has been no research on that. The Election Security<\/a>. This panel looks at preventing Voting Machines<\/a> from being hacked. And talks about some of the benefits of paper ballots. Georgetown Laws Institute<\/a> for Technology Law<\/a> and policy hosted this series. Hi. Welcome. So im matt blaze. Im a professor here at georgetown in both the law school and Computer Science<\/a> department. I want to welcome you to our afterlunch panel. Thank you for sticking around. On Digital Technologies<\/a> and voting. We have, on our panel, who i will introduce very briefly, four very distinguished experts at various parts of the digital elections landscape. And and the technology and the risks of some of the Underlying Technology<\/a> that is inherent there. And well be talking about this subject for from a very wide range of different perspectives. But all with a very technological bias. So im going to very briefly introduce these people. And im going to apologize now for being extremely incomplete in my introductions because they would take up the entire panel. Andrew apel is the higgins professor of science at princeton where he served since 1986. And, in fact, he was one of the members of my Doctoral Committee<\/a> at princeton. His research focuses on software verification, security, programming languages, and technology policy. And in the case of the latter, particularly, with a focus on election technology. And Voting System<\/a>s. The next up on our panel is kim zetter, who is an awardwinning journalist, who has covered cybersecurity and National Security<\/a> since 1999. Shes been on the staff of wired magazine for over a decade. And has written about tech and security publications like the New York Times<\/a>, politico, Washington Post<\/a> and many others. She is also the other of what is cert absolutely the best book on the stuxnet virus and the implications of it. You should run out and buy it and read stark is a professor i the department of statistics at uc berkeley whos work has impacted public policy, from the u. S. Census to credit risk modeling and so forth. Huge range of incredibly influential and important work that he has done. Most relevantly to us his method for auditing Election Outcomes<\/a> with widely recognized as the standard for relooinl elections that make use of technology, risk limiting audits is something youre going to be hearing about quite a bit during our panel. And finally, Barbara Simmons<\/a> is chair of the board of verified voting. She is a Computer Scientist<\/a> whos work has been at the intersection of technology and policy for as long as i can remember. She is a former president of the association for computing machinery, and she was one of the first voices to look at the risks of the use of technology in Voting System<\/a>s. And again, i have not done justice to any of these people, but im sure they will introduce themselves as well. So im going to just briefly introduce our panel and kind of frame some of what were talking about here. Technology is all over our election. We ev we have Voting System<\/a>s which are probably the most prominent and the most highly visible parts of elections, in particular the technology in Voting System<\/a>s can sometimes be essential for the integrity of the ballot itself, for the integrity of the vote count itself and so forth. Voting is probably the main subject of the help america vote act. Theyre obviously quite important and prominent. They are targeted by corrupt candidates and their supporters who have the aim of offering the official outcomes of elections. So the risks are quite serious in Voting System<\/a>s, the integrity issues are quite important. But thats not the only place that technology exists in election systems. We also have the election management infrastructure. This is less visible, less standardized, tends to be built by individual counties. And its depended upon for the logistics, including the registration of voters and poll books that are being used at polling places to check voters in and determine whether theyre allowed to cast ballots in the first place. These systems as well are exposed to risk and ought to be attention of actors, particularly hostile state actors who may not be seeking to choose the outcome of an election so much as disrupt the election or cast doubt on the legitimacy of its outcome. And these systems are much larger than more exposed than the Voting System<\/a>s that we tend to focus on. So the issues on technology and Election Integrity<\/a> are vast, and, you know, we will be touching on them quite a bit. I think this all started with a photo. If you recognize this photo that dates you to some extent as having been around at the turn of the century. Who recognizes this photo . Yeah, this is of course the recount of the 2000 president ial election in florida. And this photo and variants of it show, you know, somebody applying scrutiny to a peaiece cardboard that was used to express a voters choice during the election. This photo is interesting because we all know it because it was on the news and in the newspaper for over a month as the example of how terrible things were in the florida election. This is a national embarrassment, and we have to do something to make sure that this never happens again. And i think its interesting that this photo has almost inverted in its meaning in the two decades since. As also showing a strength of the 2000 election, that a human being could look at a physical artifact and make a judgment about what the voter may have intended, that we may agree or disagree about, but at least we can get kind of closer to the truth by examining this. So where does this come from . It came in fact from a Technology Failure<\/a> in the voting equipment that was used, that did not itself actually involve computers or even electricity in the voting booth. This was the voting machine that produced those ballots. Called a voteowemattic. And the technology involved taking a perforated punch card and inserting it in the top of the machine and making your choice along a column of hole positions using a stylus and punching through the ballots. That would then produce a punch card that could be put into an electronic tab later, and the vote tallies according to what hole position had been punched out. The interesting thing about this is that the only electricity even involved in the voting booth itself was for the light in the room. This is a completely mechanical device, and yet it had a failure type, which a Computer Scientist<\/a> would recognize probably as a garbage collection failure. [ laughter ] in that the as if more voters than usual showed up for the voting, for voting, eventually the little pieces of cardboard that were punched out from the more popular candidates would back up behind the position where the ballot was to be punched out. And as the day would wear on, in a hotlycontested and very popular election, eventually it would become physically harder to vote for your candidate of choice. And the difficulty would actually be proportional to how popular the candidate was, because there would be these pieces of cardboard behind the ballot. And the cannes kweonsequence of that a properlypunched ballot, if you look at hole number 68 in the center will be cleanly punched out and easily read by the optical electronic tally device that these cards were fed through. But what might happen if we look in the center instead of the cleanly punched out hole that we see in the upper right corner, we might see only a little of the cardboard square, a term that became known to every american, the dimpled chad. Or we might create a flap where the hole might have been that might close up. And neither of those two hanging chad in the terminology of these machines. And what would happen is these cards, a human being would be able to see, ah haha, the dimp. But the reader would pass a beam of light through each position, would interpret either of those conditions as no vote. And what we saw in a very close race is that the number of people in certain counties who didnt vote was within the margin of victory for the winner. Greater than. Sorry. Greater than. The margin of victory was within the margin of nonvotes, so we had to resort to this lengthy, tedious recount, that you can read about now in the history books. So the country was unlike today heavily guided on who should be president. This was a very sharply divided, not at all bipartisan world where there was bipartisan agreement on one thing, which was that we should replace these florida punchcard Voting Machines<\/a>. And congress very hurriedly passed something called the help america vote act after the 2000 election. It mandated that states shift to accessible Voting Technology<\/a> that would generally mean electronic touch screens with Adaptive Technology<\/a> people could use if they couldnt interact with paper or with an ordinary type of interface, so there would be various assistive technologies available for that. And it also provided substantial funding to the states to purchase new equipment. Unfortunately for the most part the equipment mandated by the act didnt really exist at the time that it passed in full production form. And the understanding of how to do bills, equipment that would comply with help america vote in a reliable way, was not well understood by the technical community. And to the extent it was understood, it really wasnt a design consideration in the certification of the equipment. So it allowed for a number of different types of voting equipment, the most prominent is the direct reporting electronic voting machine, which is essentially a computer that stores the tally of the votes cast on it internally in computer memory. It also permitted optical scan ballots and absentee ballots that are mald in on paper as well as assistive devices like ballot marking devices, which im sure will be discussed as we go on. I want to talk a little bit about cre Voting Machines<\/a> because they probably received the majority of attention from people concerned about technological risks. These are essentially computerized Voting Machines<\/a>, computers in a particular form that makes them look like a voting machine, but these are really computers just like your laptop or desktop or phone, in that theyre controlled by software. And the tally of votes is maintained inside the memory of the machine under the control of the Software Running<\/a> on this equipment. And so many questions have been raised over the years about whether dre Voting Machines<\/a> can be made reliable enough to use in elections. And the overwhelming consensus of experts is that in fact they cannot. Yet many states are still to this day using them. So with that, id like to turn this over to our first panelist, andrew, you can either sit there or come up here. I think if you just keep going okay so ive been studying computer rised Voting System<\/a>s since about the hanging chad debacle. And in 2017 i was asked to serve on a National Academy<\/a> of science of engineering and medicine consensus study panel which met for five twoday meetings. We heard from sketwo universiti cochairs. One law professor and three Election Officials<\/a>. And we were asked to write down what is the Scientific Consensus<\/a>. Dont invent any new science. We wrote a report. Here it is. Which has many recommendations backed up by even more pages of scientific explanation. So here are the key recommendations which i dont nearly have time to describe all of. Let me get to the main points. Elections should be conducted with human readable paper ballots. These may be marked by hand or by machine. Now, that was a Scientific Consensus<\/a> in 2018. Thats no longer quite the Scientific Consensus<\/a>. They may be counted by hand or machine using an optical scanner. Recounts and add its should be conducted by humans. Voting machines such as dres that do not provide the capacity for independent auditing, machines that do not produce a verifiable paper audit trail should be removed from service as soon as possible. These are the dre machines that you just heard about. They dont have a paper trail. You interact with them on the touch screen. The Computer Program<\/a> in there says how many votes each candidate got. So its easy to commit largescale election fraud, write a Computer Program<\/a> that cheats, make sure it doesnt kpaet except on election day like the folks, they wont cheat when theyre in the chess tournaments outside of election day, and get it installed on all the Voting Machines<\/a>. Heres me installing software on a new jersey voting machine. Its in new jersey. I own this one. It would be a felony to do it on a real in use in the state of new jersey voting machine. But modern computers its much easier to install software through network propagation. Any Computer System<\/a> now has so many lairs. The top layer is the application that counts your votes. Below that there are other systems and buyose, this is millions of lines of code, thousands of software bugs. And of those some are exploitable that allow an attacker to install a different application on top. So its stealing software instead of vote counting software. This can propagate to a network but also piggbacked on removable media as stuck net did which we can tell you more about. I can write that. Anybody with a bachelors degree can write that that shifts some of the votes around but doesnt do it when its not election day. So the solution recommended in the National Academy<\/a> report is to vote on optical scan forms. This is a much Better Technology<\/a> been punch cards. Right next to the name your candidate on the same smeet of paper, that the pen is intended to be read by humans as well as written by humans. This technology works. Its highly accurate. There have been measurements of that. And then we count those in some sort of machine. Either a precinct count optical scanner, the voter feeds the form into in the precinct, or its deposited in a ballot box or mailed in. This year here is how were going to vote. This is from the verified voting foundation. In white or cream color you see the places where were going to vote by optical scan form, counted by op scan commuters, recountable by hand. And in light, light brown are places where for accessibility theyre going to use paperless dres already maybe dres with paper. Thats not a great idea. And in dark, dark brown and in red are places where theyre going to use dres without a paper trail or ballot marking devices with an inadequate paper trail. Part of the good news is that most states use about the right technology for voting. They use the most auditable, least insecure technology. There are a few laggard states such as my own state of new jersey that are still using paperless dres. Theres a bigger problem that most states dont actually audit their paper ballots or even rekouchbt them with any reasonable probability. Heres how we vote. The voter markets a ballot, feeds it in the scanner. Its a computer. All my remarks about how easy it is to hack is plies to that as well. If a hacker got to install fraudulent software, that could deliberately shift the election by miscountsing the ballots. The paper ballot drops into a sealed ballot box, and if you can maintain a reliable chain of custody of that box from the polling place to where it can be stored for auditing and recounting later then you can trust the results of the election independently of any possibly hacked computer. So if you have to recount the ballots by hand, though, whats the point of having a computer . And the answer is, you can do a random sample audit of the paper ballots to be assured with statistically guerin tooebl probability that the outcome of the election is consistent as reported by the computers, is con sint with whats truly on the paper ballots. Many states do some sort of ran dome audit. B professor stark will be talking about the guarantee later. Ill cite the National Consensus<\/a> report that says states should mandate risk limiting audits prior to the certification of election results. Some states do some sort of audit. The states in pink here do no audits or completely unsatisfactory audits. The states in yellow are mostly unsatisfactory audits. The states in blue do moderately unsatisfactory audits. And all the states you see in green are doing satisfactory risklimiting audits. But several others are following along with pilot projects to on the process of adopting high quality risklimiting audits. Ballotmarking devices were mandated by the act as an assistive technology. For voters who cannot mark a paper ballot by hand, they can use some sort of touch screen that will mark a ballot for them. You might ask, how is the touch green going to help the blind voter . But theres an audio interface you can plug in and allow the marking of a ballot. Some states have started adopting bmds for all, that are fed into an optical scanner. In the National Academy<\/a> report there was concern about ballot marking devices of whether voters actually inspect whats printed out on that piece of paper, that its after the voter makes the selections on the touch screen and the card comes out, that records their choices supposedly, if the computer in the touch screen hasnt been hacked, will they examine it before they put it in the ballot box . There has been no research on that. The Scientific Consensus<\/a> as of 2013 didnt have answers. Since then there has been research. There have been two studies. Ill show one of them, that show that in real polling places, voters dont really look at the cards. And when they do look at the cards they look at them for a couple of seconds, not nearly long enough to check that every contest on the ballot has printed on it the choice that they indicated on the touch screen. So that if the computer had been hacked and is misrepresenting onto card their vote, what will happen in the recount . The recount will recount whats printed on the paper. And a newer study from the university of michigan shows that 93 of the voters dont notice. This study was done with real voters but in a fake election, right, something set up as an experiment in a public libly. The Voting Machines<\/a> deliberately changed a voters selection and printed a different name on the paper ballot, 93 didnt notice. So this means that the parent trail that comes out of a ballot marking device is not a reliable indication if the computers have been hacked of what the voters indicated. You might think, well, at least 7 of the voters will notice. And they can serve as a check that protectors the rest. But an analysis we did and published last year shows that this doesnt really work. Suppose a hacked ballot marking device changes 10 of the votes in the race for sheriff. I can steal 10 , i can convert a landslide loss into a marginal win. And suppose 10 of the voters actually examine the battle enough to notice, and 50 of them actually know what theyre supposed to do, which is alert the poll worker. Then what happens . One out of 200 voters will raise their hand. What the poll worker is supposed to do, void that ballot, let them recast, and lets assume the machine doesnt cheat that time. They succeed in stealing now 9. 5 instead of 10 . You might think they caught the machine cheating redhanded, you can do something about that. The answer is, no, theres not. When the voter says this paper doesnt have on it what i indicated on the touch screen, theres no evidence of that. The voter might be wrong. The voter might be main. And furthermore we cant invalidate an election because one out of every 200 voters raises their hand and says the machine made a mistake. If we did you can see what the attack on elections would be there. You just get your friends to raise their hands. Ballotmarking devices cannot create a reliable paper trail to be used in audit and should not be used for most voters. Only voters who cannot mark by hand and do not wish to vote by ma mail. And states and jurisdictions should not adopt ballotmarking devices to be used by all voters because of the danger of hacking. All right. The National Academy<\/a> board has quite a bit to say about internet voting. There is no known or immediately foreseeable technology that can secure internet voting. But i wont talk about that at length because one of the other panelists will. And the report makes recommendations in many other areas regarding Voter Registration<\/a>, Voter Registration<\/a> database security, lelect trunk poll books, ballot designs. They can cause voters to overlook the certain con tests are even there. So states, you know, should require the use of well understood and published principles for ballot design. The congress should fund the Election Assistance Commission<\/a> to do its job and fund mitts ss work with the Election Commission<\/a> as it does. States should participate in the electronic information center. And so on and so forth. But i will wrap up here, as im out of time. Okay. Thank you. [ applause ] im going to tell you a story about how voting machine vendors control the message about their machines and see misinformation, some people might say lies, two Election Officials<\/a> and then that information gets passed to the public, the media and the public. So weve heard a lot from voting machine vendors and Election Officials<\/a> that Voting Machines<\/a> cant be hacked because theyre not connected to the internet. One of the vulnerabilities that andrew talked about are not a problem because no one can access the machines. And it turns out that that message that theyve been giving us for years and particularly after the 2016 election just isnt true. So this is the message that was given by a voting machine vendors and repeated by the National Association<\/a> of secretaries of state, in this case the president was saying that our Voting Machines<\/a> are not really cyber at all and we assume she means they are not connected to the internet. Dhs also said that the machines are noninternet connected, and the eac, the one responsible for testing and certifying, also wrote an oped prior to this 2016 election in the Washington Post<\/a> saying everyone, calm down, forget the hype, you cant actually hack these machines, no eaccertified system is connected to the internet. Its not true. Lets talk about modems. There are a lot of machines after an election is over, they want Rapid Transmission<\/a> of results. Usually the results of an election are stored on a memory card inside the machine and after the election, they shut it down, take out the card and drive it into the election office. There is a lot of pressure to get fast votes. As weve seen in iowa, people are impatient. Voting machines undertook Election Officials<\/a> on these in use of modems. In some cases theyre embedded inside the machine, in other cases they get attached later. At the end the machine goes into shutdown mode and this option pops up. The system will dial in and send the votes over a cellular plomo to a server that collects the results. Everyone will tell you, and theyve told me every time ive spoken with them, that cellular mode uchlz are not internet connectivity. Thats not true. Election systems and software which is the top voting machine maker in the country, this is one of their statements over and over again, but this is one of their own diagrams they gave to rhode island in 2015. If you see that circular part in the center showing the modem transmission using a wireless mod em, they sit there right there. Its on their own diagram that is going over the internet. What happens is that the transmission of the votes, the voting machine will dial in using the cellular modem, and it contacts the nearest cell tour. And then the data goes through that cell tower into the carriers backend network. But then it has to get to the county network, and it goes over a server on the internet to receive those votes. We already know basically shown the misinformation of the transmission of those votes. So they will then say, it doesnt matter because all of that process is secured. So the transmission of the votes are secured. So that no one can intercept them and read the votes or alter them. The modum is con firgtd in such a way that no one can dial in, only out, and only when the machine shuts down at the end of the election. Apparently there are all of these safeguards. Also the Backend System<\/a> that receives the transmitted votes is supposed to communicate only with one of those machines with the modum. The problem is none of this has been tested. The Voting Machines<\/a> go through a federal testing lab process and through certification. The modem transmissions dont opinion we dont know whats inside, how they work. They dont have a good track record on implementing security. So we dont actually know that the way that they are saying that these are transmitted securely is actually the case. So what then happens with a mod em machine . I dont know if youre familiar with a stingray . Its a device that Law Enforcement<\/a> uses and the military uses, and what it does is it masquerades as a legitimate cell tower. It transmits a much more powerful signal so that your cell phone will connect to the stingray instead of the cell tower and then pass it on to the cell tower. Its mostly used for tracking phones but also some are designed to intercept the content of communications. If youve got a cellular one in a voting machine, a rogue can put one near a precinct tower. Now they can connect to the rogue cell tower. You can intercept data if its not properly incremented, intsept and change the results or you could swap out the whole package of results if its not authentically signed, and replace it with your own package of results. Those go on to the server. Election officials will tell you, that doesnt matter. These are unofficial results on election night. The real results are on that memory card that gets walked into the county. But if youve got transmit the results at the end of the election that dont match the votes on the modem, you can imagine the mayhem thats going to result. There is going to be a lot of mistrust in that election. Thats not the worst problem. If youve got that cell tower, that is actually an entry point back into that voting machine. If that is connecting to a rogue tower, if theres a vulnerability in that modem, a hacker can transmit malware back on. And once youre in that voting machine, either that way or maybe youve gotten into the voting machine prior when its being programmed, you now control the configuration that have mod em. Even if they say that will only work at the end of the election and only call out and not receive calls in, if you control the configuration of that, you control all that. You can have it contact your system however or whenever you want so you can do recon sens on that machine and study it and establish your attack. So thats the stingray. Again, these are highend systems used by Law Enforcement<\/a> and military. Its not theoretical to have a rogue cell tourer. There was a story published about rogue cell tours that were placed somewhere in the vissin tie of the white house in washington, d. C. Possibly by nation state actors. Its not just people sophisticated. This is a sample of a homemade do it yourself sing ray. It was made by a hacker and present in the 2007. You see that antenna there, that could pick up data from a phone one to two miles away. Thats a pretty raw sample. This is now 2007, much later, youre going to have much more powerful systems that will cost only a couple hundred dollars in hardware. Even rogue hackers or someone who wants to disrupt could do that. Lets go back to that statement, Voting Machines<\/a> are never connected to the internet by everyone. This is also a statement that es s made in 2018. Matt puts together a voting machine hacking in def con. In 2018 when they were pumping up to a couple weeks before, es s got nervous because their machines were included in the machines the hackers would be looking at. They put out ate statement i was able to grab to their customers, and the statement on the web were my annotations on what they were and werent saying. One of the things they say, dont worry, first of all again, these hackers, if they find vulnerabilities in the system it doesnt matter because they have unfettered access to the machine and thats not real world. They said these arent connected to the internet. They say no vote tabulation system is connected to the internet, which is interesting. Because the voting machine itself isnt actually the final tab later, right . It turns to out that that Backend System<\/a> that does tabulate is connected to the internet. So they have lied. Well say that Voting Machines<\/a> arent connected to the internet except when they are. A wrote a story in 2018, february, for the New York Times<\/a> about this modem transmission and the reppurecussions, the risks that that creates. There were a group of researchers that decided they would try and see if they could find those backend servers. If youve got something transmitting over cellular network, theres something that has to be connected to the internet to receive them. There is a server. It turns out they could actually based on Configuration Information<\/a> thats publicly available on the internet that the voting vendors provide and the election offices post on the internet, they describe the type of firewall that they use, its made by sysco, they describe the type of stp, the whole configuration including the type of cellular modem thats embedded. Based on that information, they decided to see if they could look for that very specific footprint of the machines that are receiving the votes, and they did a scan and were able to find these on the internet. They found nine wisconsin counsies, seven florida counties, and four michigan counties. They found systems in ten different states, but these were the primary ones and these are all important critical swing states. Heres the thing. Election officials will tell you, well, the modem transmissions dont matter because we only turn them on for a very brief period less than a minute at the end of the election to transmit. And thats not sufficient time for someone to hack. Any of the technical experts will tell you that a minute is more than sufficient to hack that machine. More importantly it turns to out these ant just connected for a few minutes. Those Backend System<\/a>s that receive the votes are quite often connected year round. You can see them, they dom up with a couple of weeks, some up temporary will sometimes come up a couple of weeks before the elections because they want to test, and then leave it on those weeks before the election. And after they might forget to take it down and might stay up a couple of weekends. But there are some that simply never take them down. Wisconsin was one of them year round. This is a problem. These systems, what are they . I describe this as a server, but its that sounds kind of denying. What is happening is that the systems, the votes are being transmitted and the on the receiving end, theres a firewall thats connected to the internet and behind the firewall there is a stp server that the votes are transmitted on. Thats supposed to serve as a dmz, a safe zone. Theyre deposited and connected to the system that tabulates the votes. Thats not the case. This is a diagram that they created and handed out to Election Officials<\/a>. You can see the votes are coming over the internet, and coming and theres the firewall. You see the wires connected. And you see at the bottom that ems, thats the election Management System<\/a>, that tabulates the final results. Even though they say that that transmission of votes over the internet is unofficial, connected to that system thats receiving those unofficial votes is also the system that is tabulating the official results. Whats more, that election Management System<\/a> is also used to program all the Voting Machines<\/a> prior to an election. So all of these systems are connected to the internet. They are Critical Systems<\/a>. Im only couple more slides. When i brought this to emss attention, they didnt then say that nothing is connected to the internet. They said none of those Critical Systems<\/a> are pingable from the internet because theres a firewall in front. Theyre seeing first they said none are connected. Now when theyre faced with someone saying they actually are, they say well, they may be configured in some manner that youre showing but theres a firewall in front and therefore you cant see whats behind the firewall. But if you can find the firewall then you find the systems that are behind the firewall. So can i have a couple more minutes . One minute . Im wrapping up. One minute. So the sis themselves at the end, the election Management System<\/a>, they arent sophisticated. Its a laptop with the system on it. That firewall, the only thing thats protecting anyone from getting into those Critical Systems<\/a> behind the firewall are the rules of that firewall that say, only these certain systems can connect to us, only these can transmit data. But thats simply software, its configuration rules. If you misconfigure that software, anything can get in. Many, many hacks happen because firewalls are misconfigured. So heres another problem. If that firewall has any Software Vulnerability<\/a> itself you can bypass the rules and protection and get into the Critical Systems<\/a>. The very sysco firewall had a critical vulnerability announced in january of 2008 by sysco. If that turns out that password was sufficient. Many of these stayed available. Just because its available it doesnt mean they get patched. Shortly after that was available, Craig Williams<\/a> announces theyre now seeing exploits of this vulnerability in the wild. Hurry up, everyone, patch your systems. Hes warning. People are actively trying to attack systems that have this vulnerability. We see one more this roundup in wisconsin, these systems connected to the internet. We see sysco announces in 200 eig8. I asked are you aware of this and patching it . My impression was that they were not aware of it and started notifying customers. March 2018, Wisconsin Elections<\/a> commission, it cant immediately establish that patch. Theres a long process for adding patches to servers. So they initiate the process in march. Dont patch the system until julie. Theres six months in which a vulnerability are public and being exploited and the system not getting patched. These systems are fragile. Okay. Thank you. Philip. [ applause ] thanks a lot. Thank you very much for having me. Its an honor to share the podium with this distinguished group. So a lot of this has been covered already by andrew and kim. But the standard arguments that our elections cant be hacked in the u. S. Are some combination offiscal security, you cant get access, theyre not connected to the internet, theyre tested, and this is too decentralized, run by individual Election Officials<\/a> and counties and jurisdictions so its a hard target. Most of this has been debunked by the previous speakers. But physical security is preyed lax. Equipment has sleep overs in the school gymnasiums, churches. There are lots of dpam plz on the intnote of photos of election equipment warehouses where the Election Officials<\/a> warehouses with the door propped open and nobody watching. Just not true. It isnt true that the machines arent connected to the internet, and even if they werent it would still be hackable through other means. One of the things that hasnt been mentioned is supply chain hacks. There are components of these Voting System<\/a>s that come from foreign countries. A colleague of ours at copenhagen found chinese pop songs in memory of a voting machine he bought on the internet. So those songs made it through the Quality Control<\/a> of the election equipment vendor and then through how muchu however many elections it was used in by the official and were still there. More over, theres an issue in recording which im not going to talk about that much. But there are a number of states that outsource their reporting of election to third parties, some of which are corporations based in other countries like spain. So youve got to trust that the aggregation and reporting of the votes is accurate. Tested before election day, andrew talked about that. The diesel gait that something can behave differently on election day versus when its being tested. Even on election day there are other tell tails one could use if you wanted to try more sophisticated testing there would be ways to defeat that. The decentralzation turns out not to be true. There are small mom and pop shops responsible. They have very little if any i. T. Security. Another feature of decentralized systems is that there will be a link. Finally to tip the results of large con tests including the president ial election. Oop oopz the outcome of the 2016 election could have been changed by altering Something Like<\/a> i think fewer than 20,000 votes if you did it strategically in the right places. You dont have to hack the whole country, just get a few and change whats going on in a tight election. So as andrew mentioned, the thing that we really need to be working with is paper. Why is paper so special . Its hard to think of paper as a technology, but it is wonderful for this purpose. It has incredibly important security properties. First of all, its tangible and accountable. You can keep track of how many ballots you sent, how many came back voted, spoiled, unvoted. In order to do that you want to be sure you do things like use ballot stock that can be distinguished from regular paper that you can buy at best buy. It isnt that you cant remove marks or alter marks but its hard to erase without leave something kind of trace. If you have good proceed kolz around taking care of it, you can have some trust in it. I want to talk about the physical security aspect there. Roger johnston, who formerly did physical security for Argon National<\/a> lab around materials, at some point got interested in Election Security<\/a> and went to his officials so a show me how you use your seals. And was shown this box of ballots, slagtered with security tape all over it. You turn it upside down, you can open it from the bottom without disturbing the tape. Andrew wrote about this. Making sure the seals arent easily defeated with sol vercht or a hair drier or Something Like<\/a> that is incredibly important. The fact that humans can read paper ballots, if were talking about the human readable portion. Matt talked about that. One of the features of dimpled chads and hanging chads and pregnant chads is somebody could look at that. You cant look at the electronic state of memory of a Voting System<\/a>. This is becoming troibld because the vote of paper on the batted ballot is no longer the readable portion. Georgia is flirting with this right now making the qr the main part. In order to make large attacks on paperbased voting that requires allot of accomplices. You need to handle a lot of paper, make a lot of it appear or fall off a truck, on a truck, Something Like<\/a> that. In contrast electronic can be done remotely by a small number of people. You dont need access, a lot of accomplices. Paper is a great thing, but paper is not a pannacia. It matters how you mark it, take care of it, tabulate it and audit it. Andrew talked at some length about why ballot marking devices are not a good way to mark the paper if you want to know the paper has a trustworthy record of what voters expressed to the equipment. Ill talk about that more. This is our paper. So lets suppose that we have generated a trustworthy paper trail, meaning if we looked at it carefully we with know who actually won. How do we figure out whether the reported winner won . We cant trust the computers doing the tabulation. We cant trust the people involved. We can maybe trust some aspects of the system. What can we do . Were in a situation where we have to trust Election Officials<\/a> for just about everything. Im not saying that theyre untrustworthy but it would not nice not to have to trust people, and perhaps not all of them are. I would characterize what we have in the u. S. Is procedurebased elections. They say i followed the rules, use certified equipment, this is the result. Trust it. And i would liken this to a brain surgeon doing brain surgery and saying, i used a sterile scalpel, followed the instrictions, the patient is fine. You actually ought to look. Thats what auditing is about. Look and have evidence, not just rely on following procedures. Any way of counting votes can make mistakes, even hand counting ballots in a group can make mistakes and in fact does. Every Electronic System<\/a> is vulnerable to bugs, configuration, hacking and other things. Is it true that despite all of the things that might have gone wrong, the reported winners really won . Or did these problems actually rise to a level of altering the political outcome of the contest . Now, its an unattainable goal to insist on counting every last vote with perfect accuracy, its not going to happen especially if were going to allow hand marked ballots. People are going to mark in funny ways. The technology cant tell what they intended. Humans generally can tell, and there are examples from recounts in minnesota where what was the fraction of votes that were general and am wows. 99. 99 . In some people say we cant have those because the machines cant read them p that doesnt matter. What matters is whether a human being can read them. We can allow for a number of mistakes provided we can catch it. The goal is not count every one perfectly, count well enough to get the right outcome, the right winners or winner. Here are the 3 cs of Election Integrity<\/a>, evidence based. The voters need to create a complete durable voter verified audit trail. Then you got to take care of it. There needs to be adequate curations of paper trail to make sure it tase trustworthy. That is a nontrivialial problem. It is physical and accounting, not a cybersecurity problem. Its the kind of thing that if we ought to be able to count on local Election Officials<\/a> to do anything, we ought to be able to keep track of the paper. That seems like job number one. Finally we need to have some kind of an audit of the reported results against that paper trail. Done in a rigorous way that has the possibility of correcteding the outcome if the outcome is wrong and has a large chance of doing that. How can you catch and correct wrong outcomes . If you have a trustworthy paper trail you could count all the votes by hand and that would tell you who won. Thats expensive. So what are are ge going to do instead . If youre willing to permit a small risk, you typically dont need to look at that many ballots when the outcome is right. What is a risk limiting audit . Any procedure that has a known chance of reporting the it will never make a right outcome wrong. The risk limit is the largest chance that the procedure wont correct the outcome if its wrong. Wrong means that if you were to count the votes on a trustworthy paper trail youd get a different answer. Trustworthy means it reflects what voters intended and did. What they indicated to the equipment. Theres no way to limit the risk if you dont have a paper trail. If they don if the paper trail isnt trust wolty a count might reinforce the wrong answer or turn a correct answer wrong. The basic rule, keep checking evidence until you have convincing evidence that the reported outcomes are right. If you never get convincing evidence that the reported outcomes are right, you look at everything. So you stop if and only if it becomes clear that its pointless to continue. So if its not looking for a smoking gun or the absence of a smoking gun. Its looking for evidence that the outcomes are right. Its been endorsed by a lot of people. Theres a number of ways of doing it. Im going to talk about one of the lowest tech ways, a ballot polling audit, like an exit poll. Instead of asking voters you ask ballots. All right. So i just want to give you some examples of how much work this is. We looked at a number of every president ial race is really 51 con tests, the 50 states and d. C. If we looked at what it would take to limit the risk to 10 for the president ial contest from 92 to 2012, you would expect to look at less than 308 ballots statewide. This is not a heavy burden. Now some states would have to look at a lot. If youre talking about a tiny margin in the swing state its going to be different. Even in the 2016 president ial election we could have audited looking at less than a half of a percent of the ballots cast nationally. Ill shut up because ive been swooped off. Thank you. [ applause ] barbara. Better than i was. So i was originally going to call this talk, i can bank online, why cant i vote online . But then iowa happened. So ive been kind of obsessed for the past few days with trying to figure out what happened in iowa. Its not really voting per se because they are returning the results, not testing ballots. I do have some information about iowa. In fact i just got just before this panel i had a 45minute conversation with the ceo of shadow. Some of you may know that thats the company that did the app. Jeff gary from joyce town was with me. Hes over there. If you have questions about it afterwards and im not around, go talk to jeff. This is the outline. I did put iowa last because we have ten minutes, and i figured if we dont get to it now we can talk about it later if youre interested. Whoops, okay. Thats right. We should not do internet voting including cell phone and blockchain. Im talking about the voting, not iowa specifically. There have been multiple warnings as my panelists have said. Robert mueller most notably when he testified was most animated when he talked about russian interference in our elections. James mattis, secretary of defense, former, i think, warned about russian interference. Christopher wray whos still the fbi director did likewise. And the intelligence communities have been warning consistently about the threats. Including the Senate Intelligence<\/a> committee in a bipartisan statement, that said the Department Homeland<\/a> security expressed the Russian Service<\/a> done alphabetically probably included all 50 states, general election web paijds, Election System Software<\/a> and Election Service<\/a> companies. So if you werent already worried about the 2020 election, you should be now. Now, when it comes to previous elections, like the 2016 election, we dont actually have evidence that those were changed. But then again we didnt do a really careful search to try to find out. Thats one of the problems with a lot of what were confronting, is to say that there is no evidence that something bad happens doesnt mean we know for sure that something bad didnt happen. Its different. Internet voting is the return of a voted ballot over the internet by via web attachment or email. And i think its probably still the case that there are some people who dont understand that email is internet. Ive certainly had Election Officials<\/a> say we do email voting so we dont do internet voting, so thats not true. It goes out over the internet. It can be modified en route, you can have lost ballots, the danger of having no secret ballots, not good protection, you can have ballot box stuffing with counterfeit ballots. Email is not secure, nor is webbased. You can vote on your computer, a smart phone, a smart tablet, and so forth. There is Ongoing Research<\/a> thats trying to use crypto to come up with secure ways of doing way o voting. There is Nothing Available<\/a> thats robust. It is a problem that many of us are, my guest is if we ever get to security internet voting is not for a while. So, to state the obvious. How could under staff and under resource little election of little to know and security expertise protect their service in an internet space election who adversaries, political operatives or even your teenage son. Vulnerabilities are wellknown. On the internet knows that you are an adult. How do we know if y are a voter. Thats a major issue thats not solved in the United States<\/a>. Voter device could change. I think there is again at least in part of the general public who were not expert with computers, this notion where you see on the screen is what goes out on the internet or what gets stored in computer memory neither is true. Computers, components of things, what you see may not have anything that goes out of the internet. You can count on the receipt. I was actually in new york when sandy hurricane hit and i was trying to change my reservation on United Airlines<\/a> get two days to get through. Everybody was trying to reach United Airlines<\/a>. Thats one of the things that happened in iowa. Everybody was trying to call in. That was with united service. Where you send the vote can result in shaking the votes. You cant audit an empinternet based election. You have to worry about voter coercion, this is true for any kinds of voting and not just internet voting. This issue is raised when you have widespread vote by mail with people who dont necessarily need to vote by mail. Regulatio regulations. There is none. There is no government oversight or legal accountability and no ability to do recount. Technology was asked to develop standard internet voting and they threw up their hands. They produced the report but there were no standards. These were quotes. Technology thats widely deployed today is not able to mitigate many to cast ballots boo i tby the web. The computer poses a serious threat compromising the secrecy or the integrity of our voter ballot. We have internet voting in the United States<\/a> mainly for military and overseas voters. Many have been involved with internet voting, it is an ongoing task because a lot of people want to do it. We have been successful so far although there is a lot of pressure to change that. When it comes to military voters, the argument was well, the military cant get their ballots back on time. In 2009 i believe, the move act was passed. What it does is it requires states provide online ballots that can be downloaded. They can download them, print them out and fill it out manually and stick them in an envelope and mail it back. For military voters, they expedited so they can get it quickly. The beauty of the move act is it cuts down the transit time. You just download it over the internet. That has security issues. There was a major study done in British Columbia<\/a> in 2013, they spent 400,000 canadian money to look into internet voting. They were able to do this because of province of ontario in canada allowing internet voting at the top level. Based on that, their conclusion was internet voting does little to nothing to increase Voter Participation<\/a> in general. It does not increase participation. Talking about this earlier, this is an incredible myth, there is little to no evidence that internet voting is going to increase voting. So this is what we are conflicted today quite a bit. It is called block chains voting. It is basically where you store your information at the end after the voting already happened. Block chain can be a single or multiple owner. You have to have majority agreement and you can have collusion among owners and penetrate servers. There is no central authorities of Police Activities<\/a> and with voting, block chain for local officials which eliminate extra security of multiple owners and most of the pint. All internet vulnerabilities are still present with block chain. That report of 2018 says in the particular case of internet voting block chain methods do not readdress security of internet voting. There is no federal state certifications for block chain voting. Vote claims they dont need to be certified. They send the votes over the internet. There is no opening testing by third party or in the mock election elections. You can try to hack in a real election and you can go to jail and a big fine also. They claimed to have done security audits but nothing have been made public. Do we have one minute to talk about iowa . Very fast. I am not going to say much about it because there is a lot to say. You can ask me questions. The reason they move and they try to bring in technology because of all the criticism because theyre so undemocratic. It is difficult for Single Parents<\/a> to participate in this. Iowa initially allowed people to vote on cell phones. That was stopped by the dnc. Because of security threats. They decided none ttheless to g with this. The project was going to be the app plus the phone voting so they chopped off the phone voting and they have to redo the rfp on the app. They dont start working on the app until october. I mean they had enough time do it in my opinion. It was fairly irresponsible. Anyway, i could talk to you about that. My time is up. One quick comment because i talk about security testers, they could not tell me, all he said was he could not tell me who it was or why they have an nba. I will leave you with that. [ applause ] before we open it up, i want to ask one question of the whole panel and please feel free to bring on whatever perspective on this. I have been working in this area of Election Technologies<\/a> for a couple of decades now. Consistently during that time i think all technologies are accused i am saying that we should not use Computer Technology<\/a> we dont trust. I am just being sort of perspective that it is thrown back. We hear things like well, we put a man on the moon surely we can build a reliable Voting System<\/a>. We hear everything has vulnerability and so does everything else. We rely on computers for everythi everything, for the Banking System<\/a> and weapons. Why is this application so different . Stop being so fussy is the overwhelming message that i have heard a lot. I have brief moment of optimism when the National Academy<\/a> report came out of the consensus of the best experts, this is what we all agreed on. The uncontroversial baseline and it says used paper ballots and System Software<\/a> independent. Independent of software for its outcome. I thought well, great, well now have a strong statement of what we could do. When we see any of these maps of whats used in the country, we are doing poorly at deploying this and we hear again we put a man on the moon and everything has vulnerabilities and we rely on computers for everything. I would like to ask each of you, what is your response to that . Since the high order mark of paperless and touch screen machine in about 2003. Many states were using paper all s all along. Almost all states adopted ere machines after 2000s and abandoned them and moved to obstacle scan paper ballots. There had been a widespread understanding that Voting Machines<\/a> are hackable and paper ballot is the cold standard. There has been a lot less progress in consistent ways to audit and recount paper ballots. More understanding in more states. When i see the glass with more than 40 states now using paper ballots to record the vast majority of the votes, i see the glass is fourfifths full. Okay. So a lot of focus on the need of legislation, everyone is frustrated and mcconnell is not pushing legislation forward would require paper trails or audits. And federal law would be great but we dont actually need a federal law for the reasons that andrew just described. States have been very effective when they actually move and when they do take action dealing with the issue in their own jurisdiction. It would be great to have it all at once but in the absence of that, there is still optimism because the state do eventually come around. It is often as after something happens, california was the state that demands to require paper trails. That happens after one of the machine vendors, people lied about the software that was installed. They said it was one version of the software but it turned out to be uncertified version. Florida passed the law of requiring paper trail after a a major miselection sed election sarasota. More than 19,000 did not have a vote cast in a particular race and that caused them to use paper trails. It tends to take some kind of mishaps that moves progress along. I always say thank god for the russians. We would not sitting here today having the conversation or election hearing or any attention on Election Security<\/a> without the russians in 2016. I think it is optimistic. Snoo. So florida has paper. The auditors are not allowed to change the outcome. Having paper does not matter if you look at the paper. You got to look at the paper and it has to be kept secure. The operation for me is get paper and hand mark to anybody who can and learn to keep track of the paper. Thats something that no states are doing a very good job of by law or regulation. The individual elections and officials do good job but by and large we are not regulating it very well. You can do an audit and it means something. There is an enormous amount of logistical complexity conducting the audit. The method that you can use and Voting System<\/a> and no other special data or exports or anything else. Whether the state wants to audit from the top down is a whole. All of these things matter of complexities and it does involve a lot of people figureriing thi out which is why the pilot audits are so important. Why we are seeing states do things that are certainly on the panel would advise them not to do and i think the National Academy<\/a> advised not to do is i would say follow the money. The people who are benefiting from a lot of these stuff a are by having states go to all ballot mark and devices instead of using them as a accessibility option. What they say to the states does not seem get there is no consequences for that. Pennsylvania, what philadelphia recently bought, express code and excel and manufacture 2. 5 million for violation of procurement process. Yet, theyre still trusted as a vendor. Why would you trust them to count the votes. Theyre telling Election Officials<\/a> of the security of the systems and theyre trying to, they sold their system like easier Election Officials<\/a>. In some senses they might and other senses they dont. I think probably the best leverage here is the fear of public humiliation. The problem is it often cuts the other way. If you have an electronic Voting System<\/a>, it is difficult to be public or humiliated because there is no way to tell what happened. Or if you dont know it. If dont look at the paper, you dont know. I am worried of this whole push for block chain voting. It is being pushed by a particular vendor but the vendors being funded by a great wealthy entrepreneur. I think he believes this is going to increase Voter Participation<\/a>. Although we have been trying to tell him it wont. Thats vote but there is a lot of money behind votes but it is not for making money but for pushing this idea. There is another concern which is that the language that we have been using taking over by people who are not doing what it says. So people can vote on phones and the others if they print out the paper, well, we got it on paper trail. Voters have not verified it and you have no idea if what was sent from the cell phone was what voters intended. So this is a case where we have been too successful because people adopted the language without adopting the rules that it entails. I am also concerned about policymakers who want to do the right thing but dont some this Cyber Security<\/a> expert. We have seen it in iowa which actually cuts both ways as far as i am concerned because i am hoping iowa will help kill block chain voting. You didnt test this properly and why would we trust it. I dont see how anyone can advocate voting and when we had 2016 and all these russians attack. I want to change my answer. I am not optimistic. I am trying to respond to his. We have had some progress and there is a lot of attention now. The attention is push towards internet and mobile voting. Election officials seemed to say over and over again we get it now and after 2016 theyre in denial and now we are willing to have dhs coming without it. They still make that decision over and over again. There is nothing that say says there is nothing to force them to make good decisions. A lot of federal funding has been released to states to do whatever they want related to elections. There are not have many constraints if any of money being spent intelligently and etc. Some states are spending it in an unwise way. Theyre not going to get money in at least a decade. Well be stuck of the system that people are buying into now. There is not enough money to begin with. Well, it is not throwing more money out does not solve the problem. Okay. I got andrew and saying that i am 1 5, pessimistic. I will open it up for questions. Please use the microphone. What did you learn you said a little bit of the timing . Dont worry, it wont leave the room. I didnt ask about the amount of money. They got money and they got money from iowa on the candidate. Candidat candidat candidates. It is a small app. The fact that they did not start until october, i find it mind blowing. They did do some security testing, they did not do red team testing. They found one major problem which they corrected and two or three priority columns which they also corrected. They said it was in the back end. The app worked fine. In terms of ability testing it was inadequate. The idea this app is used by elderly people, they were not accustomed to use smartphones and they did not get the app until late. The Iowa Democratic<\/a> party, this notion of security of obscurity by not making it public that people wont be able to hack it. Any security person would tell you it is just wrong. You want to make it public and let people try to hack it so you can find their vulnerabilities. Thats the way you do it. This is a case where you have policymakers making decisions and not listening to people who knows whats going on. I coauthor a book, doug jones, he was yelling and screaming about this and they were not listening to him. Good afternoon, few of you spoke about the National Academy<\/a> p i took a look at the report, that recommendation of audits, includes a line of the fact that folks should adopt it within a decade. That line is right there and recommendation of 5. 12. The question that i have here for folks here and professor starke begins to touch on logistics. This is a gold star report and they were the expert thats involved. Why was that the recommendation . I would welcome feedback from anyone here in the panel. Well, let me first explain the rational for that particular recommendation. We have paper ballots but at e leks they are available or recount. I will take orange county, california, they did a pilot risk audit in the summer of 2018. The first one in 2011. That handled 1. 8 trillion papers. You need to train the staff we are going to do it. Why do you need to do this at all and you move into the logistics. The thing that we can snap your fingers now and having audits for november 2020 election in every state would lead to a melt down of the audits. It cant be done over night. We have to get there as quickly as we can with you know training and design of administrative and logistical featurefeatures. I have been involved in 20 pilot audits now in local jurisdictio jurisdictions. If we want to audit, the big problem is not the paper handling for the audit itself. It is really knowing where the ballots are and how they are stored. That should be a no excuse of local Election Officials<\/a>. If they cant tell you how many ballots they got and where they are, it is like the morning after you are watching and you know the ballots where they are. The answer should be yes. Every content is on the ballot. Thats a much bigger logistical problem. To be able to do something to limit the risks, it would be in states to have paper in 2020. If i can join in also. It is not only the technology thats not necessarily available everywhere. We still have the dres. Also, laws. In michigan i dont know if this is still a law but in 2016, i was involve inside the recount efforts, there was a law that says if the number of ballots do not match, you may not recount. Now you know why . Thats probably you have to do significant changing of laws at the state level. Our audit is funded at the county level and state levels. In some cases you know the question is do we want the potholes repaired or audits. There are problems at every level here enrolling this out and some of them are just really simple. Again, if we are talking about at the top of the ticket content, 300 ballots statewide more than half of a time. Thats an expense. It requires you know doing it. Yes. You got to do it. I witnessed the colorado audit and i was out there to do it. It took a decade for them to get there. It was extremely complicated process of keeping track. They had a system down, it was scientific and which they did not and it was remarkable in the way they did it and they knew exactly what row and what box and what number in that box was the ballot they were looking for. That does not happen over night. It took a decade. Roughly three years of that ten years was arguments between the secretary of state and the county of what they were going to do. A couple of years or three years of it was the procurement process because they decided to change all their equipment in a particular way. It may be audit easier but it was not essential. Yes, it took ten years but not all the audit parts. I am lizzie thompson. Alexander suggested that i let you know that a group of us in the American Bar Association<\/a> drafted a resolution that would be presented to the house of delegates on february 17th which contains recommendations for Congress Consistent<\/a> with the National Academy<\/a> to report and the debt time report. Congress for several elections should provide funding to finish the Cyber Security<\/a> guidelines and they should be mandatory and all voting equipment and Software Related<\/a> and items should be certified. So purely comprehensive resolution and if yall want copies, i am happy to provide it. Thank you. Basthank you for all your important work. I think we have time for one more. What is it that attracts people to such formal guarantees, it is clearly not which ones are most effective. What attracts to what . Various formal guarantees . How can we succeed, is that your question . Broadly, sure. There is places that formal methods can play a role like you try to prove software is correct and what it is supposed to do. Analysis and others are all equ qualitative. I am not sure on answering your question but i dont think there is a formal answer to all of it. It seems that the risk access which is statistical guaranteed. It is not effective, starting out people who would like to be involved in this business where as block chain is. Yeah. We have to somehow convince people that accuracies matter. Another thing that i would like to see people take on is timing, timing should not be the ultimate thing. You got to get the report right away. Lets take the time and do it right. People dont want to hear it but thats an important message. We have ten minutes for a break now. Anybody want to talk about Iowa Campaign<\/a> 2020 is in nevada today. Live coverage on cspan. Watch on demand at cspan. Org and listen on the go with our free cspan radio app. Joining us on saturday at 6 00 p. M. Eastern for the results of the nevada caucuses, precinct results and can dadida speeches, Bernie Sanders<\/a> and tom steyer and Bernie Sanders<\/a> and Amy Klobachar<\/a> and elizabeth warren. Listen live on our free cspan radio app. Our cspan bus is traveling across the country asking voters what issues should president ial candidates should address. The most important issues for me is civil rights and civil liberties. Criminal Justice Reform<\/a> and reproductive premium. Theyre more important than ever because we are seeing them being violated left and right. They are definitely important as every other issues. The issue thats most important to me right now is our veterans do not have housing. I feel as though New Hampshire<\/a> since it is one of our 50 states should do more for our veterans, right now veterans have to leave or go to vermont or they need to go to massachusetts in order to get the services they need. I dont think it is appropriate. These people made the sacrifices for our country and they should have the services when they come home. Rejoining the paris accord. The most important thing to me about this campaign is the truth. We need to work on gun violence and healthcare and college education. We have a lot of things to work on. When the senate votes openly and against the truth and partisan manner, it is time for us to return to our roots, face staff and listen to witnesses. It is time to face the truth and move forward and we cant do that if we dont open our eyes and if we dont pay attention. One of the most porimportant issues to me is education and the cost of education for post graduate and graduate work. Also the concerning legislation of the Trump Administration<\/a> in regards to k through 12. The boss has not done a lot for","publisher":{"@type":"Organization","name":"archive.org","logo":{"@type":"ImageObject","width":"800","height":"600","url":"\/\/ia802804.us.archive.org\/10\/items\/CSPAN3_20200221_154600_Georgetown_Law_Discussion_on_Digital_Technologies__Voting\/CSPAN3_20200221_154600_Georgetown_Law_Discussion_on_Digital_Technologies__Voting.thumbs\/CSPAN3_20200221_154600_Georgetown_Law_Discussion_on_Digital_Technologies__Voting_000001.jpg"}},"autauthor":{"@type":"Organization"},"author":{"sameAs":"archive.org","name":"archive.org"}}],"coverageEndTime":"20240716T12:35:10+00:00"}