Call to Order and Roll Call
The third meeting of the Military and Overseas Voting Assistance Task Force was held on Wednesday, December 11, 2013, at 12:00 PM, in Room 149 of the Capitol Annex. Representative Darryl T. Owens, Chair, called the meeting to order, and the secretary called the roll.
Present were:
Members: Senator Joe Bowen, Co-Chair; Representative Darryl T. Owens, Co-Chair; Senator Jimmy Higdon, Representative Tanya Pullin; Keith Cain, James Fowler, Bobbie Holsclaw, Charles T. Jones, and Lindsay Thurston.
Guests: Justin Lee, Deputy Director of Elections, Office of the Utah Lieutenant Governor; Lori Steele, Founder, Chairman and CEO, Everyone Counts, Inc.; Dan Nolan, Vice President of Strategic Planning/Government Relations, SOE Software; and David Jefferson, Ph.D., Center for Applied Scientific Computing, Lawrence Livermore National Laboratory.
LRC Staff: Greg Woosley, Kristopher Shera, and Ashlee McDonald.
Approval of Minutes
The minutes of the November 12, 2013 meeting were approved, upon motion by Senator Higdon and second by Ms. Thurston.
Utah’s Approach to Military and Overseas Voting
Justin Lee, Deputy Director of Elections, Office of the Utah Lieutenant Governor, stated that there are 2.8 million residents in the twenty-nine counties of Utah. Utah allows limited electronic voting that began with a pilot program approximately fifteen years ago. Military and overseas citizens can apply for and return ballots by fax and email and have been permitted to do so for the last several election cycles. Almost all ballots sent electronically are returned successfully, and no significant issues have been reported.
In 1998, Utah began its pilot program to allow electronic voting, and initially a large number of ballots were returned by fax. By the 2012 election cycle, the numbers had dramatically switched, with two faxed ballot returns, 1,008 email ballot returns, and 1,307 regular mail ballot returns.
For the ballot to be sent to a voter and received by the elections officials in a timely manner, the voter must request the ballot by the Thursday before an election. Utah is able to do this because of the electronic means implemented to allow online voter registration and ballot retrieval. By sending a ballot electronically, the voter signs a form waiving the right to a secret ballot. The waiver is not required; if a voter chooses not to waive the right, the voter can still send it by mail and retain the right to a secret ballot.
Utah has also implemented a signature program in which it works with the Department of Driver’s Licenses to obtain signatures of the residents when they apply for a driver’s license. Through this partnership, Utah has approximately 95 percent of voters’ signatures on file. When the voter receives a downloaded ballot, it is signed, scanned, and returned to a clerk’s office, and the clerk’s first step is to check the signature against the one on file. The voter casting a ballot is then “marked off” in the statewide voter database, and no duplicate ballot is counted for that signature.
After the signature is verified, the ballot is duplicated on a second ballot to make it “secret,” and this second ballot is submitted for counting purposes. The original ballot is then locked away and stored and cannot be opened or examined unless ordered by a judge. The first cast ballot received from a voter is the one that is counted and recorded, and no additional ballots or changed ballots are accepted. Mr. Lee also noted that Utah’s military and overseas balloting process was partially funded by a grant from the Federal Voting Assistance Program (FVAP), which allowed Utah to establish an online ballot retrieval system. Although this system is not an online voting system, the online ballot retrieval system allows military and overseas voters to access a ballot online, and then mark, sign with an electronic signature, print, and return it by an approved means.
Mr. Lee said that over 80 percent of the voters that use the system are overseas, and over 90 percent of voters have reported they would use the system again. The biggest complaint heard from Utah voters is that they are not able to complete the entire voting process online. Aside from this complaint, Utah’s county clerks report that voters are happy with the modernized voting system.
In response to a question from Senator Bowen regarding the privacy of a voter and why a waiver is required, Mr. Lee stated that when a ballot is emailed back to a county clerk’s office, an election official must open the ballot and verify the voter’s signature, and at that time an election official can see how a voter has voted. However, no more than two election officials are authorized to view the ballot, and because the emailed ballot is converted to a second ballot after the signature is verified, privacy concerns are minimized. In response to a question regarding signatures, Mr. Lee testified that Utah has a partnership with the drivers’ license bureau to obtain signatures, and that anyone who registers online consents to allowing his or her signature to be used. There has not been, to his knowledge, any incident where a signature has been duplicated or ballot secrecy compromised other than being seen by the two election officials who examine it.
In response to Ms. Thurston’s question regarding options for the return of ballots in the case of an emergency or natural disaster, Mr. Lee explained that if there were an emergency disrupting military voting, Utah has the authority to use alternative dates and times, and other emergency procedures to ensure votes can be cast and counted.
Mr. Lee responded to a question from Mr. Fowler as to why ballots are printed out and copied to a second ballot by explaining that the ballot reader only accepts a specific format and type of paper. The transmitted ballot has the voter’s name on it for verification purposes.
In response to a question from Senator Higdon about the number of counties and election cycles that have used the electronic voting system, Mr. Lee stated that during the pilot program, only half of the counties in Utah were involved. Utah has used a similar system for all elections since 2010.
In response to Mr. Cain, Mr. Lee explained that Utah needed a statutory amendment for citizens to be allowed to waive their right to a secret ballot. He noted that Kentucky might need to make a similar change to allow its voters to waive any ballot secrecy provisions.
Technology Utilized for Electronic Absentee Voting
Lori Steele, Founder, Chairman and CEO, of Everyone Counts, Inc., showed a comparison of traditional mailed-in ballots versus electronically transmitted ballots. While technology is not perfect, the proper use of technology can raise the bar on election efficiency, security, and privacy. The use of the military common access cards (CAC) can aid the security of ballots for military voters. The key to electronic voting is security in the ballot transmission process. Ballot encryption is very important, and a robust encryption process can result in far greater security with electronic ballots than with standard glue-sealed mailed ballots. The use of electronic ballots greatly increases the accessibility of voting, particularly for overseas voters.
Nineteen of twenty states that participated in a military absentee voting pilot program failed to deliver ballots properly and on time. However, these failures were largely a result of poorly designed systems or processes. If proper funds are spent on good systems and processes, the use of electronic voting can be successful at delivering ballots on time, securely, and privately. Everyone Counts has assisted several states and numerous countries in conducting either online voting or elections using electronically transmitted ballots for the last several election cycles without any security issues reported. The deployed systems have passed all audits conducted and most, if not all, users have been elated at the successful use of the systems.
To accomplish these results, Everyone Counts takes security very seriously, and its system uses a high level of encryption for ballot preparation, transmission, and authentication. The system is designed to resist denial of service attacks, and although deploying these protections is expensive, they are critical to ensuring the security of the system. The protocol Everyone Counts uses enables voters to securely communicate with elections officials in a way that is designed to prevent and detect any eavesdropping, tampering, or forgery; however, the system is also designed to allow voters the flexibility to use any HTML compatible device.
Everyone Counts recently developed a new version of its system using CAC cards. Everyone Counts has been working with South Dakota, has tested hundreds of users in the South Dakota National Guard, and has received positive feedback. The program manager stated that Everyone Counts needed to find a solution for South Dakota so that the turn-around time for military and overseas ballot requests and submission was less than the average 60 days. Everyone Counts implemented a system using the already-in-place CAC card, which the military uses for all online access purposes and contains a digital signature. The original implementation allowed a user to scan the barcode on the bottom of the card, which would contain the user’s information, and Everyone Counts’ system would validate all of the information for the ballot and ensure that all of the required areas of the ballot were filled out accurately.
There are several states and countries with increased internet voting, and there have been slight security issues, as would be expected with any technology software. Overall, voters and elections officials that have used the systems have been extremely pleased. In response to a question from Representative Owens, Ms. Steele stated that more systems have been utilized in western states because those states generally see a higher rate of absentee voting, but Everyone Counts has deployed a system in West Virginia as well. There have been no detected security breaches and no evidence of voter fraud using the systems.
Dan Nolan, Vice President of Strategic Planning/Government Relations for SOE Software, testified that with the SOE system voters could request an absentee ballot, submit credentials for system verification, and log on to the state’s online voting website. Mr. Nolan then walked through a short demonstration of how the SOE system would work for a hypothetical voter. There are numerous voter verification steps to be followed in order to submit a vote, and only once a ballot has been verified against the voters’ information, can it be successfully submitted. Mr. Nolan also confirmed that, like the Everyone Counts system, the SOE system is designed to detect any attempted security breach or effort to hack into the system.
Ms. Steele responded to Mr. Fowler’s question in regards to online delivery and online return by stating that the percentage is much higher for online delivery rather than online return.
In response to a question from Senator Higdon regarding electronic returns that are unaccounted for, Ms. Steele stated that with encrypting each ballot and encrypting each election, it is highly unlikely that this would happen.
David Jefferson, Ph.D., Center for Applied Scientific Computing, Lawrence Livermore National Laboratory, said that there was no question that electronic voting is the more convenient way to vote. The security community nearly universally agrees that online voting is one of the greatest challenges facing security professionals. He said he is not opposed to electronic registration of voters or electronic delivery of ballots to voters, but electronic return of ballots is one of the most dangerous processes when it comes to ensuring the integrity of an election. As an example, Dr. Jefferson stated that if an automated attacker attacks an online election, it could attack a large number of votes, and anyone, anywhere in the world, can conduct a fraud on an online ballot or election. Voters and elections officials may not be able to detect if a ballot, or an entire election, has been the subject of an attack because one of the goals of a successful attacker is to purposely hide the tracks of the attack and erase the log files.
Dr. Jefferson explained that there are three types of fundamental attacks. One is a malware attack in which the actual device or machine a voter is using to vote is attacked. The second is a denial of service attack, which is designed to prevent people from voting or prevent votes from getting to their destination, which were successfully used in elections in Canada in 2003 and Hong Kong in 2012. The last type is the penetration attack, where an attacker directly attacks the server that is collecting the ballots. As one example of how these attacks might work, Dr. Jefferson noted an online voting system was deployed for a mock election in the District of Columbia and was subjected to tests to determine if the system was secure. Within 36 hours, the system was breached, all ballots were removed and replaced with other ballots, and the breach was not detected. The D.C. system was likely not as sophisticated as the systems developed by Everyone Counts and SOE software, but there are no fundamental ways to prevent a similar penetration and manipulation of the elections process if electronic voting systems are used, which means these systems are not appropriate for important elections.
Sophisticated technology companies spend an exorbitant amount of money on security, but Google, Apple, Microsoft, and even the non-classified side of the Lawrence Livermore Labs, have all been breached. Ballot secrecy is not just a privacy issue, but also is a fundamental issue of democracy that is threatened by the possibility of vote buying, coercion, and threats or reprisals over how a person has voted. Dr. Jefferson stated that, in his opinion, email and faxing ballots are the most dangerous electronic processes as there is no method of encryption for a ballot.
Senator Higdon voiced his concerns over the frustration of technology not working properly and how that may affect the online voting process and submission. Mr. Nolan explained that, during the online submission process, there are three steps to allow a voter to discontinue casting the ballot online if the effort was unsuccessful. The voter could then choose to return the ballot by mail.
In response to a question from Ms. Thurston, Mr. Nolan stated that his software has experienced a denial of service attack, but the attack was unsuccessful. Ms. Steele agreed, saying her company has faced similar attacks but has mitigated every one.
With no further business to come before the task force, the meeting adjourned at 2:00 p.m.