In response to the reports of vote flipping in Texas, on Friday Oct 26 I wrote this open letter to the director of elections and copied the secretary of state:
Dear Director Ingram
Confidence in the integrity of our elections is critical to our country and to Texas.
I am a software engineer in the area of risk/fraud, and I have a suggestion that I think should be carried out immediately to address the ‘vote flipping’ problem that has been reported with the Hart InterCivic machines in Texas.
At a randomly selected set of precinct locations, staffers and invited independent observers should
A) inform voters of the possible problem (NOT telling them how to avoid it by not pressing the button at the same time as flipping the dial, but telling them specifically to verify their final choices and correct them if necessary before submitting)
B) survey these voters on exit, as to whether the problem occurred, and if so which votes were flipped.
Then, it is important to publicly report the results of how many votes were flipped in each direction, relative to the intended vote. Independent observers should likewise be able to publicly report the results of the sample.
This way, we can statistically estimate what the impact may be of the machine errors, and have a level of confidence as to whether or not it is affecting the election.
Without taking this or a similar step, we cannot know whether the machine error is actually invalidating the results of the election.
I’m sure you are concerned for the integrity of our election system, and I strongly urge you to take this step immediately.
I am also posting this letter publicly.
Thank you for your work and for taking steps to protect the integrity of our elections — as is your sworn duty, I believe. I would be happy to advise on the implementation if you would like.
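The estimate proposed in the letter above, sketched in Python as an added example that is not part of the original letter or post. The function names, the sample counts and the simple-random-sample assumption are illustrative, not taken from any election office procedure.

```python
import math

def net_flip_rate(n_surveyed, a_to_b, b_to_a, z=1.96):
    """Estimate the per-voter net flip rate toward candidate B.

    Each surveyed voter scores +1 (A flipped to B), -1 (B flipped to A) or 0.
    Returns (estimate, low, high) from a normal-approximation interval.
    Assumption: voters form a simple random sample. Sampling whole precincts
    clusters the data, so the true interval is wider than this one.
    """
    if n_surveyed < 2 or a_to_b < 0 or b_to_a < 0 or a_to_b + b_to_a > n_surveyed:
        raise ValueError("inconsistent survey counts")
    mean = (a_to_b - b_to_a) / n_surveyed
    second_moment = (a_to_b + b_to_a) / n_surveyed  # E[x^2] for x in {-1, 0, +1}
    variance = (second_moment - mean ** 2) * n_surveyed / (n_surveyed - 1)
    stderr = math.sqrt(variance / n_surveyed)
    return mean, mean - z * stderr, mean + z * stderr

def margin_impact(rate_interval, ballots_cast, reported_margin_for_b):
    """Project the sampled rate onto all ballots cast.

    An uncorrected A->B flip takes one vote from A and gives one to B, so it
    moves the B-minus-A margin by two votes. Surveyed flips include those the
    voter caught and corrected, so this is a worst-case projection.
    """
    est, low, high = rate_interval
    shift = [2 * r * ballots_cast for r in (est, low, high)]
    return {
        "margin_shift_estimate": round(shift[0]),
        "margin_shift_low": round(shift[1]),
        "margin_shift_high": round(shift[2]),
        # True when the interval excludes zero: flips favour one direction.
        "flips_one_sided": low > 0 or high < 0,
        # True when the upper bound could account for B's whole margin.
        "could_exceed_margin": shift[2] >= reported_margin_for_b,
    }

# Constructed exit-survey counts, for illustration only.
SAMPLE = dict(n_surveyed=2000, a_to_b=30, b_to_a=10)

if __name__ == "__main__":
    interval = net_flip_rate(**SAMPLE)
    print(margin_impact(interval, ballots_cast=1_000_000, reported_margin_for_b=25_000))
```

Reporting the counts in each direction separately, as the letter asks, is what lets the interval distinguish one-sided flipping from symmetric user error.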
On Saturday morning 10/27 I received this response, which was copied also to several email addresses within the Texas secretary of state office:
Golda – Thank you for your kind and respectful message and thoughtful recommendations.
Please rest assured that we have all of these mechanisms in place and that the issue is not as rampant as it is being portrayed. In many counties, these systems have been in place for 16 years, and very few related issues have ever been reported.
Most importantly, we have performed extensive training of our county election officials and have excellent audit procedures that allow us to identify potential problem areas.
I will be issuing a state-wide advisory shortly. I will make sure I send it to you personally and hope you can share with your network of friends and family.
I appreciate your concern very much. Thank you.
Best regards,
Rolando
Rolando Pablos
Secretary of State
Capitol Building
Room 1E.8
Austin, Texas 78711
After discussion with Jenny Cohn and others, today (Sunday 10/28 evening) I sent this reply:
Hi Rolando
Thanks for the quick and thoughtful response! I would very much like to see the audit procedures; are they posted somewhere?
I'd like to explain why I am concerned that an audit without local paper copies may still be vulnerable, and why a public, transparent and timely response is so important.
My job is in the risk/fraud engineering dept at Postmates, so I am well aware that fraudsters adapt and use sophisticated tuning methods, and that is only to gain a fairly small amount of money. The stakes here are obviously much higher, and would justify a higher level of effort. Here are two examples I could imagine of potential fraud, one of which I don't believe is detectable without hand counted paper ballots:
Vulnerability examples
1) Suppose through a bad actor hire, a hack into the election management system, or if individual machines were at any time connected to the Internet, rogue software was added to a number of voting machines, which internally adjusted totals in a consistent direction by flipping votes from one side to the other. When the machine totals are gathered, how would an audit be able to detect that they are incorrect? Note that an intelligent hack can be programmed to detect patterns that are more likely on the real election day, such as delays during the vote process while the user examines the ballot, number of votes cast, time period over which the votes are cast, and the computer internal clock matching an election period.
The best way to detect such a hack is to randomly sample physical, voter-verified votes cast vs machine totals. Since we do not have paper ballots, the best currently available way would be to simulate actual voting, including real voter behavior such as pausing during ballot casting, on randomly selected machines and verify their behavior, being careful not to include the simulations into the totals. To ensure voter confidence, such testing would best be done publicly with independent observers present including during the random choice of machine to test.
2) Suppose the election management system which aggregates votes were hacked to report incorrect totals and to adjust the precinct level counts? Is there a mechanism to verify the totals reported by the system, versus the totals that were reported locally at the precinct? Is any immediate and local record made of the totals at the precinct and machine level before the totals are delivered to the central aggregator?
Public Transparency: Many Eyes Make Bugs Shallow
Any software engineers on your staff will surely have heard the open source maxim that "with enough eyes, all bugs are shallow". This means that having many people looking for possible flaws in a system is likely to produce a more secure result than having even the best expert design it solo. If your audit and security procedures are public, concerned individuals can look for vulnerabilities such as:
- have your election management systems ever been connected to the Internet?
- are they in physical custody of trusted State or County employees at all times, or are they maintained by private contractors?
- how is the programming distributed to the voting machines, and how is a chain of custody maintained over the USB sticks or memory cards?
- what type of auditing or random sampling methods are used to verify the integrity of the vote? Can independent observers be present?
- are local precinct and machine level totals made public immediately?
- do you perform a Risk-Limiting post-election audit (RLA)? (I believe this is not possible without a paper trail; see https://www.stat.berkeley.edu/~stark/Preprints/gentle12.pdf)
I am bringing these things up not to try to embarrass your office or to level criticism; it's just that having an open and critical discussion of the methods is so important to ensuring election integrity and public confidence in our democratic process.
I know your staff is busy, and I am absolutely respectful of people's time; however I do believe that making this a public conversation actually will improve the quality of the process.
*** Could someone respond in a timely way with links to the security and audit procedures followed?
I would also very much like to put whoever is in charge of this, in touch with someone such as Jennifer Cohn (election integrity expert -[email removed]) or Philip Stark (one of the authors of the authoritative paper on RLAs - [email removed]). Even with years of experience supervising elections, to take on the new challenges that hackers constantly develop requires cooperation between experts nationwide. This is the case even in much easier risk environments. Yours is by nature an extremely difficult to manage risk because of the multiple points of vulnerability.
I sincerely thank you for handling this openly and for taking the time to respond and to look into these issues. You have authority over a critically important process and it is so important that we address all potential vulnerabilities.
Best regards,
--Golda Velez
Sr Software Engineer
ps. In the interest of public accountability and transparency, I am going to post our email exchange publicly; again, I am not doing this to cause problems for your office; I really think it's essential for it to be a public conversation - both for the reasons of many eyes, and for the sake of public confidence in our elections. I also hope it will be an example of a constructive way to engage, rather than any kind of accusation or shouting match, but that it will produce results.
I believe that there is a real vulnerability and a real possibility of election hacking, but that it is likely that the Secretary of State and most or all election officials are not directly aware of it if it has occurred. I am trying to have a genuine dialog and constructively reduce the vulnerabilities that exist — which I believe are fairly glaring. I will post any response here.
For those interested in election integrity (all of us, I hope?), here is Jennifer Cohn’s excellent list of suggestions to address risk in real time.
Also, here is a maybe more reader-friendly piece I wrote last year on the importance of hand-counted paper ballots and why those are more secure than any electronic voting method: Little Old Ladies Counting Ballots Are Our Best Bet for Democracy