Democracy's need for lifeboats in the form of hand-marked paper ballots...
By Ernest A. Canning on 8/30/2019, 9:35am PT  

Like those who took part in the ill-fated maiden voyage of the RMS Titanic as it blindly traversed the Atlantic, many American citizens are rushing headlong towards a pivotal 2020 election, unmindful of the potential for yet another e-voting catastrophe.

In 1912, in defiance of science, passengers and crew mistakenly believed that the Titanic was "unsinkable". In 2019, far too many Americans are either unaware of or have chosen to ignore repeated warnings from computer scientists. For many, the very idea that a Presidential selection could be the product of election fraud or failure in the form of undetectable, malicious manipulation or error of electronically tabulated ballots in disparate local, county and state-run election systems across an entire nation is simply unthinkable.

In 1912, ignoring the danger led to the deaths of 1,500 of the Titanic's 2,224 passengers and crew --- paltry numbers when measured against the threat to humanity's very survival that would be embodied in another four years of the Trump Administration's greed-over-science, anti-environmental policies.

Over the past two decades, the central problem for both computer scientists and election integrity advocates has not been the question as to whether all e-voting and electronic tabulation systems are vulnerable to manipulation via external hacks, mis-programming or malicious insider manipulations --- they are! Instead, they've been stymied by the near impossible task of proving that a given election result was fraudulent. That inability is occasioned by the fact that, in the absence of timely forensic access to the system, its ballot programming and its source codes, electronic theft is largely undetectable in any system that does not deploy hand-marked paper ballots.

While e-voting vulnerabilities to all manner of manipulation, as well as unintended programming errors, have always been present, both the threat of wholesale electronic theft and the dire consequences of that threat in 2020 have never been greater.

Fortunately, just as help for the surviving Titanic passengers and crew was just over the horizon in the form of the HMS Carpathia, democracy itself may be saved as the result of the valiant efforts by the Coalition for Good Governance ("the Coalition") to help compel the State of Georgia to conduct verifiable elections on hand-marked paper ballots. The help may not only save Georgia, but save the entire country, eventually, as evidenced by the extraordinarily well-informed 153-page ruling [PDF] that was recently handed down by U.S. District Court Judge Amy Totenberg…

Systemic vulnerabilities

As we warned in 2017, there are some basic election integrity truths that need to be understood.

The first basic election integrity truth, as The BRAD BLOG reported in 2009, following a stark presentation by a U.S. intelligence officer to the U.S. Elections Assistance Commission (EAC), the nation's only federal agency at the time devoted to overseeing the use of electronic voting and tabulation systems, is that all electronically stored and/or processed data --- registration records, poll books, ballot definition scripts and, most importantly, computerized vote tabulators --- are vulnerable to malicious cyber intrusions.

The second basic truth is that election system vulnerability is not confined only to malicious hackers. All electronic vote tabulation systems are vulnerable to malicious manipulation by insiders, whether by elections officials or the private contractors they hire to oversee state, local and federal elections.

Those basics were recently reiterated in an academic paper [PDF], authored by computer scientists, Andrew W. Appel (Princeton), Richard A. DeMillo (Georgia Tech) and Phillip B. Stark (U.C. Berkeley). That academic paper addressed the vulnerabilities on the newest form of e-voting systems --- currently being deployed in jurisdictions across the country, many in key battleground states, in advance of 2020 --- known as touchscreen Ballot Marking Devices (BMDs).

BMD-generated "paper trails" are not reliable because they cannot be known after an election to reflect the intent of any voter.

"Every computer in every system," the authors of the paper released this past May observed, "is vulnerable to compromise through hacking, insider attacks or exploiting design flaws." This is true with respect to Direct Recording Electronic (DREs) --- usually touchscreen machines, which are 100% unverifiable with or without a so-called "paper trail". That vulnerability also exists with respect to BMDs, which are essentially expensive electronic pencils. A voter uses a touchscreen to express their selections to the computer, which then uses a printer to mark a paper ballot --- with a human-unreadable barcode and/or human-readable selections --- to be subsequently tallied by yet another computer system, an optical-scanner.

"Like any computer," Appel et al observe, "a BMD is vulnerable to hacking, installation of unauthorized software and alteration of installed software."

Those vulnerabilities are especially troubling in the case of BMDs that produce paper printouts bearing "human unreadable" barcodes, which are, according to the computer scientists, "impossible to verify":

Any coded input into a computer system poses the risk that the input-processing software can be vulnerable to attack via deliberately ill-informed input. In the worst-case scenario, an attacker could gain complete control of the system. If an attacker were able to compromise a BMD, the barcodes [can serve as] an attack vector for the attacker to take over an optical scanner too.

These forms of illicit manipulation can go undetected during pre-election "logic and accuracy testing" because BMDs, like DREs, "can be programmed to behave properly when they are tested and misbehave in use." That is what Volkswagen was caught doing for years in 2015 with their so-called "clean diesel" automobiles. When the vehicles sensed they were being tested in the garage they gave one value to emissions testers. But, once on the road, they emitted pollutants at levels as high as 150 times that of normal cars.

Recently, Wired's Kim Zetter debunked the claim made by BMD vendor, ES&S, that its systems were safe because its BMDs are "air gapped" --- essentially, disconnected from the Internet. Researchers, Zetter observed, discovered "nearly three dozen backend election systems in 10 states connected to the internet in the last year, including some in critical swing states". [Listen to Brad Friedman's chilling BradCast interview with Zetter on that here.]

Those findings mirrored an earlier revelation that prior and subsequent to the pivotal 2016 Presidential Election, the computer servers used to administer Georgia's 100% unverifiable Diebold touchscreen DRE voting system --- including administrative passwords --- had been left wide open where anyone could access them on the Internet.

Hoping to retrieve a few documents that would facilitate an understanding of the security procedures utilized by Georgia's election administrator, in August of 2016, Logan Lamb, a 29-year old former cybersecurity researcher at the U.S. Oakridge National Laboratory, logged onto Georgia's elections website and wrote an automated script to scrape information from the site; then left for lunch. When he returned, Lamb discovered he'd retrieved what Zetter described as a "mother load": 15 gigabytes of data that included "registration records for the state's 6.7 million voters; multiple PDFs with instructions and passwords for election workers to sign in to a central server on Election Day," and access to the database of GEMS, the computer election management system which, among other tasks, is used to "tabulate votes and produce summaries of vote totals."

Per Appel et al, vulnerabilities to external hacks exist even when a system has been air-gapped. "Before each election," they noted, "administrators must transfer ballot definition into the voting machine by inserting a ballot definition cartridge that is programmed on election-administration computers that may have been connected previously to various networks". As a result, "vote-changing viruses can propagate via ballot-definition cartridges" even on voting machines that officials claim are never connected to the Internet.

Central tabulation vulnerability

It's vital to understand that e-voting vulnerabilities are not confined to the machines people vote on, either when they are warehoused or operated at the precinct level. A malicious hacker could potentially effectuate wholesale changes to vote totals whenever the tabulations are transmitted over the Internet or at any other moment when the computers which program them may be accessible via the net.

Senator Ron Wyden (D-OR) attempted to address that issue when he introduced the Protecting America Votes and Elections (PAVE) Act of 2019, which would, according to Zetter, "effectively ban transmission of votes via modem and prohibit connecting any election-reporting or election-management system to the internet or to a telecommunications network at any time."

The risk, of course, is not confined to hacking. There remains, for example, a distinct possibility that the 2004 Presidential Election may have been stolen as a result of a man-in-the-middle attack that altered the vote totals in Ohio via the diversion of e-voting data from the Ohio Secretary of State's office to a Republican operative's server in TN before it was posted on the Buckeye State's elections result website.

One could hear an echo of the concerns surrounding the possibility that the 2004 election was stolen in the recent revelation that, according to Marilyn Marks, the Executive Director of the Coalition for Good Governance, Georgia outsourced its election management "to three people operating in a garage" for its still-controversial 2018 elections.

Vote flipping

Judge Totenberg's decision to prevent GA from using their 100% unverifiable touchscreen DREs in 2020 (and thereafter) was based, in part, upon the sworn affidavits from 137 voters, poll workers and election officials, who described multiple problems, including "self-casting ballots, DRE machine malfunctions, voters' candidate selections flipping to other candidates on the DRE screens, and ballots being cast without a chance for the voter to review his or her selection."

Totenberg detailed a number of instances in which votes in the 2018 GA Governor's race intended to be cast for Democrat Stacy Abrams were flipped on-screen to Kemp, the Republican. For some voters, it was necessary to delete and recast the vote three times before the machine appeared to record the vote as intended. On other occasions, voters, with poll worker assistance, had to start the process over from scratch before their votes could be registered onscreen for Abrams. (Whether those votes were actually tabulated internally by the computer itself for Abrams is a separate --- and unknowable --- question.)

Some of the malfunctioning machines were taken out of service, resulting in long lines and people leaving the polls without voting, Totenberg observed, adding that no voter who saw their votes flipped onscreen "could verify whether their intended votes for particular candidates were actually cast as the DREs in use provide no audit trail or printout for voters to review for confirmation purposes."

Willful destruction of likely incriminating e-data

In a recently filed legal brief [PDF], the Coalition alleged that the Georgia Secretary of State's Office deliberately deleted electronically stored information from its servers and devices after the 2016, 2017 and 2018 elections, in order to prevent expert inspection and analysis. By wiping, deleting and overriding that electronically stored data, Georgia's election officials destroyed "evidence that could establish vulnerability, unauthorized access by malicious actors, and possible result-changing manipulation of Georgia's election system," the Coalition alleged.

The Coalition's brief observed while we'll never know for certain what the destroyed evidence would have established, "the inescapable inference is that the [deleted] evidence...was of such a nature that the State Defendants made sure that it could never be seen" --- an allegation that suggests the evidence was deliberately destroyed to prevent a revelation that Georgia's election results from elections conducted between November 2016 and November 2018 might have been the product of electronic theft.

While Judge Totenberg has, as yet, not ruled on the question of spoliation of evidence --- a ruling that could allow the court to assume the worst about what was deliberately deleted --- in her preliminary injunction ruling, she not only rejected the contention made by the Georgia Secretary of State's Office that the servers had merely been "repurposed" for some other use, but also noted that "this course of conduct cast a disturbing shadow on Defendants' posture here," euphemistically chiding "Defendants' inconsistent candor with the Court". Totenberg's observation came after the Coalition, in a Reply Brief [PDF], argued that the Defendants' use of the word "repurpose" was nothing short of Orwellian. "Repurposing," the Coalition argued, "is code for wiping servers and destroying data, much like shredding documents 'repurposes' them into trash."

E-Vote Tabulation Lifeboats: Hand-marked paper ballots

Perhaps the only truly verifiable solution to all forms of 21st century e-voting insecurities can be found in a relatively simple and inexpensive 19th century technology: hand-marked paper ballots, publicly hand-tallied with the results posted at each precinct on election night before ballots and tallies are sent off to central county headquarters. That ideal solution, Democracy's Gold Standard, was applied by Germany's highest court in 2009 after it banned all forms of e-vote tabulation because they lack transparency and the possibility for public oversight of result tabulation.

As reflected by the Appel et al academic paper, many election integrity advocates see Democracy's Gold Standard as time consuming. Their solution is the use of hand-marked paper ballots that can be optically scanned and tallied, together with a post-election "Risk-Limiting Audit (RLA) --- manually inspecting randomly selected paper ballots following a rigorous protocol. The audit stops if and when the sample provides convincing evidence that the reported outcome is correct."

Under that second scenario, hand-marked paper ballots --- preserved by a secure chain of custody after the election --- essentially serve as democracy's life boats. They provide the ultimate source of verifiable outcomes, which is the apparent reason that Senator Wyden included a proposed mandate that all federal elections be conducted on hand-marked paper ballots (other than for disabled voters who may need assistive devices) in the PAVE Act.

If passed, PAVE, allowing for a hand-marked paper ballot for every voter in the country, could all but eliminate the risk of a stolen 2020 Presidential Election.

Unfortunately, to date, the legislation has been bottled up in the Senate. There's no indication that Senate Majority Leader Mitch McConnell will permit a vote on the PAVE Act, despite a bill with a similar mandate already passed on a bipartisan basis in the U.S. House.

Unique incentive

There are several factors that suggest the risk of a stolen Presidential election is greater in 2020 than in any previous election.

We have, in the person of Donald J. Trump, a pathological liar, who, according to former Special Counsel Robert Mueller, could face a criminal indictment the moment he leaves office. Thus, from his perspective, there's a great deal more at stake than simply losing the power of the Presidency.

This past June, the U.S. Senate Intelligence Committee revealed that sophisticated Russian hackers targeted election systems in all 50 states during the 2016 election. While the Intelligence Community and the FBI have insisted they have seen no evidence that votes were changed, as revealed by the case brought before Judge Totenberg in GA, there is simply no scientific way that anyone in those agencies could know that with any degree of certainty.

Indeed, when asked by Wyden, during a June 21, 2017 Senate Select Committee on Intelligence hearing, whether "the Department conducted any kind of post-election forensics on the voting machines that were used in 2016," Homeland Security's Jeannette Manfra, a top-level cybersecurity official, conceded: "We have not. Our Department has not conducted forensics on specific voting machines."

While the number of jurisdictions that utilize easily hacked and 100% unverifiable DREs had been dwindling, last year, according to attorney and hand-marked paper ballot advocate Jennifer Cohen, a number of states and counties were "flocking to buy" the unverifiable, touchscreen barcode BMDs.

In the case of Georgia, the sequence of delay, obfuscation and timing suggest that Kemp and a GOP-controlled legislature could see that the handwriting was on the wall. Given the scope of information that was before the federal District Court, an order barring the continued use of 100% unverifiable DREs was inevitable. They appear to have turned to BMDs, via a $107 million contract with Dominion Voting Systems, in order to prevent the one thing Kemp seems to fear most: a verifiable election conducted on hand-marked paper ballots.

While much has been made of Kemp's resort to voter suppression tactics, the mainstream media has paid scant attention to the distinct possibility that the 2018 GA Governor’s race --- which he oversaw as Secretary of State before certifying himself as the Peach State's new Governor --- may have been electronically stolen.

But it isn't just the minority of states utilizing unverifiable DREs that are of concern. Los Angeles County, CA, which accounts for the nation's largest single block of voters, decided to move to expensive, unverifiable touchscreen BMDs, at a cost of some $300 million, in advance of the 2020 Presidential election. So has Philadelphia, in the key battleground state of Pennsylvania, and many others.

It would be a silly question to ask whether Trump, who previously admitted he'd accept Russian help to get reelected, would be unscrupulous enough to electronically steal the 2020 election if he and his unscrupulous foreign and domestic allies could get away with it. The real question is whether they'd be so brazen as to seek to flip what would otherwise be a lopsided defeat in a heavily Democratic-leaning jurisdiction like L.A. County? If they did, there would likely be little chance of the theft ever being discovered on the questionable new systems currently being rolled out before the 2020 primary elections.

Now or never

The constitutional principle that formed the basis for Judge Totenberg's August 15 decision in Georgia was a recognition that voters have a fundamental right to not only cast a vote but also to have their votes accurately counted. The decision formally recognized that a state's use of the 100% unverifiable GEMS/DRE touchscreens over these past 17-years has resulted in --- and, if continued, will continue to inflict --- irreparable harms not only to voters but to democracy, itself.

Totenberg's injunction was limited to the use of Georgia's GEMS/DRE voting system. The court did not enjoin the installation of a new, unverifiable touchscreen BMD system, according to Marks, because that issue had not been raised in the Coalition's motion for a preliminary injunction. Georgia had formally selected their new system only after the hearing on the motion and just a week before the judge issued her order. Both the language in the decision and, according to an interview with Marks on the day of issuance, Judge Totenberg's comments over the course of multiple hearings, suggest that the court will be receptive to a motion to prevent the use of BMDs as well, if the need for the additional injunction is factually established. Marks says the Coalition will "absolutely" be filing such a motion.

The Coalition, along with the Constitution Party of Georgia, then submitted a petition to GA Secretary of State Brad Raffensberger. The petition contains a demand for Raffensberger to re-examine the Dominion touchscreen BMD (bar coded) voting system that he certified on August 9. The Coalition alleges that the Dominion BMD system is fundamentally flawed and that the Secretary violated GA election laws and rules by rushing to certify it without first obtaining a report from an appointed expert after performance of legally mandated security and functionality testing and evaluation. The Coalition additionally alleged that, because it prints human unreadable bar codes, the Dominion BMDs violate GA law, as well as the U.S. Constitution.

The Coalition petition meets the criteria of a legal doctrine that requires it exhaust administrative remedies before seeking court intervention. It's now well positioned to seek an additional injunction if Raffensberger clings to his previous certification.

Published U.S. District Court decisions, unless or until overturned on appeal, can be cited as a judicial precedent in federal court cases throughout the nation. In this case, the court's (a) extensive coverage of the disastrous performance of Georgia’s Diebold GEMS/DRE voting system throughout its 17 years of misuse in the Peach State, (b) its detailed discussion and factual findings with respect multiple expert studies, analysis and testimony, and (c) the court's determination that "any new system…should address democracy's need for transparent, fair, accurate and verifiable election processes that guarantee each citizen's right to cast an accountable vote," provide a bases for challenging unverifiable DREs and BMDs in every state which deployed them.

If the catastrophe of a stolen 2020 election could lead not only to the destruction of our constitutional form of representative democracy but also endanger the very survival of our species, major voting rights organizations must now step forward to challenge these electronic black holes (both DREs and BMDs) in federal courts across the nation. But they must do so promptly, or risk running afoul of the Purcell Principle --- a U.S. Supreme Court doctrine that admonishes District Courts to not hand down significant election law rulings too close to an election, lest the court's decision cause confusion and chaos at the polls.

Given the uncertainties of the legal system, We the People can't stop there.

Over the past 15 years, computer scientists and election integrity advocates, like Brad Friedman, once dubbed by Robert F. Kennedy, Jr. as a "Paul Revere of the election integrity movement", have been sounding the alarm with respect to the dangers posed to democracy by reason of the lack of transparency and public oversight of our nation's voting systems. Those stark warnings have all too often gone unnoticed.

This article is intended as a clarion call to the America electorate. There's an iceberg dead ahead. If We the People do not rise up immediately and demand transparent elections that can be publicly overseen, that great American experiment we call democracy, like the Titanic before it, could founder and forever be lost.

* * *
Ernest A. Canning is a retired attorney, author, Vietnam Veteran (4th Infantry, Central Highlands 1968) and a Senior Advisor to Veterans For Bernie. He has been a member of the California state bar since 1977. In addition to a juris doctor, he has received both undergraduate and graduate degrees in political science. Follow him on twitter: @cann4ing