Last week, we called out CalPERS for changing its board election procedures. The new process violates the California constitutional requirement that voting be secret by having voters who use mailed-in paper ballots, the most popular method for voting, sign the ballot itself. This deviates from the process stipulated by the California Secretary of State for absentee ballots, and used routinely for other public election mail-in votes. Any voter identifying information, such as a signature, is on the return envelope only. That is separated from the ballot so as to keep the identity of the voter confidential.
The risk of voters having how they voted be vote accessible is real. Even if CalPERS were to try to restrict access, they are public records. One expert thought they would become part of the state archives and thus be open to the public. Even if that is not the case, they would still be public records and therefore subject to disclosure the Public Records Act.1
In addition, as we and others have dug into the election procedures further, we’ve not only unearthed even more violations of law, but have also ascertained that this election is not secure and cannot be audited as required by CalPERS’ own regulation due to the lack of a paper trail for voting by phone and Internet.
Last week, CalPERS’ effort to tamp down the escalating controversy over its election backfired. CalPERS’ CEO Marcie Frost invited board candidates to meet with CalPERS’ staff and the election subcontractors. Curiously, Frost didn’t show up at the meeting and the union candidates also blew it off. The candidates who participated in person were Margaret Brown and Mike Flaherman, and by conference call, Wisom (Sam) Altowaiji and Bruce H. Jennings. General counsel Matt Jacobs led the CalPERS side. CalPERS promised to provide a list of attendees but has not done so.
Not only were the answers to questions unsatisfactory, but the vendors lied repeatedly and had to retreat when called out. As a result, board candidate Margaret Brown wrote a letter to Frost, CalPERS board members, the Secretary of State, the Attorney General, and key legislators who sit on pension fund oversight committees. She gave a high-level overview of the problems and set forth remedies to bring the election procedures into legal and regulatory compliance. We’ve embedded her missive at the end of this post.
CalPERS’ Non-Secret Election Is Also Insecure and Unauditable
As we described at length last week, CalPERS is using new election procedures that violate the California constitution and election laws by having paper ballots that are not secret and by allowing for voting over the Internet, which is against the California election code.
This alone should raise alarms. As board candidate Mike Flaherman said, “A non-secret ballot is an emergency for democracy.” CalPERS board members are state officials. Over 1.4 million CalPERS beneficiaries are eligible to vote. Paper ballots that identify voters is a prescription for intimidation and harassment of those who voted the “wrong” way, most importantly active employees who voted against the recommendation of their union.
Upon further investigation, it turns out that CalPERS’ new election process also violates its own election regulation. In addition, CalPERS’ staff lied to the board by saying the the vendor who is responsible for processing the paper ballots, Integrity Voting Systems, a division of K&H Printing, is certified by the Secretary of State. IVS has no certifications whatsoever. K&H is certified only to print a subset of the ballots used in electronic voting machines in California. It is not certified to produce the ballot CalPERS is using, nor is it certified to count ballots.
As JJ Jelincic said by e-mail:
Board President Rob Feckner has said (on camera yet) that he has never been mislead by staff (even though he was Board President while the CEO was collecting shoe boxes of cash). Board member Bill Slaton has said that whether staff had mislead the Board was a matter of opinion. In this case, there is every reason to believe the staff knew that what it was telling the Board was just wrong.
Even worse, the IVS vote-counting operation is obviously amateurish and insecure. Brown and a witness toured the IVS facility….except it wasn’t an IVS facility. It was a K&H Printing facility in Everett, Washington, certified for printing and finishing some types of ballots used in California voting systems. There was no IVS sign on the facility nor did any employees have IVS business cards. The “Integrity Voting Systems” part of the operation is very much an afterthought.
Brown said the printing part of this facility, which took up the overwhelming majority of the space in the building, was clean and looked state-of-the-art, as you can see from this promotional video. As Brown said by e-mail:
K&H appears to be a successful high-tech, high-volume printer. The built-out office space inside the huge K&H warehouse is modern with cubicles and matching furniture. K&H branding including motivational sayings are professionally displayed on the walls.
Even the vending machine outside the room used to process the mailed-in CalPERS ballots looked spiffy:
By contrast, Brown said the room in which the ballots were being opened and scanned looked like a breakout room from the 1990s, with antiquated equipment:
Four older upright style scanners, similar to those junior high teachers use to grade multiple choice tests, were placed on two sides of the table. A variety of laptops used to check the pdf-format files were also on the table.
The process is not secure:
1. The ballots were in the open after the day’s count, in piles on the table or in boxes. Normal procedure in elections is for ballots to be secured in cages. Brown was told the ballots were kept in boxes in an adjacent room. That door was also open but she was not shown that room.
2. The internal door to counting room was propped open.
3. The counting room has an exterior glass door that leads to the parking lot.
One of the employees said he’d “tidied up” the room before Brown and her witness came in. When Brown asked to see a ballot, one was flipped over, allowing her to see the vote and the voter’s signature.
IVS also gave implausible answers regarding how the ballot counting process worked. During Brown’s visit, the employees maintained that all they were doing was checking ballots to see if they had the required signatures, adjudicating ones where the ballot marks might not scan correctly (for instance, if the voter had made a tick marks rather than filling in the circles by the candidates’ names) and making and checking the PDFs that were then to be sent to yet another vendor, Everyone Counts, for the tally.
My, why are we hearing that “Everyone Counts” name only now? Why has it been kept under wraps, with nary a mention to the board? Could it be because a web search would have revealed unflattering information about Everyone Counts overhyping its pet initiative, voting over the Internet? From a 2016 article in the Atlantic, which among other things, discusses an Internet voting fiasco in Estonia:
“They’re pretending like voting is no different than buying a book on Amazon, and they’re completely, by virtue of ignorance or malice, ignoring the truth of the world,” said Joe Kiniry, a cybersecurity researcher. “The simplest way to check the veracity of their statements is to call up any security researcher in the world that you find online who has made public statements about end-to-end verifiable elections and ask them. And you will find that 999 out of 1000 will tell you that [the likes of] Everyone Counts, [other online voting venders], and Estonia are full of shit.”
We’ll have more to say about Everyone Counts in due course.2
IVS said Everyone Counts was not just running the vote by phone and Internet parts of the election, but also doing all the tabulation. The reason that sounds implausible is that the equipment in IVS’ sad-looking counting room was equipment is uses to sum up votes for “private elections,” meaning non-government elections, such as union elections, as indicated on its web site. Brown saw only ten machines. The six laptops were not capable of scanning. The four other devices are designed not just to create images (which they would do to have an audit trail) but primarily to “score” tests or ballots.
So what seems more likely is that IVS is in fact tabulating votes. Perhaps K&H has restricted IVS to vote counting only for “private elections” so as not to risk tainting its bigger business of printing ballots for public elections. Thus IVS can claim it is not tabulating votes because only the tally by Everyone Counts will be treated as official.3
Note that Everyone Counts has no election certifications whatsoever from the California Secretary of State.
Moreover, no matter what assumptions you make about how the paper ballots are being counted, it cannot comply with CalPERS’ own regulation:
§ 554.8. Ballot Counting and Runoff Election.
On the date specified in the Notice of Election at the location designated by CalPERS, the validated paper ballots shall be tabulated publicly by an independent, neutral agent appointed by CalPERS for that purpose. Online and telephone votes will be tabulated on the date specified in the Notice of Election and be auditable by an independent, neutral agent appointed by CalPERS for that purpose.
1. It is the paper ballots that are supposed to be tabulated, not PDFs. That is clearly not happening since IVS said it is sending the PDFs, and not the actual ballots, to Everyone Counts.
2. The tabulation is to take place only on “the date specified”. Yet IVS is reviewing paper ballots on a daily basis and making decisions not just about whether the ballots were signed (CalPERS’ ballots require a signature as an affirmation; unsigned ballots are not eligible to be counted) but as to whether and how to interpret marks that are on the ballot that the scanners were unable to read or are presumed to be unable to read. Ballots that got mangled in the mail or by the ballot readers would also be subject to special handling.
Making calls about these “outstacked” ballots is an integral part of the tabulation process. This goes beyond mere validation. Having IVS make these decisions on a daily basis in and of itself is a violation of the regulation. Those “outstacked” ballots sit outside the pretense of a “tabulation” on the final day. They also make the idea that the paper ballots will be “tabluated publicly” even more of a joke.
IVS told Brown repeatedly that Everyone Counts was handling all of the vote-counting, meaning for the ballots and the online and the telephone voting. Yet the IVS personnel also told her that Everyone Counts has no scanning machines and everything it does is on line. Thus it is impossible for Everyone Counts to tabulate of the paper ballots as stipulated by the regulation. Inherently, it can only be done by one party, in one place, for a period of time on a designated day. And for the paper ballots which represent the majority of the votes, if what IVS told Brown is accurate, that party cannot be Everyone Counts.
So it should come as no surprise that in the meeting with the candidates, CalPERS and the vendors were unable to say where the ballots would be tabulated publicly so the candidates could supervise the process. They first gave a California address but backpedaled when Brown said the ballots were in Washington and had already been scanned to be tallied as PDFs. They said they’d have to get back to the candidates regarding where the public tabulation of the ballots would take place. Brown and Flaherman said they have not gotten any additional information.
Finally, the regulation calls for the online and telephone votes to be “auditable by an independent, neutral agent appointed by CalPERS for that purpose”. That means auditable by a party separate from the one that does the tabulation, which is Everyone Counts.
However, in the meeting with the candidates, Everyone Counts said it does not produce paper records. This means its process cannot be verified. Even in more secure voting via voting machines, ones that produce paper records are the only type that can be audited properly. As NBC News pointed out:
Breaches in Arizona and Illinois, tied to Russian hackers by intelligence officials, involved Internet-linked registration databases, not the manipulation of voting or tabulation machines, which are offline. But any meddling can undermine public confidence in the system’s integrity. Even benign breakdowns of aging equipment — 43 states have machines that are more than a decade old — can stir chaos and uncertainty.
The antidote, many experts say, is replacing the old machines with ones that provide paper ballots or receipts that can be used to verify any outcome in the event of a close call, challenge or catastrophe.
“I really think it’s negligence for a secretary of state anywhere in the country now not to have a paper trail for their votes, not to have some backup system, because the risks are just too great in this cyber Wild West,” Rep. Adam Schiff, the ranking Democrat on the House Intelligence Committee, said last month.
And that’s before getting to the fact that there is little reason to have confidence in Everyone Counts. It recently ran the vastly smaller elections for Los Angeles neighborhood councils. Tony Butka described the outcome in LA Citywatch:
Here in LA we recently went through a round of Neighborhood Council elections, and the “new experiment” of online voting proved to be a total disaster with mass confusion, verification nightmares, limitations in actually getting online to vote, you name it. The City had to shut the idea down.
Voters also told Brown that they had trouble voting by phone, that they found it difficult to reach a live person on the number provided, which is a help desk number for Everyone Counts. I experienced the same thing myself when I called: one time the call did not go through at all, the other times I had extremely long hold times. One of the agents to whom I spoke said she had heard of complaints from unions forwarding calls, presumably from “get out the vote” efforts. So Everyone Count’s simpler “vote by phone” isn’t working well either.
Lies About the Election Process
We’ve already pointed out one lie made in the meeting between CalPERS and the candidates last week, that the ballots would be tabulated at the end of the election in California. Maybe CalPERS will figure a way to make that happen but that was clearly not the plan as of the meeting.
CalPERS and the vendors tried to claim that the bar codes on each ballot were not linked to individual voters, which seemed implausible on its face. When asked how CalPERS could cancel ballots and reissue them, there was a long silence and CalPERS admitted the bar codes were identifiers.
As Brown states in her memo below, the vendors were “untruthful” in two more ways.
Brown described in the meeting how she had called the Everyone Counts help desk number and asked the people who answered the phone about the complaints she had gotten about not being able to get through to vote and engaged the Everyone Counts staffers in conversation. They told her they were working at home, as contractors, and that they could access the entire CalPERS voting database (which was ported to Everyone Counts). I also made calls (identifying myself by name and saying I was working with some of the candidates) and was also told by the people who spoke to me that they worked at home. That alone raises huge concerns regarding security. Everyone Counts attempts to claim that its process is secure because it uses encryption, but that is not sufficient, since encrypted channels are vulnerable to “man in the middle” attacks. But a far more obvious fail is the human side. Allowing people to work at home, with no one on premises to supervise, allows for all sorts of routine security failures to happen, such as some other member of the household looking on or poking around using the Everyone Counts password (it’s common for people to write down difficult passwords and keep them near their computer).
Everyone Counts insisted all of its phone reps were employees. That conveniently diverted the focus from the bigger security problem of not monitoring them on site. Brown pressed them as to whether they got W-2s or 1099s. Everyone Counts retreated and said it would get back to her.
The second misrepresentation was that Everyone Counts’ website states that it has a “joint venture” with IVS to conduct the CalPERS election. “Joint venture” has a very specific meaning, that of a jointly owned independent legal entity. The vendors admitted they had no joint venture, only an operating agreement.
I encourage California readers to circulate this post widely. CalPERS continues to show that it has no respect for the law or even common-sense privacy protections. The time is long overdue for the legislature to wake up and start asking tough questions.
1 Note that after the election, the ballots go to the state archives under the control of the Secretary of State. CalPERS’ general counsel Matt Jacobs gave nonsensical answers during the meeting with the candidates, saying whether the records would be public depended on who was asking to see them and why. If nothing else, these records are accessible under the Public Records Act as public records, and the PRA does not require the requester to state any motive, not does it allow respondents to discriminate based on the identity of the requester. If CalPERS is to protect voter confidentiality, it must redact the bar codes and signatures on all the paper ballots, as Brown suggests. And that would need to be done before the ballots are sent to the state archives. Jacobs angrily refused to answer whether ballots would be confidential. He declared the question to be hypothetical and refused to answer it until it was posed to him in writing.
2 Space constraints prevent us from having more to say about what an absolutely awful idea online voting is. Consider this quote from the same Atlantic article:
One concern of cybersecurity experts is protecting both the anonymity of a voter, and allowing the voter to prove that their vote was actually cast. In an online purchase, both the merchant and credit-card company or bank attach the customer’s name to the purchase. Purchases are tied back to individuals—something customers want so that they can verify their purchases.
But an online-voting system would need to separate the two—a voter’s identity from their ballot—to protect voter anonymity. In that case, how can that voter be confident that their vote is counted at the end of the day?
Our Richard Smith added:
The other killer point is about authentication and SSNs [CalPERS is using Social Security number for authentication]. SSNs never were an authentication mechanism. They were a (somewhat Mickey Mouse) identification mechanism.
Supplying an SSN is a way to tell a computer system who you are (that’s identification). It doesn’t prove you are who you say you are (that’s authentication).
Full details of this mixup, which clearly isn’t going to die any time soon, from 2009:
How easy is it to get hold of someone else’s genuine SSN? It used to be this easy:
Now it can be this easy, as often as not:
A good overview from late last year in the MIT Technology Review, The Internet Is No Place for Elections, includes this apt section:
In some cases, election officials don’t have enough technical background to distrust claims from vendors, says Pamela Smith, president of Verified Voting, a nonprofit that advocates for greater integrity and verifiability in elections. Terms like “military-grade encryption” or “unhackable” should be red flags, she says.
“Military-grade encryption” is one of Everyone Counts’ pet claims.
3 This is the most charitable assumption one can make. It is plausible and more likely that IVS is tabulating the ballots daily and is either sending daily totals to Everyone Counts or will send its daily and final totals along with the PDFs at the end of the election for Everyone Counts to confirm, or perhaps even merely spot check.Voter Suppression and Ballot Secrecy