By Lambert Strether of Corrente.
No doubt Los Angeles County’s VSAP (“Voting Solutions for All People”) rollout will not be covered as a debacle. The real question is: If there were a debacle — like, say, a case of election fraud — would we even know? Doubtful. Just what we want in a voting system! In this post, I’ll give a brief overview of issues with electronic voting. Then I’ll look at VSAP as an institution. Next, I’ll show why the VSAP system is not only insecure, but likely to make money-in-politics even worse than it already is.
We’ve covered electronic voting before — see here, here, and here — and if you want to understand why hand-marked paper ballots, hand-counted in public (HMPBCP) is the world standard, you can read them, especially the first. In this overview, I’ll make a few high-level observations about electronic voting in general.
Digital systems can never be shown not to have bugs. As Computer Science Elder God Edgers Dijkstra wrote: “Program testing can be used to show the presence of bugs, but never to show their absence!” Many bugs in many important programs persist for years before they are discovered. A list would include Flash in IE6 (persisted 12 years), OpenSSL (15 years), LZO data compression (18 years), and bash (25 years). None of these examples are outlier programs or trivial; they are all used by millions, essential to enterprises, networks, etc. Each of these bug is an insecurity waiting to happen. And that’s before we get to Trojan Horses, which are bugs introduced deliberately by a developer for purposes of their own. In fact, I would go so far as to argue that any voting system decision maker who advocates electronic voting is doing so for reasons other than security, given that HMPBCP is available, which amounts to saying that such a decision maker regards a certain amount of exploited bugs — election fraud — as acceptable.
Now, of course we all use programs all the time: We have programs to turn on our lightbulbs, call cabs, download pr0n, etc. I’m using a program now to write this post! However, if we put voting machine software on the same plane as commercial software, we’re arguing that a central-to-mission function of democracy — the vote — is on the same plane as the very convenient ability to check the contents of our refrigerator from our cellphone. Lest I be thought curmudgeonly in this, recall the example of Bolivia, where one reason the vote was challenged was the use of an unauthorized server for data transmission of the count. Contrast that with the recent vote in Hong Kong, where there were many images of people marking paper ballots, and of people counting them, in public (in fact, of people demanding to be let in to observe). Imagine if electronic systems had been used: First, the Mainland would have had every incentive to have compromised the software, and might well have done so successfully; second, electronic systems, because they are always buggy, are always open to challenge. The fallout could have been extremely ugly at the geopolitical level. Nor would the people’s will have been respected.
With that, let’s turn to Los Angeles County and VSAP. As with any software project, we need to understand the requirements. Here is what I can find on the extremely spiffy and well-budgeted VSAP site: “The Design Concepts“:
The final concept created for VSAP incorporates features driven by the project principles as well as focus group feedback, input and in-person testing.
The concept system features touch-screen technology with a simple user interface, both audio and visual output and a built-in scanner, printer and ballot box. The new voting system will provide voters with options to scan in QR coded ballots from their phone, enter their ballot choices in-person at the polling location or vote-by-mail with printed ballots.
(Note that the concept very explicitly does not say that hand-marked paper ballots will be available at polling locations; only vote by mail.) I note with alarm that the concept document includes no mention of security, or even that the voters vote be accurately recorded and tabulated. Let’s look elsewhere for that. From the aforementioned “Principles“:
TRUST The voting system must instill public trust and have the ability to produce before it is cast and to ensure auditability of the system. It must demonstrate to voters, candidates, and the general public that all votes are counted as cast.
(A little too much focus on PR for my taste: “instill,” “demonstrate.”) Note the fundamental equivocation, which I have underlined: The paper is not the ballot; the paper is only a record of the ballot, which is digital (the QR code). More:
INTEGRITY The system must have integrity, be accountable to voters, and follow existing regulations. System features must . It should also be easy to audit and produce useful, accessible data to verify vote counts and monitor system performance.
“System features must protect against fraud and tampering.” See comments on bugs above. There is nothing insecure about counting ballots by hand in public. That’s why you count them in public. Finally:
TRANSPARENCY The processes and transactions associated with how the system is set up, run, and stored should be easy for the public to understand and verify. This should include making hardware components available for inspection, and
VSAP is being marketed as open source, but that underlined section is an awfully big qualifier. We’ll have to see how it works out in practice.
So, these design concepts and principles are the closest I can come to a requirements document (and I did look using several search tools, as well as doing an image search for diagrams). So, although VSAP uses “ballot marking devices,” we don’t know what requirements they are supposed to meet, and so have no way to judge the success of the VSAP system. If you, readers, can do better, please put your results in comments.
So, the VSA site reads like public relations to me. For completeness, here’s an image of the county-wide rollout:
Pop-up Demo center at LaCrescenta Library. You can interact and use the new ballot marking device!
— Glendale City Clerk (@cogCityClerk) November 25, 2019
Dear Lord. A “voting experience”? So the tiny little alarm head began to ring a little louder, and with this press release it began to clamor: “Votem Corp Selected For LA VSAP Project In Partnership With Smartmatic“:
An innovative voter-centered election system will modernize the way Los Angeles County citizens will cast their ballots. In partnership with , who was awarded a contract to assist LA County in the design, construction, and deployment of the new voting solution, Votem will facilitate the development of the new system’s interactive ballot display.
“We are extremely pleased to be taking this important step forward in delivering on our commitment to modernize the voting experience in Los Angeles County and to lead in the development and implementation of a non-proprietary, publicly-owned voting system that is responsive to the needs and behavior of our electorate,” said Dean Logan, Registrar of Voters, following the awarding of the contract at the Board of Supervisors meeting on Tuesday.
, as designed by and for Los Angeles County, in partnership with IDEO, during prior phases of the VSAP initiative that focus on security, accessibility and usability. The interactive sample ballot display will allow for voters to mark their choices on their mobile device – anywhere, anytime – and then scan in their QR code in person for fast and easy voting at a vote center.
(Hold that thought on QR codes. Again, the QR code is the actual ballot.) Votem, eh? NC readers will be familiar with Votem, since Votem was involved in CalPERS corrupt election process (see here, here, and here). Of the Votem’s many problems, this one seems to be, well, the juiciest. Yves analyes a Votem “CalPERS Tabulation Incident Report” and concludes:
[T]he Incident reports starts with five Big Lies, which is quite impressive in such a short space:
The 2018 CalPERS Public Agency Member Election was conducted by the Everyone Counts/IVS Joint Venture. Everyone Counts has since been acquired by Votem, Corp. The election team and tabulation platform remained the same.
First, the election vendors admitted in 2017 (just the way CalPERS finally confessed that “CalPERS Direct” was not direct investing) that its election “joint venture” was no such thing. It was an operating agreement between K&H Printers-Lithographers, Incorporated, dba Integrity Voting Systems, and Everyone Counts, Inc.6 In keeping, the two parties signed the agreement as separate entities.
Second, the parties nevertheless attempted to depict the contract repeatedly as a joint venture, even stating in the operating agreement that the services were to be provided in the name of the “”IVS/Everyone Counts Joint Venture”. So Votem also misrepresented the name by putting “Everyone Counts” first, implying it is the more important player. We have the agreement embedded at the end of our second post. It makes very clear that K&H Printing, operating as IVS, was the dominant party.
Third, Votem falsely stated that the elections were conducted by the soi disant joint venture. That is false because Everyone Counts defaulted on the agreement by selling its assets to Votem before the election was over.
Fourth, Votem says it acquired “Everyone Counts”. It did not do so. It acquired only Everyone Counts’ assets, deliberately leaving the liabilities and the legal entity behind.
Finally, Votem claims that it acquired “Everyone Counts” after the election. This is false, since the sale of assets closed before the election was over and days before the tabulation took place.
So, underneath all the glossy PR, and the rollout, and the stakeholders, and the lavish website, we have a prime contractor that’s an extremely shady business entity. One, morever, in charge of the ballot!
With all that set-up, let’s quickly move to the critique from the HMPBCP world. First, from the essential Bradblog, “L.A. Registrar Won’t Answer Qs About County’s New Unverifiable Touchscreen Vote Systems.” Here is where the QR code becomes important:
The new VSAP system is a touchscreen Ballot Marking Device or BMD, . While the QR Code (a type of barcode) cannot be verified for accuracy by voters, it is also impossible with such systems to know if any voter has even verified the human-readable portion of the ballot summary at all, much less correctly, after an election. Studies reveal that most do not verify computer-marked ballots at all, and that of the minority who do, most don’t recall the details or selections on the ballot they voted just moments earlier. That’s just one of the many reasons why most cybersecurity and voting systems experts warn against the use of such systems which are now proliferating — and sometimes replacing verifiable hand-marked paper ballot systems — in many states and counties across the country before 2020. (The list of states where counties or the entire state are moving to BMD systems include a number of key battleground states. Such systems are planned for use next year, or are already being used, in OH, WI, PA, TX, WV, KY, NY, NJ, KS, TN, IN, SC, NC and, yes, CA, unless the public prevents these plans.)
(There’s much, much more; read the whole thing, especially Los Angeles residents.) For readers who think they have never seen a QR code, it’s like a bar-code in two dimensions, and it looks like this:
I wanted to find the requirements document and if possible some process flow diagrams, but I’ll take BradBlog at his word. The flow for a Ballot Marking Device would be something like: Voter makes selections on touch-screen (software, hence buggy and insecure), selections are stored (ditto) and printed out (ditto) on a page with a human-readable receipt reflecting (one assumes) the touchscreen selections, and the ballot itself, which is the QR code, which is not human-readable. The page is then scanned (ditto) and QR code is then tabulated (ditto). The sleight of hand is, of course, the ballot itself. A human may think that their reciept, which they can read to check that it matches what they selected on the touch screen, also matches the QR code, which they cannot. But there’s no reason on earth to think that! And the unreadable QR code, since that is what is tabulated, is the ballot! Take the matter out of the delusional digital realm. Suppose voting worked like this: You voted by hand-marking a yellow paper ballot. You then handed the yellow paper ballot to an official who, behind a screen so you could not see, marked a blue ballot that you could not read, sealed it so you could not read it, and then handed the blue ballot back to you and told you to put it in the ballot box, that’s your vote. Does that make any sense? That is how a “Ballot Marking Device” works.
Worse, the QR code ballots reinforce the power of money in politics. Recall that “The new voting system will provide voters with options to scan in QR coded ballots from their phone.” Well, security aside, game that out. From Knock LA, “The Campaign Finance Problem is About to Get Worse“:
Voters who like to fill out their sample ballot in advance and bring it to the polls will be particularly interested in the new Interactive Sample Ballot (ISB) feature. This will allow them to store their choices to a “Poll Pass” containing a QR code and then reload it into the Ballot Marking Device. This is an option that will “help expedite the voting process” by negating the need to individually mark each line on the ballot while in the polling center. This will be particularly useful on a ballot that will be extraordinarily long now that local elections will be folded into the presidential ballot. Unfortunately, this convenience will come at a steep price for our democracy.
Instead of building in assurances that the Poll Pass could only be used by the person who created it, .
While the casual voter may believe that the strategically named organizations that publish slate mailers have carefully screened candidates for inclusion, the truth is that most are nothing more than a pay to play form of political marketing. Inclusion on these ads has more to do with the ability to pay than the views of the included candidate. .
Groups like the California Charter School Association (CCSA), which have already shown the willingness to throw ethics aside in order to win elections, will find the new system even more valuable. Their printed materials could highlight popular candidates without even mentioning their favored candidate while still embedding their choice within the QR code. The unsuspecting voter who does not check all the way down the ballot at the polling place would be casting a vote for a candidate they took no action in choosing and may, in fact, oppose. By creating different slates to cover multiple candidates in races that attract the most attention, groups like CCSA could magnify their effect on the election. .
Given the role that liberal Democrats think the donor class should play in politics, this may not be an issue for VSAP.
G-a-a-a-a-a-h! All that design! All those principles! And at the end of the day we have a system where the voter doesn’t know the vote they cast, and that reinforces the power of big money. Some clever lawyer needs to bring suit on this and fight it all the way to the Supreme Court (who, I suppose, can choose to put the final nail in the democracy’s coffin, or not). Oh, and VSAP hopes a lot of other jurisdictions adopt its system. Swell.
UPDATE 2019-12-07: Here is a diagram of the workflows, comparing real paper ballots to “ballot marking devices”: