September 8, 2017
To the Virginia Board of Elections:
Verified Voting is a national, non-partisan, not-for-profit organization dedicated to securing democracy in the digital age. We were founded in 2004 by computer scientists as computers became more widely used in the election process. Virginia Verified Voting is a grassroots group of Virginia citizens which has actively worked to encourage the secure application of technology in Virginia elections for over a decade. We write to you today to commend the Department of Elections for its actions and strongly support the recommendation to decertify all Direct Record Electronic (DRE) voting machines in the Commonwealth.
There have countless studies and security reviews over the years which have found the DREs in use in Virginia to have multiple insecurities making them vulnerable to manipulation and tampering.1234567 The universally accepted evidence that DREs are insecure and untrustworthy drove the legislature to pass a measure to eliminate them by 2020.
Perhaps the most notable voting system security review is the comprehensive California Secretary of State’s seminal 2007 Voting System Top-to-Bottom Review which found severe security flaws in the Diebold TSx, the Hart InterCivic eSlate, and the Sequoia Edge,8 all machines that are currently used in Virginia. The findings compelled the California Secretary of State to promptly de-certify those very same machines that Virginia is using today.9
California was not alone. Ohio conducted a similar study in 2007, the Evaluation and Validation of Election Related Equipment, Standards and Testing (EVEREST). EVEREST evaluated DREs, ES&S iVotronic, Hart InterCivic and Diebold TSx. The alarming security flaws led Ohio to also discontinue use of paperless DREs and switch to voter-marked paper ballots and optical scan voting machines statewide.10
Optical scan voting systems in which a voter records her vote on a paper ballot provide resilience to cyber attack and auditability of the election process that a DRE cannot. The paper ballot provides a permanent, physical record of voter intent that cannot be altered by a cyber attack and this can be used in a post-election audit to confirm the election tally is correct. In 2011 the U.S. Election Assistance Commission directed the National Institute of Standards and Technology (NIST) to provide guidance on how to audit a DRE voting system to confirm the vote tallies are correct or to catch any potential error or tampering. NIST convened an Auditability Working Group to study the question. The NIST Auditability Working Group found that any system that does not provide a voter-verified paper record of voter intent will be susceptible to undetectable errors in the vote count.11 Put simply, it is impossible to know for sure that the vote tally from DRE voting machines is correct.
The studies cited above have mostly been conducted over a decade ago, when the cyber threat to elections was more theoretical than actual, however, those days are over. We are in a new paradigm; in the last year the U.S. Intelligence Community has warned us that foreign adversaries have been probing our election infrastructure, looking for weaknesses.12 In a March hearing before the U.S. House Intelligence Committee, the former director of the FBI testified ominously that “[t]hey’ll be back.”13 We must face the chilling reality that our foreign adversaries have the will, intention and ability to tamper with our election infrastructure, potentially delegitimizing our elections and destabilizing our government. This a national security issue. We must do everything we can to protect our election infrastructure from cyber terrorism. The Board has the opportunity to act now, to safeguard Virginia’s elections and remove the insecure, untrustworthy DREs in use in the Commonwealth, replacing them with voter-marked paper ballots.
We strenuously support the Department of Election recommendations and urge the Board to immediately de-certify the DREs in use in Virginia.
If you have any questions please don’t hesitate to contact us. We stand ready to assist you in any way. Thank you for your consideration.
Virginia Verified Voting
- A. Kiayias, L. Michel, A. Russell, and A. A. Shvartsman. Integrity Vulnerabilities in the Diebold TSX Voting Terminal. UConn Voting Technology Research (VoTeR) Center, July 16, 2007
- Press Release. “Secretary of the Commonwealth Decertifies Unilect Patriot Voting System in Pennsylvania,” Pennsylvania Department of State, April 7, 2005
- Appel, Andrew, “Report on the Sequoia AVC Advantage,” October 17, 2008, Center for Information Technology and Policy, Princeton University
- Hackett, Robert, “Watch This Security Researcher Hack a Voting Machine,” November 4, 2016, Fortune
- Butler, Enck, Hursti, McLaughlin, Traynor, McDaniel, “Systemic issues in the Hart InterCivic and Premier Voting Systems,”
- Ryan Gardner, Alec Yasinsac, Matt Bishop, Tadayoshi Kohno, Zachary Hartley, John Kerski, David Gainey, Ryan Walega, Evan Hollander, and Michael Gerke. Software Review and Security Analysis of the Diebold Voting Machine Software. Security and Assurance in Information Technology (SAIT) Laboratory, Florida State University, For the Florida Department of State, July 27, 2007
- Yasinsac, Alec, et al. “Software Review and Security Analysis of the ES&S Ivotronic 188.8.131.52 Voting Machine Firmware,” Oct. 17, 2008, USENIX
- Report of the Auditability Working Group, Jan. 14, 2011, U.S. Election Assistance Commission
- Isikoff, Michael, “FBI says foreign hackers penetrated state election systems,” Yahoo News, Aug. 29, 2016
- Washington Post Staff, “Full Transcript: FBI Director James Comey testifies on Russian interference in 2016 election,” March 20, 2017