March 23, 2015
Senator Bill Cadman
Senator Mark Scheffel
Senator Morgan Carroll
Senator Rollie Heath
We write today to express our opposition to House Bill 1130, a bill that as amended would expand the practice in Colorado of return of voted ballots by electronic transmission over the Internet. Verified Voting is a national, non-partisan, nonprofit committed to safeguarding democracy in the digital age, with many Colorado supporters. We advocate for voting technology and policies that promote and improve transparency, accessibility, security and auditability in the election process.
There is a common misconception that returning voted ballots via email as PDF attachments and printing them for scanning at a central scanner is not Internet voting, and somehow does not introduce the security risks of “Internet voting.” This is misleading. Marked or “voted” ballots returned by electronic means (including but not limited to email in the form of PDF attachments) are vulnerable to tampering, manipulation, deletion, and eavesdropping as they travel the Internet, before they can be printed at the elections office. It is not merely the tabulation of votes that must be protected from the risks of the Internet, but the votes themselves even before they can arrive to be tabulated.
The National Institute of Standards and Technology (NIST) is the federal agency tasked with researching the security considerations of voting technology including for remote electronic UOCAVA voting. In examining the email return of voted ballots, NIST found that voted ballots returned by email are vulnerable to privacy violations and malicious tampering at countless points as they travel over unsecured networks and email servers.[i] NIST also warned that voters’ computers may be infected with malicious code or “malware” that could modify ballots before they are emailed to the election official.
Malware could also infect the election computer system and modify ballots before they are printed. In either case, even if the malware was discovered before Election Day, election officials have no way to identify affected ballots.[ii] This sort of attack, they warn, could be orchestrated by updating malware on already infected computers to recognize and attack ballots and therefore could have large-scale impact.[iii]
NIST also points out email ballot transmission is “significantly easier to intercept and modify in transit than other forms of communication.”[iv] This is borne out by other experts: Brian Hancock of the U.S. Election Assistance Commission states: “Email is about the least secure method of ballot delivery.”[v] Earlier this year researchers at Galois, a defense contractor and computer security firm, published a technical paper detailing an example of an attack on ballots returned by email.[vi]
The solution is, as a Federal Voting Assistance Program (FVAP) report to Congress states: “Electronic delivery of a blank ballot, when combined with the postal return of the voted ballot, remains the most responsible method for moving forward until such time applicable Federal security guidelines are adopted by the [U.S. Election Assistance Commission].” FVAP is responsible for assisting military and overseas voters to ensure their ability to participate effectively in elections.
Colorado permits the insecure practice of electronic return of voted ballots by email for UOCAVA voters—but in limited circumstances. CO Rev. Stat. 1-8.3-113 states this can happen, for voters who requested their ballots electronically:
(1) (a) In circumstances where another more secure method, such as returning the ballot by mail, is not available or feasible, as specified in rules promulgated by the secretary of state; or (b) If the ballot is for a recall election conducted under article 12 of this code.
Thus far, we have been unable to find any guidance or rule the Secretary of State may have promulgated to ensure that the more secure method of returning voted ballots is used (cf. Election Rules 8 CCR 1501-1 16). Given the foregoing guidance, postal mail return should trump email ballot return.
In agreement with the Military and Overseas Voter Empowerment (MOVE) Act and the Uniform Law Commission’s Uniform Military and Overseas Voter Act (UMOVA), Colorado provides blank ballots electronically and 45 days before an election to military and overseas voters. Colorado also wisely allows military ballots to be counted as long as they are postmarked on Election Day and received up to eight days after the election. Military voters are entitled to expedited postal mail return of voted ballots at no cost, which are returned to election officials within 5.2 days on average. These are significant steps that ease and facilitate the voting process for military and overseas voters and we commend you for those provisions.
In addition, we strongly believe all ballots, including those of our men and women in uniform, deserve to be transmitted securely and privately. We oppose the provision in HB 1130, which we understand was added in Committee after introduction, that therein expands online return of voted ballots. We have no position on the other provisions of the bill.
We also urge the legislature, in light of daily revelations of the comprehensive lack of security of the Internet for any purpose as important as the transmittal of votes, to consider repealing the return of voted ballots by electronic means, before the inevitable corrupted election occurs. Until then, we will work with the Secretary of State to develop clear and specific rules governing the return of voted ballots in agreement with Colorado statute 1-8.3-113.
Thank you very much for your consideration and attention to this matter.
Very truly yours,
Pamela Smith, President
Cc: Senator Leroy Garcia
[i] NIST IR 7551, “A Threat Analysis of UOCAVA Voting systems”
[iii] NIST IR 7700, “Security Considerations for Remote Electronic UOCAVA Voting.”
“While each successful attack on the client can only impact one vote or voter (or potentially a small number of voters if a computer is shared), attackers have demonstrated an ability to infect a large number of clients, and thus client-side attacks have the ability to have a large-scale impact.”
[iv] NIST IR 7551
[v] “Internet Voting – Not Ready for Prime Time?” National Conference of State Legislatures, The Canvass, Feb 2013