What follows is an initial quite technical report pertaining to what was labeled an “audit” of the ballot data transmitted over the internet on behalf of 119 voters using the Voatz platform in the Denver Colorado Municipal Election of May 7, 2019. The voters are military and overseas (UOCAVA) electors who chose to use the cell-phone based voting method.
Here is a paragraph that is part of the Terms and Conditions of participation in the “audit” process:
The auditor shall conduct an audit of the mobile voting pilot by comparing the voter verified digital receipts (VVDRs) to the corresponding paper ballot images and cast vote record data provided by the jurisdiction. Similarly, the auditor may compare the VVDRs with the data recorded on the blockchain by utilizing the tools provided as part of the Service.
While auditing, we ask you to refrain from (1)Any activity that could lead to the disruption of our service (DoS), (2)Spamming, (3)Social engineering (including phishing) of Voatz staff or contractors, (4)Any physical attempts against Voatz property or data centers, (5)Sharing any receipts or images from the audit tool on a public forum without the prior written permission of the jurisdiction.
It is notable that the above instructions and the web-based facility provided limited access such that little can be learned from what I will call a review of digital image artifacts of ballot data transmitted by Voatz and the Denver Election Division on behalf of 119 presumably anonymous voters. Anonymity was provided by linking the artifacts using a long unreadable code associated with each voter such as HJK3SX5Z9xnSe62DXsN2x0bHkXsnMuMpFH9DlmF6AvG . The NCC referred to in the text is the National Cybersecurity Center in Colorado Springs. NCC’s partnership with Voatz for the Denver pilot project is supported by Tusk Philanthropies.
Context is available in the following article: https://www.nationalmemo.com/counting-voatz-inside-americas-most-radical-voting-technology/
Initial response to NCC in respect to the “audit” opportunity for the Denver 2019 Municipal Election
Harvie Branscomb, harvie [at] electionquality.com
The instructions associated with the “audit” were to connect via internet to a Voatz server and obtain from there five sets of presumably anonymous records related to 119 Denver UOCAVA voters who chose to use a cell-phone based voting method that receives and delivers vote options and selections over the internet. The offer of access to review did not include the eligibility portion of the election process, and depended itself on records that can be communicated over the internet rather than the physical versions, to the extent they exist. The five sets of electronic records provided, containing various forms of contest selections tabulated in the Denver Municipal election are:
1) a digitally originated image of two sides of 119 full text standard Dominion format ballots with contest selections printed into it digitally, then printed at the Denver central count facility, imprinted with a tracking number on Denver’s Canon imprinters, scanned by the Dominion Democracy Suite voting system, redacted (presumably by Denver staff) to remove evidence of style number, precinct number, and evidence of contests that define styles, transferred to Voatz as a pdf for download from their server;
2) 119 pdfs containing indications of contest-selections (and not the contest-options) sent (not in a verifiable manner but largely anonymously) as an attachment by email to the jurisdiction and to each voter after “casting” on the cell phone with instructions to write to firstname.lastname@example.org (?) with any disagreement; but when it appeared on the Audit Suite that pdf was redacted also to remove indications of style by removing the contests that were not countywide;
3) an online browser that accesses blocks in a blockchain hosted at unknown locations that serves up two payload records per block, each of which can be digested and converted into a meaningful decimal number by external software, including one called base64decoder. The browser that serves up the two crypto keys associated with each block and then searches for the digital payload that requires decoding is extremely inconvenient, error prone, slow and impossible to fully automate (perhaps deliberately). The speed at which the operation can be done manually means that very few presumed ballot contents will be compared between electronic data sources. And at best only semi-automated operation is possible. I have been testing various methods with considerable difficulty.
4) An online Google spreadsheet contains the lookup table between a string of numerical characters decoded from the digital payloads and the contest option names. An examination of this array suggests that some errors or discontinuities are included- such as row 577,578 that show the contest choice in Spanish. This may suggest that a voter voted YES on both of the two ballot questions using Spanish in the voter interface, perhaps revealing their identity in so doing. It may be that this sheet also reveals the count of votes for each contest choice (except for the ballot questions where the two questions are not distinguished by the answers.) Other than the ballot question choices, the other choices in this table probably share a direct relationship with a voter (although the name of the voter is not revealed here). About 105 entries do not contain candidate names but instead “Redacted per CO State Law” that suggests that redaction has taken place here too. I’ll cover the presumed need for redaction in a separate section, perhaps in future.
5) Lastly a CVR file is made available as a .csv. The CVR file also does not include the non-countywide contests or the ballot style or precinct column Dominion would have exported. It also contains an “anonymous ID” column that the Dominion CVR does not contain. The provenance of this sheet is not stated. While it could for the most part be sourced from the Dominion voting system, the Anonymous ID could not have been added by Dominion without extra programming (and recertification). Therefore one must presume that the anonymous ID was added by hand at Denver using a list of anonymous IDs supplied by Voatz – probably in the form of filenames for the pdfs of the printed suitable for tabulation ballot images. It is unclear from what process the CVR was created. It is clear that manual manipulation was involved.
Unfortunately, not one of these 5 image sources are in a form that has verifiable credibility from my perspective as auditor – meaning it would match a physical source document that can be observed physically to establish credibility for my remote access only to a digital copy. The image that comes closest is the ballot image – categorized above as #1.
#1 ballot image – is known to be sourced from the Denver Dominion scanner #3 (indicated in the CVR) and imprinter #8 because the imprinted number appears in the image. Without the evidence of the imprinted number in the image, one would not know if the image came directly from Voatz software or from the Dominion scanner. And as it happens I observed the ballots being printed on a small printer, imprinted by Canon imprinter #8 and scanned by Dominion/Canon scanner #3. However, these images have also been manipulated somewhere to produce what is downloadable from Voatz – modified by the black bands that obscure style markers, precinct and style text indicia and entire contest options and selections. Ideally all audit documents would have a direct association with a source document that is physically observable were I do ask to see it. Apparently because of the evident requirement for redaction – I would not be allowed to see the original ballot or cast vote record in original form.
#2 “voter-verified receipt” – is also a redacted pdf that is not the same that was sent to the voter. There is no proof that any form of it was sent to the voter or that the voter received it. There is no indication whether the voter responded to the email sent to them or not or whether the voter looked at the pdf in any form (printed on paper or onscreen). Thus from the point of view of an “audit” – this is not credible evidence for voter intent- it is far from verified although it is labeled as “Voter-Verified Receipt This is the receipt that was sent to the voter” on the Voatz Audit Suite display. That label appears to be faulty as neither I nor Voatz can know if the voter verified the receipt without further information that is not apparently available from Voatz. The jurisdiction may have some evidence in the form of an email response from the voter, but the Audit Suite provides no such information. Thus the image in #2 is not credible as a record of voter intent.
#3 encrypted data – is the data sourced from the block chain that produces an encoded “payload” from which a string of numbers that index into a lookup table is to be copied. There is no physical source record that backs up the contents of the blockchain or gives it credibility – usually in a convention ballot marker that would be a paper ballot that the voter had verified or at a bare minimum had the opportunity to physically verify. The multiple layers of obfuscation involved in encoding data obtained from an interaction with a cell phone into the blockchain do not add any credibility to the contents eventually obtained from within. The fact that data is stored in the blockchain indicates that the Voatz is closer in design to a paperless DRE than a ballot marker – and election results can be obtained from the blockchain, perhaps with great difficulty. As mentioned above however, it appears that election results can be obtained from item #4.
#4 – the lookup table – is of provenance unknown. It appears not to come from the jurisdiction but rather from Voatz software and it resembles in some ways the cast vote record without a visible correlation of the voter selections to a single cell phone (and voter). It is doubtful that there is a verifiable source document for this data, but rather only electronic data stored in memory on a Voatz server at one point. This lookup table is not offered with any supportive evidence or means to verify its accuracy, instead it is offered as a crucial step in using the blockchain to verify accuracy of other records such as the ballot image that once printed at central count is used to tabulate the Voatz-collected input.
#5 cvr – is a collage of information from the Dominion system and from Voatz – perhaps the string of characters printed from a Voatz software-created ballot image was manually observed by Denver staff and added to or verified against a list of numbers pasted into the resulting CVR that also was partially redacted. Any of these electronic records could have been hashed at the time of creation by trusted election officials and the hashes committed in published public records as the hashes of the CVR from Dominion are when the CO SOS manages a statewide RLA – but hashes that may have been created by Denver for the entire election (if they followed the protocol for the state RLA) would be useless for me to use to verify the authenticity of the CVR produced by Voatz because the CVR has already been redacted after the hash would have been made. If the jurisdiction had created a hash for every set of contest columns, and published the records prior to commencing the RLA, and if all the CVRs were published, then I as a remote observer might have gained adequate confidence in the authenticity of the CVR with respect to the tabulated paper ballots (that I would also need to have access to see).
My initial conclusion is that the data offered has insufficient substantive credibility or means to establish it subject to a request for further physical observation. As a credentialed watcher I did see 6 paper ballots being printed and then 118 imprinted and then scanned but that experience was insufficient for me to establish that the redacted ballot images later provided by the Voatz Audit Suite are authentic. The data collected by cell phone has little credibility as voter-verified intent from an audit point of view because the means of verification was at very best uncertain, not measurable, and depending on transmission to both voter and jurisdiction from Voatz servers offsite, leaving opportunities for strategic manipulation by various parties. And also leaving open an opportunity for the voter to contest without merit the recorded voter intent. According to information I personally obtained from Voatz there is a possibility to obtain sensor information from the voter’s telephone device in case of contest without merit – but this sounded highly problematic in terms of data longevity and or voter privacy implications regardless of the existence of a legal contest.
For these reasons it seems of only moderate value to actually compare the 4 different datasets as well as extremely difficult to do so. I have collected perhaps a hundred payloads that can be converted into that many contest choices among reportedly 862 total. I can now presumably, with properly programmed automation compare the contest choices collected from the blockchain to cast vote record entries or manually and visually to the computer printed marks on downloaded ballot images.
I will probably complete the semi-automated means to verify whether those that I have collected actually do match, but have not had time to do so yet. But even if all match, there remains substantial doubt whether the voter intent was adequately transcribed to the blockchain and to whatever software printed the resulting ballot images that were sent by internet to the Denver counting center. And according to reports from the survey of the voters themselves, there is substantial doubt about the privacy of the voter intent under the circumstances of the voter perspective. That topic is of great interest to me and may be the topic of a further discussion from me, along with questions about unused or skipped blocks in the blockchain and a review of the legal requirement to redact as well as the extra concern about voter privacy that arises because the Voatz-produced records are relatively rare in style and in format at the time of scanning. All of these topics raise important issues for future use of the Voatz system as does the credibility of data made available to “audit” and the feasibility and efficacy of performing it as instructed.
I am however supportive of attempts to pioneer crowdsourced reviews of elections and I thank the jurisdiction and the NCC for arranging for this access to some accessible evidence of the tabulation of the Voatz-involved ballots for purposes of evaluating a portion of the current state of the Voatz product. It is good that tests of internet voting experiments are being made with some opportunity for independent oversight rather than without. Thanks are due to Voatz and Tusk for their cooperation and I thank Denver for making extra arrangements for this review to be made possible in parallel with the RLA and for the county’s willingness to share information with the public.
Harvie Branscomb 5/19/2019